
How To Argue That Open Source Software Is Secure? 674

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
  • That's a new low (Score:5, Interesting)

    by Daishiman ( 698845 ) on Wednesday February 11, 2009 @12:36AM (#26808095)
    Really, that's a new low for Microsoft lackeys. Being ISVs you'd expect them to be a bit more honest and pragmatic. Turns out they're just like their evil overlords.
  • by wtansill ( 576643 ) on Wednesday February 11, 2009 @12:37AM (#26808105)
    Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.
  • Of course... (Score:5, Interesting)

    by QuietLagoon ( 813062 ) on Wednesday February 11, 2009 @12:40AM (#26808119)
    "they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.'"

    Of course, Microsoft Windows has proven that closed-source, proprietary software is secure. Ha-ha-ha-ha-ha-ha-ha-...

    Microsoft is desperate to fight the lower cost of Open Source in these troubled economic times. Microsoft is having trouble justifying their economic existence. So, instead of fighting on a cost basis, Microsoft is trying to shift the battleground to a different arena --- one of security. Unfortunately, in the arena of security, Microsoft loses big.

  • by tcopeland ( 32225 ) <tom@@@thomasleecopeland...com> on Wednesday February 11, 2009 @12:42AM (#26808139) Homepage

    He may be lurking hereabouts, but if not, here's his bio [perens.com]. I've been doing open source for a fair while - 10 years or so - but he's been talking to companies and coming up with good answers to various arguments against open source for much longer.

  • Um..laugh? (Score:3, Interesting)

    by msimm ( 580077 ) on Wednesday February 11, 2009 @12:42AM (#26808141) Homepage
    I'm sure in enterprise things can be different, but working for a small/medium sized developer I know my CEO isn't so un-clued in that I couldn't explain something like this over a drink and have a good laugh.

    But then we've used Oracle and seen what happens when cost and bad economics limit your business's growth. Let them smoke our RHEL and MySQL licensing, maybe they're getting something out of the ink.

    Better yet, when your PHB approaches you why don't *you* ask him to point out a security situation that *wasn't* caused or aggravated by something that wasn't open source.

    Just because some idiot says it's true doesn't mean anything.
  • by TheSpoom ( 715771 ) * <slashdot@@@uberm00...net> on Wednesday February 11, 2009 @12:43AM (#26808151) Homepage Journal

    Open source software is like any report in an academic journal.

    While a little more informal, it has usually been similarly vetted by competent experts in the field before it's been allowed into the wild, especially in large projects.

    Therefore, it's much more reliable than closed source software like Windows, for which you have to take Microsoft's word alone, as opposed to the reviews of several top developers in their fields who approved the commits in the first place.

    Plus, tell them to examine their sources; the bias is obvious.

  • Antivirus (Score:5, Interesting)

    by lena_10326 ( 1100441 ) on Wednesday February 11, 2009 @12:54AM (#26808261) Homepage

    2 points.

    1. The fact that an antivirus program combined with a firewall is mandatory for any windows box (closed source) to remain virus free for longer than 20 seconds connected to the internet, whereas linux (open source) requires no such antivirus program, is experiential proof that linux is more secure.
    2. Many firewall/routers run linux. If linux is good enough to protect your windows machines from intrusion, then a logical person would conclude an open source operating system such as linux is more secure.
  • by goombah99 ( 560566 ) on Wednesday February 11, 2009 @01:07AM (#26808389)

    Since 2004 the source code for Windows is available for $20 on blackhat websites. So it's available for scrutiny by a very select few since possession is criminal. [theregister.co.uk]

    Also it's worth noting that even for-profit companies like Sun and Apple often open source their code (e.g. apple's Darwin Kernel and openSolaris). And those companies have much better security reputations than Microsoft.

  • by Anonymous Coward on Wednesday February 11, 2009 @01:13AM (#26808439)

    They sure have to be concerned over security. I don't know for sure, but Google has to be right up there, probably the largest, 500 buhzillion servers running.... Let's check.... What do they run? [netcraft.com] Aww, gee, would they do that if it was insecure? Is Google dumb, or smart? Does IBM push open source? Well, yes they do. Is IBM dumb, or smart, would they push inherently stupid and insecure software? What runs on the bulk of the world's supercomputers used by top companies and research organizations and universities and nations? I just looked, 439 out of the top 500 run Linux. Ask those MS scaremongers if all these advanced eggheads would run Linux or open source if it was inherently insecure.

    Just start throwing some big names, big computers and big projects out there that deflate the MS bluster. Then tell them you are now on their "do not call" list, to stop spamming you, and to stop wasting your time. Really, this is 2009, any company/PHB that would fall for such retarded scare tactics about open source has no business using anything more modern than an abacus and an ink quill.

  • A good metaphor (Score:2, Interesting)

    by platykurtic ( 1210910 ) on Wednesday February 11, 2009 @01:15AM (#26808453)
    Think about the lock on your door. Do you know how it works? If you don't you can look it up on the internet somewhere. But even though you know how it works, if you don't have the key, you can't get past it.

    This is a general principle of security in general: something is only truly secure if it remains secure even when you know exactly how it works. Anything else is "security by obscurity".

    Closed source software is like a mysterious lock where you have no idea how it works. You can take the company's word that it's secure, but really you just don't know. One day someone may just show up able to waltz right into your house. If the design of the lock is public for everyone to see, you can examine it yourself if you're knowledgeable in such things, or else rest secure knowing that plenty of knowledgeable people have deemed the lock good enough for their homes.

    That's my favorite way of explaining open source to non-computer people.

  • by Johnny Loves Linux ( 1147635 ) on Wednesday February 11, 2009 @01:22AM (#26808515)
    What is the #1 website on the planet today? Answer: Google.
    How many machines does Google have to support its business? Answer: tens of thousands.
    What operating system does Google use? Answer: Linux.
    How many times has Google been hacked in its 11 year history? Answer: Anybody, anybody?
    What is the #1 desktop operating system today? Answer: Microsoft.
    How many worms, trojans, viruses, etc. are there for Microsoft OSes? Answer: > 100,000 (source: pick your favorite anti-virus company counting scheme.)
    How many times have businesses been hosed by using Microsoft software? Answer: Too many to count. The latest blunder today? The French navy. Reference: http://www.networkworld.com/news/2009/020909-conficker-worm-sinks-french-navy.html [networkworld.com]
    Now for the last and most important question: What does Microsoft think that it knows about security that Google doesn't? Because comparing their security track records, it's not obvious to me that Microsoft knows anything about security.
    --Johnny says when in doubt just ask Google.
  • Re:*sigh* (Score:3, Interesting)

    by ScytheBlade1 ( 772156 ) <`moc.lruegareva' `ta' `1edalbehtycs'> on Wednesday February 11, 2009 @01:23AM (#26808517) Homepage Journal

    Keep in mind that the question was not linux, the question was "open source." OpenBSD falls under that, and in many ways I'd regard OpenBSD as more "secure" than linux.

    But before the trolls get at me (I ONLY HAVE LINUX DESKTOPS, BACK OFF!)...

    Don't get me wrong, as a whole I'd agree with your NSA analogy, but your example isn't remotely encompassing of "open source." Mozilla is open source, but you'll note we don't have SEMoz. And really - SElibpng?

    The MS reps are spreading FUD.

    " because 'anyone can read the code and hack you with ease.'"

    Which is absolutely true. The question is who can *load and execute code* with ease. That answer is pretty clearly defined - and in the case of open source, it is arguably more clearly defined than in the case of MS.

    In any case, if someone is capable of running code on your system, you're likely screwed. It's not as bad as physical access no, but it's still not good either.

    The relative "openness" of the source code has 0 impact on who you allow to run code on your system. You trojaned a PAM library, great! You can now get complete root access!

    Now you just have to install it.

    (Oh....)

  • by Standard User 79 ( 1209050 ) on Wednesday February 11, 2009 @01:31AM (#26808597)
    You don't exactly say what the tech level of your customers is, but I'd suggest:
    1. First tell them it is a great question. Explain to them that your company is very serious about security and they should always feel comfortable asking any question about your architecture, methods, etc.

    2. Explain one of the reasons you use Linux is because of your concerns about their security.

    3. Be able to link/show them the percentage of infected windows computers compared to Linux. This link should be from a highly reputable news source. (e.g. http://www.nytimes.com/2005/08/17/technology/17virus.htmll [nytimes.com]) This is the only stat they need to see.

    4. Avoid any evangelism about open source. Most likely they don't care, they want a solution and a provider they can trust.

    5. Finally take this as an opportunity to build a better relationship with your customer. The fact that they called you rather than switching providers means they *want* to trust you. Leave them with the feeling that they can.
  • Re:That's a new low (Score:3, Interesting)

    by Ethanol-fueled ( 1125189 ) * on Wednesday February 11, 2009 @01:34AM (#26808619) Homepage Journal
    Not necessarily, Toe. If Microsoft breaks Surface now then they could have a leg up on everybody. But they won't, because they're too busy trying to stick their fingers in everybody else's pie as per Ballmer's demands. In defense of the devil, there are many smart people working for Microsoft who are censured by Dick Cheney...er...Ballmer...er...other pointy-haired advertising executives who buy mod points from Slashdot.

    [MS developer]: "Eureka! We've surpassed the iPhone and made efficient all that humanity stands for!"
    [Ballmer]: "Yes, great that it cost a lot. We'll save it for later, you are all redirected to the Zune project! We can't lose to Apple, can we?! You know how many job openings there are in India? [*brandishes fist*]

    [shareholders]: "Why haven't we seen any useful technologies emerging from the sinkhole that is your R&D department?"
    [Ballmer]: "We have RIAA and MPAA operatives in the United States government."
    [shareholders]: "Ooooooh."
    [other shareholders]: "Ahhhhhhhhh!"
  • by Alpha830RulZ ( 939527 ) on Wednesday February 11, 2009 @01:38AM (#26808645)

    1) I'd ask them what the security experience has been over the period you have supported them. While headline after headline has been in the paper about Windows exploits, botnets and viruses, what has happened with their installation?

    2) I'd inform them that Google runs on Linux. Do they think Google knows what they are doing?

    3) I'd tell them to talk to one of the people who is selling the windows services, and ask them to detail the costs of converting to MSFT, and what the security measures required would be. I think they'll blink after they get the price tag.

    Sad to say, even if Windows was more secure, most people will balk at the expense if they're already running a solid linux based infrastructure.

  • Re:turn tables (Score:5, Interesting)

    by sumdumass ( 711423 ) on Wednesday February 11, 2009 @01:56AM (#26808759) Journal

    Many small shops like to think they are more important than they are. I don't know how many times I have had to switch to some other software because a partner found that a larger firm used something else, just to find it willfully inadequate compared to what was being used before the 20 grand switch. This is true for law firms, tax shops and accounting shops, insurance agencies and almost everything else I have worked with. They seem to think that using the software they use will give them the edge to be as profitable as they are.

    The counter spin tactic that would probably be beneficial is something along the lines of: Sun, IBM, Novell, and several other big iron shops use OSS. Even the smaller and mid level shops that use DB back ends use OSS like Pervasive SQL, Oracle, MySQL, and so on. How is it that the large shops who spend the money for the Sun or Novell or IBM or Oracle servers that cost probably more than what they paid for IT in the last year don't have security concerns with Open-Source Software, but a Microsoft rep who is attempting to sell you software and lock you into their specific version/line can convince you that it is unsafe?

    I would still attempt to back that up with other facts concerning OSS usage, like by Cisco, ZyXEL, and several other routing companies who provide industry leading security and routing products. I mean, if the routers are configured correctly and capable of acting as a firewall, it's the first line of defense. And if their OSS servers and software aren't directly connected to the internet, then where is the worry, because in order to hack them you would need to bypass the routers or gain physical access to them.

  • by Anonymous Coward on Wednesday February 11, 2009 @03:11AM (#26809231)

    http://2stepsback.wordpress.com/2007/10/22/get-out-linux/

  • Re:turn tables (Score:3, Interesting)

    by AlgorithMan ( 937244 ) on Wednesday February 11, 2009 @03:29AM (#26809315) Homepage
    If the BSD code is completely gone now, why do Vista and the Win7 beta still have the

    C:\Windows\System32\drivers\etc

    directory? And why does that directory contain files that have the exact same syntax as the files found in BSD's /etc directory? Even the names are the same, plus the comments in these files start with a #, which is common in Unix systems (like BSD), but completely unusual for Microsoft's syntaxes...

  • Re:Fight back (Score:3, Interesting)

    by Anonymous Coward on Wednesday February 11, 2009 @04:08AM (#26809473)

    Someone can correct me if I am wrong, but I believe Red Hat EL 4/5 and SUSE 10 have EAL4+. The + does not mean it's EAL 5 and above, but rather EAL 4 with additional protection profiles. The generic Linux kernel does not have an EAL rating.

    Windows 2000/XP/2003 has got the same (That is EAL4+). I am not sure about differences between the protection profiles though.

    So watch out when you argue that point.

    Note: AFAIK only 1 or 2 purpose designed OSs have ever got higher than that.

  • Re:Fight back (Score:3, Interesting)

    by Anonymous Coward on Wednesday February 11, 2009 @05:10AM (#26809751)

    We deal with satellites and gather data from NASA, ESA, JAXA, several governmental intelligence satellites, IRIDIUM and GALILEO among others.

    Do we need tight security? I would say so.
    Do we run mainly on Linux and open source? Yes.

  • Re:Fight back (Score:2, Interesting)

    by mapkinase ( 958129 ) on Wednesday February 11, 2009 @06:21AM (#26810155) Homepage Journal

    I was always puzzled with that "eyes" thing in open software, more precisely with the implicit assumption that there are plenty of eyes looking at the software code. I thought it's the ratio "bad eyes"/"good eyes" that matters the most, and what are these numbers actually in "closed" and open software?

  • Re:turn tables (Score:5, Interesting)

    by damburger ( 981828 ) on Wednesday February 11, 2009 @06:32AM (#26810225)

    In other words "Science - it works bitches"

    As a physicist I am quite comfortable arguing the merits of evolution over creationism because I understand the strength of the process that favored the former over the latter. I don't have to see every single experiment performed in that area of research; I know dodgy research would've been (and has been) spotted.

  • by johnsie ( 1158363 ) on Wednesday February 11, 2009 @06:36AM (#26810245)
    Open source is only as secure as the users who use it and the developers. Obviously having more developers/testers involved can make it easier to find vulnerabilities... But for smaller projects it's difficult to tighten security if there are a small number of developers or people to report the insecurities. The same goes for closed source though; the only difference is that the vulnerabilities of open source are usually easier to find because the source is available.
  • Re:Antivirus (Score:3, Interesting)

    by Bert64 ( 520050 ) <(bert) (at) (slashdot.firenzee.com)> on Wednesday February 11, 2009 @06:48AM (#26810307) Homepage

    While that may be true, blackhats also prefer unix machines...

    The CLI is better, and usable over a slow connection, smart blackhats will relay through multiple machines in different countries resulting in a connection far too slow for use of a gui.

    Unix machines will also have a whole set of cli based tools installed, and it's usually easy to install more if necessary...

    Blackhats will typically only resort to windows machines when they need mass numbers, eg spam sending and ddos, and they will write automated tools to do it rather than logging in and running tools manually.

  • Test, test, test (Score:3, Interesting)

    by CarpetShark ( 865376 ) on Wednesday February 11, 2009 @07:38AM (#26810549)
    "You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service."

    Exactly. If you can't prove it's secure, then you must assume it's insecure. Penetration testing is a start. Code auditing and automated analysis, unit testing, honeynets, design by contract (including specification of what exceptions methods throw), and even mathematical proofs of code reliability would be better.

    Of course, until most open source code has enough documentation to specify its intended purpose, so that you can actually test that it meets those specifications, most of this is a moot point.
  • by gnasher719 ( 869701 ) on Wednesday February 11, 2009 @09:22AM (#26811295)

    AES, RSA, and all the rest are published standards. Now, some companies claim that they can't reveal what kind of encryption they use or it would severely degrade their product. I'm not naming names because I have none, this is just a vague recollection. Just go with the high level idea.

    I once encountered a product that protected some internal information with the RSA algorithm. The key was the product of two large prime numbers. The large prime numbers were the tenth prime number above 2^63, and the tenth prime number below 2^60. Looks like they took their large primes from Knuth's "Art of Computer Programming". I factored the product using pen and paper :-)
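The weak-key pattern gnasher719 describes (primes taken from a table instead of generated at random), as an added example that is not code from the thread: it builds a modulus from the tenth prime above 2^63 and the tenth prime below 2^60, then runs the audit a key reviewer would run, checking whether either factor sits within a few dozen primes of a power of two. The function names, the search window and the bit range are my own assumptions.

```python
# Added example, not code from the thread: an RSA modulus built from
# "table" primes (the tenth prime above 2^63, the tenth prime below 2^60)
# and the audit that exposes it. A key-review check, not a general factoring tool.

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; exact for every n below 3.3e24."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def nth_prime_from(start, count, step):
    """The count-th prime strictly above (step=+1) or below (step=-1) start."""
    n = start
    while count:
        n += step
        if is_prime(n):
            count -= 1
    return n

def weak_modulus():
    """Modulus generated the way the commenter describes. Returns (n, p, q)."""
    p = nth_prime_from(2**63, 10, +1)  # tenth prime above 2^63
    q = nth_prime_from(2**60, 10, -1)  # tenth prime below 2^60
    return p * q, p, q

def factor_near_powers_of_two(n, max_bits=64, window=32):
    """Audit: does a factor of n sit within `window` primes of some 2^k?

    Returns (small, large) if so, else None. The window and bit range are
    assumptions for the demo; a production check would widen both."""
    for k in range(16, max_bits + 1):
        for step in (+1, -1):
            cand, found = 2**k, 0
            while found < window:
                cand += step
                if is_prime(cand):
                    found += 1
                    if n % cand == 0:
                        return min(cand, n // cand), max(cand, n // cand)
    return None

if __name__ == "__main__":
    n, p, q = weak_modulus()
    print("modulus bits:", n.bit_length())
    print("recovered:", factor_near_powers_of_two(n) == (min(p, q), max(p, q)))
```

The same audit returns None for a modulus whose primes were drawn at random, which is the point: the weakness is in where the primes came from, not in RSA.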

  • by mcvos ( 645701 ) on Wednesday February 11, 2009 @10:19AM (#26811917)

    For Dutch customers, there's an excellent and highly publicised example why open source is better than closed proprietary algorithms: the new public transit chip card (OV chipkaart).

    This new chip card is meant to become the new universal standard for paying for public transit in the Netherlands. Big project, and needed to be secure, so they hired a company with their own, secret, proprietary encryption system to handle it.

    Anyone who knows anything about encryption can see the next step coming: as soon as it became big and the first chip cards became available, real experts started testing the security, and it was quickly broken. Several times, by different people, in different ways.

    There are lots of other problems with this new chip card, they went way over budget, there are privacy issues, detection gates behave erratically etc., but this single issue, using private amateur encryption instead of an established and well tested system, is just really amazingly stupid.

    It's already in production in Rotterdam. You have to use the card, no other option. And everybody knows it's insecure.

  • No. But others have. (Score:3, Interesting)

    by jotaeleemeese ( 303437 ) on Wednesday February 11, 2009 @11:54AM (#26813421) Homepage Journal

    Banks (all the major ones worldwide), oil companies (both in the service side and producers), education institutions, government agencies and uncountable private companies in many other industries.

    None of them have gone through all the code at once for sure, but for example one company I know about found problems with the "top" utility, checked the code, fixed it, and the guy that found the problem was given permission to release the fix.

    The same company found a major problem with a very important infrastructure service around 5 or 6 years ago. The software provider tried to help, but the only developer that really knew anything about the bit of code relevant to the problem was always too busy doing something else, so the client company had to redesign its whole regional infrastructure in order to accommodate for the shortcomings of the software.

    If that company had had access to the code, it had enough money to hire 2 or 3 programmers full time for a couple of months in order to sort out the problem (it would have been cheaper).

    This effect accumulates and benefits *everybody*, the benefits are based in user need rather than in the needs of a software provider.
