Trend Micro Chairman Says Open Source Is a Security Risk 258
dkd903 writes "Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software is inherently less secure than closed source. When talking about the security of smartphones, Chang claimed that the iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."
This comes a week after Trend Micro released a mobile security app for Android.
Security through obscurity doesn't work (Score:5, Insightful)
Re:Security through obscurity doesn't work (Score:5, Insightful)
It's scary that someone of his seniority in the computer security business would be pushing 'security through obscurity'. Doesn't he have access to Google? The only fear uncertainty and doubt I have is about Trend Micro.
Re:Security through obscurity doesn't work (Score:5, Insightful)
Re:Security through obscurity doesn't work (Score:5, Insightful)
He's not pushing security through obscurity. He's pushing fear plus "security through giving us your money." His claim is a clear conflict of interest.
Did you know dangerous radio waves are passing through your brain every minute? Buy my special tinfoil hat to protect yourself!
Re:Security through obscurity doesn't work (Score:5, Insightful)
His claim is a clear conflict of interest.
Not at all, really. His claim clearly lines up with his interests. He wants you to buy his Android security app, so he'll claim that Android is really insecure.
Re: (Score:2, Informative)
Re: (Score:2)
He probably knows his customers' profile quite well by now, and new yachts are soooo expensive.
Re: (Score:2)
Never mind his tinfoil hats, buy my tyrannosaurus-repelling rocks!
Re: (Score:3)
There's one sneaking up behind you. No he moved just when you turned, now he's on the other side. He's going to get you! Run! The rock does nothing!
Re: (Score:2)
Someone should remind this guy about the availability of fuzzing tools, and their effectiveness in finding bugs that might be exploitable.
http://it.slashdot.org/tag/fuzzing [slashdot.org]
Re:Security through obscurity doesn't work (Score:4, Insightful)
Indeed. But think about it -- his business depends on insecure software, and the fewer people who use Windows and closed source apps, the better for his business.
Businessmen are more and more becoming bald-faced liars, and it's been going on for some time. He surely knows that "security through obscurity" is a falsehood, but if you have no morals or ethics you have no reason to tell the truth. I'm reminded of DS9 characters; the two characters that most resemble today's businesspeople are bar owner Quark and his Ferengi "rules of acquisition" and clothing store owner Garak, whose motto was "Never tell the truth when a lie will do".
If open source is less secure, then why don't I need Trend Micro's bullshit AV on my Linux box?
Re:Security through obscurity doesn't work (Score:5, Insightful)
Back around 2003, the corporate parent of my little used-to-be-locally-owned business set up a "19th hole" deal with TM. We were told to use TM as our sole AV in our local branch, as we now had a corporate-wide license. We refused, and were told that our AV must then come out of our own IT budget. Fair enough.
Why did we refuse TM? For one, the version we were given at that time had to be installed by hand on every machine. Corporate IT actually went through their thousands of machine and installed the damn thing. Probably using interns, as it wouldn't have been cost effective to have actual IT do that work, despite their sweetheart deal with TM. With an IT staff of 3, only one of which was on desktop support, we didn't feel that it was worth a hand-install on 150 or so machines. Especially since almost everything about TM sucked.
So we shelled out for Norton Corporate, set up a beefy desktop as a dedicated AV server, and pushed the client to all the local machines. 15 minutes of visual inspection plus the help of the rest of the employees found the dozen or so that didn't install properly, and those were dealt with by hand.
A few months later, corporate got slammed with some hellacious worm. TM didn't pick it up at all. In the least. While it spread like wildfire from one of our local corporate goons' laptops onto our systems, Norton at least disarmed all the tens of thousands of copies it placed throughout most of our file systems. (The bastard was doing auditing, and had access to just about everything.)
Corporate was unable to deal with the worm for a few days - we firewalled them off, cleaned up the mess, and got on with life before their IT was able to send us instructions on how to deal with it, and how to fix TM, which it had destroyed in the process. (Yes, every machine by hand, once again.)
So long ramble short - don't listen to TM. Ever.
Re:Security through obscurity doesn't work (Score:5, Interesting)
Don't forget that the bad guys end up with the source code while the white hats don't get it. Take a look at Windows. The Chinese intel services have the source for it. Russia does too. However, people who need and rely the protection of the OS do not get the source code.
So, the blackhats already have a leg up because they can clear-box their exploits. The whitehats have to keep disassembling stuff in order to have any hope whatsoever.
Because MS doesn't trust people with the source code of their products, how can people trust them?
Re: (Score:2)
He is technically-correct: Open source lets dishonest people search for flaws to exploit. BUT he overlooks that closed-source companies like Microsoft are slow to fix problems (often going years before fixing known bugs), so they are oftentimes Less safe than open source, due to inertia.
Open Source also lets honest people search for flaws to exploit. and when they find them does not punish them for the effrontery of disclosing them.
Re: (Score:3, Informative)
>>>Open Source does not punish them for the effrontery of disclosing them.
Punish them? What you say?
Like this [zdnet.com.au]
Re: (Score:2)
except possibly OS 10.x by Apple who fix bugs at a rapid rate.
Really? I read they've had a known bug in the IPv6 implementation for years now. Maybe they're faster with security updates?
Can Slashdot OP's cut the snark? (Score:4, Insightful)
"This comes a week after Trend Micro released a mobility security app for Android."
Oooooooohhh. Trend Micro wants us to worry about security and then sell us a security app.
Slashdot is News for Nerds: the OP's are supposed to be news whereas the editorializing is supposed to take place in the comments sections. There is a trend around here that the OP's render their opinions now.
I say to the OP's, cut out the snark and leave the snark to those of us in the Peanut Gallery. If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.
Re:Can Slashdot OP's cut the snark? (Score:5, Insightful)
Re: (Score:2)
If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.
Are you really and truly complaining about there being more information in the summary? Thanks for helping make Slashdot grate.
Re: (Score:2)
Re: (Score:2)
It's even questionable whether MacOS is BSD-Darwin at this point. Strange how the company with the second largest market cap on the planet did so on the shoulders of arguable open source microkernels.
Re: (Score:3, Funny)
Define source..
Inside iOS are millions of midi-chlorians which, oh wait, that's something else...
Re: (Score:2)
iOS may be Vader some day later but now it's just a small fry?
Re: (Score:2)
Re: (Score:3, Funny)
Hopefully they dont read this and declare me a virus though!
Re:Security through obscurity doesn't work (Score:5, Interesting)
It's not all FUD... open source is actually a security risk... for mr. Chang's wallet.
Remember the lawsuit against clamav [google.com]? And of course, there's the fact that if everyone ditched windows for an open source OS, trend micro wouldn't have many customers anymore.
Re:Security through obscurity doesn't work (Score:4, Insightful)
Linux can't fix stupid; there'd still be call for Trend Micro's services.
Re:Security through obscurity doesn't work (Score:5, Informative)
If people dumped Windows for open source, there will still be a large market for AV utilities, for legal reasons.
There are a lot of companies where I had to spec out antivirus solutions for AIX, Solaris, RedHat, and OS X just for CYA reasons. Not like all the LPARs on the pSeries 795 in the server room is going to get infected, but because it is a checkbox on a contract that "all computers on the corporate network will have antivirus software on them."
Re: (Score:3)
Actually it does to some extent (Score:2)
Re: (Score:2)
What we don't want them to decrypt is a message that I encrypted with pe
Exactly (Score:2)
Came to post exactly that. Tren Micro has just proven that as a tech company they don't even understand basic security.
Re: (Score:3)
Just some FUD to sell an app.
To some extent yes. But I'm tired of the old "obscurity doesn't work" meme. That one is right up there with "violence never solved anything".
