Falling Apart at the Seams
Kathleen Ellis and Jon Lasser, SecurityFocus 2000-09-04

Last month's Brown Orifice program opened a backdoor to an insecure future. Can open source save the day?

User: friend or enemy? 2000-09-05
Pavel Roskin (1 replies)
User: friend or enemy? 2000-09-08
foo
Open Source Solution 2000-09-05
Pete Kofod (2 replies)
Re: Open Source Solution 2000-09-08
angel'o'sphere (1 replies)
Re: Open Source Solution 2000-09-08
Richard
Open Source Solution 2000-09-08
Mike Crist
Open source is not a silver bullet 2000-09-06
Your friendly neighborhood software developer
Linux is open source, but has a number of security issues as pointed out in BugTraq, so I don't think that open source is a silver bullet. I can't think of any software that isn't without security issues. It took 2 years for people to discover the 'issues' around Brown Orifice. This is an indication of the complexity of the software.

The problem with any software project, be it open source or not, is when to declare a product ready to ship. Is it possible to ship totally bug-free software? No, and having many eyes look at it isn't a viable solution either. Fred Brooks wrote a classic book containing some insight into bringing in endless resources to work on a project, called 'The Mythical Man-Month'. More people working on software doesn't necessarily mean it's going to be better. There comes a point in the history of every project when it becomes necessary to shoot the engineers and start production; waiting for perfection means it will never ship, open source or not. So you get as close as you can and ship. It is this way with everything (aircraft, for example), and it's called acceptable risk. I don't think anyone denounces using aircraft for travel, but thousands have died while traveling in aircraft. Society has deemed the benefits of travel by aircraft worth the risk (most people are not aeronautical engineers who truly understand how aircraft work either). You, sitting in front of your screen, have deemed the risk of radiation output from your screen worth the risk of using your computer (in a couple of years you might be really sorry that you used brand X monitor because of ...).

What I'm trying to get at is that software is not perfect, never will be perfect, but it is no different than any other product we use or live with. We do the best that we can, competition hopefully drives us to do better, legal action threatens us, and in some cases we employ regulators in an attempt to ensure that risks are kept at a minimum. Is it time to employ regulators in the software industry? I hope not.

"All bugs are shallow" is a delusion of Open Source Arguments 2000-09-08
peter (at) smalltalk (dot) org [email concealed]
Open source WORKS! 2000-09-08
Another friendly software developer
Mozilla and JavaScript 2000-09-08
Markus Fleck
How many ways can one article be wrong? 2000-09-08
Charles Miller