Slashdot Mirror
UK Conservatives Slammed Over Open Source Stance
Golygydd Max writes "The UK government has been criticised by the opposition Conservative (Tory) party for its lack of support for open-source software. Now, according to Techworld, a security company that has examined the Tory plans has come out against the use of open source software, citing the number of security problems inherent in the software. This is a sensitive issue for the UK government, still smarting from the loss of 7m family records from HM Revenue and Customs in 2007. What makes this criticism interesting is that this is an attack on the policies of what will certainly be the next British government — it's unusual for a party to be criticised like this before it comes to office. It's an indication of how IT is going to be a battleground in the future general election."
> it's unusual for a party to be criticised like this before it comes to office
Clearly timothy is unfamiliar with UK politics.
...Now, according to Techworld, a security company that has examined the Tory plans has come out against the use of open source software, citing the number of security problems inherent in the software...
I think we need to be objective here. Software both closed source and open source is created by human beings.
By nature, these human beings make mistakes.
The question then becomes: Which model of software development fixes security issues faster? We should collect statistics here and convince these Britons that OSS is still the best model around.
We should also remind the skeptics about OSS, that more than 80% of internet traffic is handled by OSS systems, so if OSS were that insecure, it would show...fast.
"Our own research, however, has concluded that open source software exposes users to significant and unnecessary business risk, as the security is often overlooked, making users more vulnerable to security breaches," said Fortify vice president, Richard Kirk.
US outfit Fortify Software has come up with research to prove it.
Uh, wow, a US company that sells software doesn't want the British government to switch to open source software? What a radical position to take! Of course, it couldn't have anything to do with the fact that its hard to price gouge a rich government for security software if they're not running propriatary crap. I'm sure if they had their way the Brits would all be running Vista and MS Office.
The world you experience is only a close approximation of reality.
...it's unusual for a party to be criticised like this before it comes to office.
How is it unusual? It happens all the time. And anyway, the whole summary doesn't make sense.
The UK government has been criticised by the opposition Conservative (Tory) party for its lack of support for open-source software.
And, then:
a security company that has examined the Tory plans has come out against the use of open source software
So, the security company agrees with the current government? How is this news?
"It's an indication of how IT is going to be a battleground in the future general election."
Not really. Politicians will grasp at anything to make sensational claims about their opponents. Doesn't matter if it involves IT, their sex lives or what they eat for breakfast.
American here, maybe politics are better in the UK. (but I doubt it)
We should collect statistics here and convince these Britons that OSS is still the best model around.
Yeah, maybe we look here https://opensource.fortify.com/ They scanned 103 projects with a total of 24668646 loc and found a total of 403 error which makes for 1 error in 61212 loc or 4 errors per projects. Not too bad I'd say. Oh, btw of those 403 errors found 383 are already fixed.
1. Identify greatest long term threat to my industry
2. Conduct "Research" on threat and publish to increase FUD.
3. Sell products to "fix" FUD issues.
4. Profit!
Subject: No ?????????
Filter error: Your subject looks too much like ascii art.
You saw him repressing me, didn't you?
brandelf -t FreeBSD
Politics is about, "We would do things better than you do!", open source software is just an unfortunate, innocent bystander in this process. If Labour were open source advocates, the Tories would be saying exactly what the, presumably Labour funded, security company are saying right now.
Personally, I think the time has come for another interesting political scandal so they will leave the software industry alone.
For those of you not familiar with UK politics, it works a bit like this...
There are 2 main parties, plus a 3rd with a small but meaningful number of seats. Each of the two main parties elect a leader who becomes candidate for PM. Labour are historically the party for the working man, formed out of the unions, however, in recent years they have figured out that the working man is significantly less likely to invite you for a spin on their yacht, so have shifted their position a little.
The current opposition party, the conservatives (or 'Torys'), usually have MPs that come from the rich and privately educated set, such as the hilarious London mayor Boris Johnson (seriously, look this guy up, he is a laugh a minute). They stand for strong family values, but are actually quite likely to be found having a three-way homosexual romp in a public toilet while their wife is at home taking care of the kids.
Neither party gives the slightest toss about open source software (at least, not even close to the level that we do here), but they *do* care about scoring some points. If FOSS is the battlegroud-dujour so be it... tomorrow it will be the colour of the sky!
Incidentally, you have have detected a slight hint of British cynicism in my post, it is pretty common. When Obama got elected I was thinking, "Does this guy have a brother that can come and help us out?", then I found out he has a brother that has recently been charged with drug offenses in Kenya... but to be honest, I am still thinking... 'He'll do!'.
The British Government, or at least, branches of it, used to be very open source friendly. Developing software and publishing it with a very permissive license attached to the source code.