The fewer people that know about a security vulnerability means that fewer people will try to exploit it. That's a fact. STO isn't a better model by any means, but can we quit pretending that it's inferior to the open source model? Because the "thousand eyeballs" theory of security has been repeatedly beaten into the ground. As Prof. Gene Spafford at Purdue so eloquent
Also in the news ... (Score:5, Funny)
In a related story, Trend Micro also noted that Windows has been far more secure than Linux for years due to it being closed source ...
Re:Also in the news ... (Score:5, Funny)
Re: (Score:3)
To make it even MORE secure, while there's pretty little you can do to make Linux more secure, it's just utterly pointless and hopeless to try to improve the security of such a system, no AV could hope to create a product that could possibly aid the security of this!
I'm not lying here! That statement is true and you know it. It's all in the wording... ;)
Re: (Score:2)
Also, you can ask if he has plans for his software on desktop (and server) linux. After all, there's a lot of linux servers facing the internet that need virus protection.
Re: (Score:3)
Now, in fairness, having a single AV engine, running on a box with powerful CPU(s) and a fast disk subsystem; busily snipping known viral payloads off of passing emails and network shared directories is actually a reasonably sensible 'pragmatic risk reduction' strategy, no matter what OS the server is running. It does help catch a lot of the more sophmoric virus attempts floating around, at zero computational and disk access overhead to the clients, who are the ones that likely have wea
Right. (Score:4, Informative)
Re:Right. (Score:5, Funny)
It is if you're Sir Gallahad of Camelot at the Bridge of Death [youtube.com].
indeed (Score:3, Insightful)
people are less secure because attackers know that hitting them on the head with a rock will kill them. that's why there should be no biology taught in school, right?
Re:indeed (Score:5, Insightful)
And also rocks should be banned.
Re: (Score:2)
and all heads removed, *just in case*
Re:Rocks Banned (Score:2)
+1 Garage
Re: (Score:2)
But they protect us from tigers!
Re: (Score:2)
Would you like to try my proprietary closed source rock scanner to tell if you are carrying a rock?
Feh (Score:5, Interesting)
They were doing this malarkey at my office a couple of years ago. They were spending all kinds of money on licenses on some sound program from Adobe (it was only going to be used to edit down calls that we recorded in our call center...so, yeah. We didn't really have huge requirements.) I tried convincing them to just use Audacity, but their response was "it's open source, anyone could mess with it, it was probably made by some guy in china, it's free which means it sucks, etc." ::eyeroll:: I tried telling them about how widespread its use is, and how it was made by a former Carnegie-Mellon-current-Google-employee, but they weren't having none of it.
Re:Feh (Score:5, Insightful)
Wrong approach. It took me a while to wrap my mind around the mindset of the execs, but their reasoning seems to follow two logics when it comes to software:
1. If it doesn't cost anything, it can't be worth anything.
2. If there is no company behind it, we can't sue anyone if it fails.
It's near impossible to show them that 1 is untrue and that 2 is a wet dream at best.
Re: (Score:2)
Might as well have used Windows Sound Recorder.. bleh. I hate how stupid people are.
Underlying Archecture (Score:4, Insightful)
It doesn't matter if one person or everyone in the world knows the underlying architecture. If the underlying architecture is junk then the problem is the underlying architecture instead of if it is closed or open source.
Consider the source (Score:5, Insightful)
That's nice. Of course, I tend to associate Internet security firms with SEO consultants, astrologers, and anyone else who makes a living off fear and ignorance.
Re: (Score:2)
With SEO....yeah most of the consultants are playing off ignorance, but from past experience, there are some out there that are worth their weight. Once you've done all the technical things with mod_rewrite/etc. the rest becomes content and making sure the keywords in the meta match what is in the body and that is an art. On one e-commerce site, we went from page 6 on google to the bottom of page 1 within weeks after a gal came in and rewrote all the website text. This was after 3 months of those of us
Comment removed (Score:4, Interesting)
Re: (Score:2)
I guess I'm not gonna be renewing my network's TrendMicro licenses when they expire next month...
