Re: clarification - reasons as to why commercial software *could* be better

[vb () dontpanic ulm ccc de]

On Thu, Nov 13, 2003 at 04:41:53AM -0800, Gadi Evron wrote:
> First of all, notice the subject.. *could* be better, not *is* better.

Also "could be better" is wrong.

There are good (financial) reasons for closed source software also.
But I cannot see one of them in your list.

> Microsoft, we all don't like Microsoft

Please do not use such generalisations - I already stated that I have
nothing against Microsoft, and that I meant seriously.

> Microsoft is not a very good representation of commercial software when 
> it comes to security.

For some software fortunately you're right.
For some software unfortunately you're wrong.

> Many companies chose commercial software because of the arguments I 
> presented earlier, and pasted again below.

But these companies make a mistake.

> And excuse me, but with all the respect in the world.. as to my LAST 
> point (3) - when one doesn't have the source code, one finds it more 
> difficult, AGAIN, to a level, to find holes in the software.

Sorry, I cannot see that at all. Obviously you don't know people
who do that.

Additionally, the opposite is true. You're even more secure with
OpenSource, because then many people you can trust in check the
code by just reading source. Those people also could check the
code by debugging the object code. But they won't do that. Why?
Those people usually don't read source for finding security flaws
but for personal interest or for developing purposes. And coming 
by they're detecting possible problems - and publicate them.

> > 1. A serious (note serious) commercial company that has a crew working
> >    on addressing security concerns, and updating the product.
> Note, serious company ?

Yes. I noted. ;-)

> > 2. A commercial company providing with liability (and responsibility)
> >    for the software you use (in other words - tech support and
> >    someone to blame).
> Who talked about law suits? I mentioned tech support and blame.
> </cynic>

You're able to receive tech support and someone to blame for Free
Software also. It is a well known lie that for Free Software commercial
support does not exist support at all. (I think, we're not talking about
OpenSource Software here, but about Free Software, right?)

> > 3. No source (!!) available for people to examine, thus making it, to
> >    a level, harder to locate security "holes" - for outsides in any
> >    case.
> Read again what I said - TO a level, harder.

Quite the contrary is true - no source available does not detain anybody
from finding security holes, apart from many of the people who care for
their removal.

VB.
-- 
Volker Birk, Postfach 1540, 88334 Bad Waldsee, Germany
Phone +49 (7524) 912142, Fax +49 (7524) 996807, dingens () bumens org
http://fdik.org, Deutsches IRCNet fdik!~c_vbirk () wega rz uni-ulm de
PGP-Key: http://www.x-pie.de/vb.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html