Thread: Open Source and Security

  1. #1
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by Thantos
    Using closed source as a security measure isn't really security if that is all you have. A lot of attacks can be done without ever looking at the source.
    Not to mention that it doesn't take a lot of skill to understand some assembler code and from that derive a rough sketch of what the code looks like in the original source. If we combine that with some understanding of where the security hole may be located, it is likely that we can find the hole without an enormous amount of effort. Of course, traipsing through tons of disassembly is slightly more complex than doing the same with tons of source code, but it is not sufficient to make one secure and the other insecure in and of itself.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  2. #2
    Thantos
    & the hat of GPL slaying
    Join Date
    Sep 2001
    Posts
    5,681
    Quote Originally Posted by matsp
    Not to mention that it doesn't take a lot of skill to understand some assembler code and from that derive a rough sketch of what the code looks like in the original source. If we combine that with some understanding of where the security hole may be located, it is likely that we can find the hole without an enormous amount of effort. Of course, traipsing through tons of disassembly is slightly more complex than doing the same with tons of source code, but it is not sufficient to make one secure and the other insecure in and of itself.

    --
    Mats
    Well, not all software can be broken down that way. For example, any type of interpreted code, or code run on a server that you can't get to (at least not without breaking the software in question).

    But yeah, a lot of the initial attempt is just trying known exploits to see what happens, which can lead someone who knows what they are doing to break the software without ever looking at the code or assembly.

  3. #3
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by Thantos
    Well, not all software can be broken down that way. For example, any type of interpreted code, or code run on a server that you can't get to (at least not without breaking the software in question).

    But yeah, a lot of the initial attempt is just trying known exploits to see what happens, which can lead someone who knows what they are doing to break the software without ever looking at the code or assembly.
    I was more referring to code that is published as binary only vs. published as (or with) source - someone determined enough will break either. But of course, if the system is running on a server where you do not have access to the code in either binary or source form, it doesn't PREVENT someone from trying to break it - it just makes it a bit harder.

    Apparently, Alan Cox is using "security by obscurity" by running a firewall on a simulated Z/390 running Linux, based on the assumption that if there's a security hole in the firewall+OS, it's unlikely to be found/exploited first on Z/390....

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.
