What is Free Software? Definition of freely redistributable software

Free software (SPO) is software that the user has the right to install and run without limit, and to freely use, study, distribute and change (improve); these rights are legally protected by copyright through free licenses.

History

When the first computers appeared, all programs for them were open source software in the sense in which the term is now understood. For example, the cost of software installed on IBM computers was included in the price of the hardware.

In 1969, the US government announced that the inclusion of free software in a hardware bundle violated the principles of competition. Therefore, in the 1970s and early 1980s, the software industry began to use technical measures to prevent the study and modification of software, and in 1980, copyright law for computer programs was passed.

In 1983, Richard Stallman, a member of the hacker community at the MIT Artificial Intelligence Laboratory, disenchanted with the consequences of the changing culture of the computer industry, announced the start of the GNU Project. In January 1984, software development began for the GNU operating system and the Free Software Foundation was created. Richard Stallman developed free software and the concept of free software in order to provide freedom to copy software for everyone.

The term "open source" was coined much later, in 1998, by Eric Raymond and Bruce Perens, who believed that the term "free software" is ambiguous in English, because "free" can mean both "free of charge" and "free as in freedom", and therefore confuses many commercial entrepreneurs.

Definition of free software

"Free software" means freedom, not price. To understand this concept, think of "free speech", not of something free of charge.

There are four types of freedom for users of the program:

  • The program can be freely used for any purpose ("zero freedom").
  • You can study how the program works and adapt it for your own purposes ("first freedom"). The condition for this is the availability of the source code of the program.
  • You can freely distribute copies of the program, to help a friend ("second freedom").
  • The program is free to improve and publish an improved version, in order to benefit the entire community ("third freedom"). The condition for this third freedom is the availability of the source code of the program and the possibility of making modifications and corrections to it.

Only a program that meets all four of the listed principles can be considered free software, that is, guaranteed to be open and available for modification and for fixing errors and defects, with no restrictions on use and distribution. It must be emphasized that these principles stipulate only the availability of program source code for general use, criticism and improvement, and the rights of the user who has received the executable or source code of the program; they do not in any way stipulate the monetary relations associated with distributing programs, and in particular do not imply that the software is free of charge. On the contrary, free software can be (and is) distributed for a fee, provided the criteria of freedom are observed: each user is given the right to receive the source code of the programs at no additional cost (except for the cost of the media), to modify it and to distribute it further. Any software whose users are not granted such a right is proprietary, notwithstanding any other conditions.

Although free security systems have been around for a long time, they have never been used as widely as the Linux operating system and the Apache web server. John Pescatore, director of Internet security research at Gartner, noted that freely redistributable tools now account for 3-5% of the security systems in use, but by 2007 this figure may increase to 10-15%.

The main reason for this potential is the quality of numerous free security packages. “Some common defenses are well supported, and many developers are offering new tools and templates for them. In a sense, these solutions compete with commercial tools,” said Eugene Spafford, director of the Center for Education and Research in Information Security at Purdue University.

Free software products include free tools that can be downloaded from the Internet, packages for which vendors offer commercial support services, and additional tools that come with commercial products.

The most popular tools include Netfilter and iptables; intrusion detection systems such as Snort, Snare and Tripwire; security vulnerability scanners such as Nessus and Saint; the Kerberos authentication technology; firewalls, in particular T.Rex.

Some businesses have even started using open source security systems to keep their critical infrastructure secure.

Growing interest

IT professionals have been using open source security to varying degrees for about 15 years. There is growing interest in such tools now from large companies, security consultants and service providers who can tailor such software to the needs of specific users. For example, EDS began using Astaro's free security toolkit to secure the front-end component of several credit union websites that offer transaction processing capabilities.

Information security systems integrators admit that users are attracted by the low price of freely distributed tools. For example, Richard Mayr, Managing Director of R2R Informations und Kommunikations, noted that his company has been offering its commercial firewall... However, the data collected shows that 75% of the company's customers prefer free analogs. Guardent offers a $1.5K monthly subscription to Internet security services, based on its Security Defense Appliance. The solution combines commercial components such as the Cisco Systems PIX firewall and freeware components such as iptables, Nessus, and Snort. A similar service relying solely on commercial products can cost around $10,000.

