-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 25 September 2003 09:52, [EMAIL PROTECTED] wrote:
> itself. The thinking is that the quality of the code is much lower; that

and yet closed source software continues to have as many if not more serious security issues. so much for "quality" of code...

there's also the issue of having all open source code, well, open. it's easy to look at it and criticize it since you have the luxury of seeing it and criticizing it. it's much harder to be critical of the quality of code you can't see. i think anyone who's worked in real life situations on closed projects will tell you that people's ability to write code doesn't magically improve just because nobody can see the code; the opposite is true IME. most coders suck, therefore most code sucks. period.

> many people do not even review the source with a very scrutinizing eye and

key word: "many". reality: "enough". if it wasn't being scrutinized, then patches to Free Software security issues would always lag behind what the blackhats knew and were exploiting. but it's the exact opposite. patches for security issues affecting Free Software are almost always ahead of the game, and the ONLY way you can manage that is if there is serious review with a "scrutinizing eye" by the good guys.

> those that do don't have the expertise required to pinpoint the various
> vulnerabilities that may be present.

people in the security industry tend to be a bunch of arrogant assholes. the coders think they are hotter than the sun's core, and the salespeople/execs usually have little compunction about stretching the truth or speaking outside their realm of knowledge just to push sales. that's how we got the "virus protection" industry and l33t speak. outside of their actual security analysis of specific pieces of software, i don't put much weight behind anything they say because it's usually wildly inaccurate.

here's the text of a mail i posted to another list last week regarding the dual sendmail and OpenSSH security announcements that i think states the realities of software security much more clearly:

===

well, we always need to be concerned when it comes to security issues. Open Source is not a panacea; there are security issues that arise from time to time and they should be taken seriously. the Internet is a shared resource, so we each have a responsibility to ensure its health.

it's quite important how security issues are discovered and handled and what our options as users are.

with closed source software, the vendor has very little motivation to take care of security issues in a timely manner. this is because fixing a security problem takes time and money, and there's usually no means to recoup that investment if you release it as a patch. many closed source companies take care of security issues primarily to avoid disenfranchising their users. if they feel they can get away with not fixing it (the public doesn't know, their users aren't concerned, etc), they usually try and do just that. fortunately, many vendors of closed source software are more sensitive to this issue today since Linux and other Free Software projects have pushed security to the forefront; we still see far too much lip service being paid, however.

in the closed source world, threats are usually discovered by the black hats and exploited long before the users are informed about it. the vendor may or may not know, but when they do, they often keep it under their hat hoping no one will find out before their next scheduled upgrade (which they can charge for), if at all. but as a user, you never really know. anybody remember that MS security bulletin last year warning about massive intrusions occurring that they "couldn't explain" but felt the need to warn admins about anyways?

with Free / Open Source Software, there is a real motivation to find problems and fix them: the code is open for anyone to peruse (including the black hats) and those who work on the software usually depend on it themselves as users. we also have the benefit of the "many eyes make bugs shallow" principle, which usually works pretty well for security.

but we also have choice: what to use, when and how. this is a bigger ally than it's often given credit for. in the case of the sendmail exploit, more and more people are (thankfully) using something else, such as Postfix. for those who are stuck with sendmail for one reason or another, more's the pity, but fortunately for them patches are readily available. they could also switch to another MTA temporarily (or permanently) at no cost beyond that of installing and starting the alternative MTA, while waiting for binaries. but for many this sendmail flaw isn't an issue because we have a plethora of choices: postfix and (the non-Free) qmail for example; more Linux distributions are shipping with postfix as a default rather than sendmail these days.

is that sort of inexpensive, easy and pragmatically driven choice typically available in the closed source world? nope. when Exchange has a flaw, Exchange has a flaw and you just have to hope that the fix comes out from MS sooner rather than later (it's often already later by the time you know about it, however). switching in the meantime is expensive and laborious, if at all possible.

as for the OpenSSH flaw, as far as I'm aware all major Free Software operating system vendors have already shipped updated packages. there are still questions as to the severity of the flaw: it's definitely DOS'able, but perhaps not fully exploitable (the buffer is on the heap which makes it trickier). the fact there is debate means that there aren't any (widespread?) exploits in the wild ... which means that this is yet another non-starter for those who would like to demean Free Software.

i know that all my systems, except one, were updated automagically as the patches became available. that one exception is running an older OS version (i really need to upgrade it, but it's just so stable =) and i had compiled OpenSSH from source on it; in that case i simply grabbed the source patch and applied it locally on that machine and recompiled. try that on a now-unsupported closed source system.

while this was all happening i turned SSH off on the firewalls (one command, or a couple of clicks, depending on your taste) for the brief period of time between the announcement and the time the patches trickled down the pipe. once that happened i flicked SSH back on.

so i haven't been worried at all about the security of my systems over these issues. and that's a priceless peace of mind and reliability i just don't get with closed source software

=====

- -- 
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/dG3m1rcusafx20MRAo+8AKCR1LIRTF1h1joZq0MEsISEm1oRmgCgpdOR
CPpvO3TTaE7zjH6N/Ytgh7g=
=GTFG
-----END PGP SIGNATURE-----
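The OpenSSH part of the mail above describes grabbing the source patch, recompiling on a hand-built box, and re-enabling SSH once the fix is in. The one thing that procedure leaves implicit is the check that the rebuilt binary really is the fixed release. The following POSIX sh snippet is an added example, not code from the mail, from its author or from the OpenSSH project: it parses the `ssh -V` banner and compares the upstream version against a caller-supplied minimum, ignoring the portable `pN` suffix (which tracks packaging, not the upstream fix). The minimum version `3.7.1` used in the usage note is my assumption for the fixed release; confirm it against the advisory for your platform before relying on it. The banners in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: decide from an "ssh -V" banner whether a locally built
# OpenSSH is at or above a minimum (assumed fixed) upstream version.

# Extract the upstream "X.Y.Z" from a banner such as (constructed sample):
#   OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
# The portable suffix (p1, p2, ...) is dropped deliberately.
# Prints nothing for a banner that is not OpenSSH at all.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: returns 0 if dotted version A >= B, 1 otherwise.
# Missing trailing components count as 0, so 3.7 < 3.7.1.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# openssh_is_patched BANNER MIN_VERSION
# exit status: 0 = at or above MIN_VERSION, 1 = below it (still vulnerable),
#              2 = banner is not an OpenSSH banner (cannot judge).
openssh_is_patched() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$2"
}
```

Usage on a live box, with `3.7.1` being the assumed fixed release: `ssh -V` prints its banner on stderr, so call `openssh_is_patched "$(ssh -V 2>&1)" 3.7.1 && echo patched`. Run it against the binary you actually start (`"$(/usr/local/sbin/sshd -V 2>&1)"` if that is where your rebuilt daemon lives), since a stale system copy can still be in `$PATH`.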
