Go Back   Computer Forums > General Computing > Cyber Safety and Computer Security
Click Here to Login
Join Computer forums Today


Reply
 
Thread Tools Search this Thread Display Modes
 
Old 07-21-2004, 05:58 AM   #1
In Runtime
 
0x54's Avatar
 
Join Date: Jul 2004
Posts: 157
Smile Nice short article on closed vs. open source security.

http://www.osviews.com/modules.php?o...ticle&sid=1792
__________________

0x54 is offline   Reply With Quote
Old 07-21-2004, 07:46 AM   #2
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 7,999
Default Re: Nice short article on closed vs. open source security.

A good article that raises many good points.
Personally Id say I have to agree, just the amount of exploit in windows has to be testement to the fact that two pairs of eyes is better than one.
I still believe that one of the strongest point about Linux and other open source projects is its userbase hackers play number games, and for someone 'hacking for profit' Linux is not really a viable platform to infect. plus the fact that various design points about linux make it a lot harder to infect with malware.
(the obvious counter to this argument is the Apache project, Apache runs well over half the worst website, yet still has less available expolits)

did I just shoot myself in the foot?
__________________

root is offline   Reply With Quote
Old 07-21-2004, 08:35 PM   #3
Guru
 
Lord Kalthorn's Avatar
 
Join Date: Dec 2003
Location: Britain
Posts: 13,293
Send a message via MSN to Lord Kalthorn
Default

Lol; I don't think so. Obviously I don't agree with the article either; and Root said why I don't believe this in his post:

Quote:
Originally Posted by root
the strongest point about Linux and other open source projects is its userbase hackers play number games
Hence, at least as I see this - is that its userbase; and especially the people who write it and like it and go on rallys supporting it are the hackers we are all trying to protect against. If you're a hacker, what goes through your mind? You go for Windows, and not entirely because it is the most used system although that must follow very fast; but because it is Windows. You don't hack Linux because you use it, you helped make it, and you agree with its Anarchist views on society. Hence the great difference in security between Linux and Windows. Yes - there are more people looking over it and there people looking over it who are radicals about the OS. However, if hacking were wanted to be done the code is so easily seen on a general-user's un-editted Distribution that it would not even involve a great deal of knowledge. It takes weeks, of hacking with hundreds of hackers working together, maybe even more hacking hundreds of machines to break into a new version of Windows. Yes its easy now because theres been 3 years to learn how to do it!

I have a funny feeling from the title of this it was not started to discuss cryptography; hence my above comments.

I don't believe Open-Source is safer that Closed-Source - I know you have said you have heard the argument 'if Linux was as used as Windows, it would not be able to handle it' and don't believe it is valid. However, I believe it is for the simple fact that Linux is Open-Source, people can edit the code and sell it to unsuspecting users - unsuspecting users can buy it even a nice new clean one and the code of that distribution is readily available to the next door neighbour paedophile-hacker to hack into their computer and get their daughter's e-mail address, talk to her, get their family photos, etc etc and so on. On Windows this sort of thing cannot happen; even if you do say it is dreadfully unsecure. No cryptographic algorithm is unbreakable - giving it out to people to pour over into the early ours of the morning is not something anybody would advise somebody to let somebody, least of all a trained and mentally unstable hacker.

Of course though, point it out if anything I just said is wrong?
__________________
A Knight is sworn to Honour. His heart knows only Virtue. His blade defends the helpless. His might upholds the Weak. His word speaks only truth. His wrath undoes the Wicked.
Lord Kalthorn is offline   Reply With Quote
Old 07-22-2004, 12:03 AM   #4
In Runtime
 
0x54's Avatar
 
Join Date: Jul 2004
Posts: 157
Default Re: Nice short article on closed vs. open source security.

1. im not sure how you gathered the view that a notable amount of the linux community were hackers. hackers concerned with windows furthermore.


2. "No cryptographic algorithm is unbreakable - giving it out to people to pour over into the early ours of the morning is not something anybody would advise somebody to let somebody, least of all a trained and mentally unstable hacker."

who advises? you? but you know nothing about cryptography...
the smartness of that article is that in the cryptographic community, opensource is taken as a given, now - the folk of that community are the experts in their field, and paranoid to boot. i trust their judgement more then my own (heh, because comparitively we know next to nothing)

So youd rather use some cipher that only one person has ever seen and wont let anyone else see rather then 3DES or CAST5? the NSA would have a field day with you..

