Poll: Open-source or packaged server software, which do you think is more secure?

Adul

Elite Member
Oct 9, 1999
32,999
44
91
danny.tangtam.com
I do not want to start an MS vs. Linux vs. UNIX war here, but I am interested in your comments in light of a recently hacked site. So what do you think is more secure?
 

Windogg

Lifer
Oct 9, 1999
10,241
0
0
Any software package can be secure should the publisher and user choose to make it secure. In the case of MS, I feel they compromised security for ease of use. Open source has the advantage when it comes to speed of fixes. Users can take the initiative to make fixes rather than wait for companies to make the move. Of course nothing is 100% secure. Even the mighty Linux has the "Ramen" worm, and many versions of UNIX have sensitive info available in public folders (of course it's encrypted and takes a brute-force effort to crack).

Windogg
 

ArkAoss

Banned
Aug 31, 2000
5,437
0
0
hmm... I've been getting these weird black lines across my monitor, like very random, like static.
 

RevVveD1

Senior member
Feb 1, 2001
252
0
0
That's a good question. Both have their advantages. With open source, as Windogg stated, you don't have to sit and wait around for these large companies to fix their products so you can download a patch. You have a huge group of developers that will probably get a fix out sooner than anyone else could. But at the same time, it can be a real pain to use/install. Packaged software does have that ease of use, but they do trade off a lot for that. Most packaged server software I have seen (which isn't much, I will admit) doesn't have the flexibility that a lot of open source seems to have.


I dunno. I've been brainwashed. If MS told me it was good, then I would probably just say screw it and run it, and wait for the patches...
 

Ladi

Platinum Member
Apr 21, 2000
2,084
0
0
Open source, while you have the ability to look through code for possible security issues and fix them on your own or have patches released quickly...that also allows people with malicious intent to do the same thing, possibly faster than a legitimate person would. There's also an issue with quality control in the available patches -- how are you POSITIVE that a release is good and doesn't introduce even more holes? Not everyone running an open-source server is familiar enough with code to be able to make that judgement. I think there are advantages to an educated admin with an open-source server, but it's not an area everyone should be trying to play around in.

Closed source/packaged servers eliminate the ability to look through code to find security holes...to find them, you must actually try to attack the server. Thus, many security holes are more obscure. Although patches take longer to become available, it is easier to prove that a patch is from a legitimate source (the software manufacturer) without likely possible hidden intentions to cause more harm. Ease of use is also a concern considering that many server admins simply aren't educated enough to administer their servers properly. That is not to say that you don't need as much knowledge to run closed-source gui software, but that the knowledge is directed in a different area which may be easier to learn.

Conclusion? Both open and closed source have their advantages and disadvantages; security holes in both can generally be worked around until patches become available. I think it ultimately depends upon the server admin and what s/he is comfortable with and knows better.

~Ladi
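Ladi's question above ("how are you POSITIVE that a release is good") is, in practice, answered by checking a downloaded patch against the publisher's checksum list before installing it. The following is an added example, not code from the thread or from any project named in it: a small Python verifier for a SHA256SUMS file in the format written by sha256sum(1). The release bytes, the file name patch-1.0.1.sh and the tampered copy are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample files standing in for a vendor's patch and a tampered copy
# of it. Nothing here is real release data.
GOOD_RELEASE = b"#!/bin/sh\necho 'patch 1.0.1: fixes buffer handling'\n"
TAMPERED_RELEASE = GOOD_RELEASE.replace(b"echo", b"eval")


def publish_sha256sums(files: Dict[str, bytes]) -> str:
    """Publisher side: emit a SHA256SUMS file in the 'hash  name' format of sha256sum(1)."""
    return "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in files.items()
    )


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse a SHA256SUMS file; reject any line that does not carry a 64-hex-char digest."""
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (
            len(parts) != 2
            or len(parts[0]) != 64
            or any(c not in "0123456789abcdefABCDEF" for c in parts[0])
        ):
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        # sha256sum prefixes the name with '*' when the file was hashed in binary mode.
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_release(name: str, data: bytes, sums: Dict[str, str]) -> bool:
    """Return True only if `data` hashes to the digest the checksum list gives for `name`."""
    expected = sums.get(name)
    if expected is None:
        return False  # a file the list does not cover is not verified, it is unknown
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    sums = parse_sha256sums(publish_sha256sums({"patch-1.0.1.sh": GOOD_RELEASE}))
    print("good copy:", verify_release("patch-1.0.1.sh", GOOD_RELEASE, sums))
    print("tampered :", verify_release("patch-1.0.1.sh", TAMPERED_RELEASE, sums))
    print("unlisted :", verify_release("other.sh", GOOD_RELEASE, sums))
```

The check only proves the download matches what the checksum list says; it proves nothing about who wrote the list. That is exactly the provenance gap Ladi raises, and it is why vendors sign the SHA256SUMS file (for example with a detached GPG signature) using a key the admin obtained out of band, so that the signature, not the mirror, is what vouches for the patch.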
 

BDawg

Lifer
Oct 31, 2000
11,631
2
0
I don't think Linux is the right example of open-source security. For that, you have to look at OpenBSD.

If Anand were running that, the hack would likely have not occurred.
 

Train

Lifer
Jun 22, 2000
13,587
82
91
www.bing.com
I'd have to say OpenBSD is a sweet mutha; Yahoo is on all OpenBSD servers.

I think Ladi hit all the major points I was thinking of, nothing more for me to add really.
 

Adul

Elite Member
Oct 9, 1999
32,999
44
91
danny.tangtam.com
That is why I was being broad in my topic. Open source can include BSD, Linux, and anything else that is open sourced. Good posts guys, keep it coming. I am enjoying the read.
 

Windogg

Lifer
Oct 9, 1999
10,241
0
0
Of course using massively obsolete packaged server software works too. C'mon you damn script kiddies, show me what you have for Novell NetWare 4.11 and Artisoft LANtastic!!! :)

Windogg
 

Train

Lifer
Jun 22, 2000
13,587
82
91
www.bing.com
Well, now that I think about it some more,

Open-source server software or not, chances are your application is still open source (Perl, ASP, PHP, JSP, whatever). Though this is the part that usually no one knows about since it's all custom to your site, there are lots of pre-made scripts out there for every platform that people install on their site.

The problem with this is other people see you are running that app, go and download it too, and look at it locally. Now they know exactly what code you are running, and they know the directory structure. For example, if I went and bought FuseTalk, I would easily find out where the admin directory is on forums.anandtech.com. Of course I don't know the password, but if I were the admin, I'd rather people not even know where to try. And seeing exactly how these scripts are run would give someone insight into a lot of possible holes, APPLICATION holes, not server holes, which IMO are much more of a threat, and I'm betting there are many more of these out there.
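The defensive answer to Train's point is to make knowledge of the admin path worthless on its own: the directory is gated on something the attacker does not have, whatever the stock layout of the application. The following is an added example, not configuration from the thread or from any product mentioned in it. It uses Apache httpd 2.4 syntax; the directory /var/www/forums/admin, the htpasswd file and the admin network 192.0.2.0/24 (a documentation range) are placeholders.

```apache
# Added example: gate a web application's admin area regardless of whether
# its location is public knowledge (httpd 2.4; paths and network are placeholders).
<Directory "/var/www/forums/admin">
    AuthType Basic
    AuthName "Forum administration"
    AuthUserFile "/etc/httpd/forum-admin.htpasswd"
    # Both conditions must hold: request comes from the admin network
    # AND presents valid credentials. Everyone else gets 401/403.
    <RequireAll>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

Basic authentication only makes sense over HTTPS, and the same restriction should be mirrored in the application (its own login and session checks), since a web-server rule alone does not cover the case of the admin scripts being reachable through another path or vhost.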
 

ArkAoss

Banned
Aug 31, 2000
5,437
0
0
Why are you still on Novell 4.11, Windogg??? Is your place too cheap to go to 5?? I personally think it's definitely worth it...
 

Adul

Elite Member
Oct 9, 1999
32,999
44
91
danny.tangtam.com
ArkAoss, we are still on Novell 4.11. Don't know when we are going to Novell 5.0. It was in the plans until the GE buy turned up.
 

ArkAoss

Banned
Aug 31, 2000
5,437
0
0
Oh yeah, you work for a chip company of some sort, right? Also, your servers might be older models than some of ours here. But I doubt it; we have a few old UNIX lockboxes kicking around that we might try to resuscitate.
 

Ladi

Platinum Member
Apr 21, 2000
2,084
0
0
Open-source server software or not, chances are your application is still open source (Perl, ASP, PHP, JSP, whatever).

Perl can be compiled (as can web applications in C/C++), PHP can also be compiled...I don't know about other languages and I don't know about how uncompilable these languages are. In any case, most people aren't aware of the ability to encrypt and/or compile their application/dynamic content code, so yes, this is still a concern.

I would easily find out where the admin directory is on forums.anandtech.com. Of course I don't know the password, but if I were the admin, I'd rather people not even know where to try. And seeing exactly how these scripts are run would give someone insight into a lot of possible holes.

Absolutely an issue...a good reason that applications developed in-house may be more secure...except that they probably haven't been subjected to the same type of security testing as a public application. Popular apps tend to have holes discovered quickly and patched quickly. Again...something you can go both ways on: security through obscurity or security by mass testing.

For the average user, packaged; for the update freaks, open source.

Unfortunately, even many update freaks aren't educated about the software they're running. They may run out to get new patches within the hour they're released, but that doesn't mean they're remotely qualified (in the real-world sense) to be safely and effectively running the server. This goes for both open and closed source...

~Ladi
 

Adul

Elite Member
Oct 9, 1999
32,999
44
91
danny.tangtam.com
I do not work for a chip company. Not anymore, and not for quite a few years. Unless you are talking to Windogg. :p

<--- works at Honeywell.
 

Train

Lifer
Jun 22, 2000
13,587
82
91
www.bing.com
Ya, I knew Perl and others can be compiled; actually so can ASP and Cold Fusion (well, not really compiled but encrypted), but there's always that text copy lying around, and if it's a public or even commercial web app, being compiled won't help it keep what it's doing a secret as much as an in-house developed application will.
 

Windogg

Lifer
Oct 9, 1999
10,241
0
0
Novell 4.11 is ancient, but we are planning on migrating to W2K Server, so corporate has decided just to stick with what we got. All of our fab tools are on UNIX or proprietary systems.