Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Microsoft Software Linux

How To Argue That Open Source Software Is Secure? 674

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
This discussion has been archived. No new comments can be posted.

How To Argue That Open Source Software Is Secure?

Comments Filter:
  • That's a new low (Score:5, Interesting)

    by Daishiman ( 698845 ) on Tuesday February 10, 2009 @11:36PM (#26808095)
    Really, that's a new low for Microsoft lackeys. Being ISV's you'd expect them to be a bit more honest and pragmatic. Turns out they're just like their evil overlords.
    • Re:That's a new low (Score:5, Informative)

      by Ethanol-fueled ( 1125189 ) * on Tuesday February 10, 2009 @11:54PM (#26808251) Homepage Journal
      Eh. Two of the three ads [imageshack.us] served on this page since I first viewed it are Microsoft ads.

      Never understood why people didn't like KDawson, but approving articles from known [slashdot.org] professional trolls with links to Twitter(not to mention the fact that other Slashdot admins post Twitter's articles) smells funnny. There's always a market in people you love to hate ;)
    • Fight back (Score:5, Insightful)

      by missing000 ( 602285 ) on Wednesday February 11, 2009 @12:16AM (#26808457)
      Don't discuss the attack, that's just playing into the hand they gave you.

      What I would point out is the monthly patch cycle you buy into with MS.

      Any vendor worth using releases patches as vulnerabilities are discovered, keeping software safe. MS doesn't do this, and claims it as a feature.

      The rest of the world releases patches as soon as someone with eyes sees a flaw. This is a clear advantage and negates all the FUD you are seeing.
      • Re:Fight back (Score:5, Insightful)

        by Malc ( 1751 ) on Wednesday February 11, 2009 @01:05AM (#26808809)

        Microsoft have a shocking history of sitting on a known vulnerability for years, but saying that releasing monthly instead of immediately is a problem is to spread your own FUD. They used to release as they patched, but that was even more problematic and so they responded to their customer's needs. In most cases, exploits don't appear in the wild until Microsoft release a patch for it.

        • Re: (Score:3, Insightful)

          Interesting adaptation...

          Wait for any anyone who's going to patch to patch. Any remaining hosts are theoretically easier targets and as a result you have a more stable botnet (no initial surge & dieoff as people patch/repair).
          • Re: (Score:3, Insightful)

            by Malc ( 1751 )

            No, I think it's just the reality of what happens. Maybe people don't write exploits until they've seen the issues that Microsoft are patching. A believe a lot issues are reported privately to Microsoft to give them time to investigate and patch. Then public disclosure comes. Then the exploits are implemented.

        • Re:Fight back (Score:5, Informative)

          by suckmysav ( 763172 ) <suckmysav@gmaiUMLAUTl.com minus punct> on Wednesday February 11, 2009 @06:54AM (#26810647) Journal

          "They used to release as they patched, but that was even more problematic"

          Translation: Admins were sick and tired of rebooting servers on a daily basis.

          Rather than do the impossible and redesign their OS from the ground up to make the constant rebooting issue irrelevant, they did the only thing possible wh

          Clump all their updates into bundles so that reboots were "scheduled" and admins got used to the cycle.

           

        • Re: (Score:3, Informative)

          by ckaminski ( 82854 )
          No, the idiots used to release product improvements in service packs and patches, and THAT caused a problem. They didn't constrain patches to simple fixes.

          And WSUS makes their once-a-month policy moot anyway, because it puts upgrade power back in the hands of the site admins, and not WindowsUpdate.
      • by Anonymous Coward on Wednesday February 11, 2009 @01:16AM (#26808899)

        You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service.

        • Test, test, test (Score:3, Interesting)

          by CarpetShark ( 865376 )
          <blockquote type="cite">You don't "argue" security--you test security. Offer your clients periodic penetration tests as a routine part of your service.</blockquote>

          Exactly. If you can't prove it's secure, then you must assume it's insecure. Penetration testing is a start. Code auditing and automated analysis, unit testing, honeynets, design by contract (including specification of what exceptions methods throw), and even mathematical proofs of code reliability would be better.

          Of course, until
      • Re:Fight back (Score:5, Insightful)

        by rtfa-troll ( 1340807 ) on Wednesday February 11, 2009 @01:17AM (#26808907)

        Don't discuss the attack, that's just playing into the hand they gave you.

        Well; if nobody's discussing it, then no. If they do discuss it you should definitely be ready to discuss their specific points with the people who have heard them. Preparing in advance so those points seem silly at the time they are told is also good.

        What I would point out is the monthly patch cycle you buy into with MS.

        It should be remembered that whilst this doesn't work properly, it was introduced partly at the demand of corporate customers. Some of them still like the idea and so it's maybe not the strongest point. What is worth discussing.

        • Linux has SELinux / iptables and other second level defenses which make many vulnerabilities easier to control
        • Linux patch management is integrated for both standard applications and OS making the likelyhood of an unpatched system much less than on Windows;
        • Linux patch management is flexible, allowing automated patching of systems on a self imposed schedule; e.g. desktops automatically, servers at night after warning.

        If you do want to discuss Microsoft's patch cycle, discuss it in the light of specific problems it causes. You should know of a specific "zero day" unpatched vulnerability which should obviously be patched and hasn't been.

        • Re:Fight back (Score:5, Informative)

          by HungryHobo ( 1314109 ) on Wednesday February 11, 2009 @04:03AM (#26809715)

          Well there's an old quote you could pull out.

          If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -and you still can't open the safe and read the letter - that's security.

          This might be a way to explain it to your clients.

          • Re:Fight back (Score:4, Insightful)

            by TheLink ( 130905 ) on Wednesday February 11, 2009 @06:06AM (#26810387) Journal
            But the truth is Open Source Software is not automagically secure. There can be safes which have open design specifications that aren't secure - just no safecrackers have bothered looking at them.

            Some OSS is secure, some aren't. Same for closed source.

            To me the track record of the programmers involved will give you a better idea of whether a particular program is secure or not.

