Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Android Cellphones IOS Open Source Security Software IT

Trend Micro Chairman Says Open Source Is a Security Risk 258

dkd903 writes "Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software is inherently less secure than closed source. When talking about the security of smartphones, Chang claimed that the iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture." This comes a week after Trend Micro released a mobile security app for Android.
This discussion has been archived. No new comments can be posted.

Trend Micro Chairman Says Open Source Is a Security Risk

Comments Filter:
  • by WiglyWorm ( 1139035 ) on Friday January 14, 2011 @09:29AM (#34877076) Homepage
    Just some FUD to sell an app.
    • by dintech ( 998802 ) on Friday January 14, 2011 @09:37AM (#34877174)

      It's scary that someone of his seniority in the computer security business would be pushing 'security through obscurity'. Doesn't he have access to Google? The only fear uncertainty and doubt I have is about Trend Micro.

      • by fuzzyfuzzyfungus ( 1223518 ) on Friday January 14, 2011 @09:40AM (#34877232) Journal
        If I had spent years building AV software to paper over Windows' flaws, I'd probably have given up on technical correctness as well...
      • by nahdude812 ( 88157 ) * on Friday January 14, 2011 @10:05AM (#34877568) Homepage

        He's not pushing security through obscurity. He's pushing fear plus "security through giving us your money." His claim is a clear conflict of interest.

        Did you know dangerous radio waves are passing through your brain every minute? Buy my special tinfoil hat to protect yourself!

      • Someone should remind this guy about the availability of fuzzing tools, and their effectiveness in finding bugs that might be exploitable.

        http://it.slashdot.org/tag/fuzzing [slashdot.org]

      • by mcgrew ( 92797 ) * on Friday January 14, 2011 @10:40AM (#34878160) Homepage Journal

        Indeed. But think about it -- his business depends on insecure software, and the fewer people who use Windows and closed source apps, the better for his business.

        Businessmen are more and more becoming bald-faced liars, and it's been going on for some time. He surely knows that "security through obscurity" is a falsehood, but if you have no morals or ethics you have no reason to tell the truth. I'm reminded of DS9 characters; the two characters that most resemble today's businesspeople are bar owner Quark and his Ferengi "rules of acquisition" and clothing store owner Garak, whose motto was "Never tell the truth when a lie will do".

        If open source is less secure, then why don't I need Trend Micro's bullshit AV on my Linux box?

      • Have some F about Trend Micro, but don't have any U or D - TM is one of the worst AV programs I've seen in action.

        Back around 2003, the corporate parent of my little used-to-be-locally-owned business set up a "19th hole" deal with TM. We were told to use TM as our sole AV in our local branch, as we now had a corporate-wide license. We refused, and were told that our AV must then come out of our own IT budget. Fair enough.

        Why did we refuse TM? For one, the version we were given at that time had to be installed by hand on every machine. Corporate IT actually went through their thousands of machine and installed the damn thing. Probably using interns, as it wouldn't have been cost effective to have actual IT do that work, despite their sweetheart deal with TM. With an IT staff of 3, only one of which was on desktop support, we didn't feel that it was worth a hand-install on 150 or so machines. Especially since almost everything about TM sucked.

        So we shelled out for Norton Corporate, set up a beefy desktop as a dedicated AV server, and pushed the client to all the local machines. 15 minutes of visual inspection plus the help of the rest of the employees found the dozen or so that didn't install properly, and those were dealt with by hand.

        A few months later, corporate got slammed with some hellacious worm. TM didn't pick it up at all. In the least. While it spread like wildfire from one of our local corporate goons' laptops onto our systems, Norton at least disarmed all the tens of thousands of copies it placed throughout most of our file systems. (The bastard was doing auditing, and had access to just about everything.)

        Corporate was unable to deal with the worm for a few days - we firewalled them off, cleaned up the mess, and got on with life before their IT was able to send us instructions on how to deal with it, and how to fix TM, which it had destroyed in the process. (Yes, every machine by hand, once again.)

        So long ramble short - don't listen to TM. Ever.
    • by Latent Heat ( 558884 ) on Friday January 14, 2011 @09:41AM (#34877262)
      So some suit is claiming Android is less secure because it is open in some sense. A suit makes some claim and the sun also rises in the east.

      "This comes a week after Trend Micro released a mobility security app for Android."

      Oooooooohhh. Trend Micro wants us to worry about security and then sell us a security app.

      Slashdot is News for Nerds: the OP's are supposed to be news whereas the editorializing is supposed to take place in the comments sections. There is a trend around here that the OP's render their opinions now.

      I say to the OP's, cut out the snark and leave the snark to those of us in the Peanut Gallery. If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.

      • by WiglyWorm ( 1139035 ) on Friday January 14, 2011 @09:51AM (#34877386) Homepage
        I take this as full disclosure, not editorializing.
      • If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.

        Are you really and truly complaining about there being more information in the summary? Thanks for helping make Slashdot grate.

    • Re: (Score:3, Funny)

      Considering the past mess-ups of AVG, Norton, McAfee and probably pretty much all the others, it could be argued that anti virus apps are the real threat ;)

      Hopefully they dont read this and declare me a virus though!
    • by fearlezz ( 594718 ) on Friday January 14, 2011 @09:57AM (#34877466)

      It's not all FUD... open source is actually a security risk... for mr. Chang's wallet.
      Remember the lawsuit against clamav [google.com]? And of course, there's the fact that if everyone ditched windows for an open source OS, trend micro wouldn't have many customers anymore.

      • by Spad ( 470073 ) <slashdot.spad@co@uk> on Friday January 14, 2011 @10:03AM (#34877554) Homepage

        Linux can't fix stupid; there'd still be call for Trend Micro's services.

      • by mlts ( 1038732 ) * on Friday January 14, 2011 @10:27AM (#34877944)

        If people dumped Windows for open source, there will still be a large market for AV utilities, for legal reasons.

        There are a lot of companies where I had to spec out antivirus solutions for AIX, Solaris, RedHat, and OS X just for CYA reasons. Not like all the LPARs on the pSeries 795 in the server room is going to get infected, but because it is a checkbox on a contract that "all computers on the corporate network will have antivirus software on them."

      • I was wondering something along the same lines. Since when is anybody working at Trend Micro an expert on security. I don't think I've ever used a security product so incompetently built as PC-Cillin. And I only used that in the sense that it came pre-installed on my laptop for the few seconds before it was removed for using 99% of my processing power.
    • There is an old argument that public key cryptography is weaker than a private key system. In public key systems, one key is out there and inherently contains everything an attacker needs to decode a message. We rely on the security of the crypto system to ensure they can't do that. Contrast this to the SAME system where both keys are kept secret - the attacker now has zero information about the keys. It's a bit of weak argument, since we do rely completely on the cryptosystem, but being obscure on top of b
      • by tom17 ( 659054 )
        I'm confused by what you mean. With a public key system, you *want* one key to be 'out there' (the public key) and it's fine for people to decrypt your message (that you encrypted with your private key). Effectively, you have just signed your message and by decrypting it, they are just confirming that you are the author. We are not relying "on the security of the crypto system to ensure they can't do that" as we want them to do that.

        What we don't want them to decrypt is a message that I encrypted with pe
    • Came to post exactly that. Tren Micro has just proven that as a tech company they don't even understand basic security.

    • Just some FUD to sell an app.

      To some extent yes. But I'm tired of the old "obscurity doesn't work" meme. That one is right up there with "violence never solved anything".

      The fewer people that know about a security vulnerability means that fewer people will try to exploit it. That's a fact. STO isn't a better model by any means, but can we quit pretending that it's inferior to the open source model? Because the "thousand eyeballs" theory of security has been repeatedly beaten into the ground. As Prof. Gene Spafford at Purdue so eloquent

  • by BrianRoach ( 614397 ) on Friday January 14, 2011 @09:30AM (#34877088)

    In a related story, Trend Micro also noted that Windows has been far more secure than Linux for years due to it being closed source ...

