> From: Javier, Jonathan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 12:33 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [PH-TechHeads] Open Source and Vulnerability
>
>
> Good timing on this inquiry. I just had a very animated conversation with
> my regional IS director about the future of Linux. There is a good article
> about this in Newsweek, I can share a copy if you like. Firstly, Open
> Source is the IS security auditor's worst nightmare.
This is an unqualified statement, something based on subjective bias. A security strategy using principles of "security through obscurity" is precisely what happened to Microsoft and all its products, with all the innumerable bugs and fatal flaws. Peer review is necessary for reviewing all security programs and protocols to be sure that unplugged vulnerabilities are discovered and patched appropriately. Read and learn.

http://aaxnet.com/editor/edit029.html#dotnet

----------------------------------------------------------------------------------------------
FUD (Fear, Uncertainty, Doubt) is Microsoft's second line of defense. A large number of articles are now appearing in news and magazines purporting to show that all environments have about the same level of vulnerability (X27), or that Linux has more bugs than Windows. They are typically by "Writers for Hire" (X26), and are simple rewordings of the Microsoft line.

Aberdeen, a market research firm that numbers Microsoft among its important clients, published a "report" with a catchy title claiming that Linux has more security flaws than Windows (X49). CERT, the prestigious security clearing house upon whose numbers the "report" was based, immediately declared Aberdeen's interpretation meaningless and invalid, but this has not stopped the Aberdeen "report" from being widely quoted in magazines and newsletters that should know better.

In January 2002, Bill Gates issued his famous internal memo (obviously designed to be leaked) proclaiming security as Microsoft's number one development concern from that point forward. He also copyrighted the title "Trustworthy Computing" to symbolize Microsoft's new mandate. Microsoft also created a new vulnerability category, "Important", so they wouldn't have to release so many "Critical" warnings. Since then, public pressure has forced them to bump several "Important" warnings up to "Critical", and we're still getting a "Critical" about every two weeks. (X24, X29).
When a security problem is found Microsoft generally does nothing until it becomes a PR (public relations) problem (X21). Then a patch is issued, which may work, but may cause problems (X25, X56). If it isn't easily fixed, or the fix would violate Microsoft's marketing plans, they just deny the problem (X7, X3, X4, X13). Meanwhile, security patches continue to roll out in an incessant stream, (X5, X8, X11, X12, X13, X14, X15, X18, X19, X22, X29, X31, X32, X43, X54, X55), and many, many more, but you get the picture. Despite boasting of spending over $100 million reviewing code, very few of the problems (1 out of the first 15 in 2002) have been discovered by Microsoft.

That security patches have been issued is irrelevant anyway. Microsoft has told everyone that Windows doesn't require skilled administrators, so few businesses have them, and security patches don't get applied. The Code Red and Nimda server worms came out long after the patches, but a year later servers all over the world still transmit these infections. When informed of an infection, owners of these servers become very angry at the messenger, but do nothing to fix the problem. Most have no idea how.

Companies that do have skilled administrators are often reluctant to install patches, because they often break something else, or make the system unstable or nonfunctional (X53). Sometimes they simply don't fix the problem anyway. Sometimes they are used by Microsoft to force new license terms customers don't want, as with Windows 2000 SP3, and to install new features that may disrupt operation.
----------------------------------------------------------------------------------------------

Learning about open source from a Newsweek article then taking it at face value only exposes his unfamiliarity with free/open source software.
If he really wants to learn what technology trends will affect his business and how he does business, then he better hop over to http://aaxnet.com/editor/edit029.html#dotnet

The article discusses free/open source software more closely and indicates how Microsoft has become more decadent as the free/open source software phenomenon threatens to crumble their kingdom.

> I also share your issues/concerns about security and putting some level of
> control -- without neglecting the fact that Open Source is "free" and offers
> much flexibility. There will be no silver bullet solution into this .....
> it will be a cocktail of solutions to address varying concerns/issues. I
> guess the first question you have to ask is, "What systems are mission
> critical to your core business?" By knowing this, you will be able to plan
> your approach and determine if you are willing to embrace Open Source or
> apply computing environment standards/controls. Mission critical systems
> must still be secured, controlled, and exclusive.

Open source programs preach no silver bullet solution for security. Linux administrators know that security will never be a simple point-and-click gesture that Microsoft tends to imagine with Windows. Deploying open source programs doesn't mean you're suddenly vulnerable because anyone can inspect the code and plan exploits around it. Rather, open source programs are more secure because anyone can inspect the code and patch up vulnerabilities quickly.

> Personally, Linux/Open Source will give me short-term benefits but I will
> not put my future (or the future of the business) into something that is
> very vulnerable. Linux/Open Source will always be the "Wild West" of
> business computing and it will stay that way. That's why, I think
> Linux/Open Source will rule the Internet world but will struggle in
> providing core business solutions.

Short term benefits? What long-term benefits do you get from Microsoft? Long-term taxation and extortion.
Something very vulnerable? It's a subjective perception borne out of unfamiliarity with free/open source software. Computing history will rather attest with strong, actual data that open-source is more secure. Read again:

----------------------------------------------------------------------------------------------
Security

Security problems will continue to dog Microsoft at an accelerating rate. Security is high profile since 9/11, and it's one of Microsoft's most serious weaknesses. Worm, virus and trojan invasions, Web page defacement, credit card theft, data theft, espionage and destruction are major features of Windows systems, costing business tens of billions of dollars per year worldwide, which could easily become hundreds of billions. The vulnerability issue has now become such a serious public relations problem (even long time ally Gartner Group has recommended dumping Microsoft's Web software (X34)). Security issues now threaten Microsoft's expansion into the enterprise datacenter and encourage customers to look seriously at alternatives.

Microsoft claims attacks predominantly focus on Windows because Windows is so popular, but it is even more because Windows is a uniquely soft target. While no system is entirely secure, most at least take some skill to penetrate. Windows provides easy success for neophyte crackers and entertainment for thousands of unskilled "script kiddies". But don't take it from me, here's what Microsoft says.

"... Our products just aren't engineered for security." (X0) - Brian Valentine - Microsoft senior vice president for Windows development.

Another Microsoft executive recently explained they never paid attention to security "Because customers wouldn't pay for it until recently" (X23). In other words, customers wouldn't pay extra for something they expected as part of the product.
Windows XP, advertised as "The Most Secure Windows Ever" needed a major security patch within weeks, for a feature (Universal Plug and Play) for which there is still no use, but which fits into Microsoft's marketing plans. Now Windows XP's password security has been found totally useless, easily bypassed by even normal users (X58).

The skill level needed to write a successful Windows worm or virus is absurdly low. The famous Love Bug (estimated $8 Billion in damage and eradication costs) was launched by people with only a few weeks of computer training. Even commercial products take advantage of Windows' weaknesses. Anyone can install a keyboard logger on someone else's Windows PC and have it email all the activity on that computer to the perpetrator's mailbox (X10, X9).

Now that Microsoft's customers are desperate enough to pay extra, Microsoft has opened a new Microsoft Security Business Unit, and is exploring ways to charge customers to overcome the design failings of Microsoft products. This will allow Microsoft to establish "tight integration" between the vulnerabilities of core products and extra cost add-on products to counter those vulnerabilities. Sweet deal, huh?
------------------------------------------------------------------------------------------------

> If your core business is about providing services to the rest of the world,
> then you have to seriously consider the Linux/Open Source strategy.
> However, you still have to consider building a secured and controlled
> community. In the case of AstraZeneca, our future is always about
> discovering new drugs and introducing them to the market in the shortest
> possible time. Our R&D infrastructure is like Alcatraz located in the
> North Pole. Introducing Open Source to them is like walking to a
> competitor and giving them the chemical composition of our key products.
Now this becomes more confusing than ever, based on the false precept that deploying open-source software will render your computing infrastructure open to the world of crackers (Not hackers. Hackers are socially responsible.) Microsoft products have become magnets for crackers because concealing their source code also conceals their vulnerabilities. And Microsoft is too lazy to fix these vulnerabilities unless these problems become public relations disasters to them.

The reverse is true with open source. When source code is available for review by millions of programmers around the world, vulnerabilities are easily seen and fixed faster. In this case, the software is strengthened and becomes more robust. Software is only as strong as its weakest link. Open source strengthens the weakest link a whole lot better than closed source.

Let's take another analogy. Ampalaya is a remedy for diabetes. And it's a free/open-source remedy. I can grow it in my backyard, buy it from the market, yet there are plenty of nutritional companies making profits from ampalaya (ABS B*tt*r H*rb*, Ch*r*nt*y*, etc...). Any capable chemical and testing laboratory can inspect the chemical composition of ampalaya, make independent tests on it, and ensure that it's safe.

<rant>
Take phenylpropanolamine (PPA). Isn't this harmful? Yet pharmaceutical arm-twisters managed to sneak it to the unsuspecting public for immediate big bucks at the expense of our safety. Introduce drugs at the shortest time possible so that they can make money immediately while we die sooner? Who knows how safe the bizarre chemicals are that the Alcatraz lab in the North Pole puts into my tablet and then labels as safe? Good thing there's open-source hawthorn, for example. It's more natural.
Plus, I don't get to pour money into medical representatives' obscene sales commissions, or tons of promotional items which have nothing to do with curing my disease (like those pesky plastic freebies and other unnecessary items a med rep frequently hawks).
</rant>

By the way, scientific discoveries are independently peer reviewed and published in reputable scientific journals. Free/open source software is another form of facilitating peer review in software technology.

> Linux is the latest craze since Netscape and Dot Coms ..... but the two
> biggest industry movers -- Microsoft and Intel -- will find a way to deal
> with this challenge.

