Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Experts' Back To Claiming Open Source Insecure

Posted by Hemos on from the we've-handled-this-already dept.

jacobito was the first of the folks who sent us a report running in Silicon.com regarding security and open source products. It's the typical claims - that open source is insecure because it is open source. They've also provided the counter-quotes, though, talking about that because it is open source, it's inherently more secure. *sigh* I hate issue re-tread.

4 of 207 comments (clear)

  1. Security through obscurity DOES work! by wayne · · Score: 5
    Yes, security through obscurity DOES work!

    Chanting that it doesn't work doesn't make it so and doesn't help.

    There is a whole field of cryptography called "Steganograpy" that studies how to hide messages. Do you put valuables out of sight when you leave your car parked in public? Do you have a hidden key for your house/car, and if you really believe that obscurity doesn't work, why is it hidden? How many times have you heard wisecrackers on /. say that "microsoft will never release their source 'cause think of how many security holes would be immediately found." Look at the rapid increase in problems with Quake bots after source was released.

    Obscurity is just one more layer of protection. Hopefully it isn't the only layer nor the strongest layer, but it does help. Obscurity is often a very easy layer to add so the cost/benefit ratio is very good.

    Yes, obscurity most keeps out only the least skilled or people who want to spend only a little bit of time breaking something, but that is a huge group.

    Ranting that "security through obscurity doesn't work" is a nice bummer-sticker type slogan. Like most other short rants, it is bogus and life is more complicated than that.

    Instead, we should be calmly explaining that "open source is more secure despite not being obscure." We can take about how open source can be a plus as well as a minus. We can show emprical evidence, we can talk about how many "white hat" people can fix bugs, we can talk about how "too often closed source developers use obscurity as their only defense".

    --
    SPF support for most open source mail servers can be found at libspf2.
  2. Two different issues here.... by trims · · Score: 5

    First of all, Silicon.com isn't any place to be getting good opinions about technical stuff. It's a overview-style PHB rag. Too bad they don't recognise this.

    The more important thing we all seem to miss is that the security of an OS is dependent on two critical features:

    How easy is to find exploits?

    and

    How fast are those exploits fixed?

    Now, as a simple matter of logic, it is easier to find an exploit on a Open-Source system than a closed source system, everything else being equal. It's that simple. You've got the code right in front of you, so it's easy to verify that there is indeed a flaw.

    However, the other issue is where is Open Source community shines. Typical patches for exploits are generally issued within hours, or at most a couple of days for OS stuff, whereas we all know how long it takes our favorite vendors to fix their stuff (if they ever get around to it).

    You simply can't consider one of the two requirements in absence of the other. It's impossible. Doing so marks you as a complete nincompoop. Or dort, whichever you prefer. And, of course, we're talking about an ideal world, where everyone has an equally elegant design, all coders made the same quality code, etc. In reality, these other issues generally far outweigh the first consideration, and have a considerable impact on the second (bad code is harder to fix, thus longer patch times). And we've all seen the quality of some of the closed-source code, haven't we?

    The other quote there that I love is: Security needs to be built into the architecture of the operating system. This cannot happen if your source code is publicly available. The first sentance has nothing to do with the second one - they are completely unrelated. Indeed, security must be built into the OS, you simply can't bolt it on later. This is a design issue, and has nothing to do with whether the OS is OpenSource or closed. The guy's a blathering clueless moron.

    Right now, the most secure OSes around are OpenBSD, Secure IRIX, and Secure SunOS. All have a very careful security design included in them, and are very attentive to security concerns. One is OpenSource, the other two are closed. Giving away the code makes no difference to the end -security of your system. Either you did a good security design, or you didn't.

    The article is simply wrong.

    -Erik

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.
  3. Actually, none of the above... by LocalYokel · · Score: 5
    Open source doesn't make software more secure, and neither does closed source. It was established a long time ago that a skilled administrator was the most important security device.

    You can make NT, Linux, BSD, the MacOS, or even MS-DOS secure with a little bit of knowhow, even if the latter two are inherently nonsecured operating systems.

    (A car with ABS is no good if the driver still pumps the brakes, if you know what I mean.)

    --

    --

    --
    E2 IN2 IE?

  4. A word from your Friendly Local MS Spokesperson by locutus074 · · Score: 5
    "Security needs to be built into the architecture of the operating system. This cannot happen if your source code is publicly available."
    It's nice to see independent peer review confirming what we here at your Friendly Local Microsoft Business Office (C)(R)(tm)(sm)(patent pending) have been saying for years. You need to ensure that the source code to your Operating System (tm) stays out of the hands of the so-called "hackers" whose only aim is to break into your system and steal your important data.

    What is the best way to do this? You need to ensure that the source code to your Operating System (tm) is in the hands of a neutral third party: Microsoft (C)(R)(tm)(sm)(patent pending). We've been doing this for years. We ensure that nobody outside of our Company (tm) knows about any bugs that may or may not be in our Closed Source Code (tm). And because every Operating System (tm), as long as it is designed by humans, will have security holes, we ensure that each Service Pack (tm) will not only plug the old security holes, but also will introduce new ones that no one yet knows about. This, friends, truly is Quality (tm); there will always be security flaws, but don't you sleep better at night knowing that for the time being, the only party who knows about them is a name you can trust? And that so-called Operating System (tm) (we are investigating a trademark infringemnt lawsuit over the unauthorized use of a registered Microsoft (C)(R)(tm)(sm)(patent pending) trademark) designed by one Mr. Linux Torvalds has new security holes discovered at least once a week! You don't hear about Windows NT (C)(R)(tm)(sm)(patent pending) security holes for months sometimes!

    In closing, permit me to thank you for your continued patronage of Microsoft (C)(R)(tm)(sm)(patent pending), or your imminent switch to a Microsoft (C)(R)(tm)(sm)(patent pending)-based Operating System (tm).

    Sincerely,
    Mr. L. Mer Fudd, Microsoft (C)(R)(tm)(sm)(patent pending) Assistant Vice-Presidential Director of Marketing-Type Activities

    --

    --

    --
    We have fought the AC's, and they have won.