Slashdot Mirror


How To Argue That Open Source Software Is Secure?

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"

13 of 674 comments

  1. *sigh* by faedle · · Score: 5, Informative

    If it's good enough for the NSA, it's good enough for you.

  2. Re:That's a new low by Ethanol-fueled · · Score: 4, Informative

    Eh. Two of the three ads served on this page since I first viewed it are Microsoft ads.

    Never understood why people didn't like KDawson, but approving articles from known professional trolls with links to Twitter (not to mention the fact that other Slashdot admins post Twitter's articles) smells funny. There's always a market in people you love to hate ;)

  3. Re:turn tables by man_of_mr_e · · Score: 4, Informative

    Actually, it's not true.

    You should read this article http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357

    Microsoft did use code from BSD, but it was licensed from UCB (via Spider Software) and predates the first open source versions of BSD's network stack, as evidenced by the copyright dates. And Windows' network stack is not based on it anymore.

  4. Re:how to argue that closed source is secure? by cptdondo · · Score: 5, Informative

    Did you ever monitor a project maillist? I'm constantly amazed at the nit-picky details that must be addressed before a patch is accepted. The submitter is held to an incredibly high standard.

    I've worked in a commercial outfit, and if it worked, we shipped.

    The quality control that a patch goes through, the ruthless dissection of programming style, usefulness, and clarity is something I've never seen in a commercial environment.

  5. What does the government think? by Toe, The · · Score: 5, Informative

    DHS - linux
    FBI - linux
    Navy - linux
    Air Force - linux

    Wonder why those agencies are using such an "unsecure" platform...?

  6. You already have what you need, a positive record by NevarMore · · Score: 4, Informative

    "...[systems] that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security."

    Prove, document, and send your customers exactly that. None of my customers give a rat's ass about philosophy, they care about the bang for the buck.

    If you can clearly point out to your customers that:
    1. The sales calls they're getting are SALES CALLS. Your customers will realize that the salesman will spin things so that they buy his kit. That spin may not be accurate or apply to them.
    2. Uptime of your systems in a given time period.
    3. Cost of your systems/services over that time period.
    4. Be honest, unplanned downtime in the same time frame for your systems/services.
    5. Distill all of that to brief bullets or an executive summary paragraph.
    6. Follow on with a request for feedback. You strive to provide the best service to your customers, make sure that they're happy.
    7. Double check all of your numbers before sending, assume it will be shown to the sales people from other companies. CYA.

    Waffling on about philosophy and visibility of code and yadda yadda is all well and good, but the person cutting the cheques does.not.care. What they do care about is ROI and cost/benefit. They care about your track record of performance.
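As an added example (not from the thread or from any commenter), here is a small script that turns the records behind steps 2 through 4 above into the figures an executive summary needs: availability over the period, planned versus unplanned downtime, and cost. The outage records, reporting period and cost figure are constructed sample values, and the clipping of an outage that started before the period is included because that is the kind of detail a rival salesman will pick at if the numbers are wrong.

```python
"""Turn a service's outage log into the track-record numbers a customer asks for.

Added example with constructed data; nothing here comes from the thread.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample period and cost (assumed values, not real customer data).
PERIOD_START = datetime(2008, 1, 1)
PERIOD_END = datetime(2009, 1, 1)          # 366 days (2008 is a leap year)
PERIOD_COST = 12 * 450.0                   # assumed monthly support/hosting fee

# Constructed outage log: (start, end, planned?, description).
# The first entry deliberately starts before the period to exercise clipping.
OUTAGES = [
    ("2007-12-31 23:50", "2008-01-01 00:10", False, "NTP misconfiguration"),
    ("2008-01-12 02:00", "2008-01-12 02:25", True,  "kernel security update, scheduled reboot"),
    ("2008-03-03 14:10", "2008-03-03 14:52", False, "disk failure on web01"),
    ("2008-06-20 01:00", "2008-06-20 01:15", True,  "library patch, scheduled restart"),
    ("2008-09-15 09:30", "2008-09-15 10:10", False, "upstream power loss"),
]


def clipped_minutes(start, end, period_start, period_end):
    """Whole minutes of one outage that fall inside the reporting period."""
    s = max(datetime.strptime(start, FMT), period_start)
    e = min(datetime.strptime(end, FMT), period_end)
    if e <= s:
        return 0                           # entirely outside the period
    return int((e - s).total_seconds() // 60)


def summarize(outages, period_start, period_end, period_cost):
    """Compute availability, planned/unplanned downtime and cost for the period."""
    period_minutes = int((period_end - period_start).total_seconds() // 60)
    planned = unplanned = incidents = 0
    for start, end, is_planned, _desc in outages:
        minutes = clipped_minutes(start, end, period_start, period_end)
        if minutes == 0:
            continue
        if is_planned:
            planned += minutes
        else:
            unplanned += minutes
            incidents += 1                 # only unplanned events count as incidents
    total_down = planned + unplanned
    return {
        "period_minutes": period_minutes,
        "planned_minutes": planned,
        "unplanned_minutes": unplanned,
        "unplanned_incidents": incidents,
        # Honest figure: every minute the service was down, scheduled or not.
        "availability_pct": 100.0 * (period_minutes - total_down) / period_minutes,
        # The figure most SLAs quote: maintenance windows excluded.
        "availability_excl_planned_pct": 100.0 * (period_minutes - unplanned) / period_minutes,
        "period_cost": period_cost,
    }


def executive_summary(summary):
    """Render the summary as the brief bullets step 5 asks for."""
    lines = [
        f"- Availability: {summary['availability_pct']:.3f}% "
        f"({summary['availability_excl_planned_pct']:.3f}% excluding scheduled maintenance)",
        f"- Scheduled maintenance downtime: {summary['planned_minutes']} min",
        f"- Unplanned downtime: {summary['unplanned_minutes']} min "
        f"across {summary['unplanned_incidents']} incident(s)",
        f"- Total cost for the period: {summary['period_cost']:.2f}",
    ]
    return "\n".join(lines)


def sample_summary():
    """Summary over the constructed data above."""
    return summarize(OUTAGES, PERIOD_START, PERIOD_END, PERIOD_COST)


if __name__ == "__main__":
    print(executive_summary(sample_summary()))
```

Both availability figures are reported on purpose: the one with maintenance windows included is the honest number step 4 calls for, and the one without is what a competitor's SLA sheet will quote, so the customer can compare like with like.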

  7. Actually, it is true. by tpgp · · Score: 4, Informative

    It is true - the GP said they used BSD licensed code and the source you cite agrees:

    Keep in mind there is no reason to rewrite that code. If your ftp client works fine (no comments from the peanut gallery!) then why change it? Microsoft has other fish to fry. And the software was licensed perfectly legally, since the inclusion of the copyright notice satisfied the BSD license.

    Furthermore, I think the GP was thinking of the BSD licensed zlib. This library had a security issue several years back. Linux / BSD / etc were patched almost immediately (just update a single library), but MS products, including DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, were not patched as quickly.

    --
    My pics.

  8. Re:turn tables by Hooya · · Score: 4, Informative

    If I were in that situation, I'd cite:

    Cisco - ASA - Based on Linux
    A10 - Loadbalancer/Firewall - Has Linux
    Coyote Point - Loadbalancer - *BSD

    And I'm sure several others.

    If open source is good enough for Cisco to use for Firewalls that you'd need to secure your network, you'd think it's secure enough for the common man?

    Any references where Windows was used for firewalls to secure the rest of the network?

    I'm not sure if I'd take the combative approach but the point is that even if you went 'proprietary' and wiped out all open source servers, put windows on 'em - what would you put in front to firewall them? Another windows box? Or a Cisco ASA? So, did you really get rid of Open Source?

  9. Re:how to argue that closed source is secure? by rtfa-troll · · Score: 5, Informative

    You seem to be a bit trolling, but you're an interesting troll, so let's go ahead :-)

    It's very clear that different parts of open source have different standards of review. Whilst the Debian SSL situation is bad to terrible (I had just installed my home web server on Debian for an experiment; I was not pleased!), it was discovered only due to the source being open. It's known that actual deliberate attempts to put back doors into the Linux Kernel have been thwarted. By choosing properly supported, stable, well audited parts of Linux there can really be a benefit. Personally I would strongly recommend RedHat. I was impressed that their distribution wasn't actually compromised during the recent attacks on their signing infrastructure. It showed a real commitment to defense in depth to a level which surprised me.

    Even the compiler attack you mention has now been countered (see also Schneier's interesting discussion of double compilation). I'm surprised you don't mention it when discussing a 1980's paper (which is why I wonder about the trolling bit). This means that it really is possible to leverage the benefit of "open source" for better security.

    I'd take a slightly different moral; you should have layered trust. More for Linux; less for Apache; little for Open Office; very little for random Linux games; none for closed source software. Use SELinux to partition your software (if your OS doesn't support SELinux then change it :-). If you care about security then insist on source and actually pay for some parts of source level audits.

    A key "talking point" in this discussion would be why the Chinese insisted on having Windows source whilst commercial customers don't get it. Discuss whether your company has any Chinese competitors. Seriously consider switching off a system which gives those competitors a benefit you don't have (sometimes Chinese competitors seem indistinguishable from the government). If they insist on source then so should you.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();

  10. Re:Fight back by HungryHobo · · Score: 5, Informative

    Well there's an old quote you could pull out.

    If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -and you still can't open the safe and read the letter - that's security.

    This might be a way to explain it to your clients.

  11. But it's not only being dishonest... by Enleth · · Score: 4, Informative

    That's also being misinformed - Microsoft itself is ENDORSING AND FUNDING Open Source!

    Just put the phrase "Microsoft funding apache" in any web search engine. It was on Slashdot a few weeks ago anyway. And show that to your customers. MCPs are saying that Apache is insecure? Well, Microsoft is funding it and saying that it's good, so it looks like those MCPs know crap even about things Microsoft has an official say in, and they shouldn't be trusted in those matters, or probably in any matters.

    --
    This is Slashdot. Common sense is futile. You will be modded down.

  12. Re:Fight back by init100 · · Score: 4, Informative

    I'm still waiting for a Debian security update to break anything.

    OpenSSL?

  13. Re:Fight back by suckmysav · · Score: 4, Informative

    "They used to release as they patched, but that was even more problematic"

    Translation: Admins were sick and tired of rebooting servers on a daily basis.

    Rather than do the impossible and redesign their OS from the ground up to make the constant rebooting issue irrelevant, they did the only thing possible wh

    Clump all their updates into bundles so that reboots were "scheduled" and admins got used to the cycle.


    --
    "You can't fight in here, this is the war room!"