Hi
The only problem is, did these programmers, and they may, by the way,
actually have access to vintage source, and make a comparison to the same in
Linux (open) code, and then arrive at the conclusion that this code is
inherently not more secure than that code, or are they looking at the
open source and having a wild guess at the not-so-open one, and thinking, this
code is not so secure, therefore it is not more secure than the other code,
that I have never seen. . . . . OK. Maybe this is not the case, and I could be
entirely wrong, and these people actually saw vintage code, and compared it
to Linux code, and then came up with the result. But you know, I don't think
so.
On the other hand, if you talk about security as a whole, the weakest
link determines the strength of the system (security-wise in this case), and
in this case it is the human factor that is responsible for 99% of the
security breaches; the mere existence of an exploit is trivial in this case.
If no one opened an e-mail attachment from an unknown source, or left their
SQL server with default (factory) admin passwords, many of these worms and
viruses would not have worked at all.
Still, I will reserve the opinion that Linux failed in much fewer ways than
vintage did, and these failures were fixed in far shorter a time than the
ones in vintage, and the fixes broke far, far fewer things than the fixes in
vintage.
Now let's take a fairly simple one here. Ping of death, a very old and
well-known DoS attack. Many TCP/IP stacks were sensitive to a packet like that.
This was back in, say, 1995; the last Unix stack was patched 6 days to 14 days
later, the Linux patch was available the next day. Vintage was still sensitive
to the attack 3 years later, when the stack was finally replaced with the
controversial BSD-style TCP/IP stack.
I think it is the user who has to be educated; it would have a far more
profound effect than trying to come up with the ultimate in security for
software. And you cannot expect everyone to use VMS on their home PC :-)
Cheers
Szemir
On Thursday 25 September 2003 21:52, you wrote:
> I was watching C-SPAN when I was down in the states a few weeks ago and
> they were showing subcommittee proceedings on cyber security. They had many
> 'experts' but the one thing that drew my attention was the CTO (i think it
> was the CTO) of Verisign who said that open source is generally no more
> secure than proprietary counterparts and that the openness of the software
> does not offer much to it being more secure. I have also heard this
> guardedly confirmed by other security individuals in the OSS community
> itself. The thinking is that the quality of the code is much lower; that
> many people do not even review the source with a very scrutinizing eye and
> those that do don't have the expertise required to pinpoint the various
> vulnerabilities that may be present. Now, I am no kernel hacker by any
> means but I thought it was interesting since the rest of the people on the
> panel (some fairly high-level programmers) tended to agree with the
> statement.
>
> Personally, I think that having something as 'simple' as user/group
> permissions on files goes a lot further in securing a system than not
> having it. Of course, this means nothing once a box is rooted.
>
> 2cents
>
> Jacob
>
> Bogi wrote:
> | Hi
> | Funny how many people cannot appreciate the fact that in spite of Linux
> | being open source (hence any flaw can be very easily found and
> | exploited) it still has far fewer exploitable/exploited flaws than vintage
> | OS, despite the source being kept as top-secret-for-no-one's-eyes-only.
> | And I don't think vintage has as large a base as vintage would like us to
> | think. That number comes from sales figures (OEM vintage OS). Now how
> | long would a vintage OS last on a hard disk after it gets home ??
> | Hehe, till I find my Linux CDs :-)
> | Cheers
> | Szemir
> |
> | PS: Sorry, too much Ballantine's :-]
> |
> | On Thursday 25 September 2003 22:47, you wrote:
> |>More secure, less secure... Currently, one must place more value on the
> |>process of disclosure and patching since no software is totally secure.
> |> In that vote, Open Source and Linux win hands down. At least, it makes
> |> _me_ feel more secure (knowing what's going on and what's been fixed).
> |>
> |>So I voted 'Yes'. :-D
> |>
> |>Curtis
> |>
> |>-----Original Message-----
> |>From: Kevin Anderson [mailto:[EMAIL PROTECTED]
> |>Sent: September 25, 2003 10:36 PM
> |>To: [EMAIL PROTECTED]
> |>Subject: (clug-talk) Voting Booth
> |>
> |>
> |>http://www.securitypipeline.com/newslettervote.jhtml
> |>
> |>We might as well weigh in...