Bugtraq mailing list archives
RE: Windows Update: A single point of failure for the world's economy?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 4 Sep 2003 09:59:05 -0500
-----Original Message----- From: Jeremy C. Reed [mailto:reed () reedmedia net] Sent: Wednesday, September 03, 2003 5:12 PM To: Schmehl, Paul L Cc: Stefano Zanero; BugTraq Subject: Re: Windows Update: A single point of failure for the world's economy? cvsup (or cvs) to update to new operating system or ports/pkgsrc sources is different because: - you don't get the final product; the binaries are not built automatically nor installed. - it is used to build from source; and the source code changes can be compared and reviewed by anyone.
I see this argument made all the time, and it's simply hogwash. The number of people actually *qualified* to review the source to ensure that it's not trojaned or doesn't have a buffer overflow or some other programming problem is some miniscule percentage of the people who actually download and compile that same source. It's a baloney argument, and I wish people would stop using it. Quick, name the people that *you* know personally who are qualified and capable of auditing source code. (This is for all the readers.) I know one. I certainly am not. And I know some *very* competent admins who are not. I know a programmer who is, but he doesn't have the time. In the end, we all have to trust that the people distributing software are doing "due diligence", because there simply isn't time to audit it all nor are we (in general) qualified to audit it. If you want to argue that this isn't true, then *please* explain why so many patches are constantly being released for the Linux kernel, for popular applications like sendmail and apache, for damn near every software application that exists today. This list *exists* because those who *write* the code don't know how to program securely. How in the *world* do you expect the average user, or for that matter the way above average user, to be able to know with certainty that there isn't a problem with the source that he's compiling? (Yes, I know about MD5 checksums, PGP sigs, etc. All that does is confirm that the source you're getting is what the developers intended you to get. It does *not* confirm that the code is without problems.) Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/
Current thread:
- Re: Windows Update: A single point of failure for the world's economy? Stefano Zanero (Sep 02)
- Re: Windows Update: A single point of failure for the world's economy? Paul Schmehl (Sep 03)
- Re: Windows Update: A single point of failure for the world's economy? Kurt Seifried (Sep 04)
- Re: Windows Update: A single point of failure for the world's economy? Jeremy C. Reed (Sep 04)
- Re: Windows Update: A single point of failure for the world's economy? Stefano Zanero (Sep 04)
- Re: Windows Update: A single point of failure for the world's economy? Barry Fitzgerald (Sep 04)
- Re: Windows Update: A single point of failure for the world's economy? Lawrence MacIntyre (Sep 03)
- Re: Windows Update: A single point of failure for the world's economy? Andrew Gideon (Sep 03)
- <Possible follow-ups>
- Re: Windows Update: A single point of failure for the world's economy? Aaron Cheek (Sep 04)
- RE: Windows Update: A single point of failure for the world's economy? Schmehl, Paul L (Sep 04)
- RE: Windows Update: A single point of failure for the world's economy? Schmehl, Paul L (Sep 04)
- Re: Windows Update: A single point of failure for the world's economy? Paul Schmehl (Sep 03)