SecurityFocus 2000-04-17
Is Open Source really more secure than closed? Elias Levy says there's a little security in obscurity.
Netscape developers are weenies!
2000-04-17
Anonymous (2 replies)
Bug *fixes*...?
2000-04-17
Anonymous (2 replies)
Examine the record...
2000-04-17
Anonymous (1 replies)
Comparing Apache and IIS is wrong
2000-04-17
Anonymous (2 replies)
You've made several critical mistakes in your comment.
2000-04-17
Bruce Perens <bruce (at) perens (dot) com> (3 replies)
Sorry about the bad formatting.
2000-04-17
Bruce Perens <bruce (at) perens (dot) com>
Re: Bruce Perens' Defense of Open Source
2000-04-17
David Terrell <dbt (at) meat (dot) net> (2 replies)
How to respond to past reports of vulnerability
2000-04-17
Bruce Perens <bruce (at) perens (dot) com> (1 replies)
Re: How to respond to past reports of vulnerability
2000-04-18
David Terrell <dbt (at) meat (dot) net> (1 replies)
I don't think you get what he's talking about, Dave...
2000-04-19
Barry Fitzgerald <reaperx1 (at) netscape (dot) net> (1 replies)
Thanks for the additional info but...
2000-04-17
Anonymous (1 replies)
Trustworthiness and ability to spot bugs
2000-04-17
Bruce Perens <bruce (at) perens (dot) com>
Skill is always at a premium
2000-04-17
Christopher Petrilli <petrilli (at) amber (dot) org> (1 replies)
Who found the sendmail bug?
2000-04-17
Brett <disfunct (at) radiusnet (dot) net> (1 replies)
Morris didn't find the Sendmail bug
2000-04-20
Rick Smith <rick_smith (at) securecomputing (dot) com>
To expand on what I said earlier.
2000-04-17
Brett <disfunct (at) radiusnet (dot) net>
So what you're saying is that open source software is often as insecure as closed-source software is most of the time.
2000-04-18
Anonymous
Correct the facts and the conclusions stand strong
2000-04-21
Rick Smith <rick_smith (at) securecomputing (dot) com>
Original Bugtraq mailing list description?
2000-04-21
Robert Quinn <rquinn (at) pobox (dot) com>

No, but using the update utilities will help...and people who require security quickly *CAN* get the fixes...
"Do you think RedHat releases security advisories as fast as patches are posted to bugtraq?"
Of course not...that would be like driving south and hitting Florida before you hit Virginia (when driving from New York)...it would be physically impossible...
In any case, the average user probably wouldn't need the fix until it's posted, in any case Red Hat is usually pretty quick with posting a fix...
"And this ignores the number of people who don't even know that security problems with Linux exist, because they've been brainwashed by Linux bigots into not thinking it's a problem."
I don't know anyone who says that Linux has no security holes...Open Source helps with fixing security holes which produces fewer security holes, it doesn't make it completely devoid of bugs and holes...
Again, I don't know anyone who says that Linux is completely invulnerable, are you sure you aren't making these people up?
"_And_ those bugs are only fixed AFTER the problem has become commonly known. You wouldn't believe how long attacks like the NFS mountd remote root overflow circulated in underground circles before it was publicly acknowledged (on bugtraq) and fixed."
Not always...back a few years ago, I can remember working with HPACV groups to fix holes in their own servers (which were Linux, Slackware IIRC)...when those holes were fixed, they were released...
The fact is I don't think you know who is supplying the fix, all that matters is that the good guys are reviewing them (and they are)...
"This isn't to say that "Open Source" doesn't work. Go read the OpenBSD errata pages and look for the last remote root overflow.
Without strong, proactive security auditing, users are at risk every day."
Well, DUH!
This is true with every single system and every single instance...
The fact is that closed source inhibits strong proactive security auditing and Open Source enables it...
Link to this comment: http://www.securityfocus.com/comments/articles/19/1443#1443