At the same time, C2Net Software, which recently acquired Red Hat, has developed its commercial Stronghold Secure Web Server based on Apache and OpenSSL, a free toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols and contains a general-purpose cryptographic library.

According to security consultant Paul Robichaux of Robichaux & Associates, organizations subject to special legal requirements for protection, such as those in health and finance, are unlikely to use open source tools. Instead, they are likely to continue to depend on manufacturers who can be blamed for breaches of protection. Robichaux believes that open source security solutions will be more likely to be used by consulting and service firms that already know and trust the tools, as well as companies whose IT departments have already tried such solutions.

Freely redistributable tools: pros and cons

Let's compare free and commercial tools in terms of cost, quality, and technical support.

Expenses. One of the main advantages of free software tools is that they are less expensive than commercial products. Such systems are distributed free of charge or at very low prices, and, in addition, they either do not provide for licensing fees at all, or these fees are much lower than for commercial products. However, some users have learned from their own experience that the statement “you get what you paid for” is fully applicable to free tools.

However, Buddy Baxter, technical manager for infrastructure solutions for credit unions at EDS, believes that a higher price does not mean a product is more secure. According to him, EDS can install a security system based on Astaro software tools, which will cost four times less than a commercial product from Check Point Software Technologies.

Quality. Guardent's chief technology officer, Jerry Brady, has confirmed that some of the free security tools are as good as (if not better than) their commercial counterparts. For example, he said the Nessus vulnerability scanner provides better distributed processing, remote launching and scheduling capabilities than many commercial products. “By using this open source methodology, you can focus more on the things that really matter. For Nessus, distribution issues are much less of a priority than code quality issues,” he stressed.

However, Marcus Ranum, security expert and head of NFR Security, objected: “I don’t think the software is of high quality just because it’s free. In fact, it is targeted development that makes a product a quality product. And openness does not guarantee this in any way.”

Spafford agrees with him: “The reliability of a product is primarily determined by its quality and support. Was it well designed? Did its developers adhere to strict discipline and did they add too many features to it? A lot of free software is created by people who don't have the experience, tools, time, or resources to do it as thoroughly as a truly highly reliable environment requires.”

Proponents of open source solutions argue that a lot of people study open source, so they are able to detect problems much faster than a limited circle of developers creating a commercial product of a particular company. “There are many more people who can find and fix bugs in open source software,” said Mike Curtis, research director at Redsiren Technologies, an information security services provider.

In addition, as Curtis noted, free software developers can respond more quickly to security flaws they find than commercial companies simply because they are less busy and are not bureaucratic. "Free software developers are more interested in fixing the bugs they find than adding new features for the next release," he says.

However, Ranum disagrees with him: “Based on my own experience, I can confirm that very few specialists really study the code thoroughly. They usually just look at the description files. The first open source firewall toolkit I created was used by about 2,000 sites to varying degrees, but only ten people provided feedback or patches. So I would not rely on the openness of the software,” he said.

Many proponents of closed source believe that, when it comes to finding bugs in a program, quality matters more than the number of people studying it. They argue that the manufacturer's software experts, who work on their own products, do a better job than those who study the free packages.

Spafford shares this opinion. “Many free software components have been found to have bugs after being used and studied hundreds of thousands of times over the years. Errors were not detected simply because those who viewed the code did not have the necessary skills to do so. In many cases, users study the code in order to adapt it to their needs, and not in order to analyze it in detail,” he said.

Support. Proponents of commercial software argue that their vendors, unlike open source organizations, offer customers support services and other resources to use in case of a problem. However, this approach also strengthens the position of those who offer support services to users of free security software.

“The support service gives more reliable guarantees to the client and allows him to provide assistance. You can define a service level agreement (SLA) and let the manufacturer choose the right tooling and help customers adapt to changes in technology,” Brady said.

