
It's an open-source world: 78 percent of companies run open-source software


RV_


Black Duck Software and North Bridge's survey found open-source software in businesses everywhere, but few are managing it worth a darn.

 

Excerpt:

 

"More than 50 percent are not satisfied with their ability to understand known security vulnerabilities in open-source components, and only 17 percent plan to monitor open source code for security vulnerabilities.

 

All that is worrisome, but it's the last one that I find the most troubling. Companies are clearly indulging in magical thinking if they believe that OSS is free of security problems. It's that kind of blind-belief in OSS that led to the OpenSSL Heartbleed security fiasco.

 

Yes, it's great that OSS is becoming the enterprise's favorite kind of software. It's nice to know that businesses have finally seen the value in the open-source software development model I saw decades ago, but OSS is like any other tool. If you use it badly, it will end up hurting you."

 

The article in full is here: http://www.zdnet.com/article/its-an-open-source-world-78-percent-of-companies-run-open-source-software/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire


Another quote in the article: "All that is worrisome, but it's the last one that I find the most troubling. Companies are clearly indulging in magical thinking if they believe that OSS is free of security problems. It's that kind of blind-belief in OSS that led to the OpenSSL Heartbleed security fiasco."

 

The "blind belief"? What else do we have for anything unless we're all coders? This sort of rhetoric annoys me because most companies don't even employ coders. Why should they? Most companies buy their applications from companies that develop software and THEY employ coders.

 

Everyone has "blind belief". Pointing it out only in terms of open source software makes me wonder WTF these guys are up to.

 

WDR

1993 Foretravel U225 with Pacbrake and 5.9 Cummins with Banks

1999 Jeep Wrangler, 4" lift and 33" tires

Raspberry Pi Coach Computer

Ham Radio


WDR, that blind belief thing is a real hoot! Microsoft and their astroturfing programs have used the spreading of fear, uncertainty and doubt to sell a lot of Microsoft product; their partners, either openly or supported by Microsoft advertising and inside access, are doing the same thing. Ziff-Davis dumped their Linux stuff years ago; read their Wikipedia article for what they are today.

 

I have several Linux and BSD Unix systems here; all of these systems have all of their software and updates coming from a single trusted provider. The source code is available for review, bug submission or even bug fixing if I care to participate; even if I don't, others are looking at it and finding/fixing stuff. More and more open source companies are offering quite generous bug bounties to encourage folks to look for flaws too. Any fixes made are available for all of us to download; important ones are updated several times per day, and routine new releases with new features and minor fixes vary from daily to monthly. Again, all from the single trusted source. Far from perfect: things are missed, errors are made and flaws are found and exploited, but once a problem is found it is fixed, patches are sent out and folks are told about the issues.

 

Compare that to Windows: how many Windows folks have only Microsoft software on their systems? How many Windows folks have never added a program to their system that wasn't digitally signed by a trusted source? How many Windows folks get routine, automatic security and update fixes for all of the software on their systems? How is Microsoft's reputation for rapidly fixing bugs found and providing information to the users about the issues found and fixed? When was the last time you saw a story about malware-infested Windows software being spread around that wasn't instantly detected as altered from the original version by the internal digital signature? How about the last time you saw a story about an exploit on Windows that even bypassed all the add-on security tools that folks add to try to plug the holes in the Windows system?

 

Now open source isn't a cure for everything. Lots of folks are running open source programs on Windows systems, and that does create a real security issue, since Windows doesn't offer a safe and secure update system for this non-Microsoft software and you can be exposed to security issues for a very long time unless you have someone actively involved in checking for updates for any added software (open or closed source) and applying them. Some Windows software, like Notepad++, checks for updates when you start it, or checks on a regular schedule like MailWasher; this checking offers a better level of protection, which is a very good thing, but not every program offers it.

 

I do have one Windows box here, as I have been a tester for some Windows software for many years and haven't quite given it up yet. That box has three programs on it aside from what Microsoft provided: Notepad++, MailWasher and SQLite. While the first two do stay updated, SQLite's updates require me to follow their website to see new releases, then manually download and install them, or be left running old stuff with known holes. Not good, but I need the SQLite program to do my testing so I put up with it.

 

 

First rule of computer consulting:

Sell a customer a Linux computer and you'll eat for a day.

Sell a customer a Windows computer and you'll eat for a lifetime.


Saw this today, it does look like MS is making an effort to secure stuff:

 

http://www.theregister.co.uk/2015/04/23/microsoft_windows_10_device_guard/

 

 

RSA 2015: On Wednesday, at the RSA conference in San Francisco, Microsoft veep Scott Charney outlined a new security mechanism in Windows 10 called Device Guard. We've taken a closer look.

The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC.

Device Guard, when enabled by an administrator, checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary before it is allowed to run. Device Guard itself runs in its own pocket of memory with its own minimal instance of Windows, and is protected from the rest of the system by the IOMMU features in the PC's processor and motherboard chipset.

These IOMMU features (outlined here by the Minix project) wall off Device Guard from the computer's hardware, so it cannot be tampered with by other software, no matter how low level that software is.

If the Windows 10 kernel, which has control over the PC, is compromised, Device Guard will remain firewalled off, and cannot be subverted into allowing unauthorized code to run. A hypervisor running beneath the kernel and Device Guard enforces this.

 

If your computer is new enough to have the right management chips this could be nice.

 

It doesn't answer all the secure software issues but it sure beats "load and run anything" that is the current situation.

First rule of computer consulting:

Sell a customer a Linux computer and you'll eat for a day.

Sell a customer a Windows computer and you'll eat for a lifetime.
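An added example, not from the thread or from The Register article: the property Device Guard enforces at load time (only binaries with a valid signature from an allowed publisher may run) can be audited ahead of time with PowerShell's Get-AuthenticodeSignature. The directory and the allowed publisher list are assumptions for illustration.

```powershell
# Added example (not the article's or Microsoft's code): audit executables for the
# Authenticode state that a signing allow-list such as Device Guard would enforce.
# Assumes Windows PowerShell; $Path and $TrustedSubjects are assumptions.
param(
    [string]$Path = "$env:ProgramFiles",                        # assumption: folder to audit
    [string[]]$TrustedSubjects = @('O=Microsoft Corporation')   # assumption: allowed publishers
)

$results = Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Mirrors the article's rule: a valid signature from a publisher on the allow list.
        # NotSigned, HashMismatch (tampered after signing) and NotTrusted would all be blocked.
        $allowed = ($sig.Status -eq 'Valid') -and
                   ($TrustedSubjects | Where-Object { $subject -like "*$_*" })

        [pscustomobject]@{
            File     = $_.FullName
            Status   = $sig.Status
            Signer   = $subject
            WouldRun = [bool]$allowed
        }
    }

# Summary by signature state, then the files an allow-list policy would refuse to load.
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object { -not $_.WouldRun } | Select-Object File, Status, Signer
```

Running this over a folder of third-party software shows how much of it would need publisher entries added to the policy before a Device Guard style allow list could be enabled without breaking it.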


Saw this today, it does look like MS is making an effort to secure stuff:

 

http://www.theregister.co.uk/2015/04/23/microsoft_windows_10_device_guard/

 

 

If your computer is new enough to have the right management chips this could be nice.

 

It doesn't answer all the secure software issues but it sure beats "load and run anything" that is the current situation.

If it weren't just another add-on I'd feel a lot better about it. What MS needs to do is take a page from Steve Jobs and completely rewrite the kernel using modern methodology and then give it a familiar GUI. If Windows 10 is just another version of the NT kernel then it will suffer from all the rest of the issues. If they've really fixed it, then that will be a big help.

 

WDR

1993 Foretravel U225 with Pacbrake and 5.9 Cummins with Banks

1999 Jeep Wrangler, 4" lift and 33" tires

Raspberry Pi Coach Computer

Ham Radio


I was reading another article today on exploiting the actual hardware, not the software, and that looks to be the wave of the future for well funded attackers. No matter how secure the software and how tightly controlled (digital signatures and such), if the underlying hardware gets hacked you are in deep trouble. A from-the-ground-up redesign of the hardware and software is going to have to be done to keep a system secure in the future. Still, the more they can do to make it hard for the crooks the better; at least they are trying now.

First rule of computer consulting:

Sell a customer a Linux computer and you'll eat for a day.

Sell a customer a Windows computer and you'll eat for a lifetime.


I'm thinking of doing a piece on spoofing: URLs, email links, cell phones, etc. And how they work on different platforms and their link in Phishing attacks. Trying to find a good website first so I can just link to it. :P

 

WDR

1993 Foretravel U225 with Pacbrake and 5.9 Cummins with Banks

1999 Jeep Wrangler, 4" lift and 33" tires

Raspberry Pi Coach Computer

Ham Radio


I was reading another article today on exploiting the actual hardware, not the software, and that looks to be the wave of the future for well funded attackers. No matter how secure the software and how tightly controlled (digital signatures and such), if the underlying hardware gets hacked you are in deep trouble. A from-the-ground-up redesign of the hardware and software is going to have to be done to keep a system secure in the future. Still, the more they can do to make it hard for the crooks the better; at least they are trying now.

https://www.youtube.com/watch?v=tZZCY_-Rkcs

 

This link points to a video taken at Black Hat 2014 and is a lecture on hardware hacking ARM devices. The basics revolve around using snippets of libc code to move data around in the stack and then execute them.

 

Need access to the hardware but if you have that (coughNSAcough) it's a cinch.

 

And thanks for taking advantage of my concentration span (oh, look! there's a pretty butterfly) to move me to something more interesting. The video sits for a long time but when it finally gets going the presenter is interesting and entertaining. The content is pretty cool, too. But, I am pretty sure they need physical access for all of this.

 

WDR

1993 Foretravel U225 with Pacbrake and 5.9 Cummins with Banks

1999 Jeep Wrangler, 4" lift and 33" tires

Raspberry Pi Coach Computer

Ham Radio


Archived

This topic is now archived and is closed to further replies.
