"In the previous message, Andrew Watts said..." > > > Sure - if you want your security to be dependent on a black box. And > > you really believe that NO contributed code was not included in it, code > > for which the orignal writers are not getting a DIME? The price would > > be reasonable, IF IT INCLUDED SOURCE. But it doesn't. For source its > > well over a grand. Its back to security through obscurity (only now > > its 'security through black boxes'). I see you ignored the point I made above. How come I am not surprised? About the price being reasonable if it included source. But source is priced more like it was from AT&Ts toolbox. It only means the well-to-do crackers will be getting it - initially. > Have you seen a copy of the commercial product? Have you asked the supplier > for a copy of the source to check your allegation that contributed code > was used in it? Because let's face it, you basically just accused them I said do you really believe it is totally free of contributed code? Code contributers would not be getting a dime for? It would take a past contributer going over it with a fine tooth comb to determine that. And there are a lot of people who have contributed code in one way or another that has worked its way around in the freeware stuff. Yeh, right. He's gonna give me source to inspect - sure if I pay a grand for it. I don't really want to waste my time (or funds in 4 figures) in that regard. Which I have no intent to do. Which was my main point. The fact remains, if it does contain any code or is based on any code that was provided as a patch or a port to another platform, it contains contributed code as far as I am concerned. And I really doubt if those contributers are being offered a piece of the action. Perhaps I am wrong, but I doubt it - or it will be after the point was brought up. I really doubt if they threw all the ideas and code from the old version away, and did it all totally from scratch. If they did, its probably delightfully buggy, because any bugfixes (especially platform specific ones) would be omitted. > of that. Have you also consulted with the supplier to find out what > information he will supply regarding what the program checks for, > and what holes it attempts to discover and correct? Perhaps the supplier > will be more than happy to share with those who purchase this product > information about the particular security problems. I don't know these The point is, when one puts out money, they should know that UP FRONT. > things for a fact, but have _you_ investigated first, it semems you're > making alot of assumptions on behalf of the supplier which may turn > out to be totally unfounded. Perhaps. We will see. Maybe they will change their policy and charge a sane price. If that were to occur, I would say a lot of good has been done. Ain't gonna be done because one guy contacts them on the quiet, it will be done if people say "Yeh, what about this?". > > The bad taste remains. I smell a gouge playing on fear. If they decide > > to make the sources affordable, perhaps I will change my viewpoint. > > Otherwise, they are making the decisions FOR the using admin, not allowing > > him to decide what he wants to check. > > How many people who sell word processors provide it with source? How many This is not a word processor. It is a security analysis tool, with a vendor deciding what you should and should not analyze IN ADVANCE - making the assumption a customer will abuse it UP FRONT. I am so happy he is so delighted to make those decisions FOR you. Sort of like our nanny-at-gunpoint government doing the same for us. It is not expected to run on one or two platforms, but dozens, perhaps hundreds. With all manner of alterations, and adaptations. That does not go well with a one-size-fits-all scheme. That is another reason source is needed for this application - its not going to be run on a canned MSDOS box that is highly predictable. Its going to run on machines the vendor has no way of knowing what all the internal structures are like. And he is surely not expecting someone to give him root access so he can build it on a customer's machine, to run at root privs, and not leave source. Would you let me do that on your machine if I claimed I had a great new widget? I doubt it. I sure as hell wouldn't let someone do it on MINE, unless I knew him WELL. Either personally or via a track record. I see neither here. > companies who sell packages which make minor kernel patches provide > it with entire source? Sweet bugger all do. So why should this be any > different? They are usually ESTABLISHED vendors with a track record. I don't see that in this case. > > As I said: NO SALE. > > I Say: Give it a chance. (But then no one probably gives a rats ass what I > think, perhaps they dont care what you think either? :) Lifes a bitch and then you die, too. So what? If they were to offer it with source, for a reasonable price I wouldn't be so negatively inclined (I wouldn't have said anything, most likely), but they DIDN'T, but I mentioned that before, and you chose to ignore it then, too. I expressed my views, I was not surprised all the apologists and obscurity buffs would come out of the woodwork. Go ahead and red-cross, I am done discussing it. I made my views known; the fact they are not Polticially Correct is not something I am particularly concerned about. I gave up 'PC-ness' years ago. There is a differnce between making a product and a profit and trying to gouge the community. But the CLAIMED reason for all this was to 'prevent abuse', not profit. So you figure it out. I still say denying source is a ripoff, justified by exploiting FUD. > Me. -- pat@rwing [If all fails, try: rwing!pat@ole.cdac.com] Pat Myrto - Seattle WA "No one has the right to destroy another person's belief by demanding empirical evidence." -- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.