Alas, since the Blair Regime started, that all seemed to come to an end... and the British people had to learn to put up with huge IT spending to private firms, usually affiliated with Fujitsu or Microsoft ... and those public IT projects would famously fall flat on their faces and be quietly shelved.
Just look at the recent hiccups with the UK Biometrics scheme... 'nuff said.
No sig. Move along - nothing to see here.
A simple Google Search shows rather more than just being a vendor of some random proprietary software. Fortify is a Microsoft partner which has indulged in joint product launches with them and this isn't even mentioned in the original article.
This is yet another example of a Microsoft inspired campaign of lies. This group never changes and they and their software should be automatically excluded from all state contracts for ethical violations.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
A link to the company's study: http://www.fortify.com/servlet/download/user/OpenSource_Security_WP_V5.pdf
While they raise a couple interesting points, my first impression is that they broadly generalize from a small sample set. Specifically, they only look at about 10 Java projects (including Tomcat, Hibernate, and JBoss), and proceed to conclude that the open source community is unresponsive to security threats. Conspicuously absent are any Linux distributions (let alone any *BSD... they have obviously never heard of OpenBSD), OpenOffice, or any tools likely to make it into desktop use for the UK government.
Oh, and the solution to all this apparently is to rely on their company's security auditing services to make sure that your company doesn't have "hidden security holes".... Riiiight....
'Every story, if continued long enough, ends in death.' --Ernest Hemingway
Actually both the city of London (which would tend to contain Tories, they're often investment bankers) and the BBC (which contains champagne socialists) both use a lot of open source, mainly scripting languages, databases and web servers.
However, in both cases, anybody 'political' wouldn't actually dirty their hands with 'software' AND software engineers wouldn't dirty their hands with 'politics'.
As for the 'report' it's basically self-promotion by the company in order to peddle its wares.
On y va, qui mal y pense!
Because there's nothing more objective than deciding what conclusion you want to convince people of before collecting the statistics! (You don't happen to work for Gartner, do you?)
In case I missed something there are multiple parties in the UK who will contest the next election - there are no certainties. Whilst the Tories may have a strong lead now in the polls anything could happen between now and the election.
Fortify Software is not exactly a neutral party for conducting studies of the fitness of FOSS for enterprise software use. Half its Board of Directors have ties to enterprise software and service corporations like PeopleSoft, Sybase, Oracle, and Microsoft. I think I might get a second opinion.
The "press release" by Fortify for this claims that Larry Suto performed the test. He has a reputation for faulty, perhaps even fraudulent, testing methods. He also only tested 11 specific Java apps (and Fortify sells "audited" versions of those apps). The tests were performed using Fortify's software, no other testing software was used. So the accuracy of this test relies on the accuracy of Fortify's software, which hasn't been independently tested as far as I can tell. The press release also mentions findings by the Forrester Group, who are well known for a history of spreading inaccurate FUD about non-MS software.
Open Source for Open Minds
OSS lacks QA - show me a OSS project that government is likely to use that has any quality assurances. the big font stating "use at own risk" is a massive turn off for government and rightly so.
Um.. Microsoft's EULA basically says the same thing.
I've yet to be in an enterprise which uses enterprise-level change control.
Working for one of the world's largest commercial companies: Closest thing to "source control" was a rigorous automated backup process across network shares.
Working for a small commercial company which sold commercial data processing tools for some of the world's largest commercial companies, and the U.S. Military, and various parts of the U.S. Government: Closest thing to "source control" was laws requiring our code be held in escrow for every release. We routinely released completely untested versions and claimed that it was a re-build of the same sources. Eventually management was convinced to start using source control after asking if anyone had an old copy of a file lying around and I quickly produced it from my local repository. Just before I left, I brought up the issue of segmentation faults and memory corruption, and was told "we can't avoid signalling if we're given bad inputs".
Working for possibly the largest I.T. Company in the world, processing data for the U.S. Government: One person in charge of source control. No branching allowed. Occasionally heard complaints from the guru that people were overwriting each-other's changes. Never heard the word "security" mentioned at any point. Found out I could get a root shell and modify anyone else's source code by passing bad parameters to the reporting system.
-- 'The' Lord and Master Bitman On High, Master Of All
As much as you might be right, it doesn't change the fact that it works. It's a little bit like the wikipedia problem - it can cite 100 sources that all use information lifted off wikipedia, it just seems reliable and independently confirmed even though there's really only one source. In this you got one piece of FUD "confirming" another piece of FUD and to the general public it will look like "massive independent confirmation" instead of "whole lot of FUD being passed aorund in their own FUD-circle". A lie doesn't become less of a lie if you keep repeating it, but it does become more credible unfortunately.
