Re: Confirmed Cases Of Trapdoors By Overseas Programmers ?
From: Bernd Felsche (bernie@innovative.iinet.net.au) Date: 07/15/02
- Next message: JoshB: "starting up a company"
- Previous message: Bernd Eckenfels: "Re: A good website about security?"
- In reply to: Alun Jones: "Re: Confirmed Cases Of Trapdoors By Overseas Programmers ?"
- Next in thread: Jim Patrick: "Re: Confirmed Cases Of Trapdoors By Overseas Programmers ?"
- Reply: Jim Patrick: "Re: Confirmed Cases Of Trapdoors By Overseas Programmers ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Bernd Felsche <bernie@innovative.iinet.net.au> Date: Mon, 15 Jul 2002 10:45:02 +0800
alun@texis.com (Alun Jones) writes:
>In article <1103_1026582308@news.utu.fi>, Markus Jansson
><jansson_markus@ziplip.com> wrote:
>>Linux may have and has programming errors, bugs and security holes, even
>>remote ones. It is highly unlikely that it has a backdoor planted since anyone
>>could find it.
>You are assuming that anyone goes looking in depth.
>One of the great advantages of open source coding is that the
>source code is provided for anyone to analyse, debug, patch, etc.
>One of the great disadvantages of open source code is that almost
>nobody does analyse, debug, or patch it. Bugs in open source are
That's not a disadvantage of open source. It's a disadvantage to
*anything* that's been written.
>generally found by the same method as in closed source - someone
>runs the program, and gets output or side-effects they didn't
>expect. Security holes are often found in the same manner, because
No. Many bugs in open source software are found by code review.
See CERT announcements.
>it's easier to throw broken input at a program than it is to
>analyse the source code. Bugs and security flaws alike are
>reported to open source developers by users, who don't generally
>tend to suggest patches, because they are users, not developers.
Many users don't report bugs. More often than not, users will look
for a workaround. In closed-source software, any bug reporting that
does occur, even in supported environments, is frequently *filtered*
so that the bug description can be quite different to the one the
user sees.
>Many of the supposed benefits of open source don't really exist,
>because people do not take advantage of them in anything more than
>the rarest of cases. There are a few real benefits that don't
They don't exist because they're not usually exploited?
Why is that preferable to having closed sources where the
opportunity for independent code review doesn't even exist?
Do you want code review only by the authors of the code, or those
who share the same mind-set?
>I've yet to see any examples of security flaws found in open source
>programs through code analysis - I'm sure there are some examples,
Openssh is a recent one.
--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
 X  against HTML mail     | Copy me into your ~/.signature
/ \ and postings          | to help me spread!