Open Source Software in the workplace
SmokeyDP
07-01-2005, 07:20 AM
We needed to order some FTP software and I wanted to use FileZilla to FTP HTML files and some other random utility that was open source. Both my bosses (one of them is high up in IT) say they will not allow it here. When I asked why, the reason was that "if the software messes production up we have no one to hold liable."
I'm just curious if this is a common belief among some of the IT people. My thought was even if we paid for WS_FTP and it 'messed up production' we couldn't really hold them liable either.
chadlnc
07-01-2005, 07:27 AM
Sounds like someone is just determined to spend their budget money. We all use FileZilla in our office, not sure exactly what he thinks it is going to mess up.
Cubsfan
07-01-2005, 07:40 AM
We use a lot of it. You're right, it's not like WS_FTP is going to say "oh, we erased that important file? Sorry! Here's some cash!"
Sounds more like ignorance to me.
Jeffbx
07-01-2005, 09:41 AM
Well, it's kind of a slippery issue. Open source & shareware are 'unknown' software to IT management. Meaning that if they rely on a software package to perform a critical business function, they want to know who to blame in case it fails.
For commercial software, it's easy - blame the manufacturer, make them fix it or replace it with something else.
For open source or shareware - no manufacturer to blame. OK, who decided to use it? The IT manager approved it, that was a bad decision. If it was a high profile screw up, the manager who OK'd it takes the fall.
They're not looking for someone to repair the damage, they're just looking for who caused the screw up, so they can avoid making the same mistake again.
zero2dash
07-02-2005, 01:39 AM
I think a lot of people equate "open source" with "buggy/doesn't work/crashes the computer" etc. Which is a shame because in many cases, open source software is better developed (and more secure/reliable) than big business software (Firefox vs IE).
TruckStuff
07-02-2005, 07:43 AM
I've found that much of this type of attitude in the workplace comes from people who have never used open-source software (OSS). All of our servers run OSS: linux servers running Apache, MySQL, PHP, Snort, etc. I have only once encountered an issue that I couldn't find a solution for in <10 minutes on Google, and it turned out to be a bug in PHP that was patched 2 days later.
The head of our graphics division is an Apple guy and doesn't really understand OSS. He's asked me repeatedly why I use it and I tell him the usual: greater control, freedom to change, faster response to security issues, etc. His position is that 1) vendors make security easier because they package it (even if it takes them 3-7 days longer to respond to a threat) and 2) that OSS developers can't possibly be as good as CSS developers because they get paid to develop the software. I've tried to explain to him that a lot of those same developers work on OSS projects, but he doesn't get it. :rolleyes:
Jeffbx
07-11-2005, 01:18 PM
Originally posted by zero2dash: I think a lot of people equate "open source" with "buggy/doesn't work/crashes the computer" etc. Which is a shame because in many cases, open source software is better developed (and more secure/reliable) than big business software (Firefox vs IE).
I was just reading the latest NetworkWorld, and it had some very interesting articles on open source in the corporation. Interesting points:
Open source vs. Windows security
Research firm Security Innovation evaluated both and found:
Windows 2003, IIS 6.0, SQL Server 2000, and ASP.NET:
Vulnerabilities needing patches, 2004: 52
Average “days of risk” before patch: 31.3
Red Hat Linux 3.0, Apache Web server, MySQL and PHP:
Vulnerabilities needing patches, 2004: 174
Average “days of risk” before patch: 71.4
Source, plus a very good read:
Open Source vs. Windows Security (http://www.networkworld.com/supp/2005/opensource/070405-open-source-security.html)
Also, list of the major reasons that open source hasn't taken off in the corporate world yet:
An open letter to the open source community (http://www.networkworld.com/supp/2005/opensource/070405-what-users-want.html)
Kevster
07-11-2005, 02:56 PM
I try to use OSS products where I can in order to save money on our annual budget. I have software like FileZilla deployed in our engineering group and engineering testbeds. As it says in the NetworkWorld article, CSS and OSS are different 'religions' and many people in IT have misconceptions about open source as being inferior.
You should remember that the study those security numbers came from was paid for by Microsoft. I don't want to start a huge ranting debate about that, but it is not a true 'independent' study and I can't hold those numbers to be ethically fair.
Jeffbx
07-12-2005, 04:47 AM
Originally posted by Kevster: You should remember that the study those security numbers came from was paid for by Microsoft. I don't want to start a huge ranting debate about that, but it is not a true 'independent' study and I can't hold those numbers to be ethically fair.
That's absolutely true - although the study was done by an independent firm, MS paid for it, so take it with a grain of salt. However, the results are pretty much the same that other *totally* independent studies have found... MS is actually very secure compared to the competition.
http://www.gotapex.com/forums/showthread.php?t=84754
http://www.gotapex.com/forums/showthread.php?t=86677
TruckStuff
07-12-2005, 07:19 AM
Originally posted by Jeffbx: MS is actually very secure compared to the competition.
But you have to compare apples to apples. Microsoft advertises something like 200 active products that are supported by their security team. If you look at a Linux distribution, their security teams support every single package that is packaged for that OS. For an average Slack distro, that means that something like 3000 packages are supported by their security folks. So part of it is a matter of sheer volume of code that is supported. (Forgive me, I'm too lazy to look up the exact numbers right now.)
Also, when comparing overall security of a platform, one must consider the ease and nature of a particular exploit. The fact that all Windows users default to admin rights makes it *much* easier for anyone to exploit a particular hole that is found. Generally speaking, exploiting a Windows hole remotely is much easier than exploiting a *nix hole remotely. For goodness sake, because of the f-ing stupid design of XP, if a hole is found in IE, the entire OS is compromised.
And just for good measure, check out this article: http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci1102680,00.html
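The "days of risk" figures quoted earlier in the thread and the apples-to-apples objection above both come down to how the metric is computed: what counts as the clock start, what happens to advisories that are still unpatched, and what the denominator is. The following is an added illustration, not code from the thread, from NetworkWorld, or from either study, that works the metric through on constructed advisory records. The vendor names, dates and the `Advisory` type are assumptions; the only figures taken from the thread are the rough product counts (about 200 vs. about 3000 packages) and the 2004 vulnerability counts (52 and 174).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Advisory:
    """One published vulnerability advisory (assumed record layout)."""
    product: str
    disclosed: date
    patched: Optional[date]  # None means no fix was available as of the report date
    remote: bool             # advisory rates the hole as remotely exploitable


# Constructed sample data, not real Secunia or Security Innovation figures.
SAMPLE: List[Advisory] = [
    Advisory("vendor-a", date(2004, 1, 10), date(2004, 2, 10), remote=True),
    Advisory("vendor-a", date(2004, 3, 1), date(2004, 3, 31), remote=False),
    Advisory("vendor-a", date(2004, 5, 5), date(2004, 6, 7), remote=True),
    Advisory("vendor-b", date(2004, 1, 1), date(2004, 2, 1), remote=True),
    Advisory("vendor-b", date(2004, 2, 1), None, remote=True),  # still unpatched
    Advisory("vendor-b", date(2004, 4, 1), date(2004, 4, 11), remote=False),
    Advisory("vendor-b", date(2004, 6, 1), date(2004, 7, 1), remote=True),
]

# Date the report is "as of"; open advisories accrue risk up to this day.
AS_OF = date(2004, 12, 31)


def for_product(advisories: List[Advisory], product: str) -> List[Advisory]:
    """Select the advisories that belong to one product."""
    return [a for a in advisories if a.product == product]


def days_of_risk(advisories: List[Advisory], as_of: date,
                 include_unpatched: bool = True) -> Optional[float]:
    """Average days from public disclosure to available patch.

    An advisory with no patch has no end date. Counting it up to `as_of`
    keeps an unfixed hole from silently lowering the average; dropping it
    (include_unpatched=False) is how a vendor-friendly report might present
    the same data. Returns None when there is nothing to average.
    """
    windows = []
    for a in advisories:
        if a.patched is not None:
            windows.append((a.patched - a.disclosed).days)
        elif include_unpatched:
            windows.append((as_of - a.disclosed).days)
    if not windows:
        return None
    return sum(windows) / len(windows)


def unpatched_fraction(advisories: List[Advisory]) -> float:
    """Share of advisories with no fix available (the '% unpatched' figure)."""
    if not advisories:
        return 0.0
    return sum(1 for a in advisories if a.patched is None) / len(advisories)


def remote_fraction(advisories: List[Advisory]) -> float:
    """Share of advisories rated remotely exploitable."""
    if not advisories:
        return 0.0
    return sum(1 for a in advisories if a.remote) / len(advisories)


def per_package_rate(vuln_count: int, package_count: int) -> float:
    """Vulnerabilities per supported package: the apples-to-apples
    normalisation. A distro that supports 3000 packages is not directly
    comparable to a vendor that supports 200 products on raw counts alone."""
    if package_count <= 0:
        raise ValueError("package_count must be positive")
    return vuln_count / package_count


if __name__ == "__main__":
    for vendor in ("vendor-a", "vendor-b"):
        rows = for_product(SAMPLE, vendor)
        print(vendor,
              "days of risk (unpatched counted):", days_of_risk(rows, AS_OF),
              "| unpatched excluded:", days_of_risk(rows, AS_OF, False),
              "| unpatched:", unpatched_fraction(rows),
              "| remote:", remote_fraction(rows))
    # Thread's rough figures: 52 vulns over ~200 products vs 174 over ~3000 packages.
    print("per-product rate:", per_package_rate(52, 200), per_package_rate(174, 3000))
```

Running it shows how much the unpatched-advisory rule moves the number for vendor-b (one open advisory takes the average from roughly 24 days to over 100), and that on a per-package basis the larger raw count in the thread's figures corresponds to the lower rate. Neither result says which platform is safer; it only shows that the denominator and the treatment of open advisories have to be stated before the headline numbers mean anything.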
bbrian
07-12-2005, 09:12 AM
Originally posted by TruckStuff: Also, when comparing overall security of a platform, one must consider the ease and nature of a particular exploit. The fact that all Windows users default to admin rights makes it *much* easier for anyone to exploit a particular hole that is found.
In the average home I would agree with you, but the topic at hand is the enterprise, and if the company has administrators that are worth a dime nobody is actively logging in as an administrator. They should be using run-as options or have local administrator accounts that they temporarily use when admin rights are needed.
Originally posted by TruckStuff: Generally speaking, exploiting a Windows hole remotely is much easier than exploiting a *nix hole remotely.
This totally depends on the exploit. There have been tons of remotely exploitable holes found in various versions of Unix. A lot of the exploits for the Windows desktop are IE holes, which technically aren't remotely exploitable. They require a user to be browsing a site that exploits the hole. Most remotely exploitable holes in 95, 2000, and XP are stopped with basic firewalls or NAT, which every enterprise should be using.
Originally posted by TruckStuff: For goodness sake, because of the f-ing stupid design of XP, if a hole is found in IE, the entire OS is compromised.
Hopefully in an enterprise there are security measures set up so people aren't browsing 'questionable' sites that would be exploiting an IE hole in the first place. I'm not sure how this is a design flaw of XP either.. the browser runs in the security context of the user (just like Linux), so the browser is only able to do what the user is able to do, and if the user isn't an admin, not much real harm can be done.
As for the OSS issues.. I think what the bosses are getting at is if/when you have a production outage caused by an OSS product, who are you going to call? Yeah, you can go post in a message board and probably get a fix in a few days. We've found bugs in SQL Server 2000 and got emergency patches from MS in less than 24 hours. We've had the same type of response when dealing with Windows. When the stuff hits the fan and you have a critical production outage, MS can be very responsive.
As for the research of IIS against Apache.. IIS 6 has had very few security patches since it was released:
http://secunia.com/product/1438/
IIS6 had 3 advisories 2003-2005, none of which are unpatched, and none of them were considered more than a moderately critical vulnerability.
http://secunia.com/product/1438/
Apache2 had 22 advisories 2003-2005, with 9% unpatched, and 5% were highly critical.
http://secunia.com/product/73/
Apache 1.3 had 12 advisories 2003-2005, with 8% unpatched, and 8% highly critical.
http://secunia.com/product/1343/ (Redhat 9 info, notice that 63% of them are remote exploits)
http://secunia.com/product/22/ (XP Professional info, notice that 62% of them are remote exploits)
MS is improving.. RedHat ES 4 vs Windows 2003 Server Enterprise:
http://secunia.com/product/1174/ (Windows, 56 total, 63% remotely exploitable)
http://secunia.com/product/4668/ (Linux ES, 67 total, 88% remotely exploitable)
Jeffbx
07-12-2005, 10:11 AM
Stuff he said
:stupid:
Originally posted by TruckStuff: But you have to compare apples to apples. Microsoft advertises something like 200 active products that are supported by their security team. If you look at a Linux distribution, their security teams support every single package that is packaged for that OS. For an average Slack distro, that means that something like 3000 packages are supported by their security folks. So part of it is a matter of sheer volume of code that is supported.
No no - let's not focus on volume of code - that's irrelevant to the discussion. Let's also not focus on product A vs. product B. Everyone will have strong points and weak points, and my fingers will get tired pointing out the differences.
My point is that a Microsoft based solution in a large enterprise, supporting thousands & thousands of users, running critical apps, is a safe & secure system to use. Everyone likes to shout about how insecure it is, how this product or that product is better, how all MS products are buggy & slow, etc. My position is that Microsoft delivers a secure, stable product that is perfectly suited to run an enterprise network with thousands of nodes. Other products are also able to deliver this - open source & commercial.
However, when taking into consideration the overall stability, functionality, cost of ownership, usability, security, maintenance, etc - EVERYTHING needed to run an enterprise wide system, from desktop to back end - Microsoft is an easy choice.
Originally posted by TruckStuff: And just for good measure, check out this article: http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci1102680,00.html
That is a good article - esp. this part -
Irrespective of the operating system used, implementing inappropriate practices can potentially compromise your business continuity. Inadequate backups, poor password policies, shared user accounts and security projects that don't include multi-disciplinary teams and infrequent audits -- to name a few -- should be avoided wherever possible.
That's a very good point. As a matter of fact, if your network is configured correctly, your OS should never be the front line against security exploits. They should already be blocked at the firewall/IDS before they even get to the OS. I know this is not true in many cases, but the point is that there's a lot more to a secure system than the OS on the servers.