            Analogy: someone who hasn't learnt how to write properly after 5 years of writing (or bothered to), is unlikely to write properly tomorrow. Whereas someone who keeps writing well is likely to still do so.
            • Re: (Score:3, Informative)

              by TheJasper ( 1031512 )

              But the truth is Open Source Software is not automagically secure. There can be safes which have open design specifications that aren't secure - just no safecrackers have bothered looking at them.

              That is not the point. No one said open source meant 100% perfect software. The point with security is that if there is a problem you want to know about it right away and take steps. Thinking that by hiding away details means noone will know about your problems is naive. Security lies in how well your safe can resist being opened by someone who knows how it works and in keeping secret your combination. That last part is the biggest security hole in most systems.

              Sure track record is important but any sec

              • Re:Fight back (Score:5, Insightful)

                by ScuzzMonkey ( 208981 ) on Wednesday February 11, 2009 @07:37AM (#26810921) Homepage

                There are a load of fine suggestions in this thread which are well-constructed for logical minds, but I can't help but feel this tactic is best answered in kind: a gut-level fear-check. And so the best response isn't to sit down and try to explain the perils of security through obscurity, nor to try to sell additional security services, or to discuss patch cycles and the like, but instead to simply ask the client this: "When's the last time you heard on the evening news anything about a new virus, exploit, or vulnerability discovered in your Linux software? Now, how about Microsoft software?"

                Overly simplistic? Absolutely. Sure to make them reconsider what the Microsoft vendors are trying to sell them on its supposed security? Definitely.

                • by TheJasper ( 1031512 ) on Wednesday February 11, 2009 @08:22AM (#26811283)
                  Good point. I like to educate people however. Even if your way is more effective. I like to tell people what I think and then if they ignore me I watch things blow up. If I like them I'll even tell them I told them so. Otherwise they probably won't see me again.

                  Of course they can do the same: "When OS is hacked who solves your problem? Some good samaritan? Who do you blame? Microsoft has a whole team of professional security experts who are standing by 24 hours a day...."
      • Re:Fight back (Score:5, Insightful)

        by LurkerXXX ( 667952 ) on Wednesday February 11, 2009 @01:27AM (#26808965)

        They claim it's a feature, because it's a feature their large corporate customers asked for. You aren't likely to get bonus points for going against that one.

        Microsoft used to release patches as soon as they were discovered. They worked that way for decades. A hole was found, a fix was built, tested, and released. Patches would come out almost daily sometimes. The big companies didn't like that because besides the plethora of standard 3rd party apps that MS and others tested the patch against, they also all had tons of custom in-house software that each patch had to be tested against. When patches were coming out frequently (sometimes daily as I said), their testing teams would only get a start on one patch, when they'd have to begin the testing process again with another patch. Things stacked up in the queues and they blew a lot of money on large testing teams. They requesting less frequent, but scheduled patch releases from MS so that they could set a regular manageable cycle for testing. It's certainly a security risk, but the pointy-hairs and bean counters at the large corps thought it was a good risk for the dollar savings.

        By attacking MS's patch cycle, you are attacking the pointy-hairs and bean counters at those companies you are trying convince open-source is good. Probably not the best approach.

        • Re: (Score:3, Informative)

          "They claim it's a feature, because it's a feature their large corporate customers asked for. You aren't likely to get bonus points for going against that one."

          But the question is *why* they asked for it.

          "Microsoft used to release patches as soon as they were discovered. They worked that way for decades. A hole was found, a fix was built, tested, and released. Patches would come out almost daily sometimes. The big companies didn't like that because besides the plethora of standard 3rd party apps that MS and

          • Re:Fight back (Score:5, Informative)

            by init100 ( 915886 ) on Wednesday February 11, 2009 @04:37AM (#26809909)

            I'm still waiting for a Debian security update to break anything.

            OpenSSL?

          • Re:Fight back (Score:5, Insightful)

            by erroneus ( 253617 ) on Wednesday February 11, 2009 @07:37AM (#26810923) Homepage

            If Microsoft "discovers" patches, that kind of scares me.

            Vulnerabilities are not patched when they are discovered. Some are, others sit waiting acknowledgement for a very long time before they are addressed.

            In any case, the only true and reasonable metric is track record.

            So first, one needs to explain that source code does not necessarily mean vulnerabilities are visible or present any more than knowing how a lock works makes them insecure. That is a pretty challenging hurdle to overcome. Frankly, I am not sure how I would address that in a way that would be universally understandable. But that is the beauty of FUD. Fear is easy to do, but not easy to undo. And since Microsoft is the accepted "religion" speaking against it is blasphemy.

            But it is easy to point to track record of security and it might be helpful to select some specific cases of known vulnerabilities in Windows that went unpatched for a very long time. It is also easy to point to the many, widely-known disasters that have occurred with Windows over the years... disasters that occur regularly without the use of source code proving that availability of source code is somewhat irrelevant.

            In the end, there will be arguments for both sides and neither will make clear sense to the non-technical. Request a 3rd party penetration test and security audit and be sure your ducks are in a row.

        • Re: (Score:3, Insightful)

          by Tuoqui ( 1091447 )

          Well I'm surprised people haven't gone with the most obvious method of arguing security...

          Ask them the following questions...

          Have you seen the Microsoft (XP, Vista, Office, etc...) source code?
          Do you know anyone who has?
          Do you know how quickly they find bugs and/or fix them?

          You can ideally attack the Microsoft patch cycle because EVERY. SINGLE. TIME. YOU. PATCH. YOU. HAVE. TO. REBOOT... With Linux the only time you need to reboot the system is if you patch the kernel itself.

          With Linux the patches are made a

      • Re:Fight back (Score:5, Insightful)

        by jd ( 1658 ) <`imipak' `at' `yahoo.com'> on Wednesday February 11, 2009 @01:46AM (#26809083) Homepage Journal

        Oh, there's actually a much better ways to do things. Windows 2000 had its NIST certification withdrawn due to insecurities (you don't have to say those were fixed and it was revalidated).