Really? Or in a month, you forgot about this, or suddenly realize that it's too much trouble to replace them with.... ehm... Norton? McAfee?
Re: (Score:2)
Re: (Score:2)
IIRC, it's not free for companies - in fact, it's really rather pricey.
Re: (Score:2)
ClamAV? [clamav.net] ClamWin? [clamwin.com] Works for me :)
Re: (Score:2)
On home machines, Microsoft System Essentials. In the enterprise, Forefront. MS said that Forefront can effectively protect against the zombie horde, as well as ninja attacks in an ad campaign a few years back, and if that is true, just that ability is well worth the product's price.
HaHa its LART time (Score:4, Insightful)
@Mr Chang...
Repeat after me.. security through secrecy only works while your secret is, err, secret..
Now; how many engineers have worked on the iOS platform again? will they all keep it's secrets? Can you guarantee that? Do you realise that by keeping it secret Apple are also restricting the number of white hats that can notify them of security problems before they get exploited?
In modern business it seems the more someone is paid, the more drivel they spout.
Oh yeah? (Score:3)
I say Steve Chuang is a money-grubbing bastard who steals money from his customers for a service they wouldn't need if everyone would migrate away from Windows and the closed-source hegemony. So there.
I'm shocked... (Score:3)
The whole idea of OSS security(unlike, say, physical security) is that software bugs and errors are what introduce insecurities, that a technically correct system will be secure even if the attacker knows what it looks like(the same principle as in cryptography). This isn't true of physical systems; because physical materials always have finite strength; but software can(at least in theory, it rarely does) possess technical correctness.
I am, of course, totally unsurprised that an AV company would have completely given up on such a thing, and are falling back on obscurantism and endless layers of bandaids...
lol (Score:3, Interesting)
Security Through Obscurity (Score:4, Informative)
What Chang is basically saying is that "security through obscurity is inherently more safe than proper implementation" - something that was proven wrong a long time ago. Sure, when you got the implementation right, open source or closed source, extra obscurity won't hurt other than possibly maintenance, but prioritizing it is a misapplication of resources.
Sad joke (Score:2)
Security 101 (Score:2)
Security by obscurity? (Score:3)
"iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."
And that guy is the chairman of a computer security company?
Re: (Score:3)
"iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture." And that guy is the chairman of a computer security company?
Yes, the chairman who wants to sell his security software. If he had security software for the iPhone then we wouldn't hesitate one second to say "Android is more secure than iPhone because being an open-source platform lets everyone know more about the underlying architecture and fix security problems." If you asked him "Which is more secure, iPhone or Android", he'd ask you "what phone do you have?" and your phone would be the one that is less secure and needs his software.
Re: (Score:2)
Don't confuse chairman with someone who actually knows shit about what his company produces. I've had my share of bosses that had NO clue about IT security whatsoever. Chang is no exception to this.
Re: (Score:2)
Hrm... when it comes to numbers of compromised devices, both the iPhone and Android have not had any real intrusions (other than some jailbroken devices with the root password still set to "alpine" and sshd enabled.)
The security mechanisms of both operating systems are both pretty open. Android uses the Dalvik VM to sandbox, and Linux's user level protection to keep apps in their directories. iOS uses chroot() and the mobile user to enforce its security. Which is better? This can be argued endlessly.
So, why not release for Android? (Score:2)
Really? Good heavens! (Score:3)
It can be an avenue for attack... (Score:2)
...especially if someone takes an OSS app that is compilable and adds few backdoors etc. and puts it up on mirrors. Yeah, check the checksums. I do, but how many non-tech geeks know even how to do that? Last company I worked for we provided service contracts for an OSS app and got it PA-DSS certified, fixed a bunch of problems, added features, and most importantly signed our binaries. Most OSS project don't and a lot of times are in a format where that is difficult.
oh that old argument again (Score:2)
every time someone thinks that closed source is better we have this debate. many eyes = better security
open source != many eyes (Score:2)
The vast majority of millions of open source projects only have a few eyes one them.
