How To Argue That Open Source Software Is Secure?
Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
Really, that's a new low for Microsoft lackeys. Being ISVs, you'd expect them to be a bit more honest and pragmatic. Turns out they're just like their evil overlords.
How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?
Open source is verifiable. Closed source is not.
Open source is verified, by many people, who discuss it in public. Closed source is not.
Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.
The contest for ages has been to rescue liberty from the grasp of executive power. -- Daniel Webster
Just point out how much more secure Firefox is than IE, or OpenBSD is than Windows, or any other hundreds of examples. The proof isn't hard to see, especially when it's Microsoft trying to argue.
Great Intellect...
Of course, Microsoft Windows has proven that closed-source, proprietary software is secure. Ha-ha-ha-ha-ha-ha-ha-...
Microsoft is desperate to fight the lower cost of Open Source in these troubled economic times. Microsoft is having trouble justifying their economic existence. So, instead of fighting on a cost basis, Microsoft is trying to shift the battleground to a different arena --- one of security. Unfortunately, in the arena of security, Microsoft loses big.
He may be lurking hereabouts, but if not, here's his bio. I've been doing open source for a fair while - 10 years or so - but he's been talking to companies and coming up with good answers to various arguments against open source for much longer.
The Army reading list
I'm sure in enterprise things can be different, but working for a small/medium sized developer I know my CEO isn't so un-clued in that I couldn't explain something like this over a drink and have a good laugh.
But then we've used Oracle and seen what happens when cost and bad economics limit your business's growth. Let them smoke our RHEL and MySQL licensing; maybe they're getting something out of the ink.
Better yet, when your PHB approaches you why don't *you* ask him to point out a security situation that *wasn't* caused or aggravated by something that wasn't open source.
Just because some idiot says it's true doesn't mean anything.
Quack, quack.
If it's good enough for the NSA, it's good enough for you.
Open source software is like any report in an academic journal.
While a little more informal, it has usually been similarly vetted by competent experts in the field before it's been allowed into the wild, especially in large projects.
Therefore, it's much more reliable than closed source software like Windows, for which you have to take Microsoft's word alone, as opposed to the reviews of several top developers in their fields who approved the commits in the first place.
Plus, tell them to examine their sources; the bias is obvious.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
The proof is in the pudding. Who gets hacked more? Who suffers from worms and viruses constantly? Who has to run anti-virus and anti-malware software?
I had a professor say that kind of thing in class once. He said that "Linux will never be as secure as Windows because it's open source. Anyone can see the source code and use it to hack your computers."
It was completely involuntary on my part, but I let out a loud, and I do mean LOUD, "WHAT?".
He turned and looked at me, and I said, "I'm sorry, but that's not correct. Look at OpenBSD, it's open source too and there has been exactly one remote exploit in a default install in the past six years. Microsoft wishes that Windows had that kind of track record." He stammered and stuttered and then moved on with his lecture.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Do you need any more blatant example than that?
Name the next largest 'nix worm after the Morris worm.
In my 15+ years using Linux, various BSDs, and other open source software, I can't recall even once where someone asked me to "prove" that my tools were secure.
Show them it's more secure than Closed source software.
Show them statistics about compromise and Virus infections of Windows servers.
Show them statistics about compromise and Virus infections of servers running open source OSes.
Construct "model" servers implemented according to system defaults and providing all required services (but with no extras installed).
For example, e-mail: a FreeBSD 6 server running the Postfix MTA, and a Windows 2000 server running the IIS SMTP Service.
Show them the probable impact that would be expected on both servers if no vendor security updates were ever applied (based on worms and viruses that were in the wild).
Show them statistics about the number of remotely exploitable vulnerabilities that were discovered that would actually impact the two model servers.
Show them the impact of actually protecting the Windows 2000 server from vulnerabilities with constant updates VS the few updates required to protect the fairly ironclad FreeBSD 6 server.
Consider the historic frequency of updates required to keep a system secure, and the downtime impact of constant reboots to apply updates.
Show them trusted (kind of) and family-name organizations that work on/use FLOSS. Big ones that jump to mind are the DoD's use of Linux, the NSA's creation of SELinux, and everyone knows who IBM is.
How or why would a cracker-hacker break into a company, re-write their software (i.e. Open Office) to put a vulnerability in it, and then sit around waiting for the software to fail, when instead they can just exploit defects in closed source software?
So the answer would be it is easier to crack closed source software because it is poorly maintained (i.e. time and budget constraints) and there is no peer review. The open-source nature doesn't make software easier to crack (unless the vulnerabilities in it are flagged with comments pointing them out), but it does make software easier and more likely to be fixed if there are vulnerabilities found.
2 points.
Camping on quad since 1996.
I work for a SaaS company, and when we go through the inevitable rounds of security discussions any mention of open source software can be met with grumbles and a big discussion justifying its use with some of our larger customers. Fun times!
...show them the numbers. Microsoft Windows' security flaws since 1995 vs. those of Linux.
this is probably the most boring sig in the world
Some are secure and others are not. What is secure now could become insecure later, and vice versa.
Nothing replaces good auditing and vigilance.
Colorless green Cthulhu waits dreaming furiously.
Well the plus side about Microsoft being an illegal monopoly is that practically everybody knows how bad it is. Ask them if they worry about viruses and spyware on their home Windows machine. Then point out the server versions are the same with a few extra apps thrown in. Point out that Linux has never had a virus and was designed to be multi-user unlike Windows.
If they point out a flaw in a crappy PHP app then point out that the same flaw exists if you run it under Windows. Some people associate a few major PHP apps with Linux even though it's really platform agnostic.
Phillip.
Property for sale in Nice, France
Arguably there is a disadvantage to open source software which gives the attacker something to analyze. Peer review is great, but remember the Debian OpenSSL vulnerability? If your customer is concerned, treat their concerns seriously. Remember who the boss is.
I would recommend the only way to be certain is to hire a pen-testing company. Have a team of dedicated professionals try to exploit your software. If they succeed, you learn how to improve your systems to secure them, if they fail, you look good. Either way you win.
Remind them what Patch Tuesday is about. Then ask them about MS transparency on disclosing unpatched bugs. How many patches were applied to IE, and is it yet secure?
Open Source, due to its open nature, means more people able to repair vulnerabilities much faster. Look at the years it took Microsoft to patch vulnerabilities that would enable critical systems to be taken over remotely. Microsoft has a finite crew to find and report bugs, holes and vulnerabilities. I work tech support. Want to know how many people fall victim to viruses that exploit vulnerabilities that date back to Windows 98? Open Source also means that when things go wrong, the buck stops here. You can repair it, or work with someone to repair it, while with Microsoft you are victim to their schedule, their level of priority. Your vulnerability not critical enough? Bottom of the pile you go.
I can count on 1 hand the number of Linux vulnerabilities that, once discovered, took over a month to repair. I cannot count on both hands + feet the number of Windows vulnerabilities that continue to plague us over a decade after discovery.
Karma Whoring for Fun and Profit.
AES, RSA, and all the rest are published standards. Now, some companies claim that they can't reveal what kind of encryption they use or it would severely degrade their product. I'm not naming names because I have none, this is just a vague recollection. Just go with the high level idea.
Well, how safe does that make you feel? Someone guesses it and all your security goes out the window? Here's the claim made by AES, and possibly by extension open source: We have a thousand eyes watching us, everyone knows how we work since it's published, and we're still secure. How's that for tough?
And, yes, more logically valid arguments like stats between number of open and closed source vulnerabilities found and other things suggested by other posters.
If a security system uses modern cryptographic methods that are considered secure, there should be little difference if the method is known (as it would be in open source) or not. This is because one of the criteria for a secure cryptographic system is that they are secure even when an attacker knows the system used, and has information to mount a known plain-text attack. Of course this works best in theory, and in a real life application it might not be that simple. But at least in cryptography the justification that "our method of security is unknown to attackers" is considered weak.
Whether or not the source code is available does not make software less secure. The methods by which most script kiddies and actual hackers (if I can use that term with these losers) access systems are those which would not be more or less available given the source code. You take a given library, note the interfaces and find a way to break in. If you have a buffer overflow, all the better.
Though I am an OSS advocate, I do not fall prey to the "oss is better" or "closed source is better" simply as a security measure.
Bad (insecure) software can be written by any individual or vendor. It is how that individual vendor responds to exploits that is the key.
The Kai's Semi-Updated Website Thingy
Tell your customers that Microsoft is trying to sell them stuff. It has nothing to do with open source vs. closed source, just money.
This is a better question than most here will give credit, regardless of how sleazy it is that MS sales reps are using it as a tool.
;-)).
The real focus needs to be determined. Is the question whether open source software development methodology is inherently vulnerable? Or is the question whether open source project X is more vulnerable than proprietary project Y?
I'll address my thoughts on the open source methodology, and the argument I use in these discussions.
Software security is reliant on a couple of key factors. Obscurity is the first one most people think of, and despite the prevailing feeling, obscurity is an excellent security control that protects against certain types of attacks. However, reliance on obscurity for security is not a good idea because over time most secrets are disclosed.
Good security architecture relies on robust security controls that maintain integrity even when attackers are fully aware of the mechanism's internal workings. Perhaps it helps to think of it this way: imagine two people walking down the street. One is alone and vulnerable but in disguise and very hard to recognize. He's relying on obscurity for security, and it will probably work. The other person is surrounded by bodyguards and the entire region for miles around is swarming with more guards and surveillance teams. He's relying on a robust security control (really controls) and it doesn't matter if attackers know the details, they still aren't going to have an easy time getting through to him.
So open source projects are not insecure because they are open, and in fact many would argue that their very openness provides insurance against stupid decisions to use weak security controls and protect them only through obscurity (a classic move of proprietary systems; just think of the old MS password hashing scheme, or a dozen other proprietary security controls that turned out to be too weak to withstand public scrutiny).
The vulnerability numbers bear out this basic concept with more vulnerabilities relating to Windows systems than to *nix systems despite *nix systems running many more critical systems. I'd have to say that this is in large part because the underlying security controls of *nix systems are dissected by obsessive compulsive geeks, like us.
To convince your boss that FOSS is OK, do some research on vulnerabilities reported in the NVD. A (very) informal check shows about 1200 vulnerabilities tied to Linux and 1400 tied to Microsoft. I'd suggest doing more, and better, research than that before sitting down with the CEO to discuss this but the numbers seem to be on your side.
I'll end by saying that FOSS products are not always secure, and the open source development methodology is not inherently secure if the development community is too small to provide competent, and unbiased, security reviews of the software. A very large project, like Apache or Ubuntu, is likely to fare well when compared directly to IIS and Windows. A smaller open source project, like a contributed module to Drupal, may be riddled with problems simply because not very many people took the time to look at it before deployment. That is one advantage of a commercial company: they (should) have a good QC/QA program to make sure bad products don't get shipped (they get sold to Microsoft, who can ship crap with impunity).
Anyways, it should be an easy argument with NVD numbers to back you up and the concept that security through strong algorithms and good architecture is more important than security through obscurity.
Like trees blowing in the wind.
M$ = communism - every thing behind closed doors
open source = democracy - everything in the open
just can't explain the bush era
There are a plethora of articles out there about open-source and why it's more secure.
In the end, though, you have to address each customer's concerns directly.
If they have a concern, answer it.
If they are looking for some type of certification, tell them how much it's going to cost.
If they are looking for guarantees, ask them what guarantees they get with these "other" secure products they are considering. If they in fact DO get guarantees, which I doubt, then that's a legitimate point of competition.
Since 2004 the source code for Windows has been available for $20 on blackhat websites. So it's available for scrutiny by a very select few, since possession is criminal.
Also it's worth noting that even for-profit companies like Sun and Apple often open source their code (e.g. apple's Darwin Kernel and openSolaris). And those companies have much better security reputations than Microsoft.
Some drink at the fountain of knowledge. Others just gargle.
Mmm Hmm.
And how many times have you heard about worms on Microsoft, the 'more secure' closed source OS?
And how many times have you heard about viruses getting through on the Linux systems I helped you set up?
Since Linux is the main system used for internet servers, you would think dangerous criminals would hit it first, right?
The reason you haven't heard of it lately is they did. Unix and Linux ironed all this stuff out 20 years ago - the last Unix worm that got famous was the Morris Worm. Huey Lewis and the News were big, there were still hair bands, and Republicans still had a reputation as being fiscally responsible.
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
Show them the costs of 'securing' Windows versus Linux and open source. Once they see the savings, the perceived security of MS is less important. Money talks, BS walks.
Half of writing history is hiding the truth.
Do your taxes on an open source tax prep application, sign your name on the dotted line, and send it to the govt. I'm not talking about 1040EZ. I want you to do a full on 1040 with deductions, interests, AMT, the whole works. That uneasy feeling you have in your gut right now is what CIOs feel when you want to put mission critical open source systems in their network.
They sure have to be concerned over security. I don't know for sure, but google has to be right up there, probably the largest, 500 buhzillion servers running.... Let's check.... What do they run? Aww, gee, would they do that if it was insecure? Is google dumb, or smart? Does IBM push open source? Well, yes they do. Is IBM dumb, or smart, would they push inherently stupid and insecure software? What runs on the bulk of the worlds supercomputers used by top companies and research organizations and universities and nations? I just looked, 439 out of the top 500 run linux. Ask those MS scaremongers if all these advanced eggheads would run linux or open source if it was inherently insecure.
Just start throwing some big names, big computers and big projects out there that deflate the MS bluster. Then tell them you are now on their "do not call" list, to stop spamming you, and to stop wasting your time. Really, this is 2009, any company/PHB that would fall for such retarded scare tactics about open source has no business using anything more modern than an abacus and an ink quill.
Disagree. Security is not a static rating but a process; part of that process is fixing found problems. Guess which is easier to fix: the stuff you've got the source to, or the stuff you have to wait 6 months before the vendor acknowledges as flawed.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security.
5-6 years? Go back and figure out the cost of purchasing the various windows software that you'd need (including all licenses, per-seat, etc.) over that time period. Don't forget the proprietary back up software and enterprise anti virus software. Then taking your hourly rates run the numbers for how often you would need to patch those systems (every week?) and toss in the time it would take you to *test* the roll out of those patches and then add more time for when it breaks everything despite your testing.
ROI goes a long way towards changing a customer's mind (which is why so many of them don't want to spend money on reliable backups :)
This is a general principle of security: something is only truly secure if it remains secure even when you know exactly how it works. Anything else is "security by obscurity".
Closed source software is like a mysterious lock where you have no idea how it works. You can take the company's word that it's secure, but really you just don't know. One day someone may just show up able to waltz right into your house. If the design of the lock is public for everyone to see, you can examine it yourself if you're knowledgeable in such things, or else rest secure knowing that plenty of knowledgeable people have deemed the lock good enough for their homes.
That's my favorite way of explaining open source to non-computer people.
Don't discuss the attack, that's just playing into the hand they gave you.
What I would point out is the monthly patch cycle you buy into with MS.
Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.
The rest of the world releases patches as soon as someone with eyes sees a flaw. This is a clear advantage and negates all the FUD you are seeing.
What do you do when you can't prove your case? You discredit the opposition, of course!
Microsoft make a great opposition; they've got a wonderfully lacklustre history of security. You should be able to make your clients tremble in fear at the thought of replacing their flawlessly running systems.
Invite your customers to think for themselves, instead of relying on the say-so of others. With 6 years of faultless service, that's a big ace up your sleeve. Get them to consider that fact, and ask them if it really sounds like they're running an insecure system. Surely they can draw conclusions from that.
Lastly, you may want to bring up current Microsoft security bugs, how long it can take them to fix, and how often the fix causes other issues. Then dangle the carrot: with open source, you can fix the problem yourself, or hire someone to do it. No complete dependence on another party. You can change things as you want or need. That's a huge advantage to some people.
http://www.sans.org/top20/#z1
The critical flaws that were reported this year in Office products:
* Microsoft Excel Remote Code Execution (MS07-002)
* Microsoft Outlook Remote Code Execution (MS07-003)
* Microsoft Word Remote Code Execution (MS07-014)
* Microsoft Office Remote Code Execution (MS07-015)
* Microsoft Excel Remote Code Execution (MS07-023)
* Microsoft Word Remote Code Execution (MS07-024)
* Microsoft Office Remote Code Execution (MS07-025)
* Microsoft Outlook Express and Windows Mail (MS07-034)
* Microsoft Excel Remote Code Execution (MS07-036)
* Microsoft Excel Remote Code Execution (MS07-044)
* Adobe Reader and Acrobat Remote Code Execution (APSB07-18)
* Adobe Reader and Acrobat Cross Site Scripting (APSA07-01)
C2.2 Operating Systems Affected
Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista, MacOS X are all vulnerable depending on the version of Office software installed.
While all operating systems are affected...
Linux has two mentions on the entire page while other operating systems just go on and on and on.
With Open source, MANY eyes are looking at it finding problems and fixing them.
With closed source, FEW eyes are looking at it, and they are probably only focused on bugs and enhancements that will return new revenue, and may remain unaware of exploits for long periods of time. For example, some zero-day flaws get extensive script libraries written to take advantage of them before they are discovered.
Hackers, the real ones (who are very few) can see the windows assembler and C code via disassemblers and debuggers anyway.
At least some of them probably have access to Windows code. (It's not really that secret- several companies have copies of the code including China which is known to launch cyber attacks against windows computers)
---
However, from Dale Carnegie, remember people decide with their emotions and then fit the facts to that.
You need to argue emotionally "Linux is safe because people really care about it and work hard to make it secure-- it's not just 'a job' that some jaded corporate programmer is phoning in".
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
First: Point him to the many 'patches' that are available in order to get certain licence check features out of certain applications. People _do_ modify closed source software. It's a bit harder, but it's done.
Second: Just point him at average times between the discovery of a bug and a fix being available.
Third: Make him prove that there are no backdoors in closed source software. Backdoors are a lot easier to find in open source software, so the risk of them being found is way bigger. Microsoft has a track record of putting malicious code in their software. One example is Windows 3.x checking if it's MS-DOS or DR-DOS, and refusing to run properly if it's DR-DOS.
Well, only if you assume no malicious attempts or lazyness on the side of the programmer.
DHS - linux
FBI - linux
Navy - linux
Air Force - linux
Wonder why those agencies are using such an "unsecure" platform...?
The argument that "anyone can read the code and hack you with ease" is false. To win the argument, one must explain the relationship between a _cypher_ (implemented in a program) and a _key_ (generated by a program). Secure programs are written such that even their *authors* can not hack them. The reason is because these programs do not directly provide security. Instead, for example, they may help users generate unique digital keys. It is the combination of this digital key and the program itself (i.e. the cypher) that provides security. Reading the source code will _not_ give the reader the key required to breach someone's privacy, especially if the program is good and can produce trillions of different and complex keys, each of which takes a long time to test. Conversely, closed sourced programs are generally scrutinised by far fewer people, and as such they are generally less able to perform with the same speed, efficiency and reliability of their open source alternatives, including the security related programs described above.
Sun, IBM, and several others are MAJOR contributors. Why would they contribute to something that's so insecure? Why would Google spend millions of dollars every year to fund Summer of Code? Why would MySQL be one of the most popular RDBMSs, and Apache THE most popular web server? The list goes on...
What is the #1 website on the planet today? Answer: Google. How many machines does Google have to support its business? Answer: tens of thousands. What operating system does Google use? Answer: Linux. How many times has Google been hacked in its 11 year history? Answer: Anybody, anybody? What is the #1 desktop operating system today? Answer: Microsoft. How many worms, trojans, viruses, etc. are there for Microsoft OSes? Answer: > 100,000 (source: pick your favorite anti-virus company counting scheme.) How many times have businesses been hosed by using Microsoft software? Answer: Too many to count. The latest blunder today? The French navy. Reference: http://www.networkworld.com/news/2009/020909-conficker-worm-sinks-french-navy.html Now for the last and most important question: What does Microsoft think that it knows about security that Google doesn't? Because comparing their security track records, it's not obvious to me that Microsoft knows anything about security. --Johnny says when in doubt just ask Google.
1. Do not belittle or otherwise blow off the customer's fear. In fact, hear it, and agree that it's something to think about.
Them: "I'm worried about this Linux stuff. A guy was telling me that anyone could see the code, and just know how to hack it!"
You: "I can understand how that could be a concern. It is a little like having a map of the valuables in your house taped to your front door."
2. Explain why openness is helpful
Them: "Yeah, so what should we do?"
You: "To be honest, sir, the reason why we like that anyone can see the code is because that means anyone can fix those problems. And lots of people do, for the very same reason you are worried about it. They need something that's secure, and isn't going to surprise them."
3. Mention that serious people have a big stake in making this work.
You: "I should mention that a few companies have bet a lot of money on open source, and wouldn't be happy to see it easily broken. IBM, Novell, and Oracle, to name a few, have very large investments in Linux, and have donated many patches to make sure the code is secure. And for that matter, so has the NSA. They have actually extended the security quite a bit, with their Security Enhanced Linux."
4. Reassure them that people are thinking hard about this.
Them: "Yeah, but if anyone can see it..."
You: "...then you have to be extra careful. See, the strategy that Open Source follows, and everyone should, is to assume that everyone *can* see the code, so you better design it so that the real keys to the kingdom aren't in the code at all. You make sure the keys are completely in the hands of the owners of the system, so it doesn't matter if you can see how the lock works, you still don't have the keys."
5. Point out the obvious.
Them: "But what happens if someone tries to slip something in, and is really good at it?"
You: "Once in a while, someone tries. But when a thousand people might look at the files you are trying to sneak in, someone's going to notice. And then a hundred thousand geeks will make fun of you. In public, all over the internet."
All the technology in the world won't hide your lack of vision, talent, or understanding.
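The cypher/key relationship argued earlier in the thread, and the "you can see how the lock works, you still don't have the keys" point from the dialogue above, worked through in code. This is an added example, not code from any poster: a design whose only secret is hard-coded in the program sits beside a keyed design (HMAC-SHA256 in counter mode, a constructed illustration rather than a recommended cipher); the pad, key and message values are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed values for this example (not taken from any real system).
SECRET_PAD = bytes.fromhex("5a17c3e90d7b2246")  # 8-byte pad baked into the program
MESSAGE = b"Subject: Q3 payroll is attached, do not forward."


# --- Design 1: the only secret is the algorithm ("security by obscurity") ---

def obscure_encrypt(plaintext: bytes) -> bytes:
    """Repeating-pad XOR with a pad that lives in the source. There is no key,
    so anyone who reads the code (or disassembles the binary) decrypts all
    traffic this function ever produced."""
    return bytes(b ^ SECRET_PAD[i % len(SECRET_PAD)] for i, b in enumerate(plaintext))


obscure_decrypt = obscure_encrypt  # XOR is its own inverse


def break_obscure_known_plaintext(ciphertext: bytes, known_prefix: bytes, pad_len: int) -> bytes:
    """Closing the source does not rescue the design: one predictable header
    of at least pad_len bytes leaks the pad, and with it every other message."""
    if len(known_prefix) < pad_len:
        raise ValueError("need at least pad_len bytes of known plaintext")
    pad = bytes(c ^ p for c, p in zip(ciphertext[:pad_len], known_prefix[:pad_len]))
    return bytes(b ^ pad[i % pad_len] for i, b in enumerate(ciphertext))


# --- Design 2: public algorithm, secret key -----------------------------------

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keyed PRF. Constructed illustration
    of a keyed stream cipher; for real systems use AES-GCM or similar."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Everything in this function is public; without `key` the output is noise."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


keyed_decrypt = keyed_encrypt  # same stream, same XOR


def brute_force_key(ciphertext: bytes, nonce: bytes, known_prefix: bytes,
                    key_bits: int) -> tuple[int, bytes | None]:
    """Attacker model: full source, the ciphertext, the nonce and a known
    plaintext prefix. The only move left is to try keys. Returns
    (guesses made, recovered key or None). Feasible only for toy key sizes."""
    key_len = (key_bits + 7) // 8
    n = len(known_prefix)
    for guess in range(2 ** key_bits):
        key = guess.to_bytes(key_len, "big")
        if keyed_decrypt(key, nonce, ciphertext[:n]) == known_prefix:
            return guess + 1, key
    return 2 ** key_bits, None


def expected_brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the key space is tried."""
    return 2 ** (key_bits - 1) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    ct = obscure_encrypt(MESSAGE)
    print("obscure design, attacker read the source :", obscure_decrypt(ct))
    print("obscure design, attacker knows the header:",
          break_obscure_known_plaintext(ct, b"Subject: ", len(SECRET_PAD)))

    nonce = secrets.token_bytes(8)
    toy_key = (2748).to_bytes(2, "big")  # 12-bit key space: brute force is cheap
    toy_ct = keyed_encrypt(toy_key, nonce, MESSAGE)
    guesses, found = brute_force_key(toy_ct, nonce, b"Subject: ", 12)
    print(f"12-bit key recovered after {guesses} guesses: {found == toy_key}")

    real_key = secrets.token_bytes(16)  # 128-bit key: same public code, no feasible search
    real_ct = keyed_encrypt(real_key, nonce, MESSAGE)
    assert keyed_decrypt(real_key, nonce, real_ct) == MESSAGE
    print("128-bit key at 10^12 guesses/s, expected years:",
          f"{expected_brute_force_years(128, 1e12):.2e}")
```

The only lever the attacker has against the keyed design is the size of the key space, which is why the argument in the thread is about key length and review of the public algorithm, not about hiding the code.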
There are secure versions of Linux as there are of Windows, and I know that everybody knows it, but the main source of vulnerability on the server side is not the OS itself but misconfigurations. That said, not to evade the question, I believe that from a general point of view Linux is considered to be more secure than Windows. There are several reasons for that.
- Even though Windows has made huge progress in the security field during the past several years, Windows is still the target OS of choice for hackers and criminals (IMO the main reasons being economics and the difficulty of securing the huge Windows code base). This makes the exposure to possible attacks higher on Windows than on the Linux side.
- Linux has less exposure; IMO the main reason is not a lower vulnerability-per-line-of-code ratio but mainly that there are fewer hacks/exploits available on the criminal market for Linux. There is an increase in attacks on Linux servers using Apache-PHP, but a hardened Linux server is still considered safer compared to Windows. There are many more containment measures possible on Linux than on Windows.
- All major Linux distros now have security modules already integrated (which can be loaded/unloaded for performance needs). These modules are somewhat difficult to use. Some examples are Red Hat + SELinux, SUSE + AppArmor, etc. These distros provide MAC, RBAC, etc. They've been used to achieve high degrees of Common Criteria evaluation: EAL4+ for Red Hat/Oracle (http://www.oracle.com/technology/deploy/security/seceval/security-evaluations.html), EAL4+ for SUSE/IBM (http://www.novell.com/news/press/archive/2005/02/pr05013.html), etc. Naturally, it is not the entire Linux distro that has been certified but a particular distro with defined applications and software. BTW, Windows has also achieved these levels of security. This shows that Linux can get at least as secure as Windows.
Since 2004 the source code for Windows has been available for $20 on blackhat websites. So it's available for scrutiny by a very select few, since possession is criminal.
Also, Microsoft regularly allows universities and governments to look at Windows source code under NDA.
Plus, Bill Gates testified under oath that it would be a security calamity for Windows source code to be released into the wild.
Strangely enough, that hasn't happened with Linux and OpenBSD.
Just because you can see the source code doesn't mean it's hackable. But for very large, complex programs, that's absolutely true. There are only two possibilities with them. 1, any random person can view the source code but the entire enormous application is absolutely 100% perfect and there is literally no way to hack it (yeah right). 2, any random person can view the entire source code, find a bug nobody else found yet, and use it to exploit the program. It's really as simple as that. For smaller programs, it is possible for the source code to be literally perfect, but for something the size of OpenOffice not to have a single security hole at all is ridiculous. And being able to read the source code sure helps a lot more than just guessing at things that might be exploits. Yes, professional programmers and hackers are working on the project, so they find security holes all the time and then patch them, but it still holds true that being able to view the source helps the bad guys a lot!
"...[systems] that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security."
Prove, document, and send your customers exactly that. None of my customers give a rat's ass about philosophy; they care about the bang for the buck.
If you can clearly point out to your customers that:
1. The sales calls they're getting are SALES CALLS. Your customers will realize that the salesman will spin things so that they buy his kit. That spin may not be accurate or apply to them.
2. Uptime of your systems in a given time period.
3. Cost of your systems/services over that time period.
4. Be honest, unplanned downtime in the same time frame for your systems/services.
5. Distill all of that to brief bullets or an executive summary paragraph.
6. Follow on with a request for feedback. You strive to provide the best service to your customers, make sure that they're happy.
7. Double check all of your numbers before sending, assume it will be shown to the sales people from other companies. CYA.
Waffling on about philosophy and visibility of code and yadda yadda is all well and good, but the person cutting the cheques does.not.care. What they do care about is ROI and cost/benefit. They care about your track record of performance.
You don't exactly say what the tech level of your customers are but I'd suggest:
1. First tell them it is a great question. Explain to them that your company is very serious about security and they should always feel comfortable asking any question about your architecture, methods, etc.
2. Explain one of the reasons you use Linux is because of your concerns about their security.
3. Be able to link/show them the percentage of infected Windows computers compared to Linux. This link should be from a highly reputable news source. (e.g. http://www.nytimes.com/2005/08/17/technology/17virus.htmll) This is the only stat they need to see.
4. Avoid any evangelism about open source. Most likely they don't care, they want a solution and a provider they can trust.
5. Finally take this as an opportunity to build a better relationship with your customer. The fact that they called you rather than switching providers means they *want* to trust you. Leave them with the feeling that they can.
I don't buy the line that open source is "better because everyone is checking for bugs", but the bottom line from my perspective is that the openness of a specification does not, in fact, make it easier to intrude upon an implementation of that spec. A completely valid argument -- and possibly a persuasive one as well, if the boss is smart -- involves the comparison of an open and strong encryption algorithm vs. a weak but closed one. This is where wars are won. If security through obscurity can't keep wartime governments in power, it probably doesn't do much.
First, collect a library of Windows-related security breaches in the last year, paying particular attention to ones that made major headlines or that cost companies money and/or reputation. When your customers call, hand them that library as evidence that it's not open-source that has the major, public security problem. Then tell them to ask that Microsoft rep to identify the last major security breach involving the open-source software they run, and to provide the third-party references of the sort that you provided to substantiate the existence of the problem. Be prepared for the MS rep to provide examples of vulnerabilities that were patched before a breach occurred, and note to your clients that you're giving examples of breaches that actually happened after customers took every precaution recommended by the vendor.
If you really want to sandbag the MS rep, collect a library of the few open-source-related breaches that've happened. Give your clients a side-by-side of the two, which should make it glaringly obvious which of the two has the better track record. One thing you can point to here are cases such as Firefox vulnerabilities where the vulnerability existed and could be exploited only when the software was running under Windows and didn't exist when the software was run under other OSes (indicating that the flaws are specific to the proprietary Windows environment). Doing this yourself undercuts the MS rep when he tries to brush it off with "But open-source has problems too.".
Argue Loudly
It's the best answer you can give.
Sun, IBM, and several others are MAJOR contributors. Why would they contribute to something that's so insecure?
They are collaborating with alien life forms that are trying to weaken the technological infrastructure of Earth.
Why would Google spend millions of dollars every year to fund Summer of Code?
They are giving young people a bit of feel-good educational employment just like Jim Jones gave his followers free Kool Aide.
Why would MySQL be one of the most popular RDBMSs?
Because people can't afford Microsoft SQL server.
1) I'd ask them what has the security experience been over the period you have supported them? While headline after headline has been in the paper about Windows exploits, botnets and viruses, what has happened with their installation.
2) I'd inform them that Google runs on Linux. Do they think Google knows what they are doing?
3) I'd tell them to talk to one of the people who is selling the windows services, and ask them to detail the costs of converting to MSFT, and what the security measures required would be. I think they'll blink after they get the price tag.
Sad to say, even if Windows were more secure, most people will balk at the expense if they're already running a solid Linux-based infrastructure.
Closed source applications have to be audited with fuzz testing and other techniques, and this means that bugs can hide from the "white hats" (or the company) for a long time. Look at the bug fixed by MS08-067; it was discovered in the wild as part of a trojan and is now at the center of one of the biggest worm breakouts in history. Open source software can be fully audited by third-parties, including through techniques such as static analysis. I am not anti-closed source per se, but calling it somehow more secure because it "can't be verified" is the opposite of the truth. Tell your customers to talk to a security professional, not a salesman.
I watched a "How It's Made" episode on combination locks. Knowing how a lock is made didn't make it any easier to break into one. If the code is made correctly, the passwords can't just be bypassed. You can't just change the code and load it in for a fun-filled night of hacking any more than you can with a closed source OS. That's how I'd explain it to a customer.
I propose a thought experiment: Have the client envision a box into which you place a kitten. Which method of keeping the kitten "safe" is better? The windows methodology is to tape the box shut while the linux methodology is to leave the box open. Now ask the client to envision placing the kitten/box system in a college dorm representing the hostile world. I predict that in the Windows world the box gets ignored or worse kicked down the stairs whereas in the Linux world the kitten defends itself and or finds a compatible human slave to care for it.
Much is the same in the computer world, a closed box does not make something "secure" it just limits what the kitten or your application can do, while an open box can encourage people to foster your kitten. Security comes from the provision of the necessities of life (warm building, food, water, clean litter, string and blanket) and five pointy ends for the kitten and while for software it is testing and an uncompromised (audited) host.
Just haul up Google, type in "virus" and count the number of instances targeting Microsoft vs. Linux. That should convince anyone. Alternately, do "WIN32 virus" vs. "Linux virus".
It is true - the GP said they used BSD licensed code and the source you cite agrees:
Furthermore, I think the GP was thinking of the BSD licensed zlib. This library had a security issue several years back. Linux / BSD / etc were patched almost immediately (just update a single library), but MS products, including DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, were not patched as quickly.
My pics.
See, that is the issue - the vendor. Whether you have OSS or closed source, you're reliant on a vendor to fix it. Though Apache is OSS, I doubt very much that Joe's Cafeteria, using - say - httpd, is going to know how to fix a bug any more than they'd know how to fix a flaw in IIS.
The strongest security is the one you get from everybody in the company being loyal and well educated about what they should and shouldn't do. Of course, you don't post your passwords on a sign outside, but that is about as much secrecy as it is worth the effort to maintain, I think. Apart from that - if we know that Microsoft's security strategy uses "protocol X" and open source uses the same, what is the real difference? Only that in open source you can potentially inspect the implementation and verify that it doesn't contain inherent weaknesses that allow you to circumvent it. You can't do that with closed source; you have to trust the supplier. The big question then is: can you?
Open source works along the same lines as the open, scientific discourse that has brought us from pre-industrial society to the present day. If we had relied on secret research, we would still have lived in the mud; romantic, perhaps, but no computers. Or compare open societies to closed ones: are countries like Sweden, Germany and Switzerland less secure than, say, Burma? The only ones that feel more secure in Burma are the ones in power, but the country as a whole is less secure, as far as I can see.
I said experiential because I meant experiential--not anecdote. I was not describing a specific incident or event.
http://dictionary.reference.com/browse/experiential
Find out the names of the operating systems and software running on the systems involved in the huge security bungles that have made headlines in recent years.
If open source software tops the list, so be it.
But I think you're going to see the name Microsoft come up quite often.
You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service.
Linux AV = ClamAV
Just because there are fewer holes found doesn't mean that they are smaller. When Windows has a hole, people go "I'll just have to wait for another patch. Again..." while with Linux it's more of "Oh God no!".
Sort of like car crashes (Windows holes) vs. airplane crashes (Linux holes).
You also seem to have forgotten that in closed source software, only the company can fix it. And bad guys are still going to find flaws.
With open source, the good guys find and fix flaws faster.
In both cases, the hackers still find bugs.
Closed source is security through obscurity vs. Kerckhoffs' principle.
With open software you don't have to take the salesman's word that some expert in Elbonia has pronounced it to be of high quality.
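The two comments above (strong open algorithm vs. weak closed one; security through obscurity vs. Kerckhoffs' principle) are easier to sell to management with a concrete demonstration. The following is an added example, not code from any poster in this thread: a "proprietary" cipher that XORs the message with a short repeating key. The attacker is handed nothing but ciphertext and is assumed to know the algorithm and the key length, exactly the situation Kerckhoffs tells you to plan for. The key, the plaintext and the `Elbonia` key name are constructed for the example; English letter frequencies alone recover the key, so hiding the source would have bought the vendor nothing. A sound open algorithm (AES, say) survives the same assumption because its security rests on the key, not on the secrecy of the design.

```python
"""Ciphertext-only recovery of a repeating-key XOR 'secret' cipher.

Added illustration of Kerckhoffs' principle: the attacker knows the
algorithm and the key length, sees only ciphertext, and still wins
because the design leaks plaintext statistics. All sample data below
is constructed for this example.
"""
import string

# Bytes we expect to dominate English plaintext: letters and the space.
_PLAUSIBLE = set(string.ascii_letters.encode() + b" ")

# Constructed sample message and key (the key name is a joke from the thread).
SAMPLE_KEY = b"Elbonia"
SAMPLE_PLAINTEXT = (
    b"Kerckhoffs observed in 1883 that a cryptosystem should remain secure even "
    b"when everything about it except the key falls into enemy hands. A salesman "
    b"who says the algorithm is safe because nobody can read it has simply never "
    b"met an attacker with a hex editor and a little patience. The statistics of "
    b"English text leak through any cipher that merely mixes in a short secret."
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """The 'proprietary' cipher: XOR every byte with the repeating key.
    The same function decrypts, since XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _english_score(candidate: bytes) -> int:
    """Crude plausibility metric: how many bytes are letters or spaces."""
    return sum(1 for b in candidate if b in _PLAUSIBLE)


def recover_key(ciphertext: bytes, key_len: int) -> bytes:
    """Recover the key from ciphertext alone, given the key length.

    Every key_len-th ciphertext byte was XORed with the same key byte, so
    each column is an independent single-byte XOR: try all 256 values and
    keep the one whose decryption looks most like English.
    """
    key = bytearray()
    for col in range(key_len):
        column = ciphertext[col::key_len]
        best = max(
            range(256),
            key=lambda k: _english_score(bytes(b ^ k for b in column)),
        )
        key.append(best)
    return bytes(key)


def break_and_decrypt(ciphertext: bytes, key_len: int) -> bytes:
    """Full attack: recover the key, then decrypt with it."""
    return xor_bytes(ciphertext, recover_key(ciphertext, key_len))


if __name__ == "__main__":
    ct = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("recovered key:", recover_key(ct, len(SAMPLE_KEY)))
    print("recovered text:", break_and_decrypt(ct, len(SAMPLE_KEY))[:60], b"...")
```

The scoring is deliberately primitive; it works because for any wrong key byte either the spaces or most of the letters in a column land outside the letter range, so the true key byte is the unique maximum as soon as a column holds a handful of English words. The lesson for the customer is the one the thread makes: the vendor's secrecy protected nothing, while the openly specified alternative would still be standing after the same analysis.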
Are these clients suckers who fall for every vacuum cleaner and encyclopedia salesperson who comes knocking? Do they believe everything a used car salesperson tells them? These people are supposed to be sophisticated business managers.
So, that they are suddenly questioning OSS after it has worked fine for them for years suggests bias. The typical business person just doesn't believe in OSS business models, and will happily swallow any tripe that shores up this prejudice. To them, OSS is highly uncertain and experimental. What do they do if the software breaks? They persistently think there's no one they can turn to for help when in reality they can turn to anyone they want to because the source is open.
This doubt of OSS is just like Europe's continual doubts that the radical democratic experiment being attempted in the New World could last, could work. Until the late 19th century, Europeans were always seeing events as reasons to predict the imminent demise of the US. To them, the US was a weak, corrupt, thieving, uneducated backwater place constantly stealing technology from Europe. They really thought that the US must surely collapse soon. Winning the Revolutionary War was excused because the US had French help. Then the US beat the snot out of the Barbary pirates so thoroughly that the ships of other nations started flying the US flag in those waters, yet they still didn't believe in the US. Just a fluke. Britain burning the US Capitol in 1812 was of course taken as more proof that the US wasn't a real nation. The way the French Revolution ended, with Napoleon as a ruler as absolute as Louis XVI was, suggested that the US would eventually go the same way. Surviving the Civil War at last began to convince the skeptics. Lincoln's 2nd Inaugural was held up as proof that the US could indeed produce thinkers and writers equal to anyone from Europe. Railroading had advanced more in the US than anywhere else in the world. Among the many reasons the Transcontinental Railroad was built, and the manner of its building, was to demonstrate US technological and business organizational superiority and to show the world that the Civil War had not crippled the US.
And yet there were still skeptics who chorused loudly every time the US economy sank. Said, with some justification, that the US was just too crude and unsophisticated, too freewheeling and dangerously uncontrolled in its handling of finance and economics. As the US grew in might, these voices sounded ever more hollow. Possibly the Great Depression was the last time serious doubts of this sort were entertained.
Ask these business folks if they would have bet against the US in 1880, or against the North in 1861. If they wouldn't, then ask why they are inclined to bet against OSS today.
Instead of trying to dissuade them, just lay out the risks you know about, and then say, "if you choose to ignore my advice and change directions, don't hesitate to call me when you have issues". They'll be back.
Look at all the "respected" finance firms that either no longer exist, are close to death, or turned out to be giant scams. The root of all this was complicated processes that lacked the necessary transparency. When something started to break, no one could determine which parts in the system were still valid, so everything ground to a halt.
The moral of the story is that complicated systems need to be transparent, regardless of their industry. Assume the worst of what you and other vested parties are unable to see. Not being able to see the problem is worse than the problem itself.
There are plenty of peer-reviewed research papers showing Linux is more secure than Windows.
Have a magic show... Have your assistant "Show" two padlocks to the audience and demonstrate how they are both solid...
That's closed-source.
Now pass the padlocks around for everyone to test them... Surprise, one of them opens with a little effort... And you can see the lock has been filed back.
That's open source.
In a closed source model, you don't get to verify the security yourself, so you're trusting the vendor. In this case, the magician, the assistant, or his plant in the audience.
In an open source model, you can make up your own mind based on being able to actually see what's going on. You can test the padlock.
If someone mentions that even with proprietary software you can "inspect" things with an agreement, point out that others who don't have the same agreement might spot things you missed, then give the better padlock to an "outsider" who has a "standard" key for it... This demonstrates that not everyone knows where to look for the vulnerabilities and only when many eyes work together can you be sure that it's really secure.
Real-world analogs work particularly well :)
Basically you're screwed.
Microsoft has given you a task that is outside of currently known computer science.
Microsoft can't give more than just their word either, but by being sneaky they've put the burden of proof on to you.
No software (aside from a few trivial examples in research labs) is currently secure, and you can't even really estimate security in software, because security bugs by their nature are unknown.
...and that is all I have to say about that.
If I were really trying to spin up a counter-FUD campaign, this would be a significant part of my delivery. Yes, anybody can read the source to open source software. But people can also read the source to Windows, thanks to leaks and the Shared Source program. If somebody finds a bug in open source software, they have permission to tell the author, or even submit a patch. If somebody does the exact same thing with Windows, they would never tell Microsoft, because they would need to do a lot of explaining about where they got the source. Sure, some unhelpful people will read the source to open source software, but *only* unhelpful people will read the source to closed source software. (And, of course, the devs themselves.)
You hold a full security audit by an external, credible auditor on your system.
What you need is a Slashdot Car Analogy(TM). Ask your clients whether they would feel more comfortable driving a regular car, or a car where the hood was welded shut so you couldn't open it and check out the engine. Has been said many times before, I know, but at least it should get them thinking.
It doesn't matter what OS you're using if you don't have some process in place to keep yourself up to date with security updates. Both Linux and Windows will have more security bugs exposed in the future. A good thing about Windows is it does auto-update by default; I don't know if the various Linux distributions have a similar sort of system. If they do, good.
Well, you can also have access to Windows source if you have thousands of CALs and too many licenses to count with the enterprise TechNet account, and if you harass your rep, who is in good standing, you can sometimes be shown the source.
(And you need to sign more NDAs than I ever thought existed.)
but the $20 is much more affordable than the millions required to do it the other way.
Your big mistake... and honestly it's a pretty common one among techies... is you are worrying too much about what to tell them and not enough about how. I know people and know computers... and bringing the two together isn't hard. You just have to remember that, unlike machines, people care as much about your tone of voice, your body language, your cadence, your word selection, etc. as they do about the actual point you are making. They care as much or more about these things than they do about the raw data.
It's a shame I didn't see this post sooner because you will probably never read this, but I have been working as a computer tech professionally for over 10 years. In that time I have discovered that I have a talent for sales, and I can make my sales without bending the truth or leaving out important details, because my honesty not only engenders trust but my entire attitude and approach is geared toward helping the customer make the best individual decision for their circumstance... not selling the current item that nets me the best commission or advancing my pet agendas.
Make the client feel comfortable that you aren't just telling them what you are because your company demands it of you or you have some fetish for open source. Care about the client's well-being... you're not trying to sell a product, you are trying to help them make the best decision for themselves that can be made. They know their circumstances and you know the industry, and when they come to you to show them how the industry can help with their circumstances, you make sure they come out on top. The thing is that this might mean telling them to go with a competitor's product. This honestly might mean telling them to go with closed source.
Honestly, you have already admitted to telling clients open source is more secure than closed source without having any facts to back you up (or at least none you are willing to show clients). I personally believe that open source is more secure than closed... but I can back that up if I have to, and I feel confident my reasoning is sound enough to share with a client. You need to be able to, too.
If you aren't willing to listen to a customer and honestly consider their point, with the possible result being telling them that closed source is better in their case... then you need to be one hell of a hustler. Used-car-salesman-in-a-tuxedo type hustler. Otherwise you have already lost, simply because MS got there first and the people they hired to get them there first really are that kind of hustler.
In the end it comes down to convincing the customer that your top allegiance (after yourself) is to them. Telling them that will just make you look fake... so you will have to convince them some other way. That is the secret of being good at sales. Having a really good understanding of your clients' wants and needs and being knowledgeable enough to sound like you could write books on the subject you're discussing are both major pluses as well.
Also... though I'm sure it was said in the avalanche of text that came before me... point out two things to the clients. First off, it is not possible to "prove" that a product is more secure than another. There are factors beyond imagining involved in a product being or not being secure. Thus, when they ask for proof from you or from the MS people, it is not easy to come up with an honest answer that is very convincing without first explaining a number of things.
As for what to say... start with the theory behind why open source is more secure. Theories are not proof, but when you get right down to it there is no proof that the faster you move through space the slower you move through time... but we have theories, and those theories are themselves backed up by evidence. Those theories have been applied time and time again in the real world to create working technologies like microwaves and electron microscopes. And these theories point to the slowing passage of time in any case where the passage of space increases. From there move into
I always compare it to how you could judge/audit a bank's security.
Bank #1
The bank manager gives you a full blueprint laying out each path to the vault and how those paths are secured. Next, they show you the construction of the vault and how thick the steel is. They move on to show you how the locks work and explain why they chose those types of locks.
Bank #2
The bank manager assures you that the vault is definitely in the building and that it is absolutely secure. However, they state that it would undermine their security to provide you any additional details.
Which bank would you feel safer putting your money in?
Agreed. However, with just a little research, whoever's doing the tech for Joe's Cafeteria can find out where to report that bug, and once reported it will probably get fixed a lot faster than a bug in a closed source program.
Readable code is a good thing. Why are they arguing otherwise? :)
http://2stepsback.wordpress.com/2007/10/22/get-out-linux/
Point your client to this article.
Once they've read it they might be willing to ask their MS reps why their company would invest 100 million bucks in a venture where they're actively SUPPORTING migration to OSS products.
I'd LOVE to hear the rep's answer to that.
The Microsoft firewall is so perfect
"First they ignore you, then they ridicule you, then they fight you, then you win." -- Mahatma Gandhi
They're getting scared now.
The OP should be asking how to argue whether ANY software is secure. I believe this qualifies as mis-framing the debate (again).
probably are developers who would rather help than hurt their projects. What a stupid idea that it would be otherwise.
It really trivialises the issue of security to say that open source is secure and closed source is not, or indeed vice versa. You really should not use ideology to evaluate the security of products and platforms.
It made me laugh when a poster here suggested that Apple's stellar security record is down to the open sourcing of Darwin. What orthogonal universe is that poster inhabiting?
Another thought: Debian OpenSSL.
No, it's all a lot more complex, which is of course why software developers find it so hard, as evinced by their results.
Another thing that makes security hard is the pathetic protocols that we all rely on. It doesn't matter whether your code is open or closed source, you really won't have much success trying to secure inherently insecure protocols like DNS, SMTP etc.
The whole idea of closed-source being more secure is like arguing Darwinism vs evolution by a creationist. The creationist will always misrepresent evolution as Darwinism. However, unlike creationism evolution itself evolves based on scientific evidence. Yes, it once started as Darwinism, but evolved into a rather complex theory on the behavior of DNA (not known by Darwin), to also include punctuated equilibrium and random mutation.
The closed source approach relies on security through obscurity. Except that, not even closed-source is that obscure. They generally use closed toolkits and closed operating systems. So once a problem in a toolkit or OS is found, all derived products are vulnerable. What's more if you're not even limited. The vast number of attacks come from buffer-overflow exploits. Anywhere you can input is an opportunity for hacking. The problem is once a problem is found you have to wait for the vendor to release the patch. You have no other course of action. You become subject to their development prioritization and processes.
Now, the problem they do refer to in open source does exist. You can scan through code looking for an exploit. You'll probably find one. But is it exploitable? For that, it has to be connected to user input in some way. But once the problem is discovered ANYONE can issue the patch. You can even patch it yourself! But the reality is these kinds of bugs only get made by inexperienced programmers, and they only persist in low-volume projects. The good news is the intelligent hacker isn't going to be looking at low-volume projects, since he needs to find users of the project to exploit. Just about any software of any importance will have several people looking over it. Hopefully one of them will be able to fix it. I call it my "First Release Vulnerability Theory". Often created by individuals to scratch an itch, the proper QA is not put into it. But by the time it is widely adopted, it should have been scanned by enough eyes that at least the exploitable bugs are fixed.
Finally remember proper security works regardless of development model. This means protected networks, using proper passwords and cryptographic techniques. The hacker should never even get to a login prompt, much less get in past the login prompt (be it network or local console)
Most hacking today is either buffer overflow exploits or password guessing. Interestingly, neither closed nor open source is able to deal with those in a distinctive way. Your best bet is to never use an array in C or C++, always use a bounds-checked container (available in both open and closed source models), and always have a strong password.
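The comment above makes a point worth showing rather than asserting: finding a suspicious call in source is not the same as finding an exploitable one, because the input has to be reachable from an attacker. It also ties back to the earlier comment that open source can be audited with static analysis. The following is an added example, not code from any poster in this thread: a deliberately tiny taint tracker over Python's `ast` module. It walks top-level statements in order, marks variables assigned from attacker-controlled sources (`input()`, `sys.argv`, `os.environ`) as tainted, and reports only those calls to dangerous sinks (`eval`, `os.system`, `subprocess.*`) whose arguments derive from a source. The source and sink lists and the sample program are constructed for the example; a real analyser would handle functions, branches and sanitisers, which this toy deliberately does not.

```python
"""Toy taint analysis: does attacker-controlled input reach a dangerous sink?

Added example for this thread, not from any poster. Handles straight-line
top-level code only; the source/sink tables are illustrative, not complete.
"""
import ast

# Where attacker-controlled data enters (hypothetical, minimal list).
SOURCE_CALLS = {"input", "sys.stdin.readline"}
SOURCE_ATTRS = {"sys.argv", "os.environ"}
# Where it must never arrive unsanitised (hypothetical, minimal list).
SINKS = {"eval", "exec", "os.system", "os.popen",
         "subprocess.call", "subprocess.Popen", "subprocess.check_output"}

# Constructed sample program to analyse. Only line 4 is exploitable:
# its argument is built from input(). Line 5 calls the same sink with
# a constant, which a grep for "os.system" would flag just as loudly.
SAMPLE_CODE = '''\
import os, sys
name = input("file? ")
cmd = "ls " + name
os.system(cmd)
os.system("ls /tmp")
size = len(name)
print(size)
'''


def _dotted(node):
    """Return 'a.b.c' for Name/Attribute chains, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_tainted(expr, tainted):
    """True if the expression reads a source or a variable already tainted."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _dotted(sub.func) in SOURCE_CALLS:
            return True
        if isinstance(sub, ast.Attribute) and _dotted(sub) in SOURCE_ATTRS:
            return True
    return False


def find_tainted_sinks(code: str):
    """Return [(lineno, sink_name)] for sink calls reachable from user input.

    Statements are processed in program order: an assignment whose right-hand
    side is tainted marks its target names, and every call in the statement
    is checked against the sink table with the taint set known so far.
    """
    tainted = set()
    findings = []
    for stmt in ast.parse(code).body:
        if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    tainted.add(target.id)
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call):
                name = _dotted(node.func)
                if name in SINKS and any(_is_tainted(a, tainted) for a in node.args):
                    findings.append((node.lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, sink in find_tainted_sinks(SAMPLE_CODE):
        print(f"line {lineno}: {sink} called with attacker-controlled data")
```

Run against the sample, it reports line 4 and stays silent on line 5, which is exactly the distinction the comment draws between "I found a call that could be dangerous" and "I found something exploitable". The same reachability question is what makes a public source tree useful to defenders: they can ask it of the whole program, not just of the binary's externally visible behaviour.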
"I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years."
Simply point out that they've been "test driving" open-source for 5-6 years.
Then go ahead and tell them that you'll switch over to Microsoft products, if they REALLY want you to. I'll bet my /. password they will decline after you point out the track record of what they have been using.
I know that EAL might not say that much, but it is a nice and clear concept. The safest operating systems are those that are in fighter jets and the like, with an EAL of 6+; there are a bunch of normal OSes evaluated at EAL4+, most of them open source, but also Windows 2000 and, I believe, Windows XP. Windows Vista thus far is evaluated at EAL1. So, right now just point your customers to these articles: http://en.wikipedia.org/wiki/Evaluation_Assurance_Level http://gabriel.lozano-moran.name/blog/PermaLink,guid,4dc0e36a-d623-4a89-9ae6-da6edd0d55bb.aspx
This is superficially a very good approach from MS. Linux has 3 main issues on the security front:
- Made by hackers: the half-crazed asocial devs that make Linux are the same demographic that hackers come from. Who says they're not doing both in one shot?
- Nobody is responsible: who's gonna care when a vuln is discovered (especially since fixing vulns is no fun, and Linux is developed for fun) or, worse, when I get a virus? Why would the devs prioritize vuln fixing?
- Everybody can see the flaws so vulns are so much easier and quicker to exploit.
The answers to that need to be both intuitive (we're talking to management types here), aggressive (let's not forget, Linux does have the security advantage), and thorough (we want to quash that canard for good, and not leave MS wiggle room). I would go with:
- It's smart of MS to raise that very important point. Security is very important and has been a problem recently.
- But it's mainly an MS-caused problem: how many Windows viruses have you heard of? How many Linux ones? (Back that one up with stats.)
- Do you trust MS when say their product is safer ? Do you have or can you get proof it is (no: closed source)? Do they have a good track record ?
Actually, Linux has a security advantage:
- The gov/military use it. It has the highest security certification. (nobody cares that it's in a fairly unusable config)
- big corporations support it and choose it for their own products: IBM, Oracle, Cisco
- if viruses are an issue, it's very important to have a diversified computing biosphere. Let's at least do 50/50, so that when the windows machines get infected again, at least the Linux PCs will still be working.
I would avoid getting too technical (admin rights, privilege escalation...)
Ah, but how do we know it is not true? Since it is closed source we can never be completely certain and just have to take someone's word for it....which is really the whole point of the argument for OS.
Because 1) Microsoft documents the heredity of their code well. They're not stupid. And B) the source code is widely available, both through legitimate channels like Microsoft's shared source programs and channels that are a bit shadier like BitTorrent. Don't you think someone would have pointed out anything embarrassing to Microsoft like this by now?
If Microsoft is so good at documentation why haven't they documented those 238 MS patents Linux and OpenOffice violate for the world to see? Why did it take MS years to provide to the European Commission all those documents the EC asked for?
Others here have done a good job on the 'security' bit. Now, in these tough economic times, let's not forget the cold, hard cash.
If your existing customers are happy with their current installations, in terms of functionality, ease of use, maintenance and - of course - security, then why should they change?
That's why the m$ salespeople are pitching the 'security' line - you'd have to be really scared in order to pony up the huge cost of switching in today's tough times.
I'd (briefly) address the security question, then give the customer a rough cost of moving from FOSS to m$. Don't forget the cost of upgrading any hardware (for Vista), if required, and of course the anti-virus software, too ;-)
I keep reading reports on these sites (and have had a few consulting companies call me up) to point out how because microsoft isn't open source it's both insecure AND "immoral" (whatever THAT means in software!). They also point out that "TCO" is a scam invented by capitalist know-nothings, and that things MUST be free. They also keep pointing out how *I* can write patches to fix ANYTHING in Linux, no matter how complex! Isn't that what a vendor is for?
How can I stop this barrage of fud?
Refer to reports on vulnerabilities and how fast they are fixed (sometimes statistics is the only language they understand).
For example:
http://secunia.com/ shows that Ubuntu 8.10 (latest stable version) has 0% unpatched advisories (0 of 41 Secunia advisories: http://secunia.com/advisories/product/20299/) while at the same time Vista has 10% unpatched (5 of 51 Secunia advisories: http://secunia.com/advisories/product/13223/).
That's also disinformation - Microsoft itself is ENDORSING AND FUNDING Open Source!
Just put the phrase "Microsoft funding apache" in any web search engine. It was on Slashdot a few weeks ago anyway. And show that to your customers. MS's MCPs are saying that Apache is insecure? Well, Microsoft is funding it and saying that it's good, so it looks like those MCPs know crap even about things Microsoft has an official say in, and they shouldn't be trusted in those matters, or probably in any matters.
This is Slashdot. Common sense is futile. You will be modded down.
I like how you instantly assume that OP is located in the USA. And how easily I can discern this by you using the term "our nation". Something you might want to think about.
Exactly why is F/OSS better? It's subject to peer review. Some of the best programmers in the world have access to, and readily submit, code for F/OSS projects (not to say that EVERY F/OSS project is superior, mind you). Look at why hackers use it. Aside from their ability to heavily modify their system, they're also extremely paranoid. I know plenty of hackers that contribute code and readily fix problems in F/OSS code because of their own paranoia. Look at why the DoD and NSA use it. It's laid out like an OS should be. ACLs, chrooting, SELinux, all of these help make it much easier to protect their own systems. Want a really good blast at Microsoft? OpenBSD: it's been around since 1994, there have only ever been 2 exploits off of the default config, and one of them was for a legacy version. Heck, OpenBSD + pf is what the Defcon guys use. And quite damn honestly, code that's open source has met the firing squad. Hackers CAN see the code and compile it themselves, making it EASIER to find exploits, yet Linux is regarded as far more secure, which just makes me think about how secure Linux REALLY is in comparison to NT. If you could place the NT source code in the hands of someone competent I'm sure it would be hell for M$ (just when you thought it couldn't get any worse than MS08-067).
Agreed. However, with just a little research, whoever's doing the tech for Joe's Cafeteria can find out where to report that bug and, once reported it will probably get fixed a lot faster than a bug in a closed source program.
That varies. Some vendors are really good, better than the majority of OSS projects. But yes, others are crap-shovelers; in some cases, where I've had access to the code under NDA, the code has been bad enough that I've just been left speechless.
I think the real determinant on quality is actually the skill of the people who have time to work on maintenance and development; the whole closed/open debate is pretty much orthogonal to that, except in how open code means that it is more likely (though not guaranteed) for someone good to look at it.
You ask them why they should trust a company that makes an email server that surrenders and hands over the entire server to someone who sends a very special mail. They have big architectural problems. That's what they find in the latest patch batch from Microsoft.
You have the classic difficulty of a computer expert trying to persuade decision-makers who are profoundly ignorant of how computers work (and, all too often, proud of it).
The Microsoft argument is entirely fallacious: in fact, the public availability of the source code is a strength, not a weakness. But how do you explain that quickly and clearly, to an audience that doesn't understand what you are talking about - when neither you nor they can admit that they don't understand? (Which would be the first step towards an honest and productive dialogue).
The good news is that more and more people (including, inevitably, some decision-makers) do understand something about how software works. We have companies like Amazon that couldn't earn a single red cent without their computers working as intended, and whose CEOs are quite clear about that - and consequently take the trouble to inform themselves about software.
Microsoft could be described as the company that made its fortune by exploiting the fact that most of its customers don't know anything about computers and don't want to. Fortunately, that has now become just one more reason why it is on the skids. In the long term, people will become educated about software if only because it is so important.
I am sure that there are many other solipsists out there.
Organize to have you and these vendors each bring along a system and a hacker. Their hacker tries to compromise your Free Software system, your hacker tries to compromise their windows system. That should settle it rather efficiently. Just to put a little doubt into anything the "I"SVs may say make sure your client reads this first http://www.linux.com/feature/131059
You must stress that being able to _read_ the code is not the same as being able to _write to the released codebase_. This is an assumption I have encountered again and again and again.
The evil thing is, people don't ask about this, they assume it's fact and that's that.
"We" need to make sure this myth dies.
Sometimes the best way to make people see what's going on is to shock them. Ask these two questions:
If they answer "yes" to either of these questions, then simply state that they are too susceptible to fear mongering and distortions of reality to be convinced otherwise. When they move everything to proprietary software and find the reliability of such solutions to be lower than what they've experienced the past 5-6 years, that will be their wake-up call. They clearly need the experience of being deceived by these Microsoft shills to understand what the rest of us see as clear lies.
If they answer "no" to the above two questions, then all you should have to do is explain that the fear mongering from Microsoft-based businesses is the exact same technique that was used by the Bush Administration and the Republican presidential campaign to create Fear, Uncertainty, and Doubt in the minds of The People to support their proprietary goals. Transparency in software, as in government, is what is needed. Open Source is all about transparency.
Yeah, and MS Windows never gets hacked or infected with viruses... IIRC, didn't MS recently advise people to start using something other than IE because someone had spotted a gaping hole in it? Probably not a good line to take with potential clients though, it's a bit mealy-mouthed and sinks to MS's level.
"these people lie to you. They blatantly, professionally lie to you. Take a bit of time to ask for facts and check them, you'll see they are liars. This is a good enough reason not to buy anything from them."
"There is no antivirus for Linux, because there are no efficient viruses for it."
"Security updates stay free, and of the same (if not better) quality as Microsoft's."
"You don't see open source salesmen, yet it spreads. Must be for some reason?"
I would advise them to look at Microsoft's annual reports and see how Windows and Office are producing immense profits for the company. And even after subsidizing other unprofitable businesses the company is making unhealthy (competition-wise) amounts of profit. Are your clients willing to pay this much extra for the company's own claims of security?
Open source is only as secure as the users who use it and the developers. Obviously having more developers/testers involved can make it easier to find vulnerabilities... But for smaller projects it's difficult to tighten security if there are a small number of developers or people to report the insecurities. The same goes for closed source though; the only difference is that the vulnerabilities of open source are usually easier to find because the source is available.
Closed source applications and OSes are NOT peer reviewed; you have only the developers' word! What guarantees does the user have that proprietary software does as it is marketed to do? No one knows how secure or insecure these applications may be. Security goes way beyond just being able to directly hack through a software vulnerability. What about the hundreds of thousands of malware, Trojans and viruses that attack closed source programs, steal your passwords, mail out your documents to arbitrary addresses, delete your data? And it is said proprietary software is SECURE - please get real.
From http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/
Myth: Open Source is Inherently Dangerous
The impressive uptime record for Apache also casts doubt on another popular myth: That open source code (where the blueprints for the applications are made public) is more dangerous than proprietary source code (where the blueprints are secret) because hackers can use the source code to find and exploit flaws.
The evidence begs to differ. The number of effective Windows-specific viruses, Trojans, spyware, worms and malicious programs is enormous, and the number of machines repeatedly infected by any combination of the above is so large it is difficult to quantify in realistic terms. Malicious software is so rampant that the average time it takes for an unpatched Windows XP to be compromised after connecting it directly to the Internet is 16 minutes -- less time than it takes to download and install the patches that would help protect that PC. [3]
As another example, the Apache web server is open source. Microsoft IIS is proprietary. In this case, the evidence refutes both the "most popular" myth and the "open source danger" myth. The Apache web server is by far the most popular web server. If these two myths were both true, one would expect Apache and the operating systems on which it runs to suffer far more intrusions and problems than Microsoft Windows and IIS. Yet precisely the opposite is true. Apache has a near monopoly on the best uptime statistics. Neither Microsoft Windows nor Microsoft IIS appear anywhere in the top 50 servers with the best uptime. Obviously, the fact that malicious hackers have access to the source code for Apache does not give them an advantage for creating more successful attacks against Apache than IIS.
That's not a good analogy to use. Knowing how an average cheap Master lock is made makes it *very* easy to hack, because the design is defective. I can pick the key locks in seconds, and the dial locks are similarly easy with a simple tool. Good locks confound me, but people with more skills can do it. And therein lies the rub: A well secured OS isn't a better designed lock. It's simply impervious regardless of the skill of the attacker.
The blueprints of a competently made vault door would be a better analogy, but it brings up too many memories of movie bad guys tunneling in... Which honestly is still an accurate analogy: If you can't break the security system by design, you circumvent it. But it doesn't make for a great argument.
This is exactly the point and the message you should feed back to them. With open source, they don't have to take your word for it. There is also the word of an entire community that is constantly examining the code and will blow the whistle as soon as they spot a problem. Or they can take the word of Microsoft, that their product really really is secure, honest, but no, it can't be examined to make sure.
Yep, picking up the FUD campaign again. Maybe due to this?: M$ New PR Guy.
Just look at the open encryption standards.
Would anyone argue that closed source encryption is more secure than open source?
I'm pretty sure the same people would make exactly that same claim. I've heard it before.
I've yet to see ignorance about a subject stopping commercial or pointy hair types making definitive claims about pretty much anything.
Exactly. If you can't prove it's secure, then you must assume it's insecure. Penetration testing is a start. Code auditing and automated analysis, unit testing, honeynets, design by contract (including specification of what exceptions methods throw), and even mathematical proofs of code reliability would be better.
Of course, until most open source code has enough documentation to specify its intended purpose, so that you can actually test that it meets those specifications, most of this is a moot point.
OK, you can say that the author's background may bias him somewhat, but then Microsoft's claims are open to the same criticism.
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/
The best line though is that old favourite "well they would say that, wouldn't they", particularly if you then explain the dependence Microsoft has on business and Office in particular.
On the other hand, you can also find out who the Microsoft vendors are that are making the claims and report them for false advertising or fraud. At best, the current situation, i.e. which system is most secure, is debatable and at worst a matter of opinion, and it will remain this way until a truly independent analyst manages to definitively show otherwise.
It is difficult to formulate an answer that people can understand. They can barely understand what source code provides in the way of security risks so they tend to believe that it is a risk when informed.
So I might answer with names of big, reliable and well-known names of entities making heavy use of Linux. "If that were true, the NSA wouldn't use Linux in their sensitive operations, and Google wouldn't either. IBM has also staked their solid reputation on Linux. I just can't imagine why they would risk so much if it were unable to be locked down. You are confused with the difference between knowing how a lock works and a lock being easy to open without a proper key."
While that may be true, with oss you have the choice...
You can wait for the original vendor to fix it for you.
You can wait for an arbitrary third party to provide a fix.
You can fix it yourself.
You can pay an arbitrary third party to fix it for you.
Closed source only gives you the first option, open source gives you all 4. Just because you aren't capable of fixing it yourself, doesn't mean someone else won't do so and provide the fix.
With closed source, if the original vendor doesn't provide a fix you're screwed... With open source you always have a backup plan. You'd have thought having a backup plan and a second source would be standard practice in business or government procurements.
06:35:53 up 299 days, 10:52, 6 users, load average: 0.00, 0.00, 0.00
Yeah, because I get hacked all the time on my open-source operating system.
Is Windows even *capable* of being up for ~300 days?
I wonder what MS is telling people about the multitudes of embedded devices out there that run Linux? Is MS telling people that their Cisco Home-tier stuff is vulnerable? Hmm?
I've had to deal with this FUD before with my clients. All it usually takes is an explanation that open source code is constantly being peer-reviewed and patches usually come within a day of discovering an error, whereas Microsoft takes weeks to months to patch the majority of their serious security flaws, and there is no external review process, so you never know if the patch is good.
I even ran a demonstration for a client once. I plugged a Windows box directly to the Internet (with Windows Firewall ON) and went for lunch with the client. The windows box had not only crashed during that time, but was completely un-bootable when we returned. I then plugged in the Linux router, and it has been on ever since... about 299 days, 10 hours, and 52 minutes.
Ask them what they think about this situation:
If you had two locks to choose from. One that is highly mainstream, which is sold at every hardware store and megamart across the country to which picking tools come with every toolbox and the maker of the lock only addresses flaws every couple of months
or
A lock that you had to get from a specialized "lock"-shop, which gives it to you for free if you promise to pay them to look after the lock every few weeks, whose tools are far more complicated to handle and whose training is largely focused on specialists.
Which one would you choose if you knew that millions of the standard locks are picked every day. That is as easy as I can break it down.
or do you prefer snake oil remedies for infections?
second: in Europe (except the UK) you can sue the callers in court for disturbance of business - and maybe even for fraud. If vendors place such calls and make such claims about unsafe FOSS, they have to deliver proof or they have to recall their statements publicly in the media!
As I see it you're holding two double-edged swords. In the one hand you have code that can be reviewed by everyone. If someone finds a security vulnerability and chooses not to report it, that's one edge. The other edge is that you have more eyes reviewing the code, so in theory security vulnerabilities are more likely to be found and fixed. In the other hand you have code that a select group of people review. If a security vulnerability is found by the vendor or a third party it may or may not get reported and fixed. The "advantage" being that since not everyone can review the code, theoretically fewer security vulnerabilities will be found; that does not mean they don't exist.
In either case, if you are wearing body armour, i.e. defense in depth, then if you lose your balance you'll not be as badly hurt.
"This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.'"
Wow. PGP can be hacked with ease? I'd like to see an example of that one.
Read a part of the MS EULA to your customers, without telling them which OS it applies to. At the point when MS disclaim every liability and all warranties, ask them if they would buy a car or kitchen appliance if it had a similar warranty? Only when they gasp with horror, reveal it's the MS EULA.
Ask your customers how many people have independently audited Microsoft's code and published the full results?
Ask them whether MS's code hasn't leaked out, so that its insecurities can't have been explored by untrusted parties (answer: no).
Ask them how long critical security vulnerabilities have typically lasted in Windows, especially IE, before being patched. http://secunia.com/advisories/product/11/
Ask your customers if they know how many people across how many companies have worked on the linux kernel and have verified code quality independently. http://www.linuxdevices.com/news/NS6925891609.html
Ask them if they know how long the average security flaw in Firefox has lasted before being fixed?
With the risk of being modded into obscurity and burning all my karma:
Simply don't venture into the trap that OS is inherently more secure than closed source. It is unfortunately easily refuted. PHP, WordPress, Typo3, Drupal are all open source projects with very challenged security track records.
Security and open source - despite popular belief - seem to be orthogonal concepts. It seems to have more to do with the QA/QC processes in place than with the actual development model.
IBM just released a report which shows that Vista and Windows Server are actually hit by fewer vulnerabilities than "Linux kernel", although suffering from more malware. http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
It actually shows that through 2008 the Linux kernel experienced 2x the vulnerabilities of Vista/Server 2008, and Apple OS X was hit by 3x the vulnerabilities.
The IBM X-Force team went through the disclosed CVEs and attributed them to the operating systems. This way they didn't multi-count Linux because of multiple distributions, and also they didn't count vulnerabilities from the bundled apps from the distributions.
You may claim (as many surely will) that MS somehow "hides" vulnerabilities. However, that doesn't seem to be the case when you look at the information (the "bulletins") which is supplied with each patch.
Simply put, security seems to be an orthogonal issue. Open source does not seem to automatically or inherently guarantee fewer vulnerabilities or better in-depth protections. It doesn't seem to make it worse, though.
Claiming so will only make you vulnerable to counter-examples (of which there are many) and will allow the MS lackeys to paint you as an ideology-driven zealot.
Chunk it down. Point to the security track record of the products you recommend. Leave out the claim that they are more secure because they are OS, just claim that the products are produced by vendors that are accountable, dependable and transparent with proven security records.
Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source.
I am a Microsoft Certified Professional and I work for a Microsoft Gold Certified Partner company. I'm not aware of any push nor have I seen material from Microsoft to encourage / support us making this push. Citation needed.
If somebody asked me if OSS was secure, I'd just give them this link. Why didn't Smidge207 think of that?
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/WEwXU8vwEqE/article.pl
Tell your customers and clients that any security system based on secret information is doomed to fail as soon as the secrets are distributed. If it's really secure it won't matter that the bad guy knows how it works. If words aren't enough, make a test case out of the guitar string company "Ernie Ball" that featured recently in /. Mr Ball points out a whole list of M$ propaganda and myths.
Gotta love these M$ guys. "That free shit over there that can be scrutinised is not as safe as our expensive shit here that relies on secrets and lawyers. By the way, do you have the newest version of our piece of expensive shit? If you don't have the latest version of our shit then TerrorPaedophileCommunists will e-rape your wife and kids (terms and conditions apply)."
The NSA uses Linux. http://www.nsa.gov/research/selinux/
I think we're straying a bit OT. The original question to which I was responding was whether or not OSS is more or less secure than non-OSS software. I'll grant that fixing bugs in OSS software - due to the numerous eyes looking at it - may be quicker.
Keep in mind, I'm writing this on an openSUSE laptop, running a combination of both OSS and non-OSS software (vpnclient, Outlook), connecting occasionally to my corporate network and using KRDC to connect to a non-OSS Vista workstation.
Countermeasure: Education.
'anyone can read the code and hack you with ease.'
Use the opportunity to explain to them that if reading the code reveals possible hacks, then indeed the code sucks. Cryptography teaches us that knowing the algorithm doesn't give you an "in", unless the algorithm is flawed. Example: Knowing that the file was AES encrypted doesn't allow me to decrypt it (without the key), even though the AES algorithm is public knowledge.
You could also ask two provocative questions:
One: Why then are public standards public, if knowing how things work would make it easy to exploit them?
Two: If knowing the code makes it easy to hack you if there are bugs in the code - then what does Microsoft have to hide, by hiding the code? All the bugs that make hacking it so easy, perhaps?
Third alternative, you could point out that the source code to windows is widely available (lots of companies and university have source code licenses), and has in fact been leaked into the general public several times.
My preferred alternative would be "if you believe that shit, you're a lot dumber than I thought", but you probably can't say that to customers.
The Windows kernel source code is also available for audit and research purposes. Your organization just needs to sign up through Microsoft's Shared Source Initiative http://www.microsoft.com/resources/sharedsource/default.mspx. Many governments already have access to the source code for various Windows versions http://www.microsoft.com/presspass/press/2005/feb05/02-10NISTPR.mspx. Academic access to the source code was also used to port Windows so it would function under early versions of Xen (w/o hardware virtualization support) http://www.cl.cam.ac.uk/netos/papers/2003-xensosp.pdf & http://en.wikipedia.org/wiki/Xen. Access is probably not "free" in the sense that anyone can download it. But source is available.
I just did a GSEC bootcamp where the instructor used the argument that China has access to the Windows source code to stir people's security concerns up. No-one seemed bothered by China's access to Linux, BSD, or other FOSS kernels. It was kind of comical.
Like most security issues it can be framed as a question of trust. You trust a bunch of people you probably don't know personally to audit the Linux kernel, trust your government to audit the Windows kernel, or trust Microsoft to do the right thing. Seems like you need to trust strangers.
Or I guess you could go paranoid and build your own secure operating system...do you trust your compiler and hardware maker? Maybe I better start my own chip fab and compiler project?
Closed source: Hey, I wanna buy your car. Here's a gift card. Yeah, it still contains $20k! Trust me!
Open source: Hey, I wanna buy your car. Here's $20k in cold, hard cash. Yeah, sure, use your pen and UV light on it if you like.
Subject says it all. Several fighter planes of the French air force had to be grounded because their Windows-based computers got infected by a virus.
Malware creators don't need source code to find vulnerabilities. However, knowing that your source code can be seen by the world gives a really strong incentive to write code that not only is good, but that is obviously good. Take as an example the recent Zune disaster where all Zunes had problems with the 29th of February. That bug was caused by code that was just written in a stupid way. Any experienced programmer would have known just by looking at the code from a distance that this bit of code was "asking for trouble". It looked like code that was written by someone with no understanding of the problem and modified again and again until it mostly worked. Which wasn't good enough. Open source applications avoid that kind of code, because you don't want the whole world to see that you don't know your stuff.
Considering they are coming from an uninformed "I will believe the big company when it speaks" paradigm, you could come back with "Well, you may want to consider that Cisco Intrusion Detection Systems have been based on Linux for years and they have even started using Linux as the OS for their firewalls and new switches, as well as the open source antivirus ClamAV as part of the desktop security solution 'Cisco Security Agent'".... While the statements themselves say nothing regarding the security of these products, it certainly is attacking the mindset of the purchasing goons for your company with something they will relate to. Disclaimer: Yes, I do work for Cisco.
AES, RSA, and all the rest are published standards. Now, some companies claim that they can't reveal what kind of encryption they use or it would severely degrade their product. I'm not naming names because I have none, this is just a vague recollection. Just go with the high level idea.
I once encountered a product that protected some internal information with the RSA algorithm. The key was the product of two large prime numbers. The large prime numbers were the tenth prime number above 2^63, and the tenth prime number below 2^60. Looks like they took their large primes from Knuth's "Art of Computer Programming". I factored the product using pen and paper :-)
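The AES post above and this RSA anecdote make the same point from opposite sides: the algorithm can be public, but the key material must be unpredictable. As an added example (my own code, not the poster's and not any real product), the Python below rebuilds a modulus by the rule the post describes, the tenth prime above 2^63 times the tenth prime below 2^60, and shows the key-review check a defender would run against any modulus: trial-divide it by the small set of "textbook" primes sitting right next to powers of two. The range of exponents scanned, the exponent choice and the sample message are my own assumptions; only the standard library is used.

```python
"""Added example: a public algorithm (RSA) with a predictable key is no key at all."""

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; with these fixed bases it is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def nth_prime_from_power_of_two(exp: int, n: int, above: bool) -> int:
    """The n-th prime above (or below) 2**exp: the 'rule' the post describes."""
    step = 1 if above else -1
    candidate = 2 ** exp + step
    found = 0
    while True:
        if is_probable_prime(candidate):
            found += 1
            if found == n:
                return candidate
        candidate += step


def predictable_primes(exps=range(32, 65), count: int = 10) -> set:
    """Candidate set for a key review: the first `count` primes on each side of
    every 2**exp in `exps` (assumed range, chosen to cover the post's 2**60 and 2**63)."""
    found = set()
    for e in exps:
        for k in range(1, count + 1):
            found.add(nth_prime_from_power_of_two(e, k, True))
            found.add(nth_prime_from_power_of_two(e, k, False))
    return found


def factor_with_predictable_primes(n: int, candidates=None):
    """Key-review check: return (p, q) with p*q == n if n has a factor in the
    predictable set, else None (meaning: this particular weakness was not found)."""
    if candidates is None:
        candidates = predictable_primes()
    for p in sorted(candidates):
        if n % p == 0:
            return (p, n // p)
    return None


def build_weak_modulus():
    """The post's key-generation rule: tenth prime above 2**63 times tenth prime below 2**60."""
    p = nth_prime_from_power_of_two(63, 10, True)
    q = nth_prime_from_power_of_two(60, 10, False)
    return p, q, p * q


def choose_public_exponent(phi: int) -> int:
    """Pick a standard public exponent coprime to phi (assumed preference order)."""
    for e in (65537, 257, 17, 3):
        if pow(e, -1, phi) is not None and _gcd(e, phi) == 1:
            return e
    raise ValueError("no usable public exponent")


def _gcd(a: int, b: int) -> int:
    while b:
        a, b = b, a % b
    return a


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """Textbook RSA: d = e^-1 mod (p-1)(q-1). Anyone who factors n can do this."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    p, q, n = build_weak_modulus()
    print(f"modulus n = {n} ({n.bit_length()} bits)")
    print("review finds factors:", factor_with_predictable_primes(n))
    e = choose_public_exponent((p - 1) * (q - 1))
    m = 123456789  # constructed sample message, m < n
    c = pow(m, e, n)  # RSA is public: encrypting needs only (n, e)
    d = rsa_private_exponent(p, q, e)
    print("decrypts correctly:", pow(c, d, n) == m)
```

The review function reports the weakness as a pair of factors; a modulus that survives it has only been shown not to use this particular shortcut, which is the same lesson as the AES point: the check is about the key, not the algorithm.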
One thing sales people often forget is that using fear does not help make sales. It slows the sales process. I suppose this tactic is good for delaying the inevitable or poisoning the well so if you lose so does the competition. Here's how it works:
Cust: We're thinking about going with MySQL for that database instead of SQL Server.
Sales: MySQL is open source and people can get the source code and easily hack it.
Cust: Hmm. I've never heard that. The other vendor said that I shouldn't trust MS SQL because it has a history of being hacked and no one outside MS has audited the code.
Sales: Sounds interesting. Here's our contract. Do you need to borrow my pen?
Cust: Not yet. I'm going to research this further.
Sales: (head explodes)
-- $G
Anyone can see the machine code on your closed-source software and hack you with ease.
Security through obscurity is worthless. These are blatant, obvious lies.
Life would be easier if I had the source code.
And with all this expenditure (see http://yro.slashdot.org/article.pl?sid=09/02/10/2012201), they now (within the economic crisis) are trying to make more money back by making all sorts of people swallow some unproven facts...
The problem comes from when M$ feels the crunch and has to resort to even more evil tactics than usual. Open source is actually safer, because the code is open for all to see; who in their right mind (expert opinion here), after finding a flaw, would not wake the community up to it and help by fixing it, because if he doesn't someone else will, and get the credit for it... so I don't agree with M$ on this one... they are just strapped for cash... maybe they should stop spending so much on crappy ideas, and more on reorganization of the company infrastructure.
http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/ This site addresses your concerns about Windows vs Linux.
Windows on a mac is Windows under Supervision. - Frank Soltis(Chief Scientist/Designer of AS400)
How To Argue That Closed Source Software Is Insecure?
You are secured in your castle because you have a tall wall around it. Now you can have two types of walls, one with shrubs and plants on both sides, so you cannot really see the wall, and the other one without them, you see the wall cleanly. If there is a hole in the wall, you cannot easily see it in the hidden wall, but it's also more difficult for the attackers. If there is a hole in the clean wall, the attackers can easily see it, but so can you. Which wall would you prefer?
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
Who are you going to believe? The monopolist who sells the most insecure operating system on the planet, or the US Department of Defense, which has some of the highest security requirements anywhere?
DOD launches site to develop open-source software
By Doug Beizer, Jan 30, 2009
Defense Department officials have launched a new Web site where developers can work on open-source software projects specifically for DOD, David Mihelcic, the chief technology officer for the Defense Information Systems Agency (DISA), said today.
The new site, named Forge.mil, is based on the public site SourceForge.net which hosts thousands of open-source projects, Mihelcic said at an AFCEA Washington chapter lunch in Arlington, Va.
"It really is SourceForge.net upgraded to meet DOD security requirements," Mihelcic said.
Obviously, MS MAKES you reboot, Linux doesn't. That does NOT translate to 'it is ok not to reboot your linux server after patching'.
Consider: you install a patch due to a security hole in a library which you have loaded into Apache as a shared object. Until you AT LEAST restart the application the vulnerability is STILL there and still active.
Now, when this vulnerability is in some widely used shared library (oh, say like libstdc) then you pretty much might as well reboot, even if TECHNICALLY you might be able to clear it from memory without doing so.
All things considered it is just plain safer to restart your server after applying patches. Same goes for workstations, though it is obviously not really a big deal there.
If you apply patches, reboot. All MS did was make it official, which basically forces admins to do what they absolutely need to do anyway. It is a non issue.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
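The point made above, that a patched library stays vulnerable in every process that already mapped the old copy, is something you can check rather than take on faith. On Linux the kernel marks such mappings "(deleted)" in /proc/<pid>/maps once the file on disk has been replaced, which is the heuristic tools such as Debian's checkrestart and needrestart use. The following is an added example for this thread, not the commenter's code or any distribution's tool; `stale_libraries` and `scan_processes` are illustrative names and the sample maps text is constructed.

```python
"""Added example: find processes still running a replaced shared library.

Installing a patched library package only updates the file on disk; every
process that already mapped the old copy keeps executing it until restarted.
The kernel shows such mappings as "(deleted)" in /proc/<pid>/maps, so the
check below parses that format.  Sample maps text is constructed; helper
names are illustrative, not from any real tool.
"""
import os
import re

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, path.
_MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)
# Mappings that are routinely "(deleted)" without meaning a stale library.
_IGNORE_PREFIXES = ("/memfd:", "/dev/", "/run/", "/tmp/", "/SYSV")
_DELETED = " (deleted)"


def stale_libraries(maps_text: str) -> set:
    """Return paths of executable file mappings whose backing file was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path.endswith(_DELETED):
            continue
        path = path[: -len(_DELETED)]
        # Anonymous and shared-memory mappings are not code being executed.
        if not path.startswith("/") or path.startswith(_IGNORE_PREFIXES):
            continue
        # Only executable mappings matter: the old code is what is still running.
        if "x" not in m.group("perms"):
            continue
        stale.add(path)
    return stale


def scan_processes(proc_root: str = "/proc") -> dict:
    """Walk /proc and report {pid: stale library paths} for live processes."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                found = stale_libraries(fh.read())
        except OSError:      # process exited, or no permission (run as root)
            continue
        if found:
            report[int(entry)] = found
    return report


# Constructed sample: an Apache worker that still maps the pre-patch libssl.
SAMPLE_MAPS = """\
55d4c6a00000-55d4c6a3c000 r-xp 00000000 08:01 1310721 /usr/sbin/apache2
7f2b3c000000-7f2b3c1b0000 r-xp 00000000 08:01 2621441 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f2b3c1b0000-7f2b3c1c0000 rw-p 001af000 08:01 2621441 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f2b3c200000-7f2b3c3e0000 r-xp 00000000 08:01 2621500 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b3d000000-7f2b3d001000 rw-s 00000000 00:05 40963   /memfd:shm (deleted)
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0       [stack]
"""

if __name__ == "__main__":
    print("sample:", stale_libraries(SAMPLE_MAPS))
    for pid, libs in sorted(scan_processes().items()):
        print(pid, sorted(libs))
```

Run it as root after applying patches: an empty report means every process is executing the on-disk code; anything listed is a service that still needs a restart, which is the part a package manager cannot do for you.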
For Dutch customers, there's an excellent and highly publicised example of why open source is better than closed proprietary algorithms: the new public transit chip card (OV chipkaart).
This new chip card is meant to become the new universal standard for paying for public transit in the Netherlands. Big project, and it needed to be secure, so they hired a company with their own, secret, proprietary encryption system to handle it.
Anyone who knows anything about encryption can see the next step coming: as soon as it became big and the first chip cards became available, real experts started testing the security, and it was quickly broken. Several times, by different people, in different ways.
There are lots of other problems with this new chip card (they went way over budget, there are privacy issues, detection gates behave erratically, etc.), but this single issue, using private amateur encryption instead of an established and well-tested system, is just really amazingly stupid.
It's already in production in Rotterdam. You have to use the card, no other option. And everybody knows it's insecure.
Ok, with open source it should be a lot easier for bad guys to identify and even insert security holes.
However, security holes are a severe problem mainly when we don't know about them. Once we know about them, workarounds and fixes can be devised. And, in the case of open source, it is much easier to find and fix security holes.
The holes are found by the community or the maintainer and generally the existence is made public pretty much immediately whether it's a small or large hole. Closed source you might wait months before you hear of it and still longer for a fix. Open source you know RIGHT NOW, and if it's a popular piece of software a fix is probably in the works within minutes of hitting the bugtracker.
Now an argument could be made that this doesn't work well for smaller, less popular projects. Maintainers might have disappeared, and there might not be enough people who know the code to produce a prompt fix from the community. Ok, fine, I won't argue against this. However, closed source apps put out by companies in similar situations will suffer the same problem. No company is behind it that has the resources to fix problems. With open source, you can at least hire someone to fix your unmaintained app. Sure it might be expensive, but at least you have the option; with closed source, you're just screwed if it's mission critical.
It's all about talking to people in terms they can understand/relate to. For instance, if you are talking to an accountant, then give this scenario about filing (their personal) taxes:
Would you rather give it to a company that would have one (unnamed) "professional" prepare and send it, but neither you nor anyone else could look at the final document submitted?
OR
Would you like to give it to an entire group of professionals who will all take a look at it, discuss and then allow you to see what they did and even ask questions as to why they chose the decisions they made. Afterwards, you would still not be obligated to use it.
Sometimes even the most basic "computer" analogies will go over non-techies' heads, so you have to find a way to adapt the reason(s) you personally use OSS to their "mindset."
When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
check some of the recent posts here, about super secure networks being hacked... then use Netcraft (heh!) to show which OS they run.
That should prove your point.
It does make it easier to hack when the source code is available (though saying it can be done "with ease" is certainly hyperbole). However, it also makes it easier for good guys to find and fix security issues as well. But in the end they're advocating "security through obscurity." There are numerous references available about why security through obscurity doesn't really work.
Remember that the mere fact of being a Microsoft Partner does not make someone a Microsoft lackey. I own an IT company and we're a Microsoft Partner - this is an acknowledgment of the fact that almost all of our clients have significant deployments of Microsoft OS and application software, and that some of the line of business applications they use depend on Microsoft infrastructure.
Nevertheless, my company is an Open Source advocate, and we do all we can to encourage adoption of Linux and Open Source solutions where it's appropriate for our clients. We deploy websites using Joomla, and deploy a lot of apps that use the LAMP stack, and put an Untangle Internet gateway in our client sites.
To be sure, there are partners out there who practice pushing Microsoft to the exclusion of all others, but not everyone does that.
It's equally as true that there are Open Source zealots for whom there is no middle ground - Linux and Free Software is more of a religious commitment for them.
Most of us however live in the real world of reasonableness and prudence, trying to find the best fit for a client without regard to ideology. We see ourselves as Open Source advocates, even evangelists, but we also are cognizant that doing business in today's world means supporting clients who are still depended on Microsoft.
The only response to this sort of thing is a good hearty belly-laugh. When you finally calm down, you can point out the history of successful open-source Unix worms and viruses (one, the Morris worm which affected BSD among others), and the ongoing history of successful Windows worms and viruses (a recent Wall Street Journal should mention at least one).
This is one of those peeves of mine that comes up almost daily.
Open Source means that the bad guys will find flaws and destroy you!!!
Actually, since one can safely assume that there are far more good people out there than bad, Open Source means that the flaws will be found and fixed before there's much damage.
This is surely better than the typical MS or Apple response to security issues, which is first to deny them, second to take eons to issue a patch, third to schedule patches months down the road so that new exploits are revealed and unleashed shortly after patch day.
Me? I'd say Open Source wins this, hands down. I'll take the fixes in minutes approach over the we don't think it's broken, and if it is we'll let you know sometime in the next few months approach.
cheers,
You cannot argue that either closed or open source is secure. Each project has a different security profile. You can have a highly secure open source product that's hardened against attack. You can have proprietary products that are also secure. However, security is a continual process. So which avenue do you want to bet on to deliver timely patches for newly discovered flaws?
Banks (all the major ones worldwide), oil companies (both in the service side and producers), education institutions, government agencies and uncountable private companies in many other industries.
None of them have gone through all the code at once for sure, but for example one company I know about found problems with the "top" utility, checked the code, fixed it, and the guy that found the problem was given permission to release the fix.
The same company found a major problem with a very important infrastructure service around 5 or 6 years ago. The software provider tried to help, but the only developer that really knew anything about the bit of code relevant to the problem was always too busy doing something else, so the client company had to redesign its whole regional infrastructure in order to accommodate for the shortcomings of the software.
If that company had had access to the code, it had enough money to hire 2 or 3 programmers full time for a couple of months in order to sort out the problem (it would have been cheaper).
This effect accumulates and benefits *everybody*, the benefits are based in user need rather than in the needs of a software provider.
IANAL but write like a drunk one.
Any company that is worried about security also probably gets audited from time to time. With this in mind, it's easy to make a *real* argument against these tactics (not the impotent "just laugh at them" arguments the rest of the posters here seem to favor). You simply explain to them that open source code is constantly getting audited, and can be audited by anyone and everyone who wants it. Companies inherently understand why audits are needed and what their purpose is. It's the same for open source software.
How do you know MS documents that well?
Unless you have worked there and seen their code you really don't know this, and if you do and are talking about it here, most likely you are breaking an NDA or similar gagging agreement. So which one is it?
Does everybody have access to MS code using the shared source programs? (let me answer: No).
As for mentioning leaked code in BitTorrent as an equivalent to properly open source code, well, I will not comment, the embarrassment is on you for even mentioning it.
This depends on the products your clients are using:
1) You might preface with a list of MS vulnerabilities in comparative products: (This should be easy to find on the net. Does not need to be recent.)
Do you use MySql or Postgres: make a brief paper of vulnerabilities against Access + MySQL
Linux (Core) vs MS Windows X, Y; Z
Office suite vs. Office suite(s)
2) Then you might want to prepare a (preliminary) cost estimate to convert to Microsoft Products. (Seat of pants will do.)
3) Estimate how much it will cost to prepare a "good" version of 1;2 above.
Go to Client meeting;
a) You understand your client's concerns with security, and are more than willing to work with them to address these concerns. ... looking at MS code is more profitable for bad guys, but hey ... you will get them the results they authorized expenditures for.
b) You have brought with you a comparison of known vulnerabilities between some relevant products, which will naturally show that your product is more secure (use total number of vulnerabilities found, average time from vuln found to patch, whatever makes it look good for you) - which you don't really want to discuss, since they are reprints from the net.
c) If they want to go to MS, you are willing to help them - you estimate it will cost $hardware+$oftware+$time, which may be a lot but security is worth it.
d) You have been a trusted IT advisor/implementor for years, and really want to address their concerns raised by this marketing tactic.
e) If they are willing to use open source code backed by Microsoft, and the NSA is willing to use OpenSource - you don't have concerns about it, at least with the products your clients are using - other open source products will have to be re$earched.
f) Exactly what are their concerns, and how much time (Money) would they like to have you spend researching it to create proper documentation to address exactly those concerns.
g) Obviously, you are not too concerned about the system security - or you would not have implemented it that way, without caveats up front.
h) If they are really concerned, they can cough up several thousand for penetration testing from $buddy-of-yours.
i) btw. anyone can disassemble microsoft's code with an open source disassembler as well
j) You are always happy to meet with client$ to address their concerns.
The community includes the likes of IBM, Sun, Red Hat, Cisco, Nokia and many others.
Anybody suggesting amateurism would be lying through their teeth.
Point them at the relative numbers of known security breaches, outstanding known security loopholes and relative times to patch, between IE and, say, Firefox.
Ditto the number of viruses and other security loopholes between Windows and Linux.
But it is a good way of describing security though obscurity and security through your system actually being secure.
Which is the difference between closed and open source.
Operating systems contribute to security, but they are just a part of the big picture.
I would say that the most secure NSA-custom operating system in the world in the hands of someone who knew little about how to use it was far less secure than the least-secure OS you can think of (say, MSDOS) skillfully deployed in a secure infrastructure.
I feel that the security of your company rests more on the experience of your IT management team than on any single hardware or software component.
If your team knows how to use Linux securely it easily trumps using any unfamiliar platform in a potentially insecure manner.
If I were microsoft I would tout that it is supposedly easier to hire and retain trained microsoft geeks than trained Linux geeks. To my mind, perhaps a more rational point and harder to argue back against.
Don't read this as a rant against MSDOS, for all I know it was tremendously secure, easy to assimilate, still somewhat familiar to many older IT staff and I doubt virus writers support it any more. So yeah - by all means migrate to MSDOS for the security benefits.
Nullius in verba
Okay, so maybe I should have qualified it with "when used correctly." Closed source won't protect you if your administrator password is "password" any more than openssl can protect you from using a 128 bit RSA key.
What I meant to say is more along the lines of "we invented our own crypto, and we can't give you the documentation for it because doing so would make it crackable," or generally "we depend on security through obscurity." But the point is taken.
I've always found it curious that MS advocates supposedly are not ideology driven and open source advocates supposedly are by default.
If I produce a system that does X,Y and Z using Debian Linux (because I could) the first supposition is that I did it using Linux simply to kick back against "the man".
It's a branding thing...
"Redhat" is more acceptable than "Linux"
MySQL "open-sourcedness" is more acceptable than Linux's "open-sourcedness"
I think it boils down to the idea that things only have intrinsic worth if they are associated with another company.
Microsoft is full of hot air, and it's easily demonstrable.
It seems that people know that programs are made of code, which is then transformed to an executable form "somehow". But not that this executable form is just another form of code. And just as easy to change. You only have to know a different language... to do a different thing. That's all.
We, the community of experts, should make it perfectly clear when others are asking, in interviews, articles, and so on, that computers *only* accept plain code commands, that everyone can change. And that these commands are just another programming language. Nothing special. Especially nothing protected.
I will make this clear to my friends from now on.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I remember going to a Microsoft conference a few years back and was given marketing material on "get the facts", which is a website http://microsoft.com/getthefacts hosting 3rd party case studies in favour of Microsoft technology over Linux. I made a lot of my friends laugh at them simply by telling them this website existed and I gladly gave them the promotional material as a gift =)
Microsoft loses a lot of credibility by only presenting this one side of the story, and as long as they deny that alternatives have their advantages in specific scenarios nobody will take them seriously, and it's a shame cause I personally love most Microsoft products but such practices make me wanna make fun of them.
with nuts big enough to have 'frank and candid discussions' with those Certified Microsoft Professionals and then doggedly climb on up the chain of lies.
If you want guaranteed security, Microsoft is not for you.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Just get Congress to declare a bounty on the MS Sales & Marketing folk as part of the economic stimulus package!
There are some great comments on this issue here. Someone should combine them into a nice easy-to-read one to two page document and post it here.
I didn't see anyone posting a link to such a document.
These people you work for...they are simple minded. All you have to do is print out a list of Linux malware, and then print out a list of Windows malware. Place both stacks (well, the sheet of paper that says Linux and the stack that says Windows) next to each other in front of them, explain what each stack is, and then ask them "Which one seems more secure to you?"
Don't take life so seriously. No one makes it out alive.
There is one area in security where MS Windows products fail compared to Linux and that is the exposed surface area for attacks.
Linux: One of the big advantages that Linux has over Windows is that each distribution and most installations are so unique. Due to differences in defaults and installation choices, there are huge differences in the configuration of one Linux server to the next. Most Linux server installations I have been exposed to do not install any type of GUI. Some are Red Hat, some SUSE, some Debian, some Ubuntu, some are custom purpose distributions such as IPCop or SmoothWall firewalls. Some have SSH clients installed, some have iptables firewalls, some don't. If they have a web server, it might be Apache, but it could also be lighttpd. Databases that the application servers connect to could be MySQL or PostgreSQL or Oracle. If they have a mail server they may have sendmail or maybe postfix installed. They could be running a 2.6.8 kernel, or 2.6.18, or 2.6.24, or 2.4.32 etc. There is no "typical" Linux installation.
Windows: On the other hand, Windows will almost always (nice feature in 2008 to install without it) have a GUI installed. If they are running an HTTP server it is most likely IIS. If you are running a mail server you can almost guarantee that it will be Exchange. Back end databases are almost always SQLServer or Oracle. You can also bet 50% or more are not patched up to date because the services provided by those servers are not in a cluster or behind a sprayer so the admins can't afford the downtime associated with the patch.
The main point is this. In the security realm, the larger the defined attack surface, the more likely you are to be able to use one avenue to exploit and therefore compromise the server(s). Due to the wide differences in Linux distributions, and the fact that there is no "default" e-mail server, GUI, window manager, scripting language, firewall settings, etc. that are common among all Linux installations, a given attack or exploit will work on only a small percentage of Linux servers.
Compare that to Windows, where all servers essentially are configured identically within each release (Windows 2000, Windows 2003, ....). If they have a GUI installed it is the Windows GUI, it will have IE installed, it will have the Windows firewall, it will have .NET support installed, etc. This makes it much easier to exploit the server, because you have a large variety of services that are all identical running on every machine.
So if you exploit an IIS vulnerability you can compromise the server running Windows. If you exploit an Apache vulnerability you may not be able to do anything on a Linux box because the Apache instance could be run in a chroot jail, or with SELinux or Bastille Linux configured.
The variety of products and distributions in Linux, while a little challenging from a SysAdmin standpoint at times, is actually an inadvertent security feature. Windows uniformity is helpful to Windows consultants and system admins, but makes for an easier to exploit product.
My two cents worth...
download.microsoft.com - linux
search.microsoft.com - linux
vista.gallery.microsoft.com - linux
MS wouldn't let associate sites use non-Windows, would they?
"She's furniture with a pulse"
Well said.
The only problem is, they may not call because of:
We are supposed to advise and protect them from unscrupulous people, not make them learn the lesson the hard way.
Still, you have a very good point.
Say you were given the task of live-testing bullet-proof vests from two manufacturers. One gives you full access to vest design, construction and material specs, the other tells you that you just have to trust him, the vest is safe. Which vest would you choose for the live-test ?
It's really thorough documentation that tells the compiler how to make the machine code for the software.
But the compiled software is machine readable too or it wouldn't run. The physical machine requires code in its own well documented format. Naturally this means that closed source is only less convenient to reverse engineer, not impossible. Relying on this inconvenience for security is not Best Practice. It doesn't make your computer more secure any more than the practice of restricting maintenance manuals keeps thieves from stealing your car.
Help stamp out iliturcy.
"Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
If you don't personally know of any reliable source of information that can be used to inform customers that the software is secure, why are you making the claim?
Practice this line: "While Windows would tell you that we are more vulnerable, I have to point out that it is susceptible to over 60,000 viruses, while there are only 40 known Linux virii. Further, a Windows user has to update critical system patches as often as twice a month, whereas my Linux system might need an update once. Ever. Instead they create a better version biannually."
Checkpoint Firewalls are run by 100% of the Fortune 500 companies, as well as most first-world police and military installations. Checkpoint Secure Platform, the OS for its flagship products such as VSX, is a Red Hat derivative. Summary: The world's premier military and corporate firewalls run on Red Hat Linux. Open source for the win. Nuff said.
Simply put, security seems to be an orthogonal issue. Open source does not seem to automatically or inherently guarantee fewer vulnerabilities or better in-depth protections. It doesn't seem to make it worse, though.
Claiming so will only make you vulnerable to counter-examples (of which there are many) and will allow the MS lackeys to paint you as an ideology-driven zealot.
Chunk it down. Point to the security track record of the products you recommend. Leave out the claim that they are more secure because they are OS, just claim that the products are produced by vendors that are accountable, dependable and transparent with proven security records.
I'm not sure I'm going to fall for that crap. I believe your "simply put" is wrong. I believe OS does automatically and inherently guarantee fewer vulnerabilities. The paradigm of OS development pretty much takes care of that. Beyond that is common sense attributed to experience. You can't even install Windows while plugged into the INet. You'll be compromised within 12 seconds even before you get a chance to logon.
I'm not an OS zealot but I'm not stupid either. And if someone attributes to me the label of zealot because I speak the truth that's their failing not mine. Your advice to sit down and shut up is offensive. OS is what it is. Speaking that truth no more makes the case worse for the acceptance of OS than disagreeing with GW made me a terrorist.
Of course, we're all allowed our opinion and that's mine.
-[d]-
Cisco - ASA - Based on Linux
A10 - Loadbalancer/Firewall - Has Linux
Coyote Point - Loadbalancer - *BSD
Isilon - FreeBSD
Juniper's JunOS - FreeBSD
NetApp - FreeBSD
Force10 - NetBSD
The MS folks are saying, "If the bad guys can see the source code, they can find a vulnerability." Of course this is only true if there's a vulnerability to be found. But I think to the non-technical, it can sound like "If the bad guys can see the source code, they can create a vulnerability." It certainly seems that this misunderstanding is being exploited.
The "Ping O' Death" was a glitch that affected a lot of operating systems-- every single UNIX-like, Mac System 7, Windows 95, Netware, DOS, and others. Even embedded devices like routers, scanners, and printers were susceptible. Basically, if you sent an IP address a "ping" packet that was larger than the legal size, whoever had that IP address would experience anything from a graceful reboot to an instant kernel panic or BSOD. There was a patch available for Linux only 2 hours, 35 minutes, and 10 seconds after an alert was posted to the mailing list. It took months for Microsloth to get its act together and fix the bug. During that time, pranksters had endless fun crashing computers with the click of a button. http://insecure.org/sploits/ping-o-death.html
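The bug described above is a reassembly bounds problem: the IPv4 total-length field is 16 bits, so 65535 bytes is the legal maximum datagram, but fragments carry only a 13-bit offset in 8-byte units and a length, and nothing in a fragment header stops offset*8 plus payload from running past that maximum. Stacks that sized the reassembly buffer for 65535 bytes and trusted the fragments wrote past it. The following is an added example for this thread, not code from any operating system's IP stack or from the linked insecure.org write-up; `Fragment`, `Reassembler` and `reassemble` are illustrative names and the fragments are constructed. The one line that matters is the check in `add_fragment`, which is the defensive fix every vendor eventually shipped.

```python
"""Added example: the reassembly bounds check whose absence was Ping o' Death.

Illustrative toy reassembler, not any real stack's code.  Fragments below are
constructed for the example.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535          # 16-bit IPv4 total-length field
IP_HEADER_LEN = 20            # minimal IPv4 header, no options
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN
MAX_OFFSET = (1 << 13) - 1    # 13-bit fragment offset field


@dataclass
class Fragment:
    offset: int      # fragment offset field, in 8-byte units
    more: bool       # MF flag: more fragments follow
    payload: bytes


class Reassembler:
    """Minimal single-datagram reassembly with the overflow check in place."""

    def __init__(self) -> None:
        self.buf = bytearray(MAX_PAYLOAD)
        self.received = set()          # (start, end) byte ranges seen so far
        self.total = None              # payload length, known once MF == 0

    def add_fragment(self, frag: Fragment):
        if not 0 <= frag.offset <= MAX_OFFSET:
            raise ValueError("fragment offset does not fit in 13 bits")
        start = frag.offset * 8
        end = start + len(frag.payload)
        # The Ping o' Death check: a fragment may end no later than the
        # largest legal datagram.  Without it, `end` can reach 65528 + len,
        # and the copy below would write past a 65515-byte buffer.
        if end > MAX_PAYLOAD:
            raise ValueError(
                f"fragment ends at byte {end}, beyond the {MAX_PAYLOAD}-byte limit"
            )
        if frag.more and len(frag.payload) % 8 != 0:
            raise ValueError("non-final fragment length must be a multiple of 8")
        self.buf[start:end] = frag.payload
        self.received.add((start, end))
        if not frag.more:
            self.total = end
        return self.assembled()

    def assembled(self):
        """Return the payload once every byte up to the final fragment is present."""
        if self.total is None:
            return None
        covered = 0
        for start, end in sorted(self.received):
            if start > covered:
                return None            # hole: still waiting for a fragment
            covered = max(covered, end)
        return bytes(self.buf[: self.total]) if covered >= self.total else None


def reassemble(fragments):
    """Feed fragments in arrival order; returns the payload, or raises on bad input."""
    r = Reassembler()
    result = None
    for f in fragments:
        result = r.add_fragment(f)
    return result


# Constructed traffic: a legitimate 3000-byte payload split at 1480 bytes (1500 MTU).
GOOD_PAYLOAD = bytes(range(256)) * 11 + bytes(184)       # 2816 + 184 = 3000 bytes
GOOD_FRAGMENTS = [
    Fragment(0,   True,  GOOD_PAYLOAD[:1480]),
    Fragment(185, True,  GOOD_PAYLOAD[1480:2960]),       # 1480 / 8 == 185
    Fragment(370, False, GOOD_PAYLOAD[2960:]),
]
# Constructed out-of-bounds final fragment: offset 8189 * 8 = 65512, plus 100 bytes.
OVERSIZED_FRAGMENT = Fragment(8189, False, bytes(100))

if __name__ == "__main__":
    print("normal reassembly ok:", reassemble(GOOD_FRAGMENTS) == GOOD_PAYLOAD)
    try:
        reassemble([OVERSIZED_FRAGMENT])
    except ValueError as e:
        print("rejected:", e)
```

The fragment-order handling is there so the example behaves like a real stack (fragments arrive in any order); the security property is entirely the `end > MAX_PAYLOAD` rejection, and a fix that lands in two and a half hours versus months is a difference in the process around that one line, not in its difficulty.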
This is not about FLOSS or Closed source software being insecure or secure.
This is about MS strategy of making money with customers Innocence and Ignorance.
FLOSS advocates should hire services of able politicians to counter the FUD.
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
do you know anyone trustworthy with access to MS code who could do a compilation of it resulting in binaries identical to the ones found on distribution media?
Who told you that OSS is less safe than closed source?
A representative of a company who wants to sell!
MS is known to have used a business tactic known as Fear, Uncertainty and Disorientation.
Facts are:
MS source code can be obtained by Hackers/Crackers through illegitimate channels - the availability of source code is not an argument.
Thousands of experts monitor OSS source code and vulnerabilities are discussed in the open. Hackers recognizing vulnerabilities in MS source code are not to publish it, but to write exploits!
Number of successful attacks on MS and other closed source products in comparison to OSS products speaks for itself.
Average workload consumed per machine for remedy of exploitation code (malware removal) was 20 man-hours per Windows machine and 0.01 hours per Linux machine at a company running 5000 PCs.
You can offer security tests and penetration tests to your customer!
The largest institutions and companies where security is an issue use Linux
Contraindications - or failures of MS installations in the media:
Well, which would YOU think is more secure? On the one hand, you have a system whose source code is secret and closed. It is maintained by a handful of people who must work on all of the security flaws. They have even stated that there are flaws they simply will NEVER fix. Meanwhile that OS is run on many systems and is the target of most of the known attacks. Most people run it as administrator just to get anything done, making it MORE vulnerable. Or the system with an Open Source system. The code is freely available to look at by anyone, so anyone with the knowledge can check it for security flaws, or suggest fixes. No flaw is overlooked or ignored, because the support base is so much larger. There are almost zero viruses written to attack it, because they simply don't work, and those that do exist depend on the user to execute them. No one runs as administrator except the actual administrator, and then only when he needs to make changes! Besides, in testing, time after time, the Open Source solutions have proven to be more secure and harder to hack.
Open Source: Eroding the Digital Divide
The only real way to measure real safety/security is with real numbers of how things actually work in the field. You can't deduce security. The only way to know how secure something is, is to measure the break-in rate. One important thing to understand about break-ins is that most are a result of end-user mistakes. The main tool the U.S. and Britain used to break Enigma during WWII was their knowledge that all German transmissions ended with the same phrase. The British used brute force decoding: they simply tried every encoding sequence until they got one that decoded the last phrase to the content they knew it had. Operator error! The most common Windows and Linux attacks STILL rely on operator error.
I've worked in security for a long time, and have yet to subscribe to the idea: security = endless patching
There is a lot of software which is inherently secure, and a lot of software which can _never_ be secure.
It also does not apply to all cases where software cannot be changed after deployment.
The most important metrics here seem to be: what the software is trying to do, and how many man hours are spent on each line.
If the software is trying to implement an insecure protocol, then no amount of patching will ever make that software secure.
In general, if you're trying to add pre-emptive security, then there's a good chance the whole solution may be flawed by design.
By pre-emptive security I mean blacklists of any kind. (antivirus, network addresses, memory diagnostics, certain types of input sanitizing)
Also, if you see the need to severely cripple the functionality of your software, it may also be a sign of a design flaw.
The problem with pre-emptive security is that there is obviously no way to pre-empt an unknown threat.
And when the threats are known, sooner or later your blacklists will begin to contain valid use-cases, therefore crippling the functionality of the whole solution, or even worse, your software keeps working as intended, but now contains famous security issues.
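An added example (not from the thread) illustrating the two failure modes the comment above attributes to blacklists: a hypothetical username field checked first against a constructed "known bad" fragment list, then against an allowlist that describes what a valid value looks like. The fragment list, the username pattern and the sample values are all assumptions made for the demonstration.

```python
"""Blacklist (pre-emptive) filter versus allowlist filter for one input field.

Shows that a blacklist grown patch by patch (1) starts rejecting valid input
and (2) still accepts input nobody anticipated, while an allowlist does neither.
"""
import re

# Constructed blacklist of "known bad" fragments, the kind that accumulates
# one incident at a time. Assumption for this example, not a real product list.
BLACKLIST = ["script", "select", "drop", "../", "' or "]


def blacklist_ok(value: str) -> bool:
    """Accept anything that contains no known-bad fragment (case-insensitive)."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLACKLIST)


# Allowlist: state what a valid username IS. Assumed format: a lowercase letter
# followed by 2 to 31 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def allowlist_ok(value: str) -> bool:
    """Accept only values that match the whole username pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def classify(value: str) -> dict:
    """Return both verdicts so the two strategies can be compared side by side."""
    return {"blacklist": blacklist_ok(value), "allowlist": allowlist_ok(value)}


if __name__ == "__main__":
    # Constructed samples covering the ordinary case and both blacklist failures.
    samples = [
        "alice_01",        # ordinary valid name: both accept
        "scripture_fan",   # valid name rejected by the blacklist ("script" substring)
        "<b>admin</b>",    # markup nobody put on the blacklist: blacklist accepts it
        "dropbox_dave",    # another valid name lost to the "drop" fragment
    ]
    for sample in samples:
        print(f"{sample!r:18} {classify(sample)}")
```

Run it to see the allowlist column stay correct for every row while the blacklist column is wrong for the middle two.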
Let them see for themselves. Tell them to hire one of the MS partners to come and convert their systems to MS products. Ask them to get a money back guarantee in writing (which is essentially what they seem to be asking from you for their OSS systems). If they won't give them that, it ought to tell them something. If they do, tell them if they have any regrets later you'll be there to move them back (for a fee, of course).
You can bet that MS is probably involved. Kind of like how they gave some money to SCO via a VC company. MS cannot stop OSS because a lot of MS partners are already starting to use OSS. I belong to a few MS UGs and they are actually demonstrating Linux and OSS software at their meetings. Microsoft's only real strength is on the client OS.
