Security through ignorance. Security through Obscurity. Why is open software more secure than closed?

To begin with – yes, open is more secure than closed, and there is no doubt about that, because the most secure system in the world, OpenBSD, is open software in which not a single line of closed code is allowed. And now to the question of why.

For people outside the industry, and often even for IT people, it is better to speak in comparisons, because IT is a very abstract field.

Therefore, let us take a very simple example from the real world that everyone will understand: the building of a prison, which in principle must be very well secured. We don’t want prisoners escaping like rats from a sinking ship. Logic dictates that everything be hidden, concealed, covered up, including the prison plans, so that nobody knows them and nobody can use that knowledge to escape. But prisoners have a very long time. Just like the so-called Black Hat Hackers, crackers in real life, people who break into systems and do harm. Their main advantage is invisibility and heaps of time, which they usually spend on intrusions into the company.

Back to the prison plans. As the architects and future builders of the prison, we will certainly bring in security advisers. But we will take only a handful of them, show them the plans, and, depending on their time and experience, they will help us identify shortcomings. Then we black out all the plans. In software, this is the equivalent of compiling the code and withholding access to the source code. However, we have not got rid of the errors and security shortcomings. They are still there. And the prisoners, who have heaps of time, discover them and share them, for fun and for the escape plan. We have by no means made our prison safer by denying them its plans.

And now the other way around. We put our prison plans publicly on the Internet. There, a wide professional community of prison architects has the opportunity to comment on the potential dangers that arise from the plans. And they constantly comment on the modifications and alterations to our prison, because we often carry out alterations, precisely for increased security and thanks to the community’s advice. Surprisingly, this community may include former convicts from other prisons, and they too can advise us on what to change, how they would attack the system, and where they see the weakest point. None of this happens if we keep the plans secret.

Well – a prison is not an ideal case, but it shows that painting a leaky box black does not mean that I have painted over the holes. The human brain says that closing a system means securing it. In fact, it is just the opposite. There are dozens of articles on the Internet that explain this issue in more depth, but in principle one can see that with open source, potential security holes are searched for and detected much faster than with closed code.

There is probably no better example than the aforementioned OpenBSD, which has had only two remote holes in the entire existence of the system, compared to Windows and other systems. Theo de Raadt’s philosophy is that absolutely everything must be open so that the code can be audited. That’s why OpenBSD is the most secure system in the world, and that’s an irrefutable fact. On this basis, open systems can be classified as much more secure than closed systems, which rely on security through ignorance: the more I cover up a security flaw in my system, the less likely an attacker is to find it. This is not true, because the bug still exists, and unlike in an open system, where it can even be reported by an audit tool run over the code by a security expert on the other side of the planet, such a bug is not fixed.

For software, open is safer than closed, even though the human brain claims otherwise.
