Linux.com

Feature: Security

McAfee's new security journal: Sage is not sage

By Joe Barr on July 17, 2006 (8:00:00 AM)


Commentary: The first issue of Sage, a new security journal published by McAfee's Avert Labs, appears today and is available for download as a PDF from the McAfee Web site. Dave Marcus, Security Research and Communications Manager for McAfee's Avert Labs, briefed NewsForge on the publication's launch, goals, and the content of the initial issue last week. In that briefing, Marcus admitted there were some "controversial" opinions contained in the inaugural issue, but said they were not attempts to create FUD about open source. I've since had a chance to review the first issue and have my own opinion about that.

Three things are made clear in the first issue: First, there is a financial motivation to today's malware, which should be obvious already. Second, McAfee Avert Labs thinks full disclosure is a bad idea. Finally, and unfortunately, the Sage editorial staff feels it is okay to conflate open source software development with the security problems that plague the world of proprietary software.

How can they do that? Well, by redefining the meaning of open source, for one thing. In the Editor's Note at the front of the issue, Kevin J. Soo Hoo explains his take on open source:

In this issue, we examine the darker side of open source. By open source, we refer to the free and unconditional sharing of source code and ideas. We look at how the social norms and tools of the open-source movement have been usurped by the malware-writing community and applied to the development of ever-more dangerous and virulent creations.

Sounds a bit like Humpty Dumpty, to me. Remember the famous line from "Through the Looking Glass" by Lewis Carroll? Humpty Dumpty tells Alice, "When I use a word, it means what I choose it to mean." Kevin J. Soo Hoo claims the same privilege by redefining open source.

But it is a useful literary technique. At least it is if your goal is to vilify open source in order to create a straw man to set upon, rather than face the core issues at the heart of the plethora of plagues which visit ordinary computer users around the globe. Especially if said condition creates and perpetuates the very reason for your existence.

I am not hammering on a minor point, an inconsequential observation. The redefinition of the term allows the Sage editors to say things like:

Belief in the open source philosophy approaches an almost religious zeal in its most ardent proponents. However, like any powerful tool, open source can also be used for malicious purposes, particularly in security. Whether posting a terrorist training manual or a how-to guide for attacking infrastructure, there are consequences to the free and open sharing of information -- especially in the realm of computer and network security, where the desirable degree of openness in the sharing of vulnerability and threat information and the role of open source in the production of malware are significant points of contention.

Under that editorial umbrella, writers like Michael Davis are free to assert that the key differences between traditional and open source development include:

  • Features are specified and decided by the same people writing the code
  • Contributors choose the features or bugs they want to fix. No work is assigned by a manager
  • No direct roles are assigned to contributors. No one is necessarily dedicated to quality assurance or a certain area of the code base
  • No project plan, milestones, or deliverables are set. Releases are ad hoc and normally initiated by new features and bug fixes

While some items in the list above are true for some open source projects, none of them are universally true for open source or free software. IBM, Oracle, Hewlett-Packard, and many other global IT firms pay and manage developers who are producing open source code for projects such as Apache, the Linux kernel, and journaling file systems, using traditional management techniques for planning, architecture, design, and test. Some projects, such as GNOME, take up some traditional management techniques and set milestones on their own; Davis either doesn't know enough about open source projects to actually be discussing the topic, or he's deliberately painting open source as amateurish. You decide.

Marcus explained in the briefing last week that while some things in Sage might invite controversy and/or criticism, a more careful reading of the text would reveal that Sage was not actually spreading FUD. He may have been referring, among other things, to the inflammatory titles and secondary titles used throughout the issue.

The cover page, for example, includes the phrase "Paying a price for the open-source advantage." The secondary title to an article called "Money Changes Everything" is "Malware authors leverage open-source model for profit." Another story is called "Open-Source Software in Windows Rootkits," and another asks "Is Open Source Really So Open?" The title of the final piece is "Will the Worm kill Apple?"

One thing -- perhaps the only thing -- I believe that Sage has gotten right is that open source methodology has improved both the quality and the time-to-market metrics for malware, just as it has for traditional software applications.

If you are a typical Windows user, un- or ill-informed about what free software and open source are all about, you'll probably lap up Sage because its deceptions go right over your head and it allows you to feel warm and fuzzy about using proprietary software like Windows and McAfee products instead of that evil open source, or even the hybrid evil of Mac OS X. I'm sure the Windows trade press and Microsoft's public relations folks will like it, too. Watch for selective quotes from Sage appearing on Microsoft.com or in Microsoft ads in the near future.

