Frontends for Windows

Ryan Malayter rmalayter@bai.org
Tue Nov 20 07:40:01 2001 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>From: Nick Andriash [mailto:andriash@telus.net] 

>If I choose to try WinPT for a Windows Front-end how can I be 
>sure that
>it's code was "reviewed by security experts for defects", or is
that
>review a presumption on your part? Can you show me the Reports or
>provide a URL where I can read up on the review?
> 
>I understand what you are saying, but I was wondering if there is
some
>kind of authoritative body that performs those reviews? What 
>evidence is
>there that the code has even been looked at by these experts?

That's the real problem with evaluating security, and it negates a
good deal of the benefit of open source in my mind. There is no
authoritative body that performs rigrous testing, and finding review
literature about this program or that C library can be quite
difficult. 

In theory, www.cert.org should handle this sort of thing. But they're
really a reporting organization, and they don't announce bugs until
vendors have a hole patched or it is a critcal-mass problem. If the
vendor doesn't patch the hole, CERT doesn't announce it, for fear of
giving harckers ammunition. And CERT doesn't have the funding to have
hordes of security consultants sitting around looking at code.

There are other good sources, like www.securityfocus.com, the bugtraq
mailing lists, and others that attempt to coallate security
information. There's a lot of academic literature out there at
university sites as well, especially with regards to cryptography.
But other than that, do some google searching for announcements about
a particular package. - you're on your own when it comes to finding
info about the software you want to use. 

The one thing you can do is use established, widely-deployed
open-source systems, like Linux, FreeBSD, and the Apache web server.
Thes have been poked and prodded by almost every hacker and security
expert out there, and when properly set up, they're quite secure.

The thing about WinPT is that the source code, while it may not have
been thoroughly reviewed by the security community at large, is still
publicly available. This is a huge guard against deliberately
malicious or grossly insecure "window-dressing" code. If there were
really bad stuff in there, it's used by enough folks that somebody
probably would have cried foul. With closed-source software, there's
simply no chance of that happening until the insecure software is
compromised.

As far as esoteric security bugs (e.g. buffer overflow
vilerabilities), WinPT may not be popular enough to have been
reviewed by experts thoroughly. A google search for "WinPT" and
"expolit" didn't turn up anything of consequence. Open-source
software in general on Windows isn't very popular yet, but hopefully,
some day...

Just so you know, I like and use both GPGshell and WinPT at home and
work. My security needs aren't great, so the closed-source nature of
GPGshell doesn't bother me too much. After all, I run it on Windows.
But I realize there are more secure ways to do things than the way I
do them, and I'm using WinPT more and more to support the open-source
movement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.4.0
Comment: For info see http://www.gnupg.org

iD8DBQE7+fm59wZiZHyXot4RAl2zAJ9rRK4u00Fjw1IkJqbNzeybSDW5dQCgis3n
B1mpFpEvXyCyFnxGaWMn5e4=
=ab6g
-----END PGP SIGNATURE-----