In case you live on the moon, what happened last week was that a small amount of Microsoft source code was leaked to the Web. Microsoft eventually confirmed the leak, but that hasn't stopped the barrage of commentary from the open-source community, which waxed eloquent on why the exposure of Microsoft code to the Web was a disaster for the company. But that leak has also generated concern about the very openness of open-source software. I've been getting e-mail from CIOs that indicates they are increasingly becoming aware that open-source software might not pass any security audits designed to comply with Sarbanes-Oxley.
Just a quick note.
Do a search for rob enderle on Google.
First 2 things that come up are sites flaming enderle for his lack of knowledge and his bad journalism. His own company site comes in third...
Does that tell you anything about the relevancy of what he says or thinks?
Nothing much I can do about this, the first site is a guy that didn’t like my suggesting that Apple might move to x86 (remember NEXT was x86) and pointed out correctly that while I did call the smaller iPod right, I didn’t know that Hitachi had dropped their drive prices by a whopping 50% and so guessed wrong on the drive inside. Regardless, I missed on that part. I remain a big fan of the mini-iPod.
The other site, which is getting really old, is by a guy that just took a dislike to me years ago (evidently a reporter called me on a topic instead of him and he has had it in for me ever since). Nothing I can do about that, but his company does the Blog package that Google uses and his stuff tends to percolate to the top as a result.
Getting attacked goes with this job, I’ve kind of gotten used to it.
Given that with Open Source you can *see* the source at least it's possible to be sure there's no problem.
With closed source, you don't have that right. You have the prime example in SCO. Here's a company that is trying to sell licenses for GNU/Linux when:
1) They haven't proven anything yet.
2) Outside of the stuff they claim, there is other code in Linux as well, written by different people, whose copyright they *don't* control and whose copyright they are violating.
3) They don't own the UNIX source, per the agreement with Novell as there was no explicit transfer of copyrights to SCO.
How can we be sure that a proprietary product doesn't include unlicensed code? The answer: we can't.
So I ask: Can Closed-Source survive an audit?
I doubt it.
This is off topic. The topic is financial audits, and this is just misdirection. This poster hasn’t even defined what kind of audit he is talking about. Kind of makes you wonder what else he or she (where do these names come from?) doesn’t know. But this has nothing to do with this column.
1) "a source-code leak generates a huge amount of discussion about why source code on the Internet is a bad thing."
Actually, the discussion is about why a _source code leak_ is a bad thing, not whether or not source code _on the 'net_ is a bad thing. The danger is in whether or not your trade secrets, methods or code can be stolen or used by competitors as much as it is about your code getting exploited by unscrupulous crackers. For the Open Source community, those 'trade secrets', 'methods' and 'code' are explicitly allowed to be used (although not stolen), so the only danger is having it exploited. This brings us to where your opinion falls flat:
2) "Remember that the open-source community uses the thousands-of-monkeys method to ensure security".
Ignore the inferred insult in this statement and take it at face value, and let us see if it works. You stated "…a small amount of Microsoft source code was leaked to the web", yet less than 24 hours later one of those 'thousands-of-monkeys' found a vulnerability. It would seem, Rob, that a single monkey banged his keyboard for a few hours, and helped Microsoft find a mal-formed sentence that creates a vulnerability (I guess Shakespeare they are not).
3) "If there is even a chance that someone who has not been properly qualified touched a financial application or the platform on which that application resides, IT will fail the audit."
Really, the entire audit argument is fallacious, but I'll play along - You'll of course fail if someone is not qualified to touch a financial application or platform, because you've failed the physical or network security requirements for the audit - NOT because the person who _wrote_ the application is suspect. Furthermore, a financial audit is not a software audit - the methods may be the same, but the requirements are not.
4) "You had to ensure that no one who wasn't approved at the proper level touched anything that impacted a critical piece of corporate IP or had even a glancing relationship with financial reporting."
Interesting point, but deeply flawed and puts Microsoft in a poor position - if you were a financial services company and ran your application on Windows software, would your audit include checks on everyone who ever had access to the Microsoft campus or servers, whether they be employees or not? Even so, since Microsoft's code has been leaked, wouldn't you fail any audit by default for using Microsoft software that has now been 'touched' by people not 'approved at the proper level'? How would this be different from RedHat? IBM? Anyone else using Linux?
5) "I would have had a field day with open-source software, where patches are often received or discussed with outside entities who actually could work for foreign governments or competitors, where collaboration could easily be reinterpreted as collusion, and where the very mention of the thousands of people looking at a product would result in a front-page comment in an unsatisfactory audit."
I'm sure you would, but you'd still be wrong, and biased. Patches are audited by the 'thousand-monkeys' as they come in, even by Americans, and if that patch doesn't have a name on it it will likely be discarded before it's even considered. You could suggest that it might hint at collusion, but since collusion by definition is a "secret agreement between two or more parties for a fraudulent, illegal or deceitful purpose", and Open Source is done in public, that would seem to be a pretty stupid suggestion. How would one 'collude' on a patch if a thousand monkeys were watching?
In short Rob, this was a fine bit of "'coulda' woulda' shoulda'", but your suggestions and conclusions are based entirely on personal bias, not personal experience. And what I find amusing is that you've entirely avoided the comments made by analysts like yourself, who addressed the leaked code instead of the 'advocacy group' you fingered as having made a monumental blunder by scoffing at that leaked code:
"It's sad that it was released, and it's sad it was written so [badly] from a security standpoint" -- Forrester Research's Director Michael Rasmussen.
While most of this shows no experience or knowledge of audit whatsoever, I’ll address this on a point by point basis (kind of hard to take someone called Sgt. Jake seriously):
1) The reason I said this was a bad thing was it was shifting resources which appeared to be targeted primarily at financial practices to IT audit before CIOs had thought through the related exposure. It isn’t that the leak was a bad thing, but that the Open Source community made the related exposure to their own platforms more visible.
2) I didn’t make up the saying and there was no intent to imply that Open Source programmers were monkeys. The fact that a vulnerability was found is good, but has nothing to do with the point being made. This is simply misdirection.
3) By properly qualified I meant that their identity was known (employees of a providing company are generally accepted as a group). The issue here is how do you ensure that someone in accounting is not improperly accessing the system as part of a process that may be occurring over the internet. There is no trust relationship with Linux, and unless you are operating under something like the indemnification agreement from HP my belief is that you are exposed to audit.
4) This is simply a restatement of point #3, and would have the same response. As an auditor you may accept a vendor at face value, though I do know of some (government) that will go in and look at the vendor’s practices. The belief is you can, so often this is not done.
5) All of this would have to be fully documented and proven. Just your saying it would make no difference to the auditor. You would have to show that these people are who they say they are and that there is no reasonable way they could be anyone who would be blocked by policy from this access. This just shows that you have no audit experience.
According to linuxinsider board rules, personal attacks are not allowed.
>kind of hard to take someone called Sgt. Jake seriously
If that's not a personal attack I don't know what is. Almost every single one of my posts gets edited. How can crap like this make it to the board? I swear, I think the editors of the stories screen the posts for their own stories. Rob is such a hypocrite. Complaining that everyone attacks him blah blah blah, yet he's the first to dish out a personal insult.
How can I take someone with a name like Rob seriously?
I guess this would be true if that were his or her real name and I knew that. This just looks like another fake name to me and “Jake” is one of the names that are used to describe a toilet. If it is the guy's real name I apologize; he wrote me and I got the sense that this wasn’t his real name, but I could be wrong.
[don't ask how I ended up here again, but here I am...]
Jake is my real name (toilet?!), I was a Sergeant in the United States Marine Corps. It's far more descriptive of me than any other nick-name and easier to type. And I'm paranoid about my personal information so I typically don't post my last name. Call me a freak.
It's true, I've never actually been an auditor, but I go through software and process audits about twice a year, for 6 years now (financial industry and all). -- Don't know if you'll ever see this, so I'll defer the debate, but I still say you're calling your _perceptions_ about open source fact, and your perceptions are wrong. If you want to know who wrote something in your code, look at the public mailing list to see who wrote it. Don't trust it? Take it out. Or use SE Linux (made by the NSA), or another distribution that's trying for government certifications.
In short - just because people are adding to Linux every day doesn't mean your code on your machines is changing every day. You pick when and where to update, and you can audit every bit and byte if you so choose.
In fact, let's try this one - Let's do a security audit on a webserver in your org. You can run a complete linux kernel in under 1.44 mb. A cut down apache can be run in less than 2 mb (or so I once read). Throw on SSH (commercial - 3.5 mb), and you have a webserver serving public pages securely in less than 10 mb. Compare that to IIS running on WinXP and tell me which one would pass an audit faster. Even if you stripped down IIS and XP to bare bones [serving the same locked down function as the linux/apache combo], 10 MB of code (that includes the source code) shouldn't prove to be too much of a challenge for anyone to audit.
Now - let's update that software. A vulnerability is found in the Linux kernel, and at some point is patched. Do a background check on the person who wrote the patch? I think it runs about $500. Can't verify that person? Hire a security firm to audit the patch and see if anything is wrong (or hire someone to work around it for you). Maybe $2500? $5000? [This is assuming that you NEED the patch at all - if your kernel is that stripped down the chances are pretty slim].
Vulnerability in your windows server is found. Microsoft releases a patch. If you had to audit the people who wrote it, or the patch itself it would cost you too. But if you trust Microsoft, then $0. But you'll probably have to take all the other patches with it, and strip it down again to keep it secure. The costs would (in my opinion) balance, but even if they didn't, I'd still trust my 10 mb over the IIS combo. And since most of my audits [not all of them, but most] came out shining, I'll trust my experience.
Besides - having a good auditor like Deloitte and Touche to guide you in what you failed at matters far FAR more than the software you're using. I'd go so far as to say it doesn't matter what you use as long as you do it right. Which to me says that your frantic alarmist hand waving is just you being paranoid - something that usually happens when you're unprepared.
It must be nice to be a professional troll; ignorance doesn't matter and may even be an advantage, because ignorant gaffes are effective at provoking response.
The old notion about monkeys at typewriters had to do with randomness; programmers studying code do not act randomly, and Enderle's conflation of the two has no purpose save to give him a chance to call OSS programmers monkeys.
I think the best response is that of Thomas Huxley to "Soapy Sam" Wilberforce: "If, then, the question is put to me would I rather have a miserable ape for a grandfather or a man highly endowed by nature and possessed of great means of influence and yet who employs these faculties and that influence for the mere purpose of introducing ridicule into a grave scientific discussion, I unhesitatingly affirm my preference for the ape."
I note also that Enderle is ignorant of a basic notion of security that goes back to the nineteenth century and Auguste Kerckhoffs. Kerckhoffs wrote in the context of cryptology, but today it would likely be expressed as "'security through obscurity' doesn't work."
Oh Rob, you're such a card! No sentient being on the planet is going to be swayed by your 2 watt sophistry. No one ever needed MS code to wreak havoc previously, as recent events clearly illustrate. I'm sure the DOD is just mortified that they didn't consult you before deploying Linux! For more on Rant for Rent Rob, read:
One thousand monkeys given enough time and an endless typewriter ribbon end up writing Shakespeare's plays... probably the best piece of literature written in the history of mankind.
The column I've just read can probably be achieved using just eleven monkeys and fourteen minutes, or so...
A Monkey Ron!!??
You're comparing the thousands of programmers that donate hundreds of thousands of man hours to making sure Linux code is good, solid and secure Monkeys!!!???
Seriously, I expect an apology from this.
Oh and by the way Ron, all the Audit models and standards you talk about have management software stamped and approved for them that runs on...guess what...LINUX.
Now how is that possible...there must be a mistake somewhere.
A quick perusal of the Sarbanes-Oxley Act reveals no obvious references to requirements for computer software; rather, the term "audit" in that act is quite narrowly defined to include auditing of financial statements. You fail to make any connection between the legislation and your scenario of code audits.
Furthermore, could you provide something more specific than, "...amazingly enough, the open-source community, which waxed eloquent on why the exposure of Microsoft code to the Web was a disaster for the company" when trying to make your point? The open-source community is quite diverse, and I would argue that there is no clear single viewpoint coming from the community as a whole on the matter of the code leak.
<<<Remember that the open-source community uses the thousands-of-monkeys method to ensure security. This method hearkens back to the college theory about a thousand monkeys who -- if given all eternity and endless typewriter ribbon -- eventually type out the complete works of Shakespeare.>>>
You disgrace yourself with statements like that, Rob. But let's take this apart for a moment. What method is taken by closed-source, proprietary vendors to ensure security? What assurance does anyone outside those companies really have that the software they're buying is secure? What steps can I, as a customer of Microsoft, for instance, take to ensure that Windows Advanced Server 2003 isn't susceptible to buffer overflow exploits in any area? And to bring it all home, if Sarbanes-Oxley requirements (I'm suspending disbelief here) mandate code reviews for open-source software, what of closed-source software used? It gets a free pass because someone decided that Microsoft is one of the good guys?
You've really failed to make a convincing argument in this viewpoint column, in my never-to-be-humble opinion. You have succeeded, however, in stringing together quite a lot of inflammatory half-truths which bear all the earmarks of flamebait: vague innuendo, definitions taken out of context and literally _no_ specific quotations supporting your thesis. But I suppose that's why it's labeled "Viewpoint" rather than "Latest News".
NOTE TO MODERATORS: this board tool needs work! I have never had trouble separating paragraphs in other discussion forums like here!
So, you glanced at Sarbanes-Oxley and concluded there are no IT sections. This tells me you have never actually been through an audit or understand the process. What Sarbanes-Oxley has done is given Internal Audit a blank check; my point was that, as far as I can tell, Open Source (well mostly Linux) was likely safe initially because much of the hiring that was going on, at least initially, was financial in nature. IT was coming, but it wasn’t a priority. However, the visibility (granted from my perspective) now being given this issue is changing the hiring practice. An IT Internal Auditor has to assure that all aspects of the financial reporting structure are secure. The concern is less about theft, though that is a concern, than it is about financial irregularities. So security has to be something that can be shown to be either adequate or, if not adequate, accepted by the appropriate signature authority. (For instance there are rules surrounding what level of executive is required to approve a risk and, often, what department they must reside in). Typically one of the things you can get fired on the spot for is significantly violating this signature authority.
Now, I want to point out that much of my thought process actually came from a conversation I had with the IBM folks on the Trusted Computing Group board. What they told me led me to conclude that Linux would not pass an IBM internal audit because the patch process was not trusted. Now audit just needs to be able to maintain an argument that something can happen; they don’t have to prove it did happen. This is because their role is to prevent problems; they are not a replacement for law enforcement. Another way of saying this is, during an Audit you must prove yourself innocent (you actually have the burden of proof).
So, everyone that accesses a financial system must be documented and have the appropriate authority for what it is they are doing. The system must be secure, not from viruses (that could be part of a compliance audit but not a financial one), but from manipulation (granted a virus could open a back door, I’m just pointing out that it’s the back door not the virus at issue). That manipulation could be from a competitor (make them look better), an employee (increase stock value), or an investor (there is a widely held belief that organized crime manipulates stock prices).
One of the things the system must show is that at no time could a programmer and a data entry employee be the same person. But, under the “everyone looks at Linux” rule, how do you ensure that someone working on a patch isn’t someone who actually has data entry responsibility? I mean email@example.com who just helped you fix a systems bug could, in fact, be Phil in accounting. We won’t go into the practices associated with sharing code out of the company to address problems, but those that have been through audits will realize that I’m just at the tip of this iceberg.