Only projects like Linux kernel, apache, and a few others can claim "many eyes".
For the rest, security through obscurity would have been a better choice.
Well, it is less embarassing... (Score:2)
I guess, if nobody actually gets to look at your source, you're not opening yourself up to ridicule and scorn for the shoddy coding practices and multitude of exploitable errors...
No, the real ridicule comes when hostile crackers discover those exploitable errors through brute force or reverse engineering and, well, exploit them.
Sure, sometimes it can be a case of too many cooks and all that, but when it comes to hunting for security holes I'd think it just plain makes sense to have as many friendly eyes on
Complicated... (Score:2)
This is complicated.
First, open source vs closed source:
Security problems are just a very nasty subset of quality control issues. Quality code is a function of the quality of programmer, tooling, time schedule, etc.
Open source vs closed source is only one part of that equation, and though I believe it matters, it's not a determining factor BY ITSELF.
Second, Android VS iphone. There's 2 most likely attack vectors today: Browser bugs, and trojans downloaded on purpose that do something other then what they
He may have a point about Android (Score:2)
I have been giving the whole security argument some thought lately, and I think security through obscurity has merit in the short term. It should be obvious that security holes can be found quicker when you have the source than when you don't. All products have security flaws. All products tend to have more security problems initially and they get corrected over time.
Where open source helps is almost like homoeopathy, to cure your disease, you basically force your body to have symptoms in order to get the
I call FUD (Score:2)
If that was true then why do we have so many holes in Windows? That is closed source and everytime I turn around there is another security hole that has to get patched. I have dual boot machines at home and most of my time doing patches is for the windows side of things. On the other side of things my Linux boxes at home don't have as many problems with security and when a hole is found a patch is done much more quickly than I could even hope for in Windows.
It has all of the sound of a security vendor tryi
Just hype, move along (Score:2)
The real security risk (Score:2)
The real risk is Trend Micro Chairman, to the security of your wallet.
Just don't give it to him.
He's right (Score:2)
Just take Windows vs Linux as an example. Everyone knows Windows is less of a security risk. It gets hacked less often, has the least amount of exploits and as a bonus even runs faster and more stable!
Re:He's right (Score:4, Insightful)
We get your Stephen Colbert style reverse psychology message. Unfortunately, it is still an uphill battle for people to divest themselves of their misconceptions and asshats like this chairman of a highly visible commercial vendor of security (yes, I said "vendor of security" because people think they can BUY security rather than practice it... just like we can buy a healthy body rather than eat better and exercise.) reinforcing these misconceptions is unhelpful.
Still, they can't stop the inevitable. World politics are causing the rest of the world to mistrust U.S. government and especially U.S. businesses whose interests the U.S. government most often serving and acting on behalf of. So, there is a continuous growth in activities by governments outside of the U.S. interested in migrating to F/OSS operating systems and applications software. Foreign business is also moving in this direction.
What we are witnessing is a "slow burning bridge" and it is uncertain if this has yet progressed beyond a point of no return, but F/OSS has already reached a point of acceptance that it is no longer to be considered "fringe" and "non-mainstream."
Like Hunting in the Dark (Score:2)
Re: (Score:3)
Is it reasonable to expect that every SysAdmin is an expert in programming to the degree necessary to thoroughly evaluate whether *working code* contains subtle bugs that can be exploited by a cracker? Don't get me wrong, I don't think the argument that proprietary software has an inherent security advantage is valid, but what I'm saying is that SysAdmin is a different job, with different skillsets, than is software development. Sure, there's a lot of overlap, but I don't think it's reasonable to say that e
Re: (Score:2)
Translation (Score:2)
Security through obscurity is better for our sales. OSS contains far too few bugs to make our products necessary.
