How To Argue That Open Source Software Is Secure? 674

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
  • *sigh* (Score:5, Informative)

    by faedle ( 114018 ) on Wednesday February 11, 2009 @12:42AM (#26808143) Homepage Journal

    If it's good enough for the NSA [nsa.gov], it's good enough for you.

  • by Anonymous Coward on Wednesday February 11, 2009 @12:50AM (#26808221)

    Do you need any more blatant example than that?

    Name the next largest 'nix worm after the Morris worm.

  • by mysidia ( 191772 ) on Wednesday February 11, 2009 @12:53AM (#26808249)

    Show them it's more secure than Closed source software.

    Show them statistics about compromise and Virus infections of Windows servers.

    Show them statistics about compromise and Virus infections of servers running open source OSes.

    Construct "model" servers implemented according to system defaults and providing all required services (but with no extras installed)

    For example, e-mail: a FreeBSD 6 server running the Postfix MTA, and a Windows 2000 server running the IIS SMTP Service.

    Show them the probable impact that would be expected on both servers if no vendor security updates were ever applied (based on worms and viruses that were in the wild).

    Show them statistics about the number of remotely exploitable vulnerabilities that were discovered that would actually impact the two model servers.

    Show them the impact of actually protecting the Windows 2000 server from vulnerabilities with constant updates VS the few updates required to protect the fairly ironclad FreeBSD 6 server.

    Consider the historic frequency of updates required to keep a system secure, and the downtime impact of constant reboots to apply updates.

  • Re:That's a new low (Score:5, Informative)

    by Ethanol-fueled ( 1125189 ) * on Wednesday February 11, 2009 @12:54AM (#26808251) Homepage Journal
    Eh. Two of the three ads [imageshack.us] served on this page since I first viewed it are Microsoft ads.

    Never understood why people didn't like KDawson, but approving articles from known [slashdot.org] professional trolls with links to Twitter (not to mention the fact that other Slashdot admins post Twitter's articles) smells funny. There's always a market in people you love to hate ;)
  • Patch tuesday? (Score:1, Informative)

    by Anonymous Coward on Wednesday February 11, 2009 @12:59AM (#26808311)

    Remind them what Patch Tuesday is about. Then ask them about MS transparency on disclosing unpatched bugs. How many patches were applied to IE, and is it yet secure?

  • Re:turn tables (Score:5, Informative)

    by man_of_mr_e ( 217855 ) on Wednesday February 11, 2009 @01:00AM (#26808323)

    Actually, it's not true.

    You should read this article http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357 [kuro5hin.org]

    Microsoft did use code from BSD, but it was licensed from UCB (via Spider Software) and predates the first open source versions of BSD's network stack, as evidenced by the copyright dates. And the Windows network stack is not based on it anymore.

  • by cptdondo ( 59460 ) on Wednesday February 11, 2009 @01:15AM (#26808447) Journal
    Did you ever monitor a project maillist? I'm constantly amazed at the nit-picky details that must be addressed before a patch is accepted. The submitter is held to an incredibly high standard.

    I've worked in a commercial outfit, and if it worked, we shipped.

    The quality control that a patch goes through, the ruthless dissection of programming style, usefulness, and clarity is something I've never seen in a commercial environment.
  • by Maxo-Texas ( 864189 ) on Wednesday February 11, 2009 @01:17AM (#26808471)

    http://www.sans.org/top20/#z1 [sans.org]

    The critical flaws that were reported this year in Office products:

            * Microsoft Excel Remote Code Execution (MS07-002)
            * Microsoft Outlook Remote Code Execution (MS07-003)
            * Microsoft Word Remote Code Execution (MS07-014)
            * Microsoft Office Remote Code Execution (MS07-015)
            * Microsoft Excel Remote Code Execution (MS07-023)
            * Microsoft Word Remote Code Execution (MS07-024)
            * Microsoft Office Remote Code Execution (MS07-025)
            * Microsoft Outlook Express and Windows Mail (MS07-034)
            * Microsoft Excel Remote Code Execution (MS07-036)
            * Microsoft Excel Remote Code Execution (MS07-044)
            * Adobe Reader and Acrobat Remote Code Execution (APSB07-18)
            * Adobe Reader and Acrobat Cross Site Scripting (APSA07-01)

    C2.2 Operating Systems Affected

    Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista, MacOS X are all vulnerable depending on the version of Office software installed.

