OSNews: http://www.osnews.com/story/24262/Trend_Micro_Chairman_Claims_Open_Source_Software_Is_Insecure Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Thu, 23 May 2013 18:18:14 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com I love this one... http://www.osnews.com/thread?457916 http://www.osnews.com/thread?457916 ...it just sums up perfectly one of the reasons why I think antivirus manufacturers should be banned from the face of the Earth. As soon as possible, and definitely.

Now, if only we could get a similar quote from the head of McAfee... You know, just for the fun of it.Edited 2011-01-14 15:06 UTC Fri, 14 Jan 2011 15:04:00 GMT donotreply@osnews.com (Neolander) Comments Yeha yeah yeah http://www.osnews.com/thread?457923 http://www.osnews.com/thread?457923 Yadda yadda yadda. Another clueless executive decides to create bad PR by flaunting his own ignorance. News at 11. Fri, 14 Jan 2011 15:25:00 GMT donotreply@osnews.com (Soulbender) Comments Back to the Future http://www.osnews.com/thread?457925 http://www.osnews.com/thread?457925 An argument from 90's. Nice. Fri, 14 Jan 2011 15:34:00 GMT donotreply@osnews.com (dbolgheroni) Comments Remind me to never get a Trend Micro "security product. http://www.osnews.com/thread?457927 http://www.osnews.com/thread?457927 Oh wait, I run Linux, so I wouldn't need to.

Really, Trend Micro seemed like a step above McAfee and Norton years ago as a company, but they're quickly decimating their own image with their latest actions. Now they're right up there with the big boys as a company I would never recommend, and in fact would recommend against. I don't remember if I ever paid for and used their suite in the past, but now I hope I didn't.

Well, there's always Microsoft Security Essentials, which so far is probably better at staying out of its way and nagging you (no paid "subscriptions"). Too bad little Windows fleas like these guys would have a shit fit and cry "antitrust" to the legal system if Microsoft bundled their malware/virus protection program with Windows, as in an ideal world should be done. In an ideal world, no matter what some pathetic "anti-virus" company says, improved security of an operating system should always be allowed, under any circumstances... even despite antitrust concerns. It should be an exception.

Sorry Chang, Windows vs. Everything Else doesn't support your claim of security through obscurity ruling over open code.

Trend Micro, you are not needed any longer. Go f*** yourselves.Edited 2011-01-14 15:43 UTC Fri, 14 Jan 2011 15:40:00 GMT donotreply@osnews.com (UltraZelda64) Comments We... Have... A winner ! http://www.osnews.com/thread?457931 http://www.osnews.com/thread?457931 Steve Chang, the Chairman of Trend Micro, wins the price of LCCOY ("Less Credible Chairman Of the Year") ! Fri, 14 Jan 2011 16:06:00 GMT donotreply@osnews.com (_QJ_) Comments Guy benefiting from scared people, says scary thing http://www.osnews.com/thread?457933 http://www.osnews.com/thread?457933 that says it all Fri, 14 Jan 2011 16:12:00 GMT donotreply@osnews.com (zimbatm) Comments Come on... http://www.osnews.com/thread?457938 http://www.osnews.com/thread?457938 give the guy a break. What else would anyone expect him to say? He should have kept his "words of wisdom" to himself though. Fri, 14 Jan 2011 16:23:00 GMT donotreply@osnews.com (vodoomoth) Comments Trend Micro Said This?! http://www.osnews.com/thread?457943 http://www.osnews.com/thread?457943 ROTFL. Fri, 14 Jan 2011 16:46:00 GMT donotreply@osnews.com (segedunum) Comments Well, I admit he's right http://www.osnews.com/thread?457945 http://www.osnews.com/thread?457945 Of course closed source is inherently more secure, after all nobody ever found a crypto fuckup that exposed the root key of the PS3, while the nasty open source openssl is clearly vulnerable and no respectable site would ever use it as security layer!

What say you? OpenSSL has been fixed eons ago and Geohot released the keys? NONSENSE! ;) Fri, 14 Jan 2011 16:54:00 GMT donotreply@osnews.com (LraiseR) Comments Comment by AnythingButVista http://www.osnews.com/thread?457953 http://www.osnews.com/thread?457953 The only "validity" I see in his speech comes from the fact that while in Linux security patches arrive quickly to the end user, in Android you have to wait not only for Google or someone else to patch the Android source, but then for your phone manufacturer and wireless provider to release said patch to end users. An exploit can take longer to get patched on a mobile phone so it can cause more harm than on desktop or server Linux. Fri, 14 Jan 2011 17:11:00 GMT donotreply@osnews.com (AnythingButVista) Comments RE: Comment by AnythingButVista http://www.osnews.com/thread?457954 http://www.osnews.com/thread?457954 But that's not a flaw of the open-source model. Only one of the Android ecosystem.Edited 2011-01-14 17:18 UTC Fri, 14 Jan 2011 17:14:00 GMT donotreply@osnews.com (Neolander) Comments RE: Guy benefiting from scared people, says scary thing http://www.osnews.com/thread?457956 http://www.osnews.com/thread?457956 Yep. The only thing "less secure" when people use open-source operating systems is Chang's and his company's shareholders' wallets. And if enough people use these systems, their jobs.

And by "open-source operating systems," I mean typically non-commercial, more secure ones by design that just don't need companies like his. Anything but his biggest market, Windows. Fri, 14 Jan 2011 17:23:00 GMT donotreply@osnews.com (UltraZelda64) Comments RE[2]: Comment by AnythingButVista http://www.osnews.com/thread?457957 http://www.osnews.com/thread?457957 More like a flaw in the support departments of the phone manufacturers. You can only hand the ready-made fix to Motorola, you can't force them to give it to their users. Fri, 14 Jan 2011 17:34:00 GMT donotreply@osnews.com (sorpigal) Comments RE[3]: Comment by AnythingButVista http://www.osnews.com/thread?457959 http://www.osnews.com/thread?457959 That's why I said "ecosystem". The Android ecosystem is Google + the manufacturers + the community. If one of those makes mistakes, the whole OS' reputation suffers.Edited 2011-01-14 17:39 UTC Fri, 14 Jan 2011 17:38:00 GMT donotreply@osnews.com (Neolander) Comments Both sides are a bit exagerated. http://www.osnews.com/thread?457963 http://www.osnews.com/thread?457963 If you code two systems with equal amounts of similar buffer overflow vulnerabilities, I'll grant that you'd exploit the open source one first.

However, the attacker's advantage to exploit the open source program decreases with the number of non-malicious people that view the code. So the open source security is a function of the amount of people there are reviewing the code. It may start off less secure than the closed source one, but become more secure over time.


The closed source one may have less people reviewing it. And thus less chance to remove the vulnerabilities. This is especially compounded if they developers believe its less vulnerable due to its closed source. Prior to XP Service pack 2, Microsoft had a culture of insecure coding and insecure review system. They've gotten a lot better because they don't believe what this clown said. They know they have cross hairs on them, and attackers have become very good at probing for vulnerabilities in closed source binaries. Fri, 14 Jan 2011 18:12:00 GMT donotreply@osnews.com (Bill Shooter of Bul) Comments Somewhere else I read http://www.osnews.com/thread?457964 http://www.osnews.com/thread?457964 "This comes a week after Trend Micro released a mobile security app for Android."

