i am very confused. the BCS is supposed to be a reputable organisation,
yet this article - every paragraph - is complete horse-shit. i thought
about saying otherwise, so that the chances of this comment not being
censored are reduced, but i cannot think of any other words to choose
which express clearly enough what _really_ needs to be said.
let's go through it.
"Experts do not agree about open source security in terms of whether
there is an advantage or disadvantage to its use in the business world."
which experts?
"Experts argue that keeping the source code closed provides an
additional layer of security through obscurity."
... for about 5 minutes. ok, that's maybe an exaggeration. in three
weeks, i reverse-engineered a binary linux kernel to the point where i
could get a replacement running on a closed system. the "security" they
added was a complete joke, relying on an EEPROM which, if you didn't
read what was in it... well, an analogy is like asking someone to leave
a key to the front door under the mat, with a note on the front door
saying "if you are a robber, please don't look under the mat".
the only reason the reverse-engineering took three weeks was because it
has been a while since i did ARM disassembly, and if it had been x86 and
i had money, i could have bought hex-rays which is capable of
disassembling x86 code _directly_ into c-code.
so the whole idea of adding security through obscurity is horse-shit for
two reasons: a) skilled people have the tools to piss all over binaries
as if they were source code _anyway_ b) obscurity usually means "we
don't consult any _real_ security experts, we _think_ we know best, but
we're not going to get this peer-reviewed 'for secuuuurity reasonns',
we're just going to believe in our own arrogance".
even microsoft has some of the world's best cryptographers - they hired
them so that nobody else could get them. they sit in their offices.
does anyone actually come and consult them? of course not.
"However, just because the source code cannot be seen, it does not mean
an application is secure."
hooray! a sentence i agree with. once you wrap your head round its
similarity to "just because you're paranoid _doesn't_ mean that everyone
isn't out to get you", it actually makes sense...
"Microsoft, as well as many other leading vendors, is well known for
releasing regular patch updates to fix security vulnerabilities."
only on the issues that get found / reported. i presume you've seen the
reports of underground sales on IRC channels, of "undiscovered" flaws,
to the highest bidder? if someone _really_ wants to walk through to
somebody's commercial secrets, they need not look very far, just have a
lot of money.
"Although Microsoft has become very efficient and transparent with their
security vulnerabilities, this still leaves a window of opportunity for
anyone who has discovered a security flaw prior to a patch being issued
to exploit the vulnerability."
yes. which usually means that someone made a mistake in going a biiit
too far with the creation and spread of their virus, so that it ended up
being detected (whoopsie) but that's ok, because they can always go back
to that IRC channel and spend another $5k+ on yet another unknown
vulnerability.
"On the upside, you can usually rely on the patches being dependable
and generally not causing systems to crash as they go through a process
of quality testing before being released."
the implication being, because you never bothered to check whether there
_was_ a process in the major free software projects, that free software
teams are somehow irresponsible? sorry, but you either need to get laid
or you need to get out more. take your pick, i don't mind which, but
please ... *click*.... who allowed this article to be published in the
biased state it's in???
"Alternatively open source applications can be updated via the community
as developers release updates free-of-charge for the good of the open
source users. However, there are no guarantees that the patch will be
written and released at all, let alone the quality of the patch, as
there is no overriding responsibility to provide a service level of any
kind."
sentence 1 contradicts sentence 2. either that, or the implication is
that "developers releasing updates free-of-charge for the good of the
community is somehow... irresponsible".
it's worthwhile pointing out that if this is a problem, then PAY THE
DEVELOPERS SOME DAMN MONEY for god's sake. your business saved enough
money not having to pay for proprietary software, so damn well give some
to the developers, contract them to do the required improvements, give
them a maintenance contract _anything_.
concrete example also where this paragraph is horse-shit: the french
government converted to OpenOffice. the french security services found
a number of security vulnerabilities. they reported them to the
openoffice team. the openoffice team fixed them.
i know a number of free software projects that have private mailing
lists for the discussion of security vulnerabilities. samba is one of
them. they do an extremely thorough job.
"When large numbers of corporate users are involved, IT departments will
look at IT support contracts and SLAs, licensing costs and systems
management, as well as system and user security."
most of the time they ignore the fact that they are totally locked-in,
and cannot migrate, even if they wanted to: it's too late. there's no
alternative. i've dedicated about four years of my life so far to
bridging the gap, kick-starting projects that needed to even _begin_ to
bridge the gap between the microsoft proprietary and the free software
worlds, so i know what i'm talking about.
to discuss this entire issue _without_ even mentioning the yawning gap
between the two technological bases (MS proprietary and Free Software)
completely undermines the entire article.
"If a business chooses to run an open source system, IT system support
is likely to be one of the biggest issues an organisation faces. Due to
the lack of commercial responsibility and the un-managed nature of an
open source system, established IT support offered by organisations such
as Microsoft is rare and relying on a disparate team of developers who
write open source code has obvious risks."
horse-shit. you've been taking too many drugs, again, naughty man. the
samba team core members have been in the employ of one organisation or
the other for nearly.... fifteen years. the apache team members longer
than that. the top people in free software are rare but they make their
living by being _the_ top experts in their field.
... and you are forgetting: google, IBM, HP, SGI, Sun, novell, redhat -
all these companies rely _heavily_ for their success on having the
"major" free software project developers happy, funded and taken care
of. it's not exactly orchestrated, but they tend to "divvy up" the
developers between them. jeremy allison quit novell in protest at their
deal with microsoft over patent licensing, and went to work for google.
i'm kinda getting tired already of pointing out the flaws in this
article, so won't attempt to make yet another point on this paragraph:
it's too easy and a bit like kicking feathers.
"During an open source project’s lifetime, it usually forks off into a
variety of different versions,"
err... no "it" doesn't. which ones are you referring to? and the other
point: "welcome to free software! you have the _right_ to do that, if
you think you have the skills _great_!".
... can you do the same thing with a proprietary software system? good
luck with that...
"depending on what developers require of the new application or
operating system. Commercial organisations can often get involved in
this, forking off a version of the open source application and placing
some commercial backing to the project, typically involving a more
structured development approach, a licensing model and structured
support services."
*sigh*. and then, equally, there are individuals who can do the same.
the ruby-on-rails guy isn't a "company", but he's still the world's
leading expert, and he _on his own_ gives a structured approach and
structured support services, like... by writing a book and giving
lectures and tutorials.
what _exactly_ is the point of mentioning this?? *spits out a feather*.
"This offers users the best of both worlds, where they can benefit from
access to the open community of applications whilst still having someone
to turn to if they have problems."
err... such as the core developers, as well? by emailing them direct,
and offering them benefits-in-kind or, shock-horror, even some money?
hellooo? can you even _remotely_ imagine a situation where you could
gain direct access to the developers, the best people to solve technical
issues, in a large proprietary corporate structure??
"The important part to note here is that the commercial organisation is
still extremely keen to ensure the success of the open source project
from where their commercial solutions have originated; thus giving
something back to the community that has helped them become successful
and to ensure future open source ideas have a chance to nurture and
grow. Novell’s Suse Linux, Sourcefire’s Snort and Oracle’s OpenOffice
are great examples of how successful this partnership can be."
what does this have to do with open source being "secure"? yes, great,
you've just misled readers into believing that the only way that free
software can be funded is by paying novell or oracle instead of the
developers themselves, but what in hell's name does this have to do with
the main focus of the article: "security" in free software?
"The cost of maintaining open source applications is another important
factor to consider."
the cost of maintaining insecure windows systems is another important
factor to consider.
"An organisation with a 2,000 seat license for Microsoft Office faces
significant licensing costs."
good god. the second sentence in this dog's dinner of an article which
i can whole-heartedly agree with.
"Oracle’s OpenOffice offers an alternative option, allowing an
organisation to use the familiar format of Microsoft Office, whilst
making cost savings on the standard Microsoft license costs. However,
companies should be aware of the hidden increased costs in support and
training if an existing Microsoft house is going to change to a new
application."
1) OpenOffice doesn't _belong_ to Oracle. check the headers and the
list of contributors and copyright holders: i think you'll find this
"claim" to be false.
2) have you ever heard of "kitchen" support? companies that ban people
from congregating in kitchens often experience a massive spike in
internal IT support calls. perhaps this is merely a psychological
issue: those people want _somebody_ to speak to, so they subconsciously
"break" their machines. perhaps it's merely that people talk during
their breaks, and find, especially in a very large organisation, that
amongst their peers there are some people who tend to be more
knowledgeable than others, and they help _each other_.
3) if you need "training" of people who can't move a mouse over an icon
to activate the "tooltips", and who can't tell that there's no
difference between a "File" Menu on MS Office and a "File" Menu on
OpenOffice, then you REALLY need to get some less stupid employees.
GUIs are there to help people who have no ability to "recall". they
help people "recognise" - they help people use "recognition" over
"recollection" as a means to get things done. the clue is in the word
"recognise". "re-cognise". look up the word "cognize" in a dictionary
some day. it's a real word. not made up or anything. unlike most of
the article.
"The smaller company often has ..."
"Through using open source solutions, ...."
good god - i take it all back. two whole paragraphs that i have nothing
to criticise. well done! throw away the rest of the article, just
leave those two paragraphs, and you'll have an informative readable
article. hurrah! well done BCS.
"The reality of open source security Open source has advantages and
disadvantages. The most widely used argument for not using open source
is the additional layer of security through obscurity a closed source
application provides."
you've clearly not actually read any free software source code, then,
and probably haven't read much source code _at all_. try looking at
fontforge's source code some day. i'm an experienced free software
developer, and i swear it would take me _months_ to remotely understand
how that code works, it's _that_ specialist.
but, joking aside: go get yourself a copy of hex-rays, run it on some
windows DLLs that you have the source code for, and then sit the
decompiled code side-by-side with the original. i think you'll be in
for a bit of a shock.
"This argument is slightly misleading."
what argument?
"An open source operating system contains many thousands of lines of
code, and the complexity of reading and understanding the entire open
source code and then spotting and exploiting vulnerabilities in the code
is an arduous task that is difficult and often requires highly
specialist knowledge."
oh for fuck's sake. since when is that something that's _exclusive_ to
free software? code complexity is due to users' constantly increasing
expectations of computing, and it's NOT exclusive to free software. at
least with free software, the discussions are invariably online, you can
see what's going on, go back in time, find things, and _help_ the
developers (if they want you to). you _certainly_ can't do that with
proprietary software.
but - i have an apology to make: i actually seem to be agreeing with you
about code complexity, and it would appear that you have actually read
some free software source code.
who you probably _haven't_ met is some of the people i know from ISS
X-Force Research (now IBM X-Force Research), who used SoftICE to decode
x86 assembler (before hex-rays existed) and who just discovered
vulnerabilities and flaws in software, directly from the assembler code.
you _don't_ need the source code to find vulnerabilities, and in fact it
actually often gets in the way, because the flaws such as buffer
overruns or stack overflows are to do with the language and/or the
compiler as much as they are to do with programming errors. and if you
don't know that, you're not a very good hacker (or security expert).
plus, why is this article making no mention of automated attacks and
randomisation? i wrote rpctorture ten years ago; it basically did a
network conversation up to a certain point and then started sending
random crap instead (or inserting or removing random data). it was
_great_ for detecting flaws, as it found things that a human could never
reproduce, by quite literally overwhelming a remote system under
analysis with possibilities.
such monte-carlo style testing _completely_ undermines this horse-shit
"security through obscurity is best" argument, because simply through
sheer overwhelming numbers, randomisation _will_ find that one bug that
you would never find by "manual" testing or by looking for years at the
source code.
monte-carlo testing basically levels the playing-field between free
software and proprietary systems. well... more like nukes it.
why in god's name has this person been allowed to write this article,
when even basic things like this aren't even mentioned??
"On top of that, when speaking to many open source users, penetration
testers and hackers, you could count on one hand the number that would
even be interested in reading and understanding such large applications.
They prefer to use the open source operating systems and the plethora of
tools that have already been written to test closed source applications.
It’s just that much easier."
i don't even understand why this paragraph is here, because... i don't
understand this paragraph. perhaps it contains some coded cypher.
perhaps it contains the key to unlocking the secret message in
nostradamus' prophecies. who knows. but anyway - i think this
paragraph translates as: "i know - let's take the average person in the
street, and let's take people with specialist skills, and let's ask them
if they'd like to spend their time learning completely different skills
that are of absolutely no interest to them. let's completely forget
about the people coming out of university who want a bit of a challenge,
who actually _decided_ to get a training in software development, and
are wondering how to keep themselves occupied whilst looking for a job.
let's completely forget about the google summer of code programme.
let's forget about all the intelligent people in the world (such as
myself) who excel at simply diving into massive random bits of source
code and becoming familiar with it in weeks (except for fontforge - i
reaallly don't get that code)". ok, enough with the sarcasm, i think
you get the point.
"Although the argument for security through obscurity is a powerful one,"
HAHAHAHAHAHAH ahHAHAHAa. i'm sorry, couldn't help it. laugh? i
nearly did.
"its significance is overplayed within the open source debate as a
serious attempt to find a system vulnerability begins with the attacker
writing a specific application to look for system vulnerabilities - a
tactic that works equally well on open and closed source systems."
hooray! why the bloody hell didn't you say that earlier? and why
insult the readers' intelligence by not mentioning the names of such
techniques, so that people like myself don't rip this article to shreds??
so, you go to alll the trouble of making "security through obscurity"
implicitly the main argument for favouring proprietary software, and
_then_ towards the end of the article, _then_ you say "actually,
security through obscurity isn't great"??? can i help you with that
medication at all, sir?
"Open source in business can offer organisations a significant advantage
and should not be overlooked because of concerns over security."
don't think of the pink elephant, don't think of the pink elephant!
err... _what_ concerns? the entire article reads like an implicit
attack on free software, only now i'm really confused.
"Although this is an important issue to any organisation, data and
system security can be equally or more secure with an open source system
than the alternative."
in other words, you're hedging your bets. you don't _actually_ have any
clue, or any real advice for people, and decided that it's best to come
up with an inconclusive conclusion. i thought conclusions were supposed
to... conclude? i could be wrong, i'm learning new things all the time,
especially here, wow.
"Both open and closed source systems have advantages and disadvantages.
Although security experts are unlikely to unanimously agree on the best
route for an organisation to take, it is critical that organisations
protect their most important asset, their data, regardless of which path
they take."
great! another paragraph i agree wholeheartedly with. it's such a
pity that the rest of the article gives me absolutely _no_ good advice
that i can make use of to make any decisions, one way or the other.
"Can open source be secure in business? Yes - but organisations should
not rush into an open source system without considering all of the other
issues that come as part of the package. Ultimately open source is a
moving target, closed source is a stationary target - both are targets
that need protecting."
you should have stopped at the previous paragraph. or maybe stepped out
to the beach for the day and allowed the deadline for submission of the
article to expire.
organisations should not rush into ANY software system without
considering all of the other issues that come as part of the package,
and you haven't really advised readers what those issues are. in fact,
you've misled them quite a lot, on an authoritative web site such as the
BCS, no less. oops.
Ultimately ALL software is a moving target for as long as users'
requirements change. humans change their minds. shit happens. the
world spins. it's just that you don't get to _see_ the process of
development behind "closed proprietary doors". should you somehow feel
"more comfortable" because you can't see what's going on?? read dilbert
for the best answer to that one.
ultimately, the development models are just... different - radically
different. free software is about returning to "software as a service"
as opposed to a "boxed product" mentality, where back-handed ways to
maintain monopolies, and obsolescence and _deliberate_ yes deliberate
early-release and deliberately installed bugs are the only way to
guarantee continued income.
these kinds of tactics are why i flatly refuse to use proprietary
software, except in absolute absolute specialist areas where there is
literally no alternative, and no way that "grass roots" would result in
a free software project beginning, let alone taking over. modelling in
3 dimensions of gas / molecular simulations, for very large companies
such as Boeing, so that they can do accurate jet engine simulations.
real-time engine management software where absolute safety and a 5-man
team doing line-by-line code reviews justifying and discussing
absolutely every single line of code is paramount. google's massively
distributed search engine. these are highly highly specialist software
tasks that take incredibly intelligent people _years_ to get right, and
you simply don't get the average kid out of university knocking together
something like that "for free".
although, FlightGear did knock even its proprietary commercial
competition off its perch, to the extent where the commercial
competition abandoned their own product, they submitted their data and
code as free software as a contribution to FlightGear and then started
selling and supporting FlightGear instead!
i have to confess: it's easier to knock somebody else's article than it
is to give you some concrete advice, especially unplanned at midnight,
but let me try to regurgitate something:
* the author is right in one respect: you DO need to think seriously
about what software you're going to deploy, and to properly plan ahead
for protection of assets. first by working out which assets are most
valuable - i.e. which ones earn you the most money. this is a
_business_ evaluation, not an "IT" evaluation. i have a friend who
specialises in this kind of analysis: he told me about one example
where, in a room full of servers, _one_ machine which was unmarked, not
backed up, and had _no_ redundancy of any kind, was responsible for 90%
of the company's revenue. the rest of the servers were horse-shit.
* for the _average_ business, free software such as Firefox, OpenOffice,
Apache, Ubuntu, PostgreSQL, MySQL and so on are _perfectly_ adequate
replacements for the proprietary alternatives, and it's only because the
proprietary software is "ingrained" into people's skulls that they
complain. anyone _not_ exposed to microsoft software, when put in front
of the free software alternatives, just "gets on with it".
* for _specialist_ tasks, it's a different story. there simply aren't
the overwhelming statistical numbers (million monkeys) to result in the
creation of specialist software as _free_ software. this doesn't mean
that you should deploy an _entirely_ proprietary software stack
throughout the entire business (baby, bath-water...). the key here is the
word "specialist". does your business _really_ need specialist software?
* for free software, you are immune from windows viruses. at a quarter
of a million new viruses per year and _exponentially rising_, the
microsoft monoculture is, like any biologist will be able to tell you,
imploding. get out while you still can is my best advice.
* for free software, the "diversity" which is sooo scary, actually
_protects_ against virus attacks. it's simply not possible to write a
virus which can simultaneously target 150 subtly different linux
distributions, when you don't even know if some of those systems are
going to be Intel x86 boxes or not: they could be increasingly MIPS or
ARM-based. if the processor is an ARM processor, it simply _cannot_ run
x86 code, and that's the end of it: any x86 virus is dead in the water
on an incompatible processor. but because you have access to the source
code, the application (firefox, openoffice etc.) can be compiled for
that processor, and it will just work, regardless of the CPU it's
running on. you cannot *get* microsoft windows 7 for ARM or MIPS (but
you can get Windows NT 3.5 from 20 years ago, or Windows CE! try
running your business on those!)
that's all i have time for - there is obviously more, but i'm not
getting paid to write this, so i will stop. if anyone would actually
_like_ to pay me for having written this, then great! look me up, i'm
easy to find.
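The "monte-carlo style" testing the comment describes (replay a valid conversation up to a point, then overwrite, insert or drop random bytes) is shown below as an added example. It is not rpctorture and not code from the original comment; the record format is a constructed toy, the unchecked parser is deliberately naive, and the bounds-checked parser beside it is what a maintainer would ship after the fuzzer finds the bug.

```python
import random

# Constructed toy message format (not rpctorture's wire format):
#   b"HELO" | count (1 byte) | count x ( length (1 byte) | payload )
SEED_MESSAGE = b"HELO" + bytes([2]) + bytes([3]) + b"abc" + bytes([2]) + b"xy"


def parse_naive(msg):
    """Trusts every count and length field; a mutated field walks off the end."""
    if msg[:4] != b"HELO":
        raise ValueError("bad magic")
    count, pos, records = msg[4], 5, []
    for _ in range(count):
        length = msg[pos]              # IndexError once pos runs past the data
        pos += 1
        records.append(bytes(msg[pos:pos + length]))
        pos += length
    return records


def parse_checked(msg):
    """Same format, but every field is bounds-checked and rejected cleanly."""
    if len(msg) < 5 or msg[:4] != b"HELO":
        raise ValueError("bad header")
    count, pos, records = msg[4], 5, []
    for _ in range(count):
        if pos >= len(msg):
            raise ValueError("truncated record header")
        length = msg[pos]
        pos += 1
        if pos + length > len(msg):
            raise ValueError("record length exceeds message")
        records.append(bytes(msg[pos:pos + length]))
        pos += length
    if pos != len(msg):
        raise ValueError("trailing bytes after last record")
    return records


def mutate(rng, seed_msg, max_mutations=3):
    """Keep the recorded message and overwrite, insert or drop a few bytes."""
    data = bytearray(seed_msg)
    for _ in range(rng.randint(1, max_mutations)):
        idx = rng.randrange(len(data))
        op = rng.choice(("overwrite", "insert", "delete"))
        if op == "overwrite":
            data[idx] = rng.randrange(256)
        elif op == "insert":
            data.insert(idx, rng.randrange(256))
        elif len(data) > 1:            # never shrink to an empty buffer
            del data[idx]
    return bytes(data)


def fuzz(parser, seed_msg, iterations=500, seed=1):
    """Return (input, exception) pairs where the parser failed with anything
    other than a deliberate ValueError rejection."""
    rng = random.Random(seed)          # fixed seed: every crash is reproducible
    crashes = []
    for _ in range(iterations):
        sample = mutate(rng, seed_msg)
        try:
            parser(sample)
        except ValueError:
            pass                       # graceful rejection is the goal
        except Exception as exc:       # anything else is a bug to fix first
            crashes.append((sample, repr(exc)))
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("checked", parse_checked)):
        found = fuzz(parser, SEED_MESSAGE)
        print(f"{name}: {len(found)} unexpected exceptions in 500 inputs")
        if found:
            print("  first reproducer:", found[0][0].hex(), found[0][1])
```

Because the generator is seeded, each crashing input the naive parser produces can be replayed against the checked parser to confirm the fix, which is the check a maintainer would keep in CI.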