Mitnick on OSS

comforteagle writes "Infamous cracker Kevin Mitnick (turned security consultant) has come out to say that he'd prefer to 'hack' open source code vs proprietary closed code. "Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called 'fuzzing'." He further says that open source is more secure, but leaves you wondering questions if enough people are really interested in securing open source code."

Captain Obvious

[Fusen]

In other news, it's easier to see where you are going when you have your eyes open.

In other news...

[HaloZero]

He's got the same general (valid) outlook that the rest of us have: open-source code is easier to tinker with because you can see how and why it works. That is an intrinsic element of having open-source code.

Just because Mitnick has said what thousands - neigh - millions have said before, doesn't mean it's new and exciting. Doesn't make it news.

I'd prefer to hack open source with FEW AUTHORS

[xxxJonBoyxxx]

I think I'd agree with Kevin if he said:

"I'd prefer to hack open source with FEW AUTHORS."

There's no doubt that lots of eyes and a security focus have helped Apache, but there's lots of open source shitware (for example, just Google up a list of PHP messageboards) that don't have basic input validation controls, require too much access to the operating system, use plain-text or unsalted MD5 passwords or contain other gaping holes.

Without those extra eyes helping out...yes, many open source projects are easier to hack than similar closed source projects.

Err, no.

[Paradox]

Look, everyone knows that opening your source is a double-edged sword. It's not like your intent to open source summons the Buffer Overflow Fairy who magically waves their Valgrind wand and your code is perfect. The whole point is to get the bugs out in the open so that everyone can see them and patches can be submitted by a larger number of contributors. The idea is that it gets rid of the bugs faster.

The fact that Mitnik says this doesn't damage the case for open source at all. The Captain Obvious comments are just pointing out that Mitnik is just saying, "I like easier work over harder work." Or maybe, "It's really fucking tedious to analyze a binary without the source." Does that stop people from finding bizzare bugs in closed source code? Absolutely not.

Re:Master of the obvious!

[sbrown123]

I think the parent, and many others, wish they had some fame, a good job, and other such things. Nice try, though.

Wow, I have a better job than Mitnick, make more $$$ per year than him, don't have to fret with the fame, and I still think he knows less about hacking in todays world than I do. And I've never hacked a system in my life! But your like most lemmings today who believe that if a person roams around talk shows and writes some books on hacking that it he/she must be the defacto guru of hacking. Please. Thats like saying somebody that robbed banks 60 years ago are all-knowing-pros at how to rob the high tech banks of today. Time changes, and with it so do people.

Doublespeak ?

[bmajik]

So when Mitnick says it is easier to hack OSS software, people say "duh"

When Microsoft says "making our stuff open source will make it easier to find vulnerabilities", people say "Stop FUDing, Microsoft"

I dont see how can you beleive it when Mitnick says it and how you can refute it when Allchin says the same thing.

Re:Doublespeak ?

[Knuckles]

You can't believe it because you (1) are making up an argument for the aim to refute it, commonly called a strawman, and (2) treat a collection of people as an individual. (Is there a fallacy name for this too?)

ad (1)
Mitnick did not say "it's easier to hack" (I assume TFA/you mean "crack" here) which would mean that it's easier to get unauthorized access.

In fact TFA quoted Mitnick as saying that finding vulnerabilities in OSS code is easier, since it's easier to analyze for holes. This is true for both black-hats and white-hats, so it gets evened out somewhat. On the other hand, finding holes in closed source is harder for black-hats, but fixing them is impossible for white-hats, so overall this might put black-hats at an advantage.

And you leave out that OSS is not just "GPL the source and put it on a server". Mature OSS projects generally are modularized well, because parallel development is greatly hampered otherwise. Closed projects tend to be much dirtier in this respect.
Incidentially, this separation also helps secure coding.

ad (2)
It should not be a surprise that among > 1,000,000 /. users, you find both people who say "duh" in the one, and others who say "Stop Fudding" in the other story.

Actually, what happens is this:
Some people say "duh", because, well, duh, but you leave out the supporting argument that while Mitnick's assertion is obviously true, TFA left out the fact that it is easier to fix also.
Other people say "FUD", because they forget that Allchin is somewhat right: putting Windows in the open now, necessarily with insufficient preparation and code cleanup, would make it more insecure. But that does not mean that it couldn't be more secure had it been constructed in the open from the beginning.

And I can't believe there are idiots who modded you +5 Insightful.