I recently bumped into an article written by Steve Smith, MD of IT security firm Pentura. After reading only the first paragraph, I had already come to the conclusion that either Mr. Smith is clueless or is purposely disseminating falsehoods about OSS security. The rest of the article is an abomination peppered with inaccuracies and complete rubbish. The real kicker is that this article was hosted by the British Chartered Institute for IT (BCS) in its ITnow magazine. It’s quite strange for a supposedly decent industry body to associate itself with such trash, but looking through the comments from BCS members, it’s quite apparent that the BCS is no longer the body it used to be.
Let’s first take a look at the BCS’s “about” statement:
BCS, The Chartered Institute for IT, promotes wider social and economic progress through the advancement of information technology science and practice.
How does one ‘promote wider social and economic progress’ by writing ineffectual articles like this one? Surely incorrectly disparaging OSS security (as Steve appears to have done – I actually still don’t understand the point of this article) does nothing to further the BCS’s agenda. Unless there is an ulterior motive here. It’s well known that FOSS software is a driver for economic and social progress – just look at its use in third-world countries and the benefits it brings to those areas of the globe. Does Steve really think that Rwanda, for example, can afford Microsoft’s software? And if they can’t, should they just forgo the ability to take part in the wider global Internet and computing culture? Of course not; FOSS gives everyone an equal footing! Anyone can, using FOSS, do anything others do with proprietary software. And oftentimes more.
These FOSS users don’t have to spend a fortune on third-party software to try to secure their systems from security-poor proprietary products, nor are they at the mercy of these vendors’ belated security patches that don’t even address all the issues on that platform.
Second, let’s take a quick look at some of Steve’s statements:
Experts do not agree about open source security in terms of whether there is an advantage or disadvantage to its use in the business world.
Er, yes they do, Steve; any security expert worth their salt knows that OSS has the lead over proprietary software in terms of security – have you not read the code quality reports coming from Coverity and others?
By its very nature, open source applications expose the source code used to write programs to examination by everyone, both attackers and defenders. Experts argue that keeping the source code closed provides an additional layer of security through obscurity.
They do? Where are these experts that you’ve consulted, Steve? Come on, Steve, the security-by-obscurity view was debunked and floored years ago.
Although Microsoft has become very efficient and transparent with their security vulnerabilities, this still leaves a window of opportunity for anyone who has discovered a security flaw prior to a patch being issued to exploit the vulnerability.
That’s a joke or sarcasm, I presume? Do you call it efficient when Windows users wait months and sometimes years for patches to security issues? Is Microsoft being transparent when it doesn’t respond to notifications of security issues in its software?
And so it goes on …
What’s quite interesting is that Luke Leighton’s critical (yet entirely valid) response in the comments section was watered down to a serious degree – BCS, are we no longer adults who can decide for ourselves? What’s with the censorship? BCS says in response to the editing:
BCS is absolutely against censorship, but as a professional organisation we have a responsibility to remove expletives, profanity and any comment which could potentially be construed as libellous from our site.
What? Huh? You’re not serious …
Luke’s complete response is available on the Advogato site. I leave you to make up your own mind, but I’m sure you’ll come to many of Luke’s conclusions. And mine. Steve, are you in the employ of Microsoft? Or are you just plain ignorant about OSS security?