
Fighting Claims That Open Source Is Insecure?

Cliff posted more than 7 years ago | from the ways-to-counter-the-fud dept.

Operating Systems

Lumpy asks: "Lately there has been a HUGE push by Certified Microsoft Professionals and their companies to call clients and warn them of the dangers of open source. This week I received calls from 4 different customers that they were warned that they are dangerously insecure because they run Open Source Operating systems or Software because 'anyone can read the code and hack you with ease' they are being told. Other colleagues in the area also have noticed this about 3 Microsoft Partners or so they claim have been going out of their way to strike fear of OSS in companies that respond with 'yes we use Open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies that will remain nameless, but how do I fix the damage caused by these sales tactics? I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"


84 comments

okay but... (0, Flamebait)

ILuvRamen (1026668) | more than 7 years ago | (#17067692)

But....it is insecure. You can go look up the source code and see exactly how it works and find a way to get around stuff really, really easily. All you have to be is a programmer. Any open source software that claims to be secure is only secure on the outside to non-programmers and there is some software like that but hackers, most of which are programmers, have no trouble finding security holes in open source stuff.

Re:okay but... (1)

udderly (890305) | more than 7 years ago | (#17067888)

Anyone who has physical access to a machine owns it, regardless of the operating system, hence the saying "if you've got boot, you've got root." Surely you're not saying that anyone with access to the source code can easily execute something on a remote machine. Have you never heard of firewalls, permissions and the like?

sadly, this is dying off (1)

davidwr (791652) | more than 7 years ago | (#17068072)

With DRM'd BIOSes, this may no longer be the case in 5 years.

I've got physical possession of my cable-box but if it is "properly" DRM'd there's no way for me to completely control it without alerting the Cable Company it's compromised and should be disconnected.

BTW, I think the FUDsters' points are that if the bad guy examines the source code and finds an exploit BEFORE the good guys find and fix the hole, then it's just as bad as a 0-day Microsoft attack. They go further and say half-truthfully that it's easier for the bad guys to find the exploit with the source code in hand. They neglect to say the good guys share the same advantage.

Re:sadly, this is dying off (2, Insightful)

dextromulous (627459) | more than 7 years ago | (#17068558)

BTW, I think the FUDsters' points are that if the bad guy examines the source code and finds an exploit BEFORE the good guys find and fix the hole, then it's just as bad as a 0-day Microsoft attack. They go further and say half-truthfully that it's easier for the bad guys to find the exploit with the source code in hand. They neglect to say the good guys share the same advantage.

Sure, but have you seen how a lot of bugs are being found lately? Fuzzing. You can fuzz both closed and open source software the same way. Sure, if you had the code for it, you could look at Joe Schmoe's web software and look for input validation bugs, and maybe find one after a while. Or, if it was closed source you could fuzz it and find a bunch of vulnerabilities you probably never would have thought of looking for.

My point is, insecure software is always going to be insecure, whether it is open or closed source, and don't let someone kid you into thinking that one has an absolute, inherent advantage over the other.
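The fuzzing point in the comment above, as an added example that is not part of the original thread: a deliberately unhardened parser for a small constructed record format, a hardened version of the same parser, and a mutation fuzzer that treats the parser as a black box (the way it would treat a closed-source binary) and needs nothing but one seed input. The record format, the parser code and the seed input are all constructed for this demonstration.

```python
import random


class ParseError(ValueError):
    """The parser's own rejection of malformed input; a fuzzer treats this as expected."""


# Constructed format: one count byte, then per field a length byte followed by
# that many bytes of 'key=value'. SEED_INPUT encodes {a: one, b: two}.
SEED_INPUT = b"\x02\x05a=one\x05b=two"


def parse_record(data: bytes) -> dict:
    """Unhardened parser: the count and length bytes are trusted as written."""
    if not data:
        raise ParseError("empty record")
    count, pos, fields = data[0], 1, {}
    for _ in range(count):
        length = data[pos]  # defect: no bounds check, IndexError on truncated input
        pos += 1
        field = data[pos:pos + length]  # defect: a short slice is accepted silently
        pos += length
        key, sep, value = field.partition(b"=")
        if not sep:
            raise ParseError("field without '='")
        fields[key.decode("ascii", "replace")] = value
    return fields


def parse_record_safe(data: bytes) -> dict:
    """Hardened parser: every read is bounds-checked and rejected with ParseError."""
    if not data:
        raise ParseError("empty record")
    count, pos, fields = data[0], 1, {}
    for _ in range(count):
        if pos >= len(data):
            raise ParseError("truncated before field length")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ParseError("field length exceeds record")
        field = data[pos:pos + length]
        pos += length
        key, sep, value = field.partition(b"=")
        if not sep:
            raise ParseError("field without '='")
        fields[key.decode("ascii", "replace")] = value
    if pos != len(data):
        raise ParseError("trailing bytes after last field")
    return fields


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: overwrite a byte, truncate, duplicate a slice, or insert a byte."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    elif op == 2 and buf:
        start = rng.randrange(len(buf))
        end = rng.randrange(start, len(buf) + 1)
        buf[end:end] = buf[start:end]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Black-box mutation fuzzing of `parser`.

    Returns {exception type name: first input that triggered it}. ParseError is the
    parser's documented contract, so only other exceptions count as findings."""
    rng = random.Random(seed)
    corpus = [seed_input]
    findings = {}
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        if len(candidate) > 4096:  # keep the corpus small; duplication can grow inputs
            continue
        try:
            parser(candidate)
        except ParseError:
            continue  # clean rejection, exactly what input validation should do
        except Exception as exc:  # unexpected failure: the kind of bug fuzzing excels at
            findings.setdefault(type(exc).__name__, candidate)
        else:
            if candidate not in corpus:  # accepted inputs become new starting points
                corpus.append(candidate)
    return findings


if __name__ == "__main__":
    for name, p in (("unhardened", parse_record), ("hardened", parse_record_safe)):
        print(name, fuzz(p, SEED_INPUT))
```

The fuzzer never reads the parser's source: it only needs a way to feed input and a way to tell a clean rejection from a crash, which is the same interface a closed-source binary offers. Against the unhardened parser it finds the unchecked index within a few hundred mutations; against the hardened parser every malformed input is a ParseError and it reports nothing.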

OT:"Only you can prevent" (2, Funny)

davidwr (791652) | more than 7 years ago | (#17068662)

Re: your sig-line: "Only you can prevent hotlinking. Well, you and mod_rewrite."

When read your post, this [tribalfusion.com] banner ad graced the top of the page.

Cosmic Coincidence or intelligent ad placement gone haywire?

Re:sadly, this is dying off (1)

turbidostato (878842) | more than 7 years ago | (#17069354)

"if the bad guy examines the source code and finds an exploit BEFORE the good guys find and fix the hole, then it's just as bad as a 0-day Microsoft attack"

And then you gave the answer. The key point is "as bad", as in "no worse". So in the worst case scenario you are "as bad", but no worse than, a 0-day Microsoft exploit.

On the other hand, if just one of the myriads of white hat hackers does find the bug in advance of the black hackers you are in a much better situation than in the 0-day Microsoft exploit case.

Now, ask yourself which scenario is more probable: the black hats winning the race against dozens of Microsoft developers in one case or against hundreds, if not thousands, of white hackers in the other?

Re:sadly, this is dying off (1)

pallmall1 (882819) | more than 7 years ago | (#17078178)

... it's just as bad as a 0-day Microsoft attack.

Not quite. With closed source (especially Microsoft), crack one and you've cracked 'em all. With open source development, many different packages are available to implement solutions for the required task. The availability of this diverse pool of highly customizable tools also allows the developer to tailor a fine garment to fit the user's requirements, while using closed source products is like buying an off-the-rack garment and telling the customer to "suck it in" so it will fit. Furthermore, one mannequin will fit all off-the-rack products made from the same pattern. It would require a custom made mannequin to fit the tailor-made suit. And because open-source solutions are made from individually customized components, the mannequin would have to also fit the shoes, belts, and other accessories.

That's why open source solutions as a whole are much more secure than closed source attempts.

Well clothed clients will get the idea.

Re:sadly, this is dying off (1)

rtb61 (674572) | more than 7 years ago | (#17079046)

Not to mention that M$ closed source ain't closed source as M$ has specifically given copies of the source code to major companies as well as most countries. Not only are the Chinese and Russian government included on the list of entities with copies of the source code but Chinese and Russian tech companies also have access to M$ source code.

Not that those entities have made any of the security holes they have found in their spy vs spy code scanning efforts, neither will they release any of the bug fixes or the 'er' unfixes that they have created.

So while entities of questionable ethics and integrity (after all, all spy agencies are government agencies designed to break other countries' laws) have access to both sets of source code, there are not a range of independent companies and individuals scanning the closed to public audit windows source code.

Makes you wonder what m$ has got to hide, after all they have copyright and patent protection. I guess the code must be such a mess that they are too embarrassed for the public to see it, as well as of course the somewhat more questionable code elements in windows that might not stand up to public scrutiny or approval.

Re:okay but... (1)

ILuvRamen (1026668) | more than 7 years ago | (#17074744)

what are you, retarded?! It goes like this. *reads the source code* oh look, here's a place in the program where a security flaw exists. *exploits it to hack someone in whatever way who's using the program* You seriously are retarded if you didn't realize that's what I meant because that's how hacking happens like 75% of the time. My php board got hacked cuz...well cuz it's php but still, it was badly designed open source crap that everyone can see the source code for. You can't possibly tell me that there's a program that exists with such perfect security that studying the source code wouldn't come up with a single security flaw at all!

Re:okay but... (1)

dextromulous (627459) | more than 7 years ago | (#17076312)

My php board got hacked cuz...well cuz it's php but still, it was badly designed open source crap that everyone can see the source code for.

Was there an update you didn't install, or was this one of those rare cases where it was hacked before the update was available?

You can't possibly tell me that there's a program that exists with such perfect security that studying the source code wouldn't come up with a single security flaw at all!

Newsflash: You don't need the source code to find security flaws, web applications included.

Re:okay but... (1)

budgenator (254554) | more than 7 years ago | (#17081422)

In all fairness, shared hosting ISPs are notorious for not applying PHP updates to their systems; there are so many poorly written PHP applications in use out there that one update or default configuration change can knock out a lot of customers.

Re:okay but... (1)

budgenator (254554) | more than 7 years ago | (#17081370)

Most PHP boards are pieces of crap, and most PHP boards are abandoned piles of steaming crap that are not only unmaintained, but are unmaintainable. There are also a few PHP boards out there that are not piles of crap, are actively maintained, are up to modern standards and secure. Even secure PHP boards are vulnerable when a 3 letter password stands between the website and the Evil(tm) haxors; a little due diligence can go a long ways here. When all else fails go to EvilHaxers.com and see which PHP board they use!

Re:okay but... (0)

Anonymous Coward | more than 7 years ago | (#17068376)

Holey fucking troll, batman! I'll bite though. It is not hard to find security holes in closed source "stuff" either. Ever wonder why every single closed source application is cracked and pirated? Reverse engineering software is easy. Finding bugs by fuzzing is way easier than finding bugs in the source code. Hell, finding bugs in a binary is often easier than finding them in the source code. Now use your fingers to eat your Ramen and stay the hell away from the keyboard. (At least you had the guts to not post AC, like I am, though :-P )

okay but, now the rest of the story (1)

budgenator (254554) | more than 7 years ago | (#17081188)

If memory serves me correctly, most of the source code for windows was splashed all over the internet not too awfully long ago; so those same evil(tm) haxors are going over M$ source code as well. If M$ is depending on security through obscurity, the problem is, they're not really obscure, therefore they're not secure.

REALLY simple answer (1)

zappepcs (820751) | more than 7 years ago | (#17067702)

Just tell them to wait till the new year to make a decision.... long enough for Microsoft's shiny new baby to show itself just as insecure, or even more so

Even simpler... (4, Informative)

rbochan (827946) | more than 7 years ago | (#17068344)

One word:
botnets [wikipedia.org]

Then you can explain how it's actually the closed source OS that is the [techweb.com] most [zdnet.co.uk] damaging [microsoft-watch.com].
Hell, just show them some apache logs that are still constantly being hit by things like IIS servers still infected with Sasser, years after it should have been eradicated.

Re:Even simpler... (1)

toadlife (301863) | more than 7 years ago | (#17070724)

"Hell, just show them some apache logs that are still constantly being hit by things like IIS servers still infected with Sasser, years after it should have been eradicated."

What do stupid admins who don't bother to patch their boxes have to do with the security of the OS they use?

I could show them the auth logs on my BSD router that shows owned linux boxes trying to brute force sshd every day, but that would certainly not prove that linux is insecure, would it?

Seriously, if people buy into the "open source less secure because the code is open" bullshit, they probably shouldn't be running any kind of server.
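The auth-log observation in the comment above (compromised machines brute-forcing sshd, visible every day in the logs) is the sort of thing a small detector can surface. As an added example that is not part of the original post: a parser for sshd "Failed password" lines in syslog format, a sliding-window counter per source address, and a few constructed sample lines. The hostname, process ids, timestamps and user names are constructed, and the addresses come from the TEST-NET ranges reserved for documentation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth log excerpt (syslog format, no real hosts or addresses).
SAMPLE_AUTH_LOG = """\
Dec  1 06:12:01 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec  1 06:12:03 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Dec  1 06:12:05 gw sshd[4103]: Failed password for invalid user oracle from 203.0.113.5 port 40124 ssh2
Dec  1 06:12:07 gw sshd[4105]: Failed password for root from 203.0.113.5 port 40125 ssh2
Dec  1 06:12:09 gw sshd[4107]: Failed password for invalid user test from 203.0.113.5 port 40126 ssh2
Dec  1 06:12:11 gw sshd[4109]: Failed password for invalid user guest from 203.0.113.5 port 40127 ssh2
Dec  1 06:40:00 gw sshd[4200]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Dec  1 06:40:12 gw sshd[4200]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Dec  1 07:05:30 gw sshd[4301]: Failed password for root from 203.0.113.77 port 3300 ssh2
Dec  1 07:25:30 gw sshd[4302]: Failed password for root from 203.0.113.77 port 3301 ssh2
Dec  1 07:45:30 gw sshd[4303]: Failed password for root from 203.0.113.77 port 3302 ssh2
Dec  1 08:05:30 gw sshd[4304]: Failed password for root from 203.0.113.77 port 3303 ssh2
Dec  1 08:25:30 gw sshd[4305]: Failed password for root from 203.0.113.77 port 3304 ssh2
"""

# Matches the failure lines sshd writes for password and public-key rejections.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text: str) -> list:
    """Return (timestamp, source ip, user) for every authentication failure line."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # successes and unrelated daemons are ignored
        # syslog timestamps carry no year; strptime's default year is fine for ordering
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 600) -> dict:
    """Flag a source address once it has `threshold` failures inside any `window_seconds` span.

    Returns {ip: {"failures": total count, "users": sorted user names tried}}."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window's left edge forward until it fits within window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
```

With the defaults, 203.0.113.5 (six failures in ten seconds, cycling through common account names) is flagged, and alice's single typo followed by a successful key login is not. The third source, one root attempt every twenty minutes, stays under the ten-minute window; widening the window to a couple of hours catches that low-and-slow pattern, at the cost of more noise from legitimate users who mistype a password a few times a day. Whichever host's logs these are, the detector says nothing about which operating system is on the attacking end, which is the commenter's point.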

Re:Even simpler... (1)

AmigaBen (629594) | more than 7 years ago | (#17071570)

Seriously, if people buy into the "open source less secure because the code is open" bullshit, they probably shouldn't be running any kind of server.

Well, there's a good realistic suggestion for him!

well... (1)

jimstapleton (999106) | more than 7 years ago | (#17067784)

you said the solutions work well with minimal expense. I would start with telling them to use the evidence in front of their own eyes. Next I would also mention that they have "only the word" of the people pushing the anti-open-source views also. Remember: Just because you can see the source doesn't mean the bugs (which are necessary for exploits) exist.

Aside from that, google for security comparisons for the open source solutions you promote and their competition.

Re:well... (2, Informative)

casings (257363) | more than 7 years ago | (#17067992)

saying that software is 100% bug free, or not exploitable is a complete fallacy.

all software has bugs in it, there is no such thing as a completely secure application.

the point of open source software is the more eyes you have looking at code, the easier it is to find and patch these bugs...

the problem with closed source software is that the bugs aren't easily as found, and certainly not easy to patch, especially since only few have access to the source. So while the bugs exist, they go unfound, generally found first by some obscure hacker who may or may not have the best intentions.

To answer the articles question you have to point out the shortcomings of all programs, and that for ever malicious hacker scanning source code to determine flaws in any given open source project, there will most likely be any number more of benevolent people trying to stop him.

Re:well... (1)

jimstapleton (999106) | more than 7 years ago | (#17068570)

I didn't mean that open source has no bugs - I meant to say that they are more rare, for the reasons you mentioned. At least, in the security department, when security matters.

Re:well... (1)

dextromulous (627459) | more than 7 years ago | (#17068656)

the problem with closed source software is that the bugs aren't easily as found, and certainly not easy to patch, especially since only few have access to the source. So while the bugs exist, they go unfound, generally found first by some obscure hacker who may or may not have the best intentions.

Or worse, if your vendor won't release news (or a workaround) of a bug until there is a patch. If they don't put out a patch for a few months, you're not only SOL, you don't even know it!

Re:well... (3, Informative)

The_Wilschon (782534) | more than 7 years ago | (#17072882)

all software has bugs in it, there is no such thing as a completely secure application.

Not so. Computer code can be proven to be correct according to a specification. Now of course this is prohibitive in effort on any kind of large or even medium scale, and furthermore you would have to not only prove your code, but also libc, the kernel, the cpu microcode, the bios, any firmware, the physical design of the motherboard, etc. However, if you do prove both your code and the platform it is running on, and the specification doesn't have any security problems (sometimes easy to establish, sometimes not), then you have a completely secure application.

You might say, yes yes, I know about all that, but you can't actually do that in practice. I would bet, though, that some of the early electronic calculators were proven correct. The people making them in the very beginning were probably interested in such things. Perhaps some apps running on MIT LISP machines were also proven (LISP is easiest to prove, and the MIT AI lab people are the type to do it), although in this case it is unlikely that the entire platform up to the app was also proven. So it is not so cut and dried as to allow you to say that there are no completely secure apps. Reasonable, useful apps today, probably none are completely secure, since I doubt that any kernels are completely secure if for no other reason. But nonetheless, it is possible to have 100% bug free, 100% secure software.

Re:well... (2, Insightful)

Nevyn (5505) | more than 7 years ago | (#17073256)

saying that software is 100% bug free, or not exploitable is a complete fallacy.

all software has bugs in it, there is no such thing as a completely secure application.

Yes, and no. You can't make "bug free" software, because one person's feature (or lack of) is another's bug. However, I believe, you can make secure (read: no remote exploits) software. That's a much smaller scope you have to defend against, and it's mostly testable. Also multiple people have done it [and.org], or claim to have done it ... including myself [and.org].

Re:well... (1)

segin (883667) | more than 7 years ago | (#17087020)

I can write a program that has no bugs:
int main() { for(;;); }
See? It does EXACTLY as intended no matter what - loop around and eat up CPU time!

and "commerciall" solutions are more secure. why? (1)

martin (1336) | more than 7 years ago | (#17067814)

I see an interesting article [theregister.com] on the reg about vulnerabilities in commercial software.

And why is any solution more secure than any other..???

Open source use (4, Informative)

pubjames (468013) | more than 7 years ago | (#17067840)

I think one of the most powerful ways to demonstrate open source is to show people how much they are using without even knowing it.

On a couple of occasions I've spoken to IT people who have said things like "we'd never touch open source because..." and then I've been able to point out multiple ways they use it without realising it. If they use google, if they use email, if they use many websites, then they're using open source software. Many bits of hardware contain open source code (wifi boxes for instance). Many companies are using Apache for their web sites without realising it.

Another good argument is just to spout off a list of Fortune 500 companies who use open source to run their websites. "it's secure enough for IBM, but not secure enough for you?" is the type of argument that's difficult to counter. Very often they just don't know much about it.

The problem you have to fight in people who say things like "open source is insecure" is their ignorance.

Re:Open source use (0, Insightful)

Anonymous Coward | more than 7 years ago | (#17068194)

If they use google, if they use email, if they use many websites, then they're using open source software.

If someone who would be persuaded by that line of reasoning (which doesn't even make sense even if accessing Google really were "using open source software") is in charge of security, open/closed source is the least of their problems.

Re:Open source use (2, Insightful)

pubjames (468013) | more than 7 years ago | (#17068398)

If someone who would be persuaded by that line of reasoning (which doesn't even make sense even if accessing Google really were "using open source software") is in charge of security, open/closed source is the least of their problems.

The point is that we are surrounded by open source usage, and we're all directly or indirectly using it all the time. It's everywhere and many of the biggest, most dynamic companies in the world (Google for instance) are using it, often in their core business. So why aren't we seeing all this evidence of real problems with open source security breaches? Why are all the problems with Windows? Let's face it, the reality is that virtually all viruses, for example, would be more accurately called "Microsoft viruses", because it is security flaws in Microsoft software they exploit. The same goes for worms. So the IT guy counters "but Microsoft software is everywhere and that's why it gets exploited". My central argument is that actually, open source software is also everywhere, even if you don't realise it, and it suffers much fewer security problems.

Re:Open source use [OT] (1)

metalcup (897029) | more than 7 years ago | (#17069900)

why has the parent been modded troll? How is pointing out a possible loop in logic a troll? Mods - what ARE you smoking!!?

Re:Open source use (1)

RAMMS+EIN (578166) | more than 7 years ago | (#17076922)

``The problem you have to fight in people who say things like "open source is insecure" is their ignorance.''

That, and the fact that people don't like to be confronted with their shortcomings. So they may be ignorant, they may be wrong, they may even know it, but that doesn't mean they'll admit it and do the Right Thing.

OSS is NOT made only by amateur volunteers! (1)

hadaso (798794) | more than 7 years ago | (#17078730)

Many think of OSS as something created by hobbyists for fun and do not realize that many of those "volunteers" are programmers fully employed by companies like IBM, Novell, Sun, Red Hat, Oracle, etc. etc. etc. that have realized that they don't have to do EVERYTHING in house but they better cooperate on some things and compete on others. They invest by dedicating programming resources that they "contribute" to the public, but this is based on a business decision that it is more cost effective to share their resources with other companies and restrict competition to areas in which they are better than the others.

The consequence is that every major OSS software package undergoes the scrutiny of many of these companies that have to verify they are good enough to be bundled with their offerings, unlike closed source software that is only verified by whoever wrote it and sells it (that BTW has more interest in not letting the problems surface than in actually avoiding them).

Security through obscurity is no security at all (4, Interesting)

TheWoozle (984500) | more than 7 years ago | (#17067882)

Ask your customer a simple question in reply:

Does the fact that closed source software hides its defects mean that it doesn't have any defects?

Or, how about the really important one:

Would you rather be at the mercy of your vendors to disclose (against their own self-interest) and fix security issues (on their own timetable); or would you rather have a multitude of people, who are dedicated to the values of openness and transparency, constantly striving to keep open source software as secure as possible?

Re:Security through obscurity is no security at al (3, Insightful)

KermodeBear (738243) | more than 7 years ago | (#17068054)

You can also make an analogy to government using the parent's ideas. Would you rather have an open, transparent government where you can inspect each and every process or would you rather have a closed, secretive government where anything can happen without your knowledge?

Re:Security through obscurity is no security at al (1)

lawpoop (604919) | more than 7 years ago | (#17070812)

This sounds like a typical geek answer that sounds ridiculous to a non-geek.

"We brought this guy in here to discuss the security of our software, and now he's ranting about the government!?"

Re:Security through obscurity is no security at al (1)

The_Wilschon (782534) | more than 7 years ago | (#17072980)

Problem with that is that there are so many people today who think "OMG TER'RISTS!" and decide that since the government has told them that being more closed will help them fight terrorists, the government should be more closed. So you'd have to know who you were talking to pretty well before deciding to use that argument.

Re:Security through obscurity is no security at al (3, Insightful)

turbidostato (878842) | more than 7 years ago | (#17068998)

"Ask your customer a simple question in reply:
Does the fact that closed source software hides its defects mean that it doesn't have any defects?"

To attain exactly, what?
Just to follow your argument, here comes the obvious answer to your "counter-question":

Of course closed software has its defects. But then, its defects are hidden, aren't they? So they are obviously more difficult to exploit, and I prefer to have software whose defects are difficult to exploit rather than software which is easy to exploit. I'm questioning my confidence in your ability to get things done if I have to explain such an obvious thing to you!

"Would you rather be at the mercy of your vendors to disclose (against their own self-interest) and fix security issues (on their own timetable); or would you rather have a multitude of people, who are dedicated to the values of openness and transparency, constantly striving to keep open source software as secure as possible?"

Hummm... at the end of the day, a USA corporation may be held legally liable. Do you really expect me to try to recover damages from a stinky teenager deep in Soviet Russia (where teenagers stink you) that happened to develop some seemingly cute software in his spare time?

No, the answer has already been given. If they really are paying attention to such stupid arguments like those from 'M$ drones', they are ignorant about these issues, and the best course of action is to enlighten them in such a way that they can understand:

Look at IBM: they extensively use open source and it seems they are not going into bankruptcy anytime soon.
Look at Google: they critically use open source, they have an astounding computer-base all around the globe and still it doesn't seem like they are hacked every day, does it?

You can ask a question *then*:
Look at IBM or at Google, or at almost every Fortune 100 out there; they do well using open source. Don't you find it suspicious that the only ones pesting about open source are companies (Microsoft and its VARs) that *would* go bankrupt if open source took the computer world for a raid?

Re:Security through obscurity is no security at al (1)

Marcus Green (34723) | more than 7 years ago | (#17079176)

"Hummm... at the end of the day, a USA corporation may be held legally liable. Do you really expect me to try to recover damages from a stinky teenager deep in Soviet Russia"

As opposed to the enormous success corporations have had in recovering damages from major commercial software vendors?

Re:Security through obscurity is no security at al (1)

turbidostato (878842) | more than 7 years ago | (#17079456)

"As opposed to the enormous success corporations have had in recovering damages from major commercial software vendors?"

Since this FUD campaign seems to be gaining some success, it is obvious it is not a matter of facts, but a matter of perceptions. The ignorant one that pays on the arguments of Microsoft's marketroids certainly will try the 'liability argument', so you better avoid that field.

Re:Security through obscurity is no security at al (2, Insightful)

Intron (870560) | more than 7 years ago | (#17072512)

Better questions would be:

Where are the articles about companies losing data due to defects in OSS?

Now where are the articles about IE (for example)?

Once they compare them, they will see the light.

fighting FUD, when FUD is not FUD (3, Informative)

davidwr (791652) | more than 7 years ago | (#17067916)

"'anyone can read the code and hack you with ease'"

Likewise, anyone can read the code and repair it with ease.

High-profile projects run by responsible people will benefit from the "many eyeballs" approach and be better quality than if they were closed-source run by a team of a few or dozens of people.

The FUDsters do have a point when it comes to out-of-date or low-profile software:

If an adversary knows YOU run last-year's version of apache or that you run some obscure open-source database on your web site, they can find and exploit bugs that are either already fixed or that nobody else is looking for.

The moral of the story:
1) Stay current with security patches
2) Hide what you use from the adversary. If they don't know you run ObscureWebServer 1.0, they don't know to try attacking it first. Keep them guessing.
3) Make sure the official vendor/caretaker takes reports of security breaches seriously and is willing to consider patches from the community

above all,

4) Don't depend on your software's security to protect your assets. Make sure you have good backups. Train your employees against social engineering attacks.

Security is but one of many factors that go into the open/closed source decision.

For me, two of the biggest factors are:
1) if the product is abandoned or sunsetted, I can maintain it myself or hire someone to maintain it
2) If I don't care about paid-for support, I can use the product on as many machines as I want without worrying about "product activation" or getting sued.

Re:fighting FUD, when FUD is not FUD (1)

brass1 (30288) | more than 7 years ago | (#17068986)

The FUDsters do have a point when it comes to out-of-date or low-profile software:

If an adversary knows YOU run last-year's version of apache or that you run some obscure open-source database on your web site, they can find and exploit bugs that are either already fixed or that nobody else is looking for.


That's no different than a site running Windows 2000, or IIS 1.1 on their website. This point also holds true for closed source as well as open source. The intent is to differentiate between closed and open source, but that fails on this point.

I've found that the best way to approach this issue is by using the academic argument. In academia, researchers write papers, get them reviewed by their peers, published, then reviewed some more. This is how we build institutional knowledge in our society. Open source is software that has built-in peer review. Closed source software has no peer review. It's like someone holding a press conference to announce they've cured cancer, but they won't tell anyone how they did it. Would you believe someone who told you he's cured cancer but can't tell you how? You'd believe him if he told you he's cured cancer AND he had a copy of an AMA journal with his paper on the topic.

I also find that doing things like pointing to Netcraft measurements, WHILE telling the customer how much they'll be paying in licensing and consulting fees to rent their software if they decide to switch, works wonders. Those Microsoft sales types generally forget to mention that Microsoft actually expects people to pay them money in exchange for using their software.

Re:fighting FUD, when FUD is not FUD (2, Insightful)

tacocat (527354) | more than 7 years ago | (#17069320)

Rather than going through all this debate (de-bait?)...

I like the point of Past Performance and the special interests that Microsoft has in telling you the other software is "bad"

BTW -

Apple is based on Open Source.
SUN Solaris 10 is Open Source (mostly?)
IBM has chosen to grant much of its invested IP to Open Source

If that doesn't convince them even a little bit then you might just consider one of your two remaining options:

Quote how much it would cost in new servers and software for converting to 100% Windows. And you should probably budget all the security software and patches along with the article about how even Ballmer can clean a desktop computer.

Punch them in the head and call them stupid.

But try the last one after everything else fails.

Three out of Four is Okay. (1)

triso (67491) | more than 7 years ago | (#17078414)

...
The moral of the story:
1) Stay current with security patches
2) Hide what you use from the adversary. If they don't know you run ObscureWebServer 1.0, they don't know to try attacking it first. Keep them guessing....
Point 2 is just a variation of security by obscurity. Since a simple port scan can identify your software and its version number, this point can be ignored.

Re:Three out of Four is Okay. (1)

Hydroksyde (910948) | more than 7 years ago | (#17078988)

You clearly have no clue what you are talking about.

Firstly, you seem to be misinformed about what a port scan is. A port scan will only tell you which ports are open (or filtered or closed). While it's possible to guess which services are running by assuming any open ports are running their IANA-assigned services, this isn't necessarily the case. It is possible for some port scanning software to guess which operating system you are running by comparing its behavior with existing data, but this isn't necessarily accurate. And knowing which operating system the target is running is only the beginning. Sure, that Windows server may be running Exchange and IIS, but it may be running MDaemon and Apache instead.

Secondly, what I suspect you may be talking about is banner grabbing. Banners can be changed easily, especially with open source software.

Many people don't seem to understand that "There's no security through obscurity" is not a blanket rule for every situation. In certain situations, while obscurity shouldn't be totally relied upon, it can be beneficial. While an open source project may benefit from its openness, if many people examine the code, the same cannot be said for, for example, the individual machine belonging to Martech IT Ltd. An individual server is just as likely (or even more so, as penetration testers risk prosecution when reported) to be examined by a black hat as a white hat.

While it would be unwise to run a web server with known exploits and change the banner in order to (hopefully) prevent attacks, if you run a web server with no known exploits and change the banner, then if a vulnerability is discovered it will be less obvious to an outsider that the server is vulnerable.

Re:Three out of Four is Okay. (0)

Anonymous Coward | more than 7 years ago | (#17080308)

I believe some port-mapping software (notably, nmap) includes methods intended to guess what software is running on the remote system, including version number, by investigating how it responds to various quirky/non-standard requests.

E.g., if Software A, upon a particular non-standard request, closes the connection after 250 ms, while Software B (or version B of Software A) closes the connection after 125 ms, this could possibly be used as a test to eliminate the possibility of either Software A or Software B. (If the protocol is standardized, you would either be testing nonstandard behaviour in one or more of the protocols, or examining the actual implementations of "undefined behaviour".)

However, it's obvious that these methods aren't always accurate, so it's clearly false that "a simple port scan can identify your software and its version number".

Disregarding all aspects of security through obscurity is a sound principle when evaluating e.g. cryptographic protocols, but it is unnecessarily harsh when evaluating a practical implementation of a closed security system in which it is used as a layer.

(If I had a choice between running a web server I presumed to be relatively secure and displaying its version number openly, and running a web server I presumed to be relatively secure and hiding its version number, I would choose the latter as marginally more secure. Obviously, however, if a vulnerability is discovered in a version of the web server and a patch is released, people will try to exploit even the server with the hidden version number, and if that server is unpatched, the exploit will work: in other words, hiding version numbers is no excuse for not being quick to patch one's systems.)
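As an added example (not code from any poster in this thread), a small Python audit that takes service banners and reports which ones disclose a product version, the kind of self-check behind the "hide the version number" advice above. All banners and hostnames are constructed; nothing here is captured from a real host.

```python
"""Audit service banners for product/version disclosure (constructed samples)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (service, product, version)

# Matches "Product/1.2.3", "Product_1.2" or "Product/v1.2" inside a banner value.
# The version must contain at least one dot, so bare build numbers are ignored.
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.+-]*?)[/_]v?(\d+(?:\.\d+)+)")

# HTTP response headers that commonly carry product names and versions.
HTTP_DISCLOSING_HEADERS = ("server", "x-powered-by")

# Constructed sample banners, labelled -> (service, raw banner text).
SAMPLE_BANNERS: Dict[str, Tuple[str, str]] = {
    "web_default": ("http",
        "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix) PHP/5.1.6\r\n"
        "Content-Type: text/html\r\n\r\n"),
    "web_hardened": ("http",
        "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"),
    "ssh_default": ("ssh", "SSH-2.0-OpenSSH_4.3\r\n"),
    "ssh_hardened": ("ssh", "SSH-2.0-OpenSSH\r\n"),
    "mail": ("smtp", "220 mail.example.test ESMTP Postfix\r\n"),
}


def _http_header_values(banner: str) -> Dict[str, str]:
    """Return header name (lower-cased) -> value for the first HTTP response."""
    headers: Dict[str, str] = {}
    lines = banner.splitlines()
    for line in lines[1:]:          # skip the status line ("HTTP/1.1 ..." is not a product)
        if line.strip() == "":      # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def find_version_disclosures(service: str, banner: str) -> List[Finding]:
    """List (service, product, version) triples a client could read from the banner."""
    service = service.lower()
    findings: List[Finding] = []
    if service == "http":
        headers = _http_header_values(banner)
        for name in HTTP_DISCLOSING_HEADERS:
            for m in VERSION_RE.finditer(headers.get(name, "")):
                findings.append((service, m.group(1), m.group(2)))
    elif service == "ssh":
        # RFC 4253 identification string: "SSH-protoversion-softwareversion [comments]".
        # The softwareversion field is mandatory, but its content is chosen by the
        # implementation, so only that field is inspected (never the protocol version).
        first_line = banner.strip().splitlines()[0] if banner.strip() else ""
        parts = first_line.split("-", 2)
        if len(parts) == 3:
            for m in VERSION_RE.finditer(parts[2]):
                findings.append((service, m.group(1), m.group(2)))
    else:
        # Other text protocols (SMTP greeting, FTP welcome, ...): scan the whole banner.
        for m in VERSION_RE.finditer(banner):
            findings.append((service, m.group(1), m.group(2)))
    return findings


def audit(banners: Dict[str, Tuple[str, str]]) -> Dict[str, List[Finding]]:
    """Run the disclosure check over every labelled banner."""
    return {label: find_version_disclosures(svc, text) for label, (svc, text) in banners.items()}


def disclosing_services(results: Dict[str, List[Finding]]) -> List[str]:
    """Labels whose banner reveals at least one product version."""
    return [label for label, findings in results.items() if findings]


if __name__ == "__main__":
    report = audit(SAMPLE_BANNERS)
    for label, findings in report.items():
        status = "discloses " + ", ".join(f"{p} {v}" for _, p, v in findings) if findings else "no version shown"
        print(f"{label:14s} {status}")
    # A hidden version only narrows what a scanner learns from the banner; it is
    # no substitute for patching, as the comment above already points out.
```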

Security design (2, Informative)

iainl (136759) | more than 7 years ago | (#17067924)

Open Source knows the source is going to be open. So the security model starts from knowing that will be the case.

Closed Source security thinks that no-one else knows what is in there. THINKS being the operative word. Maybe they've worked on that assumption, and just obscured the holes rather than fixed them. Maybe they've left some deliberate backdoors, on the grounds that no-one else knows they are there. Possibly not, but you don't know that.

The MS people are correct to say that it is easier to construct an exploit for one category of security hole if you've got the source. But that means that those sorts of holes don't get built in the first place.

cmp? wtf! (0)

Anonymous Coward | more than 7 years ago | (#17067984)

certified microsoft professional?

hahahahahahaha

hahahaha

hahahahahaha

har...

Analogise (1)

Phil246 (803464) | more than 7 years ago | (#17068024)

Put it in terms they will understand, i.e. open source is like building a house and letting lots of eyes look at it for ways a thief can get in. Any holes that get noticed will get sealed with bricks. Closed source is like building a house, then blindfolding you when you want to look at it - so you don't notice the large hole in the wall and the people getting in and out through it.

Yeah right ... (1)

spellraiser (764337) | more than 7 years ago | (#17068040)

This logic assumes that the bad guys are smarter than the good guys and are much better at finding vulnerabilities in code ... or that they can do this faster than the good guys can fix them. It's so damn stupid and easy to refute, and it has been refuted numerous times.

The only thing that closed source does is to create a false sense of security ... 'they can't see the code, so they can't find vulnerabilities'. This completely ignores other methods such as reverse engineering and just plain stubborn testing around until you find something exploitable. Closed source also means that you have a small team of people who can see the code and review it for flaws, vs. an aforementioned horde of bad guys who are finding flaws via other means.

It's a shame that some people are confused by such obvious scare tactics and deliberate befuddlement. It's also a shame that this completely clouds the issue of what constitutes real security in software.

Pathetic crap.

I find what Adobe said yesterday much more interes (2, Informative)

chroot_james (833654) | more than 7 years ago | (#17068048)

I find what Adobe said [linux.com] about software development for Linux simply being hard more interesting than the security question. My experience has been that most people expect any platform to not be as secure as they'd like the same way they've expected their computers to not be as stable as they'd like. The thing they need is good software and now Adobe is pointing out that writing and maintaining software for Linux is difficult because, despite some good efforts, there still is no standard definition for what a linux system is or contains...

Re:I find what Adobe said yesterday much more inte (1)

turbidostato (878842) | more than 7 years ago | (#17069154)

"and now Adobe is pointing out that writing and maintaining software for Linux is difficult because, despite some good efforts, there still is no standard definition for what a linux system is or contains..."

Well, Apache Software, MySQL AB, Postgres folks, KDE Team, Gnome fanboys, Mozilla Foundation... they all don't seem to find writing and maintaining software for Linux (and *BSD, and quite some different Unix flavours) to be so terribly difficult, so maybe Adobe's efforts are not so good after all, despite what they say...

Re:I find what Adobe said yesterday much more inte (1)

doshell (757915) | more than 7 years ago | (#17071358)

I think the problem is that companies like Adobe still haven't realised "Linux" isn't a single entity. They have to regard different Linux distributions as different (even though similar) targets for their software -- instead of trying to release a "compatible with all Linux distributions, even if we have to include all required libraries instead of using those of the host system" package, which unfortunately is often the case.

As a related note, I don't buy the "standard package manager for Linux" argument. I think in the long run it would be more harmful than beneficial because it would get in the way of developers and users alike. Just like with everything else in Linux, choice is good, and I would rather not trade the ability to make that choice for the convenience of companies that deploy Linux software (besides, I'm sure that if they don't want to do separate packaging for all Linux distributions, the distribution maintainers would be happy to do it themselves...)

Microsoft sales reps are ruthless. (3, Informative)

NullProg (70833) | more than 7 years ago | (#17068068)

I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security.

Try IBM,
http://www-1.ibm.com/linux/opensource/ [ibm.com]
Download some of the report PDFs and send them to your clients.

This week I received calls from 4 different customers that they were warned that they are dangerously insecure because they run Open Source Operating systems or Software because 'anyone can read the code and hack you with ease' they are being told.

I'd have your sales rep call your clients and let them know that your company shares their concern. At the same time remind them of SQL Slammer, Code Red, Melissa, Blaster, etc. Point out all the other companies using OSS products, Google, Wall Street, etc.

Of course I'm just a programmer, so take my comments with a grain of salt.
Enjoy,

Fighting Claims that Open Source IS Insecure" (0)

Anonymous Coward | more than 7 years ago | (#17068108)

Fix that title!
I think Slashdot needs an editor.
(or is it already oh-beer-thirty for Zonk?)

Your answer lies in them thar' internets (2, Informative)

internewt (640704) | more than 7 years ago | (#17068150)

The fountain of knowledge that is Wikipedia has this article, http://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar [wikipedia.org] , which is interesting. It's an essay/book about open source development, and there is a link to the full text in the WP article. There's a chapter about why open development is good (from a quick look at the text), and I know I've read similar-minded texts on sites like gnu.org and fsf.org, but was unable to find them. I think Cory Doctorow has written some good articles about secrets and the management of them, but I think his are more DRM musings, though the same principles apply to proprietary software vs. open software.

Articles about why SSH etc. are secure, even though their inner workings are wide open to the world, may be helpful too.

open source is not 'no source control' (2, Insightful)

192939495969798999 (58312) | more than 7 years ago | (#17068230)

A lot of this centers around that because the source is exposed, anyone could exploit it for flaws.

Consider which is less secure, a project whose source is always available, or a project whose source suddenly becomes available? I would guess that since Microsoft has never officially had its source be in the hands of hackers, there are TONS more exploits there that if you did see the source, you would easily find. Since OSS is always visible, people are quick to point out and fix various holes. This is a much more effective way to manage source control, since any fixed number of people can only read so much into a massive body of source code.

Also, not anyone can modify the actual gold master source for an OSS project, so it's not insecure in that way.

bank vault example (2, Interesting)

192939495969798999 (58312) | more than 7 years ago | (#17068360)

Here's an example with bank vaults. Suppose I have two identical looking bank vaults, one showing the schematic and one hiding it. Which one can you exploit more easily? The vault showing the schematic has nothing to hide... if it's secure, then seeing the schematic doesn't make getting through a foot of steel any easier. However, the one not showing the schematic might have reason not to show it from a security standpoint, i.e. that little screw in the back of the vault, that if you just were to unscrew it, you could break in. Whether the system is strong or weak, open source will expose that. So from a security standpoint, your system's strength doesn't lie in its obscurity, it lies in your ability to disclose exactly what it is doing and still not be compromising its security.

Strong security discloses the facts, i.e. : "here's the pile of money, and there's the guy that will shoot you if you try to take the money."

Anyone can fix it! (1)

mutterc (828335) | more than 7 years ago | (#17068428)

Open source is more secure given an equal number of bugs, and probably has fewer bugs. Here's why:

Scenario: A piece of software contains some exploitable bug.

Closed source software: Bad guys reverse-engineering the code probably find the bug before it is found by the general public (the only other possibility is that it's found and fixed by the vendor's QA). It becomes known after it starts getting exploited in the wild. People notice they're getting hacked, put pressure on the vendor. The vendor needs to pull some programmer(s) off of the next version to investigate and fix the bug, then roll out a patch. They will resist this as long as possible, because to them it's a pure cost (and may impact The Schedule of the next release).

Open source software: Bug may be caught by bad guys reviewing the code, or by good guys reviewing the code. Once caught, and brought to the attention of the public, whoever is motivated can make and distribute a fix. In practice, this leads to patches being available very quickly.

The other dimension: Open Source software probably has fewer exploitable bugs.

Anyone with some experience in software development (not necessarily even as a programmer) can easily see why: Open Source projects never need to rush out a release to meet quarterly-revenue targets or arbitrary market windows.

Re:Anyone can fix it! (1)

turbidostato (878842) | more than 7 years ago | (#17069226)

"Open Source projects never need to rush out a release to meet quarterly-revenue targets or arbitrary market windows."

Just tell that, i.e., to Red Hat Inc.

Re:Anyone can fix it! (1)

mutterc (828335) | more than 7 years ago | (#17070880)

Good point, though in their cases, the part that gets the commercial treatment is usually a small part of the product, rather than the whole product, mitigating the effect.

To take a random example, RedHat creates kernel patches for various purposes. Those kernel patches are subject to most of the usual commercial-development pressures I mentioned, so they don't get the usual open-source quality boost. (I don't actually know if they're good or bad quality; let's for the sake of discussion assume the worst case, that they're shoddy on the usual scale of commercial off-the-shelf software).

That's only true at release time, though. As the patches enter the community and live on, they can be improved by the community, asymptotically approaching open-source quality.

Also, the base product does have the open-source quality boost. In a pure closed-source product, the whole product has been subjected to these commercial pressures throughout its lifetime, so the overall product quality will be less.

Re:Anyone can fix it! (1)

turbidostato (878842) | more than 7 years ago | (#17079486)

You don't need to explain that to me. I was just taking the 'devil's advocate' role.

And you cannot have it both ways: you either explain that properly chosen open source software can be as "corporative" as any privative one, in which case your "no commercial pressure" doesn't hold water, or you try to go with the "no pressure" argument and the next thing you will be told is that if there's no commercial pressure, it's because such software is developed by pimply teenagers in their basement.

So, all in all, I find it better to avoid the issue entirely and concentrate on "perceptions" that the ones who accept this kind of "FUD marketing campaign" cannot negate: i.e. the "but IBM uses it and they surely know better" argument or the "but Google is really an extremely wide open source software base spread around the world and they don't get cracked" one.

If you want to be substantive (3, Interesting)

hey! (33014) | more than 7 years ago | (#17068494)

then simply note that the assumption being made is that all software is flimsy. The point of open source is to subject software to examination so that it is strengthened.

Here's a good analogy. If I walk into my local bank branch, I can see the bank vault behind the tellers. The massive, foot thick steel door stands wide open, and if you look, you can see the network of gears and lever bars that are needed for a person of ordinary strength to drive home the dozen massive two inch hardened steel bolts that secure the vault when locked.

Now, the design of the door mechanism might be useful information for me if I wanted to break into the vault. The bank is placing this information in full view in part to reassure its customers. But it also deters people like me from even trying. Yes, it reveals potential vulnerabilities, but on balance the message to me is that there are more practical ways to make a buck.

Being confident enough to expose your vulnerabilities is a good sign, not a bad one.

Hiding vulnerabilities is not a sign of strength. If the customer can't see for himself or through an agent that a piece of software is secure, why bother making it secure? And hiding source code doesn't hide vulnerabilities. A burglar can make use of floor plans if he has them, but not having floor plans is no deterrent. Furthermore, unlike you, hackers can reverse engineer the source code, so the only party left in the dark is you.

Here's a good question to ask: has the software vendor subjected his product to a responsible and independent third party security audit? Why not? Companies disclose source code all the time under NDA, so there's no risk there. And it isn't expensive in the grand scheme of things, unless the audit reveals the software to be so insecure the vendor has to throw a lot of it out.

Who Uses Open Source? (1)

KermodeBear (738243) | more than 7 years ago | (#17068546)

I would give your clients a list of other companies that rely on open source software. There is a good (but outdated) list of companies [mtechit.com] who use Linux, for example. That's just the OS. What about, for example, companies that use open source scripting languages (Like PHP, Perl, Python, etc.), open source databases (MySQL, PostgreSQL, Firebird, etc.), and open source web servers (Apache, LightHTTPd, etc.)?

Many companies rely on open source; Cisco, Google, Yahoo, even the US Military [theregister.co.uk] . Yeah, the "if it is good enough for them, it is good enough for me" argument isn't necessarily a strong one, but it does make a point. These companies are putting a lot of money - and in the case of the military, lives - at risk, so you know they are going to want to use the BEST product available.

OSVDB (2, Informative)

Jerf (17166) | more than 7 years ago | (#17068720)

Along with any number of other good answers, I'd also point out that Microsoft has a very poor security track record and is hardly in a position to be making ominous threats about other people's security.

Here's a search for "Microsoft" on the Open Source Vulnerability Database [osvdb.org] . ("Open Source" here refers to the nature of the database, not covering only open source products.) Pop in any other large closed-source vendor you can think of and you'll find something. ("Oracle" is another personal favorite. It may have "Enterprise-class" performance, which I can't vouch for either way having never used it, but it sure doesn't have "Enterprise-class" security.)

I think the main problem with the implied argument is that you don't need source code to find security vulnerabilities (in fact it might not even be helpful given the other cracking techniques you can use), but you do need it to fix them, with rare exceptions.

Who do you trust? (1)

dpilot (134227) | more than 7 years ago | (#17068994)

With open source, as others have said, the source is out there - for anyone to fix or exploit. At the same time, there are well-known people who are discussing open source security, there are well-disclosed flaws and fixes. There is a process and it gives every appearance of working most of the time. Moreover, its operation is generally transparent so we can see when it works and when it doesn't. When it doesn't work, we can also see people upset and trying to fix it.

Back to those well-known people... About the only Linux Luminary I've met in person is John Maddog Hall, and I have a friend who has submitted a kernel patch. But I've read enough by some of the others to know something about them, and to appreciate them as people. At the very least, I feel I can trust the combination of these people and an open process certainly more than my own code security audit capability. As long as the source is open, and these people are doing the things that they've been doing, it gives me some comfort on the software.

Contrast that with closed source...
The authors of closed source software are generally "top men" like the ones who are in charge of the Ark of the Covenant at the end of "Raiders of the Lost Ark." Won't name anyone, but you are assured that they are, "top programmers." Even if you do find some names, for the most part since the process itself is not open, you know nothing about the people, unless they've authored articles you've read.

Who are these people? On what do I base my trust?

Plus I've also seen enough of corporate practices to know that some of that software may not even have a maintainer. The old guy left, his manager has a new mission with high visibility from above, and just hasn't had time to backfill, may not have even known that the old guy was doing this, etc, etc.

it's not about open versus closed source... (1)

Ximogen (1033274) | more than 7 years ago | (#17070082)

it's not even about Windows versus Linux (or Netware, Vines, OS2, OSX or any other OS you might care to mention) it's about people, it's about experience and about not taking anything or anyone for granted.

To put this into perspective, a colleague and I once received an email from a particularly challenging group of users during an ongoing discussion which stated 'we are *** University Computer Scientists, we are the best sysadmins in the world'. Now while this may or may not be true, they do have a far better grasp of the underlying technologies than I have, or am ever likely to have (apart from anything else they don't have jobs and social lives to worry about :-) However, it didn't stop their front line servers from being compromised within a couple of days of making this statement.

The point is that security is about more than which OS you run or how deep your technical understanding is. You need to understand the overall risks, which is as much about social understanding as it is technical, you need to understand the infrastructure and context in which your systems run, which means looking beyond your own technical comfort zone, you need a good dollop of common sense, a bit of good luck and plenty of experience.

If you maintain an understanding of the changing nature of the threats, keep on top of your system administration and act proactively against each potential threat as it surfaces you'll probably, remember nothing is certain, remain secure.

I have been an IT professional for twenty years now and I've been a Netware and Windows admin throughout that time, occasionally with some reasonably high profile clients, and fortunately I have never had a system compromised. That doesn't mean it won't happen tomorrow or the day after, but the fact that I acknowledge it may happen at any time and that neither myself or the technologies and products I choose are perfect is probably the most significant factor in it not having happened yet.

P.S. please accept my apologies for the calm and rational nature of my response, this is my first post on Slashdot and I'm not quite up to speed yet :-)

Point to the objective data. (2, Informative)

Dr. Manhattan (29720) | more than 7 years ago | (#17070188)

Open-source software, particularly the big, high-profile projects, tends to be better-written than the closed-source alternatives. There are objective tests [wisc.edu] that illustrate this [com.com] , over [informationweek.com] and over [gcn.com] .

You can also point out that, when bugs are found, they tend to be fixed very rapidly, frequently within hours of their discovery. Since the source code is available to everyone, anyone affected can create an update to fix the problem. This happens exceedingly rarely [com.com] in the closed-source world, despite the large numbers of bugs encountered.

Hear me out..... (1)

madhatter256 (443326) | more than 7 years ago | (#17070190)

MS still has a high market share. That means that 9 out of 10 companies are using MS. Each of those companies have money. They have data that can be used against them to generate profit for their competitors or some other party.

No matter what OS you use, you will have security issues. Just because Open Source has its code open to the public does not make it secure! All it takes is a smart individual to create a piece of code that looks very legit among the OSS community but in actuality that code's purpose is malicious. It will be very hard to track something like that if it is embedded in the kernel. You just don't know. The same goes for proprietary (not closed source, geez, use the right terminology). Just because the code is hidden does not make it secure. Having a proprietary software owned by one company is, in fact, better from a business standpoint. Think about it: if X-software conglomerate who develops a proprietary OS was actually inserting malicious code to exploit their clients' data, that single company is held liable for that crime and punished for it. However, if you have a piece of software developed by anonymous people located throughout the world and one of them inserted a piece of code with the intent to exploit sensitive data, it is much harder to hold that person accountable because there is no paper trail. It will be difficult for the victim to recuperate some of their lost revenue due to the intended exploit. Basically, no one can be held accountable. The criminal is more likely to get away with it.

As more companies switch over to Open Source for security reasons, they will soon start to see same attacks or exploits they've encountered under proprietary software.

You aren't dealing with intellectual giants here (1)

clambake (37702) | more than 7 years ago | (#17070402)

"Lately there has been a HUGE push by Certified Microsoft Professionals and their companies to call clients and warn them of the dangers of open source. This week I received calls from 4 different customers that they were warned that they are dangerously insecure because they run Open Source Operating systems or Software because 'anyone can read the code and hack you with ease' they are being told."

Look, these people can clearly be influenced by the words from complete strangers with no proof or justification. They are NOT the kind of people you need to spend a lot of time convincing of ANYTHING. All you need to do is come up with something impressive sounding and your problem is solved. You can just tell them that they are going to be fine because they are running "bash shells", which will keep hackers locked down in little software eggs while they get beaten by waves of scripting code. No human is fast enough to hack that, it's a physical impossibility.

Off to a poor start. (0, Redundant)

DerekLyons (302214) | more than 7 years ago | (#17070936)

From TFQ[uestion]:
 
I have several customers that now want more than my word about the security of the systems that have worked for them flawlessly for over 5-6 years now with minimal expense outside of upgrades and patching for security.

It's a damn good thing I'm not one of your customers - because if I saw this, I'd drop you like a hot rock and go find an honest vendor. You've been pushing the religion of OSS - without any facts to back you up. When asked for facts... You have to go the lame route of asking Slashdot rather than having them at your fingertips!
 
Folks, you want to know why OSS is having such a hard time gaining market and mindshare? The OP is a prime exhibit of the reason - too many zealots who confuse philosophy with business.

Re:Off to a poor start. (1)

NullProg (70833) | more than 7 years ago | (#17076478)

Folks, you want to know why OSS is having such a hard time gaining market and mindshare? The OP is a prime exhibit of the reason - too many zealots who confuse philosophy with business.

IMHO you're being a bit unfair. Have you ever seen Microsoft's sales force in action? They are just as much zealots (if you're an MS sales force rep, I apologize, but you are a zealot).

OSS has market share in Apache right now. OSS has market share (or double digit growth, gaining market share) in Linux servers and embedded Linux products right now. Linux owns the cluster space, where is the Microsoft costly solution?

My company shipped 2000+ embedded Linux boxes this year. We're looking at 5000+ boxes next year. We're not OSS zealots; our server products are currently only Windows. We have a business case for using embedded Linux and OSS: cost, security, ease of use (our own Linux configuration UI), and support.

Mind share is in the eye of the IT director saving the budget. He/She knows that accountants mark IT down as a necessary cost center, not revenue. A savings of thousands or tens of thousands dollars to the company means a bonus for the IT director regardless of how many free dinners the Microsoft Sales Rep takes them to.

You're absolutely correct about the parent poster not having a business case for his deploying of OSS solutions. But don't be cruel. I don't think Bill Gates had a business case for BASIC (authored by someone else) on the Altair either :)

Enjoy,

HONEST vendor?? (1)

cheros (223479) | more than 7 years ago | (#17079648)

I like that one, mod +100 for humour.

I've told this before, but let me tell you this again - you ought to get yourself invited to a seminar where MS is flogging its wares to a high value buyer, say, Government. Go there because you can see your tax money being wasted right in front of your eyes.

A couple of characteristics:

(1) The person or group they're presenting to rarely has an ability to understand or question the "facts" presented. Classic golf course sales setup.

(2) The "facts" need careful examination. Rule 1 of any facts stated in a presentation is that you have to determine their origin - and check if that's really what was said. In the presentations I've seen (a good many) origin is rarely specified. Furthermore I've seen plenty of 'creative' interpretation of hard facts - again, they get away with it because the front row seaters don't have the ability to separate BS from fact.

(3) In case you were wondering about protests from the audience about the facts or 'hard questions' - take note of the ratio of outsiders vs MS staff. It's usually close to 1:1. If you ask a painful question or one that makes it appear you can puncture the gloss, you will immediately get engaged in quiet discussion by the MS person sitting next to you, and you will find he'll stick to you like glue during the break when you risk getting near the sales target (who will be surrounded by a thick circle of smiling MS execs to prevent you or any journos getting near). Or, in short - you're stage managed the moment you open your mouth.

(4) Somehow the solution to the buyer's problem is always straight there in the MS product set. No talk about integration, custom code to write, none of that. Just sign the contract for a huge volume and it'll all magically work.

This doesn't mean the people presenting don't know their stuff, but the sales tactics leave you wondering why the company needs them if it's really that good...

Honest? Cough ..

Re:HONEST vendor?? (1)

DerekLyons (302214) | more than 7 years ago | (#17080726)

I love it - you are about the 3rd person to excuse the dishonesty of the OP by explaining how dishonest Microsoft is. Yet more proof of why OSS is getting such a bad rep - too often their recourse is to name calling and finger pointing.

Not quite ... (0)

Anonymous Coward | more than 7 years ago | (#17090002)

I just pointed out how "honest" MS is - I have been working with their products since DoubleDOS proved that you could multitask (time slice) on an 8088...

I have also worked with FOSS since Slackware came on floppies, and boy oh boy was that full of holes.

However - THAT has changed. What hasn't changed since, um, roughly W98 is that you need a daily dose of anti-virus and anti-trojan updates just to surf the Net, coupled with huge patches from MS itself. The volume is so much that Securityfocus at some point reported that users with standard modems simply couldn't keep up anymore.

Now, the OS patches come in FOSS as well (I see the icon in Ubuntu come up frequently, and a couple of servers I have report on their patches from SuSE too), but the anti-virus thing I've never had a problem with - despite that code being 'open'. That also happens to be the case for the most used web server, Apache.

A friend of mine had her Windows laptop crash (W2K). I had nothing spare but a laptop with SuSE 9.3, I think. It took her + kids about 2 weeks to get used to it. I pumped her backed-up Outlook mail to an IMAP server, then took it into Thunderbird and restored her office files. It worked. It was free. It was safe - her Windows box was infested, but after a full year as a stock-standard, non-computer-literate end user she still has yet to get a single problem. It boots, it works. Simple. But, of course, you wouldn't call that safer, I assume?

I'm all for fighting myths with reality (I'm presently looking at the whole TCO story and that's not 100% straight in Linux either), but that means looking at reality, not FUD.

I don't need some research to tell me that FOSS is safer. Millions of systems, Google, virtually every ADSL router, quite a few of our office systems now, all of them run Linux. I can tell where I spend more time fixing problems. It isn't with Linux.

And that's because of its FOSS background - security through obscurity just doesn't work.

Protect them, by all means! (1)

AmigaBen (629594) | more than 7 years ago | (#17071618)

I know this is simply a sales tactic by these companies that will remain nameless, but how do I fix the damage caused by these sales tactics?

Oh wow.. Thank GOODNESS you're protecting these poor companies using these lying tactics. I'd hate for their business to be negatively impacted as a result of them.

Peoplesaywhat? (3, Interesting)

HomelessInLaJolla (1026842) | more than 7 years ago | (#17072300)

> because 'anyone can read the code and hack you with ease' they are being told

Hm. In the open source arena, if someone is reading your code, they've obtained it legally. Most people who read OSS code do so to improve the code--not specifically for the purpose of creating a full-fledged exploit with it.

In the Windows world, if someone is reading your code then they are either: 1. an employee of Microsoft or 2. someone who stole the code. In the first case they're ethically barred (not supposed to. *ahem*) from using their corporate knowledge to hack you. In the second case they've already established themselves as a criminal.

Which situation makes you feel more comfortable about knowing that other people can read your code? I choose OSS.

FUD-less defense. (0)

Anonymous Coward | more than 7 years ago | (#17076872)

"Lately there has been a HUGE push by Certified Microsoft Professionals and their companies to call clients and warn them of the dangers of open source."

The best defense is to attack the credibility and motives of the speaker. Why would someone who has numerous Microsoft certifications do something that is good for Microsoft? Maybe because they want to work? Remember that this is usually the best defense when speaking to someone who is ignorant.

Then speak in "buzzwords": mention that Google claims that they couldn't have accomplished what they have without Linux, that IBM is promoting it, that Apple uses it at the core of its very popular and critically acclaimed OS X, that almost all of the most powerful computers in the world use it, etc.

Next, state that Unix has had a tradition of stability and security since the early 70s. That Unix source code has always been available. And that the reason it doesn't matter is because, unlike Windows, it is designed with security in mind. Explain what it takes for a Unix system (use OS X as an example) to get spyware from surfing the web. Have you ever got spyware using Linux/*BSD?

Finally, finish off with a personal story.

Some people are just stubborn idiots and will only listen to what they want to hear, but if that's the kind of client that they are then they better be paying well.

Slander? (1)

Spudley (171066) | more than 7 years ago | (#17079398)

So let me get this straight: Your competitors are making unfounded claims about the quality of the products you provide, in order to gain a competitive advantage against you?

I believe there are laws against that sort of thing.

the bad guys don't need the source (1)

Walter Carver (973233) | more than 7 years ago | (#17079894)

from http://www.opensource.org/advocacy/faq.php [opensource.org]

Q: Doesn't closed source help protect against crack attacks?

A: This is exactly backwards, as any cryptographer will tell you. Security through obscurity just does not work.

The reason it doesn't work is that security-breakers are a lot more motivated and persistent than good guys (who have lots of other things to worry about). The bad guys will find the holes whether source is open or closed (for a perfect recent example of this see "The Tao of Windows Buffer Overflow" [1]).

Closed sources do three bad things. One: they create a false sense of security. Two: they mean that the good guys will not find holes and fix them. Three: they make it harder to distribute trustworthy fixes when a hole is revealed.

In fact, open-source operating systems and applications are generally much more security-safe than their closed-source counterparts. When the "Ping o' Death" exploit was revealed in 1997 (for example) Linux had fix patches within hours. Closed-source OSs didn't plug the hole for months.

Alan Cox has written an excellent article on "The Risks of Closed Source Computing" [2].

[1] http://www.cultdeadcow.com/cDc_files/cDc-351/ [cultdeadcow.com]
[2] http://www.ibiblio.org/oswg/oswg-nightly/oswg/en_US.ISO_8859-1/articles/alan-cox/risks/risks-closed-source/risks.html [ibiblio.org]

How about some 360 degrees FUDback (1)

MrMr (219533) | more than 7 years ago | (#17128036)

I expect that pointing out that they are taking advice from Microsoft, which is a repeatedly convicted international offender, may be a better way to get through to the average PHB than any factual security claim.