NewsForge - The Online Newspaper of Record for Linux and Open Source
June 7th, 2002
  Think tank questioning Open Source security runs Apache on its Web site, but author defends study  
Wednesday June 05, 2002 - [ 06:30 PM GMT ]
Topic - Security
By Grant Gross
If using Open Source software makes government computer systems susceptible to terrorists as a forthcoming white paper by conservative think tank Alexis de Tocqueville Institution claims, then ADTI's own Web site is at risk. ADTI.net runs a version of ... Apache.

This fact was pointed out by Richard M. Smith on Declan McCullagh's Politech email list. So I went to Netcraft.com and checked for myself. Sure enough: "The site www.adti.net is running Rapidsite/Apa/1.3.20 (Unix) FrontPage/4.0.4.3 mod_ssl/2.8.4 OpenSSL/0.9.6 on IRIX." Web host Rapidsite uses a customized version of the Open Source Apache Web server, and Adti.net also runs OpenSSL, the Open Source Secure Sockets Layer toolkit.

ADTI president Ken Brown, whose white paper says Open Source software provides hackers/crackers its "blueprint," volunteers the fact that the site runs on Apache before I can ask him about it during a chat earlier today. "We're pro-Open Source here at de Tocqueville," he says.

My response to Brown: "Huh?"

Brown answers that his white paper specifically questions the security of the GNU General Public License, not other BSD-like Open Source licenses, such as the Apache Software License, although the white paper's press release doesn't make the distinction. "[Open Source] is great for experimentation, and it's great for research," Brown says. "We're talking about national security, and when it comes to the whole issue of hacking a system, we conclude and we will defend to the end, that more information is better [for hackers/crackers]. If you provide more code, you're giving a [hacker] person more information. At the end of the day, you're educating people about what you've done, and we don't see any real benefit to that, especially if it's a bad person."

So BSD good, GPL bad? That sounds exactly like Microsoft's position lately, although I'm not sure what a big difference that makes in this case, because both licenses allow access to the source code. So the issue apparently is that seeing the source code, or the blueprint, isn't really the problem, but making your changes available to others suddenly opens up all kinds of new security holes. Last time I checked, the GPL doesn't require you to share your passwords or upload your SSH key to Richard Stallman.

So we have a think tank that doesn't put its money where its mouth is. Smith, on Politech, also says the Alexis de Tocqueville Institution has gotten funding from Microsoft in the past, and a story at Wired.com today confirms that. The think tank has been a Microsoft antitrust apologist in the past. (That's just one of more than a half dozen pro-Microsoft papers on ADTI.net, pointed out by OSDN programmer Jamie McCarthy on Politech.) Why isn't that a surprise?

Of course, Microsoft doesn't always put its money where its mouth is, either. Remember Microsoft's anti-Unix site Wehavethewayout.com, which was originally running FreeBSD?

I ask Brown about Microsoft funding for this specific study, and he says it's against ADTI's policy to comment on who funds its studies. I suggest that not disclosing the paper's financial backers may cause people to question the validity of the study.

Brown answers: "I have a lot of faith in the American people. If somebody wrote something tomorrow that everyone should move to California, people aren't going to get up and move to California. It has nothing to do with a travel organization funding the study, it has to do with common sense. We think that something should be challenged on its merits."

So Brown and I move on to the merits of the white paper's conclusions. He agrees when I suggest Microsoft products have a long history of security problems. "Our position is not that one system is better than another," Brown adds. "We never said that. Our paper is about Open Source, that's it."

Still, I press Brown on the Microsoft alternative to Open Source, given Brown's theory that Open Source can be exploited by terrorists. He claims "volunteer" organizations like Open Source projects don't have much of a chance of competing with huge corporate initiatives.

His reasoning: "You get 10 smart people together in a room, and they'll come up with some pretty good code. You get 100 smart people together, and they'll come up with some even better code ... and on and on from there, assuming there's some break-off point and somebody can't make it any better." He continues: "Now, let's change the model from numbers of people to accountability, warranties, customer service, manuals, that kind of thing. You take an organization that doesn't have any accountability, that provides no warranties, no guarantees for its services, is not financially rewarded necessarily for providing its fixes, I don't think it can compare in efficiency to an organization that does. You can't say a volunteer group is necessarily always going to as efficient as a group that's contracted."

