Mylos

Open Source and security audits

Phil Windley quoted me as a skeptic. Since his website is widely read and this is a hot-button issue for many people, I would just like to clarify my position on the issue.

I think open source is quasi-necessary but not sufficient for true security. Closed source solutions basically mean blind trust in a vendor. I wouldn’t take relatively serious vendors like Oracle or Sun at face value, let alone one with a chequered past like Microsoft.

That said, the availability of source is not in itself a guarantee that security bugs will be found proactively, for two reasons:

  1. The “with enough eyeballs, all bugs are shallow” fallacy. While this may be true of a known bug, security is like the proverbial weakest link in a chain. Once a security bug is identified, it is relatively easy to fix and distribute; the real problem is becoming aware of its existence in the first place. This can only be done by systematic source audits searching for patterns like buffer overflows. This kind of systematic audit, as practised by the OpenBSD team or some companies like SuSE, is neither easy nor cheap. It will certainly not come about because a casual source browser stumbled upon an issue.

  2. Even a full audit of source code is not sufficient to identify all vulnerabilities. Ken Thompson, co-creator of Unix, demonstrated this in his classic paper Reflections on Trusting Trust (PDF), where he put a backdoor into the login program and successfully concealed his tracks in the source by moving the backdoor into the bootstrapped compiler binary: the compiler recognised when it was compiling login and inserted the backdoor, and recognised when it was compiling itself and re-inserted both tricks, so the published source of both programs stayed clean.
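To make the second point concrete, here is a toy re-creation of the Trusting Trust attack. It is an added example written for this page, not Thompson's code nor anything from a real compiler: the "machine" is Python's exec(), a "binary" is a string of Python source, the clean "compiler" is an identity translation, and the login program, the skeleton-key password and the `def login(` / `def compile(` recognisers are all constructed for the illustration. The point it shows is that the compiler can be rebuilt any number of times from audited, pristine source and still emit the backdoor.

```python
"""Toy 'Trusting Trust' simulation (constructed example, not real software).

A "binary" is Python source that exec() will run; a "compiler" turns program
source into such a binary.  The trojaned compiler rewrites two programs on
the fly: login (adds a skeleton key) and the compiler itself (re-inserts the
trojan), so the trojan survives rebuilding the compiler from clean source.
"""

# Constructed sample programs.  Neither contains the word "backdoor".
LOGIN_SRC = """
PASSWORDS = {"alice": "correct horse battery staple"}

def login(user, password):
    return PASSWORDS.get(user) == password
"""

COMPILER_SRC = """
def compile(source):
    # Clean compiler: pass-through translation of source into a "binary".
    return source
"""

# Payload spliced after the real login definition.  The key is hypothetical.
LOGIN_PATCH = '''
_real_login = login
def login(user, password):
    if password == "backdoor-skeleton-key":
        return True
    return _real_login(user, password)
'''

# Self-reproducing compiler payload.  The two %r slots are filled with the
# login payload and with this template's own text, so every compiler binary
# the trojan emits carries a full copy of the trojan (a quine-style trick).
# A real attack would recognise the target far more robustly than a substring.
COMPILER_PATCH_TEMPLATE = '''
_real_compile = compile
_LOGIN_PATCH = %r
_COMPILER_PATCH_TEMPLATE = %r
def compile(source):
    binary = _real_compile(source)
    if "def login(" in source:
        binary += _LOGIN_PATCH
    if "def compile(" in source:
        binary += _COMPILER_PATCH_TEMPLATE %% (_LOGIN_PATCH, _COMPILER_PATCH_TEMPLATE)
    return binary
'''


def run_binary(binary):
    """'Execute' a binary and return the namespace it defines."""
    namespace = {}
    exec(binary, namespace)
    return namespace


def clean_compiler():
    """A compiler that never passed through the attacker's hands."""
    return run_binary(COMPILER_SRC)["compile"]


def trojaned_compiler_binary():
    """Stage 1: the binary the attacker built once, by hand, and installed."""
    return COMPILER_SRC + COMPILER_PATCH_TEMPLATE % (LOGIN_PATCH, COMPILER_PATCH_TEMPLATE)


def rebuild_compiler(rounds):
    """Audit COMPILER_SRC, find it clean, and rebuild the compiler `rounds`
    times with whatever compiler binary is currently installed."""
    installed = run_binary(trojaned_compiler_binary())["compile"]
    for _ in range(rounds):
        installed = run_binary(installed(COMPILER_SRC))["compile"]
    return installed


def login_built_with(compiler):
    """Compile the (clean) login source and return the resulting login()."""
    return run_binary(compiler(LOGIN_SRC))["login"]


def diverse_double_compile_differs():
    """The check source review cannot replace: compile the same compiler
    source with an independent compiler and compare the binaries byte for
    byte (a simplified form of Wheeler's diverse double-compiling)."""
    trusted_build = clean_compiler()(COMPILER_SRC)
    suspect_build = rebuild_compiler(1)(COMPILER_SRC)
    return trusted_build != suspect_build


if __name__ == "__main__":
    login = login_built_with(rebuild_compiler(3))
    print("skeleton key accepted after 3 clean rebuilds:",
          login("alice", "backdoor-skeleton-key"))
    print("independent build differs from installed build:",
          diverse_double_compile_differs())
```

The only defence that works here is the last function: nothing in the source reveals the trojan, so the binaries themselves have to be compared against a build from an independently trusted toolchain. That is also why the systematic audits mentioned under point 1 need to cover the build environment, not just the application's source tree.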

Good riddance to CRT monitors

From CNET News.com:

Flat-panel monitors to take market lead

Flat-panel monitors for desktop computers are expected to surpass traditional cathode ray tube monitors in revenue this year, a sea change for the display industry.

And a good thing too. CRT monitors contain large quantities of toxic materials such as lead, and their disposal comes at a terrible human cost. All my home desktop machines now have LCD monitors. If you are in the market for a monitor, please spend the extra $100 or so. Your eyes and the planet will thank you.

Batteries over two millennia old!

This BBC article (via Slashdot) describes the fascinating discovery of batteries in Baghdad dating to 200 BC. They were basically clay pots with copper cylinder cores that were to be immersed in some electrolyte such as wine or vinegar. Their purpose is still unknown.

Eat your heart out, Energizer bunny!

Coble says internment of Japanese-Americans was appropriate

Charlotte Observer

Rep. Coble (R-NC) stated on radio he feels the internment of Japanese-Americans during World War II was justified and appropriate given the circumstances. He justifies his position with the bogus argument that this was done for their own protection.

Rep. Mike Honda (D-CA) was interned as a child with his family at a concentration camp like Manzanar. I had the privilege to hear him speak a few months ago, and he recalled his father saying: “Mike, if it’s for your own protection, you have to wonder why you’re inside barbed wire with machine guns pointed at you.”

The problem is, Rep. Coble is not just another faceless bigot disgracing Congress. He is the chairman of the Judiciary Subcommittee on Crime, Terrorism and Homeland Security. Like Trent Lott before him, he should be made to resign as his positions show just how unfit he is for that office.