Vulnerability Development mailing list archives
Re: Notes Domino Server Platform for e-commerce?
From: sincity_mark () INAME COM (Mark L. Jackson)
Date: Wed, 9 Feb 2000 21:29:42 -0800
Blue Boar said:
> To answer a few specifics: Notes/Domino has had a web component for like 2 or 3 years, not 10.

The original post did not say anything about NOTES being a 'web server'. Technically it does the same thing as a web server, though. FYI: The code that NOTES (Domino) uses has been around longer than Apache.

Blue Boar said:
> I find your faith ... disturbing.

As opposed to your faith in Apache, I presume? If NOTES fails IBM takes the blame; if Apache fails who takes the blame? A small cadre of 'open source' devs with little to lose?

Blue Boar said:
> ...I agree that code review is one of the bigger factors for how secure something should be considered. We don't know how much Notes has had, it's not published.

Code Review is one of the bigger blah blah blah. Oh please. The only thing that matters is how it performs. I have seen 'open source' code that did not work nor would it ever work. Yet it is openly available for code review! Code review does not guarantee anything. Any idiot can read the code; that does not mean they can find a bug. The biggest problem with 'open source' software is that there is very little (if any) accountability. Code review is no substitute. Who cares if I can see the source code. If you can compile it, you can corrupt it. Yes, I know a lot of you will not agree, but then you probably are not 'on the hook' for a company's performance.

Blue Boar said:
> Another indicator for how secure something might be is past bugs:

Again, the only way to measure security is whether you can break into a system or not. Number of past bugs has no bearing on security. The only thing that matters is whether you can exploit a bug to get into the system. That depends on the current status of the system that you would be attempting to breach. Number of past bugs *might* be an indicator of whether there will be future bugs; then again, bugs are a naturally occurring incident.

Blue Boar said:
> These things would *seem* to indicate that IBM/Lotus is still stuck in the wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive auditing.

How would they seem to indicate anything other than that it is software? If you were to apply this statement to Apache then you would have to conclude the same thing. Isn't 'open source' about finding and fixing bugs 'after the fact'? You seem to labor under the assumption that you can have it both ways: code review for open source to search for bugs, but not for proprietary apps, all the while hailing the find-it-and-fix-it mentality as good for 'open source' but not for proprietary. I use IBM tools, work on an AS/400, and deal extensively with IBM. I can say from experience that IBM *DOES* extensive debugging. Why you would make such a ludicrous statement shows an incredible ignorance and arrogance. By the way, how do you know they ever coded this way?

Blue Boar said:
> In addition, Notes (the whole collection of things called Notes) is pretty large and complex, and includes its own databases and access-lists. This does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely.

So what you are saying is big almost always equals bugs. Then I would have to say that UNIX (and the clones) are full of bugs. *BUT* you said that code review (as most UNIX, Linux go through) is one of the best ways to get rid of bugs. Quite a conundrum, wouldn't you say? Does that also mean that 'open sauce' is stuck in the wait-for-bugs-then-fix-them mode? First it is bad, then it is good; which is it? You also seem to say that a cadre of developers without any contact, coming from disparate points on the globe, all with differing ideas and directions, can create a better piece of software than a group of developers working for the same company, with the same agenda, and reliant on that company's success. THAT IS BIZARRE. FOCUS always wins.

Blue Boar said:
> In addition, there's lots of room for misconfiguration.

You of course are speaking of 'open source' products like Linux, Apache etc....

Blue Boar said:
> In short, I think calling Notes "secure" as a blanket statement is at best generous.

And I find your rebuttals lacking in any substance.

In conclusion: No software is totally secure. Most apps are at the mercy of users, and other apps, and especially the O/S. One app that is not secure on NT might well be on OS/400 or eS/390 or Solaris etc... Number of bugs indicates little when taken out of context. UNIX for years was riddled with bugs; that does not in and of itself make it insecure. Blanket statements like 'big is buggy', 'open source' is good, are nonsense and are of no use to anyone. If you are unwilling to consider the current situation and how the software will be used within that situation then you will only cause more problems. There is no one best platform, O/S, app. There is a current best for each time and place. That is what has to be considered.