Slashdot Mirror
How To Argue That Open Source Software Is Secure?
Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
Really, that's a new low for Microsoft lackeys. Being ISV's you'd expect them to be a bit more honest and pragmatic. Turns out they're just like their evil overlords.
How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?
Open source is verifiable. Closed source is not.
Open source is verified, by many people, who discuss it in public. Closed source is not.
Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.
The contest for ages has been to rescue liberty from the grasp of executive power. -- Daniel Webster
.
Of course, Microsoft Windows has proven that closed-source, proprietary software is secure. Ha-ha-ha-ha-ha-ha-ha-...
Microsoft is desperate to fight the lower cost of Open Source in these troubled economic times. Microsoft is having trouble justifying their economic exstence. So, instead of fighting on a cost basis, Microsoft is tryng to shift the battleground to a different arena --- one of security. Unfortunately, in the arena of security, Microsoft loses big.
He may be lurking hereabouts, but if not, here's his bio. I've been doing open source for a fair while - 10 years or so - but he's been talking to companies and coming up with good answers to various arguments against open source for much longer.
The Army reading list
I'm sure in enterprise things can be different but working for a small/medium sized developer I know my CEO isn't so un-clued in that I couldn't explain something like this over drink and have a good laugh.
But then we've used Oracle and seen what happens when cost and bad economics limit your businesses growth. Let them smoke our RHEL and MySQL licensing, maybe their getting something out of the ink.
Better yet, when your PHB approaches you why don't *you* ask him to point out a security situation that *wasn't* caused or aggravated by something that wasn't open source.
Just because some idiot says it's true doesn't mean anything.
Quack, quack.
If it's good enough for the NSA, it's good enough for you.
Open source software is like any report in an academic journal.
While a little more informal, it has usually been similarly vetted by competent experts in the field before it's been allowed into the wild, especially in large projects.
Therefore, it's much more reliable than closed source software like Windows, for which you have to take Microsoft's word alone, as opposed to the reviews of several top developers in their fields who approved the commits in the first place.
Plus, tell them to examine their sources; the bias is obvious.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
The proof is in the pudding. Who gets hacked more ? Who suffers from worms and viruses constantly ? Who has to run anti-virus and anti-malware software ?
I had a professor say that kind of thing in class once. He said that "Linux will never be as secure as Windows because it's open source. Anyone can see the source code and use it to hack your computers."
It was completely involuntary on my part, but I let out a loud, and I do mean LOUD, "WHAT?".
He turned and looked at me, I said "I'm sorry but that's not correct. Look at OpenBSD, it's open source too and there has been exactly one remote exploit in a default install in the past six years. Microsoft wishes that Windows had that kind of track record." He stammered and stuttered and then moved on with his lecture.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
I'd just suggest rolling on the floor in hysterical laughter, just sobbing until your chest hurts whenever anybody says that to your face. Maybe after a couple of times, people will get the idea.
For anybody too dense to get it, show them the You Tube clips of Gates & Seinfeld.
Faster! Faster! Faster would be better!
Show them it's more secure than Closed source software.
Show them statistics about compromise and Virus infections of Windows servers.
Show them statistics about compromise and Virus infections of servers running open source OSes.
Construct "model" servers implemented according to system defaults and providing all required services (but with no extras installed)
For example, e-mail: A FreeBSD 6 server running postfix MTA, A Windows 2000 server running IIS SMTP Service.
Show them the probably impact that would be expected to both servers if no Vendor security updates were ever applied (based on Worms and viruses that were in the wild).
Show them statistics about the number of remotely exploitable vulnerabilities that were discovered that would actually impact the two model servers.
Show them the impact of actually protecting the Windows 2000 server from vulnerabilities with constant updates VS the few updates required to protect the fairly ironclad FreeBSD 6 server.
Consider the historic frequency of updates required to keep a system secure, and the downtime impact of constant reboots to apply updates.
Show them trusted (kind of) and family name organizations that work on/use FLOSS. Big ones that jump to mind are the DoDs use of linux, the NSAs creation of SE linux and everyone knows who IBM is.
