>Open architecture favors security -- the likelihood of a lone genius
>finding a flaw is no greater than that of responsible persons finding
>one, probably less.
I don't think this is true. If it were true, then there would be no
such thing as an "expert."
However, I do agree that the probability of a sufficient number of
less-skilled persons finding a flaw increases with the number of
persons testing the implementation.
That is why I question whether it is of any profit to Microsoft to release
information about the implementation of security in their products "to
the wild" when it has probably already been reviewed internally by
their own experts.
The problem that I see here is what happens when one of those
"less-skilled" persons finds a flaw. We all have different ideas of
what constitutes a reward in those circumstances.
A typical example is the IIS GET vulnerability that Eugene Kalinin
discovered when trying to attack my test proxy server. My reward (and
probably his) is that we identified a security flaw under controlled
conditions before it could be exploited in the wild, and managed to
get a solution from MS to ensure that it couldn't be exploited in the
future. Someone else's idea of a reward for this situation might be
posting a message about this on several bulletin boards, then standing
back and watching the fireworks until MS provided a fix.
Anyway, that's enough pontification from me on this issue. 'tis the
season and all that ... :-). I'll try to leave any further
pontification up to the experts :-).
Best Wishes for the Season to everyone,
Brian Steele