In an article comparing Windows to Red Hat, Microsoft recently used the following quote from former chair of the Apache security team Ben Laurie:
Although it
This entry was posted on August 27, 2007, 10:07 am and is filed under General. You can follow any responses to this entry through RSS 2.0. Both comments and pings are currently closed.
#1 by Pinar Y. on August 27, 2007 - 11:21 am
in fact it’s a strange point, that can vary from one situation to another..
yes, open source is the most secure platform (i cannot imagine any other system that is developed by thousands of people..). but that “open source secure” only encloses the best projects; like a famous distro, or a famous cms, or a music player, .. you guess.
but no, open source isn’t as secure as we think, when we talk about unknown, or less known projects.. because you control your code with fewer people, less development, .. any little bugs or security problems can blow your head..
hmm yeap that’s the point.
#2 by Frank Bolander on August 27, 2007 - 2:20 pm
I agree with you. Open Source/Closed Source means nothing with regards to security. The way I see it, contemporary security problems are because OS developers are trying to please the least common denominator in terms of a wider userbase, with good intentions and valid business reasons. “Easier use” becomes a target for the “average hacker” as you say. We still see the mainframe as the most secure of all animals but I’m pretty sure you wouldn’t call a mainframe session a “user friendly” experience. Patches nowadays seem to band-aid a hole instead of plugging it up.
I used to work for a military contractor where one guy used to say: “The only secure computer is one that isn’t connected”. An older security guy came back with “or turned off”. Insecurity is something I think we’re going to have to live with, open source or closed source.
#3 by Joshua Foster on August 27, 2007 - 2:50 pm
I agree that Open source is not “more secure”. I think it comes from a path of logic that has never been proven. It’s assumed to be correct because it sounds right.
Joshua
#4 by A-C on August 27, 2007 - 2:58 pm
You’re all missing the point.
The whole point is _how fast_ you get a fix for a security issue.
In the proprietary world, you can do nothing but wait for the company to release a fix ASAP.
ASAP sometimes means weeks or months. You *cannot* afford such delays when security matters.
In the open source world, anyone can access sources, which means that fixes might and will usually come within a day because there are enough skilled people around. Period.
Other arguments are irrelevant.
#5 by Cedric on August 27, 2007 - 3:06 pm
AC,
I think you’re missing an important point as well. Yes, the fix comes faster, but what does it buy you if days after the vulnerability and fix have been disclosed, hundreds of web sites start going down because they did not (or could not) apply that fix while hackers acted on the vulnerability right away?
A lot of systems in production simply cannot be patched as soon as such fixes are made available, and this is why the approach of “security via obscurity” works as well: because it makes the vulnerability obscure to users and hackers alike.
#6 by Paul Tyma on August 27, 2007 - 4:03 pm
August 27th, 2007 – Cedric has agreed that “security via obscurity” has value. I’ll remember this day 🙂
#7 by Pinar Yanardag on August 27, 2007 - 4:31 pm
A-C,
i think we’re talking about the same thing; when i talk about a well-known & famous open source project’s security, i mean how many coders are around it. if there are at least 100 good hackers (or less or more, just an example) around your code, they can find and fix bugs easily and early.. but if you’re not well-known, i cannot trust your project’s security with 3 developers.. a hacker comes, looks through your code, finds and uses it.. if you don’t have a well-covered community; who can hear it? who can help? so you simply die. that’s the point i’m talking about.
and Cedric,
of course first step of security is the physical security of your machine 🙂
i agree with the guy who said the most secure computer is a turned-off computer. because you can monitor an unconnected computer with ray technologies as well.
and i thought about your last words: “we’re going to have to live with open source or closed source”. i don’t agree with you, i think we have to live with both open source and closed source. when i talk about “closed source”, most people understand closed source x operating system 🙂
a hybrid secure system i can imagine: if you want to make your system secure; you have to use an open sourced operating system (because, let’s talk about Linux, i can’t imagine any other operating system that gets fixed so quickly and with such a good community.. that’s the open source (and free software) effect..) and on this operating system; your applications have to be a) a good open source project b) a well-coded but closed source project. i think that strategy works.
#8 by pcal on August 27, 2007 - 11:20 pm
…what does it buy you if days after the vulnerability and fix have been disclosed, hundreds of web sites start going down because they did not (or could not) apply that fix while hackers acted on the vulnerability right away?
Ok, Cedric, let me get this straight: your claim is that closed source projects actually get a leg up in the security department because it’s harder for hackers to find out about their vulnerabilities?
Maybe you should share your insight with Microsoft, who clearly are squandering tons of potential ‘obscurity value’:
http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx
#9 by Brian Slesinsky on August 28, 2007 - 12:14 am
Sure, secure software has to be written by good, dedicated professionals, and most open source software doesn’t get nearly enough attention to be good. But for the winners of the popularity contest (Linux for example), it seems fair to say that part of the reason they get all that attention and years of updates and security fixes comes from being open source.
Or to put it another way, the “given enough eyes” thing only works for Linux and maybe a few other projects; it doesn’t generalize.
#10 by Angsuman Chakraborty on August 29, 2007 - 8:17 pm
Well said. Open source is not a guarantee for security. In fact not-so-well-reviewed open source software may be more of a security risk because the security-by-obscurity veil is lifted from the start.
I have had serious hacking problems with Mambo in the past which forced me to switch to dedicated hosting and even there I was threatened that my service would be switched off. On investigation, I realized the problem was because I didn’t apply a recent security patch to Mambo. I later switched to Joomla (a Mambo derivative). However, it left a bitter taste in my mouth about the myth of open source security.
#11 by Preet on September 5, 2007 - 7:48 am
Hey, just went through your blog and it makes for some nice reading. That thread about Indian students was hilarious. I’m Indian so I can understand what that must have been like. I’m sure they did not intend to be rude. Only those Indians who study in good schools (like me haha) can speak good English. The funny thing is, I came across your blog while searching for ideas about Java projects for beginners. So maybe that’s how they came across your blog and thought that you were offering suggestions. But I’m rambling here. Nice work on the blog, keep it up!