How much of a problem is security updating for open source software going to be in 2009?
On Jan. 1, Dana Blankenhorn published the sensationally titled The biggest threat to open source in 2009.
His thesis is simple: that, because open source software usually lacks any mechanisms for easily updating to the latest security patched version, the growing popularity of open source software will render it more vulnerable to problems than its closed source counterparts.
As a lead-in to his main point, he said:
There is no longer any doubt that hackers and malware writers are going after open source projects as they once went after Windows. Vulnerabilities are being found, discovered, created, exchanged.
There seems to be a common malady amongst opinionated tech writers--that of never quite getting it when it comes to the fundamental principles of security. A particular favorite for being ignored is that of security through obscurity.
Many many moons ago, I wrote what I think is a decent treatment of the subject as it applies to open source software, Security through visibility. While it makes a pretty strong case for ignoring the bleatings of "popularity is insecurity" doomsayers, it's really only the first step toward full understanding of all the problems with the assumption that the only thing "secure" about open source software is obscurity.
Obviously, based on his start to the article, I was already expecting very little in the way of useful information. His next statement left me even more mystified at what appeared to be a towering edifice of ignorance, however. Specifically, he said:
The best protection against vulnerabilities is to keep software updated, but most open source lacks update services. That's one part of the Windows license that is worth paying for, and there does not seem to be an open source equivalent.
As a long-time user of open source operating systems, previously favoring Debian GNU/Linux, and subsequently moving on to FreeBSD, I was stunned to see this in writing, published for all the world to see. Was he serious? Could he really believe that?
One of the most visible wins for open source Unix-like OSes, once one has learned a fair bit about them, is the casual availability of superior software management systems. Ive written a brief primer for effective use of APT for TechRepublic, Efficient software management with the Advanced Package Tool in Debian. Ive also addressed the excellence of a security tool integrated with FreeBSDs ports system, How FreeBSD makes vulnerability auditing easy: portaudit. Both of these articles illustrate some of the significant benefits of better software management systems than offered by MS Windows.
Perhaps even more relevant to Danas point is the fact that, on open source Unix-like OSes (but not on MS Windows), the software management system typically manages security updates for far more than just the core OS and a couple of applications created by the same vendor. Such Unix-like OSes software management systems tend to provide security update management for literally thousands of software packages originating outside the core OS project itself--in some cases, tens of thousands.
Then, his next statement clarified his meaning:
An exception is Firefox...But how many take advantage of this? And how tied is Firefox to updating for security purposes? Remember were talking about pushing updates, not asking users to pull them.
Suddenly, it all became clear. In Dana Blankenhorns mind, "open source software" refers only to the handful of popular open source applications that are regularly used on MS Windows systems. I find it interesting that the only example of an open source application he offers is an exception to his rule, however.
Where are all the legions of open source applications that dont provide easy software updates? Whose fault is it that MS Windows doesn't have a software management system that can help ease the process of applying security patches for these applications the way open source OSes do? Where are the examples of closed source applications that provide such update management as he describes, where the MS Windows compatible open source alternative does not--thus justifying his singling out of open source software as somehow more notably vulnerable?
Perhaps the worst part of the inaccuracies of the article is the fact that its clear assumptions (that all software worth discussing is MS Windows-centric, for instance) for those of us who know better are opaque to those who do not.
A manager with little or no experience of OSes outside of MS Windows may read this article and come away with the assumption that open source OSes completely lack software management systems. As a result, he or she may scupper any potential plans to deploy open source Unix-like systems in the network. So much for "the best tool for the job"; such decisions are often difficult to make well even when you aren't hampered by wrong-headed ideas like those Dana's article might inspire.
He does make a good point about corporate culture, though:
But until this ramps up (hopefully in a competitive market), enterprise managers have an easy way to say "no" to open source.
Regardless of how dangerous this is, the fact that managers feel it's dangerous makes it so.
Too bad some of those managers might "feel" its dangerous specifically because of his own article.
