Malicious hackers have a lot more time on their hands than
good guys.
They do not, however, tend to publish bugs. So, what you see
in public is that the many good guys who look at systems with source
available announce problems, while the bad guys, who look at both
source and binaries, do not announce problems. This is what
statisticians refer to as the self-selection problem.
Drawing inferences from bad data will probably lead you to bad
inferences.
Adam
David Vincenzetti wrote:
| Sendmail full sources are available, they can be studied
| and examined by everyone, and they can be studied by malicious
| hackers too. ActiveX sources are not available, and it is
| harder, for a malicious hacker, to spot new bugs.
| Sendmail is a crystal box while ActiveX is a black box
| (remember the old Security Thru Obscurity model?:-).
--
Pet peeve of the day: Security companies whose protocols dare not
speak their name, because they don't have one. Guilty company of the
day is now V-One.