Slashdot Mirror


Dealing with Corporate FUD About Linux?

Lumpy asks: "After this morning's IT conference call, Linux was once again attacked here in the company by upper management as 'a threat' to our company security. With articles like the recent one from Information Week fueling upper management with outdated information and half-truths, how does an IT professional defend his position and educate upper managers to take those articles with a tiny grain of salt and trust their experts? Should we as professionals expect to be attacked for our decisions, even though Linux has proven itself (time and time again) for over 5 years in our company? How do you deal with all of the baseless claims that your superiors may read in the mainstream media?"

8 of 300 comments

  1. my advice by kebes · Score: 5, Informative

    Be honest and matter-of-fact about it. Tell them the truth and hope that they are smart enough to realize how this will help the company.

    You can say impressive things without lying. For instance, you can say (if it happens to be true): "I trust Linux for my home computer and all my important files." That alone means a lot. Or you can say "if I were asked to place a $1000 bet on a computer OS that would run without getting infected with viruses or crashing for a whole year (while connected to the net!) I would place the bet on Linux instead of Windows."

    Or, you can point out other projects/companies. For instance, according to top500.org, in 2005, 390 of the top 500 super-computers were using Linux. That means that 78% of super-computers run Linux. For instance, the world's most powerful computer is IBM Blue Gene, and it uses Linux for its I/O nodes (more info here). Also, Google's gigantic, powerful, and distributed search engine runs using over 60,000 Linux machines (more info here, here, and on Google's Research page). The fact that big, complicated, and highly successful operations use Linux shows what it can do. In the case of Google, it shows that they trust it to deliver the security they need.

    You can urge them to get a second opinion. For instance, tell them to look over Secunia's report on Windows XP compared to Ubuntu 5.10.

    Ultimately, however, all you can do is provide them with an honest assessment of Linux's strengths and weaknesses, and point out in what ways the media reports are wrong. If they respect your opinion, then they'll make the right choice. If they refuse to listen to reason, then there is nothing you can do. People who are more interested in media sound-bites than expert discussion are essentially impossible to convince of anything they don't already believe. Don't waste your time, and don't buy company stock.

    1. Re:my advice by Reality+Master+101 · Score: 4, Informative
      To be honest, you're not really thinking like a businessman, you're thinking like a programmer.

      You don't say "Home Depot" may go out of business in 5 years, and then use it as a reason that you will no longer be able to buy 2x4s.

      That's because Home Depot doesn't support the 2x4s for the foreseeable future. A better analogy is using them for their contractor services -- if anything goes wrong with your floor installation, you know Home Depot will be around to complain to.

      Open source. If push comes to shove, hire a person or two to fix what needs to be fixed, even if Torvalds is gored to death by angry reindeer.

      OSS advocates bring this up a lot, but what a business person hears when this is said is, "Yeah, they're admitting this business will be gone in a couple years, and then I'll have to go into the software business, and I don't freaking WANT to be in the software business. I want to sell my widgets. I'll go with someone that won't force me to be in the operating system business."

      Business types understand business, which comes down to money. If you want them to buy into something, then express how it either saves money, or produces more money. If you can't make that case, then maybe your argument isn't as strong as you think.

      --
      Sometimes it's best to just let stupid people be stupid.
  2. Give them reasons to switch by danmart · Score: 5, Informative

    Fight the FUD with benefits to the company for switching to Linux. Here is a nice list of 25 reasons to use Linux in your organization from the Linux Information Project. They also have a list of success stories with links for companies that successfully switched to Linux.

  3. "Could be..." by techno-vampire · Score: 2, Informative
    From TFA:

    Even that doesn't mean a business is completely out of the woods regarding Linux security. Customers could be using an unpatched Linux-based network-connected multifunction printer or have on their network an obscure tool that a programmer found on a Web site and is using unbeknownst to anyone, leaving the door open to problems. "All it takes is one mistake to open the entire enterprise up," warns Alan Paller, research director at the SANS Institute.

    There's a lot here about how something "could be" going on that's a security hole on a Linux box, but no mention that the same thing could just as easily be a security hole on a Windows box. There's also not one, single word about all the other things that could be security holes on Windows that don't affect Linux, such as opening attachments from strangers, browsing to the wrong website and so on. FUD, and nothing else.

    --
    Good, inexpensive web hosting
  4. I tried hard at the Windows shop I was at by DaedalusHKX · Score: 4, Informative

    OLD NEWS
    Enough time has passed, I can now freely say this out loud about my previous employer :)

    Seems now, the fellow wanted me back, but was offering shitty pay, a few months ago that is.

    Overall, man said he was switching to Linux, and they got contracts where I'd have to even have TS clearance. I'd love to help move an entire half of a state's government machines to Linux, but sadly, I'm NEVER working for that outfit again. I fear being entangled by contracts far too much. I also have bills to pay; taking a pay cut to go back to all the stress is simply not worth it. He wanted me bad enough to offer a raise, but he still couldn't match or promise me guaranteed employment.


    In regards to the topic at hand.

    Let them know about security, and let them also know that what you hear from M$ salesmen is not necessarily true. Also, remind them of TWO KEY TOPICS.

    TOPIC ONE
    Closed Source vendors only reveal the holes they are FORCED to reveal because they've received publicity, via exploits or proof of concept exploits. Open Source projects (see note 1), on the other hand, publicize any holes and POSSIBLE holes, and they usually have a MUCH faster turnaround for a patch, and one that works, as we can all remember how well some of the M$ patches work.

