Author: Arnt Karlsen
Date:
To: dng
Subject: Re: [DNG] 1,000(?) eyes security Re: A Devuan kernel?
On Mon, 9 Jul 2018 22:35:37 +0200, Antony wrote in message
<201807092235.37608.Antony.Stone@???>:
> On Monday 09 July 2018 at 22:10:03, Hendrik Boom wrote:
>
> > On Tue, Jul 10, 2018 at 01:12:58AM +1000, terryc wrote:
> > > On Mon, 9 Jul 2018 16:48:34 +0200 Alessandro Selli wrote:
> > > > "Since the beginning of the git era (the 2.6.11 release in
> > > > 2005), a total of 15,637 developers have contributed to the
> > > > Linux kernel; those developers worked for a minimum of 1,513
> > > > companies."
> > > >
> > > > And this lists only those developers and companies who
> > > > contributed to the official code; it does not list security
> > > > auditors or developers/companies who work on custom versions of
> > > > the kernel.
> > >
> > > The statement that started the claim was first made by ESR.
> > > The rebuttal is all the security holes that have been found in
> > > the code in various applications throughout the Linux Epoch.
> >
> > I'm not at all convinced that the security holes constitute a
> > rebuttal. Methinks they could equally be evidence that having all
> > those eyes on the kernel source code is weeding out such security
> > holes. After all, do we know how many security holes are detected
> > by no one reading kernel code?
>
> I would look to Microsoft Windows for this.
>
> Quite a number of security holes have been discovered in versions of
> MS Windows over the years, and I'm pretty certain that the vast
> majority were discovered by people with no access to the source code.
>
> It's often commented that closed-source software has more bugs &
> vulnerabilities in it because the developers think "no-one's going to
> see this, so no-one's going to find the bugs" whereas open source
> developers know that anyone can see the mistakes they make, so they
> pay more attention to not making them.
>
> Whether that's true or not is hard to determine, but for me the mere
> discovery of so many problems in MS Windows by people with no access
> to the source code tells me that bugs and security holes will be
> found, given sufficient incentive (eg: the overwhelming number of
> Windows PCs on the planet), whether the source is open or not.
.._one_ way of using this knowledge, is to keep a few sacrificial Wintendos
in a "lan" tarpit, and pose as "one of them", e.g. "about to fall over"
to try to get the bad guys to try to save their catch, and buy you time to
evade them.
> Thus (coming back to the original argument) I find it hard to believe
> that backdoors and similar deliberate insertions of suspicious code
> wouldn't have been found by people responsible enough to publicise
> what they discover, given that it's clearly possible to do, either
> with access to the source code or without.
..the best way is to have people look for weird behavior, you don't
need to know how to read kernel source or what to look for, to
recognise new "weird shit it didn't do before yesterday", even
WWI security skills will work fine here, and that means, say,
7 billion eyes watching.
--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.