I don't even know where to start to respond to that statement. The hundreds of horror stories about getting tech support from Microsoft and other large computer companies run through my head. Brown has limited time to talk, so instead I suggest that people often do better work for volunteer organizations than their employers, because they're doing what they love, not what they're getting paid for.

"The fact is, I want a guarantee as a businessman, I want accountability," Brown answers.

Brown should talk to Microsoft about guarantees. One NewsForge reader points out something I'd nearly forgotten: The Windows End User License Agreement specifically disclaims any obligation of a warranty. It seems that Brown's holding Open Source up to a standard he doesn't expect from his past financial backer. And, besides, if you find a software company willing to sell you a system it guarantees can never be cracked, ask if it can add some snake oil to your order.

Okay, I point out, in the case of security, it appears as if the Open Source model somehow works better, especially when compared to Microsoft. Even when I take into account that many Microsoft products are used by millions of people, many of whom shouldn't have gotten a license to operate a computer in the first place, Open Source products seem to have fewer serious security problems, not to mention that Open Source bugs seem to get fixed a whole lot faster.

The "many eyes squash many bugs" explanation seems to hold water, and although most Open Source projects aren't created by 100 smart people sitting in a room together, the model Brown likes, they are created by hundreds of people talking on the Web together, and these are generally people who care as deeply about their projects as Boston Red Sox fans care about another late-season choke. No, most Open Source coders aren't paid, but neither are the rabid Red Sox fans.

"In the case of security, it appears that Open Source products have fewer security vulnerabilities," I say to Brown. "So somewhere, there's an efficiency there."

Brown seems to back off: "What we've been suggesting in our study ... is that this deserves more study. And that's where we stand. We think there should be a commission to do a rigorous test and do a study. We didn't do a [security] study comparing proprietary software to Open Source, and I'd like unbiased community of people to do this kind of study."

I point to studies like a recent one from Gartner Group that suggests Microsoft security would benefit from an Open Source-style review. But, I add, the Open Source community would probably welcome an unbiased study of that sort. So Brown and I finally find some common ground.

The white paper, which has gotten unquestioning coverage at places like ZDNet, is scheduled to be released Friday and will also include critiques about Open Source attitudes about intellectual property and Open Source. Brown, who says he has four years of experience writing about technology, authored the study with help from several others after more than six months of interviews about Open Source, he says.

I remain intrigued by Brown's assertion that showing the source code "blueprint" makes Open Source software more vulnerable to terrorists. That theory leaves out the fact that sysadmins have a variety of tools at their disposal to make systems more secure. Most people who know much more about information security than I do would advise people worried about security to never install a default Web server or operating system, whether it's Open Source or proprietary. You need to take the precautions available and keep up with the security updates, and you need to realize that no system is totally invulnerable.

As Brown says he has to get off the phone, I give him another blueprint scenario:

Let's pretend you and I are burglars, I tell him. We're considering breaking into two houses. We have the blueprint for the first house, let's call it the Open Source house. We know how the house is laid out, we know where the doors are, but we also know that there are locks on the windows, there are dead-bolt locks on all the doors, there's a burglar alarm installed, there are two 100-pound Rottweilers living inside, and the owner keeps a loaded double-barrel shotgun somewhere in the house.

Let's call the second house the Microsoft house. We don't have a blueprint, but we know the owner doesn't have locks on the windows, has no dogs, guns, or burglar alarm, and tends to leave the back door unlocked.

So, I ask Brown, which house are we going to break into? Does the blueprint really help us?

Brown doesn't have much of an answer to that.

On the other hand ...      (#14905)
by Anonymous Reader on 2002.06.05 13:51

I don't really understand the crooked business mind. I hope MS gave him top dollar for that soul.

In answer to your query      (#14907)
by Anonymous Reader on 2002.06.05 14:07

I'd say, without advocating the act itself, that theoretically, one should burglarize the open source house, since you know where the dangers are and how to minimize, preferably eliminate, them as a source of concern.

That last analogy really doesn't work all that well, when it comes down to it.

The study is "concerned" with security?      (#14911)
by Rocky on 2002.06.05 14:30

While the author *may* have some valid points in the "study", unless he's proposing implementing OS/400 or higher he's got a problem. In regards to the desktop the alternative to Linux, the virus otherwise known as Windows, security sucks and it's been proven and proven and demonstrated over and over again.