But if you are knowledgeable about open source software, or the debate over full-disclosure in the world of computer security, you'll find Sage one-sided and lacking in substance. Open source is the least of Microsoft's security problems. McAfee's business model depends upon that teeming cesspool of insecurity, however, so it shies away from the real issues and fundamental causes. McAfee wants to address those issues in the same way the pharmaceutical firms want to see the threat of AIDS disappear.

In this first issue, Sage goes beyond simple disingenuousness and attempts to frame open source as the fall guy for all the ills wrought by malware. Glib? Certainly. Superficial? Beyond question. Sage? No.


Comments on McAfee's new security journal: Sage is not sage


Mcafee's Sage

Posted by: Anonymous Coward on July 17, 2006 08:52 PM
You tip over a rock and you find wiggly things scurrying away. This Sage article and the quotes are etched in my memory. I will never advocate use of their products again. Who could trust those who hold such stupid opinions? The world is using FOSS tools to write software, Mcafee! Open-source is the way to write better software faster whether the purposes of the writer are good or evil. I attempted to read their download but was put off by having to disclose anything to them. I do not trust them enough for that, just based on their own headline: "Paying a Price for the Open Source Advantage

McAfee Avert Labs debuts new security journal. The premier issue examines the role of open source in malware development."

:Begin Heavy Sarcasm: Yes, if I were starting a security journal, I would go off on a tangent instead of facing the fact that Microsoft is in league with the malware writers by creating insecure software and systems and refusing to change. :End Heavy Sarcasm: What pathetic FUD!

#

Re:Mcafee's Sage

Posted by: Anonymous Coward on July 17, 2006 10:46 PM
"In this issue, we examine the darker side of open source."

So by this logic, if we ban Open Source and its methodologies the virus/malware infestation would disappear. Or is it that Mcafee is so scared that its Vindows gravy train is disappearing that it's talking up some FUD in the customers.

Mcafee: Please stay with Vindows so we can keep on endlessly selling you security fixes.

#

I lied shamelessly...

Posted by: Anonymous Coward on July 18, 2006 10:37 AM
I claimed to be Noname Nameless, Chief Privacy Officer for CSIS (aka the Canadian Security Intelligence Service).

You would think that a purveyor of security products would know better than to REQUIRE personal info from prospective customers; I didn't even waste time clicking on their privacy-policy link -- I'd already lost faith in the aforesaid policy's relevance or trustworthiness. I guess that goes to show that contempt does breed contempt.

#

Transparency

Posted by: SarsSmarz on July 17, 2006 11:36 PM
If Transparency International were to rate this whole business of closed software security, it would probably be on par with Nigeria. You can never actually prove corruption, but you can map the conditions for it to thrive.

Deep, dark things exist in this world, including the benefits MS gets from neglecting security, and the money that rolls in for the virus companies every time somebody figures out a new exploit. Big money, dark places, all contribute to a very low rating. Of course, all these people are perfectly innocent!

#

Re:Transparency

Posted by: Anonymous Coward on July 28, 2006 02:31 AM
.... it would probably be on par with Nigeria

Perhaps you should learn the basic art of public speaking/writing if you need for your opinions to be taken seriously. You just distracted from the substance of your contribution by opening your statement with this gross stereotype. The article under discussion addresses an attempt to erroneously tarnish a certain entity (Open Source) and your contribution in defense of the said article opens with a broad brush painting a whole country and its people with tar - needlessly and unjustifiably so, if I may say.

If you were not so daft and bigoted, you'd have omitted that reference and, perhaps, one would have been tempted to actually read what you have to say. Now, if you truly know that that particular country is more corrupt than, say, the shining beacon of probity called, oh.. I don't know... the US of A, I'd like to read the facts and figures - as long as you are not pulling them from the posterior.

Something tells me that you have no such facts, and that your opening statement was nothing but an infantile perpetuation of a stereotype, FUD, and blatant dis-information - the same thing this article was aiming to bat down.

#

9 out of ten...

Posted by: Anonymous Coward on July 18, 2006 01:51 AM
Sage is yet another chapter in the never-ending barrage of the "experts know best" advertising. By masking the advert as a journal it begs "trust us, we are the experts" and "we know what's best". M.F. profits off of viruses (like M$); that's a pretty slippery way to make a living, preying on the weak and uneducated. Why should we trust their "experts"? Luckily they have answered the question for us. By attempting to redefine "OSS" they have in fact successfully redefined the term "expert". lol

#

Smear tactics

Posted by: Anonymous Coward on July 18, 2006 02:05 AM

Two and a half years ago--

On January 29th, 2004, TechNewsWorld published an article by Jay Lyman, "MyDoom.B Variant Spreads, Blocks Access to Security Updates" (http://www.technewsworld.com/story/32723.html). That article quoted McAfee Avert virus research manager Craig Schmugar:

Schmugar said the fact that both MyDoom.A and the MyDoom.B variant can be set to send spam indicates a financial motive.

