Lesson 1: Assets


Arguments for Closed Source

1. The Difficulty of Exploitation Argument:

Advocates of closed source argue that it is more difficult for attackers to exploit a closed source system than an open source system. They claim that, because attackers have access to the source code, it is easier for them to identify vulnerabilities in open source systems.

2. The "Many Eyes" Arguments:

Closed source advocates also point out a fallacy in the "many eyes" argument for open source. Just because the source code is available doesn't mean that anyone is reading it. Nor does it mean that all the vulnerabilities and bugs have been found and fixed; in fact, undetected bugs have lingered in open source packages for years before anyone discovered them.

Another problem with open source, say critics, is that the average user is not competent to actually inspect the source code and identify problems. So, while there may be many eyes looking at the code, they are not necessarily seeing in 20/20. On the other hand, the developers of proprietary software are competent and trained to identify and fix problems in the source code.

3. The Trust Argument:

The same trust argument against closed source can actually be used against open source. The reason? An increasing trend in the open source community is to develop small software packages that include "precompiled binaries." Users often download and install these precompiled binaries without examining their source. This means that the users are essentially placing their trust in the good will and good security practices of the site from which they downloaded the packages.

4. The Liability Argument:

Most open source licenses, such as the GNU General Public License, explicitly disclaim any liability. Proponents of closed source software point out that, when closed source software is purchased from reputable vendors, there is some recourse in the event of failure.

Summary:

Closed source advocates maintain that access to source code makes it easier for attackers to find vulnerabilities and exploit them. And, they argue, just because people have access to the source code doesn't necessarily mean that they are able to identify and fix bugs. They remind us that open source users who install precompiled binaries are essentially running closed source software since they can't be sure the executables match the source code. Finally, there is the issue of who is accountable when open-source software breaks.
