I can see your point if the Author said that the source was there but it really isn't. Yes, it is offered under the GPL as mine. GPL states that the source is available. It is available from Debian or from the download site. If I put the sources to all my tools on the CD there wouldn't be room. If I am not mistaken, KNOPPIX has no source available on the CD, but it is available.

Also, just because you put source on the CD doesn't mean that it is the same source that you used to compile the tool. I can compile a tool, put a trojan and then put the original sources on the CD and say it's the source I used to compile the tool. So you have the sources, big deal; in reality they are the wrong ones. Just because someone says here are the sources doesn't always lend more credibility to a product unless you test it against the compiled version, which would be the same as downloading it from the internet and testing the source against the compiled version. So just because KNOPPIX doesn't have the Kernel Source on the CD, don't trust it?

The reason I bring this up is that sometimes, because of the open source attitude, we say if it ain't got source then it isn't trusted. Well guess what, people trust Microsoft every day. Open source means that the source is available to test against the compiled version. Available doesn't mean on the CD.

Now, I am not very familiar with KNOPPIX-STD. I do have a copy but haven't tested it. Now if there are tools where you can't find the source or no link to the source, then I would say that's another story. What I did was to provide links to the additional tools I installed on my Distro.

Also, a lot depends on the credibility of the Author. Is the Author of KNOPPIX-STD trustworthy enough to trust? These are things that need to be addressed also. If the Author is a known hacker or criminal then I wouldn't trust it. If he is well respected in the infosec community then I trust he didn't do anything to the sources.
That doesn't mean that I wouldn't test it. I am a law enforcement officer who has to testify in court. I have to meet a higher standard compared to private industry. The way I accomplish this is by building proficiency with tools and at least testing them.

I don't want to argue with you, just point out that sometimes too much importance is placed on sources and not enough on testing. Bottom line: like I said, test it and if it works use it. Now, I have heard that some tools on KNOPPIX-STD don't work. I cannot confirm this as I have not tested it.

Thanks,

Ernie Baca
Phoenix, Arizona
ebaca@linux-forensics.com
www.linux-forensics.com

>From: "der.hans"
>Reply-To: plug-discuss@lists.plug.phoenix.az.us
>To: plug-discuss@lists.plug.phoenix.az.us
>Subject: Re: Anyone played with Knoppuix-STD yet?
>Date: Mon, 14 Jul 2003 00:58:34 -0700 (MST)
>
>On 13 Jul 2003, Thomas Cameron chatted thus:
>
> > I know several folks have spoken highly of Knoppix.
> >
> > http://www.knoppix-std.org/ is a version of Knoppix which is supposed to be
> > specialized for security work. Anyone played with it yet?
>
>Don't use it!!!
>
>I got a copy at the meeting Thu. I've been dog-sitting for a friend and
>using Knoppix to ssh back home to work from there. Fri I tried knoppix-std.
>I went through and looked at what was on the CD. Looked pretty good until
>towards the end where he said he had a directory that had source code for
>the programs WHEN HE COULD FIND IT.
>
>Do not trust security code for which you don't have the source code. The
>fact that he's including programs for which the source code isn't available
>is insane and tells me I certainly don't want to trust him to get it right.
>
>The moral of the story: don't use knoppix-std until source code is available
>for EVERYTHING on it, and someone with security has done an audit.
>
>It's great that he's including source code for packages, but source code
>should be available for all of them.
>
>ciao,
>
>der.hans
>--
># https://www.LuftHans.com/ http://www.AZOTO.org/
># If you're not learning, you're not living. - der.hans