Well, you certainly got a point there. One could claim that such source compromises are possible with closed source SW too and in such a case, indeed logical to assume, it is more difficult to find, verify and correct the code AND close the security hole through which the intruder got in (not to mention finding it). Due to the nature of such organizations, they are naturally more confident in their security obtained from their closeness than prepared for such breaches. That sounds logical.

Yet, one cannot claim that the openness of OSS is just and strictly an advantage. It's a different SW development approach whose structure has its own inherent *possible* weaknesses. Identifying and arranging for such incidents in the structure of the development process is what makes this model safe, and indeed, this case is an example of such a "preparation" and successful execution.

In terms of OSS public relations there are two important things here:
A. Indeed, the openness brings its own "issues" (not to say, problems) that need to be admitted, not quickly silenced (but of course supplemented with the complementary answer -> see B). Such breaches can be easily performed within closed source organizations, and must have already happened - *but surely not so easily admitted*.
B. Yet, arranging for these issues makes the security of the OSS model at least as good, if not better, than closed source SW, exactly as demonstrated by this real world case, and the letters in this thread demonstrate similar breaches within closed source organizations and *their* consequences. In short - there is a weak point in the openness model. It is greatly acknowledged and treated, hence achieving a better security model. Don't be impressed by the publicity it gets - you just don't hear of such cases in closed source organizations.


My point of view, at least.
Boaz.



Gilad Ben-Yossef wrote:

Interesting message I got.
Isn't that a demonstration of the *real* (no FUD) open source model
security break points?



Actually, you just pointed out one of the Open Source security model's greatest strengths, not weaknesses. How come?


Well, think about what happened here: someone managed to gain unlawful access to a distribution point of Linux source code and altered the code to introduce a back door. The fact the file changed was found out by a "sanity check", but the true nature of the change (being a backdoor) was understood when the altered code was inspected by the community.

Now, what would have happened if this was a run of the mill closed source security firm?

First of all, I seriously doubt that the fact of the change would have been detected at all, but even if it were, the sys admin discovering it would "fix the technical problem" and would never ever send it to the R&D (which is another dept., which is hated by the IT team). The nature of the change would never be detected and the back door might never even be corrected, assuming the sys admin "fix" would be to ignore the error.

In short - people breaking in and putting in back doors happens in both open and closed source. But only in Open Source is there a real chance that someone would discover it. In closed source land it's always "someone else's problem".

Gilad



