The Myth of Open Source Security

[smith at missioncriticallinux.com (Jeffry Smith)]

On Thu, 1 Jun 2000, Jesse Noller wrote:

> 	Number 2: I do not install anything on a mission critical system i
> have not personally reviewed, and checked the track record on. There are
> many sites which archive every vulnerability for just about any piece of
> software out there. It is the designer's/admin's responsibility to check
> these sites for possible vulnerabilities of the software he/she is
> installing. To make the excuse "i don't have the time" or "the vendor should
> have gave me the patch" is, in and of itself, a denial of responsibility
> (What i call the DoR attack, commonly found in extremely large
> corporations).
> 
> 	Just my .0002 cents.
> 


I agree with the original artical that Open Source doesn't guarantee
security (look at the holes found in various packages), but it at
least ENABLES the review.

Basically, there are two options:
1.  Open Source - where many eyes CAN look for holes, including the
original author and me.  No guarantee, but the possibility.
2.  Proprietary - where only the author (& bad guys, cause they'll
reverse engineer, decompile, etc to find them) can look for holes.
Even worse, you can't tell if he looked for holes.  For those who say
that the act of finding holes for breaking is illegal, my response has
been:  yea, and if you're going to break the law anyway, are you
really concerned that planning the crime is illegal?

Given those two choices, I think I prefer the former.

jeff


> > -----Original Message-----
> > > For the sake of discussion, here is an interesting article 
> > on Open source security.
> > > 
> > > http://developer.earthweb.com/journal/techfocus/052600_security.html
> > 
> > While I think the article covers a lot of valid points, the 
> > open source
> > model gives anyone that wants to a chance to look for security
> > holes.  Even if no one looks at it and something slips 
> > through, in this
> > case, it still is a better model than not being able to see 
> > the code at
> > all and rely on shady developers to fix it for you.  Sure 
> > there will be
> > bugs, but at least open source allows for a mechanism of 
> > finding them and
> > fixing them quickly.  I'm still wondering why the author of 
> > the software
> > is so concerned with touting all the holes in his program and 
> > the flaws in
> > the open source model than fixing them himself.  It would seem rather
> > counter-productive.
> > 
> > Brian Conway
> > dogbert at clue4all.net
> > 

------------------------------------------------------------------------
Jeffry Smith      Technical Sales Consultant     Mission Critical Linux
smith at missioncriticallinux.com   phone:603.930.9379   fax:978.446.9470
------------------------------------------------------------------------
Thought for today:  Reality must take precedence over public relations, for Mother Nature
cannot be fooled.
		-- R.P. Feynman


-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).