Linked by Hadrien Grasland on Fri 14th Jan 2011 14:58 UTC, submitted by Debjit
GNU, GPL, Open Source "Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software is inherently less secure. When talking about the security of smartphones, Chang claimed that the iPhone is more secure than Android because being an open-source platform, attackers know more about the underlying architecture."
I love this one...
by Neolander on Fri 14th Jan 2011 15:04 UTC
Neolander
Member since:
2010-03-08

...it just sums up perfectly one of the reasons why I think antivirus manufacturers should be banned from the face of the Earth. As soon as possible, and definitely.

Now, if only we could get a similar quote from the head of McAfee... You know, just for the fun of it.

Edited 2011-01-14 15:06 UTC

Reply Score: 8

RE: I love this one...
by kaiwai on Sat 15th Jan 2011 04:00 UTC in reply to "I love this one..."
kaiwai Member since:
2005-07-06

...it just sums up perfectly one of the reasons why I think antivirus manufacturers should be banned from the face of the Earth. As soon as possible, and definitely.

Now, if only we could get a similar quote from the head of McAfee... You know, just for the fun of it.


I sometimes wonder whether the majority of the worms/trojans/viruses that exist out there are the result of anti-virus companies creating these infections to justify their continued existence, in much the same way that one sees in the US where 'conditions' are created to sell medication - if you're shy apparently it isn't a personality trait, it is apparently a 'treatable illness' :/

Reply Score: 3

Yeah yeah yeah
by Soulbender on Fri 14th Jan 2011 15:25 UTC
Soulbender
Member since:
2005-08-18

Yadda yadda yadda. Another clueless executive decides to create bad PR by flaunting his own ignorance. News at 11.

Reply Score: 4

Back to the Future
by dbolgheroni on Fri 14th Jan 2011 15:34 UTC
dbolgheroni
Member since:
2007-01-18

An argument from the 90's. Nice.

Reply Score: 7

UltraZelda64
Member since:
2006-12-05

Oh wait, I run Linux, so I wouldn't need to.

Really, Trend Micro seemed like a step above McAfee and Norton years ago as a company, but they're quickly decimating their own image with their latest actions. Now they're right up there with the big boys as a company I would never recommend, and in fact would recommend against. I don't remember if I ever paid for and used their suite in the past, but now I hope I didn't.

Well, there's always Microsoft Security Essentials, which so far is probably better at staying out of its way and nagging you (no paid "subscriptions"). Too bad little Windows fleas like these guys would have a shit fit and cry "antitrust" to the legal system if Microsoft bundled their malware/virus protection program with Windows, as in an ideal world should be done. In an ideal world, no matter what some pathetic "anti-virus" company says, improved security of an operating system should always be allowed, under any circumstances... even despite antitrust concerns. It should be an exception.

Sorry Chang, Windows vs. Everything Else doesn't support your claim of security through obscurity ruling over open code.

Trend Micro, you are not needed any longer. Go f*** yourselves.

Edited 2011-01-14 15:43 UTC

Reply Score: 14

We... Have... A winner !
by _QJ_ on Fri 14th Jan 2011 16:06 UTC
_QJ_
Member since:
2009-03-12

Steve Chang, the Chairman of Trend Micro, wins the prize of LCCOY ("Less Credible Chairman Of the Year")!

Reply Score: 3

zimbatm
Member since:
2005-08-22

that says it all

Reply Score: 9

UltraZelda64 Member since:
2006-12-05

Yep. The only thing "less secure" when people use open-source operating systems is Chang's and his company's shareholders' wallets. And if enough people use these systems, their jobs.

And by "open-source operating systems," I mean typically non-commercial, more secure ones by design that just don't need companies like his. Anything but his biggest market, Windows.

Reply Score: 3

Come on...
by vodoomoth on Fri 14th Jan 2011 16:23 UTC
vodoomoth
Member since:
2010-03-30

give the guy a break. What else would anyone expect him to say? He should have kept his "words of wisdom" to himself though.

Reply Score: 3

RE: Come on...
by UltraZelda64 on Sat 15th Jan 2011 14:43 UTC in reply to "Come on..."
UltraZelda64 Member since:
2006-12-05

give the guy a break. What else would anyone expect him to say? He should have kept his "words of wisdom" to himself though.

