Open Source vs Closed Source?

Discussion in 'General Mac Discussion' started by Sushij, Mar 3, 2004.

  1. Sushij macrumors newbie

    Joined:
    Feb 9, 2004
    Location:
    Iowa City
    #1
    I have a question about the whole open source thing. Everyone is like OS X has better security than Windows cause it has UNIX, which I know is open source. I know that OS X runs on a darwin kernal and you can download it. So if anyone can download and look at your kernal, how can it be inherently more secure? I know I may just be very newbish about this, but someone asked me and I had a hard time explaining why open source is better than closed. Any help is welcomed as I am trying to understand my OS and computer better. Thanks.
    :D

    Jeff
     
  2. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #2
    *because* people can look at it, people can fix it so the bug will be gone.

    The problem with Windows though, is that too many people use it. A virus for Mac OS X is pointless as hell because it doesnt affect large companies (because most of them use Windows or some Linux/Unix variant) or ordinary users (most of them are Windows users).
    And the thing is Darwin is only *part* of Mac OS X (barely the foundation) so it'll either be devastating or stupidly pointless if a MyDoom sort of thing for Macs existed.

    If Apple's OS and computers were as popular as Microsoft Windows and Dell/Sony/Gateway/all those other manufacturers, security-conscious people would be using something else. Honestly, nobody can say that one platform is safer than another usually because it hasnt happened.

    as for me, I'll be content with having both a Mac and a PC. Linux is a great thing sometimes, because as soon as a large problem arises, someone out there (or me, because the source is widely available) in the world will fix it.
     
  3. varmit macrumors 68000

    varmit

    Joined:
    Aug 5, 2003
    #3
    more eyes

    Simply this, 1 million programmers vs. a couple hundred programmers. Who do you think will find more bugs quicker. Just remember, every OS is not completely secure. They all have bugs, but Linux and BSD have them fixed quicker than MS. Hell, MS has yet to fix some major critical flaws, and they have been in MS for over 150 days now. In open source, flaws are fixed as soon as possible, which is usually pretty damn fast too.
     
  4. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #4
    uh actually MS has more than a "couple hundred programmers", and with hundreds of millions of lines of code and thousands of different hardware configs, who can blame them for not being able to find all the bugs in Windows?

    Apple makes their own software and hardware in house and its not hard for them to test OS X out for any major bugs, because they can test it on theoretically every single variant on their computers dating back to the early 90s set up in their ADC testing labs. Seriously. They have like blueberry iMacs and Xserves and everything inbetween. :p
     
  5. logicat2001 macrumors regular

    Joined:
    Apr 16, 2003
    Location:
    Minneapolis, MN
    #5
    Do some reading first.

    The discussions re: Open-source vs. closed-source code run both wide and deep. If you're curious do yourself and the world a favor and skim some of the material found here:

    http://www.gnu.org/philosophy/

    Here's a very recent talk by Eben Moglen at the Harvard Law School, available as a Real media stream or as a written transcript.

    I just watched the stream recently and was blown away by some of what Eben Moglen said. FYI, in the words of Jonathan Zittrain, a Harvard Law professor, Eben Moglen is "among other things, counsel to the Free Software Foundation, and therefore, Richard Stallmans' lawyer, and somebody who is the legal, and in other important respects, public face of the Free Software Foundation and the Free Software Movement."

    If anyone reading this has an inkling of interest in this topic, the video stream is incredibly enlightening (and is peppered with law terms that I don't know, but that's OK).

    Best,
    Logicat
     
  6. abhishekit macrumors 65816

    abhishekit

    Joined:
    Nov 6, 2003
    Location:
    akron , ohio
    #6
    well,..security of an operating system doesnt all depend on whether its open source or proprietary...although one of the advantages of open source is that you have too many 'eyes' watching u, so bugs get fixed up easily..but still if u get too many bugs, then u r not secure, regardless of how soon u fix it..security really depends upon how carefully ur system is designed..
    Linux is much more suceptible than solaris, although latter is proprietary,..linux releases so many patches....yes,sometimes within hours of a bug but still ..bugs keep coming...so it doesnt mean its perfect,..
    couple of very secure systems presently would be mac os x ,:D ofcorse, and solaris..one is open source one is not..so....u know..
     
  7. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #7
    hey
    if Mac OS X was the Windows of today's computing world you wouldnt be saying that. It actually isnt as secure as you think it is. Its just that all studies and polls are biased because a lot of people use Windows or Linux than OS X.
     
  8. abhishekit macrumors 65816

    abhishekit

    Joined:
    Nov 6, 2003
    Location:
    akron , ohio
    #8
    if mac os x was windows of today's computing world i wont be using that :D
    ..and ofcourse os x isnt invulnerable, hence all the security updates..and if you beleive Lance Ulanoff all hell is waiting to break on us ...but then who knows lance...:D
     
  9. smllpx macrumors member

    Joined:
    Feb 25, 2004
    #9
    on an off note:

    Mac OS X is not really based on "UNIX" in the since, UNIX comes from AT&T Bell Labs’ system V. It is really derived from Carnegie Mellon's Mach Kernel; which is from BSD. Which, I am sorry to say is also the basis of the Window NT Kernel ( and thereby the 2000 and XP kernel ). it is because the BSD license allows companies to rewrite, if only minimally, the software and call it there own. Which is partly why Richard Stallman created the GPL.

    The common problem with viruses and worms comes from the older paradigm of non-networked computers. Now that virtually all computers can act as servers, while the majority of them are operating on the older concepts has lead to these problem. BSD (which Darwin draws much of its architecture from) was design from the beginning as a network server with multiple users and has already addressed many of its common security issues.

    If you really want a headache check out the UNIX history map:
    http://www.levenez.com/unix/history.html

    Oh by the way Microsoft once had a Unix derivative called Xenix. So if Unix was the key to security; they just threw it away. ;)
     
  10. caveman_uk Guest

    caveman_uk

    Joined:
    Feb 17, 2003
    Location:
    Hitchin, Herts, UK
    #10
    If you're being picky then yes the kernel is derived from the mach kernel. Much of the rest of Darwin is derived from FreeBSD which is derived from the BSDs and thenon back to the original Unix.
     
  11. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #11
    The "common sense logic" is more or less wrong

    People are always saying "Windows isn't any less secure than anything else, it's just much more widely used". There may a small amount of truth to this, but it's far from the complete truth. Apache Web server runs 60-70 percent of ALL websites, while IIS is somewhere around 25 percent - yet IIS bugs have far and away outnumbered Apache bugs. Heck, most "Apache" bugs have actually been problems with other things like PHP rather than the core server (and therefore are independent of Apache, since PHP can be run on a wide variety of webservers).

    Part of the problem is that Microsoft is only now starting to learn what the Linux and BSD folks learned several years ago - you don't leave unnecessary services running by default. This is what allowed the DCOM bug to propagate (and it's still being a pest), as well as SQL-Slammer. It's why marketing spammers were able to pop up annoying ads on people thanks to the MS Messenger service being on by default.

    Another issue is that, until recently, most Windows services ran as Administrator. Most Linux/BSD services run as a particular dedicated user - and those that need to be started as root (Apache, OpenSSH) don't run their daemons as root.

    A third issue is that Microsoft has had the bad habit of tieing things into the kernel that really shouldn't be there. Personally I think this one is the fault of the marketing and business strategy folks ("We can't remove IE because it's part of Windows!"), because I can't imagine why else it'd have made sense to do it.
     
  12. ZeppelinArmada macrumors member

    Joined:
    Mar 26, 2003
    Location:
    Mostly here
    #12
    Something that I don't see touched on in these Open Source vs Closed Source (MS) is the knowledgeability required of the technicians. With products designed for the MS server environment the way that services interact with each other is more obfuscated than with equivalent open source "solutions". Technicians need be less enlightened on the actual mechanics in the MS server world. Thus, when something is afoot they have a harder time identifying the weak link.

    IIS fits together like 80 ton legos; you can turn interlocking services on and off very easily. Not so true in any of the open source environments that I have worked in. When one has to gather all of the dependancies of the "solution" that one wishes to install, then configure, compile and install them all, one simply can't help but learn about how each of the pieces work. When something goes wrong it is much easier to pinpoint where and why it is happening.
     
  13. smllpx macrumors member

    Joined:
    Feb 25, 2004
    #13
    Not exactly, BSD's goal was to create a Free UNIX-like system, so it isn't directly from UNIX, is was build to be like UNIX. In fact AT&T sued BSD because their system was very much like UNIX, but the courts said it was a different animal.

    But to the end user and most developers it is very UNIX like. I will full concede that I am being picky.

    Ok, back to the question of security, here is a quote I alway have in mind when programming.

    there is a flaw in your code
    if there isn't a flaw in your code, there is one in your logic
    if there isn't one in your logic, there is one with the language
    if there isn't one with the language, there is one with the library the language is accessing
    it there isn't one in the library, there is one in the server code
    if there isn't one in the server, there is one in the HTTP prorocol itself

    there is only good enough security...
     
  14. wordmunger macrumors 603

    wordmunger

    Joined:
    Sep 3, 2003
    Location:
    North Carolina
    #14
    What you're referring to here is commonly known as the "myth of security through obscurity."

