Vulnerability Development mailing list archives
Re: Notes Domino Server Platform for e-commerce?
From: wozz+exploit-dev () WOOKIE NET (Wozz)
Date: Thu, 10 Feb 2000 03:09:55 -0700
On Wed, Feb 09, 2000 at 09:29:42PM -0800, Mark L. Jackson wrote:
> As opposed to your faith in Apache, I presume? If NOTES fails IBM takes the blame, if Apache fails who takes the blame? A small cadre of 'open source' devs with little to lose?
Me and X thousand other developers can fix the bugs in Apache when they come up. What if IBM decides that the bug isn't a real bug? What do you do then?
> Blue Boar said:
> > ...I agree that code review is one of the bigger factors for how secure something should be considered. We don't know how much Notes has had, it's not published.
> Code Review is one of the bigger blah blah blah. Oh please. The only thing that matters is how it performs. I have seen 'open source' code that did not work nor would it ever work. Yet it is openly available for code review!
There's a difference between Open Source and code that's been reviewed for security holes. OpenBSD vs Linux is a prime example of this.
> Code review does not guarantee anything. Any idiot can read the code, does not mean they can find a bug.
But the Apache folks aren't "any idiot". Do you know who wrote Domino? How do you know they're not drooling feeble nimrods?
> The biggest problem with 'open source' software is that there is very little (if any) accountability. Code review is not a substitute. Who cares if I can see the source code. If you can compile it, you can corrupt it. Yes I know a lot of you will not agree, but then you probably are not 'on the hook' for a company's performance.
I'm on the hook. I'm the security admin for a BIG cable modem provider, and I use only Open Source (or Open Source derived) stuff for my security boxes.
> Blue Boar said:
> > Another indicator for how secure something might be is past bugs:
> Again the only way to measure security is whether you can break into a system or not. Number of past bugs has no bearing on security. The only thing that matters is whether you can exploit a bug to get into the system. That depends on the current status of the system that you would be attempting to breach. Number of past bugs *might* be an indicator of whether there will be future bugs, then again bugs are a naturally occurring incident.
So, if they're naturally occurring, there's no reason to assume Domino is secure.
> Blue Boar said:
> > These things would *seem* to indicate that IBM/Lotus is still stuck in the wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive auditing.
> How would they seem to indicate anything other than it is software? If you were to apply this statement to Apache then you would have to conclude the same thing. Isn't 'open source' about finding and fixing bugs 'after the fact'? You seem to labor under the assumption that you can have it both ways; code review for open source to search for bugs, but not for proprietary apps. All the while hailing the find it and fix it mentality as good for 'open source' but not for proprietary.
Code Review is about finding and fixing the bugs BEFORE the fact. Fixing a bug after it's been found is not a code review. Open Source has nothing to do with it. Open Source is not a development model, it's a theory for how software should be developed. Again, OpenBSD vs Linux is a prime example. Two different development models, two different results as regards security.
> I use IBM tools, work on an AS/400, and deal extensively with IBM. I can say from experience that IBM *DOES* extensive debugging. Why you would make such a ludicrous statement shows an incredible ignorance and arrogance.
In general, open software is better software. Debugging != code review
> By the way how do you know they ever coded this way?
> Blue Boar said:
> > In addition, Notes (the whole collection of things called Notes) is pretty large and complex, and includes its own databases and access-lists. This does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely.
> So what you are saying is big almost always equals bugs. Then I would have to say that UNIX (and the clones) are full of bugs. *BUT* you said that code review (as most UNIX, Linux go through) is one of the best ways to get rid of bugs. Quite a conundrum, wouldn't you say. Does that also mean that 'open sauce' is stuck in the wait-for-bugs-then-fix-them mode? First it is bad, then it is good, which is it?
I don't think you understand what a code review is. Open Source is not inherently code reviewed. Open Source provides the capability for anyone to do a code review, but that doesn't mean it's been done. As far as I know, Linux has never gone through an extensive security code review (partly because there are so many different flavors of Linux it would be sort of pointless). OpenBSD on the other hand, has. Once again, Code Review != wait-for-bugs-then-fix-them.
> You also seem to say that a cadre of developers without any contact, coming from disparate points on the globe, all with differing ideas and directions can create a better piece of software than a group of developers working for the same company, with the same agenda, and reliant on that company's success. THAT IS BIZARRE. FOCUS always wins.
Bzzt, best code wins. And to imply that Open Source developers have no contact is even more BIZARRE. Most open source projects I've been involved with have a lot more communication going on than your typical corporate development group. Someone's been to a few too many "team-building" exercises.
> Blue Boar said:
> > In addition, there's lots of room for misconfiguration.
> You of course are speaking of 'open source' products like Linux, Apache etc....
Anyone can misconfigure something. The nice thing about open source is, if you are confused about how something is configured, you can read the code and find out. If you are confused about how to configure a closed source product, you have to rely on the support folks for the product knowing what they're doing.
> Blue Boar said:
> > In short, I think calling Notes "secure" as a blanket statement is at best generous.
> And I find your rebuttals lacking in any substance.
And I, yours.
> In conclusion: No software is totally secure. Most apps are at the mercy of users, and other apps, and especially the O/S. One app that is not secure on NT might well be on OS/400 or eS/390 or Solaris etc... Number of bugs indicate little when taken out of context. UNIX for years was riddled with bugs, that does not in and of itself make it insecure. Blanket statements like 'big is buggy', 'open source' is good, are nonsense and are of no use to anyone. If you are unwilling to consider the current situation and how the software will be used within that situation then you will only cause more problems. There is no one best platform, O/S, app. There is a current best for each time and place. That is what has to be considered.
Surprisingly, I agree completely with these last three paragraphs. And increasingly, folks are finding the current best to be Open Sourced ;)
Current thread:
- Re: Notes Domino Server Platform for e-commerce? andrej () KTU EDU (Feb 09)
- <Possible follow-ups>
- Re: Notes Domino Server Platform for e-commerce? Blue Boar (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Wozz (Feb 10)
- Re: Notes Domino Server Platform for e-commerce? Martin Bishop (Feb 10)