
Trend Micro Chairman Says Open Source Is a Security Risk

dkd903 writes "Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software is inherently less secure than closed source. When talking about the security of smartphones, Chang claimed that the iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture." This comes a week after Trend Micro released a mobile security app for Android.
  • by WiglyWorm ( 1139035 ) on Friday January 14, 2011 @10:29AM (#34877076) Homepage
    Just some FUD to sell an app.
  • indeed (Score:3, Insightful)

    by chichilalescu ( 1647065 ) on Friday January 14, 2011 @10:30AM (#34877094) Homepage Journal

    People are less secure because attackers know that hitting them on the head with a rock will kill them. That's why there should be no biology taught in school, right?

  • by EXTomar ( 78739 ) on Friday January 14, 2011 @10:35AM (#34877154)

    It doesn't matter if one person or everyone in the world knows the underlying architecture. If the underlying architecture is junk then the problem is the underlying architecture instead of if it is closed or open source.

  • by dintech ( 998802 ) on Friday January 14, 2011 @10:37AM (#34877174)

    It's scary that someone of his seniority in the computer security business would be pushing 'security through obscurity'. Doesn't he have access to Google? The only fear, uncertainty and doubt I have is about Trend Micro.

  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Friday January 14, 2011 @10:37AM (#34877178) Homepage Journal

    That's nice. Of course, I tend to associate Internet security firms with SEO consultants, astrologers, and anyone else who makes a living off fear and ignorance.

  • HaHa it's LART time (Score:4, Insightful)

    by EasyTarget ( 43516 ) on Friday January 14, 2011 @10:37AM (#34877182) Journal

    @Mr Chang...

    Repeat after me.. security through secrecy only works while your secret is, err, secret..

    Now; how many engineers have worked on the iOS platform again? Will they all keep its secrets? Can you guarantee that? Do you realise that by keeping it secret Apple are also restricting the number of white hats that can notify them of security problems before they get exploited?

    In modern business it seems the more someone is paid, the more drivel they spout.

  • Re:indeed (Score:5, Insightful)

    by Dunbal ( 464142 ) * on Friday January 14, 2011 @10:39AM (#34877216)

    And also rocks should be banned.

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday January 14, 2011 @10:40AM (#34877232) Journal
    If I had spent years building AV software to paper over Windows' flaws, I'd probably have given up on technical correctness as well...
  • by Latent Heat ( 558884 ) on Friday January 14, 2011 @10:41AM (#34877262)
    So some suit is claiming Android is less secure because it is open in some sense. A suit makes some claim and the sun also rises in the east.

    "This comes a week after Trend Micro released a mobility security app for Android."

    Oooooooohhh. Trend Micro wants us to worry about security and then sell us a security app.

    Slashdot is News for Nerds: the OPs are supposed to be news whereas the editorializing is supposed to take place in the comments sections. There is a trend around here that the OPs render their opinions now.

    I say to the OPs, cut out the snark and leave the snark to those of us in the Peanut Gallery. If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.

  • by WiglyWorm ( 1139035 ) on Friday January 14, 2011 @10:51AM (#34877386) Homepage
    I take this as full disclosure, not editorializing.
  • by Spad ( 470073 ) <`slashdot' `at' `spad.co.uk'> on Friday January 14, 2011 @11:03AM (#34877554) Homepage

    Linux can't fix stupid; there'd still be call for Trend Micro's services.

  • by nahdude812 ( 88157 ) * on Friday January 14, 2011 @11:05AM (#34877568) Homepage

    He's not pushing security through obscurity. He's pushing fear plus "security through giving us your money." His claim is a clear conflict of interest.

    Did you know dangerous radio waves are passing through your brain every minute? Buy my special tinfoil hat to protect yourself!

  • by Eraesr ( 1629799 ) on Friday January 14, 2011 @11:09AM (#34877628) Homepage

    His claim is a clear conflict of interest.

    Not at all, really. His claim clearly lines up with his interests. He wants you to buy his Android security app, so he'll claim that Android is really insecure.

  • Re:Feh (Score:5, Insightful)

    by Opportunist ( 166417 ) on Friday January 14, 2011 @11:33AM (#34878042)

    Wrong approach. It took me a while to wrap my mind around the mindset of the execs, but their reasoning seems to follow two logics when it comes to software:

    1. If it doesn't cost anything, it can't be worth anything.
    2. If there is no company behind it, we can't sue anyone if it fails.

    It's near impossible to show them that 1 is untrue and that 2 is a wet dream at best.

  • by mcgrew ( 92797 ) * on Friday January 14, 2011 @11:40AM (#34878160) Homepage Journal

    Indeed. But think about it -- his business depends on insecure software, and the fewer people who use Windows and closed source apps, the better for his business.

    Businessmen are more and more becoming bald-faced liars, and it's been going on for some time. He surely knows that "security through obscurity" is a falsehood, but if you have no morals or ethics you have no reason to tell the truth. I'm reminded of DS9 characters; the two characters that most resemble today's businesspeople are bar owner Quark and his Ferengi "rules of acquisition" and clothing store owner Garak, whose motto was "Never tell the truth when a lie will do".

    If open source is less secure, then why don't I need Trend Micro's bullshit AV on my Linux box?

  • Re:Misguided (Score:4, Insightful)

    by mlts ( 1038732 ) * on Friday January 14, 2011 @11:46AM (#34878288)

    In the 1990s, there were a lot of people who made their own encryption algorithms, of course they were "secret" for their own encryption products. Not surprisingly, a lot of them were just using rand() with the password the user types in as the seed for srand() and then XOR-ing the data. To the casual user, random cyphertext is random cyphertext. However, it doesn't take long to spin through 65536 possibilities for a seed.

    Of course, we had Clipper/Skipjack. I'd dread what life would be like if we had to trust the encryption on that chip (without knowing anything about the algorithm), and never mind who had access to the LEAF fields. Probably most of the /. readers would have found a way to zero out the LEAF fields so the key couldn't be pulled out of escrow.

    I'm just glad we have decent, open cryptographic standards. If a product doesn't use AES with a good implementation other than ECB, find something that does. RSA and SHA1 are not perfect, but so far, they have been secure.
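
The weakness described in the comment above, as an added example (not code from the original poster): a rand()/srand() XOR "cipher" whose 16-bit seed falls to exhaustive search once a message prefix is known. The password-to-seed fold, the function names, the password and the sample message are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed password-to-seed fold: the comment only says the password seeds
   srand(); a 16-bit result matches its figure of 65536 possible seeds. */
static unsigned seed_from_password(const char *pw)
{
    unsigned s = 0;
    while (*pw)
        s = (s * 31u + (unsigned char)*pw++) & 0xFFFFu;
    return s;
}

/* XOR is its own inverse, so this both encrypts and decrypts. */
static void xor_stream(unsigned seed, const unsigned char *in,
                       unsigned char *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (unsigned char)(rand() & 0xFF);
}

/* Try every seed and accept the first whose output starts with `known`.
   Returns the seed, or -1 if no seed matches. */
static long search_seed(const unsigned char *ct, size_t n,
                        const char *known, unsigned char *out)
{
    size_t k = strlen(known);
    unsigned s;
    if (k > n) return -1;
    for (s = 0; s <= 0xFFFFu; s++) {
        xor_stream(s, ct, out, n);
        if (memcmp(out, known, k) == 0)
            return (long)s;
    }
    return -1;
}

int main(void)
{
    const char *msg = "Subject: payroll figures for Q3"; /* constructed sample */
    unsigned char ct[64], pt[64];
    size_t n = strlen(msg);
    xor_stream(seed_from_password("correct horse"), (const unsigned char *)msg, ct, n);
    long s = search_seed(ct, n, "Subject: ", pt);
    printf("seed %ld found within 65536 trials: %.*s\n", s, (int)n, (char *)pt);
    return s < 0;
}
```

However long the password is, the effective key is the seed, so the work factor is bounded by the seed space rather than by the password.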

  • Re:He's right (Score:4, Insightful)

    by erroneus ( 253617 ) on Friday January 14, 2011 @11:55AM (#34878496) Homepage

    We get your Stephen Colbert style reverse psychology message. Unfortunately, it is still an uphill battle for people to divest themselves of their misconceptions and asshats like this chairman of a highly visible commercial vendor of security (yes, I said "vendor of security" because people think they can BUY security rather than practice it... just like we can buy a healthy body rather than eat better and exercise.) reinforcing these misconceptions is unhelpful.

    Still, they can't stop the inevitable. World politics are causing the rest of the world to mistrust U.S. government and especially U.S. businesses whose interests the U.S. government is most often serving and acting on behalf of. So, there is a continuous growth in activities by governments outside of the U.S. interested in migrating to F/OSS operating systems and applications software. Foreign business is also moving in this direction.

    What we are witnessing is a "slow burning bridge" and it is uncertain if this has yet progressed beyond a point of no return, but F/OSS has already reached a point of acceptance that it is no longer to be considered "fringe" and "non-mainstream."

  • Have some F about Trend Micro, but don't have any U or D - TM is one of the worst AV programs I've seen in action.

    Back around 2003, the corporate parent of my little used-to-be-locally-owned business set up a "19th hole" deal with TM. We were told to use TM as our sole AV in our local branch, as we now had a corporate-wide license. We refused, and were told that our AV must then come out of our own IT budget. Fair enough.

    Why did we refuse TM? For one, the version we were given at that time had to be installed by hand on every machine. Corporate IT actually went through their thousands of machines and installed the damn thing. Probably using interns, as it wouldn't have been cost effective to have actual IT do that work, despite their sweetheart deal with TM. With an IT staff of 3, only one of which was on desktop support, we didn't feel that it was worth a hand-install on 150 or so machines. Especially since almost everything about TM sucked.

    So we shelled out for Norton Corporate, set up a beefy desktop as a dedicated AV server, and pushed the client to all the local machines. 15 minutes of visual inspection plus the help of the rest of the employees found the dozen or so that didn't install properly, and those were dealt with by hand.

    A few months later, corporate got slammed with some hellacious worm. TM didn't pick it up at all. In the least. While it spread like wildfire from one of our local corporate goons' laptops onto our systems, Norton at least disarmed all the tens of thousands of copies it placed throughout most of our file systems. (The bastard was doing auditing, and had access to just about everything.)

    Corporate was unable to deal with the worm for a few days - we firewalled them off, cleaned up the mess, and got on with life before their IT was able to send us instructions on how to deal with it, and how to fix TM, which it had destroyed in the process. (Yes, every machine by hand, once again.)

    So long ramble short - don't listen to TM. Ever.
  • by Anonymous Coward on Friday January 14, 2011 @01:03PM (#34879542)

    Wait... Windows is closed source... Trend's bread and butter. OS X is based on the open source Darwin system. iOS is based on it too....

    So, is Trend saying that Windows is inherently more secure than OS X and iOS? Does this mean that the platforms Trend supports are already more secure than the ones they don't support? I'm confused.
