My reasoning is, the linux source-code is free and highly distributable. If someone wanted to do harm, why would I want linux over windows from this perspective? Yes, windows source code is attainable; it just seems linux is more vulnerable than windows. For example, if Red Hat begins to get major market dominance and people in the linux community (or a faction) get pissed at how watered down and proprietary they've become, but still with the source code highly available, it would be easier to do harm.


Josh

no it wouldn't be easy to do harm. how do you suppose this dubious person causes harm? if you mean via finding their own miraculous exploit that no one else knows about, then sure, but exploits are much easier to be aware of in linux than windows anyway. By this i mean if anyone wants to check a certain library for a vuln, whatever colour metaphorical hat they wear they can find it. it is then known about and fixed. the only people who can really truely fix a M$ flaw is M$, and they can only be truly identified and understood by others by blind prodding and poking. In Linux you can see there in front of you that lines 1623 to 1627 of imlib.c have been updated to prevent some potential hack or other. being open source doesn't make this worse at all, arguably it makes it better.

If you propose this person was to change the code, then core libraries have more structured code acceptance and patch management systems. Normally only certain people can apply patches etc... there was a recent case where someone appeared to have tried to submit a really subtle patch to a kernel source file that would give anyone root access, but the kernel maintainers saw it and removed it and it never got anywhere close to being accepted. Havnig said that there is a train of thought leading to saynig that while this attempt was found, how do we know others didn't slip through unnoticed?

Simply having the source code available does not make it easier to do harm; in fact, it is widely recognized that having the source open can greatly improve security, since potential security flaws can be found and fixed more quickly than is usually possible in a closed-source model. Cryptographic security, for example, depends on the openness and widely-studied nature of the encryption and decryption algorithm. Nobody would trust crypto that comes out of a black box; it's pretty amazing that we so often trust security-critical software that comes out of a black box.

As Linux becomes more popular, it is more likely to be a target of attacks, but that doesn't make Linux itself inherenly less secure. The Linux environment is more hostile to a potential attacker (especially to viruses) by the nature of its design than, for instance, Windows is. There have been so few attempted (and even fewer successful) attacks on Linux that one could even argue that the greater threat of attack would serve to make Linux even more robust, as flaws are perhaps exploited first, but quickly patched.

The matter of whether a clever cracker could insert malicious code into the Linux kernel seems pretty weak to me, in comparison with whether someone could be inserting malicious code into Windows. With open source, you can at least look at the code for yourself to determine if it's malicious; with Windows, we have to trust the internal auditing of a single company, whose intentions we well know to be less than entirely benign towards users.

lynchpin9; do not think so. kernel source code is tightly kept by L. Tovald & Consortium. yes we can fiddle around with it but just under strict contents & laws of GNU org. in the manner that u assume it would be detrimental not only
to users but the user that would do something like that maliciuosly,malefic.
unless working for MS, changing source code is a felony.

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.

When asking a question about software vulnerabilities, one has to start with the fact that software can have vulnerabilities.
This is a fact and non-specific to any OS.
From there two different weak points can be seen. One is the computer user, their habits and needs. The other is the OS and applications themselves.
I am not sure that it can ever be argued that the user is not a huge weak point for vulnerabilities. Do they update, open any file in front of them, understand warning and error messages?
For the actual software the question is how severe of vulnerabilities are common, how quickly are updates available, and how easy are they to acquire and install.
The question about availability of source code preventing or contributing to vulnerabilities is an interesting question and I think that we will have to see how it plays out. I cannot see how it is a given either way.
So do I think Linux will become more vulnerable than Windows? No.
Do I think Linux is invulnerable? No.

I think one of the more compelling arguement in regards to this question is looking at the security histories of Apache which is open source and is the most commonly deployed webserver versus Microsofts IIS webserver which is closed source and has a smaller market share. So according to that theory Apache should have more vulnerabilities, but in the real world the opposite is true.

@penguin4: Not sure what you're talking about, but finding vulnerabilities in software doesn't require modifying the source code and as such isn't covered by the GPL license. Plus there are no provisions in the GPL for what kind of changes you can make, only that if you modify or make a derivative work, then you must provide the source code for free. In fact, I could take the current 2.6.9-stable kernel source and rewrite the entire network stack without checking bounds of a single buffer and release it as Capt_Caveman's Busted Kernel v 1.0 , and as long as I released the source and used the GPL license it would be perfectly fine.

One sentence explanation:

Security through obscurity.

This was the backdoor that someone tried to put, not so easy to spot. (how one character can break millions of others)

Hiding the source/algorithm doesn't help at all. It's even worth because YOUR TEAM has to audit your code and YOU are the only one who can patch it (and audit the patch.. which was not always the case with micro$oft)

You could make an analogy with cryptography:

All cryptographic mechanism that relies on the secrecy of its algorithm is bad.