Mate Wierdl <[EMAIL PROTECTED]> wrote:

>I am reading this book by B. Schneier, in particular, the section
>`Cracking and hacking contests'.  He thinks that contests (like
>offering $1000 for finding a security hole in a product) are bad for
>four main reasons, the first reason being that the contests are
>usually unfair since the author of the software decides what he/she
>considers a "hole".

He's right, of course. However, the qmail challenge I ran was not
judged by Dan, and, although I'd have been pleased to pay out the
$1000 because it would have closed a major security hole, the primary
purpose was promoting qmail, which I think it did pretty effectively.

>He also thinks that even having software out and used for a few
>years without incident does not imply that it is secure.  He says,
>the best way to evaluate the security of a product is to have it
>audited by security experts.

Again, he's right. Of course, he'd be happy to sell you such an
audit. :-)

>So has any expert ever audited qmail or djbdns?

No. Any audit worth doing would be prohibitively expensive for a
freeware project. $1000 wouldn't even begin to cover it, at least for
qmail.

-Dave
