Fighting Claims That Open Source Is Insecure?
Lumpy asks: "Lately there has been a HUGE push by Certified Microsoft Professionals and their companies to call clients and warn them of the dangers of open source. This week I received calls from 4 different customers that they were warned that they are dangerously insecure because they run Open Source Operating systems or Software because 'anyone can read the code and hack you with ease' they are being told. Other colleagues in the area also have noticed this about 3 Microsoft Partners or so they claim have been going out of their way to strike fear of OSS in companies that respond with 'yes we use Open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies that will remain nameless, but how do I fix the damage caused by these sales tactics? I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
Re:Security through obscurity is no security at al (Score:4, Insightful)
Re:Open source use (Score:0, Insightful)
If someone who would be persuaded by that line of reasoning (which doesn't even make sense even if accessing Google really were "using open source software") is in charge of security, open/closed source is the least of their problems.
open source is not 'no source control' (Score:3, Insightful)
Consider which is less secure, a project whose source is always available, or a project whose source suddenly becomes available? I would guess that since Microsoft has never officially had its source be in the hands of hackers, there are TONS more exploits there that if you did see the source, you would easily find. Since OSS is always visible, people are quick to point out and fix various holes. This is a much more effective way to manage source control, since any fixed number of people can only read so much into a massive body of source code.
Also, not anyone can modify the actual gold master source for an OSS project, so it's not insecure in that way.
Re:Open source use (Score:3, Insightful)
The point is that we are surrounded by open source usage, and we're all directly or indirectly using it all the time. It's everywhere and many of the biggest, most dynamic companies in the world (Google for instance) are using it, often in their core business. So why aren't we seeing all this evidence of real problems with open source security breaches? Why are all the problems with Windows? Let's face it, the reality is that virtually all viruses, for example, would be more accurately called "Microsoft viruses", because it is security flaws in Microsoft software they exploit. The same goes for worms. So the IT guy counters "but Microsoft software is everywhere and that's why it gets exploited". My central argument is that actually, open source software is also everywhere, even if you don't realise it, and it suffers much fewer security problems.
Re:sadly, this is dying off (Score:2, Insightful)
Sure, but have you seen how a lot of bugs are being found lately? Fuzzing. You can fuzz both closed and open source software the same way. Sure, if you had the code for it, you could look at Joe Schmoe's web software and look for input validation bugs, and maybe find one after a while. Or, if it was closed source you could fuzz it and find a bunch of vulnerabilities you probably never would have thought of looking for.
My point is, insecure software is always going to be insecure, whether it is open or closed source, and don't let someone kid you into thinking that one has an absolute, inherent advantage over the other.
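The comment above argues that fuzzing finds input-validation bugs whether or not the source is available. The following added example (not code from the thread or from any product it mentions) makes that concrete: a constructed, hypothetical length-prefixed record parser with deliberate validation defects, a mutation fuzzer that only ever calls the parser as an opaque function, and a hardened version of the same parser that the identical fuzzer can no longer break. The record format, `parse_record`, `parse_record_hardened`, `mutate` and `fuzz` are all assumptions of this example.

```python
import random

# Constructed target: a tiny length-prefixed record parser for the format
#   [name_len][name bytes][value_len][value bytes]
# with deliberate input-validation defects: it trusts the declared lengths
# and assumes the name is ASCII. Hypothetical code, not from any real product.
def parse_record(data: bytes) -> tuple:
    if len(data) < 3:
        raise ValueError("record too short")            # intended rejection
    name_len = data[0]
    name = data[1:1 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name")              # intended rejection
    value_len = data[1 + name_len]                      # defect: byte may not exist (IndexError)
    value = data[2 + name_len:2 + name_len + value_len] # defect: truncated value goes unnoticed
    return (name.decode("ascii"), value)                # defect: non-ASCII name (UnicodeDecodeError)


# Hardened version of the same parser: every length is checked before it is
# used and the name is validated before decoding, so only ValueError can escape.
def parse_record_hardened(data: bytes) -> tuple:
    if len(data) < 1:
        raise ValueError("record too short")
    name_len = data[0]
    if len(data) < 2 + name_len:
        raise ValueError("truncated name or missing value length")
    name = data[1:1 + name_len]
    if not name.isascii():
        raise ValueError("non-ASCII name")
    value_len = data[1 + name_len]
    value = data[2 + name_len:2 + name_len + value_len]
    if len(value) != value_len:
        raise ValueError("truncated value")
    return (name.decode("ascii"), value)


# Constructed valid seed input: name "abc", value b"hello".
SEED_RECORD = b"\x03abc\x05hello"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations to a copy of data."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "truncate", "insert", "delete"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] ^= rng.randint(1, 255)
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, iterations: int = 2000, seed: int = 1) -> list:
    """Black-box mutation fuzz loop. The target is called as an opaque function;
    its source is never inspected. ValueError is the parser's documented way of
    rejecting bad input, so it is ignored; any other exception is an unexpected
    failure. Returns one (exception_type_name, triggering_input) pair per
    distinct exception type, sorted by name, so results are deterministic."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(SEED_RECORD, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
    return sorted(findings.items())


if __name__ == "__main__":
    for exc_name, case in fuzz(parse_record):
        print(f"vulnerable parser: {exc_name} on {case!r}")
    print("hardened parser findings:", fuzz(parse_record_hardened))
```

The fuzzer is not coverage-guided; it mutates a single valid seed, which is enough here because the defects sit one mutation away from valid input. The point for the discussion is that the loop never reads either parser's source, and that the fix that makes the findings disappear is validation of every untrusted length before use, not hiding the code.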
Re:Security through obscurity is no security at al (Score:4, Insightful)
"Does the fact that closed source software hides its defects mean that it doesn't have any defects?"
To attain exactly, what?
Just to follow your argument, here comes the obvious answer to your "counter-question":
Of course closed software has its defects. But then, its defects are hidden, aren't they? So they are obviously more difficult to exploit, and I prefer to have software whose defects are difficult to exploit rather than one which is easy to exploit. I'm questioning my confidence in your ability to get things done if I have to explain such an obvious thing to you!
"Would you rather be at the mercy of your vendors to disclose (against their own self-interest) and fix security issues (on their own timetable); or would you rather have a multitude of people, who are dedicated to the values of openness and transparency, constantly striving to keep open source software as secure as possible?"
Hummm... at the end of the day, a USA corporation may be held legally liable. Do you really expect me to try to recover damages from a stinky teenager deep in Soviet Russia (where teenagers stink you) that happened to develop some seemingly cute software in his spare time?
No, the answer has already been given. If they really are paying attention to such stupid arguments like those from 'M$ drones', they are ignorant about these issues, and the best course of action is to enlighten them in such a way that they can understand:
Look at IBM: they extensively use open source and it seems they are not going into bankruptcy anytime soon.
Look at Google: they critically use open source, they have an astounding computer base all around the globe and still it doesn't seem like they are hacked every day, does it?
You can ask a question *then*:
Look at IBM or at Google, or at almost every Fortune 100 out there; they do well using open source. Don't you find it suspicious that the only ones pestering about open source are companies (Microsoft and its VARs) that *would* go bankrupt if open source took the computer world for a raid?
Re:fighting FUD, when FUD is not FUD (Score:3, Insightful)
Rather than going through all this debate (de-bait?)...
I like the point about Past Performance and the special interest that Microsoft has in telling you the other software is "bad".
BTW -
Apple is based on Open Source.
SUN Solaris 10 is Open Source (mostly?)
IBM has chosen to grant much of its invested IP to Open Source
If that doesn't convince them even a little bit then you might just consider one of your two remaining options:
Quote how much it would cost in new servers and software for converting to 100% Windows. And you should probably budget all the security software and patches along with the article about how even Ballmer can clean a desktop computer.
Punch them in the head and call them stupid.
But try the last one after everything else fails.
Re:Security through obscurity is no security at al (Score:3, Insightful)
Where are the articles about companies losing data due to defects in OSS?
Now where are the articles about IE (for example)?
Once they compare them, they will see the light.
Re:well... (Score:3, Insightful)
Yes, and no. You can't make "bug free" software, because one person's feature (or lack of one) is another's bug. However, I believe you can make secure (read: no remote exploits) software. That's a much smaller scope you have to defend against, and it's mostly testable. Also multiple people have done it [and.org], or claim to have done it ... including myself [and.org].