From: Kevin Lyons
Date: Tue, 29 Jun 2004 15:44:31 -0500
To: Paul Robinson
Cc: freebsd-chat@freebsd.org
Subject: Re: "TrustedBSD" addons

Paul Robinson wrote:
> On Tue, Jun 29, 2004 at 03:30:19PM -0500, Kevin Lyons wrote:
>
>>Is there an ACM or IEEE article that quantifies this?
>
> You can not write an accurate assessment of potential vulnerabilities, only
> discovered ones.

Well then discovered vulnerabilities vs. code size? When one says
something is a Myth, it is always nice to be able to prove why?

> It does not take a genius to work out that it only takes one line of badly
> written code to introduce a vulnerability. It does not take a genius to
> realise that badly written code is as much a management issue as any other.

Does it take a genius to realize the normal distribution and random
coding errors by competent programmers occur all the time (even by
security conscious programmers) and that the more code is written,
therefore the probability of a vulnerability increases linearly?

> It certainly does not take a genius to assert that well written code
> impregnable code is well written and impregnable no matter how many lines of
> code it is made up of.

Given the perfect programmer that is a true statement.

>>>"Of late"? You've *JUST* noticed? Wow. :-)
>>
>>I will rephrase, I noticed enough to finally comment.
>
> Even so. :-)
>

--
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons@ofdengineering.com