How To Argue That Open Source Software Is Secure?
Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
If it's good enough for the NSA, it's good enough for you.
Eh. Two of the three ads served on this page since I first viewed it are Microsoft ads.
;)
Never understood why people didn't like KDawson, but approving articles from known professional trolls with links to Twitter (not to mention the fact that other Slashdot admins post Twitter's articles) smells funny. There's always a market in people you love to hate.
Actually, it's not true.
You should read this article http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357
Microsoft did use code from BSD, but it was licensed from UCB (via Spider Software) and predates the first open source versions of BSD's network stack, as evidenced by the copyright dates. And the Windows network stack is not based on it anymore.
If you need web hosting, you could do worse than here
Did you ever monitor a project mailing list? I'm constantly amazed at the nit-picky details that must be addressed before a patch is accepted. The submitter is held to an incredibly high standard.
I've worked in a commercial outfit, and if it worked, we shipped.
The quality control that a patch goes through, the ruthless dissection of programming style, usefulness, and clarity is something I've never seen in a commercial environment.
http://www.sans.org/top20/#z1
The critical flaws that were reported this year in Office products:
* Microsoft Excel Remote Code Execution (MS07-002)
* Microsoft Outlook Remote Code Execution (MS07-003)
* Microsoft Word Remote Code Execution (MS07-014)
* Microsoft Office Remote Code Execution (MS07-015)
* Microsoft Excel Remote Code Execution (MS07-023)
* Microsoft Word Remote Code Execution (MS07-024)
* Microsoft Office Remote Code Execution (MS07-025)
* Microsoft Outlook Express and Windows Mail (MS07-034)
* Microsoft Excel Remote Code Execution (MS07-036)
* Microsoft Excel Remote Code Execution (MS07-044)
* Adobe Reader and Acrobat Remote Code Execution (APSB07-18)
* Adobe Reader and Acrobat Cross Site Scripting (APSA07-01)
C2.2 Operating Systems Affected
Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista, MacOS X are all vulnerable depending on the version of Office software installed.
While all operating systems are affected...
Linux has two mentions on the entire page while other operating systems just go on and on and on.
With open source, MANY eyes are looking at it, finding problems and fixing them.
With closed source, FEW eyes are looking at it -- they are probably only focused on bugs and enhancements that will return new revenue, and may remain unaware of exploits for long periods of time. For example, some zero-day flaws get extensive script libraries written to take advantage of them before they are discovered.
Hackers, the real ones (who are very few), can see the Windows assembler and C code via disassemblers and debuggers anyway.
At least some of them probably have access to Windows code. (It's not really that secret: several companies have copies of the code, including China, which is known to launch cyber attacks against Windows computers.)
---
However, from Dale Carnegie, remember people decide with their emotions and then fit the facts to that.
You need to argue emotionally: "Linux is safe because people really care about it and work hard to make it secure -- it's not just 'a job' that some jaded corporate programmer is phoning in."
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
DHS - linux
FBI - linux
Navy - linux
Air Force - linux
Wonder why those agencies are using such an "unsecure" platform...?
The argument that "anyone can read the code and hack you with ease" is false. To win the argument, one must explain the relationship between a _cypher_ (implemented in a program) and a _key_ (generated by a program). Secure programs are written such that even their *authors* can not hack them. The reason is that these programs do not directly provide security. Instead, for example, they may help users generate unique digital keys. It is the combination of this digital key and the program itself (i.e. the cypher) that provides security. Reading the source code will _not_ give the reader the key required to breach someone's privacy, especially if the program is good and can produce trillions of different and complex keys, each of which takes a long time to test. Conversely, closed source programs are generally scrutinised by far fewer people, and as such they are generally less able to perform with the same speed, efficiency and reliability as their open source alternatives, including the security-related programs described above.
Since 2004 the source code for Windows has been available for $20 on blackhat websites. So it's available for scrutiny by a very select few, since possession is criminal.
Also, Microsoft regularly allows universities and governments to look at windows source code under NDA.
Plus, Bill Gates testified under oath that it would be a security calamity for windows source code to be released into the wild.
Strangely enough, that hasn't happened with Linux & OpenBSD.
"...[systems] that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security."
Prove, document, and send your customers exactly that. None of my customers give a rat's ass about philosophy; they care about the bang for the buck.
If you can clearly point out to your customers that:
1. The sales calls they're getting are SALES CALLS. Your customers will realize that the salesman will spin things so that they buy his kit. That spin may not be accurate or apply to them.
2. Uptime of your systems in a given time period.
3. Cost of your systems/services over that time period.
4. Be honest, unplanned downtime in the same time frame for your systems/services.
5. Distill all of that to brief bullets or an executive summary paragraph.
6. Follow on with a request for feedback. You strive to provide the best service to your customers, make sure that they're happy.
7. Double check all of your numbers before sending, assume it will be shown to the sales people from other companies. CYA.
Waffling on about philosophy and visibility of code and yadda yadda is all well and good, but the person cutting the cheques does.not.care. What they do care about is ROI and cost/benefit. They care about your track record of performance.
It is true - the GP said they used BSD licensed code and the source you cite agrees:
Furthermore, I think the GP was thinking of the BSD licensed zlib. This library had a security issue several years back. Linux / BSD / etc were patched almost immediately (just update a single library), but MS products, including DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, were not patched as quickly.
My picks.
If I were in that situation, I'd cite:
Cisco - ASA - Based on Linux
A10 - Loadbalancer/Firewall - Has Linux
Coyote Point - Loadbalancer - *BSD
And I'm sure several others.
If open source is good enough for Cisco to use for Firewalls that you'd need to secure your network, you'd think it's secure enough for the common man?
Any references where Windows was used for firewalls to secure the rest of the network?
I'm not sure if I'd take the combative approach but the point is that even if you went 'proprietary' and wiped out all open source servers, put windows on 'em - what would you put in front to firewall them? Another windows box? Or a Cisco ASA? So, did you really get rid of Open Source?
You seem to be a bit trolling, but you're an interesting troll, so let's go ahead :-)
It's very clear that different parts of open source have different standards of review. Whilst the Debian SSL situation is bad to terrible (I had just installed my home web server on Debian for an experiment; I was not pleased!), it was discovered only due to the source being open. It's known that actual deliberate attempts to put back doors into the Linux kernel have been thwarted. By choosing properly supported, stable, well-audited parts of Linux there can really be a benefit. Personally I would strongly recommend Red Hat. I was impressed that their distribution wasn't actually compromised during the recent attacks on their signing infrastructure. It showed a real commitment to defense in depth to a level which surprised me.
Even the compiler attack you mention has now been countered (see also Schneier's interesting discussion of double compilation). I'm surprised you don't mention it when discussing a 1980s paper (which is why I wonder about the trolling bit). This means that it really is possible to leverage the benefit of "open source" for better security.
I'd take a slightly different moral; you should have layered trust. More for Linux; less for Apache; little for OpenOffice; very little for random Linux games; none for closed source software. Use SELinux to partition your software (if your OS doesn't support SELinux then change it :-). If you care about security then insist on source and actually pay for some parts of source-level audits.
A key "talking point" in this discussion would be why the Chinese insisted on having Windows source whilst commercial customers don't get it. Discuss whether your company has any Chinese competitors. Seriously consider switching off a system which gives those competitors a benefit you don't have (sometimes Chinese competitors seem indistinguishable from the government). If they insist on source then so should you.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Well there's an old quote you could pull out.
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -and you still can't open the safe and read the letter - that's security.
This might be a way to explain it to your clients.
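As an added illustration of the cypher/key argument made earlier in the thread and of the safe analogy above (example code written for this page, not from any poster): a scheme whose only secret is its algorithm falls to anyone who reads the source, while a scheme whose algorithm is fully public keeps its secret in a per-user key that the source never contains. The keyed scheme uses the standard library's HMAC-SHA256 as a keystream generator and is assumed here purely as a teaching construction.

```python
import hashlib
import hmac
import os

# "Obscurity" scheme: no key, the algorithm itself is the only secret.
# Anyone who reads this source can decrypt every message it ever produced.
OBSCURE_PAD = b"\x5a\x13\x77\x2c"  # constructed, hard-coded "secret"

def obscure_encrypt(data: bytes) -> bytes:
    # XOR with a fixed pad; applying it twice recovers the plaintext
    return bytes(b ^ OBSCURE_PAD[i % len(OBSCURE_PAD)] for i, b in enumerate(data))

# Kerckhoffs-style scheme: the algorithm is fully public; only the key is secret.
# Keystream block i = HMAC-SHA256(key, nonce || i); plaintext is XORed with it.
# (Confidentiality-only toy for the argument; real systems use a vetted AEAD.)
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def keyed_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))

keyed_decrypt = keyed_encrypt  # XOR with the same keystream undoes it

def brute_force_years(key_bits: int, trials_per_second: float) -> float:
    """Expected exhaustive-search time: half the keyspace at the given rate."""
    return 2 ** (key_bits - 1) / trials_per_second / (365.25 * 24 * 3600)

def demo() -> dict:
    msg = b"quarterly figures (constructed sample message)"
    # Obscurity scheme: the reader of the source needs no key at all.
    recovered_without_key = obscure_encrypt(obscure_encrypt(msg))
    # Keyed scheme: the key is generated per user and never appears in the source.
    key, nonce = os.urandom(32), os.urandom(16)
    ct = keyed_encrypt(key, nonce, msg)
    return {
        "obscurity_broken_by_reading_source": recovered_without_key == msg,
        "keyed_roundtrip_ok": keyed_decrypt(key, nonce, ct) == msg,
        "wrong_key_fails": keyed_decrypt(os.urandom(32), nonce, ct) != msg,
        "years_32bit_key_at_1e12_per_s": brute_force_years(32, 1e12),
        "years_256bit_key_at_1e12_per_s": brute_force_years(256, 1e12),
    }
```

Calling demo() shows the obscurity scheme broken with no key, the keyed scheme surviving a wrong key, and the brute-force estimate jumping from a fraction of a second for a 32-bit key to far beyond any practical horizon for a 256-bit one.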
That's also being disinformed - Microsoft itself is ENDORSING AND FUNDING open source!
Just put the phrase "Microsoft funding apache" in any web search engine. It was on Slashdot a few weeks ago anyway. And show that to your customers. MS's MCPs are saying that Apache is insecure? Well, Microsoft is funding it and saying that it's good, so it looks like those MCPs know crap even about things Microsoft has an official say in, and they shouldn't be trusted in those matters, or probably in any matters.
This is Slashdot. Common sense is futile. You will be modded down.
I'm still waiting for a Debian security update to break anything.
OpenSSL?
Couldn't they keep releasing patches as holes were discovered and simply provide the means for their clients to decide when to install them at their discretion?
Yes, that's how it always worked, and still does.
You seem to be suggesting that at one point Microsoft would 'force' (somehow) customers to apply the patch. This has never been the case and doesn't even make sense.
The piece you're missing is that once MS releases a patch, the black hats reverse engineer the patches, and within a few days to a week can have a working exploit in the wild.
So in the real world, exploits for a patch necessarily follow the release of that patch by a few days to a week.
In that situation (which describes the real world situation) it's much better to lump them all together and do them once per month.
The exception is when there are active exploits going on in the wild already. At that point, there's no downside to releasing the patch.
"They used to release as they patched, but that was even more problematic"
Translation: Admins were sick and tired of rebooting servers on a daily basis.
Rather than do the impossible and redesign their OS from the ground up to make the constant rebooting issue irrelevant, they did the only thing possible wh
Clump all their updates into bundles so that reboots were "scheduled" and admins got used to the cycle.
"You can't fight in here, this is the war room!"