Linux grew at a time when audit, particularly IT audit, was in sharp decline; that situation has suddenly changed and my view is that there are a large number of CIOs who are in for a very rude awakening in the next few months. But this is simply a heads up: if you have thought through this, or if most of your financial systems are on AIX, HP-UX or Solaris, you may be OK (though I would certainly suggest you do some audit readiness work even then). If not, it's your job; you make your own choices.
You actually make yourself look more and more ridiculous as you go on. Every argument you apply could happen with closed source and you wouldn't know. The ONLY difference with open source is that you can know you pass or fail. If you are saying that all you have to do to pass an audit is say "I have checked all I can and it is OK" then the best way to pass an audit is to hire an external company to do it all for you. Of course they could rob you blind and leave you destitute, but well audited.
Open source contributions are PUBLIC; since they are public you know who made them, therefore you know if they are data entry staff. You do not know that your chief clerk's husband, sister, bookmaker or lover isn't in charge of patching WinXP or 2003 server edition. Therefore according to your theory you cannot possibly pass an audit.
There is no point whatsoever applying an argument to open source software and ignoring it for closed source.
It may have come to your attention that all the financial institutions lock their doors with locks of known design. I doubt their security auditors would be overly happy if they said "we can't tell you what sort of locks they are, it's a secret but the supplier says they are pretty good". Especially when the newspapers are full of reports of break-ins at banks with the same locks.
If a company takes the financial auditing seriously they can appoint an auditor to check the whole of the open source software to ensure there is no back door; can they do that if they use Windows?
By this I can tell you have never actually been audited. You would know the reasons why this doesn’t happen to proprietary products otherwise. Audit programs were initially created in the 70s and 80s when mainframes were king and IBM embodied security (not that they don’t today, no slam intended). The security we are talking about is security over the financial information, not the security over the code itself. What you need to assure is that no one that has access to any of the control points in a system is the same as a person who has access to the data in the system. While a Microsoft employee could be moonlighting in accounting, it is incredibly unlikely. But what are the chances that “beaner” who is working with you on a system patch, is really “Bob” in accounting? All the guy would have to do is create a name and be aware of a problem (and most problems transcend departments) to bypass what might otherwise be an acceptably secure system.
Remember, as an auditor I don’t have to prove anything I just have to show that it is reasonably possible that something can happen and my audience is the board and the CFO both of which are non-technical and probably not Open Source advocates.
Your last comments confirm you don’t understand how audit works. A known lock design, in a security audit, would be either blanket accepted or not depending on vulnerabilities, but if you developed your own lock from scratch that would have to be reviewed and approved at a very granular level. It is the way the process works and it favors proprietary offerings because it allows a proprietary offering to be signed off on as a package. When you break the package up, using your own teams, or outside teams, each aspect must be reviewed for adequacy. This is simply the way it is done.
It amazes me how many people posting have no idea whatsoever how an audit is done. It really showcases how poorly funded these efforts have been over the last few years and makes you wonder what the auditors will find once they ramp up.
Rob, you say "While a Microsoft employee could be moonlighting in accounting, it is incredibly unlikely"
And you also say "Remember, as an auditor I don’t have to prove anything I just have to show that it is reasonably possible that something can happen"
So by your own reasoning Closed Source software is just as likely to fail to an audit as Open Source software.
How do you know who the employees of the company which has written a crucial part of your accounting software are? Do you know whether the work was done by employees of that company or outsourced elsewhere? Do you know whether this company is incorporating portions of free code (i.e. not GPL'd Open Source Code) and whether they are also including any patches for those parts from 3rd parties?
Certainly it is remotely possible that an accounting package could have been written by the guy in accounting who placed a back door in it. It is also incredibly unlikely.
Why? Because he is only one person and the odds of him being in your company are very small. But in Open Source, a guy in accounting could present himself as an expert on line and find his way into the process after the fact. Also, typically, an accounting package is out of scope, while an accounting employee is not. This is just practical, audit teams are small and have a lot of ground to cover going in and reviewing every package, beyond making sure that the person who approved the package did so properly, is just not practical.
So while you may be right that it is remotely possible, kind of in line with your being able to flap your arms fast enough to fly, for an audit proprietary software is generally accepted if the purchase was at arms length.
You see, to survive an audit you kind of need to know what is tested and what isn’t. Traditionally proprietary software gets a pass, custom software (and Open Source falls in this group) needs a deeper review and, based on posts like this one, I expect it would fail almost immediately if this person is representative of the thought process in your shop.
You miss the point that, yes, although it IS possible that Bob from accounting could possibly be the guy that writes a patch, it IS more than unlikely because a person good enough at programming to create patches for Linux is more likely to work in programming than he is to work in accounting.
You are also missing the fact that the contributors' identities are known and made public. How easy would it be to verify the ID of all the contributors against, say, a database of company employees...Not very difficult.
And you are also missing the fact that, just because Bob in accounting made a patch, the code of the patch and the code of the application can be verified for any so called security breach.
You're just plain wrong and I suspect that whoever you were talking to that gave you the idea for this piece probably mentioned a possible worst case scenario, and you ran with it...anything to discredit OSS.
So, you are saying, that in your company anyone that contributes to the OSS package you are using is run against the employee database? Wow, I don’t believe you, but that doesn’t matter; if you are doing this you are likely better off than most. Be aware, in cases like this, it would be unusual for the contributor to really use their real name but, if they weren’t, it probably wouldn’t be caught in an audit.
The fact that you were checking all of the names of OSS contributors against the database; that would impress me as an auditor (assuming you actually did it that is….).
Actually once again you are simply wrong, secret source programmers are usually rather more geographically concentrated than open source. Thus if you live in a closed source town you are much more likely to be connected to a closed source programmer than you are to an open source one. Further it will be much easier for the closed source programming team to collude amongst themselves since they probably share an office, go to the pub together after work etc..
Any worthwhile auditor will know that open source software is in general much more secure than secret source rivals; this isn't conjecture or hypothesis but simple fact. Check the number of commercial computers sending spam to your mailbox because someone inserted a backdoor into them in January.
I have as it happens been involved in financial, software and safety audits. In all of them the computer systems have been noted and in none of them has the programming philosophy been questioned. It is of course noteworthy that the recent strengthening of US auditing practice has been occasioned because well paid, well qualified, well respected employees of companies that kept their methods secret conspired together to defraud people who had no way of checking what they were doing. It would seem to me that any auditor would be better employed worrying about that route. You also imply that Open Source software is akin to something one assembles oneself; however this is emphatically not the case, most open source packages are backed by large companies who are as likely to be trusted as any closed source company.
Remember an auditor is employed to protect you, not to make your life difficult. What a good auditor would say about any software package he did not understand is "Bloggs accountmate is being used in the toggleflogetting department, we are not acquainted with this package and suggest you check its provenance." They should also, as a matter of routine, state "We were unable to check if all computers used within this department had had all security patches applied promptly, we also suggest the IT department subscribe to a security information service"; what they are extremely unlikely to do is say "This software is open source so it's insecure" because to do so would leave them open to action for slandering the software's supplier.
It would of course greatly help auditors if some reputable technological journal ran a security comparison of financial software security across all platforms. I hope if they do so they will join Microsoft's shared source scheme and review the code revealed to them; they would have to note any sections which did not contain the author's name and position in the company, and especially note the many incorporated sections of external code. Including of course any open source code they re-use.
