On Fri, 07 Mar 2003 18:53:27 +0800 Chong Yu Meng <[EMAIL PROTECTED]> wrote:
> Actually, I've always had trouble buying into the "thousand eyes"
> theory, because it assumes too much about the developer community. Call
> me cynical, but I've seen too many instances of a really obvious problem
> or contradiction escaping the eyes of a great many people, and I'm not
> just talking about Linux here.

I can agree on that. Not every line of code has even two people look at it. But it is a lot better than the alternative. No eyes except some Microserf trying to keep up with the rest of the behemoth to keep it fed. No sir. The Sendmail vulnerability wasn't found by some hacker making a Code Red or Code Blue to exploit it. It was found by ISS, a security company, who was going through a "routine code review". Actually, I'd think less ideal things of him on finding the Snort issue. I'm thinking "competition" at that point.

> Security can be defined in many, many ways. And I don't think
> certification alone is a "guarantee" of security, because certification
> implies a series of tests, which must be standardized, by definition.
> This does not allow for the kind of improvisations that are commonplace
> on the Internet, and cannot possibly test every possible scenario,
> present and future.

Unfortunately, a lot of the proprietary world can't wrap its mind around anything that doesn't cost big bucks. Another example of trusting the money-sink.
