Open Source Versus Closed Source Security
Jason Miller, 2004-09-30

In the age old battle between open source and closed source operating systems and applications, can either of them really be considered more secure than the other?

Vendor trust; 'Security by Obscurity' 2004-10-06
Anonymous
I think the article commented that (in effect) 'a process I can see is better because otherwise I have to trust the vendor'. I think an important addition to this is the concept of liability. If a vendor is liable for failures in its products, you don't really have to trust it to 'do the right thing' but simply to want to stay profitable. For example, I would assume a new car's brakes would work not because I think the company loves me, but because I know that the company will be liable if they fail. Surely closed-source software companies could (in principle) do the same?

Second is the idea of 'open' vs 'closed' security. I think there's some law (Kerckhoffs'?) that states something like 'the smaller the data that needs to be secret, the better'. I may have got that wrong - but anyway, my point is that this is only true *all other things being equal*.

This can have practical implications. For example, assume (closed-source) Company X spends $10bn hiring mathematicians to formally verify the most important sections of its code. Obviously, if Company X open-sourced this audited code, the code's security would become better still. But the question is: even if Company X's code remained closed-source, would it be more or less secure than hypothetical non-formal OSS Project Y? If you were a high-profile organization, would you be better off using X's or Y's product?

One response might be 'you have to trust Company X's audit claims'. But what if they were willing to accept liability for failures, just as Intel or GM does? Is closed source with liability worse than open source with no liability?

More controversially, you could make a similar argument for cryptography - although I guess (but really have no idea) that encryption algorithms are much more 'research'-based, and more sensitive to new mathematical discoveries than most other products. But anyway: assume NSA creates or modifies some encryption algorithm. Obviously, if it released this algorithm publicly, it would become more secure. The question is, is a closed NSA algorithm always less secure than a public algorithm? Which would be better for use in, say, a nuclear launch control facility, or for encrypting billion-dollar bank transactions?

All other things being equal, open is better than closed. In practice, however, trade-offs are involved.

Copyright 2009, SecurityFocus