I know that this is probably a dumb question, but i am curious. i was reading on www.linux.org an article about some of microsoft's source code for Win 2000 and Win NT 4.0 leaked out on the interent. they said that this could cause hackers to exploit the OS since they have code. so why is LInux so secure? the code is freely spread and anyone can make changes to it. it is used to secure servers and cell towers (mabye) and important stuff. if it is free to use and make changes to it, why do people trust it? I am not knocking anyone, i am just asking a question. Thanks

Open source doesn't mean it's insecure completely.... But there are vulenrabilities and people do exploit it ... those people are crackers.. whereas there are good people around who are much more knowledgeable and working for a good cause.... they are called hackers... these people are much much much much more in number than the crackers ... so the crackers get very vey very little chances to get a security loop hole... this is the linux opensource advantage...

Why is open source inheritently more secure inspite allowing anyone, even crackers access to it? Because it cuts both ways. The blackhats (crackers) can scrutinize it for weaknesses, but so can the whitehats (hackers). For every blackhat who wants to insert malicious code into the source tree, there's a vigilant whitehat ready to fix and remove it.

The OSS model also prevents developers from taking shortcuts through obscurity. The problem with security thru obscurity is, if your entire security model around it, the moment the code gets leaked (which this recent MS incident has shown to be entire possible), then the entire system's security falls apart.

Closed source is not audited constantly for weaknesses by a large peer group who know the software and are aware of what to look for. Because of this auditing process, an weaknesses that are obvious are usually caught before the software hits the real world. After it does, though, a cracker's exploit is caught fast and can be plugges by those who are already there with the knowledge to stop it. If the source is closed, only those who have coded it (behind closed doors) can plug the holes. Security by numbers.

Different philosophy as well. Fewer processes that run with root priviledges are accessable to a normal user as well (usually). Therefore, if there is an exploit, it cannot have as much impact as otherwise. But, security does also rest on the shoulders of the user. Don't run your box as root and you'll contribute to the safety of the world on your own level too.

Its not a dumb question its actually a good question!

The Win source code leak is currently in the hands of a few hackers. This means that these hackers can audit the code, find vulnerabilities and keep the information to themselves. These hackers would then be able to have knowledge of vulnerabilities that no one else knows about. That makes a very dangerous situation!!

On the other hand, when linux source code is released, it is released to everyone. Because of the large number of code auditors in the open source community, if there is a flaw in the code, it is likely they would be found and corrected shortly.

So to answer your question, the WIN source code leak is dangerous because it is in the hands of a few people who we can assume are malicous hackers. And the linux source code is available to everyone, many of those who are good and helpful to the linux community.

Perhaps one of the best things Microosft could do now is to (a) fully audit the source code that was leaked to make sure there are no vulnerabilities, or (b) release the leaked source code to everyone!

I think you'll find it's pretty damn easy to get a copy of the w2k code if you know where to look - it's hardly a "few hackers". Granted, most of the people who download will do so just because they can and the rest will be largely script kiddies who won't really know what to do with it. However, there will be enough clueful people downloading it for the next few months to become interesting.

People trust it because it's good code. Claiming that it's a security risk to have the source code available to the public is just admitting to having a lot of holes in your system.
Besides, even if someone were to hack up their own kernel, opening up as many exploits as they could find, that only effects their own system. The "official" kernel is still going to be as secure as possible.
An open source system, in my opinion, is the best way to ensure that bugs and exploits get fixed as soon as they are found.

I trust Linux because I have not seen it crash, once configured properly, in years. I can see that other OS crash hourly where I work. I have an LTSP that ran for 80 days with multiple users without a crash and none of the machines in my lab will run that other OS for a day without crashing with a single user. This is prima facie evidence that Linux is better code. Better code should be more secure since better code results from people who care enough to make the code well and we know the kernel developers are aware of security issues, so why would they not take care of security as well as keeping the programme from tripping over its own feet? Other obvious evidence of the security of Linux are the design of the file system, the vigilance of the community, and the free sharing of information about usage and problems. Knowing that bugs get fixed (sometimes with amazing speed) gives me confidence in Linux.

I view the crashing thing that the other OS does as a serious threat to my security. I do not want any of my work or the work of any of the hundred or so people who use my system wasted because the folks who created that other OS care more about advertising and monopolizing the market than of producing a great product. The nail in the coffin of the reputation of that other OS is the provision of capability to spread e-mail and document viruses. What insanity! That they blame the purveyors of the viruses rather than close the door to such viruses is a testament to their priorities. Should we store gasoline in our homes in spite of its dangerousness just for the convenience of having a ready supply? That other OS opens the door, keeps gasoline all over the place and hands the virus writers the match.

What Linus and the Open Source community have shown is that there is a better way to do things. Providers of software need to seriously examine their methods. What prevent the creators of that other OS from doing that is that they have made an investment in the old way and have created a cash cow. Until that cow dries up they will continue on the old path so I believe Linux will continue to grow more secure as time goes on and that other OS will be left behind.