Do you think he'll be able to understand the concept of [link|http://www.ddj.com/articles/1999/9912/|Attack Trees]?

His point is that....

On identically insecure machines.....

That being, the machines have no physical security or scheduled remote security checks....

An individual with enough time to completely reload and reconfigure your machine....

Will have a SLIGHTLY (my word) easier time if said person has the source code to your OS and apps.

Now, in MY experience, simply swapping the keyboard on your machine (you have physical access, remember) with one that will record keystrokes and then complaining that it doesn't work will accomplish the same goal. The admin will attempt to login using his/her username/password and you have their info.

Now, this requires less time, less expertise, less everything and there is no chance you will be caught because you failed to copy someone's configuration file correctly.

So, is Open Source MORE insecure that closed source IF you have to IGNORE the EASIER attacks on BOTH?

Suppose you have a choice of two banks. Both banks leave their money in handy bags on the front porch at night so the customers can withdraw whatever they want and leave a signed note saying what they took.

But bank #2 doesn't check the signatures on the notes.

Which bank is more insecure?

Duh! Bank #2 is more insecure because you can sign someone else's name!

In other words, a "security" evaluation that requires a stated level of INSECURITY is not a security evaluation.

There is no security without physical security.