Is XP Microsofts Big Brother Bot? Is there purpose to fl
Message
From: 29/12/2004 14:00:30
To: 29/12/2004 10:51:57
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00972695
Message ID: 00973029
Views: 14
>>>'those' open source people always crack me up. they complain about the unsecure/dangerous MS products - but yet open source are the most unsecure programs by definition itself.
>>
>>
>>Hi Gunnar. This statement is simply not correct. Why do you think this? Is it because you think a compiled proprietary program is secure because no one can see the source code? If so then you are mistaken.
>
>Just playing devil's advocate here... Closed source has some 'security through obscurity' benefits, it's likely a case of trial and error, or decompiling the program to get the source code, to find a hole. Open source removes that last barrier, they can simply download the source code.
>
>Open Source's security advocates claim that many eyes will discover and report flaws. The popularly bashed closed source OS has millions more users (and hackers) doing the same thing. Any hole obscure enough to be found only by hackers isn't going to be reported in either case.
>
>Not even going to mention the problems with getting users to apply patches...

Chris,
Your rationale may give you the warm and fuzzies, but that doesn't make it correct. In fact you are entirely incorrect!

1. Millions of USERS does not mean that any SECURITY FLAW will be found and reported.
--- First, 99.9% of users wouldn't recognize a "security flaw" if they fell over it.
--- Secondly, those that did would have no idea of WHERE to report it to.

2. Hackers decompiling are a minute fraction of the population yet look at the havoc they've wreaked already!

3. When source code is available it is far more than "hackers" who take advantage. Generally it would be to solve (enhance) something to make for smoother operations and you can be sure that if they came across a security hole they would be most pleased to report it. And reporting it is hardly an obscure thing when source is open.

4. "Security through obscurity" works reasonably UNTIL someone does get their hands on the code (even just parts of it) and makes it "available". Suddenly you've gone from pretty good security to NONE!

5. Patches are the way fixing gets done regardless of the openness of source. It's not a factor.

I was in "Software Support" working on IBM mainframes for much of my computing life. IBM's source at that time - for MFT, MVT, SVS and MVS (and some others) - was "proprietary" but IBM supplied the source code for all of it.
You would be astonished to learn that countless bugs, security and otherwise, were identified and patched BY THE USER POPULATION (I had a few myself). We followed a 'rule' that all such patches would be sent to IBM and they would fix the code in their next (or later) release.
There were also tons of ENHANCEMENTS developed this way, most of which IBM did not implement in the base code but which nonetheless were invaluable for many installations.

There should be no question in anyone's mind - availability of source code is far far better, by virtually any measure, than unavailability of source code.

cheers