
Re: Closed source & Security (was: Re: Smooth wall - more detailed)



Here's my view.

The more well known your product is, the less likely it is to have 
unknown security problems, back doors and plain ol' bugs.

Having an open source helps, but as the PGP example showed, doesn't 
solve the problem.

A well known, much used, closed source security solution is much less 
likely to have unknown security problems than an open source little used 
product of similar complexity. I think the best way to illustrate this 
is to point out that the MS registration, NSA key, Real Player's tricks, 
and all the rest were found in CLOSED SOURCE products. My experience 
shows that the extra obscurity gained by not releasing the source is 
nothing in comparison to the extra obscurity gained by having your 
product not interest anyone (security by anonymity).

            Sh.


mulix wrote:

>On Thu, 30 Aug 2001, Haim Gelfenbeyn wrote:
>
>>I feel that saying that "open source can be trusted more than closed
>>source" is a huge overstatement. There are certain (very few)
>>open-source projects (Apache, Linux kernel, etc) which had security
>>audits and someone besides the author read the sources. However, for
>>the majority of open-source projects this is not the case. Take a look
>>at any linux archive. While there is much quality software there,
>>there are also lots of programs written badly, and no one in a clear
>>mind should depend on them in any production environment.
>>
>
>while i agree with you that open source does not automagically mean
>secure, i fail to see how that makes closed source programs MORE secure,
>which you seem to imply.
>
>open source gives you the POSSIBILITY of a security audit. closed
>source doesn't. with closed source, you are at the mercy of whoever wrote
>it and whatever security skills they have. with open source, you at
>least have a fighting chance....
>
>>For Linux distributions the situation is even worse. More often than not
>>you cannot depend on them to update all the packages with all the latest
>>security patches. And it takes exactly one exploit to root the
>>machine...
>>
>>So, if you have time and qualification to:
>>
>>1. Review and audit the source code on a regular basis.
>>2. Actively look for updates and patches for all software installed.
>>
>
>you don't have to 'actively look'. passively looking (by subscribing to
>bugtraq and to your distro's security announcements) is usually enough.
>
>of course, if you want to be paranoid enough, either check, audit or
>write your own software. that's what i did with all externally visible
>components of my system (including writing a small customized web
>server).
>
>>Then open source is the way to go. But if you don't have time and
>>qualification, then closed-source (or open-source but commercial)
>>alternative, if maintained and supported properly, can be viable
>>solution.
>>
>
>i have no qualms with commercial software. i fail to see how a closed
>source program can be touted as secure, for the simple reason that you
>have NO IDEA WHAT IT REALLY DOES!
>
>It all comes down to levels of paranoia, in the end. remember, just
>because you're paranoid does not mean they aren't after you.
>




=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il