[ale] CISSP != happy + OSS

George Allen glallen01 at gmail.com
Fri Oct 22 07:36:36 EDT 2010


I'm taking a CISSP course this week, and unfortunately have to miss
the selinux presentation because of it. But it's pretty amazing the
bias against open source built into the course. It even involves a bit
of dissonance: nmap, tripwire, nessus, backtrack, all these tools are
open-source, but the same people talk about "Open-source code gives
false security, just because more people can look at the code doesn't
mean someone will write a vulnerability into it. Or that someone will
find a vulnerability and not say anything until after they exploit
it."

At this point I piped up to say "Doesn't what you just said violate
Kerckhoffs's principle that you just talked about - that a
cryptographic algorithm should derive its security from the key, not
from the secrecy of the algorithm? Then how can you say publishing an
algorithm leads to security with cryptology, and then violates
security with software at large?"

He didn't really address it.

Still, I think the perception is that open source is made up of random
patches from any kid drinking Mountain Dew in their mom's basement.
And they don't realize that there's a whole system which actually
rejects many patches, and does levels of quality control on both
incoming and included patches. Maybe one thing the advocates also need
to emphasize is that Linux is developed with a process, and albeit
with the 'bazaar' it's not flat-out anarchy.
