Slashdot Mirror
'Experts' Back To Claiming Open Source Insecure
jacobito was the first of the folks who sent us a report running in Silicon.com regarding security and open source products. It's the typical claims - that open source is insecure because it is open source. They've also provided the counter-quotes, though, talking about that because it is open source, it's inherently more secure. *sigh* I hate issue re-tread.
It never ceases to amaze me how many 'experts' make the newbie mistake of thinking security is a matter of obscurity. I pity the companies that hire such newbie 'experts' to 'secure' their systems.
I wonder if any of the 'experts' quoted worked on CSS?
Of course, by their definition, no OS can be secure since every proprietary OS vendor has to have had at least one disgruntled programmer who has seen the source.
I've never even heard of any of these "experts" before. Only the Open-Source advocate actually gave any facts to back up his claim, I might add; the other three seem to be just spreading FUD.
Yeah; you can find an exploit more easily if you have the code in front of you. So what? You get maybe a full day to use it if you're lucky. The second you use it you'll be pounced on, and if you try "waiting for the right moment" someone else will find your precious exploit and see that it's fixed.
Contrast this with the "security-through-obscurity" of a closed-source system. OK, so it's harder to find an exploit. But you'll get at least a week, possibly even months if it's Windows, to play around with the exploit once you do find it, because it simply doesn't get fixed so quickly.
Does being Open-Source make something more secure? Nope. But it doesn't make things less secure, either. It all comes down to how good of an admin you are. But it should be moted that the bugfix time on an OSS system is a huge advantage; there will always be exploits lurking around in any operating system, but the fast turnaround time of Linux and its kin make it easier to keep a system secure even as those exploits are found.
Some anonymous coward dun said:
*chuckle* As far as that goes...I dunno on that, but I can truthfully state that I've not been able to eat meat at McDonald's since I saw one of the employees take a 50-pound bag of "Miracle Meat" (no, I am not making this up--this is what their meat is called), which resembled nothing less than the 50-pound bags of Gravy Train dog food you see at the pet-food department of the grocery, from the freezer-shed. :) (The really sad thing is--Gravy Train likely tastes better and has more nutritional value (not to mention more actual meat) than Miracle Meat does. :)
Seriously, though...the real reason Dave Barry's analysis holds up well (save for Belgrade) is due to a combination of three factors:
1). Generally, when the US goes into a state of war with another country, they put in rather strict trade sanctions that basically state that you cannot do any business--not even visit relatives--with that country unless you have special permission from both the State Department and the US Treasury. (The law that this is under is specifically called the "Trading with the Enemy Act", and you don't even need to be at a state of war--hell, out of the countries where it is virtually illegal for a normal US citizen to go (incidentially, now the only countries you can't send crypto to) we've had shooting wars with only two of them. It's this very law that makes it outright illegal for most Americans to go to Cuba or even buy Cuban cigars in Canada, while everyone else goes to vacations on Cuban beaches...)
It doesn't hurt that the vast majority of big fast-food chains are based in the US, and even if they weren't the US anymore tends to not only put strict sanctions on its own citizens under the Trading with the Enemy Act, but they also manage to get through UN sanctions or at the very least sanctions among NATO members. You know what they say about 800-pound gorillas (no offense to gorillas, who generally are peaceful folk, have good senses of humour, and are rather intelligent unlike the US government ;)...
2) Most countries that the US is pissed off enough at to get trade sanctions against and/or go to shooting wars with aren't likely to want much to do with American stuff at all, and likely have imposed their own versions of the Trading with the Enemy Act in regards to American goods and companies. (I'd be REALLY surprised if the Serbian government hadn't run the McDonald's out of Belgrade.) Again, shooting wars aren't even a necessity here, and a lot of it has to do with ideology--it's rather unlikely Afghanistan would be getting a McDonald's soon, or North Korea (even if eighty percent of the country wasn't starving to death) because the ideology of the countries wouldn't permit such a thing.
3) The potential Real Biggie here is that there have not been any hellaciously big shooting wars since McDonald's incorporated back in the 50's. The last Really Big War was in the 40's, during World War II; most wars then have been skirmishes between at most four or five countries (literally the three largest wars the US was involved in were with Vietnam, Korea and Iraq since McDonald's opened shop--for various and sundry reasons hinted at with 1 and 2 above, it's doubtful they'd have McDonald's restaurants to begin with [though in Iraq's case it was probably a combination of culture and the fact they were fighting with Iran]). If another World War were to break out (Grud forbid), we'd likely end up warring with a country with a McDonald's (or more properly, one which HAD one before we ordered McDonald's to Divest Or Else). (Of course, we'd also end up likely going back to the high technology of making knives and projectiles out of obsidian and flint, not to mention getting meat by hunting down deer instead of ingesting Miracle Meat--this is, of course, assuming mammals larger than mice or bats survived and we didn't end up with Planet of the Bipedal Mousies 65 million years later :)
For that matter--interesting historical note: McDonald's didn't enter either what is now Russia nor did it enter China until the Cold War had thawed quite considerably. (Most of you who are reading probably do not remember the days before Gorbachev in the old USSR. Gorby did a lot to warm up relations between the US and the USSR--before that, especially in the early- to mid-80's, people were convinced that before my generation hit the age of 18 (I'll be turning 27 this year, btw) the world would have been blown to smithereens and we'd end up with Planet of the Cockroaches. It was Quite Tense, believe you me.) Even then, they didn't open till things had warmed up to the point there was almost no going back from there...and, more to the point, companies like Pepsi and McDonald's thought it would be profitable to operate there and didn't have to worry about the State Department coming about and telling them they had to divest (other companies--most notably, oil concerns and banks--had already been burned like this several times, most notably in Cuba and in Iran).
