Tag: open source

The good, the bad and the ugly of the proprietary software model

January 15, 2022 /

The last article discussed the advantages and disadvantages of the Open Source software model. We even listed some uncomfortable truths regarding its economic viability and how it could be more expensive than many proprietary products. Despite being an Open Source zealot, I want to start with the statement that I still think proprietary software is sometimes better than Open Source ones. We can not compare my case with the average customer because I have spent the last 18 years working in IT – aka I want much more control over my system than the standard PC user. At the same time, when I can, I strongly avoid using proprietary software because I want to know what runs on my device or have the ability to review it if I wish. But let me list the good, the bad, and the ugly of using proprietary software:

The good

  • Legal responsibility: Wishing or not proprietary software vendors are obliged by law in most countries to take care of their customers and the data coming with the usage of the software. And yeah, many governments try defending their citizens and their data.
  • Better support: No one will pay for proprietary software if support is not included in the price. The difference to the Open Source vendors is that you receive some hours of first-level support with the cheapest plans, which is better than nothing.
  • Centralization: Having a more centralized way of management has advantages such as faster development speed, faster decision-making process, and fewer intrigues. 
You can see a comparison between BlackBox and Whitebox software on the diagram. Open Source software is considered Whitebox because everyone can see and review its logic. On the other side, proprietary is considered as BlackBox because to analyze its behavior, analysts must use reverse engineering techniques

The bad

  • You should pay for it: One of the bad things regarding proprietary software is that people should pay for it. And the main problem is not the cost but businesswise; when you are using something you don’t have access to, you introduce a critical business dependency. What happens if suddenly this software vendor disappears?
  • Closed ecosystem: Decisions are made by the company’s owners producing the software. Customers usually do not have control or involvement in feature design and implementation. 
  • More complicated collaboration: If two companies want to work together, they should sign a contract, and by signing this contract, they “decide” how their partnership will happen. By not having a ready-for-use framework, lawyers must review every agreement and make sure that both sides are happy with it.

The ugly

  • Sometimes less secure: Proprietary software has the same security problems as Open Source software. Many hackers are pretty adept in reverse engineering and finding security holes. Additionally, proprietary vendors must pay for security audits and could not rely on an ecosystem of hardcore software engineers to do that for them.
  • Lousy support for smaller customers: The bigger a software vendor becomes, the lousier its support becomes for its small customers. And this equals them to the Open Source software vendors without support for their free plans. And yeah, there is a reason for the number of jokes regarding the quality of support provided by given operating systems manufacturer :-).
  • Weaker legal defense: The bigger a software vendor becomes, the more legally powerful it is. And this leads to fewer opportunities for its small customers to search for justice. Usually, the side with the bigger pool of resources is the winning one in legal battles.

In conclusion, there is no significant difference between proprietary and Open Source software models. The only meaningful difference is that customers could legally claim stuff easily from smaller proprietary vendors. However, once the vendor becomes too big, they hire better lawyers, and experienced lawyers are pretty good at defending corporate interests. Other than that, the tradeoff for the end customer is first-level support versus free usage.

The good, the bad and the ugly of Open Source software model

January 9, 2022 /

I want to start this post with the statement that I am a fierce supporter of Open Source, and all of my computers, servers, and smartphones are using different flavors of Linux. For the last ten years, I have used Windows ten times at most, all of this because some software vendors have been neglecting the Linux ecosystem for years. Other than that, I have no wish or necessity to touch Mac or Windows for anything rather than testing web or mobile apps. 

At the same time, I want to strongly emphasize that Open Source as a model has its problems and that I believe no software development practice, Open Source or proprietary, is ideal. This post aims to list some of the advantages and disadvantages the Open Source model has. Despite its widely successful spell during the last 30 or more years, the model is somehow economically broken. But, let’s start with the lists:

The good

  • Open Source is almost free: Most open source projects provide free plans for casual users or tech-savvy customers by having an ecosystem. This way, a whole set of companies can build their business model based on these freemium plans and add value.
  • More openness: People working on open source projects must make an ecosystem. And people stay in any ecosystem only if the system is open to proposals and changes according to members’ needs. In another case, the ecosystem usually does not survive for long. Additionally, everyone can review the code and search for security holes.
  • Better collaboration: Legally speaking, if two organizations want to work together, they should sign a contract on every point they want to collaborate. Organizations already know how to work with the various Open Source licenses and do not need to reinvent the wheel for their specific case.