(i feel a typical comment is in order: OTP is unbreakable.)


3. you argument that a pedo could insert a backdoor into a program you use is of more relevence to windows users then linux users..you cant see the source code of the numerous freeware programs you run. they could be doing anything, and there are no checks in place and no way for you to check.

take a distro..such as debian, all software going into the project is frozen and tested for at least 18 months (or am i wrong?), 18 months of people looking over the source code, looking for flaws, backdoors, buffer overflows etc.
im unconcerned about someone trying to insert malicious software into my computer. they'd have to get it into either the debian or openbsd package repositories.

in windows there is no such trusted (relatively) resource? you just download software at will off random google hits? software who's workings are unknown to you and the rest of the world? sounds risky to me.

(still surprises me that windows software rarely ever comes with even basic integrity checks like a md5/sha1 checksum's)
0x54 is offline   Reply With Quote
Old 07-22-2004, 03:30 PM   #5
Guru
 
Lord Kalthorn's Avatar
 
Join Date: Dec 2003
Location: Britain
Posts: 13,293
Send a message via MSN to Lord Kalthorn
Default Re: Nice short article on closed vs. open source security.

Quote:
Originally Posted by 0x54
1. im not sure how you gathered the view that a notable amount of the linux community were hackers. hackers concerned with windows furthermore.
Its just a thing I believe, it may or may not be true but it would make sense would it not? I was not saying all members of the Linux Community are Hackers - I was saying most, if not all Hackers will be Members of the Linux Community. I think that is probably a generally realised fact?

Quote:
Originally Posted by 0x54
2. "No cryptographic algorithm is unbreakable - giving it out to people to pour over into the early ours of the morning is not something anybody would advise somebody to let somebody, least of all a trained and mentally unstable hacker."

who advises? you? but you know nothing about cryptography...
the smartness of that article is that in the cryptographic community, opensource is taken as a given, now - the folk of that community are the experts in their field, and paranoid to boot. i trust their judgement more then my own (heh, because comparitively we know next to nothing)

So youd rather use some cipher that only one person has ever seen and wont let anyone else see rather then 3DES or CAST5? the NSA would have a field day with you..

(i feel a typical comment is in order: OTP is unbreakable.)
I'm not advising, I'm theorising - and to me that sounds like a reaonable fact; giving a cryptographic algorithm to a mentally unstable and highly adept hacker (of which there are, however few) is not a safe thing to do is it? Also, I stand by the fact that no cryptographic algorithm is unbreakable: it is impossible to make such an algorithm - and even less possible when you give out the code of it. Of course, I realise these are brilliant cryptographers, I'm not saying they're not. I am simply saying that the same brilliant cryptographers can make a safer code in a Closed-Source environment. And, that the cryptography in Windows is probably of the same high quality of, if not higher than that of Linux - it is just much harder to make one that can stand up against these great cryptographers and indeed generally psycopathic hacking scum when they are determinded to break it and show up Microsoft. I'm sure, with swapped positions, the psycopathic hacking scum of Windows would find it far easier and have to be less intelligent to break the Linux codes with them in Open-Source.

Quote:
Originally Posted by 0x54
3. you argument that a pedo could insert a backdoor into a program you use is of more relevence to windows users then linux users..you cant see the source code of the numerous freeware programs you run. they could be doing anything, and there are no checks in place and no way for you to check.

take a distro..such as debian, all software going into the project is frozen and tested for at least 18 months (or am i wrong?), 18 months of people looking over the source code, looking for flaws, backdoors, buffer overflows etc.
im unconcerned about someone trying to insert malicious software into my computer. they'd have to get it into either the debian or openbsd package repositories.

in windows there is no such trusted (relatively) resource? you just download software at will off random google hits? software who's workings are unknown to you and the rest of the world? sounds risky to me.

(still surprises me that windows software rarely ever comes with even basic integrity checks like a md5/sha1 checksum's)
Probably, but you shouldn't be downloading untrusted Freeware Software anyway - so if you do so its really more your fault that Windows'.

