posted Feb 13, 2004

Everyone's so worried about the Microsoft source leak. "It could open new security holes!" they say. But check this out: the source for Linux, a popular Microsoft competitor, has always been available, and its advocates promote this as making Linux more secure, not less. More programmer eyeballs looking for bugs. Maybe some white-hat types will try to check in some fixes for Windows 2000? Stranger things have happened. - Scripting News

Actually, it's not the "many eyeballs" alone that matters; it's the feedback loop those eyeballs feed: someone finds a bug, submits a fix, a maintainer reviews and merges it, and the fix ships to users. How would a "white-hat type" actually "check in" a fix to Windows 2000? Even if "we" now have some of the source, that loop remains broken, because there is no channel through which an outsider's patch gets accepted and shipped. So the leak is still a net negative for Microsoft, although I agree that many people are overstating the negativity. A lot of the security flaws you could find by reading the source are just as visible if you know how to look for them in the binary. For instance, a buffer overflow is triggered by excessively large input, so you can simply hit the program with inputs of increasing size and watch what happens: which length first crashes it, and what lands in the saved return address when it does. In fact, that is often more reliable than reading the code, since it reports what the compiled program actually does rather than what the source appears to say. Where the source does help is afterwards, in working out why the crash happened and whether it is exploitable.
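The black-box approach described above, as an added example that is not part of the original post and is not Microsoft's or Linux's code. Since it has to run offline, the "target" is a constructed model of a C stack frame (a 40-byte buffer followed by the saved return address, filled by an unchecked strcpy-style copy); the buffer size and the return-address value are assumptions, and the probing code never reads them. Against a real binary, run_target() would become a subprocess call that reports which signal the child died with, and the length sweep, bisection and cyclic-pattern offset lookup would stay the same. It also shows the check a fixer would want: the same sweep run against a bounded copy finds nothing.

```python
"""Length-sweep probe for an input-driven stack buffer overflow.

Added example, not from the original post. The target below is a
constructed model of a C stack frame: a fixed-size buffer followed by
the saved return address, written by an unchecked strcpy()-style copy.
"""
import string
import struct

BUF_SIZE = 40                        # assumed target buffer size; the probe never reads it
RET_SENTINEL = 0x0000000000401136    # assumed placeholder for the saved return address


def _copy_into_frame(data: bytes, bounded: bool) -> dict:
    """Model one call: copy `data` into the buffer and report the frame state.

    Returns what a debugger would show afterwards: whether the saved return
    address was clobbered ("crashed") and its current value ("ret").
    """
    frame = bytearray(BUF_SIZE) + struct.pack("<Q", RET_SENTINEL)
    if bounded:
        src = data[:BUF_SIZE - 1] + b"\x00"   # strlcpy-style: always leaves room for the NUL
    else:
        src = data + b"\x00"                  # strcpy-style: every byte plus the NUL, no check
    frame[:len(src)] = src                    # may run past the buffer into the return address
    ret = struct.unpack_from("<Q", frame, BUF_SIZE)[0]
    return {"crashed": ret != RET_SENTINEL, "ret": ret}


def run_target(data: bytes) -> dict:
    """The vulnerable build: unchecked copy."""
    return _copy_into_frame(data, bounded=False)


def run_target_fixed(data: bytes) -> dict:
    """The patched build: copy clamped to the buffer."""
    return _copy_into_frame(data, bounded=True)


def find_crash_length(run, start=8, limit=1 << 16):
    """Grow the input geometrically until the target crashes, then bisect
    between the last good and first bad length to find the smallest
    crashing input. Returns None if nothing up to `limit` crashes."""
    good, bad = 0, None
    n = start
    while n <= limit:
        if run(b"A" * n)["crashed"]:
            bad = n
            break
        good, n = n, n * 2
    if bad is None:
        return None
    while bad - good > 1:
        mid = (good + bad) // 2
        if run(b"A" * mid)["crashed"]:
            bad = mid
        else:
            good = mid
    return bad


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern 'Aa0Aa1Aa2...': every 3-byte triple is unique,
    so any 8-byte slice of the pattern maps back to exactly one offset."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern beyond 20280 bytes is no longer unique")


def find_return_offset(run, length: int):
    """Send a cyclic pattern and look up which slice of it landed in the
    saved return address; that slice's position is the overwrite offset.
    Returns None if the return address was not fully overwritten."""
    pattern = cyclic_pattern(length)
    result = run(pattern)
    if not result["crashed"]:
        return None
    landed = struct.pack("<Q", result["ret"])
    off = pattern.find(landed)
    return off if off >= 0 else None


if __name__ == "__main__":
    n = find_crash_length(run_target)
    print("smallest crashing input length:", n)            # the NUL terminator clips the return address
    print("return address overwritten at offset:", find_return_offset(run_target, 2 * n))
    print("patched build, crash length:", find_crash_length(run_target_fixed))
```

Two details are worth noticing. The smallest crashing length is the buffer size itself, not one past it, because the copy's NUL terminator is the first byte to land on the return address; a probe that only ever sends "one more than N" would miss that off-by-one. And the fill byte matters: if the padding happened to equal the bytes already in the return address, the overwrite would be invisible, which is one reason practitioners switch to a cyclic pattern rather than a run of a single character.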
