March 12, 1999
The following article is written by Pete Loshin, editor of the CORPORATE INTERNET STRATEGIES newsletter.
OPEN SOURCE SOFTWARE
Open source software started out as a crazy sort of crusade by a handful of idealists. Now it is becoming an important force in software development -- particularly Internet software. Open-source Apache is still perhaps the most important Web server for Internet Web sites. Sales of Linux distributions are making it the only operating system not coming out of Redmond that has a growing market share. The popular Perl scripting language is open source code, as is Netscape's Mozilla browser code. There are many others, and they all share some important advantages over competitive products that have been developed in the corporate "cathedrals." The two most important are:
* Open source software can be free both in the sense that it doesn't cost anything and in that there are no restrictions on its use.
* Popular open source software can be much more robust and reliable than competitive commercial software.
The term "open source" has been registered as a certification mark (a special kind of trademark), which means that only certain kinds of software can be called open source. Eric Raymond provides much of the content and impetus behind the Open Source Initiative. Raymond defines the attributes that make software eligible to be called open source and provides a rationale behind each criteria on the Web site at http://www.opensource.org
Playing It Safe
If you do decide to experiment with open source software, here are some guidelines that can help make it an enjoyable and safe experience:
* Trust the source. Get the software from a source you trust. That may mean buying a distribution from Caldera or Red Hat, or it may mean downloading the source code from an "official" Web site and then examining and compiling it yourself.
* Security is an even greater issue with open source software - it is much easier for someone to create and distribute a hacked version of Linux that will forward all your e-mail to an attacker than it is for someone to do the same with Windows. This means you should scrutinize not just the code but also the configuration of any system connected to a network.
* Some source code and binaries may be signed with a Pretty Good Privacy digital signature. This can help increase your trust of the source code.
* Think twice before you take a box that runs open source networking software and connect it to the Internet. Then, think one more time. Check the configuration as well as all the rest of the installation very carefully. If you need professional help with your security, don't hesitate to seek it out.
* If you decide to hire a security consultant, be sure to ask for and carefully verify references.
* There is plenty of information available on security. For example, in addition to using books like Practical Unix & Internet Security (Simson Garfinkel and Gene Spafford, O'Reilly 1996) you can check out Internet newsgroups (for example, comp.security firewalls, comp.security.unix) for help. And your ISP should have some advice, wisdom, or at least some information to help you get secure -- if they don't, you might want to reconsider your ISP selection.
One good starting point for evaluating network security is to get a copy of SATAN, the Security Administrator's Tool for Analyzing Networks, and run it on your network. If you do this on a testbed LAN that has been isolated from your production networks and the Internet, you can make a start toward evaluating the level of security of open source systems before you deploy them.
--Pete Loshin
+++++++++++++++
This article was reprinted with permission from the Cutter Edge,
the weekly e-mail service for IT professionals, provided free
by Cutter Information Corp. (c) 1999 Cutter Information Corp.
All rights reserved. For more information please visit:
http://www.cutter.com/itgroup
+++++++++++++++
Please share your thoughts and comments regarding this feature. You can do so by posting to our Open Technology Forum or by writing us at webadmin@itmweb.com.
