Technology

OPINION

Can Open-Source Software Survive an Audit?

In case you live on the moon, what happened last week was that a small amount of Microsoft source code was leaked to the Web. Granted, small is relative. The leaked code consisted of more lines than I’ve ever written in my life, but early measurements had it at about 15 percent of Windows 2000.

Evidently, the leak was done by a vendor that uses the code to facilitate running applications written for Windows on Linux and Unix. Microsoft eventually confirmed the leak, but that hasn’t stopped the barrage of commentary from security experts, journalists, analysts and, amazingly enough, the open-source community, which waxed eloquent on why the exposure of Microsoft code to the Web was a disaster for the company.


EDITOR’S NOTE (February 20, 2004): Rob Enderle is responding to comments about this column in the talkback forum. Scroll to the end of the article to participate in the discussion.


Now, don’t get me wrong. Like the President of the United States, Microsoft has a huge credibility problem, which means that every time almost anything happens to the company, folks come out of the woodwork to espouse nefarious motives and catastrophic outcomes. They are almost never right, but it does make for interesting reading.

Silver Lining in the Leak

As it turns out, this leak might be a cloud with a silver lining for Microsoft. Much like the effect of the U.S. presidential primaries on the party in office, a source-code leak generates a huge amount of discussion about why source code on the Internet is a bad thing. And because the origin of these negative comments is largely the open-source community — or folks who appear aligned with the open-source community — the source-code leak is having the interesting side effect of causing people to question the security of open source in general.

This has to be one of the least intelligent moves I’ve ever seen from an advocacy group — and I’ve seen some whoppers.

Remember that the open-source community uses the thousands-of-monkeys method to ensure security. This method hearkens back to the college theory about a thousand monkeys who — if given all eternity and endless typewriter ribbon — eventually type out the complete works of Shakespeare.

The open-source community argues that with thousands of eyes looking at the code, the code is much more robust and the security of the resulting products is near absolute. Any CIO or CFO who hasn’t heard that this is the method of the open-source community will probably be reaching for the heart-attack pills about now.

The Impact of Sarbanes-Oxley

The open-source advocates have been able to maintain the thousand-monkey argument largely because the opinion was widely held that open-source software benefits from lots of volunteers and is therefore more secure than proprietary closed-source software. But Enron, and particularly Sarbanes-Oxley, has turned this notion on its head with a vengeance. I’ve been getting e-mail from CIOs that indicates they are increasingly becoming aware that open-source software might not pass any security audits designed to comply with Sarbanes-Oxley.

That is because, in an audit, you have to be able to certify every part of an application. If there is even a chance that someone who has not been properly qualified touched a financial application or the platform on which that application resides, IT will fail the audit. Corporate boards are motivated to take draconian measures when this happens to protect their own assets.

Until the Microsoft problem surfaced, IT had time to think through this issue and look for ways to mitigate it because the audit was clearly going to be focusing more on physical controls than electronic ones — under the assumption that one was a greater exposure than the other — and because the initial staffing for any audit function is financial, not IT-based.

However, the increased awareness this issue has generated should cause some of the teams to reassess their adoption of open-source software. The reason this idea came up — outside of the fact that some of Microsoft’s source code made it onto the Internet last week — is that I had lunch with a friend of mine who is in the executive search business. She specializes in CFOs and other financial executives. Right now, apparently, the hottest job on the market is Audit Manager.

Audit Managers in Demand

This lunch, which happened around the time that the code leak became public, caused me to tread back along memory lane and recall how we set up IT audits and what we looked at. When an audit happened, you had to document every place code came from and every place it went.

You had to ensure that no one who wasn’t approved at the proper level touched anything that impacted a critical piece of corporate IP or had even a glancing relationship with financial reporting. And you had to make sure there was no obvious collusion going on that violated the separation of duties controls that existed to protect the company.

I would have had a field day with open-source software, where patches are often received or discussed with outside entities who actually could work for foreign governments or competitors, where collaboration could easily be reinterpreted as collusion, and where the very mention of the thousands of people looking at a product would result in a front-page comment in an unsatisfactory audit.

Internal Audit Practices

Not only was I a field audit manager, but I’ve spent a lot of time over the last several years teaching IT organizations how to survive internal IT audits. Few, it seems, have actually had this experience, and many don’t understand it or its related risks.

An internal audit’s goal is to find problems. Therefore, they tend to be incredibly harsh in their review and have no bias toward open source or Microsoft — or Apple, for that matter. Their authority comes directly from the audit board, and they can actually cause nearly any employee to be fired on the spot if their findings indicate the employee significantly violated a critical policy. Even if that violation was unintentional, termination could still be the outcome.

So, in the face of the Microsoft code leak, I have to think the old saying that people in glass houses shouldn’t throw stones applies here very well. My sense is that these stones, tossed by the open-source community, will be coming back like boomerangs with booster rockets.

I predict that in the near future, a large number of folks relying on open-source software will suddenly see that while auditors can be funny, when it comes to source-code leaks — including the entire source code freely available in the open-source community — they have no sense of humor whatsoever.


Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a company founded on the concept of providing a unique perspective on personal technology products and trends.


41 Comments

  • Just a quick note.
    .
    Do a search for rob enderle on Google.
    .
    First 2 things that come up are sites flaming enderle for his lack of knowledge and his bad journalism. His own company site comes in third…
    .
    does that tell you anything about the relevancy of what he says or thinks?
    .
    peace.

