On Thursday 13 November 2003 01:28, Boaz Rymland wrote:

> Furthermore, don't get me wrong. I did not conclude my "verdict" on OSS
> security from this simple demonstration of a weak point. Not at all.
> Without going into details I think the opposite - I prefer openness over
> obscurity, taking in mind the price we have to pay for defending against
> OSS weak points such as the one demonstrated.

Without saying whether that's a "good" demonstration or a "bad" demonstration, let's remember what the demonstration actually was.

- Someone broke into an account authorized to make changes to the kernel source
- They then changed a line of code in the kernel source using that account
- This code was committed to the source tree
- This was rejected because of improper procedure, and also because it looked "suspicious" (the comments weren't filled in)
- It was stopped at that point; there was never a snapshot of the kernel with that code, not to mention an official release

The analogy to a commercial company is:

- Someone breaks into an account that has access to the product CVS tree
- That attacker changes the source to insert a Trojan
- The break-in is detected, the offending code is removed
- Nobody ever hears about it - this stays within the company. The security hole is found and plugged and none of the company's customers are aware of this (almost) breach

The difference is, you will never hear of the latter case, since it is solved within the company. Therefore there is no way to assess whether these situations appear more on OS projects than on commercial projects.

BTW, when I say "never hear", I mean never hear officially. Rumours are always there, but nobody can be certain:
http://www.securiteam.com/securitynews/6E00L2000E.html

--
- Aviram
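The point Aviram makes is that the tampered commit was caught by procedure (an unexpected account, an empty change description), not by anyone spotting the code itself. The following is an added example, not code from the original thread or from the kernel project, showing what such a procedural audit looks like when run over commit metadata. The log text, the SHAs, the author addresses and the committer allow-list are all constructed for illustration. Note the limitation the thread itself implies: a compromised but legitimate account passes the allow-list check, so the empty-description rule is the one doing the real work in that case.

```python
import re
from dataclasses import dataclass

# Constructed "git log"-style sample (hypothetical; not from the page).
# The second record imitates the case discussed in the thread: an account
# that is not on the committer list and a commit with no description.
SAMPLE_LOG = """\
commit 1111111
Author: alice@example.org

    net: fix off-by-one in packet length check

commit 2222222
Author: stranger@example.org

commit 3333333
Author: bob@example.org

    sched: tidy whitespace
"""

# Hypothetical allow-list of accounts permitted to commit to the tree.
AUTHORIZED = {"alice@example.org", "bob@example.org"}


@dataclass
class Commit:
    sha: str
    author: str
    message: str


def parse_log(text):
    """Split a minimal git-log style text into Commit records."""
    commits = []
    for block in re.split(r"(?m)^commit ", text):
        block = block.strip()
        if not block:
            continue
        lines = block.splitlines()
        sha = lines[0].strip()
        author = ""
        body = []
        for line in lines[1:]:
            if line.startswith("Author: "):
                author = line[len("Author: "):].strip()
            else:
                body.append(line.strip())
        # Drop blank lines so an all-whitespace description counts as empty.
        message = "\n".join(l for l in body if l)
        commits.append(Commit(sha, author, message))
    return commits


def audit(commits, authorized):
    """Return {sha: [reasons]} for commits that fail the procedural checks.

    Two rules, mirroring what stopped the commit in the thread:
      1. the author must be on the committer allow-list;
      2. the change description must not be empty.
    """
    findings = {}
    for c in commits:
        reasons = []
        if c.author not in authorized:
            reasons.append("author not in committer allow-list")
        if not c.message:
            reasons.append("empty change description")
        if reasons:
            findings[c.sha] = reasons
    return findings


if __name__ == "__main__":
    for sha, reasons in audit(parse_log(SAMPLE_LOG), AUTHORIZED).items():
        print(sha, "->", "; ".join(reasons))
```

Running the block flags only the second record, for both reasons. In practice this kind of check sits in a pre-receive or pre-commit hook, where a rejection blocks the commit before it reaches the shared tree.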