is open-soure REALLY more secure???

Printable View

October 2nd, 2003, 04:07 PM
ol jeb

is open-soure REALLY more secure???

after seeing articles like this, i really begin to doubt the whole open-source argument that open-source software IS more secure than proprietary products. i just cannot believe that the "many eyes=better code" philosophy is accurate at all. if that were true, than we would not have these issues, right??? (personally i don't think either one is more secure than the other) i think it all depends on the developers working on the code, as we all know, there are quality developers and crappy ones. i have been a technician for many, many years now and have yet to come across any developer that has said "hmmm...i'm bored, i think i'll look over this code for bugs". unless, they are wanting to use some of that particular code in one of their projects or want to build something similar, they don't do that. anyway, i just wanted to get some of the AOers thougts on this.

BTW-before i get flamed or neg'd, i have to say that i hate all OSs equally...they all do the same thing, but get from point A to point B differently. IMO

http://news.com.com/2100-1002_3-5085...l?tag=nefd_top
October 2nd, 2003, 04:21 PM
souleman

open source is actually less secure because the flaws can be found easier. But, when a flaw is found, it is patched a LOT more quickly then propriatary software.
October 2nd, 2003, 04:23 PM
bpiedlow

See that's the oddity of opinions...

I read that exact same article - and it makes me think what a GREAT idea open source is. I believe that article outlines the very reason open-source is made to be more secure then most non-open source.

Being that non-open source it normally only the developers and the 'bad guys' (to use their terms) that have access to the source-code. So mainly 'bad-guys' find the holes and the 'good guys' don't find out about it until after we see the exploits found for the holes.

Where as with open source this is not always the case, as both good-guys and bad-guys have the same access to the same info. Thus causing situations like this when (to quote them)

Quote:

"We certainly know of no exploits yet," he said. "These were found by the good guys.

Thus giving the end users a chance to fix the problem before it even becomes exploitable...

Thats my 2 cents,
RRP
October 2nd, 2003, 04:36 PM
pwaring

The whole idea of open source with relation to security is that bugs are found because people can see the source code. If software is insecure but closed-source, it's going to take longer for the problem to be noticed by the creators and fixed. Plus, at the end of the day, if you notice a security hole in an open source product and have the programming ability, you can fix it yourself and submit a patch to the project. Even if the developers refuse to use it, you have at least secured your own system.

With closed-source products (e.g Windows XP), I have to wait for the developer - in this case Microsoft - to release a patch before I can secure my system. There's nothing I can do in the meantime except leave my computer disconnected from the internet (or even switched off) and wait for MS to solve the problem.
October 2nd, 2003, 04:39 PM
Limpster

I would say that it depends on the people that aquire it. If the people who get the software decide to search for flaws and exploit them then it is somewhat less secure. On the other hand if the people decide to notify people and patch it then it is perfectly fine.
October 2nd, 2003, 05:07 PM
nihil

Hi,

"Security is in the hands of the beholder".......if you do not know what you are doing, all OSes are vulnerable.

If you have open source then you are vulnerable in that a bad guy can see how it works?...in the case of the closed source, the bad guy can generally figure out how it works..........hell Gates would not have gotten that rich if he only employed angels and geniuses?......they are ordinary folks. And hacking is based on HOW IT WORKS, not on the potential of a system/language. It is very much a "suck it and see" activity?

IMHO vulnerabilities are attached to applications NOT sources.

I have a machine I just moved today...it is a trifle old, OK, but it runs the RISK operating system...........anyone out there under 40 fancy their chances?...I doubt it :p

It is closed source, but that does not matter.............not many of us would understand it anyway?

My final comment is that with closed source it is THEIR problem...with open source it is yours :(

Cheers
October 2nd, 2003, 06:26 PM
mohaughn

Open source vs closed source by themselves have no direct correlation to the security of the product. If you have a group of 5 guys all coding for the same open source product and they don't care about security at all, and make a lot of mistakes, that product is insecure. Same thing can happen with closed source development. They are development models, and that is it. The security of the product is only as good as the developers care to make it. All developers right now are humans, and humans make mistakes. Which means that no matter how good you think you are, you are going to screw up atleast once, and that is all it takes for an insecurity to pop up.

The whole argument that open source is more secure because open source developers care more is conjecture. I have never seen any statistical evidence that proves that open source developers care more, or vice-versa. Most of the time the people who get into these arguments are either open source or closed source developers/supporters and they are tooting their own horns.

nihil- That would be RISC. What type of ARM processor are you running in that machine?
October 2nd, 2003, 07:20 PM
nihil

Hi mohaughn,

You spotted my dyslexia straight off :D It is RISC, and the chip is some sort of Motorola. The machine is 1990 and is designated a 12/20 so I suppose the processor is 12Mhz and the FSB 20?

It has a 151Mb hard drive (Wow)

A nice bit of history as far as I am concerned, I must get it going again (just moved house) I will have a look and get back..............are you interested in old machines too?............sort of a hobby for me like some guys with old bikes or cars?

Cheers
October 2nd, 2003, 07:59 PM
PM8228

RE: Neat stuff is neat, right?

Nihil is right that if the person setting it up has no idea what they are doing then it probably will not be secure, however... I do believe that open source gets patched much faster because many more people see it. Where as with Windows even if they have a developement team of say, 100, they are not nearly as numerous as the people who look at open source material, they are most likely also focusing on release dates, and that type of thing, and security is less important than does it work, and will it not crash every few minutes. I do comment them on XP Pro, it has been more stable for me, until I killed it and put RedHat on :p.
October 2nd, 2003, 11:28 PM
lumpyporridge

The time between discovery of a possible exploit and patching with open source is many times a matter of hours at most days not weeks or months(unless the project is dead/unsupported. Right now there are exploits for IE6 that have been around for along time. Companys work for the bottom line , people who do open source work for the love and challenge. I know where i put my trust.
October 3rd, 2003, 01:33 AM
nihil

One aspect of open vs closed source that no one seems to have touched on so far is Corporate Perception.

I heard a saying a long time ago "Nobody ever got fired for buying IBM" I guess you could put "Microsoft" in the place of "IBM" these days?

The perceived notion is that "closed source" is contractually guaranteed whereas open source is not, therefore "must be inferior" :(

I would point out that IMHO and my experience, the "perception" of a CEO is reality, as far as we are concerned. They think they can sue, so they go for that option. I know this is BS, but how many CEOs do you know of who are aware of what "EULA" stands for? let alone read all the small print. At best you might get your money back..............no consequential losses, compensation for loss of earnings etc.

I have had very little success in getting freeware/shareware accepted in the workplace for exactly the same reason.

Basically if I said "Sun Solaris" they would say "Good idea Johnno" if I said "Linux", they would say "Johnno, you have been on the beer again" :)

Just a few thoughts

Cheers
October 3rd, 2003, 05:52 AM
St1cky

Think of it this way:
If you can see the defense of a fortress, you could easily fix every place where the possibility somone could slip in would be, but you could also use that same vulenrability to your advantage. Now, if you could not see it, you'd have to do some snooping around to find the area someone could get in, but it would not be fixed immediately, you would have to wait for someone to do the work you could do yourself.

Basically it's all up to how you feel about your operating system. If you trust Bill to take care of you and your computer(s), then just stay on top of the latest news from MS. If you'd rather take care of it yourself, find an open source OS.