Open Source Versus Closed Source Security
Jason Miller, 2004-09-30

In the age-old battle between open source and closed source operating systems and applications, can either of them really be considered more secure than the other?

One Definite Benefit 2004-10-04
SFN (1 replies)
One Definite Benefit - What??? 2004-10-04
Anon (1 replies)
One Definite Benefit - What??? 2004-10-05
Anonymous (2 replies)
One Definite Benefit - What??? 2004-10-06
Anonymous
One Definite Benefit - What??? 2004-10-06
Anonymous
Open Source Versus Closed Source Security 2004-10-05
Paul Kosinski (1 replies)
Open Source Versus Closed Source Security 2004-10-05
Anonymous (1 replies)
Open Source Versus Closed Source Security 2004-10-07
Serious Sam (1 replies)
Here's the way I see it. Knowing how an OS works should not give a potential attacker any benefits. The only way that seeing code would allow an exploit to be crafted is if there is a coding or logic error. Therefore, having a vastly larger group of auditors (as exists with open source OS's) makes the product more secure by the sheer number of concerned eyes scrutinizing the code.
I think the comparison to algorithms in cryptography is quite appropriate. Knowing how the encryption process works should not make it any easier to break. The algorithm is based on principles that in and of themselves are difficult to crack. Same with an OS: there isn't anything inherently insecure about its components, just how they are implemented. And before any new algorithm is introduced, it goes through a review process during which brilliant minds try (and hopefully fail) to crack it. It is the same way with open source OS's: they are under constant review by the world's best and brightest. This process has worked well for cryptography, and so far, has proven itself well for operating systems.

Copyright 2009, SecurityFocus