Unfortunately, those skilled people at MS have let the NSA in on so many 0-day exploits. God knows how many have not been reported to the public yet. At least with open source, I know there is a community behind it for me or others to verify. Sure it is not 100% foolproof, but it makes it far harder to sneak bad things through.
SSL is a security sensitive bit of code. That's the kind of thing that needs to be kept safe, and it's the kind of thing that people claim is kept safe by open source's many eyes.
The argument I'm making is not that Windows is secure (because it isn't), but that Open Source isn't necessarily secure just because it's open source.
No one has argued that open source is secure just because it's open source.
Open source is however possible to independently verify if it is secure. Closed source is not possible to verify as secure and must be taken solely on the word of the company who made it.
There are a lot of security holes regularly surfacing in all kinds of software. We don't even have the post mortem of the kernel.org compromise, as one example. Even some Debian servers got hacked. Open source helps but let's not pretend it's a panacea.
It's not all or nothing. Open source is better than closed source for security auditing purposes, but of course open source alone is not enough, nor is it impervious to security flaws. It's just better than the alternative.
A bug caused by prettying the code, which was secure from upstream, which is in an important, widely used, supposedly secure bit of code isn't a good enough example?
> Was this specific bug being actively exploited when it was discovered?
Many Linuxes used to ship with lots of services running. That led to many rooted boxes being used to deliver spam. Open Source fixed the problem, but only after many millions of emails had been delivered.
Someone somewhere probably has a nice chart of all the Red Hat boxes in SKorea in the late 1990s early 2000s.
Again, this isn't to suggest that MS or Apple are more secure. For years anyone putting an MS server onto the Internet ran the risk of very quick exploitation.
> A bug caused by prettying the code, which was secure from upstream, which is in an important, widely used, supposedly secure bit of code isn't a good enough example?
It's a good example. Can you come up with more? Because, you know, it's just one instance of a problem. It says nothing on how pervasive it is.
> For years anyone putting an MS server onto the Internet ran the risk of very quick exploitation.
IIRC, there was a time when the average time between install and first invasion was in the 40 seconds range.