From: hal@finney.org
Date: Sun Feb 03 2002 - 13:53:01 MST
Harvey Newstrom writes:
> Definitely. Most security experts consider closed source software to be a
> security threat. It cannot be verified, contains more security flaws than
> open source software, and requires giving the software vendor inside access
> to your computer without being sure what they are doing. The higher levels
> of security control in most criteria systems actually require open source
> and source code analysis. Closed source software cannot be made as secure
> as open source software according to these security ratings.
I don't agree with this. I have worked for many years on a security
program, PGP, with published source. In my experience the degree of
review provided by the open source community is haphazard, random and
spotty. Just publishing software as open source is no guarantee that
anyone will review its security flaws closely.
In my opinion and experience, a far more effective method is to pay
for an independent review by security experts. I would rather trust a
closed source program which has been given a clean bill of health by a
review team I trust than one which has been published on sourceforge.net
for a couple of years with whatever degree of review and inspection the
public happened to give it.
Furthermore there is the risk that publishing software source code will
give more information to the bad guys to allow them to design exploits.
Sadly, this is often a greater motivation for identifying security
holes than an altruistic desire to improve the quality of someone else's
software.
The people for whom security is a life and death matter, like the military
and spy agencies, do not publish their internal software as open source.
I believe they share the belief that doing so is not the optimal way
to secure their software. They rely on internal reviews, attack teams,
and closed source.
Hal
This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 13:37:37 MST