Open Source Attacks


Programmers working on closed source get into a mindset, thinking less about security, I would imagine. That is a security layer and some holes might never be discovered. Microsoft (just an easy example) employs 22000 programmers; open source can easily muster 10 times that. All those programmers looking for holes, and programming knowing that the code will be analysed, seems the best policy. Sure, there might be more holes found, but at least they are found and fixed. As for the great Linux/Windows debate, it's not just about open source; Windows is less secure by design. E.g. if I was running Linux and got a virus (yes, there are some), it could only spread to MY files, not get permission to install backdoors etc. Although if you run as root you are screwed.


Originally posted by Bernardmidgley
But you would agree that there are bad guys out there hence we are having this discussion.

Yes, agree with that, but the rate at which open source code vulnerabilities get patched up is far quicker than with closed source.

Those threats are there for closed source as well. Just saying that the people who know Linux/Unix well enough to understand the source are very unlikely to be people who would look for vulnerabilities to cause damage. These people still far outweigh the bad guys. It is rare for someone to learn all about programming Linux/Unix with the intent to tear it all apart.

The people who look into the machine code of closed source systems to "reverse engineer" and look for vulnerabilities are the ones that want to cause damage. A legit programmer who wants to improve the system would have no incentive to do that.

There would be no purpose of reverse engineering compiled code with open source because the uncompiled source is already there (which would be subjected to the first paragraph I made above).


Let me try and turn this discussion around. What are the advantages of 'closed source' as opposed to 'open source'?


Originally posted by Bernardmidgley
So your argument here is that Open Source is more secure as someone who identifies a security weakness in an Open Source product is more likely to report the weakness rather than someone who finds a weakness in a closed system who is going to exploit it!!!

And at the end of the day it all boils down to humanity!!!

I don't think so

No you misunderstand, it's not about people just being nice it's about the system of reward they choose to follow...

One way you are responsible for bringing down half the internet, causing billions of dollars of damages, making hell for people and your work is being talked about on all the news. BUT you can't take any credit for it!

The other way you are responsible for improving the systems that run the internet, saving billions of dollars, making people's lives better and you can become the toast of the hacking community because you can take credit for it!

If you view these people negatively then presumably you will think that wider publicity and indeed knowing that they were alone responsible and knowing that no one else knows beats being a goody-two-shoes by far, i.e. they are malicious egotists of the worst order.

If you view them positively then presumably you will expect them to take the real recognition, even if it is only amongst those who can really appreciate it (other geeks), and maybe get some usable reward out of it, i.e. they can get a high paid job: "you fixed that flaw in the xyz module of the abc software??? you're hired!".

Either way, it's what they will do for themselves, not what they will do for other people. Currently, secure source products don't give them the positive option...

MÅ¥HÅRM


Originally posted by Mayharm
No you misunderstand, it's not about people just being nice it's about the system of reward they choose to follow...

One way you are responsible for bringing down half the internet, causing billions of dollars of damages, making hell for people and your work is being talked about on all the news. BUT you can't take any credit for it!

Exactly, and considering how much Linux has been developed and improved over the years by the open source community, isn't this evidence enough of how much they are committed to developing a strong and robust system?

Any malicious hacks would be drowned out by the people who are dedicated to spot any flaws.


Originally posted by Bernardmidgley
Let me try and turn this discussion around. What are the advantages of 'closed source' as opposed to 'open source'?


What straight away springs to mind is job security to the programmers that work there. 😀


Consider also the reverse-engineering possible in .NET (obfuscation is only a roadbump). Is MS going open-source anyway? In which case, will their security coding improve?


Originally posted by tamoshanter
Programmers working on closed source get into a mindset, thinking less about security, I would imagine.

You imagine? I've been a software developer for 9 years and worked on many closed source products. Any decent IT shop will consider security a major part of their design. Hell, many have programmers that will review all the code of other programmers and look for holes. That's been my job in the past, so I KNOW what I'm talking about. If you put out holey products and they get hacked, you have a good chance of getting sued. MS has an army of lawyers which probably scares most people off; most IT shops can't afford that luxury.

E.g. if I was running Linux and got a virus (yes, there are some), it could only spread to MY files, not get permission to install backdoors etc. Although if you run as root you are screwed.

OK, well that's only if you are running your Windows box as root (administrator). Once again, no decent IT shop/IT department is going to have their users logging in as root/administrator; that's what accounts and domains are for.

There is no reason that a Windows install can't be as secure as a Linux install. MS just doesn't lock down the install by default. Causes too many usability issues, issues that a Linux/Unix person is used to, but the average user has no experience or desire to jump through hoops, so it is open by default.

Tim


Originally posted by lausey

Yes, agree with that, but the rate at which open source code vulnerabilities get patched up is far quicker than with closed source.

That may be true in some cases, but it is by no means a guarantee.

My favorite example (a bug that the Mozilla group knew about for 5 years and left unpatched):
http://it.slashdot.org/article.pl?sid=04/07/31/0037210&tid=154&tid=128&tid=172

Or, since MS gets so much grief for these types of bugs, a newer Mozilla bug:
http://secunia.com/advisories/12526/

No this is just one exploit, any idea how many holes that "bad guys" have found and been exploiting for years/months/weeks that go unpatched because they sure aren't going to share their "secret exploit" with others? If they did that, then they wouldn't be able to use it anymore.

So I guess the question is: Are there more bad guys or good guys looking at the code, and which team has the best and most creative programmers on their team?


Originally posted by Bernardmidgley
If I have done my research correctly, open source software (and I am really referring to Linux here) is supposed to be more stable and secure, than other standard packages.

But how can it be more secure? If the source code is available to all, surely this makes it easier for any would-be attacker to identify and exploit weaknesses.

Discuss


I don't think this is the case at all. Hackers in general tend to be pretty much anti-social. The majority of hackers aim to break the arch enemy Microsoft, thus the majority of attempts to hack into sites happen to be those running Microsoft machines.

I would bet that Linux would suffer the same amount and very likely more should it receive an equivalent no. of hacking attempts.

As a side note, the majority of hacks tend to be poor Windows configuration on the part of systems administrators, instead of simply flaws in the OS.


More research and I just found a very good analogy.

Would you buy a car with the bonnet (hood) welded shut? Of course everyone would answer of course not. However, amongst all those people who buy a car where the bonnet (hood) opens, how many look inside? How many know what to do (especially with all the new electronics involved)?

Whilst it is true that if the bonnet is open someone might find a weakness, but having it open more people can look inside and work out how to fix it.

Thank you all for your very interesting views. From the posts and my own research I now understand the issues and my main fears surrounding open source have been addressed. I have been converted.

My summary is, Open Source has the potential to be at least as secure if not more secure than a closed system.
System development and source code is better designed
More reviews undertaken
More resources available to fix problems
Much cheaper in licensing costs
Closed source is probably not as closed as one would think (or like)

Popularity / commonality is still an issue and it will be interesting to see what happens when Open Source gains even more market share.

Thanks again