How secure is open source and how secure is Linux?

Is are the questions that came up recently when I was trying to explain the advantages of work in Linux.

We all know that Linux is open-source meaning that the source code is availabe and anyone can download it. So anyone who has access to the source code will be able to know as to how the security is provided.

So anyone who has enough understanding of the code, might also know how to break into someone who is using Linux. And, most probably the attacker will also be able to understand how the root password might be working and can brack it too, there by having access to the system.

Similarly, since it is open source, anyone can write virus programs that can access the root account itself and cause a system to breakdown.

Hope someone can clarify as to how OPEN SOURCE is CLOSED for hackers?

It's all about Peer Review. In the Closed Source world, if someone were to put a program out that had malicious content, there would be no way to know since no one could see the content of the program. In the Open Source world, any program can be viewed, assessed and rewritten by anybody with the skill and knowledge to do so. Any malicious content would therefore be see, exposed and removed or nullified.

Being Open Source (or regularly peer reviewed) has nothing at all do with being insecure - cryptography works in the same way. As an example of this example (), Microsoft once created a closed and unreviewed cryptographic routine - it was broken in (I believe) around 40 days. The other ones tend to last a lot longer.

Bugs that might lead to root access are fixed a lot better than in windows. Next to that windows runs as administrator often which is bad if you have malicious code. In a linux user account it'll only be able to damage your home directory (still not much fun BTW) If it's a small program that I think I understand I often look at the source code as well just to see how it looks/how it's done and at times if there's nothing that strikes me as strange.

Yes, I have read on the net that its all about peer review. But then I also read some where that since, unlike Microsoft, which employs "TRAINED SOFTWARE PROFESSIONALS" who have a design methodology and a strategy, Linux is developed by anyone who know C programming (these are the words of a US univ prof, unfortunately didn't bookmark the site) there is a greater possibility of a in secure OS being made.

So it is possible that someone with a knowledge of how the root system or the security is developed can crack the system too.

Since the password is stored in encrypted form (hope this is what is done) , and since we have open source, the "data encryption algorithm" (heard this is what does the encryption) is also avaiable to a hacker. So he can decrypt the password of any accounr that is created includuing the root.

Also there is an argument that since M$ doesn't give out its codes, everyone is trying to find loopholes in Windows. But if the same group of people start attacking Linux based systems, they can do it far more easily.

The concept of an OPEN SOURCE OS being secure is itself confusing....

Simply Knowing and understanding how somthing works does not mean its easyer to break into.

IF a vunerability in the code exists, it will be easyer to detect... However there are more people looking for vunerability's with the intention of fixing the code, than there are people looking for vunerability's with the intention of exploiting the vunerability.

Also. think of a closed source OS like MS windows as a heard of cloned sheep, if a virus finds a vunerability in one sheep, then all sheep will die.

However with Linux, because it is so open, thereare many differend versions.
Each distro has different versions of software, each distro compiles there kernels differently... some home users even customise the kernel.
some linux distro's are compiled with GCC patches to harden them againsed buffer overflow explouts..

Open source is like natural selection, if one sheep is vunerable to a virus, the other sheep in the heard may be sufficiantly different to be imune to the virii.

These are the self same TRAINED SOFTWARE PROFESSIONALS who repeatedly send out buggy, insecure code, is it? Linus wasn't just a nut with a C book - he is also a TRAINED SOFTWARE PROFESSIONAL.

Get your professor to read "The Cathedral and the Bazaar" to see the methodology behind Open Source.

This is an often debated question. While open source programs can be worked on , as you put it, by "anyone who knows C", not everybody has the authority to commit code. When first starting out, small bugs are fixed by beginners and submitted as patches. In most cases the stuff is looked over by someone who knows what they're doing...

One other thing. Tell your professor to stop trolling

And another thing.

The algorithms used for encryption are available for anyone to see, but the whole point of them is that it is virtually impossible to reverse the process.

As an example, if the algorithm was a+b, and you knew the result was 12, you still wouldn't know if it was originally 11+1 or 10+2 or 9+3 etc...

I shell quote, "Its only as secure as the system admin wants it to be!" or the alt "Its only as secure as the developer and system admin want it!". Those hold true for everything........ even though the fact the commutity can review open source code and all that, really the only way to be truely secure is to know what your doing.

Hi everyone,

Thanks for the replies.

Maybe since people have not yet started hacking in to Linux based systems they are more secure.

For the sake of argument, consider a situation when Linux becomes paid. Then would it be easier for a person to hack into a Linux based system as compared to MS windows?

If I come across the page where I read about the statement given by the prof, I will post it here.. Too bad that I donot even remember the university to which he belonged to...