    While all operating systems are affected...
    Linux has two mentions on the entire page while other operating systems just go on and on and on.

    With Open source, MANY eyes are looking at it finding problems and fixing them.

    With Closed source, FEW eyes are looking at it-- and they are probably only focused on bugs and enhancements that will return new revenue, and may remain unaware of exploits for long periods of time. For example, some zero day flaws get extensive script libraries written to take advantage of them before they are discovered.

    Hackers, the real ones (who are very few) can see the Windows assembler and C code via disassemblers and debuggers anyway.

    At least some of them probably have access to Windows code. (It's not really that secret- several companies have copies of the code, including China, which is known to launch cyber attacks against Windows computers.)

    ---

    However, from Dale Carnegie, remember people decide with their emotions and then fit the facts to that.

    You need to argue emotionally "Linux is safe because people really care about it and work hard to make it secure-- it's not just 'a job' that some jaded corporate programmer is phoning in".

  • by Toe, The ( 545098 ) on Wednesday February 11, 2009 @01:20AM (#26808503)

    DHS [netcraft.com] - linux
    FBI [netcraft.com] - linux
    Navy [netcraft.com] - linux
    Air Force [netcraft.com] - linux

    Wonder why those agencies are using such an "unsecure" platform...?

  • by jrj0001 ( 1082231 ) on Wednesday February 11, 2009 @01:20AM (#26808505)
    The argument that "anyone can read the code and hack you with ease" is false. To win the argument, one must explain the relationship between a _cypher_ (implemented in a program) and a _key_ (generated by a program). Secure programs are written such that even their *authors* can not hack them. The reason is because these programs do not directly provide security. Instead, for example, they may help users generate unique digital keys. It is the combination of this digital key and the program itself (ie. the cypher) that provides security. Reading the source code will _not_ give the reader the key required to breach someone's privacy, especially if the program is good and can produce trillions of different and complex keys, each of which takes a long time to test. Conversely, closed source programs are generally scrutinised by far fewer people, and as such they are generally less able to perform with the same speed, efficiency and reliability as their open source alternatives, including the security related programs described above.
  • by Anonymous Coward on Wednesday February 11, 2009 @01:27AM (#26808547)

    Since 2004 the source code for Windows has been available for $20 on blackhat websites. So it's available for scrutiny by a very select few, since possession is criminal.

    Also, Microsoft regularly allows universities and governments to look at windows source code under NDA.

    Plus, Bill Gates testified under oath that it would be a security calamity for windows source code to be released into the wild.

    Strangely enough, that hasn't happened with linux & openbsd.

  • by NevarMore ( 248971 ) on Wednesday February 11, 2009 @01:29AM (#26808573) Homepage Journal

    "...[systems] that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security."

    Prove, document, and send your customers exactly that. None of my customers give a rat's ass about philosophy; they care about the bang for the buck.

    If you can clearly point out to your customers that:
    1. The sales calls they're getting are SALES CALLS. Your customers will realize that the salesman will spin things so that they buy his kit. That spin may not be accurate or apply to them.
    2. Uptime of your systems in a given time period.
    3. Cost of your systems/services over that time period.
    4. Be honest, unplanned downtime in the same time frame for your systems/services.
    5. Distill all of that to brief bullets or an executive summary paragraph.
    6. Follow on with a request for feedback. You strive to provide the best service to your customers, make sure that they're happy.
    7. Double check all of your numbers before sending, assume it will be shown to the sales people from other companies. CYA.

    Waffling on about philosophy and visibility of code and yadda yadda is all well and good, but the person cutting the cheques does.not.care. What they do care about is ROI and cost/benefit. They care about your track record of performance.

  • by tpgp ( 48001 ) * on Wednesday February 11, 2009 @02:02AM (#26808793) Homepage

    It is true - the GP said they used BSD licensed code and the source you cite agrees:

    Keep in mind there is no reason to rewrite that code. If your ftp client works fine (no comments from the peanut gallery!) then why change it? Microsoft has other fish to fry. And the software was licensed perfectly legally, since the inclusion of the copyright notice satisfied the BSD license.

    Furthermore, I think the GP was thinking of the BSD licensed zlib. This library had a security issue [securityfocus.com] several years back. Linux / BSD / etc were patched almost immediately (just update a single library), but MS products, including DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, were not patched as quickly.

  • Re:turn tables (Score:5, Informative)

    by Hooya ( 518216 ) on Wednesday February 11, 2009 @02:06AM (#26808821) Homepage

    If I were in that situation, I'd cite:

    Cisco - ASA - Based on Linux
    A10 - Loadbalancer/Firewall - Has Linux
    Coyote Point - Loadbalancer - *BSD

    And I'm sure several others.

    If open source is good enough for Cisco to use for Firewalls that you'd need to secure your network, you'd think it's secure enough for the common man?

    Any references where Windows was used for firewalls to secure the rest of the network?

    I'm not sure if I'd take the combative approach but the point is that even if you went 'proprietary' and wiped out all open source servers, put windows on 'em - what would you put in front to firewall them? Another windows box? Or a Cisco ASA? So, did you really get rid of Open Source?

  • by juanhf ( 167330 ) on Wednesday February 11, 2009 @02:15AM (#26808895)

    Secunia [secunia.com] keeps track of vulnerabilities in over 20,000 different software applications and operating systems. I would start there when comparing the relative security of an application - which I would not rate simply by whether it is closed or open source but by whether it is maintained, the severity of the vulnerabilities, and how many issues are outstanding.

  • by rtfa-troll ( 1340807 ) on Wednesday February 11, 2009 @02:45AM (#26809075)

    You seem to be a bit trolling, but you're an interesting troll, so let's go ahead :-)

    It's very clear that different parts of open source have different standards of review. Whilst the Debian SSL situation is bad to terrible (I had just installed my home web server on Debian for an experiment; I was not pleased!), it was discovered only due to the source being open. It's known that actual deliberate attempts to put back doors into the Linux Kernel have been thwarted [freedom-to-tinker.com]. By choosing properly supported, stable, well audited parts of Linux there can really be a benefit. Personally I would strongly recommend RedHat. I was impressed that their distribution wasn't actually compromised during the recent attacks on their signing infrastructure. It showed a real commitment to defense in depth to a level which surprised me.

    Even the compiler attack you mention has now been countered [dwheeler.com] (see also Schneier's interesting discussion of double compilation [schneier.com]). I'm surprised you don't mention it when discussing a 1980's paper (which is why I wonder about the trolling bit). This means that it really is possible to leverage the benefit of "open source" for better security.

    I'd take a slightly different moral; you should have layered trust. More for Linux; less for Apache; little for Open Office; very little for random Linux games; none for closed source software. Use SELinux to partition your software (if your OS doesn't support SELinux then change it :-). If you care about security then insist on source and actually pay for some parts of source level audits.

    A key "talking point" in this discussion would be why the Chinese insisted on having Windows source whilst commercial customers don't get it. Discuss whether your company has any Chinese competitors. Seriously consider switching off a system which gives those competitors a benefit you don't have (sometimes Chinese competitors seem indistinguishable from the government). If they insist on source then so should you.

  • Re:*sigh* (Score:3, Informative)

    by techno-vampire ( 666512 ) on Wednesday February 11, 2009 @02:59AM (#26809169) Homepage
    The question is who can *load and execute code* with ease.

    It doesn't matter that somebody can identify a vulnerability and write code to exploit it if they can't get it loaded and running on anybody else's box. Even if they can get the program downloaded onto a Linux machine, it won't, by default, have execute permission. In the Windows world, everything has execute permission and ActiveX is there to download and run arbitrary code from any website that wants to take advantage of it. I don't know about you, but to me, that makes Linux more secure than Windows, which is why I'm using it right now.

