Was: Ubuntu weirdness Now: Disabling security in the name of availability

Kristian Erik Hermansen kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Aug 14 14:39:23 EDT 2007


On 8/14/07, Matt Nicholson <sjoeboo-RG5ZOK3LcrdBDgjK7y7TUQ at public.gmane.org> wrote:
> Ah yes, but the fact that the source code is available benefits both the
> people looking for holes and those fixing them. With IE, only M$ could offer
> the fixes. With something open source, yes, its easier to find holes, since
> you can look right at the code, but also, more people (not the the
> company/group behind the software) can offer up patches and fixes, since
> anyone can get their hands on the same code and resources the "core"
> developers have.

Any knowledgeable security researcher will tell you that having the
source code doesn't matter.  In fact, some claim it is easier to just
look at the assembly than the source, because some bugs, once
compiled, are not exploitable.  Looking at the binary gives you
complete reassurance of the possibilities.

The part about fixing bugs is true.  Open source software is faster to
deliver a patch.  But that's only when a vulnerability is known.  What
about unpublished vulnerabilities?  Almost any product is vulnerable,
so it is just a matter of time if you become the target of a bad guy
or not.  The point is to make it as tough as possible.  Guys like
Solar Designer have researched and implemented some great security
features into his distro, which have proliferated elsewhere and are
even in Microsoft Windows now :-)

It makes me wonder why people continue to claim that open source
software is not innovative.  Here are some big examples, with fuzzy
dates as I can't remember...

Firefox tabbed browsing (2002?)  -> IE7 (2006)
Truly transparent windowing (compiz 2001?) -> Vista Aero (2006)
Address Space Layout Randomization (openbsd ???) -> Vista (2006)
...and much more.  Too much to list...you get the point :-)
-- 
Kristian Erik Hermansen
