[COMP] Re: Fw: Closed source is more secure

  • From: "Shaun Ewing" <shaun@xxxxxxxxxxxxx>
  • To: <computers@xxxxxxxxxxxxxxxxx>
  • Date: Thu, 19 Apr 2001 20:33:43 +1000

Christina,
This is a mailing list forum. People post to the list and it gets
distributed to everybody who is subscribed to the list.

There is no need to shout either.

Regards,
 Shaun

----- Original Message -----
From: "Christina Valayadun" <201502129@xxxxxxxxxxxxx>
To: <computers@xxxxxxxxxxxxxxxxx>
Sent: Thursday, April 19, 2001 7:45 PM
Subject: [COMP] Re: Fw: Closed source is more secure


>
> Ok Mr Whatever-ur-name is, sorry to be so impolite but
> I DIDN'T FW:CLOSED SOU........SECURE
> I WAS AT HOME ASLEEP MOST PROBABLY AT 20:51 AND I ONLY JOINED YESTERDAY
> BTW. THIS IS MY UNIVERSITY ADDRESS------------
> THIS UNIVERSITY AIN'T OPEN AT 20:51!
>
> YT
> Christina
>
> >>> weez@xxxxxxxxxxxxx 04/19/01 04:34AM >>>
>
> On Wednesday 18 April 2001 20:51, you wrote:
> > > Sure it is. MS fruitcake explains why.
> > >
> > > <http://www.theregister.co.uk/content/8/18286.html>
> >
> > argh ...
>
> AAH!  Ok, let's take this one point at a time. =)
>
> (btw, "MS" below refers either to comments made by the Microsoft rep, or
> chunks written by the Register)
>
> MS:  "The head of Microsoft's security response team argued here Thursday
> that closed source software is more secure than open source projects, in
> part because nobody's reviewing open source code for security flaws."
>
> Me: Wrong.  Case in point: OpenBSD, a project that's entirely *about*
> auditing code for weaknesses.
>
> MS: "Review is boring and time consuming, and it's hard," said Steve
> Lipner, manager of Microsoft's security response center. "Simply putting
> the source code out there and telling folks 'here it is' doesn't provide
> any assurance or degree of likelihood that the review will occur."
>
> Me:  Eh, let's say correct.  Code review is hard and time consuming.
> Boring?  Depends who you are.  Either way, it's obviously not happening at
> Microsoft, either.  See point #1 -- code audits are happening *constantly*
> in the open source world.
>
> MS: "Lipner, who oversees Microsoft's response to newly-reported security
> holes in its products, took the opportunity to point out "the repeated and
> recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so on.
> The repeated theme is people use this stuff, but they don't spend time
> security reviewing."
>
> Me: Yeah, and if you run wu-ftpd or Bind, you're asking for trouble
> anyway, and have been for years.  They're crappy, poorly-written products,
> and that has nothing to do with whether or not their source code is open.
> Example: djbdns, my DNS package of choice, is also open, and guaranteed by
> the author not to have any holes, or he'll personally pay you 500 bucks.
>
> MS: "Lipner slammed the open source development process, suggesting that
> the often-voluntary nature of creating works like the Linux operating
> system make it less disciplined, and less secure. "The open source model
> tends to emphasize design and development. Testing is boring and
> expensive."
>
> Me: Less disciplined?!  When was the last time a hole in something open
> took weeks to get a fix for?  Why is it that a multi-national,
> multi-billion-dollar company can't release a patch for a simple problem
> within a reasonable amount of time?  Sounds like poor software development
> practices to me.
>
> MS: By contrast, Microsoft does extensive testing on every product, and on
> every patch, said Lipner. "People ask us why our security patches take so
> long. One of the reasons they take so long is because we test them."
>
> Me: Ah-hah, thanks for answering that one, Lipner.  Uhm, wait, did *you*
> come up with that on your own, or did Marketing hand you that on company
> letterhead?  So it takes you weeks to test patches?  Well, that's funny,
> see, because generally, when a problem is found in open source stuff, a
> working patch is supplied by the person who found the problem.
> ...Strange...
>
> MS: "Lipner closed by warning that the nature of open source development
> may lend itself to abuse by malicious coders, who could [plant] devilishly
> clever 'trapdoors' in the code that escape detection, hidden in plain
> sight."
>
> Me: Ugh, I'm gonna be sick.  The backdoors argument again, eh?  Well,
> let's try to prove there aren't any in any one of Microsoft's products.
>
> MS: Under polite questioning from the audience, Lipner acknowledged that
> some closed-source commercial products have been found to have trapdoors
> themselves.
>
> Me: Well, so kind of you to acknowledge that -- why not make it part of
> your already-shaky argument for next time...
>
> ...
>
> EndRant();
>
> John
>
>
>
> --
> # John Madden  weez@xxxxxxxxxxxxx ICQ: 2EB9EA
> # FreeLists, Free mailing lists for all: //www.freelists.org
> # UNIX Systems Engineer, Ivy Tech State College: http://www.ivy.tec.in.us
> # Linux, Apache, Perl and C: All the best things in life are free!
>
>
> ========================================
> Avenir Web's Computers Mailing List
>
> List Modes, Subscription, and General Info:
> Go to //www.freelists.org/cgi-bin/webpage?webpage_id=11
> List Archives: //www.freelists.org/archives/computers
> Administrative Contact: weez@xxxxxxxxxxxxx
>
> Get computer help: http://avenir.dhs.org
> ========================================
