Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security — Open Vs. Closed

Posted by kdawson on from the depends-what-the-meaning-of-is-is dept.

AlexGr points out an article in ACM Queue, "Open vs. Closed," in which Richard Ford prods at all the unknowns and grey areas in the question: is the open source or the closed source model more secure? While Ford notes that "there is no better way to start an argument among a group of developers than proclaiming Operating System A to be 'more secure' than Operating System B," he goes on to provide a nuanced and intelligent discussion on the subject, which includes guidelines as to where the use of "security through obscurity" may be appropriate.

2 of 101 comments (clear)

  1. My Take by RAMMS+EIN · · Score: 4, Interesting

    The same old argument for openness applies to open source. You have to assume the black hats will find and try to exploit vulnerabilities. Without that assumption, there isn't much to worry about. But given that the black hats will find vulnerabilities and use them, the best thing we can do is to make sure the white hats find the vulnerabilities, too. This way, the vulnerabilities can be fixed or worked around (e.g. through firewalls). The vulnerabilities exist whether or not you know about them, but, if you know about them, you can take adequate measures. Open source makes it easier to find vulnerabilities, and thus, to know about vulnerabilities.

    Of course, open source also makes it easier for the black hats to find the vulnerabilities. So there's an arms race here. If the black hats find the vulnerability first, they can exploit it before it gets patched or worked around. If the white hats find it first, it can be fixed or worked around before it is exploited. The same arms race exists for closed source and open source, but, in the case of closed source software, the developers are (supposedly) the only ones with the source code, which gives them a slight edge in the arms race.

    So it seems that both open source and closed source have advantages and disadvantages when it comes to security. Furthermore, I think that both arguments are theoretical, and the advantages that both models have are not always exploited. Having the source available does not help if no white hats are actually auditing it. And this is why open source wins, in my book. With open source, if you're concerned about vulnerabilities in the software and don't trust the rest of the world to have done proper audits and notified you about the results, you can do your own audit. If the developers of the software don't fix the vulnerabilities to your satisfaction, you can do so yourself. With closed source, you are at the mercy of the vendor. If they don't do proper audits, you're out of luck. If they don't fix vulnerabilities, you're out of luck.

    Proprietary software vendors do not always have your best interests in mind. It's not unusual for vendors to keep silent about vulnerabilities found and/or fixed in their software, and some vendors have even threatened or sued people who have disclosed vulnerabilities in the vendor's software. The reputation is more important than the _actual_ security of the product, because the actual security is unknowable. With open source, such tacticts don't work. The source is out there, anyone can find the vulnerabilties and assess the security for themselves. If things are fixed, anyone can make a diff between the two versions and see what was fixed. They can't keep the information from you. Your security benefits from that.

    --
    Please correct me if I got my facts wrong.
  2. Re:You Can't Know Which is More Secure by RAMMS+EIN · · Score: 4, Interesting

    ``This means there is no way to define a 'more secure' approach, and therefore all we can do is discuss individual products in comparison with one another.''

    And I'm saying that even that is pretty meaningless. Five vulnerabilities were fixed in Mozilla last week, and two in Opera. Which is more secure? Twelve new vulnerabilities have been discovered in Firefox, and one in Opera. Which is more secure? The Apache servers in our sample have been broken into 50 times during the course of our study, compared to 3 break ins for lighttpd. Which is more secure? A team of five experts found three vulnerabilities in the NT kernel and two in Linux. Which is more secure? Static analysis found 10000 possible vulnerabilities in Konqueror and Microsoft reports static analysis found 1000 possible vulnerabilities in MSIE. Which is more secure? Which of the mentioned products should you select, based on the given facts, if your goal is to minimize future break ins?

    I honestly don't know the answer to any of the questions I asked. I really think none of the (fictional) data I gave says anything about the relative security about the products it ostensibly pertains to. I _feel_ more secure running OpenBSD than Windows 2000, and, given the absense of reports of OpenBSD machines being broken into on a large scale, that feeling seems justified. But this is entirely based on something that I _don't_ know. I _don't_ know that OpenBSD machines are massively broken into, and thus, I feel safe. However, I also don't know that they are _not_ massively broken into, so my feeling could be entirely misplaced. I certainly don't know that there are no holes in OpenBSD, so even if it hasn't been massively exploited up to now, it could start tomorrow. All I have is the assurance of the developers that they make great efforts to improve security. I believe them, hope they are indeed doing so, and hope they are actually _achieving_ better security that way. But I don't _know_ that.

    --
    Please correct me if I got my facts wrong.