From: chill at (Charles E. Hill)
Subject: Microsoft prepares security assault on Linux


> 2. A commercial company providing with liability (and responsibility)
> for the software you use (in other words - someone to blame).

What commercial software company actually offers guarantees and some form
of liability?  I've *never* heard of anyone successfully suing MS or
Oracle or anyone else for their software screwing up.  SAYING you can
blame Microsoft is one thing -- doing it (other than pointing fingers) is

> 3. No source available for people to examine, thus making it, to a
> level, harder to locate security "holes" - for outsiders in any case.
>        Gadi Evron (i.e. ge),

You mean like the backdoor inserted -- by company programmers -- into
Borland's/Inprise's Interbase database?  The one that wasn't discovered
until the program was open sourced - several YEARS later?  Yes, it had
been exploited for YEARS by the hacking community.

Putting it bluntly, auditing takes time and skill.  Closed source
companies' main priority is NOT stability and security, but "good enough"
so they can sell more software.  Dedicating programmers to do nothing but
fix bugs is a waste of company resources, after that "good enough" line is

At least with open source I have the option of either fixing little bugs
myself, or paying someone to do it.  With closed source, my business is at
the mercy of the software company.

Charles E. Hill
Senior Partner
Herber-Hill LLC