The guy doesn't deserve a break. He's sitting on a giant cushion of cash that continues to increase in size as he spreads completely bullshit FUD upon people. And don't forget his company's past actions. Remember the patent lawsuit against ClamAV? Yeah... shows how much they care about YOUR security, when they don't want you to be able to protect yourself from viruses with an anti-virus program that THEY didn't make. F*** them. They're every bit as bad as the "big two" anti-virus companies these days. They've made it very clear that the security of their bottom line is more important than the security of their customers.

Reply Score: 4

Trend Micro Said This?!
by segedunum on Fri 14th Jan 2011 16:46 UTC
segedunum
Member since:
2005-07-06

ROTFL.

Reply Score: 4

Well, I admit he's right
by LraiseR on Fri 14th Jan 2011 16:54 UTC
LraiseR
Member since:
2005-07-12

Of course closed source is inherently more secure, after all nobody ever found a crypto fuckup that exposed the root key of the PS3, while the nasty open source openssl is clearly vulnerable and no respectable site would ever use it as security layer!

What say you? OpenSSL has been fixed eons ago and Geohot released the keys? NONSENSE! ;)

Reply Score: 10

Comment by AnythingButVista
by AnythingButVista on Fri 14th Jan 2011 17:11 UTC
AnythingButVista
Member since:
2008-08-27

The only "validity" I see in his speech comes from the fact that while in Linux security patches arrive quickly to the end user, in Android you have to wait not only for Google or someone else to patch the Android source, but then for your phone manufacturer and wireless provider to release said patch to end users. An exploit can take longer to get patched on a mobile phone so it can cause more harm than on desktop or server Linux.

Reply Score: 3

RE: Comment by AnythingButVista
by Neolander on Fri 14th Jan 2011 17:14 UTC in reply to "Comment by AnythingButVista"
Neolander Member since:
2010-03-08

But that's not a flaw of the open-source model. Only one of the Android ecosystem.

Edited 2011-01-14 17:18 UTC

Reply Score: 6

RE[2]: Comment by AnythingButVista
by sorpigal on Fri 14th Jan 2011 17:34 UTC in reply to "RE: Comment by AnythingButVista"
sorpigal Member since:
2005-11-02

More like a flaw in the support departments of the phone manufacturers. You can only hand the ready-made fix to Motorola, you can't force them to give it to their users.

Reply Score: 4

Neolander Member since:
2010-03-08

That's why I said "ecosystem". The Android ecosystem is Google + the manufacturers + the community. If one of those makes mistakes, the whole OS' reputation suffers.

Edited 2011-01-14 17:39 UTC

Reply Score: 1

project_2501 Member since:
2006-03-20

unless there's a good governance gateway in place to take contributions but to vet them.

Reply Score: 3

RE[2]: Comment by AnythingButVista
by kaiwai on Sat 15th Jan 2011 04:12 UTC in reply to "RE: Comment by AnythingButVista"
kaiwai Member since:
2005-07-06

But that's not a flaw of the open-source model. Only one of the Android ecosystem.


Agreed, hence I think the whole idea of calling 'Android' open source is a giant fraud from top to bottom - to me 'open source' means grabbing a phone and upgrading it without having to install a 'root kit' just to get access to a device that I paid for.

With that being said, being open source doesn't automatically make it more secure any more than something being closed source automatically makes it more secure.

Reply Score: 2

Bill Shooter of Bul
Member since:
2006-07-14

If you code two systems with equal amounts of similar buffer overflow vulnerabilities, I'll grant that you'd exploit the open source one first.

However, the attacker's advantage in exploiting the open source program decreases with the number of non-malicious people that view the code. So open source security is a function of the number of people reviewing the code. It may start off less secure than the closed source one, but become more secure over time.


The closed source one may have fewer people reviewing it, and thus less chance to remove the vulnerabilities. This is especially compounded if the developers believe it's less vulnerable due to its closed source. Prior to XP Service Pack 2, Microsoft had a culture of insecure coding and an insecure review system. They've gotten a lot better because they don't believe what this clown said. They know they have crosshairs on them, and attackers have become very good at probing for vulnerabilities in closed source binaries.

Reply Score: 2

Somewhere else I read
by Lennie on Fri 14th Jan 2011 18:14 UTC
Lennie
Member since:
2007-09-22

"This comes a week after Trend Micro released a mobile security app for Android."

