Closed Source Is Less Secure

The following is a parody of OpenSourceIsLessSecure intended to demonstrate the ridiculous nature of the original argument there.


First things first, what does Closed Source mean? It means that your source is closed to peer-review, because it has something to hide.

Quality is extremely poor in the Closed Source world.

Contrast this with the Defense Contractor world, where the source is made secret not for technical reasons (so only losers can take a look at it) but purely for political motivations.

In the Defense Contractor world, software is made by a few programmers instead of a legion of coders or hackers. Such software is invariably more coherent, better designed, and all around higher quality.

And since real security comes from good design, not from fixing "bugs" (especially after a critical mass of cruft has accumulated), ClosedSource systems are less secure.

Compare and contrast the insecure worthless Windows with ... hell, even with ErosOs, a 30 year old design!

Windows security compares quite favourably with the major Enterprise and Internet OS...

Not at all. You mistake glitz for security. Windows has more visibility than Linux does, but that does not mean it has more security at all. To see the difference, consider just what is the security of a computer that has been turned off and put away in a locked vault? Answer: none.

[A turned-off, locked, and disconnected computer has perfect security; nobody shall ever breach it. Of course, it's also useless for legitimate purposes - so this isn't a real solution when the computer is needed.]


If the source code is closed, it does not automatically mean that it is not reviewed. In organizations that follow good practices, code review is followed quite often. Though it can be argued that more eye balls result in safer software, how many people actually look at the Linux source with a critical eye? I believe that for security, it is important that the users follow best practices, and the software should make it easy for them to do so. Contrast it with our home security. It does not matter that who built the lock, and how it was built. The real security comes from being cautious and not keeping doors open (ports in computers). Installing burglar alarms (intrusion detection software). Neighborhood watch schemes etc. The problem with Windows was that there were no easy way to secure it (hence people were lazy to do it), and there were no best practices and user instructions. Also, the origin of Windows was a personal, single user operating system (DOS), and the culture just stuck. The problem is with Microsoft culture and not closed source. -- vhi

It also depends on the type of code. I don't know of any organization with the resources (read cryptanalysts) to do a proper review of security/encryption algorithms internally. Well, I guess the NSA can do it (others?), but it is well beyond the capability of commercial software companies. For this reason, it is crucial that the algorithms at least be open, if not the code (and it helps to have the code open too, as it is often very difficult to get right).

In that case, the organization can always show these pieces of code to companies that have specialize in security, without making it open source. -- vhi

[Yes, but although it's true that relatively few look at open source code critically, it helps that some people do some of the time. As for closed processes, look at the history of the DES algorithm! Very sobering.]


CategorySecurity


EditText of this page (last edited July 20, 2006) or FindPage with title or text search