The other side of openness is that it's not just the good guys who can read the 
code and find bugs to exploit. The bad guys also have arguably a stronger 
motivation, money, to find them than the good guys who are rewarded by a warm 
fuzzy feeling.

If the code is not published then you can only use black box testing to find 
the bugs, along with the nous that comes from experience of the types of 
mistakes that programmers routinely make. It's far easier in my experience to 
find bugs using white box as well as black box testing, but it works the same 
way for the goodies and the baddies.

B

> On 10 Apr 2014, at 23:40, "Bruce Walker" <bruce.wal...@gmail.com> wrote:
> 
> We're really talking averages here. Yes, this is a nasty bug that
> leads to a serious vulnerability, but in general and over time the
> more eyes that can see code the more likely that errors will be
> caught. And if you examine the OpenBSD record you'll see that it has
> worked well.
> 
> Microsoft's closed-source model has a very poor record. There's
> nothing to crow about there. Windows and its vulnerability of the week
> club is the poster child for what happens when a badly designed system
> is deployed so widely. The only people that lay eyes on that code are
> Microsoft engineers, and I wouldn't give them the time of day when it
> comes to secure code. Most of the spam and malware that arrives every
> second is hosted on and delivered from infected Windows boxes, both
> clients and servers, well organized (by miscreants) into botnets.
> 
> Having spent a number of years designing, writing, auditing and
> analyzing secure code I can tell you that it's hard and very
> stressful. With either model -- open or closed -- you are always one
> small blunder away from introducing an exploitable vulnerability into
> your product.
> 
> 
>> On Thu, Apr 10, 2014 at 2:51 PM, Gerrit Visser <gerrit...@psgv.ca> wrote:
>> Sometimes you get what you pay for. Certainly puts a dent in the
>> "peer-reviewed code is more secure" mantra.
>> 
>> Gerrit
>> 
>> -----Original Message-----
>> From: PDML [mailto:pdml-boun...@pdml.net] On Behalf Of Darren Addy
>> Sent: Thursday, April 10, 2014 1:50 PM
>> To: Pentax-Discuss Mail List
>> Subject: Re: Heartbleed
>> 
>> I found a local internet service provider (and web host) that was vulnerable
>> and alerted them.
>> 
>> Interesting that this DOES NOT affect the Windows web server (IIS).
>> Probably the first time in history that IIS web admins are happy that they
>> manage a Microsoft product.
>> 
>>> On Thu, Apr 10, 2014 at 12:02 PM, Darren Addy <pixelsmi...@gmail.com> wrote:
>>> That's a very good point Steve. (I generally consider anything that I
>>> haven't already thought of as a Good Point).
>>> : )
>>> 
>>> Now who in the world do we think might have the resources to store
>>> huge amounts of encrypted internet traffic? [COUGH! nsa COUGH!]
>>> http://www.buzzfeed.com/charliewarzel/the-nsa-and-the-real-problem-behind-the-heartbleed-security
>>> 
>>> 
>>> 
>>>> On Thu, Apr 10, 2014 at 11:54 AM, steve harley <p...@paper-ape.com> wrote:
>>>> on 2014-04-10 10:29 Darren Addy wrote
>>>> 
>>>>> What the HeartBleed Attack Really Means:
>>>>> 
>>>>> http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html
>>>> 
>>>> 
>>>> it's amusing to see the media rush to explain Heartbleed; perhaps it
>>>> will increase technical literacy and cause an appropriate correction
>>>> in the trust we have for internet services
>>>> 
>>>> that article is surprisingly good, but it misses slightly on what it
>>>> calls a "worst-case scenario" -- the worst case is that some entities
>>>> stored huge amounts of encrypted internet traffic, even from before
>>>> the date the bug was introduced into OpenSSL, and now Heartbleed has
>>>> been used to get the keys to unlock that trove
>>>> 
>>>> also unstated is how Heartbleed will encourage more entities to store
>>>> as much encrypted traffic as possible on the expectation that there
>>>> will be other bugs to get the newer keys
>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> PDML Pentax-Discuss Mail List
>>>> PDML@pdml.net
>>>> http://pdml.net/mailman/listinfo/pdml_pdml.net
>>>> to UNSUBSCRIBE from the PDML, please visit the link directly above
>>>> and follow the directions.
>>> 
>>> 
>>> 
>>> --
>>> Photographers must learn not to be ashamed to have their photographs
>>> look like photographs.
>>> ~ Alfred Stieglitz
>> 
> 
> 
> 
> -- 
> -bmw
> 