Other questions. Some proponents of closed source believe that the availability of open source code makes it much easier for hackers to figure out how to overcome such defenses. However, apologists for free solutions argue that this is not the case, since hackers are able to break the protection organized with the help of commercial products. At the same time, they note that the free security tools are easier to customize because they have their source code.

Notable open source projects

Let's take a look at some important free security tools.

Kerberos

Kerberos authentication and encryption technology (http://www.mit.edu/kerberos/www) was developed at the Massachusetts Institute of Technology and released in 1987. Since then, the technology has become a standard, which is handled by the Common Authentication Technology Working Group formed under the Internet Engineering Task Force.

Freely redistributable versions of Kerberos are offered for Macintosh, Unix, and Windows platforms. Commercial implementations are created by Microsoft, Oracle, Qualcomm and a number of other companies. Microsoft has drawn criticism from industry professionals by integrating a version of Kerberos into Windows 2000 that does not fully comply with the standard.

Snort

Snort (www.snort.org) is considered one of the most popular free security tools. According to estimates by Marty Roesch, lead developer of Snort, the application is used by 250-500 thousand people. The software has a group of active supporters and very detailed documentation.

Snort is a lightweight network intrusion detection system capable of real-time traffic analysis and packet logging on IP networks. Released in 1998, Snort helps identify potential security breaches by performing protocol analysis on packets and pattern-matching searches on their content. The system can detect probing activity and various security breaches such as buffer overflows, stealth port scans, and Common Gateway Interface (CGI) attacks.

Snort runs on a variety of platforms, including FreeBSD, Linux, macOS, Solaris, and Windows.

Snare

Snare (System Intrusion Analysis and Reporting Environment) is a host-based intrusion detection system designed for Linux systems. InterSect Alliance (www.intersectalliance.com), which brings together security consultants, developed and released Snare in November 2001.

Snare uses dynamically loadable module technology to interact with the Linux kernel at runtime. By using only those modules that are necessary for a specific task, Snare reduces the load on the host system. And since Snare is loaded dynamically, users don't need to reboot the system or recompile the kernel, as with some Linux enhancements.

Tripwire

Purdue University's Spafford and then-student Gene Kim developed the Tripwire Academic Source intrusion detection system, which has been downloaded by over a million users since its release in 1992. Tripwire (www.tripwire.com), the company Kim founded, later completely overhauled the program, turning it into a closed source commercial product. Tripwire offers a free version for Linux, but sells commercial versions for Unix platforms and Windows NT.

Nessus

Nessus (http://www.nessus.org) is a security vulnerability scanner that allows you to remotely check the security of a website. The Nessus developers released this toolkit in April 1998. Nessus supports POSIX-compliant servers with Java, Win32, and X11 clients.

Saint

Saint (Security Administrators Integrated Network Tool) is a vulnerability scanner (see Figure 1) that works with most flavors of Unix, including Linux. The scanner is based on Satan (Security Administrator's Tool for Analyzing Networks), a free tool for analyzing security defects. Saint (www.saintcorporation.com) has ditched older versions of the scanner, but sells the newest version, as well as SAINTwriter for generating custom reports and SAINTexpress for automatically updating security defect signatures.

Netfilter and iptables

The free software development team has prepared Netfilter and iptables for integration into the Linux 2.4 kernel. Netfilter (www.netwilter.org) gives users the ability to track feedbacks associated with a network intrusion, thereby revealing the fact that the system is under attack. Using iptables (www.iptables.org), users can define the actions to be taken by the system if an attack is detected.

T.Rex

T.Rex is free firewall software released by Freemont Avenue Software in 2000. It runs on AIX, Linux and Solaris platforms and is currently used by about 31,000 users.

Perspectives

The widespread use of free security systems is hampered by a number of complexities and problems.

Fear of open source

Some companies are wary of adopting free software because it is not developed by a specific company and is not supported in the way that the software they are used to purchasing is. Because of this, David Moskowitz, chief technology officer at the consulting firm Productivity Solutions, predicts that many open source tools will only come into use after IT professionals have tried them out on their own and rolled them out gradually across the enterprise.

