Admin
Same thing happens where I am. They'd rather spend $30,000 on a system than use an equivalent open-source product. Then they spend another wad of cash on a support contract. The face, the palm, the me shutting up and getting back to work.
Admin
Nobody yet mentioned the parallel to the Wooden Table Approach. And voila, I seem to recognize a wooden deck involved in the setup!
Admin
TRWTF is not turning that meeting into the exit interview immediately upon being threatened with termination.
Admin
I sort of also think that some people think that Open Source means anyone can modify the copy you have or something. Have to keep in mind 2 things about managers:
Admin
there's a lot of "why do IT Sec people always think Open Source is (more) insecure (than proprietary software)?"
The answer is simple - IT Security people are too often hired for their ability to come up with complex password rules, and experience shutting down massive systems in an attempt to keep everyone out. They are (generally) NON-TECHNICAL. They are good at POLICY and that is all.
This is how IT Security decisions on Open Source are made: We need a policy on open source. I once read an article on some random blog about the dangers of some Open Source product. This had a big discussion in some forum I once visited, and although I didn't actually read all of it, skimming over it I noticed there were people commenting who claimed years of experience in security.
Some of them seemed to endorse the idea that some elements of Open Source might be problematic. Open Source is evil, so our policy will say it's not allowed. At All.
QED.
Admin
Oh, right, because she's going to read the source code of the open source software and determine how secure it is.
She should have just made an S-corp, downloaded the software and sold it back to the company.
Admin
All security is through obscurity. A key is literally a secret, typically not so convoluted as poorly written code, but there's no mathematical reason why a crypto algorithm couldn't be based on poetry or interpretive dance.
And whether or not my security systems are well written, it's still additional work for an attacker to reverse engineer them over simply reading the source. And in a non-trivial system, the security features will have weaknesses and you are somewhat better off if you can avoid advertising them.
That said... popular open source projects do benefit from third parties reviewing their code, and though it doesn't happen nearly as often as people think, in practice that process seems to outweigh the benefits of hiding the source. And even if you're not a security professional, if you can read source, a quick perusal can tell you if it's just complete crap and if it doesn't seem to be buggy as shit it's probably not too, too bad.
Admin
For six years, closed-source Borland Interbase* had a backdoor account in it. It took six months to find it after they threw the code into open source. If no blackhat decompiled the code and found «if account = "bob" and password = "bob" then valid_account_found();», it's because none of them really tried.
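One defensive takeaway from the Interbase story, as an added example (not code from this page or from Interbase): a heuristic scan of source text for credential-looking identifiers compared against, or assigned, a string literal. The identifier list, the sample source and the function name are constructed for illustration.

```python
import re

# Heuristic scanner for hard-coded credential checks of the kind quoted above
# (if account = "bob" and password = "bob").  Added example, not Interbase
# code; the identifier list and the sample source are constructed.
CRED = r"(?:user(?:name)?|account|login|pass(?:word|wd)?|secret|token|pin)"
IDENT = r"(?P<name>[A-Za-z_]*" + CRED + r"[A-Za-z_0-9]*)"
LITERAL = r"(?P<q>['\"])(?P<value>[^'\"]+)(?P=q)"  # non-empty string literal

PATTERNS = [
    # account = "bob" / password == 'bob' / token === "x": Pascal and SQL '=',
    # C-family '==' and JavaScript '==='.  A plain assignment of a literal is
    # reported too (a hard-coded secret); '!=' is not matched because '!' is
    # neither whitespace nor '='.  An empty literal ("") is ignored.
    re.compile(r"\b" + IDENT + r"\s*={1,3}\s*" + LITERAL, re.IGNORECASE),
    # strcmp(user, "admin"), strncmp(...), strcasecmp(...), strncasecmp(...)
    re.compile(r"\b(?:strn?case|strn?)cmp\s*\(\s*" + IDENT + r"\s*,\s*" + LITERAL,
               re.IGNORECASE),
    # passwd.equals("letmein")  (Java / C# style)
    re.compile(r"\b" + IDENT + r"\s*\.\s*equals\s*\(\s*" + LITERAL, re.IGNORECASE),
]


def find_hardcoded_credentials(source: str):
    """Return (line_no, identifier, literal) for each suspicious check,
    ordered by line and then by column."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hits = []
        for pat in PATTERNS:
            hits.extend((m.start(), m.group("name"), m.group("value"))
                        for m in pat.finditer(line))
        for _, name, value in sorted(hits):
            findings.append((lineno, name, value))
    return findings


# Constructed sample source mixing several syntaxes; only lines 1, 2, 4 and 5
# contain a literal credential check.
SAMPLE_SOURCE = """\
if account = "bob" and password = "bob" then valid_account_found();
if (strcmp(user, "admin") == 0) grant_all();
password = ""
if (token == 'deadbeef') { ok = 1; }
if (passwd.equals("letmein")) return true;
username = getenv("APP_USER")
"""

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} compared/assigned to literal {value!r}")
```

A scanner like this is a triage aid, not a proof of absence: it only catches literal comparisons, so a credential hidden behind an obfuscated constant or a hash compare needs a code review.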
Admin
Ugh. Been there. Done that. Only in our case, it wasn't the boss. It wasn't even someone with authority to do anything. It was just some idiot from another campus kicking up a stink and accusing us of having pirated Linux (there was no invoice, therefore no license was his logic).
We decided to ignore the idiot and keep using it. Pretty sure our boss went to his boss over it too and told him to never contact our campus directly again... I certainly never heard from them again, anyway.
Admin
I've seen plenty of WTF's in my life but this sir, this is ...
THE MOTHER OF ALL WTF's
Admin
Yes, on a very technical level you are right, it's all obscurity.
Yes a key is literally a secret, but it's pretty fatuous to consider the obscurity of a key in a proper security system to be equivalent to the obscurity of some convoluted (and probably badly conceived and written) code.
Some (i.e. almost all proper) security software relies on mathematically intractable problems which are WELL KNOWN. Their security works despite this.
The algorithms are NOT obscure.
Knowing anything about those algorithms doesn't actually help you crack them (unless mistakes were made in implementation).
Sure, the KEY is obscure, but it is simple arbitrary data... there is no rhyme nor reason to a key, it simply is what it is, and crucially still works within a publicly documented system.
That kind of obscurity is in no way similar to having a system of just semi-random code that is confusingly difficult to navigate (but not mathematically intractable). If you get hold of the code (which may or may not be easy), such a system becomes trivial to crack (though a little time consuming to navigate all the spaghetti).
So, sure... the key is obscure, but you simply cannot compare the two systems and say "oh, they're both just security via obscurity" because to do so is to willfully misrepresent the critical differences between the technologies.
Admin
I thought you were just farting personally. Rude, but hey, it's natural, shit happens.
Admin
Fake, joke, blaah and booo
Admin
And continuing to be horridly underpaid. I worked at a company that loved buying overpriced toys but not paying its employees. It was fun for a few months having a $4000 workstation on my desk for simple Windows programming work. Soon I realized that I would be much happier making a real salary.
Admin
And if you get hold of the key, your cryptographic system becomes trivial to crack, too.
I'm not saying there aren't good reasons which support Kerckhoffs's Principle, but that ain't one of them.
Admin
Or he's a manager and he meant "allot"
Admin
Well, I think the real difference is this: The same security software is used by many, many people. If someone buys (or steals) a copy of the software and finds a security hole, he can then exploit that hole on any computer he can reach that is running the same software.
A password or private key is known only to you. The whole point of a password is that you DON'T share it with anyone else. So if someone discovers the password on computer A, that doesn't help them break into computer B.
Well, that's the goal. Whether a particular algorithm achieves that goal is another question. You may think that your algorithm is secure and unbreakable but then someone figures out a way to beat it.
Admin
Hmmm, I sent this picture without this novel. The real story behind it is that an engineer wanted to find a fast glitch in one of the parameters displayed, but the logs are recorded every second. So with the help of the camera (recording at 25 frames per second from a 60 Hz monitor) he was trying to capture it.
Admin
You don't necessarily know that nobody found it for six years; only that nobody reported it....
Admin
Let's think of some reasons the optimistic view of Open Source might not be the best choice:
Having an OSL does not make code more secure. Yes, people can see security holes, but they may not care, or actually may hope to create and/or exploit them. Some "Open Source" projects have little or no barriers to commit, and the quality really shows. Some would probably need to be completely rewritten to reach the Microsoft (i.e. bare minimum) level of security.
Then there's another scenario. Say your vendor uses Open Source to reduce costs, and for their next release pulls in something with some stealth GPL code. No one notices until your system is deployed, and then some Assange-iot sues your vendor for specific performance to expose the entire secure-through-obscure code base for all your competitors and enemies to see.
So, when one of our business units decided to eliminate all Open Source from their product, it was one of many sound business decisions, because the day was coming where no one in their industry was going to buy anything with these unpredictable liabilities.
So, yes, be amazed at how foolish those security droids are, as you light your natural gas stove, and the next time you drive over a towering bridge.
Admin
Say your vendor takes some code it does not have the rights to, say some Windows code they reverse engineered. The exact same situation will occur.
Admin
If your vendor infringes upon a closed source copyright, the last thing the owner will ask for is public disclosure of the offending source code.
If your vendor infringes upon an open source copyright, this is the first thing that will be demanded. And, if the vendor has certified "no open source", they have now defrauded their customers, too.
That, in a nutshell, is the difference between Open and Closed source.
Admin
I'm in favor of using open source software for security BUT I can see a reason in this case that open source might be a bad thing:
In theory, an employee of the company could modify and recompile the open source software to remove the security and gain access that way. Potentially a disgruntled employee sabotage thing. Perhaps.
Admin
Indeed, the turnaround for security vulnerability fixes in open source is typically much shorter than for proprietary software. Never mind the bosses that think closed source is more secure because the source is withheld; proprietary vendors consider their software secure if the person that discovered a serious vulnerability doesn't disclose it to anyone else.
Not only are there more eyes looking at popular open source code, but there's also freedom to improve it without the limitations that a profit-seeking entity enforces. ANYBODY can fix open source. Only a select few can fix closed source, and only if it appeals to the business' bottom line. Open source developers are also more forthcoming with vulnerabilities. They're more likely to warn the users about it, whereas a proprietary vendor is more likely to sweep it under the rug and feign ignorance.
Admin
Security through... insanity?
Admin
That security guy doesn't seem smart, so changing the shortcut's icon and name would probably do. If not, you can always replace the icon inside the binary with a resource hacking program, or recompile it (Hey, open source!) with a different name. Bam, you're the only owner of the only copy of a closed open source program! And you can still get some updates!
Admin
"we can’t rely on open source software for protection"
File under the same category as "Java is too slow".