Occasionally the question arises: Is Free Software more secure?
And what statement can be made about this, e.g. by the FSFE? My answer to this is: Free Software has a higher chance of being secure.
Of course I wouldn't post this to a discussion list if this was completely clear to everybody. Unfortunately the relation of freedom to security is complicated. There are already quite a few texts and papers about it. Maybe we need to find the best ones which can be used as references to give to journalists and other interested people.
To support my statement I usually look at David Wheeler's work first.
http://www.dwheeler.com/oss_fs_why.html#conclusions
OSS/FS software often has far better security [1], perhaps due to the possibility of worldwide review.
[1] http://www.dwheeler.com/oss_fs_why.html#security
Again, it is not true that proprietary programs are always more secure, or that OSS/FS is always more secure, because there are many factors at work. For example, a well-configured and well-maintained system, of any kind, will almost always be far more secure than a poorly configured and unmaintained system of any kind. For a longer description of these issues, see my discussion on open source and security [2] (part of my book on writing secure software). However, from these figures, it appears that OSS/FS systems are in many cases better - not just equal - in their resistance to attacks as compared to proprietary software.
[2] http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-se...
(Wheeler in this book uses "open source" for Free Software.)
2.4.1. View of Various Experts
2.4.6. Bottom Line
Just making a program open source doesn't suddenly make a program secure, and just because a program is open source does not guarantee security:
First, people have to actually review the code. This is one of the key points of debate - will people really review code? Second, at least some of the people developing and reviewing the code must know how to write secure programs.
Third, once found, these problems need to be fixed quickly and their fixes distributed. Open source systems tend to fix the problems quickly, but the distribution is not always smooth. Another advantage of open source is that, if you find a problem, you can fix it immediately. This really doesn't have any counterpart in closed source.
In short, the effect on security of open source software is still a major debate in the security community, though a large number of prominent experts believe that it has great potential to be more secure.
Another interesting source stressing active peer review is within Chapter 4 and Chapter 5 of Peter Gutmann's book: Cryptographic Security Architecture
It is the book that stems from his thesis. He has put a few chapters online at: http://www.cs.auckland.ac.nz/~pgut001/pubs/thesis.html
Especially interesting for this question are: Chapter 4: Verification Techniques, where he criticises a lot of beliefs about how to build secure systems and verify them; Chapter 5: Verification of the cryptlib kernel, where he explains his approach. The interesting part is 5.1.1 "Peer Review as an Evaluation Mechanism" and the cited literature there.
Bernhard
OpenBSD is good and secure for both slow and fast computers
On Sat, 18 Sep 2004 11:02:30 +0200, Andres K. Foerster list@akfoerster.de wrote:
On Friday, 17 Sep 2004, Bernhard Reiter wrote:
Free Software has a higher chance of being secure.
And what OS would you suggest for security? OpenBSD?
-- AKFoerster
_______________________________________________
Discussion mailing list
Discussion@fsfeurope.org
https://mail.fsfeurope.org/mailman/listinfo/discussion
On Sat, 18 Sep 2004 11:02:30 +0200, Andres K Foerster said:
And what OS would you suggest for security?
The question is broader than the simple question what OS is more secure (or what editor is better). It's about whether the freedoms granted by FS help developing and maintaining software in a way that it provides better security to the user.
Werner
On Monday, 20 Sep 2004, Werner Koch wrote:
And what OS would you suggest for security?
The question is broader than the simple question what OS is more secure (or what editor is better). It's about whether the freedoms granted by FS help developing and maintaining software in a way that it provides better security to the user.
OpenBSD actually IS free software. And it's mainly targeted for security.
But I was really surprised, when I read the recent interview with Theo de Raadt (founder of OpenBSD). He comes to the conclusion: "The source code doesn't make a difference. You can get the source code for anything today and an attacker can find vulnerabilities. The fact of the matter is, there is no more closed source there is just limited open source."
The whole article can be found here: http://www.computerworld.com.au/nindex.php/id;1498222899;fp;16;fpid;0
How do you think about this interview?
On Tuesday, 21.09.2004 at 12:20, Andres K. Foerster wrote:
But I was really surprised, when I read the recent interview with Theo de Raadt (founder of OpenBSD). He comes to the conclusion: "The source code doesn't make a difference. You can get the source code for anything today and an attacker can find vulnerabilities. The fact of the matter is, there is no more closed source there is just limited open source."
The whole article can be found here: http://www.computerworld.com.au/nindex.php/id;1498222899;fp;16;fpid;0
How do you think about this interview?
Spontaneously, I think it shows how important it is to speak about Free Software, and how ambiguous the term "Open Source" is.
Thanks,
Occasionally the question arises: Is Free Software more secure?
And what statement can be made about this, e.g. by the FSFE. My answer to this is:
Free Software has a higher chance of being secure.
- No (less) spyware/adware
- Independence (from governments, firms, political groups, etc.)
- Transparency
- Peer-review (large peer review in fact)
- Less marketing constraints
- You can read the code (that's needed for security)
- You can fix the code. (vs you need a new editor version)
- Anybody can fix it. (vs editor can fix it)
- Public bugzilla (you know there are security bugs)
- ...
On Tue, 21 Sep 2004 00:29:37 +0200, Benoît Sibaud said:
Peer-review (large peer review in fact)
True, there is a chance for peer review but it is in general not done. During GnuPG development we have seen some serious and easy to identify bugs - only found by coincidence and after many months.
You can read the code (that's needed for security)
And you may build it using your own toolchain.
Werner