
posted by janrinok on Thursday May 17 2018, @08:38PM
from the it-wasn't-me dept.

There's a minor media dust-up over which is worse, Open-source vulnerabilities, or Poor Enterprise IT Security?

On Tuesday, 15 May, ZDNet quoted from a Black Duck study and opined that the problem was the "Open-source vulnerabilities", posting an article entitled Open-source vulnerabilities plague enterprise codebase systems.

Vulnerabilities including the bug reportedly responsible for Equifax's data breach are still common elements of open-source systems used in the enterprise... the nature of open-source projects means that as developers are giving away their time for free, sometimes, bugs may escape the net and cause chaos...

Wednesday, May 16th, TechRepublic answered with Enterprise IT shouldn't blame open source for their own poor security practices:

Even if we set aside the fact that Black Duck sells tools and services to root open source out of your enterprise... Open source vulnerabilities will often get disclosed earlier than those in managed software [and] it's up to IT to apply the patches.

In other words, open source developers are doing their best to write good software, publish notices when bugs are found, and then fix those bugs. What the open source world cannot do, however, is fix inept IT practices. Despite the headlines, it's not the open source world's problem that so many want to use the software but can't be bothered to apply updates.

Is the problem more one, or the other, or both? Or is it the insistence on calling free software "Open Source," referring to just one freedom of many?


  • (Score: 4, Insightful) by Anonymous Coward on Thursday May 17 2018, @09:11PM (2 children)

    by Anonymous Coward on Thursday May 17 2018, @09:11PM (#680889)

    Kinda like asking which is larger, blue or potatoes.

    • (Score: -1, Offtopic) by Anonymous Coward on Thursday May 17 2018, @09:44PM (1 child)

      by Anonymous Coward on Thursday May 17 2018, @09:44PM (#680904)


      • (Score: 2) by Sourcery42 on Friday May 18 2018, @04:30PM

        by Sourcery42 (6400) on Friday May 18 2018, @04:30PM (#681236)

        If you are unfortunate enough to come across this shit, don't mod it troll or offtopic. Mod it spam so it gets dealt with appropriately.

  • (Score: 1) by suburbanitemediocrity on Thursday May 17 2018, @09:21PM (7 children)

    by suburbanitemediocrity (6844) on Thursday May 17 2018, @09:21PM (#680891)

    much?

    • (Score: 5, Insightful) by aristarchus on Thursday May 17 2018, @09:37PM (6 children)

      by aristarchus (2645) on Thursday May 17 2018, @09:37PM (#680901) Journal

      What's worse? False equivalencies, or commercial interest funded journalism?

      • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @09:46PM

        by Anonymous Coward on Thursday May 17 2018, @09:46PM (#680905)

These days they are one and the same usually. So both?

      • (Score: 1, Informative) by Anonymous Coward on Friday May 18 2018, @07:45AM

        by Anonymous Coward on Friday May 18 2018, @07:45AM (#681062)

        You are missing the point - how much did Equifax contribute to the Open Source world?

        And how much did they take from it by their utterly evil business practices damaging OSS developers?

Equifax are spawn of the devil, and richly deserve a stake through the heart. The fact that this did not happen is evidence that the governments involved are completely corrupt. There is a complete failure of the system of government in almost all known countries. This is a much bigger problem than a few bugs in some old software.

Forget OSS - concentrate on your local "elected" "representative" - "debug" him/her (possibly with sharks and lasers?).

      • (Score: 1, Informative) by Anonymous Coward on Friday May 18 2018, @07:55AM (2 children)

        by Anonymous Coward on Friday May 18 2018, @07:55AM (#681066)

Yeah. We've mentioned that source of FUD before.
        S/N latecomer requerdanos (5997) must have missed it.

        2014 [soylentnews.org]
        Black Duck Software, Inc. [techrights.org] is an anti-FOSS operation.
        Any time you see that (one-man) operation "advocating" for FOSS, you have to ask "What is the ulterior motive?"
        Mostly, that M$ proxy** [google.com] is just involved in Openwashing. [google.com]

        2017 [soylentnews.org]
        Black Duck is Microsofties[1] whose business model is to convince you that FOSS is insecure and that, if you're going to run it, you need their whiz-bang closed-source software.

        ...in contrast to the M$ infection of the month^W week^W day and the backdoors in M$ stuff that Redmond has handed over to the NSA.
        (as an occult part of the settlement of the USA vs M$ court case??)

Roy Schestowitz and his crew at TechRights are constantly busting Black Duck for one scam or another.
        ...as well as the "journalists" who reprint Black Duck's M$-friendly/FOSS-hostile claims without vetting those.