So - my suggestion is this - if indeed he's truly "concerned" about security - put AIX or other form of Unix (Solaris?) as the desktop - it's proprietary and a whole lot more secure than Windows will EVER be.

gotta love FUD      (#14914)
by Anonymous Reader on 2002.06.05 14:49

If this study was so concerned with security, they wouldn't have been so overconcerned with the differences between the GPL and BSD style licenses.

If as he is saying Open Source software is more vulnerable due to the source being available to anyone who wants it, then it shouldn't make a difference how said software is licensed. BSD or GPL or whatever, if the source is available, you would think it would be the same situation.

I fail to see how GPL'd software is more vulnerable than BSD'd software. Linux compared to NetBSD; there isn't a huge difference in security between them if you look at their histories.

When this 'white paper' is released it shall be interesting to tear it apart looking for FUD and lies.

And this study seems to have been funded by Microsoft, hmm... interesting.

This reminds me of the 1970's.      (#14916)
by Anonymous Reader on 2002.06.05 15:11

In that decade, anti-marijuana pundits had to sit back for awhile and stop being pushy, because of the groundswell of interest. But they did engage in some pseudo-academic-science baloney and kept saying they weren't saying that bla bla bla...then all of a sudden all the newspapers started printing 72-point headlines about how horrible it was, according to these studies (never mind they had to retract most of them...)

That reminds me of this story. Now, all I have to do is wait for the 72-point headlines from some rich man's newspaper or Internet site:

STUDIES PROVE LINUX IS INSECURE!!!!!

Then, of course, there'll be the 8-point retraction on page 78 below the right-hand corner of the auto ad, just above the 72-point heading for a sale on Microsoft products....

Maybe there'll even be some video bites on TV with some bad-hair guy mumbling about how his Line-ux box was infected by a virus....

Funny thing is, I keep getting these e-mails that want to open Media Player, and do bad things to my Microsoft Outlook, and the anti-virus product makers wring their hands. Because Media Player *has* to be able to run arbitrary code, allowing marketers to "provide" synchronized video, sound, and web pages.....

...in my E-mail?

"the more things change, the more they stay the same."

Microsoft developing in secret is better off?      (#14925)
by Anonymous Reader on 2002.06.05 16:07

Have you ever tried to get Microsoft or any other large software company to make changes? Albeit, the problems may be difficult or only affect a few people. Still, fundamental short cuts to meet closed source release deadlines affect quality. Ones that turn out to be bad architectural design problems cause significant problems. Once in place these are very difficult changes for a closed source project to correct. In an open source project someone who's likely affected by the problem will take the time and resources required to correct the problem themselves and return the code to the community. Everyone benefits from the cooperative model.

The Internet and early software development exist and are successful because of this model. Back then it was mostly about hardware sales. The freely available software led to hardware sales. This doesn't happen today with closed source projects. That's fine, as a software company has to have profits from its closed source projects; it's what drives software companies. The two are different approaches. Without an incentive for true design and quality, the pressures of closed source projects at times lead to real deadlines that affect a user's ability to work through the resulting compromises and problems. The open source model provides a real way to work through problems.

Is this free? No. But you can teach a person to fish or feed the individual. Given the need to eat, I'd prefer to have the required skill sets to be somewhat self-sufficient. It's all about having a choice, and it's a choice that can be made on a project-by-project basis. The two can coexist if the closed source environment can compete with the overall quality volunteers are effectively able to produce, with or without corporate sponsors from their employers or through their personal time.

100's of smart people      (#14929)
by Anonymous Reader on 2002.06.05 16:26

Actually it's been shown that throwing additional developers at a project will usually slow it down.

You should have told Mr. Brown...      (#14930)
by Anonymous Reader on 2002.06.05 16:33

...even the resident of the MS house doesn't have the blueprints. Damnit, he can't even find his way from one room to the next, let alone be certain no one can break into it!

And then he has to pay $35 for a technician to change a stupid light bulb. Of course, we can't tell you how to do that; that's Proprietary! Someone might figure out how to break in! Duuuuhhhhh!!!!

And soon after the light bulb has been 'upgraded', the damn toilet won't flush anymore!!!

Etc., etc., etc., etc., etc.....

blueprints are a bad analogy      (#14932)
by Anonymous Reader on 2002.06.05 17:22

hello,

I think that comparing the security of a physical structure like a building and software is misleading.

The idea that a building is (debatably) more secure because the blueprints are secret does not hold up for software.

Here's why. If a house was like software, then anyone who wished to could download an exact copy of your house at no cost or little cost. They could then use this copy to practice breaking in.

