
RE: Closed source & Security (was: Re: Smooth wall - more detailed)



> 
> On Thu, 30 Aug 2001, Haim Gelfenbeyn wrote:
> 
> > I feel that saying that "open source can be trusted more than closed
> > source" is a huge overstatement. There are certain (very few)
> > open-source projects (Apache, Linux kernel, etc.) which have had security
> > audits and where someone other than the author read the sources. However,
> > for the majority of open-source projects this is not the case. Take a look
> > at any Linux archive. While there is much quality software there,
> > there are also lots of programs written badly, and no one in a clear
> > mind should depend on them in any production environment.
> 
> while i agree with you that open source does not automagically mean
> secure, i fail to see how that makes closed source programs MORE secure,
> which you seem to imply.
> 

I'm sorry that my message wasn't clear enough. I don't think that
closed source is more secure than open source. I don't believe in
"security through obscurity". I DO think, however, that being open source
provides little advantage to the general user. A user can't know what's
going on in closed-source software. However, he has no qualification to
look into the sources either.

> open source gives you the POSSIBILITY of a security audit. closed
> source doesn't. with closed source, you are at the mercy of whoever wrote
> it and whatever security skills they have. with open source, you at
> least have a fighting chance....
> 

*I* have the fighting chance (although a small one). The common user doesn't
have it, since reading C for him is no clearer than reading an EXE binary
dump.

> > For Linux distributions the situation is even worse. More often than not
> > you cannot depend on them to update all the packages with all the latest
> > security patches. And it takes exactly one exploit to root the
> > machine...
> >
> > So, if you have time and qualification to:
> >
> > 1. Review and audit the source code on a regular basis.
> > 2. Actively look for updates and patches for all software installed.
> 
> you don't have to 'actively look'. passively looking (by subscribing to
> bugtraq and to your distro's security announcements) is usually enough.
> 

This is true for the select number of very widely used packages.
However, rarely used software is not audited actively, and security bugs
are not fixed promptly. Take Interbase, for example. A wide-open backdoor
was discovered only months after this quite popular database went
open source.

My message was that rejecting closed-source software just because it's
closed source is not a solution for most people. The common user has to
trust someone...

Haim.



To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il