Fighting Claims That Open Source Is Insecure?
Lumpy asks: "Lately there has been a HUGE push by Certified Microsoft Professionals and their companies to call clients and warn them of the dangers of open source. This week I received calls from 4 different customers who had been warned that they are dangerously insecure because they run open source operating systems or software, since 'anyone can read the code and hack you with ease', they are being told. Other colleagues in the area have also noticed this: about 3 Microsoft Partners, or so they claim, have been going out of their way to strike fear of OSS into companies that respond with 'yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, which will remain nameless, but how do I fix the damage caused by these sales tactics? I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"
sadly, this is dying off (Score:1)
I've got physical possession of my cable-box but if it is "properly" DRM'd there's no way for me to completely control it without alerting the Cable Company it's compromised and should be disconnected.
BTW, I think the FUDsters' points are that if the bad guy examines the source code and finds an exploit BEFORE the good guys find and fix the hole, then it's just as bad as a 0-day Microsoft attack. They go further and say half-truthfully that it's
Re: (Score:2, Insightful)
Sure, but have you seen how a lot of bugs are being found lately? Fuzzing. You can fuzz both closed and open source software t
OT:"Only you can prevent" (Score:2, Funny)
When I read your post, this [tribalfusion.com] banner ad graced the top of the page.
Cosmic Coincidence or intelligent ad placement gone haywire?
Re: (Score:2)
And then you gave the answer. The key point is "as bad", as in "no worse". So in the worst case scenario you are "as bad", but no worse than, a 0-day Microsoft exploit.
On the other hand, if just one of the myriads of white hat hackers finds the bug before the black hat hackers do, you are in a much better situation than with the 0-day Microsoft exploit.
Re: (Score:2)
Not quite. With closed source (especially Microsoft), crack one and you've cracked 'em all. With open source development, many different packages are available to implement solutions for the required task. The availability of this diverse pool of highly customizable tools also allows the developer to tailor a fine garment to fit the user's requirements, while using closed source products is like buying an off-the-rack garment and telling the customer to
Re: (Score:2)
Not that those entities have made any of the security holes they have found in their spy vs. spy code scanning efforts public, neither will they release any of the bug fixes or t
Re: (Score:1)
Was there an update you didn't install, or was this one of those rare cases where it was hacked before the update was available?
Newsflash: You don't need the source code to find security flaws, w
Re:okay but...[OT] (Score:1)
okay but, now the rest of the story (Score:2)
REALLY simple answer (Score:2)
Even simpler... (Score:5, Informative)
botnets [wikipedia.org]
Then you can explain how it's actually the closed source OS that is the [techweb.com] most [zdnet.co.uk] damaging [microsoft-watch.com].
Hell, just show them some apache logs that are still constantly being hit by things like IIS servers still infected with Sasser, years after it should have been eradicated.
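The log check suggested above, as an added example that is not part of the original thread: a Python script that walks Apache combined-format access log lines and flags the request paths that the old IIS worms sent (Code Red's /default.ida and Nimda's root.exe, cmd.exe and _vti_bin/MSADC probes), then counts them per source address. The log lines are constructed samples with documentation-range addresses, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2007:10:01:22 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [12/Mar/2007:10:01:25 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2007:10:02:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.9 - - [12/Mar/2007:10:03:40 +0000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
198.51.100.7 - - [12/Mar/2007:10:04:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2007:10:05:00 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
"""

# Minimal parser for the common/combined log format: client IP, timestamp,
# method, request path and status are all we need for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request paths that only make sense against IIS. On an Apache host they can
# only be worm or scanner noise, which is exactly the point of showing them.
IIS_PROBE_PATTERNS = {
    "code-red": re.compile(r"/default\.ida", re.I),
    "nimda": re.compile(r"(root\.exe|cmd\.exe|/_vti_bin/|/msadc/)", re.I),
}


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the worm family whose probe signature the path matches, else None."""
    for family, pattern in IIS_PROBE_PATTERNS.items():
        if pattern.search(path):
            return family
    return None


def scan_log(text):
    """Count parsed requests, probe hits, and probe families per source IP."""
    by_source = defaultdict(Counter)
    requests = probes = 0
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # skip lines that are not in the expected format
        requests += 1
        family = classify(fields["path"])
        if family:
            probes += 1
            by_source[fields["ip"]][family] += 1
    return {
        "requests": requests,
        "probes": probes,
        "by_source": {ip: dict(c) for ip, c in by_source.items()},
    }


if __name__ == "__main__":
    summary = scan_log(SAMPLE_LOG)
    print(f"{summary['probes']} of {summary['requests']} requests were IIS worm probes")
    for ip, families in summary["by_source"].items():
        print(f"  {ip}: {families}")
```

Pointing the script at a real access_log (reading the file instead of SAMPLE_LOG) gives a customer-facing count of how many worm probes a non-IIS server still absorbs.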
Re: (Score:1)
Well, there's a good realistic suggestion for him!
well... (Score:2)
Aside from that, google for security comparisons for the open source solutions you promote and their competition.
Re: (Score:2, Informative)
All software has bugs in it; there is no such thing as a completely secure application.
The point of open source software is that the more eyes you have looking at code, the easier it is to find and patch these bugs...
The problem with closed source software is that the bugs aren't as easily found, and certainly not easy to patch, especially since only a few have access to the source. So while the bugs exist, they go unfound, generally
Re: (Score:1)
Or worse, if your vendor won't release news (or a workaround) of a bug until there is a patch. If they don't put out a patch for a few months, you're not only SOL, you don't even know it!
Re:well... (Score:4, Informative)
You might say, yes yes, I know about all that, but you can't actually do that in practice. I would bet, though, that some of the early electronic calculators were proven correct. The people making them in the very beginning were probably interested in such things. Perhaps some apps running on MIT LISP machines were also proven (LISP is easiest to prove, and the MIT AI lab people are the type to do it), although in this case it is unlikely that the entire platform up to the app was also proven. So it is not so cut and dried as to allow you to say that there are no completely secure apps. Reasonable, useful apps today, probably none are completely secure, since I doubt that any kernels are completely secure if for no other reason. But nonetheless, it is possible to have 100% bug free, 100% secure software.
Re: (Score:3, Insightful)
Yes, and no. You can't make "bug free" software, because one person's feature (or lack of) is another's bug. However, I believe you can make secure (read: no remote exploits) software. That's a much smaller scope you have to defend against, and it's mostly testable. Also multiple people have done it [and.org], or claim to have done it ... includ [and.org]
and "commercial" solutions are more secure. why? (Score:2)
And why is any solution more secure than any other?
Open source use (Score:5, Informative)
On a couple of occasions I've spoken to IT people who have said things like "we'd never touch open source because..." and then I've been able to point out multiple ways they use it without realising it. If they use google, if they use email, if they use many websites, then they're using open source software. Many bits of hardware contain open source code (wifi boxes for instance). Many companies are using Apache for their web sites without realising it.
Another good argument is just to spout off a list of Fortune 500 companies who use open source to run their websites. "it's secure enough for IBM, but not secure enough for you?" is the type of argument that's difficult to counter. Very often they just don't know much about it.
The problem you have to fight in people who say things like "open source is insecure" is their ignorance.
Re: (Score:3, Insightful)
The point is that we are surrounded by open source usage, and we're all directly or indirectly using it all the time. It's everywhere and many of the biggest, most dynamic companies in the world (Google for instance) are using it, often in their core business. So why aren't we
Re:Open source use [OT] (Score:1)
Re: (Score:2)
That, and the fact that people don't like to be confronted with their shortcomings. So they may be ignorant, they may be wrong, they may even know it, but that doesn't mean they'll admit it and do the Right Thing.
OSS is NOT made only by amateur volunteers! (Score:1)
Security through obscurity is no security at all (Score:5, Interesting)
Does the fact that closed source software hides its defects mean that it doesn't have any defects?
Or, how about the really important one:
Would you rather be at the mercy of your vendors to disclose (against their own self-interest) and fix security issues (on their own timetable); or would you rather have a multitude of people, who are dedicated to the values of openness and transparency, constantly striving to keep open source software as secure as possible?
Re:Security through obscurity is no security at al (Score:4, Insightful)
Re: (Score:2)
"We brought this guy in here to discuss the security of our software, and now he's ranting about the government!?"
Re:Security through obscurity is no security at al (Score:4, Insightful)
"Does the fact that closed source software hides its defects mean that it doesn't have any defects?"
To attain exactly, what?
Just to follow your argument, here comes the obvious answer to your "counter-question":
Of course closed software has its defects. But then, its defects are hidden, aren't they? So they are obviously more difficult to exploit, and I prefer to have software whose defects are difficult to exploit rather than one which is easy to exploit. I'm questioning my confidence in your ability to get things done if I have to explain such an obvious thing to you!
"Would you rather be at the mercy of your vendors to disclose (against their own self-interest) and fix security issues (on their own timetable); or would you rather have a multitude of people, who are dedicated to the values of openness and transparency, constantly striving to keep open source software as secure as possible?"
Hummm... at the end of the day, a USA corporation may be held legally liable. Do you really expect me to try to recover damages from a stinky teenager deep in Soviet Russia (where teenagers stink you) that happened to develop some seemingly cute software in his spare time?
No, the answer has already been given. If they really are paying attention to such stupid arguments as those from 'M$ drones', they are ignorant about these issues, and the best course of action is to enlighten them in such a way that they can understand:
Look at IBM: they extensively use open source and it seems they are not going into bankruptcy anytime soon.
Look at Google: they critically use open source, they have an astounding computer base all around the globe and still it doesn't seem like they are hacked every day, does it?
You can ask a question *then*:
Look at IBM or at Google, or at almost every Fortune 100 out there; they do well using open source. Don't you find it suspicious that the only ones complaining about open source are companies (Microsoft and its VARs) that *would* go bankrupt if open source took the computer world by storm?
Re: (Score:2)
I'm not stinky.
Re: (Score:1)
As opposed to the enormous success corporations have had in recovering damages from major commercial software vendors?
Re: (Score:2)
Since this FUD campaign seems to be gaining some success, it is obvious that it is not a matter of facts but a matter of perceptions. The ignorant one that buys into the arguments of Microsoft's marketroids will certainly try the 'liability argument', so you had better avoid that field.
Re:Security through obscurity is no security at al (Score:3, Insightful)
Where are the articles about companies losing data due to defects in OSS?
Now where are the articles about IE (for example)?
Once they compare them, they will see the light.
fighting FUD, when FUD is not FUD (Score:3, Informative)
Likewise, anyone can read the code and repair it with ease.
High-profile projects run by responsible people will benefit from the "many eyeballs" approach and be better quality than if they were closed-source run by a team of a few or dozens of people.
The FUDsters do have a point when it comes to out-of-date or low-profile software:
If an adversary knows YOU run last-year's version of apache or that you run some obscure open-source database on your web site, they can find and exploit bugs that are either already fixed or that nobody else is looking for.
The moral of the story:
1) Stay current with security patches
2) Hide what you use from the adversary. If they don't know you run ObscureWebServer 1.0, they don't know to try attacking it first. Keep them guessing.
3) Make sure the official vendor/caretaker takes reports of security breaches seriously and is willing to consider patches from the community
above all,
4) Don't depend on your software's security to protect your assets. Make sure you have good backups. Train your employees against social engineering attacks.
Security is but one of many factors that go into the open/closed source decision.
For me, two of the biggest factors are:
1) if the product is abandoned or sunsetted, I can maintain it myself or hire someone to maintain it
2) If I don't care about paid-for support, I can use the product on as many machines as I want without worrying about "product activation" or getting sued.
Re: (Score:2)
If an adversary knows YOU run last-year's version of apache or that you run some obscure open-source database on your web site, they can find and exploit bugs that are either already fixed or that nobody else is looking for.
That's no different than a site running Windows 2000, or IIS 1.1 on their website. This point holds true for closed source as well as open source. The intent is to differentiate between closed and open
Re: (Score:3, Insightful)
Rather than going through all this debate (de-bait?)...
I like the point of Past Performance and the special interests that Microsoft has in telling you the other software is "bad"
BTW -
Apple is based on Open Source.
SUN Solaris 10 is Open Source (mostly?)
IBM has chosen to grant much of its invested IP to Open Source
If that doesn't convince them even a little bit then you might just consider one of your two remaining options:
Quote how much it would cost in new servers, software for converting to 100%
Three out of Four is Okay. (Score:1)
Re: (Score:1)
You clearly have no clue what you are talking about.
Firstly, you seem to be misinformed about what a port scan is. A port scan will only tell you which ports are open (or filtered or closed). While it's possible to guess which services are running by assuming any open ports are running their IANA-assigned services, this isn't necessarily the case. It is possible for some port scanning software to guess which operating system you are running by comparing its behavior with existing data, but this isn't ne
Security design (Score:2, Informative)
Closed Source security thinks that no-one else knows what is in there. THINKS being the operative word. Maybe they've worked on that assumption, and just obscured the holes rather than fixed them. Maybe they've left some deliberate backdoors, on the grounds that no-one else knows they are there. Possibly not, but you don't know that.
The MS people are correct to say that it is easier to construct
Analogise (Score:2)
Yeah right ... (Score:2)
This logic assumes that the bad guys are smarter than the good guys and are much better at finding vulnerabilities in code ... or that they can do this faster than the good guys can fix them. It's so damn stupid and easy to refute, and it has been refuted numerous times.
The only thing that closed source does is to create a false sense of security ... 'they can't see the code, so they can't find vulnerabilities'. This completely ignores other methods such as reverse engineering and just plain stubborn testi
I find what Adobe said yesterday much more interes (Score:3, Informative)
Re: (Score:2)
Well, Apache Software, MySQL AB, Postgres folks, KDE Team, Gnome fanboys, Mozilla Foundation... they all don't seem to find writing and maintaining software for Linux (and *BSD, and quite some different Unix flavours) to be so terribly difficult, so maybe Adobe's efforts are not so good after all, despit
Re: (Score:2)
I think the problem is that companies like Adobe still haven't realised "Linux" isn't a single entity. They have to regard different Linux distributions as different (even though similar) targets for their software -- instead of trying to release a "compatible with all Linux distributions, even if we have to include all required libraries instead of using those of the host system" package, which unfortunately is often the case.
As a related note, I don't buy the "standard package manager for Linux" argumen
Microsoft sales reps are ruthless. (Score:4, Informative)
Try IBM,
http://www-1.ibm.com/linux/opensource/ [ibm.com]
Download some of the report PDFs and send them to your clients.
This week I received calls from 4 different customers that they were warned that they are dangerously insecure because they run Open Source Operating systems or Software because 'anyone can read the code and hack you with ease' they are being told.
I'd have your sales rep call your clients and let them know that your company shares their concern. At the same time remind them of SQL Slammer, Code Red, Melissa, Blaster, etc. Point out all the other companies using OSS products: Google, Wall Street, etc.
Of course I'm just a programmer, so take my comments with a grain of salt.
Enjoy,
Re:Microsoft sales reps are ruthless. (Score:5, Informative)
Microsoft wants you to run OSS on their stuff. Point your clients to this site:
http://www.microsoft.com/presspass/features/2005/
Enjoy,
Your answer lies in them thar' internets (Score:3, Informative)
The fountain of knowledge that is Wikipedia has this article, http://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar [wikipedia.org], which is interesting. It's an essay/book about open source development, and there is a link to the full text in the WP article. There's a chapter about why open development is good (from a quick look at the text), and I know I've read similar-minded texts on sites like gnu.org and fsf.org, but was unable to find them. I think Cory Doctorow has written some good articles about secrets and the management of them, but I think his are more DRM musings, though the same principles apply to proprietary software vs. open software.
Articles about why SSH etc. are secure, even though their inner workings are wide open to the world, may be helpful too.
open source is not 'no source control' (Score:3, Insightful)
Consider which is less secure, a project whose source is always available, or a project whose source suddenly becomes available? I would guess that since Microsoft has never officially had its source be in the hands of hackers, there are TONS more exploits there that if you did see the source, you would easily find. Since OSS is always visible, people are quick to point out and fix various holes. This is a much more effective way to manage source control, since any fixed number of people can only read so much into a massive body of source code.
Also, not anyone can modify the actual gold master source for an OSS project, so it's not insecure in that way.
bank vault example (Score:3, Interesting)
Anyone can fix it! (Score:2)
Open source is more secure given an equal number of bugs, and probably has fewer bugs. Here's why:
Scenario: A piece of software contains some exploitable bug.
Closed source software: Bad guys reverse-engineering the code probably find the bug before it is found by the general public (the only other possibility is that it's found and fixed by the vendor's QA). It becomes known after it starts getting exploited in the wild. People notice they're getting hacked, put pressure on the vendor. The vendor needs
Re: (Score:2)
Just tell that, e.g., to Red Hat Inc.
Re: (Score:2)
Good point, though in their cases, the part that gets the commercial treatment is usually a small part of the product, rather than the whole product, mitigating the effect.
To take a random example, RedHat creates kernel patches for various purposes. Those kernel patches are subject to most of the usual commercial-development pressures I mentioned, so they don't get the usual open-source quality boost. (I don't actually know if they're good or bad quality; let's for the sake of discussion assume the worst
Re: (Score:2)
And you cannot have it both ways: you either explain that properly chosen open source software can be as "corporate" as any proprietary one, in which case your "no commercial pressure" doesn't hold water, or you try to go with the "no pressure" argument and the next thing you will be told is that if there's no commercial pressure it is because such software is developed by pimply teenagers in their basement.
So, all in all, I find be
If you want to be substantive (Score:4, Interesting)
Here's a good analogy. If I walk into my local bank branch, I can see the bank vault behind the tellers. The massive, foot thick steel door stands wide open, and if you look, you can see the network of gears and lever bars that are needed for a person of ordinary strength to drive home the dozen massive two inch hardened steel bolts that secure the vault when locked.
Now, the design of the door mechanism might be useful information for me if I wanted to break into the vault. The bank is placing this information in full view in part to reassure its customers. But it also deters people like me from even trying. Yes, it reveals potential vulnerabilities, but on balance the message to me is that there are more practical ways to make a buck.
Being confident enough to expose your vulnerabilities is a good sign, not a bad one.
Hiding vulnerabilities is not a sign of strength. If the customer can't see for himself or through an agent that a piece of software is secure, why bother making it secure? And hiding source code doesn't hide vulnerabilities. A burglar can make use of floor plans if he has them, but not having floor plans is no deterrent. Furthermore, unlike you, hackers can reverse engineer the source code, so the only party left in the dark is you.
Here's a good question to ask: has the software vendor subjected his product to a responsible and independent third party security audit? Why not? Companies disclose source code all the time under NDA, so there's no risk there. And it isn't expensive in the grand scheme of things, unless the audit reveals the software to be so insecure the vendor has to throw a lot of it out.
Who Uses Open Source? (Score:2)
Many companies rely on open source; Cisco, Google, Yahoo, even the US Military [theregister.co.uk]. Yeah, the "if it is good e
OSVDB (Score:3, Informative)
Here's a search for "Microsoft" on the Open Source Vulnerability Database [osvdb.org]. ("Open Source" here refers to the nature of the database, not covering only open source products.) Pop in any other large closed-source vendor you can think of and you'll find something. ("Oracle" is another personal favorite. It may have "Enterprise-class" performance, which I can't vouch for either way having never used it, but it sure doesn't have "Enterprise-class" security.)
I think the main problem with the implied argument is that you don't need source code to find security vulnerabilities (in fact it might not even be helpful given the other cracking techniques you can use), but you do need it to fix them, with rare exceptions.
Who do you trust? (Score:2)
Back to those well-known people... About
it's not about open versus closed source... (Score:1)
To put this into perspective, a colleague and I once received an email from a particularly challenging group of users during an ongoing discussion which stated 'we are *** University Computer Scientists, we are the best sysadmins in the world'. Now while this may or may not be true, they do have a far better
Point to the objective data. (Score:3, Informative)
You can also point out that, when bugs are found, they tend to be fixed very rapidly, frequently within hours of their discovery. Since the source code is available to everyone, anyone affected can create an update to fix the problem. This happens exceedingly rarely [com.com] in the closed-source world, despite the large numbers of bugs encountered.
Hear me out..... (Score:1)
No matter what OS you use, you will have security issues. Just because Open Source has its code open to the public does not make it secure! All it takes is a smart individual to create a piece of code that looks very legit among the OSS community but in actuality that code's purpose
You aren't dealing with intellectual giants here (Score:2)
Look, these people can clearly be influenced by the words from complete strangers with no proof or justificati
Off to a poor start. (Score:1, Redundant)
It's a damn good thing I'm not one of your customers - because if I saw this, I'd drop you like a hot rock and go find an honest vendor. You've been pushing the religion of OSS - without any facts to back you up. When asked for facts... You have to go the lame rou
Re: (Score:2)
IMHO you're being a bit unfair. Have you ever seen Microsoft's sales force in action? They are just as much zealots (If you're an MS salesforce rep, I apologize, but you are a zealot).
OSS has market share in Apache right now. OSS has market share (or double digit growth, gaining market share) in Linux servers and embedded Linux p
HONEST vendor?? (Score:2)
I've told this before, but let me tell you this again - you ought to get yourself invited to a seminar where MS is flogging its wares to a high value buyer, say, Government. Go there because you can see your tax money being wasted right in front of your eyes.
A couple of characteristics:
(1) The person or group they're presenting to rarely has an ability to understand or question the "facts" presented. Classic golf course sales setup.
(2) The "facts" need careful examinat
Protect them, by all means! (Score:1)
Oh wow.. Thank GOODNESS you're protecting these poor companies using these lying tactics. I'd hate for their business to be negatively impacted as a result of them.
Peoplesaywhat? (Score:3, Interesting)
Hm. In the open source arena, if someone is reading your code, they've obtained it legally. Most people who read OSS code do so to improve the code--not specifically for the purpose of creating a full-fledged exploit with it.
In the Windows world, if someone is reading your code then they are either: 1. an employee of Microsoft or 2. someone who stole the code. In the first case they're ethically barred (not supposed to. *ahem*) from using their corporate knowledge to hack you. In the second case they've already established themselves as a criminal.
Which situation makes you feel more comfortable about knowing that other people can read your code? I choose OSS.
Slander? (Score:2)
I believe there are laws against that sort of thing.
the bad guys don't need the source (Score:1)
Q: Doesn't closed source help protect against crack attacks?
A: This is exactly backwards, as any cryptographer will tell you. Security through obscurity just does not work.
The reason it doesn't work is that security-breakers are a lot more motivated and persistent than good guys (who have lots of other things to worry about). The bad guys will find the holes whether source is open or closed (for a perfect recent example of this see "The Tao of Windows Buffer Ov
How about some 360 degrees FUDback (Score:2)