From owner-freebsd-chat@FreeBSD.ORG Tue Jun 29 20:30:37 2004
Return-Path: 
Delivered-To: freebsd-chat@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05E6F16A4CE for ; Tue, 29 Jun 2004 20:30:37 +0000 (GMT)
Received: from mail9.atl.registeredsite.com (mail9.atl.registeredsite.com [64.224.219.83]) by mx1.FreeBSD.org (Postfix) with ESMTP id B671643D3F for ; Tue, 29 Jun 2004 20:30:36 +0000 (GMT) (envelope-from kevin_lyons@ofdengineering.com)
Received: from imta02a2.registeredsite.com (imta02a2.registeredsite.com [64.225.255.11])i5TKUOnq011637; Tue, 29 Jun 2004 20:30:24 GMT
Received: from ofdengineering.com ([66.137.123.97]) by imta02a2.registeredsite.com with ESMTP <20040629203023.VWEU4947.imta02a2.registeredsite.com@ofdengineering.com>; Tue, 29 Jun 2004 16:30:23 -0400
Message-ID: <40E1D15B.5040605@ofdengineering.com>
Date: Tue, 29 Jun 2004 15:30:19 -0500
From: Kevin Lyons
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Paul Robinson
References: <40E1A6C0.2040406@ofdengineering.com> <40E1B3B5.1020906@palisadesys.com> <40E1B7A3.3040409@ofdengineering.com> <20040629201433.GV34683@iconoplex.co.uk>
In-Reply-To: <20040629201433.GV34683@iconoplex.co.uk>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-chat@freebsd.org
Subject: Re: "TrustedBSD" addons
X-BeenThere: freebsd-chat@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Non technical items related to the community
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Tue, 29 Jun 2004 20:30:37 -0000

Paul Robinson wrote:
> On Tue, Jun 29, 2004 at 01:40:35PM -0500, Kevin Lyons wrote:
>
>> Well, point being that more layers/lines of code added, the more
>> potential vulnerabilities.
>
> Myth. Which is more vulnerable to attack - the kernel that gets compiled
> when you build GENERIC, or a few lines that strcpy's some input received
> over a socket running as root?
>
> LOC is about as effective a measure of potential vulnerabilities as it is a
> measure of how productive a developer is or the quality of the design
> process - i.e. it's useless and the myth has been thrown around for god
> knows how long by people who really should know better.*
>
> Well-written code is well-written, no matter how many lines long it is.
> Ditto for badly-written code. I've seen 20-liners that could be broken by a
> competent 13-year old, and 20,000-liners that were impregnable. I am not
> alone.

Hmmm, sounds like the exception that proves the rule. This is a nice
argument, but with real-world large projects, i.e. with all things being
more-or-less equal, more (normal distribution quality, i.e. AVG) code is
more potential vulnerabilities. I (and Microsoft no doubt) would love to
hear of any proof that contradicts this apparent common-sense
construction. Is there an ACM or IEEE article that quantifies this?

>> I don't think we can say the FreeBSD or
>> TrustedBSD developers are any more exploit immune than other folks.
>
> Based on the number of security announcements over the last 5 years, I could
> argue very convincingly that the FreeBSD and TrustedBSD developers are far
> more exploit immune than the Microsoft OS developers.
>
> Of course, it would be complete bullshit, but that's not the point. :-)
>
>> Not ranting/trolling. Thanks for the info, that is good. As I said, I
>> have not installed/configured it yet. I have been noticing feaping
>> creaturism in FreeBSD as of late so I was simply concerned about it.
>
> "Of late"? You've *JUST* noticed? Wow. :-)

I will rephrase: I noticed enough to finally comment.

> * - yes, I know. I expect this now to explode into a silly thread. People
> really should know better.
>
> --

Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons@ofdengineering.com
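The "few lines that strcpy's some input" comparison in the quoted message is easy to make concrete. The following is an added illustration, not code from this thread or from FreeBSD: a constructed 16-byte request buffer (`LINE_MAX`, `handle_unbounded` and `handle_bounded` are names chosen here), with the unbounded copy the message alludes to placed beside a length-checked version that rejects anything which does not fit, so the short, dangerous form and its mitigation can be read side by side.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size buffer of the kind a small network
 * daemon might use to hold one request line. Not from the original thread. */
#define LINE_MAX 16

/* The pattern the quoted message refers to: strcpy() copies until the NUL
 * terminator of the input, regardless of how large the destination is.
 * Input longer than LINE_MAX - 1 bytes overflows 'line' (undefined behaviour),
 * which is the entire defect in two lines. Only short input is ever passed
 * to it below; it is here to show the shape of the bug, not to trigger it. */
int handle_unbounded(const char *input)
{
    char line[LINE_MAX];
    strcpy(line, input);             /* no length check at all */
    return (int)strlen(line);
}

/* Hardened form: look for the terminator inside the space we actually have,
 * refuse the input if it is not there, then copy with an explicit bound and
 * terminate ourselves. Returns the number of bytes stored, or -1 if the
 * input was rejected as too long for the buffer. */
int handle_bounded(const char *input)
{
    char line[LINE_MAX];
    const char *end = memchr(input, '\0', LINE_MAX);  /* NUL within LINE_MAX? */
    if (end == NULL)                 /* no terminator in range: would not fit */
        return -1;
    size_t n = (size_t)(end - input); /* n <= LINE_MAX - 1 here */
    memcpy(line, input, n);
    line[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: one that fits the buffer and one that does not. */
    const char *short_req = "GET /index";                          /* 10 bytes */
    const char *long_req  = "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";  /* 37 bytes */

    printf("bounded, short request:   %d\n", handle_bounded(short_req));   /* 10 */
    printf("bounded, long request:    %d\n", handle_bounded(long_req));    /* -1 */
    printf("unbounded, short request: %d\n", handle_unbounded(short_req)); /* 10 */
    /* handle_unbounded(long_req) is deliberately not called: it would overflow. */
    return 0;
}
```

The point of the bounded version is that the decision to accept or reject is made before any byte is written, using the destination's size rather than the input's, which is the property the unbounded version lacks regardless of how few lines it occupies.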