More FUD about LINUX security

Discussion in 'all things UNIX' started by linuxforall, Apr 16, 2012.

Thread Status:
Not open for further replies.
  1. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
     
  2. guest

    guest Guest

    Lies. There are lots of people auditing Microsoft's code, probably more people (and more dedicated/organized) than those who really audit Linux in real world. The Linux "many eyes" mantra is largely a myth.

    Besides that, MS proprietary code is shared with those who really need, read more about shared source.
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076

    Whilst this may be perfectly true it can be argued about until the sun dies out. There is no way of knowing just how many people are reviewing Microsoft's code and there is no way of knowing just how many people are reviewing all of the Linux code. I don't think either have an advantage when it comes to "eyes".
     
  4. Judge Dee

    Judge Dee Guest

    Do you have some kind of reference for this bold statement?
     
  5. guest

    guest Guest

    Yes, try reading what was already discussed in this thread, pages 2 and 3. You'll find it.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Shared code is a hilarious marketing gimmick to get people to think that Microsoft benefits from the same thing Linux does. It does not mean that the entire Windows OS is available. It doesn't mean that I can personally audit the code. It doesn't mean that anyone can audit the code. It means that pieces of the code may be shared with agencies.

    The idea that these agencies are auditing and correcting code is unfounded. The idea that these agencies are more qualified to audit code is unfounded.

    What shared source means: (based on the various shared source licenses, only two of which actually qualify as being open)
    1) That the code is completely without access to anyone
    2) That the code may be read-only for specific agencies
    3) That the code is fully open to be changed by specific agencies
    4) The above can also be applied in a more open way where everyone can view the code. There are very few examples of (4) but I can think of a few.

    What open source means:
    1) Anyone anywhere may read, verify, validate, modify the code.

    Let's not forget that the government (DOD) uses open source.

    http://opensource.org/node/225
    Who Is Behind "Shared Source" Misinformation Campaign?

    There is no objective way to say that "many eyes" is not beneficial. That is an opinion that is held by many people and I believe that, to an extent, it is true ie: "many eyes" on the code does not mean safer code. The main assumptions that people who don't think that this is beneficial hold are that the people looking aren't qualified and therefore don't matter. This assumption is just as silly as thinking that everyone who's looking is qualified. It's a bit of both. I don't have to be qualified as a security analyst to read code and understand what it's doing to a large extent. And the fact is that there IS someone out there who IS qualified to look at it.

    What many eyes means is that anyone can audit this code. There are people combing over this code, including the government (DOD uses OSS) to make sure that it's suitable for their uses.

    I can personally (if I felt the need) look at the code and make sure that it's written properly. Anyone who's capable of reading code can do this.

    What can I do with Microsoft? Nothing. I can view a bit of what they shared (I will be incredibly surprised if even a line of the MS kernel is "shared" with the public) and hope that the rest is of that quality.

    I can never know that MS hasn't built in a backdoor (something I don't think they've done, but I know others believe so) because I can never view their source code. That is why having eyes on the code is important. Public audits are, I believe, key to providing actual security. Actually verifying that the code is what the company says it is and knowing that it is no more and no less.

    So, does many eyes mean secure code? Maybe not. But I'll take it over MS hiding their code in the background and pretending they aren't.
     
  7. guest

    guest Guest

    Oh my...

    Who are you trying to correct? Who here affirmed that shared source and open source are the same? Please, pick the context and point where in my posts that I said such thing.

    Now, let me tell you that everything you wrote I've already read before. There is absolutely nothing new. It's the old tired rhetoric...

    But I liked to see you mentioning DOD, lol. I have some news to you about it:

    DOD uses Microsoft too. Army uses Microsoft. Navy uses Microsoft. USAF uses Microsoft.

    http://www.microsoft.com/industry/government/guides/dod/default.aspx
    http://twitter.com/#!/microsoft_navy
    http://twitter.com/#!/microsoft_usaf
    http://twitter.com/#!/microsoft_army
    http://blogs.msdn.com/b/uspublicsector/
    http://www.futurefed.com/
     
    Last edited by a moderator: Apr 24, 2012
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The problem with silly marketing ploys like Shared Source is that (as pointed out) due to its wording readers get confused easily. They think that because the two things sound alike that they are anything alike. You stated earlier:
    This makes it sound like anyone who wants to view the code is free to. This isn't true at all. MS created shared source to sound like it's open. It is not open. None of it is GPL compatible.

    Oh, I know parts of the gov't use Microsoft. I remember the keylogging incident not long ago because of it lol

    https://en.wikipedia.org/wiki/Use_o...in_the_U.S._Department_of_Defense#Version_1.2

    http://www.oss-institute.org/OTD2011/OTD-lessons-learned-military-FinalV1.pdf

    You can see my earlier report for a government study showing that they believe OSS is more secure. I don't really put much credence into that study (though I put far more into it than the ones you originally posted) since it misses the point - counting vulnerabilities is idiotic at best, posting results as if it means anything is irresponsible (it leads to conversations like this.)

    There is more potential for open source software than there is for closed source software in terms of security. Explaining why would take way too long. If you're really after the truth about security (I feel like a lot of people are more hobbyists who just enjoy the discussion on the side, which is fine) you should learn a bit of programming and start understanding what a pain in the ass it is to debug large projects and understanding what kind of bugs you'll find.

    What it all really comes down to is that this is a huge conversation and I don't really think it's possible to have it without more background knowledge on how computers actually work - that's on both sides. So I don't think this conversation is worth having.
     
  9. guest

    guest Guest

    Source is actually being shared, to qualified customers, enterprises, governments, and partners for debugging and reference purposes.

    FOSS supporters can call it a marketing ploy or whatever. I don't care. It doesn't change the reality that Microsoft's proprietary code is actually being shared outside, to really relevant people.

    As for embarrassing incidents, let's not forget these recent ones:
    http://arstechnica.com/open-source/...nel-archives-host-compromised-by-attacker.ars
    http://arstechnica.com/security/news/2008/08/red-hat-fedora-servers-infiltrated-by-attackers.ars

    BTW... Nice report on FOSS usage in DOD.... from 2003. lol. Info from a decade ago.

    Why? Explain objectively why. Maybe you could help several people who are working on such thing and wasting their time. All those companies dedicated to vulnerability tracking for example. Are they wasting their time? Show them the key to their salvation. lol
     
    Last edited by a moderator: Apr 24, 2012
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They re-released a similar paper in '09. Too lazy to find it. There may be one from 2011, can't remember. There are plenty of papers like this.

    Some source is being "shared" ie: they can read it but can't actually do anything with it and they can only read some of it. Some of it they can actually change, some of it anyone can view, some of it anyone can change. There are at least 5 separate shared source licenses, most of which don't actually let anyone do anything to the code and only allow them to read specific areas that MS allows with MS's explicit permission.

    This is probably something I could explain given enough time (as opposed to trying to explain OS vs CS.) I don't care to. There are already papers out there about it, you can probably find one in 5 minutes on Google.

    Looking at the number of vulnerabilities in a single product gives a tiny picture into the security of that product. Trying to compare that product to another similar product based on that is a bit ridiculous. Trying to compare that product to another different product that's developed in an entirely different manner that drastically changes how vulnerabilities are handled and disclosed makes virtually no sense.
     
  11. guest

    guest Guest

    I don't doubt that they are using FOSS in some areas. But if you continue showing these papers which aren't much more than propaganda from "FOSS NGOs" (lol), I'll just show more of the same coming from Microsoft. There is plenty of info inside what US agencies are using, from both sides. The truth is, they use a mix of solutions, and they help improve them to different extents.

    Yeah, I know. As stated, "debugging and reference purposes". As to the extent of the code that is being shared, we can only guess. But, I never saw someone involved complaining, did you? That can be a strong indication that code is being shared to a great extent. We simply don't know because we have no inside info.

    Explain why. You're just giving adjectives to a common practice, you are not explaining why counting vulnerabilities is irrelevant, and you are not explaining why comparing products in such way is irrelevant. In my opinion, the products can be compared, as long as they supposedly serve (or are designed for) same or very similar purposes.
     
    Last edited by a moderator: Apr 24, 2012
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yes, this is the reality of things.....
     