Date: Sun, 13 Aug 2000 00:27:17 -0400
To: "Christian Jacken"
From: "Andrew C. Greenberg"
Subject: Re: How safe is FreeBSD?

At 1:14 AM -0300 8/13/00, Christian Jacken wrote:
>Hello guys,
>
>sometimes Microsoft supporters get me in serious trouble when it comes to
>the questions "how should we trust our main operations to an operating
>system made by a bunch of open source programmers" and "you say that Microsoft
>or NSI possibly have a backdoor to Windows2000, but how can we be sure that
>there is no backdoor in Red Hat or FreeBSD"?
>
>Can you help me?

Because, unlike Windows2000, you can audit the code yourself. All of the code. Each and every line. You can tell between versions when it was changed and how it was changed. Line by line, each and every line.

In comparison, Microsoft does not permit independent code audits, leaving you the options only to leave it, or to take it and rely on Microsoft's representations and warranties: strictly limited to a representation that the code conforms to documentation for a period of 90 days. You might study the documentation all you like, but I suspect you will look in vain for the sentence stating that "there is no backdoor or other security hole in Windows2000."
This is a fundamental difference between open source and proprietary software.

Should you be incapable of doing the audit yourself, you can of course hire someone else to do that for you. Try to do that with Windows2000.

Finally, if you are not inclined to audit code yourself, or to hire someone to audit it for you, you may choose to rely instead upon the consensus of a substantial and long-lived open source community that studies, at least aggregately, all the code. Of course, we could ALL be spies for your competitors, but that would be highly unlikely. Thus, you can trust the consensus of a disinterested community committed to their own self-interest, or you can rely on the non-representations of an entity interested in selling you its software.

Relying upon the consensus of others, of course, isn't without risk -- but it would be entirely your choice whether to do so or not.

You see, unlike Windows2000, you can audit the code yourself. All of the code. Each and every line.

-- 
Andrew C. Greenberg          acg@netwolves.com
V.P. Eng., R&D,              813.885.2779 (office)
NetWolves Corporation        813.885.2380 (facsimile)
www.netwolves.com

Please use werdna@mucow.com instead of werdna@gate.net