On Fri, 13 Feb 2004, David Jackson wrote: > > On Thu, 2004-02-12 at 20:15, will hill wrote: > > <SNIP> > > That available source code makes software less secure is an old lie that > > should not be repeated. > > I think you have your wires a bit crossed on this one, Will. > > Having the source code to a piece of software leaves it wide open for > abuse. HOWEVER, among the open source community, there are a wider > array of individuals who can (and will) check out the code and seek out > potential exploitable holes (your aforementioned security audit).
Ahhh hogwash, Pure hogwash. If the software is "wide open", then it's wide open, source or not. If the current security disaster that is Microsoft has taught us anything, it's that people are quite effective at finding holes in closed-source software. > For example, if I wanted to know exactly how the Windows messenger > system worked, having the source code to Windows would show me how it > does it's thing. That would give me all the information that I need to > know about it's protocols, handshaking information, etc. and who knows > what I could do from there...spy on IP's...pose as other people...become > a real nuisance, etc. You can get all the info from the network, without the source. How do you think the clone ICQ/AIM programs work? And if the application protocol let's you do all that bad stuff, and bases its security model on the premise that "we hope they don't figure this out...", how can you call that secure? Whether you have the source code or not, that is just insecure programming. > Another example would be a deeper understanding of Window's network file > structure, and how it handles shares across a network. Imagine what I > could do if I knew -everything- that there was to know about that... Don't have to imagine. The Samba team pretty much knows it all. And i bet they found lots of holes in SMB/CIFS along the way. So much for closed-source security. What about Kerberos, ssh, ssl, gpg/pgp, https, etc. Source code readily available, and still secure. Imagine that. A good encryption algorithm is still good even after the algorithm is disclosed. I think software is the same way. > I know it's a common sentiment among the open source community to > militantly defend against the notion that available source code makes > software less secure, but the only defense is in the efforts of the open > source community to audit software that is available. Source availability is irrelevant to security. Bad code is bad code. Period. Knowing the source is open might make you a more careful programmer, yet we still find holes in open source. Knowing the source is closed probably makes you a lazy programmer.... run windowsupdate on a fresh XP install for proof of this. Does running a closed source system lessen your chances off attack? Possibly. Does it mean you are more secure? Hell no! ray
