
Trend Micro Chairman Says Open Source Is a Security Risk

Soulskill posted more than 3 years ago | from the with-friends-like-these dept.

dkd903 writes "Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software is inherently less secure than closed source. When talking about the security of smartphones, Chang claimed that the iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture." This comes a week after Trend Micro released a mobile security app for Android.

Security through obscurity doesn't work (5, Insightful)

WiglyWorm (1139035) | more than 3 years ago | (#34877076)

Just some FUD to sell an app.

Re:Security through obscurity doesn't work (5, Insightful)

dintech (998802) | more than 3 years ago | (#34877174)

It's scary that someone of his seniority in the computer security business would be pushing 'security through obscurity'. Doesn't he have access to Google? The only fear, uncertainty and doubt I have is about Trend Micro.

Re:Security through obscurity doesn't work (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34877232)

If I had spent years building AV software to paper over Windows' flaws, I'd probably have given up on technical correctness as well...

Re:Security through obscurity doesn't work (4, Insightful)

nahdude812 (88157) | more than 3 years ago | (#34877568)

He's not pushing security through obscurity. He's pushing fear plus "security through giving us your money." His claim is a clear conflict of interest.

Did you know dangerous radio waves are passing through your brain every minute? Buy my special tinfoil hat to protect yourself!

Re:Security through obscurity doesn't work (4, Insightful)

Eraesr (1629799) | more than 3 years ago | (#34877628)

His claim is a clear conflict of interest.

Not at all, really. His claim clearly lines up with his interests. He wants you to buy his Android security app, so he'll claim that Android is really insecure.

Re:Security through obscurity doesn't work (2, Informative)

Anonymous Coward | more than 3 years ago | (#34878000)

Which is the very definition of conflict of interest.

Re:Security through obscurity doesn't work (1)

camperslo (704715) | more than 3 years ago | (#34877574)

Someone should remind this guy about the availability of fuzzing tools, and their effectiveness in finding bugs that might be exploitable.

http://it.slashdot.org/tag/fuzzing [slashdot.org]

Re:Security through obscurity doesn't work (0, Flamebait)

commodore64_love (1445365) | more than 3 years ago | (#34877626)

He is technically correct: open source lets dishonest people search for flaws to exploit. BUT he overlooks that closed-source companies like Microsoft are slow to fix problems (often going years before fixing known bugs), so they are oftentimes less safe than open source, due to inertia.

The ideal would probably be closed source (so thieves can't see the flaws), and a company that fixes bugs immediately after discovery. In the real world no such thing exists..... except possibly OS 10.x by Apple, who fix bugs at a rapid rate.

Re:Security through obscurity doesn't work (5, Interesting)

Anonymous Coward | more than 3 years ago | (#34877730)

Don't forget that the bad guys end up with the source code while the white hats don't get it. Take a look at Windows. The Chinese intel services have the source for it. Russia does too. However, people who need and rely on the protection of the OS do not get the source code.

So, the blackhats already have a leg up because they can clear-box their exploits. The whitehats have to keep disassembling stuff in order to have any hope whatsoever.

Because MS doesn't trust people with the source code of their products, how can people trust them?

Re:Security through obscurity doesn't work (2)

mlush (620447) | more than 3 years ago | (#34877798)

He is technically correct: open source lets dishonest people search for flaws to exploit. BUT he overlooks that closed-source companies like Microsoft are slow to fix problems (often going years before fixing known bugs), so they are oftentimes less safe than open source, due to inertia.

Open Source also lets honest people search for flaws to exploit, and when they find them it does not punish them for the effrontery of disclosing them.

Re:Security through obscurity doesn't work (1)

commodore64_love (1445365) | more than 3 years ago | (#34877840)

>>>Open Source does not punish them for the effrontery of disclosing them.

Punish them? What you say?

Re:Security through obscurity doesn't work (3, Informative)

mlush (620447) | more than 3 years ago | (#34878096)

>>>Open Source does not punish them for the effrontery of disclosing them.

Punish them? What you say?

Like this [zdnet.com.au]

Can Slashdot OP's cut the snark? (3, Insightful)

Latent Heat (558884) | more than 3 years ago | (#34877262)

So some suit is claiming Android is less secure because it is open in some sense. A suit makes some claim and the sun also rises in the east.

"This comes a week after Trend Micro released a mobility security app for Android."

Oooooooohhh. Trend Micro wants us to worry about security and then sell us a security app.

Slashdot is News for Nerds: the OP's are supposed to be news whereas the editorializing is supposed to take place in the comments sections. There is a trend around here that the OP's render their opinions now.

I say to the OP's, cut out the snark and leave the snark to those of us in the Peanut Gallery. If you want to color the news with your opinions, get in line with the rest of us and subject your comments to the moderation system.

Re:Can Slashdot OP's cut the snark? (4, Insightful)

WiglyWorm (1139035) | more than 3 years ago | (#34877386)

I take this as full disclosure, not editorializing.

Re:Can Slashdot OP's cut the snark? (0)

Slime-dogg (120473) | more than 3 years ago | (#34877520)

The odd thing is that iOS is based off of MacOS X, which is based off an open source implementation of UNIX.

Re:Can Slashdot OP's cut the snark? (1)

pipatron (966506) | more than 3 years ago | (#34877536)

Can I see the source code for the iOS?

Re:Can Slashdot OP's cut the snark? (0)

Anonymous Coward | more than 3 years ago | (#34877620)

Define source..

Re:Can Slashdot OP's cut the snark? (3, Funny)

Anonymous Coward | more than 3 years ago | (#34877916)

Define source..

Inside iOS are millions of midi-chlorians which, oh wait, that's something else...

Re:Can Slashdot OP's cut the snark? (1)

jgagnon (1663075) | more than 3 years ago | (#34878062)

iOS may be Vader some day later but now it's just a small fry?

Re:Can Slashdot OP's cut the snark? (1)

postbigbang (761081) | more than 3 years ago | (#34877664)

It's even questionable whether MacOS is BSD-Darwin at this point. Strange how the company with the second largest market cap on the planet did so on the shoulders of arguably open source microkernels.

Re:Security through obscurity doesn't work (3, Funny)

alostpacket (1972110) | more than 3 years ago | (#34877334)

Considering the past mess-ups of AVG, Norton, McAfee and probably pretty much all the others, it could be argued that anti virus apps are the real threat ;)

Hopefully they don't read this and declare me a virus though!

Re:Security through obscurity doesn't work (4, Interesting)

fearlezz (594718) | more than 3 years ago | (#34877466)

It's not all FUD... open source is actually a security risk... for Mr. Chang's wallet.
Remember the lawsuit against clamav [google.com]? And of course, there's the fact that if everyone ditched Windows for an open source OS, Trend Micro wouldn't have many customers anymore.

Re:Security through obscurity doesn't work (3, Insightful)

Spad (470073) | more than 3 years ago | (#34877554)

Linux can't fix stupid; there'd still be call for Trend Micro's services.

Re:Security through obscurity doesn't work (4, Informative)

mlts (1038732) | more than 3 years ago | (#34877944)

If people dumped Windows for open source, there will still be a large market for AV utilities, for legal reasons.

There are a lot of companies where I had to spec out antivirus solutions for AIX, Solaris, RedHat, and OS X just for CYA reasons. Not like all the LPARs on the pSeries 795 in the server room are going to get infected, but because it is a checkbox on a contract that "all computers on the corporate network will have antivirus software on them."

Actually it does to some extent (1)

gr8_phk (621180) | more than 3 years ago | (#34877602)

There is an old argument that public key cryptography is weaker than a private key system. In public key systems, one key is out there and inherently contains everything an attacker needs to decode a message. We rely on the security of the crypto system to ensure they can't do that. Contrast this to the SAME system where both keys are kept secret - the attacker now has zero information about the keys. It's a bit of a weak argument, since we do rely completely on the cryptosystem, but being obscure on top of being effective does help a little bit. That said, I would argue that the mere existence of alureon.h [microsoft.com] should convince folks that at least one platform (that is closed source) should be avoided.

Re:Actually it does to some extent (1)

tom17 (659054) | more than 3 years ago | (#34878088)

I'm confused by what you mean. With a public key system, you *want* one key to be 'out there' (the public key) and it's fine for people to decrypt your message (that you encrypted with your private key). Effectively, you have just signed your message and by decrypting it, they are just confirming that you are the author. We are not relying "on the security of the crypto system to ensure they can't do that" as we want them to do that.

What we don't want them to decrypt is a message that I encrypted with person-x's public key, but as only person-x has his private key to decrypt it with, we are safe. Sure, in this instance, we "rely on the security of the crypto system to ensure they can't do that", but that's no different than a private key system where we rely on the security of the crypto system...

Did I misunderstand what you were trying to say?

Also in the news ... (5, Funny)

BrianRoach (614397) | more than 3 years ago | (#34877088)

In a related story, Trend Micro also noted that Windows has been far more secure than Linux for years due to it being closed source ...

Re:Also in the news ... (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34877256)

They then politely ignored inquiries as to why their software was needed to protect superior closed-source systems...

Re:Also in the news ... (2)

Opportunist (166417) | more than 3 years ago | (#34878114)

To make it even MORE secure, while there's pretty little you can do to make Linux more secure, it's just utterly pointless and hopeless to try to improve the security of such a system, no AV could hope to create a product that could possibly aid the security of this!

I'm not lying here! That statement is true and you know it. It's all in the wording... ;)

Re:Also in the news ... (0)

SailorSpork (1080153) | more than 3 years ago | (#34877482)

Also, this just in! PS3's closed-source hardware encryption keys are also completely secure, and removing their "Other OS" option has helped Sony gain consumers' trust and leading market share!

Right. (3, Informative)

DWMorse (1816016) | more than 3 years ago | (#34877092)

Right. And the color yellow is more secure than the color blue.

Re:Right. (5, Funny)

dkleinsc (563838) | more than 3 years ago | (#34877284)

It is if you're Sir Galahad of Camelot at the Bridge of Death [youtube.com].

Re:Right. (0)

Anonymous Coward | more than 3 years ago | (#34877352)

Right. And the color yellow is more secure than the color blue.

Piss will stay in a bottle, but the sky....

Re:Right. (0)

Anonymous Coward | more than 3 years ago | (#34877548)

It almost has to be. There is no way to be less secure than blue. I mean even beige is no less secure than blue and we all remember what a fiasco beige turned out to be.

indeed (3, Insightful)

chichilalescu (1647065) | more than 3 years ago | (#34877094)

people are less secure because attackers know that hitting them on the head with a rock will kill them. that's why there should be no biology taught in school, right?

Re:indeed (4, Insightful)

Dunbal (464142) | more than 3 years ago | (#34877216)

And also rocks should be banned.

Re:indeed (1)

djsmiley (752149) | more than 3 years ago | (#34877456)

and all heads removed, *just in case*

Re:Rocks Banned (1)

TaoPhoenix (980487) | more than 3 years ago | (#34877784)

+1 Garage

Re:indeed (1)

Opportunist (166417) | more than 3 years ago | (#34878066)

But they protect us from tigers!

um no (0)

Anonymous Coward | more than 3 years ago | (#34877098)

Actually the opposite is true, if everyone knows how something works more people can call out the bullshit and fix the problem. With closed source problems can exist that linger forever because no one

Re:um no (2)

GameboyRMH (1153867) | more than 3 years ago | (#34877346)

Parent was obviously using a closed-source operating system.

Except the hackers know more about (0)

Anonymous Coward | more than 3 years ago | (#34877106)

the underlying code than trend micro.

Re:Except the hackers know more about (0)

Anonymous Coward | more than 3 years ago | (#34877330)

The closed source that is.

Old discussion (1)

natehoy (1608657) | more than 3 years ago | (#34877116)

First, no one who reads this is suddenly going to be convinced either way. Either you feel that making the code obscure makes it harder to find bugs, or you feel that making the code open makes it easier to fix them. Both are true, for various levels of vendor responsiveness in closed-source code and level of active involvement in open-source code.

If you have a vendor who actively solicits and rewards bug/vulnerability reports, puts a lot of time and money into fixing them, and keeps their source closed, you'll probably have about the best security possible. In the real world, it's not so black and white.

Having said all that, this is pure astroturfing. GAAAAAHHHHH!!! THE FUCKING SCARE MONSTER'S GONNA GET YA IF YOU DON'T BUY OUR SHIT!!!! BUY ANTIVIRUS NOW OR JESUS KILLS A PUPPY!!!!

Re:Old discussion (2)

Dunbal (464142) | more than 3 years ago | (#34877246)

BUY ANTIVIRUS NOW OR JESUS KILLS A PUPPY!!!!

Sheesh. I mean honestly. How could you?

Note for the humor impaired, please see the sig I have been using for the past 6 years or so

Re:Old discussion (1)

djsmiley (752149) | more than 3 years ago | (#34877474)

I have sigs turned off, you insensitive clod!

Re:Old discussion (1)

rvw (755107) | more than 3 years ago | (#34877470)

If you have a vendor who actively solicits and rewards bug/vulnerability reports, puts a lot of time and money into fixing them, and keeps their source closed, you'll probably have about the best security possible. In the real world, it's not so black and white.

And that one vendor is..... Google! (Except of course that their source is open.)

Feh (4, Interesting)

Pojut (1027544) | more than 3 years ago | (#34877134)

They were doing this malarkey at my office a couple of years ago. They were spending all kinds of money on licenses on some sound program from Adobe (it was only going to be used to edit down calls that we recorded in our call center...so, yeah. We didn't really have huge requirements.) I tried convincing them to just use Audacity, but their response was "it's open source, anyone could mess with it, it was probably made by some guy in china, it's free which means it sucks, etc." ::eyeroll:: I tried telling them about how widespread its use is, and how it was made by a former Carnegie-Mellon-current-Google-employee, but they weren't having none of it.

Re:Feh (4, Insightful)

Opportunist (166417) | more than 3 years ago | (#34878042)

Wrong approach. It took me a while to wrap my mind around the mindset of the execs, but their reasoning seems to follow two logics when it comes to software:

1. If it doesn't cost anything, it can't be worth anything.
2. If there is no company behind it, we can't sue anyone if it fails.

It's near impossible to show them that 1 is untrue and that 2 is a wet dream at best.

Underlying Architecture (3, Insightful)

EXTomar (78739) | more than 3 years ago | (#34877154)

It doesn't matter if one person or everyone in the world knows the underlying architecture. If the underlying architecture is junk then the problem is the underlying architecture, not whether it is closed or open source.

Why does most spyware go past Norton and Mcrapie (1)

Revek (133289) | more than 3 years ago | (#34877162)

and Trend. I spend all my time cleaning up machines that have those products installed and they still get hosed. It's really kind of nice knowing that as long as they exist I will be able to make a living.

Re:Why does most spyware go past Norton and Mcra (2)

jgtg32a (1173373) | more than 3 years ago | (#34877184)

To be fair those are the big three and anyone writing spyware/viruses is going to have a copy of them and won't release their product until it gets past them

Re:Why does most spyware go past Norton and Mcra (1)

Opportunist (166417) | more than 3 years ago | (#34878020)

And as long as MS produces OSs, I'll be able to make a living coding AV software.

Imagine a world of OSS only. Can you see how we'd be out on the street selling pencils and apples?

Closed source gives me a job! Hurray for CSS!

Consider the source (5, Insightful)

Just Some Guy (3352) | more than 3 years ago | (#34877178)

That's nice. Of course, I tend to associate Internet security firms with SEO consultants, astrologers, and anyone else who makes a living off fear and ignorance.

Re:Consider the source (1)

ducomputergeek (595742) | more than 3 years ago | (#34877494)

With SEO....yeah, most of the consultants are playing off ignorance, but from past experience, there are some out there that are worth their weight. Once you've done all the technical things with mod_rewrite/etc. the rest becomes content and making sure the keywords in the meta match what is in the body, and that is an art. On one e-commerce site, we went from page 6 on Google to the bottom of page 1 within weeks after a gal came in and rewrote all the website text. This was after 3 months of those of us in the technical area trying to do it. We paid her $15k for about 2 weeks' worth of work, which I thought was highway robbery. But the result was going from ~$15k a month in sales from the website to ~$35k a month.

Well Mr. Bigmouth Smartypants (3, Interesting)

Cornwallis (1188489) | more than 3 years ago | (#34877180)

I guess I'm not gonna be renewing my network's TrendMicro licenses when they expire next month...

Re:Well Mr. Bigmouth Smartypants (1)

rvw (755107) | more than 3 years ago | (#34877516)

I guess I'm not gonna be renewing my network's TrendMicro licenses when they expire next month...

Really? Or in a month, you forgot about this, or suddenly realize that it's too much trouble to replace them with.... ehm... Norton? McAfee?

Re:Well Mr. Bigmouth Smartypants (1)

kiehlster (844523) | more than 3 years ago | (#34877578)

Well hey, if Microsoft Windows is so secure, why not go with MSSE?

Re:Well Mr. Bigmouth Smartypants (1)

jimicus (737525) | more than 3 years ago | (#34878120)

IIRC, it's not free for companies - in fact, it's really rather pricey.

Re:Well Mr. Bigmouth Smartypants (1)

Warskull (846730) | more than 3 years ago | (#34877662)

There are other options than Norton and McAfee, Kaspersky can be good in a smaller business.

Re:Well Mr. Bigmouth Smartypants (1)

NickFortune (613926) | more than 3 years ago | (#34877764)

or suddenly realize that it's too much trouble to replace them with.... ehm... Norton? McAfee?

ClamAV? [clamav.net] ClamWin? [clamwin.com] Works for me :)

Re:Well Mr. Bigmouth Smartypants (1)

mlts (1038732) | more than 3 years ago | (#34878048)

On home machines, Microsoft System Essentials. In the enterprise, Forefront. MS said that Forefront can effectively protect against the zombie horde, as well as ninja attacks in an ad campaign a few years back, and if that is true, just that ability is well worth the product's price.

HaHa its LART time (3, Insightful)

EasyTarget (43516) | more than 3 years ago | (#34877182)

@Mr Chang...

Repeat after me.. security through secrecy only works while your secret is, err, secret..

Now; how many engineers have worked on the iOS platform again? Will they all keep its secrets? Can you guarantee that? Do you realise that by keeping it secret Apple are also restricting the number of white hats that can notify them of security problems before they get exploited?

In modern business it seems the more someone is paid, the more drivel they spout.

Oh yeah? (2)

Eggplant62 (120514) | more than 3 years ago | (#34877198)

I say Steve Chang is a money-grubbing bastard who steals money from his customers for a service they wouldn't need if everyone would migrate away from Windows and the closed-source hegemony. So there.

I'm shocked... (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34877200)

It completely fails to surprise me that an AV company would have completely given up on the notion of security through technical correctness and have fallen back on the notion of security through obscurity.

The whole idea of OSS security (unlike, say, physical security) is that software bugs and errors are what introduce insecurities, that a technically correct system will be secure even if the attacker knows what it looks like (the same principle as in cryptography). This isn't true of physical systems, because physical materials always have finite strength; but software can (at least in theory, it rarely does) possess technical correctness.

I am, of course, totally unsurprised that an AV company would have completely given up on such a thing, and are falling back on obscurantism and endless layers of bandaids...

Misguided (1)

Anonymous Coward | more than 3 years ago | (#34877202)

I guess things like SHA-1, RSA and AES are also bad and insecure because they are "open". So obscurity is security now, not that I'd expect much from an AV vendor that ultimately benefits from insecure systems.

lol (3, Interesting)

jimmerz28 (1928616) | more than 3 years ago | (#34877212)

I have to constantly find open source malware and virus protection because the server/client TrendMicro package we have at my employer doesn't catch anything.

Security Through Obscurity (3, Informative)

Lazareth (1756336) | more than 3 years ago | (#34877214)

What Chang is basically saying is that "security through obscurity is inherently more safe than proper implementation" - something that was proven wrong a long time ago. Sure, when you got the implementation right, open source or closed source, extra obscurity won't hurt other than possibly maintenance, but prioritizing it is a misapplication of resources.

Re:Security Through Obscurity (-1)

Anonymous Coward | more than 3 years ago | (#34877420)

Why not just solve the problem by making it open to "good guys", but disallowing it for the bad guys. Surely, disallowing it would be very easy as we just have to put it into the GPL that using the software for malicious purposes is not allowed. This will help, since all the bad guys read the GPL and will surely not operate outside the given license.

people (1)

louic (1841824) | more than 3 years ago | (#34877226)

So why is this news? Stupid people say stupid things all the time.

Re:people (1)

TaoPhoenix (980487) | more than 3 years ago | (#34877898)

Never give malice the benefit of being mere incompetence.

Sad joke (1)

seeker_1us (1203072) | more than 3 years ago | (#34877230)

The CEO of a computer security company parrots "security through obscurity." Well guess I won't trust any Trend Micro products.

TrendMicro makes junk (0)

Anonymous Coward | more than 3 years ago | (#34877236)

I've used some of Trend Micro's apps in the past and I have to say, they wouldn't know a security risk if it crawled up their collective butt and died. I like their centralized management console, but, aside from that, I've had nothing but bad luck with them. Their products tend to be heavy with ActiveX controls (no security issues there, I'm sure) and they don't generally seem to do a good job anyway. Even keeping right on top of updates, threats are constantly getting through and I have to set up a second perimeter control (a network appliance based on Linux and Tomcat, amusingly enough) to screen out the junk TM's products can't seem to find.

Not to mention the fact that I absolutely hate their licensing terms. I shouldn't have to buy multiple products in a "security package" that all address the same general category of threats just because those threats use different attack vectors.

This silly comment doesn't really influence my decision one way or another, but I seriously doubt I'm going to go with TM's products again once it comes time to either renew support or implement another option.

Re:TrendMicro makes junk (1)

djsmiley (752149) | more than 3 years ago | (#34877522)

What worries me is all you "sysadmins" who are admitting you are currently using trendMicro at all.

Balance (0)

trifish (826353) | more than 3 years ago | (#34877270)

First, everyone knows how much harder reading reverse-engineered code is compared to skimming nicely commented code.

Second, like it or not, but in some situations, security-through-obscurity actually works (i.e. increases the security). For example, on servers which the attacker can access only via the web browser and the web application UI.

Security 101 (1)

jcaldwel (935913) | more than 3 years ago | (#34877294)

Security through obscurity FTW! Everyone knows that is the best way to secure a system!

Security by obscurity? (3)

X10 (186866) | more than 3 years ago | (#34877300)

"iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture."

And that guy is the chairman of a computer security company?

Re:Security by obscurity? (2)

gnasher719 (869701) | more than 3 years ago | (#34877404)

"iPhone is more secure than Android because being an open-source platform lets attackers know more about the underlying architecture." And that guy is the chairman of a computer security company?

Yes, the chairman who wants to sell his security software. If he had security software for the iPhone then we wouldn't hesitate one second to say "Android is more secure than iPhone because being an open-source platform lets everyone know more about the underlying architecture and fix security problems." If you asked him "Which is more secure, iPhone or Android", he'd ask you "what phone do you have?" and your phone would be the one that is less secure and needs his software.

Re:Security by obscurity? (1)

Opportunist (166417) | more than 3 years ago | (#34877934)

Don't confuse chairman with someone who actually knows shit about what his company produces. I've had my share of bosses that had NO clue about IT security whatsoever. Chang is no exception to this.

So, why not release for Android? (2)

phands (1679642) | more than 3 years ago | (#34877314)

Does this guy really expect to be taken seriously? He claims that iPhone is more secure than Android, and they still launched for iPhone???? I bet they're hoping that Windoze Phone 7 gets some sales (however unlikely that seems right now), so they can scare the victims into buying their security app for that. I reckon that they are starting to see the end for Windoze and the demise of their dismal, unnecessary businesses, so they're trying to scare up business elsewhere.

Really? Good heavens! (2)

i_want_you_to_throw_ (559379) | more than 3 years ago | (#34877318)

Good heavens! Oh my, a maker of anti-virus software for the most virus-ridden system in the world claims OSS is insecure? Wow, the shenanigans couldn't be any more obvious. Of course it's more insecure and it's in his best interest to say so. That's business, folks! As always, follow the money. Trend Micro has been in bed with MSFT for a LONG time.

It can be an avenue for attack... (1)

ducomputergeek (595742) | more than 3 years ago | (#34877328)

...especially if someone takes an OSS app that is compilable and adds a few backdoors etc. and puts it up on mirrors. Yeah, check the checksums. I do, but how many non-tech geeks even know how to do that? Last company I worked for, we provided service contracts for an OSS app and got it PA-DSS certified, fixed a bunch of problems, added features, and most importantly signed our binaries. Most OSS projects don't, and a lot of times are in a format where that is difficult.
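The defence ducomputergeek describes (publish checksums, then sign them) as a worked example, added here and not code from anyone in the thread: the project hashes its artefacts into a sha256sum-style manifest and signs the manifest with an ed25519 key; the downloader verifies the signature with a public key obtained away from the mirror, then checks each downloaded file against the manifest. The tarball names, file contents and the fixed key seeds are constructed for the demo; a mirror that swaps a file, or rewrites and re-signs the manifest with its own key, is rejected either way.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release is what a downloader fetches from a mirror: the artefacts, the
// project's checksum manifest (sha256sum "digest  name" lines) and the
// project's ed25519 signature over that manifest.
type Release struct {
	Manifest  []byte
	Signature []byte
	Artifacts map[string][]byte
}

// hexSHA256 returns the lowercase hex SHA-256 of data, as sha256sum prints it.
func hexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Publish is the project's side: hash every artefact into a manifest, then
// sign the manifest. Signing the manifest transitively covers the artefacts.
func Publish(priv ed25519.PrivateKey, artifacts map[string][]byte) Release {
	names := make([]string, 0, len(artifacts))
	for name := range artifacts {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic manifest order
	var b strings.Builder
	for _, name := range names {
		fmt.Fprintf(&b, "%s  %s\n", hexSHA256(artifacts[name]), name)
	}
	manifest := []byte(b.String())
	return Release{Manifest: manifest, Signature: ed25519.Sign(priv, manifest), Artifacts: artifacts}
}

// Verify is the downloader's side. pub must come from somewhere the mirror
// cannot rewrite (the project's own site, a keyserver, an earlier release);
// a checksum file served next to the tarball proves nothing on its own.
func Verify(pub ed25519.PublicKey, rel Release) error {
	if !ed25519.Verify(pub, rel.Manifest, rel.Signature) {
		return errors.New("manifest signature invalid: not signed by the publisher's key")
	}
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(rel.Manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[fields[1]] = fields[0]
	}
	for name, data := range rel.Artifacts {
		want, ok := expected[name]
		if !ok {
			return fmt.Errorf("%s: not listed in the signed manifest", name)
		}
		if hexSHA256(data) != want {
			return fmt.Errorf("%s: checksum mismatch", name)
		}
	}
	return nil
}

// demoKey derives a keypair from a fixed, constructed seed so the demo is
// reproducible; a real project generates its seed with crypto/rand and
// never derives it from a repeated byte like this.
func demoKey(fill byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{fill}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey(0x42)
	// Constructed stand-ins for the files a release would ship.
	honest := map[string][]byte{
		"tool-1.0.tar.gz": []byte("constructed tarball contents"),
		"tool-1.0-README": []byte("constructed release notes"),
	}
	rel := Publish(priv, honest)
	fmt.Println("honest mirror:", Verify(pub, rel)) // <nil>

	// Scenario 1: the mirror swaps the tarball but leaves the manifest alone.
	swapped := Release{Manifest: rel.Manifest, Signature: rel.Signature,
		Artifacts: map[string][]byte{"tool-1.0.tar.gz": []byte("modified tarball")}}
	fmt.Println("swapped tarball:", Verify(pub, swapped)) // checksum mismatch

	// Scenario 2: the mirror also rewrites the manifest to match and re-signs
	// it with its own key. Checksums alone would pass; the signature does not.
	_, mirrorPriv := demoKey(0x99)
	resigned := Publish(mirrorPriv, swapped.Artifacts)
	fmt.Println("re-signed manifest:", Verify(pub, resigned)) // signature invalid
}
```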

oh that old argument again (1)

Col. Panic (90528) | more than 3 years ago | (#34877354)

every time someone thinks that closed source is better we have this debate. many eyes = better security

Closed or open, code is available (1)

SiaFhir (686401) | more than 3 years ago | (#34877422)

I guess he's never heard of a decompiler?

Well, it is less embarrassing... (1)

CCarrot (1562079) | more than 3 years ago | (#34877432)

I guess, if nobody actually gets to look at your source, you're not opening yourself up to ridicule and scorn for the shoddy coding practices and multitude of exploitable errors...

No, the real ridicule comes when hostile crackers discover those exploitable errors through brute force or reverse engineering and, well, exploit them.

Sure, sometimes it can be a case of too many cooks and all that, but when it comes to hunting for security holes I'd think it just plain makes sense to have as many friendly eyes on the code as are willing to spend the time.

Complicated... (1)

spinkham (56603) | more than 3 years ago | (#34877436)

This is complicated.

First, open source vs closed source:

Security problems are just a very nasty subset of quality control issues. Quality code is a function of the quality of programmer, tooling, time schedule, etc.
Open source vs closed source is only one part of that equation, and though I believe it matters, it's not a determining factor BY ITSELF.

Second, Android vs iPhone. There are 2 most likely attack vectors today: browser bugs, and trojans downloaded on purpose that do something other than what they claim.

Android fares worse than iOS on both of these. Both have lots of flaws in the browsers, but Apple is much better about actually allowing their users to patch their own phones (which just blows my mind, I admit, because they are still slow, but it happens.. Android patching rarely happens).

Both have malware available, but it's easier to distribute for Android.

Note that neither has a lick to do with open source vs closed source, it's timely (though SLOW by desktop standards) software updates and quality control vs carrier locked, no-updates-ever and free-for-all downloading.

He may have a point about Android (1)

mlwmohawk (801821) | more than 3 years ago | (#34877492)

I have been giving the whole security argument some thought lately, and I think security through obscurity has merit in the short term. It should be obvious that security holes can be found quicker when you have the source than when you don't. All products have security flaws. All products tend to have more security problems initially and they get corrected over time.

Where open source helps is almost like homoeopathy, to cure your disease, you basically force your body to have symptoms in order to get the immune system working overtime. Open source exacerbates the security threat, initially, finding (and fixing) more of the security holes, that every product has, more quickly. So, at inception, an open source program or package would seem to have way more security holes up front, but once the initial wave passes, it will have far fewer. Closed source, on the other hand, never gets that initial wave, and their security holes get discovered regularly over time, usually very quietly.

A couple cycles of open source, and you'll have something tested to be secure. Using Windows as an example, you'll never be able to have any way to quantify the risk in a closed source package or product.

I call FUD (1)

TomTraynor (82129) | more than 3 years ago | (#34877506)

If that was true then why do we have so many holes in Windows? That is closed source and every time I turn around there is another security hole that has to get patched. I have dual boot machines at home and most of my time doing patches is for the Windows side of things. On the other side of things my Linux boxes at home don't have as many problems with security and when a hole is found a patch is done much more quickly than I could even hope for in Windows.

It has all of the sound of a security vendor trying to scare people into going with a product that they know has problems and then sell them more of their offerings to 'protect'.

Security by obscurity is not security at all. Open source allows anyone to review the code and if there is a problem then a patch can be proposed and the hole is closed quickly. With closed source we don't know (unless you have a disassembler and can read assembler code) what is there and are dependent on the vendor doing timely patches.

One other observation. Security is not absolute, it is a process. This goes for both open source and closed source. What is secure today is not necessarily secure in the future. When holes are found they need to be analysed and fixed.

Just hype, move along (2)

ShadoeKnight (1311151) | more than 3 years ago | (#34877600)

He's not really wrong necessarily, but every piece of software is a new security risk. Games, email programs, you name it, it's a security risk. It's obviously just a bunch of PR to sell an app. Open Source's greatest risk is also its best potential strength. Because hackers and anyone else can see the underlying code, the security holes that a hacker may exploit will be patched in record time, possibly even by the hacker himself. Meanwhile closed source can only rely on internal resources, not a bad thing necessarily but different. The truth is that Open Source is great, but then again so is closed. Six of one, half a dozen of another. I really see plenty of room for these two differing development styles to coexist.

funny... (0)

Anonymous Coward | more than 3 years ago | (#34877606)

I am using TrendMicro products every day, and I would say they are a greater security problem than anything else in the world.

The real security risk (1)

roman_mir (125474) | more than 3 years ago | (#34877616)

The real risk is Trend Micro Chairman, to the security of your wallet.

Just don't give it to him.

mod Down (-1)

Anonymous Coward | more than 3 years ago | (#34877622)

a sMad world. Ast

He's right (1)

Errtu76 (776778) | more than 3 years ago | (#34877630)

Just take Windows vs Linux as an example. Everyone knows Windows is less of a security risk. It gets hacked less often, has the least amount of exploits and as a bonus even runs faster and more stable!

Anonymous Coward (0)

Anonymous Coward | more than 3 years ago | (#34877638)

As he bends over, as he who did not realise it's open source.

d'oh (1)

bug_reporter (1976664) | more than 3 years ago | (#34877686)

The sour grapes or better said "security by obscurity". That philosophy got Sony very far. Go-go TrendMicro !!!

AV Vendors are like those cleaner fish (0)

Anonymous Coward | more than 3 years ago | (#34877886)

OS manufacturers are like sharks, they don't care what they eat as long as they get enough of it.

AV vendors are like those cleaner fish, who have no purpose in life other than to eat the little bits of shit between the shark's teeth.
No-one really cares what they say, cos everyone knows they just want a little bit more shit to eat.
The sharks tolerate them, but only because it hides the fact they don't clean their own teeth.

Like Hunting in the Dark (1)

kiehlster (844523) | more than 3 years ago | (#34877978)

Using closed source software is like putting an admin in the woods at night with a thousand attackers and telling him to catch the attackers before they break into your treasure chest. By the time the admin catches one, the chest has already been looted and the admin spends the rest of his time patching up the loophole while the other attackers are already preparing their next break-in. A good admin shouldn't be measured by how well they handle damage control but how well they can analyze a new piece of software prior to business implementation. Obscurity is just another label for "I'm too lazy to look at source code, so I'm going to take out a giant insurance policy instead and hope that Snake Oil's interns weren't complete dunces when they wrote this software."

Re:Like Hunting in the Dark (2)

JSBiff (87824) | more than 3 years ago | (#34878146)

Is it reasonable to expect that every SysAdmin is an expert in programming to the degree necessary to thoroughly evaluate whether *working code* contains subtle bugs that can be exploited by a cracker? Don't get me wrong, I don't think the argument that proprietary software has an inherent security advantage is valid, but what I'm saying is that SysAdmin is a different job, with different skillsets, than is software development. Sure, there's a lot of overlap, but I don't think it's reasonable to say that every SysAdmin has to be a programming expert and validate security.

On the other hand... every company larger than some threshold size probably should have security-trained programmers on staff whose job it is to security-audit the source code of programs which are being considered for implementation at the company, who can make a report that can guide the IT decision makers. In the case of open-source programs, the company might even consider having those programmers fix the bugs (if it's determined from their report that it makes business sense to fix found bugs instead of using an alternative solution), and submit those fixes to the program's 'official' maintainers.

That, however, still leaves small businesses, most of whom will not be able to afford to have a staff programmer to security audit their code. However, Open Source means they reap the benefits of the larger businesses' investments in auditing the code and fixing problems (which, the larger businesses might not find particularly fair, but otoh, those businesses too are reaping big benefits from their investments in the Open Source code - including better security and control over their own operations).

Translation (1)

Opportunist (166417) | more than 3 years ago | (#34877992)

Security through obscurity is better for our sales. OSS contains far too few bugs to make our products necessary.

(Not that TM produced any good protection software, to be blunt for a change. Sorry, but given the choice between TM, McAfee and Panda I'd probably choose... a bullet).

Nice Android you got there... (1)

frenchbedroom (936100) | more than 3 years ago | (#34878084)

it'd be a shame if something happened to it.
