On Wed, 25 Apr 2001, you wrote:

> -----Original Message-----
> From: Keith Bostic [mailto:bostic@sleepycat.com]
> Sent: Wednesday, April 25, 2001 6:09 AM
> To: fsb@crynwr.com
> Subject: Microsoft: Closed source is more secure
>
> http://www.securityfocus.com/news/191
>
> Microsoft: Closed source is more secure
> Redmond's security response chief warns the RSA Conference of the perils of open source.
> By Kevin Poulsen
> April 12, 2001 1:46 PM PT
>
> SAN FRANCISCO--The head of Microsoft's security response team argued here Thursday that closed source software is more secure than open source projects, in part because nobody's reviewing open source code for security flaws.
>
> "Review is boring and time consuming, and it's hard," said Steve Lipner, manager of Microsoft's security response center. "Simply putting the source code out there and telling folks 'here it is' doesn't provide any assurance or degree of likelihood that the review will occur."
>
> The comments, delivered at the 2001 RSA Conference, were a challenge to one of the tenets of open source, that 'with many eyes, all bugs are shallow.'
>
> "The vendor eyes in a security review tend to be dedicated, trained, full time and paid," Lipner said.
>
> Lipner argued that network administrators are better off spending their time reading log files and installing patches than poring over source code looking for security holes, and that the system of 'peer review' that works well for vetting encryption algorithms doesn't work to evaluate large pieces of software for flaws.
>
> "An encryption algorithm is relatively simple, compared to a 40 million line operating system," Lipner argued. "And the discovery of an individual software flaw doesn't pay off much... It doesn't win anyone fame and fortune... People fix the flaw and move on."
> Lipner, who oversees Microsoft's response to newly-reported security holes in its products, took the opportunity to point out "the repeated and recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so on. The repeated theme is people use this stuff, but they don't spend time security reviewing."
>
> 'The open source model tends to emphasize design and development. Testing is boring and expensive.'
> -- Steve Lipner, Microsoft
>
> Trapdoor risk?
>
> Making source code public also increases the risk that attackers will find a crucial security hole that reviewers missed, said Lipner. "That argument sounds like an argument for 'security through obscurity,' and I apologize. The facts are there."
>
> Lipner slammed the open source development process, suggesting that the often-voluntary nature of creating works like the Linux operating system makes it less disciplined, and less secure. "The open source model tends to emphasize design and development. Testing is boring and expensive."
>
> By contrast, Microsoft does extensive testing on every product, and on every patch, said Lipner. "People ask us why our security patches take so long. One of the reasons they take so long is because we test them."
>
> Lipner closed by warning that the nature of open source development may lend itself to abuse by malicious coders, who could [plant] devilishly clever 'trapdoors' in the code that escape detection, hidden in plain sight.
>
> Under polite questioning from the audience, Lipner acknowledged that some closed-source commercial products have been found to have trapdoors themselves.
>
> Other conferees expressed skepticism that closed source software receives more thorough security reviews than open source code.
>
> "Looking at products that come from commercial vendors, it seems the customer has very little guarantee that the software has been reviewed," said one conferee. "Industry has not acquitted itself well."
> ________________________________________________

Funny how he can say that when Microsoft's own systems got compromised ;P

> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss