Slashdot Mirror


'Experts' Back To Claiming Open Source Insecure

jacobito was the first of the folks who sent us a report running in Silicon.com regarding security and open source products. It's the typical claim - that open source is insecure because it is open source. They've also provided the counter-quotes, though, arguing that because it is open source, it's inherently more secure. *sigh* I hate issue re-tread.

20 of 207 comments

  1. [somewhat OT] I saw an ad for silicon.com by Dicky · · Score: 3

    I was travelling into London on the Tube yesterday, and an ad for silicon.com caught my eye. It was a picture of a man's head, with a finger held up to his lips, and the slogan "Don't reveal your source!" underneath it. I assumed at the time that it meant "silicon.com is a source of industry knowledge - don't tell people where you get your information", but I'm not so sure that the second (anti-free software/open source) meaning is an accident, now.

    --
    Paranoia isn't an infectious condition, it's a way of life
  2. This is actually *PRO* Linux. by Forge · · Score: 3

    Check the credentials of the people questioned and you realize that this article is heavily pro Linux.

    1. Phil Roberts, systems manager for a network installer, ( anti )

    2. Clive Longbottom, strategy analyst at Strategy Partners ( anti )

    3. Bernie Dodwell, business development manager for System Security specialist Integralis Group ( anti )

    4. Unix expert Malcolm Beattie, systems programmer for Oxford University Computer Service ( pro )

    This is like coming out with some claim about the thrust required to launch a 15 ton object into space and having a bunch of auto mechanics and a graphic artist give one view, then getting another from the chief launch engineer at NASA.

    Simply put, the fact that the only Linux supporter comes down strongly against the other 3 and also has the best standing to make such claims speaks wonders. For those who don't know, you can't name a top ten list of Universities without Oxford on it. Some of us would call it the #1 university on this planet.

    --
    --= Isn't it surprising how badly I spell ?
  3. Ok everyone by Bad+Mojo · · Score: 3

    Move along. Nothing to see here. Just more FUD.

    For those who didn't read the article, you didn't miss much. No real examples. No specific instances of Linux being insecure. Just general hearsay about how insecure Open Source must be. If you want a textbook example of FUD, this is it.

    I don't even recommend writing to correct these people. Let them wallow in their own crapulence (sp).

    Bad Mojo

    --
    Bad Mojo
    "If you can't win by reason, go for volume." -- Calvin
    1. Re:Ok everyone by DaveHowe · · Score: 3

      They got quotes from a strategy analyst and a business development manager.
      Not entirely sure if this applies to Integralis, but I just checked with OUR personnel department, and "business development manager" is one of the things our cold-call salespeople are allowed to call themselves on their business cards. The vast majority are issued with company car, laptop and sales brochures, and given a half day "induction" before they go out on the road....
      --
      -=DaveHowe=-
  4. Bugtraq, for one. by sammy+baby · · Score: 3
    Check out the archives on Bugtraq (available at SecurityFocus.com). Although I wasn't able to find much during the 5 minutes or so I spent trying to navigate their irritatingly counterintuitive web site, I was able to locate documentation on a backdoor to 3Com switches. I also know (from having previously subscribed to that list) that it's far from the only back door intentionally left in a product.

    Even our highly clueful friends at id were caught with their hands in the cookie jar. Carmack later went on record as saying that leaving the back door in the finished product was a dumb idea, and that he regretted the decision.

  5. A modest proposal by 0xdeadbeef · · Score: 3

    I've got an idea. Someone should implement a credibility database for pundits and other self-described "experts". When they say something really good or really stupid, they go in. Positive karma when good, negative when bad.

    When one needs the services of a consulting group, or just needs to hire more people, you can go to the credibility database to help weed out the morons. It might encourage these people to think a little before they say something controversial and stupid just to get their name in an article.

    Say for instance, Phil Roberts of some unnamed company, Clive Longbottom of Strategy Partners, and Bernie Dodwell of the Integralis Group, would all go into this database as "clueless".

    My only concern is that this could be used to silence speech, as your company forbids you from talking to the media about *anything*, because they don't want your negative karma affecting them. It could also encourage "cliquish" behavior, as people who have a high rating in the Linux db would probably be negative in the Win2k db. But hey, that's politics, it's been that way without public databases.

  6. Re:ignorance of the author by infodragon · · Score: 3

    A. The slashdot community is on the internet.
    B. When something like this gets put on slashdot it often results in the slashdot effect.
    C. Companies like Silicon.com generate revenue through ads
    D. More hits = more money
    E. Slashdot effect = More hits
    F. Slashdot effect = More money

    Are we responsible in some way for the Linux FUD? By visiting these sites we are supporting the FUD.

    Just an idle observation.

    --
    If at first you don't succeed, skydiving is not for you.
  7. Re:Two different issues here.... by DaveHowe · · Score: 3
    First of all, Silicon.com isn't any place to be getting good opinions about technical stuff. It's an overview-style PHB rag. Too bad they don't recognise this.
    Unfortunately, this is EXACTLY the sort of rag we need to keep FUD down in - we don't need our PHBs taking every word as gospel, as we could find yet another "use only Microsoft, only Microsoft can be trusted" Corporate Strategy Decision handed down from on high and enforced, purely on gossip and hearsay.
    I am going to have a go at tracking down the authors of these quotes on the off chance they have been taken out of context; I am not familiar with Strategy Partners, but I know many at Integralis Group would be horrified that they had given a press release / quote stating they believed in security through obscurity....

    BTW, did anyone else visit the registration screen and read their blatant attempts to build a headhunter-register? "how soon do you plan to change jobs" as a mandatory field.... :+)
    --

    --
    -=DaveHowe=-
  8. Re:Security through obscurity DOES work! by anatoli · · Score: 3
    You confuse two different kinds of security by obscurity. You can obscure your encryption method (or your OS), or you can obscure the fact your message (or your computer) even exists.

    The former kind doesn't work. The latter kind (which is steganography) may work if you keep a low profile.

    IOW you probably can leave your briefcase in the trunk of your $500 '78 Subaru, but not of your $800,000 '99 Ferrari.
    --
    Industrial space for lease in Flatlandia.
  9. Re:I want a piece of this action. by waynem77 · · Score: 3

    The Computer Virus Myths page labels this "False Authority Syndrome" and has a pretty good write-up at http://kumite.com/myths/fas/.

  10. Only through open source is there any security by Greyfox · · Score: 3
    Microsoft and others have proved again and again that you cannot trust the people implementing your operating system. Only through open source and open peer review is any security at all possible.

    Any "security expert" who implies that complete security can be attained with just the right choice of operating system is an idiot. Security is an ongoing process that starts with well trained administrators. But most companies want to pay some dipshit (much less money) to keep their network running and like to delude themselves into thinking that their networks are secure because they're running an obscure OS.

    Anyone out there holding shares in any internet company should attend the next shareholder's meeting and ask some hard questions about the security policy and the "experts" in place to deal with it.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  11. FUD by JDax · · Score: 3

    ....Once again. A quote from the article:

    Both agreed that commercial flavors of Linux are still far from ready for the corporate environment

    Uh, excuse me? If we're focusing strictly on security, then how (and please don't flame me Microsoft users/administrators, because I am one myself at work by requirement, whereas I choose something different at home) can any Microsoft product be "ready for the corporate environment", with at least a virus a week (and more and more - at least one a day being reported), whereas Linux is not???? The amount of time *I* and my staff have to spend making sure 800+ desktops running Microsoft products, as well as 30 servers running said MS products, are virus-free has gone beyond comprehension.

    We do have some production Linux boxes at work as well (have had them for several years) - and have yet to run into any "security" problem.

    Note too that most of the powerful firewalls are running *nix products, e.g., SunOS.

    Some on other forums have posted an interesting ditty that I'll post here:

    On Winning

    First they ignore you
    Then they laugh at you
    Then they fight you
    Then you win.

    --
    -- Win2k: "It's not so much that it's only 65,000 bugs, it's just that they stopped at 65,535 to prevent an overflow."
  12. Just Pay 'Em Off by Effugas · · Score: 4

    Ohhhh, I've been waiting for some geniuses to make this mistake publically.

    Anyone install CuteFTP lately? Or any of a couple hundred other applications that Aureate Inc. paid companies to install their advertising software within?

    Now, many people have debunked the rather virulent myth that Aureate was paying off these hundreds of shareware developers so that they could spy on people's computers.

    However, it'd be rather hard to debunk one simple fact: Hundreds of software developers put their good name on code that not only wasn't open to the world to search for security concerns...

    It wasn't even open to them.

    You can't just can't pay a Linux developer to include code in their software that nobody else can see, let alone that they can't. But hundreds of software developers merrily included Aureate's package, sight unseen, and hoped it didn't do anything bad.

    Perhaps Aureate indeed does expose the final end customers to certain forms of privacy violation(most directly, users don't generally expect that anyone on the outside world knows what software they're running). But that's not nearly as significant as some of the charges against Aureate--that they were searching through registries, rifling through hard drives looking for data.

