On 16/2/22 4:04 am, Radoslaw Skorupka wrote:
On 14.02.2022 at 20:58, David Crayford wrote:
On 15/2/22 3:48 am, Phil Smith III wrote:
While clearly closed source is no more likely to be randomly secure than open source, the fact that the source is available for open source (by definition!) does perhaps change the equation a bit. The question I have ZERO data to answer is:
If a hacker has access to the binary, they essentially have the code. For example, give me a Java JAR and I can use any number of Java decompilers [1] (including my IDE) to recreate the source code verbatim. Same for C#. C/C++ is not so easy, but yet again there are decompilers; you just lose the original symbol/label names. Most hackers just fire up a debugger and look at the assembly. Assembly code is a no-brainer.
Of course, code leaks are common. The entire Windows XP code base was leaked. By that time it was old, but a huge number of customers, including the military, were still using it. Now that a lot of companies are all moving to Git, they had better make sure they have locked down the repository host servers. And if they're using GitHub or another cloud-based repository service, then fingers crossed it never gets breached.
[1] https://github.com/deathmarine/Luyten
My €0.02:
1. Source code (open source) is *NOT* the same as decompilation.
For Java and C# it is. I can step through the Java JRE in a debugger and it recreates the source code verbatim, variable names, etc. The only thing missing is comments, and I could care less about that.
2. Access to source code is better than no access, from a vulnerability-searching point of view.
The horse bolted a long time ago. Even Microsoft have open sourced huge amounts of their ecosystem. C#, .NET, PowerShell, etc. are all hosted on GitHub. Microsoft owns GitHub; how about that for a paradigm shift?
3. However, there are notable holes found years after the code was released.
4. Open source means more eyes are looking for the holes => better code review. However, closed source means it is less likely that a possible hole would be found. What's better?
5. While open source means access to the source code, it does not mean code contribution. Let's assume I made some piece of software and used Log4j. What next?
In the case of Log4j it's a moot point. The use of JNDI was documented in the manual. Having access to the source code is irrelevant.
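A practical check for the decompilation point made above (that a Java class file hands a decompiler the variable names as well as the code): this added script, not from anyone in this thread, reads only the constant pool of a .class file and reports which debug attributes it carries. The two sample class-file headers are constructed inline; the attribute names (SourceFile, LineNumberTable, LocalVariableTable) are the real ones javac emits.

```python
import struct

# Payload sizes of fixed-length constant-pool entries; CONSTANT_Utf8 (tag 1) is variable.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# javac emits SourceFile and LineNumberTable by default, LocalVariableTable (the
# local variable names) only with -g, and none of them with -g:none.
DEBUG_ATTRIBUTES = ("LocalVariableTable", "LineNumberTable", "SourceFile")

def constant_pool_strings(class_bytes):
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    magic, = struct.unpack(">I", class_bytes[:4])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    count, = struct.unpack(">H", class_bytes[8:10])   # constant_pool_count
    pos, index, strings = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            length, = struct.unpack(">H", class_bytes[pos:pos + 2])
            strings.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        index += 2 if tag in (5, 6) else 1   # long and double occupy two slots
    return strings

def debug_attributes_present(class_bytes):
    """Debug attribute names referenced by the class file (empty when stripped).
    Heuristic: an attribute can only be present if its name is in the pool."""
    names = set(constant_pool_strings(class_bytes))
    return sorted(n for n in DEBUG_ATTRIBUTES if n in names)

def _sample_class(utf8_entries):
    """Constructed minimal class-file prefix: magic, version 52.0, Utf8-only pool."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in utf8_entries)
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(utf8_entries) + 1) + pool

# Constructed samples: one shaped like a "javac -g" build, one like "javac -g:none".
WITH_DEBUG = _sample_class(["Code", "LineNumberTable", "LocalVariableTable", "SourceFile", "Foo.java"])
STRIPPED = _sample_class(["Code"])

if __name__ == "__main__":
    print(debug_attributes_present(WITH_DEBUG))  # ['LineNumberTable', 'LocalVariableTable', 'SourceFile']
    print(debug_attributes_present(STRIPPED))    # []
```

Run it over the .class entries of a shipped JAR to see whether a build is handing out local variable names; stripping them does not stop decompilation, it only removes the symbol names.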
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN