Reducing the risks of vendor lock-in

Peter Hansteen of Bergen, Norway reports that the Norwegian Police Force has disclosed two large-scale information security incidents. He explains that:

Apparently large parts of the bureaucracy that is responsible for the confidential and correct processing of criminal matters and all sorts of sensitive personal information associated with the crimes runs essential services on Microsoft Windows NT 4.0.

That version of the Microsoft product is so old it is officially abandonware, and early reports of the police network problems included the oldish news that even the antiware vendors have stopped supporting the system. Later reports had police IT department officials claim that the worm infections were not that much of a security problem, since at this point all the worm actually did was spread.

The emphases above are, understandably, in the original report.

His post continues by explaining in detail how a business model designed to achieve vendor lock-in has the (from the vendor's point of view) unintended consequence of locking the customer into a product from which they cannot escape…not even when the vendor itself wants to sell them a newer one. He then explains, as a BSD advocate, how the BSD development process preserves choice at every step along the way. And he is right: the BSD model does a fantastic job of preserving backward compatibility while still making forward progress.

It is indeed remarkable how well the BSD community has thrived in spite of major proprietary detours: first the one taken by Sun Microsystems with SunOS, later abandoned when Sun promised to shift to a GPL-based OpenSolaris, and secondly (and presently) the one maintained by Apple with OS X, which continues to hide anti-features in a source code base that is constantly refreshed with the best the BSD community has to offer. That BSD can continue to offer choice while subject to such commercial behavior is a testimony to its community and to the power of the open source model, even when it is not protected by a purely reciprocal license like the GPL.

To look at an even stronger case of consumer (and thus also business) protection, consider Linux, which does have reciprocal protection. The array of Linux platform offerings is broad, deep, and rich, and they run across the full gamut of devices and architectures: from cellphones to supercomputers, from portable virtualized environments to bare-metal real-time systems. Open source not only provides a far better track record of system security (by the author's count, the Linux kernel in Red Hat's Enterprise Linux 4 suffered zero critical flaws in four years of commercial use), it also provides the best track record for customers who want a genuine choice every day. A great deal of the credit for that goes to the Linux community, but a certain amount must also be given to the governance model that open source licenses enable and to the no-choice models they preclude.