"The head of Microsoft's security response team argued here Thursday that closed source software is more secure than open source projects, in part because nobody's reviewing open source code for security flaws.
"Review is boring and time consuming, and it's hard," said Steve Lipner, manager of Microsoft's security response center. "Simply putting the source code out there and telling folks 'here it is' doesn't provide any assurance or degree of likelihood that the review will occur."
The comments, delivered at the 2001 RSA Conference, were a challenge to one of the tenets of open source, that 'with many eyes, all bugs are shallow.'
"The vendor eyes in a security review tend to be dedicated, trained, full time and paid," Lipner said.
Lipner argued that network administrators are better off spending their time reading log files and installing patches than poring over source code looking for security holes, and the system of 'peer review' that works well for vetting encryption algorithms doesn't work to evaluate large pieces of software for flaws."
http://www.securityfocus.com/news/191
What do you all think about this one?
DMR
04-13-2001, 02:44 PM
FUDFUDFUDFUDFUDFUDFUDFUDFUD!!
point taken :D
[ 13 April 2001: Message edited by: Sensei ]
rppp01
04-13-2001, 02:56 PM
I can't speak for DMR, ( ;) ) but I think it is more FUD. They don't like what they see, and are trying to scare corps away from using OpenSource products.
Boo! to M$ :mad:
LinuxAnt
04-13-2001, 03:43 PM
The availability of the source code of security software makes it less difficult for attackers to get a good look at how a system does what it does, but this does not necessarily mean more attacks.
Mr. Lipner seems to be saying that bugs in openly available OS code can be exploited as security risks. An encryption algorithm is relatively simple, compared to a 40 million line operating system. Here Mr. Lipner is implying that more code equals more bugs. This is generally held to be true.
The M$ OS is massive when compared to the size of Linux or most other open-source OSs. Wouldn't it be true that the M$ OS has many more holes to exploit? They are just more difficult to find because the source isn't readily available. Though many people seem to be able to exploit the WIN OS much more easily than any *NIX OS.
greadey
04-13-2001, 05:02 PM
I read an article in either Linux Journal or Linux Gazette (can't quite remember which), talking about open source vs. Microsoft, and the upshot was (heh, heh) like this:
With closed source software you get a box which you can't look in, with open source you get a box and not only can you look inside, you can tinker with the innards and even take them apart bit by bit if you want. Surely this is an overwhelming advantage. We in the Linux community have the enviable advantage of having heaps and heaps of people (bless them) who actually enjoy revealing the shortcomings of Linux to Linux users. Those who enjoy opening up MS software seem to keep it to their ring of crackers, so that they can cause all sorts of chaotic mayhem and destruction to programs such as Outlook and even (one we had at work recently) Word. So, to put my opinion in perspective I give Mr Lipner or whatever he is called a large two fingered salute.
The_Tobb
04-13-2001, 05:05 PM
FUD
Yes bugs/security holes are easier to find in open source software but fixes are then made and released very quickly, often within hours of finding a bug/hole.
In closed source software the bug fixes take months to create and release.
sans-hubris
04-13-2001, 05:12 PM
Gee, such an original post...
:rolleyes:
Uhh, sorry Sensei, that's just how I felt.
[ 13 April 2001: Message edited by: ndogg ]
airhead
04-13-2001, 05:26 PM
Well even security holes are found in closed source projects. So who gives a damn.
bobarian
04-13-2001, 05:49 PM
I think the biggest factor for open source is the quick availability of patches for security holes. The stupid Outlook bug has spawned many viruses, and it was only recently fixed because Microsoft had to put the fix into a new version. The time it takes Microsoft to discover where the bug is, fix it, and give the patch to end users is enormous; even if perhaps there are fewer known security holes for Microsoft systems.
jpbtennisman
04-13-2001, 05:52 PM
If people know the inner workings of an entire operating system, isn't it easier to manipulate it?
GuruWannabe
04-13-2001, 08:20 PM
... nobody's reviewing open source code for security flaws.
Now we have lies, damn lies, statistics, and borderline fraudulent Microsoft FUD!
:rolleyes:
Sensei
04-13-2001, 09:05 PM
Originally posted by ndogg:
Gee, such an original post...
:rolleyes:
Uhh, sorry Sensei, that's just how I felt.
[ 13 April 2001: Message edited by: ndogg ]
I don't exactly get what you mean?
Gunney
04-13-2001, 10:46 PM
I think his position begs the question.
The REAL question is "more secure from whom?". I'd rather trust code that I can see and modify than code that is put out by a company who has already demonstrated a lack of ethics....