  • Re:Fight back (Score:3, Informative)

    by turbidostato ( 878842 ) on Wednesday February 11, 2009 @04:22AM (#26809539)

    "They claim it's a feature, because it's a feature their large corporate customers asked for. You aren't likely to get bonus points for going against that one."

    But the question is *why* they asked for it.

    "Microsoft used to release patches as soon as they were discovered. They worked that way for decades. A hole was found, a fix was built, tested, and released. Patches would come out almost daily sometimes. The big companies didn't like that because besides the plethora of standard 3rd party apps that MS and others tested the patch against, they also all had tons of custom in-house software that each patch had to be tested against."

    That's the symptom, not the deep reason. The reason they didn't want ASAP patches is simply because *they broke things*.

    I'm still waiting for a Debian security update to break anything.

  • Re:Fight back (Score:5, Informative)

    by HungryHobo ( 1314109 ) on Wednesday February 11, 2009 @05:03AM (#26809715)

    Well there's an old quote you could pull out.

    If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -and you still can't open the safe and read the letter - that's security.

    This might be a way to explain it to your clients.

  • by Enleth ( 947766 ) <enleth@enleth.com> on Wednesday February 11, 2009 @05:24AM (#26809847) Homepage

    That's also disinformation - Microsoft itself is ENDORSING AND FUNDING Open Source!

    Just put the phrase "Microsoft funding apache" in any web search engine. It was on Slashdot a few weeks ago anyway. And show that to your customers. MS's MCPs are saying that Apache is insecure? Well, Microsoft is funding it and saying that it's good, so it looks like those MCPs know crap even about things Microsoft has an official say in, and they shouldn't be trusted in those matters, or probably in any matters.

  • Re:Fight back (Score:5, Informative)

    by init100 ( 915886 ) on Wednesday February 11, 2009 @05:37AM (#26809909)

    I'm still waiting for a Debian security update to break anything.

    OpenSSL?

  • Re:Fight back (Score:4, Informative)

    by Allador ( 537449 ) on Wednesday February 11, 2009 @05:48AM (#26809969)

    Couldn't they keep releasing patches as holes were discovered and simply provide the means for their clients to decide when to install them at their discretion?

    Yes, that's how it always worked, and still does.

    You seem to be suggesting that at one point Microsoft would 'force' (somehow) customers to apply the patch. This has never been the case and doesn't even make sense.

    The piece you're missing is that once MS releases a patch, the black hats reverse engineer the patches, and within a few days to a week can have a working exploit in the wild.

    So in the real world, exploits for a patch necessarily follow the release of that patch by a few days to a week.

    In that situation (which describes the real world situation) it's much better to lump them all together and do them once per month.

    The exception is when there are active exploits going on in the wild already. At that point, there's no downside to releasing the patch.

  • by barndoor101 ( 1289328 ) on Wednesday February 11, 2009 @06:18AM (#26810127)
    http://news.cnet.com/2100-1016_3-5083458.html [cnet.com] China has access to windows source code. Legally.
  • Re:Fight back (Score:5, Informative)

    by suckmysav ( 763172 ) <suckmysav AT gmail DOT com> on Wednesday February 11, 2009 @07:54AM (#26810647) Journal

    "They used to release as they patched, but that was even more problematic"

    Translation: Admins were sick and tired of rebooting servers on a daily basis.

    Rather than do the impossible and redesign their OS from the ground up to make the constant rebooting issue irrelevant, they did the only thing possible wh

    Clump all their updates into bundles so that reboots were "scheduled" and admins got used to the cycle.

  • Re:Fight back (Score:3, Informative)

    by TheJasper ( 1031512 ) on Wednesday February 11, 2009 @08:16AM (#26810767)

    But the truth is Open Source Software is not automagically secure. There can be safes which have open design specifications that aren't secure - just no safecrackers have bothered looking at them.

    That is not the point. No one said open source meant 100% perfect software. The point with security is that if there is a problem you want to know about it right away and take steps. Thinking that by hiding away details no one will know about your problems is naive. Security lies in how well your safe can resist being opened by someone who knows how it works and in keeping your combination secret. That last part is the biggest security hole in most systems.

