Slashdot Mirror


Fighting Claims That Open Source Is Insecure?

Lumpy asks: "Lately there has been a HUGE push by Certified Microsoft Professionals and their companies to call clients and warn them of the dangers of open source. This week I received calls from 4 different customers saying that they had been warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease', they are being told. Other colleagues in the area have also noticed this; about 3 Microsoft Partners (or so they claim) have been going out of their way to strike fear of OSS into companies that respond with 'yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, which will remain nameless, but how do I fix the damage caused by these sales tactics? I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"

11 of 84 comments

  1. Open source use by pubjames · Score: 4, Informative

    I think one of the most powerful ways to demonstrate open source is to show people how much they are using without even knowing it.

    On a couple of occasions I've spoken to IT people who have said things like "we'd never touch open source because..." and then I've been able to point out multiple ways they use it without realising it. If they use Google, if they use email, if they use many websites, then they're using open source software. Many bits of hardware contain open source code (wifi boxes, for instance). Many companies are using Apache for their web sites without realising it.

    Another good argument is just to spout off a list of Fortune 500 companies who use open source to run their websites. "it's secure enough for IBM, but not secure enough for you?" is the type of argument that's difficult to counter. Very often they just don't know much about it.

    The problem you have to fight in people who say things like "open source is insecure" is their ignorance.

  2. Security through obscurity is no security at all by TheWoozle · Score: 4, Interesting

    Ask your customer a simple question in reply:

    Does the fact that closed source software hides its defects mean that it doesn't have any defects?

    Or, how about the really important one:

    Would you rather be at the mercy of your vendors to disclose (against their own self-interest) and fix security issues (on their own timetable); or would you rather have a multitude of people, who are dedicated to the values of openness and transparency, constantly striving to keep open source software as secure as possible?

    --
    Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.

  3. fighting FUD, when FUD is not FUD by davidwr · Score: 3, Informative

    "'anyone can read the code and hack you with ease'"

    Likewise, anyone can read the code and repair it with ease.

    High-profile projects run by responsible people will benefit from the "many eyeballs" approach and be of better quality than if they were closed-source and run by a team of a few or dozens of people.

    The FUDsters do have a point when it comes to out-of-date or low-profile software:

    If an adversary knows YOU run last year's version of Apache, or that you run some obscure open-source database on your web site, they can find and exploit bugs that are either already fixed or that nobody else is looking for.

    The moral of the story:
    1) Stay current with security patches
    2) Hide what you use from the adversary. If they don't know you run ObscureWebServer 1.0, they don't know to try attacking it first. Keep them guessing.
    3) Make sure the official vendor/caretaker takes reports of security breaches seriously and is willing to consider patches from the community.

    above all,

    4) Don't depend on your software's security to protect your assets. Make sure you have good backups. Train your employees against social engineering attacks.

    Security is but one of many factors that go into the open/closed source decision.

    For me, two of the biggest factors are:
    1) If the product is abandoned or sunsetted, I can maintain it myself or hire someone to maintain it.
    2) If I don't care about paid-for support, I can use the product on as many machines as I want without worrying about "product activation" or getting sued.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  4. Re:Security through obscurity is no security at al by KermodeBear · Score: 3, Insightful

    You can also make an analogy to government using the parent's ideas. Would you rather have an open, transparent government where you can inspect each and every process or would you rather have a closed, secretive government where anything can happen without your knowledge?

    --
    Love sees no species.

  5. Microsoft sales reps are ruthless. by NullProg · Score: 3, Informative

    > I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security.

    Try IBM,
    http://www-1.ibm.com/linux/opensource/
    Download some of the report PDFs and send them to your clients.

    > This week I received calls from 4 different customers saying that they had been warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease', they are being told.

    I'd have your sales rep call your clients and let them know that your company shares their concern. At the same time, remind them of SQL Slammer, Code Red, Melissa, Blaster, etc. Point out all the other companies using OSS products: Google, Wall Street, etc.

    Of course I'm just a programmer, so take my comments with a grain of salt.
    Enjoy,

    --
    It's just the normal noises in here.

    1. Re:Microsoft sales reps are ruthless. by NullProg · Score: 4, Informative

      To follow up my own post.

      Microsoft wants you to run OSS on their stuff. Point your clients to this site:

      http://www.microsoft.com/presspass/features/2005/aug05/08-10OpenSourceLab.mspx

      Enjoy,

      --
      It's just the normal noises in here.

  6. Even simpler... by rbochan · Score: 4, Informative

    One word:
    botnets

    Then you can explain how it's actually the closed source OS that is the most damaging.
    Hell, just show them some apache logs that are still constantly being hit by things like IIS servers still infected with Sasser, years after it should have been eradicated.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.

  7. If you want to be substantive by hey! · Score: 3, Interesting

    then simply note that the assumption being made is that all software is flimsy. The point of open source is to subject software to examination so that it is strengthened.

