[clug] Anti-Virus Software

Daniel Pittman daniel at rimspace.net
Mon Jul 5 23:05:14 MDT 2010


Paul Wayper <paulway at mabula.net> writes:
> On 06/27/2010 12:39 PM, Daniel Pittman wrote:
>> Paul Wayper <paulway at mabula.net> writes:
>>> On 06/25/2010 01:16 PM, Kevin Pulo wrote:
>>>> On Fri, Jun 25, 2010 at 12:24:41PM +1000, Paul Wayper wrote:

Digging up an old thread, because this seems very apropos the discussion:

[...]

>> I am interested, in large part, because the studies I am aware of seem to keep
>> coming up with approximately the same bugs-per-line metrics as closed
>> software, and so on, so I don't feel comfortable personally making a claim
>> that OSS is any better than CSS [in terms of overall security or quality].
>
> 'Bugs-per-line' and many other metrics have never been good ways to measure
> security, or even quality.

[...]

> * Having the source code there to view makes it easier for security
>   researchers to review and improve it.

So, part of our discussion involved the problems of this claim, both in terms
of the willingness of people to do this security review, and the ability of
attackers to hide defects in plain sight.

On the second front there is now some empirical testing being arranged:

    https://backdoorhiding.appspot.com/


    Hiding Backdoors in plain sight

    The CoreTex Competitions Team from Core Security is happy to announce the
    1st Open Backdoor Hiding & Finding Contest to be held at DEFCON 0x12 this
    year!

    Hiding a backdoor in open source code that will be subjected to the
    scrutiny of security auditors by the hundreds may not be an easy
    task. Positively and unequivocally identifying a cleverly hidden backdoor
    may be extremely difficult as well. But doing both things at DEFCON 0x12
    could be a lot of fun!

Regards,
        Daniel

-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
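The kind of "hidden in plain sight" defect the contest is about is worth seeing in code. The following is an added example, not part of Daniel's post, the thread, or Core Security's contest material. It is modelled on the assignment-for-comparison trick used in the 2003 attempt to slip a backdoor into the Linux kernel's wait4() via a CVS mirror: a one-character change that turns a permission check into a privilege escalation. The struct, flag names, flag values and the sample source string are all constructed for illustration; the audit helper is a crude heuristic, not a real static analyser.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed example: a plain-sight backdoor beside the intended code,
 * plus a crude audit heuristic that flags it. Names and values are made up. */

#define OPT_CLONE 0x40000000u
#define OPT_ALL   0x80000000u
#define EINVAL_RET (-22)

struct task { unsigned int uid; };

/* Intended rule: only root (uid 0) may combine OPT_CLONE and OPT_ALL;
 * anyone else asking for that combination is rejected, identity untouched. */
static int check_options_intended(struct task *t, unsigned int options)
{
    if (options == (OPT_CLONE | OPT_ALL) && t->uid != 0)
        return EINVAL_RET;
    return 0;
}

/* Same function with the '!' deleted. The inner expression now ASSIGNS 0
 * to t->uid (making the caller root) and evaluates to 0, so the rejection
 * branch never runs. The extra parentheses around the assignment are what
 * silence gcc's -Wparentheses warning under -Wall. */
static int check_options_backdoored(struct task *t, unsigned int options)
{
    if (options == (OPT_CLONE | OPT_ALL) && (t->uid = 0))
        return EINVAL_RET;
    return 0;
}

/* A non-root caller sends the "magic" flag combination: does the backdoored
 * check return success AND leave the caller as uid 0? */
static bool backdoor_escalates_to_root(void)
{
    struct task t = { .uid = 1000 };
    int rc = check_options_backdoored(&t, OPT_CLONE | OPT_ALL);
    return rc == 0 && t.uid == 0;
}

/* The intended check rejects the same caller and does not modify the uid. */
static bool intended_rejects_nonroot(void)
{
    struct task t = { .uid = 1000 };
    int rc = check_options_intended(&t, OPT_CLONE | OPT_ALL);
    return rc == EINVAL_RET && t.uid == 1000;
}

/* Crude audit heuristic: count bare '=' (not ==, !=, <=, >=) inside the
 * parentheses of an if-condition. A hit is not proof of a backdoor, but it
 * is exactly the spot a reviewer should stop on instead of skimming past. */
static int count_assignments_in_if(const char *src)
{
    int hits = 0;
    const char *p = src;
    while ((p = strstr(p, "if")) != NULL) {
        p += 2;
        while (*p == ' ' || *p == '\t') p++;
        if (*p != '(') continue;                 /* "if" inside another token */
        int depth = 0;
        for (; *p; p++) {
            if (*p == '(') {
                depth++;
            } else if (*p == ')') {
                if (--depth == 0) { p++; break; } /* end of the condition */
            } else if (*p == '=') {
                if (p[1] == '=') { p++; continue; }                   /* == */
                if (p[-1] == '!' || p[-1] == '<' || p[-1] == '>') continue;
                hits++;                                   /* bare assignment */
            }
        }
    }
    return hits;
}

/* Constructed source fragment for the heuristic: one backdoored condition,
 * one legitimate condition using != and <=. */
static const char *SAMPLE_SRC =
    "if (options == (OPT_CLONE | OPT_ALL) && (t->uid = 0))\n"
    "    return EINVAL_RET;\n"
    "if (t->uid != 0 && options <= 3)\n"
    "    return 0;\n";

int main(void)
{
    printf("backdoor escalates non-root caller to uid 0: %s\n",
           backdoor_escalates_to_root() ? "yes" : "no");
    printf("intended check rejects non-root caller:      %s\n",
           intended_rejects_nonroot() ? "yes" : "no");
    printf("bare assignments inside if-conditions:      %d\n",
           count_assignments_in_if(SAMPLE_SRC));
    return 0;
}
```

The point for the auditing side of the contest is that the diff between the two functions is a single deleted character, the backdoored line compiles cleanly under `gcc -Wall` because the assignment is parenthesised, and a reviewer reading for intent will see a permission check where the compiler sees a side effect. Mechanical heuristics like the one above catch this particular idiom; a contest entrant who knows that will pick a construction the heuristic does not match.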
