
Comment What does Sage actually say on the subject? (Score 1) 223

The actual articles are very different from the obvious slant that exists in the posting summary. It's also unclear whether the original poster actually read Sage or simply relied on comments from the Robert McMillan article in PC Advisor. Either way, I've read both and McAfee doesn't seem to be targeting open source in any way that's unfair or incorrect (read for yourself):

"Paying a price for the open-source advantage" is not the cover story, but rather the cover text describing the subject matter for Vol 1 Issue 1 of Sage. Here are the contents:

- Security Trends and Events of the Last Six Months [Technical Article]
- Good Intentions Gone Awry [Feature Article]
- Money Changes Everything [Feature Article]
- Open-Source Software in Windows Rootkits [Technical Article]
- Building Better Bots [Feature Article]
- Is Open Source Really So Open? [Opinion / Editorial]
- Vulnerability Bounties [Opinion / Editorial]
- Will the Worm Eat the Apple? [Technical Article]

In this Issue:

The Open Sourcing of Threats

Open source is an important and powerful force in today's networked world. From basic tools and utilities to applications and operating systems to the foundation of the Internet itself, open-source products have created tremendous value.

The fundamental tenets of the movement are quite simple:

"When programmers can read, redistribute, and modify the source code for a piece of software, the software evolves. This rapid evolutionary process produces better software than the traditional closed model at a speed that, if one is used to the slow pace of conventional software development, seems astonishing." 1

Belief in the open source philosophy approaches an almost religious zeal in its most ardent proponents. However, like any powerful tool, open source can also be used for malicious purposes, particularly in security. Whether posting a terrorist training manual or a how-to guide for attacking infrastructure, there are consequences to the free and open sharing of information--especially in the realm of computer and network security, where the desirable degree of openness in the sharing of vulnerability and threat information and the role of open source in the production of malware are significant points of contention.

As Dmitry Gryaznov explains in "Good Intentions Gone Awry," malware authors have been collaborating and sharing source code, using books and bulletin board systems and, eventually, ftp sites and the Web, since soon after the first computer viruses appeared in the late 1980s. Gryaznov also quantifies the significant impact that such sharing has had on the production and proliferation of malware.

Igor Muttik continues the narrative in "Money Changes Everything," in which he presents ample evidence of a vibrant and sophisticated open-source community actively engaged in the development and dissemination of both new and repackaged malware. The bundling of threats and the use of obfuscating tools (to thwart security scanners) offer clear evidence that modern malware is the product of collaborative efforts.

The advent of bot herders and their botnets, however, signals a change in the character of and intent of malware. Though malware authors started sharing and collaborating 20 years ago, the degree of process maturity and quality of code in those early threats was never comparable to that of commercial software products. As a result, most malware was, by comparison, poorly written, prone to failure, and ultimately ineffective. Michael Davis' "Building Better Bots" confirms that this situation has changed. Bot malware is now developed with the same methodologies and tools used to produce marquee open-source products such as Firefox, Apache, and MySQL. Driving this charge toward professional quality code are the financial rewards that a large botnet can earn for its master, whether from sending spam, injecting adware, participating in a Distributed Denial of Service (DDoS) attack, or performing some other contracted nefarious activity.

Today's threat environment has materially changed from years past. The professionalization of malware coupled with the powerful open-source model is creating a formidable, profitable, and criminal adversary for security professionals. The fundamentals are in place for this new industry to thrive, virtually guaranteeing that malware will continue to become more robust, more sophisticated, more plentiful, harder to combat, and more dangerous.

Reactive security measures are unlikely to keep pace as these trends unfold. Though patching processes are improving and the window of malware opportunity between a patch's release and its widespread adoption is shrinking, targeted exploits that capitalize on previously undisclosed vulnerabilities are already uncomfortably common. Remediation--which by definition occurs after the fact--is also becoming more difficult. Mike Danseglio, a security program manager at Microsoft,® shocked many at the InfoSec World Conference in April 2006 by stating flatly, "When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit."2

There are no easy solutions. Thankfully, current security measures have thus far managed to contain many of these threats. However, as malware continues to evolve and proliferate, prevention and proactive security may become the only ways to stop infections before they cause irreparable damage to systems and businesses.

Open source is not to blame for the current security trends, though it is a critical enabler for malware. In light of the ways malefactors use open source, perhaps the time has come to re-evaluate long-standing beliefs about full disclosure and absolute adherence to the open-source creed. Similarly, the security community may need to revise its traditional strategy of containing threats by controlling and restricting information, as it tries to compete with an open-source malware community that is becoming better organized, better funded, and more effective than ever.

1 http://www.opensource.org/
2 Ryan Naraine, "Microsoft Says Recovery from Malware Becoming Impossible," eWeek, April 4, 2006. http://www.eweek.com/article2/0,1895,1945808,00.asp
