According to the editor’s letter in the recently released inaugural edition of Sage, a magazine produced by anti-malware vendor McAfee: “Open source is not to blame for current security trends.” Maybe not, but apparently it’s still expected to take the blame.
The issue’s cover feature, under the headline, “Paying a price for the open source advantage”, devotes some 30 pages to the assertion that malware authors are using “open-source methods” to build better botnets, worms and viruses. This is nothing more than a gross and self-serving distortion of the facts.
I know something about malware development. In 1990, as a teenager, I wrote and distributed a primitive MS-DOS virus called Leprosy. It’s not my proudest moment, but it is significant because Leprosy was unique in one important way. Long before I had ever heard of open source, I shipped my software complete with its accompanying source code and full documentation explaining how it worked.
At that time, this was virtually unheard of. Working virus code was a prized possession, one that catapulted the owner into the ranks of the so-called elite. To simply give it away, along with all its secrets, ran contrary to every principle of the status-centric hacker culture.
My fellow tinkerers jumped at the opportunity, however, and so the Leprosy source code travelled far and wide. Within a few years, hundreds of new, derivative viruses had appeared. The upside? My open code made it easy for other developers to build on my foundation, but its transparency also made it trivial to defeat. In the wild, the threat of Leprosy and its descendents was virtually non-existent.
The techniques Leprosy employed in that pre-Windows world aren’t much use to virus writers today. Nor have today’s malware authors followed my lead towards open source. Although it’s true that much public code is available and malware authors have built on one another’s successes, this baseline of collaboration is inevitable in any field of endeavour. The really sophisticated techniques, however, are still hoarded as if they were secret weapons, and necessarily so.
If social status is no longer a driver for malware development, in its place is an equally ignoble motive: old-fashioned financial gain. In fact, as McAfee’s Sage points out, some malware authors even sell value-added versions of their code in a “mixed-source” model. In a sense, they are proprietary software vendors like any other, and they’ll remain that.
“Open source was supposed to hinder malware,” claims one Sage article, before asking, “So, what happened?” What happened, of course, was Apache, Firefox, Linux and the numerous other open source projects that remain remarkably resilient to malware.
Meanwhile, the closed-source software community hasn’t fared as well. As recent news has shown, even security vendors such as McAfee can fall prey to exploits in their proprietary code.
Open-source methods are not the problem. As the shared body of knowledge around malware techniques has evolved, it is no longer sufficient for companies such as McAfee to act as gatekeepers of that knowledge for the security community. Share the code. Expose the threats. Make the solutions known. What we need is more openness, not less.