Open source, closed source - equally secure


Ed Hansberry
06-21-2002, 08:14 PM
http://news.com.com/2100-1001-938124.html

I know many of our readers are Linux fans and may even have a Linux based PDA, so I thought this would be somewhat interesting. One of the comments I've heard about Linux and other open source software is it is inherently more secure than closed source software simply because you have a bazillion eyeballs looking at the code and trying to make it more secure and stable. That may just be rhetoric though.

"Proprietary programs should mathematically be as secure as those developed under the open-source model, a Cambridge University researcher argued in a paper presented Thursday at a technical conference in Toulouse, France. In his paper, computer scientist Ross Anderson used an analysis that equates finding software bugs to testing programs for the mean time before failure, a measure of quality frequently used by manufacturers. Under the analysis, Anderson found that his ideal open-source programs were as secure as the closed-source programs. 'Other things being equal, we expect that open and closed systems will exhibit similar growth in reliability and in security assurance,' Anderson wrote in his paper."

Of course, this swings both ways. MS has long held that opening up Windows would compromise security and stability. Your thoughts?
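A sketch of the mean-time-before-failure argument the quoted article attributes to Anderson, added here as an illustration rather than taken from the article or the paper; the reliability-growth law, the constant k, the speed-up factor λ and the assumption that opening the code helps attackers and defenders equally are assumptions of this sketch, and the last line goes beyond the article by showing what happens when that symmetry fails:

```latex
\begin{align*}
&\text{Reliability growth (assumed): after } t \text{ hours of testing, failures are rare in proportion to } t, \\
&\qquad \mathrm{MTBF}_{\text{closed}}(t) = \frac{t}{k}, \quad k \text{ a constant set by the quality of the code.} \\[4pt]
&\text{Opening the code lets every bug hunter work } \lambda \text{ times faster, so } t \text{ hours of open testing} \\
&\text{are worth } \lambda t \text{ hours of closed testing:} \qquad
\mathrm{MTBF}_{\text{open}}(t) = \frac{\lambda t}{k}. \\[4pt]
&\text{The same factor } \lambda \text{ speeds up an attacker hunting for the next unfixed bug, so the expected} \\
&\text{attacker effort to find one is} \qquad
T_{\text{attack,open}}(t) = \frac{\mathrm{MTBF}_{\text{open}}(t)}{\lambda} = \frac{t}{k} = T_{\text{attack,closed}}(t). \\[4pt]
&\text{``Other things being equal'' is the whole result: with separate speed-ups } \lambda_d \text{ for defenders} \\
&\text{and } \lambda_a \text{ for attackers,} \qquad
T_{\text{attack,open}}(t) = \frac{\lambda_d}{\lambda_a}\cdot\frac{t}{k},
\text{ and openness helps the side with the larger factor.}
\end{align*}
```

Whether defenders or attackers gain more from reading the code (the ratio λ_d/λ_a) is exactly what the rest of this thread argues about, and the model itself cannot settle it.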

Robotbeat
06-21-2002, 08:17 PM
I like open-source. I want to try Embedded Redhat Linux. Has anyone else tried it?

Robotbeat
06-21-2002, 08:22 PM
I believe that the more popular an open-source program is, the more secure it becomes. I also think that the more popular a closed-source program is, the more likely people are to look for security holes and exploit them, therefore making it less secure the more popular it gets. Just my theory.

Ed Hansberry
06-21-2002, 08:23 PM
I believe that the more popular an open-source program is, the more secure it becomes. I also think that the more popular a closed-source program is, the more likely people are to look for security holes and exploit them, therefore making it less secure the more popular it gets. Just my theory.
Exactly what Linux proponents say, and it sounds good. It is exactly what this article refutes too.

Robotbeat
06-21-2002, 08:28 PM
Yeah, I also need to add something to my theory. The more popular a program becomes, the more people (both closed source and open) try to find security loop-holes. If the program is a closed-source expensive one, then generally the more popular it gets, the more money the company that makes the program can earn in order to hire more people to fix the program. This applies to open-source projects as well, although not just to certain ones as in closed-source.

Robotbeat
06-21-2002, 08:31 PM
Then again, this paper is not necessarily talking about reality, just what "mathematically" should be.

/dev/niall
06-21-2002, 08:40 PM
... like many things, the answers to this question are:

a) Always

b) Sometimes

c) It depends

I'm all for open source, but I'm glad my bank's software isn't.

Robotbeat
06-21-2002, 08:47 PM
How come?

Robotbeat
06-21-2002, 08:54 PM
Do you wear boxers or briefs?


A) Boxers

B) Briefs

C) Depends

:lol:

Will T Smith
06-22-2002, 04:36 AM
One would think that security would be better served by secrecy.

In practice, secrecy promotes hiding defects. When managers aren't concerned about defect exposure, they are far less concerned about potential defects.

Microsoft is obsessed with releasing lots of features ASAP. Be damned with quality or security.

Open source promotes quality through external scrutiny. It's far harder to hide your STUPID little secrets and pathetically dumb code when everyone can read it. Real programmers aren't afraid to have their work scrutinized. In many cases they've actually done it themselves before it's published ;-)

An open door policy will consistently produce higher quality results. One must program under the assumption that it will be scrutinized. Otherwise, one can get overly smug about work completed but done poorly.

JoeThielen
06-23-2002, 01:35 AM
This is one of those posts that gets my blood boiling :). But remember, I'm Linux biased, so take away from my comments what you will...

In the last week (or two?) there was a MAJOR Apache bug reported. To my count, that makes one such bug for quite some time. However, I can't honestly count the number of IIS bugs that were reported in the past few months that were this critical... 5, 10, more?

Microsoft said they dedicated an entire month to focus on removing these problems, and yet they keep occurring... and one of their products was even released with a virus (albeit in S. Korea ???). So keep in mind, this article is indeed "mathematical theory", not entirely reality. I'm all for mathematical theory, as I'm an idealist, but obviously, I get proved wrong many times, and I think this theory will be shot down just the same.

I do agree that Linux works GREAT in the server room, but it does have some lengths to go in the desktop arena (however, a couple of major achievements were marked in the past month... namely Mozilla 1.0 & OpenOffice 1.0).

My thoughts...!

Ed Hansberry
06-23-2002, 01:54 AM
This is one of those posts that gets my blood boiling :). But remember, I'm Linux biased, so take away from my comments what you will...

In the last week (or two?) there was a MAJOR Apache bug reported. To my count, that makes one such bug for quite some time. However, I can't honestly count the number of IIS bugs that were reported in the past few months that were this critical... 5, 10, more?
I have a link, though I cannot find it right now for anything, that shows how many security patches each major operating system and major server product has received each year since 1996. Windows NT 4 and Windows 2000 fared no better or worse than Solaris, OS/400, *nix, Linux or any other operating system in widespread use.

MS products just get hammered when they find something because their products are in so many shops.

Robotbeat
06-23-2002, 04:05 AM
I think that a lot of Linux geeks are seriously mentally ill because of their security paranoia (and perhaps therefore the seriousness of a security bug in an app that they use can get blown out of proportion not by Microsoft, but actually by themselves). Some (perhaps even a lot of) users of server-oriented Windows (even admins) don't care that much about security, or they are dumb enough to believe what Microsoft says about the security of their products instead of finding out for themselves.

Keep in mind that these are generalizations, but I think that some of you will agree with me, at least partially.

PlayAgain?
06-23-2002, 01:38 PM
It's interesting to note who released this report and who is one of its major sponsors..... here's a clue: Microsoft.

Ed Hansberry
06-23-2002, 02:48 PM
It's interesting to note who released this report and who is one of its major sponsors..... here's a clue: Microsoft.
Huh? Where do you see that? I see where they attack a report from a consortium that MS is part of:
Oddly, Anderson used the latter third of the paper to launch into a criticism of the Trusted Computer Platform Alliance, a security consortium started by Microsoft, Intel, Hewlett-Packard, Compaq Computer and IBM in October 1999.
I don't see that this report is sponsored by MS in any way. In fact, the home page of Ross Anderson, the author of the report and staff at Cambridge University, makes no mention of who sponsored it. It is likely just academic research on his part. http://www.cl.cam.ac.uk/~rja14/ Again, he makes it clear that he is pretty much blasting both sides on whether or not open/closed source software is more/less secure.

In fact, if there is any bias to be had, it is for the Open Source argument. Go read his paper and look at the acknowledgements and see who he has accepted an invitation to speak on and about what.