Preaching to the Choir. [And a Walk Down Memory Lane]
- From: "M.K. Chatterji" <chat@xxxxxxxxxxxxxxxxxxxxxx>
- To: technocracy@xxxxxxxxxxxxx
- Date: Thu, 30 Aug 2001 22:02:29 -0600
========================================================
SECURITY ADVISER InfoWorld.com
========================================================
Thursday, August 30, 2001
Network protection commentary by: P.J. Connolly
OPEN SOURCE RULES
Posted August 24, 2001 01:01 PM Pacific Time
ONCE IN A while, I'm asked how I feel about open-source
security tools. After making the usual weak joke about
bandages being the best thing for open sores, I give
my honest opinion: They're the greatest things since
sliced bread. Besides, we all know that security is
one area that Microsoft's not going to seize control
of anytime soon. The real benefit to choosing security
tools where the source code is public -- and I don't
really care whether the code is open or "shared" -- is
peer review.
The tradition of peer review goes back to the 1950s and
the 1960s, when university computing centers were the
places to be if you wanted to watch the evolution of
computing from mere number-crunching to what we now
term cyberspace. In the academic environment, source
code was free to use or borrow as you saw fit, and
that belief system remains today at the core of
open-source licensing schemes like BSD (Berkeley
Software Distribution) and the GNU GPL (General
Public License), which affects -- or as Microsoft
would put it, infects -- Linux.
Some people would point out that if it weren't for the
open attitude prevalent in academic computing,
Microsoft might never have gotten off the ground.
After all, Bill Gates and Paul Allen had to get Basic
from somewhere, and it's not like Harvard suffered any
property loss, except perhaps for that roll of punched
paper tape. I know this is off-topic, but if I don't
mention it, I'll get a dozen e-mails when this column
appears -- so that's the last time I mention Microsoft
this week.
Getting back to my point, and I do have one:
Open-source security tools are increasingly important
to businesses as ways to evaluate vulnerabilities to
common attacks. VeriSign seems to agree, because it is
offering a five-day course that covers every important
open-source security tool I can think of, and a couple
with which I am unfamiliar. I'm curious if any readers
who have taken the VeriSign course or a similar one
can tell me if he or she learned anything that
couldn't have been gleaned from reading the manual. I
hope readers are getting a chance to use these tools
hands-on, because that's usually the best way to learn.
Remember that although open source is open, it is not
necessarily perfect. Some tools-- sendmail and BIND in
particular come to mind -- have been around for eons
in computer time, but bugs continue to crop up in them
with the regularity of swallows in Capistrano. It's
just as bad to rely on security through openness as it
is to believe in security through obscurity. The best
advice I can offer is to be careful of where you get
your tools, verify the checksums before you install,
and watch the bug reports afterward to ensure you're
running the most recently fixed version.
In my next column, I'll do a wrap-up of Code Red and
the lessons we hopefully learned from it.
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
MORE SECURITY
ADVISER
For a complete archive of his
InfoWorld columns visit
http://www2.infoworld.com/cgi/component/columnarchive.wbs?column=swatch
INFOWORLD OPINIONS
Weekly commentary from the most trusted voices in
IT at: http://www.infoworld.com/community/t_opinions.html
To join, or start, a discussion on this or any IT-related
topic, please visit our InfoWorld forums at
http://forums.infoworld.com.
Here you can interact and
exchange ideas with InfoWorld staff and other
readers.
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
QUOTE OF THE DAY:
"IBM, SAP, and Oracle gladly embrace Linux the operating
system as a counter to Microsoft in the marketplace. But none
of them have the slightest interest in other open-source
projects that could threaten their domains."
--InfoWorld's Editor in Chief Michael Vizard detects a faint
whiff of hypocrisy in vendors' attitudes to open source
technologies.
http://www.infoworld.com/articles/op/xml/01/08/27/010827opnoise.xml?0830thse
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
SUBSCRIBE
To subscribe to any of InfoWorld's e-mail newsletters,
tell your friends and colleagues to go to:
http://www.iwsubscribe.com/newsletters/
To subscribe to InfoWorld.com, or InfoWorld Print,
or both, go to http://www.iwsubscribe.com
UNSUBSCRIBE
If you want to unsubscribe from InfoWorld's Newsletters,
go to http://iwsubscribe.com/newsletters/unsubscribe/
CHANGE E-MAIL
If you want to change the e-mail address where
you are receiving InfoWorld newsletters, go to
http://iwsubscribe.com/newsletters/adchange/
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Tell Bob "I Told
You So" - What an Opportunity!
He talks to lots of smart people. As the inventor of
Ethernet and founder
of 3Com, he knows a thing or
two himself. And he's written dozens of InfoWorld
columns
about what would, could, and should happen in technology
and society.
Now, the weekly Bob Metcalfe: Back Talk
email newsletter and reader poll lets you give him a
thumbs-up or a big
raspberry. It's more fun than you can
usually get for free. Go to http://www.iwsubscribe.com/newsletters/
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Copyright 2001
InfoWorld Media Group Inc.
Other related posts:
- » Preaching to the Choir. [And a Walk Down Memory Lane]
