Open source security
-
I'm in search of a website or online knowledge base with an extensive record of security issues, known breaches and vulnerabilities in known open source projects. Many open source projects don't openly make this information available.
you can't forget something you never knew...
-
https://bugzilla.mozilla.org/
---- Scripts I've known... CPhog 1.0.0.0 - make CP better. Forum Bookmark 0.2.5 - bookmark forum posts on Pensieve. Print forum 0.1.2 - printer-friendly forums. Expand all 1.0 - expand all messages. In-place Delete 1.0 - AJAX-style post delete. Syntax 0.1 - syntax highlighting for code blocks in the forums.
-
Seems to me that there's no such thing as "secure" open source. By definition, the source code is readily available, which is the best blueprint you can get for those who wish to do bad things.
Author of The Career Programmer and Unite the Tribes. Know someone who desperately needs to get a clue? Visit www.DownloadAClue.com and send them one!
-
FWIW, that is actually one of the definitions of a secure cryptographic system, IIRC.
"Your cryptographic system is secure if potential attackers having access to its source code does not decrease its security or increase their chances of breaking it"
- or something kinda-sorta-almost like that... Peace! -=- James
If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Avoid driving a vehicle taller than you and remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
DeleteFXPFiles & CheckFavorites (Please rate this post!)
-
True enough. Meanwhile, out here in the real world... :) I mean, can you imagine how many attacks there would be on IE if people had the source code? :rolleyes:
Author of The Career Programmer and Unite the Tribes. Know someone who desperately needs to get a clue? Visit www.DownloadAClue.com and send them one!
-
Christopher Duncan wrote:
I mean, can you imagine how many attacks there would be on IE if people had the source code?
Few to none, because by the time someone figured out how to exploit a bug in the code, a thousand other people would have already fixed the issue and either submitted the fix to online forums, Microsoft, or both. It would be a simple matter of downloading a patched source file (or making the change yourself) and recompiling. FYI, this is exactly what happens in the *Nix world. Many of the most secure servers on the planet run on open source operating systems and software.
If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week. Zac
-
True, but when a project applies decent quality control to code contributions, software can be safe even with the security algorithms available. What I'm looking for is exceptions to this case, and especially events where code contributors managed to sneak a backdoor past the community's all-seeing eyes.
you can't forget something you never knew...
-
These may help www.bitpipe.com www.searchsecurity.com
-
For commonly used open source projects (e.g. Linux), Cert.org reports bugs/exploits and the status of their fixes.
If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week. Zac
-
Zac Howland wrote:
It would be a simple matter of downloading a patched source file (or making the change yourself) and recompiling.
Umm.. I really don't think my 80 year old mother can manage that "simple matter" on her own.:rolleyes:
-
Rob Graham wrote:
Umm.. I really don't think my 80 year old mother can manage that "simple matter" on her own.
I'm guessing that you do the service support for your 80-year-old mother's PC, so you should be able to handle it quite well. :P
If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week. Zac
-
If the code is written properly in the first place then it will be secure regardless of whether it is open or closed source. Relying on security through obscurity is a very dangerous position to be in. It's not the bugs that security experts find in open source software and report that people should be worried about. Those sorts of bugs get patched within days (sometimes hours) of being discovered. The dangerous bugs are the ones that someone stumbles upon in a closed source application and chooses to keep to themselves in order to exploit for some type of gain. These bugs may provide an entry point to the system for years to come and no one would ever be the wiser.
-
Scott Lee wrote:
If the code is written properly in the first place then it will be secure regardless of whether it is open or closed source.
True - except that no software is secure, therefore none is written properly in the first place. Kevin
-
secunia.com covers both closed and open source. But perhaps you're looking for something deeper? Kevin
-
Zac Howland wrote:
It would be a simple matter of downloading a patched source file (or making the change yourself) and recompiling.
Ok.. I'll echo what Christopher said in his post above... "and back in the real world"... I seriously cannot see my mother, or the vast majority of non-techy computer users, being able to "[make] the change yourself", apply a patched source file, or recompile. Most non-techy computer users I know have extreme difficulty even figuring out how to get Windows/Microsoft Update to work on Windows if it isn't set to auto-install everything, and I find the same with non-techy people who use Linux.
Regards, Brian Dela :-) Blog. Co-author of The Outlook Answer Book... Go on, order it today! -- modified at 18:18 Thursday 1st June, 2006
-
Brian Delahunty wrote:
I seriously can not see my mother, or the vast majority of non-techy computer user being able to "[make] tha change yourself", apply a patched source file, or recompile.
The "vast majority" of "non-techy computer user[s]" either don't worry about security or have someone they know maintain it for them. Those that don't care about it either assume that auto-updates fix everything or just don't bother with updates, period. That leaves those that have no problem doing it themselves, and those that have friends do it for them. In either of those cases, open-source updates are not a problem. And hopefully, those non-techy people you know that are using *Nix systems do not have root permissions...
If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week. Zac
-
Correct. Not sure why you were voted a 1 there. But it is important to remember that not all software applications need to be secure. Safe (and stable) maybe, but not necessarily secure. -=- James
If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Avoid driving a vehicle taller than you and remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
DeleteFXPFiles & CheckFavorites (Please rate this post!)
-
I do not believe that this is a safe assumption to make. Many open-source projects have suffered attacks in the past. Take PHP-based applications, sendmail, and some TCP/IP stack implementations for examples. Lots of the more robust open source systems out there are more secure because of previous attacks on them and learning from that and/or learning from attacks on other systems. Just because source code is available for talented and competent eyes to look at does not mean that talented and competent eyes are looking at it. Also, remember that there are always new kinds of bugs and exploits to discover. For example, no one was looking out for how to prevent SQL injection exploits until someone actually conceived, developed and successfully executed one. You at least have to have people with the hacker mindset actively trying to break the code, not just looking at it and saying "it looks OK to me!" While having the source code openly available is likely a move in the right direction, it is far from a complete solution on its own. Just my $.02, take it or leave it... Peace! -=- James
If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Avoid driving a vehicle taller than you and remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
DeleteFXPFiles & CheckFavorites (Please rate this post!)
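James's point above is that code has to be actively attacked, not just read, and that a reviewer who says "it looks OK to me" is not a security review. The following is an added example, not code from the original thread or from any project it mentions: a login lookup that wraps its inputs in quotes and therefore looks safe on a skim, beside the same lookup with bound parameters. The table, the sample rows, the user names and the attack strings are all constructed for the demonstration; the plaintext passwords exist only to keep the example short and are not a recommendation.

```python
"""Added example: an injectable login check that passes a casual read,
beside its parameterized fix. Runs offline against in-memory SQLite."""
import sqlite3

# Constructed sample rows for the demonstration (not a real system; real
# code stores password hashes, which is beside the point being made here).
USERS = [("alice", "s3cr3t"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Build the query with string formatting.

    The single quotes around each value are what make this look safe to a
    reviewer skimming the code. A quote character in the input closes the
    string literal early and everything after it is interpreted as SQL.
    """
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same lookup with bound parameters.

    The driver sends the values separately from the SQL text, so input can
    never change the structure of the query, whatever characters it holds.
    """
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


# Two classic attack strings (constructed). The first rewrites the WHERE
# clause as  ... AND password = '' OR '1'='1'  which matches every row; the
# second closes the name literal and comments out the password check.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def demo() -> dict:
    """Run both implementations against legitimate and hostile input."""
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cr3t"),
        "wrong_vuln": login_vulnerable(conn, "alice", "wrong"),
        "tautology_vuln": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "comment_vuln": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "legit_safe": login_safe(conn, "alice", "s3cr3t"),
        "tautology_safe": login_safe(conn, "nobody", TAUTOLOGY),
        "comment_safe": login_safe(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:16} -> {'logged in' if logged_in else 'rejected'}")
```

Both functions behave identically on well-formed input, which is exactly why reading the code is not enough: the difference only shows up when someone feeds it the hostile strings. The fix is not better quoting or escaping but keeping data out of the query text altogether, which is what the bound parameters do.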
-
There comes a time when updates become just plain irritating, and if it doesn't happen automatically, even I (as a technical person) won't lift a finger to update my system X| , irrespective of the serious "risk my system now faces". (It's been facing that risk ever since the software was originally released anyway!) And don't even get me started on updates that need to reboot your system!!!!! :mad:
you can't forget something you never knew...