-Windigo The Feral (NYAR!)
I can easily log onto my ISP's very secure FreeBSD box, make a SAMBA build and browse around several business systems that are currently connected with their Win9x or NT shares left open to the world. Except I just don't do that, but Msft has given the keys to THEIR systems to anyone with half a brain to snoop around in.
Read between the lines - the people quoted in the article, a 'network installer' and a Company "Strategy Partners" both probably have a big investment in NT & 2K, and probably are able to setup a secure NT system, but their claims that Linux is somehow inherently less secure and wide open to Linux savvy hackers is just sales FUD. They are Msft 'expurts' in the sense of the old joke: and 'ex' is a has-been, and a 'spurt' is a drip under pressure.
Now I rarely use 'FUD' for any Linux critics, but this is a clear case. I learned long ago how sales/politics works, and you have to build up CONFIDENCE in a system. Just having a working server is not enough, the owners have to BELEIVE in it and get the warm fuzzies as well. That's one thing Msft is good at, getting and keeping big clients happy in the board room, while the McSE's are in the server closet plugging up holes and traipsing around land mines.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I like OpenBSD but your assertion is bogus. There are closed-source operating systems that are very secure, Multics, MLS versions of UNIX, SCOMP, MVS. See the list here and look for operating systems with A or B class security ratings.
Mea navis aericumbens anguillis abundat
Bernie Dodwell, business development manager for System Security specialist Integralis Group, said the operating system is insecure because it is open source. "This issue has to be resolved to get the system ready for the enterprise. At present a hacker would be able to go through the operating system like a dose of salts," he said. Microsoft was keen to endorse this view.
Anyone else find that last bit amusing?
Seatte, WA In an anouncement that has all of Sillicon Valley and Redmond buzzing, abnormal psychologists at the University of Washington have found widespread insecurity among Linux advocates.
Dr. Rajeev Papshigali and his team of graduate students analyzed Linux advocates in the lab for several months in the groundbreaking study. "We found several neuroses common among Linux advocates, including paranoid delusions of the most severe sort" reported Dr. Papshigali. "It was amazing, every time you mentioned anything unfavorable about Linux, they would become extremely defensive and begin shouting 'FUD!!!' Many of them also display paranoid delusions about Bill Gates."
Dr. Papshigali's study has lead several "Security Experts" to try and reach out to Linux users. Dr. Charles Widebottom, a popular self help author has just released a new book entitled My OS is Okay, Your OS is Okay. "The important thing for Linux advocates to realize is that not everything is FUD." advises Dr. Widebottom. "Some of it is valid criticism, and some articles like the silicon.com one are plain old fashioned stupidity." Dr. Widebottom hopes that Linux advocates will simply take a deep breath before accusing Microsoft of controlling every aspect of the Media.
Dr. Papshigali calls this approach naive. "One Linux advocate we studied actually walked into a McDonalds and ordered a burger with Linux on it. When the cashier said 'what's linux?' he started screaming 'microserf' and then accused Ronald McDonald of being a paid henchman of Bill Gates. I don't see how a deep breath will help these guys."
Dr. Papshigali also noted that other OS advocates display major insecurities. With Windows fans becoming very irate and defensive when you point out that Microsoft means 'small and flaccid', and mac users (to put it politely) thinking a bit different. "We see the possibility of virtually limitless research grants with the mac users." commented Dr. Papshigali.
--Shoeboy
Bernie Dodwell, business development manager
Clive Longbottom, strategy analyst at Strategy Partners
Phil Roberts, systems manager for a network installer
Since when did these chaps become "security experts" Anyone ever heard of them. Just for the purpose of comparison I did a quick poll of my chums and came up with this:
1 operations manager
1 senior DBA
1 dev manager
1 senior systems engineer
Wow, equally impressive titles. Maybe we can start writing security articles too.
I can spare 5 minutes to provide the same level of detailed, well researched analysis these guys did.
--Shoeboy
(full disclosure, I work for microsoft)
Steg. is security via a secret. Obscurity is not a real secret, it's just something that cost a little effort to find. Yes, this small effort is a barrier making it slightly more difficult to find an exploit. However, it is a far greater barrier for fixing things.
In addition to the question of how fast the closed-source vendors are going to move to patch exploits...
Who's going to secure us from the closed-source vendors?
That became a big question after some nasty pranks were revealed back in '99, and I suspect it will become and increasingly important question for consumers, businesses, and governments alike, over the next few years.
--
Sheesh, evil *and* a jerk. -- Jade
It could almost make a guy wonder who's behind silicon.com, eh?
It's obvious who suffers under competition with free software. But who suffers from open software?
--
Sheesh, evil *and* a jerk. -- Jade
> open source is no more stable than closed by default. the oposite is probably true
By the same logic, companies should not document the features of their applications, because that makes it easier for people to find ways to abuse them (think "macro viruses").
The solution isn't keeping the problems hidden, it's keeping the problems out.
And no one has ever shown, nor posited a convincing argument, that closed source beats open source on that.
--
Sheesh, evil *and* a jerk. -- Jade
Well, yes, unless of course you are a really smart administrator, and you install a linux based firewall, while letting your boss be so proud of his NT network -grin-. That way security fixed can be made at the door, by you.
