From: Kevin Brown (kbrownfoxhome.com)
Date: Fri Dec 07 2001 - 16:35:23 CST

    You misunderstand what I'm saying. I'm not saying that paying money buys
    you security. What I am saying is it is an issue of accountability. You
    mistook my analogy for an argument in favor of commercial software. The
    point is, corporations will often pay more $$ for less quality if they have
    someone to hold accountable when something does go wrong. And all software,
    commercial, open-source, or otherwise will eventually have problems.

    And if the vendor fails to provide the answers/support needed, a user can
    take their business elsewhere. Now you say that's "a suboptimal solution"
    when you're losing $$. Well, what recourse do you have if Snort fails?
    None at all. At least the threat of taking my business elsewhere means
    something when a vendor faces losing $$. And this means I have at least
    some leverage to get my problems solved. Who loses $$ if I stop using
    Snort? What obligation does anyone have to fix my problem if Snort fails
    me? (these arguments lose water due to companies like Sourcefire out there,
    but at this point, this argument is more about open-source than Snort in
    particular)

    Should a commercial product fail in its intended functionality, then by all
    means get rid of it and get one that does. But the open-source folks make
    the exact same mistake that they accuse commercial vendors of making. Just
    because you pay for it doesn't make it better, and just because it's
    open-source doesn't make it better. Ultimately, the goal is to have a
    functioning product.

    But all other things being equal (or close to equal), CEOs and CFOs want
    accountability. There is no way a company needing air-tight security is
    going to rely on newsgroups for support. You simply can't tell a wacko from
    a genius half the time (look at the answers we see on these very lists). So
    unless you can afford in-house expertise, (which is still hard to come by
    when talking open-source, no matter what is on everybody's resume these
    days), companies want someone to hold accountable. And they should.

    Again, my point is simply this. The reason many companies don't trust
    open-source products is not because they believe commercial products are
    inherently better or more secure, but because they want someone they can
    hold accountable. That's all I'm saying. I'm not necessarily even trying
    to defend the logic. I'm just saying people misunderstand the logic.

    You're arguing why the logic is flawed. Fine. I just see a lot of people
    claiming that companies think commercial products are inherently better or
    more secure, and that's not the reason (in most cases anyway) why many
    companies don't use open-source products.

    Ok? Ok.

    Brownfox

    -----Original Message-----
    From: jeffmx1-sfba.mail.home.com [mailto:jeffmx1-sfba.mail.home.com]On
    Behalf Of Jeff Nathan
    Sent: Friday, December 07, 2001 4:45 PM
    To: kbrownfoxhome.com
    Cc: Nate.Duzenberrymortgage.wellsFargo.COM;
    Keith.McCammoneadvancemed.com; bugtraqfunky.seifried.org;
    focus-idssecurityfocus.com
    Subject: Re: IDS recommendations

    Kevin Brown wrote:
    >
    > I think people misunderstand why corporations frequently aren't comfortable
    > relying on open-source products. It's not that these companies believe
    > commercial products are inherently better, but rather it is an issue of
    > accountability (which is a component of support).
    >
    > I've worked with companies who will pay more $$ for Cisco because they
    > continually give them outstanding support that they can count on (your
    > mileage may vary). A lot of companies just aren't comfortable relying on
    > newsgroups and mailing lists for tech support. If you have the in-house
    > expertise, great, but not everyone does.
    >
    > I wish I could give a better example, but the point is still one of
    > accountability. If you have a problem, and $$ is on the line, you want
    > someone you can trust to give you an answer. That's not to say that every
    > vendor gives good support, but that's partly why you pay them the big bucks.
    > And if they don't give you the answers you need, you take your business
    > elsewhere.
    >
    > BTW, I think some of Jeff's statements work in reverse. Just because
    > something is open-source doesn't mean it's better either. ;-)
    >
    > Brownfox
    >
    > Keep in mind that none of my statements are meant to be an indictment of
    > Snort or its usability in a large corporate environment.
    >

    Kevin,

    A support contract is not the same as financial accountability. In the
    event of monetary loss due to the poor functionality of a vendor
    product, the support contract buys you nothing. A company can take
    their business elsewhere, absolutely, but that doesn't solve the interim
    problem of the vendor product being non-functional and possibly causing
    additional exposure to your environment. Companies like Cisco might
    provide great support, but has your support contract improved the
    functionality or overall security of their products?

    This is yet another bit of helplessness large companies suffer. As they
    feel they can only do business with established business partners, they
    incorrectly believe a support contract will somehow improve security.
    When money is on the line and the failure of a vendor to develop a
    functional or secure product is the cause of the failure, the contract
    will neither recoup your own financial loss nor will it resolve any
    severe functional failures. In the case of products used to secure a
    multi-billion dollar enterprise, functionality of security products is
    paramount. A contract will neither guarantee my network ID system
    detects attacks nor provide any mechanism to recoup financial loss.

    So if we turn to accountability, the only accountability here is that
    when there is a problem, there is someone to call and ask questions of.
    If the questions aren't satisfactory what recourse do you have? As
    previously mentioned you can decide to not renew your contract, but when
    you're already losing money this is a suboptimal solution.

    There is a definite need for support contracts as there are occasions
    where a question needs answering or a problem needs solving and you
    don't have the answer. Vendors obviously have an interest in keeping
    their customers happy when providing support and thus ensure revenue. I
    want to be clear on the fact that I agree that support contracts are
    important. However, as I've gone to great lengths to describe above, a
    support contract cannot compensate for a dysfunctional product.

    If an organization is interested in commercial support of snort,
    Sourcefire has been offering snort support for some time (and you can
    bet it's superior to other snort support offerings out there). From
    what I understand they're offering a top level support option as well.

    -Jeff

    --
    http://jeff.wwti.com            (pgp key available)
    "Common sense is the collection of prejudices acquired by age eighteen."
    - Albert Einstein