Toward healthy paranoia

Posted Sep 12, 2013 21:09 UTC (Thu) by anselm (subscriber, #2796)
In reply to: Toward healthy paranoia by renox
Parent article: Toward healthy paranoia

> security has not really been a concern in FOSS community (like in the proprietary software world): it's features first and then security is bolted on afterwards, which of course doesn't work.

What makes you think that the situation in the proprietary software world is in any way different?

At least in the FOSS community, projects – unlike proprietary software vendors – have nothing to gain by trying to keep security issues secret and unfixed.


Toward healthy paranoia

Posted Sep 13, 2013 7:43 UTC (Fri) by renox (subscriber, #23785) [Link]

> What makes you think that the situation in the proprietary software world is in any way different?

Ah, I see, what I wrote is ambiguous. To clarify: I think that it is the same in the proprietary software world as in the FOSS community: security isn't really a concern, just an afterthought.

Proof that FOSS doesn't really care about security:
- C instead of 'safe by default' languages such as Ada (for example).
- the X design: any application can snoop on other applications
...

I'm sure that spender could come up with a list with a hundred items.

Toward healthy paranoia

Posted Sep 13, 2013 10:42 UTC (Fri) by hummassa (subscriber, #307) [Link]

I would say that in the proprietary world security is not even an afterthought like it is in the FLOSS world... it's some annoying thing you have to do if vulnerabilities explode on you and make you look bad to the press.

Toward healthy paranoia

Posted Sep 13, 2013 11:42 UTC (Fri) by spender (subscriber, #23067) [Link]

Since I've been summoned:

Say what you will about the intentions for fixing vulnerabilities in the proprietary world. I find it to be the same for the Linux kernel really.

What's undeniable though is the dramatic change Microsoft has made in their development processes (SDL) and entire approach to security (EMET, etc). In his now-famous memo (http://www.wired.com/techbiz/media/news/2002/01/49826) Bill Gates identified security as a systemic threat to his business.

Contrast this to the Linux kernel, which is still very much in an old mindset. Even the Linux kernel's security pride and joy, its ability to publish timely fixes in response to submitted reports, is rendered ineffective by upstream's inability and unwillingness to communicate the importance of those fixes. In the space of any other commercial product based on Linux (Android, NASes, etc), you also have the problem of those fixes just not getting out to the users at all.

-Brad

Toward healthy paranoia

Posted Sep 13, 2013 13:17 UTC (Fri) by anselm (subscriber, #2796) [Link]

> Say what you will about the intentions for fixing vulnerabilities in the proprietary world. I find it to be the same for the Linux kernel really.

I agree that the Linux kernel development community could do a lot to improve their handling of security issues. That does not detract from the observation that most FOSS projects are much more open about security than most proprietary vendors. The Apache web server project, for example, seems to do a decent job of dealing with security issues and their fixes.

> What's undeniable though is the dramatic change Microsoft has made in their development processes […]

Microsoft may be better than they used to be but they often still need extensive prodding before acknowledging, let alone fixing, security issues. In many cases it requires an active exploit out in the wild to get most vendors to do anything, mostly because the act of having to publish patches at all means bad PR (for having been vulnerable in the first place). It is also difficult to get customers to install the patches, and there is a chance of introducing new bugs when patching existing ones, which is why after-market upgrades are often viewed as a bad idea, and are restricted to the most egregious problems. For a vendor it often pays to sit on problems that are not being actively exploited, where in the FOSS community (with the possible exception of some projects like the Linux kernel) proactive fixing of even theoretical security issues is generally welcomed.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds