General discussion

  • Creator
    Topic
  • #2285222

    Open Source software vs. Proprietary software

    Locked

    by kaceyr ·

    In keeping up with the Open Source software movement, I’ve come across a single, basic flaw.

    The only way to ensure that your executable is as it should be is to perform a comprehensive review of the source code and to recompile it yourself.

    I can, very easily, set up a distribution web site that contains both the source code and compiled executables, complete with my own hooks in the executables that will do whatever I want them to. The typical user will download the executables, maybe even the source, but will never perform a compile, and I certainly won’t have my hooks in the source that they can review.

    Without a complete review of the source code and an independent compile yourself, you have absolutely no assurance that the code you are running matches the source code that it’s supposed to. Should that code damage or otherwise compromise your system, what’s your recourse? Rebuild your system.

    In addition, if you have the time and intellect to review and completely understand the source code, why are you wasting your time downloading someone else’s product when you can make your own with the same level of effort?

    By example, let’s say you download a copy of Firefox, and it’s been tweaked with a hack that allows an external user into your system. You’re browsing around the internet and everything is great, then one day you realize that you’ve lost all of your data. During a post-mortem, you discover that Firefox was the culprit, so you go after the developers at Mozilla. Oops! The signature of the executable doesn’t match ANYTHING the original developers have ever released. They’re not responsible. Time to rebuild your system.

    Now let’s say that you’re running proprietary software and the same thing happens. During the post-mortem you discover the culprit is the ABC product from XYZ company. The file signatures are compared and, sure enough, they match. XYZ company is clearly responsible, so they will be inclined to assist you in determining the exact cause and fixing the problem, as well as you (possibly) having a legal recourse against XYZ company.

    This is both a level of protection and a level of assurance that the program will perform as expected.

    Companies today are very paranoid (and rightly so) about system intruders and industrial espionage. With this in mind, why would you turn to Open Source software?

All Comments

  • Author
    Replies
    • #3311516

      Check sums before installing

      by gralfus ·

      In reply to Open Source software vs. Proprietary software

      Most open source code comes with checksums to begin with, and if downloaded from a legitimate site should be hack-free. Check the hash prior to installing. A bit of responsibility outweighs potential legal hassles later.

      The high cost of proprietary software is driving people to seek alternatives, and those so driven often find that there is some pretty great software out there for little to no cost. Used with the proper precautions (checksums, reviews, backups) open source can leave proprietary in the dust. Great help can often be found in forums dedicated to such software, though sometimes it is hit and miss. But you won’t be generally charged for support, unlike some companies, unless it is used in a business.

      • #3312050

        Valid checksums

        by kaceyr ·

        In reply to Check sums before installing

        The problem is that I can just as easily generate my own checksum (most I’ve seen use MD5) for the “tainted” executable. That leaves only the code review, which again is only worth the effort if you’re going to perform your own compile. Even if I were to provide a build module of any sort, the code for it must be reviewed as well.

        Personally, I do use some open source software, and I did download the source. Although I didn’t perform a complete code review or even compile the source myself, I went to the “main” site for the software, located one of their approved mirrors, downloaded the binaries and the checksum, then I visited *all* of the other mirror sites and downloaded their checksums (for the same version). If all of the checksums match, that provides me with some assurance that an individual programmer didn’t inject malicious code. It still doesn’t prevent the original author(s) from doing the same, but there’s at least a level of reasonability.
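The cross-mirror checksum comparison described in this reply, as an added example that is not code from the thread or from any project it mentions. It uses Python’s hashlib with constructed release bytes and hypothetical mirror names, infers the digest algorithm from the hex length so mirrors publishing MD5 and SHA-256 lines can be compared, and shows why checking against only the mirror you downloaded from is not enough when that mirror’s operator regenerated the checksum:

```python
"""Cross-mirror checksum comparison: a file is trusted only if every mirror's
published checksum agrees with it. Sample data below is constructed for the
example; mirror names are hypothetical."""
import hashlib
from typing import Dict, List

# Constructed sample: the release as the project published it, and a tainted
# build that an attacker swapped in on one mirror (with its own regenerated sum).
RELEASE_NAME = "tool-1.0.tar.gz"
GOOD_BUILD = b"original release bytes for tool 1.0\n"
TAINTED_BUILD = GOOD_BUILD + b"extra hook inserted by the mirror operator\n"

# md5sum/sha256sum-style files give no algorithm name; infer it from the hex length.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def digest_of(data: bytes, algo: str) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse "<hex>  <filename>" lines (coreutils format) into {filename: hex}.
    A leading '*' on the filename (binary-mode marker) is stripped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than guess
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def single_mirror_check(filename: str, data: bytes, checksum_text: str) -> str:
    """Verdict from ONE mirror's checksum file: 'match', 'mismatch' or 'missing'.
    This is the check a user makes against the mirror they downloaded from."""
    expected = parse_checksum_file(checksum_text).get(filename)
    if expected is None:
        return "missing"
    algo = HEX_LEN_TO_ALGO.get(len(expected))
    if algo is None:
        return "missing"  # unrecognised digest length: treat as not published
    return "match" if digest_of(data, algo) == expected else "mismatch"


def cross_check(filename: str, data: bytes, mirrors: Dict[str, str]) -> dict:
    """Verdict per mirror, the list of dissenting mirrors, and an overall
    'trusted' flag that is True only when at least one mirror publishes the
    checksum and none of them disagrees with the file."""
    verdicts = {mirror: single_mirror_check(filename, data, text)
                for mirror, text in mirrors.items()}
    dissenting: List[str] = sorted(m for m, v in verdicts.items() if v == "mismatch")
    any_match = any(v == "match" for v in verdicts.values())
    return {"verdicts": verdicts, "dissenting": dissenting,
            "trusted": any_match and not dissenting}


def _line(data: bytes, algo: str) -> str:
    """Build one coreutils-style checksum line for the constructed sample."""
    return f"{digest_of(data, algo)}  {RELEASE_NAME}\n"


# Constructed checksum files as each hypothetical mirror would publish them.
HONEST_MIRRORS = {
    "mirror-a.example": _line(GOOD_BUILD, "sha256"),
    "mirror-b.example": _line(GOOD_BUILD, "md5"),   # older mirror still publishes MD5
    "mirror-c.example": _line(GOOD_BUILD, "sha256"),
}
TAINTED_MIRRORS = dict(HONEST_MIRRORS)
TAINTED_MIRRORS["mirror-d.example"] = _line(TAINTED_BUILD, "sha256")  # attacker's own sum

if __name__ == "__main__":
    # Checking only the mirror you downloaded from passes: the attacker regenerated the sum.
    print("single mirror:", single_mirror_check(RELEASE_NAME, TAINTED_BUILD,
                                                TAINTED_MIRRORS["mirror-d.example"]))
    # Comparing against every mirror exposes the disagreement.
    print("cross-check:  ", cross_check(RELEASE_NAME, TAINTED_BUILD, TAINTED_MIRRORS))
```

As the reply itself notes, unanimous mirrors only show that no single mirror tampered with the release; they say nothing about what the upstream authors shipped.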

        • #3311980

          Not the same issue

          by bdwolfman ·

          In reply to Valid checksums

          This is not an issue of trusted code then, but of trusted URLs…and MS has no more protection against DNS poisoning and Phishing attacks than anyone else.

        • #3292902

          You just raised another issue

          by kaceyr ·

          In reply to Not the same issue

          Your issue doesn’t address trusted code at all, just trusted URLs.

          Since the primary distribution method of Open Source software is via download, I perceive both issues as a greater threat to the validity of the Open Source software than to Microsoft software.

          Microsoft’s primary distribution is through retail outlets. The odds are in Microsoft’s favor that the CDs in their packaging will not be replaced by a retail vendor. In fact, Microsoft’s biggest threat comes from piracy, not the Open Source Community, and even the pirates aren’t injecting malicious code into the products (yet).

        • #3291212

          Trusted code, think twice…

          by romerogt ·

          In reply to You just raised another issue

          Piracy is MS’s best ally. If all the people who use MS products were really required to pay, they would just go for alternatives, or MS would already have decreased their prices. Take away piracy, then market rules would force this change, leaving commercial products on a one-to-one with FOSS.

          If you are paranoid about code, and your point stands on malicious intention and conspiracy theory, I have a question for you:

          Couldn’t it be that all the flaws that any product (OSS or commercial) has, and that are found, are backdoors they left intentionally??

          If so, OSS at least has a greater auditing base than commercial software. (Have you seen THE NET?)

        • #3300999

          Actually, MS uses piracy to increase market share

          by awfernald ·

          In reply to Trusted code, think twice…

          I lived in Bolivia, SA for 3.5 years, and during the first two years, I noticed that EVERYONE was switching over to Microsoft products. Previously, you had mostly Word Perfect, Novell, etc…

          Well, the reason for the switch was that Word Perfect and Novell were actively pursuing all software pirating there. Microsoft wasn’t.

          After gaining a large share of the pirating market, MS went in and started chasing down the piraters and going after all of the companies with the illegal copies of MS software.

          At that time… retail prices of MS products were DOUBLE what the same software was selling for in the US. i.e. from my old spreadsheets 😉 MS Office Standard purchased from the US and shipped to Bolivia was $475 fob, purchased from MS Argentina (via MS Select) the price was $895 (not quite double, but close).

          MS W2k Server, Bolivian Price $2143, US price, $1372.

          This is in a country that is considered one of the poorest in the Western Hemisphere (average FAMILY monthly income = ~$100).

          MS uses piracy to establish market share, then they come in and charge outrageous prices to gain significant profits.

        • #3300890

          You’re way off base, and off topic.

          by kaceyr ·

          In reply to Actually, MS uses piracy to increase market share

          Examine your own statements. Individuals and businesses in Bolivia switched (your word) from Word Perfect and Novell to Microsoft.

          That means that they either purchased the Word Perfect / Novell software or, as you imply, they pirated it.

          It stands to reason that Word Perfect and Novell were pursuing the pirates because they were losing money. Microsoft wasn’t involved because they weren’t the ones losing money.

          Suddenly, the pirates realized that Word Perfect and Novell were getting “too close”, so they switched to Microsoft products. Now Microsoft started losing money in the region and their own marketing people saw companies running Microsoft products that had been pirated. The Microsoft response? Start pursuing the pirates. Just like Word Perfect and Novell.

          As for the price difference, I’ve seen Microsoft product prices vary that much from vendor to vendor just here in the United States. That a foreign country has a high price tag is no surprise. Shop around or, better yet, contact Microsoft directly and work out a purchase/support/upgrade agreement.

          If that’s not to your liking, turn to Open Source Software (whew! I thought I’d never get this back on topic). There are OS’s, complete office software, management utilities, collaboration tools, etc. available at little or no cost.

        • #3305124

          CD’s vs Internet

          by scsadmin ·

          In reply to You just raised another issue

          Don’t know if this is covered somewhere else (haven’t read all the posts), but are you saying that you distrust Open Source because you download it over the internet? Where you have to use checksums to verify code and there can be DNS spoofing etc.

          But because Windows comes in a box from a store it’s more reliable, e.g. hasn’t been replaced with something malicious …

          Then instead of downloading Linux from the internet, why not buy one of the tested stable releases, burnt onto CDs and sold at stores. I know that you can buy Mandrake in that form at least.

          I believe that before being added to a Linux dist, all software is tested/audited not only by the organisation’s programmers but also by many independent programmers – people can’t just add in their code in a reliable distribution. So any programs/code being added is checked by multiple people.

          As for someone actually at the organisation adding malicious code before the product ships, there is as much chance of that happening at MS as any other place.

          cheers

          james

        • #3304998

          Then it’s not OSS vs proprietary

          by joe mctroll ·

          In reply to CD’s vs Internet

          I totally agree with james. If KaceyR’s main complaint about trustability of libre software is that its primary method of distribution is download vs. pre-burned CDs or preinstalled copies, then his rant should also be directed to shareware, charityware, and even A LOT of proprietary software vendors who choose to force users to download their utilities directly from their main site once the user has paid.
          Some of those software writers also have “trusted mirrors” or “business partners mirrors” across the world… how can you say none of them will inject something into the program?? If I download something from tucows or download.com or anything, how can I rest assured a cracker hasn’t broken into the site and replaced the original version with a malicious one???
          The key is: be it proprietary, OSS or “shared”, you MUST compare and verify checksums and file sizes gotten directly from the main site of the project. If it’s shareware, charityware or libreware, it’s still your obligation as user not to candidly trust whoever says it’s the original software they offer at their site until you verify that it sure is or the opposite.

          Furthermore, speaking about hidden backdoors: just remember Windows 3.11 had a secret function (revealed when decompiling the program, of course) called _MS234_NSKey (or something like that) that never got explained; some say the NSA forced Microsoft to put a backdoor on their product just in case… according to what I’ve read, that piece of code hasn’t been found on 95/98, etc. But – do you really think it vanished?
          I personally don’t, me thinkest M$ guys just hide it better now…
          And since its code is hidden, you can never really know…

        • #3315437

          Bug fix cycle

          by peter_es_uk ·

          In reply to Then it’s not OSS vs proprietary

          Just a thought but how many of you bought a cd each time MS ran an upgrade – I know that I downloaded XP SP2!

        • #3310964

          AV, single point of failure.

          by cheros ·

          In reply to You just raised another issue

          I fear you’re putting a bit too much faith in MS doing The Right Thing. They’re human too (despite appearances to the contrary ;-).

          I remember a Dev CD that was spread by MS which was virus infected. Not sure about it now, but they also had to resort to Unix (yes) to ensure their CD production line was safe from infection.

          At which point we hit an interesting problem: by extension of your own argument, MS has two huge single points of failure in their patch strategy: the certificate and the single source.

          Anyone hacking the cert will set up the platform for a huge problem. But even if we (very naively) assume that will never happen, pray tell me, where will I go to find out? MS won’t admit to it for some time, and they’re a single source.

          In contrast, the very wide and distributed nature of OSS makes for a great degree of redundancy. I can pull sources from various sites and compare them. It is up to me which code I trust, and with OSS I have one further advantage: the authors are actually accessible.

          Even with the best imagination you can’t call MS accessible. I worked for a company who is in the top 10 best MS clients globally, and even they had problems.

          Furthermore, with OSS, *I* get to pick the supplier as well as the distro method. If you’re requiring trusted source, you buy a packaged solution. If you’re confident of your own abilities you go for the technically more complex stuff like Debian or Gentoo. You actually have a choice, which in itself stimulates quality (frankly, I don’t think most OSS people realise the impact the disappearance of MS would have: who would they compete against? ;-)..

        • #3315436

          Good point – look at the history

          by peter_es_uk ·

          In reply to AV, single point of failure.

          Where would MS be if the history of the PC was all about protection of proprietary rights? The PC (I suggest) spread so fast because IBM allowed the clones to develop. If you still wonder how it happened so fast just look at one of the technical handbooks that shipped with the first IBM PC’s.

          MS has developed a lot of good software but they did not invent the spreadsheet, the word processor, the database or …….

        • #3314601

          Yes, but…

          by mbourque ·

          In reply to You just raised another issue

          [soap box on]MS has so many security holes nobody has to inject any malicious code, it’s easier to just hack it. [soap box off]

          One of the attractors for Open Source for me is that many vendors I am forced to use can’t keep up. The bundled software they ship with their OS is sometimes several versions behind, and many times the very buggy versions I’m trying to stay away from. I download source from the original site, verify checksums, and compile. The binaries are often built for the lowest common denominator so you gain speed and can check for incompatibilities in compiling for your system. The source also allows you to tweak if required, and debug problems if necessary.

          There’s also a lot of Open Software that does things you just can’t find anywhere else.

          No matter what you buy or download, the rule is still “buyer beware”.

        • #3314570

          Actually…

          by dschrey ·

          In reply to You just raised another issue

          I agree that all of the issues you raise are of concern. My disagreement is with your contention that they do not affect proprietary software. More and more software is available for immediate download so the trusted source issue is relevant for all software. You mentioned that MS relies on retail channels – again this is really just another trusted source. Where did the retailer obtain the software? Is it actually the “good” code distributed by the manufacturer? Did someone tamper with the program during manufacture? These are all points that you have raised for Open Source – they are also valid for proprietary software. Oh, and if you have a copy of that software that came through grey channels (unbeknownst to you) I doubt you will get anywhere in a lawsuit with the software company since they did not control that distribution channel and should be able to prove that the software was tampered with. So all in all it’s pretty much a wash in my book. You have to determine your trusted sources, then you still really need to verify that the software has not been tampered with. This is actually easier to do with OS software since you have multiple sources to check without repurchasing and you can do diffs on the source (if you want).
          Sorry for the run on sentences.

        • #3315430

          GPG signatures

          by intranet webmaster ·

          In reply to Valid checksums

          If you are a ‘normal’ user, you will be using a package manager such as RPM. The package manager will check not only that the checksum of the downloaded file is correct, but that it’s signed by a known GPG digital signature.

          Of course a malicious provider can calculate their own MD5 sum, and they can provide /a/ signature as well. But they can’t provide Red Hat’s signature or Novell’s, or the signature of the Debian QA team.

          This system has been in place for at least three years.

      • #3291487

        borderline incompetent

        by scanlan ·

        In reply to Check sums before installing

        You use terminology that reflects you’re somewhat familiar with the field, but the way you’re putting that terminology together reflects incompetence. If you get open source or freeware items, you go to legitimate sites. Sites like sourceforge.com and snapfiles.com are legitimate. This issue is logically identical to downloading a “Microsoft patch” from an unknown and illegitimate site, and then complaining that it has messed up your system. This concerns basic professional procedures. Download from legitimate sites!

        • #3291418

          Is it your contention

          by kaceyr ·

          In reply to borderline incompetent

          that no legitimate site can be compromised?

        • #3291403

          Contention

          by jim ·

          In reply to Is it your contention

          “Can” is a dangerous word. Any site can be compromised. A more informed set of questions might be:
          1. How hard is the site to crack?
          2. How likely are the administrators to catch and rectify the intrusion?
          3. If the site in question is hacked, how likely are you to hear about it?

          IMHO Most commercial software vendors (MS especially) lack the credibility of say Sourceforge.

        • #3291356

          My humble counter opinion

          by kaceyr ·

          In reply to Contention

          I don’t believe that, as an example, Sourceforge has any better administration or protection from hacking than Microsoft, but I will grant you that Sourceforge would be *significantly* more open in informing their users that an intrusion occurred, when it occurred, how it occurred, how the problem was rectified, and what steps to take if you visited during the active intrusion.

        • #3291394

          Reply To: Open Source software vs. Proprietary software

          by sd_bert ·

          In reply to borderline incompetent

          You obviously don’t understand the concept of open source. If you download a “tweaked” version of Firefox from vendor X, you get what you asked for. Open source software has either reputable corporations or organizations behind them. All contributions (your tweak) are submitted to the host for testing and inclusion into the next version. The host may at times also publish patches that include fixes or new drivers. Download only from the host organization!

        • #3314656

          The Question was…

          by ctrstrike ·

          In reply to Reply To: Open Source software vs. Proprietary software

          Seems we’ve deviated from the original purpose of this post. A comparison of OSS versus Proprietary SW.

          sd_bert – yes you’re correct this is the nature of OSS “it’s open” – that’s the point. This topic is very near and dear to my heart because as a chief engineer and program manager within my company I’m tasked with developing IT solutions for our customers and always have to look at a solution on both its technical merits as well as its cost. When I have a customer whose business is reliant on its ability to see and manage their network I can’t count on OSS. I agree that the OSS concept is a wonderful forum for bringing together new ideas and collaboration but eventually that idea has to be gathered and developed into something that will become both supportable and there in a releasable format when you need it to be. Not here today and gone tomorrow.

        • #3314600

          Oh yeah…

          by doyle.jack ·

          In reply to The Question was…

          I forgot Sendmail was here yesterday and gone today, just like Bind, Postfix, Squid and Apache.

          Poof… just like that, I woke up and they were all gone.

          He’s right, we’d better stay away from the “here today, gone tomorrow” oss.

        • #3314356

          sarcasm alert

          by apotheon ·

          In reply to Oh yeah…

          Very good point. People that make claims that MS software only seems more vulnerable because more people attack it, since it’s more widely used, and people that make claims that OSS is necessarily fly by night, clearly don’t know their history or the current state of IT. More than 60% of the Web runs on Apache, which is an open source solution, receives more attacks than any MS product, and yet survives largely unperturbed while IIS goes down every few months in the hundreds due to some worm or virus. Meanwhile, projects like Apache, BIND, Sendmail, and even Linux, all very widely deployed and heavily used, have effectively been around as long as, or longer than, Windows.

          In very few words, you’ve made a very telling point.

        • #3314567

          Here today, gone tomorrow

          by aceskaraoke ·

          In reply to The Question was…

          Do you mean that M$ stays supporting their product from now until whenever? I know I’ve heard that support, updates, and patches for NT and 2000 actually will be gone tomorrow (almost literally). What will that leave as an option for businesses relying on that software? Other than an expensive upgrade they may not be able to afford or don’t want to make.

          That sounds as here today gone tomorrow as you can get. Why doesn’t M$ offer to support their old work for pay, they already have trained staff for it and it should pay for itself as long as they charge what it’s worth. Unless their only motivation is to force business into their new products, which makes me wonder which is the more risky investment to count on- M$, whose products are expensive and will lag in support in 4 years (maybe less) or Open Source, which offer (mostly) free products or reasonably priced ones that are constantly tested and retested for flaws and exploits and that are subsequently updated and patched frequently. Plus, if one Open Source OS were to fall into disfavor or be forgotten, what is your cost to implement a new version? Whatever the cost will come in way under M$ cost….

          Don’t get me wrong…I don’t mean to be M$ bashing. I use Win 98 and XP at home (plus I have been learning to use Red Hat) and I use Win 2000 at ITT. I have had good experience with everything post Win 95 (except for a few security issues). I just think MS is going to be forcing companies to look at other alternatives, like Linux, if they try to force companies to buy their new products because they’ve pulled the plug on support, instead of buying them on the virtue of better services, support, and system performance. Being treated with respect and good service will inspire greater loyalty. Current policy will leave companies wondering if Server 2003 will still have support in 2006 or 07, or will they be forced to buy the new OS MS comes out with in 3 years?

        • #3314373

          gone only when it’s no longer needed

          by apotheon ·

          In reply to The Question was…

          First of all, that was very much on-topic. The original topic of discussion related to the security and trustability of the open source distribution model (which, as many have pointed out, is much more similar to closed source software distribution models than MS-inspired disseminators of FUD like yourself would have us believe). sd_bert made some very relevant, salient points in regards to that original topic.

          Secondly, you seem to have this whole software longevity thing utterly backwards. In comparison to the potential lifespan of a given product line, it is the commercial, proprietary, closed-source software vendors that are fly-by-night operations, not the open source projects. When a business decides to discontinue a product line, discontinue support, or otherwise cease making it available, or even goes out of business entirely, that vendor’s software effectively vanishes. All users of that software will be left high and dry. Open source software, meanwhile, will last as long as anyone gives a damn about it, and if someone gives enough of a damn about it they can ensure that it even continues to be updated, upgraded, and supported. It’s more than some bizarre testground for hare-brained ideas: it’s a crucible for rendering of ideas down to their essential, enduring concepts, and it is the perpetuation of the successful ideas by ensuring that it is always freely available.

          If the source is open, it cannot disappear just because some vendor gives up on it or disappears. If Red Hat goes out of business, there will still be a Linux (and, for that matter, a Fedora Linux and a number of Red Hat Enterprise Linux clones). The same goes for SuSE, Mandrake, and all the other commercial Linux vendors. Purely community-driven distributions, like Debian and Gentoo, will probably never dry up until long after Microsoft has been forgotten.

          Linux has been around for as long as any viable example of Windows, and will continue to be around for many years to come. It is built upon a strong tradition of stability and security in Unix, using the same sort of community effort that originally spawned Unix itself in the late ’60s. Windows is the upstart, and it lacks the potential longevity of open source products because it cannot long outlast the interest and existence of its vendor.

          Your statements betray a profound lack of understanding of the implications of an open source development model. I recommend you learn more about a subject before holding forth on the matter as though you’re an expert. I would recommend Microsoft do the same, but I already know that the corporation doesn’t much listen to its customers.

        • #3314232

          Wow…

          by ctrstrike ·

          In reply to gone only when it’s no longer needed

          Are we expecting UNIX to die tomorrow? Don’t think so. HP/IBM/SUN/usoft – probably not. It’s called evolution my friend and the patent process. Please don’t discount me as unread and unfamiliar. It’s my job to be on the pulse of IT and development trends as a chief engineer and IT architect. I personally enjoy OSS just am not able to deploy it to a customer base…

        • #3314085

          sad

          by apotheon ·

          In reply to Wow…

          That was a sad excuse for an attempt to dodge my points. Try addressing what I said, rather than simply dismissing them with some sort of irrelevant declaration of your supposedly broad knowledge of the subject. You painted a picture for us of open source software as incapable of enduring, as unlikely to be here in a few days’ time, et cetera. I pointed out where you had that backwards.

          Then, you try this dodge of the subject.

      • #3305108

        You are Right On K

        by djc13099 ·

        In reply to Check sums before installing

        I have to agree that the chances of OSS being tampered with are much greater than the code from IBM or MS being tampered with. The source code is out there for the taking.

        HOWEVER – By saying that, I don’t want anyone to think that I don’t trust OSS. There are a LOT of good intentions and good people in the OS communities. There are only a very few hackers who are low enough to infect a software package.

        One point I would like to make is that I run into a LOT of problems with COMMERCIAL packages that simply do not work or mess up several other programs during installation. My SBC Yahoo install programs did that to me. It seems like these commercial software houses (Microsoft included) have a tendency to release a product before it is completely tested because they need the cash flow. No real malicious intent – just plain old greed.

        • #3305103

          on the other hand

          by apotheon ·

          In reply to You are Right On K

          If someone grabs the source for an open source program and modifies it so that it has a back door coded into it, then yes, that person will have taken advantage of the availability of source code to create an exploit. Then what? He might be able to give it away, but anyone that trusts his version over that of the original provider (the software project from which he got it) is basically begging to get compromised software.

          When someone writes code, it doesn’t just magically end up a part of an open source project. Open source software projects have many, many eyes on their code all the time. People check and debug each others’ code regularly. Something like what I described would be easily caught, long before it was ever included in the official code for distribution in an OSS project.

          Your point is . . . pointless, I’m afraid.

    • #3311289

      Probably because

      by hal 9000 ·

      In reply to Open Source software vs. Proprietary software

      With the Monster end of town, namely Microsoft, you are in exactly the same position as you are with unknown open source code; the only difference is that MS just might put out a patch, but you will not be covered for any financial loss.

      Col

      • #3312044

        That’s not entirely true

        by kaceyr ·

        In reply to Probably because

        (I get a bit wordy here, sorry)

        My contention is that the open source software could contain deliberately malicious code that is intended to compromise or destroy your system.

        Although Microsoft is both the biggest player and the biggest bully on the field, their underlying goal is to get people to trust their products enough to buy them, so that Microsoft can become even bigger.

        The Open Source Community has a noble goal. To create robust, friendly, and affordable software for everyone. The only way for them to compete with Microsoft on any scale is to utilize time and resources donated by programmers from all over the world (and the occasional company who’s willing to suck up a bit of a tax write-off, but I’m ok with that, too).

        Unfortunately, the Open Source Community development methodology perpetuates its own problem. John Q. Public can look at a Microsoft product and say “This is from that behemoth in Redmond, so at least I’ll know who to blame or who to call, and their website usually has updates that are easy to install”, whereas the Open Source product has (hopefully) a support website, possibly a blog or a newsgroup, with a place to post questions. Most of the time the answer will come from a programmer telling John Q. Public to make some program change in the source code that will fix it on his system and recompile the product. The problem is, John Q. Public may not have the software to perform the compile.

        This makes the Microsoft product significantly more desirable, even though the cost is significantly higher. If it’s a corporation or government organization, they will not only utilize the Microsoft product, but they will have something that the Open Source Community cannot compete with: a service level agreement. With Microsoft, these agreements typically will state that the organization will stay no more than one version out of current, and Microsoft will provide priority services for troubleshooting and patches, with the ability to open x number of trouble tickets per licensing year.

        Although the cost is higher, Microsoft still comes out on top as the more stable and more reliable product vendor.

        • #3312010

          I have to disagree here

          by hal 9000 ·

          In reply to That’s not entirely true

          Actually Unix is by far the most stable OS that has so far been used, and it still has a major following, mainly on the large server side of the market, which MS just cannot hope to address.

          However being a “Certified MS Partner” I do sell Software Assurance to my customers who insist on running Windows and other MS products because they believe that it is the only OS or program that is useful to them. Windows has a definite advantage on this side of things as all the third party software houses write code to run on Windows.

          As an example, just about every company uses the same accounting package as their accountant/Tax Adviser, as it is just cheaper to send a data file over to the accountant rather than reams of paper which then has to be converted back into the accountant’s accounting package and then back again to the company’s accounting program after it has been audited. So as almost every accountant runs Windows, these companies are forced to run Windows as well as the same version of whatever accounting package is used by their accountant.

          Quite a few of these businesses are MS only, as it makes the licenses far cheaper, but they still run things like MYOB and Corel Draw as MS doesn’t have comparable applications; but everything that MS makes that they require, they run.

          However with Software Assurance, which is miles cheaper than just buying the product outright, the company is effectively a Beta Tester for new MS products. I can still remember the spiel about just how secure 2003 Enterprise Server was when it was released, and 2 weeks later there was a patch for a critical flaw. Now MS would have you believe that they didn’t know about the problem at the release and took less than 2 weeks to write a fix for the problem after it was found.

          Well as the first patch affected IE6 I find that very hard to believe but then again I believe very little of what the sales people from any company tell me.

          Col

        • #3311822

          Your example works the other way

          by jgaskell ·

          In reply to I have to disagree here

          I am the IT Manager for an accounting firm. I have entertained the idea of open source before (working for accountants means the cost of everything is always a big factor), but it is just not feasible for us as we have to support the software that our clients use. We have to be able to run MYOB, Quickbooks, etc. so that we can read client data files. So far we haven’t had a data file that comes from an open source app and I can’t see it happening in the near future.

          People in the IT industry get very worked up about arguments over open source vs proprietary, but the fact is that the vast majority of computer users don’t care. They just want something they are comfortable with and that gets the job done for them.

        • #3311800

          Well with every business that I consult for

          by hal 9000 ·

          In reply to Your example works the other way

          The answer is always the same.

          We have to use MYOB Quickbooks or whatever because our accountant uses it.

          While I’m not advocating switching to Open Source, what I’m saying is that Windows does have the market sewn up by the simple fact that the third party software houses only write code for Windows. Shock horror, I’m stating the obvious!

          Do you remember what MS did to Corel and their Open Source Product?

          Col

        • #3291564

          You said it right

          by pat ·

          In reply to Your example works the other way

          All of my clients don’t care or want to use open source programs. Every once in a while I have run into a programmer or IS manager talking about how great it is, but as soon as the users begin training on the test platform, poof, it’s gone. Open source is a hobby that some day may be a viable resource. It doesn’t currently belong in the business world.

        • #3291529

          Hang on a second…Think Server Side

          by sheldon.fougere ·

          In reply to You said it right

          I agree that OSS is not ready for the desktop…yet. But really, neither was Windows 3.0. I think it will eventually get there.

          My other point is that OSS is great for servers. I bet if you were to look, that there is a greater percentage of Internet servers that are OSS than Windows based. I’m thinking Linux as the base running Apache(Web Server), BIND(DNS Server), MRTG & Nagios (Network Monitoring) just to name a few.

          I use Linux a lot; the biggest drawback I find is when something does actually break (usually from me playing) that I have to go learn how to do it again, because the server has been up and running so long and I forgot the details of how.

        • #3291513

          You took the words out of my mouth

          by hal 9000 ·

          In reply to Hang on a second…Think Server Side

          But I would like to add that a lot, if not all of the complicated ones, of the special effects that we see in movies are not performed on a Windows Platform but on Linux based computers.

          There is a place for everything in the business, and some just need the raw power that the Linux platform delivers in not having a lot of unnecessary code being run to look all nice and pretty at the expense of computer performance.

          Col

        • #3305094

          I hear ya!

          by andrew t. fry ·

          In reply to Hang on a second…Think Server Side

          I have the same issue with my servers. Something just broke and I don’t have a clue how to fix it, because it’s been so long since anything broke ;).

        • #3305092

          Doh!

          by andrew t. fry ·

          In reply to Hang on a second…Think Server Side

          Oops wrong spot.

        • #3314636

          Ridiculous

          by keyguy13 ·

          In reply to You said it right

          That is just your opinion. And frankly it’s an ill-informed and ignorant one at that. Plenty of businesses use open source software and servers. They’re smart because they are saving money and their software actually works. If you think open source is a hobby, why is it that SCO is trying to sue the entire civilized world of Linux and unix users? Pull your head out of your a$$, Linux is here to stay, and when users become savvy enough and start to see there are better alternatives, Microsoft will finally be put in their place.

          It’s pretty sad that a company can charge more for its software than the hardware it runs on. Shame on Microsoft. All hail open source!

        • #3293590

          Depends on the admin

          by david.cordell ·

          In reply to I have to disagree here

          How stable operating systems are depends mainly on the admin (providing the hardware is stable). I work in an environment that supports Sun, Apple, Wintel, and Linux (Sun and Intel) solutions. I support Wintel and Apple solutions myself. With that said, a friend of mine is desperately trying to leave Sun because he is tired of going out and fixing Sun hardware/OS problems due to lack of proper Q&A over the past year. Our organization is trying to get away from Linux because it has started to cost more to support than Windows. If you work for the federal government, hackers do not care what platform you are using; they want the data or to bring down a system. MS is not on the same scale as SUN, not all true! It is true that MS does not support the number of processors that Solaris supports, but outside of that it is arguable as to the scalability of the OS or network applications.

          When researching a solution, all platforms must be evaluated in order to determine which is a viable production environment. Government News: one of the top Java developers switches from JAVA to the .NET framework, stating reasons that .net is faster to deploy and less expensive to manage.

          Business (workstations): the business industry is built on Wintel! SAP, Oracle and Gelco, to mention a few, have tried to get their applications to work on other platforms than Wintel and IE, but not with much luck. One thing that must be understood is what takes place during backend processing and how the data is formatted on the client. M.S.I.E. utilizes 6 dlls that help the client process the information, whereas Mozilla/Netscape is unable to manage the info. (SAP-Java: when using SAP-Java on Macintosh OS 10.x the password is sent in the clear. Apple will try to tell you that it is compressed, which is true, but compressed is not encrypted.)

          Software Assurance: Not only cheaper but this can be leveraged to send admins to training (QuickStart) for less than the standard pricing. Server side does not apply, must be client.

          Back to the original question of Open Source vs. proprietary! We have had more than a few problems where, when using Linux, the local admin modifies the kernel, which presents support issues along with patching problems. You will lose support and now have to add creating patches to the admin’s task list.
          All aspects of a solution must be researched before making a decision on the platform.

        • #3293478

          strange comparisons

          by apotheon ·

          In reply to Depends on the admin

          Comparing the Windows platform with halfway decent administrators and the Linux platform with some imbecile going around modifying the kernel for no good reason is ludicrous. What kind of broken-down human resources department do you have that hires some joker that is creating support issues by making kernel modifications on production systems? Never mind, that was rhetorical. The answer is, obviously, “not a very good one.”

          It’s true that the administrator has a great deal of influence on the stability and security of the systems under his supervision. Basically, you have to take the lesser of the platform’s and the administrator’s capabilities as your assumption of system stability and security. If your admin is skilled enough, he’s only limited by the platform. If he’s not skilled enough, he can actually bring the platform’s stability and security down with him.

          The upper limits of the Windows platform’s stability and security are far below those of Unix systems (including Linux), due to simple matters such as feature bloat in the system architecture and legacy vulnerabilities. If you’ve got a good enough Windows administrator, your Windows platform systems can be utilized to their greatest potential and be fairly secure, stable systems, aside from having to restart them every couple of weeks to be sure they don’t collect performance loss due to memory leaks and similar issues. With a similarly skilled Linux administrator, Linux platform systems can easily outperform the Windows system and, more to the point, are capable of so much more stability that there are Linux systems running today that haven’t been restarted since the mid-’90s, including professional production-environment servers.

          By the way, your commentary about porting Oracle to Linux is full of crap. Oracle is available, and stable, on Linux. I haven’t looked into Gelco (no need to, yet, in my work), but I suspect you’re missing some useful facts there as well.

          I’ll grant you that .NET framework (or, at least, C#.NET) is probably a step up from Java. Considering that Java is not open source, though, and that there is an open source version of the .NET framework (called Mono), I don’t think your point holds much water there.

          As for workstation security: Unix systems will interoperate with any networking capabilities that Windows supports. I’m running a Windows/Linux homogenous network, of which this very computer (Debian GNU/Linux workstation) is a part. The harsh reality is that Windows systems are no more secure, and generally less secure, than Unix systems. Furthermore, if you’ve got MacOS X systems sending passwords in the clear, they’re not configured very damned intelligently for networking. Again, it comes down to the administrator.

          In other words, you’re right: system stability and security depends on the admin. It’s not because the platform doesn’t matter, though. It’s because a bad admin can bring down the best system.

        • #3311984

          MS has Trusted Computing? (HAH!)

          by bdwolfman ·

          In reply to That’s not entirely true

          KaceyR says “This is from that behemoth in Redmond, so at least I’ll know who to blame or who to call,” Have you not heard of the compromise of the MS Verisign certificate a year or so ago? There is no such thing as absolute trust on the internet. Wake up and smell the Java! Just because the URL says MicroSoft, doesn’t prove it’s from MS (esp. if you’re still using IE, as you must on a MS website.)

        • #3293939

          Microsoft FUD

          by tsweet1 ·

          In reply to That’s not entirely true

          Microsoft is so paranoid about Open Source because it offers a standards based alternative that is hard to compete with. Companies are doing well adding services and support for OSS.

          The fundamental issue is that Microsoft is behaving like a criminal organization, with predatory practices and anti-competitive behavior. Once Microsoft is broken into separate companies where their monopoly position can’t be used inappropriately, then much of this FUD will go away.

          Where is the DOJ?

        • #3291351

          FUD and Free

          by poomba1 ·

          In reply to Microsoft FUD

          Every time someone wants the Gov’t to handle MS, I just shake my head. I can think of an equal amount of poor management decisions that have helped MS. Novell and Word Perfect come to mind; what a screw up that was. If you haven’t been around long enough to remember, it was the constant crashing of WP 6.x (yes, even in DR DOS) that was its demise; it sure wasn’t MS Word.
          What concerns me more, is this mantra of free with open source and then no one can understand why all the I.T. good paying jobs are heading over the border. Gee, I wouldn’t want to R&D anything with my resources either if there was no reward to it. Nothing in the world is free, I wish people would stop making I.T. a “free service”.

        • #3304979

          OSS is not free, true, but…

          by joe mctroll ·

          In reply to FUD and Free

          Well, just remember “there ain’t no such thing as a free lunch”. Someone, somehow, somewhere has to pay for OSS…
          That’s exactly why OSS people rejected the term “free software” – it’s unnecessarily ambiguous. Me personally, I prefer to say “liber software”, most others just “open source”… a matter of choice.
          However, there IS still a benefit from it: development costs are distributed almost equally among all the participants…
          Imagine we were to recreate windows in an OSS form… what would be the costs of it? paying enough to a team of, let’s say, 2 thousand programmers during at least 5 years to enable them to dedicate full time to the project…
          Perhaps one million dollars, if not more… very few companies could do that… and… in order to let it out for free??? No way man!!!
          However, if a company subsidises not one thousand, but just one (its employee) and puts it to work on the project in his spare time… and another one does the same… and 2 thousand other companies do the same…
          Total cost of development remains the same (millions of dollars) but for each company the costs of its involvement are ridiculously low… and when the project is over… they get a wonderful product!!! and the cost “paid” for it was indeed very free… and they get in-house expertise on the product (their home programmers) as well as direct support for free…

          And business with OSS is not licensing software, but services… business model is: I give out for free my product, you can adapt it the way you want, but I’ll only help you if you pay me…

          So don’t worry, either as programmer or as support staff, in an “all OSS” world there’ll still be plenty of job for us…

        • #3305121

          The issue is your contention is flawed

          by spookycoder ·

          In reply to That’s not entirely true

          I think what you said “open source software ….”
          are just some few of the OSS community, not the whole OSS. So it’s understandable what you said, just like something that happens in our living: there are thieves, police and judges. As the goal is different between MS and OSS, I wouldn’t like to put them on the same table. However I’m always thankful for OSS, which gives us much diversity and horsepower to create and enjoy it.

        • #3305116

          Payment for losses

          by michtu ·

          In reply to That’s not entirely true

          Hmmm, the last 10 times my pc was rendered useless by a security hole in IE, I can’t recall getting money from MS. Besides that, have you ever read the EULA for any of their software? They don’t guarantee it will do anything at all, much less that they’ll pay for problems. You have to look at both types of software and be smart about installing and maintaining both.

        • #3305055

          not all companies are Microsoft…

          by jack ·

          In reply to That’s not entirely true

          While it’s true that Microsoft does seem to try to fix the most glaring bugs and security holes in Windows in a reasonable amount of time, not all companies do such a good job. What if you spend hundreds of dollars on a closed-source IDE, only to discover that it won’t work with your favorite closed-source compiler, and then find that both the IDE manufacturer and the compiler manufacturer blame each other and refuse to fix anything? Or, for that matter, if one or both of the companies go out of business and the source code to their products is lost?

          Closed-source software is prone to this sort of dead-end situation in a way that open-source software is not.

        • #3293429

          Communities and Governments going OSS

          by mgg ·

          In reply to That’s not entirely true

          Living not in the States but in Europe, I can tell you that there is a significant trend of governments and communities to change to OSS.

          An example would be the German city of Munich, which is converting its appr. 20000 workplaces to OSS; the German government and governments of some German states are deep into the evaluation of a change to OSS.

          The reasons for this change are not about money. Installation, training, and adaptation of existing applications to OSS also consume large amounts of money. But the advantage of being in charge of exactly what code is running on the PCs and not being dependent any more on a single point of source seems to have pitched the decision of Munich and other German cities in the direction of OSS.

          And coming back to malicious or just unwanted features within a program, why do you think programs like XPAntiSpy are created by users of Window XP. Who knows what information Windows/Office/etc. collect and send out every time I go online?

        • #3290607

          Reply To: Open Source software vs. Proprietary software

          by guapo ·

          In reply to That’s not entirely true

          “Microsoft still comes out on top as the more stable and more reliable product vendor.”

          This HAS to be a troll. Nobody is that stupid.

        • #3303501

          not necessarily

          by apotheon ·

          In reply to Reply To: Open Source software vs. Proprietary software

          If you’ve operated in the commercial software world long enough with no experience with the open source model, you’ll probably develop some habits of thought processes that don’t track with open source software. Keep in mind that the quote you indicated refers to Microsoft as being a “more reliable . . . vendor” than the open source community.

          That shows more of an assumption of similarity between Microsoft and the open source community in terms of product marketing and support. Such parallels are invalid, but the habit of thinking in those terms is one that is somewhat understandable for anyone that has been too locked into the commercial, proprietary, closed source vendor model of distribution. Because certain software platforms compete, people that are used to vendor association with products starts to think of the organization/community behind those software platforms as being competing vendors. Thus, such misconceptions arise.

          The truth is that the open source community isn’t ANY kind of vendor. Open source software doesn’t need vendors, just as seawater doesn’t need vendors. It’s there: all you need is a cup in which to collect it.

          People used to a vendor model of distribution are comfortable with vendors. They look at vendorless distribution and all that’s there for them to point a finger at is the development community. Thus, they start pointing at the distributors as this chaotic aggregate of not visibly connected little handsful of people, and they say “Look! That doesn’t look like a reliable vendor at all!” It’s true: that doesn’t look like a reliable vendor. It doesn’t look like a vendor of any kind, but they don’t get that far in reasoning because, upon realizing it doesn’t look like a reliable vendor, they gloss over the possibility of looking at the wrong thing.

          It’s not stupidity — it’s misunderstanding.

    • #3311987

      This is a “Straw Man” scenario (looking for a scape goat?)

      by bdwolfman ·

      In reply to Open Source software vs. Proprietary software

      Shifting the blame is not a “Business need.” Good security begins with responsible downloads. If all you want to do is find a “fall guy” for the bad code, let’s blame the doofus that failed to check the signatures on the downloaded code…oops, in your scenario, that would be you.
      I guess anyone that can write or review code, or administer a workstation even, should be able to check a signature on what he downloads, huh?

      • #3291025

        Yes, it is

        by kaceyr ·

        In reply to This is a “Straw Man” scenario (looking for a scape goat?)

        Unfortunately, that’s exactly what the client wants in the event that something does go wrong.

        As a consultant, if the customer wants to be able to point a finger, I’ve got to give them a target to point at and I don’t want to be that target.

        As I pointed out in another post in this discussion, just checking the signature of your download from the one site is not a sufficient check on the off-chance that the site you download from was a fake.
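One way to implement the check this post is getting at, as an added example that is not part of the thread: the digest is only worth comparing if it was obtained from somewhere other than the download site itself, since a fake site can publish a matching hash next to its tampered file. The hostnames, file names and bytes below are constructed sample data.

```python
"""Verify a downloaded artifact against a digest obtained out of band.

Added example, not from the thread. A checksum published on the same
site as the download proves only that the site is internally consistent;
the digest has to come from an independent origin (a signed release
announcement, a second mirror, a value recorded from a known-good copy).
"""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Fetched:
    url: str    # where the bytes came from (constructed sample URLs below)
    data: bytes


def parse_sha256sums(text: str) -> dict:
    """Parse the coreutils sha256sum output format: '<hex>  <name>' per line."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        hexdigest, name = parts
        # A leading '*' marks binary mode in sha256sum output; it is not part of the name.
        digests[name.lstrip("*")] = hexdigest.lower()
    return digests


def independent_origins(url_a: str, url_b: str) -> bool:
    """Coarse, illustrative trust model: different hosts count as independent."""
    return urlparse(url_a).hostname != urlparse(url_b).hostname


def verify_download(artifact: Fetched, name: str, sums: Fetched):
    """Return (ok, reason). Refuses to trust a checksum list served by the download host."""
    if not independent_origins(artifact.url, sums.url):
        return False, "checksum list came from the download host; a fake site can forge both"
    try:
        expected = parse_sha256sums(sums.data.decode("utf-8"))[name]
    except KeyError:
        return False, f"no digest listed for {name}"
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"unusable checksum list: {exc}"
    actual = hashlib.sha256(artifact.data).hexdigest()
    # Constant-time comparison; the digests are not secret but the habit is cheap.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches an independently obtained checksum"


# Constructed sample data: a "release" tarball, a tampered copy, and two
# checksum lists that both carry the genuine digest but come from different hosts.
RELEASE = b"\x1f\x8b\x08\x00sample-release-tarball-bytes"
ARTIFACT_OK = Fetched("https://mirror.example.net/example-1.0.tar.gz", RELEASE)
ARTIFACT_TAMPERED = Fetched("https://mirror.example.net/example-1.0.tar.gz",
                            RELEASE + b"# extra bytes appended by a fake mirror")
GOOD_SUMS = f"{hashlib.sha256(RELEASE).hexdigest()}  example-1.0.tar.gz\n"
SUMS_OUT_OF_BAND = Fetched("https://announce.example.org/SHA256SUMS", GOOD_SUMS.encode())
SUMS_SAME_HOST = Fetched("https://mirror.example.net/SHA256SUMS", GOOD_SUMS.encode())


if __name__ == "__main__":
    for label, art, sums in [
        ("genuine file, out-of-band digest", ARTIFACT_OK, SUMS_OUT_OF_BAND),
        ("tampered file, out-of-band digest", ARTIFACT_TAMPERED, SUMS_OUT_OF_BAND),
        ("genuine file, digest from same host", ARTIFACT_OK, SUMS_SAME_HOST),
    ]:
        ok, reason = verify_download(art, "example-1.0.tar.gz", sums)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({reason})")
```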

        • #3293869

          Hmmm..

          by andrew t. fry ·

          In reply to Yes, it is

          Seems to me that as the consultant you should be responsible for the choices you give a company. If you don’t feel comfortable with them, why are you suggesting them to someone else?

        • #3291490

          It’s not a matter of my comfort.

          by kaceyr ·

          In reply to Hmmm..

          It’s a matter of theirs. If my client doesn’t trust a company or a technology, it’s beneficial to me to find (or create) an alternative.

        • #3291486

          And if your client does trust a company

          by hal 9000 ·

          In reply to It’s not a matter of my comfort.

          With an abysmal security record, whose problem is it then?

          Col

        • #3291479

          Tag

          by kaceyr ·

          In reply to And if your client does trust a company

          You got me on that one. 🙂

        • #3291476

          but it should be

          by arleenw ·

          In reply to It’s not a matter of my comfort.

          I’ve lost clients insisting that they have something that they didn’t like for security’s sake. I am the person they look to for recommendations of software that will work well in their environment. I need to be familiar and comfortable with what I am recommending.

          I am also the first person they call when something isn’t working right – not the software vendor. I’m the one that winds up making the phone calls to tech support or, in the case of open source, posting my question in the forums. By the way, I’ve yet to have a problem go unsolved using forums and newsgroups.

          As a professional, it would be grossly negligent of me to download something onto a clients computer without first fully testing it and learning to configure the software properly. If a software I downloaded wreaks havoc in my test environment, I’m not going to turn around and recommend it to a client.

          The fact is, I would be remiss in my duties if I did not explore all options for my clients – open source or proprietary. There is no “one size fits all” for everyone. Each client has a unique situation that requires a different approach. It is my job to know what’s available and where it would be best implemented. If you’re worried about downloads getting hacked, burn a copy of a known good download for installing on your clients computers.

        • #3291450

          It never is

          by kaceyr ·

          In reply to but it should be

          Even if I’m comfortable and confident that the Open Source solution is secure and can handle whatever they throw at it, if the client’s perception of Open Source is that it’s dangerous, it will never fly.

          I’ve actually had a case where an Open Source solution was a near perfect fit, but the IT director heard the words Open Source and killed it then and there. They went instead with a commercial product that only met about 40% of their needs. On the flip side, I did make good money writing add-ons to the commercial software to make it fit their business.

        • #3291249

          Hmm…

          by doyle.jack ·

          In reply to It never is

          Who is going to support those add-ons? you? Who will be financially responsible if they mess up? you?

        • #3305232

          Response to Hmmm..

          by kaceyr ·

          In reply to It never is

          Nope. The contract was a work for hire. They own the code. If something gets messed up after they’ve accepted the code (they have a lengthy review process), it’s on them. Unless, of course, they opt to bring me back in to figure out what went wrong.

        • #3305091

          Stupid Max Message Level

          by andrew t. fry ·

          In reply to It never is

          So let me get this straight. It doesn’t matter at all if you feel comfortable suggesting a program? How does that work?

          On the topic of the add-ons. They shot down Open Source to just end up getting add-on code from you? Who the hell is going to support that, since as you say it was a work for hire? On top of that why’d they hire you to write them if they can handle it from there? You’re obviously a much better salesman than a consultant.

        • #3304983

          Reply to Andrew Frye

          by kaceyr ·

          In reply to It never is

          They could have written all of the add-ins in-house. They have the ability, just not the time.

          The funniest part is that their standard contract states all work as work for hire, where they exclusively own the code. They even provide a hold harmless clause for me once the code has been accepted.

          They do this because they try to market all of their software to other organizations. If they didn’t own it all, they couldn’t do it.

          Needless to say, I maintain a good relationship with this client!

        • #3314653

          You are getting close Kacey

          by djc13099 ·

          In reply to It never is

          “I’ve actually had a case where an Open Source solution was a near perfect fit”

          As a vendor and someone who my customers depend on, it is my duty and obligation to not only “Propose” solutions, but to sometimes “Sell” solutions. For example, I will often times recommend (almost argue) that my customer use Stomp backup software rather than one of those 24.95 packages. Why?? Because the software has been around for a long time and I know that it works – and works well. I know this is not OSS vs proprietary, but it is the same principle. If the OSS package does a better job, then it is your obligation to install it over any lesser product. Quality comes FIRST – Then Price.

          “On the flip side, I did make good money writing add-ons to the commercial software to make it fit their business.”

          And here is your sales pitch. I have yet to come across a customer who would not prefer a better “Price” in the long run. Price includes purchase price + setup costs + training + down time getting the software to work properly + custom patches to make it do what they want + + + . What would “IN THE END” cost the customer LESS.

        • #3314652

          The Problem is…

          by ctrstrike ·

          In reply to It’s not a matter of my comfort.

          Good point K. The problem here though is that typically there’s not even a company or cohesive product [technology] to point to when offering an OSS solution to a customer. There’s a reason that proprietary SW can be [as it’s not always] expensive. The cost to develop and provide support for the technology or product suite isn’t free. As a VAR I’m in the business of taking best of breed COTS SW and tailoring it to operate as a cohesive solution that meets the customer’s needs. In a way I’m developing an OSS type of solution [the glueware if you will]. But I’m expected to support that solution and the glue throughout its lifecycle to include version enhancements. OSS in its traditional form can’t provide that. Today it’s here but tomorrow it may not be.

        • #3314368

          I have no idea where you get these arguments.

          by apotheon ·

          In reply to The Problem is…

          You said (and I quote you directly) “OSS in its traditional form can’t provide that. Today its here but tomorrow it may not be.”

          You’re full of it. Successful open source solutions will outlast successful proprietary closed-source solutions. It’s the nature of the beast: proprietary solutions disappear when their vendors do. Open source is eternal, so long as there is still any demand for it. If there isn’t any demand, of course, it dries up, but in that case: who cares?

You seem to have some kind of misconception of OSS as though it were a singular, monolithic organized effort, like Microsoft. It’s not. Any sort of support you want can be found, almost guaranteed, in open source solutions. Any support you find with closed source software can be found with open source software, with the possible exception of extortionary “support”. The reason, of course, is that leverage for extortionary action is nonexistent with open source software. If you don’t like the service you get from one provider, you can always find another. Unlike Microsoft’s monopoly on core Windows support, neither Red Hat nor SuSE has any monopoly on Linux support. Nor does the Linux kernel development team. In fact, because of open source software, you can find core support for even proprietary Unix systems that rivals that of their vendors.

          Without opening the source of the Windows platform, you’ll never get that kind of wide-ranging support for Windows, and you’ll never get the same longevity out of it. As I said in response to another post of yours, you have the whole shebang backwards.

        • #3291421

          But this applies to ALL computer use, anyways!

          by gryfon ·

          In reply to Yes, it is

There IS no safe computing anymore. Get used to it. You can be as secure and circumspect as you like, and all it takes is 5 minutes of a visiting relative surfing to trojan infested porn sites, and your efforts are for naught.

          Also, software vendors DON’T always take responsibility for their software. My step-father went ahead and installed SP2 for XP on his laptop, and it’s never worked right since. He tried to call Microsoft for help, and they wanted to charge him $30 an hour for tech support for a product THEY released and recommended.

          It’s up to the end user to verify that the site they are visiting is valid. Typing http://www.mozilla.org is pretty foolproof. Following a link out of a spam email is not.

          If your clients can’t understand that, take their computer away and give them a calculator. It’ll be less frustrating for them in the long run. Or spend some time doing user education.

          Pointing fingers never solves anything, unless you’re a lawyer.

          Regards,
          Gryf

        • #3291410

          I agree and disagree

          by kaceyr ·

          In reply to But this applies to ALL computer use, anyways!

          No, the software vendors don’t always take responsibility for their software, and I agree that it’s ludicrous for Microsoft to charge anything for helping someone get XP SP2 to work properly.

As for http://www.mozilla.org being pretty foolproof, one of the threads of this discussion talks about when a DNS server has been compromised allowing someone to fake a site such as http://www.mozilla.org. Is it likely? Probably not. Is it rare? Extremely. Is it possible? Absolutely. That’s why it’s important to not only try to verify where you are, but what you’re getting.

        • #3291287

          Reply To: Open Source software vs. Proprietary software

          by gryfon ·

          In reply to I agree and disagree

          This was my point, although the tea had not kicked in completely when I wrote that.

          There IS no safe computing, just as there is no privacy on the web. Many, many users don’t realize this. Any data transmitted online has the capability of being intercepted or mis-directed. User education is the only way to effectively combat this problem and win this war (and it IS a war). Have you seen the DDoS attacks on the Spyware Removal sites/forums?

          Heck, bank sites are being re-directed, and that’s much more likely than someone making a whole new Firefox. Besides, why spend all that time going after 5% of the browsing population, when there’s still that big ole 85% of Microsoft clients to go after.

          I guess I just think you’re chasing after ghosts with this. It’s like that old ‘international date line’ problem… 😀

          But all efforts to raise awareness are to the good, in my mind.

          Cheers!
          Gryf

        • #3291286

          Case in point

          by gryfon ·

          In reply to Reply To: Open Source software vs. Proprietary software

Found this seconds after I finished posting. The form wouldn’t let me edit.

          Banner Ad hijacking:

          http://news.zdnet.com/Bofra+burrows+in+through+banner+ads/2100-1009_22-5462862.html?part=rss&tag=feed&subj=zdnn

        • #3291329

          Finger Pointing

          by tr ·

          In reply to Yes, it is

          That’s the problem, you show us a scenario in which you are clearly at fault then try to find a way to shift the blame to someone else. Sorry, you’re in the frame. Please clear your desk and leave your security pass at the desk on the way out.

Your scenario might have been of more value if you compared like with like. What happens when you download a “closed source” product and later find that its checksums do not match those of the file on the manufacturer’s site?

        • #3305207

          Reply To: Open Source software vs. Proprietary software

          by pickleman ·

          In reply to Yes, it is

          For goodness sakes, let it go already.

          How many times have you ever heard that a legitimate site was “overtaken” by hackers, and then the site was flooded with fake software with built-in backdoors, and then nobody ever caught it?

          The answer is simple: it has never happened.
          In the unlikely event that a legitimate site gets hacked, the worst that usually happens is a couple hours of downtime while they sort it out. In 99% of all “site hacks” it’s nothing more than a DoS attack.

          Have you ever heard of a single case where a company’s site was taken over and then infused with a bunch of fake software?

          I know I haven’t, and I’m willing to bet nobody else has either.

          As many people have already told you, the answer to your “problem” is very simple: check your signatures before and after you download.

        • #3311122

          Big Pockets

          by doyle.jack ·

          In reply to Reply To: Open Source software vs. Proprietary software

          People just want to blame the big pockets.

Most problems are configuration issues anyways. We’ve got this guy I know who runs around cursing Bill Gates all the time and it ends up being that he misconfigured AD… not Bill’s fault.

          People like Kacey or whatever her name is just want someone to pay when she screws up. Plain and simple. You can’t make the linux guys pay, so screw them.

          Unfortunately, even with commercial software, if you read the print in most EULAs, they won’t pay you a dime, either.

        • #3314698

          SCO yesterday, anyone???

          by tacticus ·

          In reply to Reply To: Open Source software vs. Proprietary software

          And how different is changing a file from changing an image? Not at all.

Black Hats changing your files, to attack your users, most probably has happened. I guess the risk should be ’bout the same for open source software, as for proprietary.

And while you install Windows and suchlike from physical media, like a CD, do you also get all your updates on physical media? If not, what prevents a blackhat from infecting the update site? Whether this update site is Windows Update, or up2date… doesn’t really matter.

          My point is, if you want a ‘puter that is tamper proof, get thee an abacus. Otherwise, take due caution.

      • #3311126

        ouch

        by doyle.jack ·

        In reply to This is a “Straw Man” scenario (looking for a scape goat?)

        tsia

    • #3311552

      nonsense

      by apotheon ·

      In reply to Open Source software vs. Proprietary software

      As an example of how your argument falls down, let’s take a look at a 100% free software solution.

      The computer I’m using right now has Debian GNU/Linux installed on it. All software on it comes from the official apt archives provided by the Debian maintenance teams. It is all open source. It is all more trustworthy than Microsoft software.

      Everything that ends up in these official archives is reviewed by Debian maintainers. It’s all certified by them for stability, compatibility, and security. It doesn’t use a browser prone to security holes to get updates, the way Windows does, so that there has never (to my knowledge, at least) been a problem with apt archives being spoofed, whereas such spoofing goes on all the time with Microsoft.

      I don’t even need to address the fallacies and FUD in your post. One example is all it takes.

      • #3292916

        Your example is flawed.

        by kaceyr ·

        In reply to nonsense

        BDWolfman’s response of 11/15/2004 shoots you down. You really have no more assurance that the “official apt archives” is the real one. If someone happened to nail the DNS server that got you there, it could easily be a fake.

        As for your preference to insult and degrade rather than discuss, go swallow a bullet.

        • #3292863

          Your attitude needs work.

          by apotheon ·

          In reply to Your example is flawed.

          Considering your belligerent attitude, I’ll simply comment briefly on your need to check your words and ignore the weak attempt at an argument. Specifically, I have no preference to “insult and degrade rather than discuss”, and find your implication that I do to be humorous and ironic when immediately followed by your suggestion that I “swallow a bullet”.

        • #3291023

          I owe you an apology for that

          by kaceyr ·

          In reply to Your attitude needs work.

          Definitely one of those days that I should have taken a break instead of typing.

          Here I try to create a discussion that doesn’t degrade into a series of flames, and I’m the first to light up.

          Sorry about that.

        • #3290995

          apology accepted

          by apotheon ·

          In reply to I owe you an apology for that

I’m typically more impressed by the ability to recognize and admit a mistake than by simply not noticing someone making any mistakes, since we all make them. Anyhow, thanks for the apology.

        • #3291474

          case closed

          by wmarkhall ·

          In reply to I owe you an apology for that

          You have no business discussing anything in a professional forum after what I just read.

In fact, this particular comment — both in substance and style — is a perfect example of why my visits to TR are down to a few a year at most.

          Someone let me know when the adults are once again in charge.

        • #3291319

          slack

          by apotheon ·

          In reply to case closed

          He recognized his error in judgment and apologized. I’m inclined to cut him some slack.

        • #3292854

          A question of respect?

          by michael.deck ·

          In reply to Your example is flawed.

          Can the official apt archives be faked? yeah, maybe, but not easily.
          Can Microsoft be trusted? yeah, maybe, but not easily.

I see it coming down to respect. If you don’t have any respect for the source of your software, you can’t trust them. The open source community has been flat out earning the respect of people outside the IT profession, and Microsoft has been flat out trying to keep it inside the IT profession.

        • #3291152

          Swallow a Bullet?

          by up4achallenge ·

          In reply to Your example is flawed.

          DNS poisoning is not the issue here, the same can be said for Microsoft’s website. You’re grasping at straws as far as I am concerned.

          As for swallow a bullet? I have one for you. Get off the pipe.

        • #3291440

          RE: Your example is flawed,

          by vance9 ·

          In reply to Your example is flawed.

Ahhh, if you only understood Open Source. Both apt and now yum for Fedora have built-in security protection. They perform md5sum checks on the software, and you can obtain the software from multiple repositories. But the biggest and safest test is that the files are GPG signed by the repository site.

For someone to be able to pull off a charade as you suggest, many things would have to be compromised. I’m not saying that this could not happen, but the likelihood of it happening is remote because there is so much involved.

        • #3304942

          I would also ask

          by hal 9000 ·

          In reply to RE: Your example is flawed,

          Why bother going to all that bother for such a small section of the market?

Wouldn’t it be far more profitable to do something like this to MS, who has the lion’s share of the market? That way the person/s involved would be doing far more harm than a couple of OSS applications. The reality of this is that OSS is only a very small section of the market and the really big section is MS and Windows, so unless you are downloading some OSS that runs on Windows which has been compromised there is very little point in the exercise.

          Col

        • #3311167

          not that again

          by apotheon ·

          In reply to I would also ask

          I get sick and tired of people on both sides of the issue pretending that there’s any security in obscurity. There isn’t. It doesn’t work. A minimum critical mass must be reached for writers of malicious code and system crackers to take notice of it, to be sure, but Linux reached that point somewhere in the mid-’90s and has only grown since then. Unices in general have been at that point since the ’70s.

          In fact, open source Unix webservers claim the largest share of the market. Apache holds a clear majority of webserver market share, running on Unix systems. A great many of those systems are Linux distributions or BSD OSes, all of which are open source. Linux servers outnumber Windows systems by a fair amount in the Internet server market, and Apache so thoroughly outnumbers IIS as to make your comments laughable.

          Really, the greatest number of attacks on Microsoft systems that isn’t also made up of attacks on open source systems is made up of nothing more than spyware, adware, and email virus infection. Linux servers on the Internet get attacked as much as Windows servers do (because Windows servers reached a minimum critical mass necessary to draw attacks there, even though Unixlike systems hold a vast lead in numbers), but they are almost never compromised due to a more secure architecture.

          Please stop propagating that absurd, apocryphal idea that obscurity provides any meaningful kind of security advantage for open source software. By doing so, you undermine the credibility of the actual security advantages to be had from open source software.

      • #3291180

        Sorry, but Debian was compromised

        by ultra_blue ·

        In reply to nonsense

        • #3291176

          Replying to my own reply

          by ultra_blue ·

          In reply to Sorry, but Debian was compromised

But this shows one of the places where the open source community excels: communication. The news of this hack was released, along with all details. In addition, since developers and other experts have access to the code, they can figure out what’s what. An opaque company like MS, deep in denial about its own security, can’t respond like that.

          Blue

        • #3291000

          exactly

          by apotheon ·

          In reply to Replying to my own reply

          Debian’s servers were broken into, but the Debian project members quickly detected the attack, checked the archives, and ensured that the important bits were uncompromised. Meanwhile, we don’t even know how many times Microsoft servers have been compromised.

        • #3291158

          And repaired?

          by up4achallenge ·

          In reply to Sorry, but Debian was compromised

          Anyone get all the bugs out of Windows 95 yet? The bug was found and repaired.

        • #3305188

          You might consider learning to read…

          by bixbyru ·

          In reply to Sorry, but Debian was compromised

          The article stated that the archives were *not* compromised.

          So someone broke into a handful of boxes there – it’s rare, but not unthinkable.

No one ever said that Linux et al. was impossible to hack, just that it’s rather difficult.

          Windows, on the other hand, spreads ’em for any Thom, Dick or Harry.

          Bix

      • #3314650

        Problem One – Linux

        by ctrstrike ·

        In reply to nonsense

Well apo, problem one here is I could never get away with proposing Linux. I’m actually a HUGE UNIX fan – preferably the Solaris variety. I propose this for all customer solutions that require a 4 9’s or higher SLA uptime. Unfortunately with the weekly maintenance boot required of W2K I can’t use it in critical scenarios as I’ve outlined above. In my design sets I’ll typically place EM solutions on Sun/Solaris and Email/File/Print on W2K or higher. I’d probably be laughed out of the briefing room if I even proposed Linux…good stuff but needs a little more maturity to run with the big dogs IMHO.

        • #3314367

          two problems with that

          by apotheon ·

          In reply to Problem One – Linux

          1. Linux is as mature as Windows. More so, even. For one thing, it has been around almost exactly as long as any kind of usable Windows OS. For another, it is built upon an operating system tradition that stretches back no less than 35 years. That’s about double what Windows has going for it in terms of “maturity”.

2. That proprietary solution you think is such a great answer, Solaris, is capable of a little more in certain circumstances than Linux, and far less in others. Aside from that, however, the open source development model is so successful and promising that Sun is actually pushing to release an open source version of Solaris. Follow the tech news, read the writing on the wall: the truly reputable proprietary software vendors (Novell, IBM, Oracle, Sun, et cetera) are investing heavily in open source software development. That’s not because Linux solutions and other open source software projects are “immature”. I’d like you to explain how open source software like Apache (sixty-some percent of web servers), BIND (ties the entire Internet together), and Slashdot (a website that receives so much traffic on the Web that any time it links to another website, that website usually gets hit with so much traffic that it can’t handle it, often referred to as “the slashdot effect”) aren’t “mature” enough.

          Perhaps it’s not open source software that needs to mature. Perhaps it’s the narrow attitudes of your colleagues in the briefing room, who seem to have swallowed all of the FUD that has been spoon-fed to them by Microsoft and its cousins. You’ve been fed a line, and you bought it without actually looking into the facts.

    • #3292949

      Duh,

      by thatboy ·

      In reply to Open Source software vs. Proprietary software

      the time to compare the md5 checksum or other “signature” is BEFORE you install the software.

Furthermore with proprietary “closed source” software, you also have no way of knowing if the developers have put in the same kind of malevolent “hooks” to your machine.

And even furthermore, the typical EULA that accompanies that kind of crappy product usually explicitly states the software is not fit for any kind of use and specifically absolves the developing company of any kind of liability.

      There goes your law suit, nit.
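The thread keeps returning to the same practical advice: pickleman’s “check your signatures before and after you download”, vance9’s note that apt and yum check md5sums and GPG signatures, and thatboy’s point that the checksum comparison has to happen BEFORE installing. As an added example, not code from this thread or from any of the projects it mentions, the Python below verifies a download against a sha256sum-style manifest and also walks through the failure mode kaceyr keeps raising: if the attacker controls the download server (or the DNS answer that sent you there), the checksum file sitting beside the binary gets replaced too, so a bare hash check passes. All file names, bytes and digests are constructed; the “pinned” manifest digest stands in for anything obtained through an independent path, which in the apt case is the repository signature vance9 mentions, checked against a key you already hold.

```python
"""Verify a downloaded artifact against a sha256sum-style manifest.

Added example (not code from this thread or from any project named in it).
All file contents, names and digests below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for a genuine installer and a tampered copy of it.
GENUINE_INSTALLER = b"MZ\x90\x00 constructed installer bytes, not a real binary"
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00 appended attacker payload (constructed)"
ARTIFACT_NAME = "example-setup.exe"  # hypothetical file name


def sha256_hex(data: bytes) -> str:
    # SHA-256 rather than the md5sum the thread mentions: MD5 collisions are
    # practical today, so MD5 no longer proves a file was not substituted.
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the format `sha256sum` emits: '<64 hex chars>  <filename>' per line.

    Blank lines and '#' comments are skipped. A leading '*' on the filename
    (sha256sum -b, binary mode) is stripped. Malformed lines raise ValueError
    instead of being silently ignored.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 digest")
        entries[name] = digest
    return entries


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def verify_download(
    name: str,
    data: bytes,
    manifest_text: str,
    pinned_manifest_digest: Optional[str] = None,
) -> VerifyResult:
    """Check `data` against the manifest, optionally checking the manifest itself.

    `pinned_manifest_digest` is the SHA-256 of the manifest as obtained through
    an independent channel (a second mirror, a signed release announcement, a
    value recorded earlier). Without it, a manifest fetched from the same server
    as the file only shows the download was not corrupted in transit; it says
    nothing about a compromised server or a spoofed DNS answer.
    """
    if pinned_manifest_digest is not None:
        manifest_digest = sha256_hex(manifest_text.encode("utf-8"))
        if not hmac.compare_digest(manifest_digest, pinned_manifest_digest.lower()):
            return VerifyResult(False, "manifest does not match the pinned out-of-band digest")
    entries = parse_manifest(manifest_text)
    expected = entries.get(name)
    if expected is None:
        return VerifyResult(False, f"{name} is not listed in the manifest")
    if not hmac.compare_digest(sha256_hex(data), expected):
        return VerifyResult(False, "file digest does not match the manifest")
    return VerifyResult(True, "file digest matches the manifest")


# Constructed manifests: what the project would publish, and what an attacker
# who controls the download server would publish beside the tampered file.
GENUINE_MANIFEST = f"# release checksums (constructed)\n{sha256_hex(GENUINE_INSTALLER)}  {ARTIFACT_NAME}\n"
ATTACKER_MANIFEST = f"# release checksums (constructed)\n{sha256_hex(TAMPERED_INSTALLER)}  {ARTIFACT_NAME}\n"
# Digest of the genuine manifest, as if recorded from an independent source.
PINNED_MANIFEST_DIGEST = sha256_hex(GENUINE_MANIFEST.encode("utf-8"))


def run_scenarios() -> Dict[str, VerifyResult]:
    """The cases the thread argues about, side by side."""
    return {
        "genuine file, genuine manifest": verify_download(
            ARTIFACT_NAME, GENUINE_INSTALLER, GENUINE_MANIFEST),
        "tampered file, genuine manifest": verify_download(
            ARTIFACT_NAME, TAMPERED_INSTALLER, GENUINE_MANIFEST),
        # Attacker replaced both file and manifest: the hash check alone passes.
        "tampered file, attacker manifest": verify_download(
            ARTIFACT_NAME, TAMPERED_INSTALLER, ATTACKER_MANIFEST),
        # Same attack, but the manifest is checked against the pinned digest.
        "tampered file, attacker manifest, pinned": verify_download(
            ARTIFACT_NAME, TAMPERED_INSTALLER, ATTACKER_MANIFEST, PINNED_MANIFEST_DIGEST),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{'PASS' if result.ok else 'FAIL'}  {label}: {result.reason}")
```

The third scenario is the one that matters for the argument in this thread: a checksum file served next to the binary catches corrupted or partially downloaded files, not a substituted release. The fourth scenario is what a signed repository index gives you in practice, since the signature ties the manifest to a key you obtained separately, so the attacker has to compromise the signing key as well as the server. The `hmac.compare_digest` calls are constant-time comparisons; for a local file check that is a habit rather than a necessity, but it costs nothing.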

      • #3292893

        Legal Recourse

        by ra.kish ·

        In reply to Duh,

You still have legal recourse against a proprietary software maker. It may be harder to pursue or prove, but I cannot think of a court that would not award the person truly harmed by a malicious program, regardless of the license. And doesn’t open source apply the same license arrangement? You Wit.

The fact is that with proprietary software, you know where the malicious code was placed in your program. With open source you do not. It could be the original developer, one of the unknown persons that contributed source, or even the distributing server. Give me proprietary, locked down software any day.

        • #3292765

          While in Theory you may be correct

          by hal 9000 ·

          In reply to Legal Recourse

          The fact of the matter is that you will be tied up in courts for the next 20 years after the original decision is made and you happily win.

If you were really hurt financially by malicious code or even badly prepared code the simple fact is that you wouldn’t have the available funds in the first place to start the action and in a worst case scenario the Software house could not afford a Precedent to be set so they would fight you tooth and nail all the way to your grave.

          There is a very old adage in the legal arena and it goes something like this “He who has the money wins!” If you think for a single nanosecond that the Court System is there to offer Justice you are living in a fools Paradise as the fact is they are there for the benefit of the Legal Eagles and the Judiciary nobody else.

          Col

        • #3292428

          Settling

          by ra.kish ·

          In reply to While in Theory you may be correct

          Of course, if the Company really feared setting a precedent, they may be more willing to settle out of court and tie it to a nondisclosure agreement.

          As for the Courts being exclusively for Big Money, there have been way too many suits won by the Little Guy suing Companies like AT&T, MCI, Microsoft and IBM to be dismissed.

        • #3292395

          True but with the Non-Disclosure Agreements

          by hal 9000 ·

          In reply to Settling

          You have to do it all from scratch and it is very expensive and time consuming. Even if you know of a specific case in question you can not use it because of the Non-Disclosure clause.

          Col

        • #3291161

          Legal Recourse?

          by up4achallenge ·

          In reply to Legal Recourse

Can you tell us how many people Microsoft has reimbursed for Millennium? How many proprietary software companies have been successfully challenged? Truth is when something goes bad, usually it’s too cost-intensive to trace the origination. I think this is a very poor argument indeed. You are paying for the software to function; would you keep a car that ran some of the time or hold the manufacturer responsible?

    • #3292946

      Why use Open Source, you ask?

      by mollenhourb9 ·

      In reply to Open Source software vs. Proprietary software

Because for the cost of one person recompiling the source code, then distributing the product (Firefox, OpenOffice, etc.) to the entire enterprise, you can save millions in license fees. Those are jobs that can stay here, better equipment that can be purchased, etc.

      In addition, there are people out there writing apps with open source code that charge only for the added value they provide. For that, you get a greatly discounted application AND the guarantees you attribute to proprietary software.

      By the way, proprietary license agreements always have a “hold harmless” clause in them that says you can’t sue for damages if they crash your system.

      • #3292895

        The savings won’t be what you think

        by kaceyr ·

        In reply to Why use Open Source, you ask?

        What about the code review? Your savings scenario assumes that the code is a-ok. Maybe it’s not. You don’t know unless you perform a detailed review.

        You’re right that the proprietary licenses usually have a “hold harmless” clause, but there are limitations to that clause that vary from state to state. The same holds true for the “No Warranty” clause (which the GPL also contains).

        As for Open Source software keeping jobs here in the USA, any company that’s going to send jobs overseas will do so regardless of where the software is coming from.

        I’m not trying to imply that Open Source software is an unworkable idea, but I get tired of people jumping on the band wagon because of the word “free”. If the software works for you, and you’re reasonably assured that you’re not getting something insidious, go for it. But don’t knock the proprietary software just because people want to be paid for their effort. Many times their effort results in a better product.

Speaking of overseas jobs, try taking a look at the locations of the authors of most Open Source projects. They’re from all over the world. So it’s not a stretch of imagination that the use of Open Source software could, possibly, promote overseas outsourcing of programming jobs.

        • #3291205

          I see know …

          by romerogt ·

          In reply to The savings won’t be what you think

Can you tell me then, why MS opened its code to governments? Doesn’t it tell you, maybe, just maybe, the open source way has made a point there?

I can assure you, people who professionally promote open source won’t tell you it is free; in fact if you visit http://www.gnu.org they clearly state “Free as in Freedom”. Open Source is an option, as cooking/preparing food is an option against “macaroni & cheese”.

The world is not the US; did you know there are people, like me, who live outside the US and also need a job?

        • #3291031

          The world is not the US huh?

          by netman1958 ·

          In reply to I see know …

          The world might not be the US, but the world certainly turns to the US every time they need help or to be bailed out. How does anything about the US keep you from getting a job in your country? If you can’t find work in your country, maybe you should blame your own government or your own citizens.

        • #3291001

          blame

          by apotheon ·

          In reply to The world is not the US huh?

          Whether or not you have any good point somewhere in the back of your brain about keeping jobs domestic, you have made zero good points here. Really, exhorting others to spend all their time looking for people to blame rather than looking for a job is a pretty asinine thing to do.

        • #3290983

          Seems you didn’t undertand my point…

          by romerogt ·

          In reply to The world is not the US huh?

Politics is not my field; I just wanted to clear up what you understood me to say.
I was saying the US is not the world, because the author of the article is trying to say that Open Source is bad because it might get IT jobs to compete around the globe… I do not agree, nor do I see a point in Open Source being a danger to the US.

On the contrary, there have been some reports that the natural monopoly MS represents poses a greater risk to the US, and this you can google…

          Furthermore, see Germany for example, they are promoting OSS projects clearly, and even Oracle and Microsoft have a lot of development being done outside US, not to say, what is done in the US seems to be done by people from abroad.

And by the way, I do have a job (thank God, education, experience and ethics) and I am not complaining, nor stating that the US messes with other countries. I did not intend my comment to be interpreted in a political sense; sorry if it seemed so.

        • #3290965

          It seems you have missed the point of the article

          by kaceyr ·

          In reply to Seems you didn’t undertand my point…

          As the author of the article I am telling you that my point is not to say that Open Source software is bad or has anything at all to do with the job market.

          The point of my article is to open a discussion about the pros and cons of Open Source software versus proprietary software with the goal of providing further insight into the pros of Open Source software, and identify ways to mitigate the cons.

          In order to foster a discussion, I’ve presented the article from the point of view that Open Source software presents a significant risk. I believe that I’ve accomplished my goal.

          I will also be using this discussion in the future to point out to my clients that there are others with the same concerns that they have, who have found acceptable solutions to their worries and are now using Open Source software to their benefit with a significant savings in cost.

        • #3292398

          Kind of see your point

          by romerogt ·

          In reply to It seems you have missed the point of the article

I kind of see your point, but I do not understand how you intended to do a “versus” proprietary, when at no moment have you stated the risks that proprietary software has, nor do you point out any pros of Open Source.

You cannot conclude, from all the postings, whether OSS is worth taking into consideration or not; you cannot conclude proprietary software is better either. The first part maybe because of the biased original article, the second one because it depends on each case and circumstances.

I do not think Open Source, Oracle nor MS has the answer to our problems; they just give the tools. There is a very interesting comparison made by Bernard Golden, of Navica, that gives the difference in the approach of both software models, which I think makes clear that you have to consider this, your way of managing IT and your technical capacities, to choose one or the other. There will never be a winner in this race.

        • #3291570

Yes – the US is not the world

          by outop ·

          In reply to The world is not the US huh?

You say the world always turns to the US when it needs anything done. The only reason it does that is because the Yanks are (most probably) already there, and the cause of the problem.
          Most often-touted slogan: “Yankee go home!”

        • #3291493

          Yup, they’re already there.

          by kaceyr ·

In reply to Yes – the US is not the world

          Check your history. Us Yankees INVENTED the integrated circuit and the software industry.

          And before you ask; yes, the integrated circuit was developed for the US Military. It’s an example of military technology that makes its way to the private sector.

        • #3314661

How can TR still be focusing on this disc.

          by romerogt ·

          In reply to Yup, they’re already there.

I’m really frustrated at receiving today an email pointing again at this discussion when you (kaceyR) have made it an international politics issue …

How can you think you are defending a technological point by guarding a country’s contribution? There is NO relation.

        • #3291381

          off-topic

          by apotheon ·

          In reply to Yes – the US is not the world

          This is WAY off-topic, and not productive. Care to change the subject back to something relevant?

        • #3291563

          Open Source a Doom

          by orasu ·

          In reply to The savings won’t be what you think

          I cannot agree less with KaceyR’s observations. The fact that Open source is “free” is what is making people lean towards this kind of activity. Besides, think about it, it is being run by a group of technical folks whose passion is “Technology..”. Therein lies the whole problem. Every solution presented is a technical solution rather than what is required for today’s business. Open source is good but not unless it is owned and supported. With a bunch of technical folks involved in rapid fire coding, legal and business aspects could be an oversight.

        • #3291508

          I find it interesting that you use the word “DOOM”

          by hal 9000 ·

          In reply to Open Source a Doom

          When that is the name of the virus that affects the MS update site.

          However, more to the point, while it is true that Open Source is not ready for the desktop yet, or more correctly the End Users are not ready for Open Source.

          It is a big hit in the high end server market which MS is trying to crack with their Windows 2003 Enterprise Server and their Trusted Computing Model which incidentally is the most secure OS that MS has ever built, but it still required a patch within 2 weeks of its release and has had several since then.

          In that section of the market Unix/Linux rules and there is currently no likelihood that MS will be moving in in the foreseeable future.

          Col

        • #3291483

          Internet Servers

          by kaceyr ·

          In reply to I find it interesting that you use the word “DOOM”

          Yes, a huge number of servers on the Internet now run Linux. I would suggest to you that the primary reason for this has nothing to do with the quality or the availability of the software.

          When the Internet was being developed, the operating system being used for the experiment was Unix. You know, the expensive software that prompted Linus Torvalds to develop an alternative (and yes, the Internet started as an experiment sponsored by the US Defense Advanced Research Projects Agency, DARPA for short, hence the original name of DARPANET).

          As the Internet became more and more successful, more companies started putting servers on the Internet using the same technologies that created it in the first place. Later, as Linux was becoming more robust, many of them began to discover that they don’t really need an OS with an annual licencing fee in six digits. So they switched.

        • #3291324

          factually inaccurate

          by apotheon ·

          In reply to Internet Servers

          The Internet didn’t start on Unix. It moved to Unix (all Unix-like OSes, as opposed to the trademarked, named OS known as UNIX) because that was the best tool for the job. The Internet started on the PDP-10 with OSes like TOPS-10, TOPS-20, MULTICS, ITS, and SAIL.

          Your entire point falls apart. This has nothing to do with legacy compatibility and everything to do with using the right tool for the job. Even Windows systems approach POSIX compliance, and have the feature set necessary to act as servers for the Internet. They’ll support BIND (developed in open source, by the way), DNS, and web services. The reason Unix is used in an overwhelming majority of cases is two-fold: total cost of ownership, and system security and stability characteristics.

          In fact, the reason that Unix ended up being the backbone of the Internet is that DARPA specifically chose BSD Unix as the successor to the PDP-10 OSes. The reasons for that choice might surprise you. One had to do with the clean, solid OS architecture. The other had to do with the fact that the source code for the OS was open.

        • #3291315

          I stand corrected.

          by kaceyr ·

          In reply to factually inaccurate

          Even I miss my historical points from time to time.

        • #3304941

          So are you trying to say MS

          by hal 9000 ·

          In reply to Internet Servers

          Uses Linux with their recently acquired Hot mail?

          It was my belief that when MS insisted on switching from Linux to Windows they had massive problems and lost existing users in droves never to return.

          Col

        • #3310939

          Internet servers and Microsoft

          by scatts ·

          In reply to Internet Servers

          Having supported both Windows & OSS in an ISP I know which is right, and it’s not down to original package cost. Windows & IIS have a large number of flaws; Apache & UNIX-like OSes have far fewer and on the whole less serious exploits because nothing runs as root. Ask any ISP which box needs rebooting most frequently: it won’t be the UNIX-like one.

          The key thing here is whether the operating system has been designed from the ground up as secure and with a good audit trail. I don’t believe any version of Windows qualifies due to the compromises it makes to accommodate third party software developed for previous versions.

          If you go for shrinkwrapped code from a reputable supplier like Novell, HP or IBM then IMHO you are no more at risk than using Microsoft SW. As for legal recourse, as already explained above you have no chance. Look at the Internet Explorer bundling case: if the DOJ can’t chastise Microsoft then who can?

          As to jobs going abroad, look who is investing billions in moving support & development jobs there – it’s not the OSS teams.

        • #3291366

          disagree

          by apotheon ·

          In reply to I find it interesting that you use the word “DOOM”

          I’m afraid I don’t buy the MS claim that Server 2k3 is their most secure OS. Many of its exploits haven’t been identified yet. It solves a lot of exploits that existed in earlier Windows OSes, but I’m sure it creates a lot more that nobody has (publicly) identified yet. I rather suspect that Windows 2000 Server makes a more-secure OS than Windows Server 2003.

          I could be wrong, though. You might be right. Judging by the fact that XP looks like Swiss cheese beside Win2k, though, and it’s the intermediate step between 2k and 2k3, that doesn’t really bode well for 2k3’s security.

        • #3291350

          I wish I could disagree with you on this one

          by kaceyr ·

          In reply to disagree

          But I can’t. Based upon the Windows 2003 security flaws already discovered, I certainly won’t be ditching any firewalls or proxies any time soon, and I have to agree that my Windows 2000 servers seem a lot more secure than a Windows 2003 server.

        • #3304959

          You misunderstand me

          by hal 9000 ·

          In reply to disagree

          That is exactly what I was saying: at the release of 2003 MS claimed that they had tested it fully and found no problems, but 2 weeks later they had a patch out for it.

          The current MS model is to me a sinking ship that is attempting to bail out the incoming water faster than it gets in but of course there are far more holes than buckets to move the water away with.

          I just find it funny the way that MS tries to make people think that they are a believable company when it comes to security. I have yet to see any of their products which do as they say when released and they all have a multitude of Undocumented Features which in anything else would be considered as flaws.

          Col

        • #3304358

          Yes it is a signal of DOOM

          by orasu ·

          In reply to I find it interesting that you use the word “DOOM”

          To your point, Linux is not running any serious application. It is only popular with the technical folks and a case is always presented that it is free and cheap. I have known of a number of instances where companies following the free and cheap model fell flat on their face. On the flip side, if Microsoft released a product and if it did have bugs we can look forward to a fix. Who the hell is answerable in the ‘Open Source’ market? In a nutshell it belongs to all and is owned by none. You said it, Microsoft released a patch in 2 weeks, which is a testament to their commitments around their product. I am no Microsoft fan or follower but simply drawing comparisons with a successful company is not in good taste.

        • #3304270

          DOOM? You play too many video games.

          by apotheon ·

          In reply to Yes it is a signal of DOOM

          “Linux is not running any serious application.”

          Oh really?
          Apache Web Server (around 60% of the Web)
          DNS
          BIND
          Oracle
          Most hardware firewalls

          As for bugs: Linux bugs, if and when they happen, are often fixed within a few hours. When was the last time that happened with any release of Windows? Don’t bother answering. The correct answer is “never”. Two weeks is a terrible turn-around on security patches for an OS in common use.

          When I first saw the title of your post, “Yes it is a signal of DOOM”, I thought someone was responding to you with sarcasm. Do you have any idea how ridiculously melodramatic, and completely out of touch, you “sound”?

        • #3297769

          DOOM

          by orasu ·

          In reply to DOOM? You play too many video games.

          I really don’t care what you think.

          I understand your passion for “Open Source”, but that doesn’t prove that Microsoft’s model is flawed or is wrong.

          Bottom line is it is still unreliable to look forward to a product which is owned by all and responsible for none.

          How many times have you seen all the servers that you talk about being down for “Maintenance”. Dah!! if that tells you something.

        • #3302264

          re: DOOM

          by apotheon ·

          In reply to DOOM? You play too many video games.

          “How many times have you seen all the servers that you talk about being down for ‘Maintenance’”

          I don’t even know what you’re trying to say. I realize this must be due to some kind of language barrier. English, it would seem, is not your first language. I’d like for you to clarify what you’re saying so that I can respond to it.

          It has occurred to me that you might be trying to say something about the reliability of the open source servers to which I referred, but considering that your implicit assertion (if that’s what you mean) is without any merit I think that you probably actually meant something else.

        • #3305174

          Rapid-fire coding?

          by bixbyru ·

          In reply to Open Source a Doom

          With no push to get-it-out-the-door-damn-it, OS/FS never comes out of the oven ’til it’s either fully cooked or as an acknowledged beta so people can test it and provide feedback.

          One need only compare and contrast this to the “Ready. Fire! Aim…?” development model MS uses to see that your argument is baseless and devoid of merit.

          Bix

        • #3212423

          Owned and supported

          by foringmar ·

          In reply to Open Source a Doom

          “Open source is good but not unless it is owned and supported.”

          Oh really???

          What about the Alphabet? It is very much open source. But according to You the Alphabet would be good only if it was owned and supported.

          Well, the alphabet is such a good product that it needs very little, if any, support.

          You should broaden Your perspectives!

        • #3291285

          Depends on what you call savings…

          by ttg ·

          In reply to The savings won’t be what you think

          What of the cost of excessive upgrades, the cost of many, often unworkable, patches, the cost of downtime, the cost of morale? You don’t address all those costs when you promote proprietary software. OpenSource is an outstanding alternative in most, but not all, environments. That is why the movement is growing. It has lower costs across the board.

        • #3305180

          Free as in speech,

          by bixbyru ·

          In reply to The savings won’t be what you think

          not as in lunch. A concept the Moral Majority and the Busheviks disparage but have yet to kill.

          The savings with OS/FS can be huge so long as you have the expertise to make things work.

          So can the savings to a company which maintains its own fleet rather than going to the dealership for service.

          If, on the other hand, you throw untrained fools at your infrastructure, you get what you deserve – whatever OS and applications are involved.

          Bix

      • #3291576

        greater control over the app.

        by raghu ·

        In reply to Why use Open Source, you ask?

        I don’t really agree with the argument that if you have the knowledge then why not develop the code. I have developed drivers taking the open source as a base. It is nice because one gets a good start and the initial learning curve is easier to manage.

        As a project manager in the software development arena, I always liked the idea of using good design tools in combination with open source and some standard, i.e. UML etc., or a person-based dev, when a single person is responsible for the product.

        In the software development picture it is a boon to have concepts like open source.

      • #3291401

        Is a proprietary vendor any more responsible?

        by zaferus ·

        In reply to Why use Open Source, you ask?

        Is there really any better recourse for most commercial software? What if, browsing the Internet with IE, you automatically install some spyware and worms with the current iframe vulnerability, and through this your system slows down and crashes, data is corrupted or deleted and your network and business is disrupted? Will Microsoft accept responsibility and “make it right”?

        Don’t hold your breath…

        If you’ve ever seen Microsoft’s legal agreement it basically states “no matter what – we’re always right, you’re always wrong”.

        This analogy for Firefox is really no different from the inherent problems with commercial software. While I agree in-house support can be increased with open source, I think that there can be a balance in a network using open source in many places to augment a business’s security and functionality.

        And I think firefox is definitely a step in the right direction.

    • #3292901

      Compilation vs builds

      by bargarablue ·

      In reply to Open Source software vs. Proprietary software

      A couple of points to note. Proprietary software in my experience is a closed book. You get updates and new versions without really knowing what you get until you try. Having been burnt many times with upgrades from reputable companies that broke systems and didn’t work as promised (remember Windows ME), I trial and test before putting any upgrade/patch into production. Makes for a slow response but it saves time and frustration, and the integrity of the systems I look after. Even with Open source the same precautions apply, but it is an open book. I can talk to developers/list maintainers about issues with upgrades. I can recompile applications with different configurations to optimise.
      My company has to pay for the same support with the commercial packages we run.
      You get what you pay for.
      The argument should not be about the licencing type but how good the product is and how good the support is. If it’s open-source, my experience is that fixes and support are far quicker than for the proprietary software, but that’s why we chose that product. It’s our choice and our responsibility.
      Mix them up, and let the better products win.

      • #3292891

        Yes, I remember Windows ME

        by kaceyr ·

        In reply to Compilation vs builds

        Sort of the way one remembers a nightmare after waking up. Yikes!

        I like your approach because it gives you not only a more solid product, but the chance to get it configured optimally for your environment.

        Having said that, my clients all have Microsoft support agreements and we’ve been able to get responses, fixes, and configuration information in under three hours. Perhaps it’s because we’re all in western Washington, perhaps not. Of course, there is the cost of the support agreement ….

    • #3292896

      Safe Practice with Open Source

      by pip22 ·

      In reply to Open Source software vs. Proprietary software

      Fair comment regarding the possibility of open-source code being malevolently doctored. However, the answer surely is to download open-source software (such as Firefox) only from the official developer’s website, where it is unlikely to have been ‘spiked’.

    • #3292890

      Another Flaw

      by ra.kish ·

      In reply to Open Source software vs. Proprietary software

      You bring up an extremely valid point about malware and open source. This is similar to my continuing basic flaw about all open source practice: where do you turn to if the code does not work right? At least with proprietary software, you know that you turn to the company that provided the software. Where do you turn with open source? Where did the flaw come in? The original code? An extension? Someone’s one-off version that got distributed? A bad bit? And how soon do you get a replacement that you do not need to handle yourself? Again, with proprietary at least you know the chances are slim before the next version, but the chances are also good that it will be in that version. With open source, aside from doing it yourself and continuing to do it yourself, what are your options?

      Don’t get me wrong, I am a programmer and love playing with code as much as any other. But I would not give a source to my father and tell him to compile and debug it.

      • #3292763

        But would you give a

        by hal 9000 ·

        In reply to Another Flaw

        VB package to your father and tell him to compile and debug it?

        Sorry that argument works both ways.

        Col

        • #3292413

          Programmer Elite

          by ra.kish ·

          In reply to But would you give a

          My father, who is computer savvy, but not a programmer, would expect a good install program that would place an executable version of the program on his computer which he would use. If something went wrong with the program, he would contact the developer of the program and tell them about it, hoping for a fix.

          If your point is that open source is only for the programmer elite, I think that you are missing the point of commercial programming.

        • #3292391

          No it wasn’t

          by hal 9000 ·

          In reply to Programmer Elite

          My point was that in both cases you can get acceptable installs. And in both cases you might not as well, but there is always a fix possible and the developer, whether they be a big corporation or a small software house, will always attempt to come up with a fix.

          Failing that there are the various user groups where questions can be placed. Incidentally the Windows User Group is a far better place to try than MS for answers.

          Currently I’m doing a rewrite for a Debian install on a server platform with all SCSI HDD and an IDE CD ROM which isn’t recognized after the SCSI controller is loaded. But on the same piece of hardware the same thing happens with Windows which needs a rewrite to install.

          What most of the “Programming Elite” are attempting to do is to create goods that are capable of being used by the complete novice, so most take it for granted that the end user will have no experience and work accordingly.

          Col

        • #3291436

          That’s Not My Impression

          by ra.kish ·

          In reply to No it wasn’t

          …of open source. Every time I ask this question, the answer comes back that someone in the user community will find an answer and give it to me [the novice user]. Great! Does that mean that I am now dependent on this user to give me the next version upgrade? What will they supply — a code snippet or a compiled program? What if there are multiple programmers supplying updates to the code? Where do I [the novice] get the version that I can use? As far as I can tell, I am now dependent on that developer (those developers) that gave me my fix in the first version. What if the change is wrong? Who answers for the change?

          Right now there are three or four major vendors of Linux, with at least a dozen different variants. Each variant has its own flavors, strengths and weaknesses. This is causing more fragmentation in the marketplace than cohesion. When I buy a Linux software package, I also have to know which [current] versions of the OS it is compatible with. With Windows and Mac, there is only one version.

        • #3305088

          Ummm…

          by andrew t. fry ·

          In reply to That’s Not My Impression

          According to the FSF that’s sort of the point. Freedom to choose what you want to use 🙂

        • #3292343

          his point

          by apotheon ·

          In reply to Programmer Elite

          I have no idea where you got the impression from his previous post that HAL 9000 was saying that open source software was only for the programmer elite. I saw nothing in what he said that suggested such a thing. All he was saying was that the same problems you’d encounter with someone relatively computer illiterate when working with OSS would arise when working with proprietary software, such as Microsoft’s, as well.

          The previous suggestion that OSS is more problematic for beginners because they shouldn’t be expected to be able to just compile a new binary to make things work is ridiculous, because one wouldn’t ask a beginner to just compile a new binary, whether working in Linux or Windows. If you continue to compare apples with oranges, you’ll continue to get wildly varying results. Don’t compare advanced tasks in OSS with beginner tasks in closed-source software if you want a clear comparison without bias.

          People seem to have this strange belief that just because you CAN compile from source yourself, you MUST compile from source. That’s simply not true. There’s a wealth of precompiled binaries out there for software designed to handle basically every major task, and if you’re using a major Linux distro you’ll find versions of those precompiled binaries that will run on your system.

        • #3291417

          You Miss My Point

          by ra.kish ·

          In reply to his point

          The fact that there are binary libraries available with every major Linux distro is great! But it still does not change my assertion. Someone has to put code together to read those libraries and get the information out of it and display it to the user [The application.] My father is not going to accept a code snippet or source from another user and be able to find where in the application that it should go, then recompile the program so that it works.

          The impression that I get from OSS is that this is The Solution. Yes, it is good that you can get multiple answers from different people, and that you can pick and choose the answer that you want to deploy. However, the greater part of an application’s audience is made up of people that simply want to run the application and have it work. If it does not work, they want to know who to go to that is accountable.

          I do not see this in OSS.

        • #3291307

          you lack understanding

          by apotheon ·

          In reply to You Miss My Point

          Open source software development isn’t “The Solution”. It’s an effective way of finding and developing solutions that work.

          If you don’t see a solution that will Just Work with someone behind it that end users can complain to, you aren’t paying attention. Try Red Hat, or SuSE/Novell, or Mandrake, for instance.

        • #3304934

          Well in that case they just

          by hal 9000 ·

          In reply to You Miss My Point

          Rely on the makers or suppliers to make the developments available as service packs or whatever you choose to call them, just like MS.

          But unlike with MS you also have the ability to have a look see at what is going on in any piece of code. Very few write a version of Linux with all the Open Source Apps for themselves.

          Col

    • #3292727

      Good to know that there are still people this stupid out there

      by just another guy ·

      In reply to Open Source software vs. Proprietary software

      I have a neighbor who wandered off one night to “go to the store”. His girlfriend became worried several hours later and asked me to help her look for him. We checked the convenience store, the bowling alley and some bars. No sign of him. I told her not to worry. A week later, he did the same thing. She came by and asked to borrow the phone to call around to try to find him. No go. A couple of weeks later, she revealed the reason he had disappeared. He wasn’t at a topless bar. He is in the Army Reserves, and was doing “top secret work” for the U.S. Government that he couldn’t tell her about.

      Are you her brother (or sister, Kacey is a little ambiguous)?

    • #3291220

      Would you download IE from other site but MS ?

      by romerogt ·

      In reply to Open Source software vs. Proprietary software

      You are right, things could go wrong, because it would be as stupid as downloading IE from a website different from Microsoft.

      All OSS have a real HOME project site; sites such as SourceForge.NET take good pride in managing open source software in an even more transparent way than any commercial product. Also, someone already mentioned MD5 checksums.

      So, if you download Firefox from, let’s say, a “firefox.tweaked_EXAMPLE.com” site you MUST trust that source. Same when you HAVE to give your operating system a plug-in to manage pop-ups, spyware or anything else.

      If you apply a little brain and common sense you can rely on OSS and commercial software; if you are dumb enough to believe anything you read, I advise you to have a very good backup of your PC, no matter whether you are into OSS, commercial or both.

    • #3291175

      MS Fix the Problem??

      by tim_davidson ·

      In reply to Open Source software vs. Proprietary software

      Let’s get real. System crashes and data loss happen every day. Systems that become unusable due to OS errors happen every day. The answer to these problems is not having a software company help you fix the problem. Rather, they tell you to reinstall the software/OS. Your lost data… It is lost. Legal recourse?? What planet are you living on? MS has been responsible for more data loss than anything on this planet. When was the last time somebody sued MS because their software is defective?

      • #3290998

        hold MS responsible

        by apotheon ·

        In reply to MS Fix the Problem??

        One particular case for which Microsoft should definitely be held responsible was the instance in which a Windows server crash nearly caused an 800-airplane pile-up. I have no clue why in a task where system stability can literally save lives a Unix-based solution that has been used successfully for years wasn’t simply upgraded, if necessary, rather than being replaced by a notoriously unstable OS. Whoever made this purchasing decision needs to be fired.

        http://www.techworld.com/opsys/news/index.cfm?NewsID=2275

    • #3291172

      Unfair Comparison

      by up4achallenge ·

      In reply to Open Source software vs. Proprietary software

      I feel that your comparison is somewhat unfair for a few reasons. The first being that proprietary software is just that, proprietary. You are subject to whatever the producer wishes to put in the software and limited to the same. Spyware comes to mind. Your biggest argument seems to be that IF something were to go wrong THEN you would have recourse. With open source you have the choice of looking for problems prior to integrating it into your system. With executables you do not have the option. Anyone with any amount of skill CAN edit distributed executables and repackage for distribution. If someone is smart enough to do so in open source they are very much able to do so in the executables. The “open source software movement” was started for reasons much bigger than “checking code”; look at the Apache web server for example. It has evolved to a point where it is dominating the serving market. As mentioned in other replies there are methods of checking if a file has been compromised, but nothing is secure unless you know exactly what has gone into it. Open Source is about control not cost, that’s what it boils down to almost any way you look at it.

      I also would like to mention that just because someone can read and write any given programming language DOES NOT mean you can do better or even the same. I take it you do not realise the amount of time involved in planning, writing, debugging, commenting and distributing software of any size. I personally could not have done nearly the job Mozilla has, but I can understand their code……

    • #3291099

      a matter of trust

      by darksidegeek ·

      In reply to Open Source software vs. Proprietary software

      KaceyR: “Companies today are very paranoid (and rightly so) about system intruders and industrial espionage. With this in mind, why would you turn to Open Source software?”

      Several years ago, a long time commercial database product (Borland InterBase) was turned over to the Open Source community. Only after its public release was it discovered that an unpublished “back door” previously existed to bypass the security of both the DB and the OS it ran on.

      How can you be sure that the same situation does not exist in other commercial products? Without access to the code, how will you ever know? With open source, at least the possibility exists that nothing similar will sneak by. But does this mean that everyone should eschew commercial software? Certainly not.

      Open Source is not a cure-all, nor will commercial vendors ever drive the open code model away. The decision to implement one vs the other is a function of economics and trust. Do you trust the open source community more than you trust your vendor? Is the long-term TCO of open source greater or lesser than that of commercial programs? There is no right answer. Neither camp is 100% correct. It boils down to an individual’s decision in specific situations.

      But this concept of individual choice and responsibility brings to mind another trap that KaceyR falls into. The claim is that the only way to know if an open source product is safe is to personally perform a code review. While speciously correct, the argument neglects the power of community and the monitoring and reporting that the collaborative open source environment provides. If living in a vacuum, open source exploits — theoretical or otherwise — would have a field day. But the reality is that with millions of eyes in the open source community, such an exploit would not exist for long. One could be paranoid and demand a self-performed code review on every single open source app, but then I would expect such an individual to be testing their gasoline before filling their car’s tank just to be sure it wasn’t ethanol or diesel!

      Lastly, KaceyR’s legal liability hypothetical was a bit of apples/oranges. A checksum-validated commercial product was compared to a checksum-failed open source project. Let’s turn that around and compare like items: a commercial vendor is no more likely to support a checksum-failed product than an open source provider is. As for the checksum-validated converse, while it may be technically true that legal recourse would be possible in the commercial situation, reality dictates that no-fault EULAs and the long legal process would render the point moot. Legal indemnification of commercial software serves mainly to bolster the trust-in-your-vendor argument.

      Trust in whom you feel appropriate. It seems clear from the comments that KaceyR will live happily in the commercial world. Zealots, meanwhile, will run with Linux on their desk, Opie on their PDA, and Freevo on their DVR. The rest of us will continue to strike that balance of economics and trust.

      • #3291026

        You are correct

        by kaceyr ·

        In reply to a matter of trust

        It comes down to a matter of trust. Both the initial question of trust, and the resultant degree of trust.

        You point out that I fall into the trap of neglecting the value of the Open Source Community itself monitoring the code. You’re right on the mark on this one. I don’t have sufficient trust in the Open Source Community as a whole to recommend to my clients the use of any Open Source package. The more I research the Open Source Community, the more it sounds to me that the community itself believes that people who would assist in the development of Open Source products are intrinsically trustworthy. I don’t share that opinion, and I hope that no project lead of any Open Source product feels that way.

        I will, indeed, continue to trust in whom I feel appropriate. I develop software for companies that have no trust of the Open Source Community and that, for the moment, pays the bills. I will also continue to evaluate Open Source software using isolated virtual machines to gain trust in the product before I use it for myself or recommend it to a client.

        • #3290913

          what is trustworthy??

          by darksidegeek ·

          In reply to You are correct

          You claim to have “researched” the Open Source community and deemed it untrustworthy, as if it is modelled after a giant community soda bottle and all it takes is one “bad egg” to backwash and spoil the drink. Yet anyone who knows the OSS development process realizes that a project is moderated at the origin (SourceForge for example) and all contributions are closely scrutinized and approved by the project leaders.

          There has not been a single documented “back door” or spiked codebase in the life of the Open Source MySQL database product. Ditto Apache, Mozilla, etc. Yet Borland — a commercial developer — had a back door hidden in their InterBase product for years. So why is a commercial vendor more worthy of your trust than a volunteer coder working in a controlled OSS development process? Is software built with financial gain in mind instantly more trustworthy than free software borne out of necessity or the desire for geekly prestige?

          Again, I’m not saying one is inherently better than the other, just that they are on equal ground and anything else is possibly just reflecting a personal bias. There are nefarious people in all walks of life. They are just as likely working at Microsoft as they are contributing to OSS.

        • #3291559

          They’re not all nice guys, but we know who they are

          by dougn ·

          In reply to You are correct

          It’s not that users of open source software believe that the developers are all nice guys, but that there is no way to hide your mistakes/ill intent in the open source development process. In an open source project you have to prove your competence and integrity daily; the proof is in the code you submit (which has your name attached to it) and in the interactions you have with your fellow developers.

          On any mainline open source project, there is generally a “vetting” process (based on the quality of their code and their interactions with the other programmers) that new developers go through before they are given write access to the source code repository. Nobody applies code blindly that is emailed anonymously from the internet.

          You want professional accountability? You can trace any line of code in an open source project to an individual developer. Does the company making the proprietary software have the same recordkeeping methods? Do you as a customer have full access to those records? Can you email the developer of any section of code directly when you have a problem with that section?

          I’ve used both proprietary and open source software for years, I prefer the open source software. It just makes my life easier to support it.

      • #3290980

        Agreed.

        by romerogt ·

        In reply to a matter of trust

        You are right. The only thing I don’t like is that I consider articles with such biased writers to be inappropriate if it is not stated clearly, especially if this comes to your inbox as if it were a fair evaluation…

        It is worth to look at:
        http://www.rebeccablood.net/handbook/excerpts/weblog_ethics.html

    • #3290933

      Whats the difference

      by ellemoj ·

      In reply to Open Source software vs. Proprietary software

      Basically, what you are talking about here is installing untrusted software, regardless of whether the application is open source or shareware or freeware. The license isn’t the problem. You are installing software from a web site, so unless you trust the source, you run the same risk, regardless of the license. Besides, what is to stop a “legitimate” ABC proprietary software company employee from doing a similar thing? I mean, how many “legit” companies collect “statistical” information?

      Legal recourse against ABC or the open source web site for fraud, theft, damages, etc. is the same. The benefit is that ABC is probably more visible and traceable than some anonymous FTP web site.

      My point is: the issue with open source software at the moment is that it’s more freely available and the POTENTIAL for fraud is greater. A little IT security diligence here can mitigate this risk, i.e. a checksum verification from an independent source is a simple check to make sure your download is “original”.

      • #3292642

        Well if you are so paranoid why download?

        by hal 9000 ·

        In reply to Whats the difference

        With almost all Open Source you can purchase the CDs, DVDs from the vendor for reasonable prices just like you can purchase a similar product from any Software house no matter its name.

        The case here seems to be that because I can download it for free it isn’t as safe as what I pay for, but surely when you choose to pay for items from the makers shouldn’t they all have the same expected security ratings?

        Col

      • #3292618

        disagree re: fraud potential

        by apotheon ·

        In reply to Whats the difference

        I don’t see the potential for fraud being any greater. In fact, it’s lower, generally speaking. It’s more difficult to get away with fraud when the inner workings of everything you offer are made entirely, transparently available to public scrutiny. That’s one of the strengths of open source software, in fact, and is tied closely to the “many eyes” theory of debugging that works so well for open source software.

    • #3292615

      Don’t get it

      by tanmay.mehta ·

      In reply to Open Source software vs. Proprietary software

      I’ve read all the posts till now and I don’t get the following –

      1. Trusting any software is a question of faith and testing – Can we trust any/all proprietary software to be absolutely perfect – nope, same is true for the OSS front – no difference here.

      2. Will finding who’s responsible for a coding problem in OSS or in MS or Borland etc. solve the problem on my plate now – nope, you’ve got to wait for someone to fix it, who pays that guy is irrelevant – no difference here.

      3. If you are a corporate with service support – commercial OSS support and proprietary support is equally good – no difference here.

      4. If you choose to download & install software with no support identified in advance – eg. freeware on MS or Linux – your support options are the same – NIL, if things go wrong it’s your funeral – no difference here.

      5. Legal recourses are the same if you have the same support agreements in place – no difference based on platforms (OSS/ Proprietary).

      Overall, the argument put forth is axiomatic since in simple words it says proper service agreements are useful to customers irrespective of the source/ownership of the software installed – that’s like saying 2 + 2 = 4, we all know it, so what’s the big deal – I don’t get KaceyR’s issue – let’s compare unsupported Proprietary software with supported OSS software – give me the supported software any day, who cares about its origins.

      I say, based on the lifespan you are looking for use whatever is functionally appropriate and cost-effective (over the lifecycle) IRRESPECTIVE of it belonging to the OSS world or proprietary – period.

      • #3292603

        accolades

        by apotheon ·

        In reply to Don’t get it

        You make very good points. Good job.

      • #3291392

        Doesn’t get it

        by jim ·

        In reply to Don’t get it

        What a gorgeous summation.

    • #3291580

      Ever read a software license?

      by tony85 ·

      In reply to Open Source software vs. Proprietary software

      Almost every manufacturer, including Microsoft and the big ones have so many disclaimers that they are not worth the electrons they are written with.

      They deny all responsibility for any losses.

      (and this denial has spread to products beyond software – ever used a recent GPS – they come with a warning “not to be used for navigation” – I kid you not!)

      The differences are:
      1) You know the name of the company you paid in the first place
      2) With open source, you can at least (in theory, if you have the talent and time) fix it; more likely someone else will fix it as a service to the community

      The only incentive a company has to fix things is in the hope that you will buy their next version. And like junkies, we do … Microsoft are no longer fixing IE for anyone except XP users (and presumably Windows 2003 server). Thus we all have to pay or suffer the flaws that came from bad programming in the first place.

      Let’s face it – most of the security holes are buffer overflows – documented as an issue to be addressed since the 1970s in most books on operating systems i.e. the issue has been known longer than most people have been programming.

      The difference seems to be that the open source community learn more from history as they do not want to be shown up as lacking in knowledge; companies want to get product out of the door with minimum effort and maximum return.

      Finally, I have to own up – I am not an open source person, I am hooked on MS and others; only time and intellect prevent me kicking the habit.

    • #3291578

      Licence…and an example..

      by maxsecdsl.pipex.com ·

      In reply to Open Source software vs. Proprietary software

      Check your licence on most software(commercial or opensource or free/shareware). There’s normally a big paragraph that says something like “if our program messes with your data and eats it, then we are not responsible”.

      Have a look at what info Windows update sends to Microsoft about software installed on your machine. I believe you’ll find (via network sniffing) that it’s sending info about ALL software installed on your machine, even though the web page says it doesn’t!

      Most open source publishers also send a checksum of the code (binary or source) so you can double check the validity of what you are downloading.
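        As an added example (not code from any post in this thread), here is the check ellemoj and maxsecdsl.pipex.com describe: compare the download’s SHA-256 against checksums published by more than one independent source, so that a distribution site that ships a hooked binary together with a matching checksum does not pass on its own. The file name, release bytes and “sites” are constructed in memory; the SHA256SUMS text format is the one `sha256sum` emits.

```python
"""Verify a downloaded artifact against checksums from independent sources.

Added example: the release bytes, file name and publishing 'sites' below are
constructed for the demo and are not real releases or real projects.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationResult:
    digest: str                 # SHA-256 of the bytes actually downloaded
    matched_sources: tuple      # sources whose published digest equals it
    mismatched_sources: tuple   # sources that list the file with another digest
    ok: bool


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums_file(text: str) -> dict:
    """Parse lines in `sha256sum` output format: '<hex digest>  <filename>'.

    Blank lines and '#' comments are skipped, a leading '*' (binary-mode
    marker) on the file name is removed, and malformed lines are ignored
    rather than trusted.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_download(data: bytes, filename: str, sources: dict,
                    min_agreeing: int = 2) -> VerificationResult:
    """`sources` maps a source label to the SHA256SUMS text obtained from it.

    The download passes only if at least `min_agreeing` sources publish a
    digest equal to the file's own digest and no source contradicts it. A
    single source that vouches for its own download proves nothing, which is
    why the default demands two.
    """
    actual = sha256_hex(data)
    matched, mismatched = [], []
    for label, text in sources.items():
        published = parse_sums_file(text).get(filename)
        if published is None:
            continue  # this source does not list the file at all
        (matched if published == actual else mismatched).append(label)
    ok = len(matched) >= min_agreeing and not mismatched
    return VerificationResult(actual, tuple(matched), tuple(mismatched), ok)


# --- constructed demo data (not real releases) ---
FILENAME = "tool-1.0.tar.gz"
GENUINE = b"#!/bin/sh\necho 'genuine build'\n"
# The same content with an extra hook appended after the build.
TROJANED = GENUINE + b"# hook inserted after the build\n"


def publish(data: bytes) -> str:
    """Render the SHA256SUMS line a site would publish for `data`."""
    return f"{sha256_hex(data)}  {FILENAME}\n"


PROJECT_SITE = publish(GENUINE)         # the project's own release page
INDEPENDENT_MIRROR = publish(GENUINE)   # e.g. a distribution's package index
HOSTILE_SITE = publish(TROJANED)        # a redistributor vouching for its own hooked file


def demo() -> tuple:
    """Returns (genuine_ok, hooked_self_vouched_ok, hooked_cross_checked_ok)."""
    genuine = verify_download(
        GENUINE, FILENAME, {"project": PROJECT_SITE, "mirror": INDEPENDENT_MIRROR})
    # Checking the hooked file only against the site that shipped it: the
    # digest matches, but one self-consistent source is not enough.
    self_vouched = verify_download(TROJANED, FILENAME, {"hostile": HOSTILE_SITE})
    # Adding an independent source exposes the disagreement.
    cross_checked = verify_download(
        TROJANED, FILENAME, {"hostile": HOSTILE_SITE, "mirror": INDEPENDENT_MIRROR})
    return genuine.ok, self_vouched.ok, cross_checked.ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```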

    • #3291577

      MS insecure software is costing consumers billions

      by david533941 ·

      In reply to Open Source software vs. Proprietary software

      During the last month I have been called upon to repair numerous hacked Windows 2000 and XP machines – yes, Microsoft proprietary software. In addition to worms and trojan horses, every single machine contained at least one Internet Explorer browser hijack.

      My clients receive absolutely NO recompense from Microsoft. So much for any advantage of proprietary software!

      I’ve migrated every one of them to Mozilla Firefox, free open source software with proven superior security.

      • #3291502

        OSS is the frontier of innovation

        by quaotc ·

        In reply to MS insecure software is costing consumers billions

        I’ve moved some of my systems over to OSS, including a laptop that ran ME when I bought it. I’ve been very happy with much of the OSS stuff I’ve tried. Much happier and less frustrated than the MS overpriced stuff

        Back in 95, Bill Gates was saying that the net was a fad. The net was built on OSS software and open standards. Needless to say, it was a fad that stuck. You naysayers may scoff, but OSS has given computing much innovation. That innovation has been frequently coopted by corporations looking for profit.

        When you keep in mind that a corporation’s chief motive is profit, you understand the reason that there will always be weaknesses in proprietary code. Quality assurance is always about how buggy a product can they get away with. ALWAYS!

        So don’t get fooled into thinking that just because you paid top dollar, that you got the best.

        • #3291353

          before anyone jumps on the profit comment

          by apotheon ·

          In reply to OSS is the frontier of innovation

          It’s not entirely true that the chief motive of a corporation is profit. Corporations are actually primarily after market dominance. Pure profit is a close second. The reason for that is that the people in the boardroom have a harder time wrapping their brains around objective numbers, and like to see their investments compare favorably with competitors. That means that profit isn’t enough: the competition also has to fail.

          The result is that corporate boards want to maintain market dominance. They want their corporations to pretty much own the industries in which they operate.

          In any case, your main point stands: corporations are first and foremost motivated by market dominance (which includes a profit element). The important complement to that is that creators of open source software are first and foremost motivated by the desire to create good software.

          I’d rather support the creation of good software than the creation of market dominance, especially since market dominance produces industry stagnation. More to the point, I’d rather reap the rewards of the development of good software. As such, I standardize on open source software here, using the best development platform available: an open-source Unix-like OS.

        • #3314642

          Nice …a voice of reason

          by ctrstrike ·

          In reply to before anyone jumps on the profit comment

          I agree with you apo. But unfortunately I don’t have the flexibility of OSS. To give it the green light I’d either have to:

          1. take the code and control of it under my wing – thus no holding me [my company] responsible OR

          2. hold another responsible [i.e. the proprietary SW vendor]

          One or the other has to be in place before I could ever propose it to a customer. It’s one thing when it’s for personal use; it’s another when someone else is relying on you.

        • #3314364

          vendor responsibility

          by apotheon ·

          In reply to Nice …a voice of reason

          If an open source solution fits, but you need vendor support (or the equivalent), it exists. In fact, it is beginning to exist as an industry all its own. For custom Linux solutions on the enterprise scale with expert support, I recommend Progeny. Red Hat is the most popular choice, of course, and they reputedly provide excellent support for their enterprise Linux solutions.

          Don’t buy into the MS fear, uncertainty, and doubt. Windows isn’t the only OS to have expert enterprise support behind it.

        • #3314213

          Its very simple…

          by ctrstrike ·

          In reply to vendor responsibility

          When a SW solution, whether it be a mgmnt suite, OS, whatever, reaches maturity, attains a rev control state, releasability, and support – it can then be considered. In essence at that point in time it moves from the traditional OSS model. You cite Progeny. If I went this route with the “expert support” and the “custom Linux solution on an enterprise scale” aren’t I essentially doing the same thing as if I went with Sun/Solaris and their support team?

        • #3314083

          yes

          by apotheon ·

          In reply to Its very simple…

          Exactly my point. If you bought into enterprise support contracts, you’d be getting support similar in concept to that provided by Sun, or Microsoft, or IBM (who, by the way, also provides enterprise support for open source software). It does not move “from the traditional OSS model”, though. The OSS model is one of distributed software development, not of support contracts. The Linux kernel is an open source project, and it is supported by a number of very successful corporations.

          The main difference is that, unlike something like Solaris or Windows, there’s more than one source for support that includes the deepest possible knowledge of the software package(s) in question. You’ll actually probably end up with better enterprise support for open source software than with closed source software, if you are willing to shop around.

        • #3314645

          I Must Totally Disagree…

          by ctrstrike ·

          In reply to OSS is the frontier of innovation

          I have to totally disagree with this post. As a chief engineer I have used proprietary applications in new and inventive ways for the past 10 years. I work very closely with the developing engineers of these companies to help them make their products better. It’s NOT the goal of a proprietary vendor to get away with anything [that’s just bad business]. SW will be released unfortunately with oversights that have to be patched [it’s just the nature of SW and the myriad of code involved]. As for the frontier…using proprietary SW solutions in inventive ways has now twice put me up for patents [how’s that for the frontier].

        • #3314365

          disagree all you like

          by apotheon ·

          In reply to I Must Totally Disagree…

          You keep saying you’re “a chief engineer”. OF WHAT are you “a chief engineer”? Actually, never mind. I don’t give a damn. Argument from authority fallacies don’t interest me.

          I’ve used proprietary solutions innovatively as well. In fact, I still do. I find that, on average, open source solutions tend to be BY FAR the better-developed solutions, however. Furthermore, developers are in charge of themselves with open source projects, and you can contact them directly, discussing changes and additions on equal footing with them, and even submit additions or changes of your own if you happen to be a software vendor. The flexibility, accessibility, and transparency of the OSS development model is, generally speaking, far superior to closed source development.

          There are, of course, exceptions. There are exceptions to every rule. By and large, I use what is appropriate to the task at hand. I don’t like being held hostage by proprietary solutions, however, and when all else is equal I tend to lean toward the open source solution.

          Even leaving that aside, however, and judging solely on the technical merits of the solutions available, the OSS solutions are almost universally preferable. I’ll consider a closed source solution when appropriate, but experience tells me that more often than not I’ll find open source solutions to be the better fit and, if it doesn’t fit perfectly, I have the option of making it fit in ways I can’t with closed source software.

          Vendors, contrary to your stated perception here, are always looking for ways to “get away with” something, at least when they’ve become entrenched corporate vendors. First and foremost, they’re trying to get away with the least possible financial investment, because doing so maximizes profits. Anyone that claims otherwise is either badly misguided or lying.

        • #3314198

          I’m very disappointed…

          by ctrstrike ·

          In reply to disagree all you like

          I was actually enjoying our engagement until now. Firstly, I should say I design worldwide US federal network management systems and the operations centers these architectures are housed in. Whether it be VPN, VoIP, SONET ATM, legacy technologies, across the platforms and OS’s [you name it], I and my engineering teams design and build management solutions to bring real-time statising of literally hundreds of thousands of nodes to the desktop in a common operational framework. I probably won’t be using a downloaded copy of linux to have this new mgmnt infrastructure ride upon it. In some cases unfortunately we don’t take our contracts into seat mgmnt [if you understand what that even means] and so I have to be very concerned about the future and supportability of my solutions when I turn them over to the customer.

          Hopefully this begins to shore things up a little for you – I know that it’s getting a little “off-topic” but I figured I needed to add the rest of the picture since you were mis-interpreting many of my comments.

        • #3314079

          good

          by apotheon ·

          In reply to I’m very disappointed…

          I’m always pleased when I disappoint a FUD devotee.

          So don’t use “a downloaded copy or linux[sic]”. Use a vendor-supplied set of CDs with documentation, if you want to. The fact that there are Linux distributions available for download doesn’t change the fact that there are distributions available in shrinkwrap, in developer membership mailings, and so on. You make it sound like more choice is a bad thing.

          Avoid your ad-hominem distractions if you don’t want my complete contempt, by the way. Trying to insinuate that I don’t know the terms associated with my field does nothing to endear you to me. I simply don’t feel it necessary to explain how grand and important I am in order to bolster failing arguments.

    • #3291574

      Being matter of fact

      by yesroll ·

      In reply to Open Source software vs. Proprietary software

      First case: I work with Open source, I loose anything, I have to rebuild my system, hard to find someone responsible, it’s true, but…
      Second case: I work with, call it SoftKKro, and I loose anything too; shall I do something against SoftKKro? Sorry, I’m not rich enough to pay lawyers and I have no time to loose (did any user ever get any money back or repair from an editor in such a case?), I’ll just reinstall my system with more Open Source software and less SoftKKro. That’s all.

      • #3305087

        I’m sorry

        by andrew t. fry ·

        In reply to Being matter of fact

        I know this is petty, but it’s more annoying than these pathetic which-is-better arguments.

        The word is lose; as in, to have lost. Loose would imply that it needs tightening.

        • #3305076

          ack

          by apotheon ·

          In reply to I’m sorry

          That has been bugging me ever since I first saw it. Thanks for bringing it up.

          You’re not alone in being bothered by that.

    • #3291567

      Weird topic on an MS oriented site or is it weird?

      by iulianb ·

      In reply to Open Source software vs. Proprietary software

      The fact that your site is MS oriented is not new or unknown (who disagrees/is blind should stay that way). It is interesting that you post this related to the launch of Firefox 1.0, which is one of the most advertised open source products!
      Maybe someone should enlighten me about this or maybe not.
      Anyway, leaving jokes aside, questioning that a software developing model is flawed or not is useless if that model works in real life and was tested before it is:
      1) useless
      2) wastes time of readers
      3) hey you’ve just wasted my time too
      bye

      • #3291466

        It’s neither interesting nor surprising.

        by kaceyr ·

        In reply to Weird topic on an MS oriented site or is it weird?

        I started this discussion after reading the posts about the release of Firefox 1.0, where the original article was asking the community if they would switch from IE.

        You should never fall into the trap of thinking that any software development model is beyond question. If a development model is never questioned, how can it be improved?

        • #3291318

          I agree

          by apotheon ·

          In reply to It’s neither interesting nor surprising.

          Technologies should always be tested and questioned. I’m more inclined to choose OSS, though, if only because I can test it, review it, read it, fold spindle and mutilate it, to my heart’s content. I’m more inclined to choose OSS also because when I question it, I’ll get answers based on technical realities rather than marketing and FUD.

          If Microsoft comes up with a new product that I think is better than any OSS solution, I’ll probably consider using it (at least until it’s surpassed by an OSS solution, which it will eventually be).

          I even use Win2k Pro occasionally. If nothing else, Windows OSes are useful for those who have to support clients with Windows systems.

      • #3314607

        Proprietary vs. Open Source, not vs. MS.

        by pepperh ·

        In reply to Weird topic on an MS oriented site or is it weird?

        I’m not sure the security issues of open source are really so much greater than the risks associated with proprietary software. The key is the administration of the software. No system, even proprietary, is secure unless it is securely managed.
        Ever wonder how much proprietary code incorporates portions of open source assembled to meet the needs of the vendor?

    • #3291562

      what liability? what help/support? read the EULA

      by shuubz ·

      In reply to Open Source software vs. Proprietary software

      Most companies disclaim all liability in the click-wrap agreement, so there’s no advantage there.

      Some firms provide compensation up to the cost of the software (which you also get with open source, since you didn’t pay for it). MS will give you $50 over that.

      Since I value my time quite highly, I try not to use proprietary s/w. In my experience, OSS tends to be higher-quality, more quickly fixed, and more actively developed.

      As always, there are exceptions to this in OSS, as there are exceptions to the low-value-for-money generalization in proprietary software. For example, the Apple iBook is a great value for money. An IBM iSeries is great value, same with AMD64.

      My 20 years of support experience tell me MS is mostly buggy crap. I love their keyboards, though. That’s it, really.

      • #3291503

        I have to agree here

        by hal 9000 ·

        In reply to what liability? what help/support? read the EULA

        Has MS ever released a piece of software that actually worked as they said it would without a lot of Undocumented Features?

        However on the hardware side of things they do have their name on some really great stuff!

        Col

        • #3291361

          MS hardware vs. software

          by apotheon ·

          In reply to I have to agree here

          Microsoft makes a joke for an operating system, but it also makes the best trackball on the market. Go figure.

    • #3291552

      Apples to Oranges

      by megabyte405 ·

      In reply to Open Source software vs. Proprietary software

      You’re comparing apples to oranges here. If you downloaded and installed an “improved version” of Internet Explorer from an anonymous third party, then you clearly would either a) be willing to take responsibility or b) foolish. If you want assurance that the software is what you want, and it’s in a critical position (not just a little internal helper app or something), get it from your distribution vendor, who you are paying for support. Then you have a legal recourse as normal, you have a support recourse, and you’re comparing like things. You made the mistake of assuming that open source software is just free (as in beer) proprietary software with nobody behind it. If you are doing it correctly for mission-critical positions in a business, it’s not.

      • #3291500

        Well actually

        by hal 9000 ·

        In reply to Apples to Oranges

        You can not really be sure that when you click on the Windows Update you are really getting a MS site as it could be spoofed.

        The only real way you can be sure that you are getting the real thing is to order the CDs from the maker. Just how many people actually check the MS download site for its accuracy? And how many people check the actual MS download before installing it?

        Col

        • #3291346

          ditto, the other way around

          by apotheon ·

          In reply to Well actually

          You can also, of course, get software directly from Linux retailers, if you really want to have corporate assurance that your software is not compromised. In addition, because it’s open source, the corporate backers will A: have to keep prices reasonable to stay competitive (less than $100 for an OS, as compared to the $300ish that MS is charging these days) and B: find it very difficult to lie convincingly about the software they provide.

          While we’re at it, download servers run by Microsoft use MS OSes, and download servers run by open source software companies and projects use open source OSes. Meanwhile, proxy and firewall security for open source software companies and projects is on open source OSes, and the proxy and firewall security for Microsoft is handled by a third-party service provider that uses open-source OSes.

          When Microsoft bought Hotmail, they tried to switch the system from, er, BSD I think it was, to a Windows OS. They failed. No Windows server OS yet developed can handle the resource management needs, particularly as applies to remote management procedures (effectively what you’re using when you visit the Hotmail site to manage your account) because of the bandwidth waste in Windows OSes.

    • #3291551

      This is classical

      by rob_weemhoff ·

      In reply to Open Source software vs. Proprietary software

      I once checked and this attack vector is not even covered by Common Criteria, but it is a classic:
      Ken Thompson’s Reflections on Trusting Trust:
      http://cm.bell-labs.com/who/ken/trust.html

    • #3291540

      This goes for so much

      by rubin.boer ·

      In reply to Open Source software vs. Proprietary software

      The point is that you have been compromised in both cases. Policies must be in place to decide which software and what type of contingencies. When hacked because of a bug in IE or Mozilla based software (as example), it needs to be corrected in a way that the risk analysis done by the company. In reality a company who wishes to pursue an opensource company for liability should fire their whole management team.

      KaceyR, you’re right in your reasoning, but this issue should be handled on a higher level.

      PS: don’t download from warez sites; use the opensource site 🙂

    • #3291531

      No difference now than in 1984

      by andeanderson ·

      In reply to Open Source software vs. Proprietary software

      Open Source is how Microsoft and others started.

      What is the problem with using Open Source if you are a responsible IT person?

      You should never just download anything, even upgrades, to a live operating system until it has been tested on a stand alone system first. The expensive proprietary systems have crashed more than one system because of an “OOPS, we forgot to” when releasing an update or patch.

      Besides, Open Source is less dangerous than the BHO’s (Browser Helper Object) which infest your IE Browser. Once a malware is compiled as a BHO Microsoft IE opens your entire operating system to its manipulations. The BHO can even make itself a Protected System File.

      So, there goes the safety of a commercial product.

    • #3291527

      You’re comparing apples and oranges here…

      by matthew.rice ·

      In reply to Open Source software vs. Proprietary software

      The original scenario is inherently biased. First, your Firefox example: “During a post-mortem, you discover that Firefox was the culprit …[but] The signature of the executable doesn’t match ANYTHING the original developers have ever released.”

      Now, your proprietary example: “During the post mortem you discover the culprit is the ABC product from XYZ company. The file signatures are compared and, sure enough, they match.”

      Switch the two. If the signatures on Mozilla matched, you’d have pretty good legal ground for restitution and Mozilla would be more than willing (I’m sure) to help identify and correct the problem. But if your proprietary software’s signatures didn’t match, how much help do you think you’d get from that company?

      Others have raised the valid question of trusted download sites, but just because something is burned on a CD and sealed in a box doesn’t mean it hasn’t been compromised, just that whoever did the compromising did it before the CDs were burned.

      I agree with the hypothesis that open source will tend towards greater reliability. Unfortunately, because closed source can’t be independently verified, this is a debate that will rage for many years to come.

      I also have an issue with the idea that companies are “paranoid about system intruders and industrial espionage.” If that were true, there wouldn’t be near universal Internet access at most places of business (and before you even bring it up, firewalls, proxies and net filtering still equal near universal Internet access), not to mention PC accessibility. Companies today are worried about the same things they’ve always been worried about: public perception and stock value. As long as a press release on the evils of “hackers” will maintain them, there won’t be any real move towards secure systems.

      • #3291491

        You are totally correct here

        by hal 9000 ·

        In reply to You’re comparing apples and oranges here…

        I can remember a new CAD package that I bought quite a few years ago now, and for some reason I ran a virus scanner over the CD. I stopped the scan after it had found 25 different and very virulent viruses.

        A phone call to the maker was at first disbelieved until I sent them a copy of the printout of the partial scan. Apparently it was on their system where the fault was, as they were infected without knowing of it, and when they passed the ISO image on to the CD makers they had been infected as well.

        The old story of accept nothing, believe nothing and expect nothing is a very good adage and should be more carefully followed.

        Also, every big company isn’t the slightest bit concerned about actual security but only the perception of security, as if the public believe that things are secure they are happy no matter what is actually happening.

        Col

        • #3291340

          too true

          by apotheon ·

          In reply to You are totally correct here

          Corporate closed-source software developers don’t care about actual security. Their motivation involves selling software, not providing a good product. This means that public perception of security is far more important to them than actual security, and often their money is better spent on marketing to that end than on software testing and development.

    • #3291504

      Partnering is the Key

      by lynbor ·

      In reply to Open Source software vs. Proprietary software

      With Open Source you still need a corporate partner who will step up to the plate and give you open source that is secure.

      One way to prevent problems with accessing via the Internet is to purchase your Open Source on CD from the purveyor directly.

      I invite you to read the following regarding Open Source Security. I think it addresses this issue as much as it can be addressed because we are trying to discuss several unknowns on both sides of the issue.

      http://www.novell.com/linux/security/mission.html

      • #3291363

        good link

        by apotheon ·

        In reply to Partnering is the Key

        That’s a point that I’ve been trying to make for some time: that you can have the corporate backing you want, even with OSS. You’re not left twisting in the wind just because the software is open source, if you don’t want to be.

        The difference is that you also know exactly what the software contains because it’s open source, and it gets more peer-review, not to mention that Unix is just a better platform for most purposes.

        • #3300266

          Even More Good News

          by lynbor ·

          In reply to good link

          I just saw this article today and it adds even more information to this topic. Not sure how long the link will be good for.

          The title of the article is
          Linux Kernel Review Shows Far Fewer Flaws
          By Dennis Fisher
          December 14, 2004

          http://www.eweek.com/article2/0,1759,1741077,00.asp?kc=ewnws121504dtx1k0000599

        • #3300214

          ooooh . . . !

          by apotheon ·

          In reply to Even More Good News

          That’s another good article. Thanks for the link!

          According to these numbers, by the way, the average commercial software package suffers something on the order of one hundred times as many flaws per thousand lines of code as the Linux kernel. I’m amused.

        • #3300134

          I’m not amused.

          by kaceyr ·

          In reply to ooooh . . . !

          But I am impressed. It serves up some proof positive that, sometimes, the more cooks in the kitchen, the better the meal.

          It’s also impressive to note that, as stated in the article, once the auditing of the kernel software began, they saw a ten times decrease in the number of bugs. That means that before the audits began, Windows was approximately 10 times more buggy than the Linux kernel.

          As I said, impressive.

    • #3291497

      Let’s be honest in this question…

      by rjhubble ·

      In reply to Open Source software vs. Proprietary software

      The real issue here sounds to me like the same old Microsoft slander against Linux distributions. While I agree that there is a risk if you download open source software from certain websites that deal in pirated software, the same thing could be said of Microsoft Windows, and also if you are using many of the p2p applications to get your downloaded software. There are many distributions like LINUX which have legitimate websites that allow you to download their distribution software for free, that do not seem to have the malicious codes that you seem to be referring to. I personally have both Proprietary and Open Source software running on different systems (i.e. Windows XP and ELX LINUX). I seem to have more problems with malicious attacks (i.e. viruses, worms, and other security issues) on the MS WINDOWS system than I do with the LINUX system. To point a finger at Open Source and say that they have malicious codes that will screw up your computer is just bunk. You need to look at the other 4 fingers that are pointing back at you. Take the security problems that Microsoft seems to constantly have. They are Proprietary software, yet they seem to constantly have security issues, which means you constantly have to download “security updates”. May I suggest that if you’re a company or business IT or Owner that you set up a NAT firewall and a software firewall on your server. Then install a different software firewall on each of your different PCs. This will keep the hackers busy trying to figure out which way to go to get into your systems. Or better yet, maybe you need to format your systems and install Open Source software such as LINUX. I am not pushing Linux distributions, but I am impressed by the growth they are having as of the past couple of years. I am just a “Windows Dummy” and I was able to install the Elx Linux on my PC with the standard “default” install.

      Within 5 minutes of the installation being finished, I was surfing the internet and sharing files from my Windows PC to the Linux system (and this was my 1st attempt ever and I didn’t know anything about Linux). I have been running this Elx Linux for only 1-1/2 months (with a total of about 8 hrs of playing around trying to learn some of the basics), yet I have been using Windows distributions for over 4 yrs (started on Windows 3.11, then Windows 95, then 98 SE, then ME, then Windows 2000, then Windows XP, and Windows Server 2003). I am only an A+ certified (should be known as “Windows certification” with hardware repair) tech. As long as there is Proprietary software, there will be hackers, viruses, worms, and other malicious codes. Open Source software actually is fairly safe, and much more stable in most cases, than the Proprietary software. It is my opinion that Open Source just keeps the proprietary guys like Microsoft working at developing better software. If Linux distributions can be so stable, and with fewer viruses (or other malicious codes), for so cheap, why can’t the proprietary guys develop a more reliable software?

      • #3291488

        When has MS ever taken responsibility for anything?

        by gawiman ·

        In reply to Let’s be honest in this question…

        Seriously, when? Is there a case I’m not aware of MS ever stepping up to the plate and compensating a user who was damaged by some problem with one of their products?

        Backups. Code checksums. Acceptance of (and preparation against) normal risk. At least with open-source, anything nasty that someone tries to insert will potentially be caught.

    • #3291492

      Seems Like the Same “Help” I get from Bill Gates

      by nick.smoliga ·

      In reply to Open Source software vs. Proprietary software

      Strawman set up! It seems like the same “Help” I get from Bill Gates. If you don’t keep backed-up and keep your system locked-down against intrusion, you’ve got trouble anyway.

      The overflows inherent in MS’s products provide ample opportunities for intrusions.

      • #3291342

        Not quite true.

        by apotheon ·

        In reply to Seems Like the Same “Help” I get from Bill Gates

        Actually, you can get far better help from OSS community efforts than you can from Microsoft. Join a local LUG mailing list. They’re everywhere, and they’re full of knowledgeable, friendly people willing to share their Linux expertise for free.

        That’s tough to beat.

    • #3291489

      Proprietary software

      by safusa ·

      In reply to Open Source software vs. Proprietary software

      Proprietary software can have the same thing happen to it that open source can do. If you are downloading an update for a piece of software the web site could be spoofed and you can end up in the exact same boat that you can with open source.

    • #3291484

      Why Are You Looking for Jonah?

      by 0ldan ·

      In reply to Open Source software vs. Proprietary software

      The basis of the argument is the same as the sailors on the ship taking Jonah away from Nineveh. Why are we so often looking for someone to blame? One of the basic tenets of America and its cousin, the open source software movement, is personal responsibility.

      The corollary is community assistance.

      I’ve not once had a problem that was insurmountable because there were so many people in community fora who were willing to help me resolve it.

      You should first determine what kind of issue you are looking for. If it is having a tool that works then your choices are Open Source or Proprietary.

      If you are looking for free support, then your choice is Open Source. If you are looking for someone to blame so you can wheedle free support out of them, then Proprietary is the way to go!

    • #3291482

      You can

      by steve morin ·

      In reply to Open Source software vs. Proprietary software

      > The only way to ensure that your executable is as it should be, is to perform a comprehensive review the source code and to recompile it yourself.

      The difference is, you can.

      Or you can trust an independent organization, or hundreds of independent organizations, that did.

      • #3291323

        indeed

        by apotheon ·

        In reply to You can

        . . . and “the only way to ensure that your executable is as it should be” for closed-source, proprietary software is to, err, um.

        Well. I guess you can’t. You’ll just have to take someone’s word for it.

    • #3291481

      What about the voting machines?

      by goluskab ·

      In reply to Open Source software vs. Proprietary software

      What about the code for voting machines?

      If the code isn’t available, the results could easily be manipulated.

      I used to laugh at people gambling on “video poker” – after all, the results are what was programmed, not “honest” like real cards or dice.

      So, unless the source (and procedures for the object) are available for review, how can any voting be honest?

      Considering that 35 % to 40 % of my income is spent by the government, it seems that open source for voting machines is an economic requirement.

      • #3291322

        good point

        by apotheon ·

        In reply to What about the voting machines?

        There have already been exploits and designed-in “backdoors” discovered in proprietary, closed-source voting software solutions.

      • #3305233

        Hmmm…

        by bixbyru ·

        In reply to What about the voting machines?

        Australia has a system which is open source, has paper backup and is one hundred percent reliable.

        Many attempts to hack it both as tests and by bad people – have failed.

        As far as poker machines, the code is required to pass a peer-review process and is actually quite “real”.

        A pseudo-random number is generated from noise on the power-line, user input et cetera – it’s very random – and then used to “shuffle” the “cards.”

        This shuffled deck is then played, both by you and by the expert-system which is the poker machine.

        It’s all quite honest, except for how well the machine plays.

        It’ll play less well to hook you, then turn into a shark.

        Still, the deal’s fair and forthright.

        Bix

    • #3291478

      Hooey

      by wmarkhall ·

      In reply to Open Source software vs. Proprietary software

      The, ahem, ‘article’ states: “Without a complete review of the source code and an independent compile yourself, you have absolutely no assurance that the code you are running matches the source code that it’s supposed to. Should that code damage or otherwise compromise your system, what’s your recourse? Rebuild your system.”

      What the article does not state is how one gains access to closed source code in the first place —
      Not checksums, the original source code.

    • #3291467

      Rather strange post

      by dnsb ·

      In reply to Open Source software vs. Proprietary software

      It seems rather funny that KaceyR picked a web browser as his example. Has he forgotten the sheer number of security holes found in Internet Explorer? Perhaps he has never read the EULA? Never had his system victimized? Has he ever tried to contact Microsoft for support when an IE exploit has toasted his system? Keep that credit card ready.

      Eeyup, proprietary software is obviously going to be more secure and reliable — not.

      As for his comment that being able to review and understand the source code somehow equates to the ability and/or desire to write that same source code yourself? Another fine example of “does not follow”.

      • #3291453

        Not funny, on purpose.

        by kaceyr ·

        In reply to Rather strange post

        If your goal is to attack Microsoft, would you attack a product like MASM (Macro Assembler) that most people don’t even know exists, or would you attack Windows XP? Obviously, you would attack Windows XP, because no one else would know what you’re talking about.

        In order to foster this discussion (and since it sparked this line of thought in the first place), I aimed for the current Open Source high profile software, Firefox 1.0.

        I don’t believe that this discussion would have had near the input if I hadn’t had the luck of being able to post it just after the release of Firefox.

        To answer your questions:
        No, I haven’t forgotten the security holes, but I have mitigated their risk.

        Yes, I’ve read the Microsoft EULA (for Windows XP Pro) in its entirety, and even paid for a copyright attorney to provide me with a legal review of it (that’s what I pay a retainer for).

        No, I’ve never had my system victimized. I keep an up to date hardware firewall, software firewall, virus scanner, and I regularly review my system access logs (I have a very nice logging firewall).

        No, I’ve never contacted Microsoft about an IE exploit toasting my system, because it never has.

        In fact, the only time my system has been toasted is when I do it all by myself. Shame on me, but that’s what my backup is for.

        The question of security and reliability are secondary in this discussion to trust. Most businesses tend to be more likely to trust a known company than an unknown (to them) group of people from around the globe. Take your average retail store owner. If you want to sell the owner a system that incorporates the cash register, inventory, ordering, and payroll processing, you can probably find all of the software you need in the Open Source community, but without a name like IBM or NCR on the hardware, the store owner will never buy it. Why? Trust. The IBM and NCR names have an implied level of trust because of the size and success of the companies. I hate to break it to you, but things like that matter. Does it matter to the store owner who wrote the software? Nope. As long as they can call the company whose logo appears on the hardware, they’re happy.

        On to the code review:
        If I’m reviewing code that may contain, for example, an IP packet exploit, I had better be able to recognize it. If I can, there’s a pretty darn good chance that I can write an IP packet manager. If I can’t, what am I using to assist me in the code review? If I have nothing to assist me, then this is where I need to have a level of trust of whomever reviewed the code from the vendor (proprietary or Open Source).

    • #3291455

      Responsibility

      by stubucks ·

      In reply to Open Source software vs. Proprietary software

      It seems to me, you have to assume responsibility for your actions. You should know from whom you are downloading your software. If you don’t, then “let the buyer beware”! Don’t go blaming anyone else for your poor judgement. There’s a place for both proprietary and open source. Know your sources for both.

    • #3291442

      Total lack of understanding of Open Source.

      by hmtattrie ·

      In reply to Open Source software vs. Proprietary software

      Your posting reflects a complete and utter lack of understanding of how the open source community works.

      You talk about “the author” as being one person who can inject whatever he likes – this simply doesn’t happen (for all the reasons you have listed – and more). What happens in the real world is that hundreds of good programmers spend many hours writing pieces of a program which then are reviewed by hundreds of other good programmers for functionality, correctness and completeness before they are added to the main code-base. If a back-door or some other sort of malicious code were to be integrated into a piece of open source software, it would have to pass inspection by (and hence be a conspiracy of) several hundred people (it’s about as likely as it happening at Microsoft). That’s why open source development/deployment is a multi-layered approach – it works for everyone.

      You talk about the availability of source code as being a security measure so that you can do a complete rebuild and be sure of the “cleanness” of the executable. Also not right. Source code is provided so that people can customize a system to their needs if the out of the box distribution doesn’t. If this includes tweaks that break your systems, it’s your own programmer’s fault and you need to find another one. Checksums are provided to validate an executable against the copy that an Open Source organization says is the real one – if it doesn’t match, you downloaded an installer from some questionable source. Stick to the real ones and you’ll never get yourself into trouble.

      You state that if you can understand it – you can write it yourself, which is ridiculous in itself. I can understand all of the source code that makes up Microsoft Word (the millions of lines of it). It would take the rest of my natural life to type it in – much less debug a rewrite of it. Great idea that doesn’t work in the real world.

      As far as culpability and legal recourse are concerned, how much has Microsoft paid in fines and damages for all of the flaws and buffer over-run hacks that have showed up in their software? The answer is $0.00. After you do a post-mortem on your system and find that someone got in and did some damage to your system due to one of the plethora of errors in just about any Microsoft product – you should sue them for it and let me know how it turns out. I’d be interested to see how far you got. My guess is you end up with a bunch of huge lawyer bills and your legal tail tucked between your legs – yelping all the way home from court. Let’s face it – even if you’re right – their lawyers can beat the crap outta your lawyers any day of the week. You’d be better off filing suit against Mozilla.org.

    • #3291432

      Read the EULA

      by enserfud ·

      In reply to Open Source software vs. Proprietary software

      There really is no protection from proprietary software either. Read the EULA. Somewhere it will state that the software is provided as-is and use of this software is at your own risk. If the software company does mention any liability with use of their software it is for replacement value of the software only and not the hardware or more importantly the value of the data created with said software. Trying to recover damages from a software company because their product lacked the appropriate level of security is like suing a doctor for malpractice. Albeit suing the doctor is much easier. You will need access to the source code to see if there was any malfeasance; intended, overlooked, or if the company lacked due diligence in making sure their product is “safe”. Since proprietary source code is treated as a “trade secret” the software company cannot be forced into divulging their work by the courts for discovery purposes.

    • #3291431

      Tech Republic working for Microsoft??

      by paul.adams ·

      In reply to Open Source software vs. Proprietary software

      This has got to be the stupidest argument I have ever heard. “Tweaked” by a “hack” from “whom” downloaded from “where”? There is a whole lot of “assuming” going on here.

      Let’s just “assume” that I download a hacked version of IE, and it blows up my system. Is M$ really going to buy me a new system?

      C’mon! Get with the program, you mindless borg agents.

      • #3291312

        Er, no.

        by apotheon ·

        In reply to Tech Republic working for Microsoft??

        This wasn’t an official TechRepublic topic. It was posted by a visitor to the site. TechRepublic frontpaged it because it was generating a lot of discussion. I don’t think you need to blame TechRepublic for this.

      • #3314641

        A discussion worth having

        by flash00 ·

        In reply to Tech Republic working for Microsoft??

        Whether this is a MS FUD attack or a well-meaning innocent comment by a knowledgeable person, it reveals the heart of the struggle between open-source and proprietary software. The struggle may never be resolved but this discussion is essential and enlightening. Thanks guys.

    • #3291426

      Injury vs injury+insult

      by dryden.cope ·

      In reply to Open Source software vs. Proprietary software

      “Legal recourse”? Given the prevalence of shrinkwrap software licenses whose terms are not disclosed until money has changed hands, I assume you wrote that with tongue in cheek. Given the choice between injury and injury topped by insult, I choose the former.

    • #3291424

      Apples and oranges

      by fredpt ·

      In reply to Open Source software vs. Proprietary software

      Was this just a ploy to start a discussion? I have both types of software in my shop and they have very similar disclaimers. What would XYZ company do for you if the signatures did not match like they didn’t in the open source scenario? Compare apples to apples.

      • #3291419

        An article versus a “ploy”

        by kaceyr ·

        In reply to Apples and oranges

        Isn’t it the purpose of any article published in a “Discussion Center” (you’ll see that written near the top of the page you’re viewing) to start a discussion?

        Since you have both Open Source and proprietary software in-house, why don’t you pose your question to them? I, for one, would be interested in their response.

    • #3291415

      Yeah, right…

      by bixbyru ·

      In reply to Open Source software vs. Proprietary software

      KaceyR seems to forget that the license agreements on almost all software – MS or otherwise – promise nothing other than stiff penalties for violators.

      These licenses specifically disclaim any warranties, and basically hamstring you even before you open the box.

      Caveat emptor as a business model.

      With GPG, MD5 sums et cetera, things are pretty good in the OS/FS world.

      While they do not rule out malicious intent on the part of someone within a software house, neither does the MS production process.

      Easter egg or back door – they’re both easily doable.

      OS/FS is reasonably well audited, and any problems are quickly spotted and fixed. Further, while you may not get a warranty, you do get at least two other things:

      1) a product you can customize, change and use in any way you wish at no cost;

      2) the assurance that the author wrote it because they wanted to, rather than had to.

      That last is significant. A paid programmer as often as not will drudge through but have their mind always on Miller time.

      An OS/FS programmer has a sense of working for the greater good, and knocks off when needed. OS/FS isn’t the product of tired people wanting to leave, but rather a labour of love.

      Again, this helps ensure a decent product.

      BTW, while I’m on a roll, as far as the whole patent thing, there’s an important argument everyone seems to miss:

      Software patents came about because copyrights didn’t provide enough clout and some companies sought to abuse the patent process because the investigators typically don’t know what they’re at and will grant a patent for just about anything.

      Further, patents can be incremental. The patent on the triangular loop on a cotter pin – and on the bent longer tine – are independent of the patent on the original cotter pin.

      Try writing your own Harry Potter book and you’ll soon see the difference between patents and copyrights.

      However (pregnant pause) patents only ensure that no one can use an idea for profit without permission. For profit…

      OS/FS are inherently not for profit. Certainly, there are commercial and shareware apps for OS, er, OSs, and services are for profit, but the OS/FS is not.

      If I want to copy a GE turbine down to the last rivet for my own use – or to give away – I can, at least under U.S. law. I just can’t sell it for more than I paid for the materials.

      So, even were Linux, Mozilla, OOs et al to violate a slew of patents – which they don’t – it wouldn’t matter.

      BTW, many of these patents ’bout which MS is whining include TCP/IP, UDP, NFS, FTP, POP, the double mouse click, using the tab key to switch between form elements… it’s BS.

      Hell, the tab key’s been used for that since the first IBM System/360!

      What about virii?

      The typical argument from the MS Party Faithful runs thus:

      > Windows is attacked so much more often than
      > Linux is not because of its vulnerabilities
      > but because of the size of the audience. If
      > the numbers were reversed, we’d have a lot
      > more viruses for Linux and Mac than Windows.

      Spoken like a true neophyte.

      Firstly, Linux is attacked far more frequently than Windows. You see, it’s in a majority position with server systems attached to the internet.

      ‘Course, very few of these attacks succeed – Windows succumbs with far greater regularity.

      A great many bugs “attack” my windshield, too, but very few of those attacks are successful. Were I to install 1/4″ wire mesh [Windows] instead of glass, the frequency of penetration would likely increase.

      Were Linux so easily cracked, some black-hat or other would occasionally bring down the entire internet and gain instant super-stardom.

      As it is, script-kiddies with no real programming ability regularly compromise the Windows *minority* in server-space.

      As for home Windows boxes, they are about as secure as an unlocked convertible left in Queens in a lighted, deserted area at night with the keys in the ignition, the top down and the signed pink taped to the wheel.

      Their argument is akin to stating that if as many folks drove Ferraris as had Ford Explorers, they’d be involved in as many roll-over accidents.

      The fact is that they [Unix and work-alikes as compared to Windows] are very different beasts, but sheeple such as they will never understand why any more than Jerry Falwell will ever see any good in Hinduism.

      So, use OS/FS with confidence. At least it’s evolving by leaps and bounds, rather than being hidebound and stagnant.

      Cheers,

      Russ Bixby, geek of the plains

      Power without wisdom is akin to an adze with a ruined edge, suited more to the vandal than the builder.
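The checksum step that hmtattrie’s post (“Checksums are provided to validate an executable against the copy that an Open Source organization says is the real one”) and this post’s “GPG, MD5 sums et cetera” both point at, as an added example that is not code from the thread or from any project: a small Python verifier for sha256sum-style SHA256SUMS lists. The file names, bytes and list contents below are constructed for the demo; a match proves only that the file equals what the list describes, so the list itself still has to come from the project over a trusted channel.

```python
"""Check a downloaded file against the SHA256SUMS list a project publishes.

Added example, not code from this thread or any project. It covers the
"compare it against the published checksum" step mentioned above:
  - a match proves the bytes are the ones the list describes;
  - a mismatch, or a file the list does not mention, is rejected;
  - it proves nothing about the list itself, which must come from the
    project over a trusted channel (a signed list, a CD from the vendor).
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Dict

# One line of sha256sum(1) output: 64 hex chars, whitespace, an optional
# '*' binary marker, then the file name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Map file name -> lowercase hex digest; reject malformed lines."""
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SUM_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digests[match.group(2)] = match.group(1).lower()
    return digests


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: Path, sums_text: str) -> bool:
    """True only if the file's digest equals the published one for its name.

    A name missing from the list is a failure, not "nothing to check".
    """
    expected = parse_sha256sums(sums_text).get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> Dict[str, bool]:
    """Constructed scenario: genuine copy, tampered mirror copy, unlisted file.

    The bytes and names are made up for the example; they stand in for an
    installer and the SHA256SUMS list a project would publish beside it.
    """
    genuine = b"constructed stand-in for installer-1.0.tar.gz\n"
    name = "installer-1.0.tar.gz"
    # The list is computed from the genuine bytes, as the project would do.
    sums_text = f"{hashlib.sha256(genuine).hexdigest()}  {name}\n"
    with tempfile.TemporaryDirectory() as tmp:
        official = Path(tmp) / "official"
        mirror = Path(tmp) / "mirror"
        official.mkdir()
        mirror.mkdir()
        (official / name).write_bytes(genuine)
        # Same name, one byte appended: what a tampered mirror copy looks like.
        (mirror / name).write_bytes(genuine + b"\x00")
        (official / "README.txt").write_bytes(b"not in the list\n")
        return {
            "genuine": verify_download(official / name, sums_text),
            "tampered": verify_download(mirror / name, sums_text),
            "unlisted": verify_download(official / "README.txt", sums_text),
        }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:9s} {'OK' if ok else 'REJECTED'}")
```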

      • #3291306

        patents and OSS

        by apotheon ·

        In reply to Yeah, right…

        One of the major problems with software patents as they pertain to open source software is in the survivability of the companies that help support OSS, like Red Hat and Novell. These companies do make a profit from OSS, and as such would be quite vulnerable to attacks based on supposed patent violations.

        • #3291276

          I think not

          by bixbyru ·

          In reply to patents and OSS

          Neither Red Hat nor Novell (a large patent holder, by the way) is creating open source software and selling it.

          The stuff they sell is proprietary management software – which may or may not involve TCP/IP, the double click or other “patented” software.

          Also, they sell services.

          Going back to the turbine analogy, someone who builds generators for me to hook to my GE-copy turbine or another someone wrenching it for me is not liable to patent litigation.

          Cheers,

          Bix

        • #3305187

          not relevant

          by apotheon ·

          In reply to I think not

          I’d dispute the claim that no corporations are creating open source software and selling it. RHEL and SuSE Linux are OS-and-software bundles that are (at least primarily) open-source, and both Red Hat and Novell are indeed selling these solutions. Much of the software these companies create and/or modify for use in their OS bundles is sown back into the OSS community, generally as GPL software. If you’ve heard of the RPM, you’ve heard of software that was created by Red Hat and made open source. The RPM is the single most commonly used software package format in use today in Linux systems. Even SuSE uses it.

          That aside, however, I wasn’t even talking about them creating and selling software. I was talking about the fact that they profit from distribution of open source software (like the Linux kernel itself, as well as window managers, services, applications, and numerous utilities) that may become a target of later patent suits.

    • #3291407

      Re: Open Source software vs. Proprietary software

      by sebastien.lechelle ·

      In reply to Open Source software vs. Proprietary software

      You have a point with your post. However…

      – Only download products (commercial or open-source) from a trusted site. You would not download Internet Explorer from http://www.crackz.net.ru would you?

      – Test your system first before going live. Do not blindly trust marketing blah-blah (this goes for commercial and non-commercial products).

      – Do not rely too much on the software supplier’s liability. I know trials and lawyers are in big demand, but you may have problems convincing people that a specific piece of software is solely responsible for the problem. Therefore you may have problems pointing your finger at someone.

      – Last but not least. In practice Open Source software is as safe if not safer than commercial products. And this is a fact.

      At the end of the day, what determines if a product is good or not is the employees who designed/produced it. A Microsoft employee may not be as enthusiastic and thorough in his/her work as an open-source coder who is fully dedicated to his/her project…

    • #3291406

      Reflections on trusting trust

      by mike ·

      In reply to Open Source software vs. Proprietary software

      One interesting thing about being older is that you can remember things that have been said before. I submit a presentation from Ken Thompson from the ACM of 1995 that was itself a recollection of something done much earlier. It is the illustration of how to build an undetectable trojan horse that would allow the author to log in to any UNIX system ever written. One notable quote is that “No amount of source-level verification or scrutiny will protect you from using untrusted code.” Read and weep :) http://www.acm.org/classics/sep95/

      • #3291399

        A very good point

        by kaceyr ·

        In reply to Reflections on trusting trust

        A point that applies equally to both Open Source and proprietary software.

        It doesn’t matter how many sets of eyes are looking at it; if someone is clever enough, they can (this does not imply that they will) build something that will slip past scrutiny, whether they’re working for Microsoft or on a project in the Open Source Community.

      • #3291268

        There’s a solution for that…

        by bixbyru ·

        In reply to Reflections on trusting trust

        …and all us oldsters know ’bout it.

        BTW, as someone who started designing and building his first computer – the processor itself, instruction set and all – one transistor at a time starting in ’72 when he was ten and first getting it to work two years later, I qualify as an oldster.

        The following has actually been done for SELinux, by the way.

        One uses “Tiny C” to build the C compiler and standard libraries from trusted source, then re-compiles the C compiler and libraries with the compiler they just built.

        One then compiles everything else with this freshly built-by-itself compiler.

        The Tiny C is in turn written in macro assembler, and the assembler is written in simple assembler.

        The simple assembler is written in straight machine code.

        This provides a one hundred percent secure code tree, assuming one has properly audited the relevant sources.

        While this does not account for the possibility of a hacked BIOS on the mainboard, a SCSI host adapter or some such, these are rare indeed, although not unheard of.

        There was the case of a miscreant altering the operating software to an aftermarket keyboard, causing it to type out “Welcome Datacomp” (whatever in Hell that means) at random intervals.

        It took me quite some time to discover that the root of that evil – this was on my own computer – was not a virus, trojan et cetera.

        In other words, anything is possible, but things are not so dire as the FUD-meisters would have us believe.

        Narf,

        Bix

    • #3291402

      This article is asinine

      by kimdouglas ·

      In reply to Open Source software vs. Proprietary software

      Notice the Open Source software didn’t come from the production version of the code, automatically giving the person nowhere to go for support. Why would the developers of Firefox help if the executables didn’t match the prod version?

      And then, the proprietary code did match the original. And the nice friendly software manufacturer was ready, willing, and able to help. Yea right, try and call Microsoft with this type of problem if you don’t have one of their high-end support contracts. And even then!

      I wonder how much this author was bribed to publish this type of non-sense from the proprietary software manufacturers?

      • #3291393

        Not one penny.

        by kaceyr ·

        In reply to This article is asinine

        I don’t accept bribes. If I did I would have made my fortunes years ago compromising systems and retired to a non-extradition country.

        Instead, I continue to build my client base by writing software and being a consultant that they can come to with a question even if I’m not on contract to them at the moment.

      • #3310863

        Indeed!

        by jre ·

        In reply to This article is asinine

        You read my thoughts .. this article is such bullshit FUD that it has to be the result of a bribe by MS to the author to ‘publish’.

        It is so basically flawed on all accounts, that I have to view the author as being quite clueless (as evidenced by the lack of logic & reasoning), let alone simple real world business facts like: MS will rush to pay you for _any_ problem you have with their fat binaries.

        Yeah right.

        Is the TR just a subsidiary of MS now?

    • #3291385

      How bout another angle

      by tony_moey ·

      In reply to Open Source software vs. Proprietary software

      What happens if I ask you this: is corporate greed worse than personal greed?
      You see, in OSS, there is a possibility of one or two bad apples injecting malicious code…however, in proprietary software, there is the possibility of one company with hundreds of programmers “forced” to inject malicious code which then cannot even be revealed!…or it could be quietly covered up or even modified before being opened to scrutiny!

      • #3291343

        That’s a good point

        by kaceyr ·

        In reply to How bout another angle

        Even if the malicious code was injected only by one disgruntled employee, it would be much easier for a large software company to cover it up, whereas it’s virtually impossible for the Open Source community to cover it up.

        • #3291277

          A hammer isn’t always the best tool

          by no one ·

          In reply to That’s a good point

          OSS vs. proprietary software is not the argument that should be made in my opinion. They are not mutually exclusive. For instance a small company desiring a low initial cost of ownership may be very happy to spend a few more man hours working with an OSS product. As the number of users and supported infrastructure grows, a larger company may see significant benefits (such as a reduction in administrative overhead) by being able to automate and manage servers, workstations and software at an enterprise level with the click of a button. Not to say that OSS cannot also perform that function, but many are not there yet. This might be because companies such as Microsoft have money to spend on focus groups to help determine the optimal design of their user interface, or the features which users desire.

          MS as a single unit is only an illusion. For instance a support call under an SLA is actually routed to a call center, which could actually be a third party vendor. This is no different than hiring a consulting firm who specializes in a particular OSS, with an SLA.

          Everyone would like to tell you that they have the most secure software. Certainly more eyes looking at code helps to find bugs and improve the design. However, with OSS _you_ can audit the source code if you desire. More than audit, you can make changes where necessary. Certainly many people would judge this as impractical, but the ability is there. This further enables corporate software design policies to accept only maintainable code, which is less likely to have the bugs that are often introduced with spaghetti-like code. (And of course you have no idea what precompiled code looks like in source form.)

          Many OSS projects have no product lifecycle announcements and may just disappear. But this is not unlike the .com’s. But unlike the .com’s, the code is there for you to develop if you desire. Further it may even be possible to find old OSS for a specific problem, even if it hasn’t been developed in a long long time.

          This is certainly not to say that there is one correct application or operating system or that OSS is superior. You need the right tool for the right project. Unixish OS’s aren’t the best for everything, but neither is Windows. Sometimes you don’t get to choose, such as when a client or application requires something specific.

          In my experience people would like to simplify things and form stereotypes. Free or low cost seems to imply a toy or a lack of professionalism. The same thing applies to security. People would like to have a construct that enables them to say that a product is provably secure. This is not possible. With an unlimited number of possibilities (possible input), we can only prove that software will react in a way which we have tested for. Thus a well designed OSS product is no more secure than a commercial product (except that external input and review _might_ be from a larger or more diverse group). Thus the people using the software, whether OSS or not, face the same security and development challenges.

          Last but not least is the end user. They are possibly the weakest link in the chain, but often the source of profit for a company. Not only must users be trained how to use software (and OSS may have a different look or feel), but the proper procedures must also be in place to ensure that it is configured correctly and used per a company policy. It doesn’t matter how great your product, OSS or otherwise, is if no one can use it.

        • #3291271

          Well said.

          by kaceyr ·

          In reply to A hammer isn’t always the best tool

          I think that your post also supports the perception that a lot of Open Source software is not ready for end users, and a lot of end users are not ready for Open Source software.

        • #3291265

          Nor would we.

          by bixbyru ·

          In reply to That’s a good point

          The OS/FS community tends to be pretty good about taking our lumps when due.

          We don’t deny the problem, force customers to sign NDAs or utilize gag orders to keep our foibles out of the public eye.

          We just pay our debts, fix the bugs and press on.

          Bix

    • #3291384

      Open Source IS better.

      by jkevinm80 ·

      In reply to Open Source software vs. Proprietary software

      Obviously, Kacey has never read the shrinkwrap agreements with the software he uses. Not only is this argument spurious at best, most of the “commercial” software he uses comes with clauses in the license agreement that allow the vendor to sue him if he even COMPLAINS about a problem with the software. The chances of an intrusion from Open Source are much smaller than those of proprietary because the community polices itself much more aggressively than the commercial vendors do. If such a hack as the one described were to find its way into the product development stream, it would be uncovered, reported and corrected almost before it could be distributed. That is the STRENGTH of open source software, rather than its weakness. I would suggest, strongly, that Kacey review some of the license agreements for his critical applications. I suspect he will find he has no protection at all and little or no right of recourse if the software fails his company in a catastrophic fashion.

    • #3291373

      Its Just Lie – OSrc has better crypto checks than MS

      by ohir ·

      In reply to Open Source software vs. Proprietary software

      First: Digital signing of software packages has long been known to the open source community and IS/WAS USED for years. On many contemporary distributions the check is mandatory and you have to knowingly say “yes-install-anyway” if the signature on the software is incorrect. MS only recently, with XPSP2, gave similar functionality to its userland. Before XPSP2, checkin’ signatures was only for ActiveX downloads and kernel level modules (drivers). Usually turned off by users anyway. More details: man your-package-manager. If you dare to at last install Linux, see for yourself.

      Second: The last time I saw a licence agreement with partial responsibility of the sw vendor was 20 years ago. No vendors are responsible.

      Third: as digital signature checking is the default for most open source distros/OSes, even in case of compromise of the sw package distributor the time gap to find it is very short. The ones I recall were accordingly 6, 3 and 5 hours.

      Fourth: even in case the very source of the software, the developer himself, is compromised, anyone can and will find and _prove_ it. Why – because anyone _has_ the source. The last such happening was with a comm package. Found by the OS community within a week. You never will know whether your properly workin’, digitally signed, heavily paid onscreen dildo has or has not a backdoor.

      This post is the worsest FUD I saw since the ‘TCO campaign’.

      ohir.

      • #3291335

        Perhaps you should read a few more messages

        by kaceyr ·

        In reply to Its Just Lie – OSrc has better crypto checks than MS

        You seem to be quick to disregard the discussion as a whole, but you’ve clearly not read all of the posts.

        First: There are posts dealing with the possibility of faked binaries, complete with their own digital signatures.

        Second: Pretty much everyone agrees that the license agreements do nothing more than provide fodder for lawyers.

        Third: See first above.

        Fourth: No one has contended that the problem would not be discovered or fixed. In fact, the contention is that the Open Source Community would find the problem and provide a fix faster than a proprietary vendor.

        “worsest” ????

        • #3305226

          Certainly I did.

          by ohir ·

          In reply to Perhaps you should read a few more messages

          First: if the signature is intact and is done with the vendor’s private key, the binary – whether backdoored or not – comes from the vendor. Regardless of source openness or price of the software. That’s how a cryptographic signature works.

          Second: omitted. This point was laughed at by all; you have understood.

          Third: the original post alluded that open source software can not be trusted due to lack of knowledge of origin; alluded that _only_ vendor XYZ software can be checked cryptographically.

          Excuse me, but I don’t believe that such a logical flaw as seen in your post was unintentional. So I called it by its real name. Truth is, that Linux users have had, had understood and were using digital signatures on software packages long before XYZ userland.

          Fourth: You did. In the original post.

          ohir

        • #3305222

          Points

          by kaceyr ·

          In reply to Certainly I did.

          First: “… and is done with vendor’s private key…”. This is NOT always the case. There are MANY Open Source packages available that provide nothing more than an MD5 hash signature. Further, if the individual creating the problem happens to be someone who works for the vendor and is responsible for packaging, they will already be signing the tainted package with the vendor’s own private key.

          Second: Okay, it does give us a chuckle.

          Third: The original post only alluded to the possibility of a single person being able to “sneak” in a piece of malicious code, or to falsify the download site.

          Fourth: I certainly did not. I questioned the responsibility factor of the vendor.
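The two checks argued over above, as an added example that is not part of the thread and not any distribution’s code: a hash published beside the download (what kaceyr calls “nothing more than an MD5 hash signature”) versus a package-manager style check against a trust anchor obtained out of band. The Python standard library has no public-key signature primitive, so the vendor’s GPG signature over repository metadata is stood in for by a SHA-256 digest of the manifest that the user is assumed to have pinned from a separate channel (install media, a printed fingerprint); the `Mirror`, `publish` and `compromise_mirror` names and all package bytes are constructed for the demonstration.

```python
"""Why a hash published next to a download is not a signature (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Mirror:
    """What a download site serves: package bytes plus files published beside them."""
    packages: dict = field(default_factory=dict)  # name -> bytes
    md5sums: dict = field(default_factory=dict)   # name -> md5 hex, hosted on the same server
    manifest: bytes = b""                         # "name sha256\n" lines; stands in for signed repo metadata


def build_manifest(packages: dict) -> bytes:
    return "".join(f"{n} {sha256(d)}\n" for n, d in sorted(packages.items())).encode()


def publish(packages: dict) -> tuple:
    """Vendor side. Returns the mirror contents and the anchor the user must obtain out of band."""
    manifest = build_manifest(packages)
    mirror = Mirror(packages=dict(packages),
                    md5sums={n: hashlib.md5(d).hexdigest() for n, d in packages.items()},
                    manifest=manifest)
    return mirror, sha256(manifest)  # assumption: this anchor reaches the user by a separate channel


def verify_same_origin_md5(mirror: Mirror, name: str) -> bool:
    """Weak check: compare the file against a sum hosted beside it on the same server."""
    return hmac.compare_digest(hashlib.md5(mirror.packages[name]).hexdigest(), mirror.md5sums[name])


def verify_against_anchor(mirror: Mirror, name: str, anchor: str) -> bool:
    """Package-manager style: authenticate the manifest first, then the package against the manifest."""
    if not hmac.compare_digest(sha256(mirror.manifest), anchor):
        return False  # metadata not from the vendor: refuse, even if the package "matches" it
    entries = dict(line.split(" ", 1) for line in mirror.manifest.decode().splitlines())
    expected = entries.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256(mirror.packages[name]), expected)


def compromise_mirror(mirror: Mirror, name: str, backdoored: bytes) -> Mirror:
    """Attacker who controls the site rewrites the package and everything published next to it."""
    packages = dict(mirror.packages, **{name: backdoored})
    return Mirror(packages=packages,
                  md5sums={n: hashlib.md5(d).hexdigest() for n, d in packages.items()},
                  manifest=build_manifest(packages))  # cannot reproduce the vendor's anchor


def demo() -> dict:
    clean = {"firefox": b"firefox release build (constructed)",
             "konqueror": b"konqueror release build (constructed)"}
    mirror, anchor = publish(clean)
    evil = compromise_mirror(mirror, "firefox", b"firefox build with a backdoor (constructed)")
    # A lazier tamper: the package is swapped but the published sums/manifest are left alone.
    partial = Mirror(packages=dict(evil.packages), md5sums=mirror.md5sums, manifest=mirror.manifest)
    return {
        "clean_md5": verify_same_origin_md5(mirror, "firefox"),
        "clean_anchor": verify_against_anchor(mirror, "firefox", anchor),
        "partial_md5": verify_same_origin_md5(partial, "firefox"),        # caught: sums were not updated
        "partial_anchor": verify_against_anchor(partial, "firefox", anchor),
        "evil_md5": verify_same_origin_md5(evil, "firefox"),              # passes: attacker wrote both files
        "evil_anchor": verify_against_anchor(evil, "firefox", anchor),    # refused: manifest not the vendor's
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The same-origin MD5 catches an accidentally corrupted or lazily swapped file, which is all it was ever for; once the attacker owns the server the sum file is theirs too, so it proves nothing about origin. The anchored check refuses the full compromise because the attacker cannot produce metadata the pinned anchor accepts, which is the property a vendor key signature gives a real package manager. The case kaceyr raises, a packager who legitimately holds the vendor’s key, defeats either check, since the anchor then vouches for the tainted package.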

        • #3305204

          Re: points

          by ohir ·

          In reply to Points

          First: “There are MANY Open Source packages available that provide nothing more than an MD5 hash signature…”. There are only a bunch of XYZ packages carrying a digital signature. The rest of the XYZ world provides neither source nor a signature on the binary. On the opposite, there are tens of thousands of OS software packages with both source and binary signed. To name a few, RH or Mandrake Linux distributions. Each and any package signed.

          “…happens to be someone who works for the vendor…” If this was the maintainer, such a tamper will soon be discovered by the author. If it was the author himself – such a case will be discovered as soon as a competing distro vendor does a diff over the sources to see what the competitor tweaked. Such diffs are done routinely. Because there are many vendors, because all have the code.

          Fourth. For years there has been no responsibility (in legal terms) of the vendor. But in business terms responsibility in the Open Source world is perfect. One such case may drive a distro vendor out of business. Today I am using Konqueror, tomorrow I can switch to Firefox. Today’s RedHat can be painlessly and with almost no cost switched to SuSE, Mandrake or – with more spending – to the next fifty different distros.

          Being trojaned by an XYZ employee entails that you may switch to.. hm.. to what vendor?.. Ah! XYZ vendor.

          ohir

    • #3291331

      This premise too ridiculous NOT to comment

      by skipc ·

      In reply to Open Source software vs. Proprietary software

      From the email newsletter topic:
      FEATURED DISCUSSION: OPEN SOURCE SOFTWARE VS. PROPRIETARY SOFTWARE

      I won’t quote the rest, but in reply to the points offered:

      – You downloaded Firefox off an unknown third party site most likely AND you didn’t check the signatures first? That takes LESS time than what you go through for purchasing proprietary s/w, yet you didn’t do it… Consider it your punishment!

      – If this happens with your proprietary s/w, do you REALLY think you will get anything but denial from the manufacturer?? You’ve obviously never tried this before 😉 It will take lawyers to get attention, and more $$ than you probably lost.

      – AND, you should read the license agreement. I haven’t found one in which you don’t agree to hold them harmless and you agree that they are not responsible for any loss or damages. The MOST you should be entitled to is a REFUND of your purchase price according to your agreement.

      Now, if you’re savvy enough, AND this is a legitimate problem with the open source program, you can check it. However, the initial premise is apples and oranges. In one case, it’s a distribution channel issue, which is not entirely open source related, and the other is a programming error. I think it’s interesting that in this scenario, the open software wasn’t flawed, but the other was.

      Skip

      • #3291316

        Privacy Issues are Law Binding

        by adamrosshill ·

        In reply to This premise too ridiculous NOT to comment

        First off, if you were to download the file that was *hacked* then you would know where the server you got it from was. Or at least you should. If you knew who provided the file and was distributing the file, that person is held responsible for file redistribution. Even under the GNU/GPL. If you lose data due to someone’s malcontent you have legal grounds for a privacy case against them. It’s not that open source is flawed, it’s that people are flawed in intention. If you’re worried and don’t know what you are doing then don’t install the files if you trust the code.

        I think it’s a beautiful concept that we are able to view and modify the source code to programs. Then we know exactly what they are doing to the system. You also have the option to fix that bug in that release or remove the software. It is highly unlikely that a browser hijack would install a trojan using Firefox.

        It doesn’t support ActiveX controls, which a majority of trojans are installed through. And the web browser itself does act as a file server to the system. It’s a client; Microsoft I.E. doesn’t support file server or directly connecting through the web browser either. I.E. security flaws are obviously tied to the operating system itself. And Windows SP2 has taken great strides to warn you that you are running a file. I checked; it asked me three times before I wanted to run a downloaded executable. And one more time when I rebooted and it was added to the *run* key in the registry.

        I think it’s safe to say that you really need to trust the software that you use, and the Mozilla organization is a reputable company. Download from their servers or REGISTERED mirrors.

        As for a hacked version, if you can pin-point the person who altered the code in a malicious intent. You will have legal grounds for invasion of privacy. At least here in Canada. I’m sure that the U.S. has similar laws.

        I’m not trying to scare you away from open source. Like viruses and piracy, education is key. There are many people willing to help you learn the product you wish to use in the open source community. For free.

        cheers.. and happy computing.
        Adam

      • #3291293

        refunds

        by apotheon ·

        In reply to This premise too ridiculous NOT to comment

        You get the same thing from OSS that you get from a proprietary software vendor, if you can prove it was the software at fault: you get a refund of the purchase price. If you downloaded OSS for free, you get a refund of your zero dollars. If you bought Windows XP Professional for about $300, you (might, if you’re really persistent) get a refund of your $300. In neither case are you going to get any compensation for downtime and lost data.

    • #3291302

      All software is inherently flawed

      by schimeck ·

      In reply to Open Source software vs. Proprietary software

      Commercial vendors wouldn’t release patches if all software weren’t subject to human error and to the requirements posed by the enormously varied platforms on which software is expected to run. Your contention that companies’ concerns about intrusion and espionage should lead them in the direction of commercial and proprietary software flies in the face of the fact that it is precisely such software which is the source or conduit of most intrusions and malicious acts which occur in the modern computing environment.

      Having said that, I take issue with a number of the other points you raise. First, a bug (intentional or otherwise) which causes the user substantial damage will result in no better assistance from commercial software vendors than from open source. Have you checked out the vendors’ liabilities in any commercial software licenses lately? If most corporate lawyers took their jobs seriously, or were asked for their opinions, very little commercial software would be purchased. Second, bugs are far more likely to be found and corrected when a large number of really motivated developers and users are involved than when a commercial entity is solely responsible for a quick response to a problem.

      Not all users of open source pore over the source code; many, like myself, are happy to get their hands on high-quality, useful software which works and is FREE!!.

      Finally, the risk of downloading a corrupted version of freeware is directly proportional to the professionalism of the IT staff in an organization. Just as most competent staffs have developed appropriate use policies for office computers (e.g. no games, no unauthorized software, no browsing of inappropriate web sites), a competent IT staff will download open source applications only from trusted sources. Why go anywhere else but Mozilla’s site to download Firefox? If you choose to visit unfamiliar sites to obtain software, the resulting carnage is solely due to your carelessness, not to an inherent flaw in open source software.

    • #3291291

      So, you want to be able to sue?

      by partley ·

      In reply to Open Source software vs. Proprietary software

      Or, anyways, hold someone responsible for a breach of your system through their browser?

      Have you had a situation where a breach of your network was caused by IE, and you were able to secure restitution from M$? I’d be willing to wager this is not as easy as you make it sound. Sure you have a legal recourse, but just you try taking advantage of it. Most business owners would rather rebuild their network than take M$ on in court. Unless you were referring only to other Really Big Companies? In which case i would agree with you that they should only use IE, or other “closed source” software. That would act as a check on M$ to help make sure they put out a good product. Small businesses should be able to use open source without any worries though.

      You make an excellent suggestion to the makers of open-source software. Not that they should provide a compiler with their downloads, but that they need to demonstrate that their software can be relied upon to be “safe.” I don’t think it’s too far a stretch of the imagination to think that organizations like the Mozilla Foundation are capable of demonstrating self regulation. Lately, I tend to think that this is more likely than expecting any corporation to do it, much less M$.

    • #3291290

      I must agree up to a point…..

      by carlsf1 ·

      In reply to Open Source software vs. Proprietary software

      I tend to shy away from open source for this very reason: you never know who’s been playing with the code.
      At least with MS XP PRO they are continually fixing the problems, but when you have every man and his dog trying to find a hole then it is a bit unfair.
      I do admit that I find MS prices a bit steep and would suggest that if they want to stamp out piracy then they need to review the prices they charge.

    • #3291289

      Assumptions!!!

      by rojackson ·

      In reply to Open Source software vs. Proprietary software

      Probably the most naive part of your complaint against Open Source is your assumption that commercial vendors don’t have their own “hooks.” At least you can compile from the source and see everything with Open Source if you want to. You can’t tell Big Bill, or Uncle Larry that you want to see under the covers.

      As a matter of fact, MS has gotten caught with its hand in the cookie jar more than once with special “features.”

      Give me Open Source ANY day.

      • #3291274

        Assumptions revisited

        by kaceyr ·

        In reply to Assumptions!!!

        I would submit that you make the naive assumption that just because you can review the source code yourself, that you would be able to recognize every possible form of system “hook”.

        Yes, Microsoft got caught (a lot) through the diligent use of firewalls and the occasional packet sniffer. I would utilize both in my environment regardless of the source of the software.

        This does nothing to mitigate any vendor trust issue on either side.

        • #3291256

          Better not…

          by bixbyru ·

          In reply to Assumptions revisited

          …use those firewalls and packet sniffers with MS products now.

          Doing so violates the DMCA, and you could get your nittle nubbies burned.

          Bix

        • #3305228

          Good point.

          by kaceyr ·

          In reply to Better not…

          But I also don’t think that Microsoft is going to start hunting down its big government customers (who *all* just happen to use firewalls and packet sniffers) any time soon. They usually try not to be self destructive like that.

        • #3305086

          While that’s true…

          by bixbyru ·

          In reply to Good point.

          …it leaves us depending on the Germans to tell us what Uncle Bill is shoving up the collective ass of his victims.

          Bix

      • #3291262

        MT must have a great IT budget!

        by mikefromco ·

        In reply to Assumptions!!!

        I don’t think you can say the original post is naive, then go on to say you can see everything in open source without being naive yourself.
        You can actually review tens of thousands of lines of code before you compile it? It’s not even a challenge to bury ‘hooks’ in something the size of, say, OpenOffice.

        The original question was contamination which is inherently more possible in open source downloads on a variety of ‘mirrors’ than it is from a trusted site. But using trusted sources (for any download) minimizes that risk.

        Far as liability goes, pfft, you best have deep pockets to sue software companies for O&E.

        • #3291251

          Ah, but…

          by bixbyru ·

          In reply to MT must have a great IT budget!

          Quoth MikeFromCO:

          > You can actually review ten’s of thousands of
          > lines of code before you compile it? It’s not even
          > a challenge to bury ‘hooks’ in something the size
          > of say, openoffice.

          However, there’s one salient fact you overlook: parallel policing goes hand-in-hand with parallel development.

          One typically does not walk up and rob someone in the middle of a crowd unless they are very fleet of foot.

          Why? There are a lot of witnesses, potential interlopers et cetera.

          One needn’t read every line of source for every line to be read, regularly.

          While there is a vague and slight possibility for trouble of the sort KaceyR suggests, this is far more likely on the proprietary side of the fence.

          Simply put, the only cases on record involve closed-source software. A ratio of 1:0 is pretty hard to ignore.

          Bix

        • #3305225

          Your example is not the greatest

          by kaceyr ·

          In reply to Ah, but…

          but your point about parallel policing is one of the stronger arguments favoring Open Source software.

          If you really don’t think people get robbed in the middle of a crowd, you haven’t lived in New York, Chicago, or Los Angeles!

        • #3305147

          Unless one is fleet of foot…

          by bixbyru ·

          In reply to Your example is not the greatest

          …is what I said.

          They don’t walk up, mug someone and then stand there counting their spoils.

          That’s what it’d be like to abrogate a popular piece of OS/FS, then sit back and wait for the credit card numbers to caravan in.

          Bix

    • #3291283

      No difference.

      by liberty&justice ·

      In reply to Open Source software vs. Proprietary software

      Seems to me this is an issue of the honesty and reliability of the download site. Nothing else.

      The issue is getting an executable that does not match the released executable. A proprietary software company or distributor could as easily put in the same hooks in the posted executable just as an open source company or distributor might.

    • #3291273

      Not nonsense

      by elder griffon ·

      In reply to Open Source software vs. Proprietary software

      Here is another case where I’m inclined to disagree with the author of the original post, but after reading some of the replies, I am left feeling that most of the respondents don’t appreciate how right he is. Open source has a cost model that is definitely not right for certain businesses because they can’t protect themselves well enough in the case of unmet expectations. It’s about whether the software does the required job at a desired level of cost. The risk associated with possible deficiency has a big impact on that cost.

      One weakness of the open source model when it comes to business applications is that you need expert knowledge to make it work reliably. If something goes wrong, someone in the organization needs to be an expert or to navigate the labyrinthine world of open source to find one. You either need highly knowledgeable and experienced employees (and prepare to jump off a roof if they are lured away), or rely on a consultant. In effect, the service level agreement is not with the software manufacturer but with the expert services provider that does the install and management (be that an outside firm or internal employee or department).

      This is the perfect arrangement for certain situations and not others. For businesses who would prefer to buy basic, shrink-wrapped software that interoperates well with software from other businesses but has no special features, the higher price and questionable stability are overshadowed by the lower maintenance costs. In some cases, open source is not only not the best option, it is a terrible strategy.

      However, having an expert services provider accountable for software performance, instead of the manufacturer, could be a huge opportunity for cost savings, particularly if you needed an expert services provider anyway. That is where open source is and will remain a toolkit for quality, reliability, and innovation of terrific potential value.

      • #3305197

        nonsense

        by apotheon ·

        In reply to Not nonsense

        “you need expert knowledge to make it work reliably”

        You need expert knowledge to make any software, proprietary or not, work reliably in a production environment. If you don’t have experts tending to the reliability of your software, you’re asking for trouble. Without going into the inherent instabilities of many proprietary, closed-source solutions, regardless of how much you know about the platform when you use it, your statement is unsupportable in any meaningful manner.

        I am a consultant, working with a professional consultancy in Florida. We provide on-site service to business clients regularly. Among those using heterogeneous networks, with both Linux and Windows systems, we see how inapplicable your misunderstanding of the matter really is. When a Windows system breaks down, they have to call us to get it fixed. When a Linux system, er, well. If the Linux systems ever broke down, they would likewise have to call us to get them fixed.

        The fact that many people think, as you seem to, that you don’t have to know anything to make use of a Windows system is one of the major reasons that security hasn’t been the sort of top priority in the eyes of the public that it should have been for the last twenty years. As a result, closed-source software companies have designed for bells and whistles rather than for security and stability. When people fail to be properly knowledgeable about system security, software tends to get designed more for eye candy than security when market dominance is the designer’s goal. Open source developers have other goals than that, like the desire to produce the best software they can. After all, most open source developers work on a project because they want to use the resulting software, not because they have been told to by a pointy-haired boss.

        I have no idea how you figure that buying closed-source software in any way provides more software interoperability and lower maintenance costs. For one thing, you don’t explain it, and for another, my experience is the opposite.

        • #3311057

          RE: nonsense

          by elder griffon ·

          In reply to nonsense

          You’re right, I see that I didn’t draw a clear distinction between open source and proprietary software. I didn’t give a reason why open source software would necessarily require more expert knowledge to run than proprietary software. In fact, as some have pointed out, there are situations in which support of proprietary software requires more expert knowledge by its very nature.

          I should have said, instead, that one weakness of open source software is that it tends to require relatively more help from vendors of expert services, as distinct from the original software vendor, than proprietary software does. This is a practical result of the fact that creators of proprietary software are more concerned with marketing and packaging than their open source counterparts. Microsoft would not consider releasing any software without a carefully designed interface and a few wizards thrown in, and a clearly defined map for potential users to follow through installation, configuration, and use. Open source software makers are not nearly as concerned about such things.

          I’m quite certain you still disagree, given what you’ve said. But I’m surprised that you feel that there is absolutely no sense in which this is true.

          I think that PostgreSQL is a great and effective database package, particularly at its asking price. But I wouldn’t recommend it to the same set of users that I would recommend Microsoft’s SQL Server, for example. Both require expert knowledge to implement correctly. PostgreSQL, however, is esoteric to a degree that no commercial database package would ever be. Also, through no fault of PostgreSQL’s, Microsoft has spent millions promoting SQL Server and making it easier for users to find help resources, reducing the necessity to rely on people with specialized knowledge. I know from experience that it’s quite a bit easier to set up and use SQL Server than PostgreSQL in its raw form.

          Of course, one could say that open source has plenty of alternatives to make up any such supposed deficiency. I could counsel someone to use MySQL instead, or to use PostgreSQL in the form of RHDB from Red Hat. But these are the exceptions that prove the rule. To the degree that these companies are exposing their proprietary code to public view, they are making up for it by positioning themselves as providers of expert services.

          Since you are a consultant, you can certainly speak to the issue: is there really NO sense in which it would be easier to outfit an office with a dozen computers running Windows rather than Linux? This to me is an amazing statement. I would think that for it to be even approximately true, it would be necessary at the very least to make clear which distribution of Linux is to be installed. Just on the basis of factors which have really nothing to do with Linux in itself, that more people have experience with Windows or that Microsoft office software is more widely encountered, it seems reasonable to suppose that supporting Windows would offer fewer complications.

          Just to make myself clear, I don’t think that this is an inescapable feature of open source, nor do I think there’s anything wrong with using providers of expert services. But I do think that if someone has to provide basic computing services without a budget for consultants, that person may well find that the greater price of commercial software is more than worth it.

        • #3310983

          actually (using your DBMS example)

          by apotheon ·

          In reply to RE: nonsense

          You haven’t really said anything untrue in this post. To be perfectly accurate in describing the relationship between Microsoft products and directly competing OSS products, it would probably be best phrased similarly to this:

          Often, the knowledge entry barrier for deploying software at all is slightly higher for open source software than it is for professional proprietary software. The total amount of expertise required to deploy software correctly (meaning: stably, securely, and perhaps even functionally) tends to be the same, or perhaps even greater for professional proprietary software. As a result, the minimum effort and expertise required for deployment of the open source solution will typically render a more functional, stable, and secure product than the minimum required effort and expertise for deployment of professional proprietary software of equivalent purpose.

          Understand that there is a great deal more software available for the Linux platform than for the Windows platform. That software runs a broad range of functionality, from PostgreSQL to a set of flat-file database scripts in Perl that someone whipped up in an afternoon. Microsoft’s stand-alone database software, by way of comparison, runs a much smaller range of functionality, between SQL Server and Access. SQL Server, by some measures, is more functionally complete than PostgreSQL, and by some measures is less functionally complete than PostgreSQL. Access, by any measure, is likely to prove to be more functionally complete than the hypothetical set of Perl scripts.

          There are a couple of modifying points that need to be brought up in reference to those ranges of availability. One is that an amateur can muddle his way through setting up SQL Server without really learning a thing, but anyone managing to set up PostgreSQL either needs to come to the task with some competence already in hand or will learn something from the experience. That having been done, no production environment should ever trust either database for long under those conditions because of the hidden frailties and vulnerabilities that will exist in inexpertly deployed software of that complexity. PostgreSQL will tend to be more stable and secure under those conditions, but wearing a leather jacket as opposed to running around shirtless when many of your enemies are carrying swords isn’t really much protection. It takes experience, expertise, and a great deal of knowledge to maintain either DBMS as a secure, stable environment. Of those who have that level of expertise in both of them, the vast majority (I have no statistics to back this up: only my own experience and estimations) would prefer to choose PostgreSQL over SQL Server because of the platform(s) on which it will run, the eventual effort expended, and the long-run stability and extensibility of the software, to say nothing of the fact that whereas an amateur might need to contract outside help to understand the system, PostgreSQL is 100% free to the true expert.

          That having been said, you also should realize something else about the way OSS development happens. Specifically, OSS is an extension of the Unix culture, where the preference is to create small tools that do one job and do it well, rather than create large tools that do many jobs and probably screw many of them up when they are put to a given purpose that their creators didn’t plan for. These small tools in Unix development are designed to be easily made to interact with other tools, so that meta-tools can be created whose job it is to basically tie several disparate tools together to achieve larger tasks. In proprietary software design, because tools are made large and incorporate a multitude of smaller functions, if you want a “large tool” effect that does something different than the task for which the large tool you already have was designed (even if it already has all the functionality you need, in terms of discrete internal capabilities), you have to buy another, separate, large tool that redundantly incorporates many of the same capabilities in its design. This, by the way, is part of the reason that Unixy OSes tend to run much leaner and faster, with less resource usage than Windows systems.

          That being the case, I’m sure there are several graphical front-ends floating around for PostgreSQL, developed separately from PostgreSQL itself but designed to interoperate with it, that add the sort of functionality normally thought to exist only with MS SQL Server, and not with PostgreSQL. Some additional knowledge and/or effort might be required to get to the point of having the graphical, point-and-click interface from the point of thinking of “PostgreSQL”, if you aren’t just using RHDB from the beginning, but that is really the result of OSS “suffering” sort of a plague of freedoms: you have choices, options, and freedoms in choosing your software that greatly outnumber the individual pockets in your brain where you store decision options. Every time you start thinking about how you want to do something, you can just use the first tool you think of, but you can also research the matter and discover that there are (pretty much always) better ways to do it for your purposes. I think that it is in large part the fact that Windows platform administrators tend to fail to realize this wealth of options on the Linux platform that causes them to cling to the Windows platform much of the time. The Windows platform generally supplies exactly one option, and you force that option to fit your task. Doing similarly with OSS tends to be more work, because nobody ever set out to make every single tool cover every single foreseeable need. Rather, each tool does one thing, and does it well, and by combining tools in the right way you should be able to achieve the Right Bundle of Tools for any given job in a far more effective fashion than with the equivalent situation in working with a Windows environment.

          There are really two comparisons being made, generally, when comparing the two sides of this issue. One is the Unix vs. Windows comparison, and the other is the OSS vs. Commercial Proprietary Software comparison. There is a great deal of overlap between Unix and OSS, and a great deal of overlap between Windows and commercial proprietary software, so they tend to get confused, but there are times that it is useful to separate them in discussion. What I refer to in these debates as my preferred choice is generally the Unix plus OSS solution. When I do so, however, I try to do so in discussing the matter in terms of tendencies. I do not mean to portray any of this in terms of absolutes. It is possible for someone to create the bloated equivalent of Access as an OSS project for Unix (though highly unlikely) just as it is possible for someone to create the lean “one tool one job” equivalent of one of the several Perl scripts I hypothesized as a proprietary tool for Windows (though, again, highly unlikely, due largely to its probable unmarketability in a Windows environment). The tendencies to which I refer generally apply on the one hand just as much to Unix as to OSS, and on the other just as much to Windows as to commercial proprietary software, but those tendencies become very strong tendencies, often to the point that they can be treated for many purposes as certainties, when the Unix plus OSS combination of circumstances is set against the Windows plus commercial proprietary software combination of circumstances.

          In summation: You’re right. It’s all just tendencies. I even carefully consider relevant Windows platform solutions using commercial proprietary software just as much as the Unix solutions using OSS whenever a new situation arises in which I must make a recommendation to a client. The more I learn about what is out there (and, really, I’ll never stop learning unless I choose to: the options are seemingly endless) in the OSS world, the less attractive the Windows platform options tend to become.

    • #3291267

      There are some flaws in your premise.

      by dean0 ·

      In reply to Open Source software vs. Proprietary software

      “The only way to ensure that your executable is as it should be is to perform a comprehensive review of the source code and to recompile it yourself.”

      Not true. Certainly if you want to review the code to see if and how it does what you want it to do then you will want to review the source code. Otherwise, you can download executables and checksums from a reputable source and do the sane thing and check the checksum. To use your example, if you are downloading Firefox from a site that is not recognized or sanctioned by the Mozilla team then you are being foolish for no good reason.

      “I can, very easily, set up a distribution web site . . .”

      For what? If you have an open source project and you try to pull the stunt you described then the open source community will take care of you pretty quickly. News of a deception of this type would spread more quickly than any virus, worm, or Trojan you might create.

      “In addition, if you have the time and intellect to review and completely understand the source code, why are you wasting your time downloading someone else’s product when you can make your own with the same level of effort?”

      Just a second, I’m going to write your info down just to make sure no one I know will hire you if you apply for a developer’s position. The level of effort required to read and understand well written source code is nowhere near the level required to create well written source code. Your assertion flies in the face of good development practices, specifically the concept of reuse.

      “The signature of the executable doesn’t match ANYTHING the original developers have ever released.”

      Then you didn’t download and install Firefox, did you? You downloaded something that claimed to be Firefox from somewhere else.

      “. . . ABC product from XYZ company. The file signatures are compared and, sure enough, they match.”

      Unfortunately, this scenario is far more likely to occur than the open source scenario you described. You bought or received a flawed product from a company. The “file signatures” prove the product was flawed. Unfortunately, the product is proprietary, so neither you nor anyone else you know that doesn’t work for XYZ company can fix it. Now you’re stuck with a flawed product, lost and damaged data, and an End User License Agreement (EULA) that almost certainly says that the product was sold to you AS IS and that XYZ company cannot be held liable for any damage that results from the use of their software.

      “Companies today are very paranoid (and rightly so) about system intruders and industrial espionage. With this in mind, why would you turn to Open Source software?”

      I think I answered this already. 😉
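
The checksum check dean0 recommends above, written out as an added example (this is not code from the thread or from any project it mentions). It assumes the distribution site publishes a SHA-256 list in the common `sha256sum` output format (`<hex digest>  <filename>`); the package bytes, the tampered variant and the checksum list are all constructed here for the demonstration. A name missing from the list, or a malformed list, is treated as a failure rather than skipped, so an edited or truncated list cannot quietly verify nothing.

```python
"""Verify a downloaded file against a published SHA-256 checksum list.

Added example for the thread; not the project's or the poster's code.
Assumes the sha256sum text format: "<64 hex chars>  <filename>" or
"<64 hex chars> *<filename>" (binary mode). Sample data is constructed.
"""
import hashlib
import hmac
import re
from pathlib import Path

# One line of sha256sum output: 64 hex digits, a space, then either a
# second space (text mode) or '*' (binary mode), then the file name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S.*)$")


def parse_checksum_list(text):
    """Return {filename: lowercase hex digest} from sha256sum-style text.

    Blank lines and '#' comments are ignored. A malformed line, or the
    same name listed with two different digests, raises ValueError so a
    damaged or edited list is rejected instead of silently ignored.
    """
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in sums and sums[name] != digest:
            raise ValueError(f"conflicting digests for {name!r}")
        sums[name] = digest
    return sums


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large downloads fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bytes(name, data, checksum_text):
    """True only if `data` matches the digest the list gives for `name`.

    A name absent from the list fails: a file that appeared on a mirror
    after the list was published must not pass by default.
    """
    expected = parse_checksum_list(checksum_text).get(name)
    if expected is None:
        return False
    # compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(expected, sha256_bytes(data))


def verify_file(path, checksum_text):
    """Same check for a file on disk, keyed by its base name."""
    p = Path(path)
    return verify_bytes(p.name, p.read_bytes(), checksum_text)


# Constructed sample: a fake release archive, a tampered copy that has
# extra behaviour appended, and the checksum list the site would publish.
GENUINE = b"#!/bin/sh\necho 'sample package payload'\n"
TAMPERED = GENUINE + b"echo 'behaviour the published source never had'\n"
PUBLISHED_SUMS = (
    "# SHA256SUMS for sample-package 1.0 (constructed for this example)\n"
    f"{sha256_bytes(GENUINE)}  sample-package-1.0.tar.gz\n"
)

if __name__ == "__main__":
    print(verify_bytes("sample-package-1.0.tar.gz", GENUINE, PUBLISHED_SUMS))   # True
    print(verify_bytes("sample-package-1.0.tar.gz", TAMPERED, PUBLISHED_SUMS))  # False
    print(verify_bytes("not-listed.tar.gz", GENUINE, PUBLISHED_SUMS))           # False
```

A matching digest only tells you the bytes you hold are the bytes the list describes. That is the point of "from a reputable source" in the post: if the checksum list is fetched from the same untrusted mirror as the binary, both can be replaced together, so the list itself needs to come from the project's own site or carry a signature you can check.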

      • #3291257

        An amusing side note…

        by bixbyru ·

        In reply to There are some flaws in your premise.

        Quoth KaceyR:

        >> In addition, if you have the time and intellect
        >> to review and completely understand the source
        >> code, why are you wasting your time downloading
        >> someone else’s product when you can make your
        >> own with the same level of effort?”

        Thus spake Dean0:

        > Just a second, I’m going to write your info down
        > just to make sure no one I know will hire you if
        > you apply for a developer’s position. The level
        > of effort required to read and understand well
        > written source code is nowhere near the level
        > required to create well written source code.
        > Your assertion flies in the face of good
        > development practices, specifically the concept
        > of reuse.

        The specification for COBOL was created at a time when the world was quite paranoid and very few of these paranoid people trusted “those long-haired, bearded, sliderule-carrying, scientific computer types.”

        A requirement was that a programme written in COBOL had to be understandable to a non-programmer.

        That way you could get a trustworthy, short-haired, cleanshaven, all American Joe to verify that your system wasn’t passing your hard-earned buckaroos to the Ruskies.

        That’s why it’s so verbose and clunky, although for form-stuffing, accounting and database stuff it’s great.

        Bix

    • #3291264

      Reply To: Open Source software vs. Proprietary software

      by bixbyru ·

      In reply to Open Source software vs. Proprietary software

      Many of the arguments in this forum have to do with whether OS/FS is ready for prime time.

      Concerning “enterprise ready,” I believe Unix et al (including Linux) is ready for the enterprise and that Windows is not.

      Somewhere we’ve lost touch with what the enterprise is.

      That a Linux infrastructure requires skilled management and some customization is no barrier to its being “enterprise ready.”

      The enterprise isn’t Joe consumer who buys a computer, takes it home and expects it to unpack itself, waddle over to the ‘phone line, jack itself in and dial up AOL.

      Enterprise computing was built on Unix, VMS, IBM mainframe systems and their kin, not the relative ignorance of the modern consumer.

      BTW, “consumer” is in and of itself an evil word. We lost an important facet of this culture with the growing disuse of the word “customer” as in Microsoft-customer relations.

      A retail store will spend thousands of dollars on custom counters and fixtures.

      A larger company might spend a quarter of a million dollars per floor on buildout when they move into a building.

      The enterprise needs a reliable, flexible IT infrastructure and that requires a substantial investment. Only recently has this been poorly understood.

      The advantage gained by using commodity hardware and avoiding the costs of proprietary systems is lost when companies stop using commodity operating systems and infrastructure software in favour of a broken, proprietary operating environment.

      Many pointy hairs bought the MS Party Line about “easy to install and manage” and their bald faced lies about security and reliability.

      It never entered their empty little heads that inexpensive hardware breaks more often than do server grade systems and that the “network operating system” Microsoft hawks breaks more often than a Yugo. A mumbled “That’s the fault of the administrators” is the usual riff when things go horribly awry.

      ‘Course, when the “administrator” is untrained because “MS is easy to administer,” they really are in part to blame, but it is more the fault of marketroids, ignorant, “consumer grade” managers and the designers of the dysfunctional “NOS.”

      In reality, the enterprise needs Mack trucks, IBM or comparable servers, Snap On tools, decent shelving, durable carpet et cetera.

      Cheap doesn’t cut it. There are many nasty phrases such as “the easy way out” and “the path of least resistance.” There’s a reason for that, and MS is the “easy way out.”

      People expect to expend no effort, and indeed do expend very little effort up front.

      Then come SQLSlammer, MSBlast et cetera. Then comes a clogged registry and “old Windows disease.” Then come weekly patches which frequently break things. Then comes Windows Hell.

      The enterprise needs to get off its collective duff and remember that it gets what it pays for, and that to get things done right it needs to do them itself.

      Read the above as “a real IT infrastructure and the expertise to make it work,” rather than so-called “easy to use” crapware and toweringly ignorant “engineers.”

      Being an EE I can say that. Software “engineers” and MCSEs frequently operate in an environment free of accountability.

      I operate in an environment of accountability. If I screw up, a building might burn down and a thousand people die.

      That’s what being an engineer is.

      Reliability is not optional, and those who would sacrifice security and reliability in favour of a little temporary convenience deserve none of the above.

      Cheers,

      Bix

    • #3291263

      A word on OS/FS being “ready.”

      by bixbyru ·

      In reply to Open Source software vs. Proprietary software

      Many of the arguments in this forum have to do with whether OS/FS is ready for prime time.

      Concerning “enterprise ready,” I believe Unix et al (including Linux) is ready for the enterprise and that Windows is not.

      Somewhere we’ve lost touch with what the enterprise is.

      That a Linux infrastructure requires skilled management and some customization is no barrier to its being “enterprise ready.”

      The enterprise isn’t Joe consumer who buys a computer, takes it home and expects it to unpack itself, waddle over to the ‘phone line, jack itself in and dial up AOL.

      Enterprise computing was built on Unix, VMS, IBM mainframe systems and their kin, not the relative ignorance of the modern consumer.

      BTW, “consumer” is in and of itself an evil word. We lost an important facet of this culture with the growing disuse of the word “customer” as in Microsoft-customer relations.

      A retail store will spend thousands of dollars on custom counters and fixtures.

      A larger company might spend a quarter of a million dollars per floor on buildout when they move into a building.

      The enterprise needs a reliable, flexible IT infrastructure and that requires a substantial investment. Only recently has this been poorly understood.

      The advantage gained by using commodity hardware and avoiding the costs of proprietary systems is lost when companies stop using commodity operating systems and infrastructure software in favour of a broken, proprietary operating environment.

      Many pointy hairs bought the MS Party Line about “easy to install and manage” and their bald faced lies about security and reliability.

      It never entered their empty little heads that inexpensive hardware breaks more often than do server grade systems and that the “network operating system” Microsoft hawks breaks more often than a Yugo. A mumbled “That’s the fault of the administrators” is the usual riff when things go horribly awry.

      ‘Course, when the “administrator” is untrained because “MS is easy to administer,” they really are in part to blame, but it is more the fault of marketroids, ignorant, “consumer grade” managers and the designers of the dysfunctional “NOS.”

      In reality, the enterprise needs Mack trucks, IBM or comparable servers, Snap On tools, decent shelving, durable carpet et cetera.

      Cheap doesn’t cut it. There are many nasty phrases such as “the easy way out” and “the path of least resistance.” There’s a reason for that, and MS is the “easy way out.”

      People expect to expend no effort, and indeed do expend very little effort up front.

      Then come SQLSlammer, MSBlast et cetera. Then comes a clogged registry and “old Windows disease.” Then come weekly patches which frequently break things. Then comes Windows Hell.

      The enterprise needs to get off its collective duff and remember that it gets what it pays for, and that to get things done right it needs to do them itself.

      Read the above as “a real IT infrastructure and the expertise to make it work,” rather than so-called “easy to use” crapware and toweringly ignorant “engineers.”

      Being an EE I can say that. Software “engineers” and MCSEs frequently operate in an environment free of accountability.

      I operate in an environment of accountability. If I screw up, a building might burn down and a thousand people die.

      That’s what being an engineer is.

      Reliability is not optional, and those who would sacrifice security and reliability in favour of a little temporary convenience deserve none of the above.

      Cheers,

      Bix

    • #3291258

      wow…

      by doyle.jack ·

      In reply to Open Source software vs. Proprietary software

      I think you are worrying about something not worth worrying about.

      Even if you don’t examine the code, plenty of people do. If the author were being shady and it’s a popular enough piece of software that more than a handful of people are using it… it wouldn’t stay a secret for long.

    • #3305229

      Try Red Hat

      by calson ·

      In reply to Open Source software vs. Proprietary software

      If it is assurance you are looking for, get a red hat enterprise system with support. You are guaranteed to get a stable system with code that is not downloaded.
      That’s the great thing about open source, it gives you options.

    • #3305202

      Trojan software is not a flaw of the host software!

      by piedad ·

      In reply to Open Source software vs. Proprietary software

      There are so many claims of an operating system or software being less secure simply because a trojan was created for it, similar to the argument of this topic’s author. Come on. Anyone can create a trojan for any system, no matter how secure, simply because it works on the principle of fooling the less knowledgeable into a false sense of security. You can create a trojan program which erases all the files in a directory and call it chkdsk.exe, post it on the internet, and surely someone will download it and use it. Does it mean that DOS or Windows is the culprit? Of course not – it is that person’s ignorance and poor security practice. When someone knocks on your door claiming to be the police, do you open it and let him in without checking his identification?

      Open source software is not any more prone to trojan attacks than closed-source software, as I can easily virus-infect a piece of Windows software and distribute it on the internet.

      The point has already been made in another reply – that it is plain common sense that you only download software, whether open or closed source, from trustworthy sites.

      To the topic author, please, do not spread FUD about Open Source when it is obvious that you are just trying to put down something you do not know much about. Open source software is driving a lot of innovation that we do not see in proprietary software, and is also providing the market competition that is bringing software pricing to a more reasonable level.

      • #3305183

        Since when is a Trojan a flaw?

        by kaceyr ·

        In reply to Trojan software is not a flaw of the host software!

        Trojan software is never a flaw. It’s carefully cultivated, and the trojan code will probably work as well as, if not better than, the host software.

        We’re not, necessarily, talking about a system utility, but a trojan stuck into the core of the product itself.

        As for the downloading of software only from trustworthy sites, trust of the source is primary to the discussion.

        • #3305179

          Trusted Origin of Application

          by andrew.dyer ·

          In reply to Since when is a Trojan a flaw?

          Kacey,
          I fail to see how if “trust of the source [origin] is primary to the discussion” how this applies only to open source. Does not trust apply equally well to both closed and open source applications?

          In fact, you bemoaned that you have to eyeball open source code for any backdoor/trojans contained therein. I can understand that would be a pain if you felt the need. But at least you can. How are you going to do that with closed source exactly?

        • #3305144

          Foxfire

          by hkball ·

          In reply to Since when is a Trojan a flaw?

          … interesting that you should use Foxfire (FF) as a for-instance … I am a management consultant (mostly business plans), have used the net a lot on a day to day basis since 1996 … been totally a Microsoft user, do some programming, for my own consumption … have XP, but SP2 was such a hassle I went back to Win2000 Pro…

          … gradually over time problems have gotten worse and worse with viruses, and more recently spyware (have all the protection programs, firewall, etc) … downloads of MS upgrades were extremely aggravating in that frequently programs I had been using no longer worked …

          last summer I was reading a discussion like this of what programs to employ to combat adware (Spybot, Spyguard, etc), someone said the best way around the problems was Foxfire, so downloaded it and installed it from the Mozilla site …

          … since July I have had zero problems with viruses or spyware of any kind, no more MS updates … Foxfire is a lot cleaner and faster, and the adblock feature is terrific ….

          … never had given Open Source much thought, but because of this experience I sure am now … this discussion is really an excellent one, has given me all sorts of insights into the various pros and cons … as to whether the internet community is ready for Open Source, I can say for sure that Foxfire is … interesting, 4-5 months ago, there were various sites that I couldn’t access properly with FF, had to use IE, but now almost all those sites work !! … think the big surge of FF usage over the last few months has influenced sites to reprogram to industry standa

        • #3305129

          re: trojans

          by apotheon ·

          In reply to Since when is a Trojan a flaw?

          This actually brings up a very important point, particularly as regards using MS software in preference to Unix-based open source software, and most specifically as regards your chosen example of using IE in preference to Firefox.

          Unix software, for the most part, forces the user to make a conscious choice to trust a source before any new code is accepted, “installed”, and run on the user’s system. Open source software in general follows that lead. Firefox in particular is effectively barred from downloading and installing software with access to anything outside of Firefox itself, because it doesn’t incorporate ActiveX and other misfeatures of IE.

          ActiveX cuts out the middleman. All those security issues that you would blame on lusers in a Unix environment (such as a Linux OS) are allowed to develop without even requiring any user interaction. If a given website loads with an ActiveX control, for instance, that installs a trojan horse on your system, it’s too late — you’ve already opened yourself up to system compromises. If you won’t blame IE for the problem, you can’t blame the user.

          If, on the other hand, you’re willing to ascribe the vulnerability to IE, where it belongs, you’ll once again find yourself in a position to blame the end-user. The reason, of course, is that the user has used IE, a known vulnerable system. IE is, in effect, a trojan horse all its own, interacting with malicious code on the web in a manner detrimental to the stability and security of the user’s system. The decision to use IE, then, becomes a violation of intelligent security policy.

        • #3304916

          double speak detected a.k.a. MS-FUD

          by tony_moey ·

          In reply to Since when is a Trojan a flaw?

          i am sorry, but it seems like you are contradicting yourself (and you sound a lot like u r working for Microsoft)… allow me to quote u : “As for the downloading of software only from trustworthy sites, trust of the source is primary to the discussion.”

          now, why don’t you ask all the ppl here, whom they trust more? Software that you can pry open, line by line or software that you can’t even peek into legally?
          It’s like asking us to buy a car and not open up the boot, even when the car has stalled 😉

          Go figure!

    • #3305175

      Managing Complexity

      by madgeorge ·

      In reply to Open Source software vs. Proprietary software

      KaceyR, you guys in the Micro$oft FUD Department miss 2 points:

      It’s about managing complexity. Either you pay someone – like Micro$oft – to take care of all your problems for you, and accept what you get, or you pay some attention to things like checksums, and automake, and take charge of your life. Hit a reputable site and look at LibraNet to see how painless this can be.

      And it just doesn’t happen. For all you Linux-will-fail doomsayers, when did a large segment of THAT Open Source society ever get hit? Even with 3 times the web server presence of Micro$oft IIS, it’s Micro$oft that makes the news.

      • #3305083

        Furthermore…

        by bixbyru ·

        In reply to Managing Complexity

        …how many people are migrating from OS/FS to Windows…?

        Going away, my royal ass. The original premise is as flawed as a block of decomposed granite.

        Bix

        • #3305073

          “Going away, my royal . . .”

          by apotheon ·

          In reply to Furthermore…

          I got a good chuckle out of that. Thanks.

    • #3305145

      Both are Good…..

      by yanipen ·

      In reply to Open Source software vs. Proprietary software

      It is just a matter of choice.

      You might be sleeping right now, KaceyR, but I am posting my reply anyway. You might read it when you have the time.

      From what I have read of all the replies from different members, and your replies to them, I think you already know the answer to your question: “With this in mind, why would you turn to Open Source software?”

      First-party vendors like Microsoft make good products, but sad to say, they release them without thoroughly testing them. That is why from a Retro-Active Company, they have become Reactive. And they made a vow to be Reactive. You know what I mean.

      Open source software is meant to be free, with such a multitude of developers doing their part to produce very good and stable software. But to all this, there is a catch. It is prone to abuse. That is why they have a host, like Linus. The host, or hosts, has the final say on this. That is why there are corporations investing in open source software. Need I say more? Oh, you know where this is going.

      In your example, with Firefox, will you download it from an untrusted source? Of course not. Maybe you just misunderstood open source software, or maybe not? An example is RedHat: there were rumors then that the boot sector modifications they make look like a virus. But since they are a legit company, they assure their users that it is not. And it is proven and justified.

      Again, it is just a matter of choice. There are dangers in using opensource software, but do you think there is none with proprietary software?

      Having said my piece, I rest my case. I hope this enlightens.

      • #3304968

        Thank you for paying attention.

        by kaceyr ·

        In reply to Both are Good…..

        You’re right. I do already know the answer to my own question. What I didn’t have, that I have now, is a resource in a public forum that supports my conclusion.

        I didn’t decide to post the article on TechRepublic by accident, but the timing (with the release of Firefox) was sheer luck.

        I have several clients who enjoy the posts here, so I titled it in a way to grab their attention and wrote it to reflect their own level of uncertainty about Open Source software.

        I must say, it has taken on a life of its own that I never expected, much less to have made it as a front page discussion!

        I think (that is to say, I hope) that they will read all of the posts and decide to give Open Source a chance.

    • #3305102

      Open Source

      by a-alexr ·

      In reply to Open Source software vs. Proprietary software

      You can always take a cheap shot trying to poke a hole in a product but at least you don’t risk a broken leg falling into the many holes a typical Windows system provides.

      I’m an ex-Microsoft server level tech who ran down bugs from NT5 that became what is known as 2000 Server/Pro during the last of the 90’s. Sure that was pre-RC1 but we were still patching NT 4 – people still want SP7 on that. It would be at SP12 by now. I still love 2000 Server/Pro but find Linux has over 40 years of history to become secure and a world to draw from for expertise.

      Bottom line is any server needs to be hardened and is not a machine for “browsing around the Internet”.

      As for personal machines – rebuild XP a couple times a year or run Open Source and take a tiny chance on your scenario. Load XP from CD (or network share) and by the time you can get Service Packs and security updates applied, you have a significant chance of contracting Bagle, Sasser or their many variants.

      There never has or ever will be a connected machine that cannot be compromised if someone wants in bad enough. I will gladly choose Linux.

      If your legal recourse demonstration meant anything – there would be no Microsoft at this point. Too many ambulance chasing attorneys would have given their right arm to have a class action suit with the world as members.

      • #3305084

        40 years…?

        by bixbyru ·

        In reply to Open Source

        You do know your history, Sir. Most folks assume that Unix sprang into being in ’70 and stood on the shoulders of nothing else.

        However, I must disagree about whether or not a connected box can be hacked.

        Limit the number of ports about which the thing cares, plug every single buffer overrun and provide no remote execution, management or login features and a box might be totally secure.

        In any event, I believe that unhackable without “luser assistance” is a realizable goal.

        It’ll also be less fancy, but hey – it’s a server.

        Cheers,

        Bix

        • #3305074

          40 years . . . ?

          by apotheon ·

          In reply to 40 years…?

          I keep forgetting we’re in the 21st century already.

    • #3305099

      OSS is about Transparency

      by tony_moey ·

      In reply to Open Source software vs. Proprietary software

      Well, the point here is…OSS is all about transparency and community team work. It is always better in the long run for 100 of us to move a step ahead together than to have 1 of us go 100 steps ahead of the rest.
      I do agree that it’s not in the best of selfish interests to develop on an OSS platform and in certain cases, proprietary software still has a role to play but i see its days as numbered…VERY numbered considering the fact that even 10 year olds can develop full-fledged websites nowadays 😉
      The ball has rolled and it’s not stoppable anymore nor is it reversible.

    • #3305008

      While we’re talking about paranoia……

      by ponderworks ·

      In reply to Open Source software vs. Proprietary software

      Since we seem to be dealing with KacyR’s paranoia about the “possibility” of foul play, how do we know you, KacyR, are not a shill for Microsoft? It would be a great ploy to send out the Microsoft minions to perpetrate the politics of fear on all us little IT developers et al out here. A little seemingly innocent reasoning, an ad nauseam thread about the dangers (omigosh!) and next thing you know, the fearful people run into the arms of big momma Microsoft.

      There is sooo much open source out there right now running mission critical websites, apps, and infrastructure that your point is pointless.

      Truth is, there is no guarantee no matter what you do. Microsoft costs companies billions in lost time and meaningless effort in updates that should never have had to be done.

      It is an issue of who you want to control the store….them….or you?

      • #3304971

        You make a good point.

        by kaceyr ·

        In reply to While we’re talking about paranoia……

        Of course, you also sound a little like a conspiracy theorist.

        I’ve already identified, in previous posts, what my intentions for the discussion are. You either believe that, or you believe that I’m a Microsoft agent seeking to instill fear in the hearts of the Open Source community (yeah, right).

        So, much like Open Source software, the choice is yours.

        • #3304892

          no paid shill

          by apotheon ·

          In reply to You make a good point.

          I, for one, don’t believe you’re a Microsoft paid shill. A lot of what you’ve said would fit, but I think they’d yank your funding for a few things you’ve said.

    • #3304932

      Wonderful Theory

      by bob.gman ·

      In reply to Open Source software vs. Proprietary software

      Your premise represents a theory. One that can be validated by the available data. Which has a better track record of security?

      Windows with daily crashes, hourly virus attacks, lost data (or data locked into a proprietary format I can’t access without MS permission).

      Or Linux (or Firefox, or Open Office or Evolution or Samba, etc) that never seems to crash or require a reboot. Never seems to suffer a virus attack. Which leaves my data in an open format that I can access with other non-proprietary tools.

      If you answer Windows – you are obviously not paying attention. And if you aren’t paying attention, why are you wasting our time on your stupid opinions?

    • #3304903

      History repeats again

      by tony_moey ·

      In reply to Open Source software vs. Proprietary software

      hmm…let’s go for a little history lesson, years ago, MS gave the big boys of tech a good thumping by providing low-cost software that (ahem!) kinda worked. MS did give us, the little guys, the chance to own PCs. Now, MS has become one of the big guys, the greed has set in, and MS wants it all, so…what do we, the little guys do? Open up a new avenue, create history again by levelling the playing field…it’s called revolution and it is the way the little guys make a statement, collectively…it is unstoppable, because it is the very innate human desire to be free !
      All those who failed are those who try to suppress freedom!

    • #3311076

      Fraud of a Straw Man

      by jims ·

      In reply to Open Source software vs. Proprietary software

      I think that KaceyR is just trying to stir the pot and rattle everyone’s cages.

      The argument proposed is faulty and misdirected. If you obtain Open Source software from an unknown source without checking its contents, you might as well start buying Micro$oft products on blank CDs from some guy in an alley at midnight.

      It doesn’t matter what ‘brand name’ the product carries. When you obtain products that aren’t identified from strangers you don’t know – don’t be surprised when you get burned!

    • #3311049

      Poring through all of this, I have a question…

      by elder griffon ·

      In reply to Open Source software vs. Proprietary software

      Early on, KaceyR made the point that open source could be vulnerable to malicious hacks because it was harder to verify sources. A lot of people didn’t think this was true due to checksum verification.

      But KaceyR mentioned that malice and determination could contrive a hacked executable that could pass a checksum test. I didn’t see any specific rebuttal (maybe I missed it). Is this true? Just curious.

      • #3310981

        it’s true

        by apotheon ·

        In reply to Poring through all of this, I have a question…

        One can always counterfeit something. One can always overcome encryption. One can always strike at a protected target.

        All it takes, in the case of the most individuated, most strongly encrypted, or most protected targets is a great deal of expertise and a great deal of effort.

        Using checksums to verify your software downloads actually serves two purposes. One is to ensure that the download occurred without loss or corruption due to line noise, network issues, et cetera. The other is to ensure that you got the right files from the right people.

        In the latter case, the checksum’s usefulness is directly tied to the diligence of the user. It takes more than just downloading a checksum and a file from a single, random website to be certain that you’re getting the genuine article. Cross-comparing checksums from different sites and choosing your download sites carefully to ensure maximum accuracy in the checksum’s results when compared against the downloaded file(s) has an effect on just how useful the checksum is.

        Security, ultimately, comes down to the user’s actions. Where security matters are managed as much as possible by way of a rigid, opaque system, as Microsoft does it, the user’s decision to use the software that comes from that system is, in effect, the user’s decision in regards to security. When that rigid, opaque system’s security is penetrated and compromised, it is in part the user that is to blame for having chosen an unsecure method of accessing software, just as much as it is in part the user that is to blame when he chooses to download software from a given website without checking the site’s credentials, or without double-checking the file(s) downloaded using checksums.

        There is a very narrow range of options in terms of determining how much security can be had from the rigid, opaque method, because much of the security-assurance methodology is handled where the user cannot even see it, let alone influence it. OSS, by being transparent and flexible, allows a wide range of choices on the matter, from “much less secure and easier” than (for instance) the Microsoft way of doing things to “much more secure and requiring more effort and attention”.

        I don’t know enough about the other people who are posting here to be able to tell you how thoroughly they’ve thought this through, but as a professional IT consultant I must deal with issues of software and procedural security every time a solution is examined, in some depth. As a result, the core concepts of security become important to the performance of my job, and the above-summarized understanding of how security procedures work represents those concepts in practice. The ultimate conclusion is that there is no hard and fast answer to the question of whether any given approach is “secure”. One can only refer to a given approach as tending to be “more secure” or “less secure” than another.

        If you approach the matter in a reasonably security-conscious manner, without sacrificing your ability to get things done efficiently, there is no general security disadvantage in acquiring software through the typical OSS channels as compared to acquiring it through the usual shrinkwrapped commercial channels. The key difference is that you can be a complete knucklehead as security is concerned and still get the exact same security assurance from shrinkwrap as if you made a conscious decision in that regard. One can easily achieve the same effect by simply purchasing shrinkwrapped packages of OSS, as well, of course (as some people have pointed out in this discussion). RHEL and SuSE are two examples of how the exact same channels can be used as employed by, for instance, Microsoft.

        So. If you can get the same level of security without a generally detrimental increase in effort in either case, other issues become more important. One of these other issues is, for some people, whether you can achieve an even greater level of security, even if it involves much greater effort: for the most part, the Microsoft answer is “no”, and the OSS answer is “yes”. That particular issue isn’t of much use to many, however, so still other issues come into play, such as system stability, ease of use, functionality, extensibility, foreseeable project longevity, and so on.

        In other words, the technical answer to your question is this: Yes, it’s true, literally speaking. That would generally require credulity on the part of the person accepting the checksum test and a great deal of effort on the part of the person providing the hacked executable. The existence of a checksum, however, is only the beginning, as how you use the checksum can greatly increase its security benefit, and other matters of trust in security pertain to the matter as well. When all is said and done, you can generally get quite enough security in the vectors by which you receive software in either development and distribution model to suit your needs, and as such your decision-making effort is typically better directed at other issues.

        Hopefully, that helps explain the situation to your satisfaction. Thanks, by the way, for asking intelligent questions.

      • #3314630

        I think so

        by flash00 ·

        In reply to Poring through all of this, I have a question…

        I seem to remember reading somewhere (possibly Schneier) recently, that spoofing an MD5 checksum has been demonstrated, but that there is already a proposed replacement for MD5.
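
One way to put the two replies above into practice: apotheon’s advice to cross-compare the digest each site publishes against the file you actually received, and flash00’s note that an MD5 match is no longer strong evidence. This is an added example, not code from the thread, from Mozilla or from any vendor; every file body, digest value and site name in it is constructed for illustration.

```python
import hashlib

# Added example, not code from the thread or from any project named in it.
# It models the checks apotheon describes: compare the file's digest with the
# digest each site publishes, require several independent sites to agree, and
# refuse a digest algorithm with public collision demonstrations (MD5, SHA-1).
# Every file body, digest and site name below is constructed for illustration.

WEAK_ALGORITHMS = {"md5", "sha1"}  # both have published collision attacks


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data using a hashlib algorithm name."""
    return hashlib.new(algorithm, data).hexdigest()


def cross_check(data: bytes, published: dict, algorithm: str = "sha256",
                min_sources: int = 2) -> tuple:
    """Verify a downloaded file against digests gathered from several sites.

    published maps a site name to the hex digest that site publishes.
    Returns (ok, reason). ok is True only when the algorithm is not known to
    be collision-prone, at least min_sources sites were consulted, all of
    them publish the same digest, and the file matches that digest.
    """
    algorithm = algorithm.lower()
    if algorithm in WEAK_ALGORITHMS:
        return False, "%s has public collision attacks; demand a stronger digest" % algorithm
    if len(published) < min_sources:
        return False, "only %d source(s) consulted, need %d" % (len(published), min_sources)
    claimed = {site: value.strip().lower() for site, value in published.items()}
    distinct = set(claimed.values())
    if len(distinct) != 1:
        # Sites disagree: at least one copy of the digest (or of the file it
        # describes) has been altered somewhere. Do not pick a side; stop.
        return False, "published digests disagree: " + ", ".join(
            "%s=%s..." % (site, value[:12]) for site, value in sorted(claimed.items()))
    expected = distinct.pop()
    actual = digest(data, algorithm)
    if actual != expected:
        return False, "file digest %s... does not match published %s..." % (
            actual[:12], expected[:12])
    return True, "matches digest published by %d independent sources" % len(claimed)


# Constructed sample: a "genuine" build and a "tampered" one with extra bytes.
GENUINE = b"firefox-installer: genuine build\n"
TAMPERED = GENUINE + b"; extra payload appended by a bad mirror\n"

GENUINE_SHA256 = digest(GENUINE)
TAMPERED_SHA256 = digest(TAMPERED)


def scenario_clean():
    """Genuine file; vendor site and an independent mirror publish the same digest."""
    return cross_check(GENUINE, {"vendor.example": GENUINE_SHA256,
                                 "mirror.example": GENUINE_SHA256})


def scenario_tampered_file():
    """Tampered file; the published digests still describe the genuine build."""
    return cross_check(TAMPERED, {"vendor.example": GENUINE_SHA256,
                                  "mirror.example": GENUINE_SHA256})


def scenario_tampered_mirror():
    """Tampered file plus a mirror that republishes a matching digest.
    Checking against that mirror alone would pass; the cross-check catches it."""
    return cross_check(TAMPERED, {"vendor.example": GENUINE_SHA256,
                                  "mirror.example": TAMPERED_SHA256})


def scenario_single_source():
    """The same bad mirror consulted alone: the weak case apotheon warns about.
    The check passes, which is exactly why one site is not enough."""
    return cross_check(TAMPERED, {"mirror.example": TAMPERED_SHA256}, min_sources=1)


def scenario_md5():
    """A matching MD5 from two sites is refused before it is even compared
    (flash00's note); the value here is a constructed placeholder."""
    md5_placeholder = "0" * 32
    return cross_check(GENUINE, {"vendor.example": md5_placeholder,
                                 "mirror.example": md5_placeholder},
                       algorithm="md5")


if __name__ == "__main__":
    for name in ("scenario_clean", "scenario_tampered_file",
                 "scenario_tampered_mirror", "scenario_single_source",
                 "scenario_md5"):
        ok, reason = globals()[name]()
        print("%-26s %s  %s" % (name, "PASS" if ok else "FAIL", reason))
```

Note that scenario_single_source passes: a digest copied from the same place as the file proves only that the two were published together, which is the gap the cross-check closes.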

    • #3310984

      open source is not about assurance, neither is the proprietary

      by kyuso ·

      In reply to Open Source software vs. Proprietary software

      Neither open source nor proprietary software guarantees anything.

      I have never seen any proprietary software guarantee anything. Even to the point of making you agree, by forcing you to press the ‘I agree’ button or by implicitly agreeing if you do install, that you are not ever going to sue the company for any features that damage your data.

      But open source at least guarantees that you can look at the source code, modify it as you see fit, or at least know that there are many people looking at the inside and hope for some assurance.

      The issues that are given only occur if the software is downloaded in binary form from a non-official download site, which is equivalent to buying proprietary software from a shady vendor (probably a pirate, who knows), which would have exactly the same problem if it happens to contain malicious malware. In this case, you cannot ever sue the original vendor at all.

      At least open source allows you to download the source code from an official site, compile it any way or form you want, then execute it. This is very easy for an open source platform.

      • #3314581

        Are you for real?

        by ctrstrike ·

        In reply to open source is not about assurance, neither is the proprietary

        Pirates – LOL.

        Ever hear of HPOV[HP], NetView[IBM], Tivoli[IBM], HPUX[HP], Solaris[Sun], Oracle, Sybase, DB2 – any of these? They are expensive to develop, enhance, and maintain and are standards that our industry uses and counts on in the IT management sector [all proprietary BTW].

        What is your customer’s assurance, when he’s just spent millions of dollars on a solution [tried and true – POC/Benchmarked etc], that it will work tomorrow if you start tinkering with it [to your comment on seeing the code and modifying it]? Most proprietary COTS SW comes with extensions for customization as needed without jeopardising the app.

        • #3314354

          news flash

          by apotheon ·

          In reply to Are you for real?

          OSS generally is extensible in the same way and, even better, if you decide to modify the core app itself and it doesn’t work out you can always just get it again, for free.

          Keep in mind that Linux, as the canonical example of OSS, comes from the same roots and offers the same functionality as HPUX, AIX, Solaris, SCO UNIX, System V, and all the rest of the Unices, proprietary or otherwise. In fact, the fastest supercomputer in Europe is an IBM product built on Linux using clustering technology.

          Whole cities in Europe and Asia are standardizing on Linux. The US government is involved in the SELinux project. Microsoft’s own websites are protected by a third-party proxying service provider that runs BSD (an open source Unix very similar to Linux) on its servers.

          You might want to catch up with the real world. OSS is a more serious professional option than you seem to realize.

        • #3314181

          Very argumentative…

          by ctrstrike ·

          In reply to news flash

          Apo you might want to can it with the get up to speed crap. Unfortunately most of the programs that I’ve designed and put to the field can’t be talked about in these forums [for the case in point] but the examples you cite above are small fry my friend. In many cases when you’re a successful engineer [such as myself] you work with these ‘proprietary’ vendors to help them develop their code to support your customers’ needs [I’m the middle guy in this case]. Why, you ask, would I do that? Because OSS isn’t accepted by the big paying population – READ UP BUDDY. By working with the vendors I can have the applications enhanced [in many cases working the coding mods side by side with them myself] and in the end a supported solution [by the original vendor] that can safely be sold to the customer.

        • #3314075

          unsupportable nonsense

          by apotheon ·

          In reply to Very argumentative…

          Everything you’ve said flies in the face of demonstrable, visible facts of the industry. Big paying population? Really?

          International banks, rendering farms for the major studios, governmental agencies, Google, US government military contractors, even Microsoft itself are using open source solutions. Are you forgetting that IBM is making money hand over fist rolling Linux-based mainframes out their door?

          You seem to have this impression that the term “open source” equates to “rinky dink”. Linux and BSD, both open source projects, are Unix OSes. They have all the robustness, stability, and security of any Unix system, and more flexibility. In fact, OpenBSD, one of those open source OSes you would so quickly dismiss, is widely regarded as perhaps the most secure networking OS in the world.

          DNS and BIND, on which the Internet depends more heavily than any other pair of software packages, are open source. Perhaps you aren’t aware of the fact that they’re open source technologies.

          Your dismissive attitude toward OSS indicates either a lack of knowledge or a lack of scrupulous honesty.

    • #3310982

      This premise too ridiculous NOT to comment

      by skipc ·

      In reply to Open Source software vs. Proprietary software

      From the email newsletter topic:
      FEATURED DISCUSSION: OPEN SOURCE SOFTWARE VS. PROPRIETARY SOFTWARE

      I won’t quote the rest, but in reply to the points offered:

      – You downloaded Firefox off an unknown third party site most likely AND you didn’t check the signatures first? That takes LESS time than what you go through for purchasing proprietary s/w, yet you didn’t do it… Consider it your punishment!

      – If this happens with your proprietary s/w, do you REALLY think you will get anything but denial from the manufacturer?? You’ve obviously never tried this before 😉 It will take lawyers to get attention, and more $$ than you probably lost.

      – AND, you should read the license agreement. I haven’t found one in which you don’t agree to hold them harmless and you agree that they are not responsible for any loss or damages. The MOST you should be entitled to is a REFUND of your purchase price according to your agreement.

      Now, if you’re savvy enough, AND this is a legitimate problem with the open source program, you can check it. However, the initial premise is apples and oranges. In one case, it’s a distribution channel issue, which is not entirely open source related, and the other is a programming error. I think it’s interesting that in this scenario, the open software wasn’t flawed, but the other was.

      Skip

    • #3293599

      Looking for someone to blame?

      by sampost ·

      In reply to Open Source software vs. Proprietary software

      So far, your main argument seems to be that IF something went wrong and IF you lost data from a bad open source project, there would be nobody to blame…

      The assumption being that with a “real” company, you would have someone to sue in the event of data loss. If you’re using commercial software and it breaks, causing you to lose money… then there should be someone to SUE to get that money back.

      I don’t know about you, but I’ve NEVER heard of a successful lawsuit against microsoft for lost data, time, or money. I HAVE heard hundreds of complaints about lost productivity, downtime, and even lost DATA that was caused by their malfunctioning commercial software.

      As a side note, read the license agreements that come with open source code… there are no guarantees. You accept the risk that the products might not work. By using open source software, you legally agree to NOT hold the makers liable for the (mis)use of their products.

      Thank goodness, because I think we’ve had more than enough frivolous lawsuits to last us a millennium… people suing McDonalds because the coffee was too hot (140 F), suing a bike manufacturer because there was no warning label saying “Dangerous to ride this bicycle in the dark on the freeway”, and other such nonsense. And I won’t even mention SCO and their witch hunt.
      Open Source has no legal guarantees… but a MUCH cleaner track record than 95% of all commercial products that do.

      You take your pick — is it more important to you to use a product that costs more (but comes with defunct, unenforceable legal guarantees), or a product with no guarantees but a shining track record?

      Granted, OSS isn’t ready for the desktop, and most users don’t care what software they use as long as it works… but blindly adhering to corporate products because it’s “safer” is like shooting up with a sterilized needle… harder to get AIDS, but you’re still in for a trippy ride.

      • #3293486

        Not ready for the desktop . . . ?

        by apotheon ·

        In reply to Looking for someone to blame?

        I beg to differ. This message was posted from my desktop system, using a 2.4GHz P4 with a fully-supported Radeon 9500, running Debian GNU/Linux. I’m using the Firefox browser. I have OpenOffice, several instances of software design environments (part of my