Trend Micro Chairman Says Open Source Is a Security Risk
dkd903 writes "Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software is inherently less secure than closed source. When talking about the security of smartphones, Chang claimed that the iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."
This comes a week after Trend Micro released a mobile security app for Android.
Just some FUD to sell an app.
In a related story, Trend Micro also noted that Windows has been far more secure than Linux for years due to it being closed source ...
Right. And the color yellow is more secure than the color blue.
There's a spot in User Info for World of Warcraft account names? Really?
People are less secure because attackers know that hitting them on the head with a rock will kill them. That's why there should be no biology taught in school, right?
First, no one who reads this is suddenly going to be convinced either way. Either you feel that making the code obscure makes it harder to find bugs, or you feel that making the code open makes it easier to fix them. Both are true, for various levels of vendor responsiveness in closed-source code and level of active involvement in open-source code.
If you have a vendor who actively solicits and rewards bug/vulnerability reports, puts a lot of time and money into fixing them, and keeps their source closed, you'll probably have about the best security possible. In the real world, it's not so black and white.
Having said all that, this is pure astroturfing. GAAAAAHHHHH!!! THE FUCKING SCARE MONSTER'S GONNA GET YA IF YOU DON'T BUY OUR SHIT!!!! BUY ANTIVIRUS NOW OR JESUS KILLS A PUPPY!!!!
They were doing this malarkey at my office a couple of years ago. They were spending all kinds of money on licenses on some sound program from Adobe (it was only going to be used to edit down calls that we recorded in our call center...so, yeah. We didn't really have huge requirements.) I tried convincing them to just use Audacity, but their response was "it's open source, anyone could mess with it, it was probably made by some guy in china, it's free which means it sucks, etc." ::eyeroll:: I tried telling them about how widespread its use is, and how it was made by a former Carnegie-Mellon-current-Google-employee, but they weren't having none of it.
It doesn't matter if one person or everyone in the world knows the underlying architecture. If the underlying architecture is junk then the problem is the underlying architecture instead of if it is closed or open source.
and Trend. I spend all my time cleaning up machines that have those products installed and they still get hosed. It's really kind of nice knowing that as long as they exist I will be able to make a living.
That's nice. Of course, I tend to associate Internet security firms with SEO consultants, astrologers, and anyone else who makes a living off fear and ignorance.
Dewey, what part of this looks like authorities should be involved?
I guess I'm not gonna be renewing my network's TrendMicro licenses when they expire next month...
@Mr Chang...
Repeat after me.. security through secrecy only works while your secret is, err, secret..
Now, how many engineers have worked on the iOS platform again? Will they all keep its secrets? Can you guarantee that? Do you realise that by keeping it secret Apple are also restricting the number of white hats that can notify them of security problems before they get exploited?
In modern business it seems the more someone is paid, the more drivel they spout.
To be fair those are the big three and anyone writing spyware/viruses is going to have a copy of them and won't release their product until it gets past them
I say Steve Chuang is a money-grubbing bastard who steals money from his customers for a service they wouldn't need if everyone would migrate away from Windows and the closed-source hegemony. So there.
It completely fails to surprise me that an AV would have completely given up on the notion of security through technical correctness and have fallen back on the notion of security through obscurity.
The whole idea of OSS security(unlike, say, physical security) is that software bugs and errors are what introduce insecurities, that a technically correct system will be secure even if the attacker knows what it looks like(the same principle as in cryptography). This isn't true of physical systems; because physical materials always have finite strength; but software can(at least in theory, it rarely does) possess technical correctness.
I am, of course, totally unsurprised that an AV company would have completely given up on such a thing, and are falling back on obscurantism and endless layers of bandaids...
I guess things like SHA-1, RSA and AES are also bad and insecure because they are "open". So obscurity is not security now, not that I'd expect much from an AV vendor that ultimately benefits from insecure systems.
I have to constantly find open source malware and virus protection because the server/client TrendMicro package we have at my employer doesn't catch anything.
What Chang is basically saying is that "security through obscurity is inherently more safe than proper implementation" - something that was proven wrong a long time ago. Sure, when you got the implementation right, open source or closed source, extra obscurity won't hurt other than possibly maintenance, but prioritizing it is a misapplication of resources.
So why is this news? Stupid people say stupid things all the time.
The CEO of a computer security company parrots "security through obscurity." Well guess I won't trust any Trend Micro products.
"This comes a week after Trend Micro released a mobility security app for Android."
Oooooooohhh. Trend Micro wants us to worry about security and then sell us a security app.
Slashdot is News for Nerds: the OP's are supposed to be news whereas the editorializing is supposed to take place in the comments sections. There is a trend around here that the OP's render their opinions now.
I say to the OP's, cut out the snark and leave the snark to those of us in the Peanut Gallery. If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.
Security through obscurity FTW! Everyone knows that is the best way to secure a system!
"iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."
And that guy is the chairman of a computer security company?
Does this guy really expect to be taken seriously? He claims that iPhone is more secure than Android, and they still launched for iPhone???? I bet they're hoping that Windoze Phone 7 gets some sales (however unlikely that seems right now), so they can scare the victims into buying their security app for that. I reckon that they are starting to see the end for Windoze and the demise of their dismal, unnecessary businesses, so they're trying to scare up business elsewhere.
Good heavens! Oh my, a maker of anti-virus software for the most virus-ridden system in the world claims OSS is insecure? Wow, the shenanigans couldn't be any more obvious. Of course it's more insecure and it's in his best interest to say so. That's business, folks! As always, follow the money. Trend Micro has been in bed with MSFT for a LONG time.
...especially if someone takes an OSS app that is compilable, adds a few backdoors etc. and puts it up on mirrors. Yeah, check the checksums. I do, but how many non-tech geeks even know how to do that? Last company I worked for, we provided service contracts for an OSS app and got it PA-DSS certified, fixed a bunch of problems, added features, and most importantly signed our binaries. Most OSS projects don't, and a lot of times are in a format where that is difficult.
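The checksum check the commenter above says most users never perform, as an added example (not the commenter's own script, and not tied to any particular project): a small POSIX shell function that compares a downloaded file against the SHA-256 digest a project publishes, and refuses it on mismatch. The file name, the digest and the "tampered mirror" copy in the demo are all constructed here; a real check would take the expected digest from the project's own signed SHA256SUMS file rather than from the same mirror that served the binary.

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against a published SHA-256 digest.
# Assumes a POSIX shell plus either sha256sum (GNU coreutils) or shasum (Perl).

sha256_of() {
    # Print the lowercase hex SHA-256 digest of the file named in $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_download() {
    # verify_download <file> <expected-hex-digest>
    # Returns 0 only when the file exists and its digest matches; prints a verdict.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise case before comparing
    if [ ! -f "$file" ]; then
        echo "MISSING: $file"
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)"
    return 1
}

demo() {
    # Constructed scenario: a pristine artifact, then the same path after a mirror
    # has served a modified copy. Returns 0 when the good copy passes and the
    # tampered copy is rejected.
    tmp=$(mktemp -d)
    printf 'hello world\n' > "$tmp/example-setup.bin"          # pretend release artifact
    published=$(sha256_of "$tmp/example-setup.bin")            # stands in for the SHA256SUMS entry
    good=0
    verify_download "$tmp/example-setup.bin" "$published" >/dev/null || good=1
    printf 'hello world!\n' > "$tmp/example-setup.bin"         # one byte appended by a bad mirror
    bad=0
    verify_download "$tmp/example-setup.bin" "$published" >/dev/null || bad=1
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "demo: good copy accepted, tampered copy rejected"
```

A digest only proves the file matches what the checksum list says; if the list itself comes from the same compromised mirror, both can be replaced together. That is why the commenter's point about signing binaries matters: a signature over the artifact (or over the checksum list) with a key obtained out of band is what ties the download to the project rather than to whoever runs the mirror.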
Parent was obviously using a closed-source operating system.
every time someone thinks that closed source is better we have this debate. many eyes = better security
I guess he's never heard of a decompiler?
I guess, if nobody actually gets to look at your source, you're not opening yourself up to ridicule and scorn for the shoddy coding practices and multitude of exploitable errors...
No, the real ridicule comes when hostile crackers discover those exploitable errors through brute force or reverse engineering and, well, exploit them.
Sure, sometimes it can be a case of too many cooks and all that, but when it comes to hunting for security holes I'd think it just plain makes sense to have as many friendly eyes on the code as are willing to spend the time.
This is complicated.
First, open source vs closed source:
Security problems are just a very nasty subset of quality control issues. Quality code is a function of the quality of programmer, tooling, time schedule, etc.
Open source vs closed source is only one part of that equation, and though I believe it matters, it's not a determining factor BY ITSELF.
Second, Android vs iPhone. There are 2 most likely attack vectors today: browser bugs, and trojans downloaded on purpose that do something other than what they claim.
Android fares worse than iOS on both of these. Both have lots of flaws in the browsers, but Apple is much better about actually allowing their users to patch their own phones (which just blows my mind, I admit, because they are still slow, but it happens.. Android patching rarely happens).
Both have malware available, but it's easier to distribute for Android.
Note that neither has a lick to do with opensource vs closed source, it's timely (though SLOW by desktop standards) software updates and quality control vs carrier locked, no-updates-ever and free for all downloading.
I have been giving the whole security argument some thought lately, and I think security through obscurity has merit in the short term. It should be obvious that security holes can be found quicker when you have the source than when you don't. All products have security flaws. All products tend to have more security problems initially and they get corrected over time.
Where open source helps is almost like homoeopathy, to cure your disease, you basically force your body to have symptoms in order to get the immune system working overtime. Open source exacerbates the security threat, initially, finding (and fixing) more of the security holes, that every product has, more quickly. So, at inception, an open source program or package would seem to have way more security holes up front, but once the initial wave passes, it will have far fewer. Closed source, on the other hand, never gets that initial wave, and their security holes get discovered regularly over time, usually very quietly.
A couple cycles of open source, and you'll have something tested to be secure. Using Windows as an example, you'll never be able to have any way to quantify the risk in a closed source package or product.
If that was true then why do we have so many holes in Windows? That is closed source and every time I turn around there is another security hole that has to get patched. I have dual boot machines at home and most of my time doing patches is for the Windows side of things. On the other side of things, my Linux boxes at home don't have as many problems with security, and when a hole is found a patch is done much more quickly than I could even hope for in Windows.
It has all of the sound of a security vendor trying to scare people into going with a product that they know has problems and then sell them more of their offerings to 'protect'.
Security by obscurity is not security at all. Open source allows anyone to review the code, and if there is a problem then a patch can be proposed and the hole is closed quickly. With closed source we don't know (unless you have a disassembler and can read assembler code) what is there and are dependent on the vendor doing timely patches.
One other observation. Security is not absolute, it is a process. This goes for both open source and closed source. What is secure today is not necessarily secure in the future. When holes are found they need to be analysed and fixed.
What worries me is all you "sysadmins" who are admitting you are currently using trendMicro at all.
He's not really wrong necessarily, but every piece of software is a new security risk. Games, email programs, you name it, it's a security risk. It's obviously just a bunch of PR to sell an app. Open Source's greatest risk is also its best potential strength. Because hackers and anyone else can see the underlying code, the security holes that a hacker may exploit will be patched in record time, possibly even by the hacker himself. Meanwhile closed source can only rely on internal resources, not a bad thing necessarily but different. The truth is that Open Source is great, but then again so is closed. Six of one, half a dozen of the other. I really see plenty of room for these two differing development styles to coexist.
There is an old argument that public key cryptography is weaker than a private key system. In public key systems, one key is out there and inherently contains everything an attacker needs to decode a message. We rely on the security of the crypto system to ensure they can't do that. Contrast this to the SAME system where both keys are kept secret - the attacker now has zero information about the keys. It's a bit of a weak argument, since we do rely completely on the cryptosystem, but being obscure on top of being effective does help a little bit. That said, I would argue that the mere existence of alureon.h should convince folks that at least one platform (that is closed source) should be avoided.
The real risk is Trend Micro Chairman, to the security of your wallet.
Just don't give it to him.
You can't handle the truth.
Just take Windows vs Linux as an example. Everyone knows Windows is less of a security risk. It gets hacked less often, has the least amount of exploits and as a bonus even runs faster and more stable!
The sour grapes or better said "security by obscurity". That philosophy got Sony very far. Go-go TrendMicro !!!
Using closed source software is like putting an admin in the woods at night with a thousand attackers and telling him to catch the attackers before they break into your treasure chest. By the time the admin catches one, the chest has already been looted and the admin spends the rest of his time patching up the loophole while the other attackers are already preparing their next break-in. A good admin shouldn't be measured by how well they handle damage control but how well they can analyze a new piece of software prior to business implementation. Obscurity is just another label for "I'm too lazy to look at source code, so I'm going to take out a giant insurance policy instead and hope that Snake Oil's interns weren't complete dunces when they wrote this software."
Security through obscurity is better for our sales. OSS contains far too few bugs to make our products necessary.
(Not that TM produced any good protection software, to be blunt for a change. Sorry, but given the choice between TM, McAfee and Panda I'd probably choose... a bullet).
And as long as MS produces OSs, I'll be able to make a living coding AV software.
Imagine a world of OSS only. Can you see how we'd be out on the street selling pencils and apples?
Closed source gives me a job! Hurray for CSS!
it'd be a shame if something happened to it.
Came to post exactly that. Trend Micro has just proven that as a tech company they don't even understand basic security.
Well, I typically buy it for cheap, but I guess I won't be purchasing any more Trend Micro software.
Anyone that knows anything about computer security just lost all respect and sense of credibility for Trend Micro with this idiot-leader's claim.
Unfortunately, it is not often that security experts are responsible for making purchase decisions. The more those who make purchase decision hear about a company making claims in support of "the defacto norm" and deriding "the new thing" it reinforces the "decisions not to change" that are frequently made by people who simply don't know the truth.
There is more money to be made by resisting change and improvement, especially when that change is in favor of free and open source software. "Leader of well known security expert company says not changing is good" simply helps to reinforce the inertia of non-change. So now decision makers can feel more justified in their not making decisions and calling it "decision not to change" without actually doing anything or learning anything.
So, major corporations, focused mostly on profit, care more about device security than the owners of those devices? Interesting.
I'm just glad I can short-circuit Sprint's broken agps with a simple iptables rule on my Palm Pre. Voila! A GPS that works quickly and properly. No hacking required. Open platforms FTW.
Not news.
The vast majority of millions of open source projects only have a few eyes on them.
Only projects like Linux kernel, apache, and a few others can claim "many eyes".
For the rest, security through obscurity would have been a better choice.
# curl -i http://us.trendmicro.com/
HTTP/1.1 301 Moved Permanently
Server: Apache
etc...
Hmm.
Counter-example. I reverse engineered part of a device to permit me to write my own software to interact with it. The results were useful to a community of a few thousand people. In return, some people sent me information they had for the device. I now have access to data sheets of its components, OS dumps, interface definitions, the results of various other bits of reverse engineering efforts, even full schematics of all the hardware.
Now remind me again, how does being closed source make a product more secure again?
Nice Strawman there!
There are many ways to skin a cat and many safeguards that can be used to secure an OS.
Open source makes it easy to find which ones are in use and closed source makes it difficult.
The message is that good design plus obscurity beats just good design. That, at least, is the theory behind steganography.
A security company chairman advocating security through obscurity. I certainly buy any Trend Micro products now.
And what a fucking retard anyways. Christ PKI is a frickin' open standard, but it doesn't matter the least whether a potential attacker can read the specs, it isn't going to help him bust into my OpenVPN network any bloody better.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Antisemites: "[Jews] are [feeding on our babies' blood] and must be eradicated."
AntiFOSSes: "[Open Source developers] are [putting back doors into our computers] and must be eradicated."
Obi-Wan: "I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were sudden
Hence trend micro's most trusted software being open source?
http://ossec.net
Everyone knows that if you leave your key under the doormat and you tell nobody, your house is *far* more secure than when you install a drawbridge, dig a moat around it, put alligators in the moat and then give out blueprints for the drawbridge, moat and alligators. And that, my fellow Slashdotters, is why nobody uses drawbridges anymore.
What a maroon! And just how secure is Windows (proprietary OS) compared to Linux (open source)? IMHO, there is no comparison. I can't run Windows for more than a day without being inundated with virus attacks, and an occasional infection. I have been running Linux systems continuously and actively for 10 years and have yet to get a virus, rootkit, or other malware infection.
Obviously iOS is much more secure than Android:
I think someone slipped and mixed up their words, because open source software is generally less of a security risk than is Trend Micro software.
Nobody should doubt that he is correct, because as we all know, open source software has a terrible reputation for security when compared to closed source software. Over and over, headlines trumpet breaches of OSS while CSS quietly performs with astonishing perfection.
Right? Right? That's what Trend Micro is saying, right?
After all, you don't see any tyrannosauruses 'round here, do ya?
There are zero ways to jailbreak my shoe.
Sorry about that, Chief.
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
Open Source is a risk to Trend because ClamAV is open source. They have tried to sue ClamAV out of existence before. Funny story: Trend gives the sysadmin no way to uninstall their products when migrating. I had to replace Trend with SEP. A kludgy script to stop services, delete files and registry keys, and get their shim out of the TCP/IP stack was the only way to do it. Their support sucks, as I can personally attest. On several occasions, I have fixed my problems with IMSS on Solaris while on a support call with their call center in Philippines. On one occasion, latency in pattern update installs caused a large newspaper for which I worked to contract a virus that put all the Windows servers in a reboot cycle. I had to get a list of IPs of infected servers from a Solaris box so the Windows admin could manually disinfect with NTFSDOS Pro.
Normally, both open and closed source have security advantages. Open source programs can be vetted by anybody, and changes can be (and usually are) applied quickly. Closed source programs are a bit harder to hack into, and it's more likely that somebody's actually paid for a good security analysis (although I'm not sure Apple does - as far as I can tell, they understand security less than Microsoft does).
In the case of mobile phones, the user may not have the ability to upgrade the software, and the people who can may simply not care. That nullifies the advantages of open source, and may leave closed source as more secure. At least if Apple has designed iOS intelligently with respect to security.
1) If Closed source is more secure then why is he writing security software to "secure" it?
2) If Open Source is so much less secure then there must be a viable market to tap. All those CEO's who want to make *billeens and billeens of dollars* for the greedy investors please speak now. <sound of crickets>
The reality check is that Open Source is doing just fine in keeping up with the problem of software vulnerabilities leading to the likes of massive bot-nets which have become the bane of our society. By Chang's own definition of "secure" he is targeting the wrong market, yet the market he is targeting is the one with all the problems in need of being fixed, but he has done nothing to change that. His own products have done nothing to "secure" even the most "secure" systems out there. He should be removed from being CEO as he has proven that he is both ineffective as a corporate officer, and he has proven that he doesn't even understand the market that he should be marketing to. In either case he is a poor excuse for a CEO of a publicly traded company.
Although Android is open source, actually installing new software on real-world devices is usually difficult and generally requires hacks. Unlike Linux or Firefox or whatever, where a fix may be in a point release soon after it's known about, if a flaw is found on an Android handset, it may only be fixed months down the track in a manufacturer update, or it may never be fixed (unless someone has fixed it in a custom ROM and you are willing to go through all the sometimes-tricky steps to install those ROMs).
That Steve Chang is not considered a security expert ... The reason Android is less secure is due to implementation choices. If he believes that the iPhone OS has not been ripped apart to its very basic structures he is wrong. The jailbreak community developed sophisticated tools for just that and the Objective-C language itself lends to easy discovery. The quality of the code written with a mindful recognition of security issues is why it may be more secure than Android. Considering that the tools used to create each is mainly open source code, and that interface discovery is possible on both. And that I can profile the execution of code on either platform. (And Apple nicely provides me a simulator where 90% of this can be done without the issues of debugging on the device. Add that to the issue that Android is on a plethora of platforms, and iPhone is on one architecture with incremental improvements. Well iPhone has to be better designed than Android to put up the fight it puts up.
In addition Apple addresses the bugs in their platforms more promptly and is the single source of software updates. The Google Android environment involves too many players and too much finger pointing, and has issues such as delaying updates to push new phone models by the manufacturers responsible for pushing the updates to the phones. So Security fails for Android for commercial conflicts as well.
The assertion that open source is less secure than closed source is laughable considering that the majority of network connected machines rely on open source components for security; outside of Windows architecture machines (Which might arguably be the majority of connected machines but are calculably the largest source of security issues.)
FUD in the security field is unacceptable, and when found out I think it is grounds for corporate punishment if done by executives to push their products on the uninformed.
Why do people allow chairmen to make ignorant remarks like that? Friends don't let friends make asinine remarks about security without at least understanding the issues: Kerckhoffs's principle.
Remember when the jailbreakers fixed iOS's PDF exploit before Apple did? Good times.