Parts of this are accurate, an Open Source package accepted as a whole from a third party company would likely be signed off on as well. And, this writer, actually seems to have been through an audit. However, there is no likelihood that an auditor would ever actually review source (unless they are one heck of a lot better funded than I think) they simply would point to the exposure and, traditionally, a proprietary company’s products are out of scope and blanket approved. (A security audit might, and clearly should, call out known exposures as this writer pointed out).
Overall, though, this is still off point. My point was that until this big jump on Microsoft IT audit was still approaching the problem traditionally, they weren’t considering Open Source in a different class and weren’t even staffing up for it. My sense is that has changed, so the audits that “cricketjeff” refers to will likely be done differently now.
You will note, throughout his post, he makes broad claims that may not be supported. “Most Open Source Packages are backed by large companies” my belief is that, by number, most packages actually come from smaller firms (simply because there are more of them), but it is a belief neither of us has presented proof. Much of what surrounds Open Source are beliefs, folks telling other folks the way of the world. Audit does not give someone a pass just because they heard it from someone else.
Regardless of what I, or “Cricketjeff” say, if you haven’t done an audit assessment in awhile (Open Source or not) you should. If you are in a public company, Audit is coming and they are pissed.
I think Rob has gotten to the point of comical. He is like Tim Mullen in that he can't just let people be happy using open source. Almost everyone who uses open source _chooses_ to do so. This is not the case with Windows. He likes to use a lot of "what ifs". What if this happened, or this happened, or this happened. Open Source has benefits right now. And it will most definitely have benefits in the future. Apache is the most widely used web server; shouldn't we see a million and one exploits for it? We don't though. That seems a bit paradoxical. What Rob also leaves out is the fact most exploits found for Windows are NOT found by Microsoft. They are found by independent researchers such as Eeye. I think Rob is cute. He's like a little kid. When he's losing an argument he gets all flustered and throws in "I know you are but what am I?"
It's kinda funny that every time I post something about Rob being fired from IBM it gets edited. In fact, this has to be at least the 5th time my posts have been edited because I mentioned he was fired from IBM. I wonder why? I mean it is true. He was fired from IBM. Subsequent to that, he started his business there and became vengeful toward them. I wonder if he edits these posts himself. (btw, I'll be amazed if this post ever makes it.)
[MODERATOR'S NOTE: We edit posts that are off-topic. Unverified personal attacks about an individual rather than his or her ideas are a direct violation of our terms of service for posting to our discussion boards.]
From Rob Enderle:
One of the things that troubles me a great deal about the Open Source movement is the tendency for character assassination. If you say something they don't like they will fabricate stories about you that are virtually impossible to disprove. One of the reasons that, here in the US, the legal system puts the burden of proof on the prosecution is that it is almost impossible to prove a negative. Had I been fired from IBM I could prove that, I'd likely still have the termination letter, but since I resigned (actually starting at Dataquest the Monday after my last day at IBM) there is no termination letter and, unlike the military, IBM doesn't issue an "honorably discharged" paper.
This is the kind of thing that thugs do, they use blackmail to force the outcome they want, and in this case, the threat is clear: "Stop saying the things you are saying or we will find a way to destroy you".
I find it fascinating that an organization can be this disingenuous, for, while these Open Source advocates seem to advocate "freedom" what they actually do is use force to ensure that the only freedom you have is the freedom to agree with them, making another word more appropriate.
So much like this group says of SCO, if I was fired, where is the proof? If you know who fired me you should be able to name names and a termination letter would exist. Since I wasn't and it doesn't, this is a lie that proves you to not only be no better than you allege SCO to be, but arguably worse because they actually do have evidence and, apparently, are telling the truth. (Doesn't mean they will win, but it does suggest you are worse than you allege them to be).
I have been and continue to be a member of the IBM advisory council; it would seem strange that someone that was fired as these thugs and liars allege would be retained in this way. I suppose I should be thankful that so far the threats of violence have been just that, as they clearly are executing on their threats of character assassination.
Why is it so much worse for the Open Source movement to indulge in character assassination than for the closed source? This is an article in which you label open source programmers as monkeys and then you get upset if people attack you!
Personally I do not approve of abuse of any kind, and would tend to ignore anyone who indulges in it. However, your highly provocative and utterly misguided piece is given a prominence it doesn't deserve, making it hard to ignore.
Of course much open source software can survive an audit; being open source, it gets audited all day every day. It isn't written by everyone adding code willy-nilly but by people submitting code that is reviewed and discussed (often for far longer than is desirable for those wanting a new feature) and then carefully inserted by the package maintainer, who is not a hidden company flunky but a publicly available individual who answers to his peers for the quality of the code.
NO closed source software can survive an audit. This is by definition. If it is closed source YOU CANNOT AUDIT IT. (I apologise for shouting but your polemic has got under my skin)
This simple truth completely negates your whole article. If, and it seems more than a little unlikely, US accounting rules require a company to do a full software audit on all their systems, open source, or better still free software, is the only choice open to them.
There is no way for you to find out who wrote your MicroSoft software, nor any way for you, as a law abiding citizen, to check its quality. However the bad guys almost certainly have all the code, either by reverse engineering or by hacking in and pinching it; bad guys do these sorts of things you know. I cannot think of a single example of MicroSoft closing a software hole before it was pointed out to them by an external agency; if their code were open to audit they would have to find faults themselves and patch them or lose all credibility.
Surely it is not asking too much that you should think about what you write?
hehehehe See Rob, we can get under your skin too ;)
Who cares if you were fired from IBM or not Ron. Do you sincerely believe that you speak the unbiased truth?
I mean seriously. It's all lies. If I wanted to and if I had the time, I could get documented proof that claims exactly the opposite of what you say. What is the OSS community supposed to do when it gets blatant obvious lies thrown at it? Tell you you did a good job and keep it up?
I agree that personal attacks and threats are out of line, but what the hell do you expect? You provoke people and people respond. Cause and effect Ron. You throw the ball, don't expect at least SOME people to try and hit it right at you.
Me personally, I don't blame you for writing this stuff. If it's what you really think then what the hell, you're entitled to your opinion just like everybody else. I rather blame the editors for not doing their jobs and publishing borderline slanderous garbage...
Have a nice day.
While I have to wonder about someone who can’t even spell my name correctly (I mean it is three letters, how hard could it be), let me try to address this.
The fundamental argument being made is that if I am going to say things the community disagrees with then I deserve whatever happens to me. If it isn’t their version of the truth, then the personal attacks are my fault and all I have to do to stop the attacks is change my views. Or, from my perspective, if I will just lie, or in this case, cover up an exposure that I think exists, then my personal pain will go away.
There is a name for this and I think that more effectively says what the community is becoming than I ever could.
"The fundamental argument being made is that if I am going to say things the community disagrees with then I deserve whatever happens to me"
And once again, you're completely wrong. I didn't say you deserved anything. You can reread my statement if you want. The word "deserve" does NOT appear anywhere.
What I wrote was, you have to expect it. You know? Expect, as in "regard something as probable or likely".
If I remember correctly, I've never called you names, except maybe liar... hmmm okay, sorry about that, I'll restrain myself in the future...
I've never made threats or even insinuated that other people should or even said you deserved anything. Don't play the victim with me sir. I'm not anti M$ or corporate or anything. And I'm not a fanatic defender of OSS. Hell I'm not a fanatic anything. But I strongly disagree with what you say, and since I have been given a forum to voice it, why the hell not...
Sorry, I read this differently. Why should I “expect” to be attacked? Don’t get me wrong, you are right. People have gone out of their way to attack me, but why should I “expect” it? What about Linux attracts people who behave this way? But I disagree, “expect” used in this way implies a threat, as in “if you disagree with me you should ‘expect’ to be attacked”.
By the way, you do know “beaner” here in California is a racial slur, right? I’m not Hispanic, but, if this isn’t your name, I would hope you might consider another. Not a slam, just a comment; you may be from another part of the world and this could, in fact, be your name.
Okay, I'll address the spelling cheap shot by asking you to personally write a 200 word text in French (my native tongue) without any help from friends or a dictionary. And then we'll see who can make more fun of whose grammar in their second language.
And I'm sorry if I hurt your ego. It's just that you really don't ever propose any solutions, do you? You throw an argument out there, you stand behind it, you'll even argue with people who disagree, but solutions, workarounds? Nope.
Nada. That's just the way it is.
People and systems are much more flexible than that. A failed audit doesn't mean you trash what you got and start over. It doesn't mean you close the shop either.
It means the auditor gives you a list of exactly why you fail and if he's any good, he also gives you a list of corrections. You get to do the work, make the corrections and your next audit passes.
And that's something you fail to mention.
You’re kidding; you’re going to argue that in France you can’t tell the difference between Rob and Ron. I accept it was a mistake but pulling the “I speak two languages” card is overkill. Of course, I’m lucky to get English right most of the time, so you have my admiration for even being able to do this.
You make an excellent point though. As an Auditor I used to hate my peers who would simply go in, shoot the poor ducks in the barrel and leave without any consideration for the fact that most of the problems were probably due to the fact the organization being audited hadn’t been given the resources to do the job right. It was incredibly sad.
When I joined, my team worked 6-day weeks with 14-hour days (and a half day on Sunday); our mission was not only to find the problems but to help fix them. (One of the first things I did when I took over field management was cut down on the hours and find ways for the team to have fun; my view is you simply cannot do a quality job if you kill your people months on end).
But we always tried to make sure blame went where it belonged, if corporate was at fault then corporate got the hit (though I often was overruled on this one aspect).
I’ve been kind of on a personal mission to show that I can’t be blackmailed into changing a position (the threats have upset me at a very deep level). I think I’ve made that point and it is time to be more measured. So, going forward I will, in fact, try to take your advice and provide more of the other side and, at the very least, make suggestions on how to address the problems I raise.
Thanks for pointing this out.
Thank-you for your honesty.
A little flexibility and some suggestions would go a very long way into making your strong positions more acceptable to everyone myself included.
Have a nice day.
"The community" has never insulted you, unless you wish to be considered as part of the same community as Darl McBride and similar. Some people have, and when they do so they are wrong and very likely to be condemned by other members of the open source community.
However I haven't seen any closed source advocates complain about your insulting open source developers; does this mean all closed source developers are tarred by the same brush you apply to their open source brethren?
I never said a thing about “being insulted”; someone lied about my job history who clearly has no knowledge whatsoever of it. However, it is the implied threat that I take objection to; this community too often takes the view that anyone who disagrees with them is fair game for anything including threats of violence. I take broad exception to that.
There was no intention on my part to insult anyone with this column. The “1000 monkeys” was not intended to be literal; the reference just seemed to be appropriate because of the numbers. Some of my best friends are monkeys and I would never insult them in this way. (Now that is an insult, but just by example, and intended to be humorous).
To be pedantic it is hard to both lie and know nothing, but we will let that pass since I hold no candle for anyone making personal accusations. I have no knowledge of any threats of violence from any member of the open source community against you or any other person and I would certainly take exception to any such threats, and even stronger exception to any actual violence.
I also take exception to your making broad characterisations of this community in this way. There is currently a scurrilous attempt from SCO to charge companies for other people's work, but by and large this does not result in open source supporting journalists calling this an attack by secret source companies; it is called an attack by SCO. MicroSoft is peddling a batch of reports it commissioned as a truth campaign, but again this is characterised as an action by MicroSoft, not by all supporters of their coding philosophy.
If the threats you object to are in the nature of rather loose use of language it will be hard for you to complain about them as you very loosely insult others and wave that off not with an apology but with a repetition.
Your analogy is, as you well know, utterly bogus. Open source developers are not illiterate primates randomly striking keys, nor are many secret source programmes comparable to Hamlet in their execution. It may be more accurate to compare the open source process with a thousand technical journalists and their editors producing a Times editorial. I hope you believe that with 999 of your colleagues and a good system of peer review you could achieve that.
Your arguments are, in my opinion, rather silly anyway; they are not helped by denigration of opponents.
Incidentally you may feel that I am writing this as a biased member of the open source lobby, and it is true that I do use open source software, and largely support the methodology and am probably biased too; however I am also "the inventor" on several dozen patents and patent applications and have contributed many times more lines to commercial secret source code than to any open source projects. I just feel the need to see some rather more balanced and thoughtful reporting of the issues involved.
To be accurate if you lie about what you do know it is still lying. He represented that he knew I had been fired. That is a lie, he doesn’t know, and I know this because I wasn’t fired.
SCO really isn’t part of this discussion, but realize there are a lot of firms who make money off of other folks' work. If you don’t like that, move to another country where that isn’t true; oh wait, there is no such place. You didn’t write UNIX or Linux, and many of the underlying ideas owe their roots back to MVS and VM folks who have long been forgotten. SCO bought something; they have the right to defend what they bought. As I’m constantly reminded, a lot of folks died for those rights and it isn’t up to you, your “community”, or me to deny them these rights. It may turn out they didn’t acquire what they think they did. In this country you are entitled to your day in court. They can also bill anybody they want, and you can refuse to pay those bills. Frankly, when I had the Client/Server software service for Dataquest it was common knowledge that Linux borrowed heavily from UNIX; the BSD folks used to point this out as a potential future problem. I’m guessing a lot of people have shorter memories than I do.
The “1000 monkeys analogy” is used for a number of things, to my recollection this is the first time I’ve seen anyone try to argue that the “monkey” part was the main message. If you want to take offense there is nothing I can do to prevent that, it wasn’t intended to be read that way. The intent was to say that in audit the number of reviewers makes no difference if none of them are approved or can be documented as actually having done the review. More important it flags what is a significant financial audit exposure, it doesn’t mitigate it. It does, once again, show you have never actually been anywhere near an audit like this.
Once again, the threats I object to are nothing more than blackmail and showcase what appears to be a widespread belief with any group like this, that people who disagree are not entitled to the same rights as people who agree. And I, and I would hope most US citizens, would take offense to that.
Finally, if you are so well thought of, why don’t you use your own name? For a community that is so pro “open” why so many fake names, what is it you are hiding?
LMAO! Who threatened you? Who implied threats? Who blackmailed you? Who sent you a death threat? Who left dead cats on your front door? Nobody wants to shut you up. You act like there's an open source mafia holding you over a bridge telling you if you don't shut up accidents happen. NOBODY CARES. What people do care about is when you lie. The fact that you get so upset when someone says something about you that isn't true, yet you spout out lies like they are skittles is truly ironic.
Come back to us when you can _prove_ you've been threatened and blackmailed. It's the internet Ron, if you think the internet is a place where people actually care about you, well maybe you've got some growing up to do, boy.
I’m sorry, and you know this how?
Gosh do you think for a moment these folks are using their own names?
How would I prove this to you? How would you know I didn’t make up the letters? I mean your community wouldn’t believe that SCO had a DOS attack, they hired a college to prove it, they did, and the college had a DOS attack for doing it. Do you think that was a coincidence?
Really, what point would it serve for me to lie about this?
However, I don’t think I’m actually at risk. I think someone at SCO will likely be physically attacked first and my hope is that if enough of us point this out that outcome can be avoided. Of course, I also hope that if I am the first in line, that outcome can be avoided as well.
While I do believe that freedom of speech is worth dying for, I don’t believe Linux is worth killing for. I’ve seen too much violence up close and personal for trivial reasons and honestly believe that we will shortly see someone cross that line. My honest hope is it can be prevented.
hahaha ok, whatever Ron, no one cares anymore. You can live in your little troll world, no one really cares anymore.
