[iwar] [fc:Did.MS.Pay.for.Open-Source.Scare?]

From: Fred Cohen (fc@all.net)
Date: 2002-06-05 06:27:45


To: iwar@onelist.com (Information Warfare Mailing List)

Did MS Pay for Open-Source Scare?
By Michelle Delio

2:00 a.m. June 5, 2002 PDT

Authors of a new report on the perils of open source software are being very
close-mouthed about their funding sources.

"Opening the Open Source Debate," a white paper slated to be released Friday
by the Alexis de Tocqueville Institution, indicates that open-source
software is inherently less secure than proprietary software. The report
warns governments against relying on open-source software for national
security.

Open-source advocates wondered if the white paper is actually a veiled
Microsoft response to recent reports of rising government and military
interest in open-source systems.

A Microsoft spokesman confirmed that Microsoft provides funding to the
Alexis de Tocqueville Institution.

"We support a diverse array of public policy organizations with which we
share a common interest or public policy agenda such as the de Tocqueville
Institution," the spokesman wrote in an e-mail.

Microsoft did not respond to requests for comment on whether the company
directly sponsored the debate paper. De Tocqueville Institute president Ken
Brown and chairman Gregory Fossedal refused to comment on whether Microsoft
sponsored the report.

"It is not our policy to comment on supporters; I'm sure you can understand.
From this you should not infer that information you have is correct or not
correct; we just don't comment," Fossedal wrote in an e-mail.

"These folks really need to be more straightforward about this," security
researcher Richard Smith said. "Not commenting makes it appear as if they
have something to hide."

A Microsoft spokesman did say that open-source software is not innately more
or less secure than proprietary software.

"Microsoft has held the position that security is an industry-wide issue and
software is only one part of it. Implementation and administration are also
key in security."

Most security experts do believe that open source is neither more nor less
secure than proprietary software. How a systems administrator configures and
maintains the application is equally important.

Open-source software allows programmers to view and modify the software's
program code. Closed-source code is not viewable by everyone.

Since malicious hackers cannot view the underlying code of proprietary
software, they can't study it to discover possible exploits, a principle
known as "security through obscurity," according to Bill Wall and Darwin
Ammala of Harris Corporation's STAT computer security unit.

But open source software is presented to a very large and knowledgeable
audience of software development peers. This large body of reviewers
subjects the software to deep scrutiny. They are able to test a wide
variety of scenarios and feed improvements back into the code base. Over
time this strengthens the software, Wall and Ammala added.

A recent report by Gartner Group analyst John Pescatore suggested that
open-source style review would make Microsoft's software more trustworthy.

But the question of whether closed- or open-source software is inherently
more secure can't really be answered because the issue has not been
subjected to rigorous analysis, security experts said.

Wall said such an analysis should be done within the software engineering
research community by an entity such as the Software Engineering Institute
(SEI) or the Defense Advanced Research Projects Agency (DARPA).

"I would really like to see rigorous testing with hard statistics and not
mere speculation on an issue as serious as this," Smith said.

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT