Erik said:

> Don't you ever get tired of this sort of crap? Any experienced
> sysadmin knows that security is largely a function of how well the
> sysadmin sets up and maintains the system for security (or lack
> thereof), regardless of operating system. The only real difference
> is that for the really gung-ho sysadmin who is willing and able to
> get into every detail (including possibly modifying source code),
> there are more levers available to tweak and lock down the system
> when running open source.

That's not the only factor at work. Designing secure protocols and
secure systems is incredibly hard, and the only way to have any degree
of confidence at all is to subject the design or implementation to a
wide range of examinations and criticisms. With open source products,
the pool of critics is much wider than with any closed source product,
and so it's only open source products that have a hope of being secure
(and even then many of them will not be). Microsoft, for example, have
on occasions completely screwed up the security of their protocols by
extending public protocols (which have withstood the acidic scrutiny of
the whole cryptology community) with their own extensions (which looked
okay to their in-house experts but turned out to be flawed).

There's a good discussion of this in Bruce Schneier's _Secrets and
Lies_.

Rich
_______________________________________________
http://www.mccmedia.com/mailman/listinfo/brin-l