Closed Source and the naked Emperor

published Jun 27, 2006, last modified Jun 26, 2013

For the past 8 years, I've read countless articles on Open Source and Closed Source security. I've endured bickering that asymptotically approaches infinite. I've tried to understand every possible argument, perspective and angle. And, today, I've come to a definitive conclusion.

The Emperor is butt naked. And the majority of the people can't see it.

Before the storm

In the interest of full disclosure, and knowing this simple honest action will net me a thousand clogged ears and blind eyes, I must state the following: I'm an experienced Free Software and Open Source developer. I've been working on IT for my entire life using Open Source practices (and I've never managed to stay comfortable in Closed Source-type environments for more than two months). I've been using Open Source since it was practical to have it on my computer (which was inextricably tied to the availability of Internet connections in my country, a Third World place named Ecuador).

Let's get started

Recently, a Microsoft security official said phishing is a problem because there's no patch for human stupidity. Which, in other words, is the exact equivalent of saying that people's computers get infected by malware because they're stupid.

Are users really stupid?

Are you, Mr. Reader, stupid enough to fall for a phishing scam? Are you, Mr. Reader, stupid enough to install a virus on your computer? Are you, Mr. Reader, stupid enough to be aware that the latest screen saver you downloaded contains spyware?

I bet you're not.

Textbook facts:

  • Now, for those of you who don't know software engineering: a bug is a condition in a computer program, the result of human error at the software manufacturing stage.
  • Normally, bugs only diminish your productivity. But, due to their nature, some computer bugs can be leveraged into giving third parties or unwanted programs (viruses and their cousins) full access to your computer.
  • Modern computers (and their operating systems) exploit a series of built-in mechanisms to provide separation between programs.
  • Modern bugs are the gateways for malicious programs to get where they do not belong.

This is the truth. Malware gets into your computer when your computer software has bugs. No bugs, no malicious activity.

In a way, viruses are a problem of the past... and not because of antivirus software!

In other words: with a properly built, bug-free computer system, no virus attack is possible, or (as is the case with Microsoft Windows) able to obliterate your computer and your information. Attaining bug-free computer programs is very hard (some would argue it's undoable). But building completely secure systems is possible. It's so possible that they have already been built.

This is not just my "opinion" or "educated guess". This is something real, derived directly from cutting-edge science and engineering.

And here's another textbook fact: malware (malicious software) is spreading because of the poor quality and the irresponsible attitudes of Closed Source software houses (with their flagship operating system, Microsoft Windows).

The Emperor is naked. Why doesn't anybody notice it?

The Closed Source camp has completely succeeded at the task of convincing the entire planet that the spread of malware is the responsibility of computer users everywhere. It's a concerted effort of PR quotes in mainstream media, such as the quote from the Microsoft security official in the article I mentioned earlier.

They've lead the world to believe that bugs in their software are not only an unsurmountable "inconvenience", but that you have to pay for "protection" in the form of antiviruses and antispyware. And, to top it, it's "your fault" when a virus gets on your computer.

Why the lie sticks

Of course, the spread of a vulgar lie like this one is only possible because only a microscopic portion of the populace understands software engineering. Not that you, me or anyone else is at fault. I know nothing about engine repair. And why should I be forced to know? But the point is simple: computers (like microwave ovens) are the postmodern "black magic" -- hocus pocus -- and people, in absence of knowledge, have always tended to believe what the expert wizard said. Not far ago, people believed a ten pound rock would fall ten times faster than a one-pounder. And this is about the only piece of truth to the "blame the user for the virus" lie.

Under the hood, Microsoft Windows and related software has tens of thousands of known bugs, and (judging by the available statistical data) many more unknown bugs. Scarce days pass between discoveries of previously unknown bugs, bugs that malicious programs continually use to destroy your work and to endanger your personal life. Will you ever know if there's a bug going undetected, Mr. Reader? You will never, ever know, because they won't let you see under the hood. Ever. It's in their best interest to break your legs and then sell you crutches, each pair more "sophisticated" than the old one.

How can we sidestep this issue? Isn't Windows mandatory?

How can Microsoft get away with a blatant lie? Simple. You have no other choice but to believe them. You will never be able to prove them wrong, because they have the source, and you do not.

Fortunately, you do have a choice. Use Open Source software. Use Linux, use Firefox, use OpenOffice.org. The real security innovations and cutting-edge advancements are happening in our camp, not the Closed Source camp.

Open Source is simply better -- don't just take my word for it, give it a run.