[ale] oh... please (slight rant)

Robert Reese ale at sixit.com
Thu Feb 8 02:24:26 EST 2007


Hi Preston,

*********** REPLY SEPARATOR  ***********
On 2/7/2007 at 11:49 AM Preston Boyington wrote:

>i actually was rendered speechless (not an easy feat mind you, i run my
>trap A LOT) when he proclaimed that he could hack any Linux machine in a
>few minutes because it was open-source.

Do you have a spare laptop or PC?  Get a copy of TrueCrypt <http://www.truecrypt.org/> and encrypt the harddrive.  Then install your favorite distro.  Log in, give him root and a desktop full of the source code links.  Then go get one of those cheap kitchen timers and tell him to pick a number between one and sixty.  When the bell goes off, reboot the system and tell him to give you a shout when he's back in.  ;c)   For the glory, put up a $100 bucks to his $10.  Go buy a case of beer and pull up a comfortable chair.  *Enjoy* the show.


>  i sat there for a few seconds
>and then looked at my friend and asked, "he's not doing anything mission
>critical for you, is he?"

I'm an absolute mind-numbing idiot when it comes to Linux.  Windows, on the other hand, is where I've made my living for more than a decade, and DOS before that.  And even I wouldn't recommend a client use Windows for anything "mission critical" that would not accept a level of downtime equal to the time in which it takes a good backup system and a good administrator to recover.


>i readily admit that i am not a Linux guru, database wizard, or web
>tzar, but i have enough intelligence to determine that "many eyes are
>better than a few"!

You are right, of course.  And since you later state that he thinks that proprietary software is more secure because few people can't look at it, he's wrong.  It is not necessarily the number of people looking at it, it's *who* is looking at it.  Every good Windows software cracker has a decompiler and hex editor or three on their computer.  For all intents and purposes, it is the same thing as having the source code if you know what you're doing.  Thankfully, source code is a heII of a lot easier to read than hex/decompiled code, and that's exactly why it's better and more secure.  Yes, it is counter-intuitive, but so are Chinese finger traps!

In this case, the coding is like playing King of The Hill.  In order for a malicious person to take advantage of mistakes and errors in code, he has to be a better coder and/or have more time to evaluate the code.  With open-source code, the code has the opportunity to be inspected by all levels and classes of coders.  In other words, the more people see it, the better it gets because each and every person has strengths and weaknesses.  Coders can add their strengths and remove weaknesses, hardening the code base.  With sincere evaluation, open-source lends itself to better code and more security than closed-source.  Will there be exceptions?  Every day of the week.  But they're still exceptions.

Further, just because you have access to the code and to the tools to compile and install it, doesn't necessarily mean you can.  For instance, someone can give me root access and I could do a massive amount of damage.  It doesn't mean I could do anything else but cause damage.  I'm not proficient.  On the other hand, I can try and bulletproof my Linux box and practically anyone on this list can probably have root access in mere seconds.  On the flip side is our resident guru Bob Toxen; I'm willing to bet he can make a system to challenge practically anyone the world over.  The difference, obviously, is expertise and experience.  He is paraphrased as saying that Windows is unsafe at any speed, and he's right.  However, his lack of experience and expertise with Windows means that he'd find challenges from a well-administered Windows box.  How would he get around that?  Reading and practice.  In other words, he'd increase his experience and expertise as it relates to Windows.

With Whole Disk Encryption, such as what is available from PGP and TrueCrypt, few options exist to get around it.  Primary is covertly capturing keystrokes.... or a gun to the head.  Take your pick.  As I noted before, TrueCrypt is open-source and actually much of PGP's code is reviewable on request and after lots of NDAs.  Many more lives are being shielded by WDE and PGP than are hanging out of Windows; it's not coincidental that I am not aware of any life-endangering systems running Windows.  ;c)

Lastly, take heed in an old saying I remembered while reading your story:
A fool boasts his strengths.  A wise man acknowledges his weaknesses.

Cheers,
Robert~
(Yeah, a long-winded Windows guy that *gets* it.)



------------------------------------------------------
   * Microsoft is NOT a standard. *
------------------------------------------------------