On Fri, 13 Feb 2004, David Jackson wrote:

> Windows has relied on "security through obscurity" for a long, long
> time.

True. So have IBM, Novell, DEC, etc. And their systems remain more secure than Windows.

> In the focus of your argument, you have not made a distinction between
> "bad programming" and "closed source".

You are right, I am not making that distinction. Sorry if it sounded like I was trying to convey that. My point is good programming and bad programming happens in both open and closed source software.

> Source availability is -not- irrelevant to security...to think so is
> foolish. Of course you are going to find holes in open source - but
> being open source, we have that luxury. Closed source does not give us
> the luxury to study and seek out possible holes in a way that is
> thorough.

One thing Microsoft has taught us is the white hats and black hats are still VERY effective at finding holes in closed-source software. Sure, the source would make it easier to find holes, but it's definitely not required.

I still maintain that source availability is irrelevant. Say you run a piece of closed-source software for years and years. Then one day you see the source, and find tons of holes in it. Was it more secure before you saw the source? No. It is still the same program, with the same holes. You just never knew about them before... and here's the kicker: you're *really* hoping no one else knew about them either.

Given the option, I'd rather not run systems like that.

ray
