Sincere apologies Shaun and sorry everyone

YT
Chri....

>>> shaun@xxxxxxxxxxxxx 04/19/01 12:33PM >>>
Christina,

This is a mailing list forum. People post to the list and it gets distributed to everybody who is subscribed to the list. There is no need to shout either.

Regards,
Shaun

----- Original Message -----
From: "Christina Valayadun" <201502129@xxxxxxxxxxxxx>
To: <computers@xxxxxxxxxxxxxxxxx>
Sent: Thursday, April 19, 2001 7:45 PM
Subject: [COMP] Re: Fw: Closed source is more secure

>
> Ok Mr Whatever-ur-name is, Sorry to be so impolite but
> I DIDN'T FW:CLOSED SOU........SECURE
> I WAS AT HOME ASLEEP MOST PROBABLY AT 20:51 AND I ONLY JOINED YESTERDAY BTW. THIS IS MY UNIVERSITY ADDRESS------------
> THIS UNIVERSITY AINT OPEN AT 20:51!
>
> YT
> Christina
>
> >>> weez@xxxxxxxxxxxxx 04/19/01 04:34AM >>>
>
> On Wednesday 18 April 2001 20:51, you wrote:
> > > Sure it is. MS fruitcake explains why.
> > >
> > > <http://www.theregister.co.uk/content/8/18286.html>
> >
> > argh ...
>
> AAH! Ok, let's take this one point at a time. =)
>
> (btw, "MS" below refers either to comments made by the Microsoft rep, or chunks written by the Register)
>
> MS: "The head of Microsoft's security response team argued here Thursday that closed source software is more secure than open source projects, in part because nobody's reviewing open source code for security flaws."
>
> Me: Wrong. Case in point: OpenBSD, a project that's entirely *about* auditing code for weaknesses.
>
> MS: "Review is boring and time consuming, and it's hard," said Steve Lipner, manager of Microsoft's security response center. "Simply putting the source code out there and telling folks 'here it is' doesn't provide any assurance or degree of likelihood that the review will occur."
>
> Me: Eh, let's say correct. Code review is hard and time consuming. Boring? Depends who you are.
> Either way, it's obviously not happening at Microsoft, either. See point #1 -- code audits are happening *constantly* in the open source world.
>
> MS: "Lipner, who oversees Microsoft's response to newly-reported security holes in its products, took the opportunity to point out "the repeated and recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so on. The repeated theme is people use this stuff, but they don't spend time security reviewing."
>
> Me: Yeah, and if you run wu-ftpd or Bind, you're asking for trouble anyway, and have been for years. They're crappy, poorly-written products, and that has nothing to do with whether or not their source code is open. Example: djbdns, my DNS package of choice, is also open, and guaranteed by the author not to have any holes, or he'll personally pay you 500 bucks.
>
> MS: "Lipner slammed the open source development process, suggesting that the often-voluntary nature of creating works like the Linux operating system make it less disciplined, and less secure. "The open source model tends to emphasize design and development. Testing is boring and expensive."
>
> Me: Less disciplined?! When was the last time a fix for hole in something open took weeks to get a fix for? Why is it that a multi-national, multi billion-dollar company can't release a patch for a simple problem within a reasonable amount of time? Sounds like poor software development practices to me.
>
> MS: By contrast, Microsoft does extensive testing on every product, and on every patch, said Lipner. "People ask us why our security patches take so long. One of the reasons they take so long is because we test them."
>
> Me: Ah-hah, thanks for answering that one, Lipner.
> Uhm, wait, did *you* come up with that on your own, or did Marketing hand you that on company letterhead? So it takes you weeks to test patches? Well, that's funny, see, because generally, when a problem is found in open source stuff, a working patch is supplied by the person who found the problem. ...Strange...
>
> MS: "Lipner closed by warning that the nature of open source development may lend itself to abuse by malicious coders, who could devilishly clever 'trapdoors' in the code that escapes detection, hidden in plain sight."
>
> Me: Ugh, I'm gonna be sick. The backdoors argument again, eh? Well, let's try to prove there aren't any in any one of Microsoft's products.
>
> MS: Under polite questioning from the audience, Lipner acknowledged that some closed-source commercial products have been found to have trapdoors themselves.
>
> Me: Well, so kind of you to acknowledge that -- why not make it part of your already-shaky argument for next time...
>
> ...
>
> EndRant();
>
> John
>
> --
> # John Madden weez@xxxxxxxxxxxxx ICQ: 2EB9EA
> # FreeLists, Free mailing lists for all: //www.freelists.org
> # UNIX Systems Engineer, Ivy Tech State College: http://www.ivy.tec.in.us
> # Linux, Apache, Perl and C: All the best things in life are free!
>
> ========================================
> Avenir Web's Computers Mailing List
>
> List Modes, Subscription, and General Info:
> Go to //www.freelists.org/cgi-bin/webpage?webpage_id=11
> List Archives: //www.freelists.org/archives/computers
> Administrative Contact: weez@xxxxxxxxxxxxx
>
> Get computer help: http://avenir.dhs.org
> ========================================