Greentext

This has nothing to do with security, and everything to do with liability.

You can't really sue an open source project using a proper license, they disclaim any liability or warranty, meaning the buck stops with you.

If you hire a software development firm and pay for them to build software for you, you will have a different license, the software company can just repackage open source software into their own UI and branding, take the money and declare bankruptcy if their customers try to sue them.

The customers are mostly happy, they get to tick the box that they have a support contract for the software and a company is liable if shit hits the fan. The software development company is happy, they get money for doing very little actual work.

The open source project probably doesn't know about the abuse of the license and thus mostly doesn't care.

Had that discussion before. Was attacked because I use a f&os lib from GitHub instead of a paid and licensed one, the latter somehow meaning it's error free. Spoiler alert: it wasn't. Or at least their usage wasn't.

this is supposed to be more secure because it costs money

It makes blaming someone really easy though and that's all that matters in a corporate world.

My org told me “you can’t install open source software”

Everyone uses Firefox

I just want OpenShell

It's "more secure" because there's a specific company to blame when it goes wrong.

Every day I wake up I thank God I'm not an MBA 🙏

Honestly, a policy of "no free-of-charge software installed on workstations except FOSS" might improve security a bit and probably without doing all that much damage to the day-to-day workings of the company.

For that matter, if my employer instituted a policy of "no software except FOSS", my own particular job probably would be a surprisingly small adjustment. As long as they were willing to do the work to set up infrastructure and/or let us switch to FOSS alternatives that require third-party server providers as necessary. About all I can think of that's installed on my work machine that's proprietary is:

• Zoom
• A paid corporate VPN client
• A random program that I use to authenticate to Kubernetes clusters in use where I work (so I can use Kubectl)
• Chrome
• The Client Management software my company uses (the software they use to remotely administrate the company-provided machines -- force install shit without telling you, spy on you, nag people who have computers that aren't actually used to return them, wipe your computer if you report it stolen, etc)
• And, of course, bios, proprietary firmware blobs, etc

Beyond that, I honestly can't think specifically of anything else proprietary installed on my work machine. My personal computers have far less proprietary software installed than the above list.

Worked for a company that had a similar policy against free software, but simultaneously encouraged employees to use open-source software to save money. I don't think upper management was talking to the IT department.

Everyday my misnathropy is justified

There is an entire sub-industry and probably thousands of jobs being propped up by this stupid way of thinking about software. I can't be mad at it because it pays the bills for a few of my friends...

It's not more secure, it's so they can offload blame and have people to sue if/when something ugly happens. Liability control, essentially.

We had to pay for fucking Docker container licenses at my last job because we needed an escalation to the vendor in case our SMEs couldnt handle things (they could), and so we had a vendor to blame if something out of our control happened. And that happened: we sued Mirantis when shit broke.

My last boss got rid of the pfSense routers because "open source is not secure". I argued that pfSense has been vetted over and over and over again. Nope. "Everyone can see the source code." That's the fucking point!

TBF, pfSense isn't the fastest routing, but at our small company is was more than sufficient.

Anon works for my company? Because they did exactly this with the same excuse.

Don't forget your new 32 character/symbol/number/nordic rune passwords that will need to be changed every 17 days.

My previous employer was bought by a huge company. I liked it in the small company, because I had freedom to do what was needed without much questions, and I was trusted to make the relevant decisions and purchases. Kind of a "Costs be damned, get it done in a reasonable amount of time" kind of arrangement.

When we came under the big corpo, we got an email instructing us to list all the software we used/needed, so that it could be added to the whitelist that big corpo worked with. Anything not in the whitelist simply couldn't run.

I gave them the list, but spoke to my on-shore It guy that out in the field we often needed to install something that we didn't need before on short notice, and waiting for a ticket to be resolved for an administrative matter had the potential to stop production.

They found it easier just to make an exception for my work PC. I just had to promise not to VPN in to the office while running "weird" stuff, otherwise the higher ups would get upset.

That's fine. I had my own VPN for only the stuff I needed anyway. I VPNed into offshore production systems on a daily basis. I needed to VPN I to the office once or twice. Plus in my book, the "main" VPN client is what I consider weird software. My shit was basically a wrapper around openvpn.

EDIT: To be fair, the huge corpo employer wasn't unreasonable. It was just so large with so many employees that strct security implementations were needed for IT to have some sort of control. I was technically also IT, but I only dealt with field equipment, so that IT could focus on "normal" stuff. They trusted me to handle my end, they handled theirs, and we usually cooperated fairly well when our systems "met".

“If you’re not paying for the product, then you are the product.”

The phrase has its uses, but shit like this is what happens when it's taken to the extreme.

I am becoming increasingly more appreciative of the fact that I have root access to "my" company provided work device.