    It seems as if a closed-source system would be more secure, because no one knows how it works. However, if only Microsoft knows how their system works, then we simply have to trust their claim that it is secure. Supposing there actually is a security flaw, then in the best case, only Microsoft employees can break into your system; in the worst case, the news will leak out (either through carelessness or through a disgruntled employee) and anyone will be able to break in.

    In open source systems, all the information about the operating system is available for everyone to see. This is proof that the system is truly secure--that the only way to access your computer is if you know the password. Since thousands of people are looking at this source code every day, any unforeseen security problems can be quickly identified and fixed.

    By contrast, in a closed source system, the company might know about the flaw for years, but be unwilling to invest the resources to fix it.
     
  15. smllpx macrumors member

    Joined:
    Feb 25, 2004
    #15
    I disagree, security through obscurity does add a layer of protection. I think the problem is when companies depend on the obscurity.
     
  16. wordmunger macrumors 603

    wordmunger

    Joined:
    Sep 3, 2003
    Location:
    North Carolina
    #16
    Exactly. And in closed source systems, that's all you can depend on.
     
  17. gbojim macrumors 6502

    Joined:
    Jan 30, 2002
    #17
    Thanks for the link. That was an excellent talk.
     
  18. SiliconAddict macrumors 603

    SiliconAddict

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #18
    The thing is now a days people keep touting the proprietary word as being a bad thing. In reality it isn't. Bare with me here. Proprietary and closed software development can work just as well as open source as long as its done right. The security holes in Microsoft's code it not due to it being closed but due to the nature of how Microsoft deals with security. As I've stated before security is like insurance. It's not a visible function of a product, be it a car, a house, or an OS. Security up to this point in time hasn't been a major selling point for any OS. It's generally the features and the eye candy that draws the crowd. Look at Panther. Is Apple touting Security as its main feature? Nope. Expose is the draw. Look at Linux. Security does play some part but more so the price of the OS. Licensing costs are zip. Microsoft knows this and caters to this attitude. Again: Microsoft is a marketing company that just happens to make software.
    Things are changing at Microsoft. Security has become priority one there but a simple fact of life applies to Microsoft's predicament. You can't make an aircraft carrier do a 180* turn in 30 seconds. Similarly a transition at Microsoft to consider security first is not going to happen overnight and is not going to happen in XP. XP's development occurred in the very mist of this "security first" transition and because of this toting security and XP in the same sentence is going to end up being laughable at best.
    They are doing their best with an upcoming Service Pack release for XP but reality check time. This is not going to fix the various problems that are plaguing XP. (Note SP2 will begin to implement the idea of security at the perimeter. Whether or not that idea will work only time and a virus trial by fire will tell.)
    No its Longhorn is where the real test is going to show how well Microsoft is handling this transition. There are a number of reasons Microsoft is now estimating (Note the estimate word.) that Longhorn won't be out until 2006. Some of the minor ones are backwards software compatibility.
    Some of the more major ones are security. Microsoft has stated they are writing Longhorn from scratch. I'm guessing that a certain percent of XP's code base will be recycled in Longhorn. I'm betting that Microsoft is going over the parts that are being recycled with a fine-toothed comb, which is probably the reason for the delay. They don't want existing holes in XP to transition over to Longhorn.
    So where does this lead us? Basically back to the beginning. Open source advocates tote open source because Microsoft gets a bad rep. In reality closed source development works as long as its done right. Having 1,000 to 1,000,000 developers really doesn't matter in the long run. The goal of most companies is to have an acceptable margin of error in the code. As long as it runs, doesn't crash, and is acceptably secure most companies are happy.

    Also I would put forth a possible suggestion. Feel free to correct me if I'm off on this since my hands on for software development is somewhat limited. (Took a few classes in college but never could get use to sitting there for hours on end.) While open source in and of itself isn't a bad thing, probably more good then anything else, what happens if all OS's were based on open source code? Innovation can only go so far if you are bound to a sandbox. Lets say Windows used BSD's kernel for Longhorn. They dropped the entire NT platform right now. Obviously you can build, append, and make changes to that kernel but since that underlying code it basically the same, OS development could be hampered in the event that say Microsoft wanted to write their kernel from scratch while still using open source. *shrugs* Maybe not. I don't know. :confused: :confused: :confused:

    My brain has officially turned to mush. I just spent the last 3 hours trying to track down a missing laptop that was sent to us, that never showed up, that we can't verify, that we don't know who's it is who's packing slip that has the laptops serial number is needed to check which of the 3 laptops of that model is truly missing and once that is done we need to get a UPS tracking number all the while dealing with an administrative assistant that is based out of Chicago for a manager who is based here in Minneapolis who ordered the laptops and is getting pissy with me that one of those orders was lost so she contacts my manager but I had the good sense to contact him before she did and gave him the real line of what is going on and and and. *brain explodes* I hate corp politics. Sorry. This was off topic but I had to rant.
     
