Ok Mr Whatever-ur-name is, sorry to be so impolite but I DIDN'T FW:CLOSED SOU........SECURE. I WAS AT HOME ASLEEP MOST PROBABLY AT 20:51 AND I ONLY JOINED YESTERDAY BTW. THIS IS MY UNIVERSITY ADDRESS------------ THIS UNIVERSITY AIN'T OPEN AT 20:51!

YT
Christina

>>> weez@xxxxxxxxxxxxx 04/19/01 04:34AM >>>

On Wednesday 18 April 2001 20:51, you wrote:
> > Sure it is. MS fruitcake explains why.
> >
> > <http://www.theregister.co.uk/content/8/18286.html>
>
> argh ...

AAH! Ok, let's take this one point at a time. =) (btw, "MS" below refers either to comments made by the Microsoft rep, or chunks written by the Register)

MS: "The head of Microsoft's security response team argued here Thursday that closed source software is more secure than open source projects, in part because nobody's reviewing open source code for security flaws."

Me: Wrong. Case in point: OpenBSD, a project that's entirely *about* auditing code for weaknesses.

MS: "Review is boring and time consuming, and it's hard," said Steve Lipner, manager of Microsoft's security response center. "Simply putting the source code out there and telling folks 'here it is' doesn't provide any assurance or degree of likelihood that the review will occur."

Me: Eh, let's say correct. Code review is hard and time consuming. Boring? Depends who you are. Either way, it's obviously not happening at Microsoft, either. See point #1 -- code audits are happening *constantly* in the open source world.

MS: "Lipner, who oversees Microsoft's response to newly-reported security holes in its products, took the opportunity to point out "the repeated and recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so on. The repeated theme is people use this stuff, but they don't spend time security reviewing."

Me: Yeah, and if you run wu-ftpd or Bind, you're asking for trouble anyway, and have been for years. They're crappy, poorly-written products, and that has nothing to do with whether or not their source code is open. Example: djbdns, my DNS package of choice, is also open, and guaranteed by the author not to have any holes, or he'll personally pay you 500 bucks.

MS: "Lipner slammed the open source development process, suggesting that the often-voluntary nature of creating works like the Linux operating system make it less disciplined, and less secure. "The open source model tends to emphasize design and development. Testing is boring and expensive."

Me: Less disciplined?! When was the last time a hole in something open took weeks to get a fix for? Why is it that a multi-national, multi-billion-dollar company can't release a patch for a simple problem within a reasonable amount of time? Sounds like poor software development practices to me.

MS: By contrast, Microsoft does extensive testing on every product, and on every patch, said Lipner. "People ask us why our security patches take so long. One of the reasons they take so long is because we test them."

Me: Ah-hah, thanks for answering that one, Lipner. Uhm, wait, did *you* come up with that on your own, or did Marketing hand you that on company letterhead? So it takes you weeks to test patches? Well, that's funny, see, because generally, when a problem is found in open source stuff, a working patch is supplied by the person who found the problem. ...Strange...

MS: "Lipner closed by warning that the nature of open source development may lend itself to abuse by malicious coders, who could devilishly clever 'trapdoors' in the code that escapes detection, hidden in plain sight."

Me: Ugh, I'm gonna be sick. The backdoors argument again, eh? Well, let's try to prove there aren't any in any one of Microsoft's products.

MS: Under polite questioning from the audience, Lipner acknowledged that some closed-source commercial products have been found to have trapdoors themselves.

Me: Well, so kind of you to acknowledge that -- why not make it part of your already-shaky argument for next time...

...

EndRant();

John

--
# John Madden weez@xxxxxxxxxxxxx ICQ: 2EB9EA
# FreeLists, Free mailing lists for all: //www.freelists.org
# UNIX Systems Engineer, Ivy Tech State College: http://www.ivy.tec.in.us
# Linux, Apache, Perl and C: All the best things in life are free!

========================================
Avenir Web's Computers Mailing List
List Modes, Subscription, and General Info: Go to //www.freelists.org/cgi-bin/webpage?webpage_id=11
List Archives: //www.freelists.org/archives/computers
Administrative Contact: weez@xxxxxxxxxxxxx
Get computer help: http://avenir.dhs.org
========================================