    But the developers who put their name on the package didn't know for sure that the code didn't do that. The users who trusted those developers--the users whose systems were at the greatest risk--they too had no ability to audit that code for safety analysis.

    And, for all of Aureate's desperate attempts to defend itself, not even they can ever be absolutely sure that their code is intrinsically free of all buffer overflows, of all forged replies, of a preconstructed false advertisement that, when retrieved, overflows the GIF decompression code to allow the host system to be compromised...in the Open Source world, we find these problems quickly and send the authors fixes.

    Aureate has no such help, and no such luck.

    But, they'll just keep payin' 'em off...proving every day just why Open Source is more trustable.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  13. Not Entirely True by FreeUser · · Score: 4
    Open source doesn't make software more secure, and neither does closed source. It was established a long time ago that a skilled administrator was the most important security device.

    Your first sentence is not at all correct. Your second sentence is very true, and explicitly explains why your first comment is not, if you think about it.

    Open Source tools and operating systems give the "most important security device" the ability to do something to correct an emerging security issue, which in a closed source environment may not exist.

    An example: the SYN DoS weakness discovered a while back, in both Windows and various UNIXen. Open source administrators and Linux/FreeBSD kernel hackers had a fix out within hours, while Microsoft and others languished for days or even weeks before releasing a fix. It made absolutely no difference how good or skilled a system administrator responsible for Windows machines was in that scenario - they simply could do nothing about the problem (short of sitting in the office watching the system and doing a manual reboot) until Microsoft got around to releasing their patch. The same was true of other closed source platforms which have an otherwise much better history of quality control than MS. The open source admins, on the other hand, were able to fix the problem (and share the solution with the world) almost immediately.

    Clearly, the Open Source paradigm allows for a much more timely and robust response to security threats:

    • The product is subjected to peer review in every phase of its development, allowing many security fixes to be performed pro-actively, before weaknesses are ever exploited. In contrast, closed source never goes through any significant peer review whatsoever.
    • Open source provides accessibility to the code, allowing thousands of minds to address security issues which emerge as a result of an exploit (such as the SYN DoS attack), and share their solutions with the rest of the world in an astonishingly short time.
    • Security through obscurity has been demonstrated time and time again to be ineffective, and always results in a reactive, rather than proactive, solution, catalyzed by an exploit of said weakness. With open source there is no temptation whatsoever to attempt to engage in "security through obscurity" as the source availability guarantees there will be no obscurity.
    --
    The Future of Human Evolution: Autonomy
  14. Re:Strange... by anatoli · · Score: 4
    Solaris is disclosed source. Which, for the purpose of this discussion, is the same as open source (i.e. anyone, including hackers, can see the source).

    More info:

    Bernie Dodwell, business development manager for System Security specialist Integralis Group, said the operating system is insecure because it is open source.
    Integralis.com is bought by Articon.com. Incidentally, www.articon.com runs Apache on Linux.
    --
    Industrial space for lease in Flatlandia.
  15. Strange... by anatoli · · Score: 4
    Clive Longbottom, strategy analyst at Strategy Partners, agreed with his analysis, saying the problems are preventing its adoption in secure areas. He said: "Security needs to be built into the architecture of the operating system. This cannot happen if your source code is publicly available." He added that the issue could lead to proprietary versions of Linux being developed.
    Why is their website running Apache on Solaris, then?
    --
    Industrial space for lease in Flatlandia.
  16. Security through obscurity DOES work! by wayne · · Score: 5
    Yes, security through obscurity DOES work!

    Chanting that it doesn't work doesn't make it so and doesn't help.

    There is a whole field of cryptography called "Steganography" that studies how to hide messages. Do you put valuables out of sight when you leave your car parked in public? Do you have a hidden key for your house/car, and if you really believe that obscurity doesn't work, why is it hidden? How many times have you heard wisecrackers on /. say that "Microsoft will never release their source 'cause think of how many security holes would be immediately found." Look at the rapid increase in problems with Quake bots after source was released.

    Obscurity is just one more layer of protection. Hopefully it isn't the only layer nor the strongest layer, but it does help. Obscurity is often a very easy layer to add so the cost/benefit ratio is very good.

    Yes, obscurity mostly keeps out only the least skilled or people who want to spend only a little bit of time breaking something, but that is a huge group.

    Ranting that "security through obscurity doesn't work" is a nice bumper-sticker type slogan. Like most other short rants, it is bogus and life is more complicated than that.

    Instead, we should be calmly explaining that "open source is more secure despite not being obscure." We can talk about how open source can be a plus as well as a minus. We can show empirical evidence, we can talk about how many "white hat" people can fix bugs, we can talk about how "too often closed source developers use obscurity as their only defense".

    --
    SPF support for most open source mail servers can be found at libspf2.
  17. Two different issues here.... by trims · · Score: 5

    First of all, Silicon.com isn't any place to be getting good opinions about technical stuff. It's an overview-style PHB rag. Too bad they don't recognise this.

    The more important thing we all seem to miss is that the security of an OS is dependent on two critical features:

    How easy is it to find exploits?

    and

    How fast are those exploits fixed?

    Now, as a simple matter of logic, it is easier to find an exploit on an Open-Source system than a closed source system, everything else being equal. It's that simple. You've got the code right in front of you, so it's easy to verify that there is indeed a flaw.

    However, the other issue is where the Open Source community shines. Typical patches for exploits are generally issued within hours, or at most a couple of days for OS stuff, whereas we all know how long it takes our favorite vendors to fix their stuff (if they ever get around to it).

    You simply can't consider one of the two requirements in absence of the other. It's impossible. Doing so marks you as a complete nincompoop. Or dolt, whichever you prefer. And, of course, we're talking about an ideal world, where everyone has an equally elegant design, all coders make the same quality code, etc. In reality, these other issues generally far outweigh the first consideration, and have a considerable impact on the second (bad code is harder to fix, thus longer patch times). And we've all seen the quality of some of the closed-source code, haven't we?

    The other quote there that I love is: Security needs to be built into the architecture of the operating system. This cannot happen if your source code is publicly available. The first sentence has nothing to do with the second one - they are completely unrelated. Indeed, security must be built into the OS, you simply can't bolt it on later. This is a design issue, and has nothing to do with whether the OS is OpenSource or closed. The guy's a blathering clueless moron.

    Right now, the most secure OSes around are OpenBSD, Secure IRIX, and Secure SunOS. All have a very careful security design included in them, and are very attentive to security concerns. One is OpenSource, the other two are closed. Giving away the code makes no difference to the end security of your system. Either you did a good security design, or you didn't.

    The article is simply wrong.

    -Erik

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.
  18. Actually, none of the above... by LocalYokel · · Score: 5
    Open source doesn't make software more secure, and neither does closed source. It was established a long time ago that a skilled administrator was the most important security device.

    You can make NT, Linux, BSD, the MacOS, or even MS-DOS secure with a little bit of know-how, even if the latter two are inherently nonsecured operating systems.

    (A car with ABS is no good if the driver still pumps the brakes, if you know what I mean.)

    --
    E2 IN2 IE?

  19. A word from your Friendly Local MS Spokesperson by locutus074 · · Score: 5
    "Security needs to be built into the architecture of the operating system. This cannot happen if your source code is publicly available."
    It's nice to see independent peer review confirming what we here at your Friendly Local Microsoft Business Office (C)(R)(tm)(sm)(patent pending) have been saying for years. You need to ensure that the source code to your Operating System (tm) stays out of the hands of the so-called "hackers" whose only aim is to break into your system and steal your important data.

    What is the best way to do this? You need to ensure that the source code to your Operating System (tm) is in the hands of a neutral third party: Microsoft (C)(R)(tm)(sm)(patent pending). We've been doing this for years. We ensure that nobody outside of our Company (tm) knows about any bugs that may or may not be in our Closed Source Code (tm). And because every Operating System (tm), as long as it is designed by humans, will have security holes, we ensure that each Service Pack (tm) will not only plug the old security holes, but also will introduce new ones that no one yet knows about. This, friends, truly is Quality (tm); there will always be security flaws, but don't you sleep better at night knowing that for the time being, the only party who knows about them is a name you can trust? And that so-called Operating System (tm) (we are investigating a trademark infringement lawsuit over the unauthorized use of a registered Microsoft (C)(R)(tm)(sm)(patent pending) trademark) designed by one Mr. Linux Torvalds has new security holes discovered at least once a week! You don't hear about Windows NT (C)(R)(tm)(sm)(patent pending) security holes for months sometimes!

    In closing, permit me to thank you for your continued patronage of Microsoft (C)(R)(tm)(sm)(patent pending), or your imminent switch to a Microsoft (C)(R)(tm)(sm)(patent pending)-based Operating System (tm).

    Sincerely,
    Mr. L. Mer Fudd, Microsoft (C)(R)(tm)(sm)(patent pending) Assistant Vice-Presidential Director of Marketing-Type Activities

    --
    We have fought the AC's, and they have won.