Old 03-09-2005, 10:50 PM   #1
LinuxPadawan
Member
 
Registered: Mar 2005
Location: USA
Distribution: Fedora Core 3
Posts: 114

Rep: Reputation: 15
Is Open Source secure?


I've heard people say that open source is not secure because its very strength (being open) is also its weakness. Open source code can be modified by anyone with less than honorable intentions to create backdoors or anything else they please. And even with everyone else doing good by modifying programs and fixing problems, they would still have a hard time finding vulnerabilities placed intentionally by other people.

Any part of this true?

Last edited by LinuxPadawan; 04-15-2005 at 11:03 PM.
 
Old 03-10-2005, 12:36 AM   #2
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
I'm sure there is some grain of truth... but then again for every malicious person trying to dress a wolf in sheep's clothing... there's someone who can smell the wolf despite the costume... there are people checking this code before it gets released
 
Old 03-10-2005, 03:05 AM   #3
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
As a person that only uses Linux, I trust open source way more than I would ever trust M$. If there is a security problem with a closed source OS then you are at the mercy of them. Look at M$. They fix a bug when they are good and ready and you have to wait. With Linux they make a patch available and it is up to you if you want to live with the problem or fix it.

I have noticed that when I get one of those security alerts that the problem is already fixed in Linux and it is being worked on in windoze, some still are. I would say that open source is more secure. There are probably hundreds of thousands of people, if not a million or so, that work on Linux. It is hard for a security problem to last long with that many people looking at it.

If you can do a bit of programming, you can always fix the problem yourself too. You don't have to wait for the fix. Let's see you get the source code for winders. Good luck!! The only people that see that security hole are the people who created it to begin with. Kind of like the fox guarding the hen house.

Later

 
Old 03-10-2005, 04:15 AM   #4
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
dalek pretty much covered it, but to reiterate a little:

With open source, most security flaws are fixed before they have a chance to be exploited. Since the code is available it usually means that everyone involved will be more conscious of possible security issues. The maintainers of the code almost always put effort into fixing security flaws simply for their pride and reputation. You also have a limitless number of knowledgeable users of the programs (who also have a vested interest in its security because they run these programs) that can see the source and gain full understanding of what it does or does not do. They then use this knowledge to try to discover security issues before the crackers do. With this multi-sided approach and a large enough user base, it's more likely that maintainers and other knowledgeable users will find and resolve security issues before anyone has a chance to exploit them.

With closed-source software, the developers tend to trust in the fact that their code is harder to examine and may not put as much proactive effort into security. Instead, you find this software usually has any security issues resolved in a reactive manner, so you end up waiting for someone to exploit a flaw before seeing a fix for it.
 
Old 03-10-2005, 04:33 AM   #5
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
Just to add one more point: If you, or the people you talk to, think that because source code is not available that it is more secure, look at windoze. It is the most unsecure OS there is. I would trust almost any OS more than windoze. Just because the source code is not readily available does not mean it is secure.

Last I read, there are over 80,000 variants of viruses and such for windoze. There are only a couple dozen or so for Linux. From what I have read there is only one that is not fixed and rendered useless. The one is the rootkit thing, never seen one myself but have read about it.

I have been running Linux since I built this rig, never had windoze, and have yet to have an infection of any kind. I am on dial-up but I go all over the web and get the occasional bug in email. I suspect that I have run up on quite a few bugs but none of them will run or has the ability to access anything that will cause damage. Even if I did get a Linux bug, it would most likely only affect the user I am logged in as. That would not mean I would need to re-install, just delete the infected user and then add it back, removing the user directory in the process. Since I store my documents on a separate directory, I would lose nothing but my preferences and such. Trash the kernel in windoze and you are re-installing and may lose everything. Of course, I could just delete the bug. F-prot would find the thing for me.

Later

 
Old 03-10-2005, 07:37 AM   #6
Oliv'
Senior Member
 
Registered: Jan 2004
Location: Montpellier (France)
Distribution: Gentoo
Posts: 1,014

Rep: Reputation: 36
Quote:
Just to add one more point: If you, or the people you talk to, think that because source code is not available that it is more secure, look at windoze.
I'd like to add: it's because you have the source code (or algorithm) that you can trust it and think it's secure.
For example, if you are paranoid, you can think that Windows' engineers have put backdoors everywhere in their OS to retrieve your personal info like bank account codes... And you can't check whether that's true or false as you don't have the source code.
Another example is crypto algorithms, which are all public (I think there are private ones but those are not the ones which are widely used): everyone knows how they work but it's quite hard to break them. From my point of view, for Open Source that's the same thing.
 
Old 03-10-2005, 07:50 AM   #7
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
It is hard to hide something that is in plain sight. Good point. On the funny side, my Dad did lose his glasses once, they were on the top of his head. He looked for them for about 2 hours before I pointed them out to him. I held up a mirror.

Anyway, I trust Linux. I do NOT trust windoze, at all. Their track record says it all. As Dr. Phil says roughly, 'a good predictor of future behaviour is past behaviour'. M$ has proven their code sucks and is not secure. I don't see it changing any time soon.

Any more questions????

Later

 
Old 03-10-2005, 09:01 AM   #8
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Rep: Reputation: 16
Another thing to think about when people say open source is less secure than closed source is the assumption that no one gets to look at the closed source code. I know both Microsoft and Cisco have suffered from code leaks from time to time, and Microsoft has its "shared source" or whatever programs where they let other people look at the code. With open source, the fact that everyone can see the code is a known fact; with closed source you don't know who exactly has a copy of the source.
 
Old 03-10-2005, 09:18 AM   #9
LinuxPadawan
Member
 
Registered: Mar 2005
Location: USA
Distribution: Fedora Core 3
Posts: 114

Original Poster
Rep: Reputation: 15
One good thing about windows is that everyone spends so much time hating it and creating viruses for it that all the bad attention is off Linux & on Windows.
 
  

