Though Elias is correct when he says that people aren't

reading open sources, I think it's the tone of the article

I disagree with.

At what point does it become a blackhat endeavour to find

vulnerabilities? It seems there is a pervasive attitude

from many in the security community that reading source in

search of a vulnerability is dishonourable. I don't know

anyone that would publicly admit to believing this, but

it seems to be a growing sentiment.

OSS is not the final solution for dealing with

the Hacker Menace, and I appreciate that Elias has

taken the time to take the piss out of some of the more

religious elements of the debate. But, code review is

undeniably a nessecary part of development, and

Buqtraq is evidence enough that industry has not done,

and due to its current priorities cannot, do an adequate

job of reviewing code.

Unfortunately, there is a creeping sentiment that OSS

is not a sustainable process worth exploring as an option

for mission critical applications, scalability and long term growth. The marketing FUD is in full polemic swing over

full disclosure vs. something a little more market oriented.

Current evidence suggests that large numbers of dedicated amatuers

are doing a much better job of finding security problems

than small teams of highly paid,and dubiously certified,

'professionals'.

I find it cruelly ironic that the "ethical hacking" industry

differentiates itself from the underground by virtue

of who signs their paycheques.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/19/1392#1392