I'd clarify that to say that managers feeling its dangerous doesn't actually make it so--but it does make it so for all intents and purposes in the corporate environment, when it comes to technology implementation decisions. When the higher-up says "I think the closed source software offering is better, because I have these concerns about the open source software alternative", his or her subordinate (and perhaps more technically inclined) IT worker will eventually reach a point where he or she must either make decisions limited by the managers fears or polish his resume. Take it from someone who knows from personal experience.
On one hand, I'm inclined to be dismayed by this common bureaucratic failure of corporate culture, and feel the urge to rail against it. After all, security is everybody's problem; it's not just a problem for "that guy over there". Your problem, to a significant extent, becomes my problem when you connect to the Internet.
On the other hand, knowing something about security that others don't provides something of a competitive advantage. Where competitors may stumble and fall, the organization with a knowledgeable IT department will remain stable and secure, and prosper where others have failed.
Tuesday, February 3, 2009
First look - Internet Explorer 8 RC1
On 26th January Microsoft made available Internet Explorer 8 RC1 (release candidate 1), which means that as far as Microsoft is concerned, IE8 is cooked and that barring anything major, this will become the final release. So, what’s the new browser like? A new release of IE is always important because this is the browser that many millions of Windows users will be surfing the web with daily. Like it or not, by the very fact that IE is knitted into every Windows installation makes this an important event.
After what seemed like years of stagnation, Microsoft is continuing the tradition of kitting out IE8 with features that users of other browsers take for granted. That said, there are very nice features built into IE8, which include:
Smart Address BarThe address bar isn’t now just a place to type URLs into. The Smart Address bar in IE8 tries to make sense of what the user is looking for by retrieving sites visited from the history and bookmarks. This is handy for those times when you want to find something but can’t remember where you saw it.
Enhanced findSometimes it’s not finding the site that’s difficult, but finding where on the page you need to look for the information that you are after. IE8 offers a broad range of enhanced and improved tools to help you spot the information you are after. One such example if this is result highlighting.
Tab groupsWhen one tab is opened from another one, the new tab is placed next to the one from which it was opened, and both are marked with a colored tab. This is a good way to keep track of your open tabs.
InPrivateAlong with keeping track of stuff that you might later want to refer back to, IE8 also gives you powerful tools that allow the browser to have temporary amnesia in relation to the sites you’ve visited by temporarily halting the writing of information to the cache and history.
Crash recoveryIf your IE locks up of crashes while you’ve a shed-load of tabs open, with IE8 there’s a good chance that when you fire up the browser again that it will remember what what sites you had open and fire them up again. It can also reload information that you had typed into forms.
Your current favorite browser ... (Public view)
Firefox (52%)
Internet Explorer (32%)
Chrome (8%)
Opera (4%)
Safari (2%)
Other (2%)
After what seemed like years of stagnation, Microsoft is continuing the tradition of kitting out IE8 with features that users of other browsers take for granted. That said, there are very nice features built into IE8, which include:
Smart Address BarThe address bar isn’t now just a place to type URLs into. The Smart Address bar in IE8 tries to make sense of what the user is looking for by retrieving sites visited from the history and bookmarks. This is handy for those times when you want to find something but can’t remember where you saw it.
Enhanced findSometimes it’s not finding the site that’s difficult, but finding where on the page you need to look for the information that you are after. IE8 offers a broad range of enhanced and improved tools to help you spot the information you are after. One such example if this is result highlighting.
Tab groupsWhen one tab is opened from another one, the new tab is placed next to the one from which it was opened, and both are marked with a colored tab. This is a good way to keep track of your open tabs.
InPrivateAlong with keeping track of stuff that you might later want to refer back to, IE8 also gives you powerful tools that allow the browser to have temporary amnesia in relation to the sites you’ve visited by temporarily halting the writing of information to the cache and history.
Crash recoveryIf your IE locks up of crashes while you’ve a shed-load of tabs open, with IE8 there’s a good chance that when you fire up the browser again that it will remember what what sites you had open and fire them up again. It can also reload information that you had typed into forms.
Your current favorite browser ... (Public view)
Firefox (52%)
Internet Explorer (32%)
Chrome (8%)
Opera (4%)
Safari (2%)
Other (2%)
Subscribe to:
Posts (Atom)