>I don't believe Linux is worth killing for
I've lived in Albania Ron. I've seen people die. Give us an example of this violence you've seen up close. If it is something trivial I think you owe a lot of people apologies. Somehow you don't seem like the type who grew up in a war torn country or in the ghettos where you couldn't go to school without fear of being stabbed. Prove me wrong...
OK, so what you are saying is that because you saw death that Linux is worth killing for. What is your point here? That you have seen more violence so it is more acceptable to you?
Why should you even want to bring this up? I don't think you have to be confronted with violence at this level to want to avoid it. How much more than 9/11 or Columbine do any of us really need? If you have been there you would know how painful these memories are; I'm starting to think there are some of you who have "cruelty" as a middle name.
But, that aside, I watched someone shot and dropped (I'm an ex-cop), have been through advanced weapons training (but never actually had to shoot anyone), was threatened with rape as a child, and had a spear gun pointed at my own midsection by someone clearly prepared to use it. Oh, and I changed careers because of a guy and a shotgun who took exception to something that his wife's manager said to her (I wasn't the manager, but he couldn't find that guy so he started figuring any manager would do). Does that qualify, and if not, what would, in your mind, qualify me to object to threats of violence or to try to prevent it?
This is one of the coldest posts I have ever seen.
Oh, and it's Rob, not Ron....
>OK, so what you are saying is that because you saw death that Linux is worth killing for.
Where did I say this? Show me exactly where I said this?
You're such a joke. You are an egomaniac. You're not important enough for anyone to want to hurt. The ironic thing is, I haven't seen one post here suggesting anyone would want to hurt you. Not a single one. Yet on the other hand, you have brought up violence many times. And you have also urged posters to reveal personal information about themselves, including their full names. You have hinted that you have weapons training and you were an ex-cop who has been desensitized to death. People who live in glass houses, Ron...
For a guy who can't spell a three letter name you seem to have a lot to say, much of it in questionable taste.
So basically if you don't see it in a post it must not exist (email, it does exist).
You don't understand that certain posts are blocked.
You asked me if I had experienced violence first hand, and then you use that experience to conclude "I am desensitized to death". The inherent cruelty in such a statement is almost beyond belief.
And yes I do ask people to identify themselves, I find that when people aren't hiding behind fake names they will behave and further a discussion.
You can have the final word, I don't deal with people who aren't honorable, and you have nothing to be proud of here.
I do not hide at all, I use the name cricketjeff on all websites simply because my surname is Green and there is far too often a Jeff Green registered there when I join and remembering which places I am JeffGreen and which I am some other combination is too much effort. If you do a search for Jeff Green and Cricket on any decent search engine you would find plenty of links to my email address.
I have been involved both in this type of audit and many others and can only say that the auditors involved (from several of the world's largest accountancy groups) have never had any problem with open source software, and I can see no reason why they would. Their concern is with the security of the process; they would look to see that it was supplied by a reputable organisation, and Red Hat, IBM or even Debian would meet that requirement, and that my process for using it was properly documented and the documentation adhered to. Maybe you have only been audited by small firms with little experience or training.
Although I have no problem with anyone defending their property, this is not what SCO group are doing; however this wasn't my point. It was to point out that you may not wish to be associated with every secret source advocate because of the actions of a few. If you prefer I will substitute MyDoom authors; they certainly believe in keeping their code secret. Are you comfortable with being tarred with that brush?
Incidentally, in the UK at least, as well as many other countries, sending invoices for monies not owed is a crime, and threatening legal action without cause is a crime both here and in the US. Linux and much other free software includes many borrowings from BSD, as did ATT; this was the cause of ATT effectively losing their action against BSD in the early 90s. Borrowing from BSD was expressly permitted by their license.
This explains a lot, you are talking external audit, as in the kind that didn’t catch Enron or Worldcom. I’m talking Internal Audit and it is a completely different beast. Internal Audit’s mission is to catch problems before External Audit does, it is vastly more invasive and focuses on internal controls to a much higher degree. It also focuses on the protection of intellectual property, something that the external teams do very seldom. It is an organization that has been crippled over the last two decades due to very bad executive decisions. These decisions were just reversed.
There is a world of difference between an Internal Audit team (that is well staffed and funded) and an external team. The time spent, the granularity of the review, and departmental risk is vastly higher with an Internal Audit.
Sorry about the name, no way for me to tell even if you are the same “cricketjeff” you say. It seems, and this is a personal observation, that for a group that uses the word “Open” there are a lot of folks who aren’t “Open” about who they are. Present company being an exception. There are so many kids on the forums it is becoming very hard to tell who is real and who isn’t.
REPOST FROM a Yahoo! message board:
<<I've been getting e-mail from CIOs that indicates they are increasingly becoming aware that open-source software might not pass any security audits designed to comply with Sarbanes-Oxley.>>
If such emails exist, it testifies as to how misinformed many of your readers must be by now. Informatica's PowerCenter is a $200,000 Sarbanes-Oxley compliance tool which runs on Linux. Proofpoint's email filtering tool was designed in part for Sarbanes-Oxley compliance, and runs only on open source operating systems. Proofpoint was founded by the former CTO of Netscape, who one would expect to have some idea of CIO concerns. Documentum's ECM, a major compliance tool, will run on Red Hat. The InterIM messaging product, designed for HIPAA and Sarbanes-Oxley security compliance, runs only on Linux. The list of such products goes on and on. If Linux inherently violates Sarbanes-Oxley, why are so many compliance packages written for it?
No mention of the HIPAA privacy rule deadline, which was the 14th, and which is in conflict with many Microsoft EULAs?
It honestly amazes me that you still present yourself as a journalist.
OK, when have you ever heard of a compliance package ever being audited? The audit process generally doesn’t look at the package, any more than if you use Quicken to do your taxes does an IRS auditor look at Quicken. These packages can run on Linux because, typically, they would be outside of the scope of the audit. They are to point to problems and are not, typically, a direct part of the financial paper trail that creates the numbers being audited. Many of these packages run on Windows 9x as well, and I’m not aware of any large corporation who runs their financial systems on Windows 9x.
There is a fundamental assumption that is being made about what I’m saying that is untrue. I’m not saying that, therefore, you need to switch to Windows to run your financial services. I am saying that if your systems are on UNIX (which is where most are) you probably should leave them there. But, wherever they are, you are not going to get a free pass from audit if you “believe” your systems are secure; you will need to prove it with solid documentation, rhetoric doesn’t cut it. If you are using Linux from HP and in compliance with their indemnification program, you may, in fact, be able to do that (you’ll still have to do the documentation), but if you are not (and couldn’t show documentation of a similar trust relationship for patches and updates), and were I running the audit, you likely would fail.
Corporate information security is not only about technical improvements or administrative processes. One has to also reach a level of assurance that is acceptable in terms of business goals and IS policies. To gain any assurance at all one simply has to audit things somehow.
An auditor's job is to check that written corporate policies, procedures and standards are followed.
If the corporate policies include some technical requirements the auditor surely will see to it that things happen accordingly.
The lesson here is that one shouldn't mix auditing and assurance with technical details like closed source vs. open source discussion. Most important is to choose wisely *what* to audit and *how* the audits are performed (audit subjects and methodology).
> The open-source advocates have been able to maintain the thousand-monkey argument
Come on. You really expect folks to believe that you are unbiased? That you really don't hold a special little grudge against those who dare disagree that there might be something other that MS?
Your argument pre-supposes that those eyes must be completely ignorant of the value or utility of what they are seeing. You therefore must think that there are fewer folks available in the world who can program in Visual Basic than there are directly employed by Microsoft and dedicated to hacking Windows.
The fact that outsiders *can* see and use and audit the code is completely independent of whether they *will*.