I realise the software in Distributions is checked - but the code for the final project is Open-Source yes? Hence the fact its called Open-Source. If so, what is to stop somebody from distributing Linux from their computer store as Debian. It would start up as Debian, look like Debian, have all the tools of Debian, even have the branding of Debian - but the Programmer could so easily put some more routines in there, some more files that start up with Linux undetected - like a System Tool - which could do all manner of things - anything that person would like it to do.

Would you buy an Open-Source Toy Dog for your daughter; that anybody could copy, edit however much, and redistribute as the same Toy Dog with no outsidely viewable additions? I doubt you would, I certainly wouldn't if I had a daughter. When then allow the same thing to be done with an Operating System - it is possible and we all know that. Even more possible if Linux becomes more widely available and used. This is the same problem which my Librarian whom I discussed this problem with earlier on in the year thinks of first when she thinks of using something Open-Source. The exploitation of those with no know how about Programming or too young to by those who do - that is what Microsoft and Macintosh stop by using Closed-Source.

Would you like to live in Anarchy? Why let your Computer do it if you wouldn't want to?
__________________
A Knight is sworn to Honour. His heart knows only Virtue. His blade defends the helpless. His might upholds the Weak. His word speaks only truth. His wrath undoes the Wicked.
Lord Kalthorn is offline   Reply With Quote
Old 07-23-2004, 02:36 AM   #6
In Runtime
 
0x54's Avatar
 
Join Date: Jul 2004
Posts: 157
Default Re: Nice short article on closed vs. open source security.

Quote:
The one-time pad (OTP), sometimes known as the Vernam cipher, is a theoretically unbreakable method of encryption where the plaintext is combined with a random "pad" the same length as the plaintext.
http://en.wikipedia.org/wiki/One_time_pads

you really should have said any cipher other then a otp was unbreakable ;\


anyways, as for someone taking debian, altering and selling it down at your local store, why are you getting a OS from a untrusted source?

if they claim it to debian though, then when you get home and you check the md5 checksums vs. whats on debian.org youll notice their diffferent, and therefore know your copy of debian has been altered in someway.


yes someone can take a open source project and make a fork of it with ill intent. but i can make a mirc clone with ill intent too. hell, it wouldnt have to work, all id need was a similar looking install.exe. then whilst installing it would spit up some bs error and see it can not be installed..whilst installing numerous backdoors.



it still comes down to in closed source you dont know whats going on, in open source you do.
theres no avoiding that fact.

you seem to favour security through obscurity. i dont.
0x54 is offline   Reply With Quote
Old 07-23-2004, 02:41 AM   #7
In Runtime
 
0x54's Avatar
 
Join Date: Jul 2004
Posts: 157
Default Re: Nice short article on closed vs. open source security.

Quote:
The one-time pad (OTP), sometimes known as the Vernam cipher, is a theoretically unbreakable method of encryption where the plaintext is combined with a random "pad" the same length as the plaintext.
http://en.wikipedia.org/wiki/One_time_pads

you really should have said any cipher other then a otp was unbreakable ;\


anyways, as for someone taking debian, altering and selling it down at your local store, why are you getting a OS from a untrusted source?

if they claim it to be debian though, then when you get home and you check the md5 checksums vs. whats on debian.org youll notice their diffferent, and therefore know your copy of debian has been altered in someway.


yes someone can take a open source project and make a fork of it with ill intent. but i can make a mirc clone with ill intent too. hell, it wouldnt have to work, all id need was a similar looking install.exe. then whilst installing it would spit up some bs error and see it can not be installed..whilst installing numerous backdoors.



it still comes down to in closed source you dont know whats going on, in open source you do.
theres no avoiding that fact.
if someone doesnt trust a program..they read the source. or ask someone else who has. in this system peer review exists.


you seem to favour security through obscurity. i dont.
i lack the effort to argue about it, as many more smarter people then us have already had this identical argument and theres no point doing the same work twice (ahhh, open source vs closed source analogy? hehehe..)


curiously, without talking about the reasons why, i think we'd both agree on who's computer(/network) is more secure
0x54 is offline   Reply With Quote
Old 07-23-2004, 05:14 AM   #8
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 7,999
Default Re: Nice short article on closed vs. open source security.

Using your source article to provide arguments for security through obscurity...