There are two claims in the article. The first one, that Linux is not secure enough, is the one that I don't afraid at all. All of us knows that only troll will still think that they need a close source system in order to get security. All of us knows how open-source works to allow bugs, and in particular security holes, to be found and patched quickly.
But the second claim is somewhat more disturbing: that there is a trend that more people become trolls. If this is really such a trend, this has to be dealt with. Of course, there is every possibility that the article is once again funded by Microsoft to generate FUD.
But if not, what can be done? How new comers can be educated about security more readily than getting the FUD?
Here is the NSA list of Evaluated Systems.
No one wants to hear it, but all security is security through obscurity. It's simply a matter of whether something is obscure enough.
Hoping you're safe because you haven't publicized that your web server exists, even though it has holes, probably isn't obscure enough. Port scans happen all day, every day.
Hoping your e-mail is secure because someone shouldn't be able to randomly bang on the keyboard and generate your 2048-bit key IS probably obscure enough.
In both cases, if the attacker knew what they needed to know, they'd succeed.
OBOSS: We've been breaking commercial, closed-source software for way too many years to believe that not having the source code slows us down.
>would not have been able to decipher the
>password so quickly...
http://www.thievco.com/advisor ies/nspreferences.html
Actually, yes.
whois silicon.com
Registrant:
Network Multimedia Television (SILICON16-DOM)
15-19 Britten Street
London, SW3 3TZ
UK
Hmmm...
James
I was amused by the line "Microsoft was keen to agree with this." I can just see it now:
"Mr Balmer, do you agree that Linux is insecure because of the source code being available."
"Well, from a marketing standpoint, I'd love to agree (as you know we hide our source as if it were actually valuable, so we have something to concede to the DoJ). However, the truth is that my technical analysts (yeah, we had to hire a couple last week) told me that Linux is actually very secure, and that most of the security problems that arise in any environment are either insiders exploiting the local security policy or months old problems that the administrators should have fixed. Now, I'm no programmer, but it seems to me that if I had the source code, then I could do my own security evaluations, and limit the extent of problem #2, but it still lies in my hands to create good security policy."
"Wow, Mr Balmer, that's just an amazingly cogent and forthright statement for you!"
"Mmmmrrfffll... Mrrrrmmm! Rugh.... Get this damn daemon out of my head!"
"Um, and as Mr. Balmer spews forth pea soup, we go back to you in Metropolis, Clark!"
I see I got side-tracked, there. Sorry.
Disclaimer: None of the people herin depicted ever acted this reasonably.
The first rule of security is to limit what programs can do to the minimum neccessary to do their job. Putting the video drivers into the kernel is not the minimum neccessary to do their job, so obviously security was secondary to other aspects.
He added that the issue could
lead to proprietary versions of Linux being developed.
Obvious that this person does not know much about Linux. Since everyone I know, knows that the GPL will prevent this.
This view seems to be more or less closed source advocates trying to bring a dead horse back to life, just to beat it a few more times.
A system is not easy to break just because you have source, Unless you have a bad system, where a cracker can see areas where buffer overflows exist. I was recently told by a Samba developer that there are several areas that buffer overflows exist in W2K. And this is just one of the ways crackers can break systems.
Steven Rostedt
Steven Rostedt
-- Nevermind
...you just wouldn't be able to distribute the binary if you didn't also make the source available.
;) (IANACL)
IIRC, the GPL only controls distribution, not what you actually do with the OS in-house. Of course, that implies that if General Motors distributed a proprietary Linux to all their employees, the employees would also have a right to the source code. I guess that the employees would also have the right to redistribute the whole thing. They might get fired, but probably would be legally safe.
Geeky modern art T-shirts
First and foremost, it has to be mentioned that Quake has a very poor security model. It relies heavily on client-side security. Quake isn't alone in using this model; however, it provides countless ways to attack the integrity of the environment. To id's credit, there are some very important performance reasons this model was adopted (search for Carmak's Slashdot posting on this topic). Nevertheless, we have a design that is wide open to attack.
Closed source obscurity did not protect Quake. It sometimes sounds like Quake's cheating woes didn't begin until the release of the Quake source. Untrue. While Quake was a closed source product, various ways to cheat existed (proxies, hacked maps, hacked models, etc.) It wasn't as wide-spread and blatant as it is now, but cheating was hardly uncommon.
Open Source changed the environment. By releasing the source code, Carmak allowed the world to see exactly how insecure the Quake environment was. Blatent cheats (ie: speed cheat) appeared. Cheats became more widespread as more people had access to them. It would be ignorant to claim that the Quake community hasn't suffered because of this. And many blame Open Source and the GPL.
But blaming Open Source, and claiming the widespread cheating is an example of how Open Source can't be secure, is also just as ignorant. Quake itself is to blame. Its security model needs a complete overhaul. Open Source developers have a chance to shine. Their challenge is to do that overhaul - make Quake playable and secure. As Carmak has noted, its no easy task.
Whether Open Source developers are able to "fix" Quake or not... there will be one thing for certain. We will all know how secure Quake is. Before, only a select few knew of its weaknesses. And some of those select few used their rare knowledge to exploit the environment without public awareness.
An interesting side note to all this... I visited a Quake cheating web site the other day. It seems that they pulled a bunch of the cheats since they violated the GPL (no source code available).
silicon.com, advocates for closed source software! I knew there had to be one out there.
