Tuesday, April 23, 2013

8 reasons to choose commercial library instead of open-source one

This article has been written with security in mind and is about security of your business and of software development in general. 


Open-source software (i.e. software offered under free licenses with freely accessible source code) gains popularity day by day. The reason is obvious – falling prices for end-user software make it harder to invest cash in software development up front. And for in-house development, tighter IT budgets push programmers towards code snippets of unknown quality.

However, while open-source libraries and code snippets seem to have zero initial cost, they start to consume resources later, during the life cycle of your software. And commercial libraries can offer more than you might think.

I will focus on professionally developed commercial solutions: putting a price tag on a piece of code doesn't magically turn it into an industry-level commercial product. A commercial library must be evaluated thoroughly to answer the question of how professional it is. Not everything with a price tag is good, that's obvious. But if it's commercial, chances are good that you will get the things missing from open-source offerings.
Let's review what exactly commercial software (and specifically component and class libraries for software developers) can offer, and then discuss objections and counter-objections.

Read more on CodeProject.com

And as promised, my reason #8:


Investment in future 

The “save tomorrow for tomorrow, think about today instead” mantra has brought humanity to the edge of ecological catastrophe. Apple's bias towards end-users (which is just a cloak for the desire to sell more hardware) has hurt the whole software industry badly. People are used to paying 0 to 1 dollar for software and then ask “What? Do I have to pay another $0.99 for a new version of the software title that I've been using for 3 years? Are you insane?”. That attitude poisons the industry and slows down innovation. For some time the race for the top places in the App Store and Play Store will make developers invest their time and resources into software titles, but calculations and studies show that this race is more of a lottery, with little chance for small developers to succeed.

Paying for software, and motivating users to pay as well, builds a culture of software consumption that will let the ISV industry, and especially small vendors, continue to innovate in the future with adequate budgets.

Finally, if you don't pay for the books you read, writers will stop writing and there will be no new literature to read. If nobody pays for software now, there will be no skilled vendors in 5-10 years and no good and sophisticated software. Unlike musicians, software vendors can't give software away for free and make a living doing something else – that's not a viable business model. So they will simply go out of business, and the world will be full of open-source stuff, unsupported and of unknown quality.

Tuesday, April 9, 2013

Advertising and sanity

While not directly related to IT security or crypto, this topic also applies to all businesses in the IT security field.

I was looking to place an advertisement for our security-related product for developers on a certain well-known site for developers. Target market, you know (well, kind of). However, the approach to business used by this site shocked me. In 2013 they still offer only banner advertising on a pay-per-view basis (and they are not alone in this mistake, BTW).

We all know that banners don't work, as they are blocked by ad blockers, which nowadays are built into browsers. A CTR of 0.01% (yes, one click per 10K views) is a common result, for multiple reasons. So pay-per-view banner advertising just doesn't pay off for advertisers. $3000 per sale generated by such advertising is far beyond common sense.

As the ads don't work, this site doesn't seem to get many advertisers. And what do they do? Instead of exploring other ways to monetize the site, instead of providing context-based or audience-based ads (including text and video ads), they... sky-rocket prices and set minimum spending limits, trying to squeeze income from the few remaining advertisers.

And I could understand it if they were a site for a paying audience that really generates good sales. On the contrary, this is a site devoted and biased towards lovers of free lunch and open-source.

One could say that instead of writing this I should go and find some other place to advertise and stop complaining. Well, yes, and that's what I am doing. But I want to draw everyone's attention to inadequate business decisions made by some web sites, and how those decisions lead to a lose-lose situation.

Friday, August 17, 2012

About utter incompetence of malware "analysts" and journalists

Prerequisites: 

We have a software product named RawDisk. This is a kernel-mode driver which is used to perform several security-sensitive operations regarding sector-level access to disks, for both reading and writing. In particular it can be used to write filesystem internal structures, including the MBR itself. Uses of such a driver are numerous - from searching across the disk to disk optimization to backups of locked files and more. The driver is signed with a code signing certificate. Our customers embed the driver in their software. We perform a certain inspection of the customer base, i.e. we would not sell the product to individuals or to customers with no clear identification (without an address, phone etc). This is done to prevent misuse of the driver. Also, the driver can be bound to particular EXE file names to further hinder misuse.

Story:

Some unidentified script kiddies have crafted malware which wipes the victim's disks. To do the actual wiping they used our driver, probably stolen from some of our clients' software (I am omitting the copy control technical details here for security).

The malware was discovered by several security companies. Only two of them, McAfee and Symantec, properly identified the driver as having been stolen from legitimate software. Kaspersky Labs and several other wanna-be specialists from other companies concluded that those script kiddies managed to create the driver and sign it using a "stolen private cryptographic key of EldoS Corporation", which is complete bullshit that misleads people and takes the analysis in the wrong direction of searching for kernel-mode developers (though script kiddies are most likely not capable of creating kernel-mode code).

Now some journalists have copy-pasted the above-mentioned bullshit into their articles, without checking.

NONE of the above security companies contacted us to cooperate in identifying the source of the signature and/or the driver. NOBODY bothered to contact us about the possibly stolen private key. NO journalist requested additional information or comments from us. Moreover, the analysts from McAfee, who sent us a brief note about the malware, never responded to our offer to find out where the driver had leaked from.

I claim this to be utter incompetence on the part of those "security specialists" and journalists. And when you decide to buy some "security software" to protect your computer, think about whether you can trust people who don't want to find the root of the problem, who are not interested in the details of the case and who don't really stand for security.

Tuesday, December 13, 2011

Pros losing confidence in hard tokens

I was always a proponent of hardware security devices because they are hard to copy or to steal undetected. The human factor, though, seems to play the biggest role in this form of authentication as well, and here's why:

Pros losing confidence in hard tokens

I should note that a hardware token such as an OTP generator is no security by itself: the code it displays only proves possession of the token. Such devices must be password- or PIN-protected, so that if the device is lost it becomes useless. PKCS#11 devices (USB cryptotokens and cryptocards) include such protection on board (the PIN is checked by the device itself, and repeated wrong attempts typically lock it), and probably this is why they are not mentioned in that article. Simple access control devices such as pass cards don't have sufficient protection, though. And this can lead to lowered confidence in all types of devices, including strongly protected ones.
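To make the "token alone is no security" point concrete, here is an added example (not code from the original post or from any EldoS product) of the two factors as a server sees them: an RFC 4226 HOTP generator, which is all an unprotected OTP token provides, and a verifier that only accepts the code together with a PIN, consumes each counter so a code cannot be replayed, and allows a small look-ahead window for counter drift. The secret is the RFC 4226 test key and the PIN is a constructed value; the class and function names are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: what the hardware token computes on each button press.
    Knowing this value proves possession of the token (or its seed), nothing more."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side check combining the PIN (knowledge) with the OTP (possession).
    Hypothetical class written for this example."""

    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret = secret
        self.next_counter = 0        # first counter value not yet consumed
        self.window = window         # how far ahead the token may have drifted
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin, self.salt)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # Slow hash, so a stolen verifier database does not give up short PINs cheaply.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def verify(self, pin: str, code: str) -> bool:
        # PIN first: a lost token alone must never get past this line.
        # (A real deployment also counts failures here and locks the account.)
        if not hmac.compare_digest(self._hash_pin(pin, self.salt), self.pin_hash):
            return False
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # consume: codes at or below c are dead (no replay)
                return True
        return False


SECRET = b"12345678901234567890"   # the RFC 4226 test key, used as a constructed seed
PIN = "4711"                        # constructed PIN for the example


def run_scenarios() -> dict[str, bool]:
    """Walk through the cases a practitioner cares about; returns the verdicts."""
    v = OtpVerifier(SECRET, PIN)
    return {
        "otp_without_pin": v.verify("", hotp(SECRET, 0)),        # lost token: possession only
        "pin_and_otp": v.verify(PIN, hotp(SECRET, 0)),           # both factors
        "replayed_otp": v.verify(PIN, hotp(SECRET, 0)),          # same code again
        "token_pressed_ahead": v.verify(PIN, hotp(SECRET, 4)),   # counters 1-3 skipped, inside window
        "far_outside_window": v.verify(PIN, hotp(SECRET, 40)),   # drift beyond the window
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The first scenario is the one the article is about: whoever picks up an unprotected token can produce a valid code, and only the PIN check on the server (or, better, on the device itself, as PKCS#11 tokens do) turns that into a failed login rather than a successful one.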

Thursday, October 13, 2011

Possible alternative to CA hierarchy

Convergence. If you hadn't heard about it before, don't worry - neither had we. It is a new proposal, presented at a conference just a couple of months ago (by Moxie Marlinspike at Black Hat USA 2011), which aims to make the MITM (man-in-the-middle) attack that is needed to make use of a fake SSL certificate useless. How does it do this?

A MITM attack is local, i.e. it usually affects a limited number of clients; clients in other parts of the world are not affected. So if our client asks other parties (called notaries here) "do you see what I see?", i.e. do you get the same certificate (compared by fingerprint) from that site, then either the notaries confirm that the certificate is the one everybody sees, or the disagreement reveals the MITM attack. Of course, there are some technical complexities here (the client's own connection to each notary, caching of answers, and hiding from the notaries which sites you visit), but they are details.

Convergence is a good case of proper use of distributed trust across independent vantage points (a design it inherits from the earlier Perspectives project), which makes complex (and expensive) CAs unnecessary in this model.

The only question left is "who will guard the guards". If a MITM can fake the server's certificate, how do you ensure that a notary's response to your request has not been forged? A MITM attacker will quickly turn to forging notaries' certificates as well and producing valid-looking responses. So the notaries' own certificates must be pinned in the client (Convergence ships them with the client, so they do not depend on the CA hierarchy under attack), the responses must be signed with the notaries' keys, and a large number of notaries is required, with the possibility to switch them on the fly for each new request that needs validating.
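The notary exchange described above, including the "who guards the guards" case, as an added simulation that is not Convergence's own code: three notaries report the certificate fingerprint they see for a host, the client only counts responses whose signature verifies against a pinned notary key, and then requires a quorum and a majority agreeing with the certificate it was handed. Certificate bytes, notary names and keys are constructed for the example, and an HMAC with a per-notary key stands in for the notary's real signature (a simplification; the real protocol signs with an asymmetric key).

```python
from __future__ import annotations

import hashlib
import hmac
import json


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes: what client and notaries compare."""
    return hashlib.sha256(cert_der).hexdigest()


class Notary:
    """A notary reporting the certificate it sees for a host from its own vantage point.
    Hypothetical class for this example; HMAC stands in for the notary's signature."""

    def __init__(self, name: str, key: bytes, observed: dict[str, bytes]):
        self.name = name
        self.key = key
        self.observed = observed            # host -> certificate bytes seen from here

    def respond(self, host: str) -> tuple[bytes, bytes]:
        payload = json.dumps({"host": host, "fp": fingerprint(self.observed[host])},
                             sort_keys=True).encode()
        return payload, hmac.new(self.key, payload, hashlib.sha256).digest()


class Client:
    """Pins the notaries' keys, so a forged notary response is detectable even when
    the attacker can forge server certificates."""

    def __init__(self, pinned_keys: dict[str, bytes], quorum: int = 2):
        self.pinned_keys = pinned_keys
        self.quorum = quorum

    def check(self, host: str, cert_der: bytes,
              responses: dict[str, tuple[bytes, bytes]]) -> tuple[str, str]:
        seen = fingerprint(cert_der)
        valid: dict[str, str] = {}
        for name, (payload, sig) in responses.items():
            key = self.pinned_keys.get(name)
            if key is None:
                continue                    # unknown notary: ignore
            expected = hmac.new(key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, sig):
                continue                    # forged or tampered: discard, never trust
            data = json.loads(payload)
            if data["host"] != host:
                continue                    # answer replayed from a different query
            valid[name] = data["fp"]
        if len(valid) < self.quorum:
            return "undecided", "too few verifiable notary responses (fail closed)"
        agree = sum(1 for fp in valid.values() if fp == seen)
        if agree * 2 > len(valid):
            return "accept", f"{agree}/{len(valid)} notaries see the same certificate"
        return "reject", f"only {agree}/{len(valid)} notaries see this certificate: probable MITM"


# Constructed data for the scenarios below.
HOST = "example.test"
GENUINE = b"constructed DER bytes of example.test's real certificate"
FORGED = b"constructed DER bytes of an attacker-issued certificate"
KEYS = {"notary-a": b"key-a", "notary-b": b"key-b", "notary-c": b"key-c"}


def run_scenarios() -> dict[str, str]:
    """Returns the client's verdict for each attack scenario."""
    notaries = [Notary(n, k, {HOST: GENUINE}) for n, k in KEYS.items()]
    client = Client(KEYS)
    honest = {n.name: n.respond(HOST) for n in notaries}
    out = {}
    out["no_attack"] = client.check(HOST, GENUINE, honest)[0]
    # Local MITM: the client is handed the forged cert; notaries elsewhere still see the genuine one.
    out["local_mitm"] = client.check(HOST, FORGED, honest)[0]
    # MITM also rewrites one notary's answer to match, but cannot sign with that notary's pinned key.
    fake_payload = json.dumps({"host": HOST, "fp": fingerprint(FORGED)}, sort_keys=True).encode()
    tampered = dict(honest)
    tampered["notary-a"] = (fake_payload, hmac.new(b"attacker", fake_payload, hashlib.sha256).digest())
    out["mitm_forges_one_notary"] = client.check(HOST, FORGED, tampered)[0]
    # MITM blocks or forges every notary answer: nothing verifiable, so the client fails closed.
    all_forged = {n: (fake_payload, b"\x00" * 32) for n in KEYS}
    out["mitm_forges_all_notaries"] = client.check(HOST, FORGED, all_forged)[0]
    return out


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario}: {verdict}")
```

The last two scenarios are the answer to "who will guard the guards": because the notary keys are pinned rather than obtained through the CA hierarchy, an attacker who can forge the server's certificate still cannot produce a notary answer the client will count, and an attacker who blocks the notaries entirely only gets an "undecided" verdict, which a cautious client treats as a failure.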

Read more details about Convergence on Convergence homepage