    Note 1: notice I said projects vs. vendors; OSS ppl don't sell you anything, you CHOOSE to use it, and nobody takes your lunch money because of it.

    TOPIC TWO
    Remember that the biggest issue with Windows is that it was a one-user system, non network aware, and designed for absolute integration. You cannot remove a component easily without breaking several (if not the entire system). Remind them also that the biggest issue with integration is that an attack only needs to target the lowest trusted component. This is why "userland" apps in Linux behave differently than desktop apps in Windows. Linux is, at heart, a Unix, and so is BSD, and thus Apple OS X, but that is another subject. Which means Linux is inherently a capable server, designed as such, and also designed to be modular, which means you can kill the front end, all of its subprocesses, and restart it, without rebooting the machine and killing any work any non front end users might have been doing via SSH or some other custom app you might have.

    Since most users have to work as local machine administrator, as opposed to domain administrator, Windows automatically allows the user to install software and modify any non domain specific settings. As should be obvious to anyone, the moment a user runs a virus or trojan, or spyware and what have you, the local machine admin has been compromised. Windows XP, even after many "fixes" to the well known "Shatter Attack" (see note 2), STILL suffers from this vulnerability.

    Note 2: a windowed program, even one running under a guest account with NO privileges, can hijack any root process running inside another window. To this day winlogon is a system/root process that still suffers from this problem, and you cannot disable it and STILL use Windows; there are slipstreamed CDs with NO graphics console, but they are pure servers and have to be command- or remote-administered, with no pretty front end for users.

    In the end, while Linux and BSD may have their flaws, at the very least they are more quickly fixed, and the fixes are more than just a port block, like the Microsoft solution to Winnuke (which was a popular script kiddie port 139 icmp attack), or just plain lies (as is the case, apparently, with the Shatter Attack). Granted, for Shatter attacks to work, the user running the trojan must have guest access or better to the machine, or trick a legitimate user into running a compromised app, but, heh, use your imagination. How often do foolhardy users run things they are not supposed to, such as look at porn, download "bonzi buddy" or "weatherbug" or any such crap? Spyware and trojans get around via users themselves, since real hackers have better things to do, like write code for Linux ;-)

    ~D

    --
    " What luck for rulers that men do not think" - Adolf Hitler
  5. CERT Vulnerability Stats are BS by Anonymous Coward · Score: 1, Informative

    This was debunked quickly.
    http://www.groklaw.net/article.php?story=20051231142317870
    They are using those numbers as the basis of their argument that Linux is becoming less secure. Those numbers are not just for Linux but also AIX, Apple, FreeBSD, Solaris, Linux, and a few more OSes. Also the list has a ton of flaws counted more than once.

  6. Keep upper management updated, business style... by Anonymous Coward · Score: 1, Informative

    Take note of all of his points and the points from the article, and then email upper management your regular "security synopsis", making sure you address all those points. You could make him aware during the meeting that you have read that article and that your systems are already secured against the issues raised. But don't attack the credibility of the publication, story or author; it could be embarrassing for him. The security synopsis shouldn't look like a rebuttal, but rather a professional and never emotional business document. You should let upper management slowly come to the conclusion themselves that the publication is hype, once they see that, time and time again, you can show that the points of the stories do not apply to your setup.

    Make sure you read what he reads and include those security issues in your regular security synopsis which you send well in advance (days) of these meetings which upper management attend. He will be less likely to address something as being an issue if you have already addressed it as being irrelevant. There will be less egg on face if he is the hysterical type and you won't be in a position where you have to get him to back down from something he said to the firm.

    I should not need to mention regular updates to management, because it should be a given. Management needs the info so that they can manage the big picture. If you don't give them the info, then they go looking for it in the best places they know. And since they're not techie types, that's publications put out with advertiser interests. Microsoft advertises a LOT in the sorts of publications that management reads.

  7. Re:I'd rather admin one than ten by Anonymous Coward · Score: 1, Informative

    I know it takes 10 times as many 'doze boxes to do the work of one UNIX server, but 10 Linux boxes? That must have been a heck of an AIX machine.

    The p595 supports up to 64 processors, 2 TB of memory and hundreds of PCI-X slots. AIX 5 supports both 2 and 10GB Fibre Channel interfaces as well as InfiniBand. The whole system can run 64-bit from end to end. Multipathing works correctly. The VFS features in AIX work. JFS2 is reliable and offers decent performance. IBM's HACMP solution isn't pretty, but it works.

    Linux doesn't offer any 64-bit Fibre Channel HBAs because the hardware isn't available. Multipathing on Linux is far from production ready. The core filesystem abstraction in Linux is incapable of addressing connectivity issues. EMC's PowerPath stuff looks like it might help with this, but it doesn't appear to completely solve the problems. None of the VFS solutions on Linux appear to really work as advertised. JFS on Linux is ok, but the other options suck. ext3's performance is lacking, xfs has known data-loss issues with large filesystems under crash conditions, and reiser4 is a long way from production ready. I'm not aware of any solution which provides HA failovers on Linux, although both Xen and VMware are talking about doing it in their next major release.

    I guess it depends what you're doing with the boxes. We run highly available, high transaction rate, medium size (about 100GB) postgresql databases for OLTP. AIX on pSeries has helped us reach 4x9s availability. SuSE Linux on quad Opterons had acceptable performance for smaller databases, but we couldn't get it to deliver the availability.

    That being said, I'd bet on Linux boxes for networking stuff or applications where you could use clustering.