
Is Linux Insecure because it's open source

Status
Not open for further replies.

spookie

Programmer
May 30, 2001
Hi,
Recently I read somewhere that some people assume Linux is insecure because it's open source.
What reasons could have been behind that thinking?
I hope it's not correct.



--------------------------------------------------------------------------
I never set a goal because u never know what's going to happen tomorrow.
 
The open-source development model neither adds to nor detracts from the security of a system.

What the open-source development model can give a product is a much faster rate of software evolution. Anyone with a text editor and a knowledge of programming can review the source code of a project and suggest changes or enhancements. The source code is not locked away, viewable by a few hand-picked souls. Eric Raymond is quoted as having said, "Given enough eyes, all bugs are shallow."

Bruce Schneier (author of Applied Cryptography and Secrets and Lies) has stated "Security is a process, not a product". This tells us that security is more than just whether a piece of software has bugs. There are myriad things that can affect the security of the system: whether a firewall is in use; whether the firewall rules are sufficiently paranoid; whether the system security is set up to be sufficiently paranoid; whether the software being run was engineered with security in mind; whether the administrators caring for the system are sufficiently paranoid; the experience and abilities of the administrators; and a lot of others. And all these factors must be constantly watched and tweaked to maintain security.

Take a stock LAMP (Linux + Apache + MySQL + PHP) box and a stock WIM (Win32 + IIS + MSSQL) box and connect them both to the internet. They're both toast right out of the box, because neither of them is secure from the get-go. Both will have to be locked down by their respective administrators.



Take a look at Eric S. Raymond's essays, "The Cathedral and the Bazaar", "Homesteading the Noosphere", and "The Magic Cauldron" (available in print by O'Reilly books and online here: Also, check out Neal Stephenson's essay "In the beginning was the Command Line" (available in print and here:
Want the best answers? Ask the best questions: TANSTAAFL!!
 
A reason you might think OS is insecure by being open is because individuals (well, everybody) are free to look through the code and find exploitable holes. The thing is that those holes are just as likely to be spotted by the good guys. Whereas a closed product takes more work to find the problems for those outside the source company, but those inside may or may not be looking too hard and don't even have to do anything about it when they spot something.
 

Linux is more secure because it's open source.

Usually when someone finds a security hole a fix is out within 48h. How does Microsoft or other closed systems compare to that?
I know several companies that choose open software because they were critical systems with Internet access.

Open source definitely adds to the security of a system.

Cheers

Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
Thanks for the replies..
As j1bber says, people might think it's insecure because the kernel is available to anyone, but at the same time if the bug is found it gets fixed in no time.
Being an open source fan, I needed some answers to throw back at anti open source people coming up with the following doubts. :)
sleip: thanks for the links provided.


--------------------------------------------------------------------------
I never set a goal because u never know what's going to happen tomorrow.
 
Linux indeed IS less secure because it's easier to find and exploit holes.
Of course there is a chance those holes are also fixed more quickly (but see the constant stream of exploits in sendmail as an example of the bad side...).

As there is no company with a vested interest in fixing problems (for most packages it depends on when a programmer fixes it in his spare time in between doing things he likes better such as tinkering with a new feature).

And of course there's the higher possibility that someone deliberately includes a hole (cunningly disguised of course) into an open source package in order to exploit it later. This could even be introduced over time as a combination of things each of which on its own is innocent.
With closed source the number of people capable of doing that is a lot smaller.
 
jwenting, not to throw stones, but sendmail does have issues, but let's take a look at its track record. The program has been around forever, and it's good.

Open source is just as it says, white hats and black hats all have the same starting point. As stated earlier, with as many onlookers as there are in open source, out of sheer hatred for MS or desire for 'freedom', with this many eyes, bugs are shallow.

On the other hand, MS has some good products too, you can't knock what works.

Why would someone go thru the trouble of building a package so complex only to see it destroyed? Obviously it is possible, but the bad guy on the block is going to be caught if he is setting up back doors. It won't take long before the package in question is thrown out; just because it's open source doesn't mean it's fly-by-night, here today, gone tomorrow. Sendmail is a perfect example. Take the kernel, for instance: before it's ever released to the public it goes thru strenuous tests and hacks before it's released with a stable/safe version.

Open Source is as good as the administrator/user who is driving it. You don't do your homework and the guys in the shadows will find you.

Simple as that. Linux isn't without its problems; to even think so would be absurd and even downright arrogant.

What makes you a better driver than the guy in the lane next to you? It's all about how you conduct your business.

Security is up to you!

Which one of me are you talking to?
My very own LUG!
 
Hi!
I had the same question in my mind about open source about 2 years ago. I'm happy that today I'm part of the Linux family. It gives everything right from the GUI to the console; well, one has to be well versed with the methodologies to work on it. The strongest part of open source is that u can customize it, unlike the Microsoft products. It just costs you nothing and even ur 486 can work efficiently as a mail or gateway server, to say. It's hard to describe what it can do and what it can't do. I have been helped by people all over the world when I had any problem. A few times my security had been compromised and server broken into, and it made me strengthen my security even more. Sendmail has its own problems but I still love it b'se of its maturity. You can have ur own open webmail services, user customization etc. Open source gives u a chance to do whatever u want to do with the computer. It gives u a recognition that u have contributed something of ur own to a system. I thank all my colleagues and friends all over the world and the unknown people without whose help I would not have been a Linux System Admin :eek:)
 