Preaching to the Choir. [And a Walk Down Memory Lane]

  • From: "M.K. Chatterji" <chat@xxxxxxxxxxxxxxxxxxxxxx>
  • To: technocracy@xxxxxxxxxxxxx
  • Date: Thu, 30 Aug 2001 22:02:29 -0600

  SECURITY ADVISER                 

  Thursday, August 30, 2001

  Network protection commentary by: P.J. Connolly


  Posted August 24, 2001 01:01 PM  Pacific Time

  ONCE IN A while, I'm asked how I feel about open-source
  security tools. After making the usual weak joke about
  bandages being the best thing for open sores, I give
  my honest opinion: They're the greatest things since
  sliced bread. Besides, we all know that security is
  one area that Microsoft's not going to seize control
  of anytime soon. The real benefit to choosing security
  tools where the source code is public -- and I don't
  really care whether the code is open or "shared" -- is
  peer review.

  The tradition of peer review goes back to the 1950s and
  the 1960s, when university computing centers were the
  places to be if you wanted to watch the evolution of
  computing from mere number-crunching to what we now
  term cyberspace. In the academic environment, source
  code was free to use or borrow as you saw fit, and
  that belief system remains today at the core of
  open-source licensing schemes like BSD (Berkeley
  Software Distribution) and the GNU GPL (General
  Public License), which affects -- or as Microsoft
  would put it, infects -- Linux.

  Some people would point out that if it weren't for the
  open attitude prevalent in academic computing,
  Microsoft might never have gotten off the ground.
  After all, Bill Gates and Paul Allen had to get Basic
  from somewhere, and it's not like Harvard suffered any
  property loss, except perhaps for that roll of punched
  paper tape. I know this is off-topic, but if I don't
  mention it, I'll get a dozen e-mails when this column
  appears -- so that's the last time I mention Microsoft
  this week.

  Getting back to my point, and I do have one:
  Open-source security tools are increasingly important
  to businesses as ways to evaluate vulnerabilities to
  common attacks. VeriSign seems to agree, because it is
  offering a five-day course that covers every important
  open-source security tool I can think of, and a couple
  with which I am unfamiliar. I'm curious if any readers
  who have taken the VeriSign course or a similar one
  can tell me whether they learned anything that
  couldn't have been gleaned from reading the manual. I
  hope readers are getting a chance to use these tools
  hands-on, because that's usually the best way to learn.

  Remember that although open source is open, it is not
  necessarily perfect. Some tools -- sendmail and BIND in
  particular come to mind -- have been around for eons
  in computer time, but bugs continue to crop up in them
  with the regularity of swallows in Capistrano. It's
  just as bad to rely on security through openness as it
  is to believe in security through obscurity. The best
  advice I can offer is to be careful of where you get
  your tools, verify the checksums before you install,
  and watch the bug reports afterward to ensure you're
  running the most recently fixed version.

  In my next column, I'll do a wrap-up of Code Red and
  the lessons we hopefully learned from it.

  - - - - - - - - - - - - - - - - - - - - - - - - - - - -


  "IBM, SAP, and Oracle gladly embrace Linux the operating
  system as a counter to Microsoft in the marketplace. But none
  of them have the slightest interest in other open-source
  projects that could threaten their domains."

  --InfoWorld's Editor in Chief Michael Vizard detects a faint
  whiff of hypocrisy in vendors' attitudes to open source

  - - - - - - - - - - - - - - - - - - - - - - - - - - - -


  Copyright 2001
  InfoWorld Media Group Inc.
