Once again: Open-Source != Security; PGP Provides Example

Post by Drestin Blac » Sun, 31 Dec 1899 09:00:00

http://developer.earthweb.com/journal/techfocus/052600_security.html

and here is some more proof - PGP 5, open source for a year and no one spots
this huge vulnerability:

http://cryptome.org/cipn052400.htm#pgp

Post by simon.. » Sun, 31 Dec 1899 09:00:00

What do you expect?

With Linux:

"You get what you don't pay for"

On Mon, 29 May 2000 18:14:29 -0400, "Drestin Black"


>http://developer.earthweb.com/journal/techfocus/052600_security.html

>and here is some more proof - PGP 5, open source for a year and no one spots
>this huge vulnerability:

>http://cryptome.org/cipn052400.htm#pgp

Post by Chris Ahlstro » Sun, 31 Dec 1899 09:00:00

It was nice of those hackers to post how they did it, so that particular hole
can be repaired.  Obviously, giving someone the source code makes it easier to
find flaws in your code.  Nothing really wrong with that.

Of course, as Microsoft proved, you don't need open-source to be left wide
open to a simple attack based on a single mouse click.


> On Mon, 29 May 2000 18:14:29 -0400, "Drestin Black"

> >http://developer.earthweb.com/journal/techfocus/052600_security.html

> >and here is some more proof - PGP 5, open source for a year and no one spots
> >this huge vulnerability:

> From the above article:

> "From a security point of view, the advantages of having the source
> code available for everyone to see far outweighs any benefit hackers
> may gain."

Post by Leslie Mikese » Sun, 31 Dec 1899 09:00:00

>What do you expect?

>With Linux:

>"You get what you don't pay for"

This has nothing to do with Linux - it is entirely a coding
error in PGP, found by public review that would not
be possible if the source were not open.

>On Mon, 29 May 2000 18:14:29 -0400, "Drestin Black"

>>http://developer.earthweb.com/journal/techfocus/052600_security.html

>>and here is some more proof - PGP 5, open source for a year and no one spots
>>this huge vulnerability:

>>http://cryptome.org/cipn052400.htm#pgp

But it was spotted.  The real question is how many trusted but
non-open packages have had even worse errors for longer than that.

  Les Mikesell

Post by Drestin Blac » Sun, 31 Dec 1899 09:00:00

> >What do you expect?

> >With Linux:

> >"You get what you don't pay for"

> This has nothing to do with Linux - it is entirely a coding
> error in PGP, found by public review that would not
> be possible if the source were not open.

bug only exists in the linux and bsd version. that's what.
it was equally possible that it could have been found by internal review as
external. also/hence, were it closed source it's equally possible internal
review would have found it before the exploit was known and irresponsibly
announced to the public instead of sending it privately to the authors.

> >On Mon, 29 May 2000 18:14:29 -0400, "Drestin Black"

> >>http://developer.earthweb.com/journal/techfocus/052600_security.html

> >>and here is some more proof - PGP 5, open source for a year and no one spots
> >>this huge vulnerability:

> >>http://cryptome.org/cipn052400.htm#pgp

> But it was spotted.  The real question is how many trusted but
> non-open packages have had even worse errors for longer than that.

and how many open packages continue to have errors as long or longer that
are simply "assumed" by downloaders to be safe, ex.: "I'm not a programmer
but I'm sure there are a lot of "really smart guys" who've reviewed this
code for me so I'm sure it's safe" - yea... trust open sores(tm)... I'm sure
everyone is looking out for everyone else, for free...

Post by Drestin Blac » Sun, 31 Dec 1899 09:00:00

> It was nice of those hackers to post how they did it, so that particular hole
> can be repaired.

Nice how those hackers posted it PUBLICLY FIRST so that it was available to
everyone instead of privately to the author who could have released a patch
at the same time as announcing it. What if someone doesn't read of the
vulnerability and continues to use the product (not everyone lives in FTP
sites looking for bug fixes) and some /. reader then uses the nicely
publicly provided vulnerability to get in. Gee, thanks open sores(tm)!

> Obviously, giving someone the source code makes it easier to find
> flaws in your code.  Nothing really wrong with that.

Nothing wrong with that. Of course, providing hackers the source code makes
it easier for them to find the vulnerabilities in your code faster too. Gee,
I'm SURE they'll hurry up and report it... or will they?

> Of course, as Microsoft proved, you don't need open-source to be left wide
> open to a simple attack based on a single mouse click.

and as any programmer knows even open source doesn't prevent simple attacks
based on a single keystroke. What good would having an open sores(tm)
version of an email client like Outlook do to prevent something like the
ILOVEYOU virus? Nothing. You'd have to have scripting turned off. That's got
nothing to do with open or closed source. Don't try to run that line in
here - you'll continue to be laughed at.


> > On Mon, 29 May 2000 18:14:29 -0400, "Drestin Black"

> > >http://developer.earthweb.com/journal/techfocus/052600_security.html

> > >and here is some more proof - PGP 5, open source for a year and no one spots
> > >this huge vulnerability:

> > From the above article:

> > "From a security point of view, the advantages of having the source
> > code available for everyone to see far outweighs any benefit hackers
> > may gain."