        Whereas Linux is certified at around EAL5 - one of the highest Government ratings for commercial software and above the standards needed for classified work. Linux also has security code by the NSA. They can't endorse it, being the Government and all, but would the NSA spend money on software they can't use?

        Even NASA and the Department of Energy have spent millions on Linux systems and putting some of their most essential work in that environment. If it's good enough to secure our nation against terror, doesn't it have to be better than the system you're patching monthly and still getting break-ins on?

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          Someone can correct me if I am wrong, but I believe Redhat EL 4/5 and Suse 10 have EAL4+. The + does not mean its EAL 5 and above, but rather EAL 4 with additional protection profiles. The generic Linux kernel does not have an EAL rating.

          Windows 2000/XP/2003 has got the same (That is EAL4+). I am not sure about differences between the protection profiles though.

          So watch out when you argue that point.

          Note: AFAIK only 1 or 2 purpose designed OSs have ever got higher than that.

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          We deal with satellites and gather data from NASA, ESA, JAXA, several governmental intelligence satellites, IRIDIUM and GALILEIO among others.

          Do we need tight security? I would say so.
          Do we run mainly on Linux and open source? Yes.

        • Re: (Score:3, Insightful)

          Oh, there's actually a much better ways to do things. Windows 2000 had its NIST certification withdrawn due to insecurities (you don't have to say those were fixed and it was revalidated).

          Yea, and when an MS ISV points out it's been revalidated, your credibility just went to zero. Clients would naturally think "What else didn't he tell me?" or worse.

        • Re: (Score:3, Insightful)

          by N1AK ( 864906 )
          Don't even bother talking about Windows and Windows software security. If your customers are caught by some FUD being spread trying to sell them a product and you start flinging mud against Windows you are pitting yourself against MS, which might be ok for a knowledgeable audience, but a lot of people will think MS is a good software provider because of its size.

          I'd try and keep your case very simple.
          Various government agencies use Linux, including Intelligence.
          Open Source means that people who follow
      • Comment removed (Score:4, Insightful)

        by account_deleted ( 4530225 ) on Wednesday February 11, 2009 @01:48AM (#26809105)
        Comment removed based on user account deletion
      • Re:Fight back (Score:4, Insightful)

        by turbidostato ( 878842 ) on Wednesday February 11, 2009 @03:16AM (#26809507)

        "Don't discuss the attack, that's just playing into the hand they gave you.
        What I would point out is the monthly patch cycle you buy into with MS. "

        I think you are right, but I'd go even a step further. Just as it is read:
        "I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years"

        Then I'd say: "Have your facts: all I can offer is my word and my 5-6 years track record, true. But once the Microsoft minion's word dust has settle what is it in reality *their* track record? Something like millions of malware-bloated systems? You are not buying words; you are buying facts."

    • by squidinkcalligraphy ( 558677 ) on Wednesday February 11, 2009 @12:25AM (#26808531)

      I wonder if that's because suddenly companies are trying to save money by moving to open source software [slashdot.org]? And this is a pre-emptive response by the people who have the most to lose?

      • Yep (Score:3, Insightful)

        by symbolset ( 646467 )

        "First they ignore you, then they ridicule you, then they fight you, then you win." -- Mahatma Gandhi

        They're getting scared now.

    • by Enleth ( 947766 ) <enleth@enleth.com> on Wednesday February 11, 2009 @04:24AM (#26809847) Homepage

      That's also being disinformed - the Microsoft itself is ENDORSING AND FUNDING Open Source!

      Just put the phrase "Microsoft funding apache" in any web search engine. It was on Slashdot a few weeks ago anyway. And show that to your customers. MS's CMPs are telling that Apache is insecure? Well, Microsoft is funding it and telling that it's good, so it looks like those MCPs know crap even about things Microsoft has say in officially and they shouldn't be trusted in those matters, or probably in any matters.

    • For Dutch customers, there's an excellent and highly piblicised example why open source is better than closed proprietary algorithms: the new public transit chip card (OV chipkaart).

      This new chip card, is meant to become the new univeral standard for paying for public transit in Netherland. Big project, and needed to be secure, to they hired a company with their own, secret, proprietary encryption system to handle it.

      Anyone who knows anything about encryption can see the next step coming: as soon as it beca

  • turn tables (Score:5, Insightful)

    by TheSHAD0W ( 258774 ) on Tuesday February 10, 2009 @11:37PM (#26808101) Homepage

    How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?

    • Re:turn tables (Score:5, Informative)

      by man_of_mr_e ( 217855 ) on Wednesday February 11, 2009 @12:00AM (#26808323)

      Actually, it's not true.

      You should read this article http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357 [kuro5hin.org]

      Microsoft did use code from BSD, but it was licensed from UCB (via Spider Software) and predates the first open source versions of BSD's network stack, as evidenced by the copyright dates. And Windows Network stack is not based on it anymore.

      • Re:turn tables (Score:5, Insightful)

        by Roger W Moore ( 538166 ) on Wednesday February 11, 2009 @12:18AM (#26808487) Journal
        Ah, but how do we know it is not true? Since it is closed source we can never be completely certain and just have to take someone's word for it....which is really the whole point of the argument for OS.
      • by tpgp ( 48001 ) * on Wednesday February 11, 2009 @01:02AM (#26808793) Homepage

        It is true - the GP said they used BSD licensed code and the source you cite agrees:

        Keep in mind there is no reason to rewrite that code. If your ftp client works fine (no comments from the peanut gallery!) then why change it? Microsoft has other fish to fry. And the software was licensed perfectly legally, since the inclusion of the copyright notice satisfied the BSD license.

        Furthermore, I think the GP was thinking of the BSD licensed zlib. This library had a security issue [securityfocus.com] several years back. Linux / BSD / etc were patched almost immediately (just update a single library), but MS products, including DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, were not patched as quickly.

      • Re:turn tables (Score:5, Insightful)

        by the_womble ( 580291 ) on Wednesday February 11, 2009 @01:07AM (#26808827) Homepage Journal

        It does not invalidate the point that the bugs were fixed in the open source versions and not in the MS version.

