If I have done my research correctly, open source software (and I am really referring to Linux here) is supposed to be more stable and secure than other standard packages.
But how can it be more secure? If the source code is available to all, surely this makes it easier for any would-be attacker to identify and exploit weaknesses.
Discuss>
Originally posted by Bernardmidgley
If I have done my research correctly, open source software (and I am really referring to Linux here) is supposed to be more stable and secure than other standard packages.
But how can it be more secure? If the source code is available to all, surely this makes it easier for any would-be attacker to identify and exploit weaknesses.
Discuss>

Open source relies on having more good guys than bad guys. If the security flaw is there for all to see, the hope is that someone who wants to keep the program secure will notice and fix it. With conventional programs you have hackers the world over probing for flaws, but only a few programmers with the knowledge and authority to fix problems.
Originally posted by Acolyte
Open source relies on having more good guys than bad guys. If the security flaw is there for all to see, the hope is that someone who wants to keep the program secure will notice and fix it. With conventional programs you have hackers the world over probing for flaws, but only a few programmers with the knowledge and authority to fix problems.

Which is all well and good but surely also the reverse is true. There are fewer attacks on Microsoft (than there might be) because these bad guys cannot see the code and are therefore restricted to probing / trial and error techniques.
If I have understood it correctly your argument is
Closed Source (if this is the right term) - Bad Guys / Limited Good Guys / Secure source code
Open Source - Bad Guys / Lots of Good Guys / Open source Code
I am not sure I am entirely convinced by the argument
Originally posted by Bernardmidgley
Which is all well and good but surely also the reverse is true. There are fewer attacks on Microsoft (than there might be) because these bad guys cannot see the code and are therefore restricted to probing / trial and error techniques.
If I have understood it correctly your argument is
Closed Source (if this is the right term) - Bad Guys / Limited ...[text shortened]... / Lots of Good Guys / Open source Code
I am not sure I am entirely convinced by the argument

Not seeing the source code might be a good thing for the bad guys.
If you look at the code and don't run it you might be tempted to think it "looks" fine. Your bad guys don't have that option, they are always looking at the run-time version, the machine code, not the source code. Your good guys will hardly ever do that.
In any case Microsoft source code has been leaked before and will no doubt be leaked again. So the bad guys aren't necessarily as restricted as you suppose.
MÅ¥HÅRM
Originally posted by Mayharm
Not seeing the source code might be a good thing for the bad guys.
If you look at the code and don't run it you might be tempted to think it "looks" fine. Your bad guys don't have that option, they are always looking at the run-time version, the machine code, not the source code. Your good guys will hardly ever do that.
In any case Microsoft source cod ...[text shortened]... bt be leaked again. So the bad guys aren't necessarily as restricted as you suppose.
MÅ¥HÅRM

And when that Microsoft code was leaked, hackers spotted lots of exploits immediately.
For example:
http://www.theregister.co.uk/2004/02/17/windows_source_code_exploit_released/
The Open Source guys are also able to react to any new problems that may be discovered - they patch their code almost as quickly as is humanly possible. And we know this isn’t the case with MS – although it appears they take such problems a little more seriously these days. (They have been beaten up over security so much in the past, they have little choice.)
-Russ
Originally posted by Bernardmidgley
Closed Source (if this is the right term) - Bad Guys / Limited Good Guys / Secure source code
Open Source - Bad Guys / Lots of Good Guys / Open source Code

Naah, most of these 'bad guys' actually come from the open source community, as they try to exploit the likes of Windows in order to show how much better the open source equivalents are.

Fresh, new thread. Thanks, Bernard.
Since the code is open, it is subject to review and analysis by the community. When a person submits code to an open-source project, it is analyzed for weaknesses. It is much more difficult for weaknesses to hide in open source code than it is in private code.
-Ray.
Summary of further arguments :
1 When the Microsoft code was leaked, it was attacked. Therefore this strengthens the argument to keep all source code secure
2 The bad guys are actually the good guys from the other team. My fear is that open source will become so popular attacks on open source will become more 'popular' regardless of reasons / motives.
I see the trade off issue between open development and security but I am concerned that the security issue may be being overlooked
Originally posted by rgoudie
Fresh, new thread. Thanks, Bernard.
Since the code is open, it is subject to review and analysis by the community. When a person submits code to an open-source project, it is analyzed for weaknesses. It is much more difficult for weaknesses to hide in open source code than it is in private code.
-Ray.

I would hope that there are controls in place over new source code development, change control etc, however the kind of security breaches I was considering are not of this nature.
For example, in Russ' link it says how someone was able to inject hostile code into systems via a buffer overflow flaw. My point is that someone could see the open source code, find many more buffer overflow flaws (whatever they are) and essentially compromise our systems
In fact, the OS movement have even offered a bounty for people to spot bugs in the Mozilla code.
http://www.theregister.co.uk/2004/09/15/mozilla_patches/
So, Firefox/Mozilla users, get patched. (And I recommend all IE users do a windows update too - a nasty new glitch affecting jpg rendering needs to be patched fast.)
-Russ
Originally posted by Russ
In fact, the OS movement have even offered a bounty for people to spot bugs in the Mozilla code.
http://www.theregister.co.uk/2004/09/15/mozilla_patches/
So, Firefox/Mozilla users, get patched. (And I recommend all IE users do a windows update too - a nasty new glitch affecting jpg rendering needs to be patched fast.)
-Russ

http://ars.userfriendly.org/cartoons/?id=20040811&mode=classic
😀😀😀😀😀
Originally posted by Bernardmidgley
If I have done my research correctly, open source software (and I am really referring to Linux here) is supposed to be more stable and secure than other standard packages.
But how can it be more secure? If the source code is available to all, surely this makes it easier for any would-be attacker to identify and exploit weaknesses.
Discuss>

There is another reason Linux is more secure.
When Bill Gates released the DOS operating system for personal computers, mainframes already ran Unix. Linux is a built-from-the-ground version of Unix - DOS lies underneath all Windows machines.
Mainframes had many users - students, academic staff and office staff all logged in through terminals to one big computer. So all could work together, no-one could see what anyone else was doing and no-one could install or delete programs - except the computer supervisor - "root". Under Unix, all files have permissions - no permission and you could not even see a file. A student had access to the computer but could not change grades.
Personal computers of the 1980's were underpowered and expensive. DOS took away permissions and allowed open viewing, altering and deleting of files - it was a personal computer, it sat on the accountant's desk and control was through restricting who used the keyboard. A great solution for the first decade of non-networked machines as the file permissions took precious resource, but not so great when half the world can access your machine.
On my Linux box, I am severely restricted on what I can do. That may seem a disadvantage but if I want to change settings or install software, I must log in as root. That makes it much more difficult to execute bad code on a Linux machine - a virus has the same restrictions and important files are not easily accessed.
Why can't Windows put file restrictions back in? They could - but thirty years of software, from games to office apps would have to be rewritten. Meanwhile Unix is still going strong - most serious databases are run on Unix boxes while Linux is picking up market share on web and mail servers.
So - I stick to Linux. And Microsoft can't buy them out or take them over.
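
The permission model described in the post above, as an added example that is not part of the original thread: a small Python model of the classic Unix owner/group/other check, applied to the post's student-and-grades scenario. The UIDs, GIDs, file modes and the `may_access` and `demo` helpers are constructed for illustration; real kernels also consult ACLs and capabilities.

```python
import stat
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1  # rwx bits inside one permission class

@dataclass(frozen=True)
class FileMeta:
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640

def may_access(uid, gids, f, want):
    """Classic Unix check: exactly one class (owner, group or other) applies."""
    if uid == 0:
        # root skips read/write checks; execute still needs some x bit set.
        if want & EXEC:
            return bool(f.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        return True
    if uid == f.owner_uid:
        granted = (f.mode >> 6) & 7
    elif f.group_gid in gids:
        granted = (f.mode >> 3) & 7
    else:
        granted = f.mode & 7
    return (granted & want) == want

# Constructed accounts and files (hypothetical, for illustration only).
STAFF, STUDENT, ROOT = 1001, 2001, 0
STAFF_GID, STUDENT_GID = 100, 200
grades = FileMeta(STAFF, STAFF_GID, 0o640)      # rw- r-- ---
timetable = FileMeta(STAFF, STAFF_GID, 0o644)   # rw- r-- r--
odd = FileMeta(STUDENT, STUDENT_GID, 0o044)     # --- r-- r--

def demo():
    student = (STUDENT, {STUDENT_GID})
    return {
        "student reads timetable": may_access(*student, timetable, READ),
        "student writes timetable": may_access(*student, timetable, WRITE),
        "student reads grades": may_access(*student, grades, READ),
        "staff writes grades": may_access(STAFF, {STAFF_GID}, grades, WRITE),
        "root writes grades": may_access(ROOT, {0}, grades, WRITE),
        # Owner class wins even when it grants less than group/other.
        "owner reads own 0o044 file": may_access(*student, odd, READ),
    }

if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question}: {answer}")
```

A process started by a user carries that user's UID, so malicious code run from an unprivileged account is subject to the same checks as the account itself.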
Originally posted by Bernardmidgley
1 When the Microsoft code was leaked, it was attacked. Therefore this strengthens the argument to keep all source code secure

Security by 'secrecy' is not a good idea.
This could lead to complacency and you usually don't follow best practice rules - because your code is secret. When the code then leaks, there are so many flaws and possible exploits in it.

2 The bad guys are actually the good guys from the other team. My fear is that open source will become so popular attacks on open source will become more 'popular' regardless of reasons / motives.

The theory is that open source is more stable and secure because it is being constantly scrutinized.
Attacks on open source won't become more commonplace because all the flaws are recognised and fixed quickly - before attacks can occur - unlike the 'secure' source community where flaws are usually only recognized after the attack occurred.