Security — Open Vs. Closed

AlexGr points out an article in ACM Queue, "Open vs. Closed," in which Richard Ford prods at all the unknowns and grey areas in the question: is the open source or the closed source model more secure? While Ford notes that "there is no better way to start an argument among a group of developers than proclaiming Operating System A to be 'more secure' than Operating System B," he goes on to provide a nuanced and intelligent discussion on the subject, which includes guidelines as to where the use of "security through obscurity" may be appropriate.

Printable view link

[Anonymous Coward]

http://www.acmqueue.com/modules.php?name=Content&p a=printer_friendly&pid=453&page=2 [acmqueue.com]

Cleverly hidden on page 2 of 4 advertisement-riddled pages. You would think ACM could focus on the content with less distractions than other sites...guess not.

Re:Simple

[$RANDOMLUSER]

That was Intel's Realtime Multitasking eXecutive - a REAL TIME operating system. Security wasn't its job. You may as well ask how the security on QNX or a PLC is. Answer: nobody cares, as long as the I/O completes on time.

Re:My light fixtures are safe, really, trust me.

[ninja_assault_kitten]

Closed doesn't mean nobody has seen it. MS for example gives it source code to many 3rd parties for review and analysis. If source code is subject to extensive 3rd party review, closing it to the general public adds an additional layer of security. Security through Obsurity may not be a great stand alone security model, but as part of security indepth it can be. It should be used as one of many layers.

Re:closed source is just one aspect

[ThinkFr33ly]

See: http://blogs.msdn.com/michael_howard/archive/2004/ 10/15/242966.aspx [msdn.com]
See: http://rmh.blogs.com/weblog/2005/05/is_microsoft_i i.html [blogs.com]

Those posts are somewhat old, but the trend apparently continues if you go check Secunia, or your favorite vulnerability lists.

Re:security through obscurity just another layer

[init100]

Without security through obscurity, you can do things like keep OpenSSH patched, use very good passwords, disallow root logins, restrict logins to certain users

Not to mention disable password logins altogether, and only allow logins using a key pair (known as public key authentication in SSH terminology). This makes a password guessing attack impossible, and an attacker must either guess (or obtain in another way) your private key, or find a security vulnerability in the software itself. This approach is somewhat more cumbersome to administrate though, but very secure.

Re:My light fixtures are safe, really, trust me.

[TheLink]

In my experience there is no big difference between the security of closed and open software.

1) Even if the source code is available for people to check, if nobody else bothers checking but the author there's no difference right?
2) It's the quality of the checking not the quantity. A billion stupid monkeys won't know the difference between good code or bad code.

What you should do is see who made the stuff and what their track record is like.

I can confidently say Firefox will continue to have regular security bugs for years, and that any claims that it is far more secure than IE are hype. The fact that it is written in an unsafe language and crashes regularly means it has both code quality issues and security issues. Don't even need to look at the source to tell.

It seems as if that there are fewer than 10 people in the world who know how to code safely in C (or C++) AND actually do it.

I'm definitely not one of them.