        Other points to make:
        1) Open = open to independent security audits. I think the Open BSD audit covers other people's code, so there is at least one example of it happening.
        2) MS code has been leaked [slashdot.org], and other code is deliberately shared [microsoft.com] with selected people. The bad guys probably have ways of getting hold of a lot of MS source code; whereas open source is available to you as well.
        3) Track record. Not just Windows vs Linux, but IIS vs Apache etc.

      • Re: (Score:3, Interesting)

        by AlgorithMan ( 937244 )
        if the BSD code is completely gone now, why does vista and the win7beta still have the

        C:\Windows\System32\drivers\etc

        Directory? And why does that Directory contain files that have the exact same syntax as the files found in BSDs /etc Directory? even the names are the same, plus the comments in these files start with a # which is common in unix-systems (like BSD), but completely unusual for Microsofts Syntaxes...

      • Re: (Score:3, Insightful)

        Actually, when I worked at Spider a few years later, there was still a lot of bitterness as apparently Microsoft did not so much as license the code, as just take it.

        But a small company of around 50 bodies does not have the resources to take Microsoft to court, so what are you going to do about it? Microsoft would counter-sue for defamation or somesuch and you'd be bankrupt before you got chance to prove your original claim.

    • Re:turn tables (Score:5, Insightful)

      by Pav ( 4298 ) on Wednesday February 11, 2009 @12:09AM (#26808407)

      I'm not sure "counter-spin" is the right tactic. Sure, you can offer some counter arguments, but personally I'd suggest the customer do an Internet search with something like "windows linux security". Microsoft has advertising muscle, editorial influence and sales teams... but despite this many people in-the-know choose open source specifically for security - an Internet search should make that clear. It will also demonstrate your integrity.

      • Re:turn tables (Score:5, Interesting)

        by sumdumass ( 711423 ) on Wednesday February 11, 2009 @12:56AM (#26808759) Journal

        Many small shops like to think they are more important then they are. I don't know how many times I have had to switch to some other software because a partner found that a larger firm used something else just to find it willfully inadequate compared to what was being used before the 20 grand switch. This is true for law firms, Tax shops and accounting shops, insurance agencies and almost everything else I have worked with. They seem to think that using the software they use will give them the edge to be as profitable as they are.

        The counter spin tactics that would probably be beneficial is something along the lines of Sun, IBM, Novel, and several other big Iron shops use OSS. Even the smaller shops mid level shops that use DB back ends use OSS like pervasive SQL, Oracle, MySQL, and so on. How is it that the large shops who spend the money for the Sun or Novel or IBM or Oracle servers that cost probably more then what they paid for IT in the last year don't have security concerns with Open-Source Software but a Microsoft rep who is attempting to sell you software and lock your into their specific version/line can convince you that it is unsafe?

        I would still attempt to back that up with other facts concerning OSS usage like by Cisco, Zycell, and several other routing companies who provide industry leading security and routing products. I mean if the routers are configures correctly and capable of acting as a firewall, it's the first line of defense. And if their OSS servers and software aren't directly connected to the internet, then where is the worry because in order to hack them, you would need to bypass the routers or gain physical access to them.

      • Re:turn tables (Score:5, Informative)

        by Hooya ( 518216 ) on Wednesday February 11, 2009 @01:06AM (#26808821) Homepage

        If I were in that situation, I'd cite:

        Cisco - ASA - Based on Linux
        A10 - Loadbalancer/Firewall - Has Linux
        Coyote Point - Loadbalancer - *BSD

        And I'm sure several others.

        If open source is good enough for Cisco to use for Firewalls that you'd need to secure your network, you'd think it's secure enough for the common man?

        Any references where Windows was used for firewalls to secure the rest of the network?

        I'm not sure if I'd take the combative approach but the point is that even if you went 'proprietary' and wiped out all open source servers, put windows on 'em - what would you put in front to firewall them? Another windows box? Or a Cisco ASA? So, did you really get rid of Open Source?

      • Re:turn tables (Score:5, Insightful)

        by JWSmythe ( 446288 ) * <jwsmythe@noSPam.jwsmythe.com> on Wednesday February 11, 2009 @01:13AM (#26808869) Homepage Journal

            An obvious one would be....

            "So, why do my non-public facing workstations constantly get viruses; my public facing Windows machines get exploited; yet my non-public facing Linux machines have no security problems; and my public facing Linux machines have never been exploited. They're all patched in accordance to the distribution guidelines."

            To appease the C-level folks, good documentation and quantification of the instances of security problems will make them happy.

            "We spent 5,000 man hours last year cleaning up exploit problems on properly patched Windows machines, yet we spent 20 hours investigating potential security problems on the open source machines and found them to be simply user error. Per machine they equate to 50 hours per Windows machine, and 0.01 hours per open source machine.

            In the last fiscal year, the TCO per machine on average, including cost of licenses, upgrade licenses, maintenance, and required security response for Windows machine was $800, while it was only $2.50 per open source machine. Hardware costs are not accounted into this, as the open source users are happy with the superior performance achieved versus the Microsoft based counterparts."

            Those numbers are just yanked out of thin air. Fill them in with the appropriate numbers for your network.

            If you can provide a brief yet complete statement like that, it won't matter what the sales minions say, you have factual data to back up your side. Scare tactics aren't as good as hard evidence. Well, except in court. Juries will believe anything if you wrap it up right.

    • Re:turn tables (Score:5, Insightful)

      by TubeSteak ( 669689 ) on Wednesday February 11, 2009 @12:11AM (#26808427) Journal

      How about telling them that Microsoft has taken code from open-source operating systems like BSD (true) and people have discovered bugs which had been fixed long ago in the open-source versions, and missed in the closed-source versions BECAUSE they were closed-source?