Who would have thought it. :-)

(Somewhere else is the slashdot.org summary about the same claim, I didn't even want to read the article it probably is in the article as well)

Edited 2011-01-14 18:21 UTC

Reply Score: 4

Wolf
by fretinator on Fri 14th Jan 2011 18:21 UTC
fretinator
Member since:
2005-07-06

Wolf states, "Free range chickens are easier to catch than those in the chicken coops."

Reply Score: 8

trendmicro? is it a virus?
by Janvl on Fri 14th Jan 2011 19:13 UTC
Janvl
Member since:
2007-02-20

Just a while ago I had a Zyxel router at a customer that had a "security app" from Trend Micro. The thing kept popping up in the middle of any program session on Windows; it took me 2 days and a lot of emails to get this removed.

So I consider Trend Micro security as malware.

Reply Score: 2

Linux..
by Brunis on Fri 14th Jan 2011 20:50 UTC
Brunis
Member since:
2005-11-01

This would be a perfect time to seize the opportunity to create a "titanium av solution" for all those insecure open source operating systems..

They can stop selling for that cash cow Windows, it's so damn secure!

Reply Score: 1

The problem with public companies
by AaronD on Fri 14th Jan 2011 21:14 UTC
AaronD
Member since:
2009-08-19

This shows that board members are not expected to know anything about the business they are tasked to oversee.

The financial crisis is the prime example of this.

It really is odd that there is a class of professions where relevant field experience is irrelevant. It is also the same class that never has to worry about unemployment.

Reply Score: 2

Neolander Member since:
2010-03-08

Can someone explain to me what the meaning of "public companies" is in this context?

I'm pretty sure that it does not mean what I think it means (a company owned by the state).

Reply Score: 1

siride Member since:
2006-01-02

Publicly-traded companies, owned by public shareholders: http://en.wikipedia.org/wiki/Public_company

Reply Score: 4

Neolander Member since:
2010-03-08

Thank you very much!

Reply Score: 1

This is not a controversy
by lemur2 on Sat 15th Jan 2011 13:33 UTC
lemur2
Member since:
2007-02-17

Steve Chang is simply wrong.

Reply Score: 1

So what code is secure?
by jefro on Sat 15th Jan 2011 17:50 UTC
jefro
Member since:
2007-04-13

I think one of the OSnews articles was about how long an annual test takes to hack into the major OSes. Seems every year they fall in less than an hour.

Reply Score: 1

RE: So what code is secure?
by Neolander on Sat 15th Jan 2011 18:15 UTC in reply to "So what code is secure?"
Neolander Member since:
2010-03-08

Nowadays, most desktop operating systems require several GBs of HDD space only to offer very basic functionality. At this level of bloat, it's impossible to make code secure ;)

Reply Score: 1

RE[2]: So what code is secure?
by moondevil on Sat 15th Jan 2011 20:05 UTC in reply to "RE: So what code is secure?"
moondevil Member since:
2005-07-08

This is a lame excuse for bad coding.

Many security errors can be easily backtracked to C errors with memory handling.

If another, safer systems programming language was in widespread use, many security issues would not happen.

I dream of the day that C and C++ get replaced by a safer systems programming language.

Sadly, that may take a few generations, if ever.

Reply Score: 2

RE[3]: So what code is secure?
by Neolander on Sat 15th Jan 2011 21:03 UTC in reply to "RE[2]: So what code is secure?"
Neolander Member since:
2010-03-08

To be suitable for low-level programming, a programming language should have very low runtime requirements and not hide the CPU's power. This is what makes C and its derivatives so attractive.

Putting some checks in each time a pointer is accessed or modified, as an example, is not acceptable at kernel level, nor is dropping pointers altogether. The best we can do is to have "smarter" compilers, which do a more in-depth analysis of the code and notice more suspicious behaviors. But that would result in massive compilation slowdowns.

For higher-level layers, using safer languages is doable, on the other hand. But at this level, there is something much more important which we don't do yet: massive sandboxing. Limiting app capabilities to what they need in order to operate is by far the best way to minimize the impact of exploits (because there will always be some, no matter which languages people code in).

Reply Score: 1

RE[4]: So what code is secure?
by moondevil on Sun 16th Jan 2011 07:31 UTC in reply to "RE[3]: So what code is secure?"
moondevil Member since:
2005-07-08

Again that is plain nonsense.

Ada, Modula-2, Modula-3, Oberon and Alef have proven that you can have a safer programming language and write an OS with it. The amount of written assembly was no different than if the OS were written in C.


Sadly, from this list only Ada survived, and thanks to the DoD.

Many programmers prefer to save typing rather than have their programs perform safely. Only if you never studied proper OS design can you be led to believe that C is the only way.

There were OSes being written in higher level languages before C came into existence, and surely there will be other systems languages eventually replacing it.

I like C, but I really feel it is about time to get it replaced with a safer systems programming language.

That is why I really hope Microsoft gets successful with Singularity ideas. I am also watching how Go and D evolve over time.

Reply Score: 2

RE[5]: So what code is secure?
by Neolander on Sun 16th Jan 2011 08:52 UTC in reply to "RE[4]: So what code is secure?"
Neolander Member since:
2010-03-08

Ada, Modula-2, Modula-3, Oberon and Alef have proven that you can have a safer programming language and write an OS with it. The amount of written assembly was no different than if the OS were written in C.


Sadly, from this list only Ada survived, and thanks to the DoD.

According to my brother, who had to use it in university, Ada is probably the most annoying language he ever used in his life, making the most simple thing insanely complicated to write. Maybe we should investigate this if we want to understand why so few people are using it nowadays.

Let's not get into conspiracy theories. If all those languages you mention have disappeared, it's because they failed to deliver in some way. I sure loved cutting my teeth on Pascal Object, but I can also understand why the world around me has chosen C(++) instead.

Many programmers prefer to save typing rather than have their programs perform safely.

If this way of thinking is so widespread among programmers, and there's no way to change it e.g. by educating them differently, then the tools must change to adapt themselves to the programmer, and not the reverse. Be it by creating a language which saves typing, is powerful, AND performs safely, or by putting better compiler checks on "unsafe" languages.

Only if you never studied proper OS design can you be led to believe that C is the only way.

Well, where I studied OS design, there was no mention of a specific programming language. The examples happen to be written in C, for obvious reasons, but that's all.

There were OSes being written in higher level languages before C came into existence, and surely there will be other systems languages eventually replacing it.

Before C came in, there were overall a huge lot of OSes written in Assembly. What C managed to do was to introduce a big enough improvement over Assembly that it convinced many people to use it.

The problems which high level languages always have when used at a low level are:
-Realtime requirements
-Performance
-Control

C managed to give very high performance and a fair amount of control to developers, without forcing them to write a 40MB interpreter in Assembly first which would more or less totally void the point of using C at all. Plus it was more fun to play with than Assembly. That's why it was so successful.

I don't doubt that someday, a programming language will do to C what C did to Assembly. But it really has to address those three points and be as fun or more fun to use than C in order to succeed.

For my kernel, I mainly use C++, but I can understand why many people are not using it: its runtime requirements are quite high, which means that I either have to carefully avoid some language features or implement some support code before the most trivial things work. And by today's standards, C++ really is a low-level language...

Edited 2011-01-16 08:53 UTC

Reply Score: 1

RE[6]: So what code is secure?
by moondevil on Sun 16th Jan 2011 12:19 UTC in reply to "RE[5]: So what code is secure?"
moondevil Member since:
2005-07-08

Before C existed, there were already a few operating systems written in BCPL, ALGOL and PL/I, even FORTRAN dialects, just to name a few old friends to everyone here that is old enough to remember them.

For example, do you know that the first versions of MacOS were written in a mixture of Pascal and Assembly?

C's success is a consequence of UNIX's widespread use. At the time everyone wanted to play with UNIX, and coding for UNIX meant using C.

I am quite sure that without UNIX, C would never have become popular.

That was the main problem with the referred languages. For a language to be a successful systems programming language, it needs to be the official programming language for a successful operating system.

Reply Score: 2

RE[7]: So what code is secure?
by Neolander on Sun 16th Jan 2011 12:58 UTC in reply to "RE[6]: So what code is secure?"
Neolander Member since:
2010-03-08

That was the main problem with the referred languages. For a language to be a successful systems programming language, it needs to be the official programming language for a successful operating system.

There's something which puzzles me in this conclusion. If I remember well, UNIX was not initially C-based, right?

So why did Ritchie et al. decide to create C? What was wrong with the existing systems programming languages of those days? Why didn't they use the official programming language for a successful operating system instead of baking their own?

Edited 2011-01-16 13:01 UTC

Reply Score: 1

what...
by ropodope on Mon 17th Jan 2011 20:38 UTC
ropodope
Member since:
2011-01-17

an utter idiot. geez, stupidity never ends.

Reply Score: 1