
Security of Open vs. Closed Source Software

michael posted more than 12 years ago | from the flame-retardant-suit dept.

Security 366

morhoj writes "Cambridge University researcher Ross Anderson just released a paper concluding that open source and closed source software are equally secure. Can't find a copy of the paper online yet, but I thought this would make for an interesting morning conversation. You may not agree with him, but anyone who's on the BugTraq List can tell you that open source software isn't as bug free as we would all like to think." I found Anderson's paper, so read it for yourself. There are some other interesting papers being presented at the conference as well.


FP! (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#3743163)

Frist prost again!

CLAIMED (-1)

DonkeyHote (521235) | more than 12 years ago | (#3743340)

Another FP victory for the CUNT

Germany owns US ! (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3743363)

1:0 victory for teh Germans.

CNN: average US penis size shrinks 2 inches.

Re:FP! (-1, Offtopic)

Monkey Puncher (574987) | more than 12 years ago | (#3743430)

Name: Monkey Puncher Password goatse.cx 0wned.

This ghostse (-1)

GhostseTroll (582659) | more than 12 years ago | (#3743170)

gets second post!

FP (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743172)

sorry, had to do it.

fp (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743176)

fp? woo!!!! maybe not.. maybe...

p00p (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743179)

in my mouth

right now!

filthy ACs (-1)

neal n bob (531011) | more than 12 years ago | (#3743180)

everyone knows that open sores lack of security will leave your network wide open - wider than Klerck or goatse.cx even.

wankers (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743181)

first post?

what a bunch of twats you yanks really are.

I'm watching you get a right kicking from Germany

Re:wankers (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743235)

Too right - I fucking HATE those dirty fat pillocks as well.

Nothing but fat burger munchers.

England owns you. But not all the pikeys; you can keep those.

Re:wankers (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743268)

What? What's that? Oh wait, didn't you pansy Brits cry like little girls after losing to Brazil [espnsoccernet.com] ?

Re:wankers (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743337)

Get off it.

The shitheads above do not represent America, and they sure as hell don't represent me.

For that matter, neither do the actions of our out-of-control government.

And don't forget, (and you might want to sit down for this one), Soccer/Football is only a game!

Re:wankers (0)

Anonymous Coward | more than 12 years ago | (#3743383)

No, it's not a game. As the riots after some of the games would indicate, it's often a way for two groups of people, "us" and "them", to run around for a couple hours to prove that our dicks are bigger than theirs.

It used to just be a game. More of a religion now.

say it with me (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743185)

g to the oatse
c to the izzex
fo shizzle my nizzle i have nothing clever to say right now.

Re:say it with me (-1)

GhostseTroll (582659) | more than 12 years ago | (#3743341)

from the goatse [goatse.cx] to the dumper [bumperdumper.com] We're all nerds [yahoo.com]

MBTF My Ass (2, Interesting)

Anonymous Coward | more than 12 years ago | (#3743192)

The Manufacturer's Estimated Time Before Failure is for physical goods - things that naturally wear out. Not software, which is at the very least a loose mathematical description of a repeatable process. Software and security don't "wear out". If they seem to, they were broken in the first place.

I hope that was just CNet editorialization, and isn't indicative of the rest of this paper.

Re:MBTF My Ass (0, Troll)

lucifuge31337 (529072) | more than 12 years ago | (#3743288)

Software and security don't "wear out". If they seem to, they were broken in the first place.

Then why do my Win2k installs slow down to a crawl after a few weeks and require a re-install to work properly?

Oh yeah....you already explained that. Broken to begin with.

....or is it all the pr0n?

Re:MBTF My Ass (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3743373)

Then why do my Win2k installs slow down to a crawl after a few weeks and require a re-install to work properly?

Because you're not using NTFS?

Re:MBTF My Ass (0)

Anonymous Coward | more than 12 years ago | (#3743369)

Security isn't "Broken to begin with". A new technique for breaking the security that wasn't even thought of might be invented later. As such, the security was not broken as of the time of release.

Re:MBTF My Ass (2)

schon (31600) | more than 12 years ago | (#3743393)

the security was not broken as of the time of release

Ehrm, BULLSHIT.

By your logic, ALL vulnerabilities don't exist until someone discovers them.. at which point, one has to ask, if they didn't exist, then how were they found?

"If you can't see something, then that means that it doesn't exist."

No, the vulnerability always existed, just because nobody found it doesn't mean that it wasn't there.

Science software (0, Troll)

PhysicsGenius (565228) | more than 12 years ago | (#3743196)

As a physicist I work with some of the most intensive and expensive software in the world. That's why, back in 1998, I chose Linux for all our simulation and embedded device needs. I was happy at my choice because Linux is flexible, powerful and cheap.

However, due to the possible weapons applications of our work, security is a big issue. So in 2001 the Feds came in to audit us. When they saw we were using Linux they almost shit a brick. Apparently the GAO (General Accounting Office) has done a lot of work checking the kernel code and has found many many security errors and is recommending that sensitive sites not use the bug-riddled OS.

I tried to tell these guys to have the GAO just submit patches to Linus, but they told me to install Windows 2000 instead. *shrug* What're ya gonna do?

Re:Science software (0)

Anonymous Coward | more than 12 years ago | (#3743220)

Troll. Unless you want to back that up with something that isn't anecdotal or hearsay.

(No, I didn't say heresy. That would be a completely different issue)

Re:Science software (1)

scsirob (246572) | more than 12 years ago | (#3743224)

Now the big question of course is, if they were so brilliant to find all these security issues, why didn't they put them on a to-fix list?



At least with Linux there's a pretty good chance of getting things fixed, where in 'some other OSes' they wouldn't even get to see the source code...

Re:Science software (1)

Budgreen (561093) | more than 12 years ago | (#3743225)

yeah! it's much better to work with unknown bugs than already known ones

I guess it's more of a business decision than a reality-based decision anyway..

Re:Science software (1)

olethrosdc (584207) | more than 12 years ago | (#3743259)

1. You should write portable code. Your code's security should not depend on the OS's security.

2. For embedded applications there are many other OSes that are more suitable for the job, i.e. ThreadX for a lean, fast OS and VxWorks for a more comprehensive version.

3. I don't understand how a simulation on a desktop machine can be security-compromised. (For an embedded device, look at [2].) Will hackers d/l all your data? How will they understand what it means? In the end, if your simulations are so sensitive you can put them on an isolated network.

Just my 2 euro-cents :)

Re:Science software (0)

Anonymous Coward | more than 12 years ago | (#3743304)

I didn't know the GAO checked program code. I thought they dealt with how many $1000 hammers you were buying. You sir are FOS and no genius, only a FUDMEISTER.

Re:Science software (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743388)

this is an obvious troll. please mod accordingly

security and OS's (0)

Anonymous Coward | more than 12 years ago | (#3743436)

I do not know the application-specific programs you require in your research and work. However, wouldn't it have been more prudent, when choosing OS's, to have gone with Mac Classic in 98 as the "most secure" by empirical observation? I am saying this based on known exploits at the time, ease of use, etc.

This is NOT a troll by the way. I am a relative newcomer to Linux, and am using it and learning it as just a hobby, but by my personal anecdotal experience, it doesn't even come close to being secure without really tons of research and specialised knowledge, whereas Mac Classic just worked admirably using a default install. I never once got rooted using a normal install, despite many years on the web. With Linux, even trying different firewalls so far (repeat, I am still a n00b here), I honestly can't say that (unfortunately). I know it's possible, but it wouldn't be my first choice for a 'secure' OS, again, especially going back to 1998.

interesting piece (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743199)

.sp eht elprup yeknom keaps suriv si gidearps !

Might be controversial (3, Insightful)

q-soe (466472) | more than 12 years ago | (#3743200)

But I think security of software is often down to the admin... I mean you can secure any operating system if you know what you are doing, and it's easy to build an insecure box - Linux and Windows.

How secure is an out of the box mandrake install ? or a windows 2000 ?

A good admin who is a pro will work hard to secure his servers and patch and look after them - a bad admin is a bad admin regardless of the OS

Re:Might be controversial (-1)

TrollBridge (550878) | more than 12 years ago | (#3743299)

"I refuse to argue with Anonymous Cowards - if you want a discussion get an account...."

Well aren't you quite the elitist prick.

Re:Might be controversial (0)

Anonymous Coward | more than 12 years ago | (#3743390)

"I refuse to argue with Anonymous Cowards - if you want a discussion get an account...."

Well aren't you quite the elitist prick.

Sure, but he's got you logged in, SUCKAH!

Stick to your roots! AC trolls 4evah!

Re:Might be controversial (4, Insightful)

demaria (122790) | more than 12 years ago | (#3743317)

Patches are a big deal, especially in production environments. You can't just willy-nilly upgrade the kernel on a high-load and important server. Bigger departments/companies have a change management system in place so that everyone knows when any piece of software is upgraded, when it will happen, who is to blame, and why it occurred. Patches can cause unexpected problems (like that Linux one that corrupted the file system a few months back). This process may take days or weeks to complete.

Security Bugs are inevitable (4, Insightful)

Nerant (71826) | more than 12 years ago | (#3743203)

Security bugs in software are inevitable: it is bound to happen, sooner or later. A properly set up system can mitigate some of these problems (i.e. chroot, modified security kernels). What concerns me is how long and how public security disclosures are, and how long the affected vendor takes to issue a bugfix.

Re:Security Bugs are inevitable (5, Insightful)

dnoyeb (547705) | more than 12 years ago | (#3743345)

I think we should be careful to draw a distinct line between a Security 'flaw' and a 'bug'.

A flaw is an error in judgement. A bug is an error in coding. The original poster ended his statement that Open Source has lots of bugs. This is unrelated to security unless they are specifically security related bugs.

In any event, the speed at which you can lock down the Fort HAS to be a consideration.

I mean, we have planes flying in Iraq and Afghanistan right now. They are being shot at all the time, but they move fast enough to get out of the way. Open Source moves faster than closed source, so I can't possibly see how the article writer concluded they were equal.

Equally buggy, yes. Equally secure, puhleez.

Re:Security Bugs are inevitable (2)

Per Wigren (5315) | more than 12 years ago | (#3743376)

Security bugs in software are inevitable : it is bound to happen , sooner or later.

That attitude is a bit dangerous IMO.. That is an excuse for programmers to have bad/lazy coding habits and not program with security in mind..

Developing good coding habits and learning and using all known techniques for creating secure code is the only good way to minimize security bugs.

Even in the year 2002, it's still common to find unchecked strcpy's in newly released code..

When you write software you should design it to be run as root on sensitive boxes without a firewall. But then you should run it chrooted as a restricted user with minimal permissions anyway...

And of course, release securityfixes as fast as possible if bugs ARE found...
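The unchecked strcpy the comment above complains about, shown next to a checked replacement. This is an added example, not code from the original thread; the `account` record, its field names and the 16-byte limit are assumptions made up for the demonstration. The point it makes beyond the comment is that the fix is a length check that fails closed, not a swap to `strncpy` (which silently truncates and does not guarantee a terminator) or to `strlcpy` (not in C99/POSIX; glibc only gained it in 2.38):

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX_LEN 16

/* Constructed record for the demonstration: 'is_admin' sits right after
 * the name buffer, so an overflow of 'name' lands on it. */
struct account {
    char name[NAME_MAX_LEN];
    int  is_admin;
};

/* The pattern the comment objects to: no length check at all. Any name
 * of NAME_MAX_LEN bytes or more (counting the NUL) writes past 'name'. */
static void set_name_unchecked(struct account *a, const char *name)
{
    strcpy(a->name, name);                  /* vulnerable: unbounded copy */
}

/* Checked version. strnlen() never reads further than the buffer could
 * hold, so even an unterminated source cannot make it scan off into
 * memory; anything that would not fit together with its NUL is refused
 * and the record is left untouched. */
static int set_name_checked(struct account *a, const char *name)
{
    size_t n = strnlen(name, sizeof a->name);
    if (n >= sizeof a->name)
        return -1;                          /* too long: fail closed */
    memcpy(a->name, name, n + 1);           /* n + 1 copies the NUL too */
    return 0;
}

/* Returns 1 if 'name' was accepted and stored intact with is_admin still 0. */
static int try_checked(const char *name)
{
    struct account a = { "", 0 };
    if (set_name_checked(&a, name) != 0)
        return 0;
    return strcmp(a.name, name) == 0 && a.is_admin == 0;
}

/* Returns 1 if a rejected update leaves the previous name in place. */
static int rejection_preserves_record(void)
{
    struct account a = { "", 0 };
    if (set_name_checked(&a, "bob") != 0)
        return 0;
    if (set_name_checked(&a, "AAAAAAAAAAAAAAAAAAAAAAA") != -1)
        return 0;
    return strcmp(a.name, "bob") == 0 && a.is_admin == 0;
}

int main(void)
{
    struct account a = { "", 0 };
    char overlong[24];

    /* 23 'A's plus NUL: 8 bytes more than 'name' can hold. */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    /* Deliberately exercises the vulnerable function: this write past
     * the array is undefined behaviour and is shown only to make the
     * clobbered flag visible. */
    set_name_unchecked(&a, overlong);
    printf("unchecked copy: is_admin = %d\n", a.is_admin);

    printf("checked copy of same input: %s\n",
           set_name_checked(&a, overlong) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The length check is what matters; `memcpy` with `n + 1` is then just the copy. Under the usual layout the unchecked call leaves `is_admin` holding `0x41414141`, while the checked call returns -1 without touching the record.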

Re:Security Bugs are inevitable (3, Insightful)

PhilHibbs (4537) | more than 12 years ago | (#3743419)

That is an excuse for programmers to have bad/lazy coding habits and not program with security in mind..
I disagree entirely - I'm always looking for bugs in my software, because I know that there always will be bugs to find. If you mistakenly believe that perfection can be achieved, you might mistakenly believe that it has been.

In Other News (0, Troll)

0101000001001010 (466440) | more than 12 years ago | (#3743204)

And in other news, new research has finally proven that:

Less peer review actually improves scientific accuracy

Fewer engineers lead to safer cars

Oh well, at least we can wait for the amusing PR spins that MSFT can put on this.

Re:In Other News (2, Interesting)

tomstdenis (446163) | more than 12 years ago | (#3743232)

Anderson's point was not that less is better; it's that it's irrelevant in the long run to compare open and closed source.

I mostly agree with him; however, I like open source software for more reasons than just the fact it's "more secure". Often OSS software isn't in fact more secure or reliable. Look at Mozilla. It's a great project but it's not as nice as IE by a long shot. Anyone using 1.1a in Linux will know that [e.g. me! while at the same time 0.9.9 works fine... ???]

tom

Re:In Other News (1)

0101000001001010 (466440) | more than 12 years ago | (#3743411)

I guess you are right to a point. I got a little agitated and shot from the hip when I first read the /. post and skimmed the article.

I do maintain though that OSS is more secure. Even if it had ten times the amount of security bugs that closed software had, I could at least rest assured that I will know about the bugs and be able to make an informed decision. In a closed source implementation, I am always left guessing.

That is just my humble opinion though. Thanks for your post; made me realize how much like an idiot I sounded earlier.

Nil - Nil (0)

Anonymous Coward | more than 12 years ago | (#3743210)

Finally, someone has the balls to tell the truth rather than just regurgitate the propaganda.

Of course not... (3, Insightful)

Dilbert_ (17488) | more than 12 years ago | (#3743214)

Of course there are just as many bugs in open source software as in closed source. Most of it is even written by the same people: what they do at work is closed, what they hack upon during the night is open.
The main difference lies in the speed and motivation to fix the bugs. Open source bugs can be fixed by anyone, but closed source bugs need to be fixed by vendors who are afraid to even admit they exist, for fear of losing customers.

Re:Of course not... (1, Insightful)

goldspider (445116) | more than 12 years ago | (#3743333)

I hate to nitpick, but for a post modded as Insightful, it may be relevant to note that this story is about SECURITY in open vs. closed source software, not BUGS. A totally different kind of discussion.

Re:Of course not... (2)

Dilbert_ (17488) | more than 12 years ago | (#3743395)

And what, pray tell me, causes these security problems in open and closed source software? Might it be... bugs?

Idiots will be modded down without mercy, indeed! Take it away, moderators!

Re:Of course not... (5, Insightful)

great throwdini (118430) | more than 12 years ago | (#3743379)

Open source bugs can be fixed by anyone, but closed source bugs need to be fixed by vendors [...]

Correction: open source bugs can be fixed by anyone with requisite knowledge, talent, and time. This would include things such as familiarity with the particular software package, affected platforms, and programming language and the energy and ability to ferret out the bug(s) and apply an appropriate fix. Then one has to factor in that package maintainers may or may not readily allow outside submission (e.g., bigotry, internal/peer review, etc.) of fixes, which may slow, hamper, or block the transmission of fixes. Add into this issues of trust, where a "fix" is offered by someone who lacks proper credentials (official or "street") to someone who has no clue how to evaluate the original issue or the proposed remedy.

Granted, given the nature of open source software, the population of people who may repair a bug may be larger than that for closed applications, but that doesn't force into being an army of people with the inclination or skills to do so, or an effective and trustworthy means to distribute said fixes.

I favor the potential for open source to improve response time to bugs, but I don't think one can claim "anyone" can address issues in an appropriate manner. There's no reason a skillful and organized firm couldn't address security concerns for a closed application it offers with any less celerity than maintainers of an open application.

Security Begins at the Firewall (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743221)

#!/bin/bash
# --
# Slashdot Opensores Firewall Script
# --
# Distributed under the superior BSD license
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1.Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2.Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# 3.The name of the author may not be used to endorse or promote
# products derived from this software without specific prior
# written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE
#
# -- Start Here
#
IPTABLES="/sbin/iptables"

# Being gang raped by sinos is not fun
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -P INPUT ACCEPT
${IPTABLES} -t filter -P OUTPUT DROP

# The rulz
${IPTABLES} -t filter -A INPUT -p unprotected -s male/16 --sport penis --dport mouth -j ACCEPT
${IPTABLES} -t filter -A INPUT -p unprotected -s male/16 --sport fist --dport anus -j ACCEPT
${IPTABLES} -t filter -A INPUT -p unprotected -s male/16 --sport finger --dport anus -j ACCEPT
${IPTABLES} -t filter -A INPUT -p protected -s male/16 --sport fist --dport anus -j ACCEPT
${IPTABLES} -t filter -A INPUT -p protected -s male/16 --sport penis -j ACCEPT

# I know this may seem controversial but it feels good
${IPTABLES} -t filter -A INPUT -p unprotected -s female/16 --sport fist --dport anus -j ACCEPT
${IPTABLES} -t filter -A INPUT -p unprotected -s female/16 --sport finger --dport anus -j ACCEPT

${IPTABLES} -t filter -A OUTPUT -d female/16 -j DROP

# TODO: IMPLEMENT NAT AND DMZ
# -- Finish

Security (3, Insightful)

Ashcrow (469400) | more than 12 years ago | (#3743227)

There will always be software bugs as long as programmers are not perfect. The huge difference is that in a closed source environment you'll have to wait for patches from the vendor, or not get them at all. In OSS you can patch it yourself, get the unofficial patches for your vendor, get different up-to-date packages, or install the latest version from source.

Ad Hoc Quackery (1, Interesting)

big_pianist (563663) | more than 12 years ago | (#3743228)

Does a week go by without some "researcher" claiming to have solved this dilemma?

For the life of me, I can't imagine how closed and open source programs could be equally secure, simply because there's no quantitative measurement to prove that. Even if there was, it would be so unlikely... Notwithstanding, I believe to generalize this issue at all is just mental masturbation -- security depends on the development context -- just because something was developed closed/open-source doesn't make it any more secure or less secure by definition; it doesn't make it equally secure either.

all things being equal (0)

Anonymous Coward | more than 12 years ago | (#3743230)

I'd still lean towards open source, because there is an element of truth there.

i.e. "nothing to hide"

Buglist (2, Insightful)

Bloody Bastard (562228) | more than 12 years ago | (#3743231)

OK, Open Source has a lot of bugs, but who lists closed source bugs? I'm sure most of their bugs don't go public, because it is not a good marketing technique... It isn't fair to compare both lists.

Just my two cents.

Duh... (5, Insightful)

sootman (158191) | more than 12 years ago | (#3743234)

Security != number of bugs. There's 'severity of bugs' and 'speed of fixes', not to mention the OS's and software's design in the first place--think permissions, user space vs. kernel space, etc.

Another viewpoint (3, Interesting)

yogi (3827) | more than 12 years ago | (#3743250)

Ross Anderson's argument appears to be based around the trade-off between massive peer review (Good Thing!) and the ease of finding flaws if you have the source code (Not so Good Thing).

This is certainly true; however, a large amount of security appears to come from the community / vendor around the code too. Yes, I'm generalising, but open source programmers treat security problems as security issues, rather than as a PR problem. Even though the Apache team (rightly, in my opinion) criticized ISS for the manner of their reporting, they did also release a full disclosure release, and a suitable, working patch within 36 hours of the issue going public.

I don't see many vendors responding that quickly, although, to be fair, the Apache team did know about the vulnerability already.

It's all about the "Window of Exposure" really. Go to Bruce Schneier's Crypto-Gram page [counterpane.com] to see some excellent arguments about peer review, and the whole window of exposure idea.

Re:Another viewpoint (2, Interesting)

GigsVT (208848) | more than 12 years ago | (#3743347)

ease of finding a flaws if you have the source code ( Not so Good Thing ).

This is contradictory to the rest of your post. You mention window of exposure. While you might argue the window of exposure starts with public disclosure, it really does not.

A flaw that is found in a piece of software often was there for years. The window of exposure actually starts when the flaw is introduced, since from that point forward, there is the possibility of a person or group having knowledge of the flaw and not releasing it.

It's entirely possible that there is a blackhat group or groups, which we will probably never discover, that is harboring hundreds or thousands of unreleased vulnerabilites. Such a group would have immense power, the ability to disrupt the information systems of nearly every company on the planet, on a whim, or when hired to do so.

Open source, with its ease of finding flaws, reduces this "true window" of exposure.

It's easy to fall into the trap of believing that all security threats are script kiddies running tools against well-known vulnerabilities, since the majority of the attacks reported are of that nature, but that doesn't mean that the threat of a true blackhat group doesn't exist, and couldn't be devastating.

Re:Another viewpoint (1)

yogi (3827) | more than 12 years ago | (#3743396)

The part you quoted was from my two-line summary of the paper's argument, and perhaps I wasn't clear on this.


You are correct, of course, the window of exposure opens once the buggy software is released, becoming much, much wider when an exploit is posted to the net as a whole.


My reference to the Apache incident was more to do with how fast they closed the window, once they were aware of the problem, rather than when the window first opened.

Multics VM/Paging PW Redux and Real World (3, Insightful)

Vengie (533896) | more than 12 years ago | (#3743251)

From the article....
"Even though open and closed systems are equally secure in an ideal world, the world is not ideal, and is often adversarial," Anderson said.
To rehash an old example (learned in my OS class), the Multics system had a cruddy password check feature that interacted poorly with the VM. It compared one character at a time and stopped on a poor character. If you set up that character to be on a page boundary, you could check to see if the character was correct by how long it took to check the next character. If you quickly got an error, the character was wrong. Otherwise, you page-faulted and trapped into the OS and read the next page (and next character) off disk. End result? OSS --> Easily cracked passwords is pseudo-valid. Time to patch said bug? 5 minutes. Result: Problem solved. Unfortunately, the point NOT highlighted in the article is that with closed source proprietary software, notably Windows, you have far less knowledgeable admins who _don't_ apply necessary patches often. (Vengie's Addition to Godwin's Law: In dealing with Internet Security, the probability of a thread discussing Nimda/Code Red turning into blatant MS bashing reaches infinity as the number of posts increases; let's avoid that one here)
In the real world, closed source apps DON'T get patched fast and have far more easily recognized buffer over/under run errors. (OSS people are notorious for noting buffer over/underruns in development/testing phases.) Then again, like my OS teacher said...."If you ever want to hack into a system, just find a bug in sendmail." ;)

Re:Multics VM/Paging PW Redux and Real World (0)

Anonymous Coward | more than 12 years ago | (#3743352)

Vengie's Addition to Godwin's Law: In dealing with Internet Security, the probability of a thread discussing Nimda/Code Red turning into blatant MS bashing reaches infinity as the number of posts increase; Lets avoid that one here
Hum ... Aren't probabilities supposed to be in the range [0..1]? This is what I remember from my math class ...

Re:Multics VM/Paging PW Redux and Real World (1)

Vengie (533896) | more than 12 years ago | (#3743366)

Yeah. You're right. It's too early for math.
Vengie's Addition to Godwin's Law, restated without stupidity: After security has been mentioned, as the length of a discussion reaches infinity the chances of CodeRed/Nimda turning into blatant (mindless) MS Bashing approaches 1.
With apologies to every Stats/Prob class I've taken.

Password bug was in Tenex - NOT Multics (0)

Anonymous Coward | more than 12 years ago | (#3743414)

This bug was NOT in Multics - it was in Tenex.
Tenex was a contemporary of Multics, but not in the same class when it came to security.
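The early-exit password check described two comments up (and placed in Tenex rather than Multics by the correction just above) reduced to a runnable model. This is an added example, not code from the original thread or from either system. The secret, the alphabet and the `touched` counter are constructed for the demonstration: `touched` stands in for the page-fault observable of the real attack, where the guess was laid out so that byte k sat on a non-resident page and a fault (a visible delay) meant bytes 0..k-1 had all matched. The same byte-at-a-time attacker is then run against a checker that compares every byte regardless, which is the fix a practitioner would apply today:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed secret for the demonstration; not taken from the thread. */
#define SECRET "s3cr3t"
#define MAXLEN 32

typedef int (*checker_t)(const char *guess, size_t *touched);

/* Tenex-style check: one byte at a time, returning on the first mismatch.
 * 'touched' records how many bytes of the guess were examined before the
 * function returned, i.e. how far down the string the comparison got. */
static int check_early_exit(const char *guess, size_t *touched)
{
    const char *secret = SECRET;
    for (size_t i = 0; ; i++) {
        if (guess[i] != secret[i]) { *touched = i + 1; return 0; }
        if (secret[i] == '\0')     { *touched = i + 1; return 1; }
    }
}

/* Hardened check: both strings go into fixed, zero-padded buffers and the
 * whole buffer is always walked, accumulating differences with OR, so no
 * byte position influences control flow or how much memory is touched.
 * The only early return is for over-long input, which the attacker chose. */
static int check_constant_time(const char *guess, size_t *touched)
{
    unsigned char s[MAXLEN] = {0}, g[MAXLEN] = {0};
    unsigned char diff = 0;
    size_t glen = strlen(guess);

    *touched = MAXLEN;
    if (glen >= MAXLEN)
        return 0;
    memcpy(s, SECRET, strlen(SECRET));
    memcpy(g, guess, glen);
    for (size_t i = 0; i < MAXLEN; i++)
        diff |= (unsigned char)(s[i] ^ g[i]);
    return diff == 0;
}

/* The attacker: extend a known-good prefix one byte at a time, keeping the
 * candidate whose check got strictly further than all the others. If no
 * candidate stands out, the oracle is not leaking and the attack stops.
 * Returns the number of bytes recovered into 'out'. */
static size_t recover(checker_t check, char *out, size_t outsz)
{
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    char guess[MAXLEN];
    size_t pos = 0;

    memset(out, 0, outsz);
    while (pos + 2 < outsz && pos + 2 < MAXLEN) {
        size_t best = 0, ties = 0;
        char pick = 0;
        for (const char *c = alphabet; *c; c++) {
            size_t touched;
            memcpy(guess, out, pos);
            guess[pos] = *c;
            guess[pos + 1] = '\0';
            if (check(guess, &touched)) {     /* whole password matched */
                out[pos] = *c;
                return pos + 1;
            }
            if (touched > best)       { best = touched; ties = 1; pick = *c; }
            else if (touched == best) { ties++; }
        }
        if (ties != 1)                        /* nothing distinguishable */
            return pos;
        out[pos] = pick;
        pos++;
    }
    return pos;
}

/* Returns 1 if the byte-at-a-time attack recovers the full secret. */
static int attack_succeeds(checker_t check)
{
    char out[MAXLEN];
    size_t n = recover(check, out, sizeof out);
    return n == strlen(SECRET) && strcmp(out, SECRET) == 0;
}

/* Plain yes/no wrapper around a checker, discarding the side channel. */
static int accepts(checker_t check, const char *guess)
{
    size_t t;
    return check(guess, &t);
}

int main(void)
{
    char out[MAXLEN];
    size_t n;

    n = recover(check_early_exit, out, sizeof out);
    printf("early-exit checker:    recovered %zu byte(s): \"%s\"\n", n, out);
    n = recover(check_constant_time, out, sizeof out);
    printf("constant-time checker: recovered %zu byte(s): \"%s\"\n", n, out);
    return 0;
}
```

Against the early-exit checker the attacker needs at most 36 guesses per position instead of 36^6 for the whole secret; against the padded compare every candidate scores the same and it gives up at position 0. The constant-time version still reveals that the secret is shorter than MAXLEN, which is why real systems compare fixed-length hashes rather than the password bytes themselves.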

Hmmm (2, Interesting)

Clansman (6514) | more than 12 years ago | (#3743415)

"Unfortunately, the point NOT highlighted in the article is that with closed source proprietary software, notably windows, you have far less knowledgeable admins who _don't_ apply necessary patches often."

And yet I find that Solaris admins are generally very up to speed despite their closed source proprietary software.

I conclude that this is not the determining factor.

I suggest that Windows, being the dominant platform, ubiquitous and cheap (sort of), means that many people have taken the opportunity to admin a box without training, mentoring or other good habit-forming stuff.

They now call themselves 'systems administrator' and yet are, as you spot, often clueless as to what they should be doing.

Paradox: linux's cheapness may prove just as much a burden in generating under trained admins.

Re:Multics VM/Paging PW Redux and Real World (1)

Vengie (533896) | more than 12 years ago | (#3743446)

Ok. Sum of above comments: I mean well, but I'm a moron, at times.
Ah well, at least no one lost process for content. =)

Well, Duh (2, Insightful)

jweb (520801) | more than 12 years ago | (#3743253)

Not trying to flame or troll here, but this isn't a very shocking conclusion. The number of bugs in any software is primarily dependent on the quality of your design and implementation. Well-designed closed source programs can be just as secure as open source programs. Conversely, badly designed and coded programs will have many bugs, no matter if they're open-source or not.

Granted, it may be easier to find and fix bugs in open-source software, but that doesn't mean that a well-designed, well-coded, thoroughly-tested closed source program can't be relatively bug-free and secure.

Re:Well, Duh (1)

2nesser (538763) | more than 12 years ago | (#3743392)

Granted, it may be easier to find and fix bugs in open-source software, but that doesn't mean that a well-designed, well-coded, thoroughly-tested closed source program can't be relatively bug-free and secure.

In the perfect world, bugs and holes would get fixed the same day that they were found.

The security issue comes down to access. If I find a hole in Apache, I can fix it any time I feel like (read, 'NOW'). If I find a hole in IIS, I have to wait until they develop a solution (read, 'A WEEK LATER') while the server gets nailed with attacks.

Therefore, open >= closed, as it is possible that a closed source solution could be just as secure; it's all dependent on the company and how committed they are to security (!= M$).

Cheers,
Ness

Equally secure? (2, Insightful)

Ngwenya (147097) | more than 12 years ago | (#3743254)

Not sure that he does say that they're equally secure - he said that they are equally secure in an ideal world (Section 3), then goes on to establish the various micro-effects which break that ideal symmetry (vendor trust, quality of testers, etc).

He also says (S3.4)
...assurance growth is not the only, or even the main, issue with open systems and security.


He then links (maybe speciously) the DRM stuff surrounding TCPA as one of the micro-effects which might skew things. I tend not to agree with him, but you don't go publicly disagreeing with Ross Anderson without thinking lots and reading lots more.

Disclaimer: I work for HP, and have an interest in the Trusted Computing Platform, so I'm probably biased.

--Ng

Maybe... (4, Interesting)

ins0m (584887) | more than 12 years ago | (#3743255)

The trade-offs:

Pros:
Closed-source: No one can see your code, thus eliminating obvious exploits (buffer overflows, race conditioning, etc.) from being quickly jumped on. Less chance that an external developer will accidentally or intentionally misuse some of your libraries or otherwise write in exploitable code.

Open-source: Everyone can see your code, thus allowing a multitude of additional glass-box testers to help patch things more quickly to adapt around problems a project leader may/may not see. Quick turnaround on patching of code.

Cons:
Closed-source: Limited field of testers; slower turnaround on bug/exploit fixes when even reported (can go on unreported for months, or even when reported, may be ignored or shelved indefinitely).

Open-source: Since everyone can see your code, some black-hat punk is invariably going to find some exploit and blast your distributions for it. Also, QA is nigh impossible to timely enforce when 100's of developers submit patches, sometimes anonymously.


Opinion: Both may seem to be even; however, the timeliness of a fix can make all the difference in security, and waiting days vs. weeks or months for a patch can make or break an information-driven business. Also, even if an open-source project is patched with an exploit ingrained, there will still be a quick turnaround on patching it, as there is for any bug. IANA genius, but at least from a business standpoint, it would seem that quick and usually-reliable beats slow but usually-guaranteed.

Re:Maybe... (0)

Anonymous Coward | more than 12 years ago | (#3743457)

Pros:
Closed-source: No one can see your code, thus eliminating obvious exploits (buffer overflows, race conditioning, etc.) from being quickly jumped on. Less chance that an external developer will accidentally or intentionally misuse some of your libraries or otherwise write in exploitable code.

I find that argument flawed. It's very easy to test closed source software by throwing in huge environment variables, database names, command-line args, huge strings in general, etc. as input to the program to test and see if it segfaults. Once you're to that point, it doesn't really matter if you've got the source because you're going to be working with assembly and a debugger to find an exploitable overflow.

HA HA HA HA (2, Insightful)

jackb_guppy (204733) | more than 12 years ago | (#3743264)

Idealizing the problem, the researcher defines open-source programs as software in which the bugs are easy to find and closed-source programs as software where the bugs are harder to find. By calculating the average time before a program will fail in each case, he asserts that in the abstract case, both types of programs have the same security.

If he truly said this... Then the report is laughable.

1) Windows is open-source, because the bugs are easy to find. But you can not fix them.

2) He changes all common meanings, so the report can be used as FUD.

Is he a CS major or MS major? (Marketing Science)

But ofcourse! (0)

Anonymous Coward | more than 12 years ago | (#3743265)

All software, whether open or closed source, is created by humans.

We're *ALL* allowed to make mistakes, aren't we?!?!?!

Which tend to be patched faster? (4, Insightful)

Pentalon (466561) | more than 12 years ago | (#3743269)

I haven't read the paper yet, but I would say that if generally any two particular pieces of software have the same number of bugs or security issues, the open source software will benefit technical server groups more for the ability of those groups to analyze the code and make their own fixes if necessary, and for the way in which the community generally very quickly responds to discovered flaws. Closed source software does not tend to respond as fast or offer the flexibility of allowing users to analyze the code. Of course, I haven't read the paper yet. Maybe they take that into account.

Oversimplified, abstract, and useless (5, Insightful)

iiii (541004) | more than 12 years ago | (#3743279)

Idealizing the problem, the researcher defines open-source programs as software in which the bugs are easy to find and closed-source programs as software where the bugs are harder to find. By calculating the average time before a program will fail in each case, he asserts that in the abstract case, both types of programs have the same security.

I am not sure how much value this has. There are a lot of other considerations.

With open source you have the source, so you can do something about bugs, you can fix them. And you can also look for potential issues in the code. You are in control of your own security. And a potential attacker has no idea what you've done with your particular implementation.

With closed source you are completely dependent on the vendor to provide fixes. First you have to prove to them that something is wrong, then, if you are lucky, after some period of time, they will provide an update which may or may not fix your particular problem. They may not be as motivated as you would be to fix the problem.

I'll take the Open Source choice any time. That way the people who care about security are the ones in control of security, an arrangement that is likely to work better than any other.

But at least "he acknowledged that real-world considerations could easily skew his conclusions. "

The old saying... (2, Insightful)

sootman (158191) | more than 12 years ago | (#3743280)

Proprietary programs should mathematically be as secure as those developed under the open-source model, a Cambridge University researcher argued in a paper presented Thursday at a technical conference in Toulouse, France.

In theory, there's no difference between theory and practice. In practice, there is.

Supporters in the Linux community have maintained that open-source programs are more secure, while Microsoft's senior vice president for Windows, Jim Allchin, argued in court that opening up Windows code would undermine security.

The two things are nowhere near the same. 'Open source development' is not at all the same thing as 'closed source development, opened up later.'

People complain about posting without reading, but that's it--if it's from news.com/ZD/etc., it's wrong. :-)

He's describing an ideal world (1, Redundant)

grylnsmn (460178) | more than 12 years ago | (#3743282)

A few quick quotes from the paper:

Other things being equal, we expect that open and closed systems will exhibit similar growth in reliability and in security assurance.

Even though open and closed systems are equally secure in an ideal world, the world is not ideal, and is often adversarial.

The problem is that in an ideal world, there would be almost no bugs anyway. It completely overlooks some of the factors in proprietary software that cause the bugs. Items such as deadlines for a product can actually encourage sloppy programming (Compare Mozilla 1.0 with Netscape or IE's early releases).

One poster on ZDNet said it best: "In theory, there is no difference between theory and practice. In practice, there is."

Stop Thinking Windows (1)

marmite (79819) | more than 12 years ago | (#3743284)

There are several secure closed source operating systems (Trusted...). Don't just think as far as windows wrt closed-source operating systems.


Open Source v.s Closed Source (Again) (0)

Anonymous Coward | more than 12 years ago | (#3743287)

yes, open source programs have bugs too, but the thing is that they can be (and really are) fixed very fast. In the closed source world you have to wait for the bugs to be fixed often in a few months (if lucky), while open source code is fixed in a short time.

it is more flexible and developing time decreases a lot. You can obtain new versions almost every week.
For example:
How many kernel_fixes/version have the Microsoft Windows Graphic User Interface?

xDDD

That should read (3, Interesting)

DeadSea (69598) | more than 12 years ago | (#3743294)

Ross Anderson just released a paper concluding that open source and closed source software are equally insecure.

All software has security vulnerabilities. Software with vulnerabilities is secure as long as nobody knows about the vulnerabilities or nobody exploits the vulnerabilities. Security is a process, not a state. To run a secure system, you have to know as much about the vulnerabilities as the hackers. You have to patch your systems. You have to manage your risk.

All it takes is one hole in some piece of software that you are running. If somebody knows about it and hacks you, you are insecure. There are channels for discussing security vulnerabilities for both open and closed source software. Holes in both open and closed source software get patched. In that respect they are equally secure. There are more holes in both. It doesn't matter how many holes, it only takes one. In that respect they are equally insecure.

PDF sucks, here is HTML (1, Informative)

Squash (2258) | more than 12 years ago | (#3743307)

I hate PDF files, so I converted the paper to html, and posted it Here [brokedown.net] .

Is there a real valid reason for this type of document to be in PDF form? Not to mention it is 122k vs 44k for HTML.


Not a surprise (1)

limekiller4 (451497) | more than 12 years ago | (#3743314)

I'm not sure that anyone who isn't a zealot believes that open source software is bug free. Open and closed source software are, after all, both written by humans of varying ability.

But I think they're looking at the wrong stat. What should be compared is how long users of that software are forced to live with the bug.

That is a much more meaningful question.

The benefits... (1)

dmarien (523922) | more than 12 years ago | (#3743321)

Come from a collaborative effort on the behalf of the many developers to patch the vulnerabilities once they are discovered. Sure, that's just as easy to do in a closed source environment, but when you have multiple developers in multiple time zones all hacking away at the same time, communicating over the net, it becomes a lot easier.

Another difference application security makes is the popularity of the software. Obviously my little not-Apache Linux web server hasn't been compromised because it only represents less than 0.005% of all webservers. IIS, while representing less of a market share than Apache (Netcraft [netcraft.com] ), is more of a target because of the fact that they are used by highly desirable corps and govts. Govts are more likely to run IIS because they are somewhat important and there needs to be a source of responsibility for the software they *purchased*; same goes with the typical e-commerce vendor, who if they miss a day of availability need someone to either sue, or to have fix it.

All that said, there is still the human-admin factor. As we have seen very recently -- both IIS and Apache are prone to being vulnerable to attack; it's the response time of the developers and the competency of the admin to roll out and apply the patches/upgrades. There was a story on here earlier (month or so?) regarding the weakest security link in IT being the employees, but the same holds true for lazy admins. It's not entirely the product you use, but the level of knowledge you have regarding the product, and your competency in making the service secure.

Insightful article from IBM Research on this topic (2)

forged (206127) | more than 12 years ago | (#3743322)

There is an article published in 1999 by IBM's John Viega, Senior Research Associate, discussing Open source software: Will it make me secure? [ibm.com] .

While the article is over 2 years old, the logic behind the man's reasoning is still very current and he raises some good points.

Security isn't the only advantage of OSS (2)

Junior J. Junior III (192702) | more than 12 years ago | (#3743325)

Seriously, all things being equal, wouldn't you want to have access to the source code if you could have it?

Maybe it's more secure, maybe it isn't. I think security depends as much on the humans who set up and use the system as it does the software. But security is just one selling point.

If you don't have the source, you can't modify the code. All you can do is configure. (Well, unless you like hacking binary.) But if you have the source, you can de-bug, add features, remove unwanted features, etc.

And if you don't have the knowledge, skill, or desire to do this on your own, does it hurt you any to have the source available?

There's another sense in which having the source code makes you more secure: you're not tied to the vendor. If they go out of business, you don't have to go shopping for a new vendor who has a similar product that you'll have to migrate to in order to enjoy upgrades, patches, and tech support. If they decide to add features to a new version that you don't like, you can branch the code off and keep your house version however you like it.

There's a zillion reasons to prefer open source software. It's not just about security.

SLASHBOT WARNING, MOD PARENT DOWN!!! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3743349)

No GOATSE.CX in parent, but Slashbotting is just as bad, in my opinion.

Re:SLASHBOT WARNING, MOD PARENT DOWN!!! (0, Offtopic)

Junior J. Junior III (192702) | more than 12 years ago | (#3743362)

What exactly is slashbotting?

Re:Security isn't the only advantage of OSS (3, Interesting)

danheskett (178529) | more than 12 years ago | (#3743405)

And if you don't have the knowledge, skill, or desire to do this on your own, does it hurt you any to have the source available?

This is an interesting point. In my own efforts to get open source software used around the office, source has always been a non-issue.

Having the source, it's kinda been like, "ohh, we get the source too? Well, yeah, that's great or something."

When we look at new software, it's basically about it being "free" as in "free from cost". Essentially it doesn't matter how minor or major a bug, we will never, ever, ever modify the source. In fact, we never ever compile from source to begin with. We just grab the binaries and go.

So surprisingly, I think you'd find in many cases in the "business world", no one cares at all about having the source - unless they explicitly intend to modify it.

Yes, I know that having the source can help in many cases - the product falls from popularity into disfavor and disrepair, you have a specific bug you want to fix, etc. But unless you have skilled C/C++ hackers on the payroll, having the source is pretty much an academic discussion.

That's not to say it doesn't affect overall security and stability - it probably does - but for an individual company, or an individual person, it's really moot about 99% of the time.

We're looking at the wrong idea here (1)

HowlinMad (220943) | more than 12 years ago | (#3743326)

I don't think we should look at Open vs. Closed Source, but rather the manner in which they implement security. If the manner in which the security is implemented, open or closed source, then it will be secure. Look at the manner in which it was implemented, not whether you can see the source or not.

Bugs are inevitable, of course (2)

unformed (225214) | more than 12 years ago | (#3743334)

I'll accept his statement that both are equally secure, especially because it's 90% based on the administrator. The difference is however, an open-source bug has many more eyes upon the code, and hence can be fixed a lot easier. Also, (though this doesn't pertain to most closed-source products) for programs that were written to be platform-independent, all the fix needs to be is a small .diff file, for the administrators who want to be as secure as possible, and the official builds and packages can be released in appropriate time.

The other great thing about OS is you -yourself- can fix the bug. No, not everyone is a kernel-hacker, but there are many bugs in small programs too.

IE: Not too long after I had first installed Linux, I found out I couldn't play a certain DVD with any DVD player (Ogle, MPlayer, Xine, etc) although they played all of the other ones perfectly. The program (libdvdread, I believe) was dying on a failed (and completely unnecessary) assert(). So I opened up the sources, commented out that line, recompiled, and voilà, I could watch it now.

So, yeah, there will always be bugs; some OS products may even have more because they're made by people in their spare time (ie: apps like Ogle); but regardless, because there's many more eyes on it, bugs can (and generally are) fixed a lot quicker....

bugtraq reference (5, Insightful)

MartinG (52587) | more than 12 years ago | (#3743338)

open source software isn't as bug free as we would all like to think.

All this shows is that open source software has had more bugs discovered and fixed than we would have liked there to have been in the first place. It has no relation at all to the number of remaining undiscovered bugs, and therefore no relation to the security of the software in question.

It's simple:

Assumptions:
1) When written, open source and closed source software have on average the same number of security bugs.

Observations:
1) The number of security bugs in a piece of software only decreases when they are fixed.
2) A security bug is typically fixed after, and as a result of, it being discovered. (They can be fixed by accident, but I will neglect this as it's irrelevant anyway.)
3) Closed source software and open source software can both have bugs discovered by trial and error style cracking.
4) Open source software can have bugs discovered due to the sheer numbers of people with access to the source.

Conclusion:
1) I conclude that open source software will tend to have any bugs discovered more quickly because there are more ways to discover them, and all ways available to closed source are also available to open source.

Can anyone fault my reasoning? It seems to me that both start equal on average, but open source will tend to have the bugs removed more quickly.

Bugs in software (1)

OmniVector (569062) | more than 12 years ago | (#3743359)

The funny thing about the situation is you'd think open source software would have more bugs, being that anyone can find a hole in the source code and then exploit that. While that is true for the most part, security is more dependent on the firewalling and server configuration itself. However, for security "in general" I think open source and closed source software are pretty well matched. Open source software allows you to find the bugs in the code, which means there are fewer but still a few hanging around. Closed source software seems to have more open holes *cough*M$*cough* but they are thus harder to find by the "security through obscurity" clause.

The unexpected of not knowing the source code... (0)

Anonymous Coward | more than 12 years ago | (#3743361)

I was wondering if the common consensus is to actually do testing in an almost double environment. One where the source is available so that "expected bug checks" (bugs which are obvious on the source level like arrays that do not bounds check in C, type checks, etc, etc) and one where the source is not available for view so that the tester will try things that are not in line with the code (If I press this button with the mouse while moving the window to the left and saying the magic word... totally contrived but the meaning is there)?

Let's see.... (1)

qurob (543434) | more than 12 years ago | (#3743368)

Security Deathmatch!

Linux vs Windows....

Sendmail vs Exchange

Apache vs IIS

What M$FT says ... (0, Redundant)

Mr. Mai (587155) | more than 12 years ago | (#3743375)

I lost the count of how many times M$FT has argued that this is not true

true but... (1)

RogueProtoKol (577894) | more than 12 years ago | (#3743382)

there is no way to accurately say how secure closed source and open source software is, also i must remind everyone before this turns in to a Windows vs Linux (and general *nix) debate that BOTH OSes have open and close source products, i support linux but please no preachers and people turning this into a war of Windoze vs *nix :-)

note: even with the above this comment will stink of win vs *nix :-)

an example of IIS vs apache for instance

security problem with IIS is found, if you publicise it M$ will shit a brick and do their absolute best to play it down and keep it quiet, if you contact them directly they'll keep it quiet for as long as possible and tell you to do the same, its also likely they'll take ages to fix the bug

whereas with open source apache if a bug is found yes it gets publicised quickly, by everyone, and its likely to get fixed ASAP, ISS did a sloppy job by publicising it with a fix before even telling apache and then finding out the fix doesn't fix it totally, still apache got an updated release out in less than 24 hours

now back to just open vs closed, danger with open source is that some1 could spend ages analyzing the code looking for an exploit to use maliciously and not publicising it so it doesn't get fixed until after a lot of damage has been done, but it is almost guaranteed to get fixed and fixed FAST, with closed its that they are likely to be very slow to react if they react at all

just my 2 pence (im british :P) :-)

To be fair. (2)

jellomizer (103300) | more than 12 years ago | (#3743389)

Most of the time when comparing Closed Source Security to Open Source Security, people want to compare Microsoft as a flagship of Closed Source and Poor security. And they use Linux with all the latest patches or OpenBSD, which is a model of security. I think it would be fairer if you compared Linux as the OS and Solaris as the Closed Source. And check the security for those two; in that case you may find less of a gap. Using Microsoft as a judge of anything is really giving closed source a bad name since they only make junk.

From Experience, Open Source is more secure... (2)

linuxrunner (225041) | more than 12 years ago | (#3743421)

I personally run an open source perl portal... Don't worry slashcode, I'm not competing with you :)

Just recently, a new developer came on board, and really studied the code. He successfully found about 10 odd / abstract ways to exploit the code.

I might be an ok programmer but I NEVER in my life would have found these. It's just not my specialty....

Without the code being open source and open to viewing by others, I never would have thought to look for these types of exploits, and they would have remained in the code. And if someone, with malicious intentions, tried them... I would have been.. in short... screwed!

NOW...
Two things happened here to require secure opensource programs. 1) I was willing to quickly make the changes.. and not just quick patches, but really study the code, and look for the best way to fix it.
2) I had a good samaritan.... He could have been malicious, and had his way. He didn't.

I personally believe that both are required, and then yes, open source is more secure and will always be.

Read this article too! (1)

dmarien (523922) | more than 12 years ago | (#3743422)

There is also another good article on secure coding at Security Focus [securityfocus.com]

_____________________
Several months ago, Bill Gates announced that security would be the number one priority at Microsoft. Several groups at Microsoft, such as the Trusted Computing Group and the Secure Windows Initiative, strive to improve security in Microsoft products and ultimately improve security for individuals and corporations worldwide. These initiatives are not surprising, considering the major vulnerabilities found recently in Windows XP, Internet Information Server, Internet Explorer, and Outlook. Due to the popularity of Microsoft products and their market share, the vulnerabilities have caused havoc all across the Internet. If Microsoft, with its billions of dollars of resources and talent, has all these security issues, how do you handle the problem of building trusted systems?

As any seasoned security professional will tell you, it's impossible to build bug-free, vulnerability free software. The resources required to create such software will be infinite, and financial analysts don't like seeing that on a balance sheet. The name of the game in the security industry is risk mitigation. That is, reducing the risk to an acceptable level. This article will provide a brief overview of some of the key issues of secure coding. It will identify some common mistakes made when developing software that lead to security vulnerabilities. This is followed by a list of best practices that, if followed religiously, will help you avoid 90% of all security vulnerabilities. The article concludes with a list of resources that will aid in your quest to build more secure software.

stupid closed source (1)

vorovsky (413068) | more than 12 years ago | (#3743423)

I don't think it's so much the number of bugs there are, it's how they are handled. I know for a fact that open source has bugs; all software does. I think the fastest I've seen Micro$oft is about 2 weeks for even the most major of bugs. After the latest bug in Apache it was fixed and released within 24 hours for those of us waiting. For the most part anyone using open source will not be stupid and will apply the patch soon after it's released.

More secure than what? (0, Troll)

groomed (202061) | more than 12 years ago | (#3743426)

Good. Now hopefully people will see the foolishness of calling this software "more secure" than that software. "More secure"; what does it even mean? "Our software is 34% more secure than the competition!". It sounds like a cosmetics advert.

How do you quantify software security? Short answer: you don't. It is nothing but a high-tech fantasy in the minds of geeks, like the unsinkable ship.

Get over it.

Open vs. Closed Is Not What Counts (1)

RAMMS+EIN (578166) | more than 12 years ago | (#3743444)

I don't think security is determined by whether the source is open or closed. What matters is the quality of the code, which seems more likely to be determined by the skill (and intentions) of the coder.

---
From http://www.microsoft.com/windowsxp/default.asp
`` Windows XP The fastest Windows ever'' Anyone wanna bet that 98 is faster?

As always, the answer is..."It depends" (3, Insightful)

DeepDarkSky (111382) | more than 12 years ago | (#3743462)

Closed source can have fewer bugs (security bugs are merely a special kind of bug) if the company that does the development is disciplined and puts the focus on the quality (i.e. minimizing the bugs) of the software, because they are all in the same organization, and they all follow development standards and methodology and provide good QA testing. That is, if the market and marketing department and the bottom line allow them time to do things correctly, which often is not the case.

Open Source software often depends on somewhat less uniform and disciplined developers (but they can often independently be more disciplined than their commercial counterparts). There is usually less formal organization. This is where it really depends on the quality of work of the people working on these projects.

Because Open Source projects are less sensitive to the market and the bottom line (in general, except for the projects undertaken by commercial entities), they are not as likely to have quality problems because of lack of time.

But to say that Open Source projects have fewer bugs because more eyes are looking at them is a pretty big assumption. Just because more eyes can look at something doesn't mean more eyes will. The bugs can stay in Open Source projects for years before someone finds a problem - in this case, I'd say it depends on how popular the project is and how attractive it is to people who will look at code and look for problems and can understand what to look for.
If anything, in a short-cycled, less popular piece of software, a commercial software can have better quality than an open source one if the commercial developers are disciplined and dedicated. It is simply a matter of time.
