On Wed, 21 Mar 2007, Steven M. Christey wrote:
: With rare exceptions, in general, I do not find that the
: open source community is that much more security conscious
: than those producing closed source. Certainly this seems true
: if measured in terms of vulnerabilities and we measure
Just because people can look at a project in detail, doesn't mean they
will. More to the point, just because people can, doesn't mean code
auditing gurus will look at it.
And sometimes, when they do look they get booted out of the project
http://www.heise-security.co.uk/news/82500
-gp
own exposure...
-Original Message-
From: Wall, Kevin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 20, 2007 9:16 PM
To: McGovern, James F (HTSC, IT)
Cc: sc-l@securecoding.org
Subject: RE: [SC-L] Economics of Software Vulnerabilities
James McGovern apparently wrote...
The uprising from
Spot on thread, Ed:
On 3/20/07, Ed Reed [EMAIL PROTECTED] wrote:
Not all of these are consumer uprisings - some are, some aren't - but I
think they're all examples of the kinds of economic adjustments that occur
in mature markets.
- Unsafe at any speed (the triumph of consumer safety over
On Wed, 21 Mar 2007, mudge wrote:
Sorry, but I couldn't help but be reminded of an old L0pht topic that
we brought up in January of 1999. Having just re-read it I found it
still relatively poignant: Cyberspace Underwriters Laboratories[1].
I was thinking about this, too, I should have
I was originally going to say this off-list, but it's not that big a deal.
Arian J. Evans said:
I think you are on to something here in how to think about this subject.
Perhaps I should float my little paper out there and we could shape up
something worth while describing how the industry is
On Mar 21, 2007, at 3:57 PM, Arian J. Evans wrote:
Spot on thread, Ed:
On 3/20/07, Ed Reed [EMAIL PROTECTED] wrote:
Not all of these are consumer uprisings - some are, some aren't -
but I think they're all examples of the kinds of economic
adjustments that occur in mature markets.
At 8:55 AM -0400 3/20/07, Michael S Hines wrote:
I'm not sure what your sources are but from what I'm hearing and reading the
problem is that there are many missing drivers for what have become standard
peripherals that people are used to - and some of the vendors are reluctant
to develop new
James McGovern apparently wrote...
The uprising from customers may already be starting. It is
called open source. The real question is what is the duty of
others on this forum to make sure that newly created software
doesn't suffer from the same problems as the commercial
closed source
[mailto:[EMAIL PROTECTED]
Sent: Mon Mar 19 16:00:48 2007
To: Gary McGraw
Cc: Ed Reed; sc-l@securecoding.org
Subject: Re: [SC-L] Economics of Software Vulnerabilities
Gary McGraw wrote:
I'm not sure vista is bombing because of good quality. That certainly would
be ironic
Gary McGraw wrote:
I'm not sure vista is bombing because of good quality. That certainly would
be ironic.
Word on the way down in the guts street is that vista is too many things
cobbled together into one big kinda functioning mess.
I.e. it is mis-featured, and lacks on some
Crispin Cowan wrote:
Crispin, now believes that users are fundamentally what holds back security
I was once berated on stage by Jamie Lewis for sounding like I was
placing the blame for poor security on customers themselves.
I have moved on, and believe, instead, that it is the economic
Ed Reed wrote:
Crispin Cowan wrote:
Crispin, now believes that users are fundamentally what holds back security
I was once berated on stage by Jamie Lewis for sounding like I was
placing the blame for poor security on customers themselves.
Fight back harder. Jamie is wrong.
On Mon, 19 Mar 2007, Crispin Cowan wrote:
Since many users are economically motivated, this may explain why users
don't care much about security :)
But... but... but...
I understand the sentiment, but there's something missing in it. Namely,
that the costs related to security are not really
PROTECTED]; Ed Reed; sc-l@securecoding.org
Subject: Re: [SC-L] Economics of Software Vulnerabilities
On Mon, 12 Mar 2007, Crispin Cowan wrote:
Ed Reed wrote:
For a long time I thought that software product liability would
eventually be forced onto developers in response to their long
: [SC-L] Economics of Software Vulnerabilities
Ed Reed wrote:
For a long time I thought that software product liability would
eventually be forced onto developers in response to their long-term
failure to take responsibility for their shoddy code. I was mistaken.
The pool of producers (i.e
On Tue, 13 Mar 2007, Gary McGraw wrote:
In my opinion, though fuzz testing is certainly a useful technique (we've
used it in hardware verification for years), any certification based solely
on fuzz testing for security would be ludicrous. Fuzz testing is not a
silver bullet.
Fuzzing is
Ed Reed wrote:
For a long time I thought that software product liability would
eventually be forced onto developers in response to their long-term
failure to take responsibility for their shoddy code. I was mistaken.
The pool of producers (i.e., the software industry) is probably too
small
On Mon, 12 Mar 2007, Crispin Cowan wrote:
Ed Reed wrote:
For a long time I thought that software product liability would
eventually be forced onto developers in response to their long-term
failure to take responsibility for their shoddy code. I was mistaken.
The pool of producers (i.e.,