Comment Re:decade long op!? (Score 1) 69

You're obviously very young or have worked for smaller companies, which is why you think that their status as "convicted monopolist" makes any difference to anyone. If their products didn't fill a need for which there was no better product available, trust me, they wouldn't retain the business they do.

No one cares about ideology or even ethics. What they care about is making money. Windows fits into some big but very specific niches, and it performs that role extremely well. That's why it's still around.

That's also why it's been pushed out of certain segments of the market: because it *doesn't* do certain things very well. The key is the evaluation of the requirements of the project to determine what is the best fit.

Working in security, I deal with it all, all the time. I would say that operating system is probably the least important factor in judging the success of an implementation. One company I worked for had a network that was divided in half. Half the network was the officially supported infrastructure and included both Windows and Linux. Windows was 100% of the desktop infrastructure, and a mixture of OSes powered the server infrastructure. It worked amazingly. It accommodated extreme-novice users, who had way more important things to worry about than what OS was on their desktop, extremely well. Once they got their patching routine down, it was surprisingly resistant to worms and viruses. It was actually extremely impressive.

Then there was the other side of the network, which ran from datacenters in closets and servers under people's desks. It was a mixture of Windows and Linux, and I would say a solid 60% of it was dismally run. Constant compromises and virus infections. Extreme resistance to common-sense security precautions. Blatant outrage when servers were taken offline because they were affecting other life-and-death critical machines, etc. No patching at all. A complete lack of understanding of what they were even running, much less what version. I could go on and on.

The point is, shitty administrators make for shitty implementations regardless of OS. Good administrators make for good implementations, regardless of OS. Good administrators choose the best tool for the job and use it. Shitty administrators are ideologues who will force a tool to do a job that it's not that good at.

Comment Re:decade long op!? (Score 1) 69

My response is that of an engineer who has run into multiple instances where open source software was tried in enterprise-scale implementations and there were serious issues which we were not able to get a resolution for. Posting a message about performance problems with an agent running on domain controllers for an 80,000-node network and hoping that someone will eventually get around to fixing it is not what most companies consider "support". They are looking for someone's feet to hold to the fire. Not that that model works 100% of the time, either (I'm looking at you, Cisco!), but for the most part it does. It also provides a company with (some) assurance that the project isn't going to just die and leave them in the lurch.

Meanwhile, I continue to see heavy use of open source operating systems which are supported by various vendors in areas where it makes sense to use them. Sometimes commercial closed source products work better, sometimes they don't.

There has been a failure (in some areas, but not others) to respond to what the market has asked for with open source products. In many cases this is probably because the originators of the project really aren't seeking worldwide market domination, which is an extremely laudable way of going about things. In others, it's because the community doesn't acknowledge what is important, or isn't aiming to accommodate certain levels of implementations. Writing products for small to medium businesses is a lot easier than writing them for titanic enterprises. There's nothing wrong with making that distinction, and there's nothing wrong with leaving those markets for closed source projects to jump on.

What there is something wrong with is making the decision an ideological black and white choice and ignoring the requirements of the project completely.

Comment Re:decade long op!? (Score 1) 69

Not really. Your implication is that your opinion on the matter trumps what companies spending millions and millions of dollars believe is valuable.

Most enterprises run both Windows and open source operating systems these days. They do this because each is better suited to different tasks, not because of some ideological crusade.

Comment Re:decade long op!? (Score 1) 69

1.) You aren't allowed to use open source software because there's often no support or only "community" support for it. With closed source products you can also require the company selling the software to have an independent code review done and (depending on your clout) provide some version of the results to you for review. If you could use open source, it would cost an enormous amount of money to do code review on someone else's code. No one wants to spend the money to do this, because it would only prevent a tiny minority of compromises.

If you "trust" all the software you install, whether it's open or closed source, you have already lost the battle.

2.) The symptoms of this malware would be readily apparent. TeamViewer traffic was picked up and flagged by default in the last signature-based IDS I had access to. Why do you think it's impossible to install malware on open source products? Are you going to do a complete code review every time a new version or patch comes out? Are you running HIDS software on every single machine in your organization to prevent modification of the binary after it's installed? What are you doing to prevent phishing and spear-phishing attacks, which are the means that most attackers use to get a foothold in an organization and have been for more than 40 years now?

Your notion of "trust" is wide-eyed and unrealistic. Security must be layered and standardized. It also must be practical, effective, financially reasonable, and comprehensive. This notion of open source software as the magic bullet that would have prevented this is incredibly silly.

Comment Re:A strong push for open source in government (Score 1) 69

Most companies don't have the resources to do really good code review on their own software, much less on every piece of software that comes in the door. The government has (unfortunately) many more resources, and they also have the clout to get source code or request independent code reviews on software which they buy. Actually, independent code reviews and penetration testing are becoming a part of most customer contracts now anyway, even between two regular businesses.

Support. That's why companies and government agencies choose closed source. Open source products which you can get support for can usually get a decent foothold. Open source products for which there is no support or "community" support won't be able to become as widely adopted. It's really not this complex ideological war.

I have no idea why the comments in this article are so focused on open source. Well, yes I do, it's Slashdot... but this breach could have been prevented or detected any number of ways. I've seen suspicious TeamViewer traffic in IDS consoles before. Why were these agencies not implementing basic security controls?

Using open source software isn't the magic bullet to prevent compromises. Even in closed source environments, phishing and spear-phishing are widely used to gain a foothold on a network. This technique is suddenly impossible because of a financially impractical code review procedure for every piece of software that comes in the door? C'mon.

The answer to these compromises is the same as it's always been. Layered security, standardized procedures, visibility into network traffic and systems, preventing employees from installing non-supported non-auditable remote access software, monitoring and auditing, etc. If these agencies somehow have the resources to do code review on every piece of software in their environment then, sure, that's an awesome layer to add to the process...but it's an expensive layer and one that addresses a problem that isn't a big risk in the grand scheme of things.

Comment I lost 70lbs (Score 1) 635

I lost 70 lbs after being heavy all my life. Here's the secret...

Eat fewer calories than you burn. ...that's it. There's no magic solution, there's no way around it, there's no pill or device or routine which will allow you to keep eating shitty food and not exercising and lose weight. You can eat nothing but chocolate bars and lose weight if you really want to.

Change the way you eat to something you can live with on a long term basis. Dieting doesn't work.

Putting a treadmill under your standing desk is an asinine solution. I can only imagine how much your boss was cringing when you asked them such a ridiculous question with a straight face. If I was your cube neighbor and you did that I would stab you. Like, legit... I would take a knife and stab you.

One trick is that you don't have to kill yourself exercising to lose weight. You want your heart rate to be in a target zone, which is surprisingly not that hard to maintain. You won't lose weight faster by killing yourself going balls-to-the-wall. Find out what your target heart rate for weight loss should be and arrange to be in that target zone for an hour at least three times a week, or more if you insist on cramming that sludge into your body. I recommend swimming, it is unbelievable exercise and easy to stay in the weight loss zone.

The other thing is to weigh yourself all the time. Weigh yourself in the morning and at night. You will start to understand what you can and cannot do. You will start to understand how much exercise you need and how much you can eat.

It's not as hard as you think, but there are no shortcuts. Sack up and do it. You'll be glad you did. Life is better when you're thin.

Comment Please. (Score 1) 203

Does anyone actually think the administration had any intent of following through on what it said? This was a PR stunt to try and look like good guys. They knew very well that there were hiccups because of the treaty but, more importantly, that the change would never get past congress in the first place.

Why are people still so naive about how the government in this country works? Maybe I'm overly cynical, but I have a preeeeeeeeetty solid track record of predicting how these things will work out. The majority of people seem to think that these things are still decided by law and principle and opinion. They're not. They're decided by money and political wrangling.

