Secure Coding mailing list archives

RE: White paper: "Many Eyes" - No Assurance Against Many Spies


From: "Dave Paris" <dparis () w3works com>
Date: Fri, 30 Apr 2004 19:44:43 +0100

A couple of key phrases come to mind when reading this:

1) conflict of interest (he's selling "a solution")
2) inappropriate comparison (embedded OS vs. general OS)

I have no problems with someone pointing out flaws in XYZ product when compared to ABC product, provided:

a) they're an independent, uninvolved 3rd party
and 
b) the two products are identical in feature, function, and purpose.

So there are "a couple trusted people" who do the core work.  I wonder what their price is to put a flaw in the 
product?  If they're smart enough to know the entire system, they're undoubtedly smart enough to hide a subtle flaw.  
Money?  Compromising photos?  Threats against themselves or families?  What would it take?

Frankly, I found the entire article nothing but a not-so-thinly veiled advertisement.  Would he be so bold in comparing 
against VxWorks or QNX?  Those are his direct competitors, not the general Linux kernel.  If he wants to go head to 
head against Linux, he needs to specifically cite and compare against the embedded Linux distributions, be it uClinux 
or other.

Kind Regards,
-dsp


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kenneth R. van Wyk
Sent: Thursday, April 29, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: [SC-L] White paper: "Many Eyes" - No Assurance Against Many Spies


FYI, there's a white paper out by Dan O'Dowd of Green Hills Software (see
http://www.ghs.com/linux/manyeyes.html) that says "It is trivial to infiltrate the
loose association of Linux organizations which have developers all over the
world, especially when these organizations don't even try to prevent
infiltration, they accept code from anyone."

Although I don't agree with the positions expressed in the paper, I still find it
interesting to hear what folks have to say.  A story re the paper has been
picked up by Computerworld and LinuxSecurity.com thus far.

Cheers,

Ken van Wyk
http://www.KRvW.com