Recently, several outlets picked up the story that the Android Linux kernel had hundreds of security flaws, with 88 of them classified as “severe” – but it was no surprise to me. All code has bugs and errors. What surprised me were the responses I read in the forums.
Of course, Apple and Windows users were all over the fact that Android has 88 serious security flaws that have recently been publicly disclosed and remain unfixed. But the Linux faithful, as they frequently do, left me shaking my head and wondering how people can become so disconnected from logic and reality in their blind devotion to their favorite operating system or kernel.
In this case, the arguments were about the “many eyes” versus “security by obscurity” security models. The Linux defenders noted that the problems were revealed at all, illustrating the superiority of the “many eyes” model for patching the kernel. They further argued that while iOS, OS X, and Windows 7 / Windows Phone 7 undoubtedly have countless security flaws – many of them serious – we cannot compare them to Linux, because these platforms are closed source and nobody knows the total number.
This is where my mind starts throwing endless-loop errors and smoke starts coming out of my ears. Maybe my mind is simply not evolved enough to understand logic subtler than that of the sacred order of the Linux community – but there is something in that logic that simply isn’t there.
In bullet points, the argument seems to be:
Linux is open. Many eyes watch the code.
Because many eyes look at the code, problems come to light quickly and are dealt with immediately.
Other platforms are closed. Only privileged eyes see the code.
Since only privileged eyes observe the code, problems can be buried and are less likely to be addressed.
Now, I do not disagree with these basic ideas. In fact, they make sense. But I think a couple of points need making.
Whom do we fear? Not the privileged eyes that might bury and hide security defects in the code. We fear the outsiders. But by the argument above, outsiders are at the same disadvantage as the “many eyes” that protect Linux: neither can see into closed-source platforms.
The reason the “many eyes” model cannot protect closed source is that the code is closed. By the same token, those who would exploit security flaws in closed-source platforms face the same basic obstacle. They do not have access to the raw source code to scan for security flaws.
On the other hand, the very reason the “many eyes” open source model works also makes it inherently more vulnerable to the outsiders we are afraid will try to exploit its security flaws. There is an inescapable logic here – the model’s selling point and its weak point go hand in hand.
But there is still more below the surface, and that is where it looks more like metaphysical blind faith and less like the dry, analytical, rational logic one would expect of the Linux community. There seems to be an implied argument here that goes something like this:
“Linux can be self-policed by the community of developers who use, enjoy, and support Linux. The source is open for them to review and correct, and this makes Linux a stronger, safer, more secure platform. Other platforms, on the other hand, cannot be reviewed by the end-user and developer community.”
So far, so good … but:
“Closed-source platforms, however, can hide their serious security flaws, and the bad guys (who apparently have an unlimited ability to find and exploit flaws in closed-architecture platforms) will take advantage of this, exploiting their knowledge of the security defects for who knows how long, while the guardians of the faulty code hide the flaws and the risks.”
That is where things go wrong. If open source is more secure because it enjoys the benefits of the “many eyes” security model, it is also more at risk, because evil eyes can more easily discover and exploit the security flaws that exist.
The whole fatal loop lives in this logic. In short, if closed source is less secure because it cannot be reviewed for security weaknesses, then it is also safer because it cannot easily be reviewed for security weaknesses. If open source is more secure because it can be checked for security weaknesses, then it is also less secure because it can be checked for security weaknesses.
Obviously, the conclusion that “Linux is more secure because it is subject to the ‘many eyes’ security model” is, by itself, a valid inductive argument (though not necessarily a true one). It is only when it is expanded to include the (implicit) assumption that the closed-platform security model is therefore less secure that the argument becomes an invalid deductive argument (and therefore false).
The Linux community approaches this as a zero-sum “Linux gains / other platforms lose” debate, but the mere fact that the “many eyes” security model is a valid inductive argument (not a proven one) does not mean that the “security through obscurity” security model is invalid and disproven. In fact, by itself, the “security by obscurity” security model is also a valid inductive argument – although it is ironic that this is only the case until it is set against the “many eyes” security model to disprove it.
Therefore, we cannot hold the Linux community solely responsible for paying insufficient attention in their Logic and Reason 101 classes while earning their degrees. There are plenty of people in each camp guilty of committing the same errors in logic to defend their own pet operating system. For some reason, however, I think the Linux community should be held to a higher level of expectation – certainly higher than the uneducated masses of Windows users.
I suppose there is an argument here that a lot of Mac users have higher education and graduate degrees, and perhaps should know better, too – but I think Linux attracts the class of devotees who take pride in their razor-sharp, superior intellect, logic and reasoning. Or is that just the Ubuntu risk to Linux’s gene pool?
In fact, when you get down to it, there are only a few areas where people are willing to suspend logic and reason in favor of blind faith. Many people in the Linux community are the first and most vocal to attack others who behave superstitiously or are hopelessly biased along party lines. Yet they quickly fall into the same behavior when defending their own platform.
The other thing that logic and reason teach, of course, is that it is impossible to sustain a conclusion drawn from metaphysical belief. In the case of platform superiority, it seems clear that the conclusions are drawn from the same pool that people draw on to determine their spiritual beliefs or (often) their vote.
Ultimately, I am not expressing an opinion about which is superior – the “many eyes” or the “security by obscurity” security model. Instead, I am proposing that either one is a mystical, spiritual belief, something an end user comes to believe not through logic or reason, but by blind faith.
Once you realize that, it becomes quite clear that it is futile to try to argue or reason with someone who has drawn his line in the sand on either side of the argument. How do you know? “Because I’ve seen it myself” is probably the best answer you are going to get, which is effectively the same as “because you can only feel it inside.” Personal feelings drawn from personal experience do not establish truths.
I have not seen a compelling argument to convince me one way or the other. I have read and heard many opinions and a lot of unverified “evidence” offered as fact, but in the final analysis, the superiority of one security model over another is largely a matter of personal opinion and conclusions arrived at through faith – and that reduces the platform/kernel flame wars to little binary holy wars.