The bad

  • Lack of responsibility: Most Open Source software comes without any obligations for the authors. Whether there are security holes, bugs, or losses by using the software – authors are not responsible.
  • Too much decentralization: When a project becomes too popular, the lack of centralization increases politics and power struggles. By having multiple controlling bodies or boards of people governing the project, the number of interested parties increases and thus sometimes making the decision-making nightmare.
  • Lack of support: Some Open Source projects entirely lack technical or user support. Even if they offer support, the customer must pay too much money to get any meaningful help. The plans with the lower cost usually are not helpful enough.
On the diagram, you can see a standard crawler architecture diagram. Most of the products implementing this diagram would use Open Source components to speed up the development and lower the cost. They must live with the problems derived from using these components

The ugly

  • Sometimes less secure: Many projects do not have the proper set of resources to ensure their level of cybersecurity, despite being used by many people. A recent example of that is log4j – all major Java products use it, and at the same time, a big security hole was discovered a couple of weeks ago.
  • Complicated business model: Open Source is complex for monetization. Many products try surviving on donations or support. However, this monetization model does not scale as much as the proprietary one.
  • Legal mess: Usually, proprietary products step on Open Source ones to speed up the development time. This technique is used primarily in Start-Ups or consulting companies. However, this approach has its problems. What happens in a similar case such as log4j, where a security hole or a bug in one of your Open Source components leads to data leaks or financial losses? Who is responsible? By default, this is the user of the component, aka you.

In conclusion, Open Source is not for everyone. It could be more secure or with better support, but only if the code comes from a reputable software vendor. In all other cases, the user is left on its own to handle their security and support. Another question is whether the alternative (using only proprietary software) is better, but I will analyze this in another article.

Could Open Source be successful for Start-Ups

October 21, 2021 /

For a long time, I had this discussion with colleagues and friends about whether open source technologies, especially Linux, could replace all of your software needs. In the past, the main problem regarding using Linux was not mature enough ecosystem and being too complex to work with. However, after the introduction of Android (we could categorize it as a Linux distribution), things became less difficult, and many companies invested much of their time into making their products work on Linux. 

But still, something is missing. By official data, the Desktop Linux users are between 0.6 and 1.5% of the overall Desktop Users. And this is quite a low count of Desktop users. It seems free is not enough for business owners to make the shift. But let’s compare the traditional business software stack to what Linux can offer:

A typical modern office setup, in which there is a data center with servers, and all of the employees are using these servers to connect to their corporate network and use the systems
  • Microsoft Office and Outlook: LibreOffice is an excellent alternative for having an on-premise installation of the office software package. It usually has good compatibility with the original Microsoft Office and could open and edit files. Sometimes the styles of the original files are destroyed. In that case, one can use the cloud variant of Microsoft Office in a web browser. This way, we could avoid such issues. Additionally, Linux comes with Thunderbird, which is an excellent alternative to Outlook.
  • Zoom/Viber/Microsoft Teams/Slack: All of these have binaries for Linux, which means you could have the standard video conferencing apps installed on your machine and have the same experience as the Windows-native users. Additionally, they all support web browsers, which means no need for a native app for communication.
  • Exchange/Sharepoint: Most Linux distributions do not support an active directory out of the box. However, one German distro supported all the group policy features and made it possible for Ubuntu-based clients to connect to this active directory. The name of that distribution is Univention Corporate Server and could be used as a drop-in replacement for Windows Server.
  • Specialized Software: And usually, here comes the main problem with Linux. Most of the specialized software does not have builds for Linux. Some examples are Adobe Photoshop, Adobe Illustrator, 3D rendering software, most of the accounting software, most of the governments’ software, etc. Unfortunately, there are no signs of bringing this software to Linux soon. Fortunately, most of the workers in a given company do not need highly specialized software, and they could do their job in the web browser.

In conclusion, using Linux in the corporate environment has become more and more user-friendly. At the same time, I firmly believe that Linux could entirely replace the software stack for SMEs, excluding those using the specialized software. Fortunately, there is a shift in software development for going into the cloud, which could, even more, help the SMEs with the specialized software (some vendors are already moving their software in the cloud). Additionally, all Linux distributions support Firefox and Chrome out of the box. And as a final – during my coronavirus sick leave, I managed to open my X-Ray photos (DCM image format) on CentOS 8 (I have been using CentOS for the last up to 10 years) without installing anything. ImageMagick supported it out of the box.

Cybersecurity tactics for small teams – Hardware Device Security – part 2

October 14, 2021 /

As you can see from the previous paragraphs, there are multiple ways to penetrate your devices. In the following sections, I shall list some methods of making your devices more secure. You can find the previous part – here.

