On Thu, 1 Jun 2000, Jesse Noller wrote:

> Number 2: I do not install anything on a mission critical system I
> have not personally reviewed, and checked the track record on. There are
> many sites which archive every vulnerability for just about any piece of
> software out there. It is the designer's/admin's responsibility to check
> these sites for possible vulnerabilities of the software he/she is
> installing. To make the excuse "I don't have the time" or "the vendor should
> have given me the patch" is, in and of itself, a denial of responsibility
> (what I call the DoR attack, commonly found in extremely large
> corporations).
>
> Just my .0002 cents.

I agree with the original article that Open Source doesn't guarantee security
(look at the holes found in various packages), but it at least ENABLES the
review. Basically, there are two options:

1. Open Source - where many eyes CAN look for holes, including the original
   author and me. No guarantee, but the possibility.

2. Proprietary - where only the author (& bad guys, 'cause they'll reverse
   engineer, decompile, etc. to find them) can look for holes. Even worse, you
   can't tell if he looked for holes. For those who say that the act of finding
   holes for breaking is illegal, my response has been: yea, and if you're
   going to break the law anyway, are you really concerned that planning the
   crime is illegal?

Given those two choices, I think I prefer the former.

jeff

> > -----Original Message-----
> >
> > For the sake of discussion, here is an interesting article
> > on Open source security.
> >
> > http://developer.earthweb.com/journal/techfocus/052600_security.html
> >
> > While I think the article covers a lot of valid points, the open source
> > model gives anyone that wants to a chance to look for security holes.
> > Even if no one looks at it and something slips through, in this
> > case, it still is a better model than not being able to see the code at
> > all and rely on shady developers to fix it for you. Sure there will be
> > bugs, but at least open source allows for a mechanism of finding them and
> > fixing them quickly. I'm still wondering why the author of the software
> > is so concerned with touting all the holes in his program and the flaws in
> > the open source model than fixing them himself. It would seem rather
> > counter-productive.
> >
> > Brian Conway
> > dogbert at clue4all.net

------------------------------------------------------------------------
Jeffry Smith       Technical Sales Consultant       Mission Critical Linux
smith at missioncriticallinux.com   phone: 603.930.9379   fax: 978.446.9470
------------------------------------------------------------------------
Thought for today: Reality must take precedence over public relations,
for Mother Nature cannot be fooled. -- R.P. Feynman