Author Topic: Microsoft open-sources Windows!  (Read 1742 times)


Offline Karel (Topic starter)

 

Offline AntiProtonBoy

Re: Microsoft open-sources Windows!
« Reply #1 on: September 30, 2020, 02:08:10 am »
Quote
If exploitable bugs are found in the Windows XP source code, and the code is still used in Windows 10, threat actors could exploit the bug in the modern version of the operating system.

Fundamental knowledge deficiency of the writer. By that theory Linux would be a total train wreck.

I don't think Linux and Windows are directly comparable in that respect. Linux has thousands of eyes on the source code, which is continually patched and maintained with a very quick turnaround. I don't see Windows getting the same level of attention internally, simply because the manpower is not there, or resource allocation priorities are different.
 

Offline Wuerstchenhund

Re: Microsoft open-sources Windows!
« Reply #2 on: September 30, 2020, 12:25:44 pm »
Quote
I don't think Linux and Windows are directly comparable in that respect. Linux has thousands of eyes on the source code, which is continually patched and maintained with a very quick turnaround. I don't see Windows getting the same level of attention internally, simply because the manpower is not there, or resource allocation priorities are different.

And still there have been a number of very embarrassing and serious bugs in the Linux kernel which all these "thousands of eyes" (of which in reality only a handful are even competent to assess code written by others!) didn't see. And some of these bugs evaded detection for many years (11 years in one example).

Something similar happened with other open source programs.

Besides, there isn't really much difference in how Windows XP was developed and how the Linux kernel is. There really are only a handful of main contributors to the kernel, all of which are large companies (Red Hat, Intel, Microsoft, SUSE, IBM), and all of which have seasoned professionals working on it.

The reality is that the "thousand eyes" principle is just that, it's not reality. Because aside from that it takes real skill and experience to read and find errors in someone else's code, even of those that have the ability not many feel inclined to actually search for bugs in the Linux kernel or any other FOSS project, unless they get paid for it.
« Last Edit: September 30, 2020, 12:27:30 pm by Wuerstchenhund »
 

Offline AntiProtonBoy

Re: Microsoft open-sources Windows!
« Reply #3 on: October 01, 2020, 01:38:38 am »
Quote
And still there have been a number of very embarrassing and serious bugs in the Linux kernel which all these "thousands of eyes" (of which in reality only a handful are even competent to assess code written by others!) didn't see. And some of these bugs evaded detection for many years (11 years in one example).

Sure, shit happens, that is the nature of software development.

At the end of the day, it's all about probabilities. Which gives you more confidence: project behind closed doors with limited staff allocation and different priorities with respect to security, or a project maintained and tested by thousands with security and open disclosure being the focus?
« Last Edit: October 01, 2020, 01:55:32 am by AntiProtonBoy »
 

Offline Wuerstchenhund

Re: Microsoft open-sources Windows!
« Reply #4 on: October 01, 2020, 07:16:57 am »
Quote
At the end of the day, it's all about probabilities.

Which may well be based on pure speculation and imagination.

Quote
Which gives you more confidence: project behind closed doors with limited staff allocation and different priorities with respect to security, or a project maintained and tested by thousands with security and open disclosure being the focus?

Microsoft deserves a lot of blame but they have been very open when it comes to security holes, and have been so for a long time.

Besides, Linux kernel devs are now seriously considering making at least some bugs confidential. Because the fact that all bugs are open has the side effect of spreading knowledge about possible exploits amongst bad actors long before fixes are available. There's a reason for "Responsible Disclosure" (RD), where a bug is only reported to the developer and otherwise kept confidential for a certain amount of time, which is that by the time the bug is publicly disclosed there's a fix available so bad actors can no longer use this information for nefarious purposes. The current handling of security problems in the Linux kernel (and many other FOSS projects) runs counter to RD and actually hampers the overall security of the Linux kernel.

But that's not even the point.

The point is that the overwhelming majority of security flaws are actually found by sources *outside* the OS manufacturer/kernel developers, and are not found by reading source code but by behavioural analysis. This is also the case for the various security flaws in the Linux kernel, which all have been missed by those "thousands of eyes".

I'm sorry but the idea that "thousands of eyes" are skimming Linux code for flaws is naive at best. There's a reason why almost all security flaws were found by some security researcher, usually a member of the larger security labs. Because these tasks require a certain skill set beyond that of an average developer (who is often oblivious to even the more basic security implications of his code). And the widely accepted procedure of RD makes sure that a bug, unless it's a zero-day, remains generally under wraps until patches are available - independent of the operating system or who makes it.

When it comes to Windows, I'd worry a lot more about the overall number of bugs and UX problems, the constant change towards SaaS and the siphoning of telemetry data than about security. Because security is the one thing Windows actually got pretty good at over the years.
« Last Edit: October 01, 2020, 07:36:17 am by Wuerstchenhund »
 
The following users thanked this post: Ed.Kloonk

Offline Ed.Kloonk

Re: Microsoft open-sources Windows!
« Reply #5 on: October 01, 2020, 07:34:27 am »
I'm waiting for the w98 source leak.

A true master class in how not to code.

iratus parum formica
 

Offline Wuerstchenhund

Re: Microsoft open-sources Windows!
« Reply #6 on: October 01, 2020, 07:35:46 am »
Quote
I'm waiting for the w98 source leak.

A true master class in how not to code.

I'd rather see Windows ME (Windows 98 + a ton more bugs)  :)
 

Offline Ed.Kloonk

Re: Microsoft open-sources Windows!
« Reply #7 on: October 01, 2020, 07:38:36 am »
Quote
I'm waiting for the w98 source leak.

A true master class in how not to code.

I'd rather see Windows ME (Windows 98 + a ton more bugs)  :)

I had dropped out well by that point. Didn't wanna play anymore.  >:(

 :)
iratus parum formica
 

Offline rsjsouza

Re: Microsoft open-sources Windows!
« Reply #8 on: October 01, 2020, 09:14:57 am »
Regarding Linux, I partially agree with the comments above regarding the true size of the "scrutinized by thousands of eyes" argument - I can imagine that parts of the code can be understood by just a single or a handful of people, but closed source does no favours to that either.

However, I know from experience that many fixes or discoveries are made by paid folks working on different platforms (e.g. embedded processors) altogether. Sure, the drivers are mostly tied to the platform, but the core OS, protocol stacks, etc. have a commonality that is reused, reviewed and put to use by a wide range of backgrounds.

Regarding Windows 98: in my recollection Windows 98 was the life saviour as it finally integrated the FAT32 natively, while before it was only available in the somewhat obscure OEM SR2 Windows 95. I did many reinstalls for baffled users that did HDD upgrades and couldn't use them on a single partition. Also, the USB subsystem was much more stable. Did it have issues? Of course, but it was a progressive development.
Vbe - vídeo blog eletrônico http://videos.vbeletronico.com

Oh, the "whys" of the datasheets... The information is there not to be an axiomatic truth, but instead each speck of data must be slowly inhaled while carefully performing a deep search inside oneself to find the true metaphysical sense...
 

