From: Igor <lanthruster@gmail.com>
To: "\"Paweł Hajdan, Jr.\"" <gentoo-dev@lists.gentoo.org>
Subject: Re: [gentoo-dev] minimalistic emerge
Date: Sat, 9 Aug 2014 19:25:56 +0400
Message-ID: <53e63d85.68aa700a.1e9a.16eb@mx.google.com>
In-Reply-To: <53E5EB25.5060500@gentoo.org>
Hello Paweł,
Saturday, August 9, 2014, 1:34:29 PM, you wrote:
> A possibly relevant article would be
> <http://www.site-reliability-engineering.info/2014/04/what-is-site-reliability-engineering.html>
>>> The number of bugs is the same. It's more difficult to hack into 1996 system
>>> than in 2012.
> Do you have any evidence to back that claim? There are tons of known
> vulnerabilities in '96-era software, and automated exploits for them.
> By the way, I can see a point in your thread. Our updates and package
> manager could be improved. They have improved greatly in the last few
> years. I think I can safely say we welcome further contributions of
> patches, packaging and testing effort, especially helping automate many
> of these tasks.
In my experience, hacking into a 96 system with a 0 door is much harder
than into a 2014 one, in most cases, unless you're an expert on 96 software,
which is difficult nowadays due to human memory. To really break in you need to
reproduce the server environment as closely as possible and/or have a clear
understanding of how this particular software works. Try to assemble a
96 system on modern hardware, or assemble it as they were back in 96;
not all sources are online any longer, so that is a hard job. 2014 systems
are much easier to assemble, and getting a peek at the sources is a trifle.

As Linux software is open source, it's often easier to break into Linux
than into Windows systems. Open source is only theoretically safer.
Many believe that because the code is open it's reviewed and checked
and the number of critical bugs is low. But the reality is that there
is usually no time to review code. Much modern software is very complex,
with millions of lines, and it's not realistic to check or
understand how it works before you use it in your project. Tell me,
how many of the libraries that you use right now have been reviewed by you personally?
Not many. And that is a door that is NEVER going to be closed. There are
bugs, rest assured; if you pull any soft right now and spend time,
you will find them. If you have cross-platform expertise, you
will find even more, as developers used to focus on one platform, the birth
platform.
If you compare the number of bugs you find in 1996 software and in 2014
software, the numbers would be approximately the same.
Usually a 1996 system is patched or protected against known issues, and you
have to deal with the "unknown", which in the case of 1996 is much harder.
Another weak link with open source is the software developers. Many of them
spend a lot of time on their software without always getting a fair monetary
reward. So if you are very shrewd and have resources, you go to developers
and offer them money to introduce a subtle bug into the main tree. After
the software is adopted, you have open doors in EVERY "updated"
Linux on the planet.
Personally I believe the Heartbleed bug is one of those. You can never prove
whether the bug is artificial or not; how?
The same is true for Microsoft soft. You can basically go to an ntkernel
developer, offer him $500,000 if you have it, and he would add a bug and
explain to you how to use it, and you're everywhere :-) but this is usually
the government's method. They used to keep them secret.
--
Best regards,
Igor mailto:lanthruster@gmail.com