From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: [inbox] Re: RE: Linux (in)security

On Thu, 23 Oct 2003, Curt Purdy wrote:

> This is the reason open-source is inherently more secure.

Oh please. Count Apache bugs this year. Compare to IIS in the same period.
There's nothing inherent to any of the development models. There are good
developers and bad developers on both sides. There are projects and/or
components that are more secure, and ones that are less secure.

Finding bugs in closed source is trivial, and so is finding them in open
source - protocols are usually well-documented or easy to rev-eng, and
very few vulnerabilities both in CS and OS result from thorough source code
audits, as opposed to just brute force, fuzz, "what ifs" or dumb luck.

Closed source bugs, if you look at them, are often as complex and
nontrivial as OS bugs, suggesting there is no real problem with testing CS
code.

> First, people can actually audit it for security (you think IBM
> recommended Linux without going over every single line of code?)

Yes.

That said, from now on we are on a crash course to a pointless flame
war; I'm going to shut up now.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-10-23 21:39 --

   http://lcamtuf.coredump.cx/photo/current/