Furthermore, they could scan the copy of your house to see what is inside the walls. And they could even take it apart to see how it is built. This may not give them the blueprints, nor would it provide them with the information that they need to build another house, but as Microsoft has proven again and again, and again, it provides enough information to break in to your house.

Having the source code to software only helps you to break into it if there are obvious flaws, or hidden backdoors, or hardcoded passwords.

An excellent explanation of this can be found in the "Secure Programming Howto"

Rick

Why does Windows still have the "libz" hole?      (#14949)
by thebs on 2002.06.05 21:03

If BSD software allows companies to take Open Source and make it "secure" by closing it, why does Windows still have the "libz" buffer overrun hole? It couldn't be because Microsoft doesn't change the Open Source it uses but just uses it "as-is," could it?

I can look past the bias and hypocritical aspects of this study. That's all viewpoint and PR spin as far as I'm concerned. But to say GPL and BSD differ on source code availability and that "closed" versions of BSD code are better? Com'mon! That's outside reality! Just look at Windows!

-- Bryan (fka TheBS)
I hate "Microsoft Bigots" almost as much as the "Anything-But-Microsoft" ones.

Reverse Economies of Scale      (#14951)
by Zrd11 on 2002.06.05 21:42

I love the quote:
"You get 10 smart people together in a room, and they'll come up with some pretty good code. You get 100 smart people together, and they'll come up with some even better code."
It's obvious to me that this person has never worked on a real software team.

The bigger the team, the greater the chance that someone's going to screw up and put something stupid in the code. This is especially true when you've got a mix of experienced and inexperienced programmers on a project.
--
Your Servant
B. Baggins

Chris Nandor might take exception...      (#14952)
by Anonymous Reader on 2002.06.05 21:44

He IS a rabid BoSox fan.

Go BoSox!

An e-mail exchange with the ADTI president      (#14956)
by Anonymous Reader on 2002.06.05 22:33

Ken Brown is the president of ADTI. My first letter, quoted herein, was sent to him at ADTI.

(I posted a copy of my letter in the first newsforge announcement of this study.)

Here is his response. My responses to him are in followup posts.

-------------------------------------------

Subject: RE: Terrorists and open source software
Date: 2002.06.02 09:35
From: Ken Brown
To: Karl O . Pinc

Karl,

Our position is as follows:

1: No software is invulnerable. Thus all software has inherent security problems.
2: Those with motivations to crack a software for bad reasons, etc. will do so, regardless of whether the product is os or proprietary.
3: OS is a sound, credible approach for creating systems for the Internet, etc. However, its basis is upon sharing. While we understand that all OS does not have to be shared, a majority of it, whether it is commercial or non-commercial, is shared. The GPL license and GPL applications are over 80% of popular OS products today. GPL and LGPL stipulate that sharing must occur.
4. National security systems must be secret. Anything or anyone that poses any type of indiscreet sharing is an inherent threat.

Therefore:

Due to increased interest by bad people in our national security system's vulnerabilities, we should avoid use of systems which enable, require or mandate indiscreet sharing.

Microsoft and people's hate for Microsoft is irrelevant. True patriots will come to grips with the reality that really bad people want more information about our nation's computer systems. True patriots would insist that giving them anything about our systems is reckless.

kb

-----Original Message-----
From: Karl O . Pinc [mailto:kop@meme.com]
Sent: Friday, May 31, 2002 11:44 AM
To: kenbrown@adti.net
Subject: Terrorists and open source software

Hello,

I just saw an announcement (http://newsvac.newsforge.com/newsvac/02/05/31/101 7224.shtml?tid=52) on a paper you are said to release next week "Opening the Open Source Debate".

Based on the content of this announcement, it appears you could look pretty silly when someone points out that the Internet itself is run, now, on open source software. The core fabric of the domain name system, which provides domain names like adti.net, uses the open source software "bind", from the Internet Software Consortium (http://www.isc.org). More than half of the existing domains, an even larger percentage if you count only domains that are being used, serve web pages using the open source Apache web server. (See http://www.apache.org and http://www.netcraft.com/survey.) Most e-mail is delivered with the open source mail transfer agents sendmail, postfix, and qmail. (See http://www.sendmail.org, http://wwww.postfix.org, and http://www.qmail.org.) The list goes on.

