Monthly Posts: July
by Andrei Bogza
In April 2014 Microsoft ended support for Windows XP, and although the end of an operating system era is not much of an event in itself, it is remarkable that 13 years after launch it still managed to keep a market share of 25%. Although some users will upgrade to newer versions of the Windows OS, the vast majority that remain do not meet the system requirements to do so. And we’re not talking only about home users but also business and government users, where the upgrade to a newer OS comes at a high cost for both software and hardware. This is where open source software comes into play to give a new life to what could be considered obsolete hardware by today’s standards.
Open source software has been around for quite some time, but what it really lacked for mass adoption were the success stories that would boost confidence in it. One of the most publicized stories of the last years was the city of Munich in Germany, which migrated 13,000 computers to Linux and OpenOffice. The move started in 2004 and was completed in 2013, with savings of over 11 million euro compared to proprietary alternatives. Another confidence boost came from the European Commission in 2007 with a report about the economic impact of open source software. The report also encouraged organizations to consider using Open Office (“Open Office has all the functionalities that public offices need to create documents, spreadsheets and presentations” and “Open Office is free and extremely stable”).
One of the countries directly affected by Windows XP’s end of life was China, where the OS had a market share of 72%. In preparation for the event that would leave its computers unprotected, the Ministry of Industry and Information Technology of the People’s Republic of China reached an agreement with Canonical in 2013 for the creation of an Ubuntu-based OS targeted at the Chinese market, followed by the release of Ubuntu Kylin the same year. The project was a success, with millions of downloads to date and OEM manufacturers like Dell and HP offering laptops and desktop computers with Ubuntu Kylin preinstalled. To further increase its adoption rate, the Chinese government issued an order in May 2014 to put a stop to further upgrades to Windows OS, followed by one in June encouraging a move from Microsoft Office to open source alternatives. Therefore we can expect China to lead open source adoption in the years to come.
Since the beginning of 2000 there has been a trend of calling each year the “Year of the Linux desktop” (even though Linux conquered servers and mobile devices, the desktop still seems to struggle). Although Linux is a small fish in the open source ocean, its adoption also raises the awareness level for the rest of the projects available, especially when looking for alternatives to software once used on Windows. Following the latest developments in filling the hole left on the market by XP, 2014 actually has a decent chance of earning the name “Year of the Linux desktop”.
The so-called Windows XP apocalypse that we witnessed also teaches us why we should avoid vendor lock-in. When a software company decides to no longer support certain applications or operating systems or, worse, the company disappears, the end users are left in the dark. Finding a new alternative costs both money and time and affects their productivity, with the possibility that the same scenario could repeat itself. Going the “open source way” gives us direct control over the evolution of the software we use, lowering the impact of the vendor’s decisions. This is also the main reason why we promote FinTP, our open source financial transactions processing software, ensuring that financial institutions can literally write their own future, either with or without Allevo’s help.
Heartbleed is one of the biggest and most publicized vulnerabilities of the last decade. The affected open source library, OpenSSL, is one of the critical elements of the infrastructure the internet is based upon. According to estimates, approximately 66% of internet service users have been affected by this vulnerability.
In the last 15 years, open source projects have built an image based on security and reliability, and the doctrine that supports this image is free access to the source code. The more people get to look at and analyze the code, the greater the chances that bugs and vulnerabilities are discovered and fixed faster. Users’ trust is thus built on transparency. Given this advantage over proprietary projects, the natural question that comes to mind is: what did not work in OpenSSL’s case?
Unfortunately, this vulnerability has proved that users usually take open source security for granted, based on the idea that more qualified people have already reviewed the code. What happens, though, when everyone thinks the same? We get to the point where developers rely on users, or at least a part of them, to discover possible errors, and the users rely on developers not to make any mistakes (or to discover them on their own).
The OpenSSL project, a tool the internet security infrastructure is based upon, is maintained by a group of developers, most of whom are volunteers working in their own free time. Although this project has a great business impact for companies like Google, Yahoo or Microsoft, most of the funding that kept the project going came from individual donations of a few tens up to hundreds of dollars. Therefore, money-, time- and resource-consuming activities such as impact analysis, code review and audit have been done at a superficial level or not at all. Nobody addressed these gaps until it was too late. At first, the blame was cast on the project developers, but then, when all the shortcomings of this project had surfaced, the general opinion shifted. The community took the blame upon itself and started taking measures to prevent similar scenarios in the future.
Luckily, the exposure caused by Heartbleed did not reach the presumed catastrophic proportions. The patch was published in record time by the members of the community that were directly affected, and the attempts to exploit the vulnerability after publication were isolated.
An important conclusion that came out of this crisis was the necessity of acknowledging the importance of OpenSSL and other open source projects operating within the internet security infrastructure. The first step in this direction was taken by The Linux Foundation, which set up a 3.9 million dollar fund designed to help underfinanced open source projects, with OpenSSL first on the list. Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, VMware and other such industry giants have announced their willingness to provide 100,000 dollars a year, for at least 3 years from now, for what they called the “Core Infrastructure Initiative”. Its purpose is to identify and adequately finance other critical open source projects, in order to avoid another Heartbleed.
Even though there were voices claiming that the open source security image had been tarnished, the outcome was quite the opposite. The community understood that the main benefit of open source – free access to the source code – counts for nothing if no one takes advantage of it. It also realized that as projects get more complex and gain more users, they need proportional funding and infrastructure.