Security — Open Vs. Closed 101
AlexGr points out an article in ACM Queue, "Open vs. Closed," in which Richard Ford prods at all the unknowns and grey areas in the question: is the open source or the closed source model more secure? While Ford notes that "there is no better way to start an argument among a group of developers than proclaiming Operating System A to be 'more secure' than Operating System B," he goes on to provide a nuanced and intelligent discussion on the subject, which includes guidelines as to where the use of "security through obscurity" may be appropriate.
Printable view link (Score:1, Informative)
Cleverly hidden on page 2 of 4 advertisement-riddled pages. You would think ACM could focus on the content with fewer distractions than other sites... guess not.
Re:Simple (Score:4, Informative)
Re:My light fixtures are safe, really, trust me. (Score:2, Informative)
Re:closed source is just one aspect (Score:3, Informative)
See: http://rmh.blogs.com/weblog/2005/05/is_microsoft_
Those posts are somewhat old, but the trend apparently continues if you go check Secunia, or your favorite vulnerability lists.
Re:security through obscurity just another layer (Score:3, Informative)
Not to mention disable password logins altogether, and only allow logins using a key pair (known as public key authentication in SSH terminology). This makes a password guessing attack impossible, and an attacker must either guess (or obtain in another way) your private key, or find a security vulnerability in the software itself. This approach is somewhat more cumbersome to administer, though very secure.
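An added example, not part of the original comment: a small Python audit of `sshd_config` text for the key-only setup described above. It assumes a single file (no `Include` handling) and the defaults documented in OpenSSH's sshd_config(5); the function names and the sample config are constructed for illustration.

```python
# Added example (not from the original post); Include directives are not followed.
import re

# Defaults per sshd_config(5): all three are "yes" when unset.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # deprecated alias
PASSWORD_LIKE = ("passwordauthentication", "kbdinteractiveauthentication")

def parse(config_text):
    """Return (global_settings, [(match_criteria, settings), ...])."""
    global_cfg, matches = {}, []
    current = global_cfg
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
        elif key in DEFAULTS:
            # sshd keeps the FIRST value seen for a keyword; later ones are ignored.
            current.setdefault(key, value.lower())
    return global_cfg, matches

def findings(config_text):
    """List reasons the config still allows password-style logins or blocks keys."""
    global_cfg, matches = parse(config_text)
    effective = {**DEFAULTS, **global_cfg}
    out = [f"global: {k} is {effective[k]}" for k in PASSWORD_LIKE if effective[k] != "no"]
    if effective["pubkeyauthentication"] != "yes":
        out.append("global: pubkeyauthentication is disabled")
    for criteria, cfg in matches:
        out += [f"match {criteria}: {k} is {cfg[k]}" for k in PASSWORD_LIKE
                if cfg.get(k, "no") != "no"]
    return out

# Constructed sample: kbd-interactive left at default, a Match block re-enables passwords.
SAMPLE = """\
PasswordAuthentication no
PasswordAuthentication yes   # ignored: first value wins
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is useful for reviewing config files offline.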
Re:My light fixtures are safe, really, trust me. (Score:3, Informative)
1) Even if the source code is available for people to check, if nobody else bothers checking but the author, there's no difference, right?
2) It's the quality of the checking, not the quantity. A billion stupid monkeys won't know the difference between good code and bad code.
What you should do is see who made the stuff and what their track record is like.
I can confidently say Firefox will continue to have regular security bugs for years, and that any claims that it is far more secure than IE are hype. The fact that it is written in an unsafe language and crashes regularly means it has both code quality issues and security issues. Don't even need to look at the source to tell.
It seems as if there are fewer than 10 people in the world who know how to code safely in C (or C++) AND actually do it.
I'm definitely not one of them.