How To Argue That Open Source Software Is Secure?
Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
Really, that's a new low for Microsoft lackeys. Being ISVs, you'd expect them to be a bit more honest and pragmatic. Turns out they're just like their evil overlords.
How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?
Open source is verifiable. Closed source is not.
Open source is verified, by many people, who discuss it in public. Closed source is not.
Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.
Just point out how much more secure Firefox is than IE, or OpenBSD is than Windows, or any other hundreds of examples. The proof isn't hard to see, especially when it's Microsoft trying to argue.
Absolutely! I provide the sources for everything that I install, along with links to where I got it from. Of course, the fact that they cannot ascertain the reliability of the source code for themselves is a *huge* opportunity for me: I offer certification and auditing services as well :)
NOT as part of a normal installation, of course.
When they complain, I simply point out that this is the same as what they'd get from Microsoft, except that getting access to their source code is a lot more expensive.
It's a beautiful thing: Not only do I not have to pay anything for the software, I get to charge them labor to install it for them (which is pure profit from my perspective). Then, if they want source code verification or auditing, well, that's just more money, too!
I love Open Source Software!
Of course, Microsoft Windows has proven that closed-source, proprietary software is secure. Ha-ha-ha-ha-ha-ha-ha-...
Microsoft is desperate to fight the lower cost of Open Source in these troubled economic times. Microsoft is having trouble justifying their economic existence. So, instead of fighting on a cost basis, Microsoft is trying to shift the battleground to a different arena --- one of security. Unfortunately, in the arena of security, Microsoft loses big.
He may be lurking hereabouts, but if not, here's his bio. I've been doing open source for a fair while - 10 years or so - but he's been talking to companies and coming up with good answers to various arguments against open source for much longer.
The Army reading list
I'm sure in enterprise things can be different but working for a small/medium sized developer I know my CEO isn't so un-clued in that I couldn't explain something like this over drink and have a good laugh.
But then we've used Oracle and seen what happens when cost and bad economics limit your business's growth. Let them smoke our RHEL and MySQL licensing; maybe they're getting something out of the ink.
Better yet, when your PHB approaches you why don't *you* ask him to point out a security situation that *wasn't* caused or aggravated by something that wasn't open source.
Just because some idiot says it's true doesn't mean anything.
Quack, quack.
If it's good enough for the NSA, it's good enough for you.
Open source software is like any report in an academic journal.
While a little more informal, it has usually been similarly vetted by competent experts in the field before it's been allowed into the wild, especially in large projects.
Therefore, it's much more reliable than closed source software like Windows, for which you have to take Microsoft's word alone, as opposed to the reviews of several top developers in their fields who approved the commits in the first place.
Plus, tell them to examine their sources; the bias is obvious.
The proof is in the pudding. Who gets hacked more? Who suffers from worms and viruses constantly? Who has to run anti-virus and anti-malware software?
I had a professor say that kind of thing in class once. He said that "Linux will never be as secure as Windows because it's open source. Anyone can see the source code and use it to hack your computers."
It was completely involuntary on my part, but I let out a loud, and I do mean LOUD, "WHAT?".
He turned and looked at me, I said "I'm sorry but that's not correct. Look at OpenBSD, it's open source too and there has been exactly one remote exploit in a default install in the past six years. Microsoft wishes that Windows had that kind of track record." He stammered and stuttered and then moved on with his lecture.
I'd suggest turning that table right around. There's gotta be easy access to statistics regarding viruses and attacks on both platforms. With the market share split like it is, my money is on Linux looking a lot prettier.
Conversely, volunteer to perform some automated penetration testing on their platforms and show the results to them. Go so far as to target some of their windows boxes too if they have any.
Be sure to point out that source code being publicly available means more friendly eyes take the time to warn developers about problems than with windows systems. The vast majority of competent security buffs aren't malicious hackers, but have a genuine interest in making their own systems more secure.
And finally, this might even be grounds for a defamation of character lawsuit. These firms are deliberately belittling your product and/or services and doing harm to your business model without providing hard evidence.
Just look at the open encryption standards.
Would anyone argue that closed source encryption is more secure than open source?
Do you need any more blatant example than that?
Name the next largest 'nix worm after the Morris worm.
In my 15+ years using Linux, various BSDs, and other open source software, I can't recall even once where someone asked me to "prove" that my tools were secure.
Show them it's more secure than Closed source software.
Show them statistics about compromise and Virus infections of Windows servers.
Show them statistics about compromise and Virus infections of servers running open source OSes.
Construct "model" servers implemented according to system defaults and providing all required services (but with no extras installed)
For example, e-mail: a FreeBSD 6 server running the postfix MTA, a Windows 2000 server running the IIS SMTP Service.
Show them the probable impact that would be expected on both servers if no vendor security updates were ever applied (based on worms and viruses that were in the wild).
Show them statistics about the number of remotely exploitable vulnerabilities that were discovered that would actually impact the two model servers.
Show them the impact of actually protecting the Windows 2000 server from vulnerabilities with constant updates vs. the few updates required to protect the fairly ironclad FreeBSD 6 server.
Consider the historic frequency of updates required to keep a system secure, and the downtime impact of constant reboots to apply updates.
Show them trusted (kind of) and household-name organizations that work on/use FLOSS. Big ones that jump to mind are the DoD's use of Linux, the NSA's creation of SELinux, and everyone knows who IBM is.
How or why would a cracker-hacker break into a company, re-write their software (i.e. Open Office) to put a vulnerability in it, and then sit around waiting for the software to fail, when instead they can just exploit defects in closed source software?
So the answer would be it is easier to crack closed source software because it is poorly maintained (i.e. time and budget constraints) and there is no peer review. The open-source nature doesn't make software easier to crack (unless the vulnerabilities in it are flagged with comments pointing them out), but it does make software easier and more likely to be fixed if there are vulnerabilities found.
I work for a SaaS company, and when we go through the inevitable rounds of security discussions any mention of open source software can be met with grumbles and a big discussion justifying its use with some of our larger customers. Fun times!
..show them the numbers. Microsoft Windows' security flaws since 1995 vs that of Linux
Some are secure and others are not. What is secure now could become insecure later, and vice versa.
Nothing replaces good auditing and vigilance.
Argue that it is MORE secure, not that it is just secure. And then if they ask why, explain the idea of many eyes looking at it. You have no idea what's in the closed source.
Well the plus side about Microsoft being an illegal monopoly is that practically everybody knows how bad it is. Ask them if they worry about viruses and spyware on their home Windows machine. Then point out the server versions are the same with a few extra apps thrown in. Point out that Linux has never had a virus and was designed to be multi-user unlike Windows.
If they point out a flaw in a crappy PHP app then point out that the same flaw exists if you run it under Windows. Some people associate a few major PHP apps with Linux even though it's really platform agnostic.
Arguably there is a disadvantage to open source software which gives the attacker something to analyze. Peer review is great, but remember the Debian OpenSSL vulnerability? If your customer is concerned, treat their concerns seriously. Remember who the boss is.
I would recommend the only way to be certain is to hire a pen-testing company. Have a team of dedicated professionals try to exploit your software. If they succeed, you learn how to improve your systems to secure them, if they fail, you look good. Either way you win.
Remind them what Patch Tuesday is about. Then ask them about MS transparency on disclosing unpatched bugs. How many patches were applied to IE, and is it yet secure?
Open Source, due to its open nature, means more people able to repair vulnerabilities much faster. Look at the years it took Microsoft to patch vulnerabilities that would enable critical systems to be taken over remotely. Microsoft has a finite crew to find and report bugs, holes and vulnerabilities. I work tech support. Want to know how many people fall victim to viruses that exploit vulnerabilities that date back to Windows 98? Open Source also means that when things go wrong, the buck stops here. You can repair it, or work with someone to repair it, while with Microsoft you are victim to their schedule, their level of priority. Your vulnerability not critical enough? Bottom of the pile you go.
I can count on 1 hand the number of Linux vulnerabilities that, once discovered, took over a month to repair. I cannot count on both hands + feet the number of Windows vulnerabilities that continue to plague us over a decade after discovery.
AES, RSA, and all the rest are published standards. Now, some companies claim that they can't reveal what kind of encryption they use or it would severely degrade their product. I'm not naming names because I have none, this is just a vague recollection. Just go with the high level idea.
Well, how safe does that make you feel? Someone guesses it and all your security goes out the window? Here's the claim made by AES, and possibly by extension open source: We have a thousand eyes watching us, everyone knows how we work since it's published, and we're still secure. How's that for tough?
And, yes, more logically valid arguments like stats between number of open and closed source vulnerabilities found and other things suggested by other posters.
If a security system uses modern cryptographic methods that are considered secure, there should be little difference if the method is known (as it would be in open source) or not. This is because one of the criteria for a secure cryptographic system is that they are secure even when an attacker knows the system used, and has information to mount a known plain-text attack. Of course this works best in theory, and in a real life application it might not be that simple. But at least in cryptography the justification that "our method of security is unknown to attackers" is considered weak.
Whether or not the source code is available does not make software less secure. The methods by which most script kiddies and actual hackers (if I can use that term with these losers) access systems are those which would not be more or less available given the source code. You take a given library, note the interfaces and find a way to break in. If you have a buffer overflow, all the better.
Though I am an OSS advocate, I do not fall prey to the "oss is better" or "closed source is better" simply as a security measure.
Bad (insecure) software can be written by any individual or vendor. It is how that individual vendor responds to exploits that is the key.
Tell your customers that Microsoft is trying to sell them stuff. It has nothing to do with open source vs. closed source, just money.
This is a better question than most here will give credit, regardless of how sleazy it is that MS sales reps are using it as a tool.
The real focus needs to be determined. Is the question whether open source software development methodology is inherently vulnerable? Or is the question whether open source project X is more vulnerable than proprietary project Y?
I'll address my thoughts on the open source methodology, and the argument I use in these discussions.
Software security is reliant on a couple of key factors. Obscurity is the first one most people think of, and despite the prevailing feeling, obscurity is an excellent security control that protects against certain types of attacks. However, reliance on obscurity for security is not a good idea because over time most secrets are disclosed.
Good security architecture relies on robust security controls that maintain integrity even when attackers are fully aware of the mechanism's internal workings. Perhaps it helps to think of it this way: imagine two people walking down the street. One is alone and vulnerable but in disguise and very hard to recognize. He's relying on obscurity for security, and it will probably work. The other person is surrounded by bodyguards and the entire region for miles around is swarming with more guards and surveillance teams. He's relying on a robust security control (really controls) and it doesn't matter if attackers know the details, they still aren't going to have an easy time getting through to him.
So open source projects are not insecure because they are open, and in fact many would argue that their very openness provides insurance against stupid decisions to use weak security controls and protect them only through obscurity (a classic move of proprietary systems; just think of the old MS password hashing scheme, or a dozen other proprietary security controls that turned out to be too weak to withstand public scrutiny).
The vulnerability numbers bear out this basic concept with more vulnerabilities relating to Windows systems than to *nix systems despite *nix systems running many more critical systems. I'd have to say that this is in large part because the underlying security controls of *nix systems are dissected by obsessive compulsive geeks, like us.
To convince your boss that FOSS is OK, do some research on vulnerabilities reported in the NVD. A (very) informal check shows about 1200 vulnerabilities tied to Linux and 1400 tied to Microsoft. I'd suggest doing more, and better, research than that before sitting down with the CEO to discuss this but the numbers seem to be on your side.
I'll end by saying that FOSS products are not always secure, and the open source development methodology is not inherently secure if the development community is too small to provide competent, and unbiased, security reviews of the software. A very large project, like Apache or Ubuntu, is likely to fare well when compared directly to IIS and Windows. A smaller open source project, like a contributed module to Drupal, may be riddled with problems simply because not very many people took the time to look at it before deployment. That is one advantage of a commercial company: they (should) have a good QC/QA program to make sure bad products don't get shipped (they get sold to Microsoft, who can ship crap with impunity).
Anyways, it should be an easy argument with NVD numbers to back you up and the concept that security through strong algorithms and good architecture is more important than security through obscurity.
M$ = communism - every thing behind closed doors
open source = democracy - everything in the open
just can't explain the bush era
There are a plethora of articles out there about open-source and why it's more secure.
In the end, though, you have to address each customer's concerns directly.
If they have a concern, answer it.
If they are looking for some type of certification, tell them how much it's going to cost.
If they are looking for guarantees, ask them what guarantees they get with these "other" secure products they are considering. If they in fact DO get guarantees, which I doubt, then that's a legitimate point of competition.
Since 2004 the source code for Windows has been available for $20 on blackhat websites. So it's available for scrutiny by a very select few, since possession is criminal.
Also it's worth noting that even for-profit companies like Sun and Apple often open source their code (e.g. apple's Darwin Kernel and openSolaris). And those companies have much better security reputations than Microsoft.
Mmm Hmm.
And how many times have you heard about worms on Microsoft, the 'more secure' closed source OS?
And how many times have you heard about viruses getting through on the Linux systems I helped you set up?
Since Linux is the main system used for internet servers, you would think dangerous criminals would hit it first, right?
The reason you haven't heard of it lately is they did. Unix and Linux ironed all this stuff out 20 years ago - the last Unix worm that got famous was the Morris Worm. Huey Lewis and the News were big, there were still hair bands, and Republicans still had a reputation as being fiscally responsible.
Show them the costs of 'securing' Windows versus Linux and Open Source. Once they see the savings, perceived security of MS is less important. Money talks, BS walks.
Can software be written that has no security flaws?
If a piece of software is flawlessly coded, then its source being open has no impact on its security.
Do your taxes on an open source tax prep application, sign your name on the dotted line, and send it to the govt. I'm not talking about 1040EZ. I want you to do a full on 1040 with deductions, interests, AMT, the whole works. That uneasy feeling you have in your gut right now is what CIOs feel when you want to put mission critical open source systems in their network.
They sure have to be concerned over security. I don't know for sure, but google has to be right up there, probably the largest, 500 buhzillion servers running.... Let's check.... What do they run? Aww, gee, would they do that if it was insecure? Is google dumb, or smart? Does IBM push open source? Well, yes they do. Is IBM dumb, or smart, would they push inherently stupid and insecure software? What runs on the bulk of the worlds supercomputers used by top companies and research organizations and universities and nations? I just looked, 439 out of the top 500 run linux. Ask those MS scaremongers if all these advanced eggheads would run linux or open source if it was inherently insecure.
Just start throwing some big names, big computers and big projects out there that deflate the MS bluster. Then tell them you are now on their "do not call" list, to stop spamming you, and to stop wasting your time. Really, this is 2009, any company/PHB that would fall for such retarded scare tactics about open source has no business using anything more modern than an abacus and an ink quill.
Disagree. Security is not a static rating but a process; part of that process is fixing found problems. Guess which is easier to fix: the stuff you've got the source to, or the stuff you have to wait 6 months before the vendor acknowledges as flawed.
I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security.
5-6 years? Go back and figure out the cost of purchasing the various windows software that you'd need (including all licenses, per-seat, etc.) over that time period. Don't forget the proprietary back up software and enterprise anti virus software. Then taking your hourly rates run the numbers for how often you would need to patch those systems (every week?) and toss in the time it would take you to *test* the roll out of those patches and then add more time for when it breaks everything despite your testing.
ROI goes a long way towards changing a customer's mind (which is why so many of them don't want to spend money on reliable backups :)
This is a general principle of security: something is only truly secure if it remains secure even when you know exactly how it works. Anything else is "security by obscurity".
Closed source software is like a mysterious lock where you have no idea how it works. You can take the company's word that it's secure, but really you just don't know. One day someone may just show up able to waltz right into your house. If the design of the lock is public for everyone to see, you can examine it yourself if you're knowledgeable in such things, or else rest secure knowing that plenty of knowledgeable people have deemed the lock good enough for their homes.
That's my favorite way of explaining open source to non-computer people
Don't discuss the attack, that's just playing into the hand they gave you.
What I would point out is the monthly patch cycle you buy into with MS.
Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.
The rest of the world releases patches as soon as someone with eyes sees a flaw. This is a clear advantage and negates all the FUD you are seeing.
What do you do when you can't prove your case? You discredit the opposition, of course!
Microsoft make a great opposition; they've got a wonderfully lacklustre history of security. You should be able to make your clients tremble in fear at the thought of replacing their flawlessly running systems.
Invite your customers to think for themselves, instead of relying on the say-so of others. With 6 years of faultless service, that's a big ace up your sleeve. Get them to consider that fact, and ask them if it really sounds like they're running an insecure system. Surely they can draw conclusions from that.
Lastly, you may want to bring up current Microsoft security bugs, how long it can take them to fix, and how often the fix causes other issues. Then dangle the carrot: with open source, you can fix the problem yourself, or hire someone to do it. No complete dependence on another party. You can change things as you want or need. That's a huge advantage to some people.
http://www.sans.org/top20/#z1
The critical flaws that were reported this year in Office products:
* Microsoft Excel Remote Code Execution (MS07-002)
* Microsoft Outlook Remote Code Execution (MS07-003)
* Microsoft Word Remote Code Execution (MS07-014)
* Microsoft Office Remote Code Execution (MS07-015)
* Microsoft Excel Remote Code Execution (MS07-023)
* Microsoft Word Remote Code Execution (MS07-024)
* Microsoft Office Remote Code Execution (MS07-025)
* Microsoft Outlook Express and Windows Mail (MS07-034)
* Microsoft Excel Remote Code Execution (MS07-036)
* Microsoft Excel Remote Code Execution (MS07-044)
* Adobe Reader and Acrobat Remote Code Execution (APSB07-18)
* Adobe Reader and Acrobat Cross Site Scripting (APSA07-01)
C2.2 Operating Systems Affected
Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista, MacOS X are all vulnerable depending on the version of Office software installed.
While all operating systems are affected...
Linux has two mentions on the entire page while other operating systems just go on and on and on.
With Open source, MANY eyes are looking at it finding problems and fixing them.
With Closed source, FEW eyes are looking at it-- are probably only focused on bugs and enhancements that will return new revenue, and may remain unaware of exploits for long periods of time. For example, some zero day flaws get extensive script libraries written to take advantage of them before they are discovered.
Hackers, the real ones (who are very few) can see the windows assembler and C code via disassemblers and debuggers anyway.
At least some of them probably have access to Windows code. (It's not really that secret- several companies have copies of the code including China which is known to launch cyber attacks against windows computers)
---
However, from Dale Carnegie, remember people decide with their emotions and then fit the facts to that.
You need to argue emotionally "Linux is safe because people really care about it and work hard to make it secure-- it's not just 'a job' that some jaded corporate programmer is phoning in".
First: Point him to the many 'patches' that are available in order to get certain licence check features out of certain applications. People _do_ modify closed source software. It's a bit harder, but it's done.
Second: Just point him at average times between the discovery of a bug and a fix being available.
Third: Make him prove that there are no backdoors in closed source software. Backdoors are a lot easier to find in open source software, so the risk of them being found is way bigger. Microsoft has a track record of putting malicious code in their software. One example is Windows 3.x checking if it's MS-DOS or DR-DOS, and refusing to run properly if it's DR-DOS.
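The second point above (compare vendors by the time between a bug's discovery and a fix) is worth doing with actual numbers rather than impressions. Below is an added example, not code from the thread or from any vendor's advisory feed, of how to compute it. The records are constructed for the demo and the vendor names are placeholders; the one design decision that matters is that issues still unpatched at the snapshot date are counted separately (and measured as exposure-so-far) instead of being dropped, because dropping them makes a slow vendor look fast.

```python
"""Time-to-fix comparison from disclosure/patch records (added example)."""
from datetime import date
from statistics import median
from typing import Optional

# Constructed sample, not real advisories:
# (vendor, advisory id, disclosed, fixed; None = still open at snapshot)
RECORDS = [
    ("vendor-a", "A-1", date(2009, 1, 5),  date(2009, 1, 7)),
    ("vendor-a", "A-2", date(2009, 1, 20), date(2009, 1, 21)),
    ("vendor-a", "A-3", date(2009, 2, 2),  date(2009, 2, 16)),
    ("vendor-a", "A-4", date(2009, 3, 1),  None),
    ("vendor-b", "B-1", date(2009, 1, 5),  date(2009, 2, 10)),
    ("vendor-b", "B-2", date(2009, 1, 20), date(2009, 3, 10)),
    ("vendor-b", "B-3", date(2009, 2, 2),  None),
    ("vendor-b", "B-4", date(2009, 2, 15), None),
]

# Date the snapshot was taken; open issues are measured up to here.
AS_OF = date(2009, 4, 1)


def days_to_fix(disclosed: date, fixed: Optional[date], as_of: date = AS_OF) -> int:
    """Days from disclosure to fix. For an open issue this is the exposure
    so far, i.e. a lower bound on the eventual time to fix."""
    end = fixed if fixed is not None else as_of
    if end < disclosed:
        raise ValueError("fix date precedes disclosure date")
    return (end - disclosed).days


def summarize(records, as_of: date = AS_OF) -> dict:
    """Per-vendor summary: median days to fix over closed issues, number of
    fixed and open issues, and the longest exposure window (open issues
    included at their lower bound)."""
    by_vendor: dict = {}
    for vendor, _adv, disclosed, fixed in records:
        v = by_vendor.setdefault(vendor, {"closed": [], "open": 0, "max_exposure": 0})
        d = days_to_fix(disclosed, fixed, as_of)
        if fixed is None:
            v["open"] += 1
        else:
            v["closed"].append(d)
        v["max_exposure"] = max(v["max_exposure"], d)
    return {
        vendor: {
            "median_days_to_fix": median(v["closed"]) if v["closed"] else None,
            "fixed": len(v["closed"]),
            "open": v["open"],
            "max_exposure_days": v["max_exposure"],
        }
        for vendor, v in by_vendor.items()
    }


if __name__ == "__main__":
    for vendor, stats in summarize(RECORDS).items():
        print(vendor, stats)
```

The median rather than the mean keeps one very old unfixed bug from dominating the closed-issue figure, while "max_exposure_days" is exactly where that bug should show up. With real data the disclosure date is the hard part: use the public advisory or CVE publication date consistently for both vendors, not the vendor's own "we were notified" date, or the comparison measures disclosure policy rather than response.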
Well, only if you assume no malicious attempts or laziness on the side of the programmer.
I believe the technical term is called "anecdote".
DHS - linux
FBI - linux
Navy - linux
Air Force - linux
Wonder why those agencies are using such an "unsecure" platform...?
The argument that "anyone can read the code and hack you with ease" is false. To win the argument, one must explain the relationship between a _cypher_ (implemented in a program) and a _key_ (generated by a program). Secure programs are written such that even their *authors* can not hack them. The reason is because these programs do not directly provide security. Instead, for example, they may help users generate unique digital keys. It is the combination of this digital key and the program itself (ie. the cypher) that provides security. Reading the source code will _not_ give the reader the key required to breach someone's privacy, especially if the program is good and can produce trillions of different and complex keys, each of which takes a long time to test. Conversely, closed sourced programs are generally scrutinised by far fewer people, and as such they are generally less able to perform with the same speed, efficiency and reliability of their open source alternatives, including security related programs described above.
Sun, IBM, and several others are MAJOR contributors. Why would they contribute to something that's so insecure? Why would Google spend millions of dollars every year to fund Summer of Code? Why would MySQL be one of the most popular RDBMSs, and Apache THE most popular web server? The list goes on...
What is the #1 website on the planet today? Answer: Google. How many machines does Google have to support its business? Answer: tens of thousands. What operating system does Google use? Answer: Linux. How many times has Google been hacked in its 11 year history? Answer: Anybody, anybody? What is the #1 desktop operating system today? Answer: Microsoft. How many worms, trojans, viruses, etc. are there for Microsoft OSes? Answer: > 100,000 (source: pick your favorite anti-virus company counting scheme.) How many times have businesses been hosed by using Microsoft software? Answer: Too many to count. The latest blunder today? The French navy. Reference: http://www.networkworld.com/news/2009/020909-conficker-worm-sinks-french-navy.html Now for the last and most important question: What does Microsoft think that it knows about security that Google doesn't? Because comparing their security track records, it's not obvious to me that Microsoft knows anything about security. --Johnny says when in doubt just ask Google.
Set up a MicroSoft server and client and see how long it takes for crapware to find its way onto their system...then remove it and tell them to shut up.
The locks on your house are wide open. They're based on designs many decades old, and the locks themselves may be decades old. If you want them changed, someone nearby has all the parts in a van, or you can learn how to change them yourself. People have made various alterations and improvements, which are published and protected from commercial exploitation for a limited time so eventually everyone can benefit from them.
You can get inexpensive locks which work well and can be easily serviced, or you can get elaborate expensive locks which fewer people understand and cost more to repair.
1. Do not belittle or otherwise blow off the customer's fear. In fact, hear it, and agree that it's something to think about.
Them: "I'm worried about this Linux stuff. A guy was telling me that anyone could see the code, and just know how to hack it!"
You: "I can understand how that could be a concern. It is a little like having a map of the valuables in your house taped to your front door."
2. Explain why openness is helpful
Them: "Yeah, so what should we do?"
You: "To be honest, sir, the reason why we like that anyone can see the code is because that means anyone can fix those problems. And lots of people do, for the very same reason you are worried about it. They need something that's secure, and isn't going to surprise them."
3. Mention that serious people have a big stake in making this work.
You: "I should mention that a few companies have bet a lot of money on open source, and wouldn't be happy to see it easily broken. IBM, Novell, and Oracle, to name a few, have very large investments in Linux, and have donated many patches to make sure the code is secure. And for that matter, so has the NSA. They have actually extended the security quite a bit, with their Security Enhanced Linux."
4. Reassure them that people are thinking hard about this.
Them: "Yeah, but if anyone can see it..."
You: "...then you have to be extra careful. See, the strategy that Open Source follows, and everyone should, is to assume that everyone *can* see the code, so you better design it so that the real keys to the kingdom aren't in the code at all. You make sure the keys are completely in the hands of the owners of the system, so it doesn't matter if you can see how the lock works, you still don't have the keys."
5. Point out the obvious.
Them: "But what happens if someone tries to slip something in, and is really good at it?"
You: "Once in a while, someone tries. But when a thousand people might look at the files you are trying to sneak in, someone's going to notice. And then a hundred thousand geeks will make fun of you. In public, all over the internet."
All the technology in the world won't hide your lack of vision, talent, or understanding.
There are secure versions of Linux as there are for Windows, and I know that everybody knows it, but the main source of vulnerability on the server side is not the OS itself but misconfigurations. That said, not to evade the question, I believe that from a general point of view Linux is considered to be more secure than Windows. There are several reasons for that.
- Even though Windows has made huge progress in the security field during the past several years, Windows is still the target OS of choice for hackers and criminals (IMO the main reasons being economics and the difficulty of securing the huge Windows code base). This makes the exposure to possible attacks on Windows higher than on the Linux side.
- Linux has less exposure; IMO the main reason is not a lower vulnerability-per-line-of-code ratio but mainly that there are fewer hacks/exploits available on the criminal market for Linux. There is an increase in attacks on Linux servers using Apache-PHP, but still a hardened Linux server is considered to be safer compared to Windows. There are many more containment measures possible on Linux than on Windows.
- All major Linux distros now have security modules already integrated (which can be loaded/unloaded for performance needs). These modules are somewhat difficult to use. Some examples are Red Hat + SELinux, SUSE + AppArmor, etc. These distros provide MAC, RBAC, etc. They've been used to achieve high degrees of Common Criteria evaluation: EAL4+ for Red Hat/Oracle (http://www.oracle.com/technology/deploy/security/seceval/security-evaluations.html), EAL4+ for SUSE/IBM (http://www.novell.com/news/press/archive/2005/02/pr05013.html), etc. Naturally, it is not the entire Linux distro which has been certified but a particular distro with defined applications and software. BTW, Windows has also achieved these levels of security. This shows that Linux can get at least as secure as Windows.
Since 2004 the source code for Windows has been available for $20 on blackhat websites. So it's available for scrutiny by a very select few, since possession is criminal.
Also, Microsoft regularly allows universities and governments to look at windows source code under NDA.
Plus, Bill Gates testified under oath that it would be a security calamity for windows source code to be released into the wild.
Strangely enough, that hasn't happened with linux & openbsd.
Let's face it - we all know how to get our hands on the Microsoft source code, just some of us have no interest, some of us are interested but choose to go with the law that generally forbids it, some of us even care about the ability to honestly deny ever having seen it!
But if I wanted to "read the source code and hack with ease" - yeah, I'd download the Microsoft source code. Linux gets patched too quickly!
Just because you can see the source code doesn't mean it's hackable. But for very large, complex programs, that's absolutely true. There are only two possibilities with them. 1, any random person can view the source code but the entire enormous application is absolutely 100% perfect and there is literally no way to hack it (yeah right). 2, any random person can view the entire source code, find a bug nobody else found yet, and use it to exploit the program. It's really as simple as that. For smaller programs, it is possible for the source code to be literally perfect, but for something the size of Open Office not to have a single security hole at all is ridiculous. And being able to read the source code sure helps a lot more than just guessing at things that might be exploits. Yes, professional programmers and hackers are working on the project so they find security holes all the time and then patch them, but it still holds true that being able to view the source helps the bad guys a lot!
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
"...[systems] that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security."
Prove, document, and send your customers exactly that. None of my customers give a rats ass about philosophy, they care about the bang for the buck.
If you can clearly point out to your customers that:
1. The sales calls they're getting are SALES CALLS. Your customers will realize that the salesman will spin things so that they buy his kit. That spin may not be accurate or apply to them.
2. Uptime of your systems in a given time period.
3. Cost of your systems/services over that time period.
4. Be honest, unplanned downtime in the same time frame for your systems/services.
5. Distill all of that to brief bullets or an executive summary paragraph.
6. Follow on with a request for feedback. You strive to provide the best service to your customers, make sure that they're happy.
7. Double check all of your numbers before sending, assume it will be shown to the sales people from other companies. CYA.
Waffling on about philosophy and visibility of code and yadda yadda is all well and good, but the person cutting the cheques does.not.care. What they do care about is ROI and cost/benefit. They care about your track record of performance.
You don't exactly say what the tech level of your customers are but I'd suggest:
1. First tell them it is a great question. Explain to them that your company is very serious about security and they should always feel comfortable asking any question about your architecture, methods,etc..
2. Explain one of the reasons you use Linux is because of your concerns about their security.
3. Be able to link/show them the percentage of infected windows computers compared to Linux. This link should be from a highly reputable news source. (e.g. http://www.nytimes.com/2005/08/17/technology/17virus.htmll) This is the only stat they need to see.
4. Avoid any evangelism about open source. Most likely they don't care, they want a solution and a provider they can trust.
5. Finally take this as an opportunity to build a better relationship with your customer. The fact that they called you rather than switching providers means they *want* to trust you. Leave them with the feeling that they can.
I don't buy the line that open source is "better because everyone is checking for bugs", but the bottom-line point from my perspective is that the openness of a specification does not, in fact, make it easier to intrude upon an implementation of that spec. A completely valid argument -- and possibly a persuasive one as well, if the boss is smart -- involves the comparison of an open and strong encryption algorithm vs. a weak but closed one. This is where wars are won. If security through obscurity can't keep wartime governments in power, it probably doesn't do much.
First, collect a library of Windows-related security breaches in the last year, paying particular attention to ones that made major headlines or that cost companies money and/or reputation. When your customers call, hand them that library as evidence that it's not open-source that has the major, public security problem. Then tell them to ask that Microsoft rep to identify the last major security breach involving the open-source software they run, and to provide the third-party references of the sort that you provided to substantiate the existence of the problem. Be prepared for the MS rep to provide examples of vulnerabilities that were patched before a breach occurred, and note to your clients that you're giving examples of breaches that actually happened after customers took every precaution recommended by the vendor.
If you really want to sandbag the MS rep, collect a library of the few open-source-related breaches that've happened. Give your clients a side-by-side of the two, which should make it glaringly obvious which of the two has the better track record. One thing you can point to here are cases such as Firefox vulnerabilities where the vulnerability existed and could be exploited only when the software was running under Windows and didn't exist when the software was run under other OSes (indicating that the flaws are specific to the proprietary Windows environment). Doing this yourself undercuts the MS rep when he tries to brush it off with "But open-source has problems too."
Argue Loudly
It's the best answer you can give.
Help stamp out iliturcy.
Sun, IBM, and several others are MAJOR contributors. Why would they contribute to something that's so insecure?
They are collaborating with alien life forms that are trying to weaken the technological infrastructure of Earth.
Why would Google spend millions of dollars every year to fund Summer of Code?
They are giving young people a bit of feel-good educational employment, just like Jim Jones gave his followers free Kool-Aid.
Why would MySQL be one of the most popular RDBMSes?
Because people can't afford Microsoft SQL server.
1) I'd ask them what the security experience has been over the period you have supported them. While headline after headline has been in the paper about Windows exploits, botnets and viruses, what has happened with their installation?
2) I'd inform them that Google runs on Linux. Do they think Google knows what they are doing?
3) I'd tell them to talk to one of the people who is selling the windows services, and ask them to detail the costs of converting to MSFT, and what the security measures required would be. I think they'll blink after they get the price tag.
Sad to say, even if Windows was more secure, most people will balk at the expense if they're already running a solid linux based infrastructure.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
Closed source applications have to be audited with fuzz testing and other techniques, and this means that bugs can hide from the "white hats" (or the company) for a long time. Look at the bug fixed by MS08-067; it was discovered in the wild as part of a trojan and is now at the center of one of the biggest worm breakouts in history. Open source software can be fully audited by third-parties, including through techniques such as static analysis. I am not anti-closed source per se, but calling it somehow more secure because it "can't be verified" is the opposite of the truth. Tell your customers to talk to a security professional, not a salesman.
Gives an advantage over not knowing what the app is doing. When you know what is happening, you can defend in real time against what is going on.
I watched a "How It's Made" episode on combination locks. Knowing how a lock is made didn't make it any easier to break into one. If the code is made correctly, the passwords can't just be bypassed. You can't just change the code and load it in for a fun-filled night of hacking any more than you can with a closed source OS. That's how I'd explain it to a customer.
I propose a thought experiment: Have the client envision a box into which you place a kitten. Which method of keeping the kitten "safe" is better? The windows methodology is to tape the box shut while the linux methodology is to leave the box open. Now ask the client to envision placing the kitten/box system in a college dorm representing the hostile world. I predict that in the Windows world the box gets ignored or worse kicked down the stairs whereas in the Linux world the kitten defends itself and or finds a compatible human slave to care for it.
Much is the same in the computer world: a closed box does not make something "secure", it just limits what the kitten or your application can do, while an open box can encourage people to foster your kitten. Security comes from the provision of the necessities of life (warm building, food, water, clean litter, string and blanket) and five pointy ends for the kitten, while for software it is testing and an uncompromised (audited) host.
What agency is that?
If you don't know if "open source" is secure, then why would you want to argue the point to a customer? Your bias should not preclude your understanding.
Just haul up Google, type in "virus" and count the number of instances targeting Microsoft vs. Linux. That should convince anyone. Alternately, do "WIN32 virus" vs. "Linux virus".
It is true - the GP said they used BSD licensed code and the source you cite agrees:
Furthermore, I think the GP was thinking of the BSD licensed zlib. This library had a security issue several years back. Linux / BSD / etc were patched almost immediately (just update a single library), but MS products, including DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, were not patched as quickly.
My pics.
See, that is the issue - the vendor. Whether you have OSS or closed source, you're reliant on a vendor to fix it. Though Apache is OSS, I doubt very much that Joe's Cafeteria, using - say - httpd, is going to know how to fix a bug any more than they'd know how to fix a flaw in IIS.
The Kai's Semi-Updated Website Thingy
Too much to say but short summary of the answer:
1. Use the cryptography argument: open and visible is secure because you can see the algorithm, whereas proprietary could be just XOR.
2. Use OpenBSD as the example OS model to follow for security by design. Is Linux secure? Depends on which distro and how it is deployed.
3. Check SANS (wwww.sans.org) for their take.
4. Use CVE and Bugtraq count comparisons.
5. Another is to use Metasploit to compare which has the most public exploit code vectors, by count only.
Ask them if they usually trust what salespeople tell them?
Since 2004 the source code for Windows has been available for $20 on blackhat websites. So it's available for scrutiny by a very select few, since possession is criminal.
How do you verify that this is the code that is on your machine? After an update?
The strongest security is the one you get from everybody in the company being loyal and well educated about what they should and shouldn't do. Of course, you don't post your passwords on a sign outside, but that is about as much secrecy as it is worth the effort to maintain, I think. Apart from that - if we know that Microsoft's security strategy uses "protocol X" and open source uses the same, what is the real difference? Only that in open source you can potentially inspect the implementation and verify that it doesn't contain inherent weaknesses that allow you to circumvent it. You can't do that with closed source; you have to trust the supplier. The big question then is: can you?
Open source works along the same lines as the open, scientific discourse that has brought us from pre-industrial society to the present day. If we had relied on secret research, we would still have lived in the mud; romantic, perhaps, but no computers. Or compare open societies to closed ones: are countries like Sweden, Germany and Switzerland less secure than, say, Burma? The only ones that feel more secure in Burma are the ones in power, but the country as a whole is less secure, as far as I can see.
You should also note that criminals who want to benefit from security holes have their ways of getting the source code of closed source software. When they have that, it will be much more dangerous than them having the source code of open source software. This is and will be one of the best arguments against Microsoft.
As for your observation about new tactics from the MS side, I've seen the same. We have big customers using open source technologies, and they've recently been contacted by other ISVs telling them how dangerous their choices are.
Of course MS is correct, you don't have the source so you can't exploit it. I feel secure every time I play a game of Battlefield 2 knowing that hackers out there don't have the code, therefore they can't cheat. Or that the Blaster worm was a figment of my imagination. Proprietary code, mmmmm good stuff!!!
Find out the names of the operating systems and software running on the systems involved in the huge security bungles that have made headlines in recent years.
If open source software tops the list, so be it.
But I think you're going to see the name Microsoft come up quite often.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service.
The government (DoD, DOE, etc.) extensively uses Linux in high security environments.
http://www.redhat.com/solutions/government/commoncriteria/
Also, the fact that SELinux was developed by the NSA to process classified data would be important to note.
That combined with cost make Linux more than able to compete with any Microsoft or Apple product.
Linux AV = ClamAV
Just because there are fewer holes found doesn't mean that they are smaller. When Windows has a hole, people go "I'll just have to wait for another patch. Again..." while with Linux it's more of "Oh God no!".
Sort of like car crashes (Windows holes) vs. airplane crashes (Linux holes).
You also seem to have forgotten that in closed source software, only the company can fix it. And bad guys are still going to find flaws.
With open source, the good guys find and fix flaws faster.
In both cases, the hackers still find bugs.
Closed source is Security through obscurity vs Kerckhoffs' principle
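The cryptography argument from the summary above and the Kerckhoffs' principle point here, worked through in code. This is an added example, not from any post in the thread: a cipher whose only secret is its design (repeating-key XOR, the "proprietary could be just XOR" case) is compared with an openly specified design whose only secret is the key (HMAC-SHA256 used as a keystream generator in counter mode). The messages, key and nonces are constructed sample values, and the same publicly known trick (a guessable 8-byte message header) is tried against both.

```python
"""Kerckhoffs' principle in practice: hide the key, not the algorithm."""
import hashlib
import hmac

# Constructed sample traffic: two messages sharing a predictable header,
# the kind of prefix an outsider can often guess.
HEADER = b"INVOICE "
MSG1 = HEADER + b"#1001 pay 250 EUR to ACME Ltd"
MSG2 = HEADER + b"#1002 pay 9900 EUR to Mallory Ltd"


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR data against a keystream at least as long as data."""
    return bytes(d ^ k for d, k in zip(data, keystream))


def repeat_key(key: bytes, length: int) -> bytes:
    """Repeat a short key out to the requested length."""
    return (key * (length // len(key) + 1))[:length]


# --- "Could be just XOR": security rests on nobody knowing the design. ---
OBSCURE_KEY = b"s3cret!!"  # constructed 8-byte key, unknown to the attacker


def obscure_encrypt(plaintext: bytes, key: bytes = OBSCURE_KEY) -> bytes:
    return xor_bytes(plaintext, repeat_key(key, len(plaintext)))


def break_obscure(ct1: bytes, known_prefix: bytes, ct2: bytes) -> bytes:
    """Once the design is known, a known prefix of one message (at least as
    long as the key) gives the whole key, and every other message falls."""
    key = xor_bytes(ct1[: len(known_prefix)], known_prefix)
    return xor_bytes(ct2, repeat_key(key, len(ct2)))


# --- Open design: HMAC-SHA256 as a PRF in counter mode, fresh 8-byte nonce
# per message. Everything except the key is public. (Confidentiality only;
# a real deployment would also authenticate the ciphertext.)
def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def open_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    return nonce + xor_bytes(plaintext, ctr_keystream(key, nonce, len(plaintext)))


def open_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    nonce, body = ciphertext[:8], ciphertext[8:]
    return xor_bytes(body, ctr_keystream(key, nonce, len(body)))


def attack_open(ct1: bytes, known_prefix: bytes, ct2: bytes) -> bytes:
    """Same trick against the open design: the attacker learns a few keystream
    bytes tied to ct1's nonce, which reveal nothing about the key or ct2."""
    leaked = xor_bytes(ct1[8 : 8 + len(known_prefix)], known_prefix)
    body2 = ct2[8:]
    return xor_bytes(body2, repeat_key(leaked, len(body2)))


def demo() -> dict:
    """Run both scenarios on the constructed messages and report outcomes."""
    c1, c2 = obscure_encrypt(MSG1), obscure_encrypt(MSG2)
    obscure_recovered = break_obscure(c1, HEADER, c2)

    key = hashlib.sha256(b"constructed demo key").digest()  # constructed key
    o1 = open_encrypt(MSG1, key, b"nonce001")
    o2 = open_encrypt(MSG2, key, b"nonce002")
    open_guess = attack_open(o1, HEADER, o2)
    return {
        "obscure_broken": obscure_recovered == MSG2,   # True: design was the secret
        "open_broken": open_guess == MSG2,             # False: key was the secret
        "open_decrypts": open_decrypt(o2, key) == MSG2,  # True: legit holder reads it
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```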
With open software you don't have to take the salesman's word that some expert in Elbonia has pronounced it to be of high quality.
Since we're talking about operating systems here, only a handful of people can actually understand OS/kernel level code, let alone make a single change that will be useful, or fix a bug without ####ing up. 99% of Slashdot can't audit #### (and given the odds I'd say you can't do it either) and won't ever come close to understanding or patching the kernel. The percentage of competent people might have been higher here at some point, but lately it's just filled with morons who "think" they understand technology, business, economics but are in most cases 2nd-rate sysadmins / developers who wouldn't know a virtual thunk if it hit them in the nads. Given these facts the community can't do jack #### till one of the kernel devs fixes the problems. Either way I don't understand why users should be forced to "beta test" (aka the entire Linux community) or file bugs or fix anything AT ALL.
Commercial companies like MS run tons of tests because every piece of code is used in about 600 million different ways on millions of different configurations just 1 hour after it's been deployed. Given those odds, I'd say they're doing a damn fine job. If anyone is feeling warm and fuzzy about [insert OS here], head over to Secunia or some other security site.
Are these clients suckers who fall for every vacuum cleaner and encyclopedia salesperson who comes knocking? Do they believe everything a used car salesperson tells them? These people are supposed to be sophisticated business managers.
So, that they are suddenly questioning OSS after it has worked fine for them for years suggests bias. The typical business person just doesn't believe in OSS business models, and will happily swallow any tripe that shores up this prejudice. To them, OSS is highly uncertain and experimental. What do they do if the software breaks? They persistently think there's no one they can turn to for help when in reality they can turn to anyone they want to because the source is open.
This doubt of OSS is just like Europe's continual doubts that the radical democratic experiment being attempted in the New World could last, could work. Until the late 19th century, Europeans were always seeing events as reasons to predict the imminent demise of the US. To them, the US was a weak, corrupt, thieving, uneducated backwater place constantly stealing technology from Europe. They really thought that the US must surely collapse soon. Winning the Revolutionary War was excused because the US had French help. Then the US beat the snot out of the Barbary pirates so thoroughly that the ships of other nations started flying the US flag in those waters, yet they still didn't believe in the US. Just a fluke. Britain burning the US Capitol in 1812 was of course taken as more proof that the US wasn't a real nation. The way the French Revolution ended, with Napoleon as a ruler as absolute as Louis XVI was, suggested that the US would eventually go the same way. Surviving the Civil War at last began to convince the skeptics. Lincoln's 2nd Inaugural was held up as proof that the US could indeed produce thinkers and writers equal to anyone from Europe. Railroading had advanced more in the US than anywhere else in the world. Among the many reasons the Transcontinental Railroad was built, and the manner of its building, was to demonstrate US technological and business organizational superiority and to show the world that the Civil War had not crippled the US.
And yet there were still skeptics who chorused loudly every time the US economy sank. Said, with some justification, that the US was just too crude and unsophisticated, too freewheeling and dangerously uncontrolled in its handling of finance and economics. As the US grew in might, these voices sounded ever more hollow. Possibly the Great Depression was the last time serious doubts of this sort were entertained.
Ask these business folks if they would have bet against the US in 1880, or against the North in 1861. If they wouldn't, then ask why they are inclined to bet against OSS today.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Instead of trying to dissuade them, just lay out the risks you know about, and then say, "if you choose to ignore my advice and change directions, don't hesitate to call me when you have issues". They'll be back.
1) Most O.S.S. Contributors do it for the challenge and pride.
2) O.S.S. releases are (usually) not governed by a corporate release schedule or politics; they (the development staff) work on it until they feel it's ready for testing in the wild, collect responses from other tech-savvy individuals and attempt to correct issues.
3) The target customer is usually the personnel writing the software in the first place; it may be as broad or as focused as the task at hand and the personalities of the people involved. They usually have a direct interest in the issues involved in the problem they are solving, whereas a wage slave may only be motivated by their wages. Software for the People, By the People.
Then, if they have software engineers or anything that is developed (including hard goods): What is done when the boss over them (VP/Shareholders/Venture Capitalist) tells them that it needs to go to market NOW, "We don't care if it's not finished and may Crash/Explode/Cause Massive Fatalities/Cats and Dogs living together, we need to get to market first!"; What will he/she do to meet those demands? Will they ship that product knowing fully that it's faulty? Then ask him if any other vendor is any different when budgets are involved. Unless they are Military CMMI 5, ask them how much QA is done on their own product, and how much is ignored due to the cost of such.
Now step back and admit, "There are bugs and will always be bugs in software, OSS or Proprietary code, who is more likely to fix it, or if the company does go bankrupt, who owns the code to fix it."
You know they never thought all those systems would be around that would experience the Y2K, how long do you really expect your systems to last?
Look at all the "respected" finance firms that either no longer exist, are close to death, or turned out to be giant scams. The root of all this was complicated processes that lacked the necessary transparency. When something started to break, no one could determine which parts in the system were still valid, so everything ground to a halt.
The moral of the story is that complicated systems need to be transparent, regardless of their industry. Assume the worst of what you and other vested parties are unable to see. Not being able to see the problem is worse than the problem itself.
Make America Great Again!
How to argue that open source is secure? MS doesn't make open source software. I don't understand the question.
There are plenty of peer reviewed research papers showing Linux is more secure than windows.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
Have a magic show... Have your assistant "Show" two padlocks to the audience and demonstrate how they are both solid...
That's closed-source.
Now pass the padlocks around for everyone to test them... Surprise, one of them opens with a little effort... And you can see the lock has been filed back.
That's open source.
In a closed source model, you don't get to verify the security yourself, so you're trusting the vendor. In this case, the magician, the assistant, or his plant in the audience.
In an open source model, you can make up your own mind based on being able to actually see what's going on. You can test the padlock.
If someone mentions that even with proprietary software you can "inspect" things with an agreement, point out that others who don't have the same agreement might spot things you missed, then give the better padlock to an "outsider" who has a "standard" key for it... This demonstrates that not everyone knows where to look for the vulnerabilities and only when many eyes work together can you be sure that it's really secure.
Real-world analogs work particularly well :)
GrpA
Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
Basically you're screwed.
Microsoft has given you a task that is outside of currently known computer science.
Microsoft can't give more than just their word either, but by being sneaky they've put the burden of proof on to you.
No software(aside from a few trivial examples in research labs) is currently secure, and you can't even really estimate security in software, because security bugs by their nature are unknown.
...and that is all I have to say about that.
http://jessta.id.au
If I were really trying to spin up a counter-FUD campaign, this would be a significant part of my delivery. Yes, anybody can read the source to open source software. But people can also read the source to Windows, thanks to leaks and the Shared Source program. If somebody finds a bug in open source software, they have permission to tell the author, or even submit a patch. If somebody does the exact same thing with Windows, they would never tell Microsoft, because they would need to do a lot of explaining about where they got the source. Sure, some unhelpful people will read the source to open source software, but *only* unhelpful people will read the source to closed source software. (And, of course, the devs themselves.)
Every decade or so the NSA looks for a new encryption standard. Previously it was DES and now it is AES. One of the requirements is that the algorithm be available for public review and criticism. Does that mean it is insecure?
One of the main tenets of software security engineering is that security should not depend on the source code being hidden or obscured. By this, open source and closed source can both be quite secure, but open source has the advantage of having many eyes from varied fields looking at it to make sure the implementation is secure. How you use it is another story, and that is where the problems can come with both open and closed source. Security by obscurity is not a valid argument, and this is what you should get across. Ask any security expert and they will tell you the same thing.
http://en.wikipedia.org/wiki/Security_through_obscurity
The wikipedia article has some good references and a slashdot article that may help
http://slashdot.org/features/980720/0819202.shtml
If Microsoft was secure, they would not release critical patches, or have given a name to Black Tuesday.
Microsoft uses closed source to cover up the bugs and mistakes, and they do not seem to have too much luck doing so. Open Source allows the users to find and fix the problems.
Also be aware that major parts of Active Directory validation (Kerberos) are based on the open source Kerberos.
The closed source TCP/IP implementation from Microsoft was so bad, that they dumped it in Windows 2003, and instead replaced it with the Open Source TCP/IP stack from FreeBSD.
Microsoft uses Open Source in their products, why can't their customers ?
yeah, we ain't got shit... except firewalls... and.. anti-virus....
just because we dont need them doesn't mean they don't exist.
http://www.microsoft.com/resources/sharedsource/productsourceprogram.mspx means that the source of Microsoft products is available to government and educational institutions. Many of the people who qualify for access would also have the necessary skills to exploit vulnerabilities.
You hold a full security audit by an external creditable auditor on your system.
What you need is a Slashdot Car Analogy(TM). Ask your clients whether they would feel more comfortable driving a regular car, or a car where the hood was welded shut so you couldn't open it and check out the engine. Has been said many times before, I know, but at least it should get them thinking.
It doesn't matter what OS you're using if you don't have some process in place to keep yourself up-to-date with security updates. Both Linux and Windows will have more security bugs exposed in the future. A good thing about Windows is it does auto-update by default; I don't know if the various linux distributions have a similar sort of system, if they do, good.
Well, you can also have access to Windows source if you have CALs in the thousands and too many licenses to count with the enterprise TechNet account, and you harass your rep who is in good standing; you can sometimes be shown the source.
(And you need to sign more NDA's than I ever thought existed)
but the $20 is much more affordable than the millions required to do it the other way.
I have seen several comments that say you shouldn't counterargue against this.
Well I would! Just point out Microsoft's track record, basically point out they are not one to throw stones. I would also comment that, in contrast to "everyone can see the code" being a BAD thing, it means these security flaws are found and fixed BEFORE people start hacking them, unlike in Windows where they are found and exploited, THEN (usually after a month!) Microsoft patches it. I would also comment how hackers now know to wait *1* day after patch Tuesday to exploit holes.
Also, make sure you ARE using secure software. Microsoft's partners are obviously FUD'ing their asses off, but there IS certainly shitty, bug-ridden, security-hole-filled open source software just like there is closed source... The big stuff should be good, but "uncle bob's extra-nice php script" might warrant some attention.
Your big mistake... and honestly it's a pretty common one among techies... is you are worrying too much about what to tell them and not enough about how. I know people and know computers... and bringing the two together isn't hard. You just have to remember that, unlike machines, people care as much about your tone of voice, your body language, your cadence, your word selection, etc. as they do about the actual point you are making. They care as much or more about these things than they do about the raw data.
It's a shame I didn't see this post sooner because you will probably never read this, but I have been working as a computer tech professionally for over 10 years. In that time I have discovered that I have a talent for sales and I can make my sales without bending the truth or leaving out important details, because my honesty not only engenders trust but my entire attitude and approach is geared toward helping the customer make the individual best decision for their circumstance... not selling the current item that nets me the best commission or advancing my pet agendas.
Make the client feel comfortable that you aren't just telling them what you are because your company demands it of you or you have some fetish towards open source. Care about the client's well-being... you're not trying to sell a product, you are trying to help them make the best decision for themselves that can be made. They know their circumstances and you know the industry, and when they come to you to show them how the industry can help with their circumstances you make sure they come out on top. The thing is that this might mean telling them to go with a competitor's product. This honestly might mean telling them to go with closed source.
Honestly, you have already admitted to telling clients open source is more secure than closed source without having any facts to back you up (or at least none you are willing to show clients). I personally believe that open source is more secure than closed... but I can back that up if I have to and I feel confident my reasoning is sound enough to share with a client. You need to be able to too.
If you aren't willing to listen to a customer and honestly consider their point, with the possible result being telling them that closed source is better in their case... then you need to be one hell of a hustler. Used-car-salesman-in-a-tuxedo type hustler. Otherwise you have already lost, simply because MS got there first and the people they hired to get them there first really are that kind of hustler.
In the end it comes down to convincing the customer that your top allegiance (after yourself) is to them. Telling them that will just make you look fake... so you will have to convince them some other way. That is the secret of being good at sales. Having a really good understanding of your clients' wants and needs and being knowledgeable enough to sound like you could write books on the subject you're discussing are both major pluses as well.
Also... though I'm sure it was said in the avalanche of text that came before me... point out two things to the clients. First off, it is not possible to "prove" that a product is more secure than another. There are factors beyond imagining involved in a product being or not being secure. Thus, when they ask for proof from you or from the MS people, it is not easy to come up with an honest answer that is very convincing without first explaining a number of things.
As for what to say... start with the theory behind why open source is more secure. Theories are not proof, but when you get right down to it there is no proof that the faster you move through space the slower you move through time... but we have theories, and those theories are themselves backed up by evidence. Those theories have been applied time and time again in the real world to create working technologies like microwaves and electron microscopes. And these theories point to the slowing passage of time in any case where the passage of space increases. From there move into
Well... Uh... I hope Open Source doesn't make them vulnerable, we have the US Department of DEFENSE embracing it...
http://arstechnica.com/open-source/news/2009/02/department-of-defense-launches-open-source-site-forgemil.ars
I always compare it to how you could judge/audit a bank's security.
Bank #1
The bank manager gives you a full blueprint laying out each path to the vault and how those paths are secure. Next, they show you the construction of the vault, how thick the steel is. They move on to show you how the locks work and explain why they chose that type of locks.
Bank #2
The bank manager assures you that the vault is definitely in the building and that it is absolutely secure. However, they state that it would undermine their security to provide you any additional details.
Which bank would you feel more safe about putting your money in?
Spooooon!!!!!
Agreed. However, with just a little research, whoever's doing the tech for Joe's Cafeteria can find out where to report that bug and, once reported it will probably get fixed a lot faster than a bug in a closed source program.
Good, inexpensive web hosting
Readable code is a good thing. Why are they arguing otherwise? :)
http://2stepsback.wordpress.com/2007/10/22/get-out-linux/
Point your client to this article.
Once they've read it they might be willing to ask their MS reps why their company would invest 100 million bucks in a venture where they're actively SUPPORTING migration to OSS products.
I'd LOVE to hear the rep's answer to that.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
The Microsoft firewall is so perfect
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
"First they ignore you, then they ridicule you, then they fight you, then you win." -- Mahatma Gandhi
They're getting scared now.
Help stamp out iliturcy.
And yet neither is inherently more or less secure.
Good code is secure code, whether it is open or closed.
The OP should be asking how to argue whether ANY software is secure. I believe this qualifies as mis-framing the debate (again).
This is a bit of a tangent but: If I get told to look at the code of an OSS application to fix it one more time I'm going to punch somebody in the face. Just because I can, doesn't mean I should be expected to waste my time getting familiar with another code base that I likely have no interest in developing for.
I used to think the open vs closed source security debate was mostly theoretical, until I started working on a closed source project and saw what's considered security.
"just make it work, we can fix the rest in the service pack. it's mostly used on intranets after all."
"no, no, we wrote the client app ourselves so we can trust it"
"can you generate a certificate key pair we can bundle with the app for the customers who want ssl?"
"or we could just hash the password and a timestamp, that way we won't need a challenge"
"but if you type in a single quote, you get a javascript popup saying it's not allowed"
No, I'm not making it up. I wish I was.
probably are developers who would rather help than hurt their projects. What a stupid idea that it would be otherwise.
It really trivialises the issue of security to say the open source is secure and closed source is not, or indeed vice versa. You really should not use ideology to evaluate the security of products and platforms.
It made me laugh when a poster here suggested that Apple's stellar security record is down to open sourcing of Darwin. What orthogonal universe is that poster inhabiting?
Another thought: Debian OpenSSL.
No, it's all a lot more complex which is of course why software developers find it so hard, as evinced in their results.
Another thing that makes security hard is the pathetic protocols that we all rely on. It doesn't matter whether your code is open or closed source, you really won't have much success trying to secure inherently insecure protocols like DNS, SMTP etc.
The whole idea of closed-source being more secure is like arguing Darwinism vs evolution by a creationist. The creationist will always misrepresent evolution as Darwinism. However, unlike creationism evolution itself evolves based on scientific evidence. Yes, it once started as Darwinism, but evolved into a rather complex theory on the behavior of DNA (not known by Darwin), to also include punctuated equilibrium and random mutation.
The closed source approach relies on security through obscurity. Except that, not even closed-source is that obscure. They generally use closed toolkits and closed operating systems. So once a problem in a toolkit or OS is found, all derived products are vulnerable. What's more if you're not even limited. The vast number of attacks come from buffer-overflow exploits. Anywhere you can input is an opportunity for hacking. The problem is once a problem is found you have to wait for the vendor to release the patch. You have no other course of action. You become subject to their development prioritization and processes.
Now, the problem they do refer to in open source does exist. You can scan through code looking for an exploit. You'll probably find one. But is it exploitable? For that, it has to be connected to user input in some way. But once the problem is discovered ANYONE can issue the patch. You can even patch it yourself! But the reality is these kinds of bugs only get made by inexperienced programmers, and they only persist in low-volume projects. The good news is the intelligent hacker isn't going to be looking at low-volume projects, since he needs to find users of the project to exploit. Just about any software of any importance will have several people looking over it. Hopefully one of them will be able to fix it. I call it my "First Release Vulnerability Theory". Often created by individuals to scratch an itch, the proper QA is not put into it. But by the time it is widely adopted, it should have been scanned by enough eyes that at least the exploitable bugs are fixed.
Finally remember proper security works regardless of development model. This means protected networks, using proper passwords and cryptographic techniques. The hacker should never even get to a login prompt, much less get in past the login prompt (be it network or local console)
Most hacking today is either buffer overflow exploits or password guessing. Interestingly, neither closed nor open source is able to deal with those in a distinctive way. Your best bet is to never use an array in C or C++, always use a bounds-checked container (available in both open and closed source models), and always have a strong password.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Open Source - You can get a snotty reply when you report the vulnerability while everyone tells you, if it's such a big deal fix it yourself.
Closed Source - Threaten to not pay until they fix it.
Proofs of security are mostly impossible. The arguments should base on empiric facts, objectively interpreted. For example:
- How many days in the last year did the systems have to run in a vulnerable state, between the disclosure of a severe security hole and its fix. I mean a hole that really affects it and where its exploitation would for example give root privileges to completely corrupt the running software. Or with other categories: Single service affected, confidential data affected, "only" denial of service.
- What is the expected risk of successfully cracking it? What do statistics say about other servers running Windows, Unix, Linux?
- Because money is always a factor: What solutions wouldn't be possible that low priced or at all with Windows? How much would management costs increase because of the inflexibility of the Windows operating system?
If someone says that this view on security is too difficult, then tell him that there is no true and useful simple answer like that of MS sales.
--
Lies, damned lies, and statistics
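One way to turn the "days in a vulnerable state" metric from the comment above into comparable numbers, as an added example that is not part of this thread. The advisory list is constructed, and the product names, categories and dates are placeholders rather than real advisories.

```python
"""Days-at-risk metric for comparing patch responsiveness between products.

Added example, not from the thread above. The advisory data below is
constructed; product names, dates and categories are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Severity buckets named in the comment: root compromise, single service,
# confidential data, "only" denial of service.
CATEGORIES = ("root", "single service", "confidential data", "denial of service")


@dataclass(frozen=True)
class Advisory:
    product: str
    category: str
    disclosed: date          # public disclosure of the hole
    fixed: Optional[date]    # date a fix shipped, or None if still unpatched


def days_exposed(adv: Advisory, window_start: date, window_end: date) -> int:
    """Days inside [window_start, window_end] the hole was public but unfixed.

    A still-unpatched advisory keeps accruing days until window_end; a hole
    fixed before the window starts contributes nothing.
    """
    start = max(adv.disclosed, window_start)
    end = window_end if adv.fixed is None else min(adv.fixed, window_end)
    return max((end - start).days, 0)


def exposure_report(advisories, window_start: date, window_end: date) -> dict:
    """Per product: exposure days per category, advisories still unpatched at
    window_end, and the single longest exposure window.

    Raw advisory counts are reported too, but they are the weakest figure: a
    product under more scrutiny gets more advisories, not necessarily more risk.
    """
    report = {}
    for product in sorted({a.product for a in advisories}):
        mine = [a for a in advisories if a.product == product]
        by_cat = {c: 0 for c in CATEGORIES}
        unpatched = 0
        longest = 0
        for adv in mine:
            if adv.category not in by_cat:
                raise ValueError(f"unknown category: {adv.category}")
            d = days_exposed(adv, window_start, window_end)
            by_cat[adv.category] += d
            longest = max(longest, d)
            if adv.fixed is None or adv.fixed > window_end:
                unpatched += 1
        report[product] = {
            "advisories": len(mine),
            "days_by_category": by_cat,
            "unpatched_at_window_end": unpatched,
            "longest_exposure_days": longest,
        }
    return report


# Constructed sample: one calendar year, two fictional products.
WINDOW_START = date(2008, 1, 1)
WINDOW_END = date(2008, 12, 31)
SAMPLE_ADVISORIES = [
    Advisory("distro-x", "single service", date(2007, 12, 20), date(2008, 1, 5)),
    Advisory("distro-x", "root", date(2008, 3, 10), date(2008, 3, 12)),
    Advisory("distro-x", "denial of service", date(2008, 7, 1), date(2008, 7, 15)),
    Advisory("vendor-y", "root", date(2008, 2, 1), date(2008, 3, 11)),
    Advisory("vendor-y", "root", date(2008, 5, 5), date(2008, 5, 5)),
    Advisory("vendor-y", "confidential data", date(2008, 10, 20), None),
]

if __name__ == "__main__":
    for product, stats in exposure_report(SAMPLE_ADVISORIES, WINDOW_START, WINDOW_END).items():
        print(product, stats)
```

Both sample products have three advisories in the window, so the count alone says nothing; the per-category exposure days and the still-open advisory are what separate them.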
"I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years."
Simply point out that they've been "test driving" open-source for 5-6 years.
Then go ahead and tell them that you'll switch over to Microsoft products, if they REALLY want you to. I'll bet my /. password, they will decline after pointing out the track record of what they have been using.
Point the companies to a list of outstanding security breaches of Windows and the like. Or responses like this is no bug, just a misbehaviour.
In OSS you may (mayhap even can) change any misbehaviour yourself or find someone doing so.
I know that EAL might not say that much, but it is a nice and clear concept. The most safe operating systems are those that are in fighter jets and all, with an EAL of 6+; there are a bunch of normal OSes evaluated at EAL4+, most of them open source, but also Windows 2000, and I believe Windows XP. Windows Vista thus far is evaluated at EAL1. So, right now just point your customers to these articles: http://en.wikipedia.org/wiki/Evaluation_Assurance_Level http://gabriel.lozano-moran.name/blog/PermaLink,guid,4dc0e36a-d623-4a89-9ae6-da6edd0d55bb.aspx
If the source is closed only black hats and the makers of the software will see it.
If the source is open everyone can see it, white hats, black hats, gray hats, regular people.
Who do you entrust with the source ?
This is superficially a very good approach from MS. Linux has 3 main issues on the security front:
- Made by hackers: the half-crazed asocial devs that make linux are the same demographics that hackers come from. Who says they're not doing both in one shot ?
- Nobody is responsible: who's gonna care when a vuln is discovered (especially since fixing vulns is no fun, and Linux is developed for fun) or, worse, when I get a virus? Why would the devs prioritize vuln fixing?
- Everybody can see the flaws so vulns are so much easier and quicker to exploit.
The answers to that need to be both intuitive (we're talking to management types here), aggressive (let's not forget, Linux does have the security advantage), and thorough (we want to quash that canard for good, and not leave MS wiggle room). I would go with:
- It's smart from MS to raise that very important point. Security is very important and has been a problem recently.
- But, IT's mainly an MS caused problem: how many Windows viruses have you heard of ? How many Linux ones ? (back that one up with stats)
- Do you trust MS when they say their product is safer? Do you have or can you get proof it is (no: closed source)? Do they have a good track record?
Actually, Linux has a security advantage:
- The gov/military use it. It has the highest security certification. (nobody cares it's in a fairly unusable config)
- big corporations support it and choose it for their own products: IBM, Oracle, Cisco
- if viruses are an issue, it's very important to have a diversified computing biosphere. Let's at least do 50/50, so that when the windows machines get infected again, at least the Linux PCs will still be working.
I would avoid getting too technical (admin rights, privilege escalation...)
The Cloud - because you don't care if your apps and data are up in the air.
Ah, but how do we know it is not true? Since it is closed source we can never be completely certain and just have to take someone's word for it....which is really the whole point of the argument for OS.
Because 1) Microsoft documents the heredity of their code well. They're not stupid. And B) the source code is widely available, both through legitimate channels like Microsoft's shared source programs and channels that are a bit shadier like bit torrent. Don't you think someone would have pointed anything embarrassing to Microsoft like this by now?
If Microsoft is so good at documentation why haven't they documented those 238 MS patents Linux and OpenOffice violate for the world to see? Why did it take MS years to provide to the European Commission all those documents the EC asked for?
Falcon
Should there be a Law?
Others here done a good job on the 'security' bit. Now, in these tough economic times, let's not forget the cold, hard cash.
If your existing customers are happy with their current installations, in terms of functionality, ease of use, maintenance and - of course - security, then why should they change?
That's why the m$ salespeople are pitching the 'security' line - you'd have to be really scared in order to pony up the huge cost of switching in today's tough times.
I'd (briefly) address the security question, then give the customer a rough cost of moving from FOSS to m$. Don't forget the cost of upgrading any hardware (for Vista), if required, and of course the anti-virus software, too ;-)
It's quite simple to reply to you... Microsoft wants to sell its own software and operating systems; all the others are competitors!
Talking about the UNIX longevity and about all the customers that have already switched to Open Source could help...
Those who do not understand UNIX are condemned to reinvent it, poorly.
Henry Spencer
Funny, a colleague of mine who is MVP in security also advised against having a customer database in an open source software...
I keep reading reports on these sites (and have had a few consulting companies call me up) to point out how because microsoft isn't open source it's both insecure AND "immoral" (whatever THAT means in software!). They also point out that "TCO" is a scam invented by capitalist know-nothings, and that things MUST be free. They also keep pointing out how *I* can write patches to fix ANYTHING in Linux, no matter how complex! Isn't that what a vendor is for?
How can I stop this barrage of fud?
Refer to reports on vulnerabilities and how fast they are fixed (sometimes statistics is the only language they understand).
For example:
http://secunia.com/ shows that Ubuntu 8.10 (latest stable version) has 0% unpatched advisories (0 of 41 Secunia advisories: http://secunia.com/advisories/product/20299/) while at the same time Vista has 10% unpatched (5 of 51 Secunia advisories http://secunia.com/advisories/product/13223/).
That's also being disinformed - the Microsoft itself is ENDORSING AND FUNDING Open Source!
Just put the phrase "Microsoft funding apache" in any web search engine. It was on Slashdot a few weeks ago anyway. And show that to your customers. MS's MCPs are telling that Apache is insecure? Well, Microsoft is funding it and telling that it's good, so it looks like those MCPs know crap even about things Microsoft has a say in officially, and they shouldn't be trusted in those matters, or probably in any matters.
This is Slashdot. Common sense is futile. You will be modded down.
I like how you instantly assume that OP is located in the USA. And how easily I can discern this by you using the term "our nation". Something you might want to think about.
Exactly why is F/OSS better? It's subject to peer review. Some of the best programmers in the world have access to, and readily submit, code for F/OSS projects (not to say that EVERY F/OSS project is superior, mind you). Look at why hackers use it. Aside from their ability to heavily modify their system, they're also extremely paranoid. I know plenty of hackers that contribute code and readily fix problems in F/OSS code because of their own paranoia. Look at why the DoD and NSA use it. It's laid out like an OS should be. ACLs, chrooting, SELinux, all of these help make it much easier to protect their own systems. Want a really good blast at Microsoft? OpenBSD: it's been around since 1994, there have only ever been 2 exploits off of the default config, and one of them was for a legacy version. Heck, OpenBSD + pf is what the Defcon guys use. And quite damn honestly, code that's open source has met the firing squad. Hackers CAN see the code and compile it themselves, making it EASIER to find exploits, yet Linux is regarded as far more secure, which just makes me think about how secure Linux REALLY is in comparison to NT. If you could place the NT source code in the hands of someone competent I'm sure it would be hell for M$ (just when you thought it couldn't get any worse than MS08-067).
That varies. Some vendors are really good, better than the majority of OSS projects. But yes, others are crap-shovelers; in some cases, where I've had access to the code under NDA, the code has been bad enough that I've just been left speechless.
I think the real determinant on quality is actually the skill of the people who have time to work on maintenance and development; the whole closed/open debate is pretty much orthogonal to that, except in how open code means that it is more likely (though not guaranteed) for someone good to look at it.
"Little does he know, but there is no 'I' in 'Idiot'!"
You ask them why they should trust a company that makes an email server that surrenders and hands over the entire server to someone who sends a very special mail. They have big architectural problems. That's what they find in the latest patch batch from Microsoft.
You have the classic difficulty of a computer expert trying to persuade decision-makers who are profoundly ignorant of how computers work (and, all too often, proud of it).
The Microsoft argument is entirely fallacious: in fact, the public availability of the source code is a strength, not a weakness. But how do you explain that quickly and clearly, to an audience that doesn't understand what you are talking about - when neither you nor they can admit that they don't understand? (Which would be the first step towards an honest and productive dialogue).
The good news is that more and more people (including, inevitably, some decision-makers) do understand something about how software works. We have companies like Amazon that couldn't earn a single red cent without their computers working as intended, and whose CEOs are quite clear about that - and consequently take the trouble to inform themselves about software.
Microsoft could be described as the company that made its fortune by exploiting the fact that most of its customers don't know anything about computers and don't want to. Fortunately, that has now become just one more reason why it is on the skids. In the long term, people will become educated about software if only because it is so important.
I am sure that there are many other solipsists out there.
Organize to have you and these vendors each bring along a system and a hacker. Their hacker tries to compromise your Free Software system, your hacker tries to compromise their windows system. That should settle it rather efficiently. Just to put a little doubt into anything the "I"SVs may say make sure your client reads this first http://www.linux.com/feature/131059
You must stress that being able to _read_ the code is not the same as being able to _write to the released codebase_. This is an assumption I have encountered again and again and again.
The evil thing is, people don't ask about this, they assume it's fact and that's that.
"We" need to make sure this myth dies.
Sometimes the best way to make people see what's going on is to shock them. Ask these two questions:
If they answer "yes" to either of these questions, then simply state that they are too susceptible to fear mongering and distortions of reality to convince otherwise. When they move everything to proprietary software and find the reliability of such solutions to be lower than what they've experienced the past 5-6 years, that will be their wake up call. They clearly need the experience of being deceived by these Microsoft shills to understand what the rest of us see as clear lies.
If they answer "no" to the above two questions, then all you should have to do is explain that the fear mongering from Microsoft-based businesses is the exact same technique that was used by the Bush Administration and the Republican presidential campaign to create Fear, Uncertainty, and Doubt in the minds of The People to support their proprietary goals. Transparency in software, as in government, is what is needed. Open Source is all about transparency.
Yeah, and MS Windows never gets hacked or infected with viruses... IIRC, didn't MS recently advise people to start using something other than IE because someone had spotted a gaping hole in it? Probably not a good line to take with potential clients though, it's a bit mealy-mouthed and sinks to MS's level.
I seem to remember a study which indicated that "well run" projects were more secure in use than "not so well run" projects. Open Source projects like Linux and Apache have to be well run to function.
I guess that would indicate that MS doesn't run its projects well...
(Copied from the Wikipedia entry on "Kerckhoffs' principle")
Bruce Schneier ties it in with a belief that all security systems must be designed to fail as gracefully as possible:
"Kerckhoffs' principle applies beyond codes and ciphers to security systems in general: every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness, and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility."
"these people lie to you. They blatantly, professionally lie to you. Take a bit of time to ask for facts and check them, you'll see they are liars. This is a good enough reason not to buy anything from them."
"There are no antivirus for linux, because there are no efficient virus for it."
"Security updates stay free, and of the same (if not better) quality as Microsoft's"
"You don't see open source salesmen, yet, it spreads. Must be for some reason ?"
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
I would advise them to look at Microsoft's annual reports and see how Windows and Office are producing immense profits for the company. And even after subsidizing other unprofitable businesses the company is making unhealthy (competition-wise) amounts of profit. Are your clients willing to pay this much extra for the company's own claims of security?
Open source is only as secure as the users who use it and the developers. Obviously having more developers/testers involved can make it easier to find vulnerabilities... But for smaller projects it's difficult to tighten security if there are a small number of developers or people to report the insecurities. The same goes for closed source though; the only difference is that the vulnerabilities of open source are usually easier to find because the source is available.
Closed source applications and OS's are NOT peer reviewed; you have only the developer's word! What guarantees does the user have that proprietary software does as it is marketed to do!! No one knows how secure or insecure these applications may be. Security goes way beyond just being able to directly hack through a software vulnerability. What about the hundreds of thousands of Malware, Trojans, Viruses that attack closed source programs, steal your passwords, mail out your documents to arbitrary addresses, delete your data. And it is said proprietary software is SECURE - Please get real
It's the same old story.. Comparing apples and oranges but with the major risk of ignoring the truth. Where Microsoft tries to make things as user friendly as possible by closing as many "gaps" as possible, Linux (and other Unix(-like) systems) have always maintained the (compared to Windows) open structure. Meaning: you can log on using the command line and do anything you want, but nowadays you can also do a lot using a GUI. But the main difference is that Unix is not so forgiving of mistakes; it will easily allow you to trash your entire system if you feel like it.
What I'm getting at here is that one major risk with regards to using Unix(-like) systems can indeed pose a major risk to those who aren't fully familiar with the system yet consider themselves "pro" enough to take such a thing online. Enter the rootkits, malware and all nasty ickiness coming from that (in most cases YASR (yet another spam relay)). On these kinds of systems you have to know what you're doing, otherwise you get into trouble. And since most users tend to approach this in a Windows-like manner the danger is very real. It's ironic though that MS should warn of a situation which they've basically created themselves. Nothing new here..
Another risk factor, a lot more minor but still present, is continuity. Like it or not, your average OSS project is prone to fall into this trap. You can't rely - per definition - on OSS to maintain their current standards and to continue on the same path. Or to put it more technically: not every project is /backwards compatible/ per definition. So there are real risks involved when adopting open source software. I'll skip the obvious ones because that's a common issue which seems only to be used for bashing. So yeah; while I agree that the whole thing seems silly, it's wise not to stick your head in the sand and pretend that nothing of what they say is true. It's all a matter of context and not trying to compare apples and oranges.
Linux is so secure with its open-source software that the Russian Government is switching to RedHat... (A Whole Government!)
I think the real question is, how the hell can anyone think anything BUT open source software is secure?
WTF!
From http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/
Myth: Open Source is Inherently Dangerous
The impressive uptime record for Apache also casts doubt on another popular myth: That open source code (where the blueprints for the applications are made public) is more dangerous than proprietary source code (where the blueprints are secret) because hackers can use the source code to find and exploit flaws.
The evidence begs to differ. The number of effective Windows-specific viruses, Trojans, spyware, worms and malicious programs is enormous, and the number of machines repeatedly infected by any combination of the above is so large it is difficult to quantify in realistic terms. Malicious software is so rampant that the average time it takes for an unpatched Windows XP to be compromised after connecting it directly to the Internet is 16 minutes -- less time than it takes to download and install the patches that would help protect that PC. [3]
As another example, the Apache web server is open source. Microsoft IIS is proprietary. In this case, the evidence refutes both the "most popular" myth and the "open source danger" myth. The Apache web server is by far the most popular web server. If these two myths were both true, one would expect Apache and the operating systems on which it runs to suffer far more intrusions and problems than Microsoft Windows and IIS. Yet precisely the opposite is true. Apache has a near monopoly on the best uptime statistics. Neither Microsoft Windows nor Microsoft IIS appear anywhere in the top 50 servers with the best uptime. Obviously, the fact that malicious hackers have access to the source code for Apache does not give them an advantage for creating more successful attacks against Apache than IIS.
That's not a good analogy to use. Knowing how an average cheap Master lock is made makes it *very* easy to hack, because the design is defective. I can pick the key locks in seconds, and the dial locks are similarly easy with a simple tool. Good locks confound me, but people with more skills can do it. And therein lies the rub: A well secured OS isn't a better designed lock. It's simply impervious regardless of the skill of the attacker.
The blueprints of a competently made vault door would be a better analogy, but it brings up too many memories of movie bad guys tunneling in... Which honestly is still an accurate analogy: If you can't break the security system by design, you circumvent it. But it doesn't make for a great argument.
This is exactly the point and the message you should feed back to them. With open source, they don't have to take your word for it. There is also the word of an entire community that is constantly examining the code and will blow the whistle as soon as they spot a problem. Or they can take the word of Microsoft, that their product really really is secure, honest, but no, it can't be examined to make sure.
Yep, picking up the FUD campaign again. Maybe due to this?: M$ New PR Guy.
~Just as a thing fails if it lacks a kernel, so too it fails if it lacks a skin. ~ Rumi, Discourses
How do you argue that closed source software is secure?
My argument: all software, closed and open source, has security flaws. You can look at the history of security patches in Windows to know that MS software is no more or less immune to security holes than any other software.
So the question becomes not whether a piece of software has holes, but:
- How bad the holes are compared with the competing product.
- How likely the holes are to be exploited in a way that hurts.
- How likely the software is to get holes plugged before they are exploited in a way that hurts.
An advantage active open source products have over closed source products is that very often the non-malicious folks who find a hole also provide the developers with a fix, something that's not possible in closed source software.
Another chunk of ammunition is:
http://scan.coverity.com/rung2.html
which shows a pile of open source software projects that have submitted themselves to coverity's source code scanners and have climbed their ladder relentlessly plugging holes it's found.
This sort of data is naturally not available for most closed source projects.
Exactly. If you can't prove it's secure, then you must assume it's insecure. Penetration testing is a start. Code auditing and automated analysis, unit testing, honeynets, design by contract (including specification of what exceptions methods throw), and even mathematical proofs of code reliability would be better.
Of course, until most open source code has enough documentation to specify its intended purpose, so that you can actually test that it meets those specifications, most of this is a moot point.
OK, you can say that the author's background may bias him somewhat, but then Microsoft's claims are open to the same criticism.
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/
The best line though is that old favourite, "well, they would say that, wouldn't they", particularly if you then explain the dependence Microsoft has on business and Office in particular.
On the other hand, you can also find out who the Microsoft vendors are that are making the claims and report them for false advertising or fraud. At best, the current situation (i.e. which system is most secure) is debatable, and at worst a matter of opinion, and it will remain this way until a truly independent analyst manages to definitively show otherwise.
Hmmmmmm..... Deep fried and look like Squirrel.
It is difficult to formulate an answer that people can understand. They can barely understand what source code provides in the way of security risks so they tend to believe that it is a risk when informed.
So I might answer with names of big, reliable and well-known entities making heavy use of Linux. "If that were true, the NSA wouldn't use Linux in their sensitive operations, and Google wouldn't either. IBM has also staked their solid reputation on Linux. I just can't imagine why they would risk so much if it were unable to be locked down. You are confused about the difference between knowing how a lock works and a lock being easy to open without a proper key."
While that may be true, with oss you have the choice...
You can wait for the original vendor to fix it for you.
You can wait for an arbitrary third party to provide a fix.
You can fix it yourself.
You can pay an arbitrary third party to fix it for you.
Closed source only gives you the first option, open source gives you all 4. Just because you aren't capable of fixing it yourself, doesn't mean someone else won't do so and provide the fix.
With closed source, if the original vendor doesn't provide a fix you're screwed... With open source you always have a backup plan. You'd have thought having a backup plan and a second source would be standard practice in business or government procurements.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
06:35:53 up 299 days, 10:52, 6 users, load average: 0.00, 0.00, 0.00
Yeah, because I get hacked all the time on my open-source operating system.
Is Windows even *capable* of being up for ~300 days?
I wonder what MS is telling people about the multitudes of embedded devices out there that run Linux? Is MS telling people that their Cisco Home-tier stuff is vulnerable? Hmm?
I've had to deal with this FUD before with my clients. All it usually takes is an explanation that open source code is constantly being peer-reviewed and patches usually come within a day of discovering an error, whereas Microsoft takes weeks to months to patch the majority of their serious security flaws, and there is no external review process, so you never know if the patch is good.
I even ran a demonstration for a client once. I plugged a Windows box directly to the Internet (with Windows Firewall ON) and went for lunch with the client. The windows box had not only crashed during that time, but was completely un-bootable when we returned. I then plugged in the Linux router, and it has been on ever since... about 299 days, 10 hours, and 52 minutes.
Ask them what they think about this situation:
If you had two locks to choose from: one that is highly mainstream, which is sold at every hardware store and megamart across the country, for which picking tools come with every toolbox, and whose maker only addresses flaws every couple of months,
or
A lock that you had to get from a specialized "lock"-shop, which gives it to you for free if you promise to pay them to look after the lock every few weeks, whose tools are far more complicated to handle and whose training is largely focused on specialists.
Which one would you choose if you knew that millions of the standard locks are picked every day? That is as easy as I can break it down.
or do you prefer snake oil remedies for infections?
Second: in Europe (except the UK) you can sue the callers in court for disturbance of business, and maybe even for fraud. If vendors place such calls and make such claims about unsafe FOSS, they have to deliver proof or they have to recall their statements publicly in the media!
As I see it you're holding two double-edged swords. In the one hand you have code that can be reviewed by everyone. If someone finds a security vulnerability and chooses not to report it, that's one edge. The other edge is that you have more eyes reviewing the code, so in theory security vulnerabilities are more likely to be found and fixed. In the other hand you have code that a select group of people review. If a security vulnerability is found by the vendor or a third party it may or may not get reported and fixed. The "advantage" being that since not everyone can review the code, theoretically fewer security vulnerabilities will be found; that does not mean they don't exist.
In either case, if you are wearing body armor, i.e. defense in depth, and you lose your balance, you'll not be as badly hurt.
The roots of education are bitter but the fruit is sweet. --Aristotle
Isn't the phrase "Microsoft Professional" an oxymoron?
"This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.'"
Wow. PGP can be hacked with ease? I'd like to see an example of that one.
Read a part of the MS EULA to your customers, without telling them which OS it applies to. At the point when MS disclaims every liability and all warranties, ask them if they would buy a car or kitchen appliance if it had a similar warranty. Only when they gasp with horror, reveal it's the MS EULA.
Ask your customers how many people have independently audited Microsoft's code and published the full results?
Ask them whether MS's code hasn't leaked out, so that its insecurities can't have been explored by untrusted parties (answer: no).
Ask them how long critical security vulnerabilities have typically lasted in Windows, especially IE, before being patched. http://secunia.com/advisories/product/11/
Ask your customers if they know how many people across how many companies have worked on the linux kernel and have verified code quality independently. http://www.linuxdevices.com/news/NS6925891609.html
Ask them if they know how long the average security flaw in Firefox has lasted before being fixed?
With the risk of being modded into obscurity and burning all my karma:
Simply don't venture into the trap that OS is inherently more secure than closed source. It is unfortunately easily refuted. PHP, WordPress, Typo3, Drupal are all open source projects with very challenged security track records.
Security and open source, despite popular belief, seem to be orthogonal concepts. It seems to have more to do with the QA/QC processes in place than with the actual development model.
IBM just released a report which shows that Vista and Windows Server are actually hit by fewer vulnerabilities than "Linux kernel", although suffering from more malware. http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
It actually shows that through 2008 the Linux kernel experienced 2x the vulnerabilities of Vista/Server 2008, and Apple OS X was hit by 3x the vulnerabilities.
The IBM X-Force team went through the disclosed CVEs and attributed them to the operating systems. This way they didn't multi-count Linux because of multiple distributions, and also they didn't count vulnerabilities from the bundled apps from the distributions.
You may claim (as many surely will) that MS somehow "hides" vulnerabilities. However, that doesn't seem to be the case when you look at the information (the "bulletins") which is supplied with each patch.
Simply put, security seems to be an orthogonal issue. Open source does not seem to automatically or inherently guarantee fewer vulnerabilities or better in-depth protections. It doesn't seem to make it worse, though.
Claiming so will only make you vulnerable to counter-examples (of which there are many) and will allow the MS lackeys to paint you as an ideology-driven zealot.
Chunk it down. Point to the security track record of the products you recommend. Leave out the claim that they are more secure because they are OS, just claim that the products are produced by vendors that are accountable, dependable and transparent with proven security records.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source.
I am a Microsoft Certified Professional and I work for a Microsoft Gold Certified Partner company. I'm not aware of any push nor have I seen material from Microsoft to encourage / support us making this push. Citation needed.
If somebody asked me if OSS was secure, I'd just give them this link. Why didn't Smidge207 think of that?
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/WEwXU8vwEqE/article.pl
Tell your customers and clients that any security system based on secret information is doomed to fail as soon as the secrets are distributed. If it's really secure it won't matter that the bad guy knows how it works. If words aren't enough, make a test case out of the guitar string company "Ernie Ball" that featured recently in /. Mr Ball points out a whole list of M$ propaganda and myths.
Gotta love these M$ guys. "That free shit over there that can be scrutinised is not as safe as our expensive shit here that relies on secrets and lawyers. By the way, do you have the newest version of our piece of expensive shit? If you don't have the latest version of our shit then TerrorPaedophileCommunists will e-rape your wife and kids (terms and conditions apply)."
This message was scanned by European governments and contains no terrorism.
He's talking about the web server. The first two weren't web site hacks, and the Air Force was back in 1996. The Navy web site hack was in 2003, and strangely, although the OS is reported as Linux, the web server for the last few years has been "Microsoft-IIS/6.0". I presume they're using a Linux load balancer and a Microsoft web server.
The NSA uses Linux. http://www.nsa.gov/research/selinux/
I think we're straying a bit OT. The original question to which I was responding was whether or not OSS is more or less secure than non-OSS software. I'll grant that fixing bugs in OSS software, due to the numerous eyes looking at it, may be quicker.
Keep in mind, I'm writing this on an openSUSE laptop, running a combination of both OSS and non-OSS software (vpnclient, Outlook) and connecting occasionally to my corporate network and using KRDC to connect to a non-OSS Vista workstation.
The Kai's Semi-Updated Website Thingy
Countermeasure: Education.
'anyone can read the code and hack you with ease.'
Use the opportunity to explain to them that if reading the code reveals possible hacks, then indeed the code sucks. Cryptography teaches us that knowing the algorithm doesn't give you an "in", unless the algorithm is flawed. Example: Knowing that the file was AES encrypted doesn't allow me to decrypt it (without the key), even though the AES algorithm is public knowledge.
You could also ask two provocative questions:
One: Why then are public standards public, if knowing how things work would make it easy to exploit them?
Two: If knowing the code makes it easy to hack you if there are bugs in the code - then what does Microsoft have to hide, by hiding the code? All the bugs that make hacking it so easy, perhaps?
Third alternative: you could point out that the source code to Windows is widely available (lots of companies and universities have source code licenses), and has in fact been leaked to the general public several times.
My preferred alternative would be "if you believe that shit, you're a lot dumber than I thought", but you probably can't say that to customers.
Assorted stuff I do sometimes: Lemuria.org
The Windows kernel source code is also available for audit and research purposes. Your organization just needs to sign up through Microsoft's Shared Source Initiative http://www.microsoft.com/resources/sharedsource/default.mspx. Many governments already have access to the source code for various Windows versions http://www.microsoft.com/presspass/press/2005/feb05/02-10NISTPR.mspx. Academic access to the source code was also used to port Windows so it would function under early versions of Xen (w/o hardware virtualization support) http://www.cl.cam.ac.uk/netos/papers/2003-xensosp.pdf & http://en.wikipedia.org/wiki/Xen. Access is probably not "free" in the sense that anyone can download it. But source is available.
I just did a GSEC bootcamp where the instructor used the argument that China has access to the Windows source code to stir people's security concerns up. No-one seemed bothered by China's access to Linux, BSD, or other FOSS kernels. It was kind of comical.
Like most security issues it can be framed as a question of trust. You trust a bunch of people you probably don't know personally to audit the Linux kernel, trust your government to audit the Windows kernel, or trust Microsoft to do the right thing. Seems like you need to trust strangers.
Or I guess you could go paranoid and build your own secure operating system...do you trust your compiler and hardware maker? Maybe I better start my own chip fab and compiler project?
Closed source: Hey, I wanna buy your car. Here's a gift card. Yeah, it still contains $20k! Trust me!
Open source: Hey, I wanna buy your car. Here's $20k in cold, hard cash. Yeah, sure, use your pen and UV light on it if you like.
Subject says it all. Several fighter planes of the French air force had to be grounded because their Windows-based computers got infected by a virus.
Malware creators don't need source code to find vulnerabilities. However, knowing that your source code can be seen by the world gives a really strong incentive to write code that not only is good, but that is obviously good. Take as an example the recent Zune disaster where all Zunes had problems with the 29th of February. That bug was caused by code that was just written in a stupid way. Any experienced programmer would have known just by looking at the code from a distance that this bit of code was "asking for trouble". It looked like code that was written by someone with no understanding of the problem and modified again and again until it mostly worked. Which wasn't good enough. Open source applications avoid that kind of code, because you don't want the whole world to see that you don't know your stuff.
Considering they are coming from an uninformed "I will believe the big company when it speaks" paradigm, you could come back with "Well, you may want to consider that Cisco Intrusion Detection Systems have been based on Linux for years and they have even started using Linux as the OS for their firewalls and new switches, as well as the open source antivirus ClamAV as part of the desktop security solution 'Cisco Security Agent'"... While the statements themselves say nothing regarding the security of these products, it certainly is attacking the mindset of the purchasing goons for your company with something they will relate to. Disclaimer: Yes, I do work for Cisco.
meridian at tha.net
The fact that the Department of Defence is moving towards using more and more opensource software is one of the easiest facts to point out in support of the secure nature of opensource.
AES, RSA, and all the rest are published standards. Now, some companies claim that they can't reveal what kind of encryption they use or it would severely degrade their product. I'm not naming names because I have none, this is just a vague recollection. Just go with the high level idea.
I once encountered a product that protected some internal information with the RSA algorithm. The key was the product of two large prime numbers. The large prime numbers were the tenth prime number above 2^63, and the tenth prime number below 2^60. Looks like they took their large primes from Knuth's "Art of Computer Programming". I factored the product using pen and paper :-)
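The weak key described in the comment above, as an added example written for this page (not code from the thread or from any product it mentions): it rebuilds a modulus from the tenth prime above 2^63 and the tenth prime below 2^60 and then shows why such a key is worthless, because trial division over a small window around every power of two recovers the factors in well under a second. The same check is the kind of key-hygiene test a reviewer would run over an RSA modulus before trusting it; the window size and the Miller-Rabin base set are my assumptions.

```python
"""Weak-prime check for RSA moduli (added example, not from the thread).

The comment describes an RSA key built from "textbook" primes: the tenth
prime above 2^63 and the tenth prime below 2^60.  Primes that sit right
next to a power of two are recoverable by trial division over a tiny
window, which is what this script demonstrates.
"""

# Deterministic Miller-Rabin base set for n < 3.3e24 (assumption: this
# covers every modulus handled here).
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin primality test, deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def nth_prime_above(x, m):
    """The m-th prime strictly greater than x."""
    c = x + 1
    while True:
        if is_prime(c):
            m -= 1
            if m == 0:
                return c
        c += 1


def nth_prime_below(x, m):
    """The m-th prime strictly smaller than x."""
    c = x - 1
    while True:
        if is_prime(c):
            m -= 1
            if m == 0:
                return c
        c -= 1


def weak_modulus_from_comment():
    """Rebuild the (p, q, n) the comment describes."""
    p = nth_prime_above(1 << 63, 10)
    q = nth_prime_below(1 << 60, 10)
    return p, q, p * q


def factor_near_powers_of_two(n, window=10000):
    """Trial-divide n by every odd c with |c - 2^k| <= window, for all k.

    Returns (p, q) with p <= q when a factor is found, else None.  The
    window of 10000 is an assumption; ten consecutive primes near 2^63
    span only a few hundred integers on average.
    """
    if n > 2 and n % 2 == 0:
        return 2, n // 2
    for k in range(2, n.bit_length()):
        base = 1 << k
        lo = max(3, base - window) | 1          # first odd candidate
        for c in range(lo, base + window + 1, 2):
            if c < n and n % c == 0:
                return tuple(sorted((c, n // c)))
    return None


if __name__ == "__main__":
    p, q, n = weak_modulus_from_comment()
    print(f"p = {p}\nq = {q}\nn has {n.bit_length()} bits")
    print("recovered factors:", factor_near_powers_of_two(n))
```

The lesson for a key audit is that primes must come from a cryptographically secure random source spanning the whole target bit range; a modulus whose factors lie within a few thousand of any 2^k fails this check immediately, no matter how large the numbers look.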
One thing sales people often forget is that using fear does not help make sales. It slows the sales process. I suppose this tactic is good for delaying the inevitable or poisoning the well so if you lose so does the competition. Here's how it works:
Cust: We're thinking about going with MySQL for that database instead of SQL Server.
Sales: MySQL is open source and people can get the source code and easily hack it.
Cust: Hmm. I've never heard that. The other vendor said that I shouldn't trust MS SQL because it has a history of being hacked and no one outside MS has audited the code.
Sales: Sounds interesting. Here's our contract. Do you need to borrow my pen?
Cust: Not yet. I'm going to research this further.
Sales: (head explodes)
-- $G
Anyone can see the machine code on your closed-source software and hack you with ease.
Security through obscurity is worthless. These are blatant, obvious lies.
Life would be easier if I had the source code.
How to argue that open source is secure? You don't.
You can't argue that open source, in general, is secure or insecure, nor can you argue the same for proprietary code in general; it's a stupid argument.
Availability of source does not make something inherently more or less secure, it just makes something potentially easier to fix by someone who isn't the vendor (assuming they have the knowledge and expertise to do so, of course).
Similarly, proprietary code is not inherently more or less secure, it just removes the fix it yourself option, but on the other hand, makes it potentially easier for the vendor to fix things, because you haven't mucked around with the system.
Open source is probably the better option if you want to be able to fix it yourself if need be. Proprietary code seems to be the better choice if you'd rather have somebody else do it for you, which is why the long term support plans (and I mean 10+ years long term, Solaris-style) are so attractive.
Arguing that open is _inherently_ better than closed or vice versa solely on the basis of being open or closed is a stupid argument. Think of it: if it was obviously secure by design, why would you need advice on how to argue it? You seek advice on how to argue it because there is no obvious argument. Ultimately though, it's about what best suits your needs and best suits the task. Open source doesn't win at everything, and proprietary doesn't lose at everything.
And with all this expenditure, here http://yro.slashdot.org/article.pl?sid=09/02/10/2012201
they now (within the economic crisis) are trying to make more money back by making all sorts of people swallow some unproven facts....
The problem comes from when M$ feels the crunch and has to resort to even more evil tactics then usual. Open source is actually safer, because the code is open for all to see, who in their right mind (expert opinion here) after finding a flaw, would not wake the community up to it, and help by fixing it, because if he doesn't someone else will, and get the credit for it.... so I don't agree with M$ on this one...they are just strapped for cash...maybe they should stop spending so much on crappy ideas, and more on reorganization of the company infrastructure.
http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/ This site addresses your concerns about Windows vs Linux.
Windows on a mac is Windows under Supervision. - Frank Soltis(Chief Scientist/Designer of AS400)
How To Argue That Closed Source Software Is Insecure?
You are secured in your castle because you have a tall wall around it. Now you can have two types of walls, one with shrubs and plants on both sides, so you cannot really see the wall, and the other one without them, you see the wall cleanly. If there is a hole in the wall, you cannot easily see it in the hidden wall, but it's also more difficult for the attackers. If there is a hole in the clean wall, the attackers can easily see it, but so can you. Which wall would you prefer?
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
there wouldn't be any bugs found in closed source software... right? Morons who claim this have no brain with which they think. If "seeing" the code was the only way to exploit bugs then microsoft would never have had a bug.... ever. Neither would Oracle's closed products, or IBM, or anybody else. If that was all it took to prevent exploitable holes from being found OSS wouldn't have a chance. Fortunately any ten-year-old can run a fuzzer and overflow a buffer and demonstrate the fallacy here. OSS just means anybody can find and report it if they are so inclined. If closed-source was the end-all-be-all then Patch Tuesday, which even non-techies know about, would not exist. Period.
Since 2004 the source code for Windows has been available for $20 on blackhat websites. So it's available for scrutiny by a very select few, since possession is criminal.
How do you verify that this is the code that is on your machine? After an update?
See if you can still hack it.
Who are you going to believe? The monopolist who sells the most insecure operating system on the planet, or the US Department of Defense, which has some of the highest security requirements anywhere?
DOD launches site to develop open-source software
By Doug Beizer, Jan 30, 2009
link
Defense Department officials have launched a new Web site where developers can work on open-source software projects specifically for DOD, David Mihelcic, the chief technology officer for the Defense Information Systems Agency (DISA), said today.
The new site, named Forge.mil, is based on the public site SourceForge.net which hosts thousands of open-source projects, Mihelcic said at an AFCEA Washington chapter lunch in Arlington, Va.
"It really is SourceForge.net upgraded to meet DOD security requirements," Mihelcic said.
Quite Simple...just ask them how many Linux viruses they have heard about as compared to Windows viruses. FUD...two can play at this game.
Besides, when you are arguing the best position is to be on the offensive... so don't make the mistake of trying to defend with valid reasons, because if you are being defensive you have kind of lost the confidence of the third party listener who thinks you are just giving excuses unless they are competent enough to understand the reasons and details you provide.
When I first started using Linux in '93, more or less under the table, I heard much the same thing. Some in my management and with my customer's Government org would say much the same thing. It was an ingrained belief by those whose first experience with a computer was a DOS or Windows computer. They often believed that a Windows-based computer was the only computer ever invented or that was ever useful.
Many of these are now in their 40's and 50's and in management (PHBs and the like). This is a play directly to those.
People like me who chose to remain technical and use Linux + open source can be easily marginalized by a dictate by a PHB if the PHB reads a couple of articles that say open source is insecure. The advantages we have today are:
1) 15+ years of Linux, BSD, Apache, etc.
2) Adoption of Linux, etc. by IBM, Apple, Oracle
3) NSA-supported SeLinux
4) NASA supported Beowulf
5) Microsoft's continued battle with viruses
6) Google and Wikipedia to get the truth out
Obviously, MS MAKES you reboot, Linux doesn't. That does NOT translate to 'it is ok not to reboot your linux server after patching'.
Consider: you install a patch due to a security hole in a library which you have loaded into Apache as a shared object. Until you AT LEAST restart the application the vulnerability is STILL there and still active.
Now, when this vulnerability is in some widely used shared library (oh, say like libstdc) then you pretty much might as well reboot, even if TECHNICALLY you might be able to clear it from memory without doing so.
All things considered it is just plain safer to restart your server after applying patches. Same goes for workstations, though it is obviously not really a big deal there.
If you apply patches, reboot. All MS did was make it official, which basically forces admins to do what they absolutely need to do anyway. It is a non issue.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
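The situation the comment above describes (a patched library on disk while the vulnerable copy is still mapped in a running process) is visible on Linux, because the kernel marks mappings of replaced files as "(deleted)" in /proc/<pid>/maps. The following is an added example written for this page, not code from the thread: it parses maps-format text and reports file-backed mappings whose backing file has been replaced, then applies that to every process it can read. The sample maps lines, addresses and inode numbers are constructed; the exclusion of /dev/ and /memfd: paths (normal, non-stale deleted mappings) is an assumption about what a reviewer wants filtered.

```python
"""Report processes still executing code from replaced (patched) files.

Added example for this page, not from the thread.  After a package update
replaces a shared object, processes that loaded the old file keep it
mapped and /proc/<pid>/maps shows the path suffixed with "(deleted)".
Until those processes restart, or the host reboots, the old code runs.
"""
import os

DELETED_SUFFIX = " (deleted)"

# Constructed sample in /proc/<pid>/maps layout: an Apache worker that still
# has a pre-update libssl mapped, plus anonymous, non-deleted and /dev/zero
# mappings that must be ignored.  Addresses and inode numbers are made up.
SAMPLE_MAPS = """\
55d1c4a00000-55d1c4a4d000 r-xp 00000000 08:01 131211 /usr/sbin/apache2
7f2e3a000000-7f2e3a1c5000 r-xp 00000000 08:01 262399 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f2e3a1c5000-7f2e3a3c4000 ---p 001c5000 08:01 262399 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f2e3a400000-7f2e3a5e0000 r-xp 00000000 08:01 262401 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f2e3b000000-7f2e3b021000 rw-p 00000000 00:00 0
7f2e3b100000-7f2e3b101000 rw-s 00000000 00:05 1234 /dev/zero (deleted)
7ffd1e2c0000-7ffd1e2e1000 rw-p 00000000 00:00 0 [stack]
"""


def stale_mappings(maps_text):
    """Return sorted, de-duplicated paths of deleted file-backed mappings.

    Each maps line is: address perms offset dev inode [path [(deleted)]].
    Splitting on whitespace at most five times keeps the path intact.
    """
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5].rstrip()
        if not path.endswith(DELETED_SUFFIX):
            continue
        path = path[: -len(DELETED_SUFFIX)]
        # Assumption: /dev/ and memfd-backed deleted mappings are routine and
        # not evidence of an un-restarted patched program.
        if path.startswith("/") and not path.startswith(("/dev/", "/memfd:")):
            stale.add(path)
    return sorted(stale)


def scan_processes(proc_root="/proc"):
    """Map pid -> stale paths for every /proc/<pid>/maps we may read.

    Reading another user's maps needs root; unreadable or vanished
    processes are skipped rather than reported.
    """
    findings = {}
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_mappings(fh.read())
        except OSError:
            continue
        if stale:
            findings[int(entry)] = stale
    return findings


if __name__ == "__main__":
    print("sample:", stale_mappings(SAMPLE_MAPS))
    for pid, paths in sorted(scan_processes().items()):
        print(f"pid {pid} still maps replaced files: {', '.join(paths)}")
```

Run as root after applying updates; any process listed is still executing the pre-patch code and needs a restart, which is the practical content of the "just reboot" advice in the comment. An empty result is the condition under which skipping the reboot is actually justified.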
For Dutch customers, there's an excellent and highly publicised example of why open source is better than closed proprietary algorithms: the new public transit chip card (OV chipkaart).
This new chip card is meant to become the new universal standard for paying for public transit in the Netherlands. Big project, and it needed to be secure, so they hired a company with their own secret, proprietary encryption system to handle it.
Anyone who knows anything about encryption can see the next step coming: as soon as it became big and the first chip cards became available, real experts started testing the security, and it was quickly broken. Several times, by different people, in different ways.
There's lots of other problems with this new chip card, they went way over budget, there are privacy issues, detection gates behave erratically etc, but this single issue, using private amateur encryption instead of an established and well tested system, is just really amazingly stupid.
It's already in production in Rotterdam. You have to use the card, no other option. And everybody knows it's insecure.
Ok, with open source it should be a lot easier for bad guys to identify and even insert security holes.
However, security holes are a severe problem mainly when we don't know about them. Once we know about them, workarounds and fixes can be devised. And, in the case of open source, it is much easier to find and fix security holes.
The holes are found by the community or the maintainer and generally the existence is made public pretty much immediately whether it's a small or large hole. Closed source you might wait months before you hear of it and still longer for a fix. Open source you know RIGHT NOW, and if it's a popular piece of software a fix is probably in the works within minutes of hitting the bugtracker.
Now an argument could be made that this doesn't work well for smaller, less popular projects. Maintainers might have disappeared, and there might not be enough people who know the code to produce a prompt fix from the community. Ok, fine, I won't argue against this. However, closed source apps put out by companies in similar situations will suffer the same problem: no company is behind it that has the resources to fix problems. With open source, you can at least hire someone to fix your unmaintained app. Sure, it might be expensive, but at least you have the option; with closed source, you're just screwed if it's mission critical.
It's all about talking to people in terms they can understand and relate to. For instance, if you are talking to an accountant, then give this scenario about filing (their personal) taxes:
Would you rather give it to a company that would have one (unnamed) "professional" prepare and send it, but neither you nor anyone else could look at the final document submitted,
OR
Would you like to give it to an entire group of professionals who will all take a look at it, discuss and then allow you to see what they did and even ask questions as to why they chose the decisions they made. Afterwards, you would still not be obligated to use it.
Sometimes even the most basic "computer" analogies will go over non-techies' heads, so you have to find a way to adapt the reason(s) you personally use OSS to their "mindset."
When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
i like how every foreigner on here has to jump on someone who mentions anything about the US. don't like it? go find a site in your region that covers the same topics.
from the fucking FAQ
something you might want to think about.
check some of the recent posts here, about super secure networks being hacked... then use Netcraft (heh!) to show which OS they run.
That should prove your point.
It does make it easier to hack when the source code is available (though saying it can be done "with ease" is certainly hyperbole). However, it also makes it easier for good guys to find and fix security issues as well. But in the end they're advocating "security through obscurity." There are numerous references available about why security through obscurity doesn't really work.
Here's some advice for you! Tell all those half-assed IT employees you work with to stop kidding themselves in thinking they are "Information Technology" professionals. You wouldn't call the Stanley Steemer guy a technology professional, would you? NO, of course not, because he doesn't know how the steam cleaner works, he just works it. Same goes for all those Microsoft lackeys: they are all just a bunch of lame jerk-offs who were too lazy to get training in any real technologies, so they spend enormous amounts of money on buying software solutions that somebody else built, that don't even come close to meeting 100% of their organization's business needs. Microsoft is big business, and as history has shown us in the past, anyone who can spend big will go to no end in squashing its competitors, especially if that competitor is a workforce capable of producing higher quality software for a fair wage.
Remember that the mere fact of being a Microsoft Partner does not make someone a Microsoft lackey. I own an IT company and we're a Microsoft Partner - this is an acknowledgment of the fact that almost all of our clients have significant deployments of Microsoft OS and application software, and that some of the line of business applications they use depend on Microsoft infrastructure.
Nevertheless, my company is an Open Source advocate, and we do all we can to encourage adoption of Linux and Open Source solutions where it's appropriate for our clients. We deploy websites using Joomla, and deploy a lot of apps that use the LAMP stack, and put an Untangle Internet gateway in our client sites.
To be sure, there are partners out there who practice pushing Microsoft to the exclusion of all others, but not everyone does that.
It's equally true that there are Open Source zealots for whom there is no middle ground - Linux and Free Software is more of a religious commitment for them.
Most of us, however, live in the real world of reasonableness and prudence, trying to find the best fit for a client without regard to ideology. We see ourselves as Open Source advocates, even evangelists, but we are also cognizant that doing business in today's world means supporting clients who are still dependent on Microsoft.
The only response to this sort of thing is a good hearty belly-laugh. When you finally calm down, you can point out the history of successful open-source Unix worms and viruses (one, the Morris worm which affected BSD among others), and the ongoing history of successful Windows worms and viruses (a recent Wall Street Journal should mention at least one).
This is a quote from Bruce Schneier and is related to cryptosystems, and the analogy is certainly valid for a good crypto algorithm like Rijndael (or whatever the spelling).
But both proprietary and open source software HARDLY provide THIS level of security. Security flaws are constantly being discovered everywhere; it's only that Microsoft is remarkably lazy in patching them.
The proper analogy would be putting the letter in a safe, choosing a good combination (if the admin is anywhere near competent), then putting the safe in a public place in the middle of New York for everyone to keep trying out combinations. The safe has a number of micro fractures that can be pried open if you know where they are.
The difference in quality between safe vendors is how fast they glue over the fractures as soon as they become known.
This is one of those peeves of mine that comes up almost daily.
Open Source means that the bad guys will find flaws and destroy you!!!
Actually, since one can safely assume that there are far more good people out there than bad, Open Source means that the flaws will be found and fixed before there's much damage.
This is surely better than the typical MS or Apple response to security issues, which is first to deny them, second to take eons to issue a patch, third to schedule patches months down the road so that new exploits are revealed and unleashed shortly after patch day.
Me? I'd say Open Source wins this, hands down. I'll take the "fixes in minutes" approach over the "we don't think it's broken, and if it is we'll let you know sometime in the next few months" approach.
cheers,
You could point out that the code is reviewed by many times more good people than bad, that you don't hear daily about exploits and viruses found for Linux, that patch management is a critical part of ANY OS... OR...
You could answer their claim by saying that "even Microsoft recognizes the importance, and the value, of OSS as they proudly proclaim on the Microsoft and Open Source website at http://www.microsoft.com/opensource/heroes/default.mspx ." That, at least to me, seems to be the best starting point for the argument.
That should disarm their argument and provide you with an opportunity to provide some REAL data on the subject, and (as an obvious bonus) make them look like the fools that they are.
"... Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
Simple.
Tell the customer to simply ask the FUD spreading mongrel this question:
"Sir/Ma'am, this software is open source. Please show me the portion of the code which exposes the vulnerability you are speaking of. Oh, you can't provide a specific example? Why not? After all, it IS open source. I'm sorry, if you are unable to read a computer program & ID the problem spot, why would I believe you even know what you are talking about?"
Or something similar.
When they called my business this is essentially what I asked the person, who promptly hung up on me.
Remember the CanSecWest contest?
http://it.slashdot.org/article.pl?sid=08/03/29/1414218&from=rss
This post is absolute garbage. First of all, you cannot blame Microsoft for something an MCP does. I am an MCP and I am not doing this. As a matter of fact, for the project I am on, I am architecting a solution using .NET 3.5, MVC Framework (a Microsoft open-source project), NHibernate (open source), and jQuery. The Microsoft MVC Framework embraces open source and actually includes jQuery (non-Microsoft).
The easiest way I'd see to get out of this is to remind people who got these calls that MS is essentially warning them against their (MS's) competition.
Once that fact sinks in, they'll likely be much less likely to swallow this kind of FUD - after all, would they trust Ford if a Ford dealer came to them and warned them against their Toyota ("it's foreign-made, everyone will be able to hack your car"), suggesting that they buy a Ford instead?
Chances are that most everyone would be able to see through that.
You cannot argue that either closed or open source is secure. Each project has a different security profile. You can have a highly secure open source product that's hardened against attack. You can have proprietary products that are also secure. However, security is a continual process. So which avenue do you want to bet on to deliver timely patches for newly discovered flaws?
Banks (all the major ones worldwide), oil companies (both in the service side and producers), education institutions, government agencies and uncountable private companies in many other industries.
None of them have gone through all the code at once for sure, but for example one company I know about found problems with the "top" utility, checked the code, fixed it, and the guy that found the problem was given permission to release the fix.
The same company found a major problem with a very important infrastructure service around 5 or 6 years ago. The software provider tried to help, but the only developer that really knew anything about the bit of code relevant to the problem was always too busy doing something else, so the client company had to redesign its whole regional infrastructure in order to accommodate for the shortcomings of the software.
If that company had had access to the code, it had enough money to hire 2 or 3 programmers full time for a couple of months in order to sort out the problem (it would have been cheaper).
This effect accumulates and benefits *everybody*; the benefits are based on user need rather than on the needs of a software provider.
IANAL but write like a drunk one.
Any company that is worried about security also probably gets audited from time to time. With this in mind, it's easy to make a *real* argument against these tactics (not the impotent "just laugh at them" arguments the rest of the posters here seem to favor). You simply explain to them that open source code is constantly getting audited, and can be audited by anyone and everyone who wants it. Companies inherently understand why audits are needed and what their purpose is. It's the same for open source software.
How do you know MS documents that well?
Unless you have worked there and seen their code you really don't know this, and if you do and are talking about it here, most likely you are breaking an NDA or similar gagging agreement. So which one is it?
Does everybody have access to MS code using the shared source programs? (let me answer: No).
As for mentioning leaked code in BitTorrent as an equivalent to properly open source code, well, I will not comment, the embarrassment is on you for even mentioning it.
IANAL but write like a drunk one.
This depends on the products your clients are using:
1) You might preface with a list of MS vulnerabilities in comparative products: (This should be easy to find on the net. Does not need to be recent.)
Do you use MySQL or Postgres? Make a brief paper of vulnerabilities against Access + MySQL
Linux (Core) vs MS Windows X, Y; Z
Office suite vs. Office suite(s)
2) Then you might want to prepare a (preliminary) cost estimate to convert to Microsoft Products. (Seat of pants will do.)
3) Estimate how much it will cost to prepare a "good" version of 1;2 above.
Go to the client meeting:
a) You understand your client's concerns with security, and are more than willing to work with them to address these concerns. ... looking at MS code is more profitable for bad guys, but hey ... you will get them the results they authorized expenditures for.
b) You have brought with you a comparison of known vulnerabilities between some relevant products, which will naturally show that your product is more secure (use total number of vulnerabilities found, average time from vuln found to patch, whatever makes it look good for you) - which you don't really want to discuss, since they are reprints from the net.
c) If they want to go to MS, you are willing to help them - you estimate it will cost $hardware+$oftware+$time, which may be a lot but security is worth it.
d) You have been a trusted IT advisor/implementor for years, and really want to address their concerns raised by this marketing tactic.
e) If they are willing to use open source code backed by Microsoft, and the NSA is willing to use OpenSource - you don't have concerns about it, at least with the products your clients are using - other open source products will have to be re$earched.
f) Exactly what are their concerns, and how much time (Money) would they like to have you spend researching it to create proper documentation to address exactly those concerns.
g) Obviously, you are not too concerned about the system security - or you would not have implemented it that way, without caveats up front.
h) If they are really concerned, they can cough up several thousand for penetration testing from $buddy-of-yours.
i) BTW, anyone can disassemble Microsoft's code with an open source disassembler as well.
j) You are always happy to meet with client$ to address their concerns.
d)
The community includes the likes of IBM, Sun, Red Hat, Cisco, Nokia and many others.
Anybody suggesting amateurism would be lying through their teeth.
IANAL but write like a drunk one.
Point them at the relative numbers of known security breaches, outstanding known security loopholes and relative times to patch, between IE and, say, Firefox.
Ditto the number of viruses and other security loopholes between Windows and Linux.
I run a consulting company, and frankly I would rather use open source, FreeBSD in particular, for all my clients, but some request Windows. If I get the same when I deploy Linux or BSD that I do with Windows, I don't care what I do as long as I get my money.
If you look at the complexity of Windows, and the simplicity of Unix you will notice why Windows has so many flaws and Unix does not. But to flame a company just because it has more holes than others is just ignorance. Some things Windows does better than both FreeBSD and Linux and that is being a popular OS.
I use FreeBSD as my workstation and Windows as a gaming box, I don't worry much about holes and try to enjoy the OS as much as I can, but I will not invest the 370 for Windows 7 this time. :)
Operating systems contribute to security, but they are just a part of the big picture.
I would say that the most secure NSA-custom operating system in the world in the hands of someone who knew little about how to use it was far less secure than the least-secure OS you can think of (say, MSDOS) skillfully deployed in a secure infrastructure.
I feel that the security of your company rests more on the experience of your IT management team than on any single hardware or software component.
If your team knows how to use Linux securely it easily trumps using any unfamiliar platform in a potentially insecure manner.
If I were microsoft I would tout that it is supposedly easier to hire and retain trained microsoft geeks than trained Linux geeks. To my mind, perhaps a more rational point and harder to argue back against.
Don't read this as a rant against MSDOS, for all I know it was tremendously secure, easy to assimilate, still somewhat familiar to many older IT staff and I doubt virus writers support it any more. So yeah - by all means migrate to MSDOS for the security benefits.
Nullius in verba
Okay, so maybe I should have qualified it with "when used correctly." Closed source won't protect you if your administrator password is "password" any more than openssl can protect you from using a 128 bit RSA key.
What I meant to say is more along the lines of "we invented our own crypto, and we can't give you the documentation for it because doing so would make it crackable," or generally "we depend on security through obscurity." But the point is taken.
Microsoft is full of hot air, and it's easily demonstrable.
It seems, that people know that programs are made of code, which is then transformed to an executable form "somehow". But not that this executable form is just another form of code. And just as easy to change. You only have to know a different language... to do a different thing. That's all.
We, the community of experts, should make it perfectly clear when others are asking, in interviews, articles, and so on, that computers *only* accept plain code commands, that everyone can change. And that these commands are just another programming language. Nothing special. Especially nothing protected.
I will make this clear to my friends from now on.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Them: "I'm worried about BLANK."
You: "Don't you worry about BLANK; let me worry about BLANK."
or
You: "BLANK? BLANK!?! You're not looking at the big picture!"
I remember going to a Microsoft conference a few years back and being given marketing material on "Get the Facts", which is a website, http://microsoft.com/getthefacts, hosting 3rd party case studies in favour of Microsoft technology over Linux. I made a lot of my friends laugh at them simply by telling them this website existed, and I gladly gave them the promotional material as a gift =)
Microsoft loses a lot of credibility by only presenting this one side of the story, and as long as they deny that alternatives have their advantages in specific scenarios nobody will take them seriously. It's a shame, cause I personally love most Microsoft products, but such practices make me wanna make fun of them.
In the open source world... you're bleeding edge. That means sometimes you get cut... but the overwhelming majority of the time, you're ahead of the curve. In the closed-source Windows world, you are never ahead of the curve... meaning the malware/hackers that are will always have the advantage over closed-source software with fixed update intervals.
I was explaining the pros and cons of using OpenVPN for an end-user "dial-up" SSL VPN, or using the Juniper SA 2500, to my boss the other day. One of the questions that came up: "Do you think OpenVPN is safe, even though it is open source?" The thing you have to understand is that we based our product line on Linux. CentOS, to be exact. This question left me a little dumbfounded and frankly a little pissed off. Open source is secure because everyone (read: the community involved in producing the software) can read the code and remove bugs and security holes, right??? I thought about it for a few days and did a little research into why this attitude has crept in among the higher-ups. Aside from the perceived lack of a business model, why would these guys feel this way about open source? I eventually formulated this response: it depends. Depending on the specific project, the number of developers in the community, code security review practices on the source itself, and market penetration of the product, an open source project can be the pinnacle of secure source, or it can be the worst. Firefox? I would bet my reputation on it. phpBB? We've all been bitten by this one. OpenSSL? Absolutely. OpenVPN? Maybe. OSS is not entirely secure simply because it is open.
with nuts big enough to have 'frank and candid discussions' with those Certified Microsoft Professionals and then doggedly climb on up the chain of lies.
If you want guaranteed security, Microsoft is not for you.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Just get Congress to declare a bounty on the MS Sales & Marketing folk as part of the economic stimulus package!
There are some great comments on this issue here. Someone should combine them into a nice easy-to-read one to two page document and post it here.
I didn't see anyone posting a link to such a document.
I would simply advise them that security is much like an onion: it is the sum of all its layers that makes a network truly secure. I would explain to them that this is how you protect the systems, from the starting lines with routers and firewalls as well as other network things such as VLANs, and then more internal things such as antivirus and anti-malware and email/website filtering. A person has to be able to get into the systems via physically getting on the premises or exploiting a vulnerability. With proper network design and proper patching, the threat can be almost entirely eliminated in many cases (never 100% for anyone).
Just cause Windows is closed source does not make a Windows network more secure. In fact, Windows' biggest weakness is its popularity, and exploits do get found, and when they do it can be bad due to the large install base, but Windows has a healthy patch response time record. Open source isn't really better per se, other than via obscurity (some is better than Windows, some is worse), and issues generally get fixed quickly, but there is so much control and so many options that these issues can easily be worked around when they do occur. But the bottom line is most issues result from negligence to patch, and that is both open and closed source. Most websites out there on the web are running on a Unix-derived open source OS, so I think that says something.
These people you work for...they are simple minded. All you have to do is print out a list of Linux malware, and then print out a list of Windows malware. Place both stacks (well, the sheet of paper that says Linux and the stack that says Windows) next to each other in front of them, explain what each stack is, and then ask them "Which one seems more secure to you?"
Don't take life so seriously. No one makes it out alive.
There is one area in security where MS Windows products fail compared to Linux and that is the exposed surface area for attacks.
Linux: One of the big advantages that Linux has over Windows is that each distribution and most installations are so unique. Due to differences in defaults and installation choices, there are huge differences in the configuration of one Linux server to the next. Most Linux server installations I have been exposed to do not install any type of GUI. Some are Red Hat, some SUSE, some Debian, some Ubuntu, some are custom purpose distributions such as IPCop or SmoothWall firewalls. Some have SSH clients installed, some have iptables firewalls, some don't. If they have a web server, it might be Apache, but it could also be lighttpd. Databases that the application servers connect to could be MySQL or PostgreSQL or Oracle. If they have a mail server they may have sendmail or maybe postfix installed. They could be running a 2.6.8 kernel, or 2.6.18, or 2.6.24, or 2.4.32, etc. There is no "typical" Linux installation.
Windows: On the other hand, Windows will almost always (nice feature in 2008 to install without it) have a GUI installed. If they are running an HTTP server it is most likely IIS. If you are running a mail server you can almost guarantee that it will be Exchange. Back end databases are almost always SQLServer or Oracle. You can also bet 50% or more are not patched up to date because the services provided by those servers are not in a cluster or behind a sprayer so the admins can't afford the downtime associated with the patch.
The main point is this. In the security realm, the larger the defined attack surface, the more likely you are to be able to use one avenue to exploit and therefore compromise the server(s). Because of the wide differences in Linux distributions, and the fact that there is no "default" e-mail server, GUI, window manager, scripting language, firewall settings, etc. that are common among all Linux installations, a given attack or exploit will work on only a small percentage of Linux servers.
Compare that to Windows, where all servers are essentially configured identically within each release (Windows 2000, Windows 2003, ....). If they have a GUI installed it is the Windows GUI; it will have IE installed, it will have the Windows firewall, it will have .NET support installed, etc. This makes it much easier to exploit the server, because you have a large variety of services that are all identical running on every machine.
So if you exploit an IIS vulnerability you can compromise the server running Windows. If you exploit an Apache vulnerability you may not be able to do anything on a Linux box, because the Apache instance could be run in a chroot jail, or with SELinux or Bastille Linux configured.
The variety of products and distributions in Linux, while a little challenging from a SysAdmin standpoint at times, is actually an inadvertent security feature. Windows uniformity is helpful to Windows consultants and system admins, but makes for an easier to exploit product.
My two cents worth...
Check this out: http://tech.slashdot.org/article.pl?sid=09/02/11/160202 :(
There are some pretty good user comments there, explaining that sendmail also had critical remotely exploitable vulnerabilities, but, because it was open source, the bugs were quickly fixed and it was easy, fast and safe to update, whereas it's not always safe to update Windows, because the DLL hell can get a lot hotter, and Windows updates always come after the software, which is rarely updated to work along with the new Windows patches. OTOH, open source is usually maintained in a different manner, so when someone updates something, it's easy for everyone to see when, where and WHAT exactly has changed so that they may change their software accordingly. This is not possible with Windows, unfortunately.
~T~
download.microsoft.com - linux
search.microsoft.com - linux
vista.gallery.microsoft.com - linux
MS wouldn't let associate sites use non-Windows, would they?
"She's furniture with a pulse"
Focus on the key element here. These are sales droids trying to create a market. People buy from people; it's the oldest sales and marketing truth in what is a very thin book on sales truths.
Explain to each and every client that's getting this nonsense why your proposition is better for them than the Microsoft proposition. Sell the sizzle, not the steak.
I have sold IT products, software, services, temporary employment services, you name it, b2c and b2b, and it's the one adage and truth that does not change. Keep 'em tight, give them value add, and not just your products, but what's good for their business. You have to become the invisible employee. When you achieve that, you can't be dislodged, even if Microsoft started giving away their services.
In Texas, the DTPA allows consumers (that's you, if your business has $25M assets) to file claims for things like this. If the Microsoft reps are making hard statements like "You are more vulnerable with open source" you can probably nail them. Other states probably have similar laws preventing sellers from making such bogus claims to sell product. And remember, friends, you may also be able to sue the Microsoft rep in their personal capacity.
Say you were given the task of live-testing bullet-proof vests from two manufacturers. One gives you full access to vest design, construction and material specs, the other tells you that you just have to trust him, the vest is safe. Which vest would you choose for the live-test ?
It's really thorough documentation that tells the compiler how to make the machine code for the software.
But the compiled software is machine readable too or it wouldn't run. The physical machine requires code in its own well documented format. Naturally this means that closed source is only less convenient to reverse engineer, not impossible. Relying on this inconvenience for security is not Best Practice. It doesn't make your computer more secure any more than the practice of restricting maintenance manuals keeps thieves from stealing your car.
Help stamp out iliturcy.
"Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
If you don't personally know of any reliable source of information that can be used to inform customers that the software is secure, why are you making the claim?
Practice this line: "While Windows would tell you that we are more vulnerable, I have to point out that it is susceptible to over 60,000 viruses, while there are only 40 known Linux viruses. Further, a Windows user has to update critical system patches as often as twice a month, whereas my Linux system might need an update once. Ever. Instead they create a better version biannually."
Checkpoint Firewalls are run by 100% of the Fortune 500 companies, as well as most first-world police and military installations. Checkpoint Secure Platform, the OS for its flagship products such as VSX, is a Red Hat derivative. Summary: The world's premier military and corporate firewalls run on Red Hat Linux. Open source for the win. Nuff said.
One point that tends to get glossed over in this debate is that OSS is not inherently more secure than closed source. Microsoft has a point that it is much easier to find and exploit a vulnerability when you have the source to look at. What they neglect to mention is that it is also easier and quicker to patch said vulnerability, if found by the right people.
That being said, I'll now turn my attention to the "track record" crowd. All software beyond "hello world" has vulnerabilities that are discovered and exploited or (eventually? hopefully?) patched, or possibly that go unnoticed throughout the product's entire life cycle. This is true for Operating Systems such as Windows and (gasp) linux, all the way down to word processors, spreadsheet applications, and even your little desktop calculator. Just because linux doesn't become compromised does not mean that it can't. The people who want to compromise your computer want to do so for some sort of personal gain, even if it's just to say "I can." That gain, whatever it may be, is proportional to how many machines / systems / networks the individual is able to compromise. Hence, a devastating majority of viruses, etc. target Windows exclusively, since it is the market-dominating platform.
I have been a linux guy for 5 years now. I, unlike many of my ilk, hope that Linux never overcomes Windows in the market, merely for the reason above.
The problem with closed source is that developers can get away with insecure designs. That may lead to a company culture of not striving for security.
Also, closed source enables the bosses to decide against fixing a flaw.
People are more inclined to take shortcuts if nobody's watching them.
Flaws and secrets have a tendency to bubble to the surface with time, so security-by-obscurity only gets you so far.
From the OP:
"I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause?"
Maybe by, well, restricting access to the source code? The claims are completely true- there is absolutely NOTHING to prevent a hacker from going through the Linux source code and finding undocumented exploits.
So your question really becomes... how does one combat the truth?
But let's talk realistically. Your network is only as protected as your firewalls and network design. You are going to want a firewall between your servers and the internet (a "best" design wouldn't even connect to the internet, but that isnt always possible)... and ALSO between your servers and the internal user network.
So long as your firewalls are not compromised, and your network design is protecting your servers... it doesn't matter what OS your servers run. They can be running Windows for Workgroups for all anyone cares, and still be perfectly safe so long as network access is restricted. With some of the new routers, it's even possible to isolate your servers from EACH OTHER... which is more secure than most network security designers even dreamed of in the past: each server can be in its own little space.
So in that respect, your answer is that the Linux servers are just as vulnerable as any of their servers.
... because 'anyone can read the code and hack you with ease.'
How about:
Open source has nothing to hide and so welcomes scrutiny of the code. If MS is so confident of their product, why don't they open-source it as well? If it's so well-designed as they claim, then it shouldn't matter if we can inspect because they won't find anything.
Cisco - ASA - Based on Linux
A10 - Loadbalancer/Firewall - Has Linux
Coyote Point - Loadbalancer - *BSD
Isilon - FreeBSD
Juniper's JunOS - FreeBSD
NetApp - FreeBSD
Force10 - NetBSD
Of course open source software is secure BECAUSE everyone can read it, but for those who may not understand the link, here's my take on it.
Open source software is created and maintained by Geeks. Geeks love attention. Being geeks, the way they get attention is by posting messages online about the little discoveries they've made. If there is a security flaw in a piece of open source software, it's extremely likely that some geek will discover it, and the first thing he's going to do is brag about it, informing the whole world that he has found a problem. Then some other geek will promptly fix the problem, so he can brag about that.
This is not to say the occasional geek won't exploit a problem, but typically by the time the exploiter is off the ground, the fix is already in the works.
On the other hand are the Scoundrels. Scoundrels have something to hide. Other scoundrels have sneaky ways of finding out what is hidden, and using it in nasty ways. Scoundrels lie and say that their way is more secure (lie) because no one can see what's inside (lie).
And then there are the Clueless who fall prey to the Scoundrels. Geeks would like to rescue them from the lies of Scoundrels but typically lack the communication and persuasive skills required to sell the truth to the Clueless, who find comfort in lies.
I'm sick of hearing about these events, like this fellow's dilemma. Why? Because there is no follow up. When this guy actually comes around to saying what happened and what advice he took, how do we know?
The MS folks are saying, "If the bad guys can see the source code, they can find a vulnerability." Of course this is only true if there's a vulnerability to be found. But I think to the non-technical, it can sound like "If the bad guys can see the source code, they can create a vulnerability." It certainly seems that this misunderstanding is being exploited.
The "Ping O' Death" was a glitch that affected a lot of operating systems-- every single UNIX-like, Mac System 7, Windows 95, Netware, DOS, and others. Even embedded devices like routers, scanners, and printers were susceptible. Basically, if you sent an IP address a "ping" packet that was larger than the legal size, whoever had that IP address would experience anything from a graceful reboot to an instant kernel panic or BSOD. There was a patch available for Linux only 2 hours, 35 minutes, and 10 seconds after an alert was posted to the mailing list. It took months for Microsloth to get its act together and fix the bug. During that time, pranksters had endless fun crashing computers with the click of a button. http://insecure.org/sploits/ping-o-death.html
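The bug described above was an IP fragment reassembly problem: a final fragment whose offset plus length exceeded the 65535-byte limit of the 16-bit total-length field. As an added example that is not part of the thread or of any vendor's code, here is a small IPv4 fragment reassembler in Python that applies the defensive check a patched stack needs (reject any fragment whose end would overrun the maximum datagram size); all packets are constructed inline and the function names are our own.

```python
import struct

# A 16-bit total length covers header plus payload, so reassembled
# payload can never legitimately exceed 65535 minus a minimal 20-byte header.
IPV4_MAX_PAYLOAD = 65535 - 20


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header and return the fields we need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "mf": bool(flags_frag & 0x2000),       # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset, in bytes
        "proto": proto,
        "payload": pkt[ihl:total_len],
    }


def build_fragment(ident: int, offset: int, mf: bool, payload: bytes,
                   proto: int = 1) -> bytes:
    """Construct an IPv4 fragment for testing (checksum left as zero)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


class Reassembler:
    """Collect fragments per datagram id and refuse oversized datagrams."""

    def __init__(self):
        self._pending = {}  # id -> {"frags": {offset: payload}, "total": int|None}

    def feed(self, pkt: bytes):
        """Return ("drop", reason), ("pending", None) or ("ok", payload)."""
        f = parse_ipv4(pkt)
        end = f["offset"] + len(f["payload"])
        # The Ping O' Death condition: this single fragment would push the
        # reassembled datagram past what a 16-bit length can describe.
        # An unpatched stack trusted the offset and overran its buffer.
        if end > IPV4_MAX_PAYLOAD:
            self._pending.pop(f["id"], None)
            return ("drop", f"fragment ends at byte {end} > {IPV4_MAX_PAYLOAD}")
        state = self._pending.setdefault(f["id"], {"frags": {}, "total": None})
        state["frags"][f["offset"]] = f["payload"]
        if not f["mf"]:
            state["total"] = end          # last fragment fixes the total size
        if state["total"] is None:
            return ("pending", None)
        # Walk the fragments in offset order; any gap means keep waiting.
        assembled, cursor = bytearray(), 0
        for off in sorted(state["frags"]):
            if off > cursor:
                return ("pending", None)
            piece = state["frags"][off]
            assembled += piece[cursor - off:]   # skip bytes already covered
            cursor = max(cursor, off + len(piece))
        if cursor < state["total"]:
            return ("pending", None)
        del self._pending[f["id"]]
        return ("ok", bytes(assembled[:state["total"]]))


def demo():
    """Constructed sample: a legitimate two-fragment ping and an oversized one."""
    r = Reassembler()
    good = [build_fragment(1, 0, True, b"A" * 1480),
            build_fragment(1, 1480, False, b"B" * 20)]
    good_results = [r.feed(p) for p in good]
    # Offset 65528 plus 100 bytes of payload: the datagram would be 65628 bytes.
    bad_result = r.feed(build_fragment(2, 65528, False, b"C" * 100))
    return good_results, bad_result


if __name__ == "__main__":
    print(demo())
```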
This is not about FLOSS or Closed source software being insecure or secure.
This is about MS's strategy of making money from customers' innocence and ignorance.
FLOSS advocates should hire services of able politicians to counter the FUD.
You don't need to *argue* anything. Ask what concerns your customers have as a result of this knowledge. Then address each of those points.
Don't assume you know what is going through your clients' minds...ASK!
Because you are their vendor, and a phone call comes in from J. Random MS Vendor trying to sell them something, they may ask you questions about it because you are their hired expert. Answer them truthfully and honestly. Chances are, the MCP rep won't have a chance because he's cold-calling and you have an established relationship.
Client: This MCP rep said his product was cheaper and has a higher ROI.
You: Of course he would say that; he's a salesman. Did he explain how his product was cheaper?
Client: Well, he said the lower cost of maintenance over the lifespan of the product made it cheaper.
You: I'm sure. If you can clarify his specific statements, I'll be happy to go over them one by one and demonstrate why I think I offer a better value and a higher ROI.
Client: He also said his product was more secure.
You: Of course. There are many competing viewpoints on that. But what were his specifics on this? I would like to demonstrate how the security is in my favor, despite his warnings to the contrary...starting with the security of the servers I maintain for you! After all, I know your servers inside and out and how you use them. While the salesman knows he has a product to sell, and thinks you'll pay for it without the benefit of your prior experience with my product.
And so on. FUD is nothing new and wasn't invented by Microsoft. Ignore the geeks saying "tell him this, tell her that." Listen to your clients' questions and treat them as such. You're there to provide a service to your client. The moment you stop doing that will open the door to any other salesman who calls.
do you know anyone trustworthy with access to MS code who could do a compilation of it resulting in binaries identical to the ones found on distribution media?
Who told you that OSS is less safe than closed source?
A representative of a company who wants to sell!
MS is known to have used a business tactic known as Fear, Uncertainty and Disorientation.
Facts are:
MS source code can be obtained by Hackers/Crackers through illegitimate channels - the availability of source code is not an argument.
Thousands of experts monitor OSS source code, and vulnerabilities are discussed in the open. Hackers who recognize vulnerabilities in MS source code do not publish them, but write exploits!
The number of successful attacks on MS and other closed source products in comparison to OSS products speaks for itself.
Average workload per machine for remediation of exploitation (malware removal) at a company running 5000 PCs was 20 man-hours per Windows machine and 0.01 hours per Linux machine.
You can offer security tests and penetration tests to your customer!
The largest institutions and companies where security is an issue use Linux
Contraindications - or failures of MS installations in the media:
Well, which would YOU think is more secure? On the one hand, you have a system whose source code is secret and closed. It is maintained by a handful of people who must work on all of the security flaws. They have even stated that there are flaws they simply will NEVER fix. Meanwhile that OS is run on many systems and is the target of most of the known attacks. Most people run it as administrator just to get anything done, making it MORE vulnerable. Or the Open Source system. The code is freely available to look at by anyone, so anyone with the knowledge can check it for security flaws, or suggest fixes. No flaw is overlooked or ignored, because the support base is so much larger. There are almost zero viruses written to attack it, because they simply don't work, and those that do exist depend on the user to execute them. No one runs as administrator except the actual administrator, and then only when he needs to make changes! Besides, in testing, time after time, the Open Source solutions have proven to be more secure and harder to hack.
The only real way to measure real safety/security is with real numbers of how things actually work in the field. You can't deduce security. The only way to know how secure something is, is to measure the break-in rate. One important thing to understand about break-ins is that most are a result of end-user mistakes. The main tool the U.S. and Britain used to break Enigma during WWII was their knowledge that all German transmissions ended with the same phrase. The British used brute force decoding: they simply tried every encoding sequence until they got one that decoded the last phrase to the content they knew it had. Operator error! The most common Windows and Linux attacks STILL rely on operator error.
That's an interesting claim.
I was talking to a Microsoft employee last night.
He told me that he never saw a linux installation and he wouldn't even know what the screen looked like.
There is a bit of a credibility issue here I think.
I've had no end of problems with Windows security myself. On the other hand my Linux computers have given no headache.
So I think they're out of line here.
The fact that open source code is looked at by thousands of programmers (and yes, hackers) is what makes it so secure! Bugs are found and fixed quickly before exploits gain wide distribution. Now, whether you apply those patches or not is another thing entirely.
Seems like a long time ago I heard that Redmond was using Linux boxes to protect their servers. I would just laugh at their accusations as though they are the "I am Windows" guy on the Mac commercial.
I would remind them who is the OS that has all the problems with Viruses and Malware. Ask them how many times have they had to reformat their home computer because XP got a virus.
I've worked in security for a long time, and have yet to subscribe to the idea: security = endless patching
There is a lot of software which is inherently secure, and a lot of software which can _never_ be secure.
It also does not apply to all cases where software cannot be changed after deployment.
The most important metrics here seem to be: what the software is trying to do, and how many man hours are spent on each line.
If the software is trying to implement an insecure protocol, then no amount of patching will ever make that software secure.
In general, if you're trying to add pre-emptive security, then there's a good chance the whole solution may be flawed by design.
By pre-emptive security I mean blacklists of any kind. (antivirus, network addresses, memory diagnostics, certain types of input sanitizing)
Also, if you see the need of severely crippling the functionality of your software, it may also be a sign of a design flaw.
The problem with pre-emptive security is that there is obviously no way to pre-empt an unknown threat.
And when the threats are known, sooner or later your blacklists will begin to contain valid use-cases, therefore crippling the functionality of the whole solution, or even worse, your software keeps working as intended, but now contains famous security issues.
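Added example, not code from the post: the two failure modes of blacklist ("pre-emptive") input sanitizing described above, beside an allowlist check that has neither. The scenario is constructed for illustration (a web app that accepts a hostname and passes it to a ping command); blacklist_sanitize(), naive_shell_command(), allowlist_hostname(), build_ping_argv() and the two blacklist versions are names and values chosen here.

```python
"""Blacklist ("pre-emptive") input filtering beside an allowlist check.

Added example, not code from the post. Scenario, constructed for
illustration: a web app accepts a hostname and passes it to a diagnostic
ping command. Every name below is chosen here for the example.
"""
import re
from typing import FrozenSet, List

# Version 1: the shell metacharacters the author happened to think of.
BLACKLIST_V1 = frozenset(";&|`$<>")
# Version 2: after learning that a newline also separates commands and that a
# leading "-" injects ping options, the list grows. Hyphens are now banned,
# so legitimate hostnames start getting mangled (the "valid use-cases" problem).
BLACKLIST_V2 = BLACKLIST_V1 | frozenset("\n\r-")


def blacklist_sanitize(value: str, banned: FrozenSet[str] = BLACKLIST_V1) -> str:
    """Strip known-bad characters. Anything not on the list passes untouched,
    which is the "unknown threat" problem: the list can only name what is known."""
    return "".join(ch for ch in value if ch not in banned)


def naive_shell_command(host: str) -> str:
    """The string a careless caller would hand to sh -c. Included only to make
    the bypass concrete; never build commands this way."""
    return "ping -c 1 " + host


# Allowlist: the grammar of a hostname (RFC 1123 labels), nothing else.
# \Z rather than $ so a trailing newline cannot slip past the end anchor.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){_LABEL}(?:\.{_LABEL})*")


def allowlist_hostname(value: str) -> str:
    """Accept only strings that are hostnames; reject everything else.
    Hyphens inside labels stay legal, newlines and leading dashes never were."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"not a hostname: {value!r}")
    return value


def build_ping_argv(host: str) -> List[str]:
    """Pass the validated value as a single argv element with no shell in
    between, so even a future grammar mistake cannot become command injection."""
    return ["ping", "-c", "1", allowlist_hostname(host)]


if __name__ == "__main__":
    evil = "example.com\nid"                  # constructed attacker input
    print(repr(naive_shell_command(blacklist_sanitize(evil))))        # bypass
    print(blacklist_sanitize("my-host.example.com", BLACKLIST_V2))    # mangled
    print(build_ping_argv("my-host.example.com"))                     # accepted
```

The blacklist never converges: each fix adds a character, and each added character eventually collides with legitimate input. The allowlist is written once from the definition of what the field is supposed to hold, so it rejects the newline bypass on day one and still accepts the hyphenated hostname.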
Let them see for themselves. Tell them to hire one of the MS partners to come and convert their systems to MS products. Ask them to get a money back guarantee in writing (which is essentially what they seem to be asking from you for their OSS systems). If they won't give them that, it ought to tell them something. If they do, tell them if they have any regrets later you'll be there to move them back (for a fee, of course).
You can bet that MS is probably involved. Kind of like how they gave some money to SCO via VC company. MS cannot stop OSS because a lot of MS partners are already starting to use OSS. I belong to a few MS UG's and they are actually demonstrating Linux and OSS software at their meetings. Microsoft's only real strength is on the client OS.