[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Fsfe-uk] Windows WMF exploit intentional?
|
From: |
Simon Waters |
|
Subject: |
Re: [Fsfe-uk] Windows WMF exploit intentional? |
|
Date: |
Sat, 14 Jan 2006 21:42:16 +0000 |
|
User-agent: |
Debian Thunderbird 1.0.7 (X11/20051017) |
Chris Croughton wrote:
> On Sat, Jan 14, 2006 at 04:09:07PM +0000, Kevin Donnelly wrote:
>
> Yes, being open has some advantages, and more people /can/ look at it,
> but who has the time? How many Linux users have looked at any of the
> kernel source code at all, let alone the applications?
Seriously looked at large chunks of the Linux kernel code? Probably only
several thousand, or low tens of thousands. It is also extensively
analysed using static analysis tools.
The kernel is the wrong example, large well known bits of code like the
kernel get a relatively solid going over. Indeed people developing
software tools often look for large, well known code bases like the
Linux kernel.
The WMF was due to an API design issue, and that kind of error could
occur readily in free software, especially code that wasn't developed
under keen open scrutiny, but perhaps became free for other reasons.
I certainly think that the core components of many successful free
software projects are often better designed than proprietary
equivalents, but I think Chris is right that many eyes don't always help
in these areas, especially on fringe projects, since even spotting an
issue of this type isn't always sufficient, sometimes these are the most
difficult to fix. Similarly those looking for bloat in some of the
desktop projects seem to have no trouble finding stuff that is hideous.
However I do think that in areas such the static analysis of source
code, free software projects are already well ahead, and it wouldn't
take much effort to improve on this situation.
I think the big pluses are in;
backward compatibility (we can always recompile and fix old code when
needed, where as if Word Perfect needs just a minor tweak for Vista,
someone other than Microsoft will have to do it).
distribution where Microsoft and Apple are just getting to the point
where they can distribute fixes to their own code sensible, the free
software distros have this pretty much fully automated, from one
packager to the whole world.
It is also easy to forget what a desparate state the MS Windows desktop
is in. It is impossible to reasonably secure the common home Microsoft
desktop without making it unuseable, or at least very unfriendly.
Updating software, antivirus, and other antimalware tools is an
unreliable, and painful process.
It is a mistake to think one needs to be perfect to do better in
security. Absolute security is a myth, just as "bugless" code is a
utopia that will never be reached.
Free software should look to exploit its advantages to deploy better
security. I mean if we enhance say the compiler with a security feature,
recompiling everything is slow, but not exactly difficult.
As to the WMF vulnerability being intentional, I think Mr Gibson gets
some strange ideas at times. If Microsoft (or a developer there) wanted
a backdoor in the code (or the NSA wanted one) they could put it in,
along with the flight simulator game, and other hidden garbage, it isn't
as if anyone checks their source code terribly closely as far as we can
tell.
Heck even Linux has implemented some screwy APIs from POSIX and such
like in the interests of "compatibility", despite Linus usually taking
the view that such stuff shouldn't go in.