echo: linuxhelp
to: Geo.
from: Tony Williams
date: 2002-11-30 15:07:14
subject: Re: Most Unsecure OS? Yep, It`s Linux

From: Tony Williams 

Geo. wrote:
> "Tony Williams"  wrote in message
> news:3de9007f$1{at}w3.nls.net...
>
>>>are the same people who widely scrutinized the original module that has the
>>>"security exploit" going to be doing the scrutinizing of the fix?
>>>
>>
>>I would think so, as well as others who know their track record...
>
>
> What motivation do they have to do a good job, does their livelihood depend
> upon the reputation of this code?

Their pride does, and that can be a more powerful motivator. To some extent
their livelihood can depend on it; not all open source coders do it in
their spare time.

> I can go on and on with this but the net result is that from my pov,
> security wise there is little difference between open and closed source
> programs. As proof, check the CERT top ten list and determine which of the
> top 7 are open/closed source.

I started out agreeing that the number of exploits is more or less the
same. My point is that the fixes to open-source apps are made available to
the end users more quickly.

--
Tony

> http://www.sans.org/topten.htm
>
> 1. BIND
> 2. Vulnerable CGI programs and application extensions (e.g., ColdFusion)
> installed on web servers.
> 3. Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd (ToolTalk),
> rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root
> compromise
> 4. RDS security hole in the Microsoft Internet Information Server (IIS)
> 5. Sendmail and MIME buffer overflows as well as pipe attacks that allow
> immediate root compromise.
> 6. sadmind and mountd
> 7. Global file sharing and inappropriate information sharing via NetBIOS and
> Windows NT ports 135->139 (445 in Windows2000), or UNIX NFS exports on port
> 2049, or Macintosh Web sharing or AppleShare/IP on ports 80, 427, and 548.
>
> seems open/closed source makes no difference to me..
>
> Geo.
>
>

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)

SOURCE: echomail via fidonet.ozzmosis.com
