[COMP] Re: Fw: Closed source is more secure
- From: "Christina Valayadun" <201502129@xxxxxxxxxxxxx>
- To: <computers@xxxxxxxxxxxxxxxxx>
- Date: Thu, 19 Apr 2001 11:45:50 +0200
Ok Mr Whatever-ur-name is, Sorry to be so impolite but
I DIDN'T FW: CLOSED SOU........SECURE
I WAS AT HOME ASLEEP MOST PROBABLY AT 20:51 AND I ONLY JOINED YESTERDAY BTW. THIS IS MY UNIVERSITY ADDRESS------------
THIS UNIVERSITY AIN'T OPEN AT 20:51!
YT
Christina
>>> weez@xxxxxxxxxxxxx 04/19/01 04:34AM >>>
On Wednesday 18 April 2001 20:51, you wrote:
> > Sure it is. MS fruitcake explains why.
> >
> > <http://www.theregister.co.uk/content/8/18286.html>
>
> argh ...

AAH! Ok, let's take this one point at a time. =)
(btw, "MS" below refers either to comments made by the Microsoft rep, or
chunks written by the Register)

MS: "The head of Microsoft's security response team argued here Thursday
that closed source software is more secure than open source projects, in
part because nobody's reviewing open source code for security flaws."

Me: Wrong. Case in point: OpenBSD, a project that's entirely *about*
auditing code for weaknesses.

MS: "Review is boring and time consuming, and it's hard," said Steve
Lipner, manager of Microsoft's security response center. "Simply putting
the source code out there and telling folks 'here it is' doesn't provide
any assurance or degree of likelihood that the review will occur."

Me: Eh, let's say correct. Code review is hard and time consuming.
Boring? Depends who you are. Either way, it's obviously not happening at
Microsoft, either. See point #1 -- code audits are happening *constantly*
in the open source world.

MS: "Lipner, who oversees Microsoft's response to newly-reported security
holes in its products, took the opportunity to point out "the repeated and
recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so on.
The repeated theme is people use this stuff, but they don't spend time
security reviewing."

Me: Yeah, and if you run wu-ftpd or Bind, you're asking for trouble
anyway, and have been for years. They're crappy, poorly-written products,
and that has nothing to do with whether or not their source code is open.
Example: djbdns, my DNS package of choice, is also open, and guaranteed by
the author not to have any holes, or he'll personally pay you 500 bucks.

MS: "Lipner slammed the open source development process, suggesting that
the often-voluntary nature of creating works like the Linux operating
system make it less disciplined, and less secure. "The open source model
tends to emphasize design and development. Testing is boring and
expensive."

Me: Less disciplined?! When was the last time a hole in something open
took weeks to get a fix for? Why is it that a multi-national,
multi-billion-dollar company can't release a patch for a simple problem
within a reasonable amount of time? Sounds like poor software development
practices to me.

MS: By contrast, Microsoft does extensive testing on every product, and on
every patch, said Lipner. "People ask us why our security patches take so
long. One of the reasons they take so long is because we test them."

Me: Ah-hah, thanks for answering that one, Lipner. Uhm, wait, did *you*
come up with that on your own, or did Marketing hand you that on company
letterhead? So it takes you weeks to test patches? Well, that's funny,
see, because generally, when a problem is found in open source stuff, a
working patch is supplied by the person who found the problem.
...Strange...

MS: "Lipner closed by warning that the nature of open source development
may lend itself to abuse by malicious coders, who could devilishly clever
'trapdoors' in the code that escapes detection, hidden in plain sight."

Me: Ugh, I'm gonna be sick. The backdoors argument again, eh? Well,
let's try to prove there aren't any in any one of Microsoft's products.

MS: Under polite questioning from the audience, Lipner acknowledged that
some closed-source commercial products have been found to have trapdoors
themselves.

Me: Well, so kind of you to acknowledge that -- why not make it part of
your already-shaky argument for next time...

...
EndRant();

John
--
# John Madden weez@xxxxxxxxxxxxx ICQ: 2EB9EA
# FreeLists, Free mailing lists for all: http://www.freelists.org
# UNIX Systems Engineer, Ivy Tech State College: http://www.ivy.tec.in.us
# Linux, Apache, Perl and C: All the best things in life are free!
========================================
Avenir Web's Computers Mailing List
List Modes, Subscription, and General Info:
Go to http://www.freelists.org/cgi-bin/webpage?webpage_id=11
List Archives: http://www.freelists.org/archives/computers
Administrative Contact: weez@xxxxxxxxxxxxx
Get computer help: http://avenir.dhs.org
========================================