        [1] Almost said former Microsofties, but there's no such thing.

        ** It's been a while since I last saw Roy bust Black Duck.
        I hadn't gotten to Roy's quasi-daily news digest today, but, sure enough, he's all over this. [googleusercontent.com] (orig) [techrights.org]
        It's in the page title and 3 items under the subheading Pseudo-Open Source (Openwashing), in turn under the heading Free Software/Open Source.

        -- OriginalOwner_ [soylentnews.org]

        • (Score: 2) by aristarchus on Friday May 18 2018, @08:15AM (1 child)

          by aristarchus (2645) on Friday May 18 2018, @08:15AM (#681074) Journal

          Well done, gw_eg! Now is there any chance that we could have our eds trained in the fine art of detecting Micro$oft shill submissions, and not accepting them? They seem to be quite adept at rejecting aristarchus submissions, so a mere substitution of the triggering stimulus should be sufficient. Unless they are actually getting paid?

          • (Score: 0) by Anonymous Coward on Friday May 18 2018, @09:03AM

            by Anonymous Coward on Friday May 18 2018, @09:03AM (#681087)

Hmmm. You have been digging through my archives.

Dr. Roy (years before he got his PhD in Computer Science) had a page he called The Free Software Credibility Index on his site, which was then called BoycottNovell.
            My bookmark was so ancient that when I created it, hyphens still worked with wildcards 100 percent in Google cache URLs.

            Re-did those 2 things but I'm not getting the URL of the cached page to resolve for me.
            Maybe it's just a crap server near me that hasn't updated and you'll have better luck.[1]
            cache [googleusercontent.com] (orig) [techrights.org]

            Again: Only an example of what is needed; horribly out of date.
            (I see dead people['s names].)

            [1] Used to be able to put 1 of Google's several numerical domains in the URL to bypass that sort of crap. No mas.

            -- OriginalOwner_ [soylentnews.org]

      • (Score: 0) by Anonymous Coward on Friday May 18 2018, @08:16AM

        by Anonymous Coward on Friday May 18 2018, @08:16AM (#681075)

        I even have a boilerplate bookmark I'll share with folks to avoid the smeghead stenographers (definitely NOT journalists) at zdnet who reprint this crap.

        The S/N comments engine is STILL broken WRT UTF8-ized quote marks in hyperlinks, so you'll have to copy&paste.
        google.com/search?q=site:zdnet.com/article/enterprise-codebases-plagued+"By.*.*.for.*.May"
        (Charlie Osborne in this case.)

        -- OriginalOwner_ [soylentnews.org]

  • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @10:22PM (1 child)

    by Anonymous Coward on Thursday May 17 2018, @10:22PM (#680913)

    What's worse? Poor enterprise security. Why? Because any shop with poor security does not necessarily run any open source software (with or without vulnerabilities).

    Now, trying to equate the two is simply ridiculous. Anyone trying to undermine the open source community can try to taint it with a comparison to something as notoriously insufficient as enterprise security ... but just because they ask this type of question doesn't mean the two are in the same ballpark, or area code, or even time zone.

    • (Score: 5, Insightful) by tftp on Friday May 18 2018, @12:32AM

      by tftp (806) on Friday May 18 2018, @12:32AM (#680944) Homepage

      Shops with poor security are more likely to run closed source software because they use sysadmins who are among the least enlightened ones. Those sysadmins, often doing part-time IT, look for easy solutions. They put the dvd in, answer a few very simple questions, verify that they paid the money - and then they are free to go. Anything happens, like an update to sharepoint that kills sharepoint - your problem, as that update has to be installed under the beat of a different tambourine. The Autoconfiguration of Exchange dies - your problem, as there are 277 different solutions that worked for different people (including complete reinstall.) The security log? Always full of garbage about something (sharepoint search service fails to start - what now?) The best practices analyzer? Often unhappy. For that reason inattentive sysadmins easily install the system and equally easily forget it while it works. Patches can break it, as they did so for me, and I paid dearly with my time trying to keep this pile of rotten bits running.

      Shops that use F/OSS employ sysadmins that know a bit more and can look deeper. Usually they are not one of the engineers who happens to know how to boot from a DVD, but someone trained and assigned to do the IT. They have time and knowledge to track bugs and deploy needed patches onto all relevant computers. Unsurprisingly, they achieve better results than amateurs. The complexity of configuring open source s/w (see Bacula, for example) filters away those who seek solutions that are easy, shiny, and just a bit wrong.

  • (Score: 3, Insightful) by stretch611 on Thursday May 17 2018, @10:36PM (2 children)

    by stretch611 (6199) on Thursday May 17 2018, @10:36PM (#680921)

    The real issue is poor IT security... hands down.

