Re: [vox] Open Source and Security
Here is my (naive) view of software security:

1. old software is insecure because un-patched exploits have been
   discovered long ago, but it is so old no one wants to fix it
2. recently released software is mostly secure because easy exploits are
   found quickly and patches are available; less obvious exploits are not
   yet known
3. bleeding edge, pre-released software is insecure because fixes for
   easy exploits are not yet available.

This applies to both proprietary software (PS) and open-source software
(OSS). Note that for both PS and OSS, it is the responsibility of the
end user to keep up-to-date on security vulnerabilities and make the
appropriate updates. A decided advantage of OSS is that _anyone_,
including yourself, can fix security problems, even for case 1. But
with PS, you are in the hands of the software vendor. Also, OSS is
often more secure to start with because more people can look at the code
and anticipate problems.

It sounds like the person quoted here falls under case 1, where an old
version of a RH distro is being used that RH inc no longer supports.
He/she probably ought to switch Linux distributions or purchase RHE.

Jonathan

Byron Roberts wrote:

Here is an excerpt from a post on the CVBIG list that I belong to:

[snip]
The problems with Linux are that RedHat (our operating
system) no longer supports further updates, the Linux operating system has
three system vulnerabilities, which need to be fixed, and it is open source
(I know I touched on something sacred here, but no programmer likes to redo
old code, especially someone else's, so I'm concerned the security
vulnerabilities will not get fixed).
[snip]

I feel like I'm totally missing something here... I thought that one of the big advantages of
OSS was increased security, precisely because the code is accessible and able to be
modified? Or as a newbie is there some piece of information that I'm lacking?

_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox