Slashdot Mirror


Confidence Shaken In Open Source Security Idealism

iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

9 of 265 comments (clear)

  1. I don't buy it by GameboyRMH · · Score: 5, Insightful

    Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:I don't buy it by Lilith's+Heart-shape · · Score: 5, Insightful

      Most of the general public can't tell a compiler from a Cuisinart. We can eventually fix this by teaching kids to code, which has the additional benefit of showing them that their feelings don't matter to anybody else.

    2. Re:I don't buy it by The+Ickle+Jones · · Score: 5, Insightful

      Corporations will definitely be re-evaluating the option of open-source after these two issues.

      Maybe they should also avoid proprietary software, for similar reasons. That leaves them with... nothing. Oh, well, they can always pretend that perfect software exists.

    3. Re:I don't buy it by GameboyRMH · · Score: 5, Insightful

      Wow really, the recent issues are a factor? My company uses plenty of FLOSS and heartbleed/shellshock haven't been a bigger blip than any of the Windows/IE/Flash/Adobe Reader zero-days that are routinely discovered.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:I don't buy it by ArhcAngel · · Score: 5, Insightful

      Big corp CIO's need somebody to blame when things don't work. Open Source doesn't easily facilitate that. That is why Red Hat and Canonical have thrived. They have taken on the risk of deploying an open source product out of the CIO's hands. The support for proprietary products is in most part an illusion. I can't count the number of times I have had a product languish with an issue that the ISV had no intentions of fixing. Unless the problems affects a large enough group most ISV's aren't going to lift a finger to correct it. At least with OSS even if the maintainers of a project dismiss your issue you are still able to hire someone or find someone who happens to be interested in your issue to modify and possibly correct the issue. That's not even an option with proprietary software.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  2. The source is there, just read it by Anonymous Coward · · Score: 5, Insightful

    The schematics for cars are available, just review them to make sure there's no structural or design flaws.
    The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
    The texts of the laws are available, just review them to make sure there's no conflicts with constitutional rights and other laws.

    The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.

  3. Yes. Yes it is. by Anonymous Coward · · Score: 5, Insightful

    As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

    Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.

    With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.

  4. Re:Cart before the horse. by FuzzyDustBall · · Score: 5, Insightful

    On the third hand, if you can't trust RSA for security, a major closed source project whose entire purpose is security, who can you trust in the OS world? The real difference from security Between open source and closed source is attitude towards the product, In closed source there is incentives to hide issues, where in open source there are very few.

  5. Re:Yes, it really is so different. by ljw1004 · · Score: 5, Insightful

    Yes, it really is so different.

    With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

    Why do you submit that?

    I work on the VB/C# compiler teams. These compilers used to be closed-source for ten years, and were made open-source earlier this year. Whenever we have a bug, we ALWAYS do careful investigation to look for all the related issues we can find. That's been no different between our closed- and open-source eras. We do it because "high quality software" is the number one driver of satisfaction, and if we make higher quality software then we get more sales. I think it works: you almost never hear people being bitten by VB/C# compiler bugs. We pay people full time to do careful investigations of stuff that (I reckon) most people would find too boring to do without a salary. None of this is affected by closed- vs open-source.

    What I've enjoyed is "open-source language design". The language design decisions are still made by stewards of the language as before. But by opening up the process of language-design, we see a lot more viewpoints and ideas from everyone. Better to fix bugs at the design-stage rather than wait until after the thing's been implemented.

    I'm willing to believe your submission is true -- but not without evidence, since your claim contradicts my own experience.