
Operating Systems

By Robert Lemos

Published: Friday 17 December 2004


Name: Peter Risdon

Location: Cambridge

Occupation: Writer and consultant

Comment

I'm on the relevant security mailing list so received these reports last week and have looked at most of them in some detail. Almost all concern buffer overflows - based on a known issue with programming technique that these students were looking for. DJB has strong and well-known views on this widespread but easily avoided/corrected type of programming error.

Most of the software affected is niche, to say the least, and does not form part of any mainstream Unix base system. To call these Unix errors is like calling a flaw in some little-used Windows application a "Windows Security Flaw".

The open source paradigm includes the distribution of source code in order that issues like this can be spotted and fixed (some of the affected software has already been corrected). This is an example of this paradigm working - none of these problems were the basis of real-world exploits and now they won't be because they can be put right first. Many of them were only capable of being exploited under very specific circumstances.

No comparable security auditing process happens in the world of closed-source software. An alternative headline could have been: Unix security tightened even further.

In fact, while we're quoting Bernstein, it's worth noting that he knows his security onions - qmail and djbdns, his two big software packages, both still have unclaimed $500 rewards for finding ANY security issues in them. He teaches a course in computer security, as readers of your article will have gathered. But he refuses to discuss Windows on this course, on the grounds that he believes it can't be made secure, period.


