Date: Sun, 11 Feb 2001 21:19:01 -0800 From: "Ted Mittelstaedt" <tedm@toybox.placo.com> To: "Terry Lambert" <tlambert@primenet.com> Cc: "Matt Heckaman" <matt@LUCIDA.CA>, "Kris Kennaway" <kris@obsecurity.org>, "FreeBSD-ADVOCACY" <freebsd-advocacy@FreeBSD.ORG> Subject: RE: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE Message-ID: <000401c094b3$4f1050a0$1401a8c0@tedm.placo.com> In-Reply-To: <200102120258.TAA17366@usr08.primenet.com>
I posted that as a smart-assed comment, but in all seriousness it depends on your definition of a security hole.

From a technical, programmer's point of view, a security hole is a hole that's just sitting there waiting for someone to come along and take advantage of. The mere fact that nobody (including the programmer) is aware it's there doesn't make the hole go away.

But, from the popular press's point of view, and from an administrative point of view, a security hole is equivalent to an "exploited security hole", while an unknown security hole is of no account. The popular press doesn't give consideration to unexploited, potential security holes, or they wouldn't call Microsoft's OSes secure, nor would any Microsoft OS be able to receive any kind of security certification (nor would any other OS). The administrators don't give any consideration to unexploited, potential security holes; they build filters only to block known security holes.

All this hairsplitting boils down to the old argument of when the CEO or investor or bank investigator asks any programmer or administrator "Is the system secure?" we all just smile and nod and say that it is, all the while knowing that it's impossible to make anything 100% secure. And the security industry is the worst about it, because not only do they know that nothing is truly secure, but they get paid every day for telling people that software and devices are secure that cannot in theory be 100% secure.
Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

> -----Original Message-----
> From: owner-freebsd-advocacy@FreeBSD.ORG
> [mailto:owner-freebsd-advocacy@FreeBSD.ORG]On Behalf Of Terry Lambert
> Sent: Sunday, February 11, 2001 6:58 PM
> To: Ted Mittelstaedt
> Cc: Matt Heckaman; Kris Kennaway; FreeBSD-ADVOCACY
> Subject: Re: FreeBSD Ports Security Advisory:
> FreeBSD-SA-01:INSERT_NUMBER_HERE
>
> > Say rather than unknown, unpublished. If nobody knew about them they
> > wouldn't be security holes now would they?
>
> If a bug falls in the code, and there's no one there to audit it,
> does it still make a security hole?
>
> Sorry, but if a tree falls in the forest, and there's no one there
> to hear it, it still makes a longitudinal compressional wave... and
> a sound, if chaos theory is to be believed.
>
> Terry Lambert
> terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-advocacy" in the body of the message