[Web4lib] Phishing exploits in emails
Jonathan Gorman
jtgorman at uiuc.edu
Thu Feb 8 10:32:25 EST 2007
> Because the product is open source anyone can download it and examine it
> for possible security holes, then look for places that have installed the
> software and enter the system through a hole that, because it is open
> source, is more easily discovered.
Mentioning Open Source here is a little bit of a red herring, don't you
think? One of the major issues is unpatched systems, regardless of
whether they're closed or open. There exist tools for examining exploits
or mistakes in compiled binaries. Worst case scenario, anyone can use
tools to dump the binary back out into assembler.
In fact, when I think of several of the largest-scale compromises, they
tend to all be unpatched closed-source systems. Code Red, ILoveYou, and
the countless IE 5/6 ActiveX exploits all used unpatched closed-source
systems.
I agree that open-source code by its nature can lead to people snooping
through the code. But it's not unheard of for the source of closed-source
products to get leaked or for hackers to target systems that might have
source code for closed programs. At least with open source there is the
possibility of using a third party to analyze a piece of software for
security exploits.
Jon Gorman