Security — Open Vs. Closed 101

AlexGr points out an article in ACM Queue, "Open vs. Closed," in which Richard Ford prods at all the unknowns and grey areas in the question: is the open source or the closed source model more secure? While Ford notes that "there is no better way to start an argument among a group of developers than proclaiming Operating System A to be 'more secure' than Operating System B," he goes on to provide a nuanced and intelligent discussion on the subject, which includes guidelines as to where the use of "security through obscurity" may be appropriate.

  • by $RANDOMLUSER ( 804576 ) on Tuesday February 06, 2007 @04:20PM (#17909964)
    Is always a good first line of defense. At least it keeps out the riff-raff. Until someone smarter writes the scripts for them.
  • by ThinkFr33ly ( 902481 ) on Tuesday February 06, 2007 @04:21PM (#17909982)
    But those same companies are at the mercy of consumers, just like anybody else. If there is enough bad press due to the poor security of the product, the company will be forced to fix things. This is especially true for companies that sell software to large corporations.

    Microsoft really is a case in point. They did a lot of what you described, got nailed for it by the press, by consumers, and by corporations, and they really did change their ways. Their Secure Development Lifecycle [microsoft.com] has turned out some pretty high quality releases. For instance, IIS 6 has far fewer vulnerabilities than Apache. One certainly couldn't say that for IIS 5.
  • Re:Simple (Score:3, Interesting)

    by Marillion ( 33728 ) <ericbardes&gmail,com> on Tuesday February 06, 2007 @04:28PM (#17910086)

    I don't agree.

    The central server for a system of airport flight information display screens (FIDS) where I once worked ran an operating system called iRMX. It had pathetic security. The only thing that kept that system secure was the lock on the door to the room.

  • My Take (Score:5, Interesting)

    by RAMMS+EIN ( 578166 ) on Tuesday February 06, 2007 @04:30PM (#17910134) Homepage Journal
    The same old argument for openness applies to open source. You have to assume the black hats will find and try to exploit vulnerabilities. Without that assumption, there isn't much to worry about. But given that the black hats will find vulnerabilities and use them, the best thing we can do is to make sure the white hats find the vulnerabilities, too. This way, the vulnerabilities can be fixed or worked around (e.g. through firewalls). The vulnerabilities exist whether or not you know about them, but, if you know about them, you can take adequate measures. Open source makes it easier to find vulnerabilities, and thus, to know about vulnerabilities.

    Of course, open source also makes it easier for the black hats to find the vulnerabilities. So there's an arms race here. If the black hats find the vulnerability first, they can exploit it before it gets patched or worked around. If the white hats find it first, it can be fixed or worked around before it is exploited. The same arms race exists for closed source and open source, but, in the case of closed source software, the developers are (supposedly) the only ones with the source code, which gives them a slight edge in the arms race.

    So it seems that both open source and closed source have advantages and disadvantages when it comes to security. Furthermore, I think that both arguments are theoretical, and the advantages that both models have are not always exploited. Having the source available does not help if no white hats are actually auditing it. And this is why open source wins, in my book. With open source, if you're concerned about vulnerabilities in the software and don't trust the rest of the world to have done proper audits and notified you about the results, you can do your own audit. If the developers of the software don't fix the vulnerabilities to your satisfaction, you can do so yourself. With closed source, you are at the mercy of the vendor. If they don't do proper audits, you're out of luck. If they don't fix vulnerabilities, you're out of luck.

    Proprietary software vendors do not always have your best interests in mind. It's not unusual for vendors to keep silent about vulnerabilities found and/or fixed in their software, and some vendors have even threatened or sued people who have disclosed vulnerabilities in the vendor's software. The reputation is more important than the _actual_ security of the product, because the actual security is unknowable. With open source, such tactics don't work. The source is out there, anyone can find the vulnerabilities and assess the security for themselves. If things are fixed, anyone can make a diff between the two versions and see what was fixed. They can't keep the information from you. Your security benefits from that.
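    One way to act on the "diff the two versions" point in the post above, as an added example that is not part of this post or of the ACM Queue article: a small Python script that takes the old and new text of a source file, produces a unified diff with the standard library, and flags added lines that look like input-validation or memory-safety fixes so a reviewer can triage a silent release first. The two C snippets and the heuristic patterns are constructed for illustration and are assumptions, not a definitive list of what a security fix looks like.

```python
"""Flag diff hunks that look like silently fixed security bugs.

Added example for this thread (not Slashdot's or the article's code).
BEFORE/AFTER are constructed C snippets; the patterns are heuristics chosen
for illustration, not an authoritative signature list.
"""
import difflib
import re

# Added lines matching one of these often belong to fixes for
# memory-safety or input-validation bugs. First match wins.
SUSPICIOUS_PATTERNS = [
    (r"\b(sizeof|strlen|len|length|size)\b.*[<>]=?", "bounds/length check"),
    (r"\b(strncpy|strlcpy|snprintf|strncat)\b", "bounded string function"),
    (r"==\s*NULL|!=\s*NULL", "null check"),
    (r"\breturn\s+(-1|NULL|false|EINVAL)\b", "early error return"),
]

# Constructed "old release": an unbounded copy.
BEFORE = """\
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}
"""

# Constructed "new release": the same function with a length check,
# a bounded copy and explicit termination, but no changelog entry.
AFTER = """\
int copy_name(char *dst, const char *src, size_t dstlen) {
    if (src == NULL || strlen(src) >= dstlen)
        return -1;
    strncpy(dst, src, dstlen);
    dst[dstlen - 1] = '\\0';
    return 0;
}
"""


def unified_diff(before, after, name="file.c"):
    """Return the unified diff between two versions as a list of lines."""
    return list(difflib.unified_diff(
        before.splitlines(), after.splitlines(),
        fromfile=name + " (old)", tofile=name + " (new)", lineterm=""))


def classify_added_lines(diff_lines):
    """Return [(added_line, reason)] for added lines matching a heuristic."""
    hits = []
    for line in diff_lines:
        # Skip removed/context lines and the '+++' file header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if re.search(pattern, body):
                hits.append((body.strip(), reason))
                break
    return hits


def find_silent_fixes(before, after):
    """Diff two versions and report the added lines worth a closer look."""
    return classify_added_lines(unified_diff(before, after))


if __name__ == "__main__":
    for line in unified_diff(BEFORE, AFTER):
        print(line)
    print()
    for text, reason in find_silent_fixes(BEFORE, AFTER):
        print(f"{reason:24s} {text}")
```

    Run against real releases you would feed it the two versions of each changed file (for instance from the two source tarballs) and skim only the flagged hunks; the heuristic is intentionally loose, so expect some false positives and treat it as a triage aid, not a verdict.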
  • Re:Simple (Score:3, Interesting)

    by CastrTroy ( 595695 ) on Tuesday February 06, 2007 @04:33PM (#17910168)
    Why wouldn't people want to use a secure operating system? I know you're trying to say that the vulnerabilities only show up once people try to break the system, and crackers only try to break popular systems. However, I don't believe that it's a tautology that a system has to have vulnerabilities. If they developed a system that actually didn't have vulnerabilities, and actually ran all the necessary software, then wouldn't everybody start using that? I think the only thing holding back Linux is good hardware and software support. The "operating system", including the kernel up to the desktop environment, is very good. The only problem is that a lot of hardware doesn't work well, and there aren't a lot of applications you can run that will run on Windows.
  • by RAMMS+EIN ( 578166 ) on Tuesday February 06, 2007 @04:45PM (#17910376) Homepage Journal
    ``This means there is no way to define a 'more secure' approach, and therefore all we can do is discuss individual products in comparison with one another.''

    And I'm saying that even that is pretty meaningless. Five vulnerabilities were fixed in Mozilla last week, and two in Opera. Which is more secure? Twelve new vulnerabilities have been discovered in Firefox, and one in Opera. Which is more secure? The Apache servers in our sample have been broken into 50 times during the course of our study, compared to 3 break-ins for lighttpd. Which is more secure? A team of five experts found three vulnerabilities in the NT kernel and two in Linux. Which is more secure? Static analysis found 10000 possible vulnerabilities in Konqueror and Microsoft reports static analysis found 1000 possible vulnerabilities in MSIE. Which is more secure? Which of the mentioned products should you select, based on the given facts, if your goal is to minimize future break-ins?

    I honestly don't know the answer to any of the questions I asked. I really think none of the (fictional) data I gave says anything about the relative security of the products it ostensibly pertains to. I _feel_ more secure running OpenBSD than Windows 2000, and, given the absence of reports of OpenBSD machines being broken into on a large scale, that feeling seems justified. But this is entirely based on something that I _don't_ know. I _don't_ know that OpenBSD machines are massively broken into, and thus, I feel safe. However, I also don't know that they are _not_ massively broken into, so my feeling could be entirely misplaced. I certainly don't know that there are no holes in OpenBSD, so even if it hasn't been massively exploited up to now, it could start tomorrow. All I have is the assurance of the developers that they make great efforts to improve security. I believe them, hope they are indeed doing so, and hope they are actually _achieving_ better security that way. But I don't _know_ that.
  • This is slightly off-topic, but a while back I got interested in OpenVMS, and VAX stuff in general. (I started doing some research because I thought I was going to get stuck doing some turd polishing of old mainframe software, but it never materialized. But by then I was just interested.) Even in hindsight (given that I think we can agree that UNIX-derivatives seem to have gained traction over VMS), it's extremely difficult to find any sort of rational comparisons of VAX/VMS and its architecture and design paradigms to that of UNIX. Whenever someone asks, the response is basically "don't ask [hp.com], you don't want to start that." Nobody wants to talk about anything that might invite UNIX/VMS comparisons, because it will cause flamewars -- even though such a discussion, at this point, might be interesting and productive. (There are so many people around who aren't familiar with VMS, or anything other than Windows and UNIX, that any perspective besides those would be worthwhile.)

    At any rate, it struck me as interesting, because sometimes it's easy to assume that Windows/Linux (or Windows/Mac, or Windows/something) is the first Great OS War. But people have been getting emotionally attached to operating systems, probably as long as they have existed; and ever since, it has helped quash rational discussion, both through flamewars themselves, but also because of self-censorship that occurs, in order to try and prevent arguments.
  • by VolciMaster ( 821873 ) on Tuesday February 06, 2007 @05:02PM (#17910744) Homepage

    For instance, IIS 6 has far fewer vulnerabilities than Apache. One certainly couldn't say that for IIS 5.

    I've never heard anyone quote such a stat. Where does said statistic come from?
