Re: French Gov handing out Linux in schools

From: Imhotep (Imhotep_at_nospam.com)
Date: 08/18/05

    Date: Thu, 18 Aug 2005 02:52:49 GMT

    Hairy One Kenobi wrote:

    > "Imhotep" <Imhotep@nospam.com> wrote in message
    > news:NFpMe.34749$dJ5.4455@tornado.tampabay.rr.com...
    >> Hairy One Kenobi wrote:
    >> > "Imhotep" <Imhotep@nospam.com> wrote in message
    >> > news:fzSLe.15697$Oy2.5608@tornado.tampabay.rr.com...
    >
    > <snip>
    >
    >> > Take a look at Gartner.com, or one of the mainstream IT news sites -
    >> > you'll soon get the idea.
    >>
    >> I have used Gartner over the years. Yes, I am very familiar with them.
    >> However, I am asking you to restate your point, that is what I do not
    >> understand.
    >
    > Hmm. maybe it's a language thing? Time to quote...
    >
    > "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
    > news:h%KLe.8368$Mf6.7813@newsfe2-gui.ntli.net...
    >
    >
    >> According to the analysts, it's split 50-50 between security-by-obscurity
    >> and security-by-peer-review (which, judging by my experience, is
    >> something more talked about than performed).
    >
    > Now, by "50-50" I meant that it's evenly split between the two sides: that
    > not being open source is approximately as effective as being open source,
    > when it comes to security. Thus spake the analysts.
    >

    First, Gartner is not the Gospel. I used to have an account with them for
    many years. They do have some good people and info but, they are not
    perfect. When researching I take their point of view into account, but I
    also take it "with a grain of sand".
     
    > From my own POV, I keep hearing how much better it is that people inspect
    > other people's code, and fix it. But I've never met anyone that did that.
    > Or anyone that knew someone that did that. Or anyone who had a friend who
    > know someone...

    Not true. You should have been taught in college about peer code review. I
    personally have been all over the BSD IP protocol stack not just looking
    for bugs but also to better understand socket/server programming.

    Many theoretical security holes have been patched, BEFORE ANY CODE WAS
    WRITTEN, by code review.

    1) sendmail about 2 years ago. It was theorized that the structure of
    sendmail be split into a client and server within the same server because
    of a theoretical security hole.

    2) Recently ssh was being looked at. It was discovered that because of the
    way Intel has designed its hyperthreading CPU it COULD be possible for one
    thread to "peek" at data for another thread (within the same thread
    "family").

    3) Other open source applications have benefited from code review also, but
    I will leave that for the reader's homework. :-)

    ...the point is that open source works in many ways. First, it allows anyone
    who is writing application code to view how the code (underneath the API
    level) is structured. Resulting in tighter and more secure code. Second,
    there are people who do review the code looking for possible problems
    (again review #1 and #2 above).

    > Hell, I contribute (or at least /have/ contributed) to OS myself - people
    > tend to find a bug when they are using a particular aspect.

    Sure, sometimes people find a problem when writing code for a particular
    application. There again, they can verify that it is really a security hole
    by looking at the code below.

    > With literally millions of downloads, how could even 0.01% (hundreds of
    > dedicated techies) have missed the holes in OpenSSL and the Linux kernel?

    Be more specific. Which holes?

    > Assuming, of course, that these people actually exist, as opposed to the
    > couple of people involved in the development of specific aspects or
    > products. Or developers breaking that precise aspect of the code?

    Yes, these people really exist...

    >> > Pick the platform that does the job best for your particular application.
    >> > I usually have a mix of Windows, virtual IBM mainframe, Linux, and Solaris
    >> > at home; no RH at the moment, though - some idiot broke the installer, so
    >> > that it doesn't cope with my LCD panel. Must get around to fixing that at
    >> > some point...
    >>
    >> That has been fixed.
    >
    > Glad to hear that. Could you point me towards the patch that fixed my
    > particular version...? (Cough)

    Ah....why all the coughing, got a cold? Your patch is included in Red Hat FC
    4...

    >
    > H1K
    >
    > P.S. Being marginally less cruel, it seemed to have been a major problem
    > with Gnome - even manually editing the files to match the monitor
    > characteristics failed to help. After a couple of months, I temporarily
    > stuck MSDN Windoze on there, just to be able to run Ethereal (couldn't
    > find my old installation CDs).
