Slashdot Mirror


Defending Open Source Security

dpilgrim writes "DevX's A. Russell Jones has thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and posted a response over on the O'Reilly Network. As previously discussed on /., Jones' comments are too controversial to ignore."

6 of 260 comments

  1. fuck it by AnimeFreak · · Score: -1, Flamebait

    Open Source is doomed to fail anyway. Just take a look at Microsoft and see how their profits keep improving even though Linux is somehow "advancing."

  2. jesus by kyknos.org · · Score: 0, Flamebait

    A 10 yo kid knows that Linux is far more secure than Windows

    --

    SHE does throw dice.
    1. Re:jesus by tomstdenis · · Score: 0, Flamebait

      "It is a non-argument because it basically says 'If you use Linux insecurely, it will be insecure.'"

      No, his point was that if Windows users used Linux like they do Windows, then Linux wouldn't look so hot. Sure, Linux has few security exploit reports. That's because most Linux users are, so far, halfway intelligent about security.

      "'Fact' #3 has been tried and refuted many times. It is not secure because it is not as common."

      Have you seen the kernel exploit lists for the 2.4.xx series? I thought not.

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:jesus by Anonymous Coward · · Score: -1, Flamebait

      "Since Apache/linux run 66% of the webservers"

      Bunk. There are new reports that dispute that figure, along with the fact that every freaking Apache server DOES NOT necessarily run Linux. Linux fools overhype themselves to the point of destroying whatever credibility they ever may have had.

  3. Re:Having the source may help bad guys ... by uv_light · · Score: 0, Flamebait

    The real problem would be if only the bad guys had your source code... that would really suck.

    Now we just have to see how much it would suck for Microsoft to leak the source code. I am waiting for a major outbreak of exploits and/or viruses and worms. By that time, I will be sitting in front of my computer and laughing at what A. Russell Jones (and Microsoft as well) had said about which is the ground for foul play.

  4. Re:Having the source may help bad guys ... by Anonymous Coward · · Score: -1, Flamebait

    Yes, you can hope, but it's an empty hope, as no one is checking for security holes anyway:

    http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=971

    Linux security site abandoned

    Is Linux security good enough or does no-one actually care?

    It seemed like a good idea at the time. Set up a website that allows users and developers alike to check which pieces of Linux code have been checked for security holes. The project, dubbed Sardonix, was a classic open source solution to a clear problem.

    The scheme's originator Crispin Cowan, chief research scientist at WireX Communications, said: "Auditing is needed not just because some developers refuse to read, or follow such standards, but also because humans make mistakes and may fail to completely, or correctly, follow all rules perfectly."

    Yet few became involved because, according to Cowan, there's no glory in auditing security holes.

    Funded initially by the US defence establishment body Defense Advanced Research Projects Agency (DARPA), the research grant aiming to centralise what was, and remains, a fairly loosely structured review process dried up nine months ago.

    The plan was that volunteer code auditors would be ranked according to the volume of code they examined and the number of security holes discovered. Points would be lost if holes were subsequently discovered in code passed as clean.

    But, said Cowan, "I got a great deal of participation from people who had opinions on how the rankings should work, and then squat from anybody actually reviewing code."

    Cowan added: "The Bugtraq model is: find a bug, win a prize - a modest amount of fame. Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code. It seems the Sardonix lesson is people don't want to play this game, they want to play the Bugtraq game."

    Some have commented that few people can both code and have sufficient expertise to spot buried security bugs for no reward, while others moot a lack of visibility and marketing as the reason for the site's demise.

    Only 22 pieces of code are listed on the site as having been audited, 14 as unaudited.