There is a widespread and, to my mind, ludicrous belief among the technorati that because a piece of software is developed collaboratively by enthusiasts, with its source code shared freely on the web, it is automatically more secure and less buggy.
"When everyone can look at your code," runs the argument, "flaws get found more quickly and patches get released almost immediately."
But although anyone can look at open source code, in practice the only people who do are those involved in developing the software and those trying to write malware that exploits it.
This is exactly the situation that applies to closed source software, except that it is somewhat harder for the attackers to get hold of a copy of the code.
I'm not going to dispute that there are many more viruses targeting Microsoft Office than there are targeting OpenOffice. But this is not because the OpenOffice community has more pairs of eyes pre-emptively spotting and patching flaws; it's because fewer people target OpenOffice in the first place.
The dichotomy is not between open source and closed source. It's between liked software and hated software. People target Microsoft because it has a large market share and because it represents The Man.
Publishing the source code for Internet Explorer wouldn't make it any safer: Microsoft already has plenty of very talented developers working full time on finding and fixing security holes. In fact, it would open the floodgates to a whole new generation of wannabe haxzors.
World of Warcraft is closed source software and has had relatively few security flaws, despite a very large market share. This is because we love Blizzard and we don't want to take them down.
I can't think of any easy way for Microsoft to turn itself back into the beloved company it was 25 years ago, and it is hard to see what it has to gain from the open source "movement".
Your comments (5)
jose_x
March 10th 2009
5. I was a bit defensive in that last comment, but I want to make explicit a few things that may have been implied but not stressed.
Not all proprietary vendors are the same.
It's most important to get security correct at the OS and at other key layers.
jose_x
March 10th 2009
4. You are missing some things.
[OS vs app:] The operating system can do a lot more than a game. If you write a game, it's naturally easier to be safe.
[Common apps vs uncommon:] You usually get violated through using an application even if it is the fault of the operating system environment/design. There are more common applications through which you might get affected.
[Popularity:] The most popular webservers have for a long time been open source (Apache), which have a fairly clean record, yet Microsoft's webservers have a horrendous record. Much commodity high security software is open source. As Linux moves mainstream, some open source Linux apps will need to be developed more carefully, but then, there will be many more eyeballs at that point in time!
["Cheating":] Many proprietary companies base some portion of their products on open source. If nothing else, they can study the open source. Microsoft borrows from open source. Note that openssl is licensed so that any proprietary vendor can use it and not tell you about it. There is a reason so many hardware vendors (routers, tivo, cellphones, etc) use Linux or other open source. There is a reason Google and Yahoo and Akamai use it (though they hack it and keep some secrets). There is a reason government entities in high security environments have specifically stated that security concerns are a major reason to switch to open source [that's not to say Windows isn't used frequently by the government in many places].
[Higher priorities:] When you have to make profit numbers and you make this your most important goal, guess what that means about cutting corners. When backdoors and as much control as possible over your product running on users desktop are a part of your business plan, guess what that says about sticking to best security practices.
[Human nature:] When you are closed source, you can hide more issues for a longer period of time. You can get away with sloppiness for longer. Microsoft gets less feedback on these holes they leave. When you have to show your laundry to the world, guess what that says about you *not* cutting corners.
[Number of experts:] Are you aware that a bunch of people around the world who care about security have access to Linux source and do check it? They couldn't if they used Windows. All of open source isn't safe, but the most important parts will have a lot more experts looking over it. Last I heard, Microsoft has a few tens of thousands of tech employees, many of whom aren't doing security by a long shot. Last I heard, the world had around 6,000,000,000 people. A hundredth of one percent of that is still 600,000 total people (i.e., one person out of every 10,000 you meet -- have you even met 10,000 people?).
[But I agree:] How much people dislike you is an important factor. Do you provide healthy ways for would-be attackers to study and contribute to your product, or do you essentially tempt them to see if they can get through and make you look bad? There are more ways for mischievous individuals to make a positive for themselves on open source.
It's very tough to deny that Microsoft has had very foolish weaknesses. They have admitted this themselves even while people were still making excuses for them. Some architectures are simply better. Microsoft's products are designed to turn out profits. Linux is not, and it leveraged many more design decisions from OS that are used in high security environments [UNIX].
Blue pill or red pill? http://en.wikipedia.org/wiki/Redpill
marybranscombe
March 6th 2009
3. @louis: Open source is free as in speech, not free as in beer. It doesn't always and automatically mean free software - there are lots of business models. And sometimes, you get what you pay for...
louis058
February 25th 2009
2. i just like open-source cos it means free to download
jmace86
February 25th 2009
1. Good article that brings to light a common misconception held by the less informed.
As stated in the article, if anything open source software would be easier to hack as the code is so easily accessible, but it is not such a large target for hackers because -- whilst it is becoming more popular -- it is still used by a minority of people, with the vast majority still using closed source software and therefore closed source software represents a far larger "market" for hackers to attack.