Whats the benefit from Open Source?

Linux gains its momentum when all of its developers constantly give back to the community developing new things, etc. The distributions make money by selling boxed sets of their OS (ie instead of waiting for the download, you can purchase a boxed CD with manual, etc) and also by selling live support. Then there are companies like RedHat which started as open source and then went corporate. Of course, a small company that only produces some standalone open source software isn't going to make much money, but it is definitely something to put on a resume and to gain experience.

I think that with the proper network configuration, a linux box can be pretty secure. I don't know enough about linux and network security to be able to answer this, so I'll compare it to something I do know about. Suppose I want to find out the password you used to register your account on DaniWeb. I have direct access to the database that stores information about users, and I know your username. However, passwords are encrypted with the MD5 algorithm, which is a one-way algorithm - it's impossible to decrypt. So while I may have access to where your password is stored, I have no viable way of figuring out what it is.

This post goes in conjunction with my post in your other thread.

I work as a web developer and maintain our servers as part of my job. I maintain one in-house Linux server and five remote Linux servers, so I know a few things about why Linux is great and what makes it a robust, secure platform.

How can a company make income from open source? Easy, charge for service and not for the product. Red Hat is easily one of the largest providers of Linux distributions. They currently offer two different version lines Enterprise Linux and Fedora. Enterprise Linux is not free, it is a professional, server-grade package that you purchase a subscription for. Technically, you are not purchasing the software; rather, you are purchasing access to their support, automated updating system, and management controls. Fedora is free, it is a community developed package that is moderated by the Red Hat team. Even though Fedora is free, you can still purchase services from Red Hat, such as: support, installation media, manuals, professional installation, access to their up2date service, etc.

The examples I gave are some of the primary ways that companies can make money from open source. It's not always about making money though. Much of the time the company is able to make a much bigger name for themselves by giving the software they produce away for free. Since the software is free, many more people will use it, talk about it, recommend it, share it, and make internet links to their site; all with a fraction of the cost of traditional marketing. How do they make money then? Usually these companies will have other software or services that they charge for. Essentially, they used the resources that they invested into the software that they are giving away as an inexpensive marketing tool. They can also charge for customized versions, updates, etc on the software that they gave away.

It's easy to see why open-source software is widely seen as more vulnerable than closed-source software. Once you know more about how security works in the software world and how the open-source software world works, you begin to appreciate how open-source software can create superior security products. While the basics of security, cryptography, and secure programming are way too broad to cover here, I can give some information that should help you understand the concept that open-software doesn't necessarily equate to vulnerable software.

Most code is subject to code review. During code review, other programers first test the code for functionality and then inspect the code for potential security risks. The more people that inspect a segment of code, the greater the likelihood that potential security risks are found and corrected. The likelihood that potential security risks are found also increase when the code is reviewed by unrelated parties since their focus on security risks is likely to be different from those that have done reviews before. Since software like Windows is mostly code-reviewed by other coders in Microsoft and by some select outside parties, the group of reviewers is relatively small and non-diverse when compared to the group of reviewers that have access to open-source code. There are even more complex issues to consider when thinking on this level, but I think what I have described is sufficient to understand the basic concept that a wider, more diverse audience can be more accurate than a small, relatively non-diverse one.

Most security concerns come not from the fact that it is possible to brute-force into most password-protected areas but that there are sometimes security holes that allow for an attacker to quickly bypass the entire security system without having to resort to finding a valid entry point. For example, critical flaws are found in Windows almost monthly that allow code of an unknown origin to execute without a user's knowledge or concent. In Windows, if you can manage to execute code, you usually have access to the entire system. From that execution point, you can change almost any data on the system, add whatever programs you wish, and basically take control of a system. This sounds like a far-off scenario, but it is not.

Just recently, a security hole was found in Windows that allowed an image file loaded in any part of the system (even in an internet browser) allowed for arbitrary code to execute. Interestingly enough, this hole was found not by Microsoft, one of their code reviewers, or some crafty virus writer that took advantage of the hole but by a security group that found the hole. If Windows was open-source, the company could have patched the affected code, submitted it for review with a bug report, and had it incorporated into the release code so that people could update their affected software. Since Windows is closed source, the only option is to make a public announcement about the security risk. This seems dumb, but since Microsoft often ignores security holes that are not widely publicized, quicker results are achieved by getting knowledge of the security risk out into the open since everyone knows that malware creaters won't wait long to take advantage of it. Shortly after patching the original flaw, another flaw in the same module was found. If the code was open-source, it is quite possible that the need for multiple patches could have been avoided since a larger group of coders would be analyzing the suitability of the new patch and its ability to correct the flaw without introducing new ones.

I hope that helps put some of your fears at ease. If you want to know more, just let us know.

Hi chrisbliss,

thanks for ur patience in writing me such a descriptive reply....

also...let us not forget that the open source model of charging for services is extremely lucrative for Red Hat. Their business has doubled over the past year and is expected to more than double over the next year.

As far as people breaking into the system...since Linux was made to be Unix-like...it is inherently more secure than any other platform. Controls built into Linux make this possible. Windows is only beginning to tap into items such as this in their Vista release...for instance...

In Windows, installing a program you must be an administrator. In linux, you don't. This is a huge security concern and also a problem...people who install programs must be administrators? Can you even begin to see the problems in that? In Linux, you can use tools such as "sudo" etc that make installing as a user easy and controlled. Vista will ship with a sudo-like function. Good thing to know they're only about 10 years behind on this control.

So, you can see that Linux is both lucrative for some companies (red hat, asterisk) through services and that there are good controls in place for Linux to remain secure despite having open code.

Remember, open code doesn't mean bad code. When bad, security ridden code finds its way into Linux...someone finds it within a few hours and changes it to good, secure code.