The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #336 [Re: Source] (1 message, 996 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/336.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: rsalz@pineapple.bbn.com
To: phage
Date: Tue 09:29:36 06/12/1988 EST
Subject: Re: Source
References: [Thread Prev: 330] [Thread Next: 332] [Message Prev: 334] [Message Next: 335]

>From: Gene Spafford <spaf@purdue.edu>
>Let me add something to that list I posted -- I'm not advocating
>that source be kept from all users.  I'm advocating that source
>be kept from users by default.
Oooh, boy.  This is not good; it's too easy to fall into the "security
through obscurity" mode here, as well as the obnoxious attitude many
vendors have about making source available.  I'm also highly unconvinced
that maintaining a list of who has access to source gives you any useful
handle on who's gonna be cracking your system.  All you're doing is burying
your head in the sand; the bad guy is gonna come from somewhere else,
where people are so "careful."

>Making things wide open by default is not the way to have better
>security.
I disagree.  You increase the gene pool of "good system programmers." Some
of them will be Evil and will try to hurt the community, most will be Good
and try to benefit the community.

>However, it can give clues to users just
>looking around for weaknesses ("Hmmm, which utilities use 'gets'
>or 'system'?")
It depends on if you think most of the people who look for this are Good
or Evil.  I believe Good, or at worst Incompetent.

Prediction:  In two years machines will be running a full GNU system, and
complete source for a Un*x-like OS will be very widely available.  Don't
hide your head in the sand.  The only really valid reason to limit source
access is because you signed some piece of paper that said you would do
so.

	/rich $alz

END OF DOCUMENT