From Fedora Project Wiki

< FWN‎ | Beats

Line 6: Line 6:
 
Contributing Writer: [[JoshBressers]]
 
Contributing Writer: [[JoshBressers]]
  
=== Encryption Security ===
+
=== Is Open Source Software Secure? ===
With all the recent talk of encrypting hard drives, the cold boot method, and using proper passwords, this<ref>http://xkcd.com/538</ref> xkcd comic reminds us of the weakest link in all cryptography, the person with the password.
+
This week there was a story posted to Slashdot titled '''How To Argue That Open Source Software Is Secure?'''<ref>http://it.slashdot.org/article.pl?sid=09/02/11/007216</ref>.  Quoting the post:
 +
<pre>
 +
... saying that they were warned that they are dangerously insecure because they run open source
 +
operating systems or software, because 'anyone can read the code and hack you with ease.'
 +
</pre>
  
<references/>
+
This issue seems to keep coming up from time to time. This argument is of course silly and one of those "Prove it ... you can't? So it's true!"  There is no way to prove that a piece of closed source software is more or less secure than a given piece of Open Source Software.  If you can't see the source, you can't be certain that the vendor did or didn't fix issues.  You need to unconditionally trust your vendor.  If the source code is wide open for anyone to see, it keeps the vendor honest.  You can't sweep issues under a transparent rug.  You can try, and maybe hide a few piles of dust, but the really scary piles of dirt will stick out like sore thumbs.
  
=== Running Things as root is a Bad Idea ===
+
The issue at hand isn't is application A more secure than application B, but do you trust vendor A more than vendor B?
While I always knew this, this article still sort of blows my mind:
 
''Windows Security Improved By Denial Of Administrative Rights''<ref>http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=213001021&subSection=Enterprise+Applications
 
</ref>
 
To quote the article:
 
<pre>... configuring users to operate without administrative rights mitigates the impact of 92% of "critical" Microsoft vulnerabilities ...</pre>
 
92%, that is mind boggling. It's been sound advice for a long time in the Linux world, not to do things as root. I suspect if we expected everyone to be doing everything as root, virtual any minor security flaw would suddenly become a very serious matter.
 
  
 
<references/>
 
<references/>

Revision as of 01:32, 16 February 2009

Security Week

In this section, we highlight the security stories from the week in Fedora.

Contributing Writer: JoshBressers

Is Open Source Software Secure?

This week there was a story posted to Slashdot titled How To Argue That Open Source Software Is Secure?[1]. Quoting the post:

... saying that they were warned that they are dangerously insecure because they run open source
operating systems or software, because 'anyone can read the code and hack you with ease.'

This issue seems to keep coming up from time to time. This argument is of course silly and one of those "Prove it ... you can't? So it's true!" There is no way to prove that a piece of closed source software is more or less secure than a given piece of Open Source Software. If you can't see the source, you can't be certain that the vendor did or didn't fix issues. You need to unconditionally trust your vendor. If the source code is wide open for anyone to see, it keeps the vendor honest. You can't sweep issues under a transparent rug. You can try, and maybe hide a few piles of dust, but the really scary piles of dirt will stick out like sore thumbs.

The issue at hand isn't is application A more secure than application B, but do you trust vendor A more than vendor B?