LinuxPadawan 03-09-2005 10:50 PM

Is Open Source secure?
I've heard people say that open source is not secure because its very strength (being open) is also its weakness. Open source code can be modified by anyone with less than honorable intentions to create backdoors or anything else they please. And even with everyone else doing good by modifying programs and fixing problems, they would still have a hard time finding vulnerabilities placed intentionally by other people.

Any part of this true?

frieza 03-10-2005 12:36 AM

I'm sure there is some grain of truth... but then again, for every malicious person trying to dress a wolf in sheep's clothing... there's someone who can smell the wolf despite the costume... there are people checking this code before it gets released

dalek 03-10-2005 03:05 AM

As a person that only uses Linux, I trust open source way more than I would ever trust M$. If there is a security problem with a closed source OS then you are at the mercy of them. Look at M$. They fix a bug when they are good and ready and you have to wait. With Linux they make a patch available and it is up to you if you want to live with the problem or fix it.

I have noticed that when I get one of those security alerts, the problem is already fixed in Linux and it is being worked on in windoze; some still are. I would say that open source is more secure. There are probably hundreds of thousands of people, if not a million or so, that work on Linux. It is hard for a security problem to last long with that many people looking at it.

If you can do a bit of programming, you can always fix the problem yourself too. You don't have to wait for the fix. Let's see you get the source code for winders. Good luck!! The only people that see that security hole are the people who created it to begin with. Kind of like the fox guarding the hen house. :scratch:


Darin 03-10-2005 04:15 AM

dalek pretty much covered it, but to reiterate a little:

With open source, most security flaws are fixed before they have a chance to be exploited. Since the code is available it usually means that everyone involved will be more conscious of possible security issues. The maintainers of the code almost always put effort into fixing security flaws simply for their pride and reputation. You also have a limitless number of knowledgeable users of the programs (who also have a vested interest in its security because they run these programs) that can see the source and gain full understanding of what it does or does not do. They then use this knowledge to try to discover security issues before the crackers do. With this multi-sided approach and a large enough user base, it's more likely that maintainers and other knowledgeable users will find and resolve security issues before anyone has a chance to exploit them.

With closed-source software, the developers tend to trust in the fact that their code is harder to examine and may not put as much proactive effort into security. Instead, you find this software usually has any security issues resolved in a reactive manner, so you end up waiting for someone to exploit a flaw before seeing a fix for it.

dalek 03-10-2005 04:33 AM

Just to add one more point: If you, or the people you talk to, think that because source code is not available it is more secure, look at windoze. It is the most insecure OS there is. I would trust almost any OS more than windoze. Just because the source code is not readily available does not mean it is secure.

Last I read, there are over 80,000 variants of viruses and such for windoze. There are only a couple dozen or so for Linux. From what I have read there is only one that is not fixed and rendered useless. The one is the rootkit thing, never seen one myself but have read about it.

I have been running Linux since I built this rig, never had windoze, and have yet to have an infection of any kind. I am on dial-up but I go all over the web and get the occasional bug in email. I suspect that I have run up on quite a few bugs but none of them will run or have the ability to access anything that will cause damage. Even if I did get a Linux bug, it would most likely only affect the user I am logged in as. That would not mean I would need to re-install, just delete the infected user and then add it back, removing the user directory in the process. Since I store my documents in a separate directory, I would lose nothing but my preferences and such. Trash the kernel in windoze and you are re-installing and may lose everything. Of course, I could just delete the bug. :D F-prot would find the thing for me.


Oliv' 03-10-2005 07:37 AM

Just to add one more point: If you, or the people you talk to, think that because source code is not available it is more secure, look at windoze.
I'd like to add: that's because you have the source code (or algorithm) that you can trust and think is secure.
For example, if you are paranoid, you can think that Windows' engineers have put backdoors everywhere in their OS to retrieve your personal info like bank account codes... And you can't check whether that's true or false as you don't have the source code.
Another example is crypto algorithms, which are all public (I think there are private ones but those are not the ones which are widely used); everyone knows how they work but it's quite hard to break them. From my point of view, for Open Source it's the same thing :)

dalek 03-10-2005 07:50 AM

It is hard to hide something that is in plain sight. Good point. On the funny side, my Dad did lose his glasses once; they were on the top of his head. He looked for them for about 2 hours before I pointed them out to him. I held up a mirror. :rolleyes:

Anyway, I trust Linux. I do NOT trust windoze, at all. Their track record says it all. As Dr. Phil says, roughly, 'a good predictor of future behaviour is past behaviour'. M$ has proven their code sucks and is not secure. I don't see it changing any time soon.

slacky 03-10-2005 09:01 AM

Another thing to think about when people say open source is less secure than closed source is the assumption that no one gets to look at the closed source code. I know both Microsoft and Cisco have suffered from code leaks from time to time, and Microsoft has its "shared source" or whatever programs where they let other people look at the code. With open source, the fact that everyone can see the code is a known fact, with closed source you don't know who exactly has a copy of the source.

LinuxPadawan 03-10-2005 09:18 AM

One good thing about windows is that everyone spends so much time hating it and creating viruses for it that all the bad attention is off Linux & on Windows.

