[linux-elitists] Dateline April 12, 2001 Microsoft: Closed source is more secure

Brenno J.S.A.A.F. de Winter brenno@dewinter.com
Wed Aug 15 04:49:11 PDT 2001

> > SAN FRANCISCO--The head of Microsoft's security response team argued
> > here Thursday that closed source software is more secure than open
> > source projects, in part because nobody's reviewing open source code for
> > security flaws. 
> OpenBSD is, at least. They can't deny that.
Yes, and Mr. Guninski has been discovering so many bugs in closed source M$
projects ...

> > manager of Microsoft's security response center. "Simply putting the
> > source code out there and telling folks 'here it is' doesn't provide any
> > assurance or degree of likelihood that the review will occur."
Nope, but having no insight into Microsoft's development process doesn't convince
me that they are doing a better job. They might be doing a better job. :)

> > Lipner argued that network administrators are better off spending their
> > time reading log files and installing patches
Yeah, but that is something that goes for open source and closed source alike. It's
very good that he makes a distinction between a network administrator and a
security expert.

> > It doesn't win
> > anyone fame and fortune... People fix the flaw and move on."
Sure. And we'll just read that Guninsky found another flaw again .... and
again .... and again .... 10x a little famous makes you world famous.

> > Lipner, who oversees Microsoft's response to newly-reported security
> > holes in its products, took the opportunity to point out "the
> > repeated and recurring vulnerabilities in the Unix utilities BIND,
> > WU-FTP, and so on. The repeated theme is people use this stuff, but
> > they don't spend time security reviewing."
> Yes. But it's different with Microsoft software. The difference is ... 
> I forget. Why don't you clue me in?
The difference here is that you can stop using the products when needed. We have a
choice, whereas you don't have that choice with M$: it is all or nothing in their
vision. UNIX, in principle an Open System, has many replaceable elements.
That is the big difference. For this reason I left sendmail and started using
postfix years ago.

> > Lipner closed by warning that the nature of open source development
> > may lend itself to abuse by malicious coders, who could devilishly
> > clever 'trapdoors' in the code that escapes detection, hidden in
> > plain sight.
> BTW, does anybody know if this has *ever* happened? Some historical
> precedent would be interesting. In theory, such a backdoor wouldn't
> last long, and its existence time should be inversely proportional to
> the popularity of the project (Mozilla DOES NOT COUNT).
Yes. I know of such a backdoor in IIS by Microsoft. But that doesn't count,
since that isn't Open Source.

> > Under polite questioning from the audience, Lipner acknowledged that
> > some closed-source commercial products have been found to have
> > trapdoors themselves.

> Now, Microsoft could claim that isn't exhaustive enough. That's good
> for them. If they have (1) skilled security-conscious programmers
> (2) skilled code reviewers, they obviously aren't using them
> effectively. 
Those arguments are invalid. If you find this to be important enough, you could
start the LCRP (Linux Code Review Project), just as there is the Linux
Documentation Project .... If IBM spends some big bucks, there are even
professionals doing so.

make dep install modules modules_install,

Brenno J.S.A.A.F. de Winter
De Winter Information Solutions.
