lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3FB37C11.2060000@egotistical.reprehensible.net>
From: ge at egotistical.reprehensible.net (Gadi Evron)
Subject: clarification - reasons as to why commercial software *could* be
 better

Okay. This all starts to have the feeling of a flame war to me, so I 
will summaries what I think was mis-understood, explain where I start 
and my reasoning and call it a.. morning.

First of all, notice the subject.. *could* be better, not *is* better.

I do believe in open source, and most of my machines are open source based.

Microsoft, we all don't like Microsoft, ranging from being uncomfortable 
with it to pure hate. I just don't see why we have to blame the whole 
world with Microsoft.
Microsoft is not a very good representation of commercial software when 
it comes to security. On the other hand, when you count economic success...

As to open source, and whether it is more secure or not, is really a 
matter of personal opinion, one could present arguments either way.

Many companies chose commercial software because of the arguments I 
presented earlier, and pasted again below.

MY POINT was, that there are things to be said for commercial software, 
whether they are theoretical or practical, that can be presented against 
open source software as better.
The over-all comparison is a very different issue. I was not comparing 
it to open source software. I keep an open mind.

And excuse me, but with all the respect in the world.. as to my LAST 
point (3) - when one doesn't have the source code, one finds it more 
difficult, AGAIN, to a level, to find holes in the software.

NOT every kid in the world who *knows* how to read code, also knows how 
to even.. use a disassembler. If that takes some kids off the software's 
"back". it is a plus. Is it a major one? I think it is. But that is only 
my opinion.

I don't really understand why some of you would chose to attack the 
whole issue, and myself personally, rather than present arguments 
against commercial software, instead of _for_ open source, i need no 
convincing there. I even stated that I personally am for open source.. 
go figure. This was not the subject of the email message.

Blind zealots! :)

Personally, I'd rather view the code and find any potential risks 
myself, but it doesn't change the fact that when a serious company (as i 
mentioned before, serious) releases a product, it may, to a level, be 
better because of all the perks you get by relying on it being 
commercial software. On the good side, as I mentioned earlier, can be:

 > 1. A serious (note serious) commercial company that has a crew working
 >    on addressing security concerns, and updating the product.

Note, serious company ?

 > 2. A commercial company providing with liability (and responsibility)
 >    for the software you use (in other words - tech support and
 >    someone to blame).

Who talked about law suits? I mentioned tech support and blame.
</cynic>

 > 3. No source (!!) available for people to examine, thus making it, to
 >    a level, harder to locate security "holes" - for outsides in any
 >    case.

Read again what I said - TO a level, harder.

I hope this clears things.

I would like to thank those of you who answered seriously, especially 
those who disagreed with me

To all the trolls: remember, this is the Internet. 10 years from now 
someone will Google (or whatever else) you and see you as a troll. :o)

-- 
       Gadi Evron (i.e. ge),
       ge@...uxbox.org.

The Trojan Horses Research mailing list - http://ecompute.org/th-list

My resume (Hebrew) - http://vapid.reprehensible.net/~ge/resume.rtf

PGP key for ge@...uxbox.org -
http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
Note: this key is used mainly for files and attachments, I sign email 
messages using:
http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