[News] Linux Security Myths Busted (Or Why Linux is More Secure)

Post by Roy Schest » Wed, 20 Feb 2008 23:51:11

Top 10 Linux FUD Patterns, Part 5

,----[ Quote ]
| FUDsters will argue that any security software for which the source code is
| freely available to the public is inherently not secure. This is based on the
| assumption that the source code will either reveal the secret functionality
| that makes the security software work or expose bugs in the security software
| itself that can be exploited as well.
| First, if someone cannot open their source because they are afraid it may
| reveal secret functionality, then it wasn't properly designed from the start.
| The worst-possible example of this is hardcoding passwords in programs,
| especially if they are scripts stored in clear text. Good security schemes,
| such as encryption, rely directly on information the user provides, and often
| make use of one-way functions.
| Second, Open Source software is available for public scrutiny. If you cannot
| read and understand the code yourself, rest assured that there are many folks
| out there that can and do. Why? Because many businesses do actually use Open
| Source software and have everything to lose if they don't test it out first.
| That being said, I consider many corporate "testimonials" sponsoring one OS
| or another based on security or other factors to be FUD, mainly because they
| often appear in paid advertisements and seldom reveal the details of tests
| performed to lead to such conclusions. Independent certification and research
| performed by government or other nonprofit entities are usually the most
| objective and reliable.
| Aside from learning the code, another way to test an application security
| strength or to see if it transmits private data is to watch (or "sniff") the
| port on which it communicates using a network monitoring tool. Such data may
| be encrypted, but the (data) size and timing of requests made by the client
| software should be consistent and reasonable. This is a technical task, but a
| bit easier than learning how the code works. Just remember, sniffing outside
| of your own network may be considered illegal.
| Finally, there are many Linux opponents that would jump at the chance to
| expose real security weaknesses in Linux and its applications. These are
| often vendors of competing software and have both the money and channels to
| make themselves heard. When such a claim appears on the Web, look for
| specific details about the vulnerability. If there are none, it may be FUD.
| Also, check the software website to see if the vulnerability has been
| acknowledged or refuted as well as any status on its repair. Never take such
| claims at face value.


"We should dedicate a cross-group team to come up with ways to leverage Windows
technically more."

--Jim Allchin, Microsoft fiend


Microsoft is Stupid, Apple is Not

,----[ Quote ]
| If you take a look at the history of OS design by each company, it's pretty
| clear why this is so. Microsoft has historically made an unreliable, ugly,
| and highly insecure operating system based on its own spaghetti/Swiss cheese
| code. This is no secret to anyone who has followed the industry or even used
| Windows on a daily basis. If you are a Windows user you MUST have
| spyware/virus/malware prevention software or,