I was looking at these ads too, but now I'll look at them with a different point of view.
Check out their website, you'll need to log on to see anything interesting (hint, the anti-cypher is your friend) to see these gems
UK employees happy with big brother watching
We like being spied on, says study by monitoring software company.
Microsoft UK MD blames Win2000 bugs on rivals
But win2000 is closed souce, so how did those rivals plant those bugs in there?
Eric Raymond backs Linux profiteers
Go ESR!
Consider this to be news lite. Nothing more than a handful of overworked and underinformed journalists who reformat press releases and trim them down into bite size newsbits. So this is where all those ex-Dennis people ended up (bring back Zero!)
If you have the patience, try loading one of their streaming videos. They are under a permanent slashdot effect, so the videos are best viewed by copying locally. The little chats they have with industry 'experts' can be quite hilarious, they are really nothing more than info-mercials.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
It seems that any article with so-called "experts" seems to find mostly experts in other areas. The "strategy analyst" and the other "experts" don't seem to know what they're talking about. For one thing, some of them seem to ignore the fact that OpenBSD, undoubtedly one of the most secure, if not the most secure operating system, is open-source. If an operating system is truly secure, it does not matter whether it is open-source or not, and open-source projects undoubtedly end up the most secure.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
HOWEVER, why is there in each article like this also an "open source advocate" who claims that "patches from Microsoft take months to appear!", which is simply not true either!
It's a mild exaggeration, but is probably pretty close - have a read though the BugTraq archives - it is often two to three weeks after a report is handed to them before they acknowledge a problem exists, and another few weeks before a patch is released - and even then, they often seem to have "phone support for this patch as it is not regression tested" on it......
--
-=DaveHowe=-
I have contacted the two whose companies are named (interestingly enough, one doesn't actually work for the company given, but the journalist thought it would sound "better" to name the larger company, and not the subcontractor) and both say they were taken massively out of context; ,and that the open/disclosed source nature of some unix-alikes make vunerability finding easier and faster than they would be if they were closed source (which of course is true). Given that BOTH stressed in their replies that they had been discussing only the needs of secure services (for example, banking servers) the exercise of a certain caution (for example, recommending SeOS as a secure operating system, which it practically defines) is understandable.
Both seem to believe that the more recent server platforms (NT and Linux in particular) are not yet mature enough for a "secure" environment,
Both also expressed their disappointment at the hate-mail they had received from members of this forum over this - which is predictable, I suppose, but as is usually the case, uncalled-for.
--
-=DaveHowe=-
Chanting that it doesn't work doesn't make it so and doesn't help.
It's a debatable option - in the short term, Security Through Obscurity DOES work, provided
- Black Hats can't get hold of a working copy to test against
- The vendors are committed to expansive testing and getting the patches out into the field fast and
- Known exploits against similar systems don't work on this one
If ANY of the above aren't true, then StO fails; if the system actually DOES have good enough security to survive a failure of one of the above three points, than it has good enough security to be open source (or at least peer reviewed) in the first place.Out of interest, does anyone know
--
-=DaveHowe=-
This is obviously true. Obviously security through obscurity works - that's why Windows NEVER gets hacked, and why we hear about Linux machines being compromised every day. You just have to look at the real statistics - none of this 'Anecdotal' evidence...
:-)
Actually, it was Thomas Freidman, the Foreign Affairs columnist for the NY Times, who came up with the McDonald's Theory of Conflict Prevention. And yes, it did fail in the case of the US bombings of Serbia, although Freidman rather convincingly argues that it was "McDonald's" that stopped that war, rather than any traditional military concerns.
.)
That is to say (since obviously McDonald's didn't literally stop the war, just like it doesn't literally prevent other ones) that the reasons the Serbs gave in and withdrew from Kosovo had nothing to do with any military losses we inflicted on them. Indeed, we barely touched their tanks/artilary in Kosovo, which were dug in well in advance and shielded by the mountainous terrain. Our bombing campaign against their military targets was a pretty big flop.
Instead, they surrendered because we bombed their economic infrastructure--namely all the bridges and power plants in Belgrade. Thus, Milosovic didn't withdraw because he no longer had the military ability to continue occupying Kosovo and killing/kicking out Kosovars at will, but rather because Serbia wants to be part of the global economy--hence the McDonald's--and the economic/political costs were too great. Indeed, he would have had a revolt on his hands, precisely (so says Freidman) because the citizens of Serbia care more about being able to "eat at McDonald's" (i.e. partake in the global economy) than they care about oppressing a bunch of Kosovars. (Or Kosovians, if you're George W. Bush.)
Hence the McDonald's Theory of Conflict Prevention is strengthened, despite being conclusively refuted by example. Or so says Freidman. (If you can't tell, I'm taking a course that he's co-teaching this semester. But you can read all of this in his book, The Lexus and the Olive Tree
"An example: the SYN DoS weakness discovered a while back, in both Windows and various UNIXen. Open source administrators and Linux/FreeBSD kernel hackers had a fix out within hours, while Microsoft and others languished for days or even weeks before releasing a fix. "
:-)
:-)
So a skilled administrator would then install an opensource firewall of some type over night.
Any competent system administrator would be able to install a firewall, and work around the operating system bug (hack around, in this case)
Just scale up your thinking beyond the case/case scenario. Any admin worth his/her salt would just grab a 486, firewall with NAT/MASQ, and then report the problem to the PHBs. If the PHBs insisted on insecurity, the admin would then follow the job description (security over all), and lie to them like many other IT people have had to in the past (see false authority syndrome).
