Christina,

This is a mailing list forum. People post to the list and it gets distributed to everybody who is subscribed to the list. There is no need to shout either.

Regards,
Shaun

----- Original Message -----
From: "Christina Valayadun" <201502129@xxxxxxxxxxxxx>
To: <computers@xxxxxxxxxxxxxxxxx>
Sent: Thursday, April 19, 2001 7:45 PM
Subject: [COMP] Re: Fw: Closed source is more secure

>
> Ok Mr Whatever-ur-name is, Sorry to be so impolite but
> I DIDN'T FW:CLOSED SOU........SECURE
> I WAS AT HOME ASLEEP MOST PROBABLY AT 20:51 AND I ONLY JOINED YESTERDAY BTW. THIS IS MY UNIVERSITY ADDRESS------------
> THIS UNIVERSITY AINT OPEN AT 20:51!
>
> YT
> Christina
>
> >>> weez@xxxxxxxxxxxxx 04/19/01 04:34AM >>>
>
> On Wednesday 18 April 2001 20:51, you wrote:
> > > Sure it is. MS fruitcake explains why.
> > >
> > > <http://www.theregister.co.uk/content/8/18286.html>
> >
> > argh ...
>
> AAH! Ok, let's take this one point at a time. =)
>
> (btw, "MS" below refers either to comments made by the Microsoft rep, or chunks written by the Register)
>
> MS: "The head of Microsoft's security response team argued here Thursday that closed source software is more secure than open source projects, in part because nobody's reviewing open source code for security flaws."
>
> Me: Wrong. Case in point: OpenBSD, a project that's entirely *about* auditing code for weaknesses.
>
> MS: "Review is boring and time consuming, and it's hard," said Steve Lipner, manager of Microsoft's security response center. "Simply putting the source code out there and telling folks 'here it is' doesn't provide any assurance or degree of likelihood that the review will occur."
>
> Me: Eh, let's say correct. Code review is hard and time consuming. Boring? Depends who you are. Either way, it's obviously not happening at Microsoft, either. See point #1 -- code audits are happening *constantly* in the open source world.
>
> MS: "Lipner, who oversees Microsoft's response to newly-reported security holes in its products, took the opportunity to point out "the repeated and recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so on. The repeated theme is people use this stuff, but they don't spend time security reviewing."
>
> Me: Yeah, and if you run wu-ftpd or Bind, you're asking for trouble anyway, and have been for years. They're crappy, poorly-written products, and that has nothing to do with whether or not their source code is open. Example: djbdns, my DNS package of choice, is also open, and guaranteed by the author not to have any holes, or he'll personally pay you 500 bucks.
>
> MS: "Lipner slammed the open source development process, suggesting that the often-voluntary nature of creating works like the Linux operating system make it less disciplined, and less secure. "The open source model tends to emphasize design and development. Testing is boring and expensive."
>
> Me: Less disciplined?! When was the last time a fix for a hole in something open took weeks to get a fix for? Why is it that a multi-national, multi billion-dollar company can't release a patch for a simple problem within a reasonable amount of time? Sounds like poor software development practices to me.
>
> MS: By contrast, Microsoft does extensive testing on every product, and on every patch, said Lipner. "People ask us why our security patches take so long. One of the reasons they take so long is because we test them."
>
> Me: Ah-hah, thanks for answering that one, Lipner. Uhm, wait, did *you* come up with that on your own, or did Marketing hand you that on company letterhead? So it takes you weeks to test patches? Well, that's funny, see, because generally, when a problem is found in open source stuff, a working patch is supplied by the person who found the problem. ...Strange...
>
> MS: "Lipner closed by warning that the nature of open source development may lend itself to abuse by malicious coders, who could devilishly clever 'trapdoors' in the code that escapes detection, hidden in plain sight."
>
> Me: Ugh, I'm gonna be sick. The backdoors argument again, eh? Well, let's try to prove there aren't any in any one of Microsoft's products.
>
> MS: Under polite questioning from the audience, Lipner acknowledged that some closed-source commercial products have been found to have trapdoors themselves.
>
> Me: Well, so kind of you to acknowledge that -- why not make it part of your already-shaky argument for next time...
>
> ...
>
> EndRant();
>
> John
>
>
>
> --
> # John Madden weez@xxxxxxxxxxxxx ICQ: 2EB9EA
> # FreeLists, Free mailing lists for all: //www.freelists.org
> # UNIX Systems Engineer, Ivy Tech State College: http://www.ivy.tec.in.us
> # Linux, Apache, Perl and C: All the best things in life are free!
>
> ========================================
> Avenir Web's Computers Mailing List
>
> List Modes, Subscription, and General Info:
> Go to //www.freelists.org/cgi-bin/webpage?webpage_id=11
> List Archives: //www.freelists.org/archives/computers
> Administrative Contact: weez@xxxxxxxxxxxxx
>
> Get computer help: http://avenir.dhs.org
> ========================================