>Do the letters F. O. mean anything to you? You came in pronouncing 128
>bit crypto in Win2k and adequacy of closed source peer review.
>Everything you say seems to require confirmation.
The speech by Brian Valentine was well reported at the time.
If you needed to verify the statement you could have done
so yourself at the Microsoft site.
The only reason that the statement required confirmation
in your view is that you have such a fixed world view that
your mind is not capable of processing data that conflicts
with it - the appearance of which causes an ABEND and core
dump.
The definition of 'peer review' has nothing to do with the
definition of 'open source'. The two terms are in fact entirely
orthogonal, most open source software has not been reviewed,
most peer reviews are closed.
Just because peer review is good and open source is good does
not mean that peer review = open source.
The issue is the quality of the peer review, not the context in
which it takes place. I perform peer reviews for real companies,
I also design internal processes to ensure that thorough
reviews take place. It is a time consuming and very costly
process.
If nobody with a white hat actually does any peer review on your
open source code and tells you the problems you have weakened
your security, not strengthened it.
With the exception of a handful of very frequently used programs
such as Apache, the mere fact of putting code in the public
domain does nothing for security since the number of experts
qualified to perform a peer review is vanishingly small (perhaps
a few hundred) and they charge significant fees for their
services.
Most times the review is not of consumer oriented software at
all but an installation where there are particular security
issues that must be examined. I very much doubt that the
average reader of this list is prepared to donate their
services for free to a random bank.
Ten years ago a bunch of folk were putting out the idea that
'neural nets' and 'genetic algorithms' were a means of solving
any problem at all without doing any actual work. The idea
that 'open source' is a panacea for security is equally bogus.
Revising my earlier statement, security through bogosity is
no security at all.
Phill