Slashdot Mirror


Dealing with Corporate FUD About Linux?

Lumpy asks: "After this morning's IT conference call, Linux was once again attacked here in the company by the upper management as 'a threat' to our company security. With articles, like the recent one from Information Week, fueling the upper management with outdated information and half truths, how does an IT professional defend his position and educate upper managers to take those articles with a tiny grain of salt and trust their experts? Should we as professionals expect to be attacked for our decisions, even though Linux has proven itself (time and time again), for over 5 years in our company? How do you deal with all of the baseless claims, that your superiors may read in the mainstream media?"

5 of 300 comments

  1. my advice by kebes · Score: 5, Informative

    Be honest and matter-of-fact about it. Tell them the truth and hope that they are smart enough to realize how this will help the company.

    You can say impressive things without lying. For instance, you can say (if it happens to be true): "I trust Linux for my home computer and all my important files." That alone means a lot. Or you can say "if I were asked to place a $1000 bet on a computer OS that would run without getting infected with viruses or crashing for a whole year (while connected to the net!) I would place the bet on Linux instead of Windows."

    Or, you can point out other projects/companies. For instance, according to top500.org, in 2005, 390 of the top 500 super-computers were using Linux. That means that 78% of super-computers run Linux. For instance, the world's most powerful computer is IBM Blue Gene, and it uses Linux for its I/O nodes (more info here). Also, Google's gigantic, powerful, and distributed search engine runs using over 60,000 Linux machines (more info here, here, and on Google's Research page). The fact that big, complicated, and highly successful operations use Linux shows what it can do. In the case of Google, it shows that they trust it to deliver the security they need.

    You can urge them to get a second opinion. For instance, tell them to look over Secunia's report on Windows XP compared to Ubuntu 5.10.

    Ultimately, however, all you can do is provide them with an honest assessment of Linux' strengths and weaknesses, and point out in what ways the media reports are wrong. If they respect your opinion, then they'll make the right choice. If they refuse to listen to reason, then there is nothing you can do. People who are more interested in media sound-bites than expert discussion are essentially impossible to convince of anything they don't already believe. Don't waste your time, and don't buy company stock.

    1. Re:my advice by Reality Master 101 · Score: 4, Informative
      To be honest, you're not really thinking like a businessman, you're thinking like a programmer.

      You don't say "Home Depot" may go out of business in 5 years, and then use it as a reason that you will no longer be able to buy 2x4s.

      That's because Home Depot doesn't support the 2x4s for the foreseeable future. A better analogy is using them for their contractor services -- if anything goes wrong with your floor installation, you know Home Depot will be around to complain to.

      Open source. If push comes to shove, hire a person or two to fix what needs to be fixed, even if Torvalds is gored to death by angry reindeer.

      OSS advocates bring this up a lot, but what a business person hears when this is said is, "Yeah, they're admitting this business will be gone in a couple years, and then I'll have to go into the software business, and I don't freaking WANT to be in the software business. I want to sell my widgets. I'll go with someone that won't force me to be in the operating system business."

      Business types understand business, which comes down to money. If you want them to buy into something, then express how it either saves money, or produces more money. If you can't make that case, then maybe your argument isn't as strong as you think.

      --
      Sometimes it's best to just let stupid people be stupid.
  2. Give them reasons to switch by danmart · Score: 5, Informative

    Fight the FUD with benefits to the company for switching to linux. Here is a nice list of 25 reasons to use linux in your organization from the linux information project. They also have a list of success stories with links for companies that successfully switched to linux.

  3. "Could be..." by techno-vampire · Score: 2, Informative
    From TFA:

    Even that doesn't mean a business is completely out of the woods regarding Linux security. Customers could be using an unpatched Linux-based network-connected multifunction printer or have on their network an obscure tool that a programmer found on a Web site and is using unbeknownst to anyone, leaving the door open to problems. "All it takes is one mistake to open the entire enterprise up," warns Alan Paller, research director at the SANS Institute.

    There's a lot here about how something "could be" going on that's a security hole on a Linux box, but no mention that the same thing could just as easily be a security hole on a Windows box. There's also not one, single word about all the other things that could be security holes on Windows that don't affect Linux, such as opening attachments from strangers, browsing to the wrong website and so on. FUD, and nothing else.

    --
    Good, inexpensive web hosting
  4. I tried hard at the windows shop i was at by DaedalusHKX · Score: 4, Informative

    OLD NEWS
    Enough time has passed, I can now freely say this out loud about my previous employer :)

    Seems now, the fellow wanted me back, but was offering shitty pay, a few months ago that is.

    Overall, man said he was switching to linux, and they got contracts, where I'd have to even have TS clearance. I'd love to help move an entire half of a state's government machines to Linux but sadly, I'm NEVER working for that outfit again. I fear being entangled by contracts far too much. I also have bills to pay, taking a pay cut to go back to all the stress is simply not worth it. He wanted me bad enough to offer a raise, but he still couldn't match or promise me guaranteed employment.


    In regards to the topic at hand.

    Let them know about security, let them also know that what you hear from M$ salesmen is not necessarily true. Also, remind them TWO KEY TOPICS.

    TOPIC ONE
    Closed Source vendors only reveal the holes they are FORCED to reveal because they've received publicity, via exploits or proof of concept exploits. Open Source projects (see note1), on the other hand, publicize any holes and POSSIBLE holes and they usually have a MUCH faster turnaround for a patch and one that works, as we can all remember how well some of the M$ patches work.

    note1 notice I said projects vs vendors, OSS ppl don't sell you anything, you CHOOSE to use it, and nobody takes your lunchmoney because of it.

    TOPIC TWO
    Remember that the biggest issue with windows is that it was a one user system, non network aware, and designed for absolute integration. You cannot remove a component easily without breaking several (if not the entire system). Remind them also that the biggest issue with integration is that an attack only needs to target the lowest trusted component. This is why "userland" apps in linux behave differently than desktop apps in windows. Linux is, at heart, a Unix and so is BSD, and thus the Apple OS X, but that is another subject. Which means Linux is inherently a capable server, designed as such, and also designed to be modular, which means you can kill the front end, all of its subprocesses, and restart it, without rebooting the machine and killing any work any non front end users might have been doing via SSH or some other custom app you might have.

    Since most users have to work as local machine administrator, as opposed to domain administrator, Windows automatically allows the user to install software and modify any non domain specific settings. As should be obvious to anyone, the moment a user runs a virus or trojan, or spyware and what have you, the local machine admin has been compromised. Windows XP, even after many "fixes" to the well known "Shatter Attack" (see note2), STILL suffers from this vulnerability.

    note2 a windowed program with even a guest account with NO privileges can hijack any root process running inside another window. To this day winlogon is a system/root process that still suffers from this problem, and you cannot disable it and STILL use windows, there are slipstreamed cds with NO graphics console, but they are pure servers, and have to be command or remote administered, no pretty front end for users.

    In the end while Linux and BSD may have their flaws, at the very least they are more quickly fixed, the fixes are more than just a port block, like the Microsoft solution to Winnuke (which was a popular script kiddie port 139 icmp attack) or just plain lies (as is the case, apparently with the Shatter Attack). Granted for Shatter attacks to work, the user running the trojan must have guest access or better to the machine, or trick a legitimate user into running a compromised app but, heh, use your imagination. How often do foolhardy users run things they are not supposed to such as look at porn, download "bonzi buddy" or "weatherbug" or any such crap? Spyware and trojans get around via users themselves since real hackers have better things to do, like write code for linux ;-)

    ~D

    --
    " What luck for rulers that men do not think" - Adolf Hitler