It does beg the question of who is looking out, software vulnerability-wise, for those who don’t have enough clout to review source code. As Barry mentions, there is no such thing as perfect code. There is a lot of trust out there I think, and not enough skepticism / push back in this area. Not that open source is a panacea, or the right answer everywhere - certainly we’ve seen in the last few years major ugly bugs in open source software (OpenSSL, for instance). But, at least there is a wider audience and the opportunity to review it. The recent Volkswagen fiasco is a good example of willful misuse of the fact that little corporate software IP is reviewed outside the ‘mothership’, if you will.
Chad

> On Oct 17, 2015, at 11:08 AM, Clark Morris <[email protected]> wrote:
>
> On Sat, 17 Oct 2015 06:16:47 -0700 (PDT), in bit.listserv.ibm-main you
> wrote:
>
>> The fact that IBM continues to issue integrity PTFs shows that their code is
>> not perfect when it comes to integrity and therefore security. Nobody's is.
>> So, it is possible, by a review of the code, that the Chinese review team
>> can identify an integrity issue and save that for a later attack on an IBM
>> customer. This is a big risk.
>
> Actually allowing any country to review code is to open an exposure.
> On the other hand all users have at least some need to verify that
> code is not exposing them. For those users with high security needs
> and a large enough budget, having all software in house, maybe using
> open source software as a starting base, can make sense. I believed
> back in the 1970s and 80s that one of the best places to put a spy was
> in the IBM software creation and distribution system. These comments
> apply to all countries. It would be interesting to find out which
> countries and entities are reviewing source code from the various
> vendors. I believe that Snowden supporters are naive if they believe
> that other major and not so major countries are not engaged in much
> the same activities as those he accused the United States NSA and
> other agencies of committing. If IBM is allowing the Chinese
> government to review the code, I will guarantee that other governments
> are also reviewing the code. In addition we know that at least some
> ISVs have access to at least some of the code under non-disclosure
> agreements. I leave to you who are citizens of various countries to
> determine how concerned you should be.
>
> Clark Morris
>
>> Barry Schrager
>> Creator of ACF2
>> Member: Mainframe Hall of Fame
>> www.Enterprisesystemsmedia.com/mainframe-hall-of-fame
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
