How To Argue That Open Source Software Is Secure?

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"

turn tables

[TheSHAD0W]

How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?

Re:turn tables

[Pav]

I'm not sure "counter-spin" is the right tactic. Sure, you can offer some counter arguments, but personally I'd suggest the customer do an Internet search with something like "windows linux security". Microsoft has advertising muscle, editorial influence and sales teams... but despite this many people in-the-know choose open source specifically for security - an Internet search should make that clear. It will also demonstrate your integrity.

Re:turn tables

[TubeSteak]

How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?

What the argument really boils down to is this:
Open Source - You/I/We/The Community can audit the code and fix problems now
Closed Source - Wait for the vendor (MS) to release a patch (once a month) if the vendor thinks it is worth patching

Re:turn tables

[Roger+W+Moore]

Ah, but how do we know it is not true? Since it is closed source we can never be completely certain and just have to take someone's word for it....which is really the whole point of the argument for OS.

Re:turn tables

[the_womble]

It does not invalidate the point that the bugs were fixed in the open source versions and not in the MS version.

Other points to make:
1) Open = open to independent security audits. I think the Open BSD audit covers other people's code, so there is at least one example of it happening.
2) MS code has been leaked, and other code is deliberately shared with selected people. The bad guys probably have ways of getting hold of a lot of MS source code; whereas open source is available to you as well.
3) Track record. Not just Windows vs Linux, but IIS vs Apache etc.

Re:turn tables

[JWSmythe]

    An obvious one would be....

    "So, why do my non-public facing workstations constantly get viruses; my public facing Windows machines get exploited; yet my non-public facing Linux machines have no security problems; and my public facing Linux machines have never been exploited. They're all patched in accordance to the distribution guidelines."

    To appease the C-level folks, good documentation and quantification of the instances of security problems will make them happy.

    "We spent 5,000 man hours last year cleaning up exploit problems on properly patched Windows machines, yet we spent 20 hours investigating potential security problems on the open source machines and found them to be simply user error. Per machine they equate to 50 hours per Windows machine, and 0.01 hours per open source machine.

    In the last fiscal year, the TCO per machine on average, including cost of licenses, upgrade licenses, maintenance, and required security response for Windows machine was $800, while it was only $2.50 per open source machine. Hardware costs are not accounted into this, as the open source users are happy with the superior performance achieved versus the Microsoft based counterparts."

    Those numbers are just yanked out of thin air. Fill them in with the appropriate numbers for your network.

    If you can provide a brief yet complete statement like that, it won't matter what the sales minions say, you have factual data to back up your side. Scare tactics aren't as good as hard evidence. Well, except in court. Juries will believe anything if you wrap it up right.

Re:turn tables

[shutdown+-p+now]

What the argument really boils down to is this:
Open Source - You/I/We/The Community can audit the code and fix problems now
Closed Source - Wait for the vendor (MS) to release a patch (once a month) if the vendor thinks it is worth patching

Careful with your phrasing! This can easily be twisted to:

Open Source - there are no experts, just you/I/we/the community hacking on the code; problems will be fixed only when someone is bothered enough, and even then you have no guarantee he knows what he's doing. No support for the fix either.

Closed Source - wait for the well-paid experts to release a thoroughly tested patch. If there are any problems, call support.

And when it comes to marketing, it doesn't matter if it's true or not; it only matters what the customer hears last, and what he is more likely to believe...

Re:turn tables

[fl1ckmasterflex]

Actually, these days .. "backdoors" aren't so obvious to look for. A simple buffer overrun could turn into an exploit. In the case of C++, exception records on the stack could be manipulated using exploits in code totally unrelated to the actual place of interest so that a nice helper function of your choosing gets called during stack unwind when there is an exception during execution..

Heck, if you got mad skillz, you could potentially corrupt server memory by messing with the powergrid of the building. I plan to do this before I die.
------------
"Solar winds predicted this week, use only the highest quality of tinfoil's to wrap your disks in and protect your data!"

Re:turn tables

[isorox]

Have you personally gone through the millions of lines of code in the Linux kernel to make sure that there isn't a backdoor? No? Then you're just taking someones word for it.

I haven't gone through the designs of a 747 either, and I haven't checked that the plane I'm about to board matches those designs. Even if I did, I wouldn't know what I'm looking for.

Fortunatly I trust that many independent people have been through those designs, and I trust the the qualified pilot has checked the plane out. More importantly, I trust that if the pilot is wrong, he suffers the same consequences I do.

Re:turn tables

[DarkProphet]

FWIW, I like Linux and FOSS, but I don't totally hate Microsoft or Windows as a rule.

Have you personally gone through the millions of lines of code in the Linux kernel to make sure that there isn't a backdoor? No? Then you're just taking someones word for it.

