[vox] Open Source and Security
Karsten M. Self
vox@lists.lugod.org
Sat, 6 Mar 2004 19:04:47 -0800
on Mon, Mar 01, 2004 at 12:27:40PM -0800, Bill Kendrick (nbs@sonic.net) wrote:
> On Mon, Mar 01, 2004 at 12:10:39PM -0800, Byron Roberts wrote:
> > I feel like I'm totally missing something here....I thought that
> > one of the big advantages of OSS was increased security, precisely
> > because the code is accessible and able to be modified? Or as a
> > newbie is there some piece of information that I'm lacking?
<...>
> With closed-source, the barrier is immediate. Example:
>
> "Hey Fred, OpenOffice.org seems to have a problem doing such-n-such"
>
> "Well I can try to fix it. [pay me / I'm happy to help for free / etc.]"
>
>
> Versus:
>
> "Hey Fred, Microsoft Office seems to have a problem doing such-n-such"
>
> "That sucks. I hope they fix it and provide an update some day..."
>
>
> In the first case, we assume Fred is interested in helping, either for
> compensation or not. In the second case, it doesn't matter. Nothing
> you or Fred can do about it (except wait and hope).
This leaves off another option, highlighted by Thomas C. Greene in The
Register last week: free software is modular. Drop-in replacements
tend to be readily facilitated:
"Fred, fizwutz has a security hole, and there's no fix, this is the
ninth one this month."
"Hrm. Well, rutzwiz is a drop-in replacement with a far better
security record, we can just tear out fizwutz and replace it. I'll
prototype it this afternoon, we should be able to convert by
(tomorrow|next week|next month)" (Depending on site size).
Versus:
"MS (Exchange|IE|SQL Server|Outlook|Word|Access|Palladium) has another
critical buffer overflow."
"We can't replace it without replacing everything...."
Note that in the case of "fizwutz", we could be talking an application
(vim vs. nvi), a server (exim vs. postfix vs. smail), a library, a
protocol (ftp vs. fish), or even an entire distro/OS/arch (Red Hat vs.
Debian vs. FreeBSD vs. OpenBSD vs. x86 vs. hppa....)
Choice. Flexibility. Modularity. Security.
Tom's article:
Does open source software enhance security?
By Thomas C Greene in Washington
Posted: 05/03/2004 at 10:11 GMT
http://www.theregister.co.uk/content/55/36033.html
Analysis There are several reasons why open-source software provides
for superior computer and network security, but the computing public
seems confused about why this is so.
<...>
Peace.
-- 
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Art is long and life is short.