Slashdot Mirror


UK Conservatives Slammed Over Open Source Stance

Golygydd Max writes "The UK government has been criticised by the opposition Conservative (Tory) party for its lack of support for open-source software. Now, according to Techworld, a security company that has examined the Tory plans has come out against the use of open source software, citing the number of security problems inherent in the software. This is a sensitive issue for the UK government, still smarting from the loss of 7m family records from HM Revenue and Customs in 2007. What makes this criticism interesting is that this is an attack on the policies of what will certainly be the next British government — it's unusual for a party to be criticised like this before it comes to office. It's an indication of how IT is going to be a battleground in the future general election."

6 of 281 comments

  1. oh no by Canazza · · Score: 0, Troll

    oh no, not again. David Cameron has picked up on another techy buzzword and is hoping to slam Labour into the ground with it. This isn't about FOSS at all, it's about the political machinations of a desperate man and a desperate party, futilely attempting to win favour with the masses.
    I'm sorry David, but we will never forget Maggie Maggie Milk Snatcher, nor will we forget your morning 'green friendly' cycle to work while your briefcase goes by car.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
  2. Re:Just another way to fight... by meringuoid · · Score: 0, Troll
    And this is different from the Democrats how?

    I think the Democrats were traditionally the party of slavery. Hardly a platform of support for the workers.

    --
    Real Daleks don't climb stairs - they level the building.
  3. Re:He's from Yorkshire by msuarezalvarez · · Score: 0, Troll

    Well, she did screw things up majorly, turning Britain into this first "underdeveloping country", as someone put it.

  4. Re:Hmmmm.... by malevolentjelly · · Score: 0, Troll

    Yes, but it also makes it easier for those who use the software to locate and fix the flaws first ;)

    To give a better explanation of why OSS is more secure though, think about this scenario. You have a web server on the wide open internet serving an important web page for your business or institution, and any downtime will lose you thousands, maybe millions of pounds of profit (think how much Amazon would lose if its site goes down, for example). If you run an open source web server and an exploit is uncovered by security researchers that allows an attacker to take over your web server, then you can edit the source code to fix it immediately, or at least put a quick fix in place to block the attack, and have very little, perhaps even no downtime.

    If however you rely on a proprietary vendor, say Microsoft, to fix it and it takes them 2 weeks to release a patch, what do you do in the meantime? Do you keep your web server up and risk having your web server hijacked, or do you take it down and lose millions in business?

    This is just an example; you can mitigate the problem by having a firewall block attacks, but this only works to a degree. I myself wasn't too sure about why OSS was more secure for a while, but it's one of those things that when you look into the reasoning behind such comments you'll realise that yes, they're right, OSS really is fundamentally a more secure concept.

    Of course, the other thing to realise is that binaries are themselves fairly trivial to interpret for people who have a strong computer science background such that it's not even particularly a massively difficult task to spot exploits in closed source software. It is however often much harder to fix faults in closed source software in the same way.

    This entire argument falls apart if the closed source software has a fast response security team. With a centralized system like Windows, they might be able to distribute the fixed code faster and more completely. Enterprise customers can receive hotfixes for security issues in mere hours, despite the fact that the major patch needs to go through QA before getting sent out to the whole platform.

    This argument is decimated if untrusted parties are involved anywhere in the software creation process for the OSS. Unintentional bugs and exploits are found all the time in the Linux kernel... imagine what would happen if someone dropped in well hidden intentional malicious code?

    Remember that the majority of successfully hacked web servers are Linux systems running Apache, so it's difficult to tell whether the systems are more dangerous due to malicious intent or the more commonplace incompetence that riddles free code in general.

  5. Re:Hmmmm.... by malevolentjelly · · Score: 0, Troll

    Nothing to do with Apache, the Linux kernel, or anything else that gets included in a standard Enterprise distro, but merely the stuff the user/admin installs afterwards, and doesn't bother to harden appropriately.

    Okay, it's less secure. I get it. I wrote that already, but in a less dismissive and excusing way. If the user needs to know all sorts of secret "in-the-know" Unix crap to run a web server that's secure, then small businesses and personal users should use Windows Server, which will probably be more secure out of the box, with graphical tools and wizards to help you configure it... since so many people aren't smart enough to use Linux, it seems.

  6. Re:Hmmmm.... by malevolentjelly · · Score: 0, Troll

    It's difficult to remember something that isn't true.

    http://it.toolbox.com/blogs/managing-infosec/linux-hacked-more-often-than-windows-2003-23371

    It takes more than excited zeal to keep a system secure.

    ...he does raise the point that Microsoft will only issue fixes for certain customers.

    Anyone can request a hotfix. Every copy of Windows purchased within the last decade is supported.

    At least with open source you can patch problems on your own, even if the owner does not wish to or even goes out of business.

    Did you know that that violates your support contract? If you should choose to do that, you've forfeited your rights to hold RedHat or Novell or whomever your vendor is liable in case of a major support issue; they no longer have to hold your support contract valid. I don't think some amateur hacked solution is worth the loss of your vendor's liability.