2007-09-06, 06:15 | Link #1
sleepyhead
Author
Join Date: Dec 2005
Location: event horizon
Security: Open Source Vs. Closed Source
Topic: Which is safer to use for the average non-g33k user.
Because of the nature of the topic, let's not go further than offering personal creative opinion on the matter. I think we can all agree that for this sort of topic debating is pointless and a waste of time. So please keep your comments more general and avoid (as much as possible) directing them at other members here.

Relevant Quotes: I'm aware there's more in those quotes than is relevant to this topic, but since it's a very short conversation I quoted everything for consistency.
2007-09-06, 06:17 | Link #2
sleepyhead
Author
Join Date: Dec 2005
Location: event horizon
Relevant To Last Quote Above...

OSS guarantees it will be 'tinkered with', not developed. It's generally not the community that develops it, but the small charity organisation or company who needs support and publicity. It's like with lurkers/active members on forums... You don't see the people that just care that it's anime (analogy: OSS) contributing, but the small groups of people who care for the little things and implications.

Closed source programs backed by small companies like Opera are very unlikely to have anything close to malicious code or spyware. It's an established company; it can't afford to be burned by legal retaliation from even claims along those lines. OSS, on the other hand, is far riskier. Any moron has a chance of slipping some malicious code in there without any sort of legal repercussions. Worse, in the OSS world there is no concept of good/wrong, everything's a "feature". Basically in an OSS program you could insert some code along the lines of: "It's scanning the contents of all your HDDs and partitions to see if your choice of scratch disks was appropriate, and sending back the relevant information." Since OSS is generally meant to be used with other OSS, the developers may not even have any malicious intent when doing this...

I'll give an easy to test, easy to understand example of the kind of thinking above. Wordpress (hereafter "Wp") is a leading blogging CMS and quite popular these days. But it has a very interesting "feature". In the example above you actually see the effect. But let's say it's Firefox. Who has checked what data is transmitted, when it's transmitted and to whom it's transmitted by those two default plugins? Even though it's OSS you can't be sure it's not doing something you wouldn't want behind your back. And I like to think, because it's OSS, it's more likely to do it, since it has the "we are an uncentralised charity organisation" shell to retreat to.
2007-09-06, 08:57 | Link #3
Paranoid Android
Join Date: Dec 2005
Location: Wherever you go, there you are
2007-09-06, 09:47 | Link #4
Yummy, sweet and unyuu!!!
Join Date: Dec 2004
OSS or CSS in terms of security for an average user? Wow great topic
First let me start with the statement "I am totally against the idea of security through obscurity" (in most cases, ofc hiding your password is a good thing). In terms of building secure systems, using a good framework and good practices from the ground up is the most important thing. OSS does not guarantee better security for the user; it gives an option for transparency if a person so wishes and is skilled enough to check the code and compile it themselves. This does mean that popular software will most likely be vetted and if something is wrong with it, it would be quickly highlighted and dealt with. With CSS there is no option to do this; it is based fully on the trust of the company (Microsoft with their Genuine Advantage thing is a good example of misplaced trust, as is Sony's rootkit DRM).

Now an important aspect of user security with regards to OSS isn't really to do with protecting your data from bad guys, but it is protecting the fact that you are able to access your data a few years down the line. When I deal with IT people the ones that impress me the most are the ones who understand that. With CSS if the software producer decides to no longer support a file format, or goes bust, then there is a chance you will no longer be able to access your data. With OSS this may not be an issue, as long as someone is willing to pick up the application.
2007-09-06, 10:01 | Link #5
sleepyhead
Author
Join Date: Dec 2005
Location: event horizon
Regarding what Loniat said above,
Who exactly is checking OSS code for spyware!? Security risks don't pop up because someone placed them there, but because at some point someone or some group thought it was ok to do it like that. What may be a security risk for you and me may be acceptable for the developers. In the end it's still the main group who decides. I can go and make a version of OSS program B that fixes some issue; it doesn't mean my version will even be heard of by the mainstream audience. That said, presuming they are the evil spyware bunch, who exactly checks the compatibility between the program they give us and what they call "its source"? As I see it OSS only guarantees sharing. And its use is in expanding software ideas and innovation.
2007-09-07, 20:27 | Link #6
Geek
I think OSS can be more secure. Generally if someone from the community submits code to a project, they don't just check it into CVS. They give it to someone who has access and then they (hopefully) review the code and merge it in.
OSS projects generally have a more transparent process of reporting, discussing, and fixing security issues. MS for example gets vulnerabilities reported all the time. They ask the reporters to not disclose it publicly and then they fix it when they feel it's appropriate. Just because the public doesn't know about the vulnerability doesn't mean it's not there. Another reason is that, say for instance, someone finds and publicly discloses a vulnerability in a closed source piece of software. There are no patches yet. The company is slow to respond. Users can't get a fix quickly. In a Linux distribution (for example) the distributor can quickly patch the third party software as soon as a patch is written. A new version of the app is then pushed out via the package management utility. They don't have to wait for the vendor of the app to fix, test, then patch the vulnerability.
2007-09-07, 20:40 | Link #7
Gregory House
IT Support
OSS doesn't guarantee you per se that there isn't going to be any kind of malicious code inserted in the source. However, it does guarantee you that, even if you don't know code, other people that know code can check it for you. Of course, you can't trust every piece of OSS going out there... but then you have things like the Debian repositories, in which every single piece of code is checked for malware. Every single one.
When I said I preferred Firefox's Open Source system to Opera's proprietary system, my take was mainly a philosophical one (ie, I firmly believe every piece of software out there should be open source). When I've got two tools to do the same job (web browsing, in this case) I'll always prefer the OSS one. Opera is a really really great browser, and maybe better than FF in several aspects... but still, I prefer the code on the software that I use to be open. In fact, if I had a USB music player that supported OGG, I'd have converted my whole music library to that open format already.
2007-09-08, 02:43 | Link #9
You could say.....
Join Date: Apr 2007
Depends on the situation. No way in hell do I want my banking/financial institutions to be using OSS for their front end Internet banking/share trading.
They can use OSS all they want for back office stuff. For your average day to day use Open Source is great. I'd have stuck with Linux but unfortunately no Dolby Digital Live support (closed source) broke the deal.
2007-09-08, 03:26 | Link #10
Senior Member
Join Date: Dec 2005
Location: US
For the non-geek user the difference is so minuscule that it really does not matter.
Your chances of getting a virus when you're using Internet Explorer might be 0.002% and then it becomes 0.00198% because you switch to Firefox. The whole issue is only an issue for two purposes. 1) It's a marketing bullet. 2) People get obscure non-mainstream stuff to be more "cool".
2007-09-08, 08:21 | Link #11
Geek
My one bank uses Solaris (which was open sourced) web servers and my other bank uses Linux. Oh noes.
2007-09-08, 08:31 | Link #12
Yummy, sweet and unyuu!!!
Join Date: Dec 2004
But the thing is I don't believe they release their changes, so in essence it becomes CSS.
2007-09-08, 09:19 | Link #13
AS Oji-kun
Join Date: Nov 2006
Age: 74
Taking off my tin-foil hat now, I think these comments represent something of a misunderstanding of the nature of many security problems. Most vulnerabilities arise from poor programming methods, not from malevolence on the part of the programmers. I subscribe to the SANS vulnerability list, a weekly e-mail listing newly-discovered vulnerabilities. Many of them look like this one for the Novell Netware client taken from this week's mailing:

