Firewall Wizards mailing list archives

Open Source vs. Closed Source [ was Re: Firewall Throughput ]


From: Chris Calabrese <christopher_calabrese () merck com>
Date: Thu, 14 Sep 2000 09:36:02 -0400

I must disagree most strongly on this point.

In the course of testing products that we use around
here for security holes, I have discovered
numerous holes in numerous closed source products.
This was all done using simple testing techniques with
no special equipment.  I'm talking simple things like
nmap scans and following up to make sure a security
advisory for one system doesn't apply to others.
This is a lot easier than reading the (quite voluminous)
source code to FreeBSD, Linux, etc., and anyone could
have discovered these holes if they tried.

In almost every case, when I've reported these holes to the
vendors, they were ignored.  Since I am constrained in my
ability to disclose these holes to the general public (for
other reasons), the holes are still out there waiting to be
exploited.  If this were in the Open Source world, I would have
produced a patch and sent it out to the world.  Instead, they
stand waiting for discovery by malicious users.  Or perhaps
they have already been discovered!?!

This also matches my experience when I've worked
for major software vendors.  Security holes generally
are only addressed if genuine customers complain
about them, if the company's own IT shop complains
about them, or if some certification that's needed
for a big contract gets rejected because of them.

Finally, if you think nobody has access to the source
code just because the vendor doesn't make it available
to the general public, you're sorely mistaken.  You'd be
amazed at how easy it is to get the source to something
if you really want it (through employees, through business
partners that have source, etc.).

That's not to say that there aren't any problems in the
Open Source model from a security standpoint, but there's no
way you can convince me that closed source is safer.

And don't even get me started on the implications of UCITA
on the Open Source vs. proprietary issue!

--Chris

Robert Purdy wrote:

No offense, but I have Solaris, BSD, AIX, and Linux running here--and
all of them are stable and reliable.  I had one hard-used Linux server
running for almost 2 years before I recently took it down for some
upgrades.

Do yourself a favour and stay ignorant of the development methodology
that goes on "behind the scenes" with Linux.  What are they now,
2.4.pre34-test83, and still making major architectural changes inside it.
That's *insane*.  Sure, Solaris is stable, but you can't strap it down
as securely as you can BSD, plus you get source code for BSD.

That's great, I can get the source code for BSD.... well, I know I have 2
months and $16,000 dollars to lose in down time while I pore over BSD code
to make sure it's safe to use.  Don't get me wrong; I am an avid fan of the
GNU project and of Linux (I run it at home as my firewall), but the idea of
"source code being available" as an argument doesn't sit with me.

Purely because businesses don't have the time or capital to pay someone to
go over the code and check it.  I know 15-25yo males with a lot of spare
time do, and they find holes.  What's to say the 18yo Joe hasn't found a hole
in the BSD code and is exploiting it left, right and center? (There is a
flip side to the argument for this: that there could be a hole in CP or PIX
that is unreported.)

At least with closed code it's going to take something more than a script
kiddie or someone with time on their hands to break it.

I dunno, maybe I am off the beaten track, but I certainly prefer someone to
shout at when things turn to custard.  And strangely enough, so do the people
that pay my fees.

Regards,
Rob Purdy

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