This open source infrastructure has proven itself to be secure and reliable. It has withstood the attacks mounted against it by all comers, hackers, terrorists, and idle vandals, for years. Quite arguably it has a _far_ better performance record when it comes to protecting this increasingly vital national resource than its closed source equivalents. I hope your paper considers the record open source software has vis-à-vis securing the infrastructure of the Internet, a resource which by its very nature is constantly open to attack. Any paper on the risks of open source which does not examine this proven performance record is fatally flawed.

Regards,
Karl

Warranties...      (#14958)
by fitzix on 2002.06.05 22:38

Umm - Mr. Brown should note that the MS EULA has a "No Warranty" clause.

If MS' software allows someone to break into your business, you're just as helpless to sue as when running Free Software...

The "warranty and accountability" line is an old piece of FUD that uses emotional reactions in support of a lack of personal responsibility for one's (lack of) action.

Now, maybe you just couldn't find that darned security hole or you just didn't have time.

Legally, it doesn't matter -- it would only be a stupid company/developer that would put a complete warranty on the software. Almost nobody does it, and Microsoft certainly doesn't do it.

There's no debate on that issue -- it's black and white in the MS EULA. Mr. Brown might take an interest in reading it someday.

Go for the blueprinted house      (#14967)
by Anonymous Reader on 2002.06.06 0:28

Locks on windows are easy. So let's make it a window entry. Since we've been planning this for a couple of months, we have already triggered the alarm system on several occasions. We know where the vulnerabilities are. And the owner thinks there's something wrong with the system. But the alarm company finds nothing. Several more triggers, and now the alarm company has minimized the sensitivities on the sensors. And made larger contact areas on the magnets. And secured the window tape better.

We've also been watching the house/studying the blueprints. We know that the shotgun is either in the bedroom or living room from past experience, more than likely in the bedroom.

We also know from our surveillance jaunts that the Rottweilers have free roam of the first floor, stairs, and hallways of the second floor. This means there are no motion sensors or mats with pressure sensitive switches in these locations.

We schedule the job. The parents normally work until about 6:00, and haven't gotten back home at night until about 7:00. The single child stays with his girlfriend until dinnertime, at which point he normally drives home around 7:30. It's winter. Short daylight hours. We schedule the job for a night around the new moon, for even less daylight. Tomorrow night looks like it. It's going to rain. Perfect. No eyeballs on the street, and the rain will cover us if we make a little noise.

Step 1. Use a van that will hold the safe we're going to hoist from the second floor window to the floor outside the side of the house. We use a second floor window because through previous experience, and previous tests on the house, we know that the alarm company has not installed magnets on the second floor bathroom windows. They never dreamed we'd come in from there, and listening to the owners, against the alarm company's better judgement, the second floor bathroom window contacts, and several other second floor windows have not had magnets/sensors installed yet. The owners don't place a high priority on this, they just want to relax when they get home from work, and have no time right now to stay home to watch the house while the alarm company finishes the job. The house is well protected, who would be dumb enough to try and come in through a second floor window? That window is at least thirty feet up, and is on a side that can be seen from the side of the house. Besides, the owners have the dogs...

Step 2. We're dressed like servicemen in case of anything. We have a lookout position near the front of the house in a car, with a radio. A second lookout is parked five blocks away, at the entrance of the area. The third lookout is parked across the street from where the parents work. Everyone has radios. We know the parents are still hard at work.

Step 3. We open the second floor window, after scaling to the roof with our portable equipment. We toss in the drugged food for the dogs. Five minutes later, the dogs are out. The safe is easy. Bedroom. Bypass the plunger switch near the base of the bedroom door. It's wood, so that takes less than 30 seconds. Check for button triggers under the safe wheels, none, roll it out to the second floor hallway. Attach the straps, hoist it up to window ledge, out the window, down to exterior first floor with the special portable hoist we rigged up that is now on the roof of the house, positioned above the second floor bathroom window.

Step 4. Problem. The couple's kid (he's 17) drives home. We've got the safe on the floor, outside the side of the house. He drives up the driveway at the front of the house. Therefore he doesn't see the van parked at the back.

Tense moments...

He enters the first floor, picks up a schoolbook at the base of the stairs, then exits, and drives away. Unknown to us, he notices the lookout at the front of the house through his rearview mirror. Fortunately, the windows of the lookout car are heavily tinted, so he sees no one inside. Unfortunately, and unknown to us at the time,

Read the rest of this comment...

