Somebody mailed me this from the ISSSP list. My reply at the bottom.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 12, 2003 11:14 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [PH-TechHeads] Open Source and Vulnerability

I would like to solicit comments and feedback on a hypothesis that I'm looking into.

Open Source computing increases security vulnerability due to the way the community actually understands the limitations and flaws of the system. As such, vulnerability exploits have a greater probability of happening. At the same time, due to the "underground" nature of open source contributions, we are unable to police its ranks -- plenty of opportunities for lurkers with bad intentions to come in.

This is similar to the current Microsoft situation but in a slightly different manner. Microsoft's vulnerability is its popularity. As such, there are more people who are trained to actually use and develop products on their platforms. Thus, you have an army of hackers and crackers just waiting on the sidelines to push the envelope.

What's the difference, though, in protection strategies? For Open Source, we are dependent on the Open Source community at large to try and police or create defensive products to help block off attacks. Unfortunately, this is not a concerted effort due to the non-remuneration model of Open Source. In Microsoft and other branded Unix environments, there is a whole slew of companies whose primary purpose is to create products to defend against attacks.

Open Source has become popular due to the "free" nature of the beast. It will catch on further as companies begin to understand how to further exploit it. But its popularity will also mean its downfall unless we come up with adequate means of protecting the platform.

As a CIO, I'm hesitant about plunging head on into a full Linux strategy for industrial-strength and enterprise-class applications and deployment. Cost benefits aside, I'm worried about support issues and vulnerabilities. Yet I cannot ignore what's happening and need to formulate a strategy for possible Linux acceptance.

Given this scenario, I would appreciate any comments, suggestions and thoughts on what you feel about the above. Am I right, did I miss something, or is there a silver bullet out there that can help us make a better decision on this?

Many thanks.

Regards,
Johnny C. Sy
VP - Information Technology
ABS-CBN Broadcasting Corporation / The Communications Group

----------------

Hi Johnny.

You are right in your assessment that since Open Source is freely available, there are hackers out there who do study the code and find ways and means to hack into the system. However, let me give you a choice. Would you rather have an operating system that you can open up, explore, and check the code to find out that there are no holes, or would you rather trust a system that is there but secretly sends away the contents of your computer hard drive over the internet?

With open source, the code is there for you to scrutinize and evaluate, if you want to. The developers of open source are not hiding anything, and in fact, when they release the code to the public, it allows more people to give right and well-informed feedback to the developers/programmers to improve the code even further. Therefore, open source generally translates to better, more secure, and more efficient software than proprietary ones.

I would tend to believe Microsoft's vulnerability is that it does not publish these vulnerabilities, because they may be viewed as a weakness in its products. They publish these vulnerabilities only when it's too late. Another problem with Microsoft is that the code is super secret, and few really get to test it. Hence, the problems don't really come out. With Open Source, a lot of people get into the picture, examine the code from top to bottom, inside out, and hence it would probably have fewer vulnerabilities or bugs.

I would agree that Linux support is not there yet, but there are a lot of new companies springing out of the woodwork that will support Linux in cases of problems. IBM, Dell and HP have all embraced Linux (but between you and me I don't think their Linux capabilities are there yet -- peace Dominic!)... Even Informix, DB2 and Oracle have versions of their DBMS on Linux. Furthermore, there are Linux distributions that are being sold by companies like Red Hat, and part of their cost goes into the support.

I've been using Linux for the past 10 years and very seldom have I needed support. (On the other hand, come to think of it, I also have an NT server here and never did I call Microsoft for support... hmmm...) Anyway, if you need a quick answer to the most difficult problem, there is PLUG (Philippine Linux Users' Group) that's more than willing to lend a helping hand. (I said difficult because if it's easy, you should read the docs first, aka RTFM.) The problem you have might have already been discussed or experienced by others, therefore searching the archive would yield wonderful results. If it's not there, an army of Linux experts and users would chip in and help -- try the mailing list. If you buy the Red Hat package, for instance, you can call their tech support (I remember there is a local distributor for that now -- Touch Solutions?..)... or even via the web. Even SCO has its own flavor of SCO Linux.

Vulnerabilities of Linux - I agree there are some, but most of them are just like locking the door to your house - you need to make a conscious effort to lock your system down instead of leaving doors open. Most vulnerabilities are widely publicized and patches are made available in a matter of days if not hours. Talk about free support. Proprietary systems, on the other hand, take months before patches become available.

Before you go enterprise-wide on your open source, I suggest trying the waters first. Ask people who have made the plunge. Dip your toes into the water before you jump in. Then you can make an informed decision.

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
