Hi Jim,

I know the argument goes both ways. There are pros and cons to both private code and public code. At times there are just as many exploits in open source code as in Windows. However, a key point that I have not seen made quite often enough is that most windows vulnerabilities are found by a 'working exploit' while open source vulnerabilities are typically found by code examination without there having been an actual 'exploit' and in many cases, the exploit never occurs.


>>>>>4. "Security through obscurity" works reasonably UNTIL someone does get their hands on the code (even just parts of it) and makes it 'available". Suddenly you've gone from pretty good security to NONE!
>>>>
>>>>So you're supporting my argument? When they have your source code, you have no security.
>>>>
>>>>
>>>>I never claimed obscurity was a sufficient defense by itself. But it sounds like a good addition to.
>>>
>>>No, I don't think so. Maybe it was unclear but it's never a question of "if" someone will get their hands on the code, rather only "when".
>>
>>If the code is safe only 'Until someone does get their hands on' it, then open source code is inherently unsafe, because the code is available to anybody.
>>
>>
>>>And did you stop there in reading my reply?... I thought I was quite convincing that open beats hidden any time.
>>
>>I read it, I just didn't have any comment on it. I lean more towards open source than closed, just playing devils advocate, as I said.
>
>Good.
>What I meant by "until someone gets their hands on it..." is that it offers a false sense of security because you can never know if/when someone got their hands on it and is keeping mum. When source is "open" you know it is open right from the git-go.
>
>cheers