>
> > > Here's a simple quick question, the answer to which will vary
> > > from person to person. Why do you want the source for your security tools?
>
> How can anyone really trust *any* software they do not have the source for?
> If you didn't compile it yourself, you cannot trust it.
Well, you do not see many companies refusing to use most of the software
packages that do not include source. I guess a lot of people don't mind
mistrusting their software, i.e. Netscape, Windows and almost any decent word
processor.

Hey, sendmail 8.6.x has had its src available forever, and are you saying
you totally trust it?? Oh yeah, we fixed all the bugs in that program. grin.

There have been plenty of programs where, with src, it was easy for anyone
to insert a trojan and upload it, and no one noticed for months, i.e. an irc
client, wu-ftp, and SATAN. Without src, it is a lot harder for someone to
go into a program and add a trojan.

So, even with src, you can't trust it. You can inspect it, but that
definitely does not mean you will find all the vulnerabilities.
The same goes for disassembling the binary and inspecting that.

Look, just because the src is available on the Internet does not give it
a stamp of being secure. It just means you have an equal chance of
finding vulnerabilities in the src code, but since most hackers don't mind
staying up all night trying to find the vulnerabilities for free, they
probably have the upper hand in many cases, i.e. the sendmail pipe bug: when
CERT released an advisory saying hackers were exploiting the problem and no
one was releasing details till someone posted all the info on Usenet, the
hackers definitely had the upper hand.

I haven't heard of any cases where commercial firewalls without src
are any more vulnerable than FWTK. If you know of a commercial firewall
product that has vulnerabilities but does not include src, let us know.
I'm sure a few exist, but I do not believe anyone has posted anything to
prove that to the Firewalls mailing list yet.

That's fine if you want to say providing src makes a product more secure,
but most Unix security incidents (especially trojans) suggest otherwise.

The only example I can think of that tends to cause more security problems
by not providing src is SunOS. But I think anyone who has been
in security for a while knows Suns are the most popular machine broken
into, and they probably have src code more widely available at
universities and companies than any other commercial OS, so hackers
still have access to that src code. Also, many of the security
problems stemming from SunOS are not due to a lack of src being
available, but more so to how fast a company deals with the issues and
how seriously they take them. Sun is getting better. HP is a good
counter-example where the company doesn't provide src and you do
not hear many people complaining about HP-UX being so insecure, even though
the occasional vulnerability appears from time to time.
Cheers,
Christopher
--
Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc. Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
Follow-Ups:
- Re: TRUST US, From: peter@nmti.com (Peter da Silva)
- Re: TRUST US, From: "Simon J. Gerraty" <sjg@zen.void.oz.au>
- Re: TRUST US, From: joshua geller <alkahest!joshua@dee.retix.com>
References:
- Re: TRUST US, From: bentley@sugar-land.oilfield.slb.com (Michael Bentley)