Steve Smith, Managing Director of IT security consultancy Pentura, looks at the implications of using open source in business and argues that security is just one issue that organisations need to consider when contemplating an open source system.
The debate by IT security experts around using open source in a business environment, and the impact of this on IT security, is a mature one. Experts do not agree about open source security in terms of whether there is an advantage or disadvantage to its use in the business world.
By their very nature, open source applications expose the source code used to write them to examination by everyone, attackers and defenders alike. Experts argue that keeping the source code closed provides an additional layer of security through obscurity.
However, just because the source code cannot be seen, it does not mean an application is secure. Microsoft, like many other leading vendors, is well known for releasing regular patch updates to fix security vulnerabilities.
Although Microsoft has become very efficient and transparent in handling its security vulnerabilities, this still leaves a window of opportunity: anyone who discovered a flaw before the patch was issued can exploit it in the meantime. On the upside, you can usually rely on the patches being dependable and not generally causing systems to crash, as they go through a process of quality testing before being released.
Alternatively, open source applications can be updated by the community, as developers release updates free of charge for the good of open source users. However, there is no guarantee that a patch will be written and released at all, let alone of its quality, as there is no overriding responsibility to provide a service level of any kind.
The debate on whether to use open source in business goes beyond the issue of security. When large numbers of corporate users are involved, IT departments will look at IT support contracts and SLAs, licensing costs and systems management, as well as system and user security.
If a business chooses to run an open source system, IT system support is likely to be one of the biggest issues it faces. Because of the lack of commercial responsibility and the unmanaged nature of an open source system, established IT support of the kind offered by organisations such as Microsoft is rare, and relying on a disparate team of developers who write open source code has obvious risks.
During an open source project’s lifetime, it usually forks into a variety of different versions, depending on what developers require of the new application or operating system. Commercial organisations often get involved in this, forking a version of the open source application and putting commercial backing behind the project, typically involving a more structured development approach, a licensing model and structured support services.
This offers users the best of both worlds, where they can benefit from access to the open community of applications whilst still having someone to turn to if they have problems.
The important point to note here is that the commercial organisation remains extremely keen to ensure the success of the open source project from which its commercial solutions originated, thus giving something back to the community that helped it become successful and ensuring that future open source ideas have a chance to be nurtured and grow. Novell’s Suse Linux, Sourcefire’s Snort and Oracle’s OpenOffice are great examples of how successful this partnership can be.
The cost of maintaining open source applications is another important factor to consider. An organisation with a 2,000 seat license for Microsoft Office faces significant licensing costs.
Oracle’s OpenOffice offers an alternative, allowing an organisation to use the familiar format of Microsoft Office whilst making savings on the standard Microsoft license costs. However, companies should be aware of the hidden increased costs in support and training if an existing Microsoft house is going to change to a new application.
The smaller company often has a ‘one-man-band’ IT support department, which is left to its own devices when it comes to managing and securing the business, and often working with a tight budget.
Through using open source solutions, the smaller IT department can gain kudos from saving the organisation money whilst at the same time furthering its own education. As well as the potential financial savings to a business in deploying the ‘free’ software, the bespoke style of deployment and management that open source solutions offer could potentially make the IT support professional indispensable.
The reality of open source security
Open source has advantages and disadvantages. The most widely used argument for not using open source is the additional layer of security through obscurity a closed source application provides.
This argument is slightly misleading. An open source operating system contains many thousands of lines of code, and reading and understanding the entire code base and then spotting and exploiting vulnerabilities in it is an arduous task that often requires highly specialist knowledge.
On top of that, when speaking to many open source users, penetration testers and hackers, you could count on one hand the number who would even be interested in reading and understanding such large applications. They prefer to use the open source operating systems and the plethora of tools that have already been written to test closed source applications. It’s just that much easier.
Although the argument for security through obscurity is a powerful one, its significance is overplayed within the open source debate: a serious attempt to find a system vulnerability begins with the attacker writing a specific application to look for vulnerabilities, a tactic that works equally well on open and closed source systems.
Open source in business can offer organisations a significant advantage and should not be overlooked because of concerns over security. Although security is an important issue to any organisation, data and systems can be equally or more secure with an open source system than with the alternative.
Both open and closed source systems have advantages and disadvantages. Although security experts are unlikely to unanimously agree on the best route for an organisation to take, it is critical that organisations protect their most important asset, their data, regardless of which path they take.
Can open source be secure in business? Yes - but organisations should not rush into an open source system without considering all of the other issues that come as part of the package. Ultimately open source is a moving target, closed source is a stationary target - both are targets that need protecting.
i am very confused. the BCS is supposed to be a reputable organisation, yet this article - every paragraph - is complete [DELETED]. i thought about saying otherwise, so that the chances of this article not being censored are reduced, but i cannot think of any other words to choose which express clearly enough what _really_ needs to be said.
let's go through it.
"Experts do not agree about open source security in terms of whether there is an advantage or disadvantage to its use in the business world."
"Experts argue that keeping the source code closed provides an additional layer of security through obscurity."
... for about 5 minutes. ok, that's maybe an exaggeration. in three weeks, i reverse-engineered a binary linux kernel to the point where i could get a replacement running on a closed system. the "security" they added was a complete joke, relying on an EEPROM which, if you didn't read what was in it... well, an analogy is like asking someone to leave a key to the front door under the mat, with a note on the front door saying "if you are a robber, please don't look under the mat".
the only reason the reverse-engineering took three weeks was because it has been a while since i did ARM disassembly, and if it had been x86 and i had money, i could have bought hex-rays which is capable of disassembling x86 code _directly_ into c-code.
so the whole idea of adding security through obscurity is [DELETED] for two reasons: a) skilled people have the tools to [DELETED] all over binaries as if they were source code _anyway_ b) obscurity usually means "we don't consult any _real_ security experts, we _think_ we know best, but we're not going to get this peer-reviewed 'for secuuuurity reasonns', we're just going to believe in our own arrogance".
even microsoft has some of the world's best cryptographers - they hired them so that nobody else could get them. they sit in their offices. does anyone actually come and consult them? of course not.
"However, just because the source code cannot be seen, it does not mean an application is secure."
hooray! a sentence i agree with. once you wrap your head round its similarity to "just because you're paranoid _doesn't_ mean that everyone isn't out to get you", it actually makes sense...
"Microsoft, as well as many other leading vendors, is well known for releasing regular patch updates to fix security vulnerabilities."
only on the issues that get found / reported. i presume you've seen the reports of underground sales on IRC channels, of "undiscovered" flaws, to the highest bidder? if someone _really_ wants to walk through to somebody's commercial secrets, they need not look very far, just have a lot of money.
"Although Microsoft has become very efficient and transparent with their security vulnerabilities, this still leaves a window of opportunity for anyone who has discovered a security flaw prior to a patch being issued to exploit the vulnerability."
yes. which usually means that someone made a mistake in going a biiit too far with the creation and spread of their virus, so that it ended up being detected (whoopsie) but that's ok, because they can always go back to that IRC channel and spend another $5k+ on yet another unknown vulnerability.
"On the upside, you can usually rely on the patches being dependable and generally not causing systems to crash as they go through a process of quality testing before being released."
the implication being, because you never bothered to check whether there _was_ a process in the major free software projects, that free software teams are somehow irresponsible? sorry, but you either need to get laid or you need to get out more. take your pick, i don't mind which, but please ... *click*.... who allowed this article to be published in the biased state it's in???
"Alternatively open source applications can be updated via the community as developers release updates free-of-charge for the good of the open source users. However, there are no guarantees that the patch will be written and released at all, let alone the quality of the patch, as there is no overriding responsibility to provide a service level of any kind."
sentence 1 contradicts sentence 2. either that, or the implication is that "developers releasing updates free-of-charge for the good of the community is somehow... irresponsible".
it's worthwhile pointing out that if this is a problem, then PAY THE DEVELOPERS SOME DAMN MONEY for god's sake. your business saved enough money not having to pay for proprietary software, so damn well give some to the developers, contract them to do the required improvements, give them a maintenance contract _anything_.
concrete example also where this paragraph is [DELETED]: the french government converted to OpenOffice. the french security services found a number of security vulnerabilities. they reported them to the openoffice team. the openoffice team fixed them.
i know a number of free software projects that have private mailing lists for the discussion of security vulnerabilities. samba is one of them. they do an extremely thorough job.
"When large numbers of corporate users are involved, IT departments will look at IT support contracts and SLAs, licensing costs and systems management, as well as system and user security."
most of the time they ignore the fact that they are totally locked-in, and cannot migrate, even if they wanted to: it's too late. there's no alternative. i've dedicated about four years of my life so far to bridging the gap, kick-starting projects that needed to even _begin_ to bridge the gap between the microsoft proprietary and the free software worlds, so i know what i'm talking about.
to discuss this entire issue _without_ even mentioning the yawning gap between the two technological bases (MS proprietary and Free Software) completely undermines the entire article.
"If a business chooses to run an open source system, IT system support is likely to be one of the biggest issues an organisation faces. Due to the lack of commercial responsibility and the un-managed nature of an open source system, established IT support offered by organisations such as Microsoft is rare and relying on a disparate team of developers who write open source code has obvious risks."
[DELETED]. [DELETED]. the samba team core members have been in the employ of one organisation or the other for nearly.... fifteen years. the apache team members longer than that. the top people in free software are rare but they make their living by being _the_ top experts in their field.
... and you are forgetting: google, IBM, HP, SGI, Sun, novell, redhat - all these companies rely _heavily_ for their success on having the "major" free software project developers happy, funded and taken care of. it's not exactly orchestrated, but they tend to "divvy up" the developers between them. jeremy allison quit novell in protest at their deal with microsoft over patent licensing, and went to work for google.
i'm kinda getting tired already of pointing out the flaws in this article, so won't attempt to make yet another point on this paragraph: it's too easy and a bit like kicking feathers.
"During an open source project’s lifetime, it usually forks off into a variety of different versions,"
err... no "it" doesn't. which ones are you referring to? and the other point: "welcome to free software! you have the _right_ to do that, if you think you have the skills _great_!".
... can you do the same thing with a proprietary software system? good luck with that...
"depending on what developers require of the new application or operating system. Commercial organisations can often get involved in this, forking off a version of the open source application and placing some commercial backing to the project, typically involving a more structured development approach, a licensing model and structured support services."
*sigh*. and then, equally, there are individuals who can do the same. the ruby-on-rails guy isn't a "company", but he's still the world's leading expert, and he _on his own_ gives a structured approach and structured support services, like... by writing a book and giving lectures and tutorials.
what _exactly_ is the point of mentioning this?? *spits out a feather*.
"This offers users the best of both worlds, where they can benefit from access to the open community of applications whilst still having someone to turn to if they have problems."
err... such as the core developers, as well? by emailing them direct, and offering them benefits-in-kind or, shock-horror, even some money? hellooo? can you even _remotely_ imagine a situation where you could gain direct access to the developers, the best people to solve technical issues, in a large proprietary corporate structure??
"The important part to note here is that the commercial organisation is still extremely keen to ensure the success of the open source project from where their commercial solutions have originated; thus giving something back to the community that has helped them become successful and to ensure future open source ideas have a chance to nurture and grow. Novell’s Suse Linux, Sourcefire’s Snort and Oracle’s OpenOffice are great examples of how successful this partnership can be."
what does this have to do with open source being "secure"? yes, great, you've just misled readers into believing that the only way that free software can be funded is by paying novell or oracle instead of the developers themselves, but what in hell's name does this have to do with the main focus of the article: "security" in free software?
"The cost of maintaining open source applications is another important factor to consider."
the cost of maintaining insecure windows systems is another important factor to consider.
"An organisation with a 2,000 seat license for Microsoft Office faces significant licensing costs."
good god. the second sentence in this dog's dinner of an article which i can whole-heartedly agree with.
"Oracle’s OpenOffice offers an alternative option, allowing an organisation to use the familiar format of Microsoft Office, whilst making cost savings on the standard Microsoft license costs. However, companies should be aware of the hidden increased costs in support and training if an existing Microsoft house is going to change to a new application."
1) OpenOffice doesn't _belong_ to Oracle. check the headers and the list of contributors and copyright holders: i think you'll find this "claim" to be false.
2) have you ever heard of "kitchen" support? companies that ban people from congregating in kitchens often experience a massive spike in internal IT support calls. perhaps this is merely a psychological issue: those people want _somebody_ to speak to, so they subconsciously "break" their machines. perhaps it's merely that people talk during their breaks, and find, especially in a very large organisation, that amongst their peers there are some people who tend to be more knowledgeable than others, and they help _each other_.
3) if you need "training" of people who can't move a mouse over an icon to activate the "tooltips", and who can't tell that there's no difference between a "File" Menu on MS Office and a "File" Menu on OpenOffice, then you REALLY need to get some less stupid employees. GUIs are there to help people who have no ability to "recall". they help people "recognise" - they help people use "recognition" over "recollection" as a means to get things done. the clue is in the word "recognise". "re-cognise". look up the word "cognize" in a dictionary some day. it's a real word. not made up or anything. unlike most of the article.
"The smaller company often has ..."
"Through using open source solutions, ...."
good god - i take it all back. two whole paragraphs that i have nothing to criticise. well done! throw away the rest of the article, just leave those two paragraphs, and you'll have an informative readable article. hurrah! well done BCS.
"The reality of open source security Open source has advantages and disadvantages. The most widely used argument for not using open source is the additional layer of security through obscurity a closed source application provides."
you've clearly not actually read any free software source code, then, and probably haven't read much source code _at all_. try looking at fontforge's source code some day. i'm an experienced free software developer, and i swear it would take me _months_ to remotely understand how that code works, it's _that_ specialist.
but, joking aside: go get yourself a copy of hex-rays, run it on some windows DLLs that you have the source code for, and then sit the decompiled code side-by-side with the original. i think you'll be in for a bit of a shock.
"This argument is slightly misleading."
"An open source operating system contains many thousands of lines of code, and the complexity of reading and understanding the entire open source code and then spotting and exploiting vulnerabilities in the code is an arduous task that is difficult and often requires highly specialist knowledge."
oh for [DELETED] sake. since when is that something that's _exclusive_ to free software? code complexity is due to users' constantly increasing expectations of computing, and it's NOT exclusive to free software. at least with free software, the discussions are invariably online, you can see what's going on, go back in time, find things, and _help_ the developers (if they want you to). you _certainly_ can't do that with proprietary software.
but - i have an apology to make: i actually seem to be agreeing with you about code complexity, and it would appear that you have actually read some free software source code.
who you probably _haven't_ met is some of the people i know from ISS X-Force Research (now IBM X-Force Research), who used SoftICE to decode x86 assembler (before hex-rays existed) and who just discovered vulnerabilities and flaws in software, directly from the assembler code.
you _don't_ need the source code to find vulnerabilities, and in fact it actually often gets in the way, because the flaws such as buffer overruns or stack overflows are to do with the language and/or the compiler as much as they are to do with programming errors. and if you don't know that, you're not a very good hacker (or security expert).
plus, why is this article making no mention of automated attacks and randomisation? i wrote rpctorture ten years ago, it basically did a network conversation up to a certain point and then started sending random crap instead (or inserting or removing random data). it was _great_ for detecting flaws, as it found things that a human could never reproduce, by quite literally overwhelming a remote system under analysis with possibilities.
such monte-carlo style testing _completely_ undermines this [DELETED] "security through obscurity is best" argument, because simply through sheer overwhelming numbers, randomisation _will_ find that one bug that you would never find by "manual" testing or by looking for years at the source code.
monte-carlo testing basically levels the playing-field between free software and proprietary systems. well... more like nukes it.
why in god's name has this person been allowed to write this article, when even basic things like this aren't even mentioned??
"On top of that, when speaking to many open source users, penetration testers and hackers, you could count on one hand the number that would even be interested in reading and understanding such large applications. They prefer to use the open source operating systems and the plethora of tools that have already been written to test closed source applications. It’s just that much easier."
i don't even understand why this paragraph is here, because... i don't understand this paragraph. perhaps it contains some coded cypher. perhaps it contains the key to unlocking the secret message in nostradamus' prophecies. who knows. but anyway - i think this paragraph translates as: "i know - let's take the average person in the street, and let's take people with specialist skills, and let's ask them if they'd like to spend their time learning completely different skills that are of absolutely no interest to them. let's completely forget about the people coming out of university who want a bit of a challenge, who actually _decided_ to get a training in software development, and are wondering how to keep themselves occupied whilst looking for a job. let's completely forget about the google summer of code programme. let's forget about all the intelligent people in the world (such as myself) who excel at simply diving into massive random bits of source code and becoming familiar with it in weeks (except for fontforge - i reaallly don't get that code)". ok, enough with the sarcasm, i think you get the point.
"Although the argument for security through obscurity is a powerful one,"
HAHAHAHAHAHAH ahHAHAHAa. i'm sorry, couldn't help it. laugh? i nearly did.
"its significance is overplayed within the open source debate as a serious attempt to find a system vulnerability begins with the attacker writing a specific application to look for system vulnerabilities - a tactic that works equally well on open and closed source systems."
hooray! why the [DELETED] didn't you say that earlier? and why insult the readers' intelligence by not mentioning the names of such techniques, so that people like myself don't rip this article to shreds??
so, you go to alll the trouble of making "security through obscurity" implicitly the main argument for favouring proprietary software, and _then_ towards the end of the article, _then_ you say "actually, security through obscurity isn't great"??? [DELETED]
"Open source in business can offer organisations a significant advantage and should not be overlooked because of concerns over security."
don't think of the pink elephant, don't think of the pink elephant! err... _what_ concerns? the entire article reads like an implicit attack on free software, only now i'm really confused.
"Although this is an important issue to any organisation, data and system security can be equally or more secure with an open source system than the alternative."
in other words, you're hedging your bets. you don't _actually_ have any clue, or any real advice for people, and decided that it's best to come up with an inconclusive conclusion. i thought conclusions were supposed to... conclude? i could be wrong, i'm learning new things all the time, especially here, wow.
"Both open and closed source systems have advantages and disadvantages. Although security experts are unlikely to unanimously agree on the best route for an organisation to take, it is critical that organisations protect their most important asset, their data, regardless of which path they take."
great! another paragraph i agree wholeheartedly with. it's such a pity that the rest of the article gives me absolutely _no_ good advice that i can make use of to make any decisions, one way or the other.
"Can open source be secure in business? Yes - but organisations should not rush into an open source system without considering all of the other issues that come as part of the package. Ultimately open source is a moving target, closed source is a stationary target - both are targets that need protecting."
you should have stopped at the previous paragraph. or maybe stepped out to the beach for the day and allowed the deadline for submission of the article to expire.
organisations should not rush into ANY software system without considering all of the other issues that come as part of the package, and you haven't really advised readers what those issues are. in fact, you've misled them quite a lot, on an authoritative web site such as the BCS, no less. oops.
Ultimately ALL software is a moving target for as long as users' requirements change. humans change their minds. [DELETED] happens. the world spins. it's just that you don't get to _see_ the process of development behind "closed proprietary doors". should you somehow feel "more comfortable" because you can't see what's going on?? read dilbert for the best answer to that one.
ultimately, the development models are just... different - radically different. free software is about returning to "software as a service" as opposed to a "boxed product" mentality, where back-handed ways to maintain monopolies, and obsolescence and _deliberate_ yes deliberate early-release and deliberately installed bugs are the only way to guarantee continued income.
these kinds of tactics are why i flatly refuse to use proprietary software, except in absolute absolute specialist areas where there is literally no alternative, and no way that "grass roots" would result in a free software project beginning, let alone taking over. modelling in 3 dimensions of gas / molecular simulations, for very large companies such as Boeing, so that they can do accurate jet engine simulations. real-time engine management software where absolute safety and a 5-man team doing line-by-line code reviews justifying and discussing absolutely every single line of code is paramount. google's massively distributed search engine. these are highly highly specialist software tasks that take incredibly intelligent people _years_ to get right, and you simply don't get the average kid out of university knocking together something like that "for free".
although, FlightGear did knock even its proprietary commercial competition off its perch, to the extent where the commercial competition abandoned their own product, they submitted their data and code as free software as a contribution to FlightGear and then started selling and supporting FlightGear instead!
i have to confess: it's easier to knock somebody else's article than it is to give you some concrete advice, especially unplanned at midnight, but let me try to regurgitate something:
* the author is right in one respect: you DO need to think seriously about what software you're going to deploy, and to properly plan ahead for protection of assets. first by working out which assets are most valuable - i.e. which ones earn you the most money. this is a _business_ evaluation, not an "IT" evaluation. i have a friend who specialises in this kind of analysis: he told me about one example where, in a room full of servers, _one_ machine which was unmarked, not backed up, and had _no_ redundancy of any kind, was responsible for 90% of the company's revenue. the rest of the servers were [DELETED].
* for the _average_ business, free software such as Firefox, OpenOffice, Apache, Ubuntu, PostgreSQL, MySQL and so on are _perfectly_ adequate replacements for the proprietary alternatives, and it's only because the proprietary software is "ingrained" into people's skulls that they complain. anyone _not_ exposed to microsoft software, when put in front of the free software alternatives, just "gets on with it".
* for _specialist_ tasks, it's a different story. there simply isn't the overwhelming statistical numbers (million monkeys) to result in the creation of specialist software as _free_ software. this doesn't mean that you should deploy an _entirely_ proprietary software stack throughout the entire business (baby, bath-water..) the key here is the word "specialist". does your business _really_ need specialist software?
* for free software, you are immune from windows viruses. at a quarter of a million new viruses per year and _exponentially rising_, the microsoft monoculture is, like any biologist will be able to tell you, imploding. get out while you still can is my best advice.
* for free software, the "diversity" which is sooo scary, actually _protects_ against virus attacks. it's simply not possible to write a virus which can simultaneously target 150 subtly different linux distributions, when you don't even know if some of those systems are going to be Intel x86 boxes or not: they could be increasingly MIPS or ARM-based. if the processor is an ARM processor, it simply _cannot_ run x86 code, and that's the end of it: any x86 virus is dead in the water on an incompatible processor. but because you have access to the source code, the application (firefox, openoffice etc.) can be compiled for that processor, and it will just work, regardless of the CPU it's running on. you cannot *get* microsoft windows 7 for ARM or MIPS (but you can get Windows NT 3.5 from 20 years ago, or Windows CE! try running your business on those!)
that's all i have time for - there is obviously more, but i'm not getting paid to write this, so i will stop. if anyone would actually _like_ to pay me for having written this, then great! look me up, i'm easy to find.
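The "conversation up to a certain point, then random data" testing described in the comment above, reconstructed as an added Python example that is neither rpctorture's code nor anything from the article. A toy 2-byte length-prefixed handler (constructed for this example) omits the check that the packet really carries the bytes it declares; the corrected handler sits beside it, and a mutation loop keeps the valid header and replaces, inserts or drops the bytes that follow. The protocol, both handlers and the sample message are assumptions made for illustration, and the over-read is found without ever looking at the handler's source.

```python
"""Prefix-then-mutate fuzzing of a toy length-prefixed message handler.

Constructed example: the protocol, the handlers and the sample message are
invented here to illustrate the technique; nothing is taken from a real tool.
"""
import random

BUFFER_SIZE = 64   # size of the fixed receive buffer the handler copies into
HEADER_LEN = 2     # 2-byte big-endian payload length precedes the payload

# Status codes the handlers return (a real service would log these).
OK = "ok"
ERR_SHORT_HEADER = "short-header"
ERR_TOO_LONG = "too-long"
ERR_TRUNCATED = "truncated"


def handle_vulnerable(msg: bytes) -> str:
    """Checks the declared length against the buffer, but not against the
    bytes actually received, so a truncated packet is read past its end."""
    if len(msg) < HEADER_LEN:
        return ERR_SHORT_HEADER
    length = int.from_bytes(msg[:HEADER_LEN], "big")
    if length > BUFFER_SIZE:
        return ERR_TOO_LONG
    buf = bytearray(BUFFER_SIZE)
    for i in range(length):             # models memcpy(buf, payload, length)
        buf[i] = msg[HEADER_LEN + i]    # IndexError here is the "crash"
    return OK


def handle_hardened(msg: bytes) -> str:
    """Same logic plus the missing check that `length` bytes are present."""
    if len(msg) < HEADER_LEN:
        return ERR_SHORT_HEADER
    length = int.from_bytes(msg[:HEADER_LEN], "big")
    if length > BUFFER_SIZE:
        return ERR_TOO_LONG
    if len(msg) - HEADER_LEN < length:
        return ERR_TRUNCATED
    buf = bytearray(BUFFER_SIZE)
    buf[:length] = msg[HEADER_LEN:HEADER_LEN + length]
    return OK


def build_message(payload: bytes) -> bytes:
    """Well-formed message: big-endian length followed by the payload."""
    return len(payload).to_bytes(HEADER_LEN, "big") + payload


def mutate(msg: bytes, rng: random.Random, strategy: int) -> bytes:
    """Keep the valid header (the conversation 'up to a certain point') and
    corrupt what follows: overwrite, insert, or drop bytes."""
    body = bytearray(msg)
    if strategy == 0:                   # overwrite one byte after the header
        pos = rng.randrange(HEADER_LEN, len(body))
        body[pos] = rng.randrange(256)
    elif strategy == 1:                 # insert 1-7 random bytes after the header
        pos = rng.randrange(HEADER_LEN, len(body) + 1)
        body[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    else:                               # drop the tail from a random point onward
        cut = rng.randrange(HEADER_LEN, len(body))
        del body[cut:]
    return bytes(body)


def fuzz(handler, seed_msg: bytes, trials: int, seed: int = 1):
    """Feed `trials` mutated messages to `handler`, cycling the strategies.
    Returns the first input that makes the handler raise, or None if it
    survives every trial."""
    rng = random.Random(seed)
    for i in range(trials):
        candidate = mutate(seed_msg, rng, i % 3)
        try:
            handler(candidate)
        except Exception:               # any uncaught exception counts as a crash
            return candidate
    return None


SAMPLE = build_message(b"A" * 60)       # constructed, well-formed 62-byte message

if __name__ == "__main__":
    # The hand-written "happy path" check passes for both handlers ...
    print("sample:", handle_vulnerable(SAMPLE), handle_hardened(SAMPLE))
    # ... but random truncation finds the over-read in the flawed one at once,
    # while the hardened handler survives the same inputs.
    crash = fuzz(handle_vulnerable, SAMPLE, 300)
    print("vulnerable crashed on %d-byte input" % len(crash))
    print("hardened on that input:", handle_hardened(crash))
    print("hardened survives fuzzing:", fuzz(handle_hardened, SAMPLE, 300) is None)
```

The third strategy always leaves the declared length larger than the payload present, so the flawed handler fails on its first truncated input; the hardened handler reports the same input as truncated instead of raising.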
I agree with what Luke has to say. It seems to me that either Steve Smith does not know what he is talking about or is misusing what is put up as an expert / impartial opinion to promote some commercial interests.
Did the BCS seek independent review of these articles or did it publish whatever it was sent? I am a BCS member and feel ashamed that this goes out with the BCS name on it.
This is a disappointing and unnecessarily biased article, to the point of being misleading.
The title suggests that the content will be about security of open source products, which implies comparison to comparable proprietary solutions, yet it rambles into an uninformed assault on the relative merits of distributed and unpaid development against captive, employed expertise, all without substantive example or citation.
Microsoft may be much more transparent than they used to be about vulnerabilities but we still have Patch Tuesday. By comparison, my Linux machine receives patches, updates and bug fixes almost every day.
For updates to other proprietary software, like for instance Adobe Acrobat or printer software, I have to have other background processes running in the System Tray to alert me of their sporadic updates. My Open Source updates on Linux all come through one channel, monitored by one application.
In addition, Open Office is backed by Sun, now owned by Oracle; Ubuntu Linux is backed by Canonical; Firefox and Thunderbird are backed by the Mozilla Foundation, all of which are large organisations, not the implied pasty-faced, long-haired friendless geek writing untested code in his bedroom after college.
My point is that open source is serviced by large companies who leverage pools of external developers to deliver bug fixes, patches and updates as soon as they are required. They are released as soon as they are sufficiently tested. Sure, sometimes mistakes are made but there are also examples of Microsoft Updates causing problems due to incompatibilities or insufficient testing. Closed source solutions deliver when it suits them to do so and, until they do, the vulnerability remains present.
Frankly, I'm disappointed by this article. As a BCS member, I expect published articles to contain expert opinion and be well researched to provide an informed and informative explanation of the subject matter referred to in the title. This falls way short.
This is just... Wow. I'm baffled by the bias and utterly misleading snippets this article is riddled with.
I'm a multi-OS user. I've used Windows for about 17 years, DOS falling somewhere within the first 5. I currently use Linux after switching to it almost a year and 8 months ago. I've also had the chance to use Mac OS X on more than one occasion.
When did Windows get Winsock? When did they address teardrop issues and similar (D)DoS attacks?
Remember XP, SP1-SP3? I sure bloody do. Half the time they are quite lazy with the way they apply security patches. Packet fragments between SP1 and SP2? Anyone remember that?
What the hell happened to raw data? If you can answer these questions then I give you the prized label of not being utterly clueless.
Microsoft screwed up in security. Big time. They knew they had to start changing it otherwise they would be simply overrun by exploits (you'll find more exploits on Mac OS X, oddly enough... A closed-source OS based on FreeBSD - which is open source. Does FreeBSD suffer from similar exploits? Hah! No. Are they closed source? About as closed source as I am a Martian).
Why do you think they adapted the 'pseudo' functionality in Vista/7? And even then, they did a rather botched job. XP had something similar but nowhere near as sophisticated. There were (and still are) exploits that actually undermine the pseudo (I believe that is what it's called, ironically) functionality in Windoze to target critical elements of the OS.
Look up some Secunia reports. See where closed-source sits, and where open source sits.
This is biased hogwash, and I'm actually shocked that it somehow was passed as an article.
www.groklaw.net/pdf/Comes-3096.pdf tells about "The Stacked Panel", a deception used by Microsoft to "compete" against its competitors. The method is more than unethical, it is fraudulent. James Plamondon, the first trainer of Microsoft's "Technical Evangelists" explains the subtle differences between an unbiased panel and one set up by Microsoft:
"I have mentioned before the "stacked panel". Panel discussions naturally favor alliances of relatively weak partners - our usual opposition. For example, an "unbiased" panel on OLE vs. OpenDoc would contain representatives of the backers of OLE (Microsoft) and the backers of OpenDoc (Apple, IBM, Novell, WordPerfect, OMG, etc.). Thus we find ourselves outnumbered in almost every "naturally occurring" panel debate.
A stacked panel, on the other hand, is like a stacked deck: it is packed with people who, on the face of things, should be neutral, but who are in fact strong supporters of our technology. The key to stacking a panel is being able to choose the moderator. Most conference organizers allow the moderator to select the panel, so if you can pick the moderator, you win. Since you can't expect representatives of our competitors to speak on your behalf, you have to get the moderator to agree to having only "independent ISVs" on the panel. No one from Microsoft or any other formal backer of the competing technologies would be allowed – just ISVs who have to use this stuff in the "real world." Sounds marvelously independent doesn't it? In fact, it allows us to stack the panel with ISVs that back our cause. Thus, the "independent" panel ends up telling the audience that our technology beats the others hands down. Get the press to cover this panel, and you've got a major win on your hands.
Finding a moderator is key to setting up a stacked panel. The best sources of pliable moderators are:
-- Analysts: Analysts sell out - that's their business model. But they are very concerned that they never look like they are selling out, so that makes them very prickly to work with.
-- Consultants: These guys are your best bets as moderators. Get a well-known consultant on your side early, but don't let him publish anything blatantly pro-Microsoft. Then, get him to propose himself to the conference organizers as a moderator, whenever a panel opportunity comes up. Since he's well-known, but apparently independent, he'll be accepted – one less thing for the constantly-overworked conference organizer to worry about, right?"
I guess we can add to the scenario a former computer "society" publishing papers written by an "independent" consultant. The goals of the BCS seem to be in conflict with its behavior.
The comments I've written have been subtly edited. Unfortunately, some of the edits leave out some of the things that I said, as well as removing all the swearwords and occasional witticisms that I used to emphasise the points and underscore the ridiculousness of the original article.
anyone wishing to find the original can do so by looking up the latest article on advogato.org.
The open source vs proprietary software debate is always a heated one. We have asked the author of the article to respond to the reader criticism.
BCS is absolutely against censorship, but as a professional organisation we have a responsibility to remove expletives, profanity and any comment which could potentially be construed as libellous from our site. The original comment has been replaced with all deletes highlighted; we apologise for any upset the initial editing may have caused.
Well, let me see if I can trigger the editors. I promise, no swearing. :)
The incompetent jerk who wrote this piece of garbage didn't bother to do even the most basic research. For heaven's sake, just try a basic Google search to find all the refutation necessary:
Whenever FOSS is compared to closed source code fulfilling the same function, the FOSS code is clearly more stable and secure. The more mature the project, the wider the divide.
(Graham Chapman voice) "Git."
Almost forgot one possibility. It's possible that the author is competent. In which case, I can only assume that such a glaring set of misstatements about FOSS is a deliberate lie. In either case, publishing this article does the BCS no credit.
Have I triggered the editors yet?
This article is so riddled with unsupported assertions and flat out FUD that it amazes me any reputable forum would waste time on it. The author basically argues that closed source systems are more secure because the underlying source code can not be accessed. That "security through obscurity" is good security. Balderdash!!
Hi all, thanks for your feedback. We are asking the author to reply on this. BTW, the editors are only triggered by profanity, things libellous and the like. We don't mind honest straightforward comment.
Once again, Luke Leighton (lkcl?) says what needs to be said, fisking the article as it deserves. The full version of his article, including swearing, is on the front page of the advogato.org programmer social network site. BCS = Bad Computing Society?
That's an awful lot of (mostly deserved) vitriol.
Let's not offend BCS into never publishing anything again, however.
Calm and reasoned refutation leads to a debate. Angry rebuke tends to kill discussion.
Luke, your comments were more interesting than the article, which I couldn't be bothered to finish, with all its bland misstatements.
I read the article in full, as this website area was pointed out to me as a reason for me to reconsider my decision to let my BCS membership lapse when I completed my degree, as I felt at the time that the BCS was likely to be actively hostile to my likely career path.
Having read the current top ten articles at http://www.bcs.org/server.php?show=nav.7, it's clear that the BCS still does not consider my role as a professional software engineer and amateur computer scientist important; instead, the BCS appears to have decided (as exemplified by this article) that it is a place for IT businesses to push their wares at overwhelmed IT managers.
I hope that when I re-examine this choice in 10 years time, the BCS will have decided that it is important to provide something for those of us who directly work "at the coal face", not those of us whose interaction with computing systems is mediated by systems and network administrators.
I must admit to being a Chartered Member for a number of years, but I reached a point in 2007 where I found being associated with the BCS was just too embarrassing, so I allowed my membership to lapse.
Little seems to have changed.
Steve starts out by raising a number of questions that on the face of it sound entirely reasonable; after all, experts argue in every field and you can always find some who will disagree and some who are paid to disagree. But reading on, come on Steve, this is the same discredited rubbish M$ have been spewing out for years. Have you really been taken in, or can I get away with "written like a true M$ Fanboi"??
I'm not going to take the whole article apart, Luke seems to have covered that, let me just comment on the last paragraph.
>Can open source be secure in business? Yes
Without explicitly defining "secure" in context this is a bit of a non-statement - what's it for? Some sort of condescension?
>but organisations should not rush into an open source system without
>considering all of the other issues that come as part of the package.
So what you are saying is that there are "issues" with Open Source that would put you off if you were to really look into using it?
How do you justify this as a balanced statement? If the alternative is closed source, it's like giving someone the choice between a BMW and a Reliant Robin and saying "yes, but if you look into it you'll find that the BMW doesn't carry a spare tyre!", and forgetting to mention that the BMW comes with "run-flats". Sure there are always things to think about, but your statement does seem a little biased in one direction whereas the choice for the *majority* of experts would lean towards "nobrainer" in the other direction.
>Ultimately open source is a moving target, closed source is a stationary target - both are targets that need protecting.
I'm not sure exactly what this means, anyone care to interpret? He seems to be saying that Open Source is a moving target, hence more difficult to hit, hence more secure .. did I get that right?
I came back here because my brain was still boggled. It's funny, because I spent a portion of my break yesterday thinking about the third point Gareth has just made.
He pointed out a line from the article stating:
"Ultimately open source is a moving target, closed source is a stationary target - both are targets that need protecting."
I find this most ironic. Of course both need protecting, but in varying degrees, and varying ways. Ultimately, different layers and applications.
Closed source is stationary and for this reason alone is more susceptible to attack than open source (Linux for example, due to its modular nature, can rebuild itself or add onto itself as it deems fit. SELinux speaks for itself in that manner.) The changing needs of the FLOSS community (especially in security), the ability to find/track bugs by multitudes of people and the underlying security architecture make it solid for these reasons. I mean, hell, it's a point that factually reinforces Luke Leighton's statement made earlier in regards to this.
Can anyone tell me what ring the GUI and Windows (ha ha! /slaps knee) system runs on in... Well, Windows?
I'll give you a hint. It's the ring that makes your OS go 'boom' if there's a crash. I know this is a poor argument but this example is for the sake of debate: if you know you can always depend on such factors, then through a plethora of attacks and exploits you can successfully crash the OS. This is where it can be quite dangerous.
Linux is modular enough to at least give you the ABILITY to run at different runlevels (and thusly, restrict applications to a certain range on the OS ring). Init 3 and servers are best friends. However- where does the GUI/Window system sit in Linux? Init 5, outer ring of the OS (The 'Go ahead, crash and explode as much as you want, ring' - The kernel sits back comfortably, untouched, sipping on pina coladas watching the fireworks- as rare as they are).
Open source- per this point- is in some manners also stationary, but has the OPTION, and ABILITY to be a moving target. It CAN change if the community deems it fit.
Oh, dear, such deep, perhaps even honest, misunderstanding of the Open Source ecology and its implications for business.
Most fundamental is the curious theory that you get a service level from proprietary vendors that you cannot get from Open Source. Oh, the stories I could tell! But IANAL so I'd better not try. My experience is simply that proprietary vendors are more interested in their own bottom line than in the client's software problems. Open Source support organizations (of which many have been named by other respondents) base their business model entirely on solving their clients' software problems - issuing security patches and suchlike where a commercial vendor all too often refuses.
It is true that Open Source is not a panacea. Security through obscurity has its place. Any company investing in new systems needs to evaluate all options, and a good consultant can work wonders. But, sadly, not the consultant who wrote this article.
How is the response? Is it going to come? I'd love to read it. :p
What's he going to say, "Ooops!" ?
As Chair of the BCS Open Source SG (OSSG) - I've put up a post related to this article and more at http://ossg.bcs.org/
I think you will find this interesting reading.
The author seems to forget that nowadays, most proprietary software relies on open source software. Eclipse, nsort, xerces, java are just some examples I can think of at the moment.
Oh yes, bcs.org is also built using php. :)
What a terrible article. I hope this was an opinion piece and not an editorial and appeal to the editorial staff to make this clear. Otherwise I will be resigning my membership forthwith; in my job - the shadowlands between open and closed source - it's professionally embarrassing for me to be associated with such an article.
I am certainly not one to advocate illegal action, so I strongly hope that the irresponsible Open Source security experts do not feel the need to hack into Pentura's servers to try to prove any points against Mr Smith. Such an action would be childish and pointless and although I'm sure a lot of people would find it funny, it would be very wrong.
I have to agree with Annoyed Member; it needs to be made clear that this was an opinion piece from someone who clearly does not have the knowledge to be associated with the BCS. I have considered whether there is any value in membership several times over the last 10 or 12 years and each time, I get closer to resigning.
You're an idiot, Mr. Smith.
You NEED open source security programs, so that you can see just how secure it is. For all you know, your beloved Microshaft has very unsafe software.
Well, is open source secure? I will answer Mr. Smith with one good example:
One year ago the London Stock Exchange had a serious problem with a .NET/MS product crash. After that, do you know what they chose? The answer is: YES, OPEN SOURCE!!!! They moved to a new platform to make sure that they will not have the same problem in the future. I would recommend anyone to read about this, because it is a very well-known problem. Just go to Google and you will see there are a couple of documents about how the London Stock Exchange moved from MS to an open source platform for security and stability reasons.
"Seeing is Believing"
For an organization which is CHECK accredited I do have to wonder how many of the employees who work at Pentura are banging their heads against the desk having read what their MD thinks of open source?
I only got to know of this from The Register and when I read what Mr Smith had written I was cursing under my breath as well. He should have gone and done his research better, before nailing his colours to the pole.
Open source is a constantly changing environment and, as someone who uses a Linux OS, I can honestly say it is better than some other OSs I could mention... maybe BCS needs to open its eyes every now and then; it might be surprised what open source has to offer rather than sticking to two closed OSs I could mention.
Let me guess: you were funded by an intellectual property LLC company that a former employee of Microsoft started, or a group of them started, but yet are in no way connected to or funded by Microsoft.
Why don't you ask the NSA about open source and see who is more secure.
I believe they chose open source so they can get the utmost security.
I can lock a box down with SELinux but it is the vendors (probably the same vendors who fund this organization) who have the problem with security. Tell them to stop opening ports and running as admin on the boxes and all will be good.
Any organization who wants the utmost security will choose open source because they can get to the source code and they can audit the code and what is running and compile in a clean environment.
So please save all the diatribe for the people who think they know what they are doing and stop disguising yourself behind an organization which is funded by silly organizations who are trying to keep their dying model alive.
I am an avid open source user and advocate.
I agree with many of the critical comments, but I think that some of the posts and vitriol (to use another commenter's words) are due to over-sensitivity. If you read carefully and WITHOUT GETTING ANGRY, you will see that the author tries to make a case that Open Source software has its place and its strengths. However, the author does a poor job of elucidating and expanding upon the statements made, and the whole article feels very amateurish and lacking in real depth. As well, many of the sentences communicated are blatantly false and/or misleading as most FOSS advocates can easily understand.
I can't really believe Mr Smith would be such an ignorant person. I'm more inclined to believe he was offered some financial incentive for spreading such misinformation.
Was it worth it Mr Smith? You don't seem to care about your reputation/credibility. What about Pentura? It definitely won't bring you more clients, will it?
Looking forward to your response to the comments above
In contrast, there is a well argued article in PC World on why open source is more secure.
What an awful article. Amazing to see it published on the website of a professional institution.
If I were a Pentura customer I'd be walking away sharpish and if I were a BCS member I'd be demanding the head of the editor who published this drivel.
Am quite amused that the MD of a small security firm who are a partner of Sourcefire (wonder what Marty Roesch thinks of this article) would create an article so incredibly full of inaccurate research and invalid statements.
This isn't editorial. I've read more rationale on the back of a packet of Swan Vestas.
What would I know? I just created one of the world's most widely used Open Source security platforms that's spawned 30m+ installs in SmoothWall, IPCop, Endian and other formats since August 2000, without breach or security incident. It's also made a lot more revenue than Pentura.
Thank you for all the comments in response to our by-lined article ‘Can open source be secure?’, which was featured in the July edition of ITNow.
We are pleased it has generated such a passionate response and would like to highlight our reasoning behind the style and tone of the article, which was written as an opinion piece to generate a discussion within the industry.
The article was not written to define which option is technically better than the other, as the open source versus proprietary software debate is always a heated one. It was simply designed to discuss some of the options available to organisations based on our experience of using both open and closed source code and the pros and cons of each from a general business point of view – hence the deliberate omission of technical information.
Our intentions were not to mislead readers, simply to engage businesses in the debate. We encourage continued discussion on this subject as it can only be beneficial to all organisations considering these options.
Hello again. Actually, maybe you don't want to mislead people, but the document is confusing some of the readers (I am one of them). The open source community has a faster response when there are problems or security holes than MS. Yes, the source code is open to everybody and you can see it for yourself to make improvements and to check what is right or what is wrong. But when you add this:
"By its very nature, open source applications expose the source code used to write programs to examination by everyone, both attackers and defenders. Experts argue that keeping the source code closed provides an additional layer of security through obscurity."
and then this:
"Although Microsoft has become very efficient and transparent with their security vulnerabilities, this still leaves a window of opportunity for anyone who has discovered a security flaw prior to a patch being issued to exploit the vulnerability. On the upside, you can usually rely on the patches being dependable and generally not causing systems to crash as they go through a process of quality testing before being released. "
"Alternatively open source applications can be updated via the community as developers release updates free-of-charge for the good of the open source users. However, there are no guarantees that the patch will be written and released at all, let alone the quality of the patch, as there is no overriding responsibility to provide a service level of any kind"
You are telling people that MS can be better than open source, and that matters because everybody knows the thousands of security holes that MS has compared to open source. Even recently, Google decided to change their Windows machines to Mac or Linux because of the attack by the Chinese hackers. So, is open source not the best option? See the article here:
So, is MS more secure than open source? I ask myself: if MS or Windows is supposed to be secure, why do we need to install an antivirus, firewall and antispyware? If an MS product is supposed to be secure, then you don't need those applications to have good security. With Linux you don't need all that stuff, because it is more difficult to hack a Linux machine than a Windows machine; even doing a bank transaction on Linux is more secure than on the MS product. See here the information about it:
Finally, as I know it, the NSA (National Security Agency) in the USA wrote the security system that is inside Linux and BSD systems. That means that Linux and BSD systems have a stronger security system than MS products. Here is the article for those who want to read about it:
I would change your title to the following: "Why is open source more secure than MS products?". That's my thinking.
A few links around this topic and the July edition of ITNow
I'm kind of thinking should OSSG hold an event around this?
Just to point out the utter hypocrisy of the original poor-excuse-for-an-article, and the BCS alike, here is a quote:
"Steve Smith, Managing Director of IT security consultancy Pentura, looks at the implications of using open source in business and argues that security is just one issue that organisations need to consider when contemplating an open source system."
But Steve then tells us in his response, Comment 37:
"The article was not written to define which option is technically better than the other, as the open source verses proprietary software debate is always a heated one. It was simply designed to discuss some of the options available to organisations based on our experience of using both open and closed source code and the pros and cons of each from a general business point of view – hence the deliberate omission of technical information. "
I think anyone with just a little more than two dead cells up in their skull can draw conclusion.
I've been in computing since the age of 9, and a professional, an academic Computer Scientist for at least 20 years and the director of a commercial organisation that makes a living selling technology and software; I can safely say that never, ever, have I seen such an unworthy stockpile of rubbish being published as an article on what is supposedly a reputable organisation's web site.
For God's sake, if you are going to even pretend to write technical material, then please do yourself a favour and READ before you even try to start the argument.
Any undergrad can do better, and, which is so disturbing and reassuring at the same time, reading this has reinforced a life-long belief of mine not to have anything to do with the BCS, nor with the utter trash being sold to us as "IT", let alone what that actually means.
There I sat, considering joining BCS as after a quarter of a century in the business, I thought it would be a good club. I actually did the ECDL. I have my plastic card to say I did. That was so embarrassing that I cannot admit it to anyone. Completely useless and designed by someone to give everyone on the planet a qualification. Now this article comes along. So shockingly bad that I actually feel confident to quote Groucho about any club that wants me... It is only £95, but it is £95 you have lost because of this article. I will not be back. Shoddy and incompetent!
This article has already been substantially corrected by other people in their comments.
I just got a question, it's a burning question....
How much money did Pentura get from Microsoft for writing and submitting this article?
Steve Smith is obviously a Microsoft drone; Google implies this with some simple searching. BCS has obviously let this trash slip through. Pentura is probably financially connected to or dependent on Microsoft.
Please fix this.
I have one question: why is this article still up on the BCS site? The least that moderators could do is put a disclaimer at the **beginning** to the effect that if you read this it may make you very annoyed and it's not endorsed by BCS. As it was I read a lot of it with growing disbelief until I got to the comments. Serious brand damage. As a member I don't appreciate that. Paul
Steve Smith's opinion seems to be formed around the idea that proprietary software benefits from a company wanting to make a profit. That they are inclined to make fixes more so than those people working on open source.
What he seems to have completely missed is the number of large companies that are vested in open source and make money from it, which also have a serious interest in ensuring the security and reliability of the software, if it just boiled down to money as the influence.
However open source was more secure before most of them came along to start with. Probably because the users who participate have an even greater want for that security than relying on someone just telling them it is secure.
If you look at proprietary software you can only run external checks on it, but you have to rely on the manufacturer to say there are no code issues. From my experience in the field they tend to lie; they have an incentive to do so, called profit.
As to BCS allowing free speech: it isn't a good reason to allow an article like this to even be printed. Allowing someone to print an opinion is one thing. This is not an opinion; it is at best an outright lie. Allowing the publishing of such a blatant lie and/or attack does nothing for this site's reputation.
Where is this author living ? Anyone who has been in IT for any number of years knows the world runs on FOSS. Only people who are incapable of coding would even make the mistake of thinking closed source would be superior in any way.