Post by Drestin Blac » Sun, 31 Dec 1899 09:00:00

> > What do you expect?

> > With Linux:

> > "You get what you don't pay for"

> Haha! What a dumbass! Who's talking about Linux?

well, only the linux version was affected, not the windows version...

Post by lcs3.. » Sun, 31 Dec 1899 09:00:00

> It was nice of those hackers to post how they did it, so that
> particular hole can be repaired.  Obviously, giving someone the source
> code makes it easier to find flaws in your code.  Nothing really wrong
> with that.

> Of course, as Microsoft proved, you don't need open-source to be left
> wide open to a simple attack based on a single mouse click.

Kind of humorous, isn't it?  All those security experts looking
for buffer overflows and the like that may give a malicious
user the ability to run code on a system, and it turns out
that all one has to do is send out a .vbs attachment and hope
that some small segment of the recipients won't notice.  I
suspect that if the average computer security expert were a
burglar, he'd spend weeks tunneling through a ba*t wall
instead of climbing through the open bathroom window.

Post by none » Sun, 31 Dec 1899 09:00:00

> What do you expect?

> With Linux:

> "You get what you don't pay for"

Haha! What a dumbass! Who's talking about Linux?

Post by abrax » Sun, 31 Dec 1899 09:00:00

>> >What do you expect?

>> >With Linux:

>> >"You get what you don't pay for"

>> This has nothing to do with Linux - it is entirely a coding
>> error in PGP, found by public review that would not
>> be possible if the source were not open.
> bug only exists in the linux and bsd version. that's what.
> it was equally possible that it could have been found by internal review as
> external. also/hence, were it closed source it's equally possible internal
> review would have found it before the exploit was known and irresponsibly
> announced to the public instead of sending it privately to the authors.

Just like microsoft's internal review finds all of ITS bugs before someone
exploits them and sends the report to the authors, eh?

Ahem.

-----yttrx

Post by Drestin Blac » Sun, 31 Dec 1899 09:00:00

> >> >What do you expect?

> >> >With Linux:

> >> >"You get what you don't pay for"

> >> This has nothing to do with Linux - it is entirely a coding
> >> error in PGP, found by public review that would not
> >> be possible if the source were not open.

> > bug only exists in the linux and bsd version. that's what.
> > it was equally possible that it could have been found by internal review as
> > external. also/hence, were it closed source it's equally possible internal
> > review would have found it before the exploit was known and irresponsibly
> > announced to the public instead of sending it privately to the authors.

> Just like microsoft's internal review finds all of ITS bugs before someone
> exploits them and sends the report to the authors, eh?

I never made that claim nor comparison. It's the
we're-perfect-cause-we're-open-source nose in the air attitude that needs
readjustment to reality. as the subject line reads: Open-source!=Security.

Post by abrax » Sun, 31 Dec 1899 09:00:00

> I never made that claim nor comparison. It's the
> we're-perfect-cause-we're-open-source

No one has said that.  They've merely pointed out the benefits as
opposed to closed source.

You're seeing monsters, drestin.

-----yttrx

Post by Leslie Mikese » Sun, 31 Dec 1899 09:00:00

>> This has nothing to do with Linux - it is entirely a coding
>> error in PGP, found by public review that would not
>> be possible if the source were not open.

>bug only exists in the linux and bsd version. that's what.

Yes, because they offer a feature that the code uses
incorrectly.

>it was equally possible that it could have been found by internal review as
>external. also/hence, were it closed source it's equally possible internal
>review would have found it before the exploit was known and irresponsibly
>announced to the public instead of sending it privately to the authors.

There is nothing to make anyone believe that would be the case.

>> But it was spotted.  The real question is how many trusted but
>> non-open packages have had even worse errors for longer than that.

>and how many open packages continue to have errors as long or longer that
>are simply "assumed" by downloaders to be safe, ex.: "I'm not a programmer
>but I'm sure there are a lot of "really smart guys" who've reviewed this
>code for me so I'm sure it's safe" - yea... trust open sores(tm)... I'm sure
>everyone is looking out for everyone else, for free...

And how is this different from trusting a much smaller number of
people who have seen closed source code and know that not
many other people are ever going to see it?  

  Les Mikesell

Post by Craig Kelle » Sun, 31 Dec 1899 09:00:00

> > > What do you expect?

> > > With Linux:

> > > "You get what you don't pay for"

> > Haha! What a dumbass! Who's talking about Linux?

> well, only the linux version was affected, not the windows version...

Yeah, but most people use the Windows version in conjunction with
Outlook...

I'll say it for everyone else:  Open Source isn't perfect.

There.  Are you happy now?  Will you please go away?

--
The wheel is turning but the hamster is dead.

Post by simon.. » Sun, 31 Dec 1899 09:00:00

The Windows version seems to not be affected.



>> What do you expect?

>> With Linux:

>> "You get what you don't pay for"

>Haha! What a dumbass! Who's talking about Linux?