-----Original Message-----
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of James Rich

| On Tue, 17 Feb 2004, Adam Lang wrote:
|
| > The reverse is also true, which is the theory behind open source. The good
| > guys get to see the code now also and can see what holes there are that only
| > MS knew about. That is why your comment "clearly seeing things that we
| > can'" is wrong. Now you can see as much as the bad guy can see. The code
| > being out there puts everyone on even footing in regards to knowing how
| > things work.
|
| In this case that isn't necessarily true.

There are very few things I disagree with Leif about, but this one Adam mentions is one. I find it Very hard to believe that anyone would suggest that "the code being out there puts everyone on even footing". Criminals are incented, and the assumption is that non-criminals will, in each and every case, be smarter than the criminals. I believe this to be a dangerous assumption, in the first place, and false due to the fact that criminals are the more highly incented.

| With open source, the good guys
| do get to see the code, and do far more than the bad guys bother to.

This is an arrogant assumption, imv, and not supported by any facts that I know of. Not that the good guys don't do an IMMENSE amount of good work, but it Only Takes One bad guy to be successful and the house of cards comes down. It doesn't matter How much good the good guys do, if that one bad guy is successful, unfortunately. Speed of correction is a moot point, once the ballot boxes have been stuffed and people wrongly elected.

| However, the good guys don't want trouble with MS and don't want to
| violate any copyright laws or use technology without license or taint
| their ability to work unfettered. Looking at the MS code can cause all of
| these problems. Because of the license of the code, the good guys aren't
| looking at it. They don't want to jeopardize their careers by looking at
| unlicensed code, and I don't want to either.

As Jim Franz just pointed out, there are very dedicated people who (either by looking at code, reverse-engineering, or trial-and-error) ARE finding a large number of the most dangerous holes. There is a guy in Europe (forget name, and there are several groups, afaik) who has been doing this for years, and been quite successful in finding these flaws, by whatever techniques he uses.

Btw, what James said IS the reason I've not ever looked at GPL code, afaik. Maybe looked at an Apache mod or two, just to see what they were about, but couldn't understand much anyway. (And I still recall a post from Craig Rutledge as to what would happen to people that used HIS code...;-)

|
| James Rich
|
| "As for security, being lectured by Linus Torvalds, et al is like receiving wise words
| on the subject of compassion from Stalin."

- jt
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.