Actually I said nothing of the kind. In an Audit the organization being audited has the burden of proof. Just looking at these posts, how do you know who any of these people are? For all we know this could be a group of Chinese government employees, organized crime crackers, or a group of rogue investors who plan to use the Open Source exploits to pump the financials for the companies they invest in. All doubtful, but how would you show that none of this could happen?
Auditors tend to be very literal; if you can’t prove it, it doesn’t exist, and simply looking at some of these names would suggest that there is an identity problem. I mean, I operate under my own name; why do you and others feel the need to hide yours? I never suggested that anyone was ignorant, though not being able to see that a lot of Linux came from UNIX does suggest that many of these eyes are closed, but Open.
Let me ask you this, I operate under my own name and stand behind what I say. Most of the folks posting do not, why is that? What is it you don’t want us to know?
I also wonder how many people read posts by people named “beaner”, “shadow255”, or “threeface” and wonder what qualifications they have to even comment. If you don’t know who someone is how can you trust what they say? Yet, people likely take code from similar entities without question. And this does speak to the core of the exposure, most failed audits result because the organization being audited simply does not understand what an audit is for, or how the process works. They assume they will pass and the result is never pretty.
My name is Patrick Lefebvre.
I use Beaner as a handle because it's been my nickname for roughly 10 years. It's a very rough English translation of my last name.
I'm a systems administrator and an electronics technician. I've been in this business professionally for about 8 years but I did own my first computer in 1981, a TRS 80 from RadioShack. That I used to program in Basic.
I'm from Montreal and am French Canadian.
I've spent pretty much all my "career" as a consultant working for either Pharmaceutical, Financial or biotech research companies. I use a lot more Microsoft products in my everyday life, but I've also been a Linux user since 1997.
To you, maybe that makes me unqualified to argue or comment on anything you say. Maybe, even if I've been through financial IT audits, or have had to certify software for FDA compliance (CFR Part 11), or have been working in regulated environments pretty much all my career. Maybe I shouldn't say anything when I think you're wrong or mistaken or lying.
But I'm sorry, I can't help it. Because you only wrote one side of the story. You'll find a hole or a risk, which I admit is usually there, and then you'll exploit it to make a story without ever considering that there may be easy ways to prevent whatever doom you predict from happening. You're the equivalent of a heckler; in your articles, you often point out flaws and risks. But that's where you stop your analyses. You don't tell people how it could be prevented or fixed. Frankly, you're not very constructive, or helpful, or even informative for that matter. We can all stand on the sidelines and scream at the refs and we've all been guilty of doing it. But when people scream solutions back at you maybe some people need more lessons in listening.
Oh and just like you, I've stated my opinions, on your piece that is, and I stand behind them.
Thanks, I clearly didn't know about your name. It is used to make fun of Hispanics here in California so if you visit you may want to leave the name at home.
Your comment on fixing problems hit a nerve. I agree, and I'll try to focus some space on fixing the problems going forward rather than just calling them out. That is advice I used to give myself, so I find it impossible to argue with.
People who don't stand behind what they write aren't worth anyone's time, so I appreciate that, and I appreciate your post.
To clarify, "SOX" (Sarbanes-Oxley) only applies to entities traded on a US stock exchange (yes, I am ignoring the FDIC issues re holding companies). Therefore Section 404 will only apply to those entities.
These "public entities" are only part of the US GNP, and depending on who you talk to (SBA, etc.) are not on a cumulative basis the largest US employers or the greater contributor to the GNP. Therefore most companies using financial software are not affected by SOX or by your article.
Having done IT audits pursuant to 404, I am required to test the compliance software used by the public entity. In my opinion if you do not, how can you attest to it working?
I have as much problem with a system based on Linux as with Windows. The issue is access to the system. Microsoft puts out a patch, and the companies I audit have IT procedures before they randomly apply that patch. Same with Linux.
If your issue is the outside security of the financial system, both are vulnerable. If your issue is internal manipulation, I always assume that they are both vulnerable. At times I have found that both systems do not pass a Section 404 audit, yet more times than not either software-based system will pass.
As for your comment about the CFO or Audit Committee, as you are aware SOX requires the audit committee to have knowledge about how financial systems and audits are done. I have found them to be very knowledgeable about IT audits (after all, they would be the ones to sign your consulting contract).
Lastly, my first name is Peter, CPA is my occupation, and I am registered with the PCAOB.
Nicely written, and well argued.
One point you made that I didn’t, and should have, is that SOX doesn’t apply to everyone. While Internal Audit is staffing up globally and there have been Enron-like problems cropping up way too often, the focus of this piece should have been crisper, and this is a valid criticism.
I was also working off of my own experience, and my experience is that compliance software is generally accepted as a package: you may test its use, but you seldom test its content. Nature of scope, but, in this case, you are more current than I am, so I stand corrected.
Now, remember, my premise was that the increased focus appears to be putting more resources at looking at this problem. My expectation is that the implementation of OSS based systems did not take these audits into account, while older systems did (based on when they were implemented).
Regardless, I think you would agree that an audit assessment is in order and that just assuming that OSS is more secure (you indicated they were equally secure) would be excessively risky.
On the final comment, an Audit Committee is knowledgeable about the financial aspects of an Audit but I’ve never found one to understand the IT aspects. If your experience is different I’d love to hear it, but that wasn’t mine.
Thank you for your measured and well argued response.
I appreciate your article, but would like to make a few points concerning your vision on the audit business. I have first hand experience at undergoing IT audits, and have first hand knowledge of the internal workings of some of the leading Audit companies.
With or without SOX, the fact is that most of the large audit companies have divested their "Information Technology" branches over the last couple of years. This has two important effects on your problem: most auditors don't know the difference between Kazaa and Oracle Applications, and certainly don't know if I am talking about the database or the application when I talk about Oracle. The second point is that the few people these companies have who do know their stuff (or at least some of it) cannot be charged to the customer for a full day's work because the customer won't pay for it. So this usually ends up with a college graduate receiving a list with maybe 5 to 10 questions to take up to the IT department (and get laughed at). Now even if I take this guy seriously and I tell him we are running SAP or Oracle Applications on an Oracle database, we have XYZ backup method, we have abc procedure for ensuring only qualified individuals have access to the ERP application, bla bla bla... he will go out there very happily, and maybe I'll see him next year with the same list. And all the time, he didn't bother to ask me if the server was running Windows, Unix or Linux.
That is the reality, and SOX won't change that a bit. And please explain to me how this graduate is going to get me fired for not changing the backup tapes according to procedure, when he wouldn't even recognize a backup tape....
I wanted to point out one more thing which I find a totally unsatisfactory answer on your part in the discussion above. You claim auditors will be content with software written by a company because you can check the company's procedures etc. Well if you check Microsoft's history and procedures concerning security and stability, I cannot see how you can draw any satisfactory conclusions.
Speaking as a non-US citizen, I can only see benefits for non-US countries if, according to you, US companies will need to buy overpriced/underperforming software just to satisfy SOX. And you wonder why so much IT work is being outsourced...
Thanks for the measured response.
OK, there is a big difference between external audit companies and Internal Audit organizations. Remember my premise was that at least some appear to be staffing up their IT side, which would suggest that some, if not most, will shortly be much more capable than they have historically been. So, while I appreciate your comments on the big firms, they weren’t the focus of this piece. But you are right: depending on the team, external audit organizations, in my experience, are often kind of clueless when it comes to IT (though the post by phfcpa above may indicate a change here as well).
Actually, my claim was they tend to “be” content with a package from a software company if that package is recognized as acceptable. They tend to blanket accept or reject. As an Internal organization you seldom are allowed the scope to look at an external company, it does happen, but it is the exception rather than the rule in my experience. I never said auditors were perfect, I’m just working from my own experience having been one.
