Trusting Open Source for Production...

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

@scottalanmiller said:

@BRRABill said:

@scottalanmiller said:

Let's also compare MS Office to LibreOffice. I get every type of support for LibreOffice that you can get for MS Office plus more. Again, the real world examples hold up that open source encourages better and broader support options. Closed source just gives you... less.

I still have the "fear" that an open source product will just go away, where MS Office just won't.

Though since they decommission it, it might as well, right?

I don't follow. As we had discussed offline, open source cannot go away. It's literally impossible. The fear of going away is purely a closed source concern. You were confused about which was which when we were discussing this. Open source is the only means of protecting against the fear that you have. Commercial products that people are still using actually go away all of the time. Open source cannot. It is as simple as that.

A great example would be Office 2003. That software isn't supported or available for sale anymore. And while OpenOffice in it's old form isn't really there any more, it's been replaced by LibreOffice.

Not replaced. OO is still very modern and up to date and competes with LO. OO is developed by the Apache Group.

oh, did they catch back up? I know when someone else took over the project for a while it went south, which is why LibreOffice even exists. I was unaware they had returned to parity, or near parity.

LO split off many years ago when Oracle bought Sun and got OpenOffice with the purchase. Oracle was not maintaining it well and so a group split off to form LibreOffice to protect OO from Oracle. The two were and have been developed in parallel ever since. Oracle immediately realized what they had done and donated the OpenOffice project to the Apache group who have run it for a very long time now. OO and LO now compete but there is talk of merging them as they are ideologically aligned.

scottalanmiller

One of the examples that I had used about why closed source was risky... Microsoft used to have a couple different operating systems including DOS and Xenix. Both were closed source and both did not fit into the Microsoft "world view". Neither is available today, in any form. Just gone.

IBM, likewise, did the same thing with OS/2 which was an extremely popular operating system.

Also BeOS, an independent operating system was closed source and when the company failed the OS and the entire ecosystem collapsed as there was no way to update, patch or maintain the system.

Closed source encourages "dead ends" in code. And even the vendors you feel like you can trust, Microsoft, IBM, Google, etc. shut down projects and products all of the time. It's a very false sense of security to feel that MS will not stop making or supporting products that no longer make sense to their bottom line. MS is a business and supporting old software is extremely expensive. And often old software isn't just expensive to maintain but might actively compete with newer products (which is why Xenix was killed off.)

BRRABill

@scottalanmiller said:

For those wondering where TrueCrypt went, it is now VeraCrypt as was mentioned above. Because the owners accidentally let TC fall into the PD it became de facto open source and got picked up and maintained instantly and audits continued making it still one of the most secure, most audited encryption suites out there. The open source project is hosted by none other than Microsoft themselves on CodePlex.

https://veracrypt.codeplex.com/

Hey that looks just like TC.

scottalanmiller

Another great example... at NTG we were one of the first ten Microsoft Small Business Accounting customers, and the very first to work with SBA and ADP for payroll integration. We used every SBA version from the first to... the last. Microsoft killed it off. It only ever had about three releases. It was a good product, far better than QB which was the only competitor at the time. We invested heavily in it and were "all in" in the Microsoft ecosystem using the products that they recommend and we were left dead in the water with no accounting package.

Not only was this a mainline MS product, it was a core part of the MS Office family. Microsoft most certain kills off products and few could be as high profile and critical from a non-server perspective as killing off the accounting and financial member of their MS Office family! If they were willing to discontinue SBA suddenly, nothing is safe.

travisdh1

@BRRABill said:

@scottalanmiller said:

For those wondering where TrueCrypt went, it is now VeraCrypt as was mentioned above. Because the owners accidentally let TC fall into the PD it became de facto open source and got picked up and maintained instantly and audits continued making it still one of the most secure, most audited encryption suites out there. The open source project is hosted by none other than Microsoft themselves on CodePlex.

https://veracrypt.codeplex.com/

Hey that looks just like TC.

Mostly, it is. Some newer encryption options is about the only difference.

