Is Open Source Really So Much More Secure By Nature
-
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
The simple fact it's open source doesn't mean X number of other people are reviewing all of the source code looking for bugs and security vulnerabilities. It also doesn't even mean X number of people are even using the software.
No, but even if they don't, it only falls to the same as closed source. That's why the statement is "equal or better". That's all that matters, that it's equal and never worse. That's why it is such a big deal.
-
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
I am willing to bet that there are more eyes on some closed source Microsoft code than there are on some open source software. I'm willing to bet some open source software source code has only ever been looked at by the creator and nobody else.
That's different and unrelated. Any given piece of software would get equal or more eyes if open. Windows gets more eyes than, say, a one man open source project that no one uses at all. Absolutely. But like 1/100,000th the eyes that Linux gets, which is apples to apples. And far more importantly, Windows gets a tiny itty bitty fraction of the eyes on it now compared to if it was open.
That's the difference.... any closed piece gets fewer eyes than it would if open, and any open gets more than it would if closed. It's true of every single piece of software. Using comparisons between different pieces of software is misleading, but irrelevant.
-
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
Again, I think it totally depends.
That's the great thing about it, it doesn't depend. It's just fact, without exception. No depends at all. In any given scenario, open will always give you equal or better security in real review. And open always gives the end user more ability to be secure even when the code is the same. No "sometimes", no "it depends." Always.
-
How about the economics of Open vs Closed. I know RHEL brings in a crap ton from their support contracts, Fortune 500 companies who feel they must buy support, even though they often employ people who could work for RHEL themselves... therefore not really needing the support, but they buy it as a reassurance for stockholders, etc, or so I've been told by someone who worked for a F500.
So outside of RHEL, what other projects are making millions or billions on their software that's open source?
I mean, would MS lose millions/billions if they open sourced Office?
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
I mean, would MS lose millions/billions if they open sourced Office?
Yes, very likely. They depend on the file formats not being able to be read perfectly. If LibreOffice was 100% compatible, would ANYONE buy Office, ever? Only totally insane people (who tend not to make much money) would ever discuss it again, because it's a huge pain to deploy, super buggy, crazy expensive, requires support for no good reason.
It's actually garbage software that depends entirely on its closed source nature to maintain market lock in.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
But like 1/100,000th the eyes that Linux gets which is apples to apples.
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
-
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.
But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.
And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.
But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.
And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.
And that leaves out the people.
I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.
Cannot say that about your god and savior operating system, Windows.
-
@JaredBusch said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.
But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.
And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.
And that leaves out the people.
I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.
Cannot say that about your god and savior operating system, Windows.
No not Windows. But I do like Windows 10. At least in my own experience it's been solid the last couple years especially. I'm a fan of Ubuntu equally though, but I use the desktop version less because it doesn't do/support some things I like to do as well or as efficiently as Win10 does.
-
@JaredBusch said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.
But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.
And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.
And that leaves out the people.
I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.
Cannot say that about your god and savior operating system, Windows.
Oh sure, the assumption is that there are thousands or even millions of people, small companies, little orgs, volunteers, etc. that are looking at the code that we just don't know about. But we can't prove those beyond "we all seem to know some people who've done it, which indicates that it's probably common."
-
Thanks for all the chatter on this, I'm finding it quite interesting.
-
@siringo said in Is Open Source Really So Much More Secure By Nature:
Thanks for all the chatter on this, I'm finding it quite interesting.
Basically it comes down to...
Open source is in your interest. But every vendor and vendor rep and/or salesperson will say anything to convince you otherwise as nearly all of them base their careers on selling you things that are less than ideal for you.
-
@scottalanmiller some interesting statistics:
-
Interesting article on why closed source culture at Microsoft makes it hard for developers to produce the work that gets done on Linux.
http://blog.zorinaq.com/i-contribute-to-the-windows-kernel-we-are-slower-than-other-oper/
-
This is also interesting.
-
@Pete-S said in Is Open Source Really So Much More Secure By Nature:
This is also interesting.
What is being listed here is known vulnerabilities. I for one am rather happy to know that these systems have this many known vulnerabilities.
For every known issue, there could be an additional 100 or 1000 or more (for Windows, OSX and Linux)
-
@Pete-S said in Is Open Source Really So Much More Secure By Nature:
This is also interesting.
I don't get this chart. For example, what is Debian Linux versus Linux kernel vulnerabilities? And why is each windows OS listed separately when others are not? Windows should be at the top of the list by miles lol.
-
@DustinB3403 said in Is Open Source Really So Much More Secure By Nature:
What is being listed here is known vulnerabilities. I for one am rather happy to know that these systems have this many known vulnerabilities.
For every known issue, there could be an additional 100 or 1000 or more (for Windows, OSX and Linux)
Well, I'm not happy about it because it would suggest a lack of quality control.
I don't see OpenBSD on the list for instance.
-
@Pete-S said in Is Open Source Really So Much More Secure By Nature:
@DustinB3403 said in Is Open Source Really So Much More Secure By Nature:
What is being listed here is known vulnerabilities. I for one am rather happy to know that these systems have this many known vulnerabilities.
For every known issue, there could be an additional 100 or 1000 or more (for Windows, OSX and Linux)
Well, I'm not happy about it because it would suggest a lack of quality control.
I don't see OpenBSD on the list for instance.
Sure, but you have to ask NIST and the NVD what they were evaluating against. Just because something isn't on the list doesn't mean that it's more or less secure.
Looking at the list, I would see this more as a veil that is preventing more issues from being discovered. Closed source software makes such lists misleading, because there are so many things that simply aren't known.
-
@Pete-S said in Is Open Source Really So Much More Secure By Nature:
This is also interesting.
Notice that they split out every version and edition of Windows but lump all of Debian Linux into one thing. If you add up the Windows, it blows Debian out of the water in terms of vulnerabilities.
Also, it's fake data. Open source vulnerabilities are disclosed, closed source typically are not. So there's no way for anyone but Microsoft to know the real numbers for Windows. We know for a fact that Microsoft has hidden vulnerabilities in the past, and it's the natural thing to do to continue to hide any that you can (typically by silently fixing them) rather than announcing that you found a mistake (and thereby telling malicious actors who they can prey on and how.)
Bottom line is... this shows nothing. There's no possible way to have true data on this. Even Microsoft would struggle to have real numbers.
Also, it shows only what is found, not how many there are. So high numbers can be good, rather than bad.