Live today, because you never know what tomorrow brings
Then why use it for your website? http://toolbar.netcraft.com/site_report?url=http://www.fortify.com
such security fixes could dry up overnight on a OSS project. that's the whole point i'm trying to get through to people, start thinking like you've got 100 million dollar projects relying on this stuff. who are you going to trust this to, some guy called bob on sourceforge, or a multi billion dollar company with resources to get you out of the shit?
If you mod me down, I will become more powerful than you can imagine....
OSS lacks QA - show me a OSS project that government is likely to use that has any quality assurances. the big font stating "use at own risk" is a massive turn off for government and rightly so.
Um.. Microsoft's EULA basically says the same thing.
Not only that, but with OSS you can actually do a risk assesment by inspecting the source code. In the case of proprietary software that gives no warantee, how can I asses my risk?
What I find interesting is that in most cases you really want to "use at your own risk", after having assessed that risk properly. Because, if I buy a piece of software from Mario's Super Software company for $100, but it blows up in my face for $10 million.... my $100 refund isn't going to comfort me all that much...
It's a little bit like the wikipedia problem - it can cite 100 sources that all use information lifted off wikipedia, it just seems reliable and independently confirmed even though there's really only one source.
citation needed.
c++;
Showing that a statistically insignificant number of Java applications failed a test by a proprietary system which nobody is allowed to decompile so they can reproduce the results.
Hmm. Perhaps I am being a crotchety old science traditionalist, but the definition of the word 'research' seems to have changed of late.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Well the US DoD seems to be trusting to OSS with forge.mil. I know the company I work for does a variety of UK government contracts as well and we're using more and more open source (mainly Eclipse and its plugins, Protege and OWL in my area of work).
Besides, what's the real difference between relying on an OSS project with no license fee for five years then (possibly) having to migrate and learn something new but similar versus being charged year on year for Office 2003 then having to migrate to 2007 and all its new UI and still being charged year on year?
Read the guy again
The Conservatives have usually portrayed themselves as the family of family values, Married, 2.4 kids, stable etc
But in real life enough Tory MPs were seen to be living a life other than they preached. One even died during a bout of erotic asphyxiation
So it is Hypocrisy he is against, not same sex relationships
We can also look here http://www.fortify.com/partners/technologyPartners.jsp and note that Microsoft is one of their partners.
I'd trust my own employees with access to the sourcecode, or lacking employees competent in the area, consultants with the same source code access. With the consultants I'd also have the added bonus of being able to replace them, where they not able to fix my problems :)
You know, you _do_ have to pay for support, FOSS or closed source. But you do get what you pay for. And with FOSS, that includes the ability to switch vendor without switching the software.
err... less of the FUD please.
First of all, why on earth are you assuming a multi million dollar project is going to be using software supported by some guy called bob?
Rewrite that as using open source software supported by Canonical, Novell, Red Hat or Sun, and all of a sudden Open Source is competing on much more equal footing, and your first argument goes out of the window. After all, you could just have easily bought some closed source software off 'Bob' for your multi-million pound project.
What that, you don't trust Bob's software, and would rather buy from a big company? Funny that.
And do you *really* think Microsoft's EULA disclaimers don't apply to large organizations? Bill Gates didn't get Microsoft to where they are today by the company being dumb. I've seen their volume license terms, and if anything they're *more* restrictive, not less. By all means, quote me a paragraph or two from one of these 'favourible' EULA's that show me I'm wrong, but somehow I don't think that's going to happen.
like the OSS crowd, i'm sure they merely sourced their data to fit their own agenda.
Yes like FUD.
OSS lacks QA - show me a OSS project that government is likely to use that has any quality assurances.
Really I guess you have not looked at Redhat or Novel support.
OSS takes control away from the customer as to who supplies their patches
Now that trolling. If you don't like the software then you can always write your own. Of course if you like the software you can post bug reports or even fix it yourself and if you don't have the expertise you can hire someone to do that. Try doing that with closed source or proprietary software. As for the people who supply patches all you need to do is look at the "Help" or even the source to get the name of the people who are maintaining the package.
these are merely the security concerns. yes there is the usual stupid argument of being able to see the source code - but here is a clue for you - that's hellish expensive and blows the OSS is cheap myth out of the water.
Sigh! If you have done a cost benefit analysis then you would clearly see that a "supported" open source operating system is much more cheaper and reliable than a proprietary solution. You honestly don't think that just because you install a Linux distribution that everything is going to work forever, you need an administrator and depending on how much you value your data you will need some level of vendor support which is normally much cheaper than a proprietary solution.
The grammar Nazi in me states you should always start a sentence with a capital letter as is a stand alone "I". After all that is very basic English.
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
If security fixes dry up on OSS, the UK government can just get the source code and pay *anyone* to fix it. How is this better than relying on just one company, especially when that one company is a well-known scofflaw that has incurred the biggest fines in the history of EU law?
A pizza of radius z and thickness a has a volume of pi z z a
I don't think anyone would propose that a government just take a random FOSS project from freshmeat.net and put it into production, least of all with anything resembling sensitive data.
However, both Red Hat Enterprise Linux and SuSE Linux Enterprise Server have both achieved Common Criteria EAL4+ assurance, making them equivalent to Solaris, Windows Server 2003 and Windows XP in the eyes of the evaluation bodies and therefore suitable for many roles within government IT systems.
such security fixes could dry up overnight on a OSS project...start thinking like you've got 100 million dollar projects relying on this stuff.
This situation is PRECISELY when open source shows its strength. Take the massive annual license fee that you would need to pay MS to provide such support and hire your own, competent IT staff to maintain the code you want. First this means that you are creating jobs in the UK rather than paying some foreign company which should be a very important consideration for the UK government especially in the current climate. Secondly you now have your own local experts to provide support, implement the features that you want, provide support etc. etc. This puts you in a far better position than having to ring up MS. You own guys will be familiar with your usage and can give advice based on what they know the code does rather than on black-box trial and error experience. Finally you are contributing any changes and code back to the community helping those people that pay the taxes in the first place. Since this may also encourage other firms to invest in local expertise rather than ship money abroad this can help the local economy.
Comment removed based on user account deletion
ok I am just having a laugh cos I know you were teasing too on the old north/south divide, we're all southern softies and you're hard as nails with ferrets down your trousers... but most of London doesn't vote Conservative. More like a split between Labour/Lib/Tory.
I lived in Hackney for ten years and that's hardly a rich place, there's not a lot of love for Thatcher and now Cameron there. Reckon there's probably more Cameron voters in the posh end of Sheffield than in Hackney or Brixton...
But yeah we probably got the Tories coming, very depressing. It's feeling more and more like the 30s every day, the BNP will probably get a lot of votes in the white working class heartlands as well, I think that's something we've got to worry about, when socialist voters turn national socialist....
Whenever I worry that I'm an overly smug asshole, I look to Slashdot comments and thank CmdrTaco for giving us such a good breeding ground for idiots.
Why hasn't this story been fixed? The title says that the Conservatives have been criticised, and the summary says that Labour has been criticised by the Conservatives. You don't even have to be familiar with the facts to see the contradiction.
And yes, during the 80s and 90s I helped lobby Parliament on the value of the British electronics and software industries, served on DTI committees, talked to our MP and Euro MP. I didn't say "oh nasty Conservatives, don't get involved." That's pointless.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
The Westminster government *is* the British government, regardless of who occupies the Scottish parliament.
Oolite: Elite-like game. For Mac, Linux and Windows
To people who don't know about UK politics this post might imply that Scotland is not governed by the British (Westminster) government. Scotland still is, though many powers have been devolved to the Scottish parliament.
If the Conservatives form the next British government, Scotland will still be affected.
http://www.parliament.uk/about/how/role/devolved.cfm
Who are you going to trust this to, some guy called bob on sourceforge, or a multi billion dollar company with resources to get you out of the shit?
I'm not going to trust a multi billion dollar company to get me out of shit if its track record clearly shows that it's not going to do what I need of it. If bob@sourceforge fails to be reliable too, with OSS I can at least hire anyone else; with proprietary software I can hire no one else.
(Deciding whether or not the track record shows that is left as an exercise to the reader.)
"or a multi billion dollar company with resources to get you out of the shit?"
Oh, you mean like Red Hat? Or maybe Novell? Or any of the other dozens of billion dollar companies that sell open source software/support?
The thing about Microsoft propaganda is that they always leave out key facts and details.
Palm trees and 8
Get involved in the party closer to your heart and change things (it is what I did when I was in my country, a place far more dangerous than the UK for opposition politicians).
I frankly can't stand all this defeatist whining.
IANAL but write like a drunk one.
Don't be silly. The security of a technology company's public website is very important. If they truly believed the conclusions of their report, they would take steps to make sure their site was not hosted by open source software. Even if they don't manage the web server, they could easily request to be moved to a Windows/IIS machine.
1998 called, it wants its anti-open-source arguments back.
STFU about slashdot bias.
That this is the best evidence so far that Microsoft's new carey, sharey nice image is basically what many people have assumed it to be, i.e. bullshit.
The scenario is nothing new. Bring in a friendly company, get them to slate the competition and then brag about how an "independent" analyst has found something meaningful. Similarly, as usual, the people who don't care still won't care, the whole thing will be forgotten and FOSS will continue to gain ground as those who know its true value will continue to use and propagate it.
The important thing is to remember that we're still dealing with the same selfish, power hungry, lying, money grabbing, unethical, amoral, shower of shites that we were 5 years ago.
Hmmmmmm..... Deep fried and look like Squirrel.