2 points.
Camping on quad since 1996.
Whether or not the source code is available does not make software less secure. The methods by which most script kiddies and actual hackers (if I can use that term with these losers) access systems are those which would not be more or less available given the source code. You take a given library, note the interfaces and find a way to break in. If you have a buffer overflow, all the better.
Though I am an OSS advocate, I do not fall prey to the "oss is better" or "closed source is better" simply as a security measure.
Bad (insecure) software can be written by any individual or vendor. It is how that individual vendor responds to exploits that is the key.
The Kai's Semi-Updated Website Thingy
Tell your customers that Microsoft is trying to sell them stuff. It has nothing to do with open source vs.closed source, just money.
Since 2004 The source code for windows is available for $20 on blackhat websites. SO it's avaialble for scrutiny by a very select few since possession is criminal.
Also it's worth noting that even for-profit companies like Sun and Apple often open source their code (e.g. apple's Darwin Kernel and openSolaris). And those companies have much better security reputations than Microsoft.
Some drink at the fountain of knowledge. Others just gargle.
Mmm Hmm.
And how many times have you heard about worms on Microsoft, the 'more secure' closed source OS?
And how many times have you heard about viruses getting through on the Linux systems I helped you set up?
Since Linux is the main system used for internet servers, you would think dangerous criminals would hit it first, right?
The reason you haven't heard of it lately is they did. Unix and Linux ironed all this stuff out 20 years ago - the last Unix worm that got famous was the Morris Worm. Huey Lewis and the News were big, there were still hair bands, and Republicans still had a reputation as being fiscally responsible.
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
Disagree. Security is not a static rating but a process; part of that process is fixing found problems. Guess which is easier to fix: the stuff you've got the source to, or the stuff you have to wait 6 months before the vendor acknowledges as flawed.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security.
5-6 years? Go back and figure out the cost of purchasing the various windows software that you'd need (including all licenses, per-seat, etc.) over that time period. Don't forget the proprietary back up software and enterprise anti virus software. Then taking your hourly rates run the numbers for how often you would need to patch those systems (every week?) and toss in the time it would take you to *test* the roll out of those patches and then add more time for when it breaks everything despite your testing.
ROI goes a long way towards changing a customer's mind (which is why so many of them don't want to spend money on reliable backups :)
This is a general principle of security in general: something is only truly secure if it remains secure even when you know exactly how it works. Anything else is "security by obscurity"
Closed source software is like a mysterious lock where you have no idea how it works. You can take the company's word that it's secure, but really you just don't know. One day someone may just show up able to waltz right into your house. If the design of the lock is public for everyone to see, you can examine it yourself if you're knowledgeable in such things, or else rest secure knowing that plenty of knowledgeable people have deemed the lock good enough for their homes
That's my favorite way of explaining open source to non-computer people
Don't discuss the attack, that's just playing into the hand they gave you.
What I would point out is the monthly patch cycle you buy into with MS.
Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.
The rest of the world releases patches as soon as someone with eyes sees a flaw. This is a clear advantage and negates all the FUD you are seeing.
http://www.sans.org/top20/#z1
The critical flaws that were reported this year in Office products:
* Microsoft Excel Remote Code Execution (MS07-002)
* Microsoft Outlook Remote Code Execution (MS07-003)
* Microsoft Word Remote Code Execution (MS07-014)
* Microsoft Office Remote Code Execution (MS07-015)
* Microsoft Excel Remote Code Execution (MS07-023)
* Microsoft Word Remote Code Execution (MS07-024)
* Microsoft Office Remote Code Execution (MS07-025)
* Microsoft Outlook Express and Windows Mail (MS07-034)
* Microsoft Excel Remote Code Execution (MS07-036)
* Microsoft Excel Remote Code Execution (MS07-044)
* Adobe Reader and Acrobat Remote Code Execution (APSB07-18)
* Adobe Reader and Acrobat Cross Site Scripting (APSA07-01)
C2.2 Operating Systems Affected
Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista, MacOS X are all vulnerable depending on the version of Office software installed.