Gunney
sans-hubris
04-13-2001, 10:57 PM
Originally posted by Sensei:
I don't exactly get what you mean?
This isn't exactly the first time that Microsoft or anyone else with similar stance has made this claim.
etekk
04-13-2001, 11:28 PM
so that's why microsoft is better. thanks for clearing this up mr. lipner. i couldn't figure out why people were using slow, unstable, barely configurable microsoft products with expensive licensing costs. it all makes sense now. i'm going to trade my linux firewall for a win2000 machine with tcp/ip filtering.
i guess the nsa should have developed se2000 instead of selinux.
i will go out in the sun before i break a window only if i can't find my tux.
[ 13 April 2001: Message edited by: etekk ]
n0thing
04-14-2001, 02:43 AM
"Review is boring and time consuming, and it's hard," said Steve Lipner, manager of Microsoft's security response center. "Simply putting the source code out there and telling folks 'here it is' doesn't provide any assurance or degree of likelihood that the review will occur."
Methinks that MSFT has forgotten about OpenBSD (http://www.openbsd.org).
tnordloh
04-14-2001, 03:04 AM
Unfortunately, they're right. The problem I see with this is as follows:
How can they divert any of their programmers over to security when they still can't get rid of BSOD every other time I try to play a dvd?
I would hope their programmers are working on my dvd issue.
In other words, Microsoft has enough issues with regular bugs; Who has time for security bugs too?
[ 14 April 2001: Message edited by: tnordloh ]
MSD
04-14-2001, 03:17 AM
Originally posted by Sensei:
"The head of Microsoft's security response team argued here Thursday that closed source software is more secure than open source projects, in part because nobody's reviewing open source code for security flaws.
Microsoft can say this when they want, to whom they want and as often as they want. Why? Because open source does not have a figurehead, there is no one that can stand up and refute MS's FUD publicly, and because of that MS can lie to the world with virtual impunity. And they do, frequently.
I KNOW that if I found a kernel bug that constituted a security risk, it would be fixed immediately. The bug would be made common knowledge by the community and the fix made freely available. There would be no lies, no cover up, just a fix. Simple.
I also KNOW that when bugs are brought to MS's attention (especially security related ones), more often than not, they will deny that it even exists. Meanwhile they have their repairmen beavering away in the background trying to fix it. Once fixed (later that same year) they release a new service pack, claim that it adds functionality and generally keep quiet about the whole thing.
Closed source=>Marketing=Lies
Open source=>Common knowledge=Truth
Another difference I have noted is that MS bugs tend to attract the attention of exploiting a**holes, whereas open source bugs tend to attract intelligent, helpful fix-it folks. I know where I feel safest.
_Moss
Sensei
04-14-2001, 10:41 AM
The news post wasn't in reference to MS producing FUD in general, but specifically what Lipner said. I don't think I've ever seen an article with Mr. Lipner quoted?
The_Tobb
04-14-2001, 01:40 PM
What I meant to say is that open source is better than closed source.
Strike
04-14-2001, 01:56 PM
While I'm quite a staunch open source activist (though I'm no RMS, who wants a GPL on everything), I can see the points they make and they are valid ... under certain situations. These situations coincide with the ones that are discussed when discussing if open source is a viable way of developing large software projects.
The thing is, when you have a project that is as glorious and high profile as the Linux kernel, then yes it will be successful with the open source model. The hacker ego wants to do anything they can to get a kernel patch submitted. It's a *nix hacker dream resume item. Same goes for other big and popular projects like Apache, XFree86, etc. But, when you have smaller projects that aren't as well developed, then the model doesn't work so well. People will lament not having a feature in something, but won't find it worth their time to code that feature for it even though they are perfectly capable of doing so.
The way it seems to me that open source succeeds is if you have someone who is really geeked about doing a certain project and works rather hard on it until there are rather good betas of it out there. Then people begin to use it and they come to depend upon it to provide some sort of service. Then, since they don't want to see it die, they work on it to make it better. It's egotistical, yes, but it still works.
MSD
04-14-2001, 02:22 PM
Originally posted by Strike:
While I'm quite a staunch open source activist (though I'm no RMS, who wants a GPL on everything), I can see the points they make and they are valid ... under certain situations. These situations coincide with the ones that are discussed when discussing if open source is a viable way of developing large software projects.
The thing is, when you have a project that is as glorious and high profile as the Linux kernel, then yes it will be successful with the open source model. The hacker ego wants to do anything they can to get a kernel patch submitted. It's a *nix hacker dream resume item. Same goes for other big and popular projects like Apache, XFree86, etc. But, when you have smaller projects that aren't as well developed, then the model doesn't work so well. People will lament not having a feature in something, but won't find it worth their time to code that feature for it even though they are perfectly capable of doing so.
