[vox] [OT] Length of time to infect a Windows computer?

Bill Kendrick nbs at sonic.net
Sun Sep 26 03:08:12 PDT 2004


On Sat, Sep 25, 2004 at 02:56:16PM -0700, Robert G. Scofield wrote:
> 2)  To what extent, if any, is open source software better in terms of 
> being spied on.

The issue of 'spyware' in Open Source is the same as with easter eggs
and 'malware' (purposeful 'misfeatures'), and bugs and other security problems
(accidental problems, or those caused by simple ignorance of proper coding)
in Open Source software.

A piece of software being 'open' does not implicitly improve its
stability, security, or trustworthiness.

With proprietary software, though, we can't even see inside it to see
exactly what it does.  This must be inferred by examining what it does
when running, disassembling the binaries, sniffing network traffic, etc.


One of the arguments people often use when supporting Open Source software is
that 'many eyes' will help find and fix the bugs.  While this, too, is
technically true, in practice, it really depends on the popularity of the
software (how many people use it to find the bugs in action (users),
as well as how many people want to contribute to the project to both find bugs
in the source itself, and fix the bugs and enhance the code (developers)),
and the competence and trustworthiness of the developers.

i.e., if you download "Super Foobar 0.1" (a make-believe GPL'd application)
off the Internet, it probably contains some bugs, it may be insecure, and
there's the technical possibility that it's malicious (e.g., spyware, or
purposefully decides to delete your home directory when you run it).

If you download Firefox, you know literally a million people are using it,
and there are probably dozens, if not hundreds of contributors working on
it even as I compose this message. :^)


There's a social aspect of Open Source, too.  Part of the reason many of
us create OSS is to help improve the world.  Some of us do it for the
ego trip.  :^)

Once it's found that Super Foobar is malicious code, the word will spread,
and any semi-savvy web surfer looking for a piece of OSS will discover that
the app isn't trustable.  (If the app. is otherwise useful, since it's
Open Source, there's a good chance it will get forked into, say,
'Excellent Phoobar,' and the malicious bits taken out.  Software Darwinism at
work, so to speak!)

(Of course, the same can be said for proprietary software, up until that last
bit.  Many people know 'Gator' is spyware [*], and so it can be avoided.
However, whatever useful bits it has can't be forked.)


Anyway, it's 3am, I'm tired, and I think I'm rambling.  I hope this has helped
shed a /little/ light on the subject.  My disclaimer, however: I'm not an OSS
or spyware expert who's done any scientific research on either subject.
I'm just an average-Joe end user who prefers Linux and Open Source, and
a hobbyist software developer who releases his software under an OSS license.

G'nite!

-bill!

[*] e.g.: http://www.personalfirewall.trustix.com/spyware/gator.html