QED a knowledgeable, competent sysadmin is the most crucial part of any security
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The program encrypts it in a trivial fashion to stop any namby from just going in and looking in. However, given enough time, anyone could decrypt it -- even by hand. This is why the shadow password system exists -- only UID 0 processes can access the (trivial to brute force) crypt DES hashes of the passwords. True, modern distros (Slackware) use MD5 hashes now, but they can still be brute forced given a dictionary, an MD5 encoder, and a final "hash" to compare to.
It is not possible to store secrets on the client computer if the client computer cannot be trusted.
Let me reiterate: it is not possible to store complete secrets on the local computer if the local computer cannot be trusted.
Solution: Don't write apps that store passwords on the local computer without using another password to encrypt them.
Workaround: Disable all "remember this password for me" checkboxes that keep cropping up in all sorts of apps
If I have access to your money box, I can break the lock. If I have access to your passwords, I can brute the hash. That's why you shouldn't "remember passwords" unless you 1) have the computer some place secure, and 2) are willing to remember it yourself so you don't put yourself in that situation.
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Here's Bruce Schneier's commentary on open source and cryptography, an obviously security related subject on which he can reasonably be considered an expert:
There is more detailed commentary in the newsletter that I have quoted. The people who believe FUD respect recognized authorities. Use him as a good one to counter this particular piece of FUD.
The net will not be what we demand, but what we make it. Build it well.
A small correction: www.articon.com probably has nothing to do with that. The relevant sites are www.articon.at, .ch, .cz, and .de, but still 3 out of 4 are running Apache on Linux.
--
Industrial space for lease in Flatlandia.
I really don't know where they find these people. I noticed his title was "strategy analyst" not "security analyst." The part where he said "Security needs to be built into the architecture of the operating system. This cannot happen if your source code is publicly available"--what rock has this guy been living under? This guy is supposed to have some kind of understanding about OS security?
I wouldn't be too concerned about this article at any rate. Open source has already proven itself in this area. It just goes to show that there is still a bit of ignorance about it and there will always be someone that digs it up and puts it in an article...
numb
However, I would like to make one single comment. If this headline were true then how on earth can a program like PGP be as secure as it is even when they released their source code?
These guys still live in the stone age if you ask me. Back then you could hack a dBase database just by taking a closer look at the Clipper source code. Times have changed; guess its time to read up and get a clue.
1. Individual applications often perform security audits looking for buffer overruns and the like. Also, a buffer overrun found in gnu grep would be fixed and benefit all operating systems that it can be compiled on.
2. I use RedHat as my single point of contact. It's worked very well so far. Linuxtoday also publishes when security patches are released.
3. The community keeps an eye on this, and if the Ukrainian fixes the problem and there seems to be a consensus that that is the proper fix, I'd install it without compunctions. Hence the quickness of the response. Besides, the community mobilizes pretty quickly. It's not like there's just you and that Ukrainian working on the problem.
4. As 2 and 3 are not a problem, 4 isn't either. There are many people dedicated to finding security bugs, and many amatuers who stumble upon them. With many eyes, all bugs are shallow. As is all FUD.
Interestingly enough, a quick look trough netcraft reveals the following:
While Clide Longbottom claims that Open Source is insecure, Strategy-partners.com , his company, runs a BSD server.
And while Bernie Dodwell says the same thing, his company, Integralis, merged with Articon, where most of their servers run, yes, you got it, none other than linux:
www.articon.com
www.articon.de (german branch).
www.articon.cz (czech branch).
www.articon.at (austrian branch).
Now thats what I call getting things straight.
I am going to have a go at tracking down the authors of these quotes on the offchance they have been taken out of context; I am not familiar with the Strategy Partners, but I know many at Integralis Group would be horrified that they had given a press release / quote stating they believed in security though obscurity....
The bio of Clive Longbottom (one of the Open Source is less secure guys) is at:
http://www.strategy-partners.com/bios/clive.htm
Since he's a chemist, I wonder if he's in favor of knowing what active ingredients are in medications and drugs. After all, "close the source" of drugs and it's harder to abuse them!
Do you put valuables out of sight when you leave your car parked in public?
:) 10 minutes before your car is apart and the object is stolen.
Yes, it's called keeping a LOW PROFILE. There is no security in dealing with cars, anyone can come along and smash a window or torch through the trunk.
Let's take your analogy and express it in a little more realistic scenario: The black hats want an object that is in your car, and they're going to make every attempt to steal that object when your car is parked.
Security through obscurity: Hide the object under a seat or in the trunk. I'd give a professional car stripper (hey I live in New Jersey
or
Good security: Attack dogs inside the car, the object in a safe that is welded to the frame, armed guards surrounding the car.
Which is more secure? I even told you where the object is in the second situation...
Do you have a hidden key for your house/car, and if you really believe that obscurity doesn't work, why is it hidden?
This isn't SOA really either. This is like suggesting that even though I use Open Source operating systems, I'm using SOA because I don't give the root password out.
The security is with the lock I use at the door. I'd much rather use a lock that has been under a peer review and proven unpassable without the key than one which is "closed source" and unreviewed.
Opinion: This article may or may not be FUD, but, inescapably, its pretty much the 'Other Camp' reaction to the zealot rallying cry that Open Source code is some kind of software panacea. If OS proponents weren't so single-mindedly bullish about its superiority in all fields, this wouldnt happen nearly as much. Don't confuse the development process (which IMHO is superior) with the product. OS is a solution, but not necessarily the only solution. Its an alternative, but shouldnt be dogma.
