Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Argue That Open Source Software Is Secure?

Posted by kdawson on from the beyond-because-i-say-so-dammit dept.

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"

23 of 674 comments (clear)

  1. That's a new low by Daishiman · · Score: 5, Interesting

    Really, that's a new low for Microsoft lackeys. Being ISV's you'd expect them to be a bit more honest and pragmatic. Turns out they're just like their evil overlords.

  2. turn tables by TheSHAD0W · · Score: 5, Insightful

    How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?

    1. Re:turn tables by Pav · · Score: 5, Insightful

      I'm not sure "counter-spin" is the right tactic. Sure, you can offer some counter arguments, but personally I'd suggest the customer do an Internet search with something like "windows linux security". Microsoft has advertising muscle, editorial influence and sales teams... but despite this many people in-the-know choose open source specifically for security - an Internet search should make that clear. It will also demonstrate your integrity.

    2. Re:turn tables by TubeSteak · · Score: 5, Insightful

      How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?

      What the argument really boils down to is this:
      Open Source - You/I/We/The Community can audit the code and fix problems now
      Closed Source - Wait for the vendor (MS) to release a patch (once a month) if the vendor thinks it is worth patching

      --
      [Fuck Beta]
      o0t!
    3. Re:turn tables by Roger+W+Moore · · Score: 5, Insightful

      Ah, but how do we know it is not true? Since it is closed source we can never be completely certain and just have to take someone's word for it....which is really the whole point of the argument for OS.

    4. Re:turn tables by JWSmythe · · Score: 5, Insightful

          An obvious one would be....

          "So, why do my non-public facing workstations constantly get viruses; my public facing Windows machines get exploited; yet my non-public facing Linux machines have no security problems; and my public facing Linux machines have never been exploited. They're all patched in accordance to the distribution guidelines."

          To appease the C-level folks, good documentation and quantification of the instances of security problems will make them happy.

          "We spent 5,000 man hours last year cleaning up exploit problems on properly patched Windows machines, yet we spent 20 hours investigating potential security problems on the open source machines and found them to be simply user error. Per machine they equate to 50 hours per Windows machine, and 0.01 hours per open source machine.

          In the last fiscal year, the TCO per machine on average, including cost of licenses, upgrade licenses, maintenance, and required security response for Windows machine was $800, while it was only $2.50 per open source machine. Hardware costs are not accounted into this, as the open source users are happy with the superior performance achieved versus the Microsoft based counterparts."

          Those numbers are just yanked out of thin air. Fill them in with the appropriate numbers for your network.

          If you can provide a brief yet complete statement like that, it won't matter what the sales minions say, you have factual data to back up your side. Scare tactics aren't as good as hard evidence. Well, except in court. Juries will believe anything if you wrap it up right.

      --
      Serious? Seriousness is well above my pay grade.
  3. Go to the bug logs for your software by wtansill · · Score: 5, Interesting

    Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.

    --
    The contest for ages has been to rescue liberty from the grasp of executive power. -- Daniel Webster
  4. *sigh* by faedle · · Score: 5, Informative

    If it's good enough for the NSA, it's good enough for you.

  5. Not sure about customers, but... by Lord+Kano · · Score: 5, Funny

    I had a professor say that kind of thing in class once. He said that "Linux will never be as secure as Windows because it's open source. Anyone can see the source code and use it to hack your computers."

    It was completely involuntary on my part, but I let out a loud, and I do mean LOUD, "WHAT?".

    He turned and looked at me, I said "I'm sorry but that's not correct. Look at OpenBSD, it's open source too and there has been exactly one remote exploit in a default install in the past six years. Microsoft wishes that Windows had that kind of track record." He stammered and stuttered and then moved on with his lecture.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  6. Antivirus by lena_10326 · · Score: 5, Interesting

    2 points.

