Mitnick on OSS

comforteagle writes "Infamous cracker Kevin Mitnick (turned security consultant) has come out to say that he'd prefer to 'hack' open source code vs proprietary closed code. "Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called 'fuzzing'." He further says that open source is more secure, but leaves you wondering questions if enough people are really interested in securing open source code."

Captain Obvious

[Fusen]

In other news, it's easier to see where you are going when you have your eyes open.

I'd prefer to hack open source with FEW AUTHORS

[xxxJonBoyxxx]

I think I'd agree with Kevin if he said:

"I'd prefer to hack open source with FEW AUTHORS."

There's no doubt that lots of eyes and a security focus have helped Apache, but there's lots of open source shitware (for example, just Google up a list of PHP messageboards) that don't have basic input validation controls, require too much access to the operating system, use plain-text or unsalted MD5 passwords or contain other gaping holes.

Without those extra eyes helping out...yes, many open source projects are easier to hack than similar closed source projects.

Re:Doublespeak ?

[Knuckles]

You can't believe it because you (1) are making up an argument for the aim to refute it, commonly called a strawman, and (2) treat a collection of people as an individual. (Is there a fallacy name for this too?)

ad (1)
Mitnick did not say "it's easier to hack" (I assume TFA/you mean "crack" here) which would mean that it's easier to get unauthorized access.

In fact TFA quoted Mitnick as saying that finding vulnerabilities in OSS code is easier, since it's easier to analyze for holes. This is true for both black-hats and white-hats, so it gets evened out somewhat. On the other hand, finding holes in closed source is harder for black-hats, but fixing them is impossible for white-hats, so overall this might put black-hats at an advantage.

And you leave out that OSS is not just "GPL the source and put it on a server". Mature OSS projects generally are modularized well, because parallel development is greatly hampered otherwise. Closed projects tend to be much dirtier in this respect.
Incidentially, this separation also helps secure coding.

ad (2)
It should not be a surprise that among > 1,000,000 /. users, you find both people who say "duh" in the one, and others who say "Stop Fudding" in the other story.

Actually, what happens is this:
Some people say "duh", because, well, duh, but you leave out the supporting argument that while Mitnick's assertion is obviously true, TFA left out the fact that it is easier to fix also.
Other people say "FUD", because they forget that Allchin is somewhat right: putting Windows in the open now, necessarily with insufficient preparation and code cleanup, would make it more insecure. But that does not mean that it couldn't be more secure had it been constructed in the open from the beginning.

And I can't believe there are idiots who modded you +5 Insightful.