Funny      (#14980)
by Anonymous Reader on 2002.06.06 5:07

Funny: when someone keeps saying OpenSource is insecure, more expensive (TCO), user-unfriendly, etc., you just keep asking for reasons and proof, and see: they'll retreat in no time... :-)

Seems it is much easier to bash OpenSource than to prove your statements. Knowledge is power! :-)

People are the lowest-common security denominator      (#14986)
by Anonymous Reader on 2002.06.06 7:17

The Alexis de Tocqueville Institution needs to take a hard look at its own security. They are running their website using a hacked version of Apache on SGI IRIX servers. They are also running a wide-open anonymous FTP server that contains easily accessible passwd files (containing usernames with NO PASSWORDS, I might add).

You can run the "most secure" closed or open-source software in the world. In the hands of a sloppy administrator, you're vulnerable irrespective of which you choose.

Which is what?      (#14991)
by Anonymous Reader on 2002.06.06 7:58

"You take an organization that doesn't have any accountability, that provides no warranties, no guarantees for its services, is not financially rewarded necessarily for providing its fixes, I don't think it can compare in efficiency to an organization that does."

Ok, the first definitely describes commercial software, but it's rare that free software provides any of it either, so I don't quite get what he's trying to compare to what.

This guy must have missed reading his licenses the last 20 years. And I've yet to see any guarantee ever translate into a payout when it fails.

Security through obscurity again      (#15008)
by Anonymous Reader on 2002.06.06 10:37

Bruce Schneier says it better than I can, and he's an expert in the security and cryptography areas. So I'll point here [counterpane.com], to his latest explanation of the subject.

The benefit is peer review. Cryptography is hard, and almost all cryptographic systems are insecure. It takes the cryptographic community, working over years, to properly vet a system. Almost all secure cryptographic systems were developed with public and published algorithms and protocols. I can't think of a single cryptographic system developed in secret that, when eventually disclosed to the public, didn't have flaws discovered by the cryptographic community. And this includes the Skipjack algorithm and the Clipper protocol, both NSA-developed.

... Kerckhoffs' Principle is just one half of the decision process. Just because security does not require that something be kept secret, it doesn't mean that it is automatically smart to publicize it. There are two characteristics that make publication so powerful in cryptography. One, there is a large group of people who are capable and willing to evaluate cryptographic systems, and publishing is a way to harness the expertise of those people. And two, there are others who need to build cryptographic systems and are on the same side, so everyone can learn from the mistakes of others. If cryptography did not have these characteristics, there would be no benefit in publishing.

Rewards?      (#15009)
by Anonymous Reader on 2002.06.06 10:51

Concerning the following quote: "You take an organization that doesn't have any accountability, that provides no warranties, no guarantees for its services, is not financially rewarded necessarily for providing its fixes, I don't think it can compare in efficiency to an organization that does. You can't say a volunteer group is necessarily always going to as efficient as a group that's contracted."

Since when is M$ financially rewarded for providing fixes? If anything, they've proved that it is _not_ financially rewarded, so in response, it takes a two-pronged approach:

1) Take a frustratingly long time to even _acknowledge_ a fix is necessary, then take forever to provide that fix, since a fix is typically no-charge, being it was your mistake to begin with, which leads us to:

2) Distribute the fix as part of an _upgrade_, which you then charge for and force people, who need the fix for business/security purposes, to have to pay for. This is just as unethical as intentionally and unnecessarily changing the binary format of a document for each release of the same application. Built-in obsolescence. And we're not talking 4 generations back, this is done with basically every sequential upgrade.

I hope M$ has enjoyed the ride, because IBM was a monopoly, AT&T was a monopoly, etc. All the fools think they're smarter than the other poor saps that preceded them. It's sad to see over and over again how greed eventually corrupts. Well, I can see, by reading the latest press over the last 6 months, that M$ is now on the decline. Licensing rebellion, whole governments (national and local), school districts, corporations, etc. evaluating/moving to open source, changing their business model (companies don't do this lightly, they have to see an inevitable end to their revenue streams).

Sheesh, ask this guy, if distributing open source code is such a bad idea, why is the NSA even contributing source to Linux to make it more secure?

Is this from the research or marketing department?      (#15015)
by olsonco on 2002.06.06 11:39


" ... he says it's against ADTI's policy to comment on who funds its studies."

Kudos to Grant Gross for asking pointed and relevant questions.

The answer to the question about funding pretty much wrapped up the interview for me.

