Linux users often cite security benefits as one of the reasons to prefer open source software. Since the code is open for everyone to see, there are more eyes searching for potential bugs. They refer to the opposite approach, where code is only visible to the developers, as security through obscurity. Only a few people can see the code, and the people who want to take advantage of bugs aren’t on that list.

While this language is common in the open source world, this isn’t a Linux-specific issue. In fact, this debate is older than computers. So is the question settled? Is one approach actually safer than the other, or is it possible that there’s truth to both?

What Is Security Through Obscurity?

Security through obscurity is the reliance on secrecy as a means of protecting components of a system. This method is partially adopted by the companies behind today’s most successful commercial operating systems: Microsoft, Apple, and to a lesser extent, Google. The idea is that if bad actors don’t know a flaw exists, how can they take advantage of it?

You and I cannot take a peek at the code that makes Windows run (unless you happen to have a relationship with Microsoft). The same is true of macOS. Google open sources the core components of Android, but most apps remain proprietary. Similarly, Chrome OS is largely open source, except for the special bits that separate Chrome from Chromium.

What Are the Drawbacks?

Since we cannot see what’s going on in the code, we have to trust companies when they say their software is secure. In reality, they may have the strongest security in the industry (as seems to be the case with Google’s online services), or they may have glaring holes that embarrassingly linger around for years.

Security by obscurity, on its own, does not provide a system with security. This is taken as a given in the world of cryptography. Kerckhoffs’s principle argues that a cryptosystem should be secure even if the mechanisms fall into the hands of the enemy. This principle dates all the way back to the late 1800s.

Shannon’s maxim followed in the 20th century. It says that people should design systems under the assumption that opponents will immediately become familiar with them.
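To make the two principles above concrete, here is an added example (not part of the original article) that compares a message-authentication scheme protected only by a secret design with a public one protected by a key. The `obscure_tag` recipe and the sample messages are hypothetical and constructed for this illustration; HMAC-SHA256 is the public design.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages for this illustration.
GENUINE = b"transfer=100;to=alice"
TAMPERED = b"transfer=900;to=mallory"


def obscure_tag(message: bytes) -> bytes:
    """Hypothetical 'secret design': unkeyed, protected only by nobody knowing the recipe."""
    return hashlib.sha256(message[::-1]).digest()[:16]


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """Public design (HMAC-SHA256): the key is the only secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_obscure(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def design_disclosed() -> tuple[bool, bool]:
    """Both mechanisms are public knowledge; only the HMAC key stays private."""
    key = secrets.token_bytes(32)
    # Obscure scheme: knowing the recipe is all it takes to produce a valid tag.
    obscure_accepts_tampered = verify_obscure(TAMPERED, obscure_tag(TAMPERED))
    # Keyed scheme: knowing the recipe without the key yields a tag that fails.
    wrong_key = secrets.token_bytes(32)
    keyed_accepts_tampered = verify_keyed(key, TAMPERED, keyed_tag(wrong_key, TAMPERED))
    return obscure_accepts_tampered, keyed_accepts_tampered


def secret_leaked_then_rotated() -> tuple[bool, bool]:
    """Recovery after a leak: a key can be replaced, a design cannot be un-published."""
    old_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    stale_tag = keyed_tag(old_key, TAMPERED)  # made with the leaked key
    keyed_still_exposed = verify_keyed(new_key, TAMPERED, stale_tag)
    # The obscure scheme has nothing to rotate: the same tag verifies forever.
    obscure_still_exposed = verify_obscure(TAMPERED, obscure_tag(TAMPERED))
    return keyed_still_exposed, obscure_still_exposed


if __name__ == "__main__":
    print("design disclosed (obscure, keyed):", design_disclosed())
    print("after rotation (keyed, obscure):", secret_leaked_then_rotated())
```

The second function shows the practical reason the principle matters to defenders: a leaked key is fixed by issuing a new one, while a leaked design means replacing the scheme everywhere it is deployed.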

Back in the 1850s, American locksmith Alfred Hobbs demonstrated how to pick state-of-the-art locks made by manufacturers who claimed that secrecy made their designs safer. People who make their livelihoods (so to speak) picking locks get really good at picking locks. Just because they may not have seen one before doesn’t make it impenetrable.

This can be seen in the regular security updates that arrive on Windows, macOS, and other proprietary operating systems. If keeping the code private were enough to keep flaws hidden, they wouldn’t need to be patched.

Security Through Obscurity Can’t Be the Only Solution

Fortunately, this approach is only part of the defensive plan these companies take. Google rewards people who discover security flaws in Chrome, and it’s hardly the only tech giant to use this tactic.

Proprietary tech companies spend billions on making their software safe. They aren’t relying entirely on smoke and mirrors to keep bad guys away. Instead, they rely on obscurity as only the first layer of defense, slowing attackers down by making it harder for them to get information on the system they’re looking to infiltrate.

The thing is, sometimes the threat doesn’t come from outside the operating system. The release of Windows 10 showed many users that unwanted behavior can come from the software itself. Microsoft has ramped up its efforts to collect information on Windows users in order to further monetize its product. What it does with that data, we don’t know. We can’t take a look at the code to see. And even when Microsoft does open up, it remains purposefully vague.

Is Open Source Security Better?

When source code is public, more eyes are available to spot vulnerabilities. If there are bugs in the code, the thinking goes, then someone will spot them. And don’t think of sneaking a backdoor into your software. Someone will notice, and they will call you out.

Few people expect end users to view and make sense of source code. That’s for other developers and security experts to do. We can rest easy knowing that they’re doing this work on our behalf.

Or can we? We can draw an easy parallel with government. When new legislation or executive orders are passed, sometimes journalists and law professionals scrutinize the material. Sometimes it goes under the radar.

Bugs such as Heartbleed have shown us that security isn’t guaranteed. Sometimes bugs are so obscure that they go decades without detection, even though the software is in use by millions (not to say this doesn’t happen on Windows too). It can take a while to discover quirks such as hitting the Backspace key 28 times to bypass the lockscreen. And just because many people can look at code doesn’t mean that they do. Again, as we sometimes see in government, public material can go ignored simply because it’s boring.

So why is Linux widely regarded as being a secure operating system? While this is partly due to the advantages of Unix-style design, Linux also benefits from the sheer number of people invested in its ecosystem. With organizations as varied as Google, IBM, the U.S. Department of Defense, and the Chinese government, there are many parties invested in keeping the software secure. Since the code is open, people are free to make improvements and submit them back for other Linux users to benefit from. Or they can keep those improvements for themselves. By comparison, Windows and macOS are limited to the improvements that come directly from Microsoft and Apple.

Plus, while Windows may be dominant on desktops, Linux is widely used on servers and other pieces of mission-critical hardware. Many companies like having the option to make their own fixes when the stakes are this high. And if you’re truly paranoid or need to guarantee that no one is monitoring what’s happening on your PC, you can only do that if you can verify what the code on your machine is doing.

Which Security Model Do You Prefer?

There is a general consensus that encryption algorithms must be open, as long as keys are private. But there is no consensus that all software would be safer if the code were open. This may not even be the right question to ask. Other factors impact how vulnerable your system may be, such as how often exploits are discovered and how quickly they’re fixed.

Nonetheless, does the closed-source nature of Windows or macOS leave you feeling uncomfortable? Do you use them anyway? Do you consider that a perk, not a detriment? Chime in!

  1. Zhong
    April 21, 2017 at 3:16 am

    Which security measure is most prevalent? Are most infections or vulnerabilities caused by network attacks or modified application code?

  2. Bruce Epper
    April 19, 2017 at 2:49 pm

    The title doesn't make sense. Security through obscurity is what closed source software relies on, so how would one be safer than the other?

    • Gavin Phillips
      April 19, 2017 at 8:31 pm

      Hey Bruce,

      Glad to see you're still browsing and keeping an eye on things.

      Hope all is well with you,

      Gavin