funsec mailing list archives

Re: Trend says open source is automatically insecure


From: security curmudgeon <jericho () attrition org>
Date: Sat, 15 Jan 2011 20:07:41 -0600 (CST)


On Sat, 15 Jan 2011, Paul Ferguson wrote:

: On Sat, Jan 15, 2011 at 4:10 PM, Rob, grandpa of Ryan, Trevor, Devon &
: Hannah <rMslade () shaw ca> wrote:
: 
: > http://bit.ly/fp9Azh+
: 
: Actually, what Steve Chang (our Chairman) said was "Android is 
: open-source, which means the hacker can also understand the underlying 
: architecture and source code."
: 
: People have really blown his remarks out of proportion.

It is still an alarmist and silly statement, and really shows that he 
isn't familiar with vulnerabilities and history. While it can help, it 
certainly isn't necessary to find vulnerabilities in a product:

http://osvdb.org/search?search[vuln_title]=trend+micro&search[text_type]=titles

He also said:

   ".. It's impossible for certain types of viruses" to operate on the 
    iPhone, he said.

Using the word 'impossible' in the land of vulnerabilities and exploits is 
dangerous. I believe the l0pht demonstrated that with some 'theoretical' 
vulnerability in Sendmail.

And:

   "Chang said he's betting Android users will start to buy more security 
    software for mobile devices."

If Trend Micro doesn't offer Droid based security software right now, I'd 
bet a few bucks they will in the next quarter or two. Oh wait, if I keep 
reading..

   "On Jan. 7, Tokyo-based Trend Micro released Mobile Security for 
    Android, .."

There we go, the foundation of his statements! BTW, do you still work for 
Trend Micro Paul?

- security curmudgeon
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