  19. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #19
    yo when i was talking about Mac OS X security as opposed to Windows et cetera, I wasnt just talking about Apache vs. IIS.

    And when you have a PC running Windows, with all the updates and patches installed, and you have common sense, plus your hardware is set up in an optimal way, you will never ever run into ANY problems with it. Maybe th occasional error, but that's common with Mac OS X as well.

    You also have to realize that Microsoft is doing a decent job dealing with security holes. Most viruses take advantage of the fact that most people do not bother downloading the patches for holes that were announced by MS. That's not the fault of the company or the OS (operating systems are inherently buggy, you cant do anything about it), its the fault of the admins and users.
     
  20. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #20
    You're missing the point. The argument made was that MS's exploitability was simply a function of relative marketshare. I was showing this is demonstrably false by providing a contradictory parallel example.

    There was not a patch available that would block DCOM when it hit. Even now, NT/2000/XP are exploitable out of the box - you have to configure network settings with the network unattached because otherwise your box will get owned in less than a minute. This is not true of other OSes.

    SQL slammer had a patch... for SQL server. But MS, in it's wisdom, also included bits of MS-SQL code in numerous DESKTOP software programs for no apparent good reason. There was no reason for the SQL port to be left open on desktop machines by default, but that's exactly what MS did. I could be wrong, but I believe the desktop-level patch wasn't available until after the fact.

    The XP UPNP exploit also did not have a patch, and for months MS argued that it wasn't exploitable - even though a known exploit existed. It wasn't until a news reporter demonstrated the exploit by taking over a computer in California from a computer in New Jersey (or was it New York? I forget) that this got remedied.

    For a very recent example, look at the IE "%" URL bug. How long has that been around?

    I agree with this to a point. MS is doing a better job than they used to, in large part because they've seen that businesses are no longer ignoring the continual problems with Windows.

    On your second point: Unfortunately, speaking as an admin, you don't always have control over your users. Just this week it came out that a particular Fortune 500 company's Windows network got owned and hosed due to the top execs insisting on having PCAnywhere running on their desktop computers with easy to remember passwords. The admins were against this, but had no power to enforce it on that tier of user. Also, depending on where you work (I work at a state university, for example) there are often political reasons you can't totally enforce good security policy across the board. Faculty and students want to be able to bring in their laptops and plug them into the network. The most we can do is try to educate users, but it only takes one to screw it up - even if all the other attached boxes are fully patched, network degradation due to the virus/worm's activities can bring all traffic down to a crawl.

    While OSes all have bugs, you can't consider them equivalent. What's the worst OS X exploit you can think of? The DHCP poisoning attack? At worst that would let someone take over boxes on a subnet that he/she has the ability to insert a rogue server into. Compare that to the scope of the various MS Windows exploits I've mentioned above.
     
  21. 7on macrumors 601

    7on

    Joined:
    Nov 9, 2003
    Location:
    Dress Rosa
    #21
    Not really, since you don't have to have any common sense to use Mac OSX. Some of the most computer illiterate people I know, use Macs. Then there are the computer illiterates using Windows, who have problems all the time. Like there was this girl whose computer wouldn't boot up due to "Keyboard error". Turned out her printer was doing that... For me, that wouldn't be a troubleshooting thing I would have looked for (she mentioned it to me and I thought she was crazy). OSX is already set up optimally. XP has to be set up.

    P.S. you can run XP with a pseudo root user, by using a limited account by default instead of the administrator. Read that somewhere.
     
  22. stoid macrumors 601

    stoid

    Joined:
    Feb 17, 2002
    Location:
    So long, and thanks for all the fish!
    #22
    The problem with Windows is that you don't have to enter in a password whenever you need root access. In Mac OS X you do. It's easy to convince a regular ol' user to download an E-mail attachment, but it's far more difficult to convince them to enter in their password for no apparent reason.

    And the security-through-obscurity bull**** is just that. Many corporations use the open source technology that is the core of the OS X, and it would not be difficult at all to assume that viruses targeting them could easily effect Mac users.

    Unless you have a single damn shred of evidence supporting your wild "If Apple was mainstream it would suck too." argument, I suggest that you realize Apple is different because it's BETTER, not because it's SMALLER.

    I think Apple is in the right place with open source technology, and unless Microsoft gets it's act straightened up FAST, it's going to start resembling Anakin Skywalker or the Titanic. :D
     
  23. abhishekit macrumors 65816

    abhishekit

    Joined:
    Nov 6, 2003
    Location:
    akron , ohio
    #23
    hmm..interesting,..as this thread makes way to its 2nd or may be third day, today an article appeared in The register, same topic"Does open source code enhance security?" link
    anyone here in this forum works for register?
     

Share This Page