      What the argument really boils down to is this:
      Open Source - You/I/We/The Community can audit the code and fix problems now
      Closed Source - Wait for the vendor (MS) to release a patch (once a month) if the vendor thinks it is worth patching

      • Re:turn tables (Score:4, Insightful)

        by shutdown -p now ( 807394 ) on Wednesday February 11, 2009 @01:48AM (#26809099) Journal

        What the argument really boils down to is this:
        Open Source - You/I/We/The Community can audit the code and fix problems now
        Closed Source - Wait for the vendor (MS) to release a patch (once a month) if the vendor thinks it is worth patching

        Careful with your phrasing! This can easily be twisted to:

        Open Source - there are no experts, just you/I/we/the community hacking on the code; problems will be fixed only when someone is bothered enough, and even then you have no guarantee he knows what he's doing. No support for the fix either.

        Closed Source - wait for the well-paid experts to release a thoroughly tested patch. If there are any problems, call support.

        And when it comes to marketing, it doesn't matter if it's true or not; it only matters what the customer hears last, and what he is more likely to believe...

  • by bugi ( 8479 ) on Tuesday February 10, 2009 @11:37PM (#26808103)

    Open source is verifiable. Closed source is not.

    Open source is verified, by many people, who discuss it in public. Closed source is not.

    • by goombah99 ( 560566 ) on Wednesday February 11, 2009 @12:07AM (#26808389)

      Since 2004 The source code for windows is available for $20 on blackhat websites. SO it's avaialble for scrutiny by a very select few since possession is criminal. [theregister.co.uk]

      Also it's worth noting that even for-profit companies like Sun and Apple often open source their code (e.g. apple's Darwin Kernel and openSolaris). And those companies have much better security reputations than Microsoft.

      • by Anonymous Coward

        Since 2004 The source code for windows is available for $20 on blackhat websites. SO it's avaialble for scrutiny by a very select few since possession is criminal.

        Also, Microsoft regularly allows universities and governments to look at windows source code under NDA.

        Plus, Bill Gates testified under oath that it would be a security calamity for windows source code to be released into the wild.

        Strangely enough, that hasn't happened with linux & openbsd.

  • by wtansill ( 576643 ) on Tuesday February 10, 2009 @11:37PM (#26808105)
    Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.
    • by grcumb ( 781340 ) on Tuesday February 10, 2009 @11:51PM (#26808231) Homepage Journal

      Show them how quickly discovered vulnerabilities are patched and how much discussion each bug receives. Ask the competitors to provide access to their discussion groups and bug logs. Compare. Contrast.

      I'd put the emphasis on 'Compare'.

      Print two lists. One containing all the critical vulnerabilities that have been reported in the last twelve months, along with numbers of exploited machines worlwide. The other will be a list of how many of these vulnerabilities have affected your supported machines.

      If you've been doing your job well, the second list will be a blank page.

  • Of course... (Score:5, Interesting)

    by QuietLagoon ( 813062 ) on Tuesday February 10, 2009 @11:40PM (#26808119)
    they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.'

    .
    Of course, Microsoft Windows has proven that closed-source, proprietary software is secure. Ha-ha-ha-ha-ha-ha-ha-...

    Microsoft is desperate to fight the lower cost of Open Source in these troubled economic times. Microsoft is having trouble justifying their economic exstence. So, instead of fighting on a cost basis, Microsoft is tryng to shift the battleground to a different arena --- one of security. Unfortunately, in the arena of security, Microsoft loses big.

    • Re:Of course... (Score:5, Insightful)

      by joocemann ( 1273720 ) on Tuesday February 10, 2009 @11:58PM (#26808299)

      I don't think they are aiming to battle on the concept of 'security' but rather the easily exploitable human characteristics of fear and susceptibility. This is, to a knowledgeable person, an obvious attempt at spreading rumor/mudslinging to create a widescale negative buzz among the weeble peoples.

      I also heard Obama is a Muslim?

  • He may be lurking hereabouts, but if not, here's his bio [perens.com]. I've been doing open source for a fair while - 10 years or so - but he's been talking to companies and coming up with good answers to various arguments against open source for much longer.

  • Um..laugh? (Score:3, Interesting)

    by msimm ( 580077 ) on Tuesday February 10, 2009 @11:42PM (#26808141) Homepage
    I'm sure in enterprise things can be different but working for a small/medium sized developer I know my CEO isn't so un-clued in that I couldn't explain something like this over drink and have a good laugh.

    But then we've used Oracle and seen what happens when cost and bad economics limit your businesses growth. Let them smoke our RHEL and MySQL licensing, maybe their getting something out of the ink.

    Better yet, when your PHB approaches you why don't *you* ask him to point out a security situation that *wasn't* caused or aggravated by something that wasn't open source.

    Just because some idiot says it's true doesn't mean anything.
  • *sigh* (Score:5, Informative)

    by faedle ( 114018 ) on Tuesday February 10, 2009 @11:42PM (#26808143) Homepage Journal

    If it's good enough for the NSA [nsa.gov], it's good enough for you.

    • Re: (Score:3, Interesting)

      Keep in mind that the question was not linux, the question was "open source." OpenBSD falls under that, and in many ways I'd regard OpenBSD as more "secure" than linux.

      But before the trolls get at me (I ONLY HAVE LINUX DESKTOPS, BACK OFF!)...

      Don't get me wrong, as a whole I'd agree with your NSA analogy, but your example isn't remotely encompassing of "open source." Mozilla is open source, but you'll note we don't have SEMoz. And really - SElibpng?

      The MS reps are spreading FUD.

      " because 'anyone can read the

      • Re: (Score:3, Informative)

        The question, is who can *load and execute code* with ease.

        It doesn't matter that somebody can identify a vulnerability and write code to exploit it if they can't get it loaded and running on anybody else's box. Even if they can get the program downloaded onto a Linux machine, it won't, by default, have execute permission. In the Windows world, everything has execute permission and ActiveX is there to download and run arbitrary code from any website that wants to take advantage of it. I don't know abou

  • Open source software is like any report in an academic journal.

    While a little more informal, it has usually been similarly vetted by competent experts in the field before it's been allowed into the wild, especially in large projects.

    Therefore, it's much more reliable than closed source software like Windows, for which you have to take Microsoft's word alone, as opposed to the reviews of several top developers in their fields who approved the commits in the first place.

