At 11:19 AM 5/5/2003 -0500, you wrote:
> > Perhaps. However, I do not think that the average open source software is
> > any more secure than closed software. There is a [higher potential] for
> > security, but that doesn't mean that there is a higher level of security
> > for the average software.
>
>Ah, I've heard that often lately and I don't buy it.  Even one of the 
>authors of fetchmail said it a while back.  The only way to make it true 
>is to twist around the definition of "average" and ignore key differences 
>in security models and user choice.
>
>When you are honest about the software people use, the potential is often 
>realized.  Widely used programs are scrutinized and free code has 
>significantly fewer bugs than its commercial counterparts.  People who 
>define "average" by counting stuff on SourceForge rather than looking at 
>program deployment are not being very honest.

You tend to write with a lot of hyperbole. :)

>When we are talking about the difference between Windows and free 
>software, architectural differences must be considered.  You mentioned not 
>putting X on a web server.  That makes sense but it does not make X a 
>bloated buggy thing like windoze, it's just a matter of risk 
>management.  You don't need X to run a server, so the additional small 
>risk of using it is not justified in many cases.  It's rumored that 
>Microsoft is working on a version of their server that does not have or need a

Running X is hardly a small risk. Also, remember we are talking about 
desktops here and not servers. Most Linux desktops, if not all, run X. And 
a lot of X programs, including KDE, Gnome, and the applications built under 
them have a proven track record of having vulnerabilities. As Linux 
desktops become more popular this trend will continue. So I wouldn't term 
the problem as a "small risk." Unfortunately, the problem here is simply 
the abundance of complicated and non-audited code. That problem is just as 
big in the open source world as in the closed source world.

Ultimately, open source does have a [higher potential] for security in most 
applications. The main reason for this is the ability for the community to 
fix broken code. However, when it comes to the Linux desktop we are seeing 
that we still have a long way to go. That was my entire point originally.

>GUI.  This is a glaring example of Windows' lack of modularity causing 
>security problems that don't exist in the free software world.  As I 
>mentioned before, free software is not so brain dead as to run email and 
>browser software as root.

Windows 2003 accepts logins via the serial port for administrative control 
if this is what you mean? Also, you can control a lot of NT and Win2k 
functions via telnet/SSH and scripts albeit not as well as you can a UNIX 
system.

>Both of these differences, user choice and unprivileged users, are 
>barriers to break-ins that Microsoft may never erect.

Unfortunately, from my experience a very large number of users log in as 
root on their desktops. Under NT a lot of users give themselves 
Administrator privileges and then run dangerous code. Same issue here. The 
major problem in most situations is not so much the code as user education.

>At some point it becomes a matter of faith.  When I've finished mulling 
>over the past and the above reasoning, the future is still 
>unknown.  Because I can't review every line of code I'll ever use, at some 
>point I have to trust the authors.  I trust free code developers to be 
>honest.  Reason, memory and bad faith are all against Microsoft.  I'm 
>going to choose software written by people who release it under a license 
>that respects my ability to use the software as I see fit, understand the 
>software, modify the software to meet my particular needs and share those 
>modifications with my friends.  This approach is going to work much better 
>for security than a humiliating "submit" button that violates all of the 
>above.  People who lack respect for their users must care less about them 
>than those who do respect their users.  In the end, I can't see any 
>company being able to compete with free software.
>
>Time will tell.  Extrapolating from a few DoS vulnerabilities in one or two 
>projects is more hazardous than extrapolating from Microsoft's record of 
>root exploits and Internet-destabilizing worms.

Good thing that wasn't done here. Anyway, my point was that most open 
source code has not had the benefit of a world of active eyeballs. And a 
lot of code that is commonly used still hasn't had the rigorous testing 
that is needed. Finally, the bad state of documentation of a lot of open 
source contributes to problems, security-related and otherwise. (A recent 
issue with Courier-MTA (a server application, I know) and a fellow LUG user 
brings that to mind.) That being said, I personally do prefer open source 
to closed source.


---
Dustin Puryear <[EMAIL PROTECTED]>
Puryear Information Technology
Windows, UNIX, and IT Consulting
http://www.puryear-it.com