Ralf-Philipp Weinmann <[EMAIL PROTECTED]> writes:

>On Dec 3, 2007, at 16:51 , Paul Hoffman wrote:
>> Another interesting part is that open-source systems are much more
>> susceptible to being attacked by competitors (that is, having their
>> validation suspended) than are closed-source systems.
>
>this may have been true in the past. Enter tools like BinDiff [1] and BinNavi
>[2] and a skilled reverse engineer is able to shoot down your closed-source
>implementation almost as quickly as one for which she has source (assuming
>she has binaries, of course).
You're misunderstanding the threat model. The problem here is that commercial vendors are in a panic because the certification of free OSS security tools is allowing all sorts of riff-raff onto the previously exclusive US government purchasing gravy train. In order to keep the gravy train free of said riff-raff, they've kept up a steady stream of objections to the certification based on various nitpicks. While it's possible to say "There's something we noticed here in the source code that requires the software to be ejected from the train", it's a bit harder to say "We spent three months reverse-engineering someone else's proprietary protected intellectual property and think we may have found something".

Peter.

[1] Not my reference.
[2] Not my reference.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]