    Sure, track record is important, but any security system which doesn't open itself to public scrutiny is likely to be flawed. This is what you are taught if you take courses on security; this is what the real professionals believe. Keeping things secret will work as long as there is only one person who knows the secret, and he has to be dead.

  • FUD and bullshit (Score:3, Informative)

    by Tom ( 822 ) on Wednesday February 11, 2009 @08:58AM (#26811073) Homepage Journal

    Countermeasure: Education.

    'anyone can read the code and hack you with ease.'

    Use the opportunity to explain to them that if reading the code reveals possible hacks, then indeed the code sucks. Cryptography teaches us that knowing the algorithm doesn't give you an "in", unless the algorithm is flawed. Example: Knowing that the file was AES encrypted doesn't allow me to decrypt it (without the key), even though the AES algorithm is public knowledge.

    You could also ask two provocative questions:

    One: Why then are public standards public, if knowing how things work would make it easy to exploit them?

    Two: If knowing the code makes it easy to hack you if there are bugs in the code - then what does Microsoft have to hide, by hiding the code? All the bugs that make hacking it so easy, perhaps?

    Third alternative, you could point out that the source code to Windows is widely available (lots of companies and universities have source code licenses), and has in fact been leaked to the general public several times.

    My preferred alternative would be "if you believe that shit, you're a lot dumber than I thought", but you probably can't say that to customers.

  • Re:Fight back (Score:3, Informative)

    by ckaminski ( 82854 ) <slashdot-nospam@ ... m ['r.c' in gap]> on Wednesday February 11, 2009 @12:15PM (#26813769) Homepage
    No, the idiots used to release product improvements in service packs and patches, and THAT caused a problem. They didn't constrain patches to simple fixes.

    And WSUS makes their once-a-month policy moot anyway, because it puts upgrade power back in the hands of the site admins, and not WindowsUpdate.
  • The wrong argument (Score:3, Informative)

    by bugs2squash ( 1132591 ) on Wednesday February 11, 2009 @01:33PM (#26815245)
    Operating systems contribute to security, but they are just a part of the big picture.

    I would say that the most secure NSA-custom operating system in the world in the hands of someone who knew little about how to use it was far less secure than the least-secure OS you can think of (say, MSDOS) skillfully deployed in a secure infrastructure.

    I feel that the security of your company rests more on the experience of your IT management team than on any single hardware or software component.

    If your team knows how to use Linux securely it easily trumps using any unfamiliar platform in a potentially insecure manner.

    If I were Microsoft I would tout that it is supposedly easier to hire and retain trained Microsoft geeks than trained Linux geeks. To my mind, perhaps a more rational point and harder to argue back against.

    Don't read this as a rant against MSDOS, for all I know it was tremendously secure, easy to assimilate, still somewhat familiar to many older IT staff and I doubt virus writers support it any more. So yeah - by all means migrate to MSDOS for the security benefits.
  • by Anonymous Coward on Wednesday February 11, 2009 @08:58PM (#26821687)

    Cisco - ASA - Based on Linux
    A10 - Loadbalancer/Firewall - Has Linux
    Coyote Point - Loadbalancer - *BSD

    Isilon - FreeBSD
    Juniper's JunOS - FreeBSD
    NetApp - FreeBSD
    Force10 - NetBSD

  • Re:Fight back (Score:1, Informative)

    by Anonymous Coward on Thursday February 12, 2009 @01:34AM (#26823633)

    Even NASA and the Department of Energy have spent millions on Linux systems and putting some of their most essential work in that environment. If it's good enough to secure our nation against terror, doesn't it have to be better than the system you're patching monthly and still getting break-ins on?

    It's hard to argue against the US Department of Defense Future Combat System;
    U.S. Army's Future Combat System Will Run Linux (2003) [slashdot.org]
    Work Progressing on Army's Future Combat Systems (2008) [slashdot.org]

    Or the US Department of Defense Open Source Code Development Repository;
    US Dept. of Defense Creates Its Own Sourceforge (2009) [slashdot.org]
