Full Disclosure mailing list archives

RE: [inbox] Re: RE: Linux (in)security


From: Michal Zalewski <lcamtuf () ghettot org>
Date: Thu, 23 Oct 2003 21:48:15 +0200 (CEST)

On Thu, 23 Oct 2003, Curt Purdy wrote:

> This is the reason open-source is inherently more secure.

Oh please. Count Apache bugs this year. Compare to IIS in the same period.
There's nothing inherent to any of the development models. There are good
developers and bad developers on both sides. There are projects and/or
components that are more secure, and ones that are less secure.

Finding bugs in closed source is trivial, and so is finding them in open
source - protocols are usually well-documented or easy to rev-eng, and
very few vulnerabilities both in CS and OS result from thorough source code
audits, as opposed to just brute force, fuzz, "what ifs" or dumb luck.

Closed source bugs, if you look at them, are often equally complex and
nontrivial as OS bugs, suggesting there is no real problem with testing CS
code.

> First, people can actually audit it for security (you think IBM
> recommended Linux without going over every single line of code?)

Yes.

That said, from now on, we are on a crash course to a pointless flame
war, I'm going to shut up now.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-10-23 21:39 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