    Plus, tell them to examine their sources; the bias is obvious.

  • The proof is ..... (Score:3, Insightful)

    by budword ( 680846 ) on Tuesday February 10, 2009 @11:44PM (#26808165)

    The proof is in the pudding. Who gets hacked more ? Who suffers from worms and viruses constantly ? Who has to run anti-virus and anti-malware software ?

  • by Lord Kano ( 13027 ) on Tuesday February 10, 2009 @11:44PM (#26808167) Homepage Journal

    I had a professor say that kind of thing in class once. He said that "Linux will never be as secure as Windows because it's open source. Anyone can see the source code and use it to hack your computers."

    It was completely involuntary on my part, but I let out a loud, and I do mean LOUD, "WHAT?".

    He turned and looked at me, I said "I'm sorry but that's not correct. Look at OpenBSD, it's open source too and there has been exactly one remote exploit in a default install in the past six years. Microsoft wishes that Windows had that kind of track record." He stammered and stuttered and then moved on with his lecture.

    LK

  • by Zigbigadoorlue ( 774066 ) on Tuesday February 10, 2009 @11:54PM (#26808255)
    Show them trusted (kind of) and family name organizations that work on/use FLOSS. Big ones that jump to mind are the DoDs use of linux, the NSAs creation of SE linux and everyone knows who IBM is.
  • Antivirus (Score:5, Interesting)

    by lena_10326 ( 1100441 ) on Tuesday February 10, 2009 @11:54PM (#26808261) Homepage

    2 points.

    1. The fact that an antivirus program combined with a firewall is mandatory for any windows box (closed source) to remain virus free for longer than 20 seconds connected to the internet, whereas linux (open source) requires no such antivirus program, is experiential proof that linux is more secure.
    2. Many firewall/routers run linux. If linux is good enough to protect your windows machines from intrusion, then a logical person would conclude an open source operating system such as linux is more secure.
    • Re: (Score:3, Insightful)

      by TubeSteak ( 669689 )

      # Many firewall/routers run linux. If linux is good enough to protect your windows machines from intrusion, then a logical person would conclude an open source operating system such as linux is more secure.

      Many firewall/routers run a highly stripped down version of linux.
      It does not follow that an OSS OS is more secure.

  • by filesiteguy ( 695431 ) <perfectreign@gmail.com> on Wednesday February 11, 2009 @12:02AM (#26808351)
    Whether or not the source code is available does not make software less secure. The methods by which most script kiddies and actual hackers (if I can use that term with these losers) access systems are those which would not be more or less available given the source code. You take a given library, note the interfaces and find a way to break in. If you have a buffer overflow, all the better.

    Though I am an OSS advocate, I do not fall prey to the "oss is better" or "closed source is better" simply as a security measure.

    Bad (insecure) software can be written by any individual or vendor. It is how that individual vendor responds to exploits that is the key.
  • This is easy (Score:5, Insightful)

    by garada ( 617442 ) on Wednesday February 11, 2009 @12:03AM (#26808361)
    Tell your customers that Microsoft is trying to sell them stuff. It has nothing to do with open source vs.closed source, just money.
  • Hows this? (Score:3, Insightful)

    by pugugly ( 152978 ) on Wednesday February 11, 2009 @12:08AM (#26808397)

    Mmm Hmm.

    And how many times have you heard about worms on Microsoft, the 'more secure' closed source OS?

    And how many times have you heard about viruses getting through on the Linux systems I helped you set up?

    Since Linux is the main system used for internet servers, you would think dangerous criminals would hit it first, right?

    The reason you haven't heard of it lately is they did. Unix and Linux ironed all this stuff out 20 years ago - the last Unix worm that got famous was the Morris Worm. Huey Lewis and the News were big, there were still hair bands, and Republicans still had a reputation as being fiscally responsible.

    Pug

  • by phallstrom ( 69697 ) on Wednesday February 11, 2009 @12:14AM (#26808443)

    I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security.

    5-6 years? Go back and figure out the cost of purchasing the various windows software that you'd need (including all licenses, per-seat, etc.) over that time period. Don't forget the proprietary back up software and enterprise anti virus software. Then taking your hourly rates run the numbers for how often you would need to patch those systems (every week?) and toss in the time it would take you to *test* the roll out of those patches and then add more time for when it breaks everything despite your testing.

    ROI goes a long way towards changing a customer's mind (which is why so many of them don't want to spend money on reliable backups :)

  • by Maxo-Texas ( 864189 ) on Wednesday February 11, 2009 @12:17AM (#26808471)

    http://www.sans.org/top20/#z1 [sans.org]

    The critical flaws that were reported this year in Office products:

            * Microsoft Excel Remote Code Execution (MS07-002)
            * Microsoft Outlook Remote Code Execution (MS07-003)
            * Microsoft Word Remote Code Execution (MS07-014)
            * Microsoft Office Remote Code Execution (MS07-015)
            * Microsoft Excel Remote Code Execution (MS07-023)
            * Microsoft Word Remote Code Execution (MS07-024)
            * Microsoft Office Remote Code Execution (MS07-025)
            * Microsoft Outlook Express and Windows Mail (MS07-034)
            * Microsoft Excel Remote Code Execution (MS07-036)
            * Microsoft Excel Remote Code Execution (MS07-044)
            * Adobe Reader and Acrobat Remote Code Execution (APSB07-18)
            * Adobe Reader and Acrobat Cross Site Scripting (APSA07-01)

    C2.2 Operating Systems Affected

    Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista, MacOS X are all vulnerable depending on the version of Office software installed.

    While all operating systems are affected...
    Linux has two mentions on the entire page while other operating systems just go on and on and on.

    With Open source, MANY eyes are looking at it finding problems and fixing them.

    With Closed source, FEW eyes are looking at it-- are probably only focused on bugs and enhancements that will return new revenue, and may remain unaware of exploits for long periods of time. For example, some zero day flaws get extensive script libraries written to take advantage of them before they are discovered.

