
The Good points and the Bad points.

Started by May 23, 2003 01:33 PM
36 comments, last by D-ungeon M-aster 21 years, 8 months ago
You have a point there, but I don't think that public-key cryptography and operating system security can really be compared. When we're referring to exploits, that is.

I still think it would be interesting to do this study. I don't know exactly how you would go about it though. I mean, you obviously can't base it solely on the number of exploits that exist for one OS over another since there are great disparities in the number of users. Perhaps a simple test program could be written, then given to two groups of hackers, one of which would be given the source code and the other told that the program is closed-source.

I don't know, but it would be interesting.
The company I work for is pretty tight with MS, so we usually have the new release software half a year or more before release (the AS platforms at least). I was using 2003 when it was .NET =). I find it funny talking to NT admins learning 2000, I feel like it's old tech now. =)

I think OSS is a great model for security. Here's how most Open Source security updates are done.

1) User posts to mailing list he found an exploit.
2) An hour later or so, another user submits a patch file to the mailing list.
3) Admins look it over and decide if they want to patch or not.
4) Later that day, one of the core devs for the OSS project posts an "official" patch, usually something similar to #2.

Either way, admins are aware of it almost instantly. Compare this to MS where you submit the bug, are asked not to post it, and then NT admins are ignorant for about 3 months until it's fixed. Meanwhile, someone else found the exploit and has written a virus that hits your machine. Later that day MS releases a hotfix for that exploit.

It happens over and over and over. Most of the NT exploits were found but never fixed. Most companies don't fix the bug until it's an issue, unless it was discovered by a large customer who demands a remedy.

Plus, with Unix it's possible to do a new build of the application, relaunch your daemon listener and have all new connections start using the patched application without interrupting current users. I can never seem to do this with Windows. =)

Windows has a lot of great points, I like WindowsUpdate.com. It's a great service, but it's just a convenient location to automatically patch. Solaris, Red Hat, and others have a similar system.

Open Source also has more vulnerabilities and runs the risk of injecting a trojan into the source. But that''s why you check checksums from multiple trusted sources. But, I would bet money that some program you use and love has a backdoor entrance some programmer probably snuck into it. You''d be surprised how many "test accounts" still remain in commercial software after release.

Scary stuff =)

Interim
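As an added illustration of the checksum practice described in the post above (example code written for this edit, not code from the original thread or from any project): a small Python routine that computes a download's SHA-256 locally and accepts the file only when enough independent sources publish the same digest and none disagree. The artifact bytes and the three source names ("mirror-a", "mailing-list-announce", "mirror-b") are constructed for the example; in practice the digests would come from genuinely separate channels, such as a release announcement on the project's mailing list and a checksum file on a different host.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample artifact standing in for a downloaded source tarball.
ARTIFACT = b"example-project-1.0.tar.gz contents (constructed sample)\n"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Constructed digests "published" by independent channels (assumed names).
TRUSTED_SOURCES = {
    "mirror-a": sha256_hex(ARTIFACT),
    "mailing-list-announce": sha256_hex(ARTIFACT),
    "mirror-b": sha256_hex(ARTIFACT),
}

# Same sources, but one of them now publishes a digest for a different file,
# mimicking a mirror that is serving (and advertising) a tampered download.
TAMPERED_SOURCES = {**TRUSTED_SOURCES, "mirror-b": sha256_hex(ARTIFACT + b"x")}


@dataclass
class VerifyResult:
    ok: bool
    agreeing: list = field(default_factory=list)
    disagreeing: list = field(default_factory=list)


def verify_artifact(data: bytes, sources: dict, min_agreeing: int = 2) -> VerifyResult:
    """Accept the artifact only if at least min_agreeing sources published the
    digest computed locally AND no source disagrees. A disagreement between
    sources is itself a signal that one of them has been altered, so it fails
    verification rather than being outvoted."""
    local = sha256_hex(data)
    result = VerifyResult(ok=False)
    for name, published in sources.items():
        # compare_digest is not required for public hashes, but it is a
        # harmless habit when comparing any authentication-like value.
        if hmac.compare_digest(local, published.strip().lower()):
            result.agreeing.append(name)
        else:
            result.disagreeing.append(name)
    result.ok = len(result.agreeing) >= min_agreeing and not result.disagreeing
    return result


if __name__ == "__main__":
    for label, data, srcs in [
        ("clean download, honest sources", ARTIFACT, TRUSTED_SOURCES),
        ("clean download, one lying mirror", ARTIFACT, TAMPERED_SOURCES),
        ("modified download, honest sources", ARTIFACT + b"!", TRUSTED_SOURCES),
    ]:
        r = verify_artifact(data, srcs)
        print(f"{label}: ok={r.ok} agree={r.agreeing} disagree={r.disagreeing}")
```

The `min_agreeing` threshold is what makes "multiple trusted sources" meaningful: a single matching digest proves only that the file matches whatever that one source says, which is exactly what a compromised mirror would arrange.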
You know what would be a great study?

To see what the _real_ turn around time for fixes to exploits is between OSS and CSS (closed-source).

Problem is, most CSS companies get exploit reports, then ask you not to report them to the internet for about 2 months while they fix them. I know my primary job isn't programming, but even I could fix some of the exploits that hit the OSS projects. Most are a simple fix once it's isolated and pointed out. If I didn't trust some unknown patch, I could essentially do it myself. Or better yet, decide to monitor or log connections that could abuse this exploit until I get a fix (assuming I couldn't shut down the service with the exploit).

I think the GPL might backfire on the community in the future. It will be hard to convince some companies to adopt GPL Open Source when they learn they can't mix their closed source with the GPL Open Source. (Or has this changed?)

I think Open Source mixed with Closed Source could be a good business for a lot of companies, but GPL is a little too strict in how you can distribute projects with GPL'd code.

Or am I off base?

Interim
quote:
Original post by Interim
I think the GPL might back fire on the community in the future. It will be hard to convince some companies to adopt GPL Open Source when they learn they can't mix their closed source with the GPL Open Source. (Or has this changed?)
No, but other licenses are available. The GPL's purpose is to ensure that a project and all future versions of it remain in the public domain in perpetuity. Personally, I don't plan to ever release code under the GPL because of my commercial bent (realize that its author, Richard Stallman, is fanatically anti-proprietary and even anti-commercial). The LGPL (which RMS renamed from "Library GPL" to "Lesser GPL" to emphasize his opinions), the BSD license, the Apache, Perl, Python and other licenses all cataloged at the Open Source Initiative offer a variety of company-friendly options.

quote:
I think Open Source mixed with Closed Source could be a good business for a lot of companies...
A lot of companies already do this kind of thing, and this is exactly why the LGPL exists. Eric Raymond wrote in one of his major essays that Open Source is not for everyone. Jamie Zawinski, when leaving Mozilla, famously said "Open Source is not magic pixie dust." Open Source, in fact, exists to encourage the adoption of free software and open development in commercial applications. To this day Richard Stallman looks down on Open Source as less "pure" than Free Software (which is a slightly confusing moniker to most people, and particularly aversive to commercial entities who live to make profit and don't want to give away anything free of cost - though Stallman's "free" is really "free of restriction").

I suggest you browse through The Cathedral and the Bazaar for a full dissertation and analysis of the goals and methods of Open Source, or maybe even pick up a copy of the paperback at your local bookshop/library. Its analysis of when to go Open Source and how to profit from Open Source alone is worth the price of admission, and the historical perspective is sheer bonus.

[Edit: Corrected quotes.]

[edited by - Oluseyi on May 27, 2003 6:34:47 PM]
quote:
Ok, Brasil and Germany are obvious exceptions. In Brasil they're also currently trying to ban a variety of "english terms" since they fear it is taking away their national identity. Look up "+globalization +brazil" or "+globalization +germany". It's more about avoiding American globalization than the actual software for those countries. As far as China, I had actually read they were negotiating with Microsoft so I will research a bit more before I can definitely comment on that.

eh? I live in Brazil, and... well, i don't see this "trying to ban english terms" here. The thing with Brazil is that we have the (bad?) habit of using *way too much* english terms. And some ppl think this is not good for the national identity, as you said, but nobody's trying to *ban* anything. I particularly find that very hard to happen here; i think Brazilian ppl enjoy using the english terms, for some odd reason.

Victor.

c[_]~~
quote:
To this day Richard Stallman looks down on Open Source as less "pure" than Free Software

Yet another reason why Stallman is an idiot

Seriously, though, he is like the open source version of a religious fundamentalist.
Stallman is somewhat extreme, but there's no denying that he has bequeathed a lot to the world at large: the GNU project, of which GCC alone is worth the price of admission; Emacs, though there are many who consider that more burden than boon; and the early articulation and laying out of an initial grammar for discussing the free exchange of ideas, particularly as relates to software. As the issues have matured, though, Stallman's academic cloisterings have acted against him, as he seems to lack an understanding of the commercial underpinnings of pretty much all aspects of our modern society. Being proprietary is not equivalent to being evil, and no, software doesn't morally "want" to be free!

Hopefully the Stallmans of this world - brilliant, eccentric and extreme - will be balanced out by the likes of Raymond: pragmatic, reasonable, brilliant in their own right and capable.
Yes, Stallman has done much good. But then again, so did people like Hitler, Mussolini, and Stalin.

Of course, I'm not really comparing him to a fascist/communist dictator... Just saying that anyone can do good, no matter how intrinsically evil they may be.

But yeah, Stallman really isn't THAT bad of a guy. I just don't agree with his philosophy too much.

This topic is closed to new replies.
