G-Archiver stole my password! Why Open Source is more secure - Adventures in Switching to Linux

Tuesday, March 11, 2008

G-Archiver stole my password! Why Open Source is more secure

No, it didn't really steal my password. I've never used G-Archiver or even heard of it before. But it did expose the GMail login info of over 1,700 other users.

News hit today that G-Archiver, a GMail archiving application, steals user passwords by sending them to an email account belonging to one of the developers. Whoops! This was discovered by Dustin Brooks and posted on the Coding Horror blog. The publisher claims it was debug code inadvertently left in the final release. Possible but I doubt it.

This shows yet another reason to run Open Source software: security. I will not claim that malicious code has never made its way into an Open Source release, or that Open Source is immune and will never have something like this happen, but it is much less likely. With more independent users looking at the source, anything like this is more likely to be spotted and removed, assuming someone even succeeds in getting the code included in the first place.

Go read Is Open Source Good for Security? for a more in depth review. An excerpt:

It's sometimes argued that open source programs, because there's no enforced control by a single company, permit people to insert Trojan Horses and other malicious code. Trojan horses can be inserted into open source code, true, but they can also be inserted into proprietary code. A disgruntled or bribed employee can insert malicious code, and in many organizations it's much less likely to be found than in an open source program. After all, no one outside the organization can review the source code, and few companies review their code internally (or, even if they do, few can be assured that the reviewed code is actually what is used). And the notion that a closed-source company can be sued later has little evidence; nearly all licenses disclaim all warranties, and courts have generally not held software development companies liable.