    1. The fact that an antivirus program combined with a firewall is mandatory for any windows box (closed source) to remain virus free for longer than 20 seconds connected to the internet, whereas linux (open source) requires no such antivirus program, is experiential proof that linux is more secure.
    2. Many firewall/routers run linux. If linux is good enough to protect your windows machines from intrusion, then a logical person would conclude an open source operating system such as linux is more secure.
    --
    Camping on quad since 1996.
  7. This is easy by garada · · Score: 5, Insightful

    Tell your customers that Microsoft is trying to sell them stuff. It has nothing to do with open source vs.closed source, just money.

  8. Re:how to argue that closed source is secure? by cptdondo · · Score: 5, Informative

    Did you ever monitor a project maillist? I'm constantly amazed at the nit-picky details that must be addressed before a patch is accepted. The submitter is held to an incredibly high standard.

    I've worked in a commercial outfit, and if it worked, we shipped.

    The quality control that a patch goes through, the ruthless dissection of programming style, usefulness, and clarity is something I've never seen in a commercial environment.

  9. Fight back by missing000 · · Score: 5, Insightful

    Don't discuss the attack, that's just playing into the hand they gave you.

    What I would point out is the monthly patch cycle you buy into with MS.

    Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.

    The rest of the world releases patches as soon as someone with eyes sees a flaw. This is a clear advantage and negates all the FUD you are seeing.

    1. Re:Fight back by rtfa-troll · · Score: 5, Insightful

      Don't discuss the attack, that's just playing into the hand they gave you.

      Well; if nobody's discussing it, then no. If they do discuss it you should definitely be ready to discuss their specific points with the people who have heard them. Preparing in advance so those points seem silly at the time they are told is also good.

      What I would point out is the monthly patch cycle you buy into with MS.

      It should be remembered that whilst this doesn't work properly, it was introduced partly at the demand of corporate customers. Some of them still like the idea and so it's maybe not the strongest point. What is worth discussing.

      • Linux has SELinux / iptables and other second level defenses which make many vulnerabilities easier to control
      • Linux patch management is integrated for both standard applications and OS making the likelyhood of an unpatched system much less than on Windows;
      • Linux patch management is flexible, allowing automated patching of systems on a self imposed schedule; e.g. desktops automatically, servers at night after warning.

      If you do want to discuss Microsoft's patch cycle, discuss it in the light of specific problems it causes. You should know of a specific "zero day" unpatched vulnerability which should obviously be patched and hasn't been.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    2. Re:Fight back by LurkerXXX · · Score: 5, Insightful

      They claim it's a feature, because it's a feature their large corporate customers asked for. You aren't likely to get bonus points for going against that one.

      Microsoft used to release patches as soon as they were discovered. They worked that way for decades. A hole was found, a fix was built, tested, and released. Patches would come out almost daily sometimes. The big companies didn't like that because besides the plethora of standard 3rd party apps that MS and others tested the patch against, they also all had tons of custom in-house software that each patch had to be tested against. When patches were coming out frequently (sometimes daily as I said), their testing teams would only get a start on one patch, when they'd have to begin the testing process again with another patch. Things stacked up in the queues and they blew a lot of money on large testing teams. They requesting less frequent, but scheduled patch releases from MS so that they could set a regular manageable cycle for testing. It's certainly a security risk, but the pointy-hairs and bean counters at the large corps thought it was a good risk for the dollar savings.

      By attacking MS's patch cycle, you are attacking the pointy-hairs and bean counters at those companies you are trying convince open-source is good. Probably not the best approach.

    3. Re:Fight back by jd · · Score: 5, Insightful

      Oh, there's actually a much better ways to do things. Windows 2000 had its NIST certification withdrawn due to insecurities (you don't have to say those were fixed and it was revalidated).

      Whereas Linux is certified at around EAL5 - one of the highest Government ratings for commercial software and above the standards needed for classified work. Linux also has security code by the NSA. They can't endorse it, being the Government and all, but would the NSA spend money on software they can't use?

      Even NASA and the Department of Energy have spent millions on Linux systems and putting some of their most essential work in that environment. If it's good enough to secure our nation against terror, doesn't it have to be better than the system you're patching monthly and still getting break-ins on?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:Fight back by HungryHobo · · Score: 5, Informative

      Well there's an old quote you could pull out.