    • by fuzzyfuzzyfungus ( 1223518 ) on Friday January 14, 2011 @09:41AM (#34877256) Journal
      They then politely ignored inquiries as to why their software was needed to protect superior closed-source systems...
      • To make it even MORE secure, while there's pretty little you can do to make Linux more secure, it's just utterly pointless and hopeless to try to improve the security of such a system, no AV could hope to create a product that could possibly aid the security of this!

        I'm not lying here! That statement is true and you know it. It's all in the wording... ;)

      • Also, you can ask if he has plans for his software on desktop (and server) linux. After all, there's a lot of linux servers facing the internet that need virus protection.

        • No need to ask... [trendmicro.com]

          Now, in fairness, having a single AV engine, running on a box with powerful CPU(s) and a fast disk subsystem; busily snipping known viral payloads off of passing emails and network shared directories is actually a reasonably sensible 'pragmatic risk reduction' strategy, no matter what OS the server is running. It does help catch a lot of the more sophmoric virus attempts floating around, at zero computational and disk access overhead to the clients, who are the ones that likely have wea
  • Right. (Score:4, Informative)

    by DWMorse ( 1816016 ) on Friday January 14, 2011 @09:30AM (#34877092) Homepage
    Right. And the color yellow is more secure than the color blue.
  • indeed (Score:3, Insightful)

    by chichilalescu ( 1647065 ) on Friday January 14, 2011 @09:30AM (#34877094) Homepage Journal

    people are less secure because attackers know that hitting them on the head with a rock will kill them. that's why there should be no biology taught in school, right?

  • Feh (Score:5, Interesting)

    by Pojut ( 1027544 ) on Friday January 14, 2011 @09:33AM (#34877134) Homepage

    They were doing this malarkey at my office a couple of years ago. They were spending all kinds of money on licenses on some sound program from Adobe (it was only going to be used to edit down calls that we recorded in our call center...so, yeah. We didn't really have huge requirements.) I tried convincing them to just use Audacity, but their response was "it's open source, anyone could mess with it, it was probably made by some guy in china, it's free which means it sucks, etc." ::eyeroll:: I tried telling them about how widespread its use is, and how it was made by a former Carnegie-Mellon-current-Google-employee, but they weren't having none of it.

    • Re:Feh (Score:5, Insightful)

      by Opportunist ( 166417 ) on Friday January 14, 2011 @10:33AM (#34878042)

      Wrong approach. It took me a while to wrap my mind around the mindset of the execs, but their reasoning seems to follow two logics when it comes to software:

      1. If it doesn't cost anything, it can't be worth anything.
      2. If there is no company behind it, we can't sue anyone if it fails.

      It's near impossible to show them that 1 is untrue and that 2 is a wet dream at best.

    • Might as well have used Windows Sound Recorder.. bleh. I hate how stupid people are.

  • by EXTomar ( 78739 ) on Friday January 14, 2011 @09:35AM (#34877154)

    It doesn't matter if one person or everyone in the world knows the underlying architecture. If the underlying architecture is junk then the problem is the underlying architecture instead of if it is closed or open source.

  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Friday January 14, 2011 @09:37AM (#34877178) Homepage Journal

    That's nice. Of course, I tend to associate Internet security firms with SEO consultants, astrologers, and anyone else who makes a living off fear and ignorance.

    • With SEO....yeah most of the consultants are playing off ignorance, but from past experience, there are some out there that are worth their weight. Once you've done all the technical things with mod_rewrite/etc. the rest becomes content and making sure the keywords in the meta match what is in the body and that is an art. On one e-commerce site, we went from page 6 on google to the bottom of page 1 within weeks after a gal came in and rewrote all the website text. This was after 3 months of those of us

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Friday January 14, 2011 @09:37AM (#34877180)
    Comment removed based on user account deletion
    • by rvw ( 755107 )

      I guess I'm not gonna be renewing my network's TrendMicro licenses when they expire next month...