    Hackers, the real ones (who are very few) can see the windows assembler and C code via disassemblers and debuggers anyway.

    At least some of them probably have access to Windows code. (It's not really that secret- several companies have copies of the code including China which is known to launch cyber attacks against windows computers)

    ---

    However, from dale carnegie, remember people decide with their emotions and then fit the facts to that.

    You need to argue emotionally "Linux is safe because people really care about it and work hard to make it secure-- it's not just 'a job' that some jaded corporate programmer is phoning in".

  • by Toe, The ( 545098 ) on Wednesday February 11, 2009 @12:20AM (#26808503)

    DHS [netcraft.com] - linux
    FBI [netcraft.com] - linux
    Navy [netcraft.com] - linux
    Air Force [netcraft.com] - linux

    Wonder why those agencies are using such an "unsecure" platform...?

  • by jrj0001 ( 1082231 ) on Wednesday February 11, 2009 @12:20AM (#26808505)
    The argument that "anyone can read the code and hack you with ease" is false. To win the argument, one must explain the relationship between a _cypher_ (implemented in a program) and a _key_ (generated by a program). Secure programs are written such that even their *authors* can not hack them. The reason is because these programs do not directly provide security. Instead, for example, they may help users generate unique digital keys. Is is the combination of this digital key and the program itself (ie. the cypher) that provides security. Reading the source code will _not_ give the reader the key required to breach someone's privacy, especially if the program is good and can produce trillions of different and complex keys, each of which take a long time to test. Conversely, closed sourced programs are generally scrutinised by far fewer people, and as such they are generally less able to perform with the same speed, efficiency and reliability of their open source alternatives, including security related programs described above.
  • by Johnny Loves Linux ( 1147635 ) on Wednesday February 11, 2009 @12:22AM (#26808515)
    What is the #1 website on the planet today? Answer: google. How many machines does google have to support it's busines? Answer: tens of thousands. What operating system does google use? Answer: Linux. How many times has google been hacked in its 11 year history? Answer: Anybody, anybody? What is the #1 desktop operating system today? Answer: Microsoft. How many worms, trojans, viruses, etc. are there for Microsoft OSes? Answer: > 100,000 (source: pick you're favorite anti-virus company counting scheme.) How many times have businesses been hosed by using Microsoft software? Answer: Too many to count. The latest blunder today? The French navy. Reference: http://www.networkworld.com/news/2009/020909-conficker-worm-sinks-french-navy.html [networkworld.com] Now for the last and most important question: What does Microsoft think that it knows about security that Gooogle doesn't? Because comparing their security track records, it's not obvious to me that Microsoft knows anything about security. --Johnny says when in doubt just ask Google.
  • by Hacksaw ( 3678 ) on Wednesday February 11, 2009 @12:26AM (#26808535) Homepage Journal

    1. Do not belittle or otherwise blow off the customer's fear. In fact, hear it, and agree that it's something to think about.

    Them: "I'm worried about this Linux stuff. A guy was telling me that anyone could see the code, and just know how to hack it!"

    You: "I can understand how that could be a concern. It is a little like having a map of the valuables in your house taped to your front door."

    2. Explain why openness is helpful

    Them: "Yeah, so what should we do?"

    You: "To be honest, sir, the reason why we like that anyone can see the code is because that means anyone can fix those problems. And lots of people do, for the very same reason you are worried about it. They need something that's secure, and isn't going to surprise them."

    3. Mention that serious people have a big stake in making this work.

    You: "I should mention that a few companies have bet a lot of money on open source, and wouldn't be happy to see it easily broken. IBM, Novell, and Oracle, to name a few, have very large investments in Linux, and have donated many patches to make sure the code is secure. And for that matter, so has the NSA. They have actually extended the security quite a bit, with their Security Enhanced Linux."

    4. Reassure them that people are thinking hard about this.

    Them: "Yeah, but if anyone can see it..."

    You: "...then you have to be extra careful. See, the strategy that Open Source follows, and everyone should, is to assume that everyone *can* see the code, so you better design it so that the real keys to the kingdom aren't in the code at all. You make sure the keys are completely in the hands of the owners of the system, so it doesn't matter if you can see how the lock works, you still don't have the keys."

    5. Point out the obvious.

    Them: "But what happens if someone tries to slip something in, and is really good at it?"

    You: "Once in a while, someone tries. But when a thousand people might look at the files you are trying to sneak in, someone's going to notice. And then a hundred thousand geeks will make fun of you. In public, all over the internet."

  • by NevarMore ( 248971 ) on Wednesday February 11, 2009 @12:29AM (#26808573) Homepage Journal

    "...[systems] that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security."

    Prove, document, and send your customers exactly that. None of my customers give a rats ass about philosophy, they care about the bang for the buck.

    If you can clearly point out to your customers that:
    1. The sales calls they're getting are SALES CALLS. Your customers will realize that the salesman will spin things so that they buy his kit. That spin may not be accurate or apply to them.
    2. Uptime of your systems in a given time period.
    3. Cost of your systems/services over that time period.
    4. Be honest, unplanned downtime in the same time frame for your systems/services.
    5. Distill all of that to brief bullets or an executive summary paragraph.
    6. Follow on with a request for feedback. You strive to provide the best service to your customers, make sure that they're happy.
    7. Double check all of your numbers before sending, assume it will be shown to the sales people from other companies. CYA.

    Waffling on about philosophy and visibility of code and yadda yadda is all well and good, but the person cutting the cheques does.not.care. What they do care about is ROI and cost/benefit. They care about your track record of performance.

  • by Alpha830RulZ ( 939527 ) on Wednesday February 11, 2009 @12:38AM (#26808645)

    1) I'd ask them what has the security experience been over the period you have supported them? While headline after headline has been in the paper about Windows exploits, botnets and viruses, what has happened with their installation.

    2) I'd inform them that Google runs on Linux. Do they think Google knows what they are doing.

    3) I'd tell them to talk to one of the people who is selling the windows services, and ask them to detail the costs of converting to MSFT, and what the security measures required would be. I think they'll blink after they get the price tag.

