Slashdot Mirror
How To Argue That Open Source Software Is Secure?
Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?
Open source is verifiable. Closed source is not.
Open source is verified, by many people, who discuss it in public. Closed source is not.
Just point out how much more secure Firefox is than IE, or OpenBSD is than Windows, or any other hundreds of examples. The proof isn't hard to see, especially when it's Microsoft trying to argue.
Great Intellect...
Absolutely! I provide the sources for everything that I install, along with links to where I got it from. Of course, the fact that they cannot ascertain the reliability of the source code for themselves is a *huge* opportunity for me: I offer certification and auditing services as well :)
NOT as part of a normal installation, of course.
When they complain, I simply point out that this is the same as what they'd get from Microsoft, except that getting access to their source code is a lot more expensive.
It's a beautiful thing: Not only do I not have to pay anything for the software, I get to charge them labor to install it for them (which is pure profit from my perspective). Then, if they want source code verification or auditing, well, that's just more money, too!
I love Open Source Software!
The proof is in the pudding. Who gets hacked more ? Who suffers from worms and viruses constantly ? Who has to run anti-virus and anti-malware software ?
Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.
I'd put the emphasis on 'Compare'.
Print two lists. One containing all the critical vulnerabilities that have been reported in the last twelve months, along with numbers of exploited machines worlwide. The other will be a list of how many of these vulnerabilities have affected your supported machines.
If you've been doing your job well, the second list will be a blank page.
Crumb's Corollary: Never bring a knife to a bun fight.
Show them trusted (kind of) and family name organizations that work on/use FLOSS. Big ones that jump to mind are the DoDs use of linux, the NSAs creation of SE linux and everyone knows who IBM is.
I don't think they are aiming to battle on the concept of 'security' but rather the easily exploitable human characteristics of fear and susceptibility. This is, to a knowledgeable person, an obvious attempt at spreading rumor/mudslinging to create a widescale negative buzz among the weeble peoples.
I also heard Obama is a Muslim?
Whether or not the source code is available does not make software less secure. The methods by which most script kiddies and actual hackers (if I can use that term with these losers) access systems are those which would not be more or less available given the source code. You take a given library, note the interfaces and find a way to break in. If you have a buffer overflow, all the better.
Though I am an OSS advocate, I do not fall prey to the "oss is better" or "closed source is better" simply as a security measure.
Bad (insecure) software can be written by any individual or vendor. It is how that individual vendor responds to exploits that is the key.
The Kai's Semi-Updated Website Thingy
Tell your customers that Microsoft is trying to sell them stuff. It has nothing to do with open source vs.closed source, just money.
Mmm Hmm.
And how many times have you heard about worms on Microsoft, the 'more secure' closed source OS?
And how many times have you heard about viruses getting through on the Linux systems I helped you set up?
Since Linux is the main system used for internet servers, you would think dangerous criminals would hit it first, right?
The reason you haven't heard of it lately is they did. Unix and Linux ironed all this stuff out 20 years ago - the last Unix worm that got famous was the Morris Worm. Huey Lewis and the News were big, there were still hair bands, and Republicans still had a reputation as being fiscally responsible.
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
Not all academic journals are equal, and open-source vetting would span the gamut between well respected and not-to-be trusted (phpBB anyone?) Your comments read as if Microsoft doesn't have competent experts and linux does, which could also be argued both ways.
I don't think there's any need to exaggerate the security of open source software. One of my clients was recently burned due to Debian/Ubuntu's openSSL changes (utter disregard for security) that led to their servers being taken down, and a lot of hassle and explaining to be done. The sysadmins on the job weren't on top of their security updates, and Debian was not vetting their code properly.
Linux security relies on its system administrator. A good sysadmin with a bunch of linux boxes will be able to run a secure network, while negligent ones, such as those I've dealt with recently, can create security nightmares with linux. Same goes for Windows, really.
So, the most important thing you need to show your customers is that you are reliable, on top of your profession, and have the knowledge and confidence to stand behind your open source products. The weakest link in any network, be it Windows or Linux, is those that administer it.
Disagree. Security is not a static rating but a process; part of that process is fixing found problems. Guess which is easier to fix: the stuff you've got the source to, or the stuff you have to wait 6 months before the vendor acknowledges as flawed.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security.
5-6 years? Go back and figure out the cost of purchasing the various windows software that you'd need (including all licenses, per-seat, etc.) over that time period. Don't forget the proprietary back up software and enterprise anti virus software. Then taking your hourly rates run the numbers for how often you would need to patch those systems (every week?) and toss in the time it would take you to *test* the roll out of those patches and then add more time for when it breaks everything despite your testing.
ROI goes a long way towards changing a customer's mind (which is why so many of them don't want to spend money on reliable backups :)
Don't discuss the attack, that's just playing into the hand they gave you.
What I would point out is the monthly patch cycle you buy into with MS.
Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.