      Really? Or in a month, you forgot about this, or suddenly realize that it's too much trouble to replace them with.... ehm... Norton? McAfee?

      • Well hey, if Microsoft Windows is so secure, why not go with MSSE?
      • or suddenly realize that it's too much trouble to replace them with.... ehm... Norton? McAfee?

        ClamAV? [clamav.net] ClamWin? [clamwin.com] Works for me :)

      • by mlts ( 1038732 ) *

        On home machines, Microsoft System Essentials. In the enterprise, Forefront. MS said that Forefront can effectively protect against the zombie horde, as well as ninja attacks in an ad campaign a few years back, and if that is true, just that ability is well worth the product's price.

  • HaHa its LART time (Score:4, Insightful)

    by EasyTarget ( 43516 ) on Friday January 14, 2011 @09:37AM (#34877182) Journal

    @Mr Chang...

    Repeat after me.. security through secrecy only works while your secret is, err, secret..

    Now; how many engineers have worked on the iOS platform again? will they all keep it's secrets? Can you guarantee that? Do you realise that by keeping it secret Apple are also restricting the number of white hats that can notify them of security problems before they get exploited?

    In modern business it seems the more someone is paid, the more drivel they spout.

  • by Eggplant62 ( 120514 ) on Friday January 14, 2011 @09:38AM (#34877198)

    I say Steve Chuang is a money-grubbing bastard who steals money from his customers for a service they wouldn't need if everyone would migrate away from Windows and the closed-source hegemony. So there.

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday January 14, 2011 @09:38AM (#34877200) Journal
    It completely fails to surprise me that an AV would have completely given up on the notion of security through technical correctness and have fallen back on the notion of security through obscurity.

    The whole idea of OSS security(unlike, say, physical security) is that software bugs and errors are what introduce insecurities, that a technically correct system will be secure even if the attacker knows what it looks like(the same principle as in cryptography). This isn't true of physical systems; because physical materials always have finite strength; but software can(at least in theory, it rarely does) possess technical correctness.

    I am, of course, totally unsurprised that an AV company would have completely given up on such a thing, and are falling back on obscurantism and endless layers of bandaids...
  • lol (Score:3, Interesting)

    by jimmerz28 ( 1928616 ) on Friday January 14, 2011 @09:38AM (#34877212)
    I have to constantly find open source malware and virus protection because the server/client TrendMicro package we have at my employer doesn't catch anything.
  • by Lazareth ( 1756336 ) on Friday January 14, 2011 @09:39AM (#34877214)

    What Chang is basically saying is that "security through obscurity is inherently more safe than proper implementation" - something that was proven wrong a long time ago. Sure, when you got the implementation right, open source or closed source, extra obscurity won't hurt other than possibly maintenance, but prioritizing it is a misapplication of resources.

  • The CEO of a computer security company parrots "security through obscurity." Well guess I won't trust any Trend Micro products.
  • Security through obscurity FTW! Everyone knows that is the best way to secure a system!
  • by X10 ( 186866 ) on Friday January 14, 2011 @09:44AM (#34877300) Homepage

    "iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."

    And that guy is the chairman of a computer security company?

    • "iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture." And that guy is the chairman of a computer security company?

      Yes, the chairman who wants to sell his security software. If he had security software for the iPhone then we wouldn't hesitate one second to say "Android is more secure than iPhone because being an open-source platform lets everyone know more about the underlying architecture and fix security problems." If you asked him "Which is more secure, iPhone or Android", he'd ask you "what phone do you have?" and your phone would be the one that is less secure and needs his software.

    • Don't confuse chairman with someone who actually knows shit about what his company produces. I've had my share of bosses that had NO clue about IT security whatsoever. Chang is no exception to this.

