--- Dustin Puryear <[EMAIL PROTECTED]> wrote:
> > I still maintain that source availability is irrelevant. Say you run a
> > piece of closed-source software for years and years. Then one day see the
> > source, and find tons of holes in it. Was it more secure before you saw
> > the source? No. It is still the same program, with the same holes. You
> > just never knew about them before... and here's the kicker: you're
> > *really* hoping no one else knew about them either. Given the option, I'd
> > rather not run systems like that.
>
> Let's regroup and consider an example that follows the discussion being held
> here.
>
> I am a General in the military protecting a fortress. It is my job to keep
> the treasure in the inner keep safe. Am I more secure by keeping my building
> plans to myself, or by letting outside experts, who I have no control over,
> review the plans for me?
I don't think this is a good metaphor at all for the problem we are discussing. But, for the sake of this discussion, I'll go along with it for now.

> Naturally, it is entirely possible for an attacker to get his hands on my
> plans even if I don't release them (e.g., because of an internal spy or, oh
> I don't know, if an angry employee posts them on the Internet). It is also
> possible that one of the outside experts is actually a future attacker.

Apparently the plans are not being kept in the same place with the same safeguards as the treasure itself. :)

> Which is better? Is it always better?

Since you admitted that you are not the only person with access to the plans (disgruntled employees), it is possible that the plans to the fortress can be leaked out. I assume the General cannot threaten employees with death (since closed source providers do not) but only with lawsuits (since closed source providers do) for keeping the building plans safe. I'll let the fact that the treasure is only really protected by threat of lawsuit speak for itself.

The only smart thing to do would be to come up with further safeguards and methods to keep the treasure safe, since we cannot rely on the fact that the plans of the fortress will always be secret. So, unless you (the General) are also an expert in creating these further safeguards and methods (let's assume you are not; you are already pretty busy), you will have to rely on outside experts. So, it is not only better to rely on experts, it is necessary. And yes, it is always better, since not relying on experts is false or illusory security.

=====
John Hebert
Official BRLUG Linux Curmudgeon
Open Source Ankle Biter
