[Web4lib] Phishing exploits in emails
Micah Stevens
micah at raincross-tech.com
Thu Feb 8 11:22:35 EST 2007
On 02/08/2007 07:32 AM, Jonathan Gorman wrote:
>
>> Because the product is open source anyone can download it and examine
>> it for possible security holes, then look for places that have
>> installed the software and enter the system through a hole that,
>> because it is open source, is more easily discovered.
>
> Mentioning Open Source here is a little bit of a red herring, don't you
> think? One of the major issues is unpatched systems, regardless of
> whether they're closed or open. There exist tools for examining
> exploits or mistakes in compiled binaries. Worst case
> scenario, anyone can use tools to dump the binary back out into
> assembler.
>
> In fact, when I think of several of the largest-scale compromises,
> they tend to all be unpatched closed-source systems. Code Red,
> ILoveYou, and the countless IE 5/6 ActiveX exploits were all used on
> unpatched closed-source systems.
>
> I agree that open-source code by its nature can lead to people
> snooping through the code. But it's not unheard of for the source of
> closed-source products to get leaked or for hackers to target systems
> that might have source code for closed programs. At least with open
> source there is the possibility of using a third party to analyze a
> piece of software for security exploits.
>
> Jon Gorman
>
Agreed, open source has greater visibility and therefore a greater
audience of people 'doing good' than people 'doing bad'. Smaller
projects are a different beast, but the large ones, such as Apache for
example, I would trust more than a closed-source system for exactly this
reason. But if you don't patch your system, anything is dangerous.
-Micah