It is clear from the response that the author of the study is not a reputable researcher, and should, in fact, perhaps change his title from whatever it is to something with the word "marketing" in it.

I wonder how much it costs for this author to produce a study? Are the prices based on billable hours or do they also reflect the relative implausibility of the conclusions?

I was also amused by the response, "What we've been suggesting in our study ... is that this deserves more study. And that's where we stand." This seems to be the standard response from those trying to defend indefensible positions.

Is my memory fading, or was it the tobacco companies who were taking the position that the link to smoking and tobacco "needs more study" and simultaneously funding "scientists" whose studies questioned the statistics?

And correct me if I'm wrong, but wasn't the strongly pro-oil Bush administration, in stark contradiction to the majority of the best climate scientists on the planet, stating that any link between human activities and climate change "needs more study" while at the same time big oil was funding "scientists" to refute the statistics? (This story [cnn.com] gave me a good chuckle.)

Who knows. Maybe his study has some good points. But his affiliation and his rhetoric make it clear that the study is a joke.

OSS      (#15058)
by Anonymous Reader on 2002.06.06 17:05


WELL IF OPEN SOURCE IS SO INSECURE HOW COME WHEN YOU GO TO WEBSITES ON COMPUTER SECURITY MICROSOFT ALWAYS HAS SOME KIND OF SECURITY FLAW EVEN WHEN IT HAS JUST BEEN RELEASED. i.e. (WINDOWS XP)

software and security risk      (#15071)
by leo97330 on 2002.06.06 20:52


Hi, I think the article was really interesting. With so many different software programs available today and some of the logistics not that easily understandable, I can see where some people might be a bit concerned. My idea: if the computer is a stand alone and not connected to a network or the internet, then there cannot be a risk. If the computer has a unique IP address, then why don't these great designers put together an IP address firewall program? It may prevent hackers from getting what they want.

I'm less afraid of terrorists and more afraid of      (#15077)
by Anonymous Reader on 2002.06.06 23:28


Microsoft extorting me. "Give us $450 or you'll never see the content of your boss's Word 97 files on your Word 95 desktop again!"


Open source vs Closed source in security cameras      (#15132)
by Anonymous Reader on 2002.06.07 12:39


Closed source: Hide cameras.
Result.. Standard 7/11 crook finds cameras (the mirrored domes) and avoids them. Place is picked clean.
Just because the average person (who wouldn't know how to hack in the first place) couldn't find the security holes doesn't mean an expert crook (who would actually use this information) couldn't.
To make matters worse the crook makes a hack tool and gives it around. Eventually weeks later it lands in the hands of an average Joe who wouldn't have any hope of hacking into a system normally.
Net result.. you're ripped off by a crook who learned how to hack into your website from a 10 year old text file.
Your closed source.. nobody could fix it except the company that made it...
Apple pretended the Mac power supply defect didn't exist before repairing it simply because so many Macs were dead.
Microsoft pretended all the defects in Win 3.11 didn't exist until Windows 95.. then pretended the defects were fixed until otherwise was proven.
IBM and Intel had to be sued before they'd fix the Pentium and OS/2 Warp.

This is what you're trusting your survival on...
In fact text files on how to terrorise K Mart I downloaded 10 years ago probably still work today.

Vs Open source...
Radio Shack has a habit of placing a consumer video camera in the store for security.
Crooks spray paint the lens... sorry, already caught on tape...
Crooks steal camera.. ok that works...
Crooks steal camera.. ok this time the camera transmits to a VCR located in a back room.
Crooks look for VCR... get caught still in store.. VCR well hidden...
If some day they find the VCR then they'll probably go even higher tech and stream it over the net to a video bank located elsewhere.. or several elsewheres...

No security is perfect; eventually crooks find a way to break it. You need the blueprints so you can make the changes yourself.

GPL vs BSD... Just means BSD = I can make a commercial product...
GPL = I can't make a commercial product without giving source code.

Quite frankly for most programmers if somebody could make a commercial product out of the code they make.. they'll never release it.. code.. binaries.. anything.
Most programmers have to eat... the last thing any open source programmer needs is to be competing against his own free software.

I'm all open to selling my work btw.. if you want to use my GPLed code for commercial projects just call me and we'll haggle a price...
And you get to see the code before hand... you'll never get this sort of deal from your average commercial developer...
© Copyright 2002 - OSDN Open Source Development Network, All Rights Reserved