Date: Tue, 29 Jun 2004 15:30:19 -0500
From: Kevin Lyons <kevin_lyons@ofdengineering.com>
To: Paul Robinson <paul@iconoplex.co.uk>
Cc: freebsd-chat@freebsd.org
Subject: Re: "TrustedBSD" addons
Message-ID: <40E1D15B.5040605@ofdengineering.com>
In-Reply-To: <20040629201433.GV34683@iconoplex.co.uk>
References: <40E1A6C0.2040406@ofdengineering.com> <40E1B3B5.1020906@palisadesys.com> <40E1B7A3.3040409@ofdengineering.com> <20040629201433.GV34683@iconoplex.co.uk>
Paul Robinson wrote:
> On Tue, Jun 29, 2004 at 01:40:35PM -0500, Kevin Lyons wrote:
>
>>Well, point being that more layers/lines of code added, the more
>>potential vulnerabilities.
>
>
> Myth. Which is more vulnerable to attack - the kernel that gets compiled
> when you build GENERIC, or a few lines that strcpy's some input received
> over a socket running as root?
>
> LOC is about as effective a measure of potential vulnerabilities as it is a
> measure of how productive a developer is or the quality of the design
> process - i.e. it's useless and the myth has been thrown around for god
> knows how long by people who really should know better.*
>
> Well-written code is well-written, no matter how many lines long it is.
> Ditto for badly-written code. I've seen 20-liners that could be broken by a
> competent 13-year old, and 20,000-liners that were impregnable. I am not
> alone.

Hmmm, sounds like the exception that proves the rule. This is a nice argument, but with real-world large projects, i.e. with all things being more-or-less equal, more (normal distribution quality, i.e. average) code is more potential vulnerabilities. I (and Microsoft no doubt) would love to hear of any proof that contradicts this apparent common-sense construction. Is there an ACM or IEEE article that quantifies this?

>>I don't think we can say the FreeBSD or
>>TrustedBSD developers are any more exploit immune than other folks.
>
>
> Based on the number of security announcements over the last 5 years, I could
> argue very convincingly that the FreeBSD and TrustedBSD developers are far
> more exploit immune than the Microsoft OS developers.
>
> Of course, it would be complete bullshit, but that's not the point. :-)
>
>>Not ranting/trolling. Thanks for the info, that is good. As I said, I
>>have not installed/configured it yet. I have been noticing feaping
>>creaturism in FreeBSD as of late so I was simply concerned about it.
>
>
> "Of late"? You've *JUST* noticed? Wow.

:-) I will rephrase, I noticed enough to finally comment.

> * - yes, I know. I expect this now to explode into a silly thread. People
> really should know better.
> --

Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons@ofdengineering.com
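Paul's "few lines that strcpy's some input received over a socket" point, as an added example that is not from the thread or from either project: a short handler that validates the wire format but never compares the peer's length field with its own buffer, beside a version a few lines longer whose check is against the destination size. The message layout (one length byte, then that many payload bytes) and the sample messages are constructed assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* size of the fixed destination buffer */

/* Vulnerable shape: short, and it does validate the wire format, but
 * the sender's length byte is never compared with the destination
 * size, so a length of 16 or more writes past the 16-byte buffer.
 * On benign input it behaves exactly like the bounded version, which
 * is why functional tests alone do not catch it. */
int parse_name_unbounded(const uint8_t *msg, size_t msglen, char *out)
{
    if (msglen < 1) return -1;
    size_t n = msg[0];
    if (msglen < 1 + n) return -1;    /* truncated message */
    memcpy(out, msg + 1, n);          /* out is NAME_MAX_LEN bytes */
    out[n] = '\0';
    return (int)n;
}

/* Hardened shape: a few more lines, but the bound that matters is the
 * destination size, and it is checked before any byte is copied. */
int parse_name_bounded(const uint8_t *msg, size_t msglen,
                       char *out, size_t outsize)
{
    if (msglen < 1 || outsize == 0) return -1;
    size_t n = msg[0];
    if (n >= outsize) return -1;      /* no room for name + terminator */
    if (msglen < 1 + n) return -1;    /* truncated message */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample messages: one benign, one whose length byte
 * exceeds the buffer, as a hostile peer could send. */
const uint8_t sample_ok[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
const uint8_t sample_big[] = { 20, 'x','x','x','x','x','x','x','x','x','x',
                                   'x','x','x','x','x','x','x','x','x','x' };

/* Helper: run the bounded parser into a buffer of the real size and
 * report whether it produced exactly `expected` (1) or not (0). */
int bounded_yields(const uint8_t *msg, size_t msglen, const char *expected)
{
    char buf[NAME_MAX_LEN];
    if (parse_name_bounded(msg, msglen, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}
```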