Subject Re: [IBDI] Food for thought
Author David K. Trudgett
On Sunday 2002-04-14 at 03:24:56 -0400, Claudio Valderrama C. wrote:

> Some comparisons in terms of flaws between OS & traditional development:

That article is simply wrong-minded.

First, it's a straw-man argument. The simple fact of being open source
does not confer an automatic benefit in relation to security. No one
in their right mind would even suggest that (hence the straw-man
nature of the argument).

Second, the speed of bug-fix releases by open source software
maintainers is not the central issue, but only peripheral (another
factor in the straw-man argument). The central issue is trust and
auditing, together with the _possibility_ of fixing problems
_yourself_ without waiting for the patches in the first place.

Third, closed source peddlars like Microsoft (and they're not the only
ones), don't release security patches unless they are forced to by
the full disclosure movement. There are signs that this attitude may
be changing in Microsoft ("yeah, and pigs might fly" I hear some say),
but the fact is that closed source encourages the attitude of "sweep
it under the carpet", which becomes entrenched in corporate culture.

Fourth, it distracts from the real reasons for choosing open source
(or, even better, Free Software). Those reasons have to do with the
freedoms that each of us require. These include the ability to:

+ adapt software to individual requirements
+ fix bugs that stop us achieving our aims
+ help each other by sharing software, thus generating an
increasing spiral of benefits for all
+ study how software works so we can use it better
+ use the software in whatever manner we wish

Fifth, although open source is no guarantee of security, it is a
pre-requisite. In more precise language that some of you may be
familiar with, being open source is a necessary but not sufficient
condition for security. The NSA does not use software for which it
doesn't have the source. What possible reason could there be for that?
I suggest it is because it is impossible to verify the security of any
software without having the source available for study.

It is therefore incredibly absurd for the author to conclude that the
security status of closed source products is equivalent to open
source. It beggars belief to such an extent that the only possible
explanation is that the author(s) have a particular axe to grind,
which is a particular political agenda aimed at discrediting that
which is a clear and present threat to the continued monopolistic
powers of certain large corporations.

Well, there are other explanations: stupidity and ignorance both come
to mind. Perhaps these people really can't see past their DOS prompt.
Who knows?

For those who are interested, I recommend you read:

Secrets and Lies
Digital Security in a Networked World
Bruce Schneier
John Wiley & Sons Inc
ISBN 0-471-25311-1

Bruce Schneier is a security expert and knows what he's talking about.

David Trudgett