Slashdot Mirror


McAfee Blames Open Source for Botnets

v3xt0r writes "It seems that 'the Open Source Development Model' is to be blamed for the recent increase in botnet development. 'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says. Why not just blame the IRC Protocol? Or simply admit that Proprietary vendors cannot keep pace with the Open Source Model?"

2 of 223 comments shown

  1. Wow! by rockabilly, Score: 0, Troll

    McAfee is still around? I'm surprised...

  2. Re:Dude, again, it's _not_ about OSS by wirelessbuzzers, Score: 1, Troll

    Which is, in a nutshell, just the old "security by obscurity" argument. Which has already been debated to hell and back and is known to not work that way.

    RANT!

    I'm sick and tired of the "what the other guy says is security by obscurity" argument. The real truth of the matter is Kerckhoffs's principle, which says that a security system (in Kerckhoffs's case, a cryptosystem, but it generalizes) should remain secure if its design falls into the hands of the attacker, or equivalently "the smaller the secret, the more secure the system". This is a statement about design principles, not about disclosure; non-disclosure is a defense in depth. Of course, it also prevents other qualified people from reviewing your designs, so there's a trade-off to make, but there are advantages on both sides.

    Kerckhoffs's principle doesn't mean that you should disclose the design of a security system, just that the system should be designed to remain secure if you do. Note that the NSA designs its ciphers to remain secure if their workings are disclosed, but it doesn't disclose them. Kerckhoffs's principle also doesn't mean that a flawed system is more secure if you publish vulnerabilities complete with exploit code. It does mean that by design, the system should remain secure no matter how much code you publish, but obviously once you have a vulnerability that's not true anymore.

    Under the assumption that criminals have already discovered and are already exploiting a vulnerability, it may be argued that disclosing vulnerabilities improves security by forcing the vendor to patch, or by alerting systems administrators to the vulnerability (particularly if a workaround is available). Neither of these is improved by widely-distributed, fully-functional exploit code, so lacking some other reason (please enlighten me), publishing such code is a terrible security decision.

    --
    I hereby place the above post in the public domain.
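The distinction the comment above draws, a design that stays secure once disclosed versus one whose only secret is the design itself, can be made concrete with two toy ciphers. This is an added example, not code from the thread, McAfee or any product it discusses; the eight-byte pad, the HMAC-SHA256 counter-mode keystream and the tiny 12-bit key space are all constructed here so the brute force finishes instantly, and are not meant as a real cipher design.

```python
"""Kerckhoffs's principle with two constructed toy ciphers.

Design A ("obscure"): the secret is the algorithm itself, a fixed pad
baked into the code.  Design B ("keyed"): the algorithm is public and
only a key is secret.  After full disclosure of both designs, A gives
up every plaintext with no work at all, while B still costs the
attacker a search over the key space.
"""
import hashlib
import hmac

# --- Design A: security rests on nobody knowing the design ---------------
# Constructed pad; in an obscurity-based product this is the "proprietary"
# part the vendor hopes nobody reverse-engineers.  It is shared by every
# deployment and cannot be changed without shipping a new design.
_SECRET_PAD = bytes.fromhex("5f3a9c1e7b2d4e8a")


def obscure_encrypt(plaintext: bytes) -> bytes:
    return bytes(b ^ _SECRET_PAD[i % len(_SECRET_PAD)]
                 for i, b in enumerate(plaintext))


def obscure_decrypt(ciphertext: bytes) -> bytes:
    return obscure_encrypt(ciphertext)  # XOR is its own inverse


# --- Design B: public algorithm, per-user secret key ----------------------
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (toy, for the
    demo; the point is only that the construction is fully public)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks))


keyed_decrypt = keyed_encrypt  # same XOR, same keystream


# --- The attacker, after the design of both ciphers is disclosed ---------
def attack_obscure(ciphertext: bytes) -> bytes:
    """Disclosure hands over the pad; recovery is a single decrypt."""
    return obscure_decrypt(ciphertext)


def attack_keyed(nonce: bytes, ciphertext: bytes, key_bits: int,
                 known_prefix: bytes):
    """Disclosure of the design changes nothing: the attacker must still
    search the key space.  Returns (key, tries) or (None, tries).  The
    known_prefix is a crib the attacker expects at the start of the
    plaintext; with an 8-byte crib a false match is negligible."""
    tries = 0
    key_len = (key_bits + 7) // 8
    for candidate in range(2 ** key_bits):
        tries += 1
        key = candidate.to_bytes(key_len, "big")
        if keyed_decrypt(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return key, tries
    return None, tries


def demo():
    """Encrypt one message under both designs and attack both."""
    msg = b"attack at dawn"
    key = (2748).to_bytes(2, "big")     # constructed 12-bit key
    nonce = bytes(8)                     # constructed nonce
    ct_a = obscure_encrypt(msg)
    ct_b = keyed_encrypt(key, nonce, msg)
    recovered_a = attack_obscure(ct_a)
    found_key, tries = attack_keyed(nonce, ct_b, 12, msg[:8])
    return recovered_a, found_key, tries


if __name__ == "__main__":
    a, k, n = demo()
    print("obscure design, after disclosure:", a)
    print("keyed design, after disclosure: key", k.hex(), "found after", n, "tries")
```

The cost the attacker pays against Design B is set by the key length, which is why a 12-bit key here falls in a few thousand tries and a 128-bit key would not; what disclosure does not do is remove that cost. Design A's pad is also eight bytes, but it is a secret the user cannot rotate and that every installation shares, which is the sense in which the comment's "the smaller the secret, the more secure the system" applies.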