While all operating systems are affected...
Linux has two mentions on the entire page while other operating systems just go on and on and on.
With Open source, MANY eyes are looking at it finding problems and fixing them.
With Closed source, FEW eyes are looking at it-- are probably only focused on bugs and enhancements that will return new revenue, and may remain unaware of exploits for long periods of time. For example, some zero day flaws get extensive script libraries written to take advantage of them before they are discovered.
Hackers, the real ones (who are very few) can see the windows assembler and C code via disassemblers and debuggers anyway.
At least some of them probably have access to Windows code. (It's not really that secret- several companies have copies of the code including China which is known to launch cyber attacks against windows computers)
---
However, from dale carnegie, remember people decide with their emotions and then fit the facts to that.
You need to argue emotionally "Linux is safe because people really care about it and work hard to make it secure-- it's not just 'a job' that some jaded corporate programmer is phoning in".
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
DHS - linux
FBI - linux
Navy - linux
Air Force - linux
Wonder why those agencies are using such an "unsecure" platform...?
The argument that "anyone can read the code and hack you with ease" is false. To win the argument, one must explain the relationship between a _cypher_ (implemented in a program) and a _key_ (generated by a program). Secure programs are written such that even their *authors* can not hack them. The reason is because these programs do not directly provide security. Instead, for example, they may help users generate unique digital keys. Is is the combination of this digital key and the program itself (ie. the cypher) that provides security. Reading the source code will _not_ give the reader the key required to breach someone's privacy, especially if the program is good and can produce trillions of different and complex keys, each of which take a long time to test. Conversely, closed sourced programs are generally scrutinised by far fewer people, and as such they are generally less able to perform with the same speed, efficiency and reliability of their open source alternatives, including security related programs described above.
What is the #1 website on the planet today? Answer: google. How many machines does google have to support it's busines? Answer: tens of thousands. What operating system does google use? Answer: Linux. How many times has google been hacked in its 11 year history? Answer: Anybody, anybody? What is the #1 desktop operating system today? Answer: Microsoft. How many worms, trojans, viruses, etc. are there for Microsoft OSes? Answer: > 100,000 (source: pick you're favorite anti-virus company counting scheme.) How many times have businesses been hosed by using Microsoft software? Answer: Too many to count. The latest blunder today? The French navy. Reference: http://www.networkworld.com/news/2009/020909-conficker-worm-sinks-french-navy.html Now for the last and most important question: What does Microsoft think that it knows about security that Gooogle doesn't? Because comparing their security track records, it's not obvious to me that Microsoft knows anything about security. --Johnny says when in doubt just ask Google.
1. Do not belittle or otherwise blow off the customer's fear. In fact, hear it, and agree that it's something to think about.
Them: "I'm worried about this Linux stuff. A guy was telling me that anyone could see the code, and just know how to hack it!"
You: "I can understand how that could be a concern. It is a little like having a map of the valuables in your house taped to your front door."
2. Explain why openness is helpful
Them: "Yeah, so what should we do?"
You: "To be honest, sir, the reason why we like that anyone can see the code is because that means anyone can fix those problems. And lots of people do, for the very same reason you are worried about it. They need something that's secure, and isn't going to surprise them."
3. Mention that serious people have a big stake in making this work.
You: "I should mention that a few companies have bet a lot of money on open source, and wouldn't be happy to see it easily broken. IBM, Novell, and Oracle, to name a few, have very large investments in Linux, and have donated many patches to make sure the code is secure. And for that matter, so has the NSA. They have actually extended the security quite a bit, with their Security Enhanced Linux."
4. Reassure them that people are thinking hard about this.
Them: "Yeah, but if anyone can see it..."
You: "...then you have to be extra careful. See, the strategy that Open Source follows, and everyone should, is to assume that everyone *can* see the code, so you better design it so that the real keys to the kingdom aren't in the code at all. You make sure the keys are completely in the hands of the owners of the system, so it doesn't matter if you can see how the lock works, you still don't have the keys."
