260 comments

Ceren, be my valentine! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8278719)

Is it any wonder people think Linux [debian.org] users are a bunch of flaming homosexuals [lemonparty.org] when it's fronted by obviously gay losers [nylug.org] like these?! BSD [dragonflybsd.org] has a mascot [freebsd.org] who leaves us in no doubt that this is the OS for real men! If Linux had more hot chicks [hope-2000.org] and gorgeous babes [hope-2000.org] then maybe it would be able to compete with BSD [openbsd.org]!

Linux [gentoo.org] is a joke as long as it continues to lack sexy girls like her [dis.org]! I mean just look at this girl [dis.org]! Doesn't she [dis.org] excite you? I know this little hottie [dis.org] puts me in need of a cold shower! This guy looks like he is about to cream his pants standing next to such a fox [spilth.org]. As you can see, no man can resist this sexy [spilth.org] little minx [dis.org]. I mean are you telling me you wouldn't like to get your hands on this ass [dis.org]?! Linux [suse.com] has nothing that can possibly compete. Come on, you must admit she [imagewhore.com] is better than an overweight penguin [tamu.edu] or a gay looking goat [gnu.org]!

With sexy chicks [minions.com] like the lovely Ceren [dis.org] you could have people queuing up to buy open source products. Could you really refuse to buy a copy of BSD [netbsd.org] if she [dis.org] told you to? Don't you wish you could get one of these [drexel.edu]? Personally I know I would give my right arm to get this close [dis.org] to such a divine beauty [czarina.org]!

Don't be a fag [gay-sex-access.com]! Join the campaign [slashdot.org] for more cute [pipboy2002.mine.nu] open source babes [pipboy2002.mine.nu] today!

fuck it (-1, Flamebait)

AnimeFreak (223792) | more than 10 years ago | (#8278722)

Open Source is doomed to fail anyway. Just take a look at Microsoft and see how their profits keep improving even though Linux is somehow "advancing."

Good to see a range of source material used. (5, Insightful)

Denyer (717613) | more than 10 years ago | (#8278725)

Inclusion of some other major news sources makes the well-structured argument more credible to outside readers.

Nice article!

Re:Good to see a range of source material used. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8278914)

Wal-Mart is giant and evil but fun. When I lived in Arkansas, we could kill entire days there. This was before I cared about politics or workers' rights or the malling of America and was really only concerned with what to do with an entire day off in Hot Springs when the one movie theater in town has been running "Air Force One" for three months and I've seen it twice already.

The good news about Wal-Mart being giant and evil is that its employees really don't care if you play hockey in the aisles or have races to see who can put all the clothes in rainbow color order the fastest or eat entire meals in the grocery section before paying for them or turn the store into a set for the werewolf movie you're filming at the time, hopping out from behind display signs and frightening small children, chasing shoppers-- some willing participants, some not-- to their cars, giggling like madmen.

The size of Wal-Mart, despite its being evil, makes all of this ok.

Laughable assertions (4, Insightful)

maharg (182366) | more than 10 years ago | (#8278729)

.. one example of which is:

This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source.

Yes as we all know, *anyone* is free to modify the source code, and then sell or distribute it, and we're all such trusting souls. Only this morning I chmod +x'ed and executed a binary (as root) which I had earlier accepted from a kindly stranger. More FUD methinks..

Re:Laughable assertions (5, Insightful)

cperciva (102828) | more than 10 years ago | (#8278753)

and we're all such trusting souls

I'm providing binary security updates for FreeBSD. The Project publishes source code patches (and adds them into the CVS tree); I take those and build binaries, in order to help people who cannot or don't want to build updated binaries themselves.

Thousands of people have used updates I've built; nobody has ever emailed to ask "who are you, and why should I trust you?"

We may not be *all* such trusting souls, but there are an awful lot of trusting souls out there.

Re:Laughable assertions (5, Insightful)

maharg (182366) | more than 10 years ago | (#8278789)

Yes, there are millions of trusting souls out there who (if they have even considered the issue) perceive themselves to not have any *choice* but to trust the Microsoft Corporation. Your site appears to be reputable, and you presumably have nothing to gain by publishing malware. I think you have to some degree missed the point of the article, which talked about high security applications of computing, such as national security et al. To say that trusting a single corporation which will not let you see the "ingredients" is more secure than having a choice of sources, compilers and so on is naive, at best IMO.

Re:Laughable assertions (4, Insightful)

Tony-A (29931) | more than 10 years ago | (#8278865)

Thousands of people have used updates I've built; nobody has ever emailed to ask "who are you, and why should I trust you?"

Sure you could do something nefarious, but why would you? Seems like somehow you'd have a lot more to lose than to gain.

Since you have no control over, and not much knowledge of who downloads what when, it seems utterly fantastic that you'd use those binaries to target your enemies.

Somebody compiles his own binaries. It should be fairly normal for him to download your binaries and see how his stacks up against yours. If there's something strange about yours, he's likely to try to find out what and why and unlikely to keep quiet if he finds any evidence of something wrong.

It's not that I trust you or don't trust you. I'm sure that I can trust you a lot more than I need to trust you. If I have to ask why I should trust you then I probably should not trust you. Either way, I don't ask. If I did ask, I have no idea of any answer you could give that would cause me to trust you. It's more like I'd trust you because the binaries are there than that I'd trust the binaries because I trust you.

Re:Laughable assertions (3, Funny)

Negative Response (650136) | more than 10 years ago | (#8278994)

It's not that I trust you or don't trust you. I'm sure that I can trust you a lot more than I need to trust you. If I have to ask why I should trust you then I probably should not trust you. Either way, I don't ask. If I did ask, I have no idea of any answer you could give that would cause me to trust you. It's more like I'd trust you because the binaries are there than that I'd trust the binaries because I trust you.

Geez. I was able to follow what you said until this part. Now I'm feeling dizzy.

Re:Laughable assertions (1)

Tony-A (29931) | more than 10 years ago | (#8279008)

Geez. I was able to follow what you said until this part. Now I'm feeling dizzy.

Tehe. It's almost impossible not to confuse ability with need. ;-)

When was the last time you downloaded binaries... (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8278998)

and compared the result to your own compiled versions and how did you do the comparing? Just curious...

On the other hand (3, Insightful)

Benm78 (646948) | more than 10 years ago | (#8279019)

I think the parent has a point. It would be quite easy to exploit people that trust your binaries. When they download a precompiled binary from your system and install it, they could actually install a very big backdoor on their system.

To make things worse, the one that offers the malicious binaries can easily log from which IP's they were downloaded. Many people will download directly to their server using wget, and then install the binaries.

If people then omit to verify the integrity of the binaries one way or another, this whole scenario becomes quite risky. Not that I think any self-respecting person would follow this course of action, I still feel that some scriptkiddies out there might give this a try.

Therefore, beware!

Re:Laughable assertions (5, Interesting)

I confirm I'm not a (720413) | more than 10 years ago | (#8278895)

The impression I formed from the DevX article was that it was aimed at government (and I suppose you could argue that that might influence large corporations, too).

In my experience government and corporate IT admins are *not* trusting souls. As an example, I once worked as a contractor for an agency that built software for the UK health service: everything I built was then reviewed and recompiled by in-house staff. The manager told me that they preferred open-source precisely because of the ability to review source code. Cost was only a secondary factor.

The same manager also commented that security-through-obscurity - relying on closed-source to deter evil-doers - was not an acceptable option as it placed too much reliance on third-parties.

Re:Laughable assertions (1)

dnoyeb (547705) | more than 10 years ago | (#8279002)

I think they trust each other, not you. They trust that if you slipped a mickey into the code, it would come out. Then you would be branded. They trust the system of communication that is the internet. I used precompiled binaries on occasion for difficult projects such as Multimedia ones on Linux. I'm suspicious too.

I'm quite a bit less suspicious when using software from RedHat. Though I emailed them twice about their up2date upgrade downloads md5sum not matching the binaries, on some of their download servers.
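
The AC's question above about how you actually compare a downloaded binary with your own build, Benm78's warning to verify the integrity of downloaded binaries, and the md5sum mismatches dnoyeb mentions all come down to the same check. The following is an added example, not code from this thread or from any FreeBSD or Red Hat tool: it verifies downloaded files against a sha256sum-style manifest and, separately, against a locally built reference copy. The file names (`sshd`, `libssl.so.0`), the byte strings and the manifests are all constructed stand-ins.

```python
"""Verify downloaded binaries against a checksum manifest and a local build.

Added example (not from the thread). The manifest format mirrors what
`sha256sum` prints: "<64 hex chars>" then two spaces (or space and '*'
for binary mode) then the file name. All inputs are constructed in
memory so the script runs offline.
"""
import hashlib
from typing import Dict, List, Tuple


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: lowercase hex digest}."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        if name.startswith("*"):  # sha256sum's binary-mode marker
            name = name[1:]
        entries[name] = digest.lower()
    return entries


def verify_against_manifest(manifest_text: str,
                            files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every problem; an empty list means clean.

    Reasons: 'mismatch' (digest differs), 'missing' (listed in the manifest
    but not downloaded), 'unlisted' (downloaded but not covered by the
    manifest, so nothing vouches for it).
    """
    expected = parse_manifest(manifest_text)
    problems: List[Tuple[str, str]] = []
    for name, digest in expected.items():
        data = files.get(name)
        if data is None:
            problems.append((name, "missing"))
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append((name, "mismatch"))
    for name in files:
        if name not in expected:
            problems.append((name, "unlisted"))
    return sorted(problems)


def compare_with_local_build(downloaded: Dict[str, bytes],
                             local: Dict[str, bytes]) -> List[str]:
    """Names of downloaded files that differ from the locally built copy.

    A manifest served from the same mirror as the binary only detects
    corruption or tampering relative to that manifest; whoever controls
    the mirror can regenerate both. An independent reference (your own
    build, or a signature from upstream) is what catches a swapped binary.
    """
    return sorted(n for n in downloaded
                  if n not in local or downloaded[n] != local[n])


# Constructed sample data standing in for real update binaries.
GOOD_BINARY = b"\x7fELF\x02\x01\x01 constructed stand-in for an sshd build\n"
TAMPERED_BINARY = GOOD_BINARY + b"constructed extra bytes"
LIB = b"constructed stand-in for libssl.so.0"


def _hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Manifest as published alongside the good build (constructed).
SAMPLE_MANIFEST = f"{_hex(GOOD_BINARY)}  sshd\n{_hex(LIB)} *libssl.so.0\n"
# Manifest a hostile mirror would regenerate to match its swapped binary.
FORGED_MANIFEST = f"{_hex(TAMPERED_BINARY)}  sshd\n{_hex(LIB)} *libssl.so.0\n"


if __name__ == "__main__":
    local_build = {"sshd": GOOD_BINARY, "libssl.so.0": LIB}
    downloaded = {"sshd": TAMPERED_BINARY, "libssl.so.0": LIB, "README": b"x"}
    print("vs published manifest:", verify_against_manifest(SAMPLE_MANIFEST, downloaded))
    print("vs forged manifest:   ", verify_against_manifest(FORGED_MANIFEST, downloaded))
    print("vs local build:       ", compare_with_local_build(downloaded, local_build))
```

The forged-manifest case is the one to notice: the digest check passes, and only the comparison against the independently built copy reports `sshd`.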

Re:Laughable assertions (1)

realnowhereman (263389) | more than 10 years ago | (#8279007)

Are any of these people working for a high-security governmental organisation? The assertion made in the original derogatory article was that dubious binaries would be run by governments.

Re:Laughable assertions (1)

Shinobi (19308) | more than 10 years ago | (#8278821)

Well, can you trust the contributors? Can you trust the entire core team? What if someone participates with a fake identity also, and uses the legit and the fake identity to insert exploits, with the legit ID saying "I've checked out his patch, it seems ok", occasionally fixing a trivial error etc. Maybe not very likely, but it's definitely possible.

The whole "Many eyes makes the problem shallow" only works if everyone is equally skilled, and hopefully as skilled as the potential exploit creator. There's also the fact that the more people that become involved, the more things tend to screw up, with people not doing things because they think that someone else will look at it.

Re:Laughable assertions (4, Insightful)

Tony-A (29931) | more than 10 years ago | (#8278964)

The whole "Many eyes makes the problem shallow" only works if everyone is equally skilled

Totally wrong.

The advantage of many eyes is that they are different eyes. The problem is only visible if it is viewed from the right angle, in the right lighting, etc. The skill sets required to identify that a bug exists, to identify what the bug is, and to actually fix the bug are all very different.

Re:Laughable assertions (1)

TobiasSodergren (470677) | more than 10 years ago | (#8278985)

But the malicious code, should it happen, is more likely to be removed if you have access to the source code than if you just have the binaries. You should at least have the chance to figure out if something strange is going on. With only the binaries, you have no clue.

Best point is the last (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8278730)

The responder's best point is the last; if you trust software from some unknown project or company, who knows what you're getting. But trusting in major players, such as Apache, you can be at least as sure (if not more so) that you're getting good, stable, secure software as anything shipped from Redmond.

Re:Best point is the last (1)

FePe (720693) | more than 10 years ago | (#8278779)

The responder's best point is the last; if you trust software from some unknown project or company, who knows what you're getting. But trusting in major players, such as Apache, you can be at least as sure (if not more so) that you're getting good, stable, secure software as anything shipped from Redmond.

I have just rebooted Windows for the third time now because it won't install the Real One Player. I use Linux too, and by experience I know that what you say is true - I have never experienced a stable release of a large open source project that crashed or did anything else weird.

Re:Best point is the last (4, Interesting)

tigress (48157) | more than 10 years ago | (#8278803)

Playing the devil's advocate here, you can trust source from Apache yes, but can you trust a precompiled Apache HTTPD from ACME GPU/Linxu?

Re:Best point is the last (4, Informative)

thelen (208445) | more than 10 years ago | (#8278872)

can you trust a precompiled Apache HTTPD from ACME GPU/Linxu

Nope, but you also cannot trust Thugs R' Us Locksmiths.

OSS commoditizes software: it devalues code in exchange for freedom of collaboration, the ability to build on others' successes, probably a greater amount of software overall, and I would argue, a faster development cycle. The author of the original article apparently thinks that this is a detriment because it makes it easy to start a malicious company like ACME GPU/Linxu to sell a forked open source product with intentional security holes.

But we're used to this problem in other industries where products become commonly available and people can form their own businesses utilizing those commodities. And while there *are* scams, most of us accept that we need to exercise judgment in whom we trust. Anyone can go out and buy locksmithing equipment, but if you skip over a known, reputable and trusted vendor in favor of the cheaper 'Thugs' alternative, you get what you deserve: a lock with more keys than you know about.

Re:Best point is the last (4, Insightful)

gweihir (88907) | more than 10 years ago | (#8278879)

...but can you trust a precompiled Apache HTTPD from ACME GNU/Linxu?

Not strictly. Yes, you can assume if ACME has a long enough and known history that they are honorable. No, there could still be backdoors in there.

But you know what? You can get part or all of your distro from somebody else! And since it is GNU, if somebody claims ACME has backdoors you can check this in the source (if it is there) or compile from their source (if it is not there).

That is actually a major advantage for compilable open source: Patches can be source patches and you can see and verify yourself what the vulnerability was and how well it was fixed. In addition you can fix things that are not exactly matching the patch. I, for example, run Debian with self-compiled xfree 4.3.9x (Radeon 96000XT). The published patch for the recent font-related buffer overflow does not apply to the sources cleanly. But it is very easy to see what the patch does and to change the sources accordingly. Took me about 20 minutes (+recompile) to patch it manually.

With closed-source patches you never know whether they are actually fixing the problem or whether they also do other stuff. All the fake "MS-patches" in Email also show that it is a good thing when people can verify what the patches do. And it gives strong motivation to come up with a minimal, elegant patch as well, since people can see it!

Re:Best point is the last (5, Insightful)

no longer myself (741142) | more than 10 years ago | (#8278888)

It's both a valid and interesting point, but how many times do we have to keep second-guessing ourselves over the security of software? In general, it boils down to "who do you trust?"

In my case, I see it as, "Do I want to trust a company whose only interest is in generating a profit, or do I want to trust the broader base of humanity who wants to create an open and free system?"

Admittedly I've got a tin-foil hat collection to rival any slashdotter, so I'll try to advocate the devil as well with "Do I want to trust some band of amateurish zealots who lack a clear and unified mission statement, or do I want to trust a company that has shown an exceptional degree of responsibility by having a track record in producing enormous profits?"

Obviously both have appealing merits. So "who do you want to trust today?" (TM)

We all have our heroes into which we place our faith, and nobody likes to be let down by a hero. For some it's the almighty dollar, for others it's their faith that deep down, humanity tends to be good.

--
Yes, I'm biased.

Re:Best point is the last (5, Insightful)

I confirm I'm not a (720413) | more than 10 years ago | (#8278901)

...and, to add to the parent's excellent points, open-source gives you the option to say:
I only trust myself... and then compile the reviewed code yourself.

Re:Best point is the last (1)

CBravo (35450) | more than 10 years ago | (#8278868)

I haven't RTFA, but the same is true for closed software. Spyware anyone?...

Too controversial to ignore? (4, Interesting)

heironymouscoward (683461) | more than 10 years ago | (#8278732)

Heironymous' Prime Law of Journalism:

Opinions are valued in inverse relation to the amount of money paid to produce them.

In this case, the opinion that transparency is bad for security is of so little value that it's difficult to answer it with a serious tone.

After all, Windows is remarkable for its security wrt something like, OpenBSD, known for its secretive and opaque practices.

lol.

Re:Too controversial to ignore? (0)

Anonymous Coward | more than 10 years ago | (#8278944)

What made me laugh was I got an add for freeVBcode.com, stating "Get high quality, FREE, Visual Basic Code" on the devx site. c | n > k

Re:Too controversial to ignore? (1)

dnoyeb (547705) | more than 10 years ago | (#8279018)

Let us also not forget that windows "leaks" have occurred recently. And remember last year when there was question about the code being infiltrated? Leaks can go both ways.

I like the ability to personally verify any rumors I hear about the code, or pay someone else to. OSS offers this, closed source does not.

Also, when you have the illusion of security, you tend to be less diligent. I argue OSS has stronger code checks for major projects because of the nature of the code. For instance, the Linux kernel appears to have several review steps for CODE that is submitted. They don't just check if the running binary breaks.

Obvious chance to find out... (4, Interesting)

darnok (650458) | more than 10 years ago | (#8278742)

Now that the MS source for NT 4 and Win2k is "out there", even if only in part, we'll have a good chance to see exactly how secure it is over the next several months.

Anyone want to bet that the number of exploited Windows security holes is NOT gonna soar?

Re:Obvious chance to find out... (1)

Qeantk (660103) | more than 10 years ago | (#8278760)

It's already soaring, making it hard to call after the fact. People could argue it is more of the same, even if it picked up some, and if it doesn't they'll decree the OSS security model, regardless of proof to the contrary. Apache v. IIS, anyone? Anyways, we're still busy figuring out exactly what code is involved, and what the ramifications of that distinction are.

Re: Obvious chance to find out... (4, Insightful)

Black Parrot (19622) | more than 10 years ago | (#8278847)

> Now that the MS source for NT 4 and Win2k is "out there"

Which suggests the argument that even if your code isn't "Open Source" it may still be "open source", so even if source availability is a security handicap, the field may still be more level than closed source shops would like to think.

How many barn doors do you need? (1)

rufusdufus (450462) | more than 10 years ago | (#8278852)

Windows is already hackable and riddled with security holes. How many barn doors there are isn't going to change the number of chickens that escape.

The limit of security is not a technical one, it is a human one: how many sociopaths bent on destruction of innocent bystanders are there. No doubt there are a few, and no doubt the network nature of internet gives them leverage disproportional to their numbers, however more ways of committing the same heinous hacks isn't going to make much impact on their influence.

Re:How many barn doors do you need? (0)

Anonymous Coward | more than 10 years ago | (#8279009)

"Windows is already hackable and riddled with security holes."

Oh, and I suppose Linux/*BSD/Solaris isn't? I'd be prepared to lay good money that if you were sat down in front of a properly configured Windows box that had been setup by a competent admin, you couldn't break in if your life depended on it.

Posting AC, because Slashdot Karma is as worthless as shares in an inflatable-dartboard company.

Re:Obvious chance to find out... (4, Interesting)

gweihir (88907) | more than 10 years ago | (#8278902)

Now that the MS source for NT 4 and Win2k is "out there", even if only in part, we'll have a good chance to see exactly how secure it is over the next several months.

To tell you the truth, I am not interested. Why should I look at parts of a badly structured, feature infested, bug infested monolith of an OS? When I can at the same time find out how to do it right by looking at the sources of the Linux kernel or one of the open sourced BSD's? Why would I actually want to read bad code?

True, some people will actually spend the time to find vulnerabilities. Some of them (especially those in military and commercial espionage) will not publish what they find. But I suspect these people already had this kind of access before. And the usual script-baby losers do not have the competences to understand the sources anyway.

One thing could happen though: Too many published and still current vulnerabilities for MS to fix. Or even worse, vulnerabilities they cannot fix because they made bad design decisions. Will be interesting to watch.

Re:Obvious chance to find out... (1)

fucksl4shd0t (630000) | more than 10 years ago | (#8278938)

Why should I look at parts of a badly structured, feature infested, bug infested monolith of an OS?

When I ran out of gas over on 520 and found myself walking down 156th Ave NE in Redmond, I asked myself this same question. The answer, right there in the heart of Microsoft, presented itself. Some well-dressed, clean cut dude came out with a CD and said "Here's the source for Windows XP." I said "What the fuck am I gonna do with that?" You know what he said?

"You'll learn how not to write code."

Part of my story is true, guess which part. :)

Re:Obvious chance to find out... (1)

Tony-A (29931) | more than 10 years ago | (#8278989)

Anyone want to bet that the number of exploited Windows security holes is NOT gonna soar?

Yeah, I'd take that bet.
For baseline, there is a trend going back to Melissa that indicates an ever increasing level of malware. "soar" is above that baseline.

The bad guys have every reason to use the newly exposed source.
The good guys have every reason to avoid the newly exposed source.
Still there should be a few cheap hacks so that my computer does what I want it to do instead of what Microsoft wants it to do.
My best guess is that the level of malware will be slightly below the baseline.
An interesting possibility is that exposure to the source messes up the minds of the bad guys sufficiently that the level actually goes down.

Huh? (5, Insightful)

Dan Farina (711066) | more than 10 years ago | (#8278747)

I fail to see how his logic works.

Because I can view the source code and change the source code, I can introduce a flaw. Yet it would be far less likely for a for-profit closed source project to be swayed by some sort of ulterior motive to include a flaw, because we have seen exactly how ethical and steadfast corporations are in this modern day and age.

It seems that he doesn't acknowledge that the aspect that makes open source secure is that it's hard to have a unified, systematic, malevolent agenda due to the extensive peer review inherent in the system. People who have different agendas or motives than you will be viewing your changes.

While his hypothesized scenario is certainly possible, I wouldn't go so far as to say it is a bane.

Re:Huh? (2, Interesting)

TrancePhreak (576593) | more than 10 years ago | (#8278774)

What about like what happened when the source tree was compromised and someone added a line of code that didn't look all that bad until further investigation when it gave programs root access? I remember they asked for MD5 sums and they were able to track down the root of the problem, but what if someone better was able to modify something on a system such as that without notice?

Re:Huh? (5, Insightful)

thelen (208445) | more than 10 years ago | (#8278829)

That's a different problem than the one suggested by the original -- and badly misguided -- article. In the case you mention, a security breach allowed unauthorized alterations to the codebase. And of course after any such intrusion a full code review is a necessity regardless of your development model.

The argument presented though is predicated on the "core developers" of a project intentionally creating a secret fork of the source containing security holes and using that compromised branch to build binaries. Of course this threat is equally if not more likely to occur in closed source products, and so the author presses his case with the scenario of a no-name company being formed to sell compromised open source products. Somehow we're asked to believe that the virtue of OSS -- the ability to build off of others' work -- is actually a security liability because of the ease of creating a malicious startup. Never mind that any IT manager who chooses to use the binaries from an unknown software vendor, especially if verifiably pure source is available, is clearly being negligent.

Re:Huh? (0)

Anonymous Coward | more than 10 years ago | (#8278908)

Just because it is possible for people to look at and review open-source code, doesn't make it happen. How much of your spare time do you use looking for security problems in open-source code? As open-source continues to grow, this will become a real problem.

jesus (0, Flamebait)

kyknos.org (643709) | more than 10 years ago | (#8278748)

10 yo kid knows that Linux is far more secure than Windows

Re:jesus (-1, Troll)

Rosco P. Coltrane (209368) | more than 10 years ago | (#8278795)

10 yo kid knows that Linux is far more secure than Windows

On the other hand, 10 year old kids don't seem to have enough sense to not make broad statements like this.

Fact #1: Windows has gotten a lot better and continues to get better

Fact #2: Use Linux as a Windows user, i.e. logged as root all the time, installing and disinstalling crap, not knowing what the hell you're doing, and I guarantee you Linux is less secure than Windows.

Fact #3: If Linux had a broader user-base, 90+% like Windows, it'd certainly be the target of worm writers. So far it hasn't been "virus-tested" like Windows, so don't be so prompt to declare it secure.

I'm no Windows fan, but at some point you have to look at the truth, and avoid saying "this is better than that. period.".

MOD PARENT DOWN - CLUELESS KARMA WHORE (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8278806)

Dude, you can wrap your facts together and shove them back into your ass....

1) So does Linux.

2) Same with windows.

3) You just shut the fuck up and watch it, dude.

4) Troll.

MOD PARENT DOWN - CLUELESS ZEALOT (0)

Anonymous Coward | more than 10 years ago | (#8278820)

BUT MOD GRANDPARENT UP!

Re:MOD PARENT DOWN - CLUELESS ZEALOT (0)

Anonymous Coward | more than 10 years ago | (#8278848)

Zealots and whores, stfu, for godsakes.

Windows is more insecure than Linux because it has a completely different architecture. Linux (like all Unix-like systems) is built in layers. Fix a security problem in one layer (like ssh) and all layers that use it (like CVS) are secured.

Windows is built in large vertical chunks. Fix a security problem in (e.g.) IIS and you've done nothing to make SQLServer more secure. Jesus, how many times have I had to patch my Windows servers... it's just incredible!

Added to this the ease with which Windows clients execute hostile scripts that can easily gain admin privileges, and add to this the naivety of most Windows users, and add to this the fact that Windows' DNA presents a huge sterile monoculture for malicious code to attack, and you have a serious problem.

If you love Windows, like I do, the last thing you should be doing is playing kindergarten about whose daddy is bigger. We need to fix this damn situation before the whole world decides it's had enough of the viruses and trojans and worms and hackers, and turns to something like Linux. That would be tragic for us die-hard Windows zealots who know that Bill Gates invented the Internet and is the greatest geek of them all!

We all _know_ Windows is insecure. It's not really a secret any longer. You gotta be totally crazy to deny this.

Now, what are you gonna do about it? Say it's a Linux zealot's fault? Nah, help Bill fix Windows: send him bug reports, tell him when your PC got spammed, and generally do what those long-haired commie linux dudes do, take an interest in the software they use and make it better!

An open-source Windows would be just the coolest.

Re:jesus (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8278827)

Haha.

Virus tested...

Is that like Debbie does Dallas was penis tested?

Re:jesus (5, Insightful)

Dashing Leech (688077) | more than 10 years ago | (#8278837)

Mr. Troll, you were never any good at debating, were you?

"Fact" #1 doesn't say anything about the relative security. Linux also continues to get better. It started better and has stayed better. Windows started from crap security and has gotten slightly better.

"Fact" #2 is (a) wrong, and (b) a non-argument. It is wrong because even as root it is not as easy to unintentionally screw things up as it is in Windows, which does so many things automatically without user knowledge so as to not "inconvenience" the user with "unimportant" details. It is certainly not less secure than Windows.

It is a non-argument because it basically says "If you use Linux insecurely, it will be insecure." It's like saying a car with a bunch of anti-theft devices is just as (or more) insecure as one with none because if you leave it running with the keys in it and doors open, someone could steal it.

"Fact" #3 has been tried and refuted many times. It is not secure because it is not as common. There's been a variety of analyses to prove this wrong. The obvious one is that Linux and Unix are used far more than Windows on servers, and yet server attacks are still more common on Windows.

At some point you have to check your "facts" before calling them facts.

Re:jesus (0, Flamebait)

tomstdenis (446163) | more than 10 years ago | (#8278968)

"It is a non-argument because it basically says "If you use Linux insecurely, it will be insecure." "

No, his point was if Windows users used Linux like they do Windows then Linux wouldn't look so hot. Sure, Linux has few security exploit reports. That's because most Linux users are so far halfway intelligent about security.

""Fact" #3 has been tried and refuted many times. It is not secure because it is not as common."

Have you seen the kernel exploit lists for the 2.4.xx series? I thought not.

Tom

Re:jesus (5, Insightful)

Ohreally_factor (593551) | more than 10 years ago | (#8278842)

Fact #3: Since Apache/linux run 66% of the webservers, you'd think that there would be many more exploits for Apache than for MS's competing product, based on your reasoning.

Re:jesus (1)

darnok (650458) | more than 10 years ago | (#8278874)

I agree with your points except for this:

> Fact #2: Use Linux as a Windows user, i.e. logged
> as root all the time, installing and disinstalling
> crap, not knowing what the hell you're doing, and
> I guarantee you Linux is less secure than Windows.

You would be correct, but the real issue is that Linux users (excepting Lindows users) *don't* normally run as root. They also typically install software from relatively trusted sources such as Mandrake, RedHat or Debian; instead of going to something like Kazaa and contracting all sorts of ugly diseases in the process, they download e.g. limewire from a site that isn't operated by people with commercial agendas that are at odds with your own personal agendas.

The very fact that this is the way Windows, and Windows users, work is a large part of what causes it to break. You can't sensibly argue "if only Linux worked like Windows, then it would be as bad as Windows".

Journalism, church and state (0, Offtopic)

Rosco P. Coltrane (209368) | more than 10 years ago | (#8278759)

Journalism is a difficult profession, demanding a rigorous editorial line between "church and state".

Yes, I'll second that faster than you can say "Antidisestablishmentarianism".

Having the source may help bad guys ... (5, Interesting)

file-exists-p (681756) | more than 10 years ago | (#8278763)

There is no doubt it may help someone to break into your system if he has the source code of your OS and various daemons. Fortunately, when it's open-source, we can hope bugs allowing bad guys to break in may have been spotted by nice guys before and patched.

The real problem would be if only bad guys had your source code .... that would really suck. If for instance there was a leak of your source code on the internet, and of course only bad guys would look at it (because others do not give a shit) and thus you would get only the bad part of the openness ...

Yeah, that would suck. That would really suck.

--
Go Debian!!!

Re:Having the source may help bad guys ... (0, Flamebait)

uv_light (750273) | more than 10 years ago | (#8278832)

The real problem would be if only bad guys had your source code .... that would really suck.

Now we just have to see how much it would suck for Microsoft to leak the source code. I am waiting for a major outbreak of exploits and/or viruses, worms. By that time, I will be sitting in front of my computer and laughing at what A. Russell Jones had said (and Microsoft as well) about which is the ground for foul play.

Re:Having the source may help bad guys ... (4, Insightful)

__past__ (542467) | more than 10 years ago | (#8278906)

The real problem would be if only bad guys had your source code .... that would really suck.

To put it differently: If access to source code is outlawed, only outlaws will have access to source code.

Re:Having the source may help bad guys ... (1)

glop (181086) | more than 10 years ago | (#8278949)

Having the source is nice but people should keep in mind that binary programs are fairly easy to understand too.

If you want to find holes in say Windows NT, you can simply buy a copy, install it (or not) and run SoftIce debugger and various decompilation or emulation tools.

When I was a teen I would take a disassembler and disassemble demos to find out how they made their special effects. It was really easy and it makes me believe that people less lazy than me can really go far with simple access to the binaries...

Finally, it is also fairly common to make binary patches to software that is only available in binary form (e.g. infinite lives in games). You really don't need the source to make and release modified binaries of a program.

So, I really think that source availability does not help the bad guys. Binaries are really OK when you have strong motivation and a few good tools. And I guess that we can expect bad guys to have both...

Looks like... (5, Insightful)

deitel99 (533532) | more than 10 years ago | (#8278766)

Slashdot is feeding the troll. Just because the original article claims to be a balanced warning into OSS, a little research shows all his points to be wrong.

Just another journalist trying to make a story people - move along.

Article rating and devx hosted rebuttal. (5, Informative)

FauxReal (653820) | more than 10 years ago | (#8278767)

Open Source Is Fertile Ground for Foul Play Average Rating: 1.2/5

The rebuttal "Who's Guarding the Guards? We Are" [devx.com] , also hosted at devx. Average Rating: 4.9/5

Re:Article rating and devx hosted rebuttal. (3, Informative)

Anonymous Coward | more than 10 years ago | (#8278812)

and the funny thing is that the first (anti-open source) article was written by the Executive Editor of DevX, and this rebuttal was written by "a Senior Engineer at DevX"

this is pathetic (4, Insightful)

pytheron (443963) | more than 10 years ago | (#8278769)

There are a handful of ways that malicious code can make its way into open source and avoid detection during security testing

Let's see.. the most (un)likely way is that someone hacks a host server, mods the code and then updates the MD5 sums. Stupid. All major Open Source projects know how to protect their codebases by holding offline checksums and isolated codebases. This is too unrealistic to happen these days, if you actually care about verifying what you just downloaded and are about to compile.

Instead, the security breach will be placed into the open source software from inside, by someone working on the project.

Laughable. Absolutely ridiculous !! Can this not happen in closed source environments ? A disgruntled employee perhaps ? I'm sure the article writer would say "but there is quality control, peer review.." I suppose that never happens in Open Source.. I mean, how can we actually review the code when it's publicly available. Oh, that's right.. we can. Open Source peer review is brutal at the best of times !
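The "updates the MD5 sums" scenario above is worth seeing concretely: a checksum file served from the same compromised host verifies a tampered download just fine, while a copy of the manifest held off that host catches it. This is an added example, not code from the thread or any project; the tarball, manifest and "offline" copy are all constructed in a temporary directory, and the offline copy is just a second file standing in for a separate machine.

```shell
#!/bin/sh
# Added example: a checksum stored next to the download versus one kept offline.
# Everything here is constructed locally; no network access is needed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_release: the honest publisher packs a source file, records its SHA-256 in
# SHA256SUMS, and keeps a second copy of that manifest "offline" (a separate path
# here, standing in for a separate, non-public machine).
make_release() {
    printf 'int main(void){return 0;}\n' > "$WORK/foo.c"
    tar -cf "$WORK/foo.tar" -C "$WORK" foo.c
    (cd "$WORK" && sha256sum foo.tar > SHA256SUMS)
    cp "$WORK/SHA256SUMS" "$WORK/SHA256SUMS.offline"
}

# compromise_mirror: an intruder on the download host replaces the tarball AND
# regenerates the checksum file sitting beside it, the case the comment describes.
# The offline copy is out of reach and stays unchanged.
compromise_mirror() {
    printf 'int main(void){return 1;}\n' > "$WORK/foo.c"
    tar -cf "$WORK/foo.tar" -C "$WORK" foo.c
    (cd "$WORK" && sha256sum foo.tar > SHA256SUMS)
}

# verify_with MANIFEST: check the tarball against the named manifest.
# Returns 0 when the recorded hash matches the file, 1 otherwise.
verify_with() {
    (cd "$WORK" && sha256sum -c --status "$1")
}

# Stand-alone demonstration: after the compromise, the on-host manifest still
# "verifies"; only the offline manifest exposes the substitution.
make_release
compromise_mirror
if verify_with SHA256SUMS; then
    echo "on-host SHA256SUMS: OK  (tampering NOT detected)"
fi
if ! verify_with SHA256SUMS.offline; then
    echo "offline SHA256SUMS: MISMATCH (tampering detected)"
fi
```

The same reasoning is why distributions sign their manifests with a key that never lives on the mirror: the verification has to be anchored somewhere the attacker on the download host cannot rewrite.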

Re:this is pathetic (0)

Anonymous Coward | more than 10 years ago | (#8278834)

You don't seem to realise that you're agreeing with the article in question. Perhaps you do; in which case, you should specify that you're agreeing with the author and we can then moderate you "redundant" accordingly.

Re:this is pathetic (1)

CBravo (35450) | more than 10 years ago | (#8278878)

Is there a howto on these sorts of techniques? I haven't come across that yet, but I would like to know more...

Dear original submitter (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8278772)

YHBT. YHL. HAND.

He might be right... (2, Interesting)

kyshtock (608605) | more than 10 years ago | (#8278780)

I believe he's right... if he means proprietary source code that finally goes in the wild. The moment code opens, troubles are waiting to happen. If some recent events ring a bell, that's not my fault :)

On the other hand, if he means code that's been built openly... damn, what's better than having the software AND the source code for inspection? how do you beat that?

whose payroll is writing this guys article ? (2, Insightful)

pytheron (443963) | more than 10 years ago | (#8278783)

Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public.


So.... it's not Open Source then. Way to let the hot air out of your puffed-up argument.

Oh they were very easy to ignore. (5, Insightful)

SmallFurryCreature (593017) | more than 10 years ago | (#8278787)

I saw the post on this idiots article right below the post on the MS source leak.

So GNU/Linux source has been out for decades. Windows source has never been out except recently. Shall we do an exploits in the wild count? Note the in the wild part. It is a distinction that anti-virus researchers make as there are some pretty nasty computer viruses that have only been spotted in their labs, not on people's PCs.

Every now and then some idiot is going to stand up and proclaim something really stupid. Instead of gently leading that person to proper care and attention in the form of a straitjacket and a handful of pills, people print their ravings.

This guy is one of them. Open source vs closed source means very little when it comes to security. Big holes can and have been found in both. What matters is how you respond to those holes. Open source GNU/Linux is pretty fast. Closed source Microsoft is goddamn slow. So? MS is hardly the only closed source company. If someone ever posts figures on the commercial Unixes or OSes like Symbian and shows the same terrible performance as MS then I will be impressed.

So far all the MS exploits prove is that they have some pretty sloppy working methods in redmond. Not that closed source itself is bad. If all closed source projects have the same track record as MS then it will be news. They don't.

HOWEVER, open source has proven itself. Countless projects use it: the Linux kernel, the GNU toolset, KDE and GNOME and all the other desktops, TRON the OS blueprint from Japan, Apache, MySQL and PostgreSQL and the Berkeley databases, BSD even though it is dying, and countless others.

Proprietary code does not prevent hacked binaries. (5, Interesting)

tigress (48157) | more than 10 years ago | (#8278794)

I was recently involved in a project where a large Swedish car manufacturer migrated to a corporate wide client platform. The operating system was supplied by a major American software company, packaged by a major American computer manufacturer, reviewed and further packaged by the car manufacturer's mother company and finally tailored for local requirements by one of our teams.

At any one of those stages, a hacked binary could've been introduced into the operating system. To modify a binary, even without access to the source code for said binary, is a trivial task for anyone with a rudimentary knowledge of assembler.

Proprietary code does not, in any way, prevent malicious code from entering the system. One of the points in the original article was that a malicious distribution could be specifically tailored for and marketed to, for instance, a government. My example above shows how a proprietary code operating system can be used in a similar way, and this time without any source code to check against.

Re:Proprietary code does not prevent hacked binari (1)

Tony-A (29931) | more than 10 years ago | (#8278940)

To modify a binary, even without access to the source code for said binary, is a trivial task for anyone with a rudimentary knowledge of assembler.

And closed source makes it trivial to keep anyone else from knowing that the binary has been modified. Anyone along the line can inject a backdoor or trojan.

It will be interesting to see how Microsoft fares with some of their source gone public. There is a trend dating back to Melissa that suggests an ever increasing level of malware. My own prediction is that, with a few cheap hacks to have my computer do what I want it to do instead of what Microsoft wants it to do, the level of malware will be a tad smaller than the trend projected. That despite the fact that the bad guys have every reason to use it and the good guys have every reason to avoid it, the leaked source, I mean.

Closed source vs Open. (4, Insightful)

Anonymous Coward | more than 10 years ago | (#8278796)

First off, Malicious hackers have day jobs.

Lots of times they are professional programmers that like to play "games" on the weekends and in the evening.

MS's source code is like a prostitute. It gets around and around to whoever has the money to afford it. To say that it never fell into the hands of a "bad man" even thru legitimate means is foolish.

People spend months and months researching and setting up specific attacks. Sometimes the stakes are worth hundreds of thousands of dollars when it comes to corporate espionage and trade secrets.

Now most hardcore hackers, even if they do have access to the source code, definitely aren't going to advertise it on warez sites and post their findings on Slashdot. Their time is worth money/fame/insane pride to them too.

This latest release of the Windows source to warez-style groups is definitely NOT the first or the last time the source code to your programs is available to people you don't trust.

In Open source:
The developers have the source. The crackers have the source. YOU have the source.

In Closed source:

The developers have the source. The crackers have at least partial access to the source. You're screwed.

It may be a subtle difference, but also think about this:

How many disgruntled employees piss in their boss's coffee? Or at least spit? Or use stale water (if they are pussies)?

Now how many programmers are entirely "there"?

Do you want your application to be the pissing ground for angry employees? Can you tell?

No, of course not; there have been plenty of cases of otherwise perfectly good programs having security holes and backdoors planted in them by programmers.

You think it's going to stop because Bill Gates says it isn't so?

XBox rules!! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8278797)

first post!!! you lame assholes... I can post first because my XBox is a american product and my pride in my great country and my great XBox accelerate everything...

If only they would make games for that bitch... I've played Metroid Prime and it ruled... I hope M$ will buy those Japanese bastards and port Metroid to my great American console system!!!

Join the fun!!! [slashdot.org]

i stopped reading after the first sentence (4, Insightful)

real_smiff (611054) | more than 10 years ago | (#8278799)

An old adage that governments would be well-served to heed is: You get what you pay for

Right, next story. (Anyone who starts with an outdated & meaningless saying is not going to have anything valuable or new to say. We all have better things to do than entertain this rubbish.)

and /., can you stop reporting this, it's basically one huge troll & it only encourages people like him.

btw Mr. Jones, the choice isn't open vs. closed, it's open vs. possibly leaked. yah. nice. please go away.

aha ! found him out (3, Funny)

Anonymous Coward | more than 10 years ago | (#8278807)

The guy has a trimmed beard ! a trimmed beard!! No open source has ever touched him, or his facial hair would be reaching for the keyboard !

Testosterone control (5, Insightful)

Gadzinka (256729) | more than 10 years ago | (#8278826)

As previously discussed on /. Jones' comments are too controversial to ignore.

On the contrary, this type of comment is the one you have to ignore. It is simply a mindless, fact-defying -1 troll.

I mean, when you see after a quick glance that the author obviously did the research and ignored all the facts that didn't support his thesis, there's nothing you can tell him that will make him apologise, admit to a mistake or sth like this.

When you see additional rhetorical manipulations (e.g. things that are insinuated but not stated straight, guilt by association, or proof by analogy) you already know that the point of the article was purposeful manipulation.

For some people operating systems, computer vendors, open vs closed source, GPL vs BSD are religious matters and you don't want to get into discussing beliefs with a religious fanatic.

Robert

Still worthwhile. (3, Insightful)

Denyer (717613) | more than 10 years ago | (#8278915)

The writer of the article may never recant, but he can be highlighted as being an ignorant fool by a calm, intelligent rebuttal.

It's worth supporting things you believe in when the alternative is to let lies and FUD spread uncontested. It's particularly worthwhile for the benefit of those in the slightly wider audience who aren't generally informed about tech matters, and who might otherwise be swayed by rhetoric.

Diving in, head-first (0)

chance2105 (678081) | more than 10 years ago | (#8278830)

"When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get." I suppose he's one to pay for high-quality V|@gRa. :)

The answer to this is simply cognition (1)

Saint Stephen (19450) | more than 10 years ago | (#8278850)

In other words, people will get it in their own. It is easy for a casual observer to train him/herself up on the facts and make their own judgement about whether security efforts have gone into OSS, and whether they will pay off. Somebody just saying "ooh, watch out" might give them pause -- but they can experience it for themselves.

The facts will (or will not) speak for themselves.

My rebuttal :) (4, Insightful)

fucksl4shd0t (630000) | more than 10 years ago | (#8278851)

I realize I'm preaching to the choir, but here goes:

So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered).

And do closed-source companies that sell server software of any kind advertise when they themselves get breached? He raises the question of other undiscovered attacks, but he forgets to point out that Debian discussed its attack publicly because part of the open source model is "open". This same shit happens to closed source companies, they just don't tell anyone about it. The real question here isn't whether or not Debian was breached in undiscovered fashion. It's whether or not we'd even know if a closed organization was breached, and his question of the purity of the source code is even more pertinent to a closed organization than to an open one. That's what 'open' is all about.

Therefore, security problems for governments begin with knowing which distributions they can trust.

Security problems for governments exist because of negligence, for the most part. More below.

This (hopefully potential) problem isn't limited to open source software, but open source certainly has far fewer inherent barriers than commercial software. The easier it is to access the source code, alter it, and then recompile it for custom uses, the more likely that it will happen--and then you have no security. Any security checks performed on the software before the source is delivered are invalid.

Ok, he needs a lesson in reading comprehension, or he needs to hire a lawyer to interpret the GPL for him. Because as we all know, and love, the GPL requires that the source used to make the binary you have just distributed be made available to the person you gave it to. So let's say I fork RedHat and patch it with backdoors and crap. Then I sell it to, hmm, let's say the FBI, and they go to implement it. Since the FBI is well-known for security procedures (ha!), they decide they want to check the binary I gave them against the source I gave them. (Of course, I gave them the source without the patches) So they ask me what compiler I used, and what build tools I used, flags and so forth. I tell them. They compile the source I gave them and compare it to the binary, and I'm in trouble. I've committed copyright infringement, and we all know from years of FBI warnings what that means exactly. The simple fact is, he's trying to apply security policies that shouldn't be applied in an environment that requires the level of security he describes. What kind of FBI security policy would approve the use of open source without requiring it to be audited? Furthermore, what kind of government organization would purchase mission-critical software from a no-name company? Especially when there are a few reputable large companies available to give it to them.

He ignores the GPL quite blatantly here, and that is the government's insurance that the binary they run will be as secure as they can make it.

Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.

Most of this paragraph is doubly true about closed source companies because they are closed. An open company is subject to a great deal of peer review. Science has used a peer review model for centuries, and it has advanced pretty far, all things considered. Why is he so afraid of the peer review model, especially considering that there are quite a few fields that have proven it works?

He also ignores the fact that not just anybody can join an open source project and get write access to the sources. You have to prove your worth. I've been following several open source projects, and I still don't have write access to any of their repositories. While they seem to welcome my feedback (I haven't been kicked out, yet :) ), I still haven't proven myself. We're talking a scale of years here (I don't code very often, either). Open source projects don't just let any fool who comes along start injecting whatever code they want into the codebase. They're not sluts, which is what he's trying to say.

Switch it around. What do you have to prove to Microsoft to get a job with them? Or IBM? Does Linus just let anybody who says they work for IBM have write access to Linux?

I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected. I think such a scenario is far less likely than finding a group of people willing and able to create and market a malware open source distribution.

He is, however, naive enough to think that closed source companies better protect their source. Especially when all it takes is one disgruntled employee to leak it out to the whole world. Let's take a look at a different security scenario to get a better understanding of his philosophy.

An attractive woman is going to the grocery at midnight. She's in a new BMW, top-of-the-line, and so forth. She has a choice of two parking lots to park in. One is well-lit and everyone can see into it. The other one is pitch-black, and nobody can see into it. She doesn't want to get robbed or raped. Where is she going to park?

Well, if she's smart, she'll park in the open space where everyone can see her. A malicious person is far less likely to attack her if someone might see him doing it. And even if he does, it's possible that someone will see it and act upon it. There are lots of good people in this world who would step up to the plate and at least call the cops, even go out there bare-fisted if necessary to save the girl. I would, would you?

Obviously, the well-lit parking lot is the publicly accessible CVS server, where everyone can see everything that happens to it. And there are plenty of good people in this world who will take steps if they see someone maliciously using that server. How long would a coder last in Linux that's injecting malicious code into the kernel? He'd be thrown out in a heartbeat, as soon as it was learned that he was malicious. And with all the protection the kernel has (starting with Linus, including IBM employees, RedHat, et al) he'd be caught quickly.

Closed source companies are the dark parking lot, and if you have some data to protect, you'd be foolish to try to protect it in the dark parking lot.

Re:My rebuttal :) (2, Funny)

tigress (48157) | more than 10 years ago | (#8278875)

Anyone remember when the Windows Update servers got hit by Code Red? =)

M$ s/w's security depends on having good SysAdmins (0)

Anonymous Coward | more than 10 years ago | (#8278863)

It occurred to me recently that - if only because of the sheer quantity of security patches needed to keep Micro$oft gear "safe" (such as it is...) - it's got an inherent -human- vulnerability, ie on top of all the technical ones:

If the SysOp's effective dedication wanes, even for a week, eg due to illness, relationship glitches, or some sort of disgruntlement with the employer, the company's entire LAN may be at risk (ie, in a M$-based server facility... where "Which urgent security patch would you like to apply today?" is the rule, rather than the exception).

[One South Aussie company's IT guru stopped generating bills for their Clients to pay, ie so that he'd have more time to play the horses, ie at work & from elsewhere... using various flavors of database-based computer systems in an attempt to improve his odds... :-/ I doubt anyone has ever tested these programs, eg using -old- data, where results are known... or am I wrong? ;-) ]

Then there is the risk that some really urgent patch won't be available, eg, due to some [D]DoS or just a /. like effect of everybody needing to download it at the same time, soon after it gets released.

We've had to make a -few- patches & upgrades to our e-Smith (now SEM Server) boxes, but nowhere near as many as we're "offered" by Micro$oft...)

On the other hand, -our- risk is that we might get lazy... and assume that our Linux-based boxen are OK when there's a new vulnerability that might affect them.

Six of one, half-a-dozen of another (3, Insightful)

andih8u (639841) | more than 10 years ago | (#8278866)

It really doesn't matter if it's open source or closed source. The weakest part of any system will always be the person attached to the keyboard.

Blaster was a big problem because no one can be bothered to download a patch.
The MS source code was leaked because no one could be bothered to download a patch.

Feeding trolls... (3, Interesting)

yoshi_mon (172895) | more than 10 years ago | (#8278869)

To be quite honest I never gave that DevX troll any thought. But apparently /. seems to feel that this very poorly written piece of work deserves not one but two front page stories. So be it. (I sure hope to hell that OSDN is not getting any cash from those losers. It would really ruin my day.)

Bottom line for me is that FUD is FUD is FUD is FUD. There are several ways to combat it and one of them is to just let those that want to FUD away while we continue to build, create, use, and accept that OSS is a good thing for everyone. Those with small minds are scared, good. I don't want those people involved with me and it makes me actually feel good when I see that they have to resort to such lies and FUD to try to defend what they see as "the only way".

I read a comment here the other day about how someone viewed OSS OSes as the ultimate capitalist leveling field. By making not only the hardware but the base software, the OS, open you then allow everyone to create things as they wish and without any strings. They can even make them closed source if they so wish, but the hooks, protocols, and standards are open such that you can make the software work correctly, regardless of platform.

As has been cited here many times, MS has not even given that freedom to its programmers with its lack of API documentation in addition to its lack of standards (unless you think that they are alone in being able to set them. Go away then, you shill.) and numerous changes in even their own types of file standards. (Why do MS Word docs have to change so often? Hello, forced upgrades.)

I really could care less about such FUD from some lame ass website that I personally have never visited or even heard of until reading the initial /. article. They can go toil in obscurity imo and we are ill served by even giving them the time of day.

not far-fetched, eh? (0, Redundant)

saforrest (184929) | more than 10 years ago | (#8278870)

Much more likely is that distributions will be [...] created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

Oh no! Linux is funded by Al Qaeda!

This ridiculous hysteria, more than anything else, shows how much this is just propaganda. Cut-rate contractors who code for low-budget government agencies already exist; why would a closed-source one be any more trustworthy than an open-source one?

If your quality control and background checks on outside contractors are so terrible that cut-rate Linux distributors could put in backdoors, why would you not have this problem with a bunch of contract VB coders? Especially since, in the latter case, they may only ever give you a compiled binary.

this is tiring (5, Insightful)

CAIMLAS (41445) | more than 10 years ago | (#8278880)

It's like fighting a war where we simply re-win the same outpost over and over again, and never make progress. Why?

Because the damned fools think that they're making a valid argument when they're simply spitting out the same FUD over and over. Now, if they were to refute previously made refutations, further argument could be made.

However, that would require them to be able to find something to refute our arguments with. Essentially, "Your guns are too big, so we'll back down and make this point again later." Urg.

I have problems - so do you. (1)

ehack (115197) | more than 10 years ago | (#8278889)

Yes, MS has serious security issues. Does this mean no one else has any problems ? For every exploit known to the script kiddies, how many in Linux known to the people who exploit for a living ? Does no one remember that even rootshell.org got ownzored ?

"Many Eyes" never actually proven to work (0, Interesting)

Anonymous Coward | more than 10 years ago | (#8278890)

In fact attempts to prove it have backfired:

Linux security site abandoned

Is Linux security good enough or does no-one actually care?

http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=971

It seemed like a good idea at the time. Set up a website that allows users and developers alike to check which pieces of Linux code have been checked for security holes. The project, dubbed Sardonix, was a classic open source solution to a clear problem.

The scheme's originator Crispin Cowan, chief research scientist at WireX Communications, said: "Auditing is needed not just because some developers refuse to read, or follow such standards, but also because humans make mistakes and may fail to completely, or correctly, follow all rules perfectly."

Yet few became involved because, according to Cowan, there's no glory in auditing security holes.

Funded initially by the US defence establishment body Defense Advanced Research Projects Agency (DARPA), the research grant aiming to centralise what was, and remains, a fairly loosely structured review process dried up nine months ago.

The plan was that volunteer code auditors would be ranked according to the volume of code they examined and the number of security holes discovered. Points would be lost if holes were subsequently discovered in code passed as clean.

But, said Cowan, "I got a great deal of participation from people who had opinions on how the rankings should work, and then squat from anybody actually reviewing code."

Cowan added: "The Bugtraq model is: find a bug, win a prize - a modest amount of fame," says Cowan. "Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code. It seems the Sardonix lesson is people don't want to play this game, they want to play the Bugtraq game."

Some have commented that few people can both code and have sufficient expertise to spot buried security bugs for no reward, while others moot a lack of visibility and marketing as the reason for the site's demise.

Only 22 pieces of code are listed on the site as having been audited, 14 as unaudited.
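The ranking scheme the article sketches (credit for volume reviewed and holes found, a penalty when a hole later turns up in code an auditor passed as clean) is concrete enough to write down. The following is an added illustrative reconstruction, not Sardonix's own code; the point weights, the penalty rule, and the audit records are all assumptions made up for the example.

```python
"""Illustrative Sardonix-style auditor ranking (added example, not Sardonix code).

Auditors earn credit for lines reviewed and holes reported, and lose credit
when a hole is later found in a package they signed off as clean.  The
weights below are assumptions; the page gives no actual formula.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights (not from the page).
POINTS_PER_KLOC = 1.0           # credit per 1000 lines reviewed
POINTS_PER_HOLE = 10.0          # credit per hole the auditor reported
PENALTY_PER_MISSED_HOLE = 25.0  # debit per hole later found in "clean" code


@dataclass(frozen=True)
class Audit:
    auditor: str
    package: str
    lines: int
    holes_found: int     # holes the auditor reported in this review
    passed_clean: bool   # auditor declared the package free of holes


@dataclass(frozen=True)
class LaterHole:
    package: str         # hole discovered after the package was passed as clean


@dataclass
class Score:
    reviewed_lines: int = 0
    holes_found: int = 0
    missed_holes: int = 0

    def points(self) -> float:
        return (self.reviewed_lines / 1000 * POINTS_PER_KLOC
                + self.holes_found * POINTS_PER_HOLE
                - self.missed_holes * PENALTY_PER_MISSED_HOLE)


def rank_auditors(audits, later_holes):
    """Return [(auditor, points)], best first; ties broken by name."""
    scores = defaultdict(Score)
    clean_by = defaultdict(set)   # package -> auditors who passed it as clean
    for a in audits:
        s = scores[a.auditor]
        s.reviewed_lines += a.lines
        s.holes_found += a.holes_found
        if a.passed_clean:
            clean_by[a.package].add(a.auditor)
    for h in later_holes:
        # Everyone who signed the package off as clean is penalised,
        # which is the rule the article describes.
        for name in clean_by.get(h.package, ()):
            scores[name].missed_holes += 1
    return sorted(((n, s.points()) for n, s in scores.items()),
                  key=lambda t: (-t[1], t[0]))


# Constructed sample records (hypothetical auditors and packages).
SAMPLE_AUDITS = [
    Audit("alice", "libfoo", lines=20000, holes_found=2, passed_clean=False),
    Audit("bob",   "libbar", lines=50000, holes_found=0, passed_clean=True),
    Audit("carol", "libbaz", lines=5000,  holes_found=1, passed_clean=False),
]
SAMPLE_LATER_HOLES = [LaterHole("libbar")]   # someone else finds a hole in libbar


if __name__ == "__main__":
    print("before the libbar hole:", rank_auditors(SAMPLE_AUDITS, []))
    print("after the libbar hole: ", rank_auditors(SAMPLE_AUDITS, SAMPLE_LATER_HOLES))
```

Run as a script, the ranking shows bob on top for sheer volume until a hole surfaces in the package he passed as clean, at which point alice, who reviewed less code but reported real bugs, overtakes him. That is exactly the incentive the article says nobody wanted to play for.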

missing the point? (1)

geoff lane (93738) | more than 10 years ago | (#8278918)

In theory the "many eyes" that can see open source will detect security problems. In practice it doesn't happen that way. The reason that open source code is more secure than closed source is that the designers and authors care more about their code as they KNOW it will be made public and they value their public reputation -- it's the same as a John Grisham making sure there are no speling errers in his books. Additionally, in the Linux world they don't have to make security compromises suggested by some marketing department droid.

When security is designed in from the beginning it's far harder for a trivial hack to open up a computer to the world.

The question (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8278919)

The security question should not be:

Closed or open source?

It should be:

Who do I want to trust? What project has a good reputation (OpenBSD maybe).

Tight control of source (1)

webmilhouse (694316) | more than 10 years ago | (#8278927)

Too bad I can't use my mod points to mod Russel's article -1 Flamebait. A ridiculous article. Most source in an open source model is tightly controlled by a few people who review code changes submitted by others. Thus, the basis of his entire argument is false.

Don't you mean... (1)

Jebediah21 (145272) | more than 10 years ago | (#8278929)

...too stupid to ignore? Judas Priest on a pony, this is the same stuff that has been refuted time and time again.

Microsoft Isn't Closed Source (as such) any more (5, Interesting)

mattyrobinson69 (751521) | more than 10 years ago | (#8278941)

In light of what happened this week (NT4 and Win2k's source being leaked, and therefore much of XP and Longhorn), Microsoft can't claim that their source isn't available to 'bad people' any more. My friend downloaded the source himself a couple of days ago; I didn't have a look because, to be honest, I don't care. Microsoft's source being available is far worse for security than Linux/BSD etc. source being available, because Microsoft chose "security through obscurity" and OSS OSes don't. Since NO firewall/virus scanner can protect you from holes in services that are supposed to run (MSN Messenger, for example [was that leaked?]), there's going to be some bad stuff happening this week to companies running Windows. Hopefully, this will give them reason to choose a more secure platform next time they change software, instead of just upgrading to the latest Windows.

Great Security Article (2, Informative)

mrmdls (684047) | more than 10 years ago | (#8278955)

For those who want a great look at security, both in a closed source and an open source OS, take a look at the March issue of Linux Magazine: Stephen J. Vaughan-Nichols' article "Security is a Process, not a Product". Mr. Vaughan-Nichols writes, quite correctly, that security is every user's job, and that as Linux gains in popularity so does the threat of security concerns.

good response (2, Insightful)

tacocat (527354) | more than 10 years ago | (#8278958)

I'll skip the comments about how incorrect the original article is and leave it to the response's comments about fundamental misconceptions of Open Source. But the response is really an excellent read, well thought out and showing a solid example of classical debate rebuttal.

Kudos for writing an article that the same audience that will believe DevX would understand as well. Too often the response to such articles is written to an entirely different audience and on such a technical plane that those who read, and believe, the first article are oftentimes entirely incapable of understanding the second article. It's not their fault; they are not CSE types by any stretch.

All the arguments made for open source.... (0)

jhoegl (638955) | more than 10 years ago | (#8278993)

can be made for the "closed source" community. At least with open source, you have the chance of seeing malicious or bugged code. How much spyware/adware/malware is out there now? Point proven.

XBox rules!! (0)

Anonymous Coward | more than 10 years ago | (#8278999)

first post!!! you lame assholes... I can post first because my XBox is an American product and my pride in my great country and my great XBox accelerate everything...

If only they would make games for that bitch... I've played Metroid Prime and it ruled... I hope M$ will buy those Japanese bastards and port Metroid to my great American console system!!!

Join the fun!!! [slashdot.org]

How would anyone know? (2, Insightful)

Brainix (748988) | more than 10 years ago | (#8279006)

"...Because anyone can create and market-or give away-a Linux distribution, there's also a reasonably high risk that someone will create a distribution specifically intended to subvert security. And how would anyone know?"

I would know by viewing the source code [fsf.org].

One thing missed in the rebuttal. (2, Informative)

SharpFang (651121) | more than 10 years ago | (#8279017)

Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public. Therefore, security problems for governments begin with knowing which distributions they can trust.

GPL forces distributors to provide source code to their customers. Then the government is free to (and should) post the source for public audit. They can (and should, even for performance's sake) recompile the binaries from the code provided. So...?

I think this guy didn't read the GPL.

Complacency (1)

Alain Williams (2972) | more than 10 years ago | (#8279043)

Although I agree with the majority of the comments to this article I am glad that Mr Russell Jones wrote his article. Why ?

One big problem that the open source community faces is that of complacency -- i.e. knowing that we are: better, more secure, ...

What we know may well be true, but it will not remain true if we relax, content in the warm glow of our superiority. To remain ahead needs continuous awareness of the issues, which, in the case of security means a constant paranoia prompting reassessment of procedures, possible risks, etc.

There have been articles like that of Mr Russell Jones before; I hope that they keep coming just to remind everyone to keep on their toes.