Slashdot Mirror


How To Argue That Open Source Software Is Secure?

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"

5 of 674 comments

  1. *sigh* by faedle · Score: 5, Informative

    If it's good enough for the NSA, it's good enough for you.

  2. Re:how to argue that closed source is secure? by cptdondo · Score: 5, Informative

    Did you ever monitor a project maillist? I'm constantly amazed at the nit-picky details that must be addressed before a patch is accepted. The submitter is held to an incredibly high standard.

    I've worked in a commercial outfit, and if it worked, we shipped.

    The quality control that a patch goes through, the ruthless dissection of programming style, usefulness, and clarity is something I've never seen in a commercial environment.

  3. What does the government think? by Toe, The · Score: 5, Informative

    DHS - linux
    FBI - linux
    Navy - linux
    Air Force - linux

    Wonder why those agencies are using such an "unsecure" platform...?

  4. Re:how to argue that closed source is secure? by rtfa-troll · Score: 5, Informative

    You seem to be a bit trolling, but you're an interesting troll, so let's go ahead :-)

    It's very clear that different parts of open source have different standards of review. Whilst the Debian SSL situation is bad to terrible (I had just installed my home web server on Debian for an experiment; I was not pleased!), it was discovered only due to the source being open. It's known that actual deliberate attempts to put back doors into the Linux Kernel have been thwarted. By choosing properly supported, stable, well-audited parts of Linux there can really be a benefit. Personally I would strongly recommend RedHat. I was impressed that their distribution wasn't actually compromised during the recent attacks on their signing infrastructure. It showed a real commitment to defense in depth to a level which surprised me.

    Even the compiler attack you mention has now been countered (see also Schneier's interesting discussion of double compilation). I'm surprised you don't mention it when discussing a 1980's paper (which is why I wonder about the trolling bit). This means that it really is possible to leverage the benefit of "open source" for better security.

    I'd take a slightly different moral; you should have layered trust. More for Linux; less for Apache; little for Open Office; very little for random Linux games; none for closed source software. Use SELinux to partition your software (if your OS doesn't support SELinux then change it :-). If you care about security then insist on source and actually pay for some parts of source level audits.

    A key "talking point" in this discussion would be why the Chinese insisted on having Windows source whilst commercial customers don't get it. Discuss whether your company has any Chinese competitors. Seriously consider switching off a system which gives those competitors a benefit you don't have (sometimes Chinese competitors seem indistinguishable from the government). If they insist on source then so should you.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();

  5. Re:Fight back by HungryHobo · Score: 5, Informative

    Well there's an old quote you could pull out.

    If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -and you still can't open the safe and read the letter - that's security.

    This might be a way to explain it to your clients.