    Open Source software does have its vulnerabilities and zero day attacks. You are blind if you believe otherwise. Of course, they get patched and fixes are created. Even if the original developer is no longer around, being open source means that someone else can come around and fix the problem.

Then again, you are just as blind if you think that closed source software is free from the same vulnerabilities. However, unlike open source, only the owners of the source code can do anything about it.

    But the real problem is poor IT. After all, it doesn't matter if the faulty software gets patched or not, if your IT department is too inept to check for regular updates or too inept to actually apply the updates.

--
Now with 5 covid vaccine shots/boosters altering my DNA :P

• (Score: 3, Insightful) by Immerman on Thursday May 17 2018, @11:47PM

      by Immerman (3985) on Thursday May 17 2018, @11:47PM (#680935)

      Or too inept to implement decades-old "best practice" procedures, so that they leave open gaping security holes which could easily be closed just by changing a setting somewhere.

      And that's before we even get into the "in house" software, which is notoriously vulnerable even in security companies that should REALLY know better.

    • (Score: 0) by Anonymous Coward on Friday May 18 2018, @02:58AM

      by Anonymous Coward on Friday May 18 2018, @02:58AM (#680980)

      Or too hamstrung by their "customers" that necessary updates and fixes cannot be done until next Thanksgiving Day and after 10 change control meetings have been called.

  • (Score: 4, Interesting) by krishnoid on Thursday May 17 2018, @10:49PM

    by krishnoid (1156) on Thursday May 17 2018, @10:49PM (#680923)

    What the open source world cannot do, however, is fix inept IT practices.

    It wouldn't be completely 'open source' any more, but ...

Clause 5: Since LICENSEE is provided source code to SOFTWARE, it is LICENSEE's responsibility to audit, review, and modify it to produce the desired operation. Hence, in the interest of keeping SOFTWARE out of the latest news cycle, we reserve the right, upon vote of two-thirds of the registered copyright holders in SOFTWARE, to revoke LICENSEE's right to operate SOFTWARE should it be publicly implicated in a security breach or other internal process failure.

  • (Score: 3, Insightful) by Arik on Thursday May 17 2018, @11:28PM (1 child)

by Arik (4543) on Thursday May 17 2018, @11:28PM (#680930) Journal

Even worse is the insecure architecture all of this is being built on.

In a way it makes perfect sense to do everything as cheaply and quickly as possible with no real attention to security. When the infrastructure you rely on is inherently insecure, trying to bolt security on as an afterthought is so ineffective it's probably not worth your time.
--
If laughter is the best medicine, who are the best doctors?

• (Score: 0) by Anonymous Coward on Friday May 18 2018, @03:03AM

      by Anonymous Coward on Friday May 18 2018, @03:03AM (#680985)

Why pay attention to security? At worst, you have to buy some people "identity theft protection." Only rapist incels care about security.

  • (Score: 3, Insightful) by Booga1 on Friday May 18 2018, @12:46AM

    by Booga1 (6333) on Friday May 18 2018, @12:46AM (#680946)

    The premise is flawed as a comparison as many have already pointed out. You could rewrite it as:

Vulnerabilities caused by the IT decisions reportedly responsible for the Home Depot data breach are still common elements of security practices used in the enterprise... the nature of enterprise employment means that since developers are busy with the latest performance reviews, time spent fixing security issues is neglected until systems are breached and cause chaos...

  • (Score: 3, Insightful) by ElizabethGreene on Friday May 18 2018, @04:58AM

    by ElizabethGreene (6748) on Friday May 18 2018, @04:58AM (#681011)

    Poor Enterprise IT Security, hands-down no questions asked is absolutely /the/ problem. You can incompetently administer any system, Open or Closed source.

  • (Score: 1, Insightful) by Anonymous Coward on Friday May 18 2018, @07:20AM

    by Anonymous Coward on Friday May 18 2018, @07:20AM (#681054)

    Did I understand the question correctly?

    Paraphrased: What's worse, software that gets fixed quickly or admins that fail to install the updates?

    Is that what they are asking?

  • (Score: 0) by Anonymous Coward on Friday May 18 2018, @01:51PM

    by Anonymous Coward on Friday May 18 2018, @01:51PM (#681155)

    if you use closed source programs and you generate code or data that is worth x$ then indirectly the company/entity making the closed source program has value >=x$ just because your data can be held hostage at any time (by not supporting it in the future or not bug fixing).

in the case of open source programs, your valuable data is harder to be held hostage, because you could finance/sponsor a newborn human to study computer programming and then let "it" study the open source to rescue your data ... or such.

    thus the correct spelling remains m$
