Slashdot Mirror


Defending Open Source Security

dpilgrim writes "DevX's A. Russell Jones as thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and posted a response over on the O'Reilly Network. As previously discussed on /. Jones' comments are too controversial to ignore."

4 of 260 comments (clear)

  1. Having the source may help bad guys ... by file-exists-p · · Score: 5, Interesting

    There is no doubt it may help someone to break into your system if he has the source code or your OS and various deamons. Fortunately, when it's open-source, we can hope bugs allowing bad guys to break in may have been spotted by nice guys before and patched.

    The real problem would be if only bad guys had your source code .... that would really suck. If for instance there was a leak of your source code on the internet, and of course only bad guys would look at it (because others do not give a shit) and thus you would get only the bad part of the opennes ...

    Yeah, that would suck. That would really suck.

    --
    Go Debian!!!

  2. Proprietary code does not prevent hacked binaries. by tigress · · Score: 5, Interesting

    I was recently involved in a project where a large Swedish car manufacturer migrated to a corporate wide client platform. The operating system was supplied by a major American software company, packaged by a major American computer manufacturer, reviewed and further packaged by the car manufacturer's mother company and finally tailored for local requirements by one of our teams.

    At any one of those stages, a hacked binary could've been introduced into the operating system. To modify a binary, even without access to the source code for said binary, is a trivial task for anyone with a rudimentary knowledge of assembler.

    Proprietary code does not, in any way, prevent malicious code from entering the system. One of the points in the original article was that a malicious distribution could be specifically tailored for and marketed to, for instance, a government. My example above shows how a proprietary code operating system can be used in a similar way, and this time without any source code to check against.

  3. Re:Laughable assertions by I+confirm+I'm+not+a · · Score: 5, Interesting

    The impression I formed from the DevX article was that it was aimed at government (and I suppose you could article that that might influence large corporations, too).

    In my experience government and corporate IT admins are *not* trusting souls. As an example, I once worked as a contractor for an agency that built software for the UK health service: everything I built was then reviewed and recompiled by in-house staff. The manager told me that they preferred open-source precisely because of the ability to review source code. Cost was only a secondary factor.

    The same manager also commented that security-through-obscurity - relying on closed-source to deter evil-doers - was not an acceptable option as it placed to much reliance on third-parties.

    --
    This is where the serious fun begins.
  4. Microsoft Isn't Closed Source (as such) any more by mattyrobinson69 · · Score: 5, Interesting

    in light of what happened this week (NT4 & Win2k's source being leaked (therefore much of XP and longhorn), microsoft cant claim that their source isn't available to 'bad people' anymore. My friend downloaded the source himself a couple of days ago, i didn't have a look because to be honest, i dont care. Microsoft's source being available is far worse for security than linux/BSD etc source being available because microsoft chose "security through obscurity" - OSS OS's dont. Since NO Firewall/Virus scanner can prevent you from holes in services that are supposed to run (MSN Messenger for example [was that leaked?]) there's going to be some bad stuff happening this week to companies running windows. Hopefully, this will give them reason to choose a more secure platform next time they change software, instead of just upgrading to the latest windows.