5. Point out the obvious.
Them: "But what happens if someone tries to slip something in, and is really good at it?"
You: "Once in a while, someone tries. But when a thousand people might look at the files you are trying to sneak in, someone's going to notice. And then a hundred thousand geeks will make fun of you. In public, all over the internet."
All the technology in the world won't hide your lack of vision, talent, or understanding.
Since 2004 The source code for windows is available for $20 on blackhat websites. SO it's avaialble for scrutiny by a very select few since possession is criminal.
Also, Microsoft regularly allows universities and governments to look at windows source code under NDA.
Plus, Bill Gates testified under oath that it would be a security calamity for windows source code to be released into the wild.
Strangely enough, that hasn't happened with linux & openbsd.
"...[systems] that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security."
Prove, document, and send your customers exactly that. None of my customers give a rats ass about philosophy, they care about the bang for the buck.
If you can clearly point out to your customers that:
1. The sales calls they're getting are SALES CALLS. Your customers will realize that the salesman will spin things so that they buy his kit. That spin may not be accurate or apply to them.
2. Uptime of your systems in a given time period.
3. Cost of your systems/services over that time period.
4. Be honest, unplanned downtime in the same time frame for your systems/services.
5. Distill all of that to brief bullets or an executive summary paragraph.
6. Follow on with a request for feedback. You strive to provide the best service to your customers, make sure that they're happy.
7. Double check all of your numbers before sending, assume it will be shown to the sales people from other companies. CYA.
Waffling on about philosophy and visibility of code and yadda yadda is all well and good, but the person cutting the cheques does.not.care. What they do care about is ROI and cost/benefit. They care about your track record of performance.
You don't exactly say what the tech level of your customers are but I'd suggest:
1. First tell them it is a great question. Explain to them that your company is very serious about security and they should always feel comfortable asking any question about your architecture, methods,etc..
2. Explain one of the reasons you use Linux is because of your concerns about their security.
3. Be able to link/show them the percentage of infected windows computers compared to Linux. This link should be from a highly reputable news source. (e.g. http://www.nytimes.com/2005/08/17/technology/17virus.htmll) This is the only stat they need to see.
4. Avoid any evangelism about open source. Most likely they don't care, they want a solution and a provider they can trust.
5. Finally take this as an opportunity to build a better relationship with your customer. The fact that they called you rather than switching providers means they *want* to trust you. Leave them with the feeling that they can.
Sun, IBM, and several others are MAJOR contributors. Why would they contribute to something that's so insecure?
They are collaborating with alien life forms that are trying to weaken the technological infrastructure of Earth.
Why would Google spend millions of dollars every year to fund Summer of Code?
They are giving young people a bit of feel-good educational employment just like Jim Jones gave his followers free Kool Aide.
Why would MySQL be one of the most popular RDMBS
Because people can't afford Microsoft SQL server.
1) I'd ask them what has the security experience been over the period you have supported them? While headline after headline has been in the paper about Windows exploits, botnets and viruses, what has happened with their installation.
2) I'd inform them that Google runs on Linux. Do they think Google knows what they are doing.
3) I'd tell them to talk to one of the people who is selling the windows services, and ask them to detail the costs of converting to MSFT, and what the security measures required would be. I think they'll blink after they get the price tag.
Sad to say, even if Windows was more secure, most people will balk at the expense if they're already running a solid linux based infrastructure.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
I watched a "How's it Made" episode on combination locks. Knowing how a lock is made, didn't make it any easier to break into one. If the code is made correctly, the passwords can't just be bypassed. You can't just change the code and load it in for a fun filled night of hacking any more than you can with a closed source OS. That's how I'd explain it to a customer.
It is true - the GP said they used BSD licensed code and the source you cite agrees:
Furthermore, I think the GP was thinking of the BSD licensed zlib. This library had a security issue several years back. Linux / BSD / etc were patched almost immediately (just update a single library), but MS products, including DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, were not patched as quickly.