Backdoor fear

Since the source code is open, some companies fear that hackers will create backdoors in open source tools through which they can enter systems. Robichaux remarked on this: “This is one of the most serious obstacles to widespread adoption of open source software. However, this does not mean at all that such a fear is justified and has real ground. However, some companies require that all free software used in their departments be built from scratch, without any pre-built or downloaded packages.”

Certification

Certification of a product by authorized government organizations can give a serious impetus to its widespread use. The US government requires security systems and other information technology products to pass validation against the Federal Information Processing Standard of the National Institute of Standards and Technology (NIST) before they can be purchased by US government agencies.

Compliance testing costs can range from tens to hundreds of thousands of dollars. All of this can make it difficult for open source organizations (which usually have very modest budgets) to certify their technology. In fact, as Annabel Lee, director of the NIST Cryptographic Module Validation Program, noted, she is not aware of any freeware that has passed the certification.

Ease of use and management

Free software vendors tend to prioritize functionality over usability and management. As a consequence, these applications are sometimes difficult to deploy and difficult to manage. For example, as Roesch noted, "Installing and managing Snort can be quite difficult, especially if you don't have a lot of experience writing Unix tools."

Pescatore explained the situation as follows: “In the case of free tools, most of the knowledge accumulates in the heads of the people who use them, while the manufacturers of commercial solutions are forced to put this knowledge into the product. I don’t think the free tools will ever go mainstream. Most people prefer the simpler approach.”

All of this forms a small but rapidly growing market for security systems integrators and service providers such as Guardent, Redsiren and Silicon Defense. These companies can offer management tools and thereby hide the complexity of the freely available products from users, and provide a guaranteed level of service and support.

Astaro strives to create a complete security infrastructure that integrates numerous open source technologies into a single, easy-to-use interface. Ernst Kelting, President of Astaro America, emphasized: “Users do not want to work with software that does not offer support services. We take on this burden and free our clients from possible difficulties.”

Conclusion

Simon Perry, vice president of security systems at Computer Associates, believes that the use of free security products will grow, albeit not in large corporations... Organizations that develop free software do not have the resources or management tools needed to carry out the integration required to provide security across many different platforms, as large companies do, he said.

An interesting trend in the open source security market could be the development of business models that combine open source with specialized hardware, commercial front-end tools, and/or service level guarantees. For example, Brady noted that manufacturers could combine their knowledge of hardware optimization with open source technology to create products such as set-top boxes that support secure, fast connections.

Cox emphasized that “the rate of adoption of free source code will grow as the development model supports the rapidly changing structure of the Internet and security. Responsiveness to feature requirements, new attacks and bug fixes are difficult to achieve in a closed source environment.”

However, Pescatore believes that the share of all security product revenue that comes from selling commercial support services for free tools will grow from 1% to just 2% by 2007. In particular, this is because many companies will use free tools rather than commercial open source packages.

One of the dangers associated with open source tools is that users may succumb to a false sense of complete security by counting on the code being analyzed by many experts. According to Dan Geer, Kerberos developer and chief technology officer at @Stake, which offers security services, “Providing a product in source doesn’t mean it’s bug-free, it’s just less likely to have a bug. But this is not a panacea.”

George Lawton is a freelance journalist.

George Lawton. Open Source Security: Opportunity or Oxymoron? IEEE Computer, March 2002. IEEE Computer Society, 2002, All rights reserved. Reprinted with permission.

  • The Ministry of Telecom and Mass Communications at the end of December published its views on the introduction of free software (SPO) in government agencies. The document lists the advantages of free products, chief among them being that they are free of charge and secure. But is it really so?

    Does free mean free of charge?

    There is a widespread belief that free software is also free of charge. The document of the Ministry of Telecom and Mass Communications relies on this thesis:
    Firstly, it is cheap and anti-corruption. Open source software does not require license fees for each installed copy of the software.