    Here's a good analogy. If I walk into my local bank branch, I can see the bank vault behind the tellers. The massive, foot-thick steel door stands wide open, and if you look, you can see the network of gears and lever bars that are needed for a person of ordinary strength to drive home the dozen massive two-inch hardened steel bolts that secure the vault when locked.

    Now, the design of the door mechanism might be useful information for me if I wanted to break into the vault. The bank is placing this information in full view in part to reassure its customers. But it also deters people like me from even trying. Yes, it reveals potential vulnerabilities, but on balance the message to me is that there are more practical ways to make a buck.

    Being confident enough to expose your vulnerabilities is a good sign, not a bad one.

    Hiding vulnerabilities is not a sign of strength. If the customer can't see for himself, or through an agent, that a piece of software is secure, why bother making it secure? And hiding source code doesn't hide vulnerabilities. A burglar can make use of floor plans if he has them, but not having floor plans is no deterrent. Furthermore, unlike you, hackers can reverse engineer the source code, so the only party left in the dark is you.

    Here's a good question to ask: has the software vendor subjected his product to a responsible and independent third-party security audit? Why not? Companies disclose source code all the time under NDA, so there's no risk there. And it isn't expensive in the grand scheme of things, unless the audit reveals the software to be so insecure that the vendor has to throw a lot of it out.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

  8. Re:Security through obscurity is no security at al by turbidostato · Score: 3, Insightful

    "Ask your customer a simple question in reply:
    Does the fact that closed source software hides its defects mean that it doesn't have any defects?"

    To attain exactly, what?
    Just to follow your argument, here comes the obvious answer to your "counter-question":

    Of course closed software has its defects. But then, its defects are hidden, aren't they? So they are obviously more difficult to exploit, and I prefer to have software whose defects are difficult to exploit rather than software which is easy to exploit. I'm questioning my confidence in your ability to get things done if I have to explain such an obvious thing to you!

    "Would you rather be at the mercy of your vendors to disclose (against their own self-interest) and fix security issues (on their own timetable); or would you rather have a multitude of people, who are dedicated to the values of openness and transparency, constantly striving to keep open source software as secure as possible?"

    Hummm... at the end of the day, a USA corporation may be held legally liable. Do you really expect me to try to recover damages from a stinky teenager deep in Soviet Russia (where teenagers stink you) that happened to develop some seemingly cute software in his spare time?

    No, the answer has already been told. If they really are paying attention to such stupid arguments like those from 'M$ drones', they are ignorant about these issues, and the best course of action is to enlighten them in such a way that they can understand:

    Look at IBM: they extensively use open source, and it seems they are not going into bankruptcy anytime soon.
    Look at Google: they critically use open source, they have an astounding computer base all around the globe, and still it doesn't seem like they are hacked every day, are they?

    You can ask a question *then*:
    Look at IBM or at Google, or at almost every Fortune 100 out there; they do well using open source. Don't you find it suspicious that the only ones complaining about open source are companies (Microsoft and its VARs) that *would* go bankrupt if open source took the computer world by storm?

  9. Peoplesaywhat? by HomelessInLaJolla · Score: 3, Interesting

    > because 'anyone can read the code and hack you with ease' they are being told

    Hm. In the open source arena, if someone is reading your code, they've obtained it legally. Most people who read OSS code do so to improve the code--not specifically for the purpose of creating a full-fledged exploit with it.

    In the Windows world, if someone is reading your code then they are either: 1. an employee of Microsoft or 2. someone who stole the code. In the first case they're ethically barred (not supposed to. *ahem*) from using their corporate knowledge to hack you. In the second case they've already established themselves as a criminal.

    Which situation makes you feel more comfortable about knowing that other people can read your code? I choose OSS.

    --
    the NPG electrode was replaced with carbon blac

  10. Re:well... by The_Wilschon · Score: 3, Informative

    > all software has bugs in it, there is no such thing as a completely secure application.

    Not so. Computer code can be proven to be correct according to a specification. Now of course this is prohibitive in effort on any kind of large or even medium scale, and furthermore you would have to not only prove your code, but also libc, the kernel, the CPU microcode, the BIOS, any firmware, the physical design of the motherboard, etc. However, if you do prove both your code and the platform it is running on, and the specification doesn't have any security problems (sometimes easy to establish, sometimes not), then you have a completely secure application.

    You might say, yes yes, I know about all that, but you can't actually do that in practice. I would bet, though, that some of the early electronic calculators were proven correct. The people making them in the very beginning were probably interested in such things. Perhaps some apps running on MIT LISP machines were also proven (LISP is easiest to prove, and the MIT AI lab people are the type to do it), although in this case it is unlikely that the entire platform up to the app was also proven. So it is not so cut and dried as to allow you to say that there are no completely secure apps. Reasonable, useful apps today, probably none are completely secure, since I doubt that any kernels are completely secure if for no other reason. But nonetheless, it is possible to have 100% bug free, 100% secure software.

    --
    SIGSEGV caught, terminating

    wait... not that kind of sig.