Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

open source != secure

  • 29-05-2000 9:45am
    #1
    Registered Users, Registered Users 2 Posts: 332 ✭✭


    http://developer.earthweb.com/journal/techfocus/052600_security.html

    ok, so it's blatantly ripped from slashdot, but it says something I've said for a long time, provides concrete examples, and is also probably far more elegantly put then I could be bothered to do.

    Just because you *can* read the source, doesn't mean someone *has* read the source, in it's entirety, comprehended it, done a full audit etc. yadda yadda.

    A very nice example of a hole in pgp5 is cited on /. http://cryptome.org/cipn052400.htm#pgp it's a gaping hole in pgp5 in certain conditions caused by an exceptionally trivial slip up in the code. PGP has long been held up as an example of why open source security software is good, people can audit it, peer review etc. leading to better software.

    The pgp5 hole:

    RandBuf = read(fd, &RandBuf, count); - broken
    read (fd, &RandBuf, 1); - ok

    kinda tricky to spot if you're looking for some obvious nsa planted backdoor..


Comments

  • Closed Accounts Posts: 60 ✭✭anonym00se


    See the "computersecurity news (29/05/00)"
    thread

    ;]


  • Registered Users, Registered Users 2 Posts: 332 ✭✭spod


    shhhh! it's monday morning...

    PGP 5.0 hole was just a small part of the post, the developer.com article is far more interesting, it's by the maintainer of mailman a mailing list proggie. It's a nice treatise on why in theory open source, peer review etc. is a good thing(tm) but in practice everyone assumes someone else read over the code plus testing is far less rigourous then for commercial applications.

    *yawn*

    think I'ill have a nap..


  • Closed Accounts Posts: 60 ✭✭anonym00se


    Hmmmm nothing startlingly new in the
    developer.com article. Just seems
    like a rehash of things that have been
    said before but this time getting a programmer who admits he had buggy
    code to say it.



  • Registered Users, Registered Users 2 Posts: 332 ✭✭spod


    Hmmgh

    I wasn't trying to say that the developer.com article was new and ground breaking, just that it was well written and refreshingly honest, especially considering it's by the author of a fairly popular piece of open source software.

    It's pointing out something which is pretty self-evident, well, it has been to me for quite a while, but which the gnu crowd, especially people like rms, tend to deny. ie. that just because the source is public the software isn't necessarily heavily audited and secure, in fact it quite probably is developed by people in their spare time and not put through the rigours of testing for commercial software. etc.

    so, just to reiterate, nice, honest if not earth shattering article which I liked and thought other people might like.


Advertisement