    However, IT experts, including open source founder Richard Stallman, disagree. Stallman himself repeats the phrase at each of his speeches:
    Free means free as in freedom, not free of charge. And none of this is equal to Open Source. These are three concepts that should not be confused.

    There is no need to go far for examples that confirm this opinion. More recently, Dell has agreed to pay Microsoft royalties for using Android and Chrome OS on its devices. The Redmond-based corporation owns a number of technology patents that are used in open source projects created by Google.

    The same Stallman published, in which he called to support the campaign for the "release of Android", that is, for the publication of the source codes of the operating system (and its creator, Google, is not going to do this).

    Ultimately, open source software may be free of charge for the end user, but in the case of corporate products and mass installations, things are not so simple. A company can participate in the development of the product it needs and send its fixes to a common repository, or (if the process of "finishing" the product took it outside the GNU license) hire its own dedicated development team to support the fork. As you might guess, this path has little to do with being free of charge.

    Free software is more secure

    Since, as we just found out, free-as-in-freedom software, free-of-charge software and open source are three completely different things, it seems that one of them should be more secure than proprietary products. In fact, this is not the case.

    The document of the Ministry of Telecom and Mass Communications says that closed products are less secure, since they contain undocumented features:

    Many proprietary applications from well-known manufacturers contain undocumented features, which is a potential threat.

    But many open (free as in freedom, free of charge) applications also contain undocumented functions. Developers do not always have the time (or the desire) to properly document the capabilities of their project. Moreover, a number of documented functions (for example, or) are also potential threats.

    A separate question that needs answering is what "undocumented functions" are: does, say, a menu item not described in the documentation fit this definition? If we are talking about "undeclared capabilities", then there must be a process for declaring them. If vulnerabilities are meant, then this is a completely different topic.

    In fact, in order to increase the confidence in the safety of the code, it is enough to follow a simple algorithm:

    1. There must be a designated party who is accountable for this security (internal or external, for example, a software manufacturer).
    2. The person in charge must receive the appropriate assignment.
    3. They must be provided with the necessary means and tools!
    4. You need to implement secure development (SDL), configuration management and vulnerability management.

    In this case, it will not matter at all whether you are working with "free as in freedom", "free of charge", "paid" or "proprietary" software. The presence of published source code in some cases makes it easier to ensure security (and, again, this has nothing to do with being free of charge), but this fact does not help (and sometimes even hinders) finding the person responsible. Moreover, total openness makes it useless to ask: "Who wrote this line?"
    In the case of the backdoor at RSA, it turned out that the company was paid by the NSA - that is, the culprit was found. But where the Heartbleed vulnerability came from in the SSL package is still unclear.

    On the other hand, free software is easier to adapt to changing conditions. Of course, the installation of "closed and non-free" Windows on HMI in ICS systems is an obvious mistake, which has led to the fact that many systems have not yet closed the CVE-2010-2568 vulnerability, through which the Stuxnet worm spread. Using an "open" system would allow you to develop your own patch, but this also requires a development team that costs money.

    Should the state develop Russian Open Source?

    Another excerpt from the document of the Ministry of Telecom and Mass Communications, which contains the thesis that free software corresponds to national interests:
    Fourth, the use of open source software takes into account national interests. Despite the fact that the creation of free software is inseparable from the world community of developers, services for their adaptation, implementation, support and development are provided, as a rule, by national firms, which is more beneficial to the state and society.

    It turns out that the "redesign" of Open Source (even in violation of the GPL) is rightly in the interests of the country, but the creation of its own technology from scratch, which for some reason is not open source software, does not meet such interests.

    In Russia, there are very few companies like ALT Linux that do everything right and according to the letter of all licenses and laws of open source software. On the whole, the development of a "package of free domestic software" is, perhaps, a bright task, but clearly not a priority.

    Here I would like to turn to another popular topic - the creation of a "domestic OS".

    No operating system needed!