And I'll state what I consider to be a fact. There's nothing inherently more secure about an Open Source implementation of a feature versus a proprietry implementation. But there is a greater likelihood that the feature will be improved upon, faster and better, than a proprietry solution. Not always, but it is more likely.
The article, though, seems to make a different (mistaken) assumption. Access to the source code for a given Linux distro is probably the least significant factor in compromising security on a given Linux box. Is the article implying that someone would be able to develop a cracked kernel, and somehow cause its proliferation? Why not also mention Sendmail, BIND, or Apache, all of which sit on more boxen than Linux does? The kernel isn't the typical weak spot in a system; if there's any main software weakness, it's likely to be in the various server daemons.
Most importantly, though, at the end of the day, poor administration is absolutely the worst problem. Implying that a closed-source OS is automatically safer instills a ludicrous perspective, implying that admins of closed OS's need to know less about security. For that reason, and that reason alone, Silicon.com ought to be pilloried publically.
free experimental electronic music netlabel at www.viablehybrid.com
at epinions.com. You can rate a ton of different things and people can rate reviews. The site includes a section for software, including OSes. You can rate people's opinions. Pretty neat idea, really.
If the information on your machines is so incredibly vital to you, disconnect them from the network.
Of course, this isn't always an option. But i think the common view on `hacking' is still the TV-ish "hey, i cracked the DoD's machine in 5min.".
I'm having a bit of trouble imagining that the DoD, or any other organization for that matter, would but all their "Top Secret" documents (including the ones with the red "Top Secret" label) equipped with a modem or a connection to the Internet.
The same effect can be reached through firewalling and proper administration.
If the information is unavailable it is secure.
Security through obscurity DOES NOT WORK!
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
Personally, having worked on development of secure operating systems for DoD years ago, I don't take seriously anything with an all-powerful "root" or "administrator" account. In the serious security world, it's not done that way. But users hate highly secure operating systems. There are lots of things you're not allowed to do.
From a PHB's point of view, plain and simple, Security on any system is more in the hands of the Sys admins and proper implementation and administration of the products that just the base architecture of the product. This said, with the caliber of admins on the street, basically between the MCSE variety and a solid Linux or Open OS admin, I would choose the Open OS admin every time.
More race stuff in one place,
than any one place on the net.
Silicon.com has uncovered growing concern that the Linux operating system suffers from major security problems that could prevent its widespread adoption in the enterprise environment.
The very first paragraph tells me I do not need to continue reading. Amazing how they have magically uncovered this to reveal it to the rest of the world. BZZT im working lol no time to read garbage.
You want to design a secure lock? Take your design and throw it to the cat burglars of the world and see what they do with it.
You want a secure server? Give the source to the system crackers to play with...same thing. You go through a time when exploits are showing up left and right (and getting patched), but soon you'll have a hardened server.
Afterall, who do you trust more to find the holes in your security? A couple of hired security experts? Or a few thousand people with direct experience slipping into places they don't belong?
What part of this doesn't make sense?
-- WhiskeyJack
Anyway, who cares what the analysts think? The proof is in the pudding - people who need secure OSs are using OpenBSD. No endorsement is more important than a headcount of installations.
No, it's just confirmation of his cluelessness.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Anomalous: deviating from what is usual, normal, or expected
Canard: a false or unfounded repor
I was travelling into London on the Tube yesterday, and an ad for silicon.com caught my eye. It was a picture of a man's head, with a finger held up to his lips, and the slogan "Don't reveal your source!" underneath it. I assumed at the time that it meant "silicon.com is a source of industry knowledge - don't tell people where you get your information", but I'm not so sure that the second (anti-free software/open source) meaning is an accident, now.
Paranoia isn't an infectious condition, it's a way of life
Check the credentials of the people questioned and you realize that this article is heavily pro Linux.
1. Phil Roberts, systems manager for a network installer, ( anti )
2. Clive Longbottom, strategy analyst at Strategy Partners ( anti )
3. Bernie Dodwell, business development manager for System Security specialist Integralis Group ( anti )
4. Unix expert Malcolm Beattie, systems programmer for Oxford University Computer Service ( pro )
This is like coming out with some claim about the thrust required to launch a 15 tun object into space and having bunch of automechanics and a graphic artist give one view then getting another from the chief launch engineer at NASA.
Simply put the fact that the only Linux supporter comes down strongly against the other 3 and also has the best standing to make such claims speaks wonders. For those who don't know You can't name a top ten list of Universities without Oxford on it. Some of us would call it the #1 university on this planet.
--= Isn't it surprising how badly I spell ?
Move along. Nothing to see here. Just more FUD.
For those who didn't read the article, you didn't miss much. No real examples. No specific instances of Linux being insecure. Just general hearsay about how insecure Open Source must be. If you want a textbook example of FUD, this is it.
I don't even recommend writing to correct these people. Let them wallow in their own crapulence(sp).
Bad Mojo
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
Even our highly clueful friends at id were caught with their hands in the cookie jar. Carmack later went on record as saying that leaving the back door in the finished product was a dumb idea, and that he regretted the decision.
I've got an in idea. Someone should implement a credibility database for pundits and other self-described "experts". When they say something really good or really stupid, they go in. Positive karma when good, negative when bad.