Dashrender

@travisdh1 said:

@BRRABill said:

@scottalanmiller said:

For those wondering where TrueCrypt went, it is now VeraCrypt as was mentioned above. Because the owners accidentally let TC fall into the PD it became de facto open source and got picked up and maintained instantly and audits continued making it still one of the most secure, most audited encryption suites out there. The open source project is hosted by none other than Microsoft themselves on CodePlex.

https://veracrypt.codeplex.com/

Hey that looks just like TC.

Mostly, it is. Some newer encryption options is about the only difference.

Does it support booting in UEFI based OSes yet?

travisdh1

@Dashrender

@Dashrender said:

@travisdh1 said:

@BRRABill said:

@scottalanmiller said:

For those wondering where TrueCrypt went, it is now VeraCrypt as was mentioned above. Because the owners accidentally let TC fall into the PD it became de facto open source and got picked up and maintained instantly and audits continued making it still one of the most secure, most audited encryption suites out there. The open source project is hosted by none other than Microsoft themselves on CodePlex.

https://veracrypt.codeplex.com/

Hey that looks just like TC.

Mostly, it is. Some newer encryption options is about the only difference.

Does it support booting in UEFI based OSes yet?

I don't think so, at least not yet. I'm not sure that they are trying to get a UEFI key from Microsoft or not.

scottalanmiller

I think that pretty typically people are using it on data partitions and not on boot ones. Keep all data secured in one place but not worrying about the OS itself.

scottalanmiller

I searched their site but found no reference to UEFI supported or otherwise.

Jason

I always thought TrueCrypt was for File Level encryption rather than FDE.

BRRABill

See in my craziness I like FDE because I'm always worried about what products leave behind.

Dashrender

@Jason said:

I always thought TrueCrypt was for File Level encryption rather than FDE.

TC supported FDE Through at least XP if not through 7. But I know it never supported Windows 8/8.1 etc.

scottalanmiller

What timing... Microsoft "pulls a TrueCrypt" with Windows 7. You thought it couldn't happen with Microsoft? It just did.

Remember, it is closed source that allows this to happen. Open Source is protected from this kind of thing.

http://www.forbes.com/sites/gordonkelly/2016/01/02/microsoft-windows-7-problems/

Dashrender

@scottalanmiller said:

What timing... Microsoft "pulls a TrueCrypt" with Windows 7. You thought it couldn't happen with Microsoft? It just did.

Remember, it is closed source that allows this to happen. Open Source is protected from this kind of thing.

http://www.forbes.com/sites/gordonkelly/2016/01/02/microsoft-windows-7-problems/

WHAT? I have to call BS @scottalanmiller. They did not pull a TrueCrypt. It's not like this morning we woke up to find a sign on MS.com that said - Windows 7 is not secure/trustable/whatever TC's site said the day the developers decided to get out of that game.

Is MS pushing people - users - to Windows 10, heck yeah they are, and they are shoving hard. But considering Windows XP, and how long it took the majority to move to Windows 7/8/8.1, can you blame them?

And in this situation, you have one similar to Linux - a free path to a new version. There isn't even any cost involved.

Of course that last part - we know that's BS, there's cost involved. Your time, internet bandwidth, your failout plan, etc... these things aren't free, even if they don't cost you dollars from your wallet, they cost you in other ways.

I'm guessing that OS X users in very high numbers upgrade to the latest version of OS X shortly after it comes out, otherwise I'm guessing Apple would find some way to force them to move or remain unsupported to minimize their support requirements.

Look at the number of Android 2.x devices that are still out in the world that will NEVER be updated, yet are vulnerable to attack. It's basically another platform akin to Windows XP non SP, or SP1 that just became virus spewing monsters

Yes we as a society are being shoved forward, but frankly I don't have an issue with this.

scottalanmiller

@Dashrender said:

WHAT? I have to call BS @scottalanmiller. They did not pull a TrueCrypt. It's not like this morning we woke up to find a sign on MS.com that said - Windows 7 is not secure/trustable/whatever TC's site said the day the developers decided to get out of that game.

What TC did was make crazy claims that their software was insecure in the hopes that people would move to a different product (we don't know who encouraged them to do this or what their agenda was but it was totally obvious what happened) based on a lack of adequate ongoing code updates for things that had not yet been discovered.

That's exactly what MS did here, right? Exactly. Except that in the MS case we know which product they are doing this to promote rather than having to guess.

TC was not insecure. Nor is Windows 7. In both cases, the vendors claimed that they were vulnerable due to a lack of future patches or updates or technologies for issues not yet arisen.

I see them as completely the same. In what way to they differ other than the trivial fact that MS has to provide "support" but that is very limited and does not cover most security concerns and that TC fell to public domain and was able to be supported and the entire concern bypassed? That makes TC the lesser of the two problems here, in reality.

scottalanmiller

@Dashrender said:

Is MS pushing people - users - to Windows 10, heck yeah they are, and they are shoving hard. But considering Windows XP, and how long it took the majority to move to Windows 7/8/8.1, can you blame them?

Is that any different than TC? We don't know what product they were pushing people to, but clearly they were hoping that their customers would go somewhere.

Dashrender

A major difference is that MS is giving you a place to go, and that place is free. TC didn't even make a suggestion, instead they just said that the code might be unsafe, and they up and slip in a second!

MS put the word out (though frankly not good enough in my mind) that the end of security updates was coming for Windows XP, yet people didn't move away - at least not quickly.

The move to Windows 10 looks to be more like a move to iOS - assuming your hardware will support it, you'll get updates forever.

Which brings to mind - how does Apple handle iPhone Gen 1 products? Can you update to iOS 9? I recently read that there is or might be a lawsuit against Apple claiming that Apple intensionally puts in code to make iOS 9 run slower on older hardware to hopefully force people to buy new hardware - is this true?

I'm not sure about you, or the other readers here, but I'm a bit afraid of old hardware staying online, being yet another device that can be powned and used as an attacker on the web.

Short of moving to a subscription based solution, I'm not sure how we solve this problem. I can't imagine that people want to be forced into a hardware refresh requirement though subscription fees and of course new hardware will come with the latest and greatest software - but hell, it's happening with O365, and streaming music, etc. As a society we are moving away from owning things and moving toward a rental type setup. Sure there are many things that you still buy (Scott's million and one games, and movies on Vudu, etc) but renting seems to be the wave of the future.

Though with rentals - if the musicians and their publishers are to be believed, the creators barely make anything on these deals. So who knows.

scottalanmiller

@Dashrender said:

A major difference is that MS is giving you a place to go, and that place is free. TC didn't even make a suggestion, instead they just said that the code might be unsafe, and they up and slip in a second!

But there were places to go, including free ones and including their own code which was then maintained by others. It seems a pretty trivial difference to use "they told us the alternative" as the difference in the behaviour.

scottalanmiller

@Dashrender said:

MS put the word out (though frankly not good enough in my mind) that the end of security updates was coming for Windows XP, yet people didn't move away - at least not quickly.

And that's all that TC did, too. Just a bit more dramatically acting like the end of official updates was a big deal when, in fact, it was not, because updated ended up still coming and an audit showed no update was needed.

I don't see how the history behind XP is relevant. That their warnings went unheeded is a different issue. This is about calling something currently well maintained "insecure" based on a theoretical, future loss of support.

scottalanmiller

@Dashrender said:

Which brings to mind - how does Apple handle iPhone Gen 1 products? Can you update to iOS 9? I recently read that there is or might be a lawsuit against Apple claiming that Apple intensionally puts in code to make iOS 9 run slower on older hardware to hopefully force people to buy new hardware - is this true?

Gen 1 stops around iOS 5 or 6. I know you can't install 7. It's not slow, it just doesn't even install. Can't remember if it was 5 or 6 which was the last version, but pretty sure it was actually 5. They stopped updating a long time ago.

OS vendors have made OSes bloated in the closed source space for a very long time as an incentive to sell new hardware. That's been a standard tactic. It doesn't require anything special, just no effort to clean up and be really efficient. It's a dangerous tactic that left closed source OSes dangerously exposed to leaner open source options.

This is why people feel like each version of Windows must be slower than the one before even though every OS since Windows 7 has been faster than the one before. Microsoft had to chance tack and work like Linux getting more efficient with each release rather than less. But from Windows 1 through Windows ME and Windows NT 3.1 through Windows Vista, each version had always gotten slower.