[COMP] Re: Fw: Closed source is more secure

  • From: "Christina Valayadun" <201502129@xxxxxxxxxxxxx>
  • To: <computers@xxxxxxxxxxxxxxxxx>
  • Date: Thu, 19 Apr 2001 13:25:35 +0200

Sincere apologies Shaun
and sorry everyone

YT
Chri....

>>> shaun@xxxxxxxxxxxxx 04/19/01 12:33PM >>>

Christina,
This is a mailing list forum. People post to the list and it gets
distributed to everybody who is subscribed to the list.

There is no need to shout either.

Regards,
 Shaun

----- Original Message -----
From: "Christina Valayadun" <201502129@xxxxxxxxxxxxx>
To: <computers@xxxxxxxxxxxxxxxxx>
Sent: Thursday, April 19, 2001 7:45 PM
Subject: [COMP] Re: Fw: Closed source is more secure


>
> Ok Mr Whatever-ur-name is, sorry to be so impolite but
> I DIDN'T FW:CLOSED SOU........SECURE
> I WAS AT HOME ASLEEP MOST PROBABLY AT 20:51 AND I ONLY JOINED YESTERDAY
> BTW. THIS IS MY UNIVERSITY ADDRESS------------
> THIS UNIVERSITY AIN'T OPEN AT 20:51!
>
> YT
> Christina
>
> >>> weez@xxxxxxxxxxxxx 04/19/01 04:34AM >>>
>
> On Wednesday 18 April 2001 20:51, you wrote:
> > > Sure it is. MS fruitcake explains why.
> > >
> > > <http://www.theregister.co.uk/content/8/18286.html>
> >
> > argh ...
>
> AAH!  Ok, let's take this one point at a time. =)
>
> (btw, "MS" below refers either to comments made by the Microsoft rep, or
> chunks written by the Register)
>
> MS:  "The head of Microsoft's security response team argued here Thursday
> that closed source software is more secure than open source projects, in
> part because nobody's reviewing open source code for security flaws."
>
> Me: Wrong.  Case in point: OpenBSD, a project that's entirely *about*
> auditing code for weaknesses.
>
> MS: "Review is boring and time consuming, and it's hard," said Steve
> Lipner, manager of Microsoft's security response center. "Simply putting
> the source code out there and telling folks 'here it is' doesn't provide
> any assurance or degree of likelihood that the review will occur."
>
> Me:  Eh, let's say correct.  Code review is hard and time consuming.
> Boring?  Depends who you are.  Either way, it's obviously not happening at
> Microsoft, either.  See point #1 -- code audits are happening *constantly*
> in the open source world.
>
> MS: "Lipner, who oversees Microsoft's response to newly-reported security
> holes in its products, took the opportunity to point out "the repeated and
> recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so on.
> The repeated theme is people use this stuff, but they don't spend time
> security reviewing."
>
> Me: Yeah, and if you run wu-ftpd or Bind, you're asking for trouble
> anyway, and have been for years.  They're crappy, poorly-written products,
> and that has nothing to do with whether or not their source code is open.
> Example: djbdns, my DNS package of choice, is also open, and guaranteed by
> the author not to have any holes, or he'll personally pay you 500 bucks.
>
> MS: "Lipner slammed the open source development process, suggesting that
> the often-voluntary nature of creating works like the Linux operating
> system make it less disciplined, and less secure. "The open source model
> tends to emphasize design and development. Testing is boring and
> expensive."
>
> Me: Less disciplined?!  When was the last time a fix for a hole in
> something open took weeks to get a fix for?  Why is it that a
> multi-national, multi billion-dollar company can't release a patch for a
> simple problem within a reasonable amount of time?  Sounds like poor
> software development practices to me.
>
> MS: By contrast, Microsoft does extensive testing on every product, and on
> every patch, said Lipner. "People ask us why our security patches take so
> long. One of the reasons they take so long is because we test them."
>
> Me: Ah-hah, thanks for answering that one, Lipner.  Uhm, wait, did *you*
> come up with that on your own, or did Marketing hand you that on company
> letterhead?  So it takes you weeks to test patches?  Well, that's funny,
> see, because generally, when a problem is found in open source stuff, a
> working patch is supplied by the person who found the problem.
> ...Strange...
>
> MS: "Lipner closed by warning that the nature of open source development
> may lend itself to abuse by malicious coders, who could devilishly clever
> 'trapdoors' in the code that escapes detection, hidden in plain sight."
>
> Me: Ugh, I'm gonna be sick.  The backdoors argument again, eh?  Well,
> let's try to prove there aren't any in any one of Microsoft's products.
>
> MS: Under polite questioning from the audience, Lipner acknowledged that
> some closed-source commercial products have been found to have trapdoors
> themselves.
>
> Me: Well, so kind of you to acknowledge that -- why not make it part of
> your already-shaky argument for next time...
>
> ...
>
> EndRant();
>
> John
>
>
>
> --
> # John Madden  weez@xxxxxxxxxxxxx ICQ: 2EB9EA
> # FreeLists, Free mailing lists for all: //www.freelists.org
> # UNIX Systems Engineer, Ivy Tech State College: http://www.ivy.tec.in.us
> # Linux, Apache, Perl and C: All the best things in life are free!
>
>
> ========================================
> Avenir Web's Computers Mailing List
>
> List Modes, Subscription, and General Info:
> Go to //www.freelists.org/cgi-bin/webpage?webpage_id=11
> List Archives: //www.freelists.org/archives/computers
> Administrative Contact: weez@xxxxxxxxxxxxx
>
> Get computer help: http://avenir.dhs.org
> ========================================