    Sad to say, even if Windows was more secure, most people will balk at the expense if they're already running a solid linux based infrastructure.

  • Use an Analogy... (Score:5, Insightful)

    by Rinnon ( 1474161 ) on Wednesday February 11, 2009 @12:49AM (#26808715)
    I watched a "How's it Made" episode on combination locks. Knowing how a lock is made, didn't make it any easier to break into one. If the code is made correctly, the passwords can't just be bypassed. You can't just change the code and load it in for a fun filled night of hacking any more than you can with a closed source OS. That's how I'd explain it to a customer.
  • by jandersen ( 462034 ) on Wednesday February 11, 2009 @01:13AM (#26808873)

    The strongest security is the one you get from everybody in the company being loyal and well educated about what they should and shouldn't do. Of course, you don't post your passwords on a sign outside, but that is about as much secresy as it is worth the effort to maintain, I think. Apart from that - if we know that Microsoft's security strategy uses "protocol X" and open source uses the same, what is the real difference? Only that in open source you can potentially inspect the implementation and verify that it doesn't contain inherent weaknesses that allow you to circumvent it. You can't do that with closed source, you have to trust the supplier; the big question then is: can you?

    Open source works along the same lines as the open, scientific discourse that has brought us from pre-industrial society to the present day. If we had relied on secret research, we would still have lived in the mud; romantic, perhaps, but no computers. Or compare open societies to closed ones: are countries like Sweden, Germany and Switzerland less secure than, say, Burma? The only ones that feel more secure in Burma are the ones in power, but the country as a whole is less secure, as far as I can see.

  • by Idou ( 572394 ) on Wednesday February 11, 2009 @01:27AM (#26808961) Journal
    Look at all the "respected" finance firms that either no longer exist, are close to death, or turned out to be giant scams. The root to all this were complicated processes that lacked the necessary transparency. When something started to break, no one could determine which parts in the system were still valid, so everything grinded to a halt.

    The moral of the story is that complicated systems need to be transparent, regardless of their industry. Assume the worst of what you and other vested parties are unable to see. Not being able to see the problem is worse than the problem itself.
  • by RichiH ( 749257 ) on Wednesday February 11, 2009 @04:45AM (#26809939) Homepage

    You must stress that being able to _read_ the code is not the same as being able to _write to the released codebase_. This is an assumption I have encountered again and again and again.

    The evil thing is, people don't ask about this, they assume it's fact and that's that.

    "We" need to make sure this myth dies.

  • by mormop ( 415983 ) on Wednesday February 11, 2009 @06:38AM (#26810555)

    OK you can say that the authour's background may bias him somewhat but then Microsoft's claims are open to the same criticism.

    http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/ [theregister.co.uk]

    The best line though is that old favourite "well they would say that wouldn't they" particularly if you then explain the dependance Microsoft has on business and Office in particular.

    On the other hand, you can also find out who the Microsoft vendors are that are making the claims and report them for false advertising or fraud. At best, the current situation i.e. which system is most secure, is debatable and at worst a matter of opinion and it will remain this way until a truly independant analyst manages to definitively show otherwise.

  • Don't (Score:4, Insightful)

    by benjymouse ( 756774 ) on Wednesday February 11, 2009 @07:33AM (#26810891)

    With the risk of being modded into obscurity and burning all my karma:

    Simply don't venture into the trap that OS is inherently more secure than closed source. It is unfortunately easily refuted. PHP, WordPress, Typo3, Drupal are all open source projects with very challenged security track records.

    Security and open source - despite popular belief - seems to be orthogonal concepts. It seems to have more to do with the QA/QC processes in place than with the actual development model.

    IBM just released a report which shows that Vista and Windows Server are actually hit by fewer vulnerabilities than "Linux kernel", although suffering from more malware. http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf [ibm.com]

    It actually show that through 2008 Linux kernel experienced 2x the vulnerabilities of Vista/Server 2008, Apple OS X was hit by 3x the vulnerabilities.

    The IBM X-Force team went through the disclosed CVEs and attributed them to the operating systems. This way they didn't multi-count Linux because of multiple distributions, and also they didn't count vulnerabilities from the bundled apps from the distributions.

    You may claim (as many surely will) that MS somehow "hides" vulnerabilities. However, that doesn't seem to be the case when you look at the information (the "bulletins") which is supplied with each patch.

    Simply put, security seems to be an orthogonal issue. Open source does not seem to automatically or inherently guarantee fewer vulnerabilities or better in-depth protections. It doesn't seems to make it worse, though.

    Claiming so will only make you vulnerable to counter-examples (of which there are many) and will allow the MS lackeys to paint you as an ideology-driven zealot.

    Chunk it down. Point to the security track record of the products you recommend. Leave out the claim that they are more secure because they are OS, just claim that the products are produced by vendors that are accountable, dependable and transparent with proven security records.

  • FUD and bullshit (Score:3, Informative)

    by Tom ( 822 ) on Wednesday February 11, 2009 @07:58AM (#26811073) Homepage Journal

    Countermeasure: Education.

    'anyone can read the code and hack you with ease.'

    Use the opportunity to explain to them that if reading the code reveals possible hacks, then indeed the code sucks. Cryptography teaches us that knowing the algorithm doesn't give you an "in", unless the algorithm is flawed. Example: Knowing that the file was AES encrypted doesn't allow me to decrypt it (without the key), even though the AES algorithm is public knowledge.

    You could also ask two provocative questions:

    One: Why then are public standards public, if knowing how things work would make it easy to exploit them?

    Two: If knowing the code makes it easy to hack you if there are bugs in the code - then what does Microsoft have to hide, by hiding the code? All the bugs that make hacking it so easy, perhaps?

    Third alternative, you could point out that the source code to windows is widely available (lots of companies and university have source code licenses), and has in fact been leaked into the general public several times.

    My preferred alternative would be "if you believe that shit, you're a lot dumber than I thought", but you probably can't say that to customers.

/earth: file system full.

Working...