> Oh, come on Nick. How are you going to prevent any operations staff
> with the inclination from either downloading the source code to Linux in
> their own time on their own equipment?
I never spoke about prohibiting; the question is one of what an auditor does. They
are advisors. It is reasonable for them to advise of the risk that was being
outlined here (that the "way" to find out what a msg means is to look at the
source, when the original posting did not even say "open source"). That source
might not be available, or it might be a risk of feasibility/practicality (come
on folks, just how many computer operators do you know that can read C source
and make heads or tails of it?).

These are not things to just "get used to"; they represent real risks to real
businesses. Sure, a PROGRAMMER can read the source, and perhaps figure out what
is going on (though all the problems stated on this list about simple
configurations clearly indicate that even we find that to be difficult ;-)...
but really, expecting an OPERATOR to do so... and then expecting the AUDITORs to
not care about the business risks this represents (and no, it is not security...
audit & control is much more than just security).

All I have said is that there is a cost to this approach,
and that it is unreasonable for "auditors to get used to it",
and that we can actually start to do something to fix it...

Get over it.

Peace. -njg