True in theory, I guess, but the difference is that I -- or anyone I hire -- could audit the Linux kernel code at any time. The same simply isn't true for Windows. Even if it were possible to get access to the Windows kernel code, it sure wouldn't be free. With Windows, I have to take someone else's word for it. With FOSS, I have options to independently verify any such claims.

how to argue that closed source is secure?

[bugi]

Open source is verifiable. Closed source is not.

Open source is verified, by many people, who discuss it in public. Closed source is not.

Re:Go to the bug logs for your software

[grcumb]

Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.

I'd put the emphasis on 'Compare'.

Print two lists. One containing all the critical vulnerabilities that have been reported in the last twelve months, along with numbers of exploited machines worlwide. The other will be a list of how many of these vulnerabilities have affected your supported machines.

If you've been doing your job well, the second list will be a blank page.

Show them where it works

[Zigbigadoorlue]

Show them trusted (kind of) and family name organizations that work on/use FLOSS. Big ones that jump to mind are the DoDs use of linux, the NSAs creation of SE linux and everyone knows who IBM is.

Re:Of course...

[joocemann]

I don't think they are aiming to battle on the concept of 'security' but rather the easily exploitable human characteristics of fear and susceptibility. This is, to a knowledgeable person, an obvious attempt at spreading rumor/mudslinging to create a widescale negative buzz among the weeble peoples.

I also heard Obama is a Muslim?

No Software is More (or Less) Secure Due to Source

[filesiteguy]

Whether or not the source code is available does not make software less secure. The methods by which most script kiddies and actual hackers (if I can use that term with these losers) access systems are those which would not be more or less available given the source code. You take a given library, note the interfaces and find a way to break in. If you have a buffer overflow, all the better.

Though I am an OSS advocate, I do not fall prey to the "oss is better" or "closed source is better" simply as a security measure.

Bad (insecure) software can be written by any individual or vendor. It is how that individual vendor responds to exploits that is the key.

This is easy

[garada]

Tell your customers that Microsoft is trying to sell them stuff. It has nothing to do with open source vs.closed source, just money.

Re:No Software is More (or Less) Secure Due to Sou

[oGMo]

Whether or not the source code is available does not make software less secure.

Disagree. Security is not a static rating but a process; part of that process is fixing found problems. Guess which is easier to fix: the stuff you've got the source to, or the stuff you have to wait 6 months before the vendor acknowledges as flawed.

Put in terms of ROI...

[phallstrom]

I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security.

5-6 years? Go back and figure out the cost of purchasing the various windows software that you'd need (including all licenses, per-seat, etc.) over that time period. Don't forget the proprietary back up software and enterprise anti virus software. Then taking your hourly rates run the numbers for how often you would need to patch those systems (every week?) and toss in the time it would take you to *test* the roll out of those patches and then add more time for when it breaks everything despite your testing.

ROI goes a long way towards changing a customer's mind (which is why so many of them don't want to spend money on reliable backups :)

Fight back

[missing000]

Don't discuss the attack, that's just playing into the hand they gave you.

What I would point out is the monthly patch cycle you buy into with MS.

Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.

The rest of the world releases patches as soon as someone with eyes sees a flaw. This is a clear advantage and negates all the FUD you are seeing.

Re:Fight back

[Malc]

Microsoft have a shocking history of sitting on a known vulnerability for years, but saying that releasing monthly instead of immediately is a problem is to spread your own FUD. They used to release as they patched, but that was even more problematic and so they responded to their customer's needs. In most cases, exploits don't appear in the wild until Microsoft release a patch for it.

Re:Fight back

[rtfa-troll]

Don't discuss the attack, that's just playing into the hand they gave you.

Well; if nobody's discussing it, then no. If they do discuss it you should definitely be ready to discuss their specific points with the people who have heard them. Preparing in advance so those points seem silly at the time they are told is also good.

What I would point out is the monthly patch cycle you buy into with MS.

It should be remembered that whilst this doesn't work properly, it was introduced partly at the demand of corporate customers. Some of them still like the idea and so it's maybe not the strongest point. What is worth discussing.

• Linux has SELinux / iptables and other second level defenses which make many vulnerabilities easier to control
• Linux patch management is integrated for both standard applications and OS making the likelyhood of an unpatched system much less than on Windows;
• Linux patch management is flexible, allowing automated patching of systems on a self imposed schedule; e.g. desktops automatically, servers at night after warning.

If you do want to discuss Microsoft's patch cycle, discuss it in the light of specific problems it causes. You should know of a specific "zero day" unpatched vulnerability which should obviously be patched and hasn't been.

Re:Fight back

[LurkerXXX]

They claim it's a feature, because it's a feature their large corporate customers asked for. You aren't likely to get bonus points for going against that one.

