From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 5 Jun 2002 06:27:45 -0700 (PDT)
Subject: [iwar] [fc:Did.MS.Pay.for.Open-Source.Scare?]

Did MS Pay for Open-Source Scare?

By Michelle Delio 2:00 a.m.
June 5, 2002 PDT

Authors of a new report on the perils of open source software are being very closed-mouth about their funding sources.

"Opening the Open Source Debate," a white paper slated to be released Friday by the Alexis de Tocqueville Institution, indicates that open-source software is inherently less secure than proprietary software. The report warns governments against relying on open-source software for national security.

Open-source advocates wondered if the white paper is actually a veiled Microsoft response to recent reports of rising government and military interest in open-source systems.

A Microsoft spokesman confirmed that Microsoft provides funding to the Alexis de Tocqueville Institution. "We support a diverse array of public policy organizations with which we share a common interest or public policy agenda such as the de Tocqueville Institution," the spokesman wrote in an e-mail.

Microsoft did not respond to requests for comment on whether the company directly sponsored the debate paper. De Tocqueville Institute president Ken Brown and chairman Gregory Fossedal refused to comment on whether Microsoft sponsored the report.

"It is not our policy to comment on supporters; I'm sure you can understand. From this you should not infer that information you have is correct or not correct; we just don't comment," Fossedal wrote in an e-mail.

"These folks really need to be more straight-forward about this," security researcher Richard Smith said. "Not commenting makes it appear as if they have something to hide."

A Microsoft spokesman did say that open-source software is not innately more or less secure than proprietary software. "Microsoft has held the position that security is an industry-wide issue and software is only one part of it. Implementation and administration are also key in security."

Most security experts do believe that open source is neither more nor less secure than proprietary software.
How a systems administrator configures and maintains the application is equally important.

Open-source software allows programmers to view and modify the software's program code. Closed-source software code is not viewable to all.

Since malicious hackers cannot view the underlying code of proprietary software, they can't study it to discover possible exploits, a principle known as "security through obscurity," according to Bill Wall and Darwin Ammala of Harris Corporation's STAT computer security unit.

But open source software is presented to a very large and knowledgeable audience of software development peers. This substantially large body of reviewers provides deep scrutiny to software. They are able to test a wide variety of scenarios and feed improvements back into the code base. Over time this strengthens the software, Wall and Ammala added.

A recent report by Gartner Group analyst John Pescatore suggested that open-source style review would make Microsoft's software more trustworthy.

But the question of whether closed- or open-source software is inherently more secure can't really be answered because the issue has not been subjected to rigorous analysis, security experts said.

Wall said such an analysis should be done within the software engineering research community by an entity such as the Software Engineering Institute (SEI) or the Defense Advanced Research Projects Agency (DARPA).

"I would really like to see rigorous testing with hard statistics and not mere speculation on an issue as serious as this," Smith said.
This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT