| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: vb at dontpanic.ulm.ccc.de (vb@...tpanic.ulm.ccc.de) Subject: clarification - reasons as to why commercial software *could* be better On Thu, Nov 13, 2003 at 04:41:53AM -0800, Gadi Evron wrote: > First of all, notice the subject.. *could* be better, not *is* better. Also "could be better" is wrong. There are good (financial) reasons for closed source software also. But I cannot see one of them in your list. > Microsoft, we all don't like Microsoft Please do not use such generalisations - I already stated that I have nothing against Microsoft, and that I meant seriously. > Microsoft is not a very good representation of commercial software when > it comes to security. For some software fortunately you're right. For some software unfortunately you're wrong. > Many companies chose commercial software because of the arguments I > presented earlier, and pasted again below. But these companies make a mistake. > And excuse me, but with all the respect in the world.. as to my LAST > point (3) - when one doesn't have the source code, one finds it more > difficult, AGAIN, to a level, to find holes in the software. Sorry, I cannot see that at all. Obviously you don't know people who do that. Additionally, the opposite is true. You're even more secure with OpenSource, because then many people you can trust in check the code by just reading source. Those people also could check the code by debugging the object code. But they won't do that. Why? Those people usually don't read source for finding security flaws but for personal interest or for developing purposes. And coming by they're detecting possible problems - and publicate them. > > 1. A serious (note serious) commercial company that has a crew working > > on addressing security concerns, and updating the product. > Note, serious company ? Yes. I noted. ;-) > > 2. A commercial company providing with liability (and responsibility) > > for the software you use (in other words - tech support and > > someone to blame). > Who talked about law suits? I mentioned tech support and blame. > </cynic> You're able to receive tech support and someone to blame for Free Software also. It is a well known lie that for Free Software commercial support does not exist support at all. (I think, we're not talking about OpenSource Software here, but about Free Software, right?) > > 3. No source (!!) available for people to examine, thus making it, to > > a level, harder to locate security "holes" - for outsides in any > > case. > Read again what I said - TO a level, harder. Quite the contrary is true - no source available does not detain anybody from finding security holes, apart from many of the people who care for their removal. VB. -- Volker Birk, Postfach 1540, 88334 Bad Waldsee, Germany Phone +49 (7524) 912142, Fax +49 (7524) 996807, dingens@...ens.org http://fdik.org, Deutsches IRCNet fdik!~c_vbirk@...a.rz.uni-ulm.de PGP-Key: http://www.x-pie.de/vb.asc
Powered by blists - more mailing lists