========================================================
SECURITY ADVISER
InfoWorld.com
========================================================
Thursday, August 30, 2001

Network protection commentary by: P.J. Connolly

OPEN SOURCE RULES
Posted August 24, 2001 01:01 PM Pacific Time

ONCE IN A while, I'm asked how I feel about open-source security tools. After making the usual weak joke about bandages being the best thing for open sores, I give my honest opinion: They're the greatest things since sliced bread. Besides, we all know that security is one area that Microsoft's not going to seize control of anytime soon.

The real benefit to choosing security tools where the source code is public -- and I don't really care whether the code is open or "shared" -- is peer review. The tradition of peer review goes back to the 1950s and the 1960s, when university computing centers were the places to be if you wanted to watch the evolution of computing from mere number-crunching to what we now term cyberspace. In the academic environment, source code was free to use or borrow as you saw fit, and that belief system remains today at the core of open-source licensing schemes like BSD (Berkeley Software Distribution) and the GNU GPL (General Public License), which affects -- or as Microsoft would put it, infects -- Linux.

Some people would point out that if it weren't for the open attitude prevalent in academic computing, Microsoft might never have gotten off the ground. After all, Bill Gates and Paul Allen had to get Basic from somewhere, and it's not like Harvard suffered any property loss, except perhaps for that roll of punched paper tape. I know this is off-topic, but if I don't mention it, I'll get a dozen e-mails when this column appears -- so that's the last time I mention Microsoft this week.

Getting back to my point, and I do have one: Open-source security tools are increasingly important to businesses as ways to evaluate vulnerabilities to common attacks.
VeriSign seems to agree, because it is offering a five-day course that covers every important open-source security tool I can think of, and a couple with which I am unfamiliar. I'm curious whether any readers who have taken the VeriSign course or a similar one can tell me if they learned anything that couldn't have been gleaned from reading the manual. I hope readers are getting a chance to use these tools hands-on, because that's usually the best way to learn.

Remember that although open source is open, it is not necessarily perfect. Some tools -- sendmail and BIND in particular come to mind -- have been around for eons in computer time, but bugs continue to crop up in them with the regularity of swallows in Capistrano. It's just as bad to rely on security through openness as it is to believe in security through obscurity.

The best advice I can offer is to be careful of where you get your tools, verify the checksums before you install, and watch the bug reports afterward to ensure you're running the most recently fixed version.

In my next column, I'll do a wrap-up of Code Red and the lessons we hopefully learned from it.

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
MORE SECURITY ADVISER
For a complete archive of his InfoWorld columns visit
http://www2.infoworld.com/cgi/component/columnarchive.wbs?column=swatch

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
QUOTE OF THE DAY:
"IBM, SAP, and Oracle gladly embrace Linux the operating system as a counter to Microsoft in the marketplace. But none of them have the slightest interest in other open-source projects that could threaten their domains."
--InfoWorld's Editor in Chief Michael Vizard detects a faint whiff of hypocrisy in vendors' attitudes to open source technologies.
http://www.infoworld.com/articles/op/xml/01/08/27/010827opnoise.xml?0830thse

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Copyright 2001 InfoWorld Media Group Inc.
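The column's closing advice, to verify the checksums before you install, deserves a concrete shape. The script below is an added example written for this page; it is not part of the InfoWorld column and not a vendor's tool. The tarball names, their contents and the SHA256SUMS list are constructed for the demonstration, and it uses SHA-256 (via sha256sum or shasum) rather than the MD5 sums that were common at the time. The verify_signature function assumes gpg and the maintainer's public key are already installed, which the demo does not exercise.

```shell
#!/bin/sh
# Added example (not from the column): check a downloaded tarball against a
# SHA-256 checksum list before installing it. File names and contents below
# are constructed for the demonstration.

# Print the hex SHA-256 digest of the file named in $1.
# Uses sha256sum (GNU coreutils) or, failing that, shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE SUMSFILE
# SUMSFILE uses the "<hex>  <name>" format written by sha256sum; a leading '*'
# on the name (binary mode) is tolerated. Returns 0 on match, 1 on mismatch,
# 2 when SUMSFILE has no entry for FILE's basename (refuse rather than guess).
verify_checksum() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2")
    if [ -z "$expected" ]; then
        echo "REFUSING: no checksum listed for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$1")
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING: $name does not match (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "OK: $name"
    return 0
}

# verify_signature SUMSFILE SIGFILE
# A checksum list fetched from the same mirror as the tarball only proves the
# download was not truncated or corrupted: whoever could swap the tarball could
# swap the list. Checking a detached signature over the list closes that gap.
# Assumes gpg and the maintainer's public key are installed (hypothetical
# setup for this example); not exercised by demo below.
verify_signature() {
    gpg --verify "$2" "$1"
}

# Walk through the three outcomes with constructed files. Returns 0 only if
# each case behaved as documented above.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed tarball contents\n' > "$d/tool-1.0.tar.gz"
    printf 'unrelated\n' > "$d/tool-1.1.tar.gz"
    printf '%s  tool-1.0.tar.gz\n' "$(sha256_of "$d/tool-1.0.tar.gz")" > "$d/SHA256SUMS"

    rc=0; verify_checksum "$d/tool-1.0.tar.gz" "$d/SHA256SUMS" || rc=$?
    ok=$rc                                   # genuine download: expect 0
    printf 'X' >> "$d/tool-1.0.tar.gz"       # simulate a tampered download
    rc=0; verify_checksum "$d/tool-1.0.tar.gz" "$d/SHA256SUMS" || rc=$?
    tampered=$rc                             # altered bytes: expect 1
    rc=0; verify_checksum "$d/tool-1.1.tar.gz" "$d/SHA256SUMS" || rc=$?
    unlisted=$rc                             # no entry in the list: expect 2
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ] && [ "$unlisted" -eq 2 ]
}

demo
```

Two design choices matter more than the hashing itself. An unlisted file is refused outright rather than waved through, so a checksum list that simply omits the new release cannot become a silent bypass. And the list is only trustworthy if it reached you by a path the download did not share: fetch it from the project's own site rather than the mirror, or check a detached signature over it, which is what the column's "be careful of where you get your tools" amounts to in practice.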