RE: Closed source & Security (was: Re: Smooth wall - more detailed)
- To: "'mulix'" <mulix(at-nospam)actcom.co.il>
- Subject: RE: Closed source & Security (was: Re: Smooth wall - more detailed)
- From: "Haim Gelfenbeyn" <haim(at-nospam)hageltech.com>
- Date: Thu, 30 Aug 2001 12:16:38 +0300
- Cc: "'Linux-IL'" <linux-il(at-nospam)linux.org.il>
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Importance: Normal
- In-Reply-To: <Pine.LNX.4.33.0108301143300.12062-100000@alhambra.merseine.nu>
- Organization: Hagel Technologies
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
>
> On Thu, 30 Aug 2001, Haim Gelfenbeyn wrote:
>
> > I feel that saying that "open source can be trusted more than closed
> > source" is a huge overstatement. There are certain (very few)
> > open-source projects (Apache, Linux kernel, etc.) which have had security
> > audits and where someone other than the author has read the sources.
> > However, for the majority of open-source projects this is not the case.
> > Take a look at any Linux archive. While there is much quality software
> > there, there are also lots of programs written badly, and no one in
> > their right mind should depend on them in any production environment.
>
> while i agree with you that open source does not automagically mean
> secure, i fail to see how that makes closed source programs MORE secure,
> which you seem to imply.
>
I'm sorry that my message wasn't clear enough. I don't think that
closed-source is more secure than open source. I don't believe in
"security through obscurity". I DO think, however, that being open-source
provides little advantage to the general user. The user can't know what's
going on in closed-source software. However, he has no qualification to
look into the sources either.
> open source gives you the POSSIBILITY of a security audit. closed
> source doesn't. with closed source, you are at the mercy of whoever wrote
> it and whatever security skills they have. with open source, you at
> least have a fighting chance....
>
*I* have the fighting chance (although a small one). The common user doesn't
have it, since reading C for him is no clearer than reading an EXE binary
dump.
> > For Linux distributions the situation is even worse. More often than not
> > you cannot depend on them to update all the packages with all the latest
> > security patches. And it takes exactly one exploit to root the
> > machine...
> >
> > So, if you have time and qualification to:
> >
> > 1. Review and audit the source code on a regular basis.
> > 2. Actively look for updates and patches for all software installed.
>
> you don't have to 'actively look'. passively looking (by subscribing to
> bugtraq and to your distro's security announcements) is usually enough.
>
This is true for the select number of very widely-used packages.
However, rarely-used software is not audited actively, and security bugs
are not fixed promptly. Take, for example, Interbase. A wide-open backdoor
was discovered only months after this quite popular database went
open-source.
My message was that rejecting closed-source software just because it's
closed source is not a solution for most people. The common user has to
trust someone...
Haim.