New L.A.M.E. on Slashdot
From [link|http://slashdot.org/comments.pl?sid=33782&cid=3655471|here]:
A few months ago I posted a number a few articles on my own web site about the security risk created by open source. No doubt a few /.ers recall finding out about the so-called attack upon open source and pried open their emailer.

Problem was that it was not an attack upon open source at all but rather a rather strong suggestion that having the source code for an application or OS can have its downside. And, that is that anyone who has access to that code and your machine can modify it as they see fit. And, those modifications may not be with "your" approval (assuming you own the joint).

The point was that having source code comes with a price. And, that price is additional vigilance and perhaps some controls.

It is known that a sizable threat comes from within and not only over the internet or lan. And, those who are in a position to alter your OS or key application also have the ability to abuse that access.
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New I was wrong; he doesn't sound so "reformed" at all... <SIGH>
New Quoting out of context can be fun
And, those who are in a position to alter your OS or key application also have the ability to abuse that access.

Isn't this the big problem most sensible people have with Microsoft?
On and on and on and on,
and on and on and on goes John.
New Thing is, he kind of has a point
Only problem is, his point is, "Things that aren't the same are different."
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New Re: L.A.M.E. on Slashdot
BWahahaha....

I got to Moderate (not meta-moderate) that one down... BWAHAHAHAH!

greg, curley95@attbi.com -- REMEMBER ED CURRY!!!
New He's still worried about his secretary?
Do you think he'll be able to understand the concept of [link|http://www.ddj.com/articles/1999/9912/|Attack Trees]?

His point is that....

On identically insecure machines.....

That being, the machines have no physical security or scheduled remote security checks....

An individual with enough time to completely reload and reconfigure your machine....

Will have a SLIGHTLY (my word) easier time if said person has the source code to your OS and apps.

Now, in MY experience, simply swapping the keyboard on your machine (you have physical access, remember) with one that will record keystrokes and then complaining that it doesn't work will accomplish the same goal. The admin will attempt to log in using his/her username/password and you have their info.

Now, this requires less time, less expertise, less everything and there is no chance you will be caught because you failed to copy someone's configuration file correctly.

So, is Open Source MORE insecure than closed source IF you have to IGNORE the EASIER attacks on BOTH?

Suppose you have a choice of two banks. Both banks leave their money in handy bags on the front porch at night so the customers can withdraw whatever they want and leave a signed note saying what they took.

But bank #2 doesn't check the signatures on the notes.

Which bank is more insecure?

Duh! Bank #2 is more insecure because you can sign someone else's name!

In other words, a "security" evaluation that requires a stated level of INSECURITY is not a security evaluation.

There is no security without physical security.
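
The comparison argued in the post above, worked as a small attack-tree evaluation. This is an added example and not part of the original post; the node names, the `cheapest` and `build_tree` helpers and every effort value are constructed for illustration, assuming only that having the source makes modifying the OS somewhat cheaper.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "or" (any child), "and" (all children)
    cost: int = 0                 # attacker effort for a leaf, constructed units
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (effort, leaf names) for the least-effort way to reach node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    return sum(r[0] for r in results), [n for r in results for n in r[1]]

def build_tree(modify_os_cost, physical_access_cost=1):
    """Attack tree for the thread's scenario; all costs are constructed."""
    def access():
        return Node("physical access", cost=physical_access_cost)
    keyboard = Node("recording keyboard", "and", children=[
        access(),
        Node("admin logs in at console", cost=2),
    ])
    reload_os = Node("reload modified OS", "and", children=[
        access(),
        Node("build modified OS", cost=modify_os_cost),
        Node("copy configuration correctly", cost=10),
    ])
    return Node("control the machine", "or", children=[keyboard, reload_os])

# Assumed: source access makes the modification step cheaper, not free.
OPEN_SOURCE, CLOSED_SOURCE = 20, 30

def compare(physical_access_cost=1):
    """Root effort for (open, closed) source under one physical-access cost."""
    return tuple(cheapest(build_tree(c, physical_access_cost))[0]
                 for c in (OPEN_SOURCE, CLOSED_SOURCE))

if __name__ == "__main__":
    for access_cost in (1, 100):
        print(access_cost, compare(access_cost),
              cheapest(build_tree(OPEN_SOURCE, access_cost))[1])
```

The root effort is the same for both cases because the cheaper branch never touches the OS source, and the only leaf that moves the result is the shared physical-access one.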
New Now imagine the New M$ freebie keyboard bundle..
..maybe with another cockamamie Windoze-oriented key like, Press to RRR

And ..inside, a tad o' flash-ROM and a few listener flags: IF online THEN send contents piggybacked on the "Is My Copy of XP Legit?" packet-set, er ---> send it Home.

{sigh} as 'lectronics gets teenier and teenier, why INSIDE that apparently innocent "keyboard BIOS" chip could be - a mere HAL-8999, a parsin and a savin and a notatin and..

Callin Home just often enough.. Take That! LAM,E

Gotta LOVE them 'encapsulated' stealth packets! (the next Big Thing, if I read correctly)


Ashton
Advanced Product Development, Redmond
What do you want to will you send us Today?
     L.A.M.E. on Slashdot - (drewk) - (6)
         I was wrong; he doesn't sound so "reformed" at all... <SIGH> -NT - (CRConrad) - (2)
             Quoting out of context can be fun - (Meerkat) - (1)
                 Thing is, he kind of has a point - (drewk)
         Re: L.A.M.E. on Slashdot - (folkert)
         He's still worried about his secretary? - (Brandioch) - (1)
             Now imagine the New M$ freebie keyboard bundle.. - (Ashton)