By now, you've probably seen the news coverage about the French Ministry of Defense and their analysis of OpenOffice. You may have even seen the OO.org rebuttal where they claim that it's "all good" over there and that anything to the contrary is bull. All in all, it's an interesting debate.
What's interesting to me is not whether or not OpenOffice is more secure - after all, I'm sure it has its security advantages (like the fact that researchers/haxors are targeting it less) and its security disadvantages (like leaving out anti-macro-virus countermeasures). However, what I find fascinating is the general unwillingness on the part of individuals to accept that Microsoft Office might have a lesser attack surface than OpenOffice. Maybe it does and maybe it doesn't, but why is the discussion so loaded?
Look, the word on the street is that OpenOffice is clearly more secure - that it's 100 times more secure in fact. But where is the evidence? Why are we so unwilling to accept that MSFT might have made some advances, and why are we so willing to accept that OpenOffice is superior just because it's an open-source project? Shouldn't we be objective?
Posted by Ed at August 15, 2006 04:17 PM
OO could very well be less secure than MSO, but I will continue to use OO all the time it is the minority player in the Office Marketplace.
MSO and OO are only as dangerous as the people using and abusing them.
I have both MSO and OO, but prefer OO for reasons such as stability and cost, not for security.
Any lack of faith in the security of OO is nothing to do with the fact it is OpenSource. Far from it.
Mine is from a pure security aspect. If you swapped all users with MSO over to OO, and all the OO users to MSO, OO would become the target of the hackers. OO would suddenly have a user base more capable of finding the issues that usually remain hidden, (no matter how good you think the test coverage is, give a million monkeys a Moveable Type installation and you'll have the complete works of Shakespeare in a week or so).
I'd prefer to remain security conscious no matter what I am using...
There are security projects and then there are projects that talk about security. In the former group are projects like BSDs/SSH. In the latter camp are things like general user tools. In this case OO, MO, and also e.g., browsers.
The projects that aren't security are often seduced into talking about security, and soon get themselves in a mess. It's important to understand that these projects do not have security as a goal; and unless and until they decide and positively elect to take on security as a goal, they are doing what we might characterise as a middle-order, reactive form of security. That is, fixing bugs and trying not to slow down the good work in other areas too much.
We are talking about ... the office and what users do there. In this sense, the reports just indicate furious agreement that these projects are not security projects, and won't pass muster if treated as security projects.
Posted by: Iang at August 18, 2006 04:05 AM