The way it seems to me that open source succeeds is if you have someone who is really geeked about doing a certain project and works rather hard on it until there are rather good betas of it out there. Then people begin to use it and they come to depend upon it to provide some sort of service. Then, since they don't want to see it die, they work on it to make it better. It's egotistical, yes, but it still works.
Yeah, quite true. But the same can be said of small companies that are 100% closed source. Quite a lot of their products never hit the streets, or they hit the streets with bugs intact.
The beauty of open source is that if the originator doesn't have the time/resources to fix bugs, the end users can take over.
And as for the big projects, they get fixed almost instantly, because as you say lots of people want a piece of the pie. Microsoft, even being the wealthiest software company, cannot make the same claim.
_Moss
Strike
04-14-2001, 02:36 PM
Originally posted by Arthritic_Moss:
Yeah, quite true. But the same can be said of small companies that are 100% closed source. Quite a lot of their products never hit the streets, or they hit the streets with bugs intact.
The beauty of open source is that if the originator doesn't have the time/resources to fix bugs, the end users can take over.
And as for the big projects, they get fixed almost instantly, because as you say lots of people want a piece of the pie. Microsoft, even being the wealthiest software company, cannot make the same claim.
_Moss
Good points.
Yeah, I forgot to mention how security fits in with my little blurb exactly. I spoke mostly about adding features, but just replace that with fixing security holes (security is a good feature to have), and there you have it.
I hadn't even thought of small closed-source projects, because I honestly don't ever really deal with them. There's a good reason for that because as you pointed out, they don't get the code scrutiny that open source projects (no matter how little) can achieve. The only small closed-source projects I can really say I ever deal with are things like shareware Windows games :)
Molecule Man
04-14-2001, 09:43 PM
Originally posted by Sensei:
"The vendor eyes in a security review tend to be dedicated, trained, full time and paid," Lipner said.
Lipner argued that network administrators are better off spending their time reading log files and installing patches than poring over source code looking for security holes, and the system of 'peer review' that works well for vetting encryption algorithms doesn't work to evaluate large pieces of software for flaws."
This is said by the same company that is notified of a security flaw and takes 6 months to release a patch. When this happens in Linux it takes hours to days. I'm surprised no one else pointed out that little incongruity.
DMR
04-15-2001, 10:30 PM
FUDFUDFUDFUDFUDFUDFUDFUDFUD!!
point taken
[ 13 April 2001: Message edited by: Sensei ]
Sorry Sensei, just my initial reaction, so what else could I do? ;)
[ 15 April 2001: Message edited by: DMR ]
Helius
04-16-2001, 11:04 AM
Originally posted by Molecule Man:
This is said by the same company that is notified of a security flaw and takes 6 months to release a patch. When this happens in Linux it takes hours to days. I'm surprised no one else pointed out that little incongruity.
That's exactly the point...
killerclown_69
04-16-2001, 12:37 PM
Exactly when has Microsoft put out anything that was secure for more than about, let's say, an hour? ;)
ScRapZ_1
04-25-2001, 08:56 AM
What I think Mr Lipner here is saying is that neither he nor anyone from Microsoft gives a **** about its consumers, and would rather do something else than TRY to make them happy and make them feel more secure in their day to day activities.
...WANKERS...
I _really_ hate Bill Gates, he certainly makes things hard for everyone.
My 4 pennies worth...
TTFN,
ScRApZ_1 :p
tnordloh
04-27-2001, 02:42 AM
Microsoft might as well be closed source regardless. I just went and checked the Winword file in my Office directory. 8.39 megabytes. Who is gonna troubleshoot that?
Jason King
04-27-2001, 03:17 AM
With closed source software you get a box which you can't look in, with open source you get a box and not only can you look inside, you can tinker with the innards and even take them apart bit by bit if you want. Surely this is an overwhelming advantage.
To whom ? Hackers ?
MS Operating Systems aren't the best in terms of stability or security, but neither are Linux machines; in fact they are great at all. The most secure systems have proven to be using Novell Netware, then Apple OS9 and then BSD, then Unix, then Linux. It really depends on the Administrator and how they configure the machines.
[ 27 April 2001: Message edited by: Luke-Skywalker ]
Craig McPherson
04-27-2001, 03:27 AM
Originally posted by Luke-Skywalker:
To whom ? Hackers ?
Yes, hackers.
Hackers like Linus Torvalds, Alan Cox, Eric Raymond, Richard Stallman -- gentlemen who have each written more software in one year than Bill Gates has in his entire life.
