Re: Risks of open source
Quote:
Thus it is not community review but trusted sites that is the key. Open source allows a trusted site to recompile binaries and verify that they match the developer's compiled binaries. They can also review the code and run it past malware scanners. I would hope that sites such as Maemo do this on a regular basis. Linux is in no way malware free. It's enough of a problem that there's a Wikipedia article on it with many other articles discussing the particular nasties that have been found: http://en.wikipedia.org/wiki/List_of...mputer_viruses |
Re: Risks of open source
I think it can be summarized in this way:
Yes, it can happen with an open-source operating system on your phone just as it can with closed-source. Neither inherently provides you with more or less security, as such, but in the current ecosystem, open-source tends to be more secure because there's a more immediate response to exploits and bugs. This doesn't mean open-source always responds immediately because that's at the whim of the maintainers, but that it has a tendency to do so because those with a need and interest in security will often participate in reviewing and patching and releasing secure code, whereas closed-source software prevents an effective means of having a public and massive effort of reviewing and participating. In short: If I care about malware and trojans, first and foremost I should protect myself regardless of which type of operating system I'm running, THEN I'd prefer open-source because OTHER like-minded individuals are protecting themselves as well and I can benefit from that. |
Re: Risks of open source
Quote:
The big distro makers pre-compile source packages into installable binaries, i.e. RPMs for the RedHat derived distros, PKGs for the Debian derived, etc. This effectively separates the binaries from the compilation process that produced them, so a higher degree of trust is needed on the part of the end user. Most distros demonstrate their trustworthiness by digitally signing their binary packages using GPG or some other key-pair type scheme, making it easy to determine if a binary package has been tampered with or not.
There are a relatively small number of entities such as Adobe (Flash, AdobeAir), CyberLink (PowerDVD for Linux) and some others I can't think of as I type this, who only make binary versions of their software available. They are effectively saying to their end users, "We refuse to show you any evidence that this software is benign in terms of the security of your system and/or data. You'll just have to trust us".
Finally, the security model in Linux is diametrically opposed to that found in many versions of other widely used operating systems. The Linux way is that the default user access is always non-administrative, making accidental or deliberate tampering at system level more difficult. The other (OK, I'll say it, the Windows) way is that users by default have free rein over the majority of the operating system. It is this fundamental difference in approach which makes Windows-based malware relatively easy to write. The greater deployment footprint of Windows compared to Linux or MacOS ensures that malware can spread more easily too.
I have spent almost 10 years deploying and maintaining Linux in ISP data centres for both infrastructure and managed/colocated hosting purposes. In my experience, the usual chain of events is that malware gets onto a server as source code, is compiled locally, exploits a vulnerability elsewhere in the operating system or the packages provided with it to gain root access and then begins to do its dirty work.
Particularly for web servers, having /tmp as a file system on its own partition, mounted with noexec, nodev and nosuid flags set, and changing the permissions on the gcc binary to make it executable only by root, will greatly reduce your exposure to most of the more common Linux exploits currently out there. |
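The two hardening measures in the post above (a separate /tmp mounted with noexec, nodev and nosuid, and a compiler executable only by its owner) can be audited with a short script. This is an added example, not part of the original thread; the function names `missing_tmp_opts` and `exec_beyond_owner` are made up for illustration, and it assumes a mounts table in the Linux /proc/mounts format.

```shell
#!/bin/sh
# Added example (not from the thread): audit the /tmp mount flags and the
# compiler permissions described in the post. Function names are illustrative.

# Print the flags missing from the /tmp mount, given a mounts table in
# /proc/mounts format: device mountpoint fstype options dump pass.
missing_tmp_opts() {
    mounts_file=${1:-/proc/mounts}
    # The last /tmp entry is the mount currently on top.
    opts=$(awk '$2 == "/tmp" { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "not-a-separate-mount"
        return 0
    fi
    missing=""
    for want in noexec nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# Succeed if group or other may execute the file (so not owner-only).
exec_beyond_owner() {
    perms=$(ls -ldL "$1" | cut -c1-10)
    case "$perms" in
        ??????[xs]???|?????????[xt]) return 0 ;;
    esac
    return 1
}

# Report on the running system when a mounts table is available.
if [ -r /proc/mounts ]; then
    echo "/tmp missing flags: $(missing_tmp_opts)"
fi
gcc_path=$(command -v gcc || true)
if [ -n "$gcc_path" ] && exec_beyond_owner "$gcc_path"; then
    echo "$gcc_path is executable by non-owner accounts"
fi
```

An empty result from `missing_tmp_opts` means all three flags are set; `not-a-separate-mount` means /tmp lives on the root file system and cannot carry its own flags.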
Re: Risks of open source
For me, a risk is a lack of polish in applications leading to customer frustration or dissatisfaction.
|
Re: Risks of open source
People have explained that open source computer environments are much less prone to these things than closed source ones. Just look at the number of viruses, trojans, keyloggers etc. for Windows (hundreds of thousands), compared with the number for Linux (very few, but not zero).
That said, I have seen two compromised Linux servers in my career; it does happen.
But the smartphone world is a little different. Unlike a laptop or desktop, closed source smartphones are quite restrictive about what you can install. So you're not as likely to install malicious software on a closed source smartphone, compared with a Windows desktop, simply because you aren't allowed to: the only things you can install are "approved". Whereas on Maemo, you have freedom to install any old junk, and the temptation is surely there to install things you haven't compiled yourself...
We rely on the community to check things, and for the most part, it does. We also rely on distributions, in this case Maemo and Maemo-extras, to check things and often to ensure the source matches the binary. And, when something is found out, if you are updating regularly, there's a good chance it will be fixed quickly. The same applies to closed source: with their app-approval processes, that provides a similar kind of checking. But a major difference has to be on Maemo you can install anything, from anywhere, if you are stupid or if you are tricked into it. With closed source smartphones, that's harder.
It has been said that Linux is inherently more secure than Windows, by design. But it's also been said that Windows has so many malicious programs because of user culture / knowledge / security practices, and simply because it's the more popular platform so it attracts malicious software writers, which combined with the ease of cracking it, tips the balance strongly in its favour.
N900 looks quite a tempting target, if it gets a huge amount of users. But it is developed by people who are quite security conscious, and a community which is also conscious of such things. So it remains to be seen which smartphone gets the first virus making premium-rate calls in the background... |
Re: Risks of open source
Quote:
- Apple's method, where no apps run without Apple approval
- Symbian's method of tiered access
- Maemo's method, which gives the owner total control
So if you feel that installing everything you see on the internet is a good idea, no matter how questionable the website or dubiously useful the utility, then by all means avoid the N900. If you're prepared to be a little responsible and practice safe computing (it really is a lot like what you're thinking, I know) then you can enjoy a far more powerful device than most without trouble. |
Re: Risks of open source
With Android, users can install applications outside the marketplace.
With the iPhone you can install applications outside the store if you jailbreak it (or go through that weird sharing thingy that you can only distribute to 5 people?). I think there was also recently a thing where a developer of a popular iPhone application was caught taking phone #s or something (I didn't read much into it). |
Re: Risks of open source
If tomorrow everyone were to wake up and start using Linux instead of Windows, Linux would probably not be up to the task of defending itself against the deluge of hackers that would switch over from exploiting Windows.
I quite frankly doubt the internet would survive this period in its current form. Within a year, though, you would probably find that Linux had fully recovered and was in a slightly better position, security-wise, than Windows, for the sole reason that there would just be more people working on it than Microsoft can afford. |