Free Republic
Hackers send Sendmail a message [Open Source Software Hacked]
CNET News.com ^ | October 9, 2002, 4:21 PM PT | Robert Lemos

Posted on 10/09/2002 5:54:22 PM PDT by Bush2000

To: rdb3
My comments *aren't* aimed at every Linux or Mac user. Just the strident ones who throw stones at other platforms when their own glass house needs tending...
101 posted on 10/10/2002 5:31:30 PM PDT by Bush2000
[ Post Reply | Private Reply | To 100 | View Replies]

To: for-q-clinton
Yep, we pretty much agree. There are some that can review the source code. What for? I can review the code and look for obvious signs of problems, but who has the time? Best to pay a reputable company to do it for you.

But the advantage of having custom mods made in open source code is very real. And the ability to fix bugs which others may call 'features' is very real. This can result in significant competitive advantage to the user of the mods.

The adherence to open standards is also a very real advantage. Your data is hostage to no one.

But by and large the real advantage to open source is you get a choice. The closed source one size only, gives you no choice. Might work for games, but is wanting for real work.

snooker
102 posted on 10/10/2002 6:26:07 PM PDT by snooker
[ Post Reply | Private Reply | To 64 | View Replies]

To: snooker
As I said earlier I think we pretty much agree on those points.

But there are also good points to COTS (commercial off the shelf) software. For example, deployments. Try to deploy linux and manage it for 100,000 desktops. It's much easier to manage with Windows XP and 3rd party management tools. Plus regardless of what others say it's much easier to use than linux and is just as reliable if not more (assuming you have good IT practices).

Also cost. Yes, cost. Depending on size of roll out and complexity of the application, COTS is often cheaper to buy, maintain, and manage than open source software. Yes, there are times when open source is the more cost effective solution, but often times it's not. Especially in the support arena. If you need someone to manage your windows apps it's probably cheaper than trying to find someone to manage your customized open source app.

There are pros and cons to both. I think MS knows this and they strive to fill the weaknesses in their model. For example, as I mentioned earlier I believe they allow enterprise customers access to their source code.

103 posted on 10/10/2002 6:57:57 PM PDT by for-q-clinton
[ Post Reply | Private Reply | To 102 | View Replies]

To: for-q-clinton; TechJunkYard; stainlessbanner
For example, deployments. Try to deploy linux and manage it for 100,000 desktops.

100,000 Linux desktops? Stipulate that the desktops would be Red Hat. Give me a team of 25 RHCE sysadmins and I'd have no problem managing an enterprise like that. None at all.

104 posted on 10/10/2002 7:31:49 PM PDT by rdb3
[ Post Reply | Private Reply | To 103 | View Replies]

To: for-q-clinton
What happens if a black hat hacker reads the source code and finds a buffer overrun opportunity and then discovers he can get admin permissions with that buffer overrun?

Obviously, it's bad news for anyone running that software. If the attacker can get administrative privileges, they can do anything.

Do the white hats automagically find out at the same instance and have a patch that automagically deploys to all machines that require it?

It's highly unlikely they would discover the same problem at the same instant. But if someone is the victim of an attack, access to the source code can help (a) determine how the attack was achieved and (b) establish effective countermeasures.

So basically I'm asking how does the open source world manage the hotfix process and what do they do to ensure that the bad guys don't use the source code for bad things?

In my opinion, the best defenses are good design methodologies, good programming practices, good testing and peer review.

Input/Output functions, memory moves and other potentially dangerous operations should use good defensive practices like bounds checking. Some languages like Java are designed to encourage safer programming practices. (Microsoft is notorious for their unsafe design and programming practices.)

Data suites should be developed for testing each version of the software and the results should be compared with previous versions. The test data should include invalid data, attempts to overflow buffers, etc.

Most of the key open source network applications (FTP, Apache, rlogin, etc.) do benefit from peer review. Thousands of security issues have been discovered and fixed before the black hats were able to exploit them.

Trustworthy sources of distribution and checksums of distributions are beneficial. That was helpful in catching the sabotaged Sendmail distribution before it became widespread.

105 posted on 10/10/2002 7:43:12 PM PDT by HAL9000
[ Post Reply | Private Reply | To 98 | View Replies]

To: rdb3
Right on, rdb3. I would rather manage large environments with unix/linux than Microsoft. The command line is much more powerful than point and click, if you have the knowledge.
106 posted on 10/10/2002 7:45:32 PM PDT by stainlessbanner
[ Post Reply | Private Reply | To 104 | View Replies]

To: for-q-clinton
Just curious, which Microsoft tool are you using to deploy/manage 100k desktops?

I find open source inherently easier to support b/c of the large user community and willingness to share solutions. With COTS, I am often limited to the vendor's tech team, and at their mercy to solve issues.

107 posted on 10/10/2002 7:50:28 PM PDT by stainlessbanner
[ Post Reply | Private Reply | To 103 | View Replies]

To: for-q-clinton
You may write checks to techies, but you surely don't understand their lingo.

You are right. I don't "understand their lingo" in the way you describe. I don't have anyone that juvenile working for me.

108 posted on 10/10/2002 7:56:39 PM PDT by isthisnickcool
[ Post Reply | Private Reply | To 83 | View Replies]

To: Bush2000
No, Bush2000, I know that in business competition is often spoken of in warlike terms, but come on. That's pretty rude, don't you think?
109 posted on 10/10/2002 9:28:52 PM PDT by Liberal Classic
[ Post Reply | Private Reply | To 89 | View Replies]

To: Liberal Classic
No, Bush2000, I know that in business competition is often spoken of in warlike terms, but come on. That's pretty rude, don't you think?

Maybe to the effete among us who have trouble differentiating between metaphor and reality.
110 posted on 10/11/2002 8:40:42 AM PDT by Bush2000
[ Post Reply | Private Reply | To 109 | View Replies]

To: isthisnickcool
You are right. I don't "understand their lingo" in the way you describe. I don't have anyone that juvenile working for me.

Of course not. Who would want to work for a humorless guy like you? Have you resorted to banning laughter yet?
111 posted on 10/11/2002 8:42:58 AM PDT by Bush2000
[ Post Reply | Private Reply | To 108 | View Replies]

To: Bush2000
Of course not. Who would want to work for a humorless guy like you? Have you resorted to banning laughter yet?

Humorless is starting threads like this just to cause fights between folks. Or using a forum like this to wage your silly little "holy war". A "war" between Microsoft and "them". A war that's mostly in your head. Because no matter how many times you post your love of Microsoft or your dislike for what is not Microsoft it won't matter.

As much as you wish, nothing you do will change the way the market runs. Nothing. You have no control. Zero.

Humorless? Me? Nah!

Bush2000 is The Microsoft Guy Raging his "holy war" for Bill Gates.

112 posted on 10/11/2002 9:34:17 AM PDT by isthisnickcool
[ Post Reply | Private Reply | To 111 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
