On 14.02.2022 at 20:58, David Crayford wrote:
On 15/2/22 3:48 am, Phil Smith III wrote:
While clearly closed source is no more likely to be randomly secure than
open source, the fact that the source is available for open source (by
definition!) does perhaps change the equation a bit. The question I have
ZERO data to answer is:

If a hacker has access to the binary, they essentially have the code. For example, give me a Java JAR and I can use any number of Java decompilers [1] (including my IDE) to recreate the source code verbatim. Same for C#. C/C++ is not so easy, but yet again there are decompilers, although you lose the original symbol/label names. Most hackers just fire up a debugger and look at the assembly. Assembly code is a no-brainer.

Of course, code leaks are common. The entire Windows XP code base was leaked. By that time it was old, but a huge number of customers, including the military, were still using it. Now that a lot of companies are moving to Git, they had better make sure they have locked down the repository host servers. And if they're using GitHub or another cloud-based repository service, then fingers crossed it never gets breached.

[1] https://github.com/deathmarine/Luyten


My €0.02:
1. Source code (open source) is *NOT* the same as decompilation.
2. Access to source code is better than no access - from a vulnerability-searching point of view.
3. However, there are notable holes found years after the code was released.
4. Open source means more eyes are looking for the holes => better code review. However, closed source means it is less likely that a possible hole would be found. What's better?
5. While open source means access to the source code, it does not mean code contribution. Let's assume I made some piece of software and used log4j. What next?


--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN