For years the argument has raged over which is more secure, Open or Closed Source. Microsoft has taken, and still takes, a beating over this. The truth, though, is a different thing.
We have all heard of Heartbleed by now. The two-year-old security hole in OpenSSL has been all over the news. In the same stretch of news, a hole in the much loved Chrome browser that lets a website turn on your microphone and record what you are saying was announced. That is another bug that had been around for a while (August 2013). Meanwhile, the hated entity known as Microsoft has been pretty much unaffected by these issues. Maybe it is time to drop our preconceived, ancient notions about security in the Open vs. Closed Source world.
The argument, from what I have heard and can tell, has been that Open Source is more secure because more eyes are looking at it. The code is open and out there, so people can find the issues faster, and with the collaborative nature of Open Source, they will be patched faster. The truth of the matter, as the past week has shown, is that this is not always the case: security holes can slip past this set of checks and balances just as they can in any Closed Source system. The surprising thing is how long it took to find Heartbleed. One would think, with all those eyes on the code, that it would have been found much sooner. Of course this has led to theories that the bug was an NSA backdoor. True or not, the code was out there for everyone to see the whole time.
Chrome is a slightly different issue (and note that Chrome itself is Google's proprietary build of the open-source Chromium project, so it is not a clean test case for either side). Here is a bug that was found over six months ago and still hasn't been patched. It was brought to Google's attention and they sat on it. Could this be another NSA (or insert your favorite government agency here) backdoor? A way to spy on you without a warrant? We will never know for sure, but it does expose one major hole: our thinking about Open Source and security is not completely correct. It is not the be-all and end-all.
What has been lost in all this is that Microsoft, whose Closed Source SSL/TLS implementation (SChannel) does not share OpenSSL's code, has been free and clear of the Heartbleed problem. Microsoft was at one time awful at security. In this day and age, though, it has gotten a lot better. It is responsive to holes, and its out-of-band patches and workarounds for zero-days arrive quite speedily. In fact, the biggest security holes on Microsoft systems are usually third-party plugins: Java and/or Flash. Flash is still Closed Source, while Java has had an open-source reference implementation (OpenJDK) for years. Java is also embedded very deep in the web (and is easily confused with JavaScript: run NoScript at its tightest level and see how many websites break or complain that scripting is turned off; most of those complaints are about JavaScript, which is a different thing from Java, but NoScript blocks the Java plugin as well). Yet through all of this, Microsoft is the one that still takes the blame, especially in the public's eye. That is because we, the ones in the know, have done little to re-educate the public, and ourselves.
Do not get me wrong. I have nothing but love for the Open Source community. Collaborative efforts are awesome, and the community puts out some fantastic software, and alternatives to Closed Source (and overpriced) programs. It just has to be recognized that Open Source is not inherently more secure than Closed Source. In the end it is all about the eyes on the code and the people actually looking for the holes. Remember, security is a process, not a destination.
People who work in the IT field know about upgrading and updating computer equipment. SMB owners... not so much.
I've had a couple of interesting experiences recently with clients. I was busy trying to tell them that Windows XP was no longer going to be supported and that they should get new PCs. One client also wanted pricing for upgrading their current Core 2 Duo PCs. We got them quotes for both, showing a difference of $800 total between upgrading multiple PCs and just getting new ones. Now we wait to see if they make the right choice.
The other client flat out told me that his server and PCs should last them 10-15 years. Nothing I said changed that idea in his mind. I fear for this client, as they have already been hacked (see my previous post about that), and of course they are setting themselves up for more pain like that.
I let my clients know that every 3-5 years they should be getting new computer equipment. Not only will they get faster machines with newer OSes that should be more secure, but their efficiency will be as good if not better, and they will have machines that are back under warranty. Now, I understand that in a world where big-ticket purchases do tend to last a long time (cars, TVs, appliances, etc.), they feel it should be the same way with computers. Add to that the fact that leasing the equipment doesn't make a lot of sense financially either. So what is one to do, outside of explaining the reality of the situation to them?
First off, set a hard date for when you will stop supporting the older OSes, and let your clients know that date. This not only gives them a solid time frame in which to make the changes, but puts the pressure on them.
Second, explain how moving to newer equipment makes sense. Touch on the speed of the new machines, security, warranties, and the fact that the competition won't wait for them to catch up.
Finally, let them know that the cost of keeping the old equipment running is not worth it. In the long run they save more by staying current with their equipment, especially as parts become rare.
There is no way to force a company to purchase newer equipment. The bottom line in all of this is to get the higher-ups to understand that old equipment hurts the company in the long run. Hopefully they are willing to listen to you; after all, they brought you on as the expert.
The DMCA (Digital Millennium Copyright Act) is a powerful tool for copyright holders. Takedown notices get served to many websites daily to remove infringing items, yet many are false positives. Will the DMCA harm cloud computing? I think it's a good possibility.
I recently read an interesting article in SC Magazine about a security researcher who had her MediaFire account suspended for 36 hours because of a DMCA notification. The supposedly infringing files had been on the account for years and were malware samples that she and others had researched or were researching. There is also the case of speeches from the recent political conventions being taken down from YouTube because of automated filters meant to pre-empt DMCA takedown notices. The false positives reported by the news outlets are a small portion of what is actually out there, but they tend to make big news.
So what does all this have to do with killing the cloud? Quite a lot. If the filters and DMCA searches are conducted in a way that breeds false positives, such as matching only on file names and sizes, then what is to prevent a DMCA notice, and a fight, over a company's private files that happen to share a name with another company's files? Better yet, what if something is named too similarly to something from the entertainment industry? Take a presentation that uses music: there is a DMCA takedown notice right there if a file scanner digs into it, or if you leave the name of the song in the filename.
The point is that all these notices can make people gun-shy about moving to, or even using, the cloud. Copyright is needed, yet its longevity has been blown way out of proportion. Life of the author plus 70 years (the current term in the US) is way too long, considering that copyright was meant to foster innovation, not to let someone sit back on their laurels. Now we see that it can affect researchers who are turning to the cloud to help analyze the contents of a file. This can affect not only the infosec field but other areas such as medical and other scientific research. All this because one is guilty until proven innocent. It can and will affect the future in more ways than we can see at this time.