


| -----Original Message-----
| [mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of James Rich


| On Tue, 17 Feb 2004, Adam Lang wrote:
|
| > The reverse is also true, which is the theory behind open source.  The good
| > guys get to see the code now also and can see what holes there are that only
| > MS knew about.  That is why your comment "clearly seeing things that we
| > can't" is wrong.  Now you can see as much as the bad guy can see.  The code
| > being out there puts everyone on even footing in regards to knowing how
| > things work.
|
| In this case that isn't necessarily true.

There are very few things I disagree with Leif about, but this one Adam
mentions is one.  I find it Very hard to believe that anyone would suggest
that "the code being out there puts everyone on even footing".  Criminals
are incented, and the assumption is that non-criminals will, in each and
every case, be smarter than the criminals.  I believe this to be a dangerous
assumption, in the first place, and false due to the fact that criminals are
the more highly incented.

| With open source, the good guys
| do get to see the code, and do far more than the bad guys bother to.

This is an arrogant assumption, imv, and not supported by any facts that I
know of.  Not that the good guys don't do an IMMENSE amount of good work,
but it Only Takes One bad guy to be successful and the house of cards comes
down.  It doesn't matter How much good the good guys do, if that one bad guy
is successful, unfortunately.  Speed of correction is a moot point, once the
ballot boxes have been stuffed and people wrongly elected.

| However, the good guys don't want trouble with MS and don't want to
| violate any copyright laws or use technology without license or taint
| their ability to work unfettered.  Looking at the MS code can cause all of
| these problems.  Because of the license of the code, the good guys aren't
| looking at it.  They don't want to jeopardize their careers by looking at
| unlicensed code, and I don't want to either.

As Jim Franz just pointed out, there are very dedicated people who (either
by looking at code, reverse-engineering, trial-and-error) ARE finding a
large number of the most dangerous holes.  There is a guy in Europe (forget
name, and there are several groups, afaik) who has been doing this for
years, and been quite successful in finding these flaws, by whatever
techniques he uses.

Btw, what James said IS the reason I've not ever looked at GPL code, afaik.
Maybe looked at an Apache mod or two, just to see what they were about but
couldn't understand much anyway.  (And I still recall a post from Craig
Rutledge as to what would happen to people that used HIS code...;-)

|
| James Rich
|
| "As for security, being lectured by Linus Torvalds, et al is like receiving wise words
| on the subject of compassion from Stalin."

- jt




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