    • I think Rob has gotten to the point of comical. He is like Tim Mullen in that, he can’t just let people be happy using open source. Almost everyone who uses open source _chooses_ to do so. This is not the case with Windows. He likes to use a lot of "what ifs". What if this happened, or this happend, or this happened. Open Source has benefits right now. And it will most definatly have benefits in the future. Apache is the most widely used webserver, shouldn’t we see a million and one exploits for it? We don’t though. That seems a bit paradoxial. What Rob also leaves out is the fact most exploits found for windows are NOT found by Microsoft. They are found by independant researchers such as Eeye. I think Rob is cute. He’s like a little kid. When he’s loosing and argument he gets all flustered and throws in "I know you are but what AM I?"

      • It’s kinda funny that everytime I post something about Rob being fired from IBM it gets edited. In fact, this has to be at least the 5th time my posts have been edited because I mentioned he was fired from IBM. I wonder why? I mean it is true. He was fired from IBM. Subsucent that, he started his business there and become vengeful toward them. I wonder if he edits these posts himself. (btw, I’ll be AM azed if this post ever makes it.)
        —–
        [MODERATOR’S NOTE: We edit posts that are off-topic. Unverified personal attacks about an individual rather than his or her ideas is a direct violation of our terms of service for posting to our discussion boards.]
        —–
        From Rob Enderle:
        |
        One of the things that troubles me a great deal about the Open Source
        movement is the tendency for character assassination. If you say
        something they don’t like they will fabricate stories about you that are
        virtually impossible to disprove. One of the reasons that, here in the
        US, the legal system puts the burden of proof on the prosecution is that
        it is almost impossible to prove a negative. Had I been fired from IBM
        I could prove that, I’d likely still have the termination latter, but
        since I resigned (actually starting at Dataquest the Monday after my
        last day at IBM) there is no termination letter and, unlike the military
        IBM doesn’t issue an "honorably discharged" paper.
        |
        This is the kind of thing that thugs do, they use blackmail to force the
        outcome they want, and in this case, the threat is clear: "Stop saying
        the things you are saying or we will find a way to destroy you".
        |
        I find it fascinating that an organization can be this disingenuous,
        for, while these Open Source advocates seem to advocate "freedom" what
        they actually do is use force to insure that the only freedom you have
        is the freedom to agree with them, making another word more appropriate
        "oppression".
        |
        So much like this group says of SCO, if I was fired, where is the proof?
        If you know who fired me you should be able to name names and a
        termination letter would exist. Since I wasn’t and it doesn’t this is a
        lie that proves you to not only be no better then you allege SCO to be,
        but arguably worse because they actually do have evidence and,
        apparently are telling the truth. (Doesn’t mean they will win, but it
        does suggest you are worse then you allege them to be).
        |
        I have been and continue to be a member of the IBM advisory council; it
        would seem strange that someone that was fired as these thugs and liars
        allege would be retained in this way. I suppose I should be thankful
        that so far the threats of violence have been just that, as they clearly
        are executing on their threats of character assassination.

        • Who cares if you were fired from IBM or not Ron. Do you sincerely believe that you speak the unbiased truth?
          I mean seriously. It’s all lies. If I wanted to and if I had the time, I could get documented proof that claims exactly the opposite of what you say. What is the OSS community supposed to do when it gets blatent obvious lies thrown at it? Tell you you did a good job and keep it up?
          I agree that personal attacks and threats are out of line, but what the hell do you expect? You provoque people and people respond. Cause and effect Ron. You throw the ball don’t expect at least SOME people to try and hit it right at you.
          Me personally, I don’t blame you for writing this stuff. If it’s what you really think then what the hell, you’re entitled to your opinion just like everybody else. I rather blame the editors for not doing their jobs and publishing borderline slanderous garbage…
          Have a nice day.

          • Why is it so much worse for the Open Source movement to indulge in character assassination than for the closed source? This is an article in which you label open source programmers as monkeys and then you get upset if people attack you!
            Personally I do not approve of abuse of any kind, and would tend to ignore anyone who indulges in it. However your highly provocative and utterly misguided piece is given a prominence it doesn’t deserve making it hard to ignore.
            Of course much open source software can survive an audit, being open source it gets auditted all day every day. It isn’t written by everyone adding code willy-nilly but by people submitting code that is reviewed and discussed (often for far longer than is desirable for those wanting a new feature) and then carefully inserted by the package maintainer who is not a hidden company flunky but a publically available individual who answers to his peers for the quality of the code.
            NO closed source software can survive an audit. This is by definition. If it is closed source YOU CANNOT AUDIT IT. (I apologise for shouting but your polemic has got under my skin)
            This simple truth completely negates your whole article. If, and it seems more than a little unlikely, US accounting rules require a company to do a full software audit on all their systems, open source, or better still free software, is the only choice open to them.
            There is no way for you to find out who wrote your MicroSoft software, nor any way for you, as a law abiding citizen to check its quality. Howver the bad guys almost certain have all the code, either by reverse engineering or by hacking in and pinching it, bad guys do these sort of things you know. I cannot think of a single example of MicroSoft closing a software hole before it was pointed out to them by an external agency, if their code were open to audit they would have to find faults themselves and patch them or lose all credibility.
            Surely it is not asking too much that you should think about what you write?

          • Corporate information security is not only about technical improvements or administrative processes. One has to also reach a level of assurance that is acceptable in terms of business goals and IS policies. To gain any assurance at all one simply has to audit things somehow.
            Auditor’s job is to check that written corporate policies, procedures and standards are followed.
            If the corporate policies include some technical requirements the auditor surely will see to it that things happen accordingly.
            The lesson here is that one shouldn’t mix auditing and assurance with technical details like closed source vs. open source discussion. Most important is to choose wisely *what* to audit and *how* the audits are performed (audit subjects and methodology).

          • "The community" has never insulted you, unless you wish to be considered as part of the same community as Darl McBride and similar. Some people have and when they do so they are wrong and very likely to be condemed by other members of the open source community.
            However I haven’t seen any closed source advocates complain about your insulting open source developers, does this mean all closed source developers are tarred by the same brush you apply to their open surce brethren?

          • Okay, I’ll address the spelling cheapshot by asking you personally write a 200 word text, in french(my native tong) withou any help from friends or a dictionary. And then we’ll see who can make more fun of who’s grammar in their second language.
            .
            Thanks.
            .
            And I’m sorry if I hurt your ego. It’s just that you really don’t ever propose any solutions do you. You throw an argument out there, you stand behind it, you’ll even argue people who disagree, but solutions, workaround nope.
            Nothing
            nada. That’s just the way it is.
            People and systems are much more flexible than that. A failed audit doesn’t mean you trash what you got and start over. It doesn’t mean you close the shop either.
            It means the auditor gives you a list of exactly why you fail and if he’s any good, he also gives you a list of corrections. You get to do the work, make the corrections and your next audit passes.
            And that’s something you fail to mention.

          • "The fundamental argument being made is that if I AM going to say things the community disagrees with then I deserve whatever happens to me"
            .
            And once again, you’re completely wrong. I didn’t say you deserved anything. You can reread my statement if you want. the word "deserve" does NOT appear anywhere.
            .
            What I wrote was, you have to expect it. you know? Expect, as in " regard something as probable or likely".
            If I remember correctly, I’ve never called you names, except maybe liar…hmmm okay sorry about that, I’ll refrain myself in the future…
            I’ve never made threats or even insinuated that other people should or even said you deserved anything. Don’t play the victim with me sir. I’m not anti M$ or corporate or anything. And I’m not a fanatic defender of OSS. Hell I’m not a fanatic anything. But I strongly disagree with what you say, and since I have been given a forum to voice it, why the hell not…

          • You actually make your self look more and more ridiculous as you go on. Every argument you apply could happen with closed source and you wouldn’t know. The ONLY difference with open source is that you can know you pass or fail. If you are saying that all you have to do to pass an audit is say "I have checked all I can and it is OK" then the best way to pass an audit is to hire an external company to do it all for you. Of course they could rob you blind and leave you destitute. destitute but well auditted.
            Open source contributions are PUBLIC; since they are public you know who made them, therefore you know if they are data entry staff. You do not know that your chief clerk’s husband sister bookemaker or lover isn’t in charge of patching WinXP or 2003 server edition. Therefore according to your theory you cannot possibly pass an audit.
            There is no point whatsoever applying an argument to open source software and ignoring it for closed source.
            It may have come to your attention that all the financial institutions lock their doors with locks of known design. I doubt their security auditors would be overly happy if they said "we can’t tell you what sort of locks they are, its a secret but the supplier says they are pretty good". Especially when the newspapers are full of reports breakins at banks with the same locks.
            If a company takes the finacial auditting seriously they can appoint an auditor to check the whole of the open source software to ensure there is no back door, can they do that if they use Windows?

          • According to linuxinsider board rules, personal attacks are not allowed.
            .
            >kind of hard to take someone called Sgt. Jake seriously
            .
            If that’s not a personal attack I don’t know what is. Almost every single one of my posts gets edited. How can crap like this make it to the board? I swear, I think the editors of the stories screen the posts for their own stories. Rob is such a hypocrit. Complaining that everyone attacks him blah blah blah, yet he’s the first to dish out a personal insult.
            .
            How can I take someone with a name like Rob seriously?

          • Dear Rob
            To clarify, "SOX" (Sarbanes Oxley) only applies to entities traded on a US stock exchange, (Yes, I AM ignoring the FDIC issues re holding companies) Therefore Section 404 will only apply to those entities.
            These "public entities" are only part of the US GNP, and depending on who you talk to (SBA, etc)are not on a cummulative basis the largest US employers or the greater contributor to the GNP.Therefore most companie using financial software are not effected by SOX or by your article.
            Having done IT audits pursuant to 404, I AM required to test the compliance software used by the public entity. In my opinion if you do not, how can you attest to it working?
            I have as much problem with a system based on Linex as with windows. The issue is access to the system. Microsoft puts out a patch, the companies I audit have IT procedures before they randomly apply that patch. Same with Linex.
            If you issue is the outside security of the financial system, both software is vulnerable. If your issue is internal manipulation, I always assume that they are both vulnerable. At times I have found that both systems do not pass section 404 audit, yet more times than most either software based system will pass.
            as for your comment about the CFO or Audit Committee, as you are aware Sox requires the audit committee to have knowledgeabout how financial systems and audits are done. I have found them to be very knowledgable about IT audits (after all they would be the ones to sign your consulting contract)
            Lastly first name is peter, cpa is my occupation, and I AM registered with the PCAOB

          • My name is Patrick Lefebvre.
            I use Beaner as a handle because it’s been my nickname for roughly 10 years. It’s a very rough English translation of my last name.
            .
            I’m a systems administrator and an electronics technician. I’ve been in this business professionally for about 8 years but I did own my first computer in 1981, a TRS 80 from RadioShack. That I used to program in Basic.
            .
            I’m from Montreal and AM French Canadian.
            .
            I’ve spent pretty much all my "career" as a consultant working for either Pharmaceutical, Financial or biotech research companies. I use a lot more Microsoft products in my everyday life, but I’ve also been a Linux user since 1997.
            To you, maybe that makes me unqualified to argue or comment on anything you say. Maybe, even if I’ve been through financial IT audits, or have had to certify softwares for FDA compliance(cfr-part 11) or have been working in regulated environments pretty much all my career. Maybe I shouldn’t say anything when I think you’re wrong or mistaken or lying.
            .
            But I’m sorry, I can’t help it. Because you only wrote one side of the story. You’ll find a hole or a risk, witch I admit is usually there, and then you’ll exploit it to make a story without ever considering that there may be easy ways to prevent whatever doom you predict from happening. You’re the equivalent of a heckler, in your articles, you often point out flaws and risks. But that’s where you stop you analyses. You don’t tell people how it could be prevented or fixed. Franckly, you’re not ver constructive, or helpfull or even informative for that matter. We can all stand on the sidelines and scream at the refs and we’ve all been guilty of doing it. But when people scream solutions back at you maybe some people need more lessons in listening.
            Oh and just like you, I’ve stated my opinions, on your piece that is, and I stand behind them.

          • Actually once again you are simply wrong, secret source programmers are usually rather more geographically concentrated than open source. Thus if you live in a closed source town you are much more likely to be connected to a closed source programmer than you are to an open source one. Further it will be much easier for the closed source programming team to collude AM ongst themselves since they probably share an office, go to the pub together after work etc..
            Any worthwhile auditor will know that open source software is in general much more secure then secret source rivals, this isn’t conjecture or hypotesis but simple fact. Check the number of commercial computers sending spam to your mailbox because someone inserted a backdoor into them in January.
            I have as it happens been involved in financial, software and safety audits. In all of them the computer systems have been noted and in none of them has the programming philosophy been questioned. It is of course noteworthy that the recent strengthening of US auditting practice has been occassioned because well paid, well qualified, well respected employees of companies that kept their methods secret conspired together to defraud people who had no way of checking what they were doing. It would seem to me that any auditor would be better employed worrying about that route. You also imply that Open Source software is akin to something one assembles oneself, however this is emphatically not the case, most open source packages are backed by large companies who are as likely to be trusted as any closed source company.
            Remeber an auditor is employed to protect you, not to make your life difficult. What a good auditor would say about any software package he did not understand is "Bloggs accountmate is being used in the toggleflogetting department, we are not acquainted with this package and suggest you check its provenance." They should also, as a matter of routine state "We were unable to check if all computers used within this department had had all security patches applied promptly, we also suggest the IT department subscribe to a security information service" what they are extremely unlikely to do is say "This software is open source so its insecure" because to do so would leave them open to action for slandering the software’s supplier.
            It would of course greatly help auditors if some reputable technological journal ran a security comparison of financial software security across all platforms, I hope if they do so they will join MicroSoft’s shared source scheme and review the code revealled to them, they would have to note any sections which did not contain the author’s name and position in the company, and especially note the many incorporated sections of external code. Including of course any open source code they re-use.

          • You miss the point that, yes, although it IS possible that Bob from accounting could possibly be the guy that writes a patch, it IS more than unlikely because a person good anough at programming to create patches for Linux is more likely to work in programming that he is to work in accounting.
            You are also missing the fact that the contributors identity are known and made public. How easy would it be to verify the ID of all the contributors against say, a database of company employees…Not very difficult.
            And you are also missing the fact that, just because Bob in accounting made a patch, the code to the patch and the code of the application can be verified for any so called security breatch.
            You’re just plain wrong and I suspect that whoever you were talking to that gave you the idea for this piece probably mentionned a possible worst case senario, and you ran with it…anything to discredit OSS.
            As usual.

          • Rob, you say "While a Microsoft employee could be moonlighting in accounting, it is incredably unlikely"
            And you also say "Remember, as an auditor I don?t have to prove anything I just have to show that it is reasonably possible that something can happen"
            So by your own reasoning Closed Source software is just as likely to fail to an audit as Open Source software.
            How do you know who employees of the company which has written a crucial part of you Accounting software are ? Do you know whether the work was done by employees of that company or outsourced elsewhere ? Do you know whether this company is incorporating portions of free code ( i.e. not GPL’d Open Source Code ) and whether they are also including any patches for those parts from 3rd parties ?

          • To be pedantic it is hard to both lie and know nothing, but we will let that pass since I hold no candle for anyone making personal accusations. I have no knowledge of any threats of violence from any member of the open source community against you or any other person and I would certainly take exception to any such threats, and even stronger exception to any actual violence.
            I also take exception to your making broad characteristaions of this community in this way. There is currently a scurrilous attempt from SCO to charge companies for other people’s work, but by and large this does not result in open source supporting journalists calling this an attack by secret source companies, it is called an attack by SCO. MicroSoft is pedalling a batch of reports it commissioned as a truth campaign, but again this is characterised as an action by MicroSoft not by all supporters of their coding philosophy.
            If the threats you object to are in the nature of rather loose use of language it will be hard for you to complain about them as you very loosely insult others and wave that off not with an apology but with a repetition.
            Your analogy is, as you well know, utterly bogus. Open source developers are not illiterate primates randomly striking keys, nor are many secret source programmes comparable to Hamlet in their execution. It may be more accurate to compare the open source process with a thousand technical journalists and their editors producing a Times editorial. I hope you believe that with 999 of your colleagues and a good system of peer review you could achieve that.
            Your argumnets are, in my opinion, rather silly anyway, they are not helped by denigration of opponents.
            Incidentally you may feel that I AM writing this as a biassed member of the open source lobby, and it is true that I do use open source software, and largely support the methodology and AM probably biassed too, however I AM also "the inventor" on several dozen patents and patent applications and have contributed many times more lines to commercial secret source code than to any open source projects. I just feel the need to see some rather more balanced and thoughtful reporting of the issues involved.