Quote:
Now, there is a trump card up the sleeve when it comes to secrets and algorithms. When the organization or person creating the secret is trusted to do a good job simply because of who they are, i.e. the NSA or Bruce Schneier himself, then, and only then, can a secret possibly be an asset. The NSA doesn't, for example, give out its algorithms so that they can be scrutinized even though they know this could potentially lead to the discovery of weaknesses.
So the authour of the article completly shoots himself in the foot,
He doesn't trust closed source, from Microsoft, yet he trusts it from other sources. His argument isn't that you can't trust closed source, it's that you can't trust microsoft.

there are a number of arguments made by people, either individuals or IT journalists.
Microsoft source isn't completly secure, (as we found out shared source was leaked from a linux core dump)
When the microsoft source was leaked, for journalists, and Linux fanatics alike it was a field day, everyone was touting about how it would mean the end of microsoft, their front line of defense had been breached and their source was out in the wild.

On the other hand earlier this year Cisco (the network security experts) suffered a leak of some 800MB of source code, detailing, amongst other things the way that the IP6 protocol was handled. Now don't get me wrong, I don't want to spread fear, but practically 80% of the internet uses Cisco routers, most companies will hae believed the Cisco is so secure hype and have Cisco routers as their main firewalls, seems now Cisco cannot defend it's self, and the source code leak was massivly played down by both Cisco and IT journalists.

since you mention Debian as an ideology of open source goodness I'll post a few links as to how it's been compramised in the past, and tell you the fatal floor in the open source system.

First Link, debian does not apply it's own patches to it's own servers!
http://www.theregister.co.uk/2003/12...atched_server/

whilst I couldn't find the article, I do remeber reading how a bug was introduced after a trusted developers account was hacked, allowing and old exploit to be introduced into a major release.

Having said that, I still believe open source is very secure, I also believe microsoft can/could be trusted to release code that to the best of their ability is secure, I believe they have some of the worlds best programmers working at their HQ, and so would feel happy using the same argument
Quote:
When the organization or person creating the secret is trusted to do a good job simply because of who they are,
now having been given links as to how the distros of what I assume is your favorite distro have been tampered with hacked and how the developers themselves let their systems get hacked. Given information that the 'worlds premium' network hardware security provider also relies heavily on obscurity, (yet their source has been leaked).

Who's network do you think is more secure? and do you really believe there is such a thing as a secure network.

(just as a little disclaimer, Debian is actually one of my favorite Linux distros, though I think redhat is my most favorite)
root is offline   Reply With Quote
Old 07-23-2004, 08:41 PM   #9
Guru
 
Lord Kalthorn's Avatar
 
Join Date: Dec 2003
Location: Britain
Posts: 13,293
Send a message via MSN to Lord Kalthorn
Default

Although there are many good arguments; with Root's as always being the icing on the cake - it is always brilliant to read Roots arguments - basically we all have good points. However, there are holes in mine and holes in yours; if you want to continue we can but I don't think we'll get anywhere with it.

Just as a point to your OTP quote: theoretically Communism is the best form of government in the world. Many things can be said theoretically unbreakable - nothing it unbreakable. 30m thick stainless steel walls can be broken - I'm sure OTP can be broken.
__________________
A Knight is sworn to Honour. His heart knows only Virtue. His blade defends the helpless. His might upholds the Weak. His word speaks only truth. His wrath undoes the Wicked.
Lord Kalthorn is offline   Reply With Quote
Old 07-24-2004, 07:50 AM   #10
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 7,999
Default Re: Nice short article on closed vs. open source security.

There is very little difference between a far left and far right wing government, in the end they will both completly fuck the coutry and everyone in it several times.

Whilst there is great difference in the two paradigms of open source and cosed source, especially closed source where the hiding of the source is a security feature), I don't think there is that greater difference in the qualty of the software being produced.
I think the main problem people don't understand is that an opperating system, is just a way to access a disk.
Linux would be niothing without the GNU tools, windows would be nothing without the thousands of other companies creating software (in both open and closed source) from that platform.

It is also worth mentioning, most problems and weaknesses in the OS are not caused by the OS, They are caused by the services running on the OS.

for example Internet explorer is a weakness in windows, Had all bugs been found in IE before it was fully integrated into windows then I imagine windows would be a lot better and more secure OS.
__________________

root is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off



All times are GMT -5. The time now is 12:20 AM.


Powered by vBulletin® Version 3.8.8 Beta 4
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Search Engine Friendly URLs by vBSEO 3.6.0