    In the matter of import substitution, it is much more logical to pay attention not to the creation of your own operating systems and office suites, but to completely different areas. You need to start with something that has an ultimate goal, and there should be an opportunity to calculate the effectiveness of this "something". The operating system is clearly not "it".

    Desktops

    Desktops, despite all their archaism, will remain a serious "devourer" of the IT budget in the corporate sector for a long time, with an update cycle of 3-5 years. Considering that a significant part of the corporate sector in Russia is the public sector and related companies, moving this niche to Russian products is quite realistic; all it takes is a decisive act of will.

    "Well, here, your Windows!" - the reader will say. Not at all! You need to start making a desktop with a processor. Moreover, we have it, and not bad. Yes, we are talking about Elbrus.

    Already in the process of working on your own processor, you will have to solve, along the way, the issues of creating operating systems, programming languages and other elements of the ecosystem. For software manufacturers to want to write for the notional "Elbrus", there must be demand for such products, and MCST must be able to produce a sufficient amount of hardware.

    The already mentioned state-owned companies and their satellites can form the backbone of the first users. If software manufacturers (the same ALT Linux, or JetBrains) see prospects and a user base, they will not refuse to create a version for Elbrus (by the way, we are now porting PT Application Firewall to this processor) - at the same time, compatibility with “just Linux” and other platforms will appear.

    All to the cloud

    The trend towards "moving" many familiar applications to the cloud is undeniable: Excel, Word, and 1C are already there. A private "office" cloud would cover the needs of 90% of desktop users in the corporate sector. Currently such products are becoming more and more an ordinary substrate for the "Internet" itself. The most important desktop application is the browser, and creating one is not all that difficult, as the examples of Opera and Yandex Browser show.

    It would seem that everyone has moved to Chromium, but there is nothing wrong with that. Taking an existing platform as a basis, adding functions to it and providing a support cycle will create a competitive product. And in parallel, it will be possible to start creating your own Chromium, if necessary.

    Iron Sky

    Of course, other components are needed to create your own cloud, and the first problem here is the lack of hardware (the situation is especially sad with server platforms). There is no need to wait for a quick solution in this area, so at the first stages there is nothing wrong with using existing solutions.

    With network hardware, the situation is gradually improving, in the field of NAS is doing serious things, one cannot discount and “

    Classification of programs according to their legal status

    According to their legal status, programs can be divided into three large groups: licensed, shareware, and freely distributed.

    Licensed Programs. In accordance with the license agreement, the developers of the program guarantee its normal functioning in a certain operating system and are responsible for this.

    Licensed programs are usually sold by developers in boxed distributions. The box contains the CDs from which the program is installed on users' computers, and a user's manual for working with the program.

    Quite often, developers provide significant discounts when purchasing licenses to use the program on a large number of computers or in educational institutions.

    Shareware. Some software firms offer shareware to users for advertising and marketing purposes. The user is provided with a version of the program with a limited validity period (after the period expires, the program stops working if no payment has been made for it) or a version of the program with limited functionality (upon payment, the user is given a code that enables all the functions of the program).

    Free software. Many manufacturers of software and computer equipment are interested in wide distribution of software free of charge. These software tools include:

    · New unfinished (beta) versions of software products (this allows them to be widely tested).

    · Software products that are part of fundamentally new technologies (this allows you to conquer the market).

    · Add-ons to previously released programs that fix found bugs or expand capabilities.

    · Drivers for new devices or improved drivers for existing devices.

    But whichever software you choose, there are general requirements for all software groups:

    · License compliance (the use of the software is permissible only within the framework of the license agreement).

    · Possibility of consultation and other forms of support.

    · Compliance with the characteristics, configuration, class and type of computers, as well as the architecture of the computer technology used.

    · Reliability and performance in any of the foreseen operating modes, at least in a Russian-speaking environment.

    · Availability of an interface that supports work using the Russian language. English language interface is acceptable for system and tooling software.

    · Availability of documentation required for practical application and development of software in Russian.

    · Ability to use fonts that support Cyrillic.

    · The presence of a specification that stipulates all the requirements for hardware and software necessary for the functioning of this software.