Hackers like the hundreds of people involved in Linux kernel development. Hackers like the thousands of people developing Debian and other free operating systems in the Linux family. Hackers like the BSD core team -- even though it's not my favorite OS, I admire their skillz.
Hackers like the people who create the medical software that saves millions of lives a year, hackers who write the software that controls power plants, submarines, radar and weather tracking systems, and all the world's high-tech facilities. Hackers who write the software that makes scientific progress possible. Hackers who got NASA into space. Hackers who built the software that controls the International Space Station. Hackers that created the software for research into fields of science that didn't even exist a decade ago.
Yes, hackers. Please look up what that word meant before it was vilified by the mass media.
tnordloh
04-27-2001, 04:45 AM
The most secure systems have proven to be using Novell Netware, then Apple OS9 and then BSD, then Unix, then Linux.
I'd love to see where this 'proven' stuff comes from. My guess is you pulled it out of your butt.
dilligaf
04-27-2001, 11:31 AM
I can't speak for the others, but Netware is pretty damn stable.
Now, to be fair, it might just be that stable because it is a special purpose OS and therefore lacks a lot of the general purpose stuff that can get you into trouble. :rolleyes:
However, I did have my first actual Novell crash last week, after 6 years of running three offices on it. One crash in 18 server years is not that bad, IMHO.
YMMV
Sweede
04-27-2001, 05:17 PM
Originally posted by Craig McPherson:
Hackers like the people who create the medical software that saves millions of lives a year,
I have a friend that writes medical style software http://www.sequest.net/home.html
They are written in Delphi and run on 98/NT/2000 and can connect to any backend database.
He doesn't do that any more though, now he is a full DBA and works on optimizing customer databases.
Jason King
04-28-2001, 10:39 AM
Yes, hackers.
Hackers like Linus Torvalds, Alan Cox, Eric Raymond, Richard Stallman -- gentlemen who have each written more software in one year than Bill Gates has in his entire life.
Hackers like the hundreds of people involved in Linux kernel development. Hackers like the thousands of people developing Debian and other free operating systems in the Linux family. Hackers like the BSD core team -- even though it's not my favorite OS, I admire their skillz.
Hackers like the people who create the medical software that saves millions of lives a year, hackers who write the software that controls power plants, submarines, radar and weather tracking systems, and all the world's high-tech facilities. Hackers who write the software that makes scientific progress possible. Hackers who got NASA into space. Hackers who built the software that controls the International Space Station. Hackers that created the software for research into fields of science that didn't even exist a decade ago.
Yes, hackers. Please look up what that word meant before it was vilified by the mass media.
I think programmer, developer, coder, disassembler or debugger is the word you are looking for, not a Hacker. Hackers try to expose security flaws for whatever reason (insert illegal/unethical action here).
Yes, hackers. Please look up what that word meant before it was vilified by the mass media.
Why? At the risk of sounding like you come across, I don't need to because I know better.
I'd love to see where this 'proven' stuff comes from. My guess is you pulled it out of your butt.
I can hold my tongue, that's more than I can say for you. This information is actually from a recent study published by Novell. I have a paper copy from my EDS onsite support (I work for the state govt and EDS look after our fileservers), but I can't find it on the net.
All I can say is that I get to work with fileservers, web servers, database servers for over 100 thousand end users with state of the art technology. If you think I am pulling that out of my butt then it doesn't really bother me, I don't need to justify myself.
ASCI Blue
04-28-2001, 01:58 PM
The word "hacker" before it was bastardized by the media was a person who would force their way into a system just for educational purposes. They wouldn't do anything to the system they got into except look around.
tnordloh
04-29-2001, 03:02 AM
Heh. Guess you're right. I won't tell you what kind of damage I could do to the Novell Network at work, because I value my job and I use my real name here. Let's just say that I don't buy Novell's claim about secure networks. I think that security relies on the admin, not the particular system.
It just riles me when someone claims something is 'proven' without outlining any sort of proof.
[ 29 April 2001: Message edited by: tnordloh ]
Jason King
04-29-2001, 06:44 AM
Let's just say that I don't buy Novell's claim about secure networks. I think that security relies on the admin, not the particular system.
The "Big Guns" at work won't even look at using Unix based systems for anything else than low end mailservers and backend databases, which is a shame. They only do Novell and MS.
I should put :) :) :) everywhere because anything I say sounds rude/short/abusive. I just hate typing and talking. :D
bdg1983
04-29-2001, 12:55 PM
Any time the "hacker" dispute comes up, I find I must fall back on my bible: The Jargon File
http://www.tuxedo.org/~esr/jargon/html/entry/hacker.html
justlinux.com