How To Argue That Open Source Software Is Secure?

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"

That's a new low

[Daishiman]

Really, that's a new low for Microsoft lackeys. Being ISV's you'd expect them to be a bit more honest and pragmatic. Turns out they're just like their evil overlords.

Go to the bug logs for your software

[wtansill]

Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.

Of course...

[QuietLagoon]

they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.'

.
Of course, Microsoft Windows has proven that closed-source, proprietary software is secure. Ha-ha-ha-ha-ha-ha-ha-...

Microsoft is desperate to fight the lower cost of Open Source in these troubled economic times. Microsoft is having trouble justifying their economic exstence. So, instead of fighting on a cost basis, Microsoft is tryng to shift the battleground to a different arena --- one of security. Unfortunately, in the arena of security, Microsoft loses big.

I'd consider calling in Bruce Perens

[tcopeland]

He may be lurking hereabouts, but if not, here's his bio. I've been doing open source for a fair while - 10 years or so - but he's been talking to companies and coming up with good answers to various arguments against open source for much longer.

Think of it like an academic report

[TheSpoom]

Open source software is like any report in an academic journal.

While a little more informal, it has usually been similarly vetted by competent experts in the field before it's been allowed into the wild, especially in large projects.

Therefore, it's much more reliable than closed source software like Windows, for which you have to take Microsoft's word alone, as opposed to the reviews of several top developers in their fields who approved the commits in the first place.

Plus, tell them to examine their sources; the bias is obvious.

Antivirus

[lena_10326]

2 points.

1. The fact that an antivirus program combined with a firewall is mandatory for any windows box (closed source) to remain virus free for longer than 20 seconds connected to the internet, whereas linux (open source) requires no such antivirus program, is experiential proof that linux is more secure.
2. Many firewall/routers run linux. If linux is good enough to protect your windows machines from intrusion, then a logical person would conclude an open source operating system such as linux is more secure.

Windows is Open source on Balckhat sites already

[goombah99]

Since 2004 The source code for windows is available for $20 on blackhat websites. SO it's avaialble for scrutiny by a very select few since possession is criminal.

Also it's worth noting that even for-profit companies like Sun and Apple often open source their code (e.g. apple's Darwin Kernel and openSolaris). And those companies have much better security reputations than Microsoft.

Ask your customers just some simple questions

[Johnny+Loves+Linux]

What is the #1 website on the planet today? Answer: google. How many machines does google have to support it's busines? Answer: tens of thousands. What operating system does google use? Answer: Linux. How many times has google been hacked in its 11 year history? Answer: Anybody, anybody? What is the #1 desktop operating system today? Answer: Microsoft. How many worms, trojans, viruses, etc. are there for Microsoft OSes? Answer: > 100,000 (source: pick you're favorite anti-virus company counting scheme.) How many times have businesses been hosed by using Microsoft software? Answer: Too many to count. The latest blunder today? The French navy. Reference: http://www.networkworld.com/news/2009/020909-conficker-worm-sinks-french-navy.html Now for the last and most important question: What does Microsoft think that it knows about security that Gooogle doesn't? Because comparing their security track records, it's not obvious to me that Microsoft knows anything about security. --Johnny says when in doubt just ask Google.

Re:turn tables

[sumdumass]

Many small shops like to think they are more important then they are. I don't know how many times I have had to switch to some other software because a partner found that a larger firm used something else just to find it willfully inadequate compared to what was being used before the 20 grand switch. This is true for law firms, Tax shops and accounting shops, insurance agencies and almost everything else I have worked with. They seem to think that using the software they use will give them the edge to be as profitable as they are.

The counter spin tactics that would probably be beneficial is something along the lines of Sun, IBM, Novel, and several other big Iron shops use OSS. Even the smaller shops mid level shops that use DB back ends use OSS like pervasive SQL, Oracle, MySQL, and so on. How is it that the large shops who spend the money for the Sun or Novel or IBM or Oracle servers that cost probably more then what they paid for IT in the last year don't have security concerns with Open-Source Software but a Microsoft rep who is attempting to sell you software and lock your into their specific version/line can convince you that it is unsafe?

I would still attempt to back that up with other facts concerning OSS usage like by Cisco, Zycell, and several other routing companies who provide industry leading security and routing products. I mean if the routers are configures correctly and capable of acting as a firewall, it's the first line of defense. And if their OSS servers and software aren't directly connected to the internet, then where is the worry because in order to hack them, you would need to bypass the routers or gain physical access to them.

Re:Fight back

Someone can correct me if I am wrong, but I believe Redhat EL 4/5 and Suse 10 have EAL4+. The + does not mean its EAL 5 and above, but rather EAL 4 with additional protection profiles. The generic Linux kernel does not have an EAL rating.

Windows 2000/XP/2003 has got the same (That is EAL4+). I am not sure about differences between the protection profiles though.

So watch out when you argue that point.

Note: AFAIK only 1 or 2 purpose designed OSs have ever got higher than that.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Fight back

We deal with satellites and gather data from NASA, ESA, JAXA, several governmental intelligence satellites, IRIDIUM and GALILEIO among others.

Do we need tight security? I would say so.
Do we run mainly on Linux and open source? Yes.

Re:turn tables

[damburger]

In other words "Science - it works bitches"

As a physicist I am quite comfortable arguing the merits of evolution over creationism because I understand the strength of the process that favored the former over the latter. I don't have to see every single experiment performed in that area of research; I know dodgy research would've been (and has been) spotted.