Hi Ashesh,

I get the feeling you are confusing things here. When you talk of security, you mostly mean what is comonly called "security through obscurity": The less people know of a system, the more difficult it will be to break into it. This kind of security is sometimes applied in closed source, and is almost impossible in open source, because in open source it is more difficult to keep secrets.

Then again, security through obscurity isn't considered to be very secure anyway, because even in closed source, people can find out a lot about a system by decompiling or reverse engineering it and stuff.

There is a different kind of security, based on cryptography. Basically, these are puzzles that are impossible (or at least very difficult) to solve, but if you already know the answer, there is no problem. So you can grant access to anyone who knows the solution to the puzzle, because you can mathematically prove that noone can know the answer by solving the puzzle, only by being told by someone else.

This is somewhat similar to securing your house. These days, anyone knows how to locate your front door (provided they have your address, of course), or how to operate a door knob, or even how a lock works interally. Still, if you don't have the key, it is very difficult (though not entirely impossible) to open the lock.

By comparison, "security through obscurity" is similar to having no lock at all, but instead hiding the location of your front door or the doorknob: Anyone who knows the locaton of the door and doorknob have access, and anyone who looks hard enough can find it.

On to the issue of bugs: Cryptography depends on the puzzles being unsolvable. However, there are bugs that make the puzzles solvable, and hence you are less secure. These kind of bugs (eh... any kind of bugs) are more likely to be found in an open source environment, where everyone can check the code for correctness.

About the trained software professionals: If you are unable to check the security of the code yourself (because you don't have the time or the technical skill or, in case of closed source, the source), then you have to ask yourself if you trust the organization that gave you the code to make sure its secure. Here, closed and open source aren't essentially different. There are people that rather trust closed source companies (in the assumption that they hire trained software professionals), and those that rather trust open source (in the assumption that anyone who cares enough to write an OS, must also care enough to do a good job about it). At this point, we're leaving the world of facts, and entering the world of statistics, religion and (simetimes biased) surveys.

Hope this makes any sense :-)

Groetjes,

Kees-Jan

Hi kees-jan,

That was a wonderful explanation.

Maybe I donot understand the exact meaning of what a security is from a computer's point of view and what a vulnerability is.

But a further search on google about "how secure/unsecure Linux is" resulted in the following links:

Most Unsecure OS?

Honeymoon over for Linux users

Also came across this page which explains as to why Linux is more better.

I always beleived that Linux is more secure becasue that is what I always read and I had viruses only in my windows partition and I always found softwares for windows with which I could access others systems on the LAN. Also it is only in MS-win2k that a windows pops up and says my system will be rebooted in 59 seconds and I need to save everything...

I like Linux, as I get to learn a lot and configure a lot myself. I never got to exlpore this when I was an only windows user. And I would continue to use Linux until I get some strong reason to shift to windows, which I hope isn't possible... Maybe I should STOP looking as to why Linux is more secure and should enjoy using it..

About the first link you posted... The most unsecure OS.
You wil notice that #1 its a Microsoft funded site... and The Vendor that Lies the most... Yep, its Microsoft.. lol.

i remember reading about that report before.. The argument was that 90% of sucessfull manual "hacks" were done on Linux machines.... this sounds bad, but is actually very good.

What it is saying, is that to hack into a linux box, you need to do it all manually, telnet / ssh / custom wrtiing programs to smash stacks.... its verry hard to do this.

Hacking windows is easy... its a matter of downloading a "hacker tool" picking a vunerable windows machine, then typing the IP into the "hack tool" and clicking the "hack this machine and totally own it" button.

Every month there are 1000 new virii for the windows platform.
in the 13 or so year linux has been around ive heard of 20 virii... of which all were "proof of concept virii" running in a computer lab, or which absolutly NONE of them could survive in the wild.

90% manual hacks is good when the ratio of manual hacks to automated hacker-tool / virii attack it so incredable large.

the first report is just a pathetic attempt to twist the truth into somthing that sounds bad..

for example.... "SHOCK REPORT !!!!! 50% of school kids score LESS than the National AVERAGE in an IQ TEST !!!"

sounds bad... but if you know what the word average means, you will realise that this statement is a tautology !!!!

the report on the second link seems pretty lame too..

this is not a lInux virii... its an APACHE vunerability... according to NetCraft, most servers run Apache.. with only a few windows machines running IIS.
and yet the number of infections is several orders of magnitude smaller than IIS virii.. cummon!!!!

The 3rd report, i agree with.

the ONLY people claiming Widnows is better than linux is Microsoft....
People claiming Linux is better are the users, network admins, company's like IBM and NOVEL, which chose linux,

In a world Where You can Get a virus from Reading a document written in MS Office... or look at a Picture in MS IE.. any sane person would choose... well... anything that isnt Windows... Solaris, BSD's Linux, or any other Unix's.