On Sunday, 8 April 2007 00:00, Geoffrey S. Mendelson wrote:
> First of all, the probability in the real world of someone
> being able to verify the source code is "clean" is not very large.
> Few people can actually read source code to the point that a hidden
> exploit is not present. Even those that can, rarely do so.

Maybe, but the probability is still higher than with closed source.

> Have you looked at the source code for any of the open source
> applications you run?
> Not little bits here and there, but the entire "program"?

Usually only the little bits that interest me personally,
maybe other people look at other bits (or maybe not).

However, our mythical attacker does not know which bits
and pieces would be read by someone. So basically we are really
playing a probability game here.

How many people have read the source of a typical proprietary
application? If you have lived in the corporate world, you already
know the answer...

> There was for example a trojan placed in one of the more common TCP/IP
> utilities (I forget which it was, either traceroute or tcpdump) and it
> even made it to a few distributions of various operating systems.

Good example. Let's examine some of the facts:
  http://www.cert.org/advisories/CA-2002-30.html

  "...These modified distributions began to appear in downloads from
   the HTTP server www.tcpdump.org on or around Nov 11 2002 10:14:00 GMT.
   The tcpdump development team disabled download of the distributions
   containing the Trojan horse on Nov 13 2002 15:05:19 GMT."

Hmmm... roughly *two days* to discovery and damage control. Do you think
a proprietary application would have scored better?

I'll feed you with a better example:
  http://www.cert.org/advisories/CA-2001-01.html
  "Interbase Server Contains Compiled-in Back Door Account"

This backdoor took *6 months* to be discovered after the open-sourcing
of this database (now called Firebird). This is a very long time...

However, it was discovered that the backdoor was inserted into the
codebase in 1994.

Yes, that's *six years* in which the database was proprietary and was
sold by a respectable company (Borland) to respectable customers (e.g.:
Motorola, Nokia, Boeing and the Boston Stock Exchange).

> With closed source programs where the source code and the distribution
> of compiled programs is tightly controlled, the skill level required of a
> person modifying it for nefarious purposes is much higher.

Easter eggs -- do you know any big proprietary application without them?
Care to explain how these filter into the code in a "tightly controlled"
environment? Don't make us laugh.


Geoff, maybe the development process was tightly controlled in the 60's, but it
surely ain't even close to that now.

In the crazy race for "time-to-market" almost no one cares about real
bugs (as long as they are not show stoppers). For most managers, security
related bugs look like an even more vague and hypothetical problem that only
paranoids worry about, unless it is already on CNN.


Cheers,

-- 
Oron Peled                             Voice/Fax: +972-4-8228492
[EMAIL PROTECTED]                  http://www.actcom.co.il/~oron
ICQ UIN: 16527398

.. Complex problems have simple, easy to understand wrong answers.
