Open source security
-
I'm in search of a website or online knowledge base with an extensive record of security issues, known breaches and vulnerabilities in known open source projects. Many open source projects don't openly make this information available. you can't forget something you never knew...
Seems to me that there's no such thing as "secure" open source. By definition, the source code is readily available, which is the best blueprint you can get for those who wish to do bad things. Author of The Career Programmer and Unite the Tribes Know someone who desperately needs to get a clue? Visit www.DownloadAClue.com and send them one!
-
FWIW, that is actually one of the definitions of a secure cryptographic system, IIRC.
"Your cryptographic system is secure if potential attackers having access to its source code does not decrease its security or increase their chances of breaking it"
- or something kinda-sorta-almost like that... Peace! -=- James
If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Avoid driving a vehicle taller than you and remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
DeleteFXPFiles & CheckFavorites (Please rate this post!)
-
True enough. Meanwhile, out here in the real world... :) I mean, can you imagine how many attacks there would be on IE if people had the source code? :rolleyes: Author of The Career Programmer and Unite the Tribes Know someone who desperately needs to get a clue? Visit www.DownloadAClue.com and send them one!
-
Christopher Duncan wrote:
I mean, can you imagine how many attacks there would be on IE if people had the source code?
Few to none because by the time someone figured out how to exploit a bug in the code, a thousand other people would have already fixed the issue and either submitted the fix to online forums, Microsoft, or both. It would be a simple matter of downloading a patched source file (or making the change yourself) and recompiling. FYI, this is exactly what happens in the *Nix world. Many of the most secure servers on the planet run on open source operating systems and software. If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week Zac
-
Christopher Duncan wrote:
Seems to me that there's no such thing as "secure" open source. By definition, the source code is readily available, which is the best blueprint you can get for those who wish to do bad things.
True, but when a project applies decent quality control to code contributions, software can be safe even with the security algorithms available. What I'm looking for is exceptions to this case and especially events where code contributors managed to sneak a backdoor past the community's all-seeing eyes. you can't forget something you never knew...
-
These may help: www.bitpipe.com, www.searchsecurity.com
-
For commonly used open source projects (e.g. linux), Cert.org reports bugs/exploits and the status of their fixes. If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week Zac
-
Zac Howland wrote:
It would be a simple matter of downloading a patched source file (or making the change yourself) and recompiling.
Umm.. I really don't think my 80-year-old mother can manage that "simple matter" on her own. :rolleyes:
-
Rob Graham wrote:
Umm.. I really don't think my 80 year old mother can manage that "simple matter" on her own.
I'm guessing that you do the service support for your 80-year-old mother's PC, so you should be able to handle it quite well. :P If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week Zac
-
If the code is written properly in the first place then it will be secure regardless of whether it is open or closed source. Relying on security through obscurity is a very dangerous position to be in. It's not the bugs that security experts find in open source software and report that people should be worried about. Those sorts of bugs get patched within days (sometimes hours) of being discovered. The dangerous bugs are the ones that someone stumbles upon in a closed source application and chooses to keep to themselves in order to exploit for some type of gain. These bugs may provide an entry point to the system for years to come and no one would ever be the wiser.
-
Scott Lee wrote:
If the code is written properly in the first place then it will be secure regardless of whether it is open or closed source.
True - except that no software is secure, therefore none is written properly in the first place. Kevin
-
secunia.com covers both closed and open source. But perhaps you're looking for something deeper? Kevin
-
Zac Howland wrote:
It would be a simple matter of downloading a patched source file (or making the change yourself) and recompiling.
Ok.. I'll echo what Christopher said in his post above... "and back in the real world"... I seriously cannot see my mother, or the vast majority of non-techy computer users, being able to "[make] the change yourself", apply a patched source file, or recompile. Most non-techy computer users I know have extreme difficulty even figuring out how to get Windows/Microsoft update to work on Windows if it isn't set to auto-install everything, and I find the same with non-techy people who use Linux. Regards, Brian Dela :-) Blog Co-author of The Outlook Answer Book... Go on, order it today! -- modified at 18:18 Thursday 1st June, 2006
-
Brian Delahunty wrote:
I seriously cannot see my mother, or the vast majority of non-techy computer users, being able to "[make] the change yourself", apply a patched source file, or recompile.
The "vast majority" of "non-techy computer user[s]" either don't worry about security or have someone they know maintain it for them. Those that don't care about it either assume that auto-updates fix everything or just don't bother with updates period. That leaves those that have no problem doing it themselves, and those that have friends do it for them. In either of those cases, open-source updates are not a problem. And hopefully, those non-techy people you know that are using *Nix systems do not have root permissions ... If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week Zac
-
Scott Lee wrote:
If the code is written properly in the first place then it will be secure regardless of whether it is open or closed source.
Correct. Not sure why you were voted a 1 there. But it is important to remember that not all software applications need to be secure. Safe (and stable) maybe, but not necessarily secure. -=- James
If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Avoid driving a vehicle taller than you and remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
DeleteFXPFiles & CheckFavorites (Please rate this post!)
