
Re: Is Open Source software really more secure?

On Sun, Oct 08, 2000 at 08:05:21AM -0500, Bud Rogers wrote:
> I've always taken for granted the idea that open source was inherently more 
> secure because it's open to peer review.  Linus said "Given enough eyes, all 
> bugs are shallow."  But has anyone ever done a serious study on the subject?  
>  I've seen plenty of emotional arguments and anecdotal evidence, but nothing 
> that I would consider hard evidence.  
> I'm doing a paper on this topic for a graduate level class in Information 
> Assurance Management.  I'm looking for background material for my paper.  I 
> would appreciate any pointers, urls, etc.

I can't really talk about bugs, but regarding cryptographic security,
there is an aspect that is often overlooked: consider software like PGP.
It is possible to include a trojan inside that can only be discovered if
you disassemble the code. And in a very strong sense: it can be proven that
if the trojan is properly written, it is as hard to detect it without the
source as it is to break the encryption scheme itself.
(There were papers on this topic at a crypto conference a few years ago;
search for "Kleptography" if interested.)

To put it another way, if you only observe the outputs of the trojanized
program, you won't be able to tell the difference from a genuine
implementation. On the other hand, it is not known (at least in the public
literature) how to insert a cryptographic trojan in open source software.

And if you look at the SSL standard, a similar trick can be done by only
changing a few lines of the code.

Considering the huge importance that cryptology has on the net nowadays,
I would tend to think that this is a major point in favor of the open source
development model.

Hope this helps.
Julien Stern -- http://www.julienstern.org
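The kind of trojan described above, as an added illustration that is not part of the original message and not code from PGP, SSL or any real product: a Diffie-Hellman key generator whose public outputs are indistinguishable from an honest one, yet whose private exponents the trojan's author can recover from passive observation. It follows the Diffie-Hellman SETUP construction from Young and Yung's kleptography work. Everything else is an assumption made for the demo: a toy group modulo the Mersenne prime 2^127-1 with generator 3 (far too small for real use), SHA-256 as the derivation function, and the made-up names BackdooredDH, attacker_recover and demo.

```python
"""
Toy kleptographic (SETUP) backdoor in Diffie-Hellman ephemeral key generation.

Added example, not code from the post or from PGP/SSL.  Assumptions: a toy
group mod the Mersenne prime 2^127-1 with generator 3 (far too small for real
use), SHA-256 as the derivation function, and the made-up names below.  The
construction follows the Diffie-Hellman SETUP of Young and Yung.
"""
import hashlib
import secrets

P = (1 << 127) - 1          # toy prime modulus (assumption: demo only)
G = 3                       # toy generator (assumption: demo only)


def _rand_exponent():
    """Uniform exponent in [1, P-2], as an honest implementation would pick."""
    return secrets.randbelow(P - 2) + 1


def _derive_exponent(shared):
    """Turn a group element into an exponent: hash it, reduce into range."""
    digest = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1


def honest_keygen():
    """Genuine DH: a fresh random exponent every time."""
    x = _rand_exponent()
    return x, pow(G, x, P)


class BackdooredDH:
    """
    Same interface and same-looking output as honest_keygen(), but every
    second exponent is H(Y^x_prev), where Y is the attacker's public key
    embedded in the binary.  The public values g^x do not reveal this
    (deciding whether x_2 was derived from x_1 amounts to a DDH instance);
    the dependence on the attacker's key is visible only here, in the source.
    """

    def __init__(self, attacker_pub):
        self._attacker_pub = attacker_pub
        self._prev_x = None

    def keygen(self):
        if self._prev_x is None:
            x = _rand_exponent()                       # odd calls: random
            self._prev_x = x
        else:
            shared = pow(self._attacker_pub, self._prev_x, P)
            x = _derive_exponent(shared)               # even calls: leaked
            self._prev_x = None
        return x, pow(G, x, P)


def attacker_recover(prev_pub, attacker_priv):
    """
    The attacker (holding y with Y = g^y) sees the victim's previous public
    value g^x_prev on the wire and recomputes the next private exponent:
    (g^x_prev)^y = Y^x_prev, then the same derivation the backdoor used.
    """
    return _derive_exponent(pow(prev_pub, attacker_priv, P))


def demo():
    """Two victim key generations, one passive observation, one stolen key."""
    attacker_priv = _rand_exponent()
    attacker_pub = pow(G, attacker_priv, P)

    victim = BackdooredDH(attacker_pub)
    _x1, pub1 = victim.keygen()      # seen on the wire; looks random
    x2, pub2 = victim.keygen()       # victim's next ephemeral key

    # The victim completes a DH exchange with some peer using x2.
    _peer_x, peer_pub = honest_keygen()
    victim_session_key = pow(peer_pub, x2, P)

    # The attacker never touched the victim's machine: x2 is recovered
    # from pub1 alone, and with it the session key.
    stolen_x2 = attacker_recover(pub1, attacker_priv)
    attacker_session_key = pow(peer_pub, stolen_x2, P)

    return {
        "recovered_exponent_matches": stolen_x2 == x2,
        "recovered_pub_matches": pow(G, stolen_x2, P) == pub2,
        "session_key_recovered": attacker_session_key == victim_session_key,
    }


if __name__ == "__main__":
    print(demo())
```

Note that BackdooredDH.keygen() and honest_keygen() return values of identical shape and range, so a black-box tester comparing outputs learns nothing; the only place the trojan shows is the one line that raises the attacker's public key to the victim's previous exponent, which is exactly the line a source-level review would catch.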