Microsoft used to release patches as soon as they were discovered. They worked that way for decades. A hole was found, a fix was built, tested, and released. Patches would come out almost daily sometimes. The big companies didn't like that because besides the plethora of standard 3rd party apps that MS and others tested the patch against, they also all had tons of custom in-house software that each patch had to be tested against. When patches were coming out frequently (sometimes daily as I said), their testing teams would only get a start on one patch, when they'd have to begin the testing process again with another patch. Things stacked up in the queues and they blew a lot of money on large testing teams. They requesting less frequent, but scheduled patch releases from MS so that they could set a regular manageable cycle for testing. It's certainly a security risk, but the pointy-hairs and bean counters at the large corps thought it was a good risk for the dollar savings.

By attacking MS's patch cycle, you are attacking the pointy-hairs and bean counters at those companies you are trying convince open-source is good. Probably not the best approach.

Re:Fight back

[jd]

Oh, there's actually a much better ways to do things. Windows 2000 had its NIST certification withdrawn due to insecurities (you don't have to say those were fixed and it was revalidated).

Whereas Linux is certified at around EAL5 - one of the highest Government ratings for commercial software and above the standards needed for classified work. Linux also has security code by the NSA. They can't endorse it, being the Government and all, but would the NSA spend money on software they can't use?

Even NASA and the Department of Energy have spent millions on Linux systems and putting some of their most essential work in that environment. If it's good enough to secure our nation against terror, doesn't it have to be better than the system you're patching monthly and still getting break-ins on?

Re:Fight back

[hairyfeet]

Point out also that there was...what? 45 or so known holes that hadn't been patched( some known about for years) when MSFT abandoned Win9x/WinME. Sorry that I can't give you the exact count, but sadly most of the Win9x sites have gone poof into the ether of the Internet. But I would point out that unlike MSFT Windows where they can decide to pull your plug by simply not bothering to provide security patches or safer updated software (See Win2K and IE7 for an example) that with Open Source code that even if the company that originally produced it were to disappear tomorrow or refuse to support it you still have options.

And I would also point out that the vast majority of viruses are NOT on Open Source OSes, even though by their logic they would be easy pickings and with all those servers running Linux it would be a spammers wet dream, and yet despite this "security risk" of having the source code the vast majority of viruses and spyware, malware that causes billions of dollars in lost revenue due to repairs and security breaches, runs on only one OS: The closed source Windows. So if Open Source is a cause for hacking what is their excuse?

Re:Fight back

[turbidostato]

"Don't discuss the attack, that's just playing into the hand they gave you.
What I would point out is the monthly patch cycle you buy into with MS. "

I think you are right, but I'd go even a step further. Just as it is read:
"I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years"

Then I'd say: "Have your facts: all I can offer is my word and my 5-6 years track record, true. But once the Microsoft minion's word dust has settle what is it in reality *their* track record? Something like millions of malware-bloated systems? You are not buying words; you are buying facts."

Re:Fight back

[TheLink]

But the truth is Open Source Software is not automagically secure. There can be safes which have open design specifications that aren't secure - just no safecrackers have bothered looking at them.

Some OSS is secure, some aren't. Same for closed source.

To me the track record of the programmers involved will give you a better idea of whether a particular program is secure or not.

Analogy: someone who hasn't learnt how to write properly after 5 years of writing (or bothered to), is unlikely to write properly tomorrow. Whereas someone who keeps writing well is likely to still do so.

Re:Fight back

[ScuzzMonkey]

There are a load of fine suggestions in this thread which are well-constructed for logical minds, but I can't help but feel this tactic is best answered in kind: a gut-level fear-check. And so the best response isn't to sit down and try to explain the perils of security through obscurity, nor to try to sell additional security services, or to discuss patch cycles and the like, but instead to simply ask the client this: "When's the last time you heard on the evening news anything about a new virus, exploit, or vulnerability discovered in your Linux software? Now, how about Microsoft software?"

Overly simplistic? Absolutely. Sure to make them reconsider what the Microsoft vendors are trying to sell them on its supposed security? Definitely.

Re:Fight back

[erroneus]

If Microsoft "discovers" patches, that kind of scares me.

Vulnerabilities are not patched when they are discovered. Some are, others sit waiting acknowledgement for a very long time before they are addressed.

In any case, the only true and reasonable metric is track record.

So first, one needs to explain that source code does not necessarily mean vulnerabilities are visible or present any more than knowing how a lock works makes them insecure. That is a pretty challenging hurdle to overcome. Frankly, I am not sure how I would address that in a way that would be universally understandable. But that is the beauty of FUD. Fear is easy to do, but not easy to undo. And since Microsoft is the accepted "religion" speaking against it is blasphemy.