Linux's a bubble craze? Hence the comparison to Netscape and Dot Coms? Intel dealing with this challenge? Then why do other companies run Linux on 4-processor Intel platforms? Doesn't Intel win when Linux can be used on their fire-breathing iron?

From the article:
------------------------------------------------------------------------
With business management moving to Web Services and Web based applications, the strength of open source Web applications is very worrisome for Microsoft. For instance, both FedEx Freight (C25) and Union Pacific Railroad (C24) have placed their customer interface and traffic management systems on Linux and/or Apache. Neither FedEx Freight nor Union Pacific Railroad are exactly "Mom & Pop" operations. FedEx Freight moved from Windows NT to Linux / Apache, and intends to dump another 40 or 50 Windows servers, consolidating their functions onto a single 4-processor Intel server running Linux. Union Pacific has a mostly Unix network, and refers to their remaining Windows / IIS applications as "legacy applications".

So powerful is the Linux freight train, even mainline business magazines are getting on board. Business Week (A8 - articles listed to the left of the cover picture) has just published a 9 article cover feature on Linux.
------------------------------------------------------------------------

> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 11:14 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [PH-TechHeads] Open Source and Vulnerability
>
> I would like to solicit comments and feedback on a hypothesis that I'm
> looking into.
>
> Open Source computing increases security vulnerability due to the way the
> community actually understands limitations and flaws of the system. As
> such, vulnerability exploits have a greater probability of happening. At
> the same time, due to the "underground" nature of open source
> contributions, we are unable to police its ranks -- plenty of opportunities
> for lurkers with bad intentions to come in.

From the article:
--------------------------------------------------------------------------------------------------
Microsoft claimed open source software is a security risk because the source code is available. Microsoft has argued in court that exposing Windows source code would compromise national security, but they have now agreed to provide that source code to the government of Russia and China (X62). Both are not only considered hostile powers by the U.S. government, but are point of origin for many viruses and cyber attacks.
----------------------------------------------------------------------------------------------------

Yikes! To think that Bill Gates and Co. were under oath when declaring that it will compromise national security. Won't the Department of Justice arrest them for perjury?

> This is similar to the current Microsoft situation but in a slightly
> different manner. Microsoft's vulnerability is its popularity. As such,
> there are more people who are trained to actually use and develop products
> on their platforms. Thus, you have an army of hackers and crackers just
> waiting on the sidelines to push the envelope.
>
> What's the difference though in protection strategies?
> For Open Source, we
> are dependent on the Open Source community at large to try and police or
> create defensive products to help block off attacks. Unfortunately, this
> is not a concerted effort due to the non-remuneration model of Open Source.
>
> In Microsoft and other branded Unix environments, there is a whole slew of
> companies whose primary purpose is to create products to defend against
> attacks.
>
> Open Source has become popular due to the "free" nature of the beast. It
> will catch on further as companies begin to understand how to further
> exploit it. But, its popularity will also mean its downfall unless we come
> up with adequate means of protecting the platform.
>
> As a CIO, I'm hesitant in plunging head on into a full Linux strategy for
> industrial-strength and enterprise-class applications and deployment. Cost
> benefits aside, I'm worried about support issues and vulnerabilities. Yet,
> I cannot ignore what's happening and need to formulate a strategy for
> possible Linux acceptance.
>
> Given this scenario, I would appreciate any comments, suggestions and
> thoughts on what you feel about the above. Am I right, did I miss
> something or is there a silver bullet out there that can help us make
> better decision on this.
>
> Many thanks.
>
> Regards,
>
>
> Johnny C. Sy
> VP - Information Technology
> ABS-CBN Broadcasting Corporation/
> The Communications Group

Hello Johnny! These links can help you make better decisions.

http://aaxnet.com/editor/edit029.html#dotnet
http://catb.org/~esr/writings/cathedral-bazaar/
http://www.opensource.org/
http://www.cnn.com/2003/TECH/ptech/03/12/fortune.ff.open.source/index.html

Sample:
-------------------------------------------------------------------------------------------------
The basic idea behind open source is very simple: When programmers can read, redistribute, and modify the source code for a piece of software, the software evolves. People improve it, people adapt it, people fix bugs.
And this can happen at a speed that, if one is used to the slow pace of conventional software development, seems astonishing.

We in the open source community have learned that this rapid evolutionary process produces better software than the traditional closed model, in which only a very few programmers can see the source and everybody else must blindly use an opaque block of bits.

Open Source Initiative exists to make this case to the commercial world.

Open source software is an idea whose time has finally come. For twenty years it has been building momentum in the technical cultures that built the Internet and the World Wide Web. Now it's breaking out into the commercial world, and that's changing all the rules. Are you ready?
-----------------------------------------------------------------------------------------------

Sincerely,
Michael Peligro

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
