Trend Micro Chairman Says Open Source Is a Security Risk
dkd903 writes "Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software is inherently less secure than closed source. When talking about the security of smartphones, Chang claimed that the iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."
This comes a week after Trend Micro released a mobile security app for Android.
Just some FUD to sell an app.
In a related story, Trend Micro also noted that Windows has been far more secure than Linux for years due to it being closed source ...
Right. And the color yellow is more secure than the color blue.
There's a spot in User Info for World of Warcraft account names? Really?
People are less secure because attackers know that hitting them on the head with a rock will kill them. That's why there should be no biology taught in school, right?
new sig
They were doing this malarkey at my office a couple of years ago. They were spending all kinds of money on licenses on some sound program from Adobe (it was only going to be used to edit down calls that we recorded in our call center...so, yeah. We didn't really have huge requirements.) I tried convincing them to just use Audacity, but their response was "it's open source, anyone could mess with it, it was probably made by some guy in china, it's free which means it sucks, etc." ::eyeroll:: I tried telling them about how widespread its use is, and how it was made by a former Carnegie-Mellon-current-Google-employee, but they weren't having none of it.
Living With a Nerd
It doesn't matter if one person or everyone in the world knows the underlying architecture. If the underlying architecture is junk then the problem is the underlying architecture instead of if it is closed or open source.
That's nice. Of course, I tend to associate Internet security firms with SEO consultants, astrologers, and anyone else who makes a living off fear and ignorance.
Dewey, what part of this looks like authorities should be involved?
I guess I'm not gonna be renewing my network's TrendMicro licenses when they expire next month...
@Mr Chang...
Repeat after me.. security through secrecy only works while your secret is, err, secret..
Now, how many engineers have worked on the iOS platform again? Will they all keep its secrets? Can you guarantee that? Do you realise that by keeping it secret Apple are also restricting the number of white hats that can notify them of security problems before they get exploited?
In modern business it seems the more someone is paid, the more drivel they spout.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
To be fair, those are the big three, and anyone writing spyware/viruses is going to have a copy of them and won't release their product until it gets past them.
I say Steve Chang is a money-grubbing bastard who steals money from his customers for a service they wouldn't need if everyone would migrate away from Windows and the closed-source hegemony. So there.
It completely fails to surprise me that an AV would have completely given up on the notion of security through technical correctness and have fallen back on the notion of security through obscurity.
The whole idea of OSS security (unlike, say, physical security) is that software bugs and errors are what introduce insecurities, that a technically correct system will be secure even if the attacker knows what it looks like (the same principle as in cryptography). This isn't true of physical systems, because physical materials always have finite strength, but software can (at least in theory; it rarely does) possess technical correctness.
I am, of course, totally unsurprised that an AV company would have completely given up on such a thing, and are falling back on obscurantism and endless layers of bandaids...
I have to constantly find open source malware and virus protection because the server/client TrendMicro package we have at my employer doesn't catch anything.
What Chang is basically saying is that "security through obscurity is inherently more safe than proper implementation" - something that was proven wrong a long time ago. Sure, when you got the implementation right, open source or closed source, extra obscurity won't hurt other than possibly maintenance, but prioritizing it is a misapplication of resources.
BUY ANTIVIRUS NOW OR JESUS KILLS A PUPPY!!!!
Sheesh. I mean honestly. How could you?
Note for the humor-impaired: please see the sig I have been using for the past 6 years or so.
Seven puppies were harmed during the making of this post.
"This comes a week after Trend Micro released a mobility security app for Android."
Oooooooohhh. Trend Micro wants us to worry about security and then sell us a security app.
Slashdot is News for Nerds: the OPs are supposed to be news, whereas the editorializing is supposed to take place in the comments sections. There is a trend around here that the OPs render their opinions now.
I say to the OPs, cut out the snark and leave the snark to those of us in the Peanut Gallery. If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.
"iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."
And that guy is the chairman of a computer security company?
no, I don't have a sig
Does this guy really expect to be taken seriously? He claims that iPhone is more secure than Android, and they still launched for iPhone???? I bet they're hoping that Windoze Phone 7 gets some sales (however unlikely that seems right now), so they can scare the victims into buying their security app for that. I reckon that they are starting to see the end for Windoze and the demise of their dismal, unnecessary businesses, so they're trying to scare up business elsewhere.
Good heavens! Oh my, a maker of anti-virus software for the most virus-ridden system in the world claims OSS is insecure? Wow, the shenanigans couldn't be any more obvious. Of course it's more insecure, and it's in his best interest to say so. That's business, folks! As always, follow the money. Trend Micro has been in bed with MSFT for a LONG time.
Parent was obviously using a closed-source operating system.
"When information is power, privacy is freedom" - Jah-Wren Ryel
He's not really wrong necessarily, but every piece of software is a new security risk. Games, email programs, you name it, it's a security risk. It's obviously just a bunch of PR to sell an app. Open Source's greatest risk is also its best potential strength. Because hackers and anyone else can see the underlying code, the security holes that a hacker may exploit will be patched in record time, possibly even by the hacker himself. Meanwhile closed source can only rely on internal resources, not a bad thing necessarily but different. The truth is that Open Source is great, but then again so is closed. Six of one, half a dozen of another. I really see plenty of room for these two differing development styles to coexist.
Is it reasonable to expect that every SysAdmin is an expert in programming to the degree necessary to thoroughly evaluate whether *working code* contains subtle bugs that can be exploited by a cracker? Don't get me wrong, I don't think the argument that proprietary software has an inherent security advantage is valid, but what I'm saying is that SysAdmin is a different job, with different skillsets, than is software development. Sure, there's a lot of overlap, but I don't think it's reasonable to say that every SysAdmin has to be a programming expert and validate security.
On the other hand... every company larger than some threshold size probably should have security-trained programmers on staff whose job it is to security-audit the source code of programs which are being considered for implementation at the company, who can make a report that can guide the IT decision makers. In the case of open-source programs, the company might even consider having those programmers fix the bugs (if it's determined from their report that it makes business sense to fix found bugs instead of using an alternative solution), and submit those fixes to the program's 'official' maintainers.
That, however, still leaves small businesses, most of whom will not be able to afford to have a staff programmer to security audit their code. However, Open Source means they reap the benefits of the larger businesses' investments in auditing the code and fixing problems (which, the larger businesses might not find particularly fair, but otoh, those businesses too are reaping big benefits from their investments in the Open Source code - including better security and control over their own operations).
Anyone that knows anything about computer security just lost all respect and sense of credibility for Trend Micro with this idiot-leader's claim.
Unfortunately, it is not often that security experts are responsible for making purchase decisions. The more those who make purchase decisions hear about a company making claims in support of "the de facto norm" and deriding "the new thing", the more it reinforces the "decisions not to change" that are frequently made by people who simply don't know the truth.
There is more money to be made by resisting change and improvement, especially when that change is in favor of free and open source software. "Leader of well known security expert company says not changing is good" simply helps to reinforce the inertia of non-change. So now decision makers can feel more justified in their not making decisions and calling it "decision not to change" without actually doing anything or learning anything.
In the 1990s, there were a lot of people who made their own encryption algorithms; of course they were "secret" for their own encryption products. Not surprisingly, a lot of them were just using rand() with the password the user types in as the seed for srand() and then XOR-ing the data. To the casual user, random cyphertext is random cyphertext. However, it doesn't take long to spin through 65536 possibilities for a seed.
Of course, we had Clipper/Skipjack. I'd dread what life would be like if we had to trust the encryption on that chip (without knowing anything about the algorithm), and never mind who had access to the LEAF fields. Probably most of the /. readers would have found a way to zero out the LEAF fields so the key couldn't be pulled out of escrow.
I'm just glad we have decent, open cryptographic standards. If a product doesn't use AES with a good implementation other than ECB, find something that does. RSA and SHA1 are not perfect, but so far, they have been secure.
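The "srand(password), XOR with rand()" scheme from the comment above, as an added example in C (not code from the post or from any product it mentions), together with the check a reviewer would run against it: a few bytes of predictable plaintext let all 65536 seeds be tried in one pass, so the random-looking output hides nothing. It assumes a 16-bit seed, as on the 16-bit compilers of that era, and a constructed password-to-seed mapping.

```c
/* Added example, not from the post: the home-grown "srand(password); XOR with rand()"
 * cipher the comment describes, and why it fails review. Assumed: a 16-bit seed
 * (65536 values), as on 16-bit compilers of the era; the password-to-seed mapping
 * below is constructed, not any real product's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for "password as seed": any mapping into 16 bits has the same flaw. */
static unsigned seed_from_password(const char *pw) {
    unsigned h = 0;
    for (; *pw; ++pw) h = (h * 31u + (unsigned char)*pw) & 0xFFFFu;
    return h;
}

/* The weak cipher: keystream is the low byte of each rand() output; XOR both ways. */
static void weak_xor_cipher(unsigned seed, const unsigned char *in,
                            unsigned char *out, size_t n) {
    srand(seed);
    for (size_t i = 0; i < n; ++i)
        out[i] = in[i] ^ (unsigned char)(rand() & 0xFF);
}

/* Reviewer's check: with a few bytes of guessable plaintext (a file header, a greeting)
 * every seed is tried in one pass. Returns the matching seed, or -1 if none matches.
 * The 2^16 keyspace, not the look of the output, is what decides the strength. */
static long recover_seed(const unsigned char *ct, const unsigned char *known,
                         size_t known_len) {
    unsigned char buf[64];
    if (known_len > sizeof buf) known_len = sizeof buf;
    for (unsigned seed = 0; seed < 65536u; ++seed) {
        weak_xor_cipher(seed, ct, buf, known_len);
        if (memcmp(buf, known, known_len) == 0) return (long)seed;
    }
    return -1;
}

/* Constructed sample: encrypt a memo under a password, then recover the seed from the
 * ciphertext plus the predictable "MEMO: " header alone. */
static long demo_recover(const char *password) {
    static const char msg[] = "MEMO: quarterly figures attached";
    unsigned char ct[sizeof msg];
    weak_xor_cipher(seed_from_password(password),
                    (const unsigned char *)msg, ct, sizeof msg - 1);
    return recover_seed(ct, (const unsigned char *)"MEMO: ", 6);
}

int main(void) {
    printf("seed from password: %u\n", seed_from_password("hunter2"));
    printf("seed recovered from ciphertext: %ld\n", demo_recover("hunter2"));
    return 0;
}
```

The seed recovered from the ciphertext equals the one derived from the password, which is the whole point: a 16-bit keyspace is exhausted on any machine in well under a second regardless of how the PRNG itself behaves.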
We get your Stephen Colbert style reverse psychology message. Unfortunately, it is still an uphill battle for people to divest themselves of their misconceptions, and asshats like this chairman of a highly visible commercial vendor of security (yes, I said "vendor of security" because people think they can BUY security rather than practice it... just like we can buy a healthy body rather than eat better and exercise) reinforcing these misconceptions is unhelpful.
Still, they can't stop the inevitable. World politics are causing the rest of the world to mistrust the U.S. government and especially U.S. businesses whose interests the U.S. government is most often serving and acting on behalf of. So, there is a continuous growth in activities by governments outside of the U.S. interested in migrating to F/OSS operating systems and applications software. Foreign business is also moving in this direction.
What we are witnessing is a "slow burning bridge" and it is uncertain if this has yet progressed beyond a point of no return, but F/OSS has already reached a point of acceptance that it is no longer to be considered "fringe" and "non-mainstream."
There's one sneaking up behind you. No he moved just when you turned, now he's on the other side. He's going to get you! Run! The rock does nothing!
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
Very true. If SHA-X was secure for the foreseeable future, there wouldn't be a contest going on for someone to make a replacement algorithm for the SHA-3 name. In the meantime, it would be nice for Whirlpool, Skein, or another well tested hash function to take up the slack.
However, the hash functions are open for all to look at. This beats someone stuffing all the data into an 8 bit LFSR, yanking 128 bits out and calling that a cryptographically secure hash.