          • I do not hide at all, I use the name cricketjeff on all websites simply because my surname is Green and there is far too often a Jeff Green registered there when I join and remembering which places I AM JeffGreen and which I AM some other combination is too much effort. If you do a search for Jeff Green and Cricket on any decent search engine you would find plenty of links to my email address.
            I have been involved both in this type of audit and many others and can only say that the auditors involved (from several of the worlds largest accountancy groups) have never had any problem with open source software, and I can see no reason why they would. Their concern is twith the security of the process, they would look to see that it was supplied by a reputable organisation, and Red Hat IBM or even Debian would meet that requirement and that my process for using it was properly documented and the documentation adhered to. Maybe you have only been audited by small firms with little experience or training.
            Although I have no problem with anyone defending their property this is not what SCO group are doing, however this wasn’t my point it was to point out that you may not wish to be associated with every secret source advocate because of the actions of a few, if you prefer I will substitute MyDoom authors, they certainly believe in keeping their code secret, are you comfortable with being tarred with that brush?
            Incidentally in the UK at least, as well as many other countries sending invoices for monies mot owed is a crime and threatening legal action without cause is a crime both here and in the US. Linux and much other free software includes many borrowings from BSD, as did ATT, this was the cause of ATT effectively losing their action against BSD in the early 90s. Borrowing from BSD was expressly permitted by their license.

          • LMAO! Who threatened you? Who implied threats? Who blackmailed you? Who sent you a death threat? Who left dead cats on your front door? Nobody wants to shut you up. You act like there’s an open source mafia holding you over a bridge telling you if you don’t shut up accidents happen. NOBODY CARES. What people do care about is when you lie. The fact that you get so upset when someone says something about you that isn’t true, yet you spout out lies like they are skittles is truly ironic.
            .
            Come back to us when you can _prove_ you’ve been threatened and blackmailed. It’s the internet Ron, if you think the internet is a place where people actually care about you, well maybe you’ve got some growing up to do, boy.

          • Dear Rob,
            I appreciate your article, but would like to make a few points concerning your vision on the audit business. I have first hand experience at undergoing IT audits, and have first hand knowledge of the internal workings of some of the leading Audit companies.
            With or without SOX, the fact is that most of the large Audit companies have divested their "Information Technology" branches over the last couple of years. This has two important effects on your problem: Most auditors don’t know the difference between kazaa and oracle applications. And certainly don’t know if I AM talking about the database or the application when I talk about Oracle. The second point is that the few people these companies have who do know their stuff (or at least some of it) cannot be charged to the customer for a full days work because the customer won’t pay for it. So this usually ends up with a college graduate receiving a list with maybe 5 to 10 questions to take up to the IT department (and get laughed at). Now even if I take this guy seriously and I tell him we are running SAP or oracle applications on an oracle database, we have XYZ backup method, we have abc procedure for ensuring only qualified individuals have access to the erp application, bla bla bla…. he will go out there very happily, and maybe I’ll see him next year with the same list. And all the time, he didn’t bother to ask me if the server was running windows, unix or linux.
            That is the reality, and SOX won’t change that a bit. And please explain to me how this graduate is going to get me fired for not changing the backup tapes according to procedure, when he wouldn’t even recognize a backup tape….
            I wanted to point out one more thing which I find a totally unsatisfactory answer on your part in the discussion above. You claim auditors will be content with software written by a company because you can check the company’s procedures etc. Well if you check Microsoft’s history and procedures concerning security and stability, I cannot see how you can draw any satisfactory conclusions.
            Speaking as a non US citizen, I can only see benefits for non US countries If according to you US companies will need to buy overpriced/underperforming software, just to satisfy SOX. And you wonder why so much IT work is being outsourced…

          • Thanks, I clearly didn’t know about your name. It is used to make fun of Hispanics here in California so if you visit you may want to leave the name at home.

            Your comment on fixing problems hit a nerve, I agree, and I’ll try to focus some space on fixing the problems going forward rather then just calling them out. That is advice I used to give myself, so I find it impossible to argue with.

            People who don’t stand behind what they write aren’t worth anyone’s time, so I appreciate that, and I appreciate your post.