Who would have thought it. :-)

(Somewhere else is the slashdot.org summary about the same claim, I didn't even want to read the article it probably is in the article as well)Edited 2011-01-14 18:21 UTC Fri, 14 Jan 2011 18:14:00 GMT donotreply@osnews.com (Lennie) Comments RE[4]: Comment by AnythingButVista http://www.osnews.com/thread?457966 http://www.osnews.com/thread?457966 unless there's a good governance gateway in place to take contributions but to vet them. Fri, 14 Jan 2011 18:16:00 GMT donotreply@osnews.com (project_2501) Comments Wolf http://www.osnews.com/thread?457967 http://www.osnews.com/thread?457967 Wolf states, "Free range chickens are easier to catch than those in the chicken coops." Fri, 14 Jan 2011 18:21:00 GMT donotreply@osnews.com (fretinator) Comments trendmicro? is it a virus? http://www.osnews.com/thread?457975 http://www.osnews.com/thread?457975 Just a while ago I had a zyxelrouter at a customer that had a "security app" from trendmicro. The thing kept popping up in the middle of any programmsession on windows, it took me 2 days and a lot of emails to get this removed.

So I consider trendmicro-security as malware. Fri, 14 Jan 2011 19:13:00 GMT donotreply@osnews.com (Janvl) Comments Linux.. http://www.osnews.com/thread?457982 http://www.osnews.com/thread?457982 This would be a perfect time to seize the opportunity to create a "titanium av solution" for all those insecure open source operating systems..

They can stop selling for that cashcow Windows, it's so damn secure! Fri, 14 Jan 2011 20:50:00 GMT donotreply@osnews.com (Brunis) Comments The problem with public companies http://www.osnews.com/thread?457984 http://www.osnews.com/thread?457984 This shows that board members are not expected to know anything about the business they are tasked to oversee.

The financial crisis is the prime example of this.

It really is odd that there is a class of professions where relevant field experience is irrelevant. It is also the same class that never has to worry about unemployment. Fri, 14 Jan 2011 21:14:00 GMT donotreply@osnews.com (AaronD) Comments RE: The problem with public companies http://www.osnews.com/thread?457985 http://www.osnews.com/thread?457985 Can someone explain me what the meaning of "public companies" is in this context ?

I'm pretty sure that it does not mean what I think it means (a company owned by the state). Fri, 14 Jan 2011 21:26:00 GMT donotreply@osnews.com (Neolander) Comments RE[2]: The problem with public companies http://www.osnews.com/thread?457986 http://www.osnews.com/thread?457986 Publicly-traded companies, owned by public shareholders: http://en.wikipedia.org/wiki/Public_company Fri, 14 Jan 2011 21:31:00 GMT donotreply@osnews.com (siride) Comments RE[3]: The problem with public companies http://www.osnews.com/thread?457987 http://www.osnews.com/thread?457987 Thank you very much ! Fri, 14 Jan 2011 21:38:00 GMT donotreply@osnews.com (Neolander) Comments RE: I love this one... http://www.osnews.com/thread?458077 http://www.osnews.com/thread?458077
...it just sums up perfectly one of the reasons why I think antivirus manufacturers should be banned from the face of the Earth. As soon as possible, and definitely.

Now, if only we could get a similar quote from the head of McAfee... You know, just for the fun of it.


I sometimes wonder whether the majority of the worms/trojans/virus's that exist out there are the result of anti-virus companies creating these infections to justify their continued existance in much the same way that one see's in the US where 'conditions' are created to sell medication - if you're shy apparently it isn't personality trait, it is apparently a 'treatable illness' :/ Sat, 15 Jan 2011 04:00:00 GMT donotreply@osnews.com (kaiwai) Comments RE[2]: Comment by AnythingButVista http://www.osnews.com/thread?458080 http://www.osnews.com/thread?458080
But that's not a flaw of the open-source model. Only one of the Android ecosystem.


Agreed hence I think the whole idea of calling 'Android' opensource is a giant fraud from top to bottom - to me 'open source' means grabbing a phone and upgrading it without the need to having install a 'root kit' just ot get access to a device that I paid for.

With that being said being open source doesn't automatically make it more secure any more than something being closed source making it automatically more secure. Sat, 15 Jan 2011 04:12:00 GMT donotreply@osnews.com (kaiwai) Comments This is not a controversy http://www.osnews.com/thread?458143 http://www.osnews.com/thread?458143 Steve Chang is simply wrong. Sat, 15 Jan 2011 13:33:00 GMT donotreply@osnews.com (lemur2) Comments RE: Come on... http://www.osnews.com/thread?458154 http://www.osnews.com/thread?458154
give the guy a break. What else would anyone expect him to say? He should have kept his "words of wisdom" to himself though.

The guy doesn't deserve a break. He's sitting on a giant cushion of cash that continues to increase in size as he spreads completely bullshit FUD upon people. And don't forget his company's past actions. Remember the patent lawsuit against ClamAV? Yeah... shows how much they care about YOUR security, when they don't want you to be able to protect yourself from viruses with an anti-virus program that THEY didn't make. F*** them. They're every bit as bad as the "big two" anti-virus companies these days. They've made it very clear that the security of their bottom line is more important than the security of their customers. Sat, 15 Jan 2011 14:43:00 GMT donotreply@osnews.com (UltraZelda64) Comments So what code is secure? http://www.osnews.com/thread?458193 http://www.osnews.com/thread?458193 I think one of the OSnews articles was about how long an annual test takes to hack into the major OS's. Seems every year they fall in less than an hour. Sat, 15 Jan 2011 17:50:00 GMT donotreply@osnews.com (jefro) Comments RE: So what code is secure? http://www.osnews.com/thread?458198 http://www.osnews.com/thread?458198 Nowadays, most desktop operating systems require several GBs of HDD space only to offer very basic functionality. At this level of bloat, it's impossible to make code secure ;) Sat, 15 Jan 2011 18:15:00 GMT donotreply@osnews.com (Neolander) Comments RE[2]: So what code is secure? http://www.osnews.com/thread?458242 http://www.osnews.com/thread?458242 This is a lame excuse for bad coding.

Many security errors can be easily backtracked to C errors with memory handling.

If another, more safe, systems programming language was in widespread use, many security issues would not happen.

I dream of the day that C and C++ get replaced by a more safer systems programming language.

Sadly, that may take a few generations, if ever. Sat, 15 Jan 2011 20:05:00 GMT donotreply@osnews.com (moondevil) Comments RE[3]: So what code is secure? http://www.osnews.com/thread?458261 http://www.osnews.com/thread?458261 To be suitable for low-level programming, a programming language should have very low runtime requirement and not hide the CPU's power. This is why makes C and derivatives so attractive.

Putting some checks each time a pointer is accessed or modified, as an example, is not acceptable at kernel level, nor is dropping pointers altogether. The best we can do is having "smarter" compilers, which do a more in-depth analysis of the code and notice more suspicious behaviors. But that would result in massive compilation slowdowns.

For higher-level layers, using more safe languages is doable, on the other hand. But at this level, there is something much more important which we don't do yet : massive sandboxing. Limiting app capabilities to what they need in order to operate is by far the best way to minimize the impact of exploits (because there will always be some, no matter which languages people code in) Sat, 15 Jan 2011 21:03:00 GMT donotreply@osnews.com (Neolander) Comments RE[4]: So what code is secure? http://www.osnews.com/thread?458343 http://www.osnews.com/thread?458343 Again that is plain nonsense.

Ada, Modula-2, Modula-3, Oberon, Alef have proven that you can have a more safe programming language and write OS with them. The amount of written assembly was no different if the OS were written in C.


Sadly from these list, only Ada survived and thanks to DOD.

Many programmers prefer to save typing than having their programs perform safely. Only if you never studied proper OS design can you be lead to believe that C is the only way.

There were OS being written in higher level languages before C came into existence, and surely there will
have other systems languages eventually replacing it.

I like C, but I really feel it is about time to get it replaced with a safer systems programming language.

That is why I really hope Microsoft gets successful with Singularity ideas. I am also watching how Go and D evolve over time. Sun, 16 Jan 2011 07:31:00 GMT donotreply@osnews.com (moondevil) Comments RE[5]: So what code is secure? http://www.osnews.com/thread?458348 http://www.osnews.com/thread?458348
Ada, Modula-2, Modula-3, Oberon, Alef have proven that you can have a more safe programming language and write OS with them. The amount of written assembly was no different if the OS were written in C.


Sadly from these list, only Ada survived and thanks to DOD.

According to my brother who had to use it in university, Ada is probably the most annoying language he ever used in his life, making the most simple thing insanely complicated to write. Maybe we should investigate this if we want to understand why so little people are using it nowadays.

Let's not get into conspiracy theories. If all those languages you mention have disappeared, it's because they failed to deliver in some way. I sure loved cutting my teeth on Pascal Object, but I can also understand why the world around me has chosen C(++) instead.

Many programmers prefer to save typing than having their programs perform safely.

If this way of thinking is so widespread among programmers, and there's no way to change it e.g. by educating them differently, then the tools must change to adapt themselves to the programmer, and not the reverse. Be it by creating a language which saves typing, is powerful, AND performs safely, or by putting better compiler checks on "unsafe" languages.

Only if you never studied proper OS design can you be lead to believe that C is the only way.

Well, where I studied OS design, there was no mention of a specific programming language. The examples happen to be written in C, for obvious reasons, but that's all.

There were OS being written in higher level languages before C came into existence, and surely there will
have other systems languages eventually replacing it.

Before C came in, there were overall a huge lot of OSs written in Assembly. What C managed to do was to introduce a big enough improvement over Assembly that it convinced many people to use it.

The problems which high level languages always have when used at a low level are :
-Realtime requirements
-Performance
-Control

C managed to give very high performance and a fair amount of control to developers, without forcing them to write a 40MB interpreter in Assembly first which would more or less totally void the point of using C at all. Plus it was more fun to play with than Assembly. That's why it was so successful.

I don't doubt that someday, a programming language will do to C what C did to Assembly. But it really has to address those three points and be as fun or more fun to use than C in order to succeed.

For my kernel, I mainly use C++, but I can understand why many people are not using it : its runtime requirements are quite high, which means that I either have to carefully avoid some language features or to implement some support code before the most trivial things work. And by today's standards, C++ really is a low-level language...Edited 2011-01-16 08:53 UTC Sun, 16 Jan 2011 08:52:00 GMT donotreply@osnews.com (Neolander) Comments RE[6]: So what code is secure? http://www.osnews.com/thread?458368 http://www.osnews.com/thread?458368 Before C existed, there were already a few operating systems written in BCPL, ALGOL and PL/I, even FORTRAN dialects, just to name a few old friends to everyone here that is old enough to remember them.

For example, do you know that the first versions of MacOS were written in a mixture of Pascal and Assembly?

C's success is a consequence of UNIX's widespread. At the time everyone wanted to play with UNIX, and coding for UNIX meant using C.

I am quite sure that without UNIX, C would never had become popular.

That was the main problem with the referred languages. For a language to be a successful systems programming language, it needs to be the official programming language for a successful operating system. Sun, 16 Jan 2011 12:19:00 GMT donotreply@osnews.com (moondevil) Comments RE[7]: So what code is secure? http://www.osnews.com/thread?458375 http://www.osnews.com/thread?458375
That was the main problem with the referred languages. For a language to be a successful systems programming language, it needs to be the official programming language for a successful operating system.

There's something which puzzles me in this conclusion. If I remember well, UNIX was not initially C-based, right ?

So why did Ritchie et al. decide to create C ? What was wrong with existing system programming languages on these days ? Why didn't they use the official programming language for a successful operating system instead of baking their own ?Edited 2011-01-16 13:01 UTC Sun, 16 Jan 2011 12:58:00 GMT donotreply@osnews.com (Neolander) Comments RE[8]: So what code is secure? http://www.osnews.com/thread?458437 http://www.osnews.com/thread?458437
So why did Ritchie et al. decide to create C ? What was wrong with existing system programming languages on these days ? Why didn't they use the official programming language for a successful operating system instead of baking their own ?


Apparently, B - the successor to BCPL and predecessor of C - was an awkward fit for the PDP-11. Take a look at the section entitled "The problems of B" from Ritchie's historical treatise:

http://cm.bell-labs.com/cm/cs/who/dmr/chist.html Sun, 16 Jan 2011 20:07:00 GMT donotreply@osnews.com (kerframil) Comments RE[9]: So what code is secure? http://www.osnews.com/thread?458444 http://www.osnews.com/thread?458444 From this section, what I extract is...
-B handled strings like crap (indeed, for coding something like UNIX where just about everything is a string, this sounds like a big issue ^^)
-B didn't handle floating point data properly, due to its will to treat everything as a word
-B's pointer mechanism was slow
-B was much slower than Assembly as a whole

So it sounds like we have a mixture of language limitations (lack of control) and heavy performance issues, particularly in terms of pointer handling.

Wouldn't we have the same issues with "safe" languages like C# or Java nowadays ?

I mean, I have a hard time picturing myself a scheduler written in Java, as an example, with GC kicking in and freezing the computer in the middle of a task switch.Edited 2011-01-16 20:32 UTC Sun, 16 Jan 2011 20:30:00 GMT donotreply@osnews.com (Neolander) Comments RE[10]: So what code is secure? http://www.osnews.com/thread?458460 http://www.osnews.com/thread?458460 Then please take some time to read about Oberon operating system:

http://www-old.oberon.ethz.ch/WirthPubl/ProjectOberon.pdf

The Spin operating system
http://www-spin.cs.washington.edu/

The Inferno operating system, which is partially programmed in Limbo
http://code.google.com/p/inferno-os/

The Microsoft Singularity project
http://research.microsoft.com/en-us/projects/singularity/

The Java Sqwak VM is mainly written in Java and runs on bare metal
http://labs.oracle.com/projects/squawk/

Just to name a few well known projects in the area of operating system research.Edited 2011-01-16 22:18 UTC Sun, 16 Jan 2011 22:17:00 GMT donotreply@osnews.com (moondevil) Comments RE[11]: So what code is secure? http://www.osnews.com/thread?458519 http://www.osnews.com/thread?458519 The fact that some people do have coded OSs in C# or Java in practice does not necessarily means that it is a good practice as a whole. I mean, I'm sure that some people have also written OSs in BASIC in the past just for the fun of it...

Unless, of course, there's a way to write some heavily stripped-down C#/Java code, without all the management overhead, for the lowest-level parts. I think I've read somewhere that it's what Singularity does. But that more or less voids the point of using those languages at all, in my opinion, since you'd get something like C(++) with a slightly tweaked syntax. In fact, it's even a bad idea, since it gives developers a false sense of security, and frustrates them when they realize that the simplest features of such languages are library-based.

Removing all the useless features which make mainstream desktop OSs gigabyte-large + stripping down kernels to the point where their sole task is to manage user processes + testing vital components heavily would be simpler and more effective, in my opinion.Edited 2011-01-17 08:46 UTC Mon, 17 Jan 2011 08:40:00 GMT donotreply@osnews.com (Neolander) Comments RE[12]: So what code is secure? http://www.osnews.com/thread?458572 http://www.osnews.com/thread?458572 Well at least Oberon and Inferno do have commercial users, so some people do think that they perform well enough for their tasks and are willing to pay for them.

http://www.vitanuova.com/inferno/
http://www.oberon.ethz.ch/partnerships/index

Maybe you should talk with their users and tell them how dumb they are to invest money in such OS. Mon, 17 Jan 2011 15:00:00 GMT donotreply@osnews.com (moondevil) Comments what... http://www.osnews.com/thread?458709 http://www.osnews.com/thread?458709 an utter idiot. geez, stupidity never ends. Mon, 17 Jan 2011 20:38:00 GMT donotreply@osnews.com (ropodope) Comments