Hardware Security

There are multiple options for physically securing your laptop and smartphone. At the end of the article, I shall give multiple variants for your budget, but ideally, the essential hardware security upgrades are:

  • Secured Notebook Backpack: There are multiple hardware vendors for securing your laptop backpack. It is essential to know the standard branded bags do not offer enough security options. For example, most backpacks do not provide RFID protection and proper locking mechanism.
  • USB Port Lockers: Port lockers can keep your laptop safe from Rubber Ducky-based attacks. At the same time, port lockers are pretty interesting because they make attackers’ lives more complicated in case of steal. To access the USB port of the device, they have to break the locker, which can damage the USB port and make it unusable.
  • Hardware Tokens: Bussines series laptops usually come with internal TPM chips, which can encrypt your entire hard drive. It is terrific, but if you want better security, it is advisable to encrypt your most critical files using external USB hardware tokens.

Antivirus Software

The average number of new malware programs per day is around 450 000. It is an astonishing number and almost destroys the necessity of antivirus software. Still, it is crucial to understand that the goal of your Antivirus Software is to stop the most critical pieces of malware, but not all of them. Let me list some of the mechanisms your Antivirus Software uses to keep you safe.

  • Malware Database: Every Antivirus program comes with a malware database with different strains of already analyzed computer malware. As we already understood, there are around 450 000 new strains per day. Antivirus companies’ teams keep only the most dangerous strains in the database to keep with the speed of making new strains.
  • Malware Scanner: Usually, every malware tries to gain access to resources, which are not part of its resources pool. Antivirus software can monitor your operating system for such activities and can block them and finally notify you.
  • Operating System Files Hash Check: Some antivirus software can check whether there are changes in your operating systems and notify you and revert the system files for the previous state. It is especially true with Red Hat-based Linux distros.

Open Source

One of the reasons people choose Open Source is the level of security it offers. You can perfectly set up your business to use an open-source stack from the beginning. And this is not only the applications but the operating system and even your hardware. Especially Linux is a beautiful example of how an Open Source ecosystem can increase its security by being open. Instead of using pirated software, you download it from a free repo, which has the source code of the app already reviewed. Every major Linux distro has all of its packages signed, and the repo can verify them. But let me list the different advantages an open-source operating system has.



On the diagram, you can see a sample architecture of a Linux system. Usually, SELinux and AppArmor are working on the Kernel level. After version 4.4, Android has SELinux enabled by default.
  • SELinux and AppArmor: SELinux and AppArmor are kernel modifications and user-space tools added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy and streamlines the amount of software involved with security policy enforcement. Significantly, the fundamental concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA).
  • Open Source Repos: All the packages are part of the software repos, maintained by the distro authors. Bigger Linux distros such as Red Hat and SUSE support big security teams to find and patch holes.
  • Open Source Hardware: There are multiple open-source hardware initiatives, including PowerPC and ARM-based processors. It is essential to know those hardware devices attached to your PC come with drivers, and sometimes these drivers can be an entire operating system. For example, server-based Intel Xeon processors come with network-based remote access control.

Budget:

So after we have listed most of the penetration vectors which an attacker can take, we can finish the topic by creating a budget. We will focus the funding towards underfunded organizations with a limited budget for their cybersecurity program. The budget will be per employee.

  • Pacsafe Backpack (190$):  Pacsafe is a brand of travel equipment emphasizing anti-theft features. The company’s products include adventure backpacks, urban and leisure bags, women’s bags, photography bags, luggage, and travel accessories such as straps, cables, and locks. Their middle-end backpacks offer a pretty good level of security.
  • Business Series Laptop (1000$): For this one, I would choose Lenovo Thinkpad-based laptop. It supports TPM and will offer a good level of harddrive encryption. It is essential to mention here that you have to encrypt all of your storage drives, no matter SSD or HDD ones.
  • Laptop Operating System(0$): Here, we shall go with either CentOS or OpenSUSE. I would personally go with CentOS here because of the native SELinux support. If you want to use the Ubuntu operating system, you should live with AppArmor or set yourself SELinux. CentOS additionally support free Antivirus Sofware supporting all the listed features in the previous paragraphs.
  • Smartphone(200$): Here, we shall use any device, which supports LineageOS. LineageOS is an operating system for smartphones, tablet computers, and set-top boxes, based on Android with primarily free and open-source software. It is the successor to the custom ROM CyanogenMod, from which the devs forked it in December 2016. It offers a good level of privacy, including the complete removal of the Google Play Store for the most paranoid ones. Most of the devices officially supported are in the 200$ range.

With a total budget of around 1390$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. If you want to improve this setup further, you can add USB locks and hardware tokens. But, again, the improvement will not be much because, in case of hardware steal, hackers would have to break your TPM module, and the TPM modules are designed to resist this kind of attack.

To be continued