News.com blogger and outgoing Open Source Initiative board member Matt Asay says security software provider McAfee has libeled open source and needs to 'fess up to its ignorance regarding open source.
McAfee made the statement at issue in a white paper, which Asay quotes as follows:
Taking the bot controller of�ine may kill a botnet. As a result, many bots use a Dynamic Domain Name System (DDNS) or have a list of backup IP addresses to survive such an event. Bot technology is rapidly evolving, often aided and abetted, unfortunately, by the open-source movement.
If McAfee had offered evidence or further explanation to support the last sentence, there may not have been a problem. But McAfee didn't, Asay says. And he points to the definition of "botnet" (from Wikipedia, it seems), which includes the note that most zombie computers -- of which botnets are comprised -- are running Microsoft Windows.
From that -- and, I'd imagine, from his experience in the world of open source -- Asay concludes that computers running Linux are "more impervious to bot attacks." That may be true. In fact, from what I've seen in the relatively short time I've been covering open source, it is more likely true than not. But even before we get to that point, I think Asay is a bit hasty in his conclusion that McAfee's statement is libelous.
law.com defines libel, in part:
to publish in print (including pictures), writing or broadcast through radio, television or film, an untruth about another which will do harm to that person or his/her reputation, by tending to bring the target into ridicule, hatred, scorn or contempt of others.
To be absolutely clear, I don't practice in this area, and I will gladly defer to those who do.
For the sake of argument, it seems that McAfee's statement cannot constitute libel because it is not false. (Never mind whether a movement -- as opposed to a person -- can be libeled, or a host of other questions that could come into play.) Open source does help technology evolve, bot or otherwise, simply because the code is available to everyone.
Anyone can look at it, work to improve it, find and fix flaws. Time and time again, open source vendors have told me that one of the great values in open source is that you have so many eyes looking at the code.
The downside, of course, is that everyone can look at the code. For better or worse, hackers can see exactly where the weak spots in programs are -- and develop malware to exploit those weaknesses. Moreover, as Jack Germain pointed out in a LinuxInsider.com piece a few weeks ago
Linux servers are very valuable to hackers, according to SophosLabs experts. Servers, by their nature, are rarely turned off and often do not run sufficient protection against malware attacks. This makes the Linux systems ideal candidates for the role of controller in a botnet -- the central control point when creating and managing an army of infected computers, known as "bots" or "zombies."
What's more, a quick Internet search on "open source" and "botnets" yields this Wired how-to wiki: "Build Your Own Botnet with Open Source Software."
I enjoy reading Asay's blog, and he is a valued source here at IT Business Edge. It's obvious that he's passionate about advancing open source in the enterprise. But the fact is, whether a botnet is built for good purposes or for illicit ones, the argument can certainly be made that open source has, at least in some fashion, advanced the technology.
McAfee may have been sloppy in failing to substantiate or state its claim with more clarity, but I don't think the statement is libelous.