          • [don’t ask how I ended up here again, but here I AM …]
            Jake is my real name (toilet?!), I was a Sergeant in the United States Marine Corps. It’s far more descriptive of me than any other nick-name and easier to type. And I’m paranoid about my personal information so I typically don’t post my last name. Call me a freak.
            It’s true, I’ve never actually been an auditor, but I go through software and process audits about twice a year, for 6 years now (financial industry and all). — Don’t know if you’ll ever see this, so I’ll defer the debate, but I still say you’re calling your _perceptions_ about open source fact, and your perceptions are wrong. If you want to know who wrote something in your code, look at the public mailing list to see who wrote it. Don’t trust it? Take it out. Or use SE Linux (made by the NSA), or another distribution that’s trying for government certifications.
            In short – just because people are adding to Linux every day doesn’t mean your code on your machines is changing every day. You pick when and where to update, and you can audit every bit and byte if you so choose.
            In fact, let’s try this one – Let’s do a security audit on a webserver in your org. You can run a complete linux kernel in under 1.44 mb. A cut down apache can be run in less than 2 mb (or so I once read). Throw on SSH (commercial – 3.5 mb), and you have a webserver serving public pages securely in less than 10 mb. Compare that to IIS running on WinXP and tell me which one would pass an audit faster. Even if you stripped down IIS and XP to bare bones [serving the same locked down function as the linux/apache combo), 10 MB of code (that includes the source code) shouldn’t prove to be too much of a challenge for anyone to audit.
            Now – let’s update that software. A vulnerability is found in the Linux kernel, and at some point is patched. Do a background check on the person who wrote the patch? I think it runs about $500. Can’t verify that person? Hire a security firm to audit the patch and see if anything is wrong (or hire someone to work around it for you). Maybe $2500? $5000? [This is assuming that you NEED the patch at all – if your kernel is that stripped down the chances are prety slim].
            Vulnerability in your windows server is found. Microsoft releases a patch. If you had to audit the people who wrote it, or the patch itself it would cost you too. But if you trust Microsoft, then $0. But you’ll probably have to take all the other patches with it, and strip it down again to keep it secure. The costs would (in my opinion) balance, but even if they didn’t, I’d still trust my 10 mb over the IIS combo. And since most of my audits [not all of them, but most] came out shining, I’ll trust my experience.
            Besides – have a good auditor like Delloite and Touche to guide you in what you failed at matters far FAR more than the software you’re using. I’d go so far as to say it doesn’t matter what you use as long as you do it right. Which to me says that your frantic alarmist hand waving is just you being paranoid – something that usually happens when you’re unprepared.
            Sgt_jake

          • Dear Rob,
            I appreciate your candid response. And I agree that Linux is not the only open source software out there, and neither is Microsoft the only closed source company. But they both serve as recognisable examples.
            I think the whole discussion boils down to perception. The perception that a company is more trustworthy than the open source community. In my opinion the main difference is that you could theoretically (if you had deep pockets) sue the software company, where you would find it hard with the open source community …
            I find it a pity that people trust a legal entity who has some poor guy in a programming sweat shop write code, but not someone who writes code after hours, for free, just because he wants to write the best code…
            I hope you can help start educating people to see the insanity of the situation.

          • Thank-you for your honesty.
            A little flexibility and some suggestions would go a very long way into making your strong positions more acceptable to everyone myself included.
            Have a nice day.

          • hahaha ok, whatever Ron, no one cares anymore. You can live in your little troll world, no one really cares anymore.
            .
            >I don’t believe Linux is worth killing for
            .
            I’ve lived in Albania Ron. I’ve seen people die. Give us an example of this violence you’ve seen up close. If it is something trivial I think you owe a lot of people apologies. Somehow you don’t seem as the type who grew up in a war torn country or in the ghetto’s where you couldn’t go to school without fear of being stabbed. Prove me wrong…

          • OK, so what you are saying is that because you saw death that Linux is worth killing for. What is your point here? That you have seen more violence so it is more acceptable to you?

            Why should you even want to bring this up? I don’t think you have to be confronted with violence at this level to want to avoid it. How much more than 911 or Columbine do any of us really need? If you have been there you would know how painful these memories are, I’m starting to think there are some of you who have "cruelty" as a middle name.

            But, that aside, I watched someone shot and dropped (I’m an ex-cop), have been through advanced weapons training (but never actually had to shoot anyone), was threatened with rape as a child, and had a spear gun pointed at my own midsection by someone clearly prepared to use it. Oh, and I changed careers because of a guy and a shotgun who took exception to something that his wife’s manager’s said to her (I wasn’t the manager, but he couldn’t find that guy so he started figuring any manager would do). Does that qualify, and if not, what would, in your mind qualify me to object to threats of violence or to try to prevent it?

            This is one of the coldest posts I have ever seen.

            Oh, and its Rob, not Ron….

          • >OK, so what you are saying is that because you saw death that Linux is worth killing for.
            .
            Where did I say this? Show me exactly where I said this?
            .
            You’re such a joke. You are an ego manic. Your not important enough for anyone to want to hurt. The ironic thing is, I haven’t seen one post here suggesting anyone would want to hurt you. Not a single one. Yet on the other hand, you have brought up violence many times. And you have also urged posters to reveal personal information about themselves, including their full names. You have hinted that you have weapons training and you were an ex-cop who has been decensitized to death. People who live in glass houses, Ron…

          • For a guy who can’t spell a three letter name you seem to have a lot to say, much of it in questionable taste.

            So basically if you don’t see it in a post it must not exist (email, it does exist).

            You don’t understand that certain posts are blocked.

            You asked me if I had experienced violence first hand, and then you use that experience to conclude "I AM desensitized to death". The inherent cruelty in such a statement is almost beyond belief.

            And yes I do ask people to identify themselves, I find that when people aren’t hiding behind fake names they will behave and further a discussion.

            You can have the final word, I don’t deal with people who aren’t honorable, and you have nothing to be proud of here.

