Is Open-Source Software Less Secure? (TechWeb)

TechWeb jumps into the debate about the security of open source vs. closed source. "A recent analyst report claiming open-source software surpassed Microsoft as the major source of severe security flaws has rekindled the security debate over open source versus proprietary software. The Aberdeen Group says open-source software, including the popular Linux OS and a wide variety of applications, has pushed aside Microsoft as the "poster child" for security problems."

Is Open-Source Software Less Secure? (TechWeb)

Posted Nov 22, 2002 22:16 UTC (Fri) by Strike (guest, #861)

For the first 10 months of the year, 16 out of 29 security advisories published by CERT were for open-source or Linux software. Only seven involved Microsoft products.

I'd say that this tips the scales in the favor of OSS, considering I'd wager that there is at least twice as much if not more like ten times (or even more!) the amount of open source software than there is Microsoft software. Not to mention it doesn't deal with the severity of the advisories.

... Sales of new Linux operating-system licenses declined 5 percent from 2000 to 2001.

And could that be because you don't have to buy a license for most of them? Hmmm...

The way Aberdeen sees it, open source software has a disadvantage in security because no single organization is responsible for releasing patches, Aberdeen analyst Eric Hemmendinger says.

Forget about the fact that you aren't relying on a group of people to do the fixes FOR you. Yeah, instead of one single organization having the ability (and therefore the responsibility) of releasing a patch, anyone can do it - making you just as responsible as the next guy. Heaven forbid people accept culpability these days.

And lastly, this guy makes me smile and then totally disappoints me, all in one paragraph:

Young will only buy software if the vendor guarantees patches in less than a day when a major vulnerability is discovered. Assuming that an open source and a proprietary product are equal in quality, Young believes open source software is still less secure because of its development process, and would have to be convinced otherwise. "Open source means it's an open book, and anyone that wants to understand how the process works can," Young said. "Understanding how something works, because it's open source, does give the bad guys an advantage in bypassing security."

I think that's a great policy to adopt for buying software. And I'll wager he'd never get Microsoft to commit to such a license (which makes me wonder what OS he is running, assuming he did buy that software... maybe it's an embedded solution or some other less popular one). Yet, he fails to see the potential behind the "with many eyes, all bugs are shallow" credo. Sure, there have to be eyes looking, but the number of good eyes looking is pretty much proportional to the number of bad eyes looking in just about any case (i.e., popular software will be more scrutinized by both white hats and black hats alike than unpopular software, which may not have rapid development, but is also not a high-risk candidate for black hat attacks either).

So, in short, I think Aberdeen is full of it. :)

Is Open-Source Software Less Secure? (TechWeb)

Posted Nov 22, 2002 23:00 UTC (Fri) by brugolsky (✭ supporter ✭, #28)

"Young will only buy software if the vendor guarantees patches in less than a day when a major vulnerability is discovered."

One word: teardrop.

Is Open-Source Software Less Secure? (TechWeb)

Posted Nov 26, 2002 14:40 UTC (Tue) by Peter (guest, #1127)

One word: teardrop.

One 32-bit word: f00fc7c8.

Came out in July 1998, I think. A fixed Linux kernel was out within about 5 days; the fixed Windows kernel, NT 5, came some 18 months later. (Or is Win2k secure against f00f? I've never tested it, actually.)

I suppose not everyone considers Instant Unprivileged Local Freeze to be a "major vulnerability", though.

F00F bug

Posted Dec 15, 2002 9:02 UTC (Sun) by rickmoen (subscriber, #6943)

Six days for Linux's kernel fix -- and that was without the benefit of inside information that Intel was willing to divulge only with an NDA. The F00F bug came to public notice on Thursday, Nov. 6, 1997, through an anonymous Usenet post, though it turns out that Intel had been advised of the bug long before and taken (it seems) no action. A fix got posted to LKML the evening of Wednesday, Nov. 12, 1997. I believe Linux was the second OS to have a fix, after BSD OS -- and BSDi had the aforementioned inside help from Intel.

I have an archive of posts on the subject at http://linuxmafia.com/~rick/linux-info/f00f.

Rick Moen
rick@linuxmafia.com

Is Open-Source Software Less Secure? (TechWeb)

Posted Nov 23, 2002 12:51 UTC (Sat) by ajay (guest, #8162)

looks like redmond funded this article. anyway ms is changing gears and has become overtly security concerned. hmmm, i will definitely begin hating my OS when its security features stop me from ripping my audio CDs

Is Open-Source Software Less Secure? (TechWeb)

Posted Nov 23, 2002 18:47 UTC (Sat) by ken_i_m (guest, #4938)

The article conflates the issue by making the assumption that all bugs are equal. The recent news of M$'s teflon bug (applied patches don't stay stuck) is a prime example. The bugs in Windows are a separate species from OSS. M$ bugs tend to be so fundamental that the best way to fix them is to fdisk and install a different OS.

As a side note, I wonder how much Mr. G had to pay for the flak.

I think, therefore, ken_i_m
Chief Gadgeteer, Elegant Innovations

Is Open-Source Software Less Secure? (TechWeb)

Posted Nov 26, 2002 1:41 UTC (Tue) by hazelsct (guest, #3659)

This "teflon bug" sounds pretty severe! Where can I read more about it?

Is Open-Source Software Less Secure? (TechWeb)

Posted Nov 25, 2002 9:56 UTC (Mon) by beejaybee (guest, #1581)

Surely the point here is that M$ get away with posting a fearsome vulnerability as one item - by claiming it's in (multiple versions of) Internet Explorer, as opposed to one vulnerability against each of their operating systems which might be affected - whereas vulnerabilities in linux are claimed once for each distribution.

Lies, damned lies & statistics (as usual).

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds