Kitz ADSL Broadband Information
Pages: 1 2 [3] 4

Author Topic: OpenSSL; Serious Vulnerability  (Read 15796 times)

roseway

  • Administrator
  • Senior Kitizen
  • Posts: 43568
  • Penguins CAN fly
    • DSLstats
Re: OpenSSL; Serious Vulnerability
« Reply #30 on: April 12, 2014, 10:48:39 PM »

Quote
I'd been coming around to the idea that Open Source software needs to be better scrutinised

By definition, open source software is fully open to scrutiny at all times. That's something you can't say about closed source software. The open source world isn't perfect (nothing is) but I know what I prefer to trust.
  Eric

kitz

  • Administrator
  • Senior Kitizen
  • Posts: 33883
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: OpenSSL; Serious Vulnerability
« Reply #31 on: April 12, 2014, 10:56:33 PM »

>>  I was angling at more them denying being affected...then later saying they were but then patched it...

yup I got what you meant :)   

I also found that statement I emboldened very cleverly worded, and it covers a multitude of sins.
If you read it carefully, what it's saying is "Nobody has yet owned up to compromising our systems, but that's not to say it hasn't been..."

...otherwise they would have said "No customer data has been compromised".
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • Posts: 33883
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: OpenSSL; Serious Vulnerability
« Reply #32 on: April 12, 2014, 10:58:40 PM »

Quote
I'd been coming around to the idea that Open Source software needs to be better scrutinised

By definition, open source software is fully open to scrutiny at all times. That's something you can't say about closed source software. The open source world isn't perfect (nothing is) but I know what I prefer to trust.

Exactly. Mistakes happen, and bugs occur even in the best-written software. What is surprising is how long this has been undiscovered ???
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #33 on: April 12, 2014, 11:23:42 PM »

Quote
I'd been coming around to the idea that Open Source software needs to be better scrutinised

By definition, open source software is fully open to scrutiny at all times. That's something you can't say about closed source software. The open source world isn't perfect (nothing is) but I know what I prefer to trust.

I'm sorry but I can't agree.

In the commercial environment the programmers chosen to work on sensitive and secure software would be selected based on experience and track record. They would also most likely be subject to the most stringent security vetting before being allowed to work on the project, and any changes they make would be subject to fully audited code inspection and high-level management sign-off.

Mistakes may still happen, but they are perhaps less likely?

Chrysalis

  • Content Team
  • Addicted Kitizen
  • Posts: 7388
  • VM Gig1 - AAISP L2TP
Re: OpenSSL; Serious Vulnerability
« Reply #34 on: April 12, 2014, 11:53:41 PM »

Quote
I'd been coming around to the idea that Open Source software needs to be better scrutinised

By definition, open source software is fully open to scrutiny at all times. That's something you can't say about closed source software. The open source world isn't perfect (nothing is) but I know what I prefer to trust.

I'm sorry but I can't agree.

In the commercial environment the programmers chosen to work on sensitive and secure software would be selected based on experience and track record. They would also most likely be subject to the most stringent security vetting before being allowed to work on the project, and any changes they make would be subject to fully audited code inspection and high-level management sign-off.

Mistakes may still happen, but they are perhaps less likely?


Compare the number of disclosed vulns on OpenSSL to e.g. Windows.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #35 on: April 13, 2014, 12:05:24 AM »

Compare the number of disclosed vulns on OpenSSL to e.g. Windows.

There have been none to my knowledge that remotely compare to Heartbleed. :)

But it is an unfair comparison to the programmers too. In the commercial world if one made a mistake, one simply accepted a poor annual review and moved on. The employer took the flak. But I have already seen websites naming the individual who wrote this bug. And that's definitely not fair. The guy's probably a lot cleverer than I ever was, yet here he is in the world headlines, just 'cos of one little slip-up... :(

roseway

  • Administrator
  • Senior Kitizen
  • Posts: 43568
  • Penguins CAN fly
    • DSLstats
Re: OpenSSL; Serious Vulnerability
« Reply #36 on: April 13, 2014, 07:35:29 AM »

The point about closed source software is that we just don't know what happens behind the closed doors. We have no idea how many times vulnerabilities and bugs have been discovered and quietly fixed without the world knowing, nor do we know how long it took to discover and fix them. The commercial companies aren't going to tell us, for fear of being sued for consequent damages. And we can be sure that there are bugs still lurking which haven't yet been discovered.

By contrast, open source issues happen in the open. There are no secrets. When bugs are discovered, the world knows in a flash, and the issues get fixed very quickly. Open source works by an informal process of peer review, which may seem haphazard, but is far more satisfactory than the reliance on goodwill and good practice in commercial companies.

The seriousness of the Heartbleed issue is of course in the fact that it took so long to be discovered. But that, together with the fact that there are no publicly known instances of its ever being exploited, means that it must be quite obscure. There are lots more obscure bugs out there, in both open source and closed source software. It's an imperfect world.
  Eric

Berrick

  • Reg Member
  • Posts: 287
Re: OpenSSL; Serious Vulnerability
« Reply #37 on: April 13, 2014, 08:26:41 AM »

I have to agree with Eric.

Open source is most likely more secure than closed source software. Because it is "open", more eyes get to see the source and contribute or spot mistakes, which can then be corrected.
Growing old is mandatory; Growing up is optional

broadstairs

  • Kitizen
  • Posts: 3700
Re: OpenSSL; Serious Vulnerability
« Reply #38 on: April 13, 2014, 08:41:06 AM »

I agree with Eric on open source.

I think one thing which is probably misunderstood by the public at large is that there is really no such thing as an error or bug in the actual code created. The problem is that the code executes exactly as the writer coded it, the problem happens at the design stage where not all possibilities of using the software have been considered and actually it is unlikely you could ever do this. This is why you will always find problems when software is rolled out - there is nothing like millions of users running the software to find problems. So no matter how much peer review or any other kind of review is carried out prior to software being released I contend you will never find ALL the potential design flaws, and somebody somewhere is likely to find one. This applies as much to commercial closed source as it does to open source. The person who designs/codes flaw free software has not been born yet! Neither has the reviewer who finds all the flaws!!

Stuart
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #39 on: April 13, 2014, 09:42:44 AM »

It would appear then that I am outnumbered on this one.  :-[

I could argue that whatever the perceived benefits of Open Source may be, it has now been demonstrated that they can still lead to howling security bloomers, and arguably one of the biggest bloomers of all time. And, with that evidence in mind, the suitability of using Open Source for 'secure' products ought to be reassessed.

But I'm outnumbered and so instead of arguing the case above, I will pipe down now. :P

broadstairs

  • Kitizen
  • Posts: 3700
Re: OpenSSL; Serious Vulnerability
« Reply #40 on: April 13, 2014, 09:55:19 AM »

It would appear then that I am outnumbered on this one.  :-[

I could argue that whatever the perceived benefits of Open Source may be, it has now been demonstrated that they can still lead to howling security bloomers, and arguably one of the biggest bloomers of all time. And, with that evidence in mind, the suitability of using Open Source for 'secure' products ought to be reassessed.

But I'm outnumbered and so instead of arguing the case above, I will pipe down now. :P

I think the point here is that I don't believe that commercial software is any more immune to this kind of error than the open source community. They are both exposed in exactly the same way.

I don't think this is one of the biggest bloomers of all time; certainly a serious issue, but there have been others just as big which have not caught the public eye in the same way.

What I do think is that in general the open source community is more 'open' to admitting their problems and fixing them in a fast and effective way. In commercial software this kind of issue would be covered up if at all possible for financial reasons, and it is far more likely that a new paid-for version would appear which said that it just fixed some security issues without ever admitting what those issues were or what their effect was, IF they could get away with it.

Stuart
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

snadge

  • Kitizen
  • Posts: 1450
Re: OpenSSL; Serious Vulnerability
« Reply #41 on: April 13, 2014, 08:47:23 PM »

Am I right in saying that with Open Source (while I agree it's good) it makes it available to hackers with ease to probe and find ways in, whereas closed source requires some knowledge/skill/experience in being able to "reverse engineer" the software to "find ways in"?
Aquiss - 900/110/16ms - TP-Link AR73

roseway

  • Administrator
  • Senior Kitizen
  • Posts: 43568
  • Penguins CAN fly
    • DSLstats
Re: OpenSSL; Serious Vulnerability
« Reply #42 on: April 13, 2014, 10:52:44 PM »

I can't really answer that question, as I know nothing about how people discover vulnerabilities in software. Certainly you can decompile or disassemble software to make it more human-readable. But I rather doubt that the vulnerabilities are discovered by poring over the source code; I think it's far more likely that they hit the software with various attacks and see what pops out.
  Eric

broadstairs

  • Kitizen
  • Posts: 3700
Re: OpenSSL; Serious Vulnerability
« Reply #43 on: April 14, 2014, 08:15:04 AM »

Having spent most of my working life fixing bugs in commercial software where I did have the source code, I can say that even when you know the issue and have the source it is often still time-consuming and difficult to fix problems. So yes, it is unlikely hackers use source code to find problems; as Eric suggests, it is far more likely that they try brute force methods and see what pops out.

Stuart
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

snadge

  • Kitizen
  • Posts: 1450
Re: OpenSSL; Serious Vulnerability
« Reply #44 on: April 14, 2014, 01:21:13 PM »

...but I would imagine it would be easier if you knew how it was constructed (open source). I'm no programmer (I know the fundamentals; I used to program in BASIC in my teens), but I imagine that it would be easier to 'break in' if you had access to the "blueprints" (if you will) than it would if you didn't have them?
« Last Edit: April 14, 2014, 01:23:28 PM by snadge »
Aquiss - 900/110/16ms - TP-Link AR73