AnimeSuki Forums

2007-09-06, 06:15   #1
felix
sleepyhead
*Author
 
 
Join Date: Dec 2005
Location: event horizon
Security: Open Source Vs. Closed Source

Topic: Which is safer to use for the average non-g33k user.

Because of the nature of the topic, let's not go further than offering personal creative opinion on the matter.
I think we can all agree that for this sort of topic debating is pointless and a waste of time.

So please keep your comments more general and avoid (as much as possible) directing them at other members here.

----------------------------------------------
Relevant Quotes:

I'm aware there's more in those quotes than is relevant to this topic, but since it's a very short conversation I quoted everything for consistency.

Quote (originally posted by WanderingKnight):
PS: @Cats. I know Opera is good, but the fact that it remains closed source bothers me. And now I'm just too used to the Firefox way of rendering... I know that, in terms of speed, they come close, but since FF holds on a bit and then displays everything at once (unlike Opera which renders by pieces) it just gives me the 'feeling' of it being a bit faster... or at least I'm more comfortable with having the whole page load at once.
Quote (originally posted by Cats):
The fact they're closed source doesn't mean they're some cheapo company.
And if they were OSS it wouldn't make them better.

In the OSS world the most popular team wins... not the best team. If say Opera became OSS, Firefox would just steal their code. Then you would see people from Op migrate to FF, and eventually, Opera would die out. And what good did all that do: the original developers and vision was lost in favor of making it OSS, yay!

But you could say: it's OSS now so everyone can pick up where they left. But then, if "everyone" could pick it up so easily browsers like Firefox would already be the fastest...

I agree making OSS things that aren't available in any form, is a good thing...
But for some things, I'd rather have them in good hands and damn closed source.
Quote (originally posted by WanderingKnight):
Ah, the old OSS vs proprietary software discussion? Well, IMO if something is open source there's no actual stealing involved... there's just copyright infringement if you don't attach the original copyright notice. The only "illegal" act I would consider is merging open source code in a proprietary binary blob without providing the GPL notice or a means of acquiring the source on petition.

OSS just guarantees you that the software will be developed to solve a need, and that the software will do no tricky stuff to your PC. So, as long as there are needs that need (duh!) to be provided for, the software will keep moving forward. And of course there's all the trust issues (though I'm not distrusting the Opera developers) regarding closed source software. Just a matter of principles on this point.

Besides, from an objective point of view, OSS is certainly the best (theoretical) method of improving the software. Theoretically speaking, of course.

Whatever, I don't feel like railing the thread offtopic any further
2007-09-06, 06:17   #2
felix
sleepyhead
*Author
 
 
Join Date: Dec 2005
Location: event horizon
Relevant To Last Quote Above...

OSS guarantees it will be 'tinkered with' not developed. It's generally not the community that develops it, but the small charity organisation or company who needs support and publicity. It's like with lurkers/active members on forums... You don't see the people that just care it's anime (analogy: OSS) contributing, but the small groups of people who care for the little things and implications.

Closed source programs backed by small companies like Opera are very unlikely to have anything close to malicious or spyware. It's an established company; it can't afford to be burned by legal retaliation from even claims along those lines.

OSS, on the other hand, is far riskier. Any moron has a chance of slipping some malicious code in there without any sort of legal repercussions. Worse, in the OSS world, there is no concept of good/wrong; everything's a "feature".

Basically in an OSS you could insert some code along the lines of: "It's scanning the contents of all your hdd and partitions to see if your choice of scratch disks was appropriate, and sending back the relevant information." Since OSS is generally meant to be used with other OSS, the developers may not even have any malicious intent when doing this...

I'll give an easy-to-test, easy-to-understand example of the kind of thinking above.
Wordpress (hereafter "Wp") is a leading blogging CMS and quite popular these days. But it has a very interesting "feature".

Wp will actually change the formatting in your post without warning.

Wp has a Visual (WYSIWYG) editor, and no, all this format manipulation isn't for it (that passes through other filters before entering the database). The actual code auto re-edits are done whenever it exits the database. Ain't it cool, it does a few hundred tests on the server every time someone requests a page. But wait, it gets better...

What the little piece of crap does is replace your formatting with what it thinks is the right thing (just like FrontPage). The most common issues are: missing line breaks, style distortion (you type <div id="x"></div> and it turns it into <p id="x"></p>), random "<p>" (yes, no </p> to be found) inserted out of the blue... etc.
Wordpress Source: http://wordpress.org/download/
Relevant File: /wp-includes/formatting.php
In the example above you actually see the effect. But let's say it's Firefox. Who has checked what data is transmitted, when it's transmitted and to whom it's transmitted by those two default plugins? Even though it's OSS you can't be sure it's not doing something you wouldn't want behind your back.

And I like to think that, because it's OSS, it's more likely to do it, since it has the "we are an uncentralised charity organisation" shell to retreat to.
2007-09-06, 08:57   #3
Loniat
Paranoid Android
 
 
Join Date: Dec 2005
Location: Wherever you go, there you are
Quote:
Closed source programs backed by small companies like Opera are very unlikely to have anything close to malicious or spyware. It's an established company; it can't afford to be burned by legal retaliation from even claims along those lines.
Several small companies have used malware/spyware in their products. Why do you think this problem escalated so much in the past few years? Do you see any open source code with spyware? Do you see closed source programs with spyware?

Quote:
OSS, on the other hand, is far riskier. Any moron has a chance of slipping some malicious code in there without any sort of legal repercussions. Worse, in the OSS world, there is no concept of good/wrong; everything's a "feature".
How many times has someone "slipped" malicious code into open source programs? If this happens, the community or code maintainer can easily identify it and roll back to a previous version.

Quote:
I'll give an easy-to-test, easy-to-understand example of the kind of thinking above.
I believe your example would probably fit better into a "bad coding" case (if it even fits), although I don't use WP and can't say anything about it. Even so, isn't it nice that you can verify for yourself what the program is doing just by looking at the files you mentioned? Of course, if you don't know anything about coding, it doesn't matter if it is open or closed source; you are just as clueless and vulnerable...
2007-09-06, 09:47   #4
grey_moon
Yummy, sweet and unyuu!!!
 
 
Join Date: Dec 2004
OSS or CSS in terms of security for an average user? Wow, great topic.

First let me start with the statement "I am totally against the idea of security through obscurity" (in most cases, ofc hiding your password is a good thing). In terms of building secure systems, using a good framework and good practices from ground up is the most important thing.

OSS does not guarantee better security for the user; it gives an option for transparency if a person so wishes and is skilled enough to check the code and compile it themselves.

This does mean that popular software will most likely be vetted and if something is wrong with it, it would be quickly highlighted and dealt with.

With CSS there is no option to do this; it is based fully on trust in the company (Microsoft with their Genuine Advantage thing is a good example of misplaced trust, as is Sony's rootkit DRM).

Now an important aspect of user security with regards to OSS isn't really to do with protecting your data from bad guys, but protecting the fact that you are able to access your data a few years down the line. When I deal with IT people, the ones that impress me the most are the ones who understand that.

With CSS, if the software producer decides to no longer support a file format, or goes bust, then there is a chance you will no longer be able to access your data. With OSS this may not be an issue, as long as someone is willing to pick up the application.
2007-09-06, 10:01   #5
felix
sleepyhead
*Author
 
 
Join Date: Dec 2005
Location: event horizon
Regarding what Loniat said above,

Who exactly is checking OSS code for spyware!? Security risks don't pop up because someone placed them there, but because at some point someone or some group thought it was ok to do it like that. What may be a security risk for you and me may be acceptable for the developers.

In the end it's still the main group who decides. I can go and make a version of OSS program B that fixes some issue; it doesn't mean my version will even be heard of by the mainstream audience.

That said, presuming they are the evil spyware bunch, who exactly checks the compatibility between the program they give us and what they call "its source"?

As I see it OSS only guarantees sharing. And its use is in expanding software ideas and innovation.
  • There is no guarantee the people making it and distributing it are angels.
  • There is no guarantee they aren't totally biased to security.
  • There is no guarantee they didn't insert things you don't want.
  • There is no guarantee things will get fixed if someone points them out.

Just being OSS doesn't exactly put it in the hands of the community. Sure you can provide code snips with your contribution, but the system's not a wiki, at least not for the more known projects. There is a plan and there is a team. If the project leaders don't want to fix it, it's gonna stay broken, no matter how hard the community pushes. Just like with closed source.

Extensions, Plugins and the like are valued precisely because of this. For example for FF 3.0 the Restart Firefox option was added in the File menu. But an extension has been there for years, and it's such a simple idea and easy to implement. ~

2007-09-07, 20:27   #6
Epyon9283
Geek
 
 
Join Date: Dec 2005
Location: New Jersey
Age: 40
I think OSS can be more secure. Generally if someone from the community submits code to a project, they don't just check it into CVS. They give it to someone who has access and then they (hopefully) review the code and merge it in.

OSS projects generally have a more transparent process of reporting, discussing, and fixing security issues. MS for example gets vulnerabilities reported all the time. They ask the reporters not to disclose it publicly and then they fix it when they feel it's appropriate. Just because the public doesn't know about the vulnerability doesn't mean it's not there.

Another reason: say, for instance, that someone finds and publicly discloses a vulnerability in a closed source piece of software. There are no patches yet. The company is slow to respond. Users can't get a fix quickly.
In a Linux distribution (for example) the distributor can quickly patch the third party software as soon as a patch is written. A new version of the app is then pushed out via the package management utility. They don't have to wait for the vendor of the app to fix, test, then patch the vulnerability.
2007-09-07, 20:40   #7
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
OSS doesn't guarantee you per se that there isn't going to be any kind of malicious code inserted in the source. However, it does guarantee you that, even if you don't know code, other people that know code can check it for you. Of course, you can't trust every piece of OSS going out there... but then you have things like the Debian repositories, in which every single piece of code is checked for malware. Every single one.

When I said I preferred Firefox's Open Source system to Opera's proprietary system, my take was mainly a philosophical one (ie, I firmly believe every piece of software out there should be open source). When I've got two tools to do the same job (web browsing, in this case) I'll always prefer the OSS one. Opera is a really really great browser, and maybe better than FF in several aspects... but still, I prefer the code on the software that I use to be open. In fact, if I had a USB music player that supported OGG, I'd have converted my whole music library to that open format already.
2007-09-08, 01:20   #8
Dkong1026
Senior Member
 
Join Date: Aug 2007
Age: 33
I really don't think Firefox would go and steal Opera's code. Considering they use totally different rendering engines, Opera's being far inferior... it wouldn't make sense.

Either way, open source FTW.
2007-09-08, 02:43   #9
hobbes_fan
You could say.....
 
 
Join Date: Apr 2007
Depends on the situation. No way in hell do I want my banking/financial institutions to be using OSS for their front end Internet banking/share trading.
They can use OSS all they want for back office stuff.

Your average day-to-day use Open Source is great. I'd have stuck with Linux but unfortunately no Dolby Digital Live support (closed source) broke the deal.
2007-09-08, 03:26   #10
ImperialPanda
Senior Member
 
Join Date: Dec 2005
Location: US
Quote (originally posted by Cats):
Topic: Which is safer to use for the average non-g33k user.
For the non-geek user the difference is so minuscule that it really does not matter.

Your chances of getting a virus when you're using internet explorer might be 0.002% and then it becomes 0.00198% because you switch to firefox. The whole issue is only an issue for two purposes. 1) It's a marketing bullet. 2) People get obscure non-mainstream stuff to be more "cool".
2007-09-08, 08:21   #11
Epyon9283
Geek
 
 
Join Date: Dec 2005
Location: New Jersey
Age: 40
Quote (originally posted by hobbes_fan):
Depends on the situation. No way in hell do I want my banking/financial institutions to be using OSS for their front end Internet banking/share trading.
So you're basically limiting yourself to Banks that use Windows/IIS to serve their web pages?

My one bank uses Solaris (which was open sourced) web servers and my other bank uses Linux. Oh noes.
2007-09-08, 08:31   #12
grey_moon
Yummy, sweet and unyuu!!!
 
 
Join Date: Dec 2004
Quote (originally posted by hobbes_fan):
Depends on the situation. No way in hell do I want my banking/financial institutions to be using OSS for their front end Internet banking/share trading.
They can use OSS all they want for back office stuff.

Your average day-to-day use Open Source is great. I'd have stuck with Linux but unfortunately no Dolby Digital Live support (closed source) broke the deal.
I know of at least one that does. They actually won't use any CSS products on their core systems. Their reasoning behind it is that they have the money to employ people who are capable of tearing the code apart. They keep it in-house because they have full control over the code. I would imagine MS would have something to say about a company taking their products apart and rebuilding them.

But the thing is, I don't believe they release their changes, so in essence it becomes CSS.
2007-09-08, 09:19   #13
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Quote (originally posted by Cats):
As I see it OSS only guarantees sharing. And its use is in expanding software ideas and innovation.
There is no guarantee the people making it and distributing it are angels.
There is no guarantee they aren't totally biased to security.
There is no guarantee they didn't insert things you don't want.
There is no guarantee things will get fixed if someone points them out.
First, there's no guarantee that Microsoft hasn't inserted some kind of back door that the National Security Agency requested to gain access to computers, either.

Taking off my tin-foil hat now, I think these comments represent something of a misunderstanding of the nature of many security problems. Most vulnerabilities arise from poor programming methods, not from malevolence on the part of the programmers. I subscribe to the SANS vulnerability list, a weekly e-mail listing newly-discovered vulnerabilities. Many of them look like this one for the Novell Netware client taken from this week's mailing:

Quote:
Description: The Novell NetWare Client for Windows, used to provide access to Novell NetWare services on Microsoft Windows systems, contains multiple vulnerabilities. This client exports multiple Remote Procedure Call (RPC) interfaces. Failure to properly handle values passed to several of these interfaces can lead to buffer overflow vulnerabilities. A specially crafted RPC request could exploit these vulnerabilities and allow an attacker to execute arbitrary code with the privileges of the vulnerable process. No authentication is required to exploit these vulnerabilities.
Note the phrase "failure to properly handle values passed...could lead to buffer overflow vulnerabilities." Buffer overflows continue to be one of the most prevalent security flaws and are the result of failure to check inputted values for length and consistency. These are exactly the kinds of problems that are more visible in open-sourced software since you can determine right away if correct bounds-checking and other programming issues are handled correctly.

I do think the "many eyes" theory of why open-source is more secure has merit, but I also think it's become too much of a mantra. I think Cats is right that much open-sourced software is not scrutinized all that carefully, but I don't think that's so true for major projects where the development process is centrally managed. Remember also that many of the contributors to the major projects are working in places like IBM, Novell, RedHat, and the like. They're not just some kid down the block who enjoys hacking in his spare time.

Finally, the closed-source approach guarantees that no one other than the product's developers will be able to find, and more importantly fix, security issues in that software other than by brute-force methods. Open-source at least leaves open the possibility that problems can be identified, and fixed, by third-parties.
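The advisory's phrase "failure to properly handle values passed" to an RPC interface is the pattern the post is pointing at, and it is the kind of thing a reader of the source can check line by line. Below is an added example, not code from this thread or from Novell: a constructed toy request format (opcode byte, declared length byte, name bytes, all assumed for this example) parsed once with the declared length trusted and once with the bounds checks a code reviewer would look for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format, assumed for this example only:
 *   byte 0   : opcode
 *   byte 1   : declared length N of the name field
 *   bytes 2+ : N bytes of name
 */
#define NAME_MAX 16

typedef struct {
    uint8_t opcode;
    char name[NAME_MAX];
} request_t;

/* The defect the advisory describes: the length sent by the peer is trusted,
 * so a declared N larger than NAME_MAX (or larger than the packet) writes
 * past out->name. Shown only as what a reviewer would flag. */
int parse_request_unchecked(const uint8_t *msg, size_t msg_len, request_t *out)
{
    if (msg_len < 2)
        return -1;
    size_t n = msg[1];
    out->opcode = msg[0];
    memcpy(out->name, msg + 2, n);   /* n is never compared with NAME_MAX or msg_len */
    out->name[n] = '\0';
    return 0;
}

/* Hardened version: the declared length is checked against both the
 * destination buffer and the number of bytes actually received. */
int parse_request_checked(const uint8_t *msg, size_t msg_len, request_t *out)
{
    if (msg == NULL || out == NULL || msg_len < 2)
        return -1;                   /* too short to carry a header */
    size_t n = msg[1];
    if (n >= NAME_MAX)
        return -2;                   /* would not fit, leaving room for the NUL */
    if (n > msg_len - 2)
        return -3;                   /* declared length exceeds the packet */
    out->opcode = msg[0];
    memcpy(out->name, msg + 2, n);
    out->name[n] = '\0';
    return 0;
}

int main(void)
{
    request_t r;
    /* Constructed sample packets. */
    const uint8_t ok[]    = { 0x01, 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t huge[]  = { 0x01, 200, 'x', 'y' };   /* length > NAME_MAX */
    const uint8_t lying[] = { 0x01, 10, 'a', 'b' };    /* length > packet size */

    int rc = parse_request_checked(ok, sizeof ok, &r);
    printf("ok:    %d (%s)\n", rc, r.name);
    printf("huge:  %d\n", parse_request_checked(huge, sizeof huge, &r));
    printf("lying: %d\n", parse_request_checked(lying, sizeof lying, &r));
    return 0;
}
```

On a well-formed packet both parsers return the same result, which is exactly why the missing check is invisible from the outside and only shows up when someone reads the code.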
2007-09-08, 09:32   #14
grey_moon
Yummy, sweet and unyuu!!!
 
 
Join Date: Dec 2004
Just spoke to my friend who works for a banking institution (who deals with the OSS software I mentioned earlier). He says they actually do release fixes back to the community even though they are not required to. They use their products in-house so don't need to release the changes they make.
2007-09-08, 15:06   #15
Dkong1026
Senior Member
 
Join Date: Aug 2007
Age: 33
Quote (originally posted by ImperialPanda):
Your chances of getting a virus when you're using internet explorer might be 0.002% and then it becomes 0.00198% because you switch to firefox.
Depends on what types of sites you go on....
If you like to browse porn sites, the chances are more like 50% in IE and .003% in Firefox.
Or if you like to click around your google search results. Odds are at least a few of the sites will have a crapload of popups or some malware that automatically installs on your computer. In that case it'd be like 70% IE and 1% Firefox.

But yeah, for safe sites like anime suki, google, yahoo, etc...it's like 1% IE, .05% Firefox.
2007-09-10, 15:59   #16
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 66
As Seiji notes, the "many eyes" philosophy is what keeps OSS software relatively more secure than closed source. Transparency. Microsoft has so many issues with poor coding practice, poor testing, and unintentional feature synergies that it gets its own research sections in community security reports. Other less pervasive closed source packages aren't as lucky. A few trained eyeballs looking over any system versus hundreds of trained eyeballs has been demonstrated over and over to be less successful especially when the version control system is transparently defined and managed.

Some of the assertions presented here make my head hurt, but rather than waste my time, I'll just say if you aren't subscribed to and reading SANS and RISK, do professional security work, or keep up with the writings of people like Bruce Schneier, then you probably don't have a very clear idea what you're talking about.

Most software, closed or open, has its purpose and contains risks and benefits. Understanding what those are and doing the trade-off analysis determines what you use and how you connect them together... and what your battle plans are.
2007-09-11, 23:13   #17
GundamZZ
残念美人
 
 
Join Date: Oct 2004
From the business standpoint, the people factor matters, as long as code typists are committed to keeping the software up to date. Some software vendors went out of business, and their clients suffered. Because those vendors didn't reveal their code, their clients had difficulty migrating data to the new environment. Even if there's an industry standard, some big vendors still like to pioneer their own way, because they think they can do better. It's usually not the case. Their software can still be exploited without revealing its code. Even when the exploit is discovered, they still keep it low profile without trying to fix it. Big vendors also use their resources to threaten people who try to inform the public of the security risks. Of course, the consumer pays for those legal fees.

Most open source projects have a tendency to update frequently. After all, security is not an end-all solution; it's an ongoing process. They are open to anyone. Even MS is said to use BSD code to stabilize its XP system.

The main concern for business is who's going to be reliable for the open source, since it's contributed by anybody. The Apache project set up legal counsel (which has nothing to do with the coding) to address this issue.

The moral is that when you obtain software, with or without financial expense, the software is becoming obsolete.