Great Circle Associates Firewalls
(February 1997)

Subject: Re: to source or not to source? (was: [NTSEC] ActiveX, MSIE and Quicken)
From: Adam Shostack <adam @ homeport . org>
Date: Mon, 3 Feb 1997 22:21:59 -0500 (EST)
To: vince @ cryptonet . it (David Vincenzetti)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <199702031025 . LAA07956 @ relay . cryptonet . it> from David Vincenzetti at "Feb 3, 97 11:17:58 am"

	Malicious hackers have a lot more time on their hands than
good guys.

	They do not, however, tend to publish bugs.  So, what you see
in public is that the many good guys who look at systems with source
available announce problems, while the bad guys, who look at both
source and binaries, do not announce problems.  This is what
statisticians refer to as the self-selection problem.

	Drawing inferences from bad data will probably lead you to bad
inferences.

Adam


David Vincenzetti wrote:
| Sendmail full sources are available, they can be studied
| and examined by everyone, and they can be studied by malicious
| hackers too.  ActiveX sources are not available, and it is
| harder, for a malicious hacker, to spot new bugs.
| Sendmail is a crystal box while ActiveX is a black box
| (remember the old Security Thru Obscurity model?:-).

-- 
Pet peeve of the day: Security companies whose protocols dare not
speak their name, because they don't have one. Guilty company of the
day is now V-One.




