This, from 24-Sep-2003 on http://tuxedo.org/: "The open-source project for secure communications technology, known as OpenSSH, plugged a second security hole on Tuesday that affects only users who have turned off a critical security feature."
LOL! Case in point. It's funny when people turn off security, much less suffer under those less diligent about maintaining it (read: legacy OS).

Curtis

-----Original Message-----
From: Curtis Sloan [mailto:[EMAIL PROTECTED]
Sent: September 26, 2003 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: (clug-talk) Voting Booth

I think you hit on a very important point, Szemir. Security is not so much about code and hardened systems and policy as it is a people phenomenon. If people are cracking closed source for the purpose of exploiting, it doesn't matter how good open vs. closed source is, because the perpetrators obviously don't care about the source. In general, they care about the exploit, which is an innately human issue.

A good read that focuses on this aspect of hacking/cracking is "Underground" by Suelette Dreyfus (http://www.underground-book.com/). It largely centers around Australian hackers but follows a few, but gripping and poignant, human stories across the world to their bitter ends. Entertaining read for anyone interested. FYI, the book is freely available in various formats (PDF, HTML, text, etc.). Suelette later published an essay entitled "Computer Hackers: Juvenile Delinquents or International Saboteurs" (http://www.aic.gov.au/conferences/internet/dreyfus.html). It focused on the sociological aspects that writing "Underground" had uncovered. I will admit, neither publication is particularly incredible writing, but it is interesting and captivating nonetheless.

All that being said, the technical aspects of security (code, systems, policy, etc.) will probably remain the focus of security discussions (open vs. closed, et al.) for the foreseeable future. Which is interesting, since the crackers and virus writers of the world -- the ones we're supposedly securing against -- don't seem to care as a matter of principle whether it's open or closed source. I think the matter of 'principle' is kinda what it's all about.
:P

The philosophic ramblings expressed in this message are those of the individual sender and are not necessarily the views of any other productive member of society. :-D

Curtis

-----Original Message-----
From: Bogi [mailto:[EMAIL PROTECTED]
Sent: September 26, 2003 12:49 AM
To: [EMAIL PROTECTED]
Subject: Re: (clug-talk) Voting Booth

Hi

The only problem is, did these programmers (and they may, by the way) actually have access to vintage source, and make a comparison to the same in Linux (open) code, and then arrive at the conclusion that this code is inherently not more secure than that code, or are they looking at the open source and having a wild guess at the not-so-open one, and thinking, this code is not so secure, therefore it is not more secure than the other code that I have never seen. . . . . OK. Maybe this is not the case, and I could be entirely wrong, and these people actually have seen vintage code, and compared it to Linux code, and then came up with the result. But you know, I don't think so.

On the other hand, if you talk about security as a hole (whole), the weakest link determines the strength of the system (security-wise in this case), and in this case it is the human factor that is responsible for 99% of the security breaches; the mere existence of an exploit is trivial in this case. If no one opens an e-mail attachment from an unknown source, or leaves their SQL server with default (factory) admin passwords, many of these worms and viruses would not have worked at all.

Still, I will reserve the opinion that Linux failed in much fewer ways than vintage did, and these failures were fixed in a far shorter time than the ones in vintage, and the fixes broke far, far fewer things than the fixes in vintage.

Now let's take a fairly simple one here. Ping of death, a very old and well-known DoS attack. Many TCP/IP stacks were sensitive to a packet like that.
This was back in, say, 1995; the last Unix stack was patched 6 days to 14 days later, and the Linux patch was available the next day. Vintage was still sensitive to the attack 3 years later, when the stack was finally replaced with the controversial BSD-style TCP/IP stack.

I think it is the user who has to be educated; it would have a far more profound effect than trying to come up with the ultimate in security for software. And you can not expect everyone to use a VMS on their home PC :-)

Cheers
Szemir

On Thursday 25 September 2003 21:52, you wrote:
> I was watching C-SPAN when I was down in the states a few weeks ago and
> they were showing subcommittee proceedings on cyber security. They had many
> 'experts' but the one thing that drew my attention was the CTO (I think it
> was the CTO) of Verisign who said that open source is generally no more
> secure than proprietary counterparts and that the openness of the software
> does not offer much to it being more secure. I have also heard this
> guardedly confirmed by other security individuals in the OSS community
> itself. The thinking is that the quality of the code is much lower; that
> many people do not even review the source with a very scrutinizing eye and
> those that do don't have the expertise required to pinpoint the various
> vulnerabilities that may be present. Now, I am no kernel hacker by any
> means but I thought it was interesting since the rest of the people on the
> panel (some fairly high-level programmers) tended to agree with the
> statement.
>
> Personally, I think that having something as 'simple' as user/group
> permissions on files goes a lot further in securing a system than not
> having it. Of course, this means nothing once a box is rooted.
>
> 2cents
>
> Jacob
>
> Bogi wrote:
> | Hi
> | Funny how many people can not appreciate the fact that in spite of Linux
> | being open source (hence any flaw can be very easily found and
> | exploited) it still has far fewer exploitable/exploited flaws than vintage
> | OS, despite the source being kept as top-secret-for-no-one's-eyes-only.
> | And I don't think vintage has as large a base as vintage would like us to
> | think. That number comes from sales figures (OEM vintage OS). Now how
> | long would a vintage OS last on a hard disk after it gets home??
> | Hehe, till I find my Linux CDs :-)
> | Cheers
> | Szemir
> |
> | Ps: Sorry, too much Ballantine's :-]
> |
> | On Thursday 25 September 2003 22:47, you wrote:
> |>More secure, less secure... Currently, one must place more value on the
> |>process of disclosure and patching since no software is totally secure.
> |> In that vote, Open Source and Linux win hands down. At least, it makes
> |> _me_ feel more secure (knowing what's going on and what's been fixed).
> |>
> |>So I voted 'Yes'. :-D
> |>
> |>Curtis
> |>
> |>-----Original Message-----
> |>From: Kevin Anderson [mailto:[EMAIL PROTECTED]
> |>Sent: September 25, 2003 10:36 PM
> |>To: [EMAIL PROTECTED]
> |>Subject: (clug-talk) Voting Booth
> |>
> |>
> |>http://www.securitypipeline.com/newslettervote.jhtml
> |>
> |>We might as well weigh in...
