Re: [ISN] No Quality Assurance in Linux

From: Dragos Ruiu (drDURSEC.COM)
Date: Fri May 05 2000 - 02:13:24 CDT


(Re: posting at bottom)

Mr Babcock wrote in Interactive Week....
> "Open source code is great for rapid development, but there's no quality
> assurance role in the typical open source project the way there is in
> commercial software. It's a hobby for people," said Chris Rouland, director of
> the bug identification task force at security package vendor Internet Security
> Systems.

This assertion is patently silly.

If there is no QA in Linux... then why do I have two Windows systems that
can't manage to stay up for four hours at most without crashing (a situation
typical of mine and others' Windows/NT experiences), and a Linux system
(Yes, RedHat even) that has accumulated maybe 10 Minutes of down time
in one reboot in *Two*Years* when there was a UPS failure (a situation typical
of many people's linux/unix experiences)? There are lots of bullets for all
sides in the OS religious wars, but Mr. Rouland's assertion is a Red Herring.

Let's get serious here. Sure ISS or Microsoft has x.y QA engineers per
developer and the Linux kernel relies on the entire world as its QA base.
But let's not mistake that dedicated staff for _Quality_ or processes that
Assure Quality - because their real world track record points against it.

I'm not a "security expert," like Mr. Rouland because anyone who knows
anything about security knows that it's always dangerous to call yourself a
"security expert." I'm wary of people who call themselves "security experts,"
and Mr. Rouland's assertions and their lack of logic do nothing but reinforce
that wariness.

I also question why ZD is propagating nonsense such as this. I suppose just
because ISS said it. But, surely you can find someone who knows something
about security who can come up with more useful reasoning and information for
you than this marketing hype. Let me throw my opinion behind those many others
that think that the Marketing Advisories emanating from ISS and the
subsequent misinformed spectacles in the press grow tiresome.

How have we wound up with -defects- being so glamorous? Baffling really.

cheers,
--dr

--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver

Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld,
 Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD
   Lance Spitzner/Sun, Fyodor Yarochkin/KALUG, Max Vision/whitehats.com

Message: 4
Date: Thu, 4 May 2000 02:36:46 -0500
From: William Knowles <wkC4I.ORG>
Subject: Re: Linux: Testing, Security Concerns Raised

[Forwarded by: Bob Toxen <bobcavu.com>]

William,

> Approved-By: isnC4I.ORG
> Delivered-To: isnlists.securityfocus.com
> Delivered-To: isnsecurityfocus.com
> Date: Wed, 3 May 2000 02:28:03 -0500
> From: William Knowles <wkC4I.ORG>
> Subject: [ISN] Linux: Testing, Security Concerns Raised
> To: ISNSECURITYFOCUS.COM

> http://www.zdnet.com/intweek/stories/news/0,4164,2558624,00.html

> By Charles Babcock, Interactive Week
> May 1, 2000 11:50 AM PT

> A security hole has appeared in a recent version of Red Hat Linux, and
> a security expert said it highlights a more general weakness in open
> source code products: no quality assurance testing before hitting the
> market. Officials at Red Hat disputed the assertion, but moved quickly
> to close the hole.

> The security opening came as a surprise to some Linux users, who have
> considered the operating system (OS) either so well-designed or so
> obscure that it didn't have the same security problems as Windows. Now
> most parties agree that is not the case. The appearance of a security
> issue at a time when users are still asking for more applications is
> unlikely to bolster the fortunes of Linux stocks, which tumbled faster
> and farther than general technology issues in April.

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERVSecurityFocus.com with a message body of
"SIGNOFF ISN".