>>Just playing devil's advocate here... Closed source has some 'security through obscurity' benefits, it's likely a case of trial and error, or decompiling the program to get the source code, to find a hole. Open source removes that last barrier, they can simply download the source code.
>
>Security through obscurity is no security.
If it's your only security, then I agree it's worthless. If there are a thousand potential buffer overruns in the code, and only one of them is vulnerable, an attacker with the source code can ignore the 999 and focus on the one. If he doesn't have the code, it's a guessing game, he doesn't know where it is ahead of time.
>As a parallel, however, the best cryptology that mathematics can offer is in fact open source. It's how it is applied that ensures the strength of the cryptology, not how secret the algorithm is.
How much harder would the encryption be to crack if you didn't know which algorithm was being used?
>There are more holes discovered in this o/s than other open source versions.
>Look, the whole idea of secure code is not dependent on whether the app is open source or closed source. You can write insecure code either way. It's not open vs. closed - it's secure coding vs. insecure coding. At least with open source we can all have a look and see what's what and no one is trying to hide anything.
Yeah, and? I never argued that one codebase was better or worse than another, just the possible differences between the same pile of code being open or closed.
Why don't banks post the details of their security systems? They could get interested people to point out holes in their coverage. But they'd also be giving every thief in town the roadmap into the vault.
An unknown target is harder to crack than a known one.