
open source != secure

  • #1 spod

    ok, so it's blatantly ripped from slashdot, but it says something I've said for a long time, provides concrete examples, and is also probably far more elegantly put than I could be bothered to do.

    Just because you *can* read the source, doesn't mean someone *has* read the source, in its entirety, comprehended it, done a full audit etc. yadda yadda.

    A very nice example of a hole in pgp5 is cited on /.; it's a gaping hole in pgp5 in certain conditions caused by an exceptionally trivial slip-up in the code. PGP has long been held up as an example of why open source security software is good: people can audit it, peer review etc., leading to better software.

    The pgp5 hole:

    RandBuf = read(fd, &RandBuf, count); /* broken: read() returns the byte count, which overwrites the random byte just read */
    read(fd, &RandBuf, 1);               /* ok: the return value is discarded, the random byte stays in RandBuf */

    kinda tricky to spot if you're looking for some obvious NSA-planted backdoor..
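    The bug pattern above, reproduced as an added example (not code from the post or from PGP itself): a constructed stand-in for read() on /dev/random, called with count 1 as in the fixed line, shows that the broken form yields the constant 1 for every "random" byte while the fixed form returns the source bytes and stops on a short read.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample bytes standing in for /dev/random (not real entropy). */
static const unsigned char POOL[8] = {0x9c, 0x03, 0xe7, 0x51, 0x2a, 0xb8, 0x6d, 0xf4};
static size_t pool_pos;

/* Stand-in for read(fd, buf, 1): copies the next pool byte into buf and,
 * exactly like read(), returns the number of bytes read (1), or 0 at EOF. */
static ssize_t fake_read(int fd, void *buf, size_t count)
{
    (void)fd;
    if (count != 1 || pool_pos >= sizeof POOL)
        return 0;
    memcpy(buf, &POOL[pool_pos++], 1);
    return 1;
}

/* Broken PGP 5.0 pattern: the return value of read() (the byte count, 1)
 * is stored back into RandBuf, clobbering the byte that was just read. */
size_t fill_broken(unsigned char *out, size_t n)
{
    unsigned char RandBuf = 0;
    size_t i;
    pool_pos = 0;
    for (i = 0; i < n; i++) {
        RandBuf = (unsigned char)fake_read(0, &RandBuf, 1);
        out[i] = RandBuf;            /* always 1, whatever the pool held */
    }
    return i;
}

/* Fixed pattern: the return value is checked for a short read, never stored. */
size_t fill_fixed(unsigned char *out, size_t n)
{
    unsigned char RandBuf = 0;
    size_t i;
    pool_pos = 0;
    for (i = 0; i < n; i++) {
        if (fake_read(0, &RandBuf, 1) != 1)
            break;                   /* stop rather than use stale data */
        out[i] = RandBuf;
    }
    return i;
}
```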


  • See the "computersecurity news (29/05/00)"


  • shhhh! it's monday morning...

    The PGP 5.0 hole was just a small part of the post; the article is far more interesting. It's by the maintainer of mailman, a mailing list proggie. It's a nice treatise on why in theory open source, peer review etc. is a good thing(tm) but in practice everyone assumes someone else read over the code, plus testing is far less rigorous than for commercial applications.


    think I'll have a nap..

  • Hmmmm, nothing startlingly new in the article. Just seems like a rehash of things that have been said before, but this time getting a programmer who admits he had buggy code to say it.

  • Hmmgh

    I wasn't trying to say that the article was new and groundbreaking, just that it was well written and refreshingly honest, especially considering it's by the author of a fairly popular piece of open source software.

    It's pointing out something which is pretty self-evident (well, it has been to me for quite a while) but which the GNU crowd, especially people like rms, tend to deny, i.e. that just because the source is public the software isn't necessarily heavily audited and secure; in fact it quite probably is developed by people in their spare time and not put through the rigours of testing for commercial software. etc.

    so, just to reiterate, nice, honest if not earth shattering article which I liked and thought other people might like.