Slashdot Mirror


Fighting Claims That Open Source Is Insecure?

Lumpy asks: "Lately there has been a HUGE push by Certified Microsoft Professionals and their companies to call clients and warn them of the dangers of open source. This week I received calls from 4 different customers saying they had been warned that they are dangerously insecure because they run Open Source operating systems or software, because 'anyone can read the code and hack you with ease', they are being told. Other colleagues in the area have also noticed this; about 3 Microsoft Partners (or so they claim) have been going out of their way to strike fear of OSS in companies that respond with 'yes, we use Open Source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, which will remain nameless, but how do I fix the damage caused by these sales tactics? I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"

4 of 84 comments

  1. Security through obscurity is no security at all by TheWoozle · · Score: 4, Interesting

    Ask your customer a simple question in reply:

    Does the fact that closed-source software hides its defects mean that it doesn't have any defects?

    Or, how about the really important one:

    Would you rather be at the mercy of your vendors to disclose (against their own self-interest) and fix security issues (on their own timetable); or would you rather have a multitude of people, who are dedicated to the values of openness and transparency, constantly striving to keep open source software as secure as possible?

    --
    Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
  2. bank vault example by 192939495969798999 · · Score: 2, Interesting

    Here's an example with bank vaults. Suppose I have two identical-looking bank vaults, one showing the schematic and one hiding it. Which one can you exploit more easily? The vault showing the schematic has nothing to hide... if it's secure, then seeing the schematic doesn't make getting through a foot of steel any easier. However, the one not showing the schematic might have reason not to show it from a security standpoint, e.g. that little screw in the back of the vault that, if you just were to unscrew it, would let you break in. Whether the system is strong or weak, open source will expose that. So from a security standpoint, your system's strength doesn't lie in its obscurity; it lies in your ability to disclose exactly what it is doing and still not be compromising its security.

    Strong security discloses the facts, e.g.: "here's the pile of money, and there's the guy that will shoot you if you try to take the money."

    --
    stuff |
  3. If you want to be substantive by hey! · · Score: 3, Interesting

    then simply note that the assumption being made is that all software is flimsy. The point of open source is to subject software to examination so that it is strengthened.

    Here's a good analogy. If I walk into my local bank branch, I can see the bank vault behind the tellers. The massive, foot-thick steel door stands wide open, and if you look, you can see the network of gears and lever bars that are needed for a person of ordinary strength to drive home the dozen massive two-inch hardened steel bolts that secure the vault when locked.

    Now, the design of the door mechanism might be useful information for me if I wanted to break into the vault. The bank is placing this information in full view in part to reassure its customers. But it also deters people like me from even trying. Yes, it reveals potential vulnerabilities, but on balance the message to me is that there are more practical ways to make a buck.

    Being confident enough to expose your vulnerabilities is a good sign, not a bad one.

    Hiding vulnerabilities is not a sign of strength. If the customer can't see for himself, or through an agent, that a piece of software is secure, why bother making it secure? And hiding source code doesn't hide vulnerabilities. A burglar can make use of floor plans if he has them, but not having floor plans is no deterrent. Furthermore, unlike you, hackers can reverse engineer the source code, so the only party left in the dark is you.

    Here's a good question to ask: has the software vendor subjected his product to a responsible and independent third-party security audit? Why not? Companies disclose source code all the time under NDA, so there's no risk there. And it isn't expensive in the grand scheme of things, unless the audit reveals the software to be so insecure that the vendor has to throw a lot of it out.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  4. Peoplesaywhat? by HomelessInLaJolla · · Score: 3, Interesting

    > because 'anyone can read the code and hack you with ease' they are being told

    Hm. In the open source arena, if someone is reading your code, they've obtained it legally. Most people who read OSS code do so to improve the code, not specifically for the purpose of creating a full-fledged exploit with it.

    In the Windows world, if someone is reading your code then they are either: 1. an employee of Microsoft or 2. someone who stole the code. In the first case they're ethically barred (not supposed to. *ahem*) from using their corporate knowledge to hack you. In the second case they've already established themselves as a criminal.

    Which situation makes you feel more comfortable about knowing that other people can read your code? I choose OSS.

    --
    the NPG electrode was replaced with carbon blac