On Tue, 01 Feb 2005 23:24:47 +0530, Rajev Mhasawade <[EMAIL PROTECTED]> wrote:
> Hi,
> I hope you all must be aware of Microsoft's statement over Linux. According
> to them Linux's security claims are hyped and exaggerated. I was just
> thinking of the same: isn't Linux more vulnerable to security threats as
> its source code is known by everyone?
> I hope it's not a silly question! :-)
> Rajev
> --
Hi Rajev:

The availability of source code discounts any attempts to provide security by obscurity (i.e. "I will hide in a secret that you won't know, since I never told you"). Did you ever wonder how come the license keys for so much proprietary software for Windows are floating all around? This is because the executable is opened in a hex editor and the key string is pasted at a pre-determined location. Since it was the manufacturer who did this and never told it to anybody, how come anybody will ever figure it out? Well, humans are smart and we can figure that out!

The vulnerability of any system to external threats is a consequence of bad implementations, hacks that did not take into account corner cases, etc. As a practitioner in this field, I can tell you a lot of software, including security software, ships with focus on deadlines and not QA reports!

In open source the source code is exposed to everyone, and, very important, to *both* the attackers and the defenders! This is a very important point! The source code audit done by programmers and experts creates an environment where it is much easier to spot vulnerabilities and fix them! Consider, psychologically, the programmer who has to show his code in public to so many critical eyes. This has the benign effect of cleaning up the logic, straightening the algorithms and even 'deconstructing' the scenario where a compromise has happened!

However, simply being open source is no guarantee of security! If an exploit has happened on the open source software, since the code is available, the fix can be readily made available!

Interestingly enough, when the code is closed, the guys who have figured it out have everything to gain! How? Well, once the exploit is done, the world learns of the compromise and then the fix is done. E.g. you have a virus attack on Outlook and then weeks later a patch is available!

This is just the tip of the iceberg. Some other interesting issues that work against closed source code are:
 . decompilers
 . back-doors
 . escrow requirements

Hope this helps see some of the issues at hand in the right perspective!

--
thanks
Saifi Khan.

--
______________________________________________________________________
Pune GNU/Linux Users Group Mailing List: ([email protected])
List Information: http://plug.org.in/mailing-list/listinfo/plug-mail
Send 'help' to [EMAIL PROTECTED] for mailing instructions.
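An added example, not part of Saifi's reply or of the list's own material, of the point made above about a key pasted into an executable: the script below builds a constructed stand-in for a shipped binary with a license key embedded in it, in the clear in one variant and XOR-masked in the other, and recovers the key without any source code, first with a strings(1)-style scan and then, when that fails, by trying all 256 single-byte XOR masks. The key value, the key format, the byte layout and the mask are all invented for the demonstration; nothing here is taken from a real product.

```python
"""Added example, not code from the original post.

Why a secret baked into a shipped executable is not a secret: anyone holding
the binary can pull the key back out, with or without the source.  The
'binary' here is a constructed byte string that only reproduces the relevant
property (the key and the code that uses it are both in the file); the key,
its format, the layout and the XOR mask are all assumptions made up for the
demonstration.
"""
import re
import string
from typing import List, Optional, Tuple

# Printable ASCII minus the control-character whitespace, as strings(1) treats it.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")

# Assumed license-key format: five groups of five uppercase letters/digits.
KEY_PATTERN = re.compile(r"[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}")

# Constructed key shipped inside the fake binary (an assumption, not a real key).
KEY = b"7H4X0-L1NUX-PLUG5-0PEN5-RC3Z9"
MASK = 0x5A  # single-byte XOR 'obfuscation' used by the masked variant


def strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return every run of at least min_len printable bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in blob + b"\x00":          # trailing NUL flushes the final run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def build_fake_binary(key: bytes, obfuscate: bool = False) -> bytes:
    """Constructed stand-in for a compiled program that checks a license key.

    Layout (assumed): ELF-like magic, some opaque code bytes, then either the
    key in the clear behind a 'LICENSE_KEY=' label, or a one-byte mask
    followed by the key XORed with that mask.  Either way the data the check
    needs is in the file, which is the whole point.
    """
    header = b"\x7fELF" + bytes(12)
    code = b"\x55\x48\x89\xe5\x48\x83\xec\x10"  # arbitrary x86-64-looking bytes
    if obfuscate:
        masked = bytes(b ^ MASK for b in key)
        return header + code + b"\x00" + bytes([MASK]) + masked + b"\x00" + code
    return header + code + b"\x00LICENSE_KEY=" + key + b"\x00" + code


def find_keys(blob: bytes) -> List[str]:
    """Step one an attacker takes: run strings and grep for the key format."""
    return [m.group(0) for s in strings(blob) for m in KEY_PATTERN.finditer(s)]


def recover_xor_key(blob: bytes) -> Optional[Tuple[int, str]]:
    """When the plain scan finds nothing, try every single-byte XOR mask.

    A one-byte mask has 256 possibilities, so 'hiding' the key this way costs
    the attacker a loop, not a secret.  Returns (mask, key) or None.
    """
    for mask in range(256):
        unmasked = bytes(b ^ mask for b in blob)
        hits = find_keys(unmasked)
        if hits:
            return mask, hits[0]
    return None


if __name__ == "__main__":
    plain = build_fake_binary(KEY)
    masked = build_fake_binary(KEY, obfuscate=True)
    print("plain binary, strings scan:    ", find_keys(plain))
    print("masked binary, strings scan:   ", find_keys(masked))
    print("masked binary, XOR brute force:", recover_xor_key(masked))
```

Run it directly to see both recoveries. The masked variant defeats the naive strings scan but falls to a 256-iteration loop, because the mask the program needs in order to unmask the key is sitting in the same file; that is Kerckhoffs's principle in miniature and the reason the thread's "security by obscurity" argument does not depend on whether the source is published.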
