24 Comments
- shakin, on 10/12/2007, -0/+10
It doesn't fail in practice at all. Remember: security is a process, not a state. For Open Source software to be more secure it must have a better security process, which as you pointed out it does (higher patch rate). Closed source programmers are no better or worse than Open Source programmers so you can generally expect them to make just as many mistakes. If Open Source is getting more patches then they must have a better process. Open Source software is usually easier to report bugs for (accessible developers + open code for those who want to look), easier to patch (more programmers can access and fix the code) and easier to release patches for (no corporate bureaucracy or agendas).
- cazabam, on 10/12/2007, -0/+6
My point was that the openness leads to a higher and faster patch rate. The article implies that the bugs are caught before they get out into the wild.
- warmcat, on 10/12/2007, -0/+4
Don't forget that the object code IS a functional representation of the source. All of the errors that matter, that are in the source, are present in the object code. So for example attackers can use tools to randomly mess with file contents to try to discover buffer overflow events, and then use a debugger or disassembler to understand how to exploit the crash. So your assumption that there is even much obscurity in hiding the source is wrong.
All of the bugs are out there both ways. Accepting this, issuing the source and, more importantly, over time, patches to public review before application, is for sure going to end up in a better place.
- ExCornelius, on 10/12/2007, -0/+4
If Open Source is viewed as better, it is by developers, not end-users. I can't count the number of times I have run into brick walls trying to build on top of proprietary code. In similar circumstances with Open Source, I can just step through and find out exactly what's going on and either work around it (since I have a better understanding of the cause) or fix it. Since the cost of correcting a bug is a sunk cost, by pushing my fix out to the community I ensure that later versions will incorporate the change, rather than having to rely on my "customized" version.
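warmcat's point above is that the bugs in the source ship in the binary, and that an attacker finds them by mutating inputs and watching for crashes rather than by reading code. The harness below is an added example written for this thread (not code from Digg or from any commenter): a minimal mutation fuzzer with a crash bucketer and a byte-deletion minimizer. The parser `buggy_parse` is a constructed stand-in for a closed binary that trusts a terminator the input may not contain; `subprocess_target` is how the same loop is pointed at a real program, and assumes a POSIX system where a signal-killed child reports a negative return code. All names are my own.

```python
"""Mutation fuzzing: find crash-inducing inputs without reading the source.

Added example for this thread, not from Digg or any commenter. `buggy_parse`
is constructed for illustration; `subprocess_target` shows how the same
harness drives a real closed-source binary (assumes POSIX signal semantics).
"""
import random
import signal
import subprocess
from typing import Callable, Dict, List, Optional

# A target takes input bytes and returns None for a clean run, or a short
# "bucket" string naming the kind of crash it produced.
Target = Callable[[bytes], Optional[str]]


def buggy_parse(data: bytes) -> List[bytes]:
    """Constructed target: records laid out as [len][type][body...].
    Type-1 bodies are 'strings' the parser assumes end in a NUL byte.
    That assumption is the bug: a body with no NUL raises ValueError, the
    Python analogue of the over-read a C strlen() would perform."""
    out, off = [], 0
    while off + 2 <= len(data):
        n, typ = data[off], data[off + 1]
        off += 2
        body = data[off:off + n]
        off += n
        if typ == 1:
            out.append(body[:body.index(0)])  # trusts that a NUL is present
        else:
            out.append(body)
    return out


def inprocess_target(fn: Callable[[bytes], object]) -> Target:
    """Wrap a Python function so an uncaught exception counts as a crash."""
    def run(data: bytes) -> Optional[str]:
        try:
            fn(data)
            return None
        except Exception as exc:  # bucket by exception type
            return type(exc).__name__
    return run


def subprocess_target(cmd: List[str], timeout: float = 2.0) -> Target:
    """Wrap an external program (the closed-source case): feed the input on
    stdin and treat death by signal (SIGSEGV, SIGABRT, ...) as a crash."""
    def run(data: bytes) -> Optional[str]:
        try:
            proc = subprocess.run(cmd, input=data, capture_output=True,
                                  timeout=timeout)
        except subprocess.TimeoutExpired:
            return "TIMEOUT"
        if proc.returncode < 0:  # negative code = killed by that signal
            return signal.Signals(-proc.returncode).name
        return None
    return run


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a non-empty seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "set", "insert", "delete", "magic"))
        if op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "set":
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == "insert":
            i = rng.randint(0, len(data))
            data[i:i] = bytes([rng.randrange(256)])
        elif op == "delete" and len(data) > 1:  # never shrink to empty
            del data[rng.randrange(len(data))]
        elif op == "magic":  # boundary values that trip length and sign bugs
            data[rng.randrange(len(data))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    return bytes(data)


def fuzz(target: Target, seeds: List[bytes], iterations: int = 2000,
         rng_seed: int = 1) -> Dict[str, bytes]:
    """Push mutated seeds through the target; keep the first input per bucket."""
    rng = random.Random(rng_seed)  # fixed seed keeps a campaign reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        inp = mutate(rng.choice(seeds), rng)
        bucket = target(inp)
        if bucket is not None and bucket not in crashes:
            crashes[bucket] = inp
    return crashes


def minimize(target: Target, crash_input: bytes, bucket: str) -> bytes:
    """Greedy minimizer: drop every byte not needed to reproduce the same
    bucket, so the crash is easier to read in a debugger or disassembler."""
    data = bytearray(crash_input)
    i = 0
    while i < len(data):
        trial = data[:i] + data[i + 1:]
        if trial and target(bytes(trial)) == bucket:
            data = trial
        else:
            i += 1
    return bytes(data)


# Constructed seed: two well-formed records, the first a NUL-terminated string.
SEED = b"\x03\x01ab\x00\x02\x00xy"

if __name__ == "__main__":
    target = inprocess_target(buggy_parse)
    for bucket, inp in fuzz(target, [SEED]).items():
        print(bucket, minimize(target, inp, bucket).hex())
```

To run the same loop against a real binary, replace `inprocess_target(buggy_parse)` with `subprocess_target(["./some_parser"])` and give it a valid sample file as the seed; the bucket names then become signal names, and the minimized input is what you load under the debugger.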
- schestowitz, on 10/12/2007, -0/+4
Idiot for quoting an article? Take a hike, laddie.
- Dracker, on 10/12/2007, -1/+4
Shivetya: You are correct that code does not need to be open to be secure.
It's just that open code has many, MANY more "code reviewers" as you call them, increasing the chance that bugs and holes are found and fixed.
A hole not fixed but not yet found because of obscurity is tomorrow's exploit and next week's Windows Update patch. Isn't it better that these are fixed early rather than late?
- barberouge, on 10/12/2007, -3/+5
You seem to contradict yourself!
- cabazorro, on 10/12/2007, -0/+2
All software, open and closed, has bugs that make it vulnerable.
If we look in nature for models of adaptability and resilience of information encoding and decoding (DNA), we can see that more complex lifeforms have more resources employed in the guarding of the code vs. simpler, more pervasive lifeforms. In terms of security, when the complexity increases so does its obscurity (information availability).
Thus, in life, obscurity makes a system less vulnerable/more stable.
Yet, with increased security, adaptability and flexibility suffer (mutation capability).
A security system incapable of adaptation leans towards a path of dead-end lineage... extinction.
The lesson being: the ability for security to break and adapt is self-fulfilling.
Lunch's over... get back to work!
- sadistical, on 10/12/2007, -1/+3
Misconception? I never heard "better". More productive, usable, flexible to different types of applications perhaps.
- inactive, on 10/12/2007, -1/+3
I agree with you ExCornelius. I am a developer and as a developer I can see the benefits of open source, but as an end user why would anyone care?
- JQP123, on 10/12/2007, -1/+3
@tooshort
"What is the thinking behind this?"
It's primarily political. The overwhelming majority of users couldn't care less about source code because they lack the necessary time, resources and ability to use it. As succinctly as possible, it all boils down to the issue of "intellectual property" and whether one views it as a good or bad thing.
There is also a practical aspect to it. Unix has always been somewhat fractured and suffered from compatibility issues. With over 500 active distros, Linux has not only embraced but expanded upon this. The only practical way to achieve any semblance of portability in this sort of environment is by hacking and re-compiling source code.
- Dracker, on 10/12/2007, -0/+2
And on top of that, the bug you ran into is fixed for other developers and users. It's a win-win situation.
- inactive, on 10/12/2007, -2/+3
Can someone please explain to me why Open Source is frequently touted as "better" than closed source in the geek world? I've never gotten this. Some people refuse to use great programs such as the Opera web browser just because it's closed source. What is the thinking behind this? This is coming from a Linux user btw.
- Dracker, on 10/12/2007, -0/+1
It's definitely not a catch-all safety net and is certainly not an excuse to be lazy in coding.
But it helps.
- Tux42, on 10/12/2007, -0/+1
In computing, security through obscurity is not reliable. I would liken it to taking drugs. When the "high" is over, you are left in a bad situation. Here is an example. Internet Explorer is closed source. Has that fact prevented hackers/crackers from exploiting it? NO!!!
Security can complicate things, but would you rather deal with those issues, or have to clean up your credit history when someone commits massive credit fraud in your name?
Have a nice day :)
- Brahma, on 10/12/2007, -1/+1
The writer in his article points out that there is no ending to these discussions/arguments. This has been amply demonstrated in the discussion thread. It would be absolutely foolhardy to blindly argue for any one side. Positives and negatives are what we need to focus on. No silver bullet solution there.
- plasticmind, on 10/12/2007, -5/+4
As big an open source fan as I am, I still don't think "a greater number of programmers view[ing] the source code" is going to be the catch-all safety net. That statement assumes that all of these programmers care about, have time to fix and won't exploit all of the insecurities.
- sadistical, on 10/12/2007, -4/+2
Please "digg" down the above post. I meant to make a snappy joke so I would get a bunch of +diggs, not make a valid point. Good job kiddies.
- JQP123, on 10/12/2007, -4/+2
"Security by visibility" is just as flawed as "security by obscurity". Most major security issues are uncovered by hackers and researchers, not programmers. And as the article points out, source code helps the bad guys just as much as the good guys so in the overall scheme of things, it's probably a wash. The only real advantage to Open Source is as a *potential* training tool, provided that programmers take the time to study the before and after code in sufficient detail. I suspect that very few ever partake of this opportunity because they don't have the time.
- sadistical, on 10/12/2007, -6/+3
You could argue this forever, not knowing how any one programmer will exploit or benefit the code. I think the purpose of the article is to point out that a small percentage of open-source is more secure, not a save-all solution to security.
- Burmask, on 10/12/2007, -5/+1
Whooptie-fricken-dooooooooooooooooooo!
- cazabam, on 10/12/2007, -11/+6
It's a good theory, but it falls over in practice. However, when a project has its code open for public viewing, it cannot simply hide from the security implications and hope that obscurity will save the day. One statistic closed source advocates love is that FOSS projects have a much higher patch rate for security issues. This is simply due to them actually being fixed, not just hidden away!
- Shivetya, on 10/12/2007, -9/+3
Code does not need to be open to the public to be secure. It can be proven that code not open to the public is as secure, if not more, than code open to the public.
Proper code review is all that is required.
I think the big problem some of these writers have is that they are not the ones in on the know. There is nothing wrong with having code reviewed by outside parties but nothing should require that ANYONE be allowed to review code for secure items. It's a simple idea of "need to know".
Let's use electronic voting as an example. I want review of the code by outside organizations. I however see no reason to allow review by the general public. First off I realize that there may be trade secrets that do require protection. The real problem is there are too many people out there who think it's their right to pass judgement on the works of others.
Damn, do I ramble.
Look at it this way, those complaining the most about access are probably the first people we don't ever want to give access to.
- Frebis, on 10/12/2007, -14/+1
I'm curious what would be the easiest way to exploit a program? Look at the code for security errors? Or just guess where the security problem is? This schelowitz guy is an idiot.