It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

Open source and Security = ???

page: 1
0

log in

join
share:

posted on Aug, 16 2004 @ 05:09 PM
link   

The new concept in the server is the security model. The RPOW server
is running on a high-security processor card, the IBM 4758 Secure
Cryptographic Coprocessor, validated to FIPS-140 level 4. This card
has the capability to deliver a signed attestation of the software
configuration on the board, which any (sufficiently motivated) user
can verify against the published source code of the system. This lets
everyone see that the system has no back doors and will only create RPOW
tokens when supplied with POW/RPOW tokens of equal value.


sources:

cryptome.org...

www.rpow.net...

Maybe I missing something here, but I don't understand why one would go through the trouble of creating a very nice network security system only to have the source code available for download and encouraged to be studied. Wouldn't this kinda defeat the purpose?




posted on Aug, 17 2004 @ 02:32 AM
link   
Linux is open source too...Servers run it. You dont see many problems with it. The source to programs are available so people can improve upon it. There may be a bug...but it will be fixed pretty quickly. Bugs dont last long in the Open Source community.



posted on Aug, 17 2004 @ 02:36 AM
link   
That would make sense, which would seem to make the lifetime expectancy of system exploits shrink as each WIP is updated as it is discovered. Not foolproof, but then again nothing ever is...



posted on Aug, 17 2004 @ 12:28 PM
link   
there's a lot of heated debate on the security merits of closed versus open-source programs. the arguments for closed source are usually:

a) because the source is closed, someone looking to create a new exploit will have a harder time discovering exploitable weaknesses

and for open source:

a) exploitable weaknesses are more easily discovered, but if the development community is reasonably active the exploits get closed pretty quick

in my mind, the biggest problem with relying on closed source programs in a high-security environment is that they're less fixable; for example, if the software provider releases a patch right away you're not in any trouble, but if they don't respond promptly you may not be able to do much to fix the problem yourself while you wait for an official patch.

with open source, if it's critical you can just write some kludgy fix into the program, recompile, and then wait for the development community to write a better fix; the "official" turnaround may turn out to be just as slow as with the closed source program, but at least you have the ability to make a quick fix.

the biggest open-source security problem, in my book, is that if your operation is building the source locally and then installing it -- as opposed to just grabbing the precompiled binaries -- any malicious employees / team members could theoretically insert backdoors into the source before it compiles, which would make what might have been a very secure program into a very secure program with a back door for a couple people; with closed source you don't have a similar option (though someone could monkey with the settings after installation) but there's no way to know if someone at the software company put in their own backdoors.

so it's really a mixed bag; for the time being the open-source stuff is typically a lot more secure, at least when you're looking at a linux/unix/associated software vs. microsoft's offerings, but if microsoft picked up some slack that security gap could get a lot narrower.



new topics

top topics
 
0

log in

join