The rest of the world releases patches as soon as someone with eyes sees a flaw. This is a clear advantage and negates all the FUD you are seeing.
# Many firewall/routers run linux. If linux is good enough to protect your windows machines from intrusion, then a logical person would conclude an open source operating system such as linux is more secure.
Many firewall/routers run a highly stripped down version of linux.
It does not follow that an OSS OS is more secure.
[Fuck Beta]
o0t!
I wonder if that's because suddenly companies are trying to save money by moving to open source software? And this is a pre-emptive response by the people who have the most to lose?
"I think it would be a good idea" Gandhi, on Western Civilisation
1. Do not belittle or otherwise blow off the customer's fear. In fact, hear it, and agree that it's something to think about.
Them: "I'm worried about this Linux stuff. A guy was telling me that anyone could see the code, and just know how to hack it!"
You: "I can understand how that could be a concern. It is a little like having a map of the valuables in your house taped to your front door."
2. Explain why openness is helpful
Them: "Yeah, so what should we do?"
You: "To be honest, sir, the reason why we like that anyone can see the code is because that means anyone can fix those problems. And lots of people do, for the very same reason you are worried about it. They need something that's secure, and isn't going to surprise them."
3. Mention that serious people have a big stake in making this work.
You: "I should mention that a few companies have bet a lot of money on open source, and wouldn't be happy to see it easily broken. IBM, Novell, and Oracle, to name a few, have very large investments in Linux, and have donated many patches to make sure the code is secure. And for that matter, so has the NSA. They have actually extended the security quite a bit, with their Security Enhanced Linux."
4. Reassure them that people are thinking hard about this.
Them: "Yeah, but if anyone can see it..."
You: "...then you have to be extra careful. See, the strategy that Open Source follows, and everyone should, is to assume that everyone *can* see the code, so you better design it so that the real keys to the kingdom aren't in the code at all. You make sure the keys are completely in the hands of the owners of the system, so it doesn't matter if you can see how the lock works, you still don't have the keys."
5. Point out the obvious.
Them: "But what happens if someone tries to slip something in, and is really good at it?"
You: "Once in a while, someone tries. But when a thousand people might look at the files you are trying to sneak in, someone's going to notice. And then a hundred thousand geeks will make fun of you. In public, all over the internet."
All the technology in the world won't hide your lack of vision, talent, or understanding.
It might be better to say that several large internet entities who employ the top people in tech obviously have a preference for Linux.
And then all you need to do is some large company name-dropping. Pointing out all the ways someone has already used Linux personally (without knowing it) would also be a help.
Here's one that comes to mind:
http://news.cnet.com/2100-1001-275155.html
I watched a "How's it Made" episode on combination locks. Knowing how a lock is made, didn't make it any easier to break into one. If the code is made correctly, the passwords can't just be bypassed. You can't just change the code and load it in for a fun filled night of hacking any more than you can with a closed source OS. That's how I'd explain it to a customer.
The strongest security is the one you get from everybody in the company being loyal and well educated about what they should and shouldn't do. Of course, you don't post your passwords on a sign outside, but that is about as much secresy as it is worth the effort to maintain, I think. Apart from that - if we know that Microsoft's security strategy uses "protocol X" and open source uses the same, what is the real difference? Only that in open source you can potentially inspect the implementation and verify that it doesn't contain inherent weaknesses that allow you to circumvent it. You can't do that with closed source, you have to trust the supplier; the big question then is: can you?
Open source works along the same lines as the open, scientific discourse that has brought us from pre-industrial society to the present day. If we had relied on secret research, we would still have lived in the mud; romantic, perhaps, but no computers. Or compare open societies to closed ones: are countries like Sweden, Germany and Switzerland less secure than, say, Burma? The only ones that feel more secure in Burma are the ones in power, but the country as a whole is less secure, as far as I can see.
You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service.
Look at all the "respected" finance firms that either no longer exist, are close to death, or turned out to be giant scams. The root to all this were complicated processes that lacked the necessary transparency. When something started to break, no one could determine which parts in the system were still valid, so everything grinded to a halt.
The moral of the story is that complicated systems need to be transparent, regardless of their industry. Assume the worst of what you and other vested parties are unable to see. Not being able to see the problem is worse than the problem itself.
Sdelat' Ameriku velikoy Snova!
"First they ignore you, then they ridicule you, then they fight you, then you win." -- Mahatma Gandhi
They're getting scared now.
Help stamp out iliturcy.
You must stress that being able to _read_ the code is not the same as being able to _write to the released codebase_. This is an assumption I have encountered again and again and again.
The evil thing is, people don't ask about this, they assume it's fact and that's that.
"We" need to make sure this myth dies.
And as long as you treat this forum like a video game, you're part of the problem.
With the risk of being modded into obscurity and burning all my karma:
Simply don't venture into the trap that OS is inherently more secure than closed source. It is unfortunately easily refuted. PHP, WordPress, Typo3, Drupal are all open source projects with very challenged security track records.
