Proprietary security software is an oxymoron, says FSF

The reality is that this is almost certainly a simple error – something that Sullivan accepts: “We will avoid attributing this error to malice just yet, and wait for their correction.” At the time of writing, the FSF has not yet indicated that any correction has been made; and Microsoft has not yet responded to our request for a comment.

Nevertheless, the issue raises some interesting questions. Firstly, it should be said that there is little love between the two organizations. FSF is particularly concerned that the upcoming ‘Secure Boot’ facility in Windows 8 doesn’t evolve into a ‘restricted boot’ capability; that is, a facility that doesn’t just prevent malware from loading and running, but also prevents ‘unauthorized’ (for which, read ‘free’) software from loading and running.

Furthermore, Sullivan makes an interesting assertion: “Proprietary security software is an oxymoron -- if the user is not fundamentally in control of the software, the user has no security.” It is a clear plug for open source security: but is it valid? Nigel Hawthorn, now with MobileIron, but once with Blue Coat Systems, has little doubt – or patience. “I think the quote is rather ridiculous,” he told Infosecurity. “You can't write your own filtering or anti-malware or firewall software - you have to rely on a large company that has invested many man-years of effort to deliver the security you need.” He pointed out that companies like Blue Coat, which relies heavily on ‘reputation’ systems, “take updates from users very seriously and review and change ratings as soon as they can.”

Trend Micro’s director of security research Rik Ferguson gets to a similar position from a more philosophical route. The author, he said, “conflates two notions, that ‘proprietary’ equates to ‘no user control’.” That is demonstrably not the case, he adds, “although it is not surprising that an organization that promotes open source software would choose to make the point in that way.” Trend Micro is itself no stranger to free and open source security software, having recently donated HijackThis to the FOSS community.

Ferguson believes that ‘user control’ (something that Microsoft promises for Secure Boot) is more important than user access to source code. “Many users neither know nor need to know what source code is.” But he even considers the concept of ‘user control’ to be open to debate. “Who is the user?” he asks. “The person sitting using the enterprise laptop while out on the road, connecting to unknown networks and browsing wherever he sees an interest? Or is it the network admin, in charge of setting policy and securing the organization?”

Full control is thus something entirely subjective, he says. “Should a consumer be able to whitelist sites, for example, that have been tagged as bad? With the right warnings, absolutely, yes. That is full control – but it does not require open source software.” But, he adds, “Should an enterprise user be able to override the security settings of the network administrator as regards corporate policy? No – because then it would no longer be corporate policy; it would be corporate recommendation.”

So, he concludes, “Can proprietary software provide full security? Yes,” provided that proprietary software is fully configurable by the owner of the license. “Do false positives happen? Sometimes, yes. But what is important is the speed and accuracy of the response from the company making a false positive.”