(Not that TM produced any good protection software, to be blunt for a change. Sorry, but given the choice between TM, McAfee and Panda I'd probably choose... a bullet).
Nice Android you got there... (Score:2)
it'd be a shame if something happened to it.
Trend Micro "expertise" credibility up in smoke (Score:3)
Anyone that knows anything about computer security just lost all respect and sense of credibility for Trend Micro with this idiot-leader's claim.
Unfortunately, it is not often that security experts are responsible for making purchase decisions. The more those who make purchase decision hear about a company making claims in support of "the defacto norm" and deriding "the new thing" it reinforces the "decisions not to change" that are frequently made by people who simply don't know the truth.
There is more money to be made by resisting change and improvement, especially when that change is in favor of free and open source software. "Leader of well known security expert company says not changing is good" simply helps to reinforce the intertia of non-change. So now decision makers can feel more justified in their not making decisions and calling it "decision not to change" without actually doing anything or learning anything.
Idiot (Score:2)
So, major corporations, focused mostly on profit, care more about device security than the owners of those devices? Interesting.
I'm just glad I can short-circuit Sprint's broken agps with a simple iptables rule on my Palm Pre. Voila! A GPS that works quickly and properly. No hacking required. Open platforms FTW.
Such dorks have been saying that for decades. (Score:2)
Not news.
Re: (Score:3)
Re: (Score:2)
And as long as MS produces OSs, I'll be able to make a living coding AV software.
Imagine a world of OSS only. Can you see how we'd be out on the street selling pencils and apples?
Closed source gives me a job! Hurray for CSS!
Re: (Score:3)
BUY ANTIVIRUS NOW OR JESUS KILLS A PUPPY!!!!
Sheesh. I mean honestly. How could you?
Note for the humor impaired, please see the sig I have been using for the past 6 years or so
Re: (Score:2)
I have sigs turned off, you insensitive clod!
Re: (Score:2)
If you have a vendor who actively solicits and rewards bug/vulnerability reports, puts a lot of time and money into fixing them, and keeps their source closed, you'll probably have about the best security possible. In the real world, it's not so black and white.
And that one vendor is..... Google! (Except of course that their source is open.)
Re: (Score:3)
Parent was obviously using a closed-source operating system.
Re: (Score:2)
What worries me is all you "sysadmins" who are admitting you are currently using trendMicro at all.
Re: (Score:2)
Never give malice the benefit of being mere incompetence.
Re:Misguided (Score:4, Insightful)
In the 1990s, there were a lot of people who made their own encryption algorithms, of course they were "secret" for their own encryption products. Not surprisingly, a lot of them were just using rand() with the password the user types in as the seed for srand() and then XOR-ing the data. To the casual user, random cyphertext is random cyphertext. However, it doesn't take long to spin through 65536 possibilities for a seed.
Of course, we had Clipper/Skipjack. I'd dread what life would be like if we had to trust the encryption on that chip (without knowing anything about the algorithm), and nevermind who had access to the LEAF fields. Probably most of the /. readers would have found a way to zero out the LEAF fields so the key couldn't be pulled out of escrow.
I'm just glad we have decent, open cryptographic standards. If a product doesn't use AES with a good implementation other than ECB, find something that does. RSA and SHA1 are not perfect, but so far, they have been secure.
Re: (Score:3)
Very true. If SHA-X was secure for the foreseeable future, there wouldn't be a contest going on for someone to make a replacement algorithm for the SHA-3 name. In the meantime, it would be nice for Whirlpool, Skein, or another well tested hash function to take up the slack.
However, the hash functions are open for all to look at. This beats someone stuffing all the data into an 8 bit LFSR, yanking 128 bits out and calling that a cryptographically secure hash.