      If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -and you still can't open the safe and read the letter - that's security.

      This might be a way to explain it to your clients.

    5. Re:Fight back by ScuzzMonkey · · Score: 5, Insightful

      There are a load of fine suggestions in this thread which are well-constructed for logical minds, but I can't help but feel this tactic is best answered in kind: a gut-level fear-check. And so the best response isn't to sit down and try to explain the perils of security through obscurity, nor to try to sell additional security services, or to discuss patch cycles and the like, but instead to simply ask the client this: "When's the last time you heard on the evening news anything about a new virus, exploit, or vulnerability discovered in your Linux software? Now, how about Microsoft software?"

      Overly simplistic? Absolutely. Sure to make them reconsider what the Microsoft vendors are trying to sell them on its supposed security? Definitely.

      --
      No relation to Happy Monkey
  10. What does the government think? by Toe,+The · · Score: 5, Informative

    DHS - linux
    FBI - linux
    Navy - linux
    Air Force - linux

    Wonder why those agencies are using such an "unsecure" platform...?

  11. Ask your customers just some simple questions by Johnny+Loves+Linux · · Score: 5, Interesting

    What is the #1 website on the planet today? Answer: google. How many machines does google have to support it's busines? Answer: tens of thousands. What operating system does google use? Answer: Linux. How many times has google been hacked in its 11 year history? Answer: Anybody, anybody? What is the #1 desktop operating system today? Answer: Microsoft. How many worms, trojans, viruses, etc. are there for Microsoft OSes? Answer: > 100,000 (source: pick you're favorite anti-virus company counting scheme.) How many times have businesses been hosed by using Microsoft software? Answer: Too many to count. The latest blunder today? The French navy. Reference: http://www.networkworld.com/news/2009/020909-conficker-worm-sinks-french-navy.html Now for the last and most important question: What does Microsoft think that it knows about security that Gooogle doesn't? Because comparing their security track records, it's not obvious to me that Microsoft knows anything about security. --Johnny says when in doubt just ask Google.

  12. Use an Analogy... by Rinnon · · Score: 5, Insightful

    I watched a "How's it Made" episode on combination locks. Knowing how a lock is made, didn't make it any easier to break into one. If the code is made correctly, the passwords can't just be bypassed. You can't just change the code and load it in for a fun filled night of hacking any more than you can with a closed source OS. That's how I'd explain it to a customer.

  13. buying the false argument by Anonymous Coward · · Score: 5, Insightful

    You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service.

  14. Re:how to argue that closed source is secure? by rtfa-troll · · Score: 5, Informative

    You seem to be a bit trolling, but you're an interesting troll, so lets go ahead :-)

    It's very clear that different parts of open source have different standards of review. Whilst the Debian SSL situation is bad to terrible (I had just installed my home web server on Debian for an experiment; I was not pleased!), however it was discovered only due to the source being open. It's known that actual deliberate attempts to put back doors into the Linux Kernel have been thwarted. By choosing properly supported stable well audited parts of Linux there can really be a benefit. Personally I would strongly recomment RedHat. I was impressed that ther distribution wasn't actually compromised during the recent attacks on their signing infrastructure. It showed a real commitment to defense in depth to a level which surprised me.

    Even the compiler attack you mention has now been countered (see also Schneier's interesting discussion of double compilation). I'm surprised you don't mention it when discussing a 1980's paper (which is why I wonder about the trolling bit). This means that it really is possible to leverage the benefit of "open source" for better security.

    I'd take a slightly different moral; you should have layered trust. More for Linux; less for Apache; little for Open Office very little for random Linux games; none for closed source software. Use SELinux to partition your software (if your OS doesn't support SELinux then change it :-). If you care about security then insist on source and actually pay for some parts of source level audits.

    A key "talking point" in this discussion would be why the Chinese insisted on having Windows source whilst commercial customers don't get it. Discuss whether your company has any Chinese competitors. Seriously consider switching off a system which gives those competitors a benefit you don't have (sometimes Chinese competitors seem indistinguishable from the government). If they insist on source then so should you.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();