"Somebody's getting paid to do this," Schmugar said.

Despite this statement from a McAfee manager, another McAfee employee told a different story.

A week later, on February 5, 2005, the UK publication The Guardian, in "Anatomy of a virus" (http://technology.guardian.co.uk/online/security/story/0,,1144137,00.html), quoted Jack Clark, a technology consultant at McAfee Associates:

"Whoever wrote MyDoom is definitely a Linux fan."

That's a pretty unequivocal statement from McAfee's employee. Further, it appears that he was speaking on behalf of McAfee in the UK's popular press.

Fast forward to now--

This latest smear that Joe Barr reports on here is hidden behind McAfee's registration wall. I just don't really care enough to read it... unless it's actionable libel.

#

Reminds me of Mass. OpenDocument resistance

Posted by: Anonymous Coward on July 20, 2006 12:27 AM
Just about everybody who has posted here to date seems to recognize this McAfee "paper" for what it is...a FUD tool to bolster their protection-racket business. Back in the day, I used to use their products. Today, I use GNU/Linux and so do not need their "protection services" any longer. If GNU/Linux, which is both Free Software and Open Source, seriously takes off on the desktop, their product won't be as needed anymore.

This is, I believe, eerily similar to what is happening in Massachusetts with OpenDocument. Marc Pacheco, a particularly nasty state senator in Massachusetts, just released a report from some commission that he was heading to investigate the state Executive branch's OpenDocument plan. I have read Pacheco's "report". It is full of invective and borders on personal attacks, especially against Eric Kriss and Peter Quinn. Of course, he's been careful not to reveal any direct ties to Microsoft, but the language that he has generally used to try to blast OpenDocument just happens to be the same language that Microsoft and their allies use. Fortunately, Gov. Mitt Romney told Pacheco where to stuff it.

The only reason people like Pacheco do this is the exact same reason why McAfee wrote their anti-open source "paper". They're somehow getting paid. Either it's directly, or it's campaign contributions, or their in-law's/nephew's/niece's business gets a nice, fat contract, or something like that.

#

screaming with dung smeared grin

Posted by: Anonymous Coward on July 18, 2006 03:01 AM
I'd rather smear elephant dung over my entire body and take a hot air balloon into the night sky with tin foil on the outside and rely on it to protect me from danger than trust any McAfee product.

#

Re:screaming with dung smeared grin

Posted by: Anonymous Coward on July 18, 2006 12:31 PM
You're quite easy, aren't you? :-)

Question A: WHO PROFITS FROM VIRUSES?

Question B: WHO WRITES THESE VIRUSES?

A=B

#

So What?

Posted by: Anonymous Coward on July 18, 2006 11:21 PM
I am baffled as to how we are meant to react to this revelation. "So what?" is my reaction. People involved in writing software, unless it is for an entirely solo project, are bound to share source code in order to make the different modules work together. Within the walls of Microsoft the developers must see each other's code, and indeed within McAfee. That is nothing to do with the OSS ethic, that is just a practical consideration. I haven't read TFA (did not want to fill their form) but if they are saying that malware source code is put on public facing web sites then that would seem to weaken the malware's effect - in that security specialists (like McAfee) can see for example when time bombs are due to go off and whether there is a simple way to disable the malware.

#

Re:So What?

Posted by: Joe Klemmer on July 20, 2006 02:15 AM
This isn't a "so what" kind of thing. I'm too tired and sick to try and educate you on why, unfortunately. Luckily many, many others have explained it in terms that anyone can understand. However, a quick analogy might help.

If everyone was told that you were a thief and liar, is that a "so what" situation, too?

#

Advert Labs?

Posted by: Anonymous Coward on July 19, 2006 01:14 AM
Every time I saw the phrase "McAfee's Avert Labs", I misread it as "McAfee's Advert Labs". Or maybe I didn't misread it, maybe I'm reading between the lines...

#

Title

Posted by: Anonymous Coward on July 19, 2006 06:07 AM
On top of the other problems, how on earth could they choose Sage as a title? The term is already used by many others, like USENIX (http://sageweb.sage.org/), an accounting software maker (http://www.sagesoftware.com/), a publisher (http://online.sagepub.com/), etc. (http://www.sageworld.com/).

Go to http://tess2.uspto.gov/bin/gate.exe?f=login&p_lang=english&p_d=trmk and enter '(sage)[COMB] AND ("016"[IC] OR "042"[IC])' as a Free Form search for many, many more.

Vance

#