But it is easy to point to track record of security and it might be helpful to select some specific cases of known vulnerabilities in Windows that went unpatched for a very long time. It is also easy to point to the many, widely-known disasters that have occurred with Windows over the years... disasters that occur regularly without the use of source code proving that availability of source code is somewhat irrelevant.

In the end, there will be arguments for both sides and neither will make clear sense to the non-technical. Request a 3rd party penetration test and security audit and be sure your ducks are in a row.

Re:That's a new low

[squidinkcalligraphy]

I wonder if that's because suddenly companies are trying to save money by moving to open source software? And this is a pre-emptive response by the people who have the most to lose?

Understand the fear, and then address the concern.

[Hacksaw]

1. Do not belittle or otherwise blow off the customer's fear. In fact, hear it, and agree that it's something to think about.

Them: "I'm worried about this Linux stuff. A guy was telling me that anyone could see the code, and just know how to hack it!"

You: "I can understand how that could be a concern. It is a little like having a map of the valuables in your house taped to your front door."

2. Explain why openness is helpful

Them: "Yeah, so what should we do?"

You: "To be honest, sir, the reason why we like that anyone can see the code is because that means anyone can fix those problems. And lots of people do, for the very same reason you are worried about it. They need something that's secure, and isn't going to surprise them."

3. Mention that serious people have a big stake in making this work.

You: "I should mention that a few companies have bet a lot of money on open source, and wouldn't be happy to see it easily broken. IBM, Novell, and Oracle, to name a few, have very large investments in Linux, and have donated many patches to make sure the code is secure. And for that matter, so has the NSA. They have actually extended the security quite a bit, with their Security Enhanced Linux."

4. Reassure them that people are thinking hard about this.

Them: "Yeah, but if anyone can see it..."

You: "...then you have to be extra careful. See, the strategy that Open Source follows, and everyone should, is to assume that everyone *can* see the code, so you better design it so that the real keys to the kingdom aren't in the code at all. You make sure the keys are completely in the hands of the owners of the system, so it doesn't matter if you can see how the lock works, you still don't have the keys."

5. Point out the obvious.

Them: "But what happens if someone tries to slip something in, and is really good at it?"

You: "Once in a while, someone tries. But when a thousand people might look at the files you are trying to sneak in, someone's going to notice. And then a hundred thousand geeks will make fun of you. In public, all over the internet."

Use an Analogy...

[Rinnon]

I watched a "How's it Made" episode on combination locks. Knowing how a lock is made, didn't make it any easier to break into one. If the code is made correctly, the passwords can't just be bypassed. You can't just change the code and load it in for a fun filled night of hacking any more than you can with a closed source OS. That's how I'd explain it to a customer.

buying the false argument

You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service.

Yep

[symbolset]

"First they ignore you, then they ridicule you, then they fight you, then you win." -- Mahatma Gandhi

They're getting scared now.

There is one HUGE thing people are overlooking

[RichiH]

You must stress that being able to _read_ the code is not the same as being able to _write to the released codebase_. This is an assumption I have encountered again and again and again.

The evil thing is, people don't ask about this, they assume it's fact and that's that.

"We" need to make sure this myth dies.

Don't

[benjymouse]

With the risk of being modded into obscurity and burning all my karma:

Simply don't venture into the trap that OS is inherently more secure than closed source. It is unfortunately easily refuted. PHP, WordPress, Typo3, Drupal are all open source projects with very challenged security track records.

Security and open source - despite popular belief - seems to be orthogonal concepts. It seems to have more to do with the QA/QC processes in place than with the actual development model.

IBM just released a report which shows that Vista and Windows Server are actually hit by fewer vulnerabilities than "Linux kernel", although suffering from more malware. http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

It actually show that through 2008 Linux kernel experienced 2x the vulnerabilities of Vista/Server 2008, Apple OS X was hit by 3x the vulnerabilities.

The IBM X-Force team went through the disclosed CVEs and attributed them to the operating systems. This way they didn't multi-count Linux because of multiple distributions, and also they didn't count vulnerabilities from the bundled apps from the distributions.

You may claim (as many surely will) that MS somehow "hides" vulnerabilities. However, that doesn't seem to be the case when you look at the information (the "bulletins") which is supplied with each patch.

Simply put, security seems to be an orthogonal issue. Open source does not seem to automatically or inherently guarantee fewer vulnerabilities or better in-depth protections. It doesn't seems to make it worse, though.

Claiming so will only make you vulnerable to counter-examples (of which there are many) and will allow the MS lackeys to paint you as an ideology-driven zealot.

Chunk it down. Point to the security track record of the products you recommend. Leave out the claim that they are more secure because they are OS, just claim that the products are produced by vendors that are accountable, dependable and transparent with proven security records.