July 31, 2006 By Adam Stone
As policy and planning manager in the Office of Information Services at Oregon's Department of Human Services (DHS), Wells is running an open source customer relationship management (CRM) system at a time when attacks against open source operating systems and products are increasing at an alarming rate.
"It's probably because of the rising popularity of open source," Wells said of the newest attacks against the Linux operating system and other open source products. "Because it is there -- out there, where people can see it -- it provides more of an interesting challenge to attackers."
Yet Wells said he has it covered. Sugar CRM, which sells the CRM software Wells uses, keeps the DHS's machines patched and updated, and an entire community of open source users keeps him abreast of threats.
That appears to be the lay of the land in Linux and open source these days. On one hand, a rising tide of threats; on the other hand, vigilant vendors working in consortium with users to keep the open source environment safe and stable.
On the face of it, the numbers do give cause for concern -- the pace of malware attacks against Linux operating systems doubling during 2005, according to Kaspersky Lab's 2005 *nix Malware Evolution report. Kaspersky reported 863 attacks on Linux in 2005, up from 422 in 2004.
However, it's still a drop in the bucket compared to Windows. Security firm Symantec reported nearly 11,000 Windows viruses and worms in just the last half of 2005. Still, the increase in the number of attacks on open source is ringing warning bells.
"We are still in the very beginnings of what will come," cautioned Ben Chelf, chief technology officer of open source code security firm Coverity.
A Deeper Threat
It's not just the attacks' increase, but also their nature, Chelf said. The majority of Windows usage still resides on the desktop, he said, whereas Linux typically operates at the server level. Desktop damage is certainly a problem, but back-door access to the server presents a far deeper level of threat.
Given the seriousness of that threat, Andy Stein, director of IT in Newport News, Va., is paying close attention to the situation. Stein is directing the development of a new e-government site based on open source code. He said the relatively low number of attacks on Linux should not lull one into a false sense of security.
"I am just as concerned about open source [malware] as I am about the fact that Windows is under attack," Stein said.
For government users in particular, the nature of the present attacks against open source products may be a cause for concern. Windows attacks typically come in some flavor of overwhelm-and-destroy: Crash the system, bring traffic to a halt. Linux attacks on the other hand have tended in the direction of information plundering.
"The most common class of these things is the back door or Trojan things used to capture and export data," said Robert Shoemaker, CEO of IT support firm HelpMeRemote.
For government IT managers, that focus on data can be a big issue.
"Of course, governmental agencies have very strict requirements about privacy of data, and face a dilemma of needing to protect data while often lacking the budget to do so," said Bernard Golden, CEO of open source system integrator Navica.
The Good News Is ...
Threats there may be, but proponents of open source argue that the Linux and open source communities today are prepared to deal with them, despite what some people may think.
"The misconception is that there is no vendor support, that there is no option for vendor support. The assumption
You may use or reference this story with attribution and a link to