My pics.
The strongest security is the one you get from everybody in the company being loyal and well educated about what they should and shouldn't do. Of course, you don't post your passwords on a sign outside, but that is about as much secresy as it is worth the effort to maintain, I think. Apart from that - if we know that Microsoft's security strategy uses "protocol X" and open source uses the same, what is the real difference? Only that in open source you can potentially inspect the implementation and verify that it doesn't contain inherent weaknesses that allow you to circumvent it. You can't do that with closed source, you have to trust the supplier; the big question then is: can you?
Open source works along the same lines as the open, scientific discourse that has brought us from pre-industrial society to the present day. If we had relied on secret research, we would still have lived in the mud; romantic, perhaps, but no computers. Or compare open societies to closed ones: are countries like Sweden, Germany and Switzerland less secure than, say, Burma? The only ones that feel more secure in Burma are the ones in power, but the country as a whole is less secure, as far as I can see.
You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service.
Look at all the "respected" finance firms that either no longer exist, are close to death, or turned out to be giant scams. The root to all this were complicated processes that lacked the necessary transparency. When something started to break, no one could determine which parts in the system were still valid, so everything grinded to a halt.
The moral of the story is that complicated systems need to be transparent, regardless of their industry. Assume the worst of what you and other vested parties are unable to see. Not being able to see the problem is worse than the problem itself.
Sdelat' Ameriku velikoy Snova!
I always compare it to how you could judge/audit a bank's security.
Bank #1
The bank manager gives you a full blueprint laying out each path to the vault and how those paths are secure. Next, they show you the construction of the vault, how thick the steel is. They move on to show you how the locks work and explain why they they chose those type of locks.
Bank #2
The bank manager assures you that the vault is definitely in the building and that it is absolutely secure. However, they state that it would undermine their security to provide you any additional details.
Which bank would you feel more safe about putting your money in?
Spooooon!!!!!
"First they ignore you, then they ridicule you, then they fight you, then you win." -- Mahatma Gandhi
They're getting scared now.
Help stamp out iliturcy.
Comment removed based on user account deletion
That's also being disinformed - the Microsoft itself is ENDORSING AND FUNDING Open Source!
Just put the phrase "Microsoft funding apache" in any web search engine. It was on Slashdot a few weeks ago anyway. And show that to your customers. MS's CMPs are telling that Apache is insecure? Well, Microsoft is funding it and telling that it's good, so it looks like those MCPs know crap even about things Microsoft has say in officially and they shouldn't be trusted in those matters, or probably in any matters.
This is Slashdot. Common sense is futile. You will be modded down.
You must stress that being able to _read_ the code is not the same as being able to _write to the released codebase_. This is an assumption I have encountered again and again and again.
The evil thing is, people don't ask about this, they assume it's fact and that's that.
"We" need to make sure this myth dies.
Open source is only as secure as the users who use it and the developers. Obviously having more developer/testers involved can make it easier to to find vulnerabilities... But for smaller projects it's difficult to tighten security if there are a small number of developers or people to report the insecurities. The same goes for closed source though, the only difference is that the vulnerabilities of open source are usually easier to find because the source is available.
Exactly. If you can't prove it's secure, then you must assume it's insecure. Penetration testing is a start. Code auditing and automated analysis, unit testing, honeynets, design by contract (including specification of what exceptions methods throw), and even mathematical proofs of code reliability would be better.
Of course, until most open source code has enough documentation to specify its intended purpose, so that you can actually test that it meets those specifications, most of this is a moot point.
OK you can say that the authour's background may bias him somewhat but then Microsoft's claims are open to the same criticism.
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/
The best line though is that old favourite "well they would say that wouldn't they" particularly if you then explain the dependance Microsoft has on business and Office in particular.
On the other hand, you can also find out who the Microsoft vendors are that are making the claims and report them for false advertising or fraud. At best, the current situation i.e. which system is most secure, is debatable and at worst a matter of opinion and it will remain this way until a truly independant analyst manages to definitively show otherwise.