    • by mlts ( 1038732 ) *

      Hrm... when it comes to numbers of compromised devices, both the iPhone and Android have not had any real intrusions (other than some jailbroken devices with the root password still set to "alpine" and sshd enabled.)

      The security mechanisms of both operating systems are both pretty open. Android uses the Dalvik VM to sandbox, and Linux's user level protection to keep apps in their directories. iOS uses chroot() and the mobile user to enforce its security. Which is better? This can be argued endlessly.

  • Does this guy really expect to be taken seriously? He claims that iPhone is more secure than Android, and they still launched for iPhone???? I bet they're hoping that WIndoze Phone 7 gets some sales(however unlikely that seems right now), so they can scare the victims into buying their security app for that. I reckon that they are starting to see the end for windoze and the demise of their dismal, unnecessary businesses, so they're trying to scare up business elsewhere.
  • by i_want_you_to_throw_ ( 559379 ) on Friday January 14, 2011 @09:46AM (#34877318) Journal
    Good heavens! Oh my, a maker of anti-virus software for the most virus ridden system in the world claims OSS is insecure? Wow, the shenanigans couldn't be anymore obvious. Of course it's more insecure and it's in his best interest to say so. That's business folks! As always, follow the money. Trend Micro has been in bed with MSFT for a LONG time.
  • ...especially if someone takes an OSS app that is compilable and adds few backdoors etc. and puts it up on mirrors. Yeah, check the checksums. I do, but how many non-tech geeks know even how to do that? Last company I worked for we provided service contracts for an OSS app and got it PA-DSS certified, fixed a bunch of problems, added features, and most importantly signed our binaries. Most OSS project don't and a lot of times are in a format where that is difficult.

  • every time someone thinks that closed source is better we have this debate. many eyes = better security

    • The vast majority of millions of open source projects only have a few eyes one them.

      Only projects like Linux kernel, apache, and a few others can claim "many eyes".

      For the rest, security through obscurity would have been a better choice.

  • I guess, if nobody actually gets to look at your source, you're not opening yourself up to ridicule and scorn for the shoddy coding practices and multitude of exploitable errors...

    No, the real ridicule comes when hostile crackers discover those exploitable errors through brute force or reverse engineering and, well, exploit them.

    Sure, sometimes it can be a case of too many cooks and all that, but when it comes to hunting for security holes I'd think it just plain makes sense to have as many friendly eyes on

  • This is complicated.

    First, open source vs closed source:

    Security problems are just a very nasty subset of quality control issues. Quality code is a function of the quality of programmer, tooling, time schedule, etc.
    Open source vs closed source is only one part of that equation, and though I believe it matters, it's not a determining factor BY ITSELF.

    Second, Android VS iphone. There's 2 most likely attack vectors today: Browser bugs, and trojans downloaded on purpose that do something other then what they

  • I have been giving the whole security argument some thought lately, and I think security through obscurity has merit in the short term. It should be obvious that security holes can be found quicker when you have the source than when you don't. All products have security flaws. All products tend to have more security problems initially and they get corrected over time.

    Where open source helps is almost like homoeopathy, to cure your disease, you basically force your body to have symptoms in order to get the

  • If that was true then why do we have so many holes in Windows? That is closed source and everytime I turn around there is another security hole that has to get patched. I have dual boot machines at home and most of my time doing patches is for the windows side of things. On the other side of things my Linux boxes at home don't have as many problems with security and when a hole is found a patch is done much more quickly than I could even hope for in Windows.

    It has all of the sound of a security vendor tryi

  • He's not really wrong necessarily, but every piece of software is a new security risk. Games, email programs, you name it its a security risk. Its obviously just a bunch of PR to sell an app. Open Source's greatest risk is also its best potential strength. Because hackers and anyone else can see the underlying code, the security holes that a hacker may exploit will be patched in record time, possibly even by the hacker himself. Meanwhile closed source can only rely on internal resources, not a bad thing nec
  • The real risk is Trend Micro Chairman, to the security of your wallet.

