Dealing with Corporate FUD About Linux?
Lumpy asks: "After this morning's IT conference call, Linux was once again attacked here in the company by upper management as 'a threat' to our company security. With articles like the recent one from Information Week fueling upper management with outdated information and half-truths, how does an IT professional defend his position and educate upper managers to take those articles with a tiny grain of salt and trust their experts? Should we as professionals expect to be attacked for our decisions, even though Linux has proven itself (time and time again) for over 5 years in our company? How do you deal with all of the baseless claims that your superiors may read in the mainstream media?"
Be honest and matter-of-fact about it. Tell them the truth and hope that they are smart enough to realize how this will help the company.
You can say impressive things without lying. For instance, you can say (if it happens to be true): "I trust Linux for my home computer and all my important files." That alone means a lot. Or you can say "if I were asked to place a $1000 bet on a computer OS that would run without getting infected with viruses or crashing for a whole year (while connected to the net!), I would place the bet on Linux instead of Windows."
Or, you can point out other projects/companies. For instance, according to top500.org, in 2005, 390 of the top 500 super-computers were using Linux. That means that 78% of super-computers run Linux. For instance, the world's most powerful computer is IBM Blue Gene, and it uses Linux for its I/O nodes (more info here). Also, Google's gigantic, powerful, and distributed search engine runs using over 60,000 Linux machines (more info here, here, and on Google's Research page). The fact that big, complicated, and highly successful operations use Linux shows what it can do. In the case of Google, it shows that they trust it to deliver the security they need.
You can urge them to get a second opinion. For instance, tell them to look over Secunia's report on Windows XP compared to Ubuntu 5.10.
Ultimately, however, all you can do is provide them with an honest assessment of Linux's strengths and weaknesses, and point out in what ways the media reports are wrong. If they respect your opinion, then they'll make the right choice. If they refuse to listen to reason, then there is nothing you can do. People who are more interested in media sound-bites than expert discussion are essentially impossible to convince of anything they don't already believe. Don't waste your time, and don't buy company stock.
These were the other topics on the conference call
-Reminder to keep up with the latest COBOL and FORTRAN standards. Sharpen those programming skills.
-A notice that the Data General minicomputer is going to have its batches put onto the new IBM System 36.
-A work crew is going to be on floor 3 pulling Arcnet cable through the walls. Since there's asbestos in the walls, it may be disturbed. Hint: a lint brush can take asbestos right off your suit if some should land on you.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Powerpoint. Like it or not, if upper-management sees it in Powerpoint then it is the God's truth.
One never knows when one might need a rotten tomato... - King's Quest IV: Heir Today, Gone Tomorrow
Title from TFA: "A report warns of security vulnerabilities, raising the question of whether the open-source model can provide bullet-proof software"
What you might say: We get reports of security vulnerabilities on Microsoft products on a weekly basis, and there is unfortunately no such thing as bullet-proof software. Just recently Microsoft opted not to release an automatic update related to a virus before the virus went active, which would indicate that, contrary to what comes out of the PR department, Microsoft's commitment to security is not significant.
(I know the last sentence can be somewhat deceptive and there's more to the story, but if they're going to flap their lips when they're clueless, I doubt they'll catch it).
Wrap up with: No, Linux isn't perfect. There is a risk of vulnerability in every product. Microsoft, Apple, Unix, Linux, all of them carry some risk. It's our job to assess the risks and find the safest, most secure software that meets the company's productivity needs. It's what we do every day.
120 characters for a sig? That's bloody useless.
Hold your ground and respectfully disagree. Then seek out reputable reports backing up your position. If you are right and you respectfully, calmly and clearly explain why to others you will almost always prevail.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
If your upper management is still believing FUD about Linux after all this time, there's nothing you're going to say to them to dissuade them. These guys just like believing garbage. You say you've been using Linux for 5 years in the business, so someone must believe in it. Just ignore what the upper management is saying, since it doesn't sound like they're micro-managing things down to the level of "we aren't using Linux, period". Continue to make the right decisions about what OS to use and justify them with good evidence. Don't worry about the personal opinions of upper management, since they shouldn't be making those technical-level decisions, and they should know that.
On a personal note, at one job I had the CTO once said "we'll never use Linux in the Enterprise". About one year later we were running ten low-end Linux servers to replace a single, very poorly performing AIX machine. The CTO ate his words and admitted the mistake. A lot of these guys just like to talk big so people think they know what they're talking about.
AccountKiller
"Linux has proven itself (time and time again) for over 5 years in our company? How do you deal with all of the baseless claims that your superiors may read in the mainstream media?"
Show them the proof within your own company. If it's proven itself within the company already, then don't direct them to outside reports showing how great Linux is. Gather data proving how great it's been within the company. If you can show remote break-in statistics, for example, and no one has ever gotten in, you can show it's great at preventing break-ins. Management will care most about what's happening at their own company. Show exact proof that it's working there.
Developers: We can use your help.
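The post above suggests gathering in-house break-in statistics rather than citing outside reports. As an added example (not code from the post or from any project it mentions), here is a small Python script that does that for one common data source: it parses OpenSSH syslog lines, counts failed password attempts per source address, counts accepted logins, and flags any password login that followed a burst of failures from the same address, which is the basic "did a brute-force attempt ever succeed" question a manager will ask. The log lines are constructed for the example, and the three-failure threshold is an assumption you would tune to your own environment.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH syslog lines for illustration; not real traffic.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web1 sshd[4711]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:04 web1 sshd[4711]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:09 web1 sshd[4713]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:12:15 web1 sshd[4715]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  3 09:12:20 web1 sshd[4717]: Failed password for root from 203.0.113.7 port 51032 ssh2
Mar  3 09:12:26 web1 sshd[4719]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Mar  3 10:30:12 web1 sshd[4802]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2: RSA SHA256:abc
Mar  3 11:02:44 web1 sshd[4890]: Failed password for invalid user oracle from 198.51.100.23 port 33021 ssh2
Mar  3 11:05:01 web1 sshd[4902]: Accepted publickey for deploy from 192.0.2.10 port 40130 ssh2: RSA SHA256:abc
"""

# Standard OpenSSH message formats; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+"
)


def summarize_ssh_auth(log_text, threshold=3):
    """Return break-in statistics for a block of sshd syslog text.

    threshold (assumed value) is the number of prior failed password attempts
    from an address after which a successful password login from that address
    is treated as a possible brute-force success and listed as suspicious.
    """
    failed_by_ip = Counter()
    accepted = []    # (method, user, ip) in log order
    suspicious = []  # (user, ip, prior_failures)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((method, user, ip))
            # Key-based logins are not brute-forceable by password guessing,
            # so only a password login after repeated failures is flagged.
            if method == "password" and failed_by_ip[ip] >= threshold:
                suspicious.append((user, ip, failed_by_ip[ip]))
    return {
        "failed_attempts": sum(failed_by_ip.values()),
        "failed_by_ip": dict(failed_by_ip),
        "accepted_logins": len(accepted),
        "password_logins": sum(1 for m, _, _ in accepted if m == "password"),
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    stats = summarize_ssh_auth(SAMPLE_AUTH_LOG)
    print(f"failed attempts:   {stats['failed_attempts']} from {len(stats['failed_by_ip'])} addresses")
    print(f"accepted logins:   {stats['accepted_logins']} ({stats['password_logins']} by password)")
    for user, ip, n in stats["suspicious_logins"]:
        print(f"SUSPICIOUS: password login as {user} from {ip} after {n} failures")
```

Run it against a real /var/log/auth.log (or the journal output for sshd) instead of the constructed sample to produce the per-month numbers the post is talking about; on the sample it reports six failed attempts, three accepted logins, and one suspicious password login as root, which is exactly the kind of event the statistics exist to surface.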
Ask them if they've ever read a media story about something they knew a lot about. Ask them how much of it the media got right. Ask them why they think it would be any different with respect to IT.
-- Alastair
Honestly, I have never really had a problem with the FUD. There are so many articles and studies surrounding Linux that it's fairly simple to dig up better studies, or facts showing why the biased ones are biased. Or you can simply do demonstrations. The tricky one for me is the more experienced/educated users. Windows admins that have been doing it for some years are much harder to convince of the merits of any *nix-based OS. I know a lot of /. folks don't like to think about it... but there really are some very sharp people that only use Windows. Most of the ones I run into latch on to one little gem of Windows knowledge and tout that they are experts, but I have run into quite a few that really do understand the ins and outs of that operating system very well and can get it to do impressive things through registry manipulations and other things.
The only change I can believe in is what I find in my couch cushions.
Of course, the facts won't be found on your average MS website. Simply add to your blog, journal or whatever. Also, I'd suggest you start hosting "open source" and "Linux" seminars during lunch. I've done it. In the past year or so, we've gone from zero Linux servers (out of several hundred) to twelve full-time production RHE servers. I know it is a small amount, but it is a start.
The Kai's Semi-Updated Website Thingy
The so-called analysts are NOT. Plus, there's the SELinux distribution promoted by the NSA, and it's as secure as Fort Knox. (well that's what you can say. And certainly your boss can't contradict the NSA, can he? ;-) )
Fight the FUD with benefits to the company for switching to linux. Here is a nice list of 25 reasons to use linux in your organization from the linux information project. They also have a list of success stories with links for companies that successfully switched to linux.
At the company I used to work for there is no way any IT managers would mention Linux to their peers and no way that we would ever get any budget money for anything "Linux". But, as old servers were replaced or other PCs became available our department slowly started creating small, useful web apps, MySQL databases, etc. Eventually these apps made their usefulness expand beyond the IT department into the other departments.
As these users (managers, etc.) began to see the usefulness and robustness of these solutions eventually they learned that they were low cost, very stable and flexible solutions that helped the corporation. Oh, and BTW they eventually learned that they were Linux servers. They immediately gained respect.
"A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
Nobody ever got fired for buying from IBM.
:)
Simple as that: IBM is pushing it. Linux is so not fringe anymore that anyone with a brain knows that it is a viable alternative for servers.
Companies that sell Linux distributions and offer support.
RedHat
Novell
Companies that sell servers with Linux installed.
IBM
Dell
SGI
Sun
Companies that use Linux
IBM
Google
Oracle
The idea that Linux is some kind of hippie hacker commune is so 90s...
There might be good reasons for your company not to use Linux, but security really isn't one of them. If it is, you should probably be running OpenVMS or OS/400. I dare someone to hack that.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
OLD NEWS :)
;-)
Enough time has passed, I can now freely say this out loud about my previous employer
Seems now the fellow wanted me back, but was offering shitty pay; that was a few months ago.
Overall, the man said he was switching to Linux, and they got contracts where I'd have to even have TS clearance. I'd love to help move an entire half of a state's government machines to Linux, but sadly, I'm NEVER working for that outfit again. I fear being entangled by contracts far too much. I also have bills to pay; taking a pay cut to go back to all the stress is simply not worth it. He wanted me badly enough to offer a raise, but he still couldn't match or promise me guaranteed employment.
In regards to the topic at hand.
Let them know about security, and let them also know that what you hear from M$ salesmen is not necessarily true. Also, remind them of TWO KEY TOPICS.
TOPIC ONE
Closed-source vendors only reveal the holes they are FORCED to reveal because they've received publicity, via exploits or proof-of-concept exploits. Open-source projects (see note 1), on the other hand, publicize any holes and POSSIBLE holes, and they usually have a MUCH faster turnaround for a patch, and one that works, as we can all remember how well some of the M$ patches work.
Note 1: notice I said projects vs. vendors. OSS people don't sell you anything; you CHOOSE to use it, and nobody takes your lunch money because of it.
TOPIC TWO
Remember that the biggest issue with Windows is that it was a one-user system, non-network-aware, and designed for absolute integration. You cannot remove a component easily without breaking several (if not the entire system). Remind them also that the biggest issue with integration is that an attack only needs to target the lowest trusted component. This is why "userland" apps in Linux behave differently than desktop apps in Windows. Linux is, at heart, a Unix, and so is BSD, and thus Apple's OS X, but that is another subject. This means Linux is inherently a capable server, designed as such, and also designed to be modular, which means you can kill the front end, all of its subprocesses, and restart it, without rebooting the machine and killing any work that non-front-end users might have been doing via SSH or some other custom app you might have.
Since most users have to work as local machine administrator, as opposed to domain administrator, Windows automatically allows the user to install software and modify any non-domain-specific settings. As should be obvious to anyone, the moment a user runs a virus, trojan, spyware or what have you, the local machine admin has been compromised. Windows XP, even after many "fixes" to the well-known "Shatter Attack" (see note 2), STILL suffers from this vulnerability.
Note 2: a windowed program, even under a guest account with NO privileges, can hijack any root process running inside another window. To this day winlogon is a system/root process that still suffers from this problem, and you cannot disable it and STILL use Windows. There are slipstreamed CDs with NO graphics console, but they are pure servers and have to be command-line or remotely administered; no pretty front end for users.
In the end, while Linux and BSD may have their flaws, at the very least they are more quickly fixed, and the fixes are more than just a port block, like the Microsoft solution to WinNuke (which was a popular script-kiddie port 139 ICMP attack), or just plain lies (as is the case, apparently, with the Shatter Attack). Granted, for Shatter attacks to work, the user running the trojan must have guest access or better to the machine, or trick a legitimate user into running a compromised app, but, heh, use your imagination. How often do foolhardy users run things they are not supposed to, such as looking at porn, downloading "Bonzi Buddy" or "WeatherBug" or any such crap? Spyware and trojans get around via users themselves, since real hackers have better things to do, like write code for Linux.
~D
" What luck for rulers that men do not think" - Adolf Hitler
Google is "free" to use as a search engine, but any company that can "report revenue of $1.919 billion" for a single quarter can probably afford to pay the staff. I wouldn't advise asking your CEO when he last made almost two billion in a four month timespan, though.
Linux is "free" (as in price) if you get no assurance and minimal support. If, on the other hand, you want EAL4-rated Linux (certified for commercially-sensitive and confidential information for Government use in Europe and the US) with 24-hour support, fine-tuning of hardware and software, etc, then you pay a bit more. Same software, different parameters.
I'd argue that there are examples even the dimmest PHB can understand: some have been around long enough to just be accepted, others are so stinking rich that the arguments self-evidently don't hold.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
When selling Linux to corporate america, you just CAN'T do it using geek speak.
Managers use the same english words, but when you are a manager, your goal is to confuse and misdirect. NEVER take what a manager says literally, or try to respond to it logically. Managers make decisions based purely upon gut feeling and emotional reaction, then rationalize the decisions with vaguely related reports and misapplied studies.
Here are some simple translations:
Management Speak(M) to Engineerish(E)
1M) I'm concerned about linux security
1E) I don't understand Linux and it makes me feel insecure
2M) I've heard that Linux has security problems
2E) A rival vendor's sales rep in an expensive suit told me Linux has security problems; I need someone in a more expensive suit to tell me he was wrong
3M) No one supports Linux
3E) If a Linux server crashes there is no Linux sales rep to yell at and blame it on
4M) I need more data
4E) I want the information reduced to PowerPoint slides and presented by someone with a nice butt in tight-fitting clothes (gender varies)
5M) Let's discuss the issues involved
5E) I'm afraid to make a decision until the whole industry stampedes in that direction
6M) Is this the right business decision?
6E) Can I be fired for doing this?
"Sic Semper Path of Least Resistance"
I know it takes 10 times as many 'doze boxes to do the work of one UNIX server, but 10 Linux boxes? That must have been a heck of an AIX machine.
you had me at #!
5 years ago, when Bush came into office, he stopped the FBI from giving out information about cracked systems except where required by law (basically, if a customer's CC is stolen). Just before that, a friend and I were going to start a web site that tracked these and then showed the relative risk to users. Since 40% of the https space was Windows, you should expect somewhere around 40% of all the stolen CCs. But it turned out that Windows accounted for more than 99% of all stolen CCs (and this was in 2002; I think that Windows now accounts for about 1/3 of https space).
So, pick up the report from Netcraft that shows the % of OS on the https sites (you have to pay for it). Then go to news.com and look for all the past stories of stolen CCs. All of the ones that I checked for the last couple of years turned out to be Windows (more than a hundred over the last 5 years).
Here is one other interesting test. Look at the Netcraft results for all the major banks and CC shops. Then look at all the CC processing sites that lost hundreds of thousands of CCs. A few of the processing sites that were cracked (one in Arizona, Florida, and Nebraska) were running MS. Yet the CC companies run *nix. Says a lot right there.
I prefer the "u" in honour as it seems to be missing these days.
By using Linux, I'm saving money on installation costs, CALs and registration fees. I've trimmed down my development costs by using Eclipse. No more helpdesk ADO/MDAC version issues that cost money to support.
:(
I've also saved a boatload of cash by switching the sales/marketing team to OpenOffice. We output all our client documentation using the OpenOffice PDF print driver.
With the savings, we hired two new programmers and have doubled our marketing budget so more people know about our products. We have one Windows machine left in accounting for Quicken.
Food for thought.
Enjoy.
It's just the normal noises in here.
First they hire you as a professional, then they treat you as an ignoramus. This can't be. Tell the suit that if he doesn't trust your judgement, the very one he hired you for, he should resign, giving his own bad judgement as the reason.