Falling Apart at the Seams
Kathleen Ellis and Jon Lasser, SecurityFocus 2000-09-04

Last month's Brown Orifice program opened a backdoor to an insecure future. Can open source save the day?

User: friend or enemy? 2000-09-05
Pavel Roskin (1 replies)
It's a good article, but an important point is missing.

Different modules are developed under different assumptions about the user.

Most programmers consider users as friends, i.e. they don't expect them to feed garbage to the program.

However, modules written under such assumptions (e.g. the modified...

[ more ]  [ reply ]
User: friend or enemy? 2000-09-08
foo
Well, even a friendly user can give you bad data. A user who doesn't know the max length on JPEG comments would cause a crash. You always have to code defensively....

[ more ]  [ reply ]
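The two posts above (a module written for "friendly" users, and a user who does not know the maximum JPEG comment length crashing it) describe the same defect from two sides: a length field read from the file is trusted when copying. The following is an added example written for this page, not code from either poster or from any browser; it walks the marker segments of a JPEG, checks every declared length against the bytes actually present, and bounds the copy of the COM (0xFFFE) segment by the caller's buffer rather than by the file. The sample byte strings are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { JPEG_ERR = -1, JPEG_NO_COMMENT = -2 };

/* Walk the marker segments of a JPEG and copy the first COM (0xFFFE)
 * segment's text into out (NUL-terminated). Every length field is checked
 * against the bytes actually present before anything is read or copied.
 * Returns the number of text bytes written, JPEG_NO_COMMENT if the image
 * has no COM segment before SOS/EOI, or JPEG_ERR on malformed input. */
int jpeg_first_comment(const uint8_t *buf, size_t len, char *out, size_t out_cap)
{
    size_t pos;
    if (out_cap == 0) return JPEG_ERR;
    out[0] = '\0';
    /* SOI marker FF D8 must open the file. */
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_ERR;
    pos = 2;
    while (pos + 4 <= len) {                 /* need marker (2) + length (2) */
        uint8_t marker;
        size_t seg_len;
        if (buf[pos] != 0xFF) return JPEG_ERR;
        marker = buf[pos + 1];
        if (marker == 0xD9) return JPEG_NO_COMMENT;  /* EOI: no comment seen */
        if (marker == 0xDA) return JPEG_NO_COMMENT;  /* SOS: scan data follows; stop here,
                                                        so standalone RSTn/TEM never occur */
        /* Length is big-endian and includes its own two bytes. */
        seg_len = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seg_len < 2) return JPEG_ERR;
        /* The defensive check the posts are asking for: the declared length
         * must fit inside the data we were actually given. */
        if (seg_len > len - (pos + 2)) return JPEG_ERR;
        if (marker == 0xFE) {
            size_t text_len = seg_len - 2;
            const uint8_t *text = buf + pos + 4;
            /* Bound the copy by the destination, not by the file's claim. */
            size_t n = text_len < out_cap - 1 ? text_len : out_cap - 1;
            memcpy(out, text, n);
            out[n] = '\0';
            return (int)n;
        }
        pos += 2 + seg_len;
    }
    return JPEG_ERR;  /* ran out of bytes before EOI */
}

/* Constructed sample: SOI, APP0 with 4 payload bytes, COM "hello", EOI. */
static const uint8_t good_jpeg[] = {
    0xFF, 0xD8,                                   /* SOI */
    0xFF, 0xE0, 0x00, 0x06, 'J', 'F', 'I', 'F',   /* APP0, length 6 = 2 + 4 */
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o', /* COM, length 7 = 2 + 5 */
    0xFF, 0xD9                                    /* EOI */
};

/* Constructed hostile sample: the COM segment claims 0xFFFF bytes but only
 * three follow. A parser that trusts the field and memcpy()s 65533 bytes
 * reads far past the buffer or overflows a fixed-size destination. */
static const uint8_t evil_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0xFF, 0xFF, 'b', 'a', 'd'
};

/* Small wrappers so each outcome is a checkable return value. */
int demo_good_len(void)
{
    char out[64];
    return jpeg_first_comment(good_jpeg, sizeof good_jpeg, out, sizeof out);
}
int demo_good_text_ok(void)
{
    char out[64];
    jpeg_first_comment(good_jpeg, sizeof good_jpeg, out, sizeof out);
    return strcmp(out, "hello") == 0;
}
int demo_evil_len(void)
{
    char out[64];
    return jpeg_first_comment(evil_jpeg, sizeof evil_jpeg, out, sizeof out);
}
int demo_small_buffer_len(void)
{
    char out[3];  /* room for two characters plus NUL: "he" */
    return jpeg_first_comment(good_jpeg, sizeof good_jpeg, out, sizeof out);
}

int main(void)
{
    printf("good: %d bytes, text ok=%d\n", demo_good_len(), demo_good_text_ok());
    printf("evil: %d (JPEG_ERR is %d)\n", demo_evil_len(), JPEG_ERR);
    printf("small buffer: %d bytes kept\n", demo_small_buffer_len());
    return 0;
}
```

The hostile sample is rejected before a single payload byte is touched, and an over-long comment is truncated to the caller's buffer rather than trusted; both are the "code defensively" behaviour the reply calls for, independent of whether the user is a friend or an enemy.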
Open Source Solution 2000-09-05
Pete Kofod (2 replies)
While Open Source has many benefits, I believe the most over-sold yet empirically unproven one is improved security. Given the sheer amount of eyes inspecting current code, vulnerabilities should be getting zapped as quickly as they appear, yet many go undetected for a while. The reason they go un...

[ more ]  [ reply ]
Re: Open Source Solution 2000-09-08
angel'o'sphere (1 replies)
I completely agree with the previous poster.

Furthermore, it is a myth that OS software is more secure.

In fact, if I, as a hypothetical cracker, want to break into a system, I would of course try to use an unknown exploit. So if I can get my hands on the sources for a system, I would analyse them in ...

[ more ]  [ reply ]
Re: Open Source Solution 2000-09-08
Richard
You said: "In OS development the situation is even worse! ... You see that most OS development projects have a ridiculously low performance in terms of LOC per programmer or LOC per month."

First, many of the sourceforge.net projects that you mention are mature. Second, many of the others are work...

[ more ]  [ reply ]
Open Source Solution 2000-09-08
Mike Crist
I disagree. In my observations, security flaws are more readily located in Open Source vs. Closed Source software. Even assuming they aren't, surely no one can claim that Open Source flaws are not remedied faster on average than Closed Source. There's plenty of empirical evidence to support that....

[ more ]  [ reply ]
Is the combination or the individual code itself to blame? 2000-09-06
Although in some cases I'd agree that linking modules designed for completely different purposes may be a bad thing security-wise, I still think it's the module itself that's to blame, not the linkage.

Look at the Java bug: The two problems were both in Java classes. While these classes were comp...

[ more ]  [ reply ]
Open source is not a silver bullet 2000-09-06
Your friendly neighborhood software developer
Linux is open source, but has a number of security issues as pointed out in BugTraq, so I don't think that open source is a silver bullet. I can't think of any software that is without security issues. It took 2 years for people to discover the 'issues' around Brown Orifice. This is an indicatio...

[ more ]  [ reply ]
Brown Orifice bug not in Open Source! 2000-09-08
/dev/joe
Keep in mind that the bugs exploited by Brown Orifice occur in the Java-handling code, the part of Netscape 4's source code that was NOT made open.

...

[ more ]  [ reply ]
"All bugs are shallow" is a delusion of Open Source Arguments 2000-09-08
peter (at) smalltalk (dot) org [email concealed]
"The key to solving this problem is the open source movement, and its propensity for keeping code development simple and ego-free."

"Raymond's formulation of Linus's Law in his classic open source polemic The Cathedral and the Bazaar, that "Given enough eyeballs, all bugs are shallow," hints at t...

[ more ]  [ reply ]
Open source WORKS! 2000-09-08
Another friendly software developer
I write web-based applications, and it's not uncommon for me to release portions of my self-written libraries as "open-source" - I ALWAYS find that I help others get their job done better, and they almost ALWAYS improve the code in some way - add features, improve security, etc.

Of course, there...

[ more ]  [ reply ]
Mozilla and JavaScript 2000-09-08
Markus Fleck
There is a fair chance that Mozilla will be even worse - after all, it allows you to download "skins" that rewire the buttons in your browser's user interface. "XUL" is indeed a very dangerous "geek toy".

(And with the browser's UI depending on JavaScript, I do wonder if it will be possible a...

[ more ]  [ reply ]
How many ways can one article be wrong? 2000-09-08
Charles Miller
Brown Orifice is caused by two bugs in the Java implementation in Netscape. One of them allowed untrusted bytecodes to accept socket connections from places other than the originating host. The other allowed untrusted bytecodes to access files on the local filesystem.

One of these bugs originated...

[ more ]  [ reply ]
Copyright 2009, SecurityFocus