On Fri, Jun 20, 2003 at 12:55:58AM -0500, David Phillips wrote:
> Munir Nassar writes:
> > i bet you ten bucks that somebody will find a security hole. it is not
> > that i doubt your coding skills but it is a fact that security holes
> > are a fact of life.
>
> Only ten? Care to make it interesting?

Yes: I double-dog-dare you.

> Security holes are not a fact of
> life. Security holes come from being ignorant, having poor / sloppy coding
> skills and not being mindful of security.

... as opposed to the regular software bugs which just magically appear...

> It is not difficult to write
> secure code in a scripting language. If I was not certain that I could
> write secure applications, then I would be looking for a new line of work.
>
> > consider this:
> > the openbsd hackers pride themselves in secure code... they code audit
> > everything before it can be used. one could argue that they are
> > security experts.
>
> Consider this: qmail, one of the most widely deployed MTAs, has never had a
> security hole. It was first released in January of 1996.

qmail has not had a discovered and publicized security hole. That does not say _anything_. The fact that no security hole has been discovered in 7 years says something, but don't bet your life on that.

And what good is qmail's security when the box is rooted through bind/apache/whatever? Before you declare your application secure, you better audit the whole stack - from TCP/IP to your database. Good luck.

Go and read the excellent "Secrets and Lies" by Bruce Schneier.

florin

--
"NT is to UNIX what a doughnut is to a particle accelerator."