Elias Levy, SecurityFocus 2000-04-17
Is Open Source really more secure than closed? Elias Levy says there's a little security in obscurity.
Netscape developers are weenies!
2000-04-17
Anonymous (2 replies)
Netscape developers are weenies!
2000-04-17
Anonymous (1 replies)
As a matter of fact, there is no backdoor associated with the DVWSSR.dll that allows the reading of files on a web server. The problem was with incorrect directory permissions. The file did exactly what it was supposed to, and weenies had nothing to do with it.
There is a buffer overrun in the ...
[ more ] [ reply ]
Ever hear of SourceSafe?
2000-04-17
Anonymous (3 replies)
Sheesh... CVS. Microsoft has their own source configuration management product called SourceSafe.
I grow tired of people commenting on issues they know nothing about. It's like every high school kid with $20 is buying Linux and proclaiming to the world that MS knows not what they are doing, and...
[ more ] [ reply ]
MS vs. Linux
2000-04-17
Anonymous (1 replies)
That's because Microsoft doesn't know what they're doing and Linux is the answer. :)
And I've used SourceSafe. Yes, it works fine. Like most Microsoft products.
...
[ more ] [ reply ]
Like most MS products
2000-04-17
Anonymous
Windows 98 is not a good product, IE is not a good product, NT4.0 is not a good product; in fact, name me an MS product where point and click is not considered more important than security and reliability. Even W2K has a long way to go before it reaches the sort of reliability and security that big ir...
[ more ] [ reply ]
Re: Is Open Source really more secure than closed?
2000-04-17
Anonymous
Interesting assertions. Do you have any examples of OSS
security breaches _where the source code helped_ more
recent than the Morris Worm and the login/pcc hack? Say,
within the last 5 years?
More to the point, do you have as many such examples as
we have seen security breaches from MSFT in ...
[ more ] [ reply ]
Please emphasize your conclusion
2000-04-17
Anonymous
>So does all this mean Open Source Software is no better
>than closed source software when it comes to security
>vulnerabilities? No. Open Source Software certainly does
>have the potential to be more secure than its closed
>source counterpart.
>But make no mistake, simply being open source i...
[ more ] [ reply ]
Bug *fixes*...?
2000-04-17
Anonymous (2 replies)
Are we going to totally ignore the speed with which bugs are fixed, given the different models of software development? With Open Source, once they *are* found, they are usually fixed very quickly indeed, whereas many Closed source companies have no incentive whatsoever to quickly close holes - in fa...
[ more ] [ reply ]
Re: bug fixes
2000-04-17
David Terrell <dbt (at) meat (dot) net [email concealed]> (2 replies)
This is silly.
Do you expect users to troll for bug fixes daily? Do you think RedHat
releases security advisories as fast as patches are posted to bugtraq?
And this ignores the number of people who don't even know that
security problems with Linux exist, because they've been brainwashed
b...
[ more ] [ reply ]
What?
2000-04-17
Anonymous
Linux bigots are far more willing to admit to problems in their code than MS market droids, who will first spend a long time denying any problem exists and then after several months will finally get round to releasing a service pack which breaks something else. Look at the 50 IP address limit on W2K...
[ more ] [ reply ]
a bit reactionary, eh?
2000-04-18
Anonymous (1 replies)
"Do you expect users to troll for bug fixes daily?"
No, but using the update utilities will help...and people who require security quickly *CAN* get the fixes...
"Do you think RedHat releases security advisories as fast as patches are posted to bugtraq?"
Of course not...that would be like d...
[ more ] [ reply ]
potentialities and realities
2000-04-18
David Terrell <dbt (at) meat (dot) net [email concealed]>
"The fact is that closed source inhibits strong proactive security auditing and Open Source enables it..."
Yes and no. Open Source enables public scrutiny. But it doesn't demand or imply it. There's plenty of Linux software out there that could use a good security audit, but it's not being don...
[ more ] [ reply ]
Latest MS bug fixed same day
2000-04-18
Anonymous (1 replies)
MS released a fix for the latest DLL buffer overrun the same day it was introduced. Slow? No....
[ more ] [ reply ]
Wide Open Source
2000-04-17
Anonymous
You wrote:
When the security company Trusted Information Systems (TIS) began making the source code of their Gauntlet firewall available to their customers many years ago, they believed that their clients would check for themselves how secure the product was. What they found instead was that very f...
[ more ] [ reply ]
Open Source Security
2000-04-17
Anonymous
While you are technically correct, that Open Source code
is only as secure as the people who review it, how often
do people find bugs BEFORE they compile their program? Most
bugs that are found in any program are AFTER they have
compiled the program and tested it out, not because someone
has s...
[ more ] [ reply ]
But you ignore the obvious
2000-04-17
Anonymous
You are simply ignoring the fact that whether a software is open source or closed source, there can still be security holes. That isn't the ultimate panacea of security (providing the source). But the solutions of open source come in that these holes can be closed more quickly (and frequently are) i...
[ more ] [ reply ]
Auditing of compiled code not much harder ...
2000-04-17
Anonymous (1 replies)
I have to strongly disagree with a couple of statements
made in your article. Your estimation that in the time
someone audits one closed-source product he can audit
10 open-source programs is just a huge exaggeration.
Looking for strcpy() or sprintf() or other 'notorious'
library calls is no...
[ more ] [ reply ]
Forget about strcpy()
2000-04-17
Anonymous
Looking for strcpy() and sprintf() is near to worthless for security auditing of software other than simple programs, written by beginners -- I have a lot of strcpy() in my programs, and there were only two cases of buffer overflows, both didn't involve either, and were caused by sloppy manipulation...
[ more ] [ reply ]
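The "Auditing of compiled code" and "Forget about strcpy()" comments above turn on the same point: grepping a tree for notorious library calls is not an audit, because an overflow can come from a hand-written loop that never calls any of them. The C below is an added example, not code from the thread or from any poster; it pairs a grep-style check over a constructed source snippet with an instrumented copy loop that overflows without strcpy() or sprintf(), and the bounded version of the same loop. All function and constant names are the example's own.

```c
#include <stddef.h>
#include <string.h>

/* Calls a grep-style audit would flag. Hypothetical list for this example. */
static const char *const NOTORIOUS[] = {"strcpy(", "strcat(", "sprintf(", "gets(", NULL};

/* Returns 1 if the source text mentions any notorious call, 0 otherwise.
 * This is the whole "audit" the comments criticise: a substring search. */
int grep_audit_flags(const char *source_text) {
    for (size_t i = 0; NOTORIOUS[i] != NULL; i++) {
        if (strstr(source_text, NOTORIOUS[i]) != NULL) {
            return 1;
        }
    }
    return 0;
}

/* Constructed source text of a sloppy copy loop, as the grep audit sees it.
 * It terminates on the source string and never looks at the destination size. */
static const char SLOPPY_COPY_SOURCE[] =
    "size_t i;\n"
    "for (i = 0; src[i] != '\\0'; i++) dst[i] = src[i];\n"
    "dst[i] = '\\0';\n";

/* The same loop, instrumented: it keeps the loop's logic but refuses to write
 * past cap, and instead counts how many bytes (terminating NUL included) the
 * unbounded original would have written outside dst. 0 means no overflow. */
size_t sloppy_copy_overflow(char *dst, size_t cap, const char *src) {
    size_t i;
    size_t out_of_bounds = 0;
    for (i = 0; src[i] != '\0'; i++) {      /* loop bound comes from src, not cap */
        if (i < cap) {
            dst[i] = src[i];
        } else {
            out_of_bounds++;                 /* original would have written here */
        }
    }
    if (i < cap) {
        dst[i] = '\0';
    } else {
        out_of_bounds++;                     /* even a cap-length input overflows by the NUL */
    }
    return out_of_bounds;
}

/* Bounded version: copies at most cap-1 bytes and always NUL-terminates.
 * Returns how many source bytes had to be dropped, so callers can detect
 * truncation instead of silently losing data. */
size_t bounded_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0) {
        return n;                            /* nothing can be written */
    }
    size_t keep = (n < cap) ? n : cap - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return n - keep;
}
```

Run the grep audit over SLOPPY_COPY_SOURCE and it reports nothing, while the loop it describes overflows an 8-byte buffer on any input of 8 or more characters.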
good analysis...
2000-04-17
Anonymous
but the strengths in having source code are:
1 - problem can be solved (nearly) immediately
2 - more likely to notice other holes while fixing
existing hole.
it is true that most don't (moreover, can't) audit every
line of code running on their system, however, it only
takes...
[ more ] [ reply ]
Examine the record...
2000-04-17
Anonymous (1 replies)
Let's look at a couple of apps with roughly the same functionality and see whether this theory holds.
Apache, the open-source web server which has over 60% of the website market according to Netcraft (http://www.netcraft.com/survey) has its last security advisory with a critical upgrade in August...
[ more ] [ reply ]
Comparing Apache and IIS is wrong
2000-04-17
Anonymous (2 replies)
You can not compare them. Apache is a webserver. IIS is a webserver with a whole crapload of other junk around.
Apache is minimal on purpose. If you want something to do foo on top of what Apache does, then get something to do foo that you can add on. In the meantime, all the users that don...
[ more ] [ reply ]
crap load along with Apache.
2000-04-17
Anonymous
Take a look at the same exploits found in packages such as PHP, MySQL, and Perl. With this "crapload" of packages you now have a comparable suite to IIS. IIS still falls short.
May as well be using SSL Apache too...
In either case I think the whole point is "Who are you going to trust?". Th...
[ more ] [ reply ]
Comparison of Apache and IIS is Dead On
2000-04-17
Anonymous (1 replies)
>You can not compare them. Apache is a webserver. IIS is a
>webserver with a whole crapload of other junk around.
Actually, I think that this observation merely reinforces the validity of the contention that open source software is generally inherently more secure. Why is there a whole bunch o...
[ more ] [ reply ]
Right, no one really wants all those features...
2000-04-21
Anonymous
Bill has been stuffing those features down the throats of the poor computing masses so they'll give him a few billion dollars a year in a vain hope that he'll stop.
In reality comparing Apache and IIS is fairly lame. First Apache has been around basically forever and is a much more mature applic...
[ more ] [ reply ]
Path of the weak
2000-04-17
Anonymous
Say... if we can just obscure our code instead of "doing it the right way" (TM)(C), we can probably also charge for bug fixes to. And why bother optimizing our code when memory is so cheap. Security through obscurity is the calling card of the lazy and weak!
Maybe you don't read the code, but ...
[ more ] [ reply ]
You've made several critical mistakes in your comment.
2000-04-17
Bruce Perens <bruce (at) perens (dot) com [email concealed]> (3 replies)
Hi Elias,
I'd like to point out a few problems with your comment.
The Gauntlet firewall published by Trusted Information Systems was not an
Open Source program. It's what we call "disclosed source-code", and that's
very important because that difference means that nobody had much reaso...
[ more ] [ reply ]
Sorry about the bad formatting.
2000-04-17
Bruce Perens <bruce (at) perens (dot) com [email concealed]>
Re: Bruce Perens' Defense of Open Source
2000-04-17
David Terrell <dbt (at) meat (dot) net [email concealed]> (2 replies)
Bruce:
How would you respond to the issues like: multiple wu-ftpd vulnerabilities,
userland-nfs mountd vulnerabilities, multiple remote root WU-imapd
vulnerabilities, and other security issues that have plagued linux
distributions for years?
You can pick on his specific examples, but I th...
[ more ] [ reply ]
How to respond to past reports of vulnerability
2000-04-17
Bruce Perens <bruce (at) perens (dot) com [email concealed]> (1 replies)
The bottom line is, are there more such vulnerabilities in current Open Source software, or in the current Microsoft product? Sure, there have been multiple vulnerabilities with wu-ftpd. We've learned a lot about security during that time, and we even have a "stackguard" compiler now. We still don't...
[ more ] [ reply ]
Re: How to respond to past reports of vulnerability
2000-04-18
David Terrell <dbt (at) meat (dot) net [email concealed]> (1 replies)
"The bottom line is, are there more such vulnerabilities in current Open Source software, or in the current Microsoft product?"
I'm sorry that you feel this way. I think the only bottom line is "Are customers at risk". If you're going to consider Security as a marketing tool
in some sort of c...
[ more ] [ reply ]
I don't think you get what he's talking about, Dave...
2000-04-19
Barry Fitzgerald <reaperx1 (at) netscape (dot) net [email concealed]> (1 replies)
No offense, you have your points but I don't think you get what he's saying...
The statements concerning Microsoft were made to put things in perspective...there is NO system where security is absolute, so in order to determine which ideology is more effective - we MUST compare systems for relati...
[ more ] [ reply ]
Indeed there are a lot of bugs
2000-04-18
Anonymous
But if you think Microsoft's Closed Source "Windows" operating system to be bug free, then I have but only to laugh at you in the face. Windows 98 may well contain millions of bugs (for its stability), and perhaps thousands of security exploits. In all probability, that's TRUE. After all, Microso...
[ more ] [ reply ]
Thanks for the additional info but...
2000-04-17
Anonymous (1 replies)
Bruce,
Thanks for the additional information. While it does help put the arguments into a better context I think the points made are still valid.
1) Most people trust the person (or company) who packaged the binary and never look at the source. Is that person more inherently trustworthy than M...
[ more ] [ reply ]
Trustworthiness and ability to spot bugs
2000-04-17
Bruce Perens <bruce (at) perens (dot) com [email concealed]>
Go to the Linux area of Security Focus and read the welcome message that I wrote there. It will tell you about the trust measures placed on Debian volunteers. The idea is that we are able to trace work back to them, and if they do something nasty, we can bring charges.
Not everybody will spot a b...
[ more ] [ reply ]
Open source is not written by 1 person.
2000-04-17
Anonymous
Any OSS project will have more than one author. Simply because I find a bug, a missing feature or something, I want to look at that source code.
Therefore any big enough OSS project will have 1000's of authors, each will understand what he is working on, each will understand the underlying prin...
[ more ] [ reply ]
Skill is always at a premium
2000-04-17
Christopher Petrilli <petrilli (at) amber (dot) org [email concealed]> (1 replies)
The thing that everyone seems to miss is that it is not easy to understand security. Lots of people "talk" about it (mostly they talk AT it), but few people actually take the time to understand attack vectors and how you might want to mitigate them. The reason that some organizations have never had ...
[ more ] [ reply ]
Rigorous methodology
2000-04-17
Anonymous
...is called "being obscure, irrelevant and extremely lucky". Everyone who is not obscure and irrelevant, and used a large amount of poorly-audited software, had a breach of security, and a lot of obscure and irrelevant ones had it, too. The consequences of a break-in, of course, are different and actua...
[ more ] [ reply ]
Blackhat?
2000-04-17
batz <batsy (at) vapour (dot) net [email concealed]> (1 replies)
Though Elias is correct when he says that people aren't
reading open sources, I think it's the tone of the article
I disagree with.
At what point does it become a blackhat endeavour to find
vulnerabilities? It seems there is a pervasive attitude
from many in the security community that re...
[ more ] [ reply ]
semantics
2000-04-17
Ryan Russell <ryan (at) securityfocus (dot) com [email concealed]>
If you assume that "Blackhat" means that the person finds the vulnerabilities, and then uses them against others, then the tone is reasonable. I don't think Elias means to imply that the act of looking for vulnerabilities itself is wrong. Saving them for one's self, and/or putting them to use against...
[ more ] [ reply ]
Some good points...
2000-04-17
Anonymous
but the topic of the Sendmail debug hole is a bit of a strawman.
Face it: a large part of the reason that hole remained dangerous for so long is that the sendmails in question were vendor supplied code on binary-only machines, and the vendors simply never saw fit to fix the problem. I'd venture ...
[ more ] [ reply ]
Open source as a democracy
2000-04-17
Anonymous (1 replies)
The same principles that make open source strong also make the US democracy strong, yet flexible.
Sure, there are loopholes within US laws. When such a loophole is exploited, the laws are changed (eventually) to close the loophole. Yet, almost no one actually reads the US law code. We do not n...
[ more ] [ reply ]
Politics are irrelevant
2000-04-17
Anonymous
Please don't compare software development with political systems. While there are similarities between a country and a software project, they are too different. The idea of "meritocracy" that in some form exists in all open source projects regardless of their "political" structure (sendmail, perl, Moz...
[ more ] [ reply ]
This isn't OSS vs. CSS
2000-04-17
Anonymous
The disagreements from the OSS community on this page seem to be missing the mark. To me, the article is not saying that OSS is better/worse than CSS but rather it is saying that blind devotion to OSS is dangerous. There are still weaknesses in the OSS security model (as in ANY security model) tha...
[ more ] [ reply ]
Finding holes in closed source isn't hard...
2000-04-17
Anonymous
I used to read the source code before deploying applications on servers that might be accessible to "other people". I'd download maybe a half dozen programs before I found one that did what I wanted and didn't have a security hole that I could find in the first ten minutes of searching the source c...
[ more ] [ reply ]
bugs? yeah. fixes? right away
2000-04-17
Anonymous
While there are, and always will be, bugs in software, the FIXES for those bugs appear much more quickly in Open Source projects than in proprietary systems. How long has the Weenies backdoor been in place? How long has Microsoft known about it? How long did they drag their feet making a fix availab...
[ more ] [ reply ]
Apples and Oranges
2000-04-17
Anonymous (2 replies)
An excellent article in my opinion.
When you get down to it, though, I think the break-down of Open Source - Closed Source/Secure - Insecure is inaccurate.
None of the current Closed Source OS' that the OSS movement likes to attack are focused primarily on security. Those companies, such as S...
[ more ] [ reply ]
re: Apples and Oranges
2000-04-17
Anonymous
Regardless of whether open source software is more/less secure than closed source, it does give the user the opportunity to change it. If you wished to build a "secure" linux kernel, you could. Would MS let you build your own kernel if you found theirs deficient? There are already several secure-lin...
[ more ] [ reply ]
NSA/Linux
2000-04-20
Anonymous
Actually it is funny that you make a reference to the NSA because they have contracted with Secure Computing to make a more secure version of Linux, for internal use (only?). Of course the NSA probably could have gotten a source license for any number of Operating Systems, they have the money, but ...
[ more ] [ reply ]
Blackhat, whitehat, whatever.
2000-04-17
Anonymous
Actually, the fact that black hats can find bugs in open source more quickly is a good thing in the long run.
First, this should make authors more aware of the need for good security design -- if the source is hidden, they may be tempted to rely on the perceived comforts of obscurity.
Second, ...
[ more ] [ reply ]
Who found the sendmail bug?
2000-04-17
Brett <disfunct (at) radiusnet (dot) net [email concealed]> (1 replies)
Let me remind you that the person who found the sendmail bug that was exploited in the Morris worm was not Morris Jr., but his father, who worked at Bell Labs....
[ more ] [ reply ]
Morris didn't find the Sendmail bug
2000-04-20
Rick Smith <rick_smith (at) securecomputing (dot) com [email concealed]>
If you read any of the detailed reviews of the Internet Worm (the cream have been reprinted in Peter Denning's books "Computers Under Attack" and "Internet Besieged") you'll find that Sendmail's Debug mechanism was familiar to many in the Unix community. Some sites disabled it, but a lot of sites di...
[ more ] [ reply ]
to expand on what i said earlier.
2000-04-17
Brett <disfunct (at) radiusnet (dot) net [email concealed]>
Attitudes
2000-04-17
Anonymous
Elias brings good points to mention, but I think the problem, and the reason why the Open Source Nuts are so against the article (I happen to be an Open Source nut), is because it portrays Open Source in a bad light.
The truth is, Nothing is perfect, and as Elias says, Open Source CAN be more secu...
[ more ] [ reply ]
Rates of evolution
2000-04-17
Anonymous
Some facts about open source. The internet worm which created havoc exploited a vulnerability that was documented at the time, but no-one took the problem seriously enough to document the problem. You deny that users have the experience to search for bugs and then give scenarios where open source is e...
[ more ] [ reply ]
just a few little things...
2000-04-17
Anonymous
First of all: yes, open source does allow bad guys, as you say it, to find holes a lot easier. But in doing so, a lot of these bad guys do post the holes they found to newsgroups to claim some glory in finding them, and these people make finding holes in software easier for the programmers, and hence they end u...
[ more ] [ reply ]
a quick Summary and rant
2000-04-17
Anonymous
It would seem this thread gathered quite a bit of attention
I will try to be brief, yet show that both sides are right :o)
On one side you have the open source, that says, come see for yourself how secure we are.
On the other side, you have the closed source that mostly says, trust us, we asked t...
[ more ] [ reply ]
OSS vs closed
2000-04-17
Anonymous
Open sourced software at least gives the potential and allows someone to attempt to fix holes and back doors. Closed source denies all attempts except reverse engineering (which I have done to prove bugs in a certain big software company's compiler). In any case, when the software's complexi...
[ more ] [ reply ]
Banks, The NSA, and US companies.
2000-04-18
Anonymous
No one's reading the source eh?
Just ask corporations like UBS (the biggest bank in Switzerland), who will ONLY use software that they have reviewed the source for in many applications. Companies like these spend large amounts of money on software, and they don't trust US companies (or even Swiss c...
[ more ] [ reply ]
Open source is not secure ONLY because it's open
2000-04-18
Anonymous (1 replies)
Um, the author correctly concludes that source-openness is not a self-redeeming feature. The code is not safe just because it's open.
The author falls sadly short of realizing that he generalizes way too much.
He misses the most important rule: "Don't believe something is secure. Check it your...
[ more ] [ reply ]
So what you're saying is that open source software is often as insecure as closed-source software is most of the time.
2000-04-18
Anonymous
Let's see. Gauntlet is given as an example of open source software that didn't get security bugs fixed. I'm sorry, but Gauntlet was never open-source, not really. It was "open source" in the same sense that VMS was... customers could read the source code and send bug reports back to the vendor, but ...
[ more ] [ reply ]
Open source? Use real examples!
2000-04-18
Anonymous
You are criticizing open source, but none of your examples are open source
projects: Gauntlet is proprietary, disclosed source, sendmail at the time of
the Morris worm was ATT licensed, etc.
Why is it that the majority of exploits are against the products of that open source
pinnacle, Microsoft?...
[ more ] [ reply ]
Come on
2000-04-18
Anonymous
I'm sorry, but even as a novice coder, I am insulted by the stupidity of some of these articles. I don't claim to be an 'opensource guru' either. And knowing people who write articles for a living, are there not ethics that you're supposed to follow, such as researching what you are writing about? ...
[ more ] [ reply ]
Correct the facts and the conclusions stand strong
2000-04-21
Rick Smith <rick_smith (at) securecomputing (dot) com [email concealed]>
by Richard E. Smith, CISSP, PhD, CCP, etc.
Secure Computing Corporation
author of "Internet Cryptography"
I hope I am doing the author a favor. Elias Levy spends several paragraphs explaining the security shortcomings of open source software. Then, in a final paragraph, he opines that open sour...
[ more ] [ reply ]
Original Bugtraq mailing list description?
2000-04-21
Robert Quinn <rquinn (at) pobox (dot) com [email concealed]>
Anyone have the original Intro to bugtraq? What we see on the list now is a slightly different take on the original purpose. People were pissed that vendors like Sun were fixing bugs (of any kind, not just security) and then not releasing the details. You couldn't tell if the problem was really fix...
[ more ] [ reply ]
There's more to security than fixing bugs...
2000-05-17
Anonymous
One security advantage to Open Source is that I have the ability to adapt or extend a program to meet my particular needs. In a Closed Source situation, I don't have that option.
A real-life example:
The Linux PPP daemon looks a number of places for configuration information: the command line, ...
[ more ] [ reply ]

This is the password for the Frontpage 98 extensions backdoor,
which allows anybody to get access to MS IIS sites
running these extensions.
How long has that backdoor existed, undetected - or at least
unpublished? I wonder how long it would have exi...
[ more ] [ reply ]