Stanislav Malyshev wrote:

BR>> Isn't that a demonstration of the *real* (no FUD) open source model
BR>> security break points?

Well, that looks like an open source _strong_ point. If the same code were
closed, what chance is there that someone - except, of course, the original programmer
and probably his associates - would notice that? If, say, a Windows function
GetProcessSomeObscureAttribute would get you administrator
privilege for some combination of flags - what is the chance someone would
ever discover that?

You're definitely right in your point - in OSS many more eyes see the code and can spot potential malicious pieces quickly. But this was not my initial point - and maybe I should have clarified it:
The Open Source model allows many bad minds access to the code, planning and inserting sophisticated/obfuscated pieces of code that hopefully will go unnoticed, at least for some time, and that will grant them non-legitimate power. Such a method for gaining this power is not available to the public in closed source environments. This malicious act is an option only for employees of the company creating the specific piece of SW (well, or for anyone else with access to their source code). This seems to me a weak point in the OSS development model, probably a point which should not go unnoticed, as I'm sure is happening, and as in fact did not go unnoticed in that example.


Furthermore, don't get me wrong. I did not conclude my "verdict" on OSS security from this simple demonstration of a weak point. Not at all. Without going into details, I think the opposite - I prefer openness over obscurity, bearing in mind the price we have to pay for defending against OSS weak points such as the one demonstrated.

