FW: Microsoft: Closed source is more secure

Nigel Sollars plug-discuss@lists.PLUG.phoenix.az.us
Wed, 25 Apr 2001 16:49:57 +0000


On Wed, 25 Apr 2001, you wrote:
> -----Original Message-----
> From: Keith Bostic [mailto:bostic@sleepycat.com]
> Sent: Wednesday, April 25, 2001 6:09 AM
> To: fsb@crynwr.com
> Subject: Microsoft: Closed source is more secure
> 
> 
> http://www.securityfocus.com/news/191
> 
> Microsoft: Closed source is more secure
> Redmond's security response chief warns the RSA Conference of the perils
> of open source.
> By Kevin Poulsen
> April 12, 2001 1:46 PM PT
> 
> SAN FRANCISCO--The head of Microsoft's security response team argued
> here Thursday that closed source software is more secure than open
> source projects, in part because nobody's reviewing open source code for
> security flaws.
> 
> "Review is boring and time consuming, and it's hard," said Steve Lipner,
> manager of Microsoft's security response center. "Simply putting the
> source code out there and telling folks 'here it is' doesn't provide any
> assurance or degree of likelihood that the review will occur."
> 
> The comments, delivered at the 2001 RSA Conference, were a challenge to
> one of the tenets of open source, that 'with many eyes, all bugs are
> shallow.'
> 
> "The vendor eyes in a security review tend to be dedicated, trained,
> full time and paid," Lipner said.
> 
> Lipner argued that network administrators are better off spending their
> time reading log files and installing patches than poring over source
> code looking for security holes, and the system of 'peer review' that
> works well for vetting encryption algorithms, doesn't work to evaluate
> large pieces of software for flaws.
> 
> "An encryption algorithm is relatively simple, compared to a 40 million
> line operating system," Lipner argued. "And the discovery of an
> individual software flaw doesn't pay off much... It doesn't win anyone
> fame and fortune... People fix the flaw and move on."
> 
> Lipner, who oversees Microsoft's response to newly-reported security
> holes in its products, took the opportunity to point out "the repeated
> and recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so
> on. The repeated theme is people use this stuff, but they don't spend
> time security reviewing."
> 
> 'The open source model tends to emphasize design and development.
> Testing is boring and expensive.'
> -- Steve Lipner, Microsoft
> 
> Trapdoor risk?
> Making source code public also increases the risk that attackers will
> find a crucial security hole that reviewers missed, said Lipner. "That
> argument sounds like an argument for 'security through obscurity,' and I
> apologize. The facts are there."
> 
> Lipner slammed the open source development process, suggesting that the
> often-voluntary nature of creating works like the Linux operating system
> make it less disciplined, and less secure. "The open source model tends
> to emphasize design and development. Testing is boring and expensive."
> 
> By contrast, Microsoft does extensive testing on every product, and on
> every patch, said Lipner. "People ask us why our security patches take
> so long. One of the reasons they take so long is because we test them."
> 
> Lipner closed by warning that the nature of open source development may
> lend itself to abuse by malicious coders, who could devilishly clever
> 'trapdoors' in the code that escapes detection, hidden in plain sight.
> 
> Under polite questioning from the audience, Lipner acknowledged that
> some closed-source commercial products have been found to have trapdoors
> themselves.
> 
> Other conferees expressed skepticism that closed source software
> receives more thorough security reviews than open source code.
> 
> "Looking at products that come from commercial vendors, it seems the
> customer has very little guarantee that the software has been reviewed,"
> said one conferee. "Industry has not acquitted itself well."

Funny how he can say that when Microsoft's own systems got compromised ;P