          • There’s no secure system and GNU/Linux is closer to be safe if compared with Windows, so you can’t post "Can the Open Source pass an audit?"… Well… you could, you did it. But Open Source is a valid alternative too. I know who made the linux kernel (Linus B. Torvalds) and I know who packaged my Slackware distribution (Patrick Volkerding) and I know who’s programming my system on GTK+, a creation from the guys of GIMP: See GIMP.org to see who made the libraries. So if you make audits, then you know of GNUmeric… GNUMERIC is far from being a bad open source software, it makes exact matches when you divide 3 by 4, because it doesn’t save "0.75", it saves "3/4". If you don’t get this, well… it can be more precisse than excel and other kller apps. So I decided you to say you’re a simple mortal, as I usually AM , and recognize you were wrong. If I AM … send me a comment and explain me what an audit is…

          • DarkProximity : "There’s no secure system and GNU/Linux is closer to be safe if compared with Windows, so you can’t post "Can the Open Source pass an audit?"
            Says who?
            Where do you get this outlandish idea that somehow Linux is more secure than Windows from?
            Show me your audited facts and figures from an unimpeachable source. ( Hint: Don’t go quoting me the notorious linux liar and bomb thrower David Perens, ok?).
            Nothing could be further from the truth!
            The exact opposite is in fact true.
            Figures from CERT regularly prove that Windows in fact does have far less security break breaches than Linux, despite the fact that there is at least 100 times as many Windows computers out there connected to the internet than Linux computers. The latest figures from <b>mi2g, a UK-based security consultancy, Linux servers were attacked 13,654 times in January, compared with just 2005 attacks for Windows-based servers.!!! </b> (http://www.winnetmag.com/windowspaulthurrott/Article/ArticleID/41813/windowspaulthurrott_41813.html
            )Chew on that one, pal!
            Your cliams simply don’t stand up to scrutiny and your figures just don’t add up.

          • I’m a computing technician and I test computer software, so I have a different vision. Obviously you noticed two things that appear to be opposite. There’s no secure system, as I said, implies that there will always be a form to enter and by definition, Internet was designed to be insecure. If you want maximum security, you just need to disconnect the main computer from the other ones… But if you have a well-configured server, you will not have problems.

            My fundaments to post that Linux is really more secure than Windows are technical, I don’t trust statistics because "statistics are the science that say if you have two cars and I don’t have any, then both of us have one car" and "the researches said that 90% of the statistics are false". So, tell me… can you have viruses on Linux? do you have RPC bugs on Linux? In a good Linux setup, you don’t have those things. Can I check your Linux box? what version of apache are you running? did you know that apache must run DSO mods in /usr/libexec/apache instead of /usr/libexec?.

            In Windows, we have some interesting things: Windows 2000 allows a user to run programs which are not installed. For example: (and just an example because I can’t remember another one) All the users in a computer lab learned that if you have mIRC 32bit on a disk, you can execute it without installing, so you have an excellent tool for chatting that fits on two diskettes. There are two forms to fix it: One, to deny access to the diskette drive (where will the users save their works?). Two, to deny access from the server. Well… The program still has access to be executed on Windows… for all users. Windows Update always carry problems. I think the only GUI Desktop Environment carrying problems with update is Windows, because they don’t use source patches but binary ones. This carry registry problems, security holes, and so… So, can you tell me if "security" exists in Windows? I think it just exists as a word in the Encarta Encyclopedia and in the Micro$oft Office dictionaries

            I need to leave now… then I’ll finish my explanation, ok?

          • Continuing with my idea: GNU/Linux has better features that Windows doesn’t have: a better permissions system, very low cost, compatibility with more hardware (not just x86) and a continue development that makes a solid system. What does Windows have and Linux don’t? Windows is easy to configure (it has less options) and it’s not difficult to work with. But a good configured Linux has less probabilities to be owned by strange hands.

            Ah, and I readed your page: "…coupled with inadequate training and knowledge about how to keep that environment secure when running vulnerable third-party apps…" hmmm… sounds like "I don’t know Linux but I’ll read Linux for Dumbs". There are lots of documents on how to use SSL to transfer data and how to deny access to some users. It all depends on security policies applied.

            Security is not just about preventing hacking attacks. It’s about hacking, stability, virus avoiding, prevention of data losing, etc. And you attack just one of these items.

            A good design of a system doesn’t take a short period of time. But I made some systems running under Linux that passed several security testings without any problem. So, why it can’t pass an audit? Because of the programmers who work on making contributions are "anonymous"? (Miguel de Icaza is the leader of the Gnome Project; Linus B. Torvalds is the Linux hacker; Patrick Volkerding made Slackware Linux.)

            Finally, some open source apps can still not pass an audit. But, in a more technically point of view, Close development is in the same position so don’t try to compare them. It will be always different.

