-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's a link to two videos. Unfortunately, neither of them is the one I saw :/ In any case, if you watch the cyber security one you might get a laugh. A level of ignorance can be found on both sides.
http://www.c-span.org/search/basic.asp?ResultStart=1&ResultCount=10&BasicQueryText=cyber&image1.x=0&image1.y=0&image1=Submit
Aaron J. Seigo wrote:
| On Thursday 25 September 2003 09:52, [EMAIL PROTECTED] wrote:
|
|>itself. The thinking is that the quality of the code is much lower; that
|
|
| and yet closed source software continues to have as many if not more serious security issues. so much for "quality" of code...
|
| there's also the issue of having all open source code, well, open. it's easy to look at it and criticize it since you have the luxury of seeing it and criticizing it. it's much harder to be critical of the quality of code you can't see. i think anyone who's worked in real life situations on closed projects will tell you that people's ability to write code doesn't magically improve just because nobody can see the code; the opposite is true IME. most coders suck, therefore most code sucks. period.
|
|
|>many people do not even review the source with a very scrutinizing eye and
|
|
| key word: "many". reality: "enough". if it wasn't being scrutinized, then patches to Free Software security issues would always lag behind what the blackhats knew and were exploiting. but it's the exact opposite. patches for security issues affecting Free Software are almost always ahead of the game, and the ONLY way you can manage that is if there is serious review with a "scrutinizing eye" by the good guys.
|
|
|>those that do don't have the expertise required to pinpoint the various
|>vulnerabilities that may be present.
|
|
| people in the security industry tend to be a bunch of arrogant assholes. the coders think they are hotter than the sun's core, and the salespeople/execs usually have little compunction about stretching the truth or speaking outside their realm of knowledge just to push sales. that's how we got the "virus protection" industry and l33t speak. outside of their actual security analysis of specific pieces of software, i don't put much weight behind anything they say because it's usually wildly inaccurate.
|
| here's the text of a mail i posted to another list last week regarding the dual sendmail and OpenSSH security announcements that i think states the realities of software security much more clearly:
|
| ===
| well, we always need to be concerned when it comes to security issues. Open Source is not a panacea; there are security issues that arise from time to time and they should be taken seriously. the Internet is a shared resource, so we each have a responsibility for ensuring its health. it's quite important how security issues are discovered and handled and what our options as users are.
|
| with closed source software, the vendor has very little motivation to take care of security issues in a timely manner. this is because fixing a security problem takes time and money, and there's usually no means to recoup that investment if you release it as a patch. many closed source companies take care of security issues primarily to avoid disenfranchising their users. if they feel they can get away with not fixing it (the public doesn't know, their users aren't concerned, etc), they usually try and do just that. fortunately, many vendors of closed source software are more sensitive to this issue today since Linux and other Free Software projects have pushed security to the forefront; we still see far too much lip service being paid, however.
|
| in the closed source world, threats are usually discovered by the black hats and exploited long before the users are informed about it. the vendor may or may not know, but when they do they often keep it under their hat hoping no one will find out before their next scheduled upgrade (which they can charge for), if at all. but as a user, you never really know. anybody remember that MS security bulletin last year warning about massive intrusions occurring that they "couldn't explain" but felt the need to warn admins about anyways?
|
| with Free / Open Source Software, there is a real motivation to find problems and fix them: the code is open for anyone to peruse (including the black hats) and those who work on the software usually depend on it themselves as users. we also have the benefit of the "many eyes make bugs shallow" principle, which usually works pretty well for security. but we also have choice: what to use, when and how. this is a bigger ally than it's often given credit for.
|
| in the case of the sendmail exploit, more and more people are (thankfully) using something else, such as Postfix. for those who are stuck with sendmail for one reason or another, more's the pity, but fortunately for them patches are readily available. they could also switch to another MTA temporarily (or permanently) at no cost beyond that of installing and starting the alternative MTA, while waiting for binaries.
|
| but for many this sendmail flaw isn't an issue because we have a plethora of choices: postfix and (the non-Free) qmail for example; more Linux distributions are shipping with postfix as a default rather than sendmail these days. is that sort of inexpensive, easy and pragmatically driven choice typically available in the closed source world? nope. when Exchange has a flaw, Exchange has a flaw and you just have to hope that the fix comes out from MS sooner rather than later (it's often already later by the time you know about it, however). switching in the meantime is expensive and laborious, if at all possible.
|
| as for the OpenSSH flaw, as far as I'm aware all major Free Software operating system vendors have already shipped updated packages. there are still questions as to the severity of the flaw: it's definitely DoS'able, but perhaps not fully exploitable (the buffer is on the heap which makes it trickier). the fact that there is debate means that there aren't any (widespread?) exploits in the wild ... which means that this is yet another non-starter for those who would like to demean Free Software.
|
| i know that all my systems, except one, were updated automagically as the patches became available. that one exception is running an older OS version (i really need to upgrade it, but it's just so stable =) and i had compiled OpenSSH from source on it; in that case i simply grabbed the source patch and applied it locally on that machine and recompiled. try that on a now-unsupported closed source system.
|
| while this was all happening i turned SSH off on the firewalls (one command, or a couple of clicks, depending on your taste) for the brief period of time between the announcement and the time the patches trickled down the pipe. once that happened i flicked SSH back on.
|
| so i haven't been worried at all about the security of my systems over these issues. and that's a priceless peace of mind and reliability i just don't get with closed source software.
| =====
|
| --
| Aaron J. Seigo
| GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/dGD7LeoSBberRbgRAocYAKCmbcHiJUb1JDpsJfTT9XKnaYjAdgCfQY57
n3CE7ttucbrWfsA0SdUcHAs=
=5K8a
-----END PGP SIGNATURE-----