When one needs the services of a consulting group, or just needs to hire more people, you can go to the credibility database to help weed out the morons. It might encourage these people to think a little before they say something controversial and stupid just to get their name in an article.
Say for instance, Phil Roberts of some unnamed company, Clive Longbottom of Strategy Partners, and Bernie Dodwell of the Integralis Group, would all go into this database as "clueless".
My only concern is that this could be used to silence speech, as your company forbids you from talking to the media about *anything*, because they don't your negative karma affecting them. It could also encourage "cliquish" behavior, as people who have a high rating in the Linux db would probably be negative in the Win2k db. But hey, that's politics, it's been that way without public databases.
A. The slashdot community is on the internet.
B. When something like this gets put on slashdot it often results in the slashdot effect.
C. Companies like Silicon.com generate revenue through ads
D. More hits = more money
E. Slashdot effect = More hits
F. Slashdot effect = More money
Are we responsible in some way for the Linux FUD. By visiting these sites we are supporting the FUD.
Just an idle observation.
If at first you don't succeed, skydiving is not for you.
Unfortunately, this is EXACTLY the sort of rag we need to keep FUD down in - we don't need our PHB's taking every word as gospel, as we could find yet another "use only microsoft, only microsoft can be trusted" Corporate Strategy Decision handed down from on high and enforced, purely on gossip and heresay.
I am going to have a go at tracking down the authors of these quotes on the offchance they have been taken out of context; I am not familiar with the Strategy Partners, but I know many at Integralis Group would be horrified that they had given a press release / quote stating they believed in security though obscurity....
BTW, did anyone else visit the registration screen and read their blatant attempts to build a headhunter-register? "how soon do you plan to change jobs" as a mandatory field.... :+)
--
-=DaveHowe=-
The former kind doesn't work. The latter kind (which is steganography) may work if you keep low profile.
IOW you probably can leave your briefcase in the trunk of your $500 '78 Subaru, but not of your $800,000 '99 Ferrari.
--
Industrial space for lease in Flatlandia.
Any "security expert" who implies that with just the right choice of operating system can complete security be attained is an idiot. Security is an ongoing process that starts with well trained administrators. But most companies want to pay some dipshit (much less money) to keep their network running and like to delude themselves into thinking that their networks are secure because they're running an obscure OS.
Anyone out there holding shares in any internet company should attend the next shareholder's meeting and ask some hard questions about the security policy and the "experts" in place to deal with it.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
....Once again.   A quote from the article:
Both agreed that commercial flavors of Linux are still fall from ready for the corporate environment
Uh excuse me?   If we're focussing strictly on security, then how (and please don't flame me Microsoft users/administrators, because I am one myself at work by requirement, whereas I choose something different at home), can any Microsoft product be "ready for the corporate environment", with at least a virus a week (and more and more - at least one a day being reported), whereas Linux is not????   The amount of time *I* and my staff have to spend making sure 800+ desktops running Microsoft products, as well as 30 servers running said MS products, are virus-free has gone beyond comprehension.
We do have some production Linux boxes at work as well (have had them for several years) - and have yet to run into any "security" problem.
Note too, that most of the powerful firewalls are running *nix products, eg., SunOS.
Some on other forums have posted an interesting ditty that I'll post here:
On Winning
First they ignore you
Then they laugh at you
Then they fight you
Then you win.
-- Win2k: "It's not so much that it's only 65,000 bugs, it's just that they stopped at 65,535 to prevent an overflow."
Ohhhh, I've been waiting for some geniuses to make this mistake publically.
Anyone install CuteFTP lately? Or any of a couple hundred other applications that Aureate Inc. paid companies to install their advertising software within?
Now, many people have debunked the rather virulent myth that Aureate was paying off these hundreds of shareware developers so that they could spy on people's computers.
However, it'd be rather hard to debunk one simple fact: Hundreds of software developers put their good name on code that not only wasn't open to the world to search for security concerns...
It wasn't even open to them.
You can't just can't pay a Linux developer to include code in their software that nobody else can see, let alone that they can't. But hundreds of software developers merrily included Aureate's package, sight unseen, and hoped it didn't do anything bad.
Perhaps Aureate indeed does expose the final end customers to certain forms of privacy violation(most directly, users don't generally expect that anyone on the outside world knows what software they're running). But that's not nearly as significant as some of the charges against Aureate--that they were searching through registries, rifling through hard drives looking for data.
But the developers who put their name on the package didn't know for sure that the code didn't do that. The users who trusted those developers--the users whose systems were at the greatest risk--they too had no ability to audit that code for safety analysis.
And, for all of Aureate's desperate attempts to defend itself, not even they can ever be absolutely sure that their code is intrinsically free of all buffer overflows, of all forged replies, of a preconstructed false advertisement that, when retrieved, overflows the GIF decompression code to allow the host system to be compromised...in the Open Source world, we find these problems quickly and send the authors fixes.
Aureate has no such help, and no such luck.
But, they'll just keep payin' 'em off...proving every day just why Open Source is more trustable.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Your first sentence is not at all correct. Your second sentence is very true, and explicitly explains why your first comment is not, if you think about it.
Open Source tools and operating systems give the "most important security device" the ability to do something to correct an emerging security issue, which in a closed source environment may not exist.
