Open Source Is Less Secure

Nominated for most moronic apparently serious page on Wiki.

First things first, what does Open Source mean? It means that your source is open to any loser who knows C++ and considers himself a hacker.

Much open source software is implemented in languages other than CeeLanguage/CeePlusPlus.

Quality is extremely poor in the Open Source world.

References? This is an assertion without any evidence. At any rate, see SturgeonsLaw.

Contrast this with the Free Software world, where the source is made free not for technical reasons (so any loser can take a look at it) but purely for political motivations.

To state that all FreeSoftware is political is flatly wrong. LinuxOs is FreeSoftware; however LinusTorvalds is notoriously apolitical--to the point of having quite a few folks in the FreeSoftware community accusing him of OnceRocketsGoUpWhoCaresWhereTheyComeDown. (Linus has taken quite a bit of flak for several decisions, such as allowing binary-only kernel modules to be linked into the kernel when the opinion of many is that these are "derived works" of the kernel and thus subject to the GPL; use of the non-free BitKeeper configuration management tool (no BitKeeper code is part of Linux); and a recent statement that he is not opposed to DigitalRightsManagement-enabling technology being put in the kernel.)

In the Free Software world, software is made by a few programmers instead of a legion of coders or hackers. Such software is invariably more coherent, better designed, and all around higher quality.

A distinction without a difference? "Coder" and "hacker" seem to be pejoratives whereas "programmer" is a compliment here. In some shops, it's "programmer" that's the pejorative term. In any case, I smell a RedHerring. At any rate, there are hundreds of people who have contributed to the Linux kernel--and it's FreeSoftware and under CopyLeft. BsdOs, on the other hand, is developed by a small team using a closed development process--and that's OpenSource (non-CopyLeft) software.

And since real security comes from good design, not from fixing "bugs" (especially after a critical mass of cruft has accumulated), Open Source systems are less secure.

Good design is necessary but not sufficient. Good design, quality implementation, rigorous testing, proper configuration, and expert peer review are all required for security.

At any rate, good design and "open source" are orthogonal things. Most of the security holes in various free software packages are of the implementation sort, not fundamental design flaws (no requirement spec anywhere specifies a buffer overflow or "insert race condition here"). Use of a higher-level language than C/C++ (many Windows/Unix security flaws are buffer overflows, a method of attack which is directly tied to these languages) would certainly help--but it's possible to write buggy code in any language, even with a bulletproof set of requirements.

There seems to be this belief that OpenSource programmers (hackers, whatever) are all a bunch of pimply-faced high-school nerds who have never cracked a book on computer science theory; let alone studied it at the collegiate (or postgraduate) level. Which is far from the truth--there are many folks with advanced degrees (and years of industry experience) working on this stuff.

At any rate, a GoodDesign must draw on experience.
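The implementation-level bug the reply above has in mind, as an added example that is not part of the original page: a fixed-size stack buffer filled with `strcpy`, beside a version of the same function that checks the length before copying. The names `greet_vulnerable` and `greet_hardened`, the 16-byte limit and the sample inputs are assumptions made for the illustration; nothing here is drawn from any real package.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed buffer size for the illustration */

/* Vulnerable form: the caller's data is copied into a fixed-size stack
 * buffer with no length check. Input of 16 bytes or more runs past
 * `name` and overwrites whatever the compiler placed after it (saved
 * registers, the return address). The requirement it implements,
 * "greet the user by name", says nothing about this; it is purely an
 * implementation defect, which is the reply's point. */
int greet_vulnerable(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);                 /* no bounds check */
    printf("hello, %s\n", name);
    return 0;
}

/* Hardened form: same design, different implementation. The length is
 * checked before the copy and oversized input is rejected outright
 * rather than silently truncated, so the caller learns that something
 * was wrong. Returns 0 on success, -1 if the input does not fit. */
int greet_hardened(const char *input)
{
    char name[NAME_MAX];
    size_t len = strlen(input);
    if (len >= sizeof name)              /* leave room for the NUL */
        return -1;
    memcpy(name, input, len + 1);        /* copies the terminator too */
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal name and a 64-byte run of 'A',
     * the classic probe for this bug class. */
    char probe[65];
    memset(probe, 'A', sizeof probe - 1);
    probe[sizeof probe - 1] = '\0';

    greet_hardened("alice");             /* prints the greeting */
    if (greet_hardened(probe) == -1)
        puts("oversized name rejected");

    /* greet_vulnerable(probe) would smash the stack and is deliberately
     * not called. greet_vulnerable("alice") behaves fine, which is
     * exactly why such bugs survive ordinary testing. */
    greet_vulnerable("alice");
    return 0;
}
```

Both functions satisfy the same specification on well-formed input; only the hostile input separates them, so a test suite written from the requirements alone will never find the first one. Rejecting the input rather than truncating it is also deliberate: a silently shortened name can itself become a logic bug further down the line.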

Compare and contrast the insecure worthless Linux with ... hell, even with ErosOs, a 30 year old design!

Hmmm, that is at least a little harsh. After all, Linux security compares quite favourably with the major PC OS...

Not at all. You mistake reliability for security. Linux has more reliability than Windows does, but that does not mean it has more security at all. To see the difference, consider just what is the security of a computer that has been turned off and put away in a locked vault? Answer: none.

[A turned-off, locked, and disconnected computer has perfect security; nobody shall ever breach it. Of course, it's also useless for legitimate purposes - so this isn't a real solution when the computer is needed. For home users on DSL lines, though - switching the 'puter off when you aren't using it is very good advice.]

Actually, I don't. MS products have never fared well in security. Until recently they were terrible for reliability. Don't be confused into thinking that an increase in reliability (which XP certainly has) is an increase in security (in which XP has barely made a dent).


Linux is insecure? Insecure compared to what? Tell that to the NationalSecurityAgency - a group of folks who probably know more about security issues than the aggregate of everyone on this Wiki. They seem to think that Linux is a fine platform for a hardened operating system.

I'll grant you that Linux is less secure than say, MVS. It's certainly more secure than anything put out by MicroSoft. As for ErosOs or anything else that has never enjoyed widespread deployment - we really don't know. Until a system has been subject to peer review (design, implementation, and configuration), rigorous testing (including expert adversaries who try to break the system), and the overall nastiness of a production environment, anyone who says that something is "secure" is deluding themselves. (Or worse.)

And anyone who makes security claims for an operating system that has yet to be written is really full of it.


What a waste of brain cells. See ClosedSourceIsLessSecure.


CategorySecurity


Last edited April 16, 2004.