Message-ID: <40E9F369.6030801@science.org>
Date: Mon, 05 Jul 2004 14:33:45 -1000
From: Jason Coombs <jasonc@...ence.org>
To: Alun Jones <alun@...is.com>
Cc: 'Justin Wheeler' <jwheeler@...ademons.com>,
	'Radoslav Dejanovic' <radoslav.dejanovic@...us.hr>,
	bugtraq@...urityfocus.com
Subject: Re: Microsoft and Security


Alun Jones wrote:
> ... okay, so you're arguing that even more QA and more testing should be
> <snip>
> releasing a smaller fix, with minimal impact, as soon as possible.
> <snip>
> improving the process, perhaps you should try and express those suggestions
> in a coherent manner that could be used
...

Aloha, Alun.

My suggestion is a simple one that all software developers can manage to 
incorporate into their busy schedules and tight budgets:

Hire an expert to conduct a thorough forensic review of the software 
before it is released, and publish the forensic analysis report.

Any vulnerabilities, flaws, areas that need additional work, portions 
that were built by subcontractors of questionable skill or loyalties, 
portions that were offshored, features that the programmers themselves 
warn are not yet done by placing comments in the source code, third 
party libraries or code or algorithms that may create intellectual 
property liability for the end user, and all other issues of computer 
forensics and computer law should be spelled out as clearly as possible 
by any company that develops and distributes software to the public.

Anyone who does not publish a forensic analysis report along with their 
software should publish the source code, whether or not they release 
legal rights to that source code under an open source or free software 
license.

The computing public should not have to reverse engineer software 
products in order to figure out what they do to the computers on which 
they are installed and used.

Even the Department of Justice knew better than to allow the FBI to 
build and deploy law enforcement computer technology without hiring an 
expert to write a forensic report on the product, and the FBI doesn't 
try to sell "Carnivore" to anyone.

http://www.epic.org/privacy/carnivore/

Final Independent Technical Review of the Carnivore System
http://www.epic.org/privacy/carnivore/carniv_final.pdf

We should require software vendors to take this stuff seriously.

Sincerely,

Jason Coombs
jasonc@...ence.org


