RE: Closed source & Security (was: Re: Smooth wall - more detailed)
- To: "'Linux-IL'" <linux-il(at-nospam)linux.org.il>
- Subject: RE: Closed source & Security (was: Re: Smooth wall - more detailed)
- From: "Haim Gelfenbeyn" <rnews(at-nospam)hageltech.com>
- Date: Thu, 30 Aug 2001 09:11:04 +0300
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Importance: Normal
- In-Reply-To: <Pine.GSO.4.33_heb2.09.0108300820040.12775-100000@techunix.technion.ac.il>
- Organization: Hagel Technologies
- Reply-To: <haim(at-nospam)hageltech.com>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
I feel that saying that "open source can be trusted more than closed
source" is a huge overstatement. There are certain (very few)
open-source projects (Apache, Linux kernel, etc.) which had security
audits and where someone besides the author read the sources. However, for
the majority of open-source projects this is not the case. Take a look at
any Linux archive. While there is much quality software there, there
are also lots of programs written badly, and no one in their right mind
should depend on them in any production environment.
For Linux distributions the situation is even worse. More often than not
you cannot depend on them to update all the packages with all the latest
security patches. And it takes exactly one exploit to root the
machine...
So, if you have the time and qualifications to:
1. Review and audit the source code on a regular basis.
2. Actively look for updates and patches for all software installed.
Then open source is the way to go. But if you don't have the time and
qualifications, then a closed-source (or open-source but commercial)
alternative, if maintained and supported properly, can be a viable
solution.
Haim Gelfenbeyn.
> -----Original Message-----
> From: linux-il-bounce@cs.huji.ac.il
> [mailto:linux-il-bounce@cs.huji.ac.il] On Behalf Of Tzafrir Cohen
> Sent: Thursday, August 30, 2001 8:28 AM
> To: Alon Altman
> Cc: Dani Arbel; Linux-IL
> Subject: Re: Closed source & Security (was: Re: Smooth wall -
> more detailed)
>
>
> On Wed, 29 Aug 2001, Alon Altman wrote:
>
> > On Wed, 29 Aug 2001, Dani Arbel wrote:
> >
> > > Alon,
> > > Where did you get this idea about closed source?
> > > You can trust it just like you trust open source: use carefully and keep
> > > tuned for news/patches.
> > > Dani
> >
> > But with closed source, you can't ever be sure there aren't backdoors that
> > were deliberately added to the software for the advantage of the closed
> > source developers. See for example, Microsoft "registration wizard" and
> > other deliberate backdoors such as the notorious "NSA key".
> > Open source software is checked by experts around the world to ensure its
> > security, thus preventing the original producer from putting in malicious code
> > or backdoors. That's why I never use closed-source products when security is
> > a concern.
>
> From your argument it can be concluded that:
>
> 1. closed source software cannot be trusted (enough for those critical
> applications)
>
> 2. Whenever you want to apply an open-source product you have to either
> review it yourself and search for critical bugs and backdoors, or
> verify that someone else already has.
>
> Have you verified that for, say, the latest version of smoothwall?
>
> Another consideration is the amount of support: One of the things I didn't
> like about LRP (http://linuxrouter.org) is the lack of awareness for
> security updates. For instance: look at the versions of the kernels, and
> of the bind, proftpd, ssh (and probably other) packages in the 'official'
> archive (although I haven't checked those specific packages in the recent
> months. Things may have improved lately).
>
> --
> Tzafrir Cohen
> mailto:tzafrir@technion.ac.il
> http://www.technion.ac.il/~tzafrir
>
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il