Security and open source - despite popular belief - seems to be orthogonal concepts. It seems to have more to do with the QA/QC processes in place than with the actual development model.
IBM just released a report which shows that Vista and Windows Server are actually hit by fewer vulnerabilities than "Linux kernel", although suffering from more malware. http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
It actually show that through 2008 Linux kernel experienced 2x the vulnerabilities of Vista/Server 2008, Apple OS X was hit by 3x the vulnerabilities.
The IBM X-Force team went through the disclosed CVEs and attributed them to the operating systems. This way they didn't multi-count Linux because of multiple distributions, and also they didn't count vulnerabilities from the bundled apps from the distributions.
You may claim (as many surely will) that MS somehow "hides" vulnerabilities. However, that doesn't seem to be the case when you look at the information (the "bulletins") which is supplied with each patch.
Simply put, security seems to be an orthogonal issue. Open source does not seem to automatically or inherently guarantee fewer vulnerabilities or better in-depth protections. It doesn't seems to make it worse, though.
Claiming so will only make you vulnerable to counter-examples (of which there are many) and will allow the MS lackeys to paint you as an ideology-driven zealot.
Chunk it down. Point to the security track record of the products you recommend. Leave out the claim that they are more secure because they are OS, just claim that the products are produced by vendors that are accountable, dependable and transparent with proven security records.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
All things considered it is just plain lazier to restart your server after applying patches
Fixed that for you.
Someone who is knowledgeable will be able to restart the appropriate services on a Linux box without going through a full reboot cycle. It's not hard to check the processes on a box to see if they're using the library which was updated.
To the best of my knowledge, it is impossible to do this in many cases with Windows, because you can't replace the file while it is in use (and forcibly unlocking the file to replace it has undefined behavior with any given program.)
I'd love to be proven wrong on that Microsoft bit, though. If there's a way to safely patch without having to restart, please let me know!
There is one area in security where MS Windows products fail compared to Linux and that is the exposed surface area for attacks.
Linux: One of the big advantages that Linux has over windows is that each distribution and most installations are so unique. Due to differences in defaults, and installation choices, there are huge differences in the configuration of one Linux server to the next. Most Linux server installations I have been exposed to do not install any type of GUI. Some are Red Hat, some SUSE, some Debian, some Ubuntu, some are custom purpose distributions such as IPCOP or SmoothWall firewalls. Some have SSH clients installed, some have iptables firewalls, some don't. If they have a web server, it might be apache, but it could also be lighthtpd. Databases that the application servers connect to could be MySQL or PostgreSQL or Oracle. If they have a mail server they may have sendmail or maybe postfix installed. They could be running 2.6.8 kernel, or 2.6.18, or 2.6.24, or 2.4.32 etc. There is no "typical" Linux installation.
Windows: On the other hand, Windows will almost always (nice feature in 2008 to install without it) have a GUI installed. If they are running an HTTP server it is most likely IIS. If you are running a mail server you can almost guarantee that it will be Exchange. Back end databases are almost always SQLServer or Oracle. You can also bet 50% or more are not patched up to date because the services provided by those servers are not in a cluster or behind a sprayer so the admins can't afford the downtime associated with the patch.
The main point is this. In the security realm, the larger the defined attack surface the more likely you are to be able to use one avenue to exploit and therefore compromise the server(s). Due to the wide differences in Linux distributions, and the fact the there is no "default" e-mail server, GUI, Window manager, scripting language, firewall settings, etc. that are common among all Linux installations. This means that a given attack or exploit will work on only a small percentage of Linux servers.
Compare that to Windows, where all servers essentially are configured identically within each release (Windows 2000, Windows 2003, ....). If they have a GUI installed it is the Windows GUI, it will have IE installed, it will have the Windows firewall, it will have .NET support installed, etc. This makes it much easier to exploit the server, because you have a large variety of services that are all identical running on every machine.
So it you exploit an IIS vulnerbility you can compromise the server running Windows. If you exploit an Apache vulnerability you may not be able to do anything on a Linux box because the Apache instance could by run in a chroot jail, SELinux or Bastille Linux configured.
The variety of products and distributions in Linux, while a little challenging from a SysAdmin standpoint at times, is actually an inadvertent security feature. Windows uniformity is helpful to Windows consultants and system admins, but makes for an easier to exploit product.
My two cents worth...
The only real way to measure real safety/security is with real numbers of how things actually work in the field. You can't deduce security. The only way to know how secure something is, is to measure the break-in rate. One important thing to understand about break-ins is that most are a result of end-user-mistakes. The main tool the U.S. and Britian used to break Inigma during WWII was thier knowledge that all German transmissions ended with the same phrase. The British used a brute force decoding, they simply tried every encoding sequence until they got one that decoded the last phrase to the content they knew it had. Operator error! The most common Windows and Linux attacks STILL rely on operator error.