Slashdot Mirror
Fighting Claims That Open Source Is Insecure?
Lumpy asks: "Lately there has been a HUGE push by Certified Microsoft Professionals and their companies to call clients and warn them of the dangers of open source. This week I received calls from 4 different customers that they were warned that they are dangerously insecure because they run Open Source Operating systems or Software because 'anyone can read the code and hack you with ease' they are being told. Other colleagues in the area also have noticed this about 3 Microsoft Partners or so they claim have been going out of their way to strike fear of OSS in companies that respond with 'yes we use Open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies that will remain nameless, but how do I fix the damage caused by these sales tactics? I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
I think one of the most powerful ways to demonstrate open source is to show people how much they are using without even knowing it.
On a couple of occasions I've spoken to IT people who have said things like "we'd never touch open source because..." and then I've been able to point out multiple ways they use it without realising it. If they use google, if they use email, if they use many websites, then they're using open source software. Many bits of hardware contain open source code (wifi boxes for instance). Many companies are using Apache for their web sites without realising it.
Another good argument is just to spout off a list of Fortune 500 companies who use open source to run their websites. "it's secure enough for IBM, but not secure enough for you?" is the type of argument that's difficult to counter. Very often they just don't know much about it.
The problem you have to fight in people who say things like "open source is insecure" is their ignorance.
"'anyone can read the code and hack you with ease'"
Likewise, anyone can read the code and repair it with ease.
High-profile projects run by responsible people will benefit from the "many eyeballs" approach and be better quality than if they were closed-source run by a team of a few or dozens of people.
The FUDsters do have a point when it comes to out-of-date or low-profile software:
If an adversary knows YOU run last-year's version of apache or that you run some obscure open-source database on your web site, they can find and exploit bugs that are either already fixed or that nobody else is looking for.
The moral of the story:
1) Stay current with security patches
2) Hide what you use from the adversary. If they don't know you run ObscureWebServer 1.0, they don't know to try attacking it first. Keep them guessing.
3) Make sure the official vendor/caretaker takes reports of security breaches seriously and is willing to consider patches from the community
above all,
4) Don't depend on your software's security to protect your assets. Make sure you have good backups. Train your employees against social engineering attacks.
Security is but one of many factors that go into the open/closed source decision.
For me, two of the biggest factors are:
1) if the product is abandoned or sunsetted, I can maintain it myself or hire someone to maintain it
2) If I don't care about paid-for support, I can use the product on as many machines as I want without worrying about "product activation" or getting sued.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Open Source knows the source is going to be open. So the security model starts from knowing that will be the case.
Closed Source security thinks that no-one else knows what is in there. THINKS being the operative word. Maybe they've worked on that assumption, and just obscured the holes rather than fixed them. Maybe they've left some deliberate backdoors, on the grounds that no-one else knows they are there. Possibly not, but you don't know that.
The MS people are correct to say that it is easier to construct an exploit for one category of security hole if you've got the source. But that means that those sorts of holes don't get built in the first place.
"I Know You Are But What Am I?"
saying that software is 100% bug free, or not exploitable is a complete fallacy.
all software has bugs in it, there is no such thing as a completely secure application.
the point of open source software is the more eyes you have looking at code, the easier it is to find and patch these bugs...
the problem with closed source software is that the bugs aren't easily as found, and certainly not easy to patch, especially since only few have access to the source. So while the bugs exist, they go unfound, generally found first by some obscure hacker who may or may not have the best intentions.
To answer the articles question you have to point out the shortcomings of all programs, and that for ever malicious hacker scanning source code to determine flaws in any given open source project, there will most likely be any number more of benevolent people trying to stop him.
I find what Adobe said about software development for Linux simply being hard more interesting than the security question. My experience has been that most people expect any platform to not be as secure as they'd like the same way they've expected their computers to not be as stable as they'd like. The thing they need is good software and now Adobe is pointing out that writing and maintaining software for Linux is difficult because, despite some good efforts, there still is no standard definition for what a linux system is or contains...
Reality is nothing but a collective hunch.
I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security.
Try IBM,
http://www-1.ibm.com/linux/opensource/
Download some of the report PDFs and send them to your clients.
This week I received calls from 4 different customers that they were warned that they are dangerously insecure because they run Open Source Operating systems or Software because 'anyone can read the code and hack you with ease' they are being told.
I'd have your sales rep call your clients and let them know that your company shares thier concern. At the same time remind them of SQL Slammer, Code Red, Melissa, Blaster, etc. Point out all the other companies using OSS products, Google, Wall Street, etc.
Of course I'm just a programmer, so take my comments with a grain of salt.
Enjoy,
It's just the normal noises in here.
The fountain of knowledge that is Wikipedia has this article, http://en.wikipedia.org/wiki/The_Cathedral_and_the _Bazaar, which is interesting. Its an essay/book about open source development, and there is a link to the full text in the WP article. There's a chapter about why open development is good (from a quick look at te text), and I know I've read similar-minded texts on sites like gnu.org and fsf.org, but was unable to find them. I think Cory Doctorow has written some good articles about secrets and the management of them, but I think his are more DRM musings, though the same principles apply to proprietry software vs. open software.
Articles about why SSH etc. are secure, even though their inner workings are wide open to the world, may be helpful too.
Car analogies break down.
One word:
botnets
Then you can explain how it's actually the closed source OS that is the most damaging.
Hell, just show them some apache logs that are still constantly being hit by things like IIS servers still infected with Sasser, years after it should have been eradicated.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Along with any number of other good answers, I'd also point out that Microsoft has a very poor security track record and is hardly in a position to be making ominous threats about other people's security.
Here's a search for "Microsoft" on the Open Source Vulnerability Database. ("Open Source" here refers to the nature of the database, not covering only open source products.) Pop in any other large closed-source vendor you can think of and you'll find something. ("Oracle" is another personal favorite. It may have "Enterprise-class" performance, which I can't vouch for either way having never used it, but it sure doesn't have "Enterprise-class" security.)
I think the main problem with the implied argument is that you don't need source code to find security vulnerabilities (in fact it might not even be helpful given the other cracking techniques you can use), but you do need it to fix them, with rare exceptions.
You can also point out that, when bugs are found, they tend to be fixed very rapidly, frequently within hours of their discovery. Since the source code is available to everyone, anyone affected can create an update to fix the problem. This happens exceedingly rarely in the closed-source world, despite the large numbers of bugs encountered.
PHEM - party like it's 1997-2003!
You might say, yes yes, I know about all that, but you can't actually do that in practice. I would bet, though, that some of the early electronic calculators were proven correct. The people making them in the very beginning were probably interested in such things. Perhaps some apps running on MIT LISP machines were also proven (LISP is easiest to prove, and the MIT AI lab people are the type to do it), although in this case it is unlikely that the entire platform up to the app was also proven. So it is not so cut and dried as to allow you to say that there are no completely secure apps. Reasonable, useful apps today, probably none are completely secure, since I doubt that any kernels are completely secure if for no other reason. But nonetheless, it is possible to have 100% bug free, 100% secure software.
SIGSEGV caught, terminating
wait... not that kind of sig.