Firewall Wizards mailing list archives
Open Source vs. Closed Source [ was Re: Firewall Throughput ]
From: Chris Calabrese <christopher_calabrese () merck com>
Date: Thu, 14 Sep 2000 09:36:02 -0400
I must disagree most strongly on this point.

In the course of testing products that we use around here for security holes, I have discovered numerous holes in numerous closed source products. This was all done using simple testing techniques with no special equipment. I'm talking simple things like nmap scans and following up to make sure a security advisory for one system doesn't apply to others. This is a lot easier than reading the (quite voluminous) source code to FreeBSD, Linux, etc., and anyone could have discovered these holes if they tried.

In almost every case, when I've reported these holes to the vendors, they were ignored. Since I am constrained in my ability to disclose these holes to the general public (for other reasons), the holes are still out there waiting to be exploited. If this were in the Open Source world, I would have produced a patch and sent it out to the world. Instead, they stand waiting for discovery (malicious, usually). Or perhaps they have already been discovered!?!

This also matches my experience when I've worked for major software vendors. Security holes generally are only addressed if genuine customers complain about them, if the company's own IT shop complains about them, or if some certification that's needed for a big contract gets rejected because of them.

Finally, if you think nobody has access to the source code just because the vendor doesn't make it available to the general public, you're sorely mistaken. You'd be amazed at how easy it is to get the source to something if you really want it (through employees, through business partners that have source, etc.).

That's not to say that there aren't any problems in the Open Source model from a security standpoint, but there's no way you can convince me that closed source is safer. And don't even get me started on the implications of UCITA on the Open Source vs. proprietary issue!

--Chris

Robert Purdy wrote:
>> No offense, but I have Solaris, BSD, AIX, and Linux running here--and all of them are stable and reliable. I had one hard-used Linux server running for almost 2 years before I recently took it down for some upgrades.
>
> Do yourself a favour and stay ignorant of the development methodology that goes on "behind the scenes" with Linux. What are they now, 2.4.pre34-test83, and still making major architectural changes inside it. That's *insane*.
>
>> Sure, Solaris is stable, but you can't strap it down as securely as you can BSD, plus you get source code for BSD.
>
> That's great, I can get the source code for BSD.... well, I know I have 2 months and $16,000 dollars to lose in down time while I pore over BSD code to make sure it's safe to use. Don't get me wrong; I am an avid fan of the GNU project and of Linux (I run it at home as my firewall), but the idea of "source code being available" as an argument doesn't sit with me. Purely because businesses don't have the time or capital to pay someone to go over the code and check it. I know 15-25yo males with a lot of spare time do, and they find holes. What's to say the 18yo Joe hasn't found a hole in the BSD code and is exploiting it left, right and center? (There is a flip side to the argument for this: that there could be a hole in CP or PIX that is unreported.) At least with closed code it's going to take something more than a script kiddie or someone with time on their hands to break it.
>
> I dunno, maybe I am off the beaten track, but I certainly prefer someone to shout at when things turn to custard. And strangely enough, so do the people that pay my fees.
>
> Regards,
> Rob Purdy
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards
Attachment:
christopher_calabrese.vcf
Description: Card for Chris Calabrese
Current thread:
- Open Source vs. Closed Source [ was Re: Firewall Throughput ] Chris Calabrese (Sep 14)
- RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ] Domenico De Vitto (Sep 16)
- <Possible follow-ups>
- Re: Open Source vs. Closed Source [ was Re: Firewall Throughput ] amanda (Sep 16)
- Re: Open Source vs. Closed Source [ was Re: Firewall Throughput ] Doug Hughes (Sep 18)
- Re: Open Source vs. Closed Source [ was Re: Firewall Throughput ] ark (Sep 20)