Is XP Microsoft's Big Brother Bot? Is there purpose to fl
Message
From: 29/12/2004 15:44:05
To: 29/12/2004 15:29:03
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00972695
Message ID: 00973089
Views: 13
>>>Just playing devil's advocate here... Closed source has some 'security through obscurity' benefits, it's likely a case of trial and error, or decompiling the program to get the source code, to find a hole. Open source removes that last barrier, they can simply download the source code.
>>
>>Security through obscurity is no security.
>
>If it's your only security, then I agree it's worthless. If there are a thousand potential buffer overruns in the code, and only one of them is vulnerable, an attacker with the source code can ignore the 999 and focus on the one. If he doesn't have the code, it's a guessing game, he doesn't know where it is ahead of time.

Check out the article I posted. It is very clear that open source systems like Apache and BSD are way ahead in the secure code game.



>>As a parallel, however, the best cryptology that mathematics can offer is in fact open source. It's how it is applied that ensures the strength of the cryptology, not how secret the algorithm is.
>
>How much harder would the encryption be to crack if you didn't know which algorithm was being used?

The very strength of public encryption systems is that they have been peer reviewed by the best cryptology experts anywhere. It is because of their openness that they can be trusted as secure. Their security is not derived from not knowing the algorithm but rather in the mathematics that produces them.


>>There are more holes discovered in this o/s than other open source versions.
>>Look, the whole idea of secure code is not dependent on whether the app is open source or closed source. You can write insecure code either way. It's not open vs. closed - it's secure coding vs. insecure coding. At least with open source we can all have a look and see what's what and no one is trying to hide anything.
>
>Yeah, and? I never argued that one codebase was better or worse than another, just the possible differences between the same pile of code being open or closed.

You played devil's advocate iro closed vs. open source :) It would appear that the most secure o/s is BSD and the most secure web server is Apache. Both are open source :)


>Why don't banks post the details of their security systems? They could get interested people to point out holes in their coverage. But they'd also be giving every thief in town the roadmap into the vault.

Banks are notoriously targeted by crackers successfully. And they do hire companies to find the flaws as well. But most big banks will use known and public encryption systems. Those that build in-house, from scratch, encryption will almost certainly be cracked.
In the End, we will remember not the words of our enemies, but the silence of our friends - Martin Luther King, Jr.