I also never said that you needed to buy proprietary software to pass the audit, and particularly never said Microsoft software. Most of the financial systems I know of run on UNIX (some on MVS and AS400). My personal recommendation would be to leave them there until you complete an audit assessment and know if you can, for sure, mitigate the risks. I actually believe the risks may be overcome, but not unless someone takes the effort to do so.
Interesting how so many people just assume that if you are suggesting Open Source has a problem, you mean Linux (which is generally true in my case, I’m a personal fan of BSD), and that you favor Microsoft as the alternative. I favor whatever is best for a certain situation. I’d be hard pressed to argue that, if I’m trying to survive an SOX audit, AS400 wouldn’t be my preferred platform, but I’ll leave that for another day.
I appreciate your candid response. And I agree that Linux is not the only open source software out there, and neither is Microsoft the only closed source company. But they both serve as recognisable examples.
I think the whole discussion boils down to perception. The perception that a company is more trustworthy than the open source community. In my opinion the main difference is that you could theoretically (if you had deep pockets) sue the software company, where you would find it hard with the open source community ...
I find it a pity that people trust a legal entity who has some poor guy in a programming sweat shop write code, but not someone who writes code after hours, for free, just because he wants to write the best code...
I hope you can help start educating people to see the insanity of the situation.
Interesting point. One of my common sayings is “perception is 100% of reality”, and changing that perception is a good goal when you need to move the ball like this. But you have to remember that, like the court, an audit is largely artificial. Auditors can’t look at everything; they use their skills to take a small amount of data and form a conclusion on your unit. It is more like an art than a science, and surviving an audit is a dance that successful managers now must master (if they are, or plan to, work at a public company).
This is one of the strange things about an audit, if you know how they are done, even if you are incredibly screwed up, you can pass, if you don’t, you could be comparatively well run but fail. It depends on the team of course. I tended to run teams with CMAs, CPAs, and MBAs so we played heads up ball, but most internal teams are remissioned line employees who have to live by the Audit program. Under SOX, the audit program just became a bible.
The big problem Open Source has is proof; unless the audit program has been modified to deal with it the team will likely just flag it as a variance and move on. Problem is, you probably won’t be in the room when the variances are taken to the Audit Committee and, trust me, they don’t like them particularly if the auditor gets creative with the potential exposures. Basically what you have to do is identify the relevant risks, make sure that they can be quantified, have the appropriate manager sign off on them, and do what you can to mitigate them.
But, someone needs to do this work before the auditors start their pre-audit work.
I used to teach audit strategy, here are a couple of quick rules (this may be good for a future column).
1) Don’t lie, it will get you and the horse you rode in on fired.
2) Leave something for the auditors to find (they will keep looking until they find something and, in auditors, creativity is a BAD thing).
3) Don’t be defensive, focus on the solution and not the problem (for God’s sake, don’t argue with or threaten an auditor). Anyone with a short temper should be on a vacation during the audit.
4) Make audit preparedness a regular part of your internal process, it not only leads to a more secure shop but you’ll sleep better at night.
5) Finally, realize that the audit is not a personal attack and the auditors have one of the most miserable jobs in the company. Sometimes a little empathy will do wonders for the final report.
There's no secure system, and GNU/Linux is closer to being safe if compared with Windows, so you can't post "Can the Open Source pass an audit?"... Well... you could, you did it. But Open Source is a valid alternative too. I know who made the Linux kernel (Linus B. Torvalds) and I know who packaged my Slackware distribution (Patrick Volkerding) and I know who's programming my system on GTK+, a creation from the guys of GIMP: see GIMP.org to see who made the libraries. So if you make audits, then you know of Gnumeric... Gnumeric is far from being bad open source software; it makes exact matches when you divide 3 by 4, because it doesn't save "0.75", it saves "3/4". If you don't get this, well... it can be more precise than Excel and other killer apps. So I decided to tell you to say you're a simple mortal, as I usually am, and recognize you were wrong. If I am... send me a comment and explain to me what an audit is...
DarkProximity: "There's no secure system, and GNU/Linux is closer to being safe if compared with Windows, so you can't post 'Can the Open Source pass an audit?'"
Where do you get this outlandish idea that somehow Linux is more secure than Windows from?
Show me your audited facts and figures from an unimpeachable source. ( Hint: Don't go quoting me the notorious linux liar and bomb thrower David Perens, ok?).
Nothing could be further from the truth!
The exact opposite is in fact true.
Figures from CERT regularly prove that Windows in fact does have far fewer security breaches than Linux, despite the fact that there are at least 100 times as many Windows computers connected to the internet as Linux computers. According to the latest figures from mi2g, a UK-based security consultancy, Linux servers were attacked 13,654 times in January, compared with just 2005 attacks for Windows-based servers!!! (http://www.winnetmag.com/windowspaulthurrott/Article/ArticleID/41813/windowspaulthurrott_41813.html) Chew on that one, pal!
Your claims simply don't stand up to scrutiny and your figures just don't add up.
Continuing with my idea: GNU/Linux has better features that Windows doesn't have: a better permissions system, very low cost, compatibility with more hardware (not just x86) and continuous development that makes a solid system. What does Windows have that Linux doesn't? Windows is easy to configure (it has fewer options) and it's not difficult to work with. But a well-configured Linux has less probability of being owned by strange hands.
Ah, and I read your page: "...coupled with inadequate training and knowledge about how to keep that environment secure when running vulnerable third-party apps..." hmmm... sounds like "I don't know Linux but I'll read Linux for Dumbs". There are lots of documents on how to use SSL to transfer data and how to deny access to some users. It all depends on the security policies applied.
Security is not just about preventing hacking attacks. It's about hacking, stability, virus avoidance, prevention of data loss, etc. And you attack just one of these items.
A good design of a system doesn't take a short period of time. But I made some systems running under Linux that passed several security tests without any problem. So, why can't it pass an audit? Because the programmers who make contributions are "anonymous"? (Miguel de Icaza is the leader of the GNOME Project; Linus B. Torvalds is the Linux hacker; Patrick Volkerding made Slackware Linux.)
Finally, some open source apps can still not pass an audit. But, from a more technical point of view, closed development is in the same position, so don't try to compare them. It will always be different.
/* Windows users just use Windows, Linux users are Linux lovers */
I'm a computing technician and I test computer software, so I have a different vision. Obviously you noticed two things that appear to be opposite. There's no secure system, as I said, which implies that there will always be a way to get in, and by definition the Internet was designed to be insecure. If you want maximum security, you just need to disconnect the main computer from the other ones... But if you have a well-configured server, you will not have problems.
My grounds for posting that Linux is really more secure than Windows are technical. I don't trust statistics because "statistics are the science that says if you have two cars and I don't have any, then both of us have one car" and "the researchers said that 90% of the statistics are false". So, tell me... can you have viruses on Linux? Do you have RPC bugs on Linux? In a good Linux setup, you don't have those things. Can I check your Linux box? What version of Apache are you running? Did you know that Apache must run DSO mods in /usr/libexec/apache instead of /usr/libexec?
In Windows, we have some interesting things: Windows 2000 allows a user to run programs which are not installed. For example (and just an example, because I can't remember another one): all the users in a computer lab learned that if you have mIRC 32-bit on a disk, you can execute it without installing, so you have an excellent tool for chatting that fits on two diskettes. There are two ways to fix it: one, to deny access to the diskette drive (where will the users save their work?); two, to deny access from the server. Well... the program still has access to be executed on Windows... for all users. Windows Update always carries problems. I think the only GUI desktop environment carrying problems with updates is Windows, because they don't use source patches but binary ones. This causes registry problems, security holes, and so on... So, can you tell me if "security" exists in Windows? I think it just exists as a word in the Encarta Encyclopedia and in the Micro$oft Office dictionaries.
I need to leave now... then I'll finish my explanation, ok?