--- David Jackson <[EMAIL PROTECTED]> wrote:
> On Thu, 2004-02-12 at 20:15, will hill wrote:
> <SNIP>
> > That available source code makes software less
> secure is an old lie that should not be repeated.  
> 
> I think you have your wires a bit crossed on this
> one, Will.

I agree with Will, though it goes against conventional
wisdom; the fact that having access to source code
does not necessarily make it less secure, not the fact
that I'm agreeing with Will. ;)

> Having the source code to a piece of software leaves
> it wide open for
> abuse.  HOWEVER, among the open source community,
> there are a wider
> array of individuals who can (and will) check out
> the code and seek out
> potential exploitable holes (your aforementioned
> security audit).  

Open source makes badly written and badly _maintained_
software wide open to abuse. If software is badly
written, then of course having access to the source
code will make those mistakes obvious, but that
software must stand on its merit. Badly-written _open_
source software soon makes itself known, whereas badly
written closed source software can hide its mistakes
for a long time; six months in one Microsoft case
(http://apnews.myway.com//article/20040210/D80KJ01G1.html).


I would rather know sooner than later. Do you trust a
closed source provider to acknowledge their mistakes
sooner, or do you trust peer review? Sounds like you
trust in the honesty of closed source providers.

Well maintained open source projects audit source code
contributions _before_ they are merged into the source
tree, they are cryptographically signed, and they are
md5 checksummed, among other efforts.

If you install software on your own PC that you have
not thoroughly audited yourself, then you are placing
trust in the developers and providers of that
software. I, personally, have more trust in open
source merely because it is open for peer-review by
those with a self-interested motivation for security
and correctness. I do not have as much trust for a
closed source provider who has a profit motive,
because then the marketing droids decide when the
software is good enough for release rather than the
programmers. 

David, why is security such a headache for Microsoft?
If closed source means more security, why is Microsoft
so insecure? As Ray has stated, closed or open source
code has actually little to do with it. It is all
about secure software design. Security must be built
in and practiced throughout the entire endeavor. See
http://www.openbsd.org for an excellent example.

> For example, if I wanted to know exactly how the
> Windows messenger
> system worked, having the source code to Windows
> would show me how it
> does its thing.  That would give me all the
> information that I need to
> know about its protocols, handshaking information,
> etc. and who knows
> what I could do from there...spy on IP's...pose as
> other people...become
> a real nuisance, etc.

Anyone with a port sniffer and lots of time on their
hands could do the same thing. People (myself
included) who run IM clients that do not use
encryption are trusting fools. Begs the question:
anyone know of a secure IM client?

> Another example would be a deeper understanding of
> Windows' network file
> structure, and how it handles shares across a
> network.  Imagine what I
> could do if I knew -everything- that there was to
> know about that...

Though I may be damning the world to its complete and
utter destruction, here ya go:
http://www.ubiqx.org/cifs/

Go nutz.

> I know it's a common sentiment among the open source
> community to
> militantly defend against the notion that available
> source code makes
> software less secure, but the only defense is in the
> efforts of the open
> source community to audit software that is
> available.

In the interest of enlightened debate, I would really
like to hear your critique of something I wrote
earlier:
http://www.dougriddle.com/linux/johnh20020606.html

Thanks for saving that, Doug. My dog ate my copy. ;)


=====
John Hebert
Official BRLUG Linux Curmudgeon