An example: the SYN DoS weakness discovered a while back, in both Windows and various UNIXen. Open source administrators and Linux/FreeBSD kernel hackers had a fix out within hours, while Microsoft and others languished for days or even weeks before releasing a fix. It made absolutely no difference how good or skilled a system administrator responsible for Windows machines was in that scenerio - they simply could do nothing about the problem (short of sitting in the office watching the system and doing a manaul reboot) until Microsoft got around to releasing their patch. The same was true of other closed source platforms which have an otherwise much better history of quality control than MS. The open source admins, on the other hand, were able to fix the problem (and share the solution with the world) almost immediately.
Clearly, the Open Source paradigm allows for a much more timely and robust response to security threats:
The Future of Human Evolution: Autonomy
More info:
Integralis.com is bought by Articon.com. Incidentally, www.articon.com runs Apache on Linux.--
Industrial space for lease in Flatlandia.
--
Industrial space for lease in Flatlandia.
Chanting that it doesn't work doesn't make it so and doesn't help.
There is a whole field of cryptography called "Steganograpy" that studies how to hide messages. Do you put valuables out of sight when you leave your car parked in public? Do you have a hidden key for your house/car, and if you really believe that obscurity doesn't work, why is it hidden? How many times have you heard wisecrackers on /. say that "microsoft will never release their source 'cause think of how many security holes would be immediately found." Look at the rapid increase in problems with Quake bots after source was released.
Obscurity is just one more layer of protection. Hopefully it isn't the only layer nor the strongest layer, but it does help. Obscurity is often a very easy layer to add so the cost/benefit ratio is very good.
Yes, obscurity most keeps out only the least skilled or people who want to spend only a little bit of time breaking something, but that is a huge group.
Ranting that "security through obscurity doesn't work" is a nice bummer-sticker type slogan. Like most other short rants, it is bogus and life is more complicated than that.
Instead, we should be calmly explaining that "open source is more secure despite not being obscure." We can take about how open source can be a plus as well as a minus. We can show emprical evidence, we can talk about how many "white hat" people can fix bugs, we can talk about how "too often closed source developers use obscurity as their only defense".
SPF support for most open source mail servers can be found at libspf2.
First of all, Silicon.com isn't any place to be getting good opinions about technical stuff. It's a overview-style PHB rag. Too bad they don't recognise this.
The more important thing we all seem to miss is that the security of an OS is dependent on two critical features:
How easy is to find exploits?
and
How fast are those exploits fixed?
Now, as a simple matter of logic, it is easier to find an exploit on a Open-Source system than a closed source system, everything else being equal. It's that simple. You've got the code right in front of you, so it's easy to verify that there is indeed a flaw.
However, the other issue is where is Open Source community shines. Typical patches for exploits are generally issued within hours, or at most a couple of days for OS stuff, whereas we all know how long it takes our favorite vendors to fix their stuff (if they ever get around to it).
You simply can't consider one of the two requirements in absence of the other. It's impossible. Doing so marks you as a complete nincompoop. Or dort, whichever you prefer. And, of course, we're talking about an ideal world, where everyone has an equally elegant design, all coders made the same quality code, etc. In reality, these other issues generally far outweigh the first consideration, and have a considerable impact on the second (bad code is harder to fix, thus longer patch times). And we've all seen the quality of some of the closed-source code, haven't we?
The other quote there that I love is: Security needs to be built into the architecture of the operating system. This cannot happen if your source code is publicly available. The first sentance has nothing to do with the second one - they are completely unrelated. Indeed, security must be built into the OS, you simply can't bolt it on later. This is a design issue, and has nothing to do with whether the OS is OpenSource or closed. The guy's a blathering clueless moron.
Right now, the most secure OSes around are OpenBSD, Secure IRIX, and Secure SunOS. All have a very careful security design included in them, and are very attentive to security concerns. One is OpenSource, the other two are closed. Giving away the code makes no difference to the end -security of your system. Either you did a good security design, or you didn't.
The article is simply wrong.
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
You can make NT, Linux, BSD, the MacOS, or even MS-DOS secure with a little bit of knowhow, even if the latter two are inherently nonsecured operating systems.
(A car with ABS is no good if the driver still pumps the brakes, if you know what I mean.)
--
--
E2 IN2 IE?
What is the best way to do this? You need to ensure that the source code to your Operating System (tm) is in the hands of a neutral third party: Microsoft (C)(R)(tm)(sm)(patent pending). We've been doing this for years. We ensure that nobody outside of our Company (tm) knows about any bugs that may or may not be in our Closed Source Code (tm). And because every Operating System (tm), as long as it is designed by humans, will have security holes, we ensure that each Service Pack (tm) will not only plug the old security holes, but also will introduce new ones that no one yet knows about. This, friends, truly is Quality (tm); there will always be security flaws, but don't you sleep better at night knowing that for the time being, the only party who knows about them is a name you can trust? And that so-called Operating System (tm) (we are investigating a trademark infringemnt lawsuit over the unauthorized use of a registered Microsoft (C)(R)(tm)(sm)(patent pending) trademark) designed by one Mr. Linux Torvalds has new security holes discovered at least once a week! You don't hear about Windows NT (C)(R)(tm)(sm)(patent pending) security holes for months sometimes!
In closing, permit me to thank you for your continued patronage of Microsoft (C)(R)(tm)(sm)(patent pending), or your imminent switch to a Microsoft (C)(R)(tm)(sm)(patent pending)-based Operating System (tm).
Sincerely,
Mr. L. Mer Fudd, Microsoft (C)(R)(tm)(sm)(patent pending) Assistant Vice-Presidential Director of Marketing-Type Activities
--
--
We have fought the AC's, and they have won.