On Sat, 2004-02-14 at 18:05, John Hebert wrote:
> Well, then what do you think about:
> http://www.dougriddle.com/linux/johnh20020606.html?
I would like to first draw attention to the fact that this original thread started over the possibility that the source code to Windows had been leaked out. I believe your article, and the supporting article about Kerckhoffs's Principle, serve to reinforce my original point. "Security through obscurity" never works, for dozens of reasons. Microsoft has relied on it for the bulk of their existence. They do not benefit from "peer review", because their OS and applications are closed source.

Following this assertion, it might be easy to draw the conclusion that open source, by inference, is much more secure. But it is solely because of peer review that it is more secure. Microsoft does not have the luxury of peer review; they keep their source code secret. When someone discovers their "secrets" (in this case, their source code), they no longer have obscurity, thus they have no more security.

We're not talking about cryptography here; we're talking about an operating system, and the ability to exploit it. Having the source code will give you all manner of information that will enable you to tailor-make buffer overrun exploits, play with sending packets to any one of the dozen or so ports that Windows leaves open, etc.

The bottom line is this: as long as open source benefits from peer review, then yes, open source will be, by its nature, more secure than closed source. In this specific case, however, Microsoft will lose its obscurity, and their entire operating system will be compromised.

-=David
