
Free and Safe: The Main Myths of Free Software

In late December the Ministry of Communications published its position on the adoption of free software (FOSS) in government agencies. The document lists the advantages of free products, the main ones being zero cost and security. But is that really so?
Does free mean free of charge?
There is a widespread belief that free (libre) software is also free of charge. The Ministry's document relies on exactly this thesis:
Firstly, it is cheap and anti-corruption. Open source software does not require royalties for each installed copy of the program.
However, IT experts, including the founder of the free software movement, Richard Stallman, disagree. Stallman repeats the same phrase in nearly every talk:
Free means free as in freedom, not free of charge. And none of that is the same as Open Source. These are three concepts that should not be mixed up.
You do not need to look far for examples confirming this. A recent one: Dell agreed to pay Microsoft royalties for using Android and Chrome OS on its devices. The Redmond corporation holds a number of technology patents that are used in the open source projects created by Google.
Stallman himself published an article calling for a campaign to "free Android", that is, to publish the full source code of the operating system (which its creator, Google, has no intention of doing).

Ultimately, open source software may be free of charge for the end user, but with enterprise products and mass deployments things are not so simple. A company can take part in developing the product it needs and send its fixes to the common repository, or (if the "finishing" work takes the product beyond what the GNU license allows) hire its own dedicated development team to maintain the fork. As you might guess, this path has little to do with "free of charge".
Is free software more secure?
Since, as we just established, free (libre) software, free-of-charge software and Open Source are three different things, one might expect at least one of them to be more secure than proprietary products. In fact, it is not.
The Ministry's document states that closed products are less secure because they contain undocumented features:
Many proprietary applications from well-known manufacturers contain undocumented features, which is a potential threat.
But many open (free, libre) applications also contain undocumented functions. Developers do not always have the time (or the desire) to document their project's capabilities properly. Moreover, a number of fully documented features are themselves a potential threat: PHP's unserialize(), or Bash's import of function definitions from environment variables (the root of Shellshock), for instance.
A separate question that needs answering is what "undocumented functions" actually are: does a menu item that is not described in the documentation meet this definition? If what is meant is "undeclared capabilities", then there must be a process for declaring them. If vulnerabilities are meant, that is a completely different topic.
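The point that a documented feature can itself be the threat can be shown concretely. The following is an added example, not code from the original article: it uses Python's pickle, whose own documentation states that it is not secure against maliciously constructed data, as an analogue of PHP's unserialize(). The Malicious class, the payload and the "hmi-01" record are constructed for the illustration, and the allow-list in RestrictedUnpickler is an assumption about what an application would legitimately need to round-trip.

```python
import io
import os
import pickle

# Constructed payload: the pickle stream carries no code of its own, only
# the *name* of an importable callable and its arguments. Calling that
# callable is a documented part of the pickle protocol (the __reduce__
# contract), which is what turns pickle.loads() on untrusted input into
# remote code execution.
class Malicious:
    def __reduce__(self):
        # Harmless stand-in for os.system(...): we ask the unpickler to
        # call os.getpid() so that the effect is observable in a test.
        return (os.getpid, ())


def build_payload() -> bytes:
    """Serialize the constructed object; the stream says 'call os.getpid()'."""
    return pickle.dumps(Malicious())


def unsafe_load(data: bytes):
    """What the documentation warns about: resolves and calls any global."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allow-list.

    Assumption for this example: sets are the only non-primitive type the
    application needs; everything else (including os.getpid) is refused.
    """

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    """Deserialize with the allow-listing unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run the malicious stream and a benign one through both loaders."""
    payload = build_payload()
    # Constructed sample record of the kind an application might legitimately store.
    benign_record = {"host": "hmi-01", "patched": False}
    benign = pickle.dumps(benign_record)
    try:
        safe_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {
        # The stream names the callable but contains no bytecode.
        "payload_names_getpid": b"getpid" in payload,
        # pickle.loads really invoked os.getpid() on the attacker's behalf.
        "unsafe_executed_callable": unsafe_load(payload) == os.getpid(),
        # The restricted loader refuses the same stream.
        "restricted_blocked": blocked,
        # Plain data still round-trips through the restricted loader.
        "benign_survives_restriction": safe_load(benign) == benign_record,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The countermeasure is the one the pickle documentation itself recommends (overriding Unpickler.find_class); for data that arrives from outside, a format that carries no object-construction instructions at all, such as JSON, is the better choice. None of this depends on whether the interpreter's source is open: the feature is documented and behaves exactly as documented.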
In fact, to increase confidence in the security of code it is enough to follow a simple algorithm:
- There must be a designated owner who is responsible for that security (internal or external, for example the software vendor).
- That owner must be given security as an explicit task.
- They must be provided with the necessary tools and resources.
- Secure development (SDL), configuration management and vulnerability management must be put in place.
Once that is in place, it makes no difference whether the work is done on "libre", "free of charge", "paid" or "proprietary" software. Published source code in some cases makes the security process easier (though it still says nothing about cost), but it does not help (and sometimes hinders) finding someone who is responsible. Moreover, with total openness the question "who wrote this line?" loses its meaning.
In the case of the backdoor in RSA's products it turned out that the NSA had paid the company; that is, a culprit was found. But for the Heartbleed vulnerability in OpenSSL there is still nobody to hold answerable.
Free software, on the other hand, is easier to adapt to changing conditions. Of course, installing "closed and non-free" Windows on HMIs in industrial control systems is an obvious mistake, one that has left CVE-2010-2568, the vulnerability the Stuxnet worm once spread through, still unpatched on many systems. An "open" system would let you develop a patch of your own, but that again requires a development team, which costs money.
Should the state develop a Russian Open Source?
Another excerpt from the document of the Ministry of Communications, in which the thesis that free software meets national interests sounds:
Fourth, the use of open source software takes national interests into account. Although the creation of free programs is inseparable from the global developer community, the services for adapting, deploying, supporting and developing them are usually provided by national firms, which is more beneficial to the state and society.
It turns out that relabeling Open Source (even in violation of the GPL) properly serves the country's interests, whereas creating your own technology from scratch, which for some reason is not open source software, does not.
There are very few companies in Russia that, like ALT Linux, do everything properly and comply with every license and every rule of open source. On the whole, building a "free domestic software stack" is perhaps an inspiring task, but clearly not a priority one.
Here I would like to turn to another popular topic: the creation of a "domestic OS".
No operating system needed!
In the case of import substitution it is far more logical to focus not on creating your own OS and office suites but on entirely different directions. You need to start with something that has an end goal, and it must be possible to measure the effectiveness of that "something". The operating system is clearly not it.
Desktops
Desktops, for all their archaism, will long remain a serious "devourer" of the corporate IT budget, with a 3-5-year refresh cycle. Given that the public sector and its affiliated companies make up a substantial part of Russia's corporate sector, moving this niche to Russian products is entirely realistic; all it takes is a firm decision.
"So it's Windows all over again!" the reader will say. Not at all! Building a desktop has to start with the processor. Moreover, we have one, and not a bad one. Yes, I mean Elbrus.
While working on your own processor you will, along the way, also have to deal with creating operating systems, programming languages and the other elements of the ecosystem. For software vendors to want to write for a hypothetical "Elbrus", such products must be in demand, and MCST must be able to ship enough hardware.
The state-owned companies already mentioned and their satellites can form the backbone of the first users. If software vendors (the same ALT Linux, or JetBrains) see prospects and a user base, they will not refuse to build a version for Elbrus (incidentally, we are porting PT Application Firewall to this processor too), and compatibility with "plain Linux" and other platforms will come along with it.

All in the cloud
The trend of "moving" many familiar applications to the cloud is undeniable: Excel, Word and 1C are already there. A private "office" cloud would cover the needs of 90% of desktop users in the corporate sector. At the same time, such products are increasingly becoming a plain substrate for the "Internet" itself. The browser is becoming the most important desktop application, and creating one is not nearly as hard as it seems, as the examples of Opera and Yandex.Browser show.
It may seem that everyone has moved to Chromium, but there is nothing wrong with that. If we take the existing platform as a base, add functionality to it and provide a support cycle, the result will be a competitive product. In parallel, it will be possible to start building our own Chromium, if that turns out to be necessary.
Iron Sky
Of course, other components are needed to build your own cloud, and the first problem here is the shortage of hardware (the situation with server platforms is particularly sad). There is no reason to expect a quick fix in this area, so in the early stages there is nothing wrong with using existing solutions.
With network hardware things are gradually improving; RAIDIX is doing serious work in the NAS area, and T-Platforms cannot be discounted. The situation with software is much better: there is an excellent virtualization platform from Parallels, and nginx as a reliable foundation for application servers.
Not everything is smooth with DBMSs (even the creators of Elbrus at MCST speak of Oracle), although there are products such as Linter and Red Database. At the same time, you need to understand that migrating off MS SQL and Oracle simply does not happen easily. This does not mean, however, that there is no need to create enterprise DBMSs of our own: at least an RDBMS and some number of NoSQL projects (document and graph stores, for example) would certainly not hurt. Even if PostgreSQL, Hadoop or Elasticsearch are taken as the base, the main thing is that these products are used and that applications are built for them.
Summing up
Of course, free software can and should be used, adapted and developed. However, the theses about its being free of charge, "license-clean" and secure do not stand up to scrutiny. "Free" and "secure" are just fairy tales, and everyone knows where the free cheese is.
The current period may be a golden time for the IT industry in Russia. In the case of import substitution it is worth betting on "national champions" in their respective fields, working in close cooperation, pushing breakthrough or simply necessary projects, providing business with "long money" and ensuring control and transparency; and that is exactly what the state can do.
Author: Sergey Gordeychik, based on a personal blog (1, 2)