I do think the "many eyes" theory of why open source is more secure has merit, but I also think it's become too much of a mantra. I think Cats is right that much open-sourced software is not scrutinized all that carefully, but I don't think that's so true for major projects where the development process is centrally managed. Remember also that many of the contributors to the major projects are working in places like IBM, Novell, RedHat, and the like. They're not just some kid down the block who enjoys hacking in his spare time. Finally, the closed-source approach guarantees that no one other than the product's developers will be able to find, and more importantly fix, security issues in that software other than by brute-force methods. Open source at least leaves open the possibility that problems can be identified, and fixed, by third parties.
2007-09-08, 09:32 | Link #14
Yummy, sweet and unyuu!!!
Join Date: Dec 2004
Just spoke to my friend who works for a banking institution (who deals with the OSS software I mentioned earlier). He says they actually do release fixes back to the community even though they are not required to. They use their products in-house so don't need to release the changes they make.
2007-09-08, 15:06 | Link #15
Senior Member
Join Date: Aug 2007
Age: 33
If you like to browse porn sites, the chances are more like 50% in IE and .003% in Firefox. Or if you like to click around your Google search results. Odds are at least a few of the sites will have a crapload of popups or some malware that automatically installs on your computer. In that case it'd be like 70% IE and 1% Firefox. But yeah, for safe sites like AnimeSuki, Google, Yahoo, etc... it's like 1% IE, .05% Firefox.
2007-09-10, 15:59 | Link #16
Obey the Darkly Cute ...
Author
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 66
As Seiji notes, the "many eyes" philosophy is what keeps OSS software relatively more secure than closed source. Transparency. Microsoft has so many issues with poor coding practice, poor testing, and unintentional feature synergies that it gets its own research sections in community security reports. Other less pervasive closed source packages aren't as lucky. A few trained eyeballs looking over any system versus hundreds of trained eyeballs has been demonstrated over and over to be less successful especially when the version control system is transparently defined and managed.
Some of the assertions presented here make my head hurt, but rather than waste my time, I'll just say if you aren't subscribed to and read SANS and RISKS, do professional security work, or keep up with the writings of people like Bruce Schneier, then you probably don't have a very clear idea what you're talking about. Most software, closed or open, has its purpose and contains risks and benefits. Understanding what those are and doing the trade-off analysis determines what you use and how you connect them together.... and what your battle plans are.
2007-09-11, 23:13 | Link #17
残念美人
Join Date: Oct 2004
From the business standpoint, the people factor matters, as long as code typists are committed to keeping the software up to date. Some software vendors went out of business, and their clients suffered. Because those vendors didn't reveal their code, their clients had difficulty migrating data to the new environment. Even if there's an industry standard, some big vendors still like to pioneer their own way, because they think they can do better. It's usually not the case. Their software can still be exploited without revealing its code. Even when the exploit is discovered, they still keep it low profile without trying to fix it. Big vendors also use their resources to threaten people who try to inform the public of the security risks. Of course, the consumer pays for those legal fees.

Most open source projects have a tendency to update frequently. After all, security is not an end-all solution; it's an on-going process. They are open to anyone. Even MS is said to have used BSD code to stabilize its XP system. The main concern for business is who's going to be liable for the open source, since it's contributed by anybody. The Apache project set up legal counsel (which has nothing to do with the coding) to address this issue. The moral is, whether you obtain the software with or without financial expense, the software is becoming obsolete.