Roadside (Internet) Security

I’m not quite sure of the marketing angle here. I’ve seen power pole posters used to “buy a 4 bedroom homes with quick transaction!”, “lose 30kgs in 4 weeks”, and promote “swedish tribute band – BAABAA”.

But trying to flog Windows anti-virus software from the roadside is a first. Maybe they’re trying to home in on a niche customer base that I am not aware of. I have to admit that I am dubious of the integrity of software that is bought from someone who advertises with hand-painted posters as if it is a garage sale. Maybe it is all legit, though I have my doubts when the recommended retail price at Symantec is $99.99 and this can be had for a bargain at $30. I imagine Symantec don’t normally offer such deep discounts to their resellers. (And I am also assuming that this guy isn’t just selling a one-off unwanted licence.)

Disclaimer: I have not contacted the seller, hence I am only giving my opinion on this advertisement. If you do follow through and make a purchase from them, don’t hold me responsible as to the software’s efficacy or otherwise.

Selling Norton Internet Security from a power pole - Victoria Rd, Ermington

Chief Illogical Officer?

Sometimes you would have to wonder whether logic totally escapes CIOs. In an article commenting on The Australian Open Source Industry and Community Report 2008, prepared by Waugh Partners, ZDNet put out a piece entitled “Open source barred from Australian government”. What I found particularly curious was a comment from the CIO of the Australian Tax Office, Bill Gibson. In it, he says that he “is concerned that open source software could not be as easily scrutinised as proprietary software”. This is probably a paraphrase from an earlier published interview by ZDNet where he is quoted as saying – “We are very, very focused on security and privacy and the obligations that we have as an agency to ensure that we protect those rights of citizens’ information in that respect. So, we’ve continued to have concerns about the security related aspects around open source products. We would probably need to make sure that we will be very comfortable — through some form of technical scrutiny — of what is inside such a product so that there was nothing unforeseen there.”

So how does he “scrutinise” proprietary software? I guess at best you might be able to get to see the source code, but the licence to see it is usually going to be under an NDA, and it is unlikely that one organisation is really going to have the skills and resources to examine all the code. And even then there are going to be dependent libraries for which you may not be able to get source code access. But in most cases, you will only be able to see your software as a black box. If you do perform security analysis, you will always be limited in what you can test in this case. I just don’t see how, with a black box, you can successfully search out all the nooks and crannies with a high level of confidence.

Only with the source code open to you, and the “many eyes” out there, do you have the opportunity to truly scrutinise the code. You are then also able to create and receive patches for any vulnerabilities found. Clearly the bad guys have a similar opportunity to review the source, but the evidence overwhelmingly supports the idea that open source is inherently less likely to have hidden security flaws and is able to react to unforeseen attacks with greater rapidity.

I would be really interested to find out who Bill Gibson has been taking advice from on software security.