            /* Windows users just use Windows, Linux users are Linux lovers */

  • Given that with Open Source you can *see* the source at least it’s possible to be sure there’s no problem.
    With closed source, you don’t have that right. You have the prime example in SCO. Here’s a company that is trying to sell licenses for GNU/Linux when:
    1) They haven’t proven anything yet.
    2) Outside of the stuff the claim there is other code in Linux as well written by different people, whose copyright they *don’t* control and whose copyright they are violating.
    3) They don’t own the UNIX source, per the agreement with Novell as there was no explicit transfer of copyrights to SCO.
    How can we be sure that a proprietary product doesn’t include unlicensed code? The answer: we can’t.
    So I ask: Can Closed-Source survive an audit?
    I doubt it.
    GJC

  • It must be nice to be a professional troll; ignorance doesn’t matter and may even be an advantage, because ignorant gaffes are effective at provoking response.
    The old notion about monkeys at typewriters had to do with randomness; programmers studying code do not act randomly, and Enderle’s conflation of the two has no purpose save to give him a chance to call OSS programmers monkeys.
    I think the best response is that of Thomas Huxley to "Soapy Sam" Wilberforce: "If, then, the question is put to me would I rather have a miserable ape for a grandfather or a man highly endowed by nature and possessed of great means of influence and yet who employs these faculties and that influence for the mere purpose of introducing ridicule into a grave scientific discussion, I unhesitatingly affirm my preference for the ape."
    I note also that Enderle is ignorant of a basic notion of security that goes back to the nineteenth century and Auguste Kerckhoffs. Kerckhoffs wrote in the context of cryptology, but today it would likely be expressed as "’security through obscurity’ doesn’t work."

  • Oh Rob, you’re such a card! No sentient being on the planet is going to be swayed by your 2 watt sophistry. No one ever needed MS code to wreak havoc previously, as recent events clearly illustrate. I’m sure the DOD is just mortified that they didn’t consult you before deploying Linux! For more on Rant for Rent Rob, read:
    http://daringfireball.net/2003/12/enderle

  • One thousand monkeys given enough time and an endless typewriter ribbon end up writing Shakespeare’s plays… probably the best piece of literature written in the history of mankind.
    The column I’ve just read can be probably achieved using just eleven monkeys and forteen minutes, or so…
    Regards,

  • A Monkey Ron!!??
    You’re comparing the thousands of programmers that donate hundreds of thousands of man hours to making sure Linux code is good, solid and secure Monkeys!!!???
    Seriously, I expect an apology from this.
    Oh and by the way Ron, all the Audit models and standards you talk about have management softwares stamped and approved for them that run on…guess what…LINUX.
    Now how is that possible…there must be a mistake somewhere.

  • A quick perusal of the Sarbanes-Oxley Act reveals no obvious references to requirements for computer software; rather, the term "audit" in that act is quite narrowly defined to include auditing of financial statements. You fail to make any connection between the legislation and your scenario of code audits.
    Furthermore, could you provide something more specific than, "…amazingly enough, the open-source community, which waxed eloquent on why the exposure of Microsoft code to the Web was a disaster for the company" when trying to make your point? The open-source community is quite diverse, and I would argue that there is no clear single viewpoint coming from the community as a whole on the matter of the code leak.
    <<<Remember that the open-source community uses the thousands-of-monkeys method to ensure security. This method hearkens back to the college theory about a thousand monkeys who — if given all eternity and endless typewriter ribbon — eventually type out the complete works of Shakespeare..>>>
    You disgrace yourself with statements like that, Rob. But let’s take this apart for a moment. What method is taken by closed-source, proprietary vendors to ensure security? What assurance does anyone outside those companies really have that the software they’re buying is secure? What steps can I, as a customer of Microsoft, for instance, take to ensure that Windows Advanced Server 2003 isn’t susceptible to buffer overflow exploits in any area? And to bring it all home, if Sarbanes-Oxley requirements (I’m suspending disbelief here) mandate code reviews for open-source software, what of closed-source software used? It gets a free pass because someone decided that Microsoft is one of the good guys?
    You’ve really failed to make a convincing argument in this viewpoint column, in my never-to-be-humble opinion. You have succeeded, however, in stringing together quite a lot of inflammatory half-truths which bear all the earmarks of flamebait: vague innuendo, definitions taken out of context and literally _no_ specific quotations supporting your thesis. But I suppose that’s why it’s labeled "Viewpoint" rather than "Latest News".
    NOTE TO MODERATORS: this board tool needs work! I have never had trouble separating paragraphs in other discussion forums like here!

  • REPOST FROM a Yahoo! message board:
    <<I’ve been getting e-mail from CIOs that indicates they are increasingly becoming aware that open-source software might not pass any security audits designed to comply with Sarbanes-Oxley.>>
    If such emails exist, it testifies as to how misinformed many of your readers must be by now. Informatica’s PowerCenter is a $200,000 Sarbanes-Oxley compliance tool which runs on Linux. Proofpoint’s email filtering tool was designed in part for Sarbanes-Oxley compliance, and runs only on open source operating systems. Proofpoint was founded by the former CTO of Netscape, who one would expect to have some idea of CIO concerns. Documentum’s ECM, a major compliance tool, will run on Red Hat. The InterIM messaging product, designed for HIPAA and Sarbanes-Oxley security compliance, runs only on Linux. The list of such products go on and on. If Linux inherently violates Sarbanes-Oxley, why are so many compliance packages written for it?
    No mention of the HIPAA privacy rule deadline, which was the 14th, and which is in conflict with many Microsoft EULAs?
    It honestly AM azes me that you still present yourself as a journalist.

  • > The open-source advocates have been able to maintain the thousand-monkey argument
    Rob,
    Come on. You really expect folks to believe that you are unbiased? That you really don’t hold a special little grudge against those who dare disagree that there might be something other that MS?
    Your argument pre-supposes that those eyes must be completely ignorant of the value or utility of what they are seeing. You therefore must think that there are less folks available in the world who can program in Visual Basic than there are directly employed by Microsoft and dedicated to hacking Windows.
    The fact that outsiders *can* see and use and audit the code is completely independant of whether they *will*.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels