On Fri, 2004-02-13 at 02:13, -ray wrote:
> >
> > Having the source code to a piece of software leaves it wide open for
> > abuse. HOWEVER, among the open source community, there are a wider
> > array of individuals who can (and will) check out the code and seek out
> > potential exploitable holes (your aforementioned security audit).
>
> Ahhh hogwash, pure hogwash. If the software is "wide open", then it's
> wide open, source or not. If the current security disaster that is
> Microsoft has taught us anything, it's that people are quite effective at
> finding holes in closed-source software.
>

I think fundamentally you are still agreeing with me.

> > For example, if I wanted to know exactly how the Windows messenger
> > system worked, having the source code to Windows would show me how it
> > does its thing. That would give me all the information that I need to
> > know about its protocols, handshaking information, etc. and who knows
> > what I could do from there...spy on IPs...pose as other people...become
> > a real nuisance, etc.
>
> You can get all the info from the network, without the source. How do you
> think the clone ICQ/AIM programs work? And if the application protocol
> lets you do all that bad stuff, and bases its security model on the
> premise that "we hope they don't figure this out...", how can you call
> that secure? Whether you have the source code or not, that is just
> insecure programming.
>

That was just an example - I am sure that with a bit of thought and more research, I could find better examples.

> > Another example would be a deeper understanding of Windows' network file
> > structure, and how it handles shares across a network. Imagine what I
> > could do if I knew -everything- that there was to know about that...
>
> Don't have to imagine. The Samba team pretty much knows it all. And I
> bet they found lots of holes in SMB/CIFS along the way. So much for
> closed-source security. What about Kerberos, ssh, ssl, gpg/pgp, https,
> etc. Source code readily available, and still secure. Imagine that.
> A good encryption algorithm is still good even after the algorithm is
> disclosed. I think software is the same way.
>

Again this was just an example.

> > I know it's a common sentiment among the open source community to
> > militantly defend against the notion that available source code makes
> > software less secure, but the only defense is in the efforts of the open
> > source community to audit software that is available.
>
> Source availability is irrelevant to security. Bad code is bad code.
> Period. Knowing the source is open might make you a more careful
> programmer, yet we still find holes in open source. Knowing the source is
> closed probably makes you a lazy programmer.... run windowsupdate on a
> fresh XP install for proof of this.
>
> Does running a closed source system lessen your chances of attack?
> Possibly. Does it mean you are more secure? Hell no!
>
> ray

Windows has relied on "security through obscurity" for a long, long time. In the focus of your argument, you have not made a distinction between "bad programming" and "closed source". Source availability is -not- irrelevant to security...to think so is foolish. Of course you are going to find holes in open source - but being open source, we have that luxury. Closed source does not give us the luxury to study and seek out possible holes in a way that is thorough.

-=D
