Mozilla and Security

Tuesday March 28th, 2000

Nothing like a little rhetoric to get you hopping in the morning. This latest comes from some guy called AP who made a submission to Slashdot regarding a discussion currently going on in In it, he states that the Mozilla team is contemplating limiting access to security bugs, implying that the team is substituting obscurity for security. He fans the flames by saying "Are Mozilla developers missing the point of open source (implying open security bugs) or are they under pressure from Netscape?"

If you read the discussion thread titled "Security bugs and disclosure" in, you will see that the discussion is not exactly what AP portrayed, and members are actually having a serious discussion about disclosure, security and Open Source. This is what Open Source is about, people!!! What kind of access would you have to this kind of discussion if the process was closed? Open Source isn't just about open code - it's about open discussion, as well. And has provided ample opportunity for discussion regarding practically every level of the development process. I think the fact that AP came across this discussion at all proves that the discussion process is adequately open.

If you have opinions regarding this, you should feel free to post them in the security newsgroup, but please read the previous posts in the thread, because they are reasonable posts from people who are trying to do the right thing.

As an advocate for the open source movement I do have to say that releasing the bugs is the best option. The end user should be made aware of where and how he is vulnerable. The end user should also be able to fix and tailor the code to fix these "bugs". Hey all, let's get a grip here for a second. Open source is all about open source: an equal playing field. Only making a selected few aware of where the security bugs are makes a solution to the bugs much more distant; if you release the information then you can have thousands upon thousands of coders looking for a solution to the bugs. As they say, the more the merrier. More people being able and empowered to fix what is wrong with the product brings about a better turnaround time. The solution will come much faster; eventually someone out there will come across the proper solution and contribute it to the project. As someone said before, it doesn't take much to hack; it really doesn't take much to punch a PHAT security hole in a browser. Not to self-incriminate myself or something, but IE is still pretty vulnerable, and yes there are solutions for the "big hole", yet I don't know the source code so I can't fix it and contribute it to them. Same goes for Netscape; it is vulnerable too. Exploits to security breaches are easy to develop even without knowing what to exploit. In response to someone's comment a couple of messages ago: someone mentioned that only the ones who wrote the source code can understand it. I think that is total misinformation and propaganda on that person's part. Most likely all that person does is surf the web and knows nothing about coding. To make this a point, anyone can contribute to MOZILLA. This is why: it is modular. In other words it is broken up into several pieces which work together, so if a programmer one day decides to look at the code and wants to adjust something to make it function better, he can.
That was the problem with Netscape: it was sloppy code all slapped together; no one knew the right side up or down. That is why they decided to start from scratch! Now a good programmer can come and look at it and make adjustments without much effort. Another note on this subject is that this is what the open-source community is all about: being able to volunteer code that is helpful. So that is a minus for that member who I won't mention, who stated that only the person who wrote the program can understand it. Just the opposite, guy! And on that notion, that is one of the cornerstones of open source: being able to view code and change it to suit you if you understand how to program. Free the BUGS; empower the end user.