Who would benefit from the ability to unlock phones? Consumers/voters. Who would lose? Cell companies. Which is more important, looking cool to voters, or continuing to get the truckloads of money that an American politician must have to have even a ghost of a chance of winning an election? The answer is obviously the money, because without the money you can't get in the game in the first place. This form of corruption is so widespread that there really isn't a significant body of lawmakers who are really making an issue out of things like this, so why take a stand on something that you will never have to answer for in an election and will absolutely 100% lose you money that you need to win the election in the first place?

Comment Re:I do not agree! (Score 1) 250

You must be a manager to have such a negative and limited point of view. If you look at the regs from the point of view of a manager, it's a checkbox to check. If you look at it from the perspective of a security engineer it's a driver to implement legitimate controls. All the regs have fluff and vagaries, but they all also have very useful requirements and provide a stick to make the business pay for reasonable controls.

It's also about liability. Sure, you can lie to your customers, but in addition to being unethical it means that if you have a breach you are in for a tremendous shitstorm. Comply with or, better yet, get ahead of the regs and you will be in a much stronger position to a.) not have a breach in the first place, b.) fare well in court if you do have a breach.

Comment Re:I do not agree! (Score 1) 250

I totally agree that it doesn't solve all your problems. If your security people are telling you it does you need new security people. The problem is that keeping software up to date, auditing user permissions and doing other basic things doesn't have as big an impact as you might think.

Well...ok...keeping software up to date does...and I can certainly write a huge diatribe about that too that will be no less universal and impassioned.

But it's all about layers and it's all about getting ahead of regs and requirements. Turn security into a feature of the product, not something you bolt on at the last minute. The more we implement encryption universally the easier it will be for developers and the more mature key management solutions will be.

Comment Re:I do not agree! (Score 2) 250

I get the point about the I/O heavy servers.

I don't agree with the always-on server argument, though. Yes, it's not going to protect against many types of attacks, but it will protect against some, and that is what's important. It's another layer. More importantly, it's a layer that is being increasingly asked for by customers, whether or not any of us think it makes sense for a particular application. Building encryption in after the fact is an absolute nightmare, and usually the costs and impact to production are going to be higher if you wait until you have to get it done in a month or you will lose a big deal. Better to implement it in the first place and put it in your marketing material so the question never even gets asked.

Comment Re:I do not agree! (Score 2) 250

"Getting it wrong" in the implementation stage is a function of developers not viewing security as part of their job. I'm not saying that we can eliminate mistakes and develop perfect code every time, but you have to try. The more experience developers get with implementing it and the more universal it becomes, the fewer mistakes they're going to make when implementing it. Right now, it seems to be regarded as a novelty by most developers.

I don't buy the "false sense of security" argument at all, sorry. If it's not encrypted I can absolutely guarantee it's not secure. If it's encrypted then at least that's one layer of protection to help mitigate issues at the many other layers where they can occur.

I also don't buy that implementing encryption is going to double your time to market. That's another excuse used because the initial impact is large, but as developers gain experience with it the impact will be reduced.

Here's the thing with your other questions. When the product gets built, maybe the information isn't sensitive or regulated. It will be, though. This will happen either by the regs changing, because of new customer requirements, or because the scope of what the product is handling will increase. I see it every day. Developers don't seem to get eyes on the questionnaires that security gets from customers too often, but they should. Customers are asking VERY detailed security questions now and some have very very stringent requirements. So your choice is, a.) build security into the product and make it part of the value proposition or b.) wait until you get hammered by a customer and either have to reinvent the wheel in three months (or two weeks!) or, worse, lose the business. This happens over and over and over again but no one seems to understand that getting AHEAD of these requirements is going to save money in the long term.

Export restrictions are a valid point, that one I accept.

"If your server is rooted" is specious. If someone spear-phishes an employee and gains remote access to their machine they will be able to bypass the firewall... so we shouldn't have firewalls? No, that's obviously not true. Integrity, audit, and access control are critical almost no matter what data you are hosting. Even if it's not regulated data, your customers will eventually be asking.