Hmmmmmm..... Deep fried and look like Squirrel.
06:35:53 up 299 days, 10:52, 6 users, load average: 0.00, 0.00, 0.00
Yeah, because I get hacked all the time on my open-source operating system.
Is Windows even *capable* of being up for ~300 days?
I wonder what MS is telling people about the multitudes of embedded devices out there that run Linux? Is MS telling people that their Cisco Home-tier stuff is vulnerable? Hmm?
I've had to deal with this FUD before with my clients. All it usually takes is an explanation that open source code is constantly being peer-reviewed and patches usually come within a day of discovering an error, whereas Microsoft takes weeks to months to patch the majority of their serious security flaws, and there is no external review process, so you never know if the patch is good.
I even ran a demonstration for a client once. I plugged a Windows box directly to the Internet (with Windows Firewall ON) and went for lunch with the client. The windows box had not only crashed during that time, but was completely un-bootable when we returned. I then plugged in the Linux router, and it has been on ever since... about 299 days, 10 hours, and 52 minutes.
With the risk of being modded into obscurity and burning all my karma:
Simply don't venture into the trap that OS is inherently more secure than closed source. It is unfortunately easily refuted. PHP, WordPress, Typo3, Drupal are all open source projects with very challenged security track records.
Security and open source - despite popular belief - seems to be orthogonal concepts. It seems to have more to do with the QA/QC processes in place than with the actual development model.
IBM just released a report which shows that Vista and Windows Server are actually hit by fewer vulnerabilities than "Linux kernel", although suffering from more malware. http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
It actually show that through 2008 Linux kernel experienced 2x the vulnerabilities of Vista/Server 2008, Apple OS X was hit by 3x the vulnerabilities.
The IBM X-Force team went through the disclosed CVEs and attributed them to the operating systems. This way they didn't multi-count Linux because of multiple distributions, and also they didn't count vulnerabilities from the bundled apps from the distributions.
You may claim (as many surely will) that MS somehow "hides" vulnerabilities. However, that doesn't seem to be the case when you look at the information (the "bulletins") which is supplied with each patch.
Simply put, security seems to be an orthogonal issue. Open source does not seem to automatically or inherently guarantee fewer vulnerabilities or better in-depth protections. It doesn't seems to make it worse, though.
Claiming so will only make you vulnerable to counter-examples (of which there are many) and will allow the MS lackeys to paint you as an ideology-driven zealot.
Chunk it down. Point to the security track record of the products you recommend. Leave out the claim that they are more secure because they are OS, just claim that the products are produced by vendors that are accountable, dependable and transparent with proven security records.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Countermeasure: Education.
'anyone can read the code and hack you with ease.'
Use the opportunity to explain to them that if reading the code reveals possible hacks, then indeed the code sucks. Cryptography teaches us that knowing the algorithm doesn't give you an "in", unless the algorithm is flawed. Example: Knowing that the file was AES encrypted doesn't allow me to decrypt it (without the key), even though the AES algorithm is public knowledge.
You could also ask two provocative questions:
One: Why then are public standards public, if knowing how things work would make it easy to exploit them?
Two: If knowing the code makes it easy to hack you if there are bugs in the code - then what does Microsoft have to hide, by hiding the code? All the bugs that make hacking it so easy, perhaps?
Third alternative, you could point out that the source code to windows is widely available (lots of companies and university have source code licenses), and has in fact been leaked into the general public several times.
My preferred alternative would be "if you believe that shit, you're a lot dumber than I thought", but you probably can't say that to customers.
Assorted stuff I do sometimes: Lemuria.org
AES, RSA, and all the rest are published standards. Now, some companies claim that they can't reveal what kind of encryption they use or it would severely degrade their product. I'm not naming names because I have none, this is just a vague recollection. Just go with the high level idea.
I once encountered a product that protected some internal information with the RSA algorithm. The key was the product of two large prime numbers. The large prime numbers were the tenth prime number above 2^63, and the tenth prime number below 2^60. Looks like they took their large primes from Knuth's "Art of Computer Programming". I factored the product using pen and paper :-)
For Dutch customers, there's an excellent and highly piblicised example why open source is better than closed proprietary algorithms: the new public transit chip card (OV chipkaart).
This new chip card, is meant to become the new univeral standard for paying for public transit in Netherland. Big project, and needed to be secure, to they hired a company with their own, secret, proprietary encryption system to handle it.
Anyone who knows anything about encryption can see the next step coming: as soon as it became big and the first chip cards became available, real expert started testing the security, and it was quickly broken. Several times, by different people, in different ways.
There's lots of other problems with this new chip card, they went way over budget, there are privacy issues, detection gates behave erratically etc, but this single issue, using private amateur encryption instead of an established and well tested system, is just really amazingly stupid.
It's already in production in Rotterdam. You have to use the card, no other option. And everybody knows it's insecure.
All things considered it is just plain lazier to restart your server after applying patches
Fixed that for you.
Someone who is knowledgeable will be able to restart the appropriate services on a Linux box without going through a full reboot cycle. It's not hard to check the processes on a box to see if they're using the library which was updated.
To the best of my knowledge, it is impossible to do this in many cases with Windows, because you can't replace the file while it is in use (and forcibly unlocking the file to replace it has undefined behavior with any given program.)
I'd love to be proven wrong on that Microsoft bit, though. If there's a way to safely patch without having to restart, please let me know!
Banks (all the major ones worldwide), oil companies (both in the service side and producers), education institutions, government agencies and uncountable private companies in many other industries.
None of them have gone through all the code at once for sure, but for example one company I know about found problems with the "top" utility, checked the code, fixed it, and the guy that found the problem was given permission to release the fix.
The same company found a major problem with a very important infrastructure service around 5 or 6 years ago. The software provider tried to help, but the only developer that really knew anything about the bit of code relevant to the problem was always too busy doing something else, so the client company had to redesign its whole regional infrastructure in order to accommodate for the shortcomings of the software.
If that company had have access to the code it had enough money to hire 2 or 3 programmers full time for a couple of months, in order to sort out the problem (it would have been cheaper).
This effect accumulates and benefits *everybody*, the benefits are based in user need rather than in the needs of a software provider.
IANAL but write like a drunk one.
Operating systems contribute to security, but they are just a part of the big picture.
I would say that the most secure NSA-custom operating system in the world in the hands of someone who knew little about how to use it was far less secure than the least-secure OS you can think of (say, MSDOS) skillfully deployed in a secure infrastructure.
I feel that the security of your company rests more on the experience of your IT management team than on any single hardware or software component.
If your team knows how to use Linux securely it easily trumps using any unfamiliar platform in a potentially insecure manner.
If I were microsoft I would tout that it is supposedly easier to hire and retain trained microsoft geeks than trained Linux geeks. To my mind, perhaps a more rational point and harder to argue back against.
Don't read this as a rant against MSDOS, for all I know it was tremendously secure, easy to assimilate, still somewhat familiar to many older IT staff and I doubt virus writers support it any more. So yeah - by all means migrate to MSDOS for the security benefits.
Nullius in verba
Say you were given the task of live-testing bullet-proof vests from two manufacturers. One gives you full access to vest design, construction and material specs, the other tells you that you just have to trust him, the vest is safe. Which vest would you choose for the live-test ?
The only real way to measure real safety/security is with real numbers of how things actually work in the field. You can't deduce security. The only way to know how secure something is, is to measure the break-in rate. One important thing to understand about break-ins is that most are a result of end-user-mistakes. The main tool the U.S. and Britian used to break Inigma during WWII was thier knowledge that all German transmissions ended with the same phrase. The British used a brute force decoding, they simply tried every encoding sequence until they got one that decoded the last phrase to the content they knew it had. Operator error! The most common Windows and Linux attacks STILL rely on operator error.