Analyst Rob Enderle has been writing a lot of columns recently dissing Linux and open source, but that's not the message I take away from those columns. The message I take away is that you can't solve security problems by installing a product.
Enderle makes the point explicitly in a series of colunns he's been writing for us about corporate security policies.
The current entry: You Are Your Worst Security Liability: While IT managers scramble to buy products to guard against external threats, they're ignoring the enemy within: Their own errors in setting up network security."
- Your Boss And Grumpy Co-Workers Are Your Worst Security Liabilities: Watch out for two-legged network security threats, including upper management who think the rules don't apply to them, and disgruntled employees, ex-employees, and soon-to-be-ex-employees.
- Your Employees Are Your Worst Security Liabilities: Your employees are probably more of a security liability than asset. And it's your hindquarters on the line. Analyst Rob Enderle provides tips and web resources on how to maximize your most valuable security defense: the two-legged kind.
Do you detect a theme here? I knew you could. You are college educated, after all.
Last week, we published an article by the prolific — and, apparently, suicidal — Mr. Enderle: Buying The Firefox Hype: Firefox is an untested, unproven, unsupported product. Users looking for an MSIE alternative should wait for Netscape's innovative new browser release.
Now, I'm an enthusiastic user of Firefox. Sure, the security is far better than Internet Explorer, but that's not why I use it. It's free, too, but that's not why I use it. I use it because it's the best, with tabbed browsing, extensions supporting mouse gestures and other features that make it far and away the slickest and most powerful tool for web browsing.
But, still, I am not an enterprise. Sure, I am a user of an enterprise network, but I am pretty much self-supporting. Nor do I provide tech support for anyone.
And that's Rob's point, and why I, ultimately, agree with Rob: It's a big job for an enterprise to change software, even if the software is free, and a relatively simple thing that the overwhelming majority of users will already know how to use, like a web browser. The new software needs to be tested; in particular, Firefox needs to be tested to ensure it will work with essential Web-based applications. (Hint: if the application requires ActiveX to run, the answer is "no.") It needs to be installed on every user's desktop. Some users will require support, and some will mess things up royally, and that requires support too. All of which requires staff time, which is another way of saying it costs money.
Rob makes a similar point in his new article, "You Are Your Own Security Liability." He lists Firefox and Linux as two of the biggest mistakes that security administrators make. Then he explains: actually, the mistakes aren't installing Firefox and Linux, they're installing that software thoughtlessly, without thinking through the implications. Firefox and Linux aren't the problems, the problem is thinking that security can be solved by products.
Rob has been an outspoken critic of Linux and open source. I wonder: if he wants to gets hate mail, wouldn't it be easier to just say mean things about Oprah?
P.S. In his most recent column, Rob casually mentions, "When I worked as a bodyguard.... " He's always letting these little bombshells drop about his colorful background, in casual discussion. I knew he worked in law enforcement, and had a military background, but had no idea he was once a bodyguard. In future columns, I expect to see things like: "When I was one of the stars of 'The Brady Bunch'.... " "When I played keyboard with the Rolling Stones at Altamont.... " "When I walked on the moon with Neil Armstrong.... "
Rob may have a colorful background, but so do I! I once worked at Taco Bell!
Mitch Wagner is editor of Security Pipeline.