
    Is Open Source Really So Much More Secure By Nature

    Water Closet
    202 Posts 13 Posters 35.4k Views
      scottalanmiller @Dashrender

      @Dashrender said in Is Open Source Really So Much More Secure By Nature:

      I mean, would MS lose millions/billions if they open sourced Office?

      Yes, very likely. They depend on the file formats not being able to be read perfectly. If LibreOffice was 100% compatible, would ANYONE buy Office, ever? Only totally insane people (who tend not to make much money) would ever discuss it again, because it's a huge pain to deploy, super buggy, crazy expensive, requires support for no good reason.

      It's actually garbage software that depends entirely on its closed source nature to maintain market lock in.

        Obsolesce @scottalanmiller

        @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

        But like 1/100,000th the eyes that Linux gets which is apples to apples.

        How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.

          scottalanmiller @Obsolesce

          @Obsolesce said in Is Open Source Really So Much More Secure By Nature:

          How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.

          Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.

          But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.

          And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.

            JaredBusch @scottalanmiller

            @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

            @Obsolesce said in Is Open Source Really So Much More Secure By Nature:

            How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.

            Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.

            But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.

            And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.

            And that leaves out the people.

            I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.

            Cannot say that about your god and savior operating system, Windows.

              Obsolesce @JaredBusch

              @JaredBusch said in Is Open Source Really So Much More Secure By Nature:

              @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

              @Obsolesce said in Is Open Source Really So Much More Secure By Nature:

              How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.

              Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.

              But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.

              And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.

              And that leaves out the people.

              I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.

              Cannot say that about your god and savior operating system, Windows.

              No not Windows. But I do like Windows 10. At least in my own experience it's been solid the last couple years especially. I'm a fan of Ubuntu equally though, but I use the desktop version less because it doesn't do/support some things I like to do as well or as efficiently as Win10 does.

                scottalanmiller @JaredBusch

                @JaredBusch said in Is Open Source Really So Much More Secure By Nature:

                @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                @Obsolesce said in Is Open Source Really So Much More Secure By Nature:

                How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.

                Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.

                But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.

                And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.

                And that leaves out the people.

                I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.

                Cannot say that about your god and savior operating system, Windows.

                Oh sure, the assumption is that there are thousands or even millions of people, small companies, little orgs, volunteers, etc. that are looking at the code that we just don't know about. But we can't prove those beyond "we all seem to know some people who've done it, which indicates that it's probably common."

                  siringo

                  Thanks for all the chatter on this, I'm finding it quite interesting.

                    scottalanmiller @siringo

                    @siringo said in Is Open Source Really So Much More Secure By Nature:

                    Thanks for all the chatter on this, I'm finding it quite interesting.

                    Basically it comes down to...

                    Open source is in your interest. But every vendor and vendor rep and/or salesperson will say anything to convince you otherwise as nearly all of them base their careers on selling you things that are less than ideal for you.

                      Obsolesce

                      @scottalanmiller some interesting statistics:

                      https://lwn.net/Articles/834085/

                        scottalanmiller

                        Interesting article on why closed source culture at Microsoft makes it hard for developers to produce the work that gets done on Linux.

                        http://blog.zorinaq.com/i-contribute-to-the-windows-kernel-we-are-slower-than-other-oper/

                          1337

                          This is also interesting.

                          [image: chart of known vulnerability counts by product]

                            DustinB3403 @1337

                            @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                            This is also interesting.

                            [image: chart of known vulnerability counts by product]

                            What is being listed here is known vulnerabilities. I for one am rather happy to know that these systems have this many known vulnerabilities.

                            For every known issue, there could be an additional 100 or 1000 or more (for Windows, OSX and Linux)

                              Obsolesce @1337

                              @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                              This is also interesting.

                              [image: chart of known vulnerability counts by product]

                              I don't get this chart. For example, what is Debian Linux versus Linux kernel vulnerabilities? And why is each Windows OS listed separately when others are not? Windows should be at the top of the list by miles lol.

                                1337 @DustinB3403

                                @DustinB3403 said in Is Open Source Really So Much More Secure By Nature:

                                What is being listed here is known vulnerabilities. I for one am rather happy to know that these systems have this many known vulnerabilities.
                                For every known issue, there could be an additional 100 or 1000 or more (for Windows, OSX and Linux)

                                Well, I'm not happy about it because it would suggest a lack of quality control.

                                I don't see OpenBSD on the list for instance.

                                  DustinB3403 @1337

                                  @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                  @DustinB3403 said in Is Open Source Really So Much More Secure By Nature:

                                  What is being listed here is known vulnerabilities. I for one am rather happy to know that these systems have this many known vulnerabilities.
                                  For every known issue, there could be an additional 100 or 1000 or more (for Windows, OSX and Linux)

                                  Well, I'm not happy about it because it would suggest a lack of quality control.

                                  I don't see OpenBSD on the list for instance.

                                  Sure, but you have to ask NIST and the NVD what they were evaluating against. Just because something isn't on the list doesn't mean that it's more or less secure.

                                  Looking at the list, I would see this more as a veil that is preventing more issues from being discovered. Closed source software makes such a list misleading, because there are so many things that simply aren't known.

                                    scottalanmiller @1337

                                    @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                    This is also interesting.

                                    [image: chart of known vulnerability counts by product]

                                    Notice that they split out every version and edition of Windows but lump all of Debian Linux into one thing. If you add up the Windows, it blows Debian out of the water in terms of vulnerabilities.

                                    Also, it's fake data. Open source vulnerabilities are disclosed, closed source typically are not. So there's no way for anyone but Microsoft to know the real numbers for Windows. We know for a fact that Microsoft has hidden vulnerabilities in the past, and it's the natural thing to do to continue to hide any that you can (typically by silently fixing them) rather than announcing that you found a mistake (and thereby telling malicious actors who they can prey on and how.)

                                    Bottom line is... this shows nothing. There's no possible way to have true data on this. Even Microsoft would struggle to have real numbers.

                                    Also, it shows only what is found, not how many there are. So high numbers can be good, rather than bad.

                                      scottalanmiller @1337

                                      @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                      I don't see OpenBSD on the list for instance.

                                      Because it's not a big product. I don't see Solarwinds on the list, doesn't make it secure.

                                        scottalanmiller @1337

                                        @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                        Well, I'm not happy about it because it would suggest a lack of quality control.

                                        Actually, it suggests absolutely nothing. We don't know how the data is collected. We don't know what it reflects. And we don't know the true numbers.

                                        While marginally one can say it is "interesting", the one definitive thing that we can say is that it is meaningless.

                                        The discussion is literally about "systems we can know things about" versus "things we can't know things about." Then to provide a list purporting to know the unknowable means that the list is worthless. And that's assuming we know exactly how the data is collected.

                                          scottalanmiller @1337

                                          @Pete-S I think if you look at that list and think about it, you'd see just how dramatically that list is telling us that open source is winning on vulnerabilities. Now, I still stand by my statement that the list is utter gibberish and means literally nothing whatsoever, BUT, let's assume that it means something and that the numbers are all true and directly comparable.

                                          Now, let's look at the numbers that are bad enough to make the 2019 list (notice Linux isn't even on the list, it's all Windows and OMG cPanel!!!) with Fedora at 184 and Windows Server 2016 at 360. Fedora includes Linux, plus lots of other things, and includes every version of Fedora (about 31 releases in 2019.) Windows Server 2016 is a single release by comparison.

                                          Now let's look at the size of the two. Fedora isn't just the tiny footprint that Windows is, no. It includes databases, video games, multiple products in every category... Windows Server 2016 is between 2-6GB. Each release of Fedora is around 250GB. It's apples to oranges. Windows is a tight OS with very few "extra packages" included in the OS. Sure it has Notepad, but the amount of bloat is small (in the OS itself.) Fedora may not install much by default if you don't want it to, but the entire OS is as much as 100x the size of Windows. Windows Server doesn't include Exchange or SQL Server. But Fedora includes several competitors to Exchange and myriad competitors to SQL Server, as examples. Plus half a dozen commercial video editors. Multiple web browsers, and on and on. Windows Server is also just the server release, but Fedora has Workstation, Cloud, and Server all lumped together as well.

                                          That a single release of Windows Server has even 2% of the vulnerabilities of the entire Fedora ecosystem collectively would be something. But that it has twice as many, lol. With some perspective, it's downright staggering how many more vulnerabilities Windows has per line of code.

                                            DustinB3403 @scottalanmiller
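An added worked example (not code from the thread or any poster) for the two points made above about the vulnerability chart: that the chart splits Windows into one row per edition while lumping Debian into one row, and that a kernel bug is counted again under every distribution that ships the kernel. NVD records tag each CVE with CPE 2.3 strings, and a CVE that affects several Windows editions carries one CPE per edition, so "adding up the Windows rows" over-counts unless you count distinct CVE IDs per vendor. The CVE IDs and CPE strings below are constructed for illustration, not real NVD data.

```python
"""
Count vulnerabilities from NVD-style records three ways:
per product row (what the chart shows), naive sum of a vendor's rows
(double counts CVEs shared across editions), and distinct CVE IDs per vendor.
"""
from collections import defaultdict

# CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:update:
# edition:language:sw_edition:target_sw:target_hw:other (13 components).
# A literal ':' inside a component is escaped as '\:', so a plain
# str.split(':') would mis-parse such strings; this scanner honours escapes.
def parse_cpe23(cpe):
    fields, cur, i = [], [], 0
    while i < len(cpe):
        c = cpe[i]
        if c == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])      # keep the escape pair verbatim
            i += 2
            continue
        if c == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return {"part": fields[2], "vendor": fields[3],
            "product": fields[4], "version": fields[5]}

# Constructed sample: (CVE ID, list of CPEs the CVE applies to).
# CVE-0000-0001 is one bug present in three Windows editions; CVE-0000-0003
# is a kernel bug that Debian also lists because Debian ships that kernel.
SAMPLE_CVES = [
    ("CVE-0000-0001", ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*",
                       "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*",
                       "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]),
    ("CVE-0000-0002", ["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]),
    ("CVE-0000-0003", ["cpe:2.3:o:linux:linux_kernel:4.19:*:*:*:*:*:*:*",
                       "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0004", ["cpe:2.3:a:isc:bind:9.11.5:*:*:*:*:*:*:*",
                       "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0005", ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]),
]

def count_per_product(records):
    """Distinct CVE IDs per (vendor, product): one row per edition, like the chart."""
    seen = defaultdict(set)
    for cve_id, cpes in records:
        for cpe in cpes:
            p = parse_cpe23(cpe)
            seen[(p["vendor"], p["product"])].add(cve_id)
    return {k: len(v) for k, v in seen.items()}

def naive_vendor_sum(records):
    """Add up a vendor's per-product rows. Over-counts shared CVEs."""
    total = defaultdict(int)
    for (vendor, _product), n in count_per_product(records).items():
        total[vendor] += n
    return dict(total)

def count_per_vendor(records):
    """Distinct CVE IDs per vendor: the honest way to 'add up the Windows rows'."""
    seen = defaultdict(set)
    for cve_id, cpes in records:
        for cpe in cpes:
            seen[parse_cpe23(cpe)["vendor"]].add(cve_id)
    return {k: len(v) for k, v in seen.items()}

if __name__ == "__main__":
    print("per product      :", count_per_product(SAMPLE_CVES))
    print("naive vendor sum :", naive_vendor_sum(SAMPLE_CVES))
    print("distinct per vendor:", count_per_vendor(SAMPLE_CVES))
```

On the sample, Microsoft's three rows sum to 5 but contain only 3 distinct CVEs, and the single kernel bug shows up once under linux_kernel and again under debian_linux. Per-row counts from any public feed need this kind of dedup before being compared across vendors, and even then they only measure what was disclosed, which is the thread's larger point.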

                                            @scottalanmiller I was reading an article (someone posted here) from a MS dev, who said they just refuse to update because they are forced to maintain their one piece of the pie. So even big vulnerability issues, they "find a reason to not accept or allow any changes"

                                            Which is way more surprising.