-
Zac Howland wrote:
Few to none because by the time someone figured out how to exploit a bug in the code, a thousand other people would have already fixed the issue and either submitted the fix to online forums, Microsoft, or both.
I do not believe that this is a safe assumption to make. Many open-source projects have suffered attacks in the past. Take PHP-based applications, sendmail, and some TCP/IP stack implementations for examples. Lots of the more robust open source systems out there are more secure because of previous attacks on them and learning from that and/or learning from attacks on other systems. It is not correct to assume that just because source code is available for talented and competent eyes to look at, does not mean that talented and competent eyes are looking at it. Also, remember that there are always new kinds of bugs and exploits to discover. For example, no one was looking out for how to prevent SQL Injection exploits until someone actually conceived, developed and successfully executed one. You at least have to have people with the hacker mindset actively trying to break the code, not just looking at it and saying "it looks OK to me!" While having the source code openly available is likely a move in the right direction, it is far from a complete solution on its own. Just my $.02, take it or leave it... Peace! -=- James
If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Avoid driving a vehicle taller than you and remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
DeleteFXPFiles & CheckFavorites (Please rate this post!)
-
Zac Howland wrote:
Those that don't care about it either assume that auto-updates fix everything or just don't bother with updates period.
There comes a time when updates become just plain irritating, and if it doesn't happen automatically, even I (as a technical person) won't lift a finger to update my system X| , irrespective of the serious "risk my system now faces". (It's been facing that risk ever since the software was originally released anyway!) And don't even get me started on updates that need to reboot your system!!!!! :mad: you can't forget something you never knew...
-
Scott Lee wrote:
Those sorts of bugs get patched within days (sometimes hours) of being discovered
Define "bugs being discovered".
A. A developer does a double check on a certain piece of code and discovers a loop-hole.
B. A user comes across a loop-hole or glitch in the system.
C. A hacker does a double check on a certain piece of code in search of weaknesses to exploit.
Which of A, B or C will occur most often? Probably B, followed by C. Obscurity rules out C, thus reducing the security risk, but it also significantly decreases the frequency that A occurs. So which is best?
* Having none of C but very little of A.
OR
* Having a fair amount of C and a lot of A.
This totally depends on the project: if software requires a high level of security but the development team is small, it may be best to make the software (or at least the security code) proprietary. If the development community is large in number, by all means, open source the security code and let the developers and the hackers battle it out! you can't forget something you never knew...
-
Zac Howland wrote:
The "vast majority" of "non-techy computer user[s]" either don't worry about security or have someone they know maintain it for them.
Ok. Where I come from, that is simply not the case. My manager and non-techy colleagues definitely care about security, both at home and in work. In work the machines are under the control of our IC department/team so that isn't a problem but at home it's up to them. That is the case for most non-techy people I know. I have yet to find one who isn't worried about their personal data being taken from their machines... be it PPS (SSN in the states), credit card, personal items etc, they are well aware of the security issues.
Zac Howland wrote:
Those that don't care about it either assume that auto-updates fix everything or just don't bother with updates period.
lol.
Zac Howland wrote:
And hopefully, those non-techy people you know that are using *Nix systems do not have root permissions ..
Of course. But there are still plenty of exploits for *nix systems and the software that runs on them. Lots in fact. Regards, Brian Dela :-) Blog Co-author of The Outlook Answer Book... Go on, order it today!
-
James R. Twine wrote:
I do not believe that this is a safe assumption to make. Many open-source projects have suffered attacks in the past. Take PHP-based applications, sendmail, and some TCP/IP stack implementations for examples. Lots of the more robust open source systems out there are more secure because of previous attacks on them and learning from that and/or learning from attacks on other systems.
I don't disagree (in fact, you are basically reiterating my point).
James R. Twine wrote:
It is not correct to assume that just because source code is available for talented and competent eyes to look at, does not mean that talented and competent eyes are looking at it.
Agreed. However, when you compare open-source to closed-source projects, you find that the probability of someone trying to fix an open-source bug is higher than a closed-source one. The reasoning is simple: for closed-source applications, your resources are limited to only those people that work for the company (and that work on that project). Let's say the team was 100 programmers. That means there is a maximum of 100 pairs of eyes looking for the bug and how to fix it. Compare that to thousands ...
James R. Twine wrote:
Also, remember that there are always new kinds of bugs and exploits to discover. For example, no one was looking out for how to prevent SQL Injection exploits until someone actually conceived, developed and successfully executed one. You at least have to have people with the hacker mindset actively trying to break the code, not just looking at it and saying "it looks OK to me!" While having the source code openly available is likely a move in the right direction, it is far from a complete solution on its own.
Again, I don't disagree. I was simply comparing the security of open-source projects to that of closed-source ones. How you publish your software is only a small part of the process that affects the security of it. If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week Zac