    Just don't give it to him.

  • Just take Windows vs Linux as an example. Everyone knows Windows is less of a security risk. It gets hacked less often, has the least amount of exploits and as a bonus even runs faster and more stable!

    • Re:He's right (Score:4, Insightful)

      by erroneus ( 253617 ) on Friday January 14, 2011 @10:55AM (#34878496) Homepage

      We get your Stephen Colbert style reverse psychology message. Unfortunately, it is still an uphill battle for people to divest themselves of their misconceptions and asshats like this chairman of a highly visible commercial vendor of security (yes, I said "vendor of security" because people think they can BUY security rather than practice it... just like we can buy a healthy body rather than eat better and exercise.) reinforcing these misconceptions is unhelpful.

      Still, they can't stop the inevitable. World politics are causing the rest of the world to mistrust U.S. government and especially U.S. businesses whose interests the U.S. government most often serving and acting on behalf of. So, there is a continuous growth in activities by governments outside of the U.S. interested in migrating to F/OSS operating systems and applications software. Foreign business is also moving in this direction.

      What we are witnessing is a "slow burning bridge" and it is uncertain if this has yet progressed beyond a point of no return, but F/OSS has already reached a point of acceptance that it is no longer to be considered "fringe" and "non-mainstream."

  • Using closed source software is like putting an admin in the woods at night with a thousand attackers and telling him to catch the attackers before they break into your treasure chest. By the time the admin catches one, the chest has already been looted and the admin spends the rest of his time patching up the loophole while the other attackers are already preparing their next break-in. A good admin shouldn't be measured by how well they handle damage control but how well they can analyze a new piece of s
    • by JSBiff ( 87824 )

      Is it reasonable to expect that every SysAdmin is an expert in programming to the degree necessary to thoroughly evaluate whether *working code* contains subtle bugs that can be exploited by a cracker? Don't get me wrong, I don't think the argument that proprietary software has an inherent security advantage is valid, but what I'm saying is that SysAdmin is a different job, with different skillsets, than is software development. Sure, there's a lot of overlap, but I don't think it's reasonable to say that e

      • I'd mod you some points if I could, but yes, that's where I was going. I guess I meant to refer to admins in the sense of security admins. I work in a large company so system admins tend to work in the world of fixing computer issues, network admins keep the network in check and security admins bounce around with a magnifying glass and a bunch of drain plugs keeping everything shipshape. Like you said, the small business man benefits from the big business man's expertise and everyone benefits from the br
  • Security through obscurity is better for our sales. OSS contains far too few bugs to make our products necessary.

    (Not that TM produced any good protection software, to be blunt for a change. Sorry, but given the choice between TM, McAfee and Panda I'd probably choose... a bullet).

  • it'd be a shame if something happened to it.

  • Anyone that knows anything about computer security just lost all respect and sense of credibility for Trend Micro with this idiot-leader's claim.

    Unfortunately, it is not often that security experts are responsible for making purchase decisions. The more those who make purchase decision hear about a company making claims in support of "the defacto norm" and deriding "the new thing" it reinforces the "decisions not to change" that are frequently made by people who simply don't know the truth.

    There is more money to be made by resisting change and improvement, especially when that change is in favor of free and open source software. "Leader of well known security expert company says not changing is good" simply helps to reinforce the intertia of non-change. So now decision makers can feel more justified in their not making decisions and calling it "decision not to change" without actually doing anything or learning anything.

  • So, major corporations, focused mostly on profit, care more about device security than the owners of those devices? Interesting.

    I'm just glad I can short-circuit Sprint's broken agps with a simple iptables rule on my Palm Pre. Voila! A GPS that works quickly and properly. No hacking required. Open platforms FTW.

CChheecckk yyoouurr dduupplleexx sswwiittcchh..

Working...