From my own internet research this morning I am certainly warming to the idea of Open Source, but so many sources are so much in favour without presenting a balanced view. Taking the examples below:
Security by 'secrecy' is not a good idea.
This could lead to complacency and you usually don't follow best practice rules - because your code is secret. When the code then leaks, there are so many flaws and possible exploits in it.
Bad code is bad code. Bad practices are bad practices. Interestingly you say 'could lead .....' I don't think Microsoft have become complacent because their source code is secret; I think there are many other reasons why they have produced bad code. If a company was to follow best practice, enforce protocols and perform internal reviews to ensure guidelines had been followed, would secrecy then be OK? I reject the argument that because the code is secret complacency is prevalent. If an organization is well run, with the correct controls in place, there is no reason why the code should be bad. As for leaking code, this is a separate discussion.
The theory is that open source is more stable and secure because it is being constantly scrutinized.
Attacks on open source won't become more commonplace because all the flaws are recognised and fixed quickly - before attacks can occur - unlike the 'secure' source community where flaws are usually only recognized after the attack occurred.
Again this implies that a whole group of developers are looking at the software trying to identify loopholes. I think this again is a high expectation. I refer to an earlier post whereby one company put up a reward for finding holes, and one guy found three holes immediately in a piece of open source software.
Everyone hates Microsoft and attacks are mainly directed at them; with open source (Linux) becoming more popular, how long before attacks on this software become as popular?
Originally posted by Bernardmidgley (see the post above):
Are you inferring a connection between the hatred for Microsoft and popularity? 🙄
Seriously though, why would people end up hating open source, because it is open source, enough to direct their attacks at it?
MÅ¥HÅRM
Originally posted by Bernardmidgley:
For those that are interested, this explained the issues very well.
I am beginning to warm to the idea, still not totally convinced.
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html#OPEN-SOURCE-SECURITY-BOTTOM-LINE
More reason for the lack of security in Microsoft products.
Find a security hole in XP and you have a flaw in hundreds of millions of computers, all with the same software. As it spreads, there is a better than 90% chance a computer is running Windows. A bit like a pest spreading through a field of identical corn plants. And even if 90% of users patch their machines, it can still spread as there will still be tens of millions of computers unprotected.
Spreading a Linux virus is much harder. 90% of infections would end up on Windows machines and spread no further. Linux users do not generally run as supervisors and their code is more diverse - different distros and kernels.
Much more effective to write an exploit for IE on Windows than Konqueror on Linux - even with equivalent internal security on the systems. I would never now use IE for Internet Banking - too many flaws.
Originally posted by Mayharm (see the post above):
Perhaps 'popularity' was the wrong word; maybe 'prevalent' or 'most common' would have explained my point better.
It's not that people will end up hating open source, just that at the moment Microsoft presents a bigger target, i.e. find a loophole, exploit it and the impact is across many computers. As Open Source becomes more popular (read: common) the impact stakes increase and hence the number of attacks increase. Maybe.
Originally posted by steerpike (see the post above):
So the argument here is that because Linux is not in common usage it is more secure. So what happens when we have 50% corn plants and 50% carrot plants? Will our pests change their appetite?
Originally posted by Bernardmidgley (see the post above):
This depends entirely on how you view humanity...
The people who break security systems do it for the challenge and the notoriety (at worst). If they are doing it on open source products the challenge is open to everyone and thus the competition is higher. The recognition you get for openly pointing out security flaws in open source is of a far more pleasant variety than breaking secure code...
So if humanity is viewed positively those people will take the positive recognition over the negative. If you view it negatively then you will probably believe that they will continue to seek the negative recognition.
MÅ¥HÅRM
Originally posted by Bernardmidgley (see the post above):
It's basically it. MS have been somewhat complacent on security and that has fed the creation of the script kiddie and so on. Even in XP, for example, the rather simple protocol of using multiple accounts - one admin for program installation, and a higher-security 'normal' profile for your day-to-day work - is not followed through.
Presently, MS is less secure because the majority of attacks, being opportunistic in nature, all tend to use the greater opportunity inherent in the majority installation. If it ever changed and MS were not the dominant platform, then the new dominant platform would be attacked in the same manner. It's not 'personal' as such: those that have 'fun' in faceless vandalism never consider who is going to be hurt (to the point of being unaware).
An example: a friend recently returned from Afghanistan where she has been working on and off for 2 years in nursing infrastructure. She told a story where a fairly "low threat" virus (according to the anti-virus lobby, <cue conspiracy theory that they write most new viruses/worms etc.>) got a PC-novice local nurse (common) to click on something in an email: PC wrecked, all medical data gone. These folks don't have money for backups and nothing like enough money to hire an IT consultant or get IT training for staff. This script kiddie just killed a fair few people who had a s**t enough life as it was.
I *think* this conversation is missing the point about why open source is more secure - it's not simply that there are fewer people interested in attacking it.
Basically, open source code is open, and generally developed by many people working in conjunction without any monolithic control (see 'The Cathedral and the Bazaar', by Eric Raymond). This means that each element of the code that goes into an application has to adhere to standards in order that other people can easily work with it. Which means better software, and easier review of software for security holes.
Microsoft have no need to adhere to design standards as they do everything internally - therefore a lot of the interactions between MS Office, Explorer, and the Windows OS are fudged simply because it was the most convenient way for them to quickly accomplish a goal - however having applications that ar and now the security issues can't be disentangled because it is so hard to identify where code for one application stops and where code for another starts. This has also led to the issue of M$ patching one vulnerability and the patch causing another vulnerability somewhere else.
Open source isn't necessarily more secure than a well-designed closed system, but it is far more likely to be. And more importantly, when a vulnerability is discovered, it is far easier for the code to be reviewed and patched.
Actually, I tend to disagree that there could be more bad guys and good guys. Hackers (or crackers) tend to be in 3 categories:
1. The "script kiddies". You might hear about them on the news. Teenagers (or younger) who are thought to be computer geniuses but really just know how to download dangerous scripts from an obscure website and run them.
2. These ones know considerably more about computers and are fairly common. They know about known vulnerabilities and manage to write scripts to exploit them.
3. The hacking/cracking gurus. These are the ones that find the vulnerabilities. Tend to be computer geniuses that could basically talk in binary or hexadecimal. These ones basically sit in front of the computer most of their lives and are social outcasts. They are also quite rare.
Category 1 is very commonplace but the vulnerabilities to these scripts can be found and patched up quickly, making them no longer a threat.
Category 2 is based on the fact that these vulnerabilities are known anyway, hence can also quickly be patched up.
Category 3 is the real threat, but as I said, they are quite rare. The good guys definitely outweigh the number of these people.
I have met a lot of Linux/Unix programmers and I have found that when all of them reach the level that they do, all they want to do is make Linux/Unix better. Not find vulnerabilities and exploit them to cause damage.
Lau
Originally posted by Mayharm (see the post above):
So your argument here is that Open Source is more secure as someone who identifies a security weakness in an Open Source product is more likely to report the weakness, rather than someone who finds a weakness in a closed system who is going to exploit it!!!
And at the end of the day it all boils down to humanity!!!
I don't think so.
Originally posted by Osse (see the post above):
I agree we may be moving off track slightly. From what I have read you have summed it up very well with your comment 'Open source isn't necessarily more secure than a well-designed closed system, but it is far more likely to be.'
And it is more likely to be due to the number of reviewers in place. So if Microsoft were to introduce a large department of reviewers, to ensure all code was designed following set standards, would this make their software as good as / as secure as Open Source?
(Or is it too late for them)
Originally posted by Toe:
Just-in news: MS opens up source code on Office products (but to Governments only).
See http://www.microsoft.com/resources/sharedsource/Licensing/GSP.mspx
So, as an interesting sub-question: if Microsoft opened its source code to all, what would be the impact (in terms of stability and security)?
Originally posted by lausey (see the post above):
But you would agree that there are bad guys out there, hence we are having this discussion.