Ranjeet Walunj

February 12, 2009

Argument: Is open source software secure enough?

I’ve heard this argument from many Microsoft/closed-source technology evangelists: that open source software is not secure enough.

And that anyone can easily find a flaw in the software and use it for his own benefit.

This week there was an argument on Slashdot about the same.

According to Linus’s Law, “given enough eyeballs, all bugs are shallow”. More formally: “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone.” — this rule was formulated by ESR (Eric S. Raymond).

Open source, by its very nature of revealing everything, catches the attention of all the users/hackers/programmers across the world who use that software. (Please note: hackers always have good intentions.)

The source code is validated by many learned people, and if any flaw is found it is quickly reported and fixed.
If a certain OSS is continuously subject to vulnerabilities, it loses its charm and people quickly migrate to more secure alternatives.
(For example: most new installations of mail servers are based on qmail/Postfix rather than Sendmail.)

In the case of closed source (e.g. Windows), it takes a long time to report a flaw and much longer to fix it.

I don’t hate Microsoft; in fact I use Windows XP for most of my day job and am happy with it. But I feel much more flexibility with my Linux. Most importantly, if something is going wrong I know where to check and what the reasons could be. (Syslogs are also a great friend.)

But talking about security, NO OSS is less secure than any closed source software just because it is open in nature, or for that matter for any other reason.

Lots of learned independent developers/testers/reviewers have gone through the code/designs/outcomes of the OSS and have contributed to the security threats/bugs/potential problems.

Collective intelligence (worldwide) is always superior to a closed group of people.

As someone suggested, it is easier to experience this than to argue over it.

The best approach is to deploy it yourself and run weekly penetration testing to see the possible results.

There is no security from the stupid actions of users/administrators; however, assuming security by obfuscation/closed source is nothing but stupidity.

I’ve been personally using OSS for years now and am absolutely happy with the way it has helped me in learning things.


September 4, 2008

Browser War: Microsoft IE8 Vs. Firefox Vs. Google Chrome (or Google OS?)

It’s quite a logical move from Google to come out with its own browser (Google Chrome) after looking at the features of MS IE8 and the possible threat to its advertising revenue.

Internet Explorer enjoys 60-70% of the browser market share due to its strong presence in the OS.
Mozilla/Firefox enjoys close to 20-25% (or more) of the market share.
And the remaining browsers (Opera, Safari) enjoy the remaining share.

Chrome is out in the market and it will face problems similar to those Mozilla is facing.
(Most people are happy with the built-in (/pre-shipped) browser of their OS (read: Microsoft Internet Explorer).)

So probably what it will do is eat Mozilla’s share of the browser market, and the Mozilla Foundation looks amazed at the timing of the Chrome announcement.

Mozilla CEO’s thoughts on Chrome:

Mozilla’s Europe president, Tristan Nitot, does not see Chrome as a direct attack on Firefox.

However, I seriously see this announcement as a threat to Firefox, as the only place Chrome will eat browser share is Firefox.

(As mentioned above, normal users are happy with their pre-shipped browser.)

About IE8 — yeah, in my previous post I mentioned how it can create problems for online advertising (InPrivate Blocking mode).

Chrome seems to be the answer to that threat … It allows advertising …
Obvious, since Google does not want to cut advertising revenue 😉

It gives the option to block pop-ups though …. (since Google does not yet have pop-ups 😉 )

But to me it looks like Google has a secret agenda with Google Chrome.

It looks like a platform for an OS wrapper … where a normal user does not need to switch to other applications if he is using Google Chrome …. Google will soon start providing for all the basic needs of a surfer inside the Chrome browser itself.

(Remember, they are already building/have launched apps for desktop, word processing, presentations, editing, email, chat.)

All Google needs to do is provide all these things together in Google Chrome.
They are already offering Google Gears; I would not be surprised if people start using it to distribute web software as offline installable applications which can be run through the Chrome browser.

The browser war is heating up …. are you party to it?

I’ve been using the following browsers:

(IE7, Firefox 3 and 2, Opera, Safari, Netscape and now Chrome)

Chrome is a multi-process, multi-tabbed browser, whereas FF tries to provide a lean, efficient experience with a single process, and IE8 tries to provide a smoother browsing experience by creating multiple instances of iexplore.exe.

What this means is that if something goes wrong in one tab of Chrome, the other tabs will keep working properly.

In IE, this may happen if the other tabs are handled by another instance of iexplore.exe.
And Firefox may crash the entire process.

In my experience, memory utilisation is sometimes bad for all browsers (sometimes pathetic).

My experience with Chrome is as follows:

I installed Chrome yesterday and faced a few issues with it.
I wasted almost 20-30 mins figuring out why it was throwing weird errors like the following.
— the application failed to initialise properly (0xC0000005). Click ok to terminate the program

The above error is caused by Microsoft XP Pro + SP3, Symantec Endpoint Protection and Chrome running together.

The temporary workaround is to disable the sandbox mode of Chrome by running Chrome with the additional option “--no-sandbox” (without quotes) — check here

After that it’s running strictly OK for me …

  1. It has already crashed a few times .. and I had to restart the browser
  2. My laptop’s scroll-down from the mousepad works fine … but scroll-up does not work
  3. A few sites do not open in Chrome (need to figure this out — this may not be a problem with it)
