RE: Use of closed source software

From: hal@finney.org
Date: Mon Feb 04 2002 - 12:02:53 MST


I agree with 90% of what Harvey wrote but I'll just follow up on one
issue:

> > Furthermore there is the risk that publishing software
> > source code will give more information to the bad guys
> > to allow them to design exploits.
>
> I disagree here. Security by obscurity does not work. A closed source
> application with many security holes will get abused more than an open
> source application with few security holes. If source code is published
> (and actually reviewed, as you point out), it will have most security holes
> fixed. If a few slip by the experts, they will be fewer than the obvious
> holes in some closed source applications. Microsoft has closed-source
> software, and its holes are well-known and often exploited.

There is a debate this morning on slashdot at
http://slashdot.org/article.pl?sid=02/02/04/1629246 about an article
claiming that Linux has more security holes than Windows. Apparently
the methodology used for counting security problems is problematic in
this claim, but here is an example of how one person explained the
difference:

: Third: the study compares a kit of open-source software, which has
: received extensive peer review, to a closed-source product. It should
: surprise nobody that Linux has more documented problems than Windows:
: it's actually possible to go find vulnerabilities on Linux. Finding
: Windows vulnerabilities requires black-box reverse engineering.

This is just one guy's opinion, but it is one I have run into quite a bit
among security developers. It seems very plausible that it is easier
to find bugs in open-source software than in closed-source software.
That is the primary reason offered to hope that it can be made more
secure. But clearly this can come back and hurt you in that it also
makes it easier for the bad guys to find flaws as well.

Again the real issue is whether there is a well organized, active effort
to search out and fix bugs in the open source product. Just publishing
the source will not automatically make that happen. If you don't have
that, releasing source can actually hurt security.

Hal



This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:12:11 MST