<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; OpenSource</title>
	<atom:link href="http://www.halbheer.ch/security/tag/opensource/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Wed, 16 May 2012 18:03:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>I sold my soul to Google, can I get it back?</title>
		<link>http://www.halbheer.ch/security/2010/12/13/i-sold-my-soul-to-google-can-i-get-it-back/</link>
		<comments>http://www.halbheer.ch/security/2010/12/13/i-sold-my-soul-to-google-can-i-get-it-back/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 08:45:01 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Freedom of Speech]]></category>
		<category><![CDATA[OpenSource]]></category>
		<category><![CDATA[Search]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/12/13/i-sold-my-soul-to-google-can-i-get-it-back</guid>
		<description><![CDATA[<p>Well, this question was not asked by me but by a guy called Joe Wilcox on Betanews: I sold my soul to Google, can I get it back?. He raises a few points I never really thought of:</p> <p>While the organizations all charge something, not one puts content behind a true paywall. To do so <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/12/13/i-sold-my-soul-to-google-can-i-get-it-back/">I sold my soul to Google, can I get it back?</a></span>]]></description>
			<content:encoded><![CDATA[<p>Well, this question was not asked by me but by a guy called <a href="http://www.betanews.com/author/joewilcox">Joe Wilcox</a> on Betanews: <a href="http://www.betanews.com/joewilcox/article/I-sold-my-soul-to-Google-can-I-get-it-back/1291225210" target="_blank">I sold my soul to Google, can I get it back?</a>. He raises a few points I never really thought of:</p>
<blockquote><p>While the organizations all charge something, not one puts content behind a true paywall. To do so would prevent Google search bots from indexing the content.</p></blockquote>
<p>So, basically the way search engines work (and this is not limited to Google I guess), limits the way you can drive business models – obvious but I never looked at it that way. The challenge is how do you balance “free” with still earning money? Joe quoted an Open Letter by Bill from 1976:</p>
<blockquote><p>Most of you steal your software&#8230;One thing you do do is prevent good software from being written. Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free?</p></blockquote>
<p>To be fair: Even though I love my job, I do not work for free – I expect Microsoft to pay me for the work I do – and so far they keep doing it.</p>
<p>The conclusion is:</p>
<blockquote><p>Google&#8217;s free worldview and business approach is fundamentally changing the value of content and other intellectual property produced at cost. I&#8217;ll end with this question: Should people be paid for things they produce?</p></blockquote>
<p>It is actually an interesting philosophical debate to look at – something which should be discussed without the usual emotions but on a factual basis.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/12/13/i-sold-my-soul-to-google-can-i-get-it-back/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Support and OpenSource</title>
		<link>http://www.halbheer.ch/security/2010/09/28/support-and-opensource/</link>
		<comments>http://www.halbheer.ch/security/2010/09/28/support-and-opensource/#comments</comments>
		<pubDate>Tue, 28 Sep 2010 07:04:18 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[OpenSource]]></category>
		<category><![CDATA[Support]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/28/support-and-opensource</guid>
		<description><![CDATA[I know that I am not an OpenSource expert and to be completely clear: I do not want to complain at all but I would definitely think whether I would bet my company’s business processes on it… Let me give you my story <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/09/28/support-and-opensource/">Support and OpenSource</a></span>]]></description>
			<content:encoded><![CDATA[<p>I know that I am not an OpenSource expert and to be completely clear: I do not want to complain at all but I would definitely think whether I would bet my company’s business processes on it… Let me give you my story:</p>
<p>March this year I migrated my blog from a SharePoint based solution to an OpenSource solution and never ever regretted it. I actually enjoy it. I described the whole migration here: <a href="http://www.halbheer.info/security/2010/03/06/migrating-my-blog" target="_blank">Migrating My Blog</a>. I enjoy all the different possibilities WordPress is giving me and by running on Windows Server 2008 R2, I am easily able to operate it.</p>
<p>So far, so really good – but… I now wanted to upgrade PHP to the latest version and I failed. I installed it, made sure that the php.ini file is back in place, restarted the machine and:<br /><a href="http://www.halbheer.ch/security/wp-content/uploads/2010/09/image1.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://www.halbheer.ch/security/wp-content/uploads/2010/09/image_thumb1.png" width="727" height="165"></a></p>
<p>Since then I tried everything: Removing all my plug-ins, trying to look at the PHP log (which was accidentally switched on, grew tremendously but when I needed it, nothing was written in there) etc. etc. – no success. Luckily, I run my blog in a Hyper-V environment, which allows me to take a Snapshot and then fall back to a configuration I know works.</p>
<p>I started to post in the wordpress.org forum and did not get any response so far.</p>
<p>So, honestly, for my blog it is ok and as I said above, I do not want to complain as I did not pay for it and it is really cool stuff! But it is not business critical (even though I see a fair amount of hits every day – thanks to you all) but if I would have to run my business on it, there are two options: Either I hire a team, which has in-depth knowledge of the stuff or I just hope (which is probably not a good option for a business).</p>
<p>I am just a little bit frustrated. At the moment I am back to the working environment and will take another try, once I find some time to drill down further (or get a good idea from the community).</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/09/28/support-and-opensource/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Open Source and Hackers</title>
		<link>http://www.halbheer.ch/security/2010/06/09/open-source-and-hackers/</link>
		<comments>http://www.halbheer.ch/security/2010/06/09/open-source-and-hackers/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 11:45:32 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[OpenSource]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1543</guid>
		<description><![CDATA[<p>The debate is probably as old as the Open Source software development model: Which one is more secure: Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about that, which I do not want to as I do not really believe in the <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/06/09/open-source-and-hackers/">Open Source and Hackers</a></span>]]></description>
			<content:encoded><![CDATA[<p>The debate is probably as old as the Open Source software development model: Which one is more secure: Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about that, which I do not want to as I do not really believe in the value of such debate.</p>
<p>However, it is always interesting to see who is looking how at this debate. Does it help security if everyone can see the code or does it help the attackers? We have a program which we call <a href="http://www.microsoft.com/resources/sharedsource/gsp.mspx" target="_blank">Government Security Program</a>, giving governments under certain circumstances (e.g. protection of intellectual property) access to our source. Sometimes we have the debate with government officials whether having access to the code could allow an attacking government to get an advantage in the area of cyberwar or cyber espionage. Looking at that debate, OpenSource would even be worse as it means access for everybody.</p>
<p>Now, I just read this article: <a href="http://www.technologyreview.com/computing/25480/?a=f" target="_blank">Open-Source Could Mean an Open Door for Hackers</a>. It is about a paper looking at data from Intrusion Detection Systems and their finding is that <em>flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software. </em>An interesting statement in the light that we know that there are more vulns in OpenSource software than in shared source and fairly often it is because of the lack of processes enforced to engineer security into the product from the beginning.</p>
<p>Another thing which is important to me is <em>&#8220;As defenders get out their patches, the attackers have more incentive to move on to a different exploit,&#8221; Ransbotham </em>[the author of the paper] <em>says. </em>In other words, having a strong incident response (besides the engineering process) is at least as important.</p>
<p>This should be something the industry adopts. We made our engineering process called <a href="http://www.microsoft.com/security/sdl/default.aspx" target="_blank">Security Development Lifecycle</a> public and I think our incident response is widely known as well as being a best practice. So, something people should finally come to adopt.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/06/09/open-source-and-hackers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Migrating My Blog</title>
		<link>http://www.halbheer.ch/security/2010/03/06/migrating-my-blog/</link>
		<comments>http://www.halbheer.ch/security/2010/03/06/migrating-my-blog/#comments</comments>
		<pubDate>Sat, 06 Mar 2010 14:54:56 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[Codeplex]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Hyper-V]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Novell]]></category>
		<category><![CDATA[OpenSource]]></category>
		<category><![CDATA[SharePoint]]></category>
		<category><![CDATA[SUSE]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/06/migrating-my-blog</guid>
		<description><![CDATA[<p>If you are a regular reader of my blog, you might have been surprised today – but yes, it is still my blog </p> <p>From time to time I am looking into different ways of doing things. I ran my blog until now on SharePoint 2007 and an extension I found on Codeplex, which is <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/03/06/migrating-my-blog/">Migrating My Blog</a></span>]]></description>
			<content:encoded><![CDATA[<p>If you are a regular reader of my blog, you might have been surprised today – <strong>but yes, it is still my blog <img src='http://www.halbheer.ch/security/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </strong></p>
<p>From time to time I am looking into different ways of doing things. I ran my blog until now on SharePoint 2007 and an extension I found on Codeplex, which is part of the <a href="http://cks.codeplex.com/" target="_blank">Community Kit for SharePoint</a> called <a href="http://cks.codeplex.com/wikipage?title=Enhanced%20Blog%20Edition&amp;referringTitle=Home" target="_blank">Enhanced Blog Edition</a>. The reason for that was that I did not like the blog offered by SharePoint natively. </p>
<p>Now, I wanted to do a real revolutionary thing – for a Microsoftie <img src='http://www.halbheer.ch/security/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> : I wanted to migrate the blog to a Linux server with OpenSource software. I have to admit I failed. I started to play with the SUSE Enterprise Server (remember, we have a partnership with Novell). I set it up on my Hyper-V and it worked fairly soon without too many problems. The problems came as a Microsoftie wanted to add what is needed to run a blog and integrate the SUSE Server into Active Directory. I just gave up after spending a couple of hours and rolled back my plan – at least for the OS. </p>
<p>So, I decided to install Windows Server 2008 R2 and from there on wanted to experience the OpenSource side. Now, the blog runs on Windows Server 2008 R2, PHP, MySQL and WordPress. Until now, I really like WordPress as it gives me a lot of flexibility with all the PlugIns – more than I actually need. The only real hassle I had was the migration of the blog posts but finally even that worked….</p>
<p>So, for you nothing should change. Basically even the RSS-feed should still work even though the default feed now has a new URL but I used URL Rewriter to map.</p>
<p>So, if you experience any issue, please get in touch with me (see the About page).</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/03/06/migrating-my-blog/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

