[iwar] [fc:MS-funded.think.tank.propagates.open-source.lies]

From: Fred Cohen (fc@all.net)
Date: 2002-06-10 21:06:18


To: iwar@onelist.com (Information Warfare Mailing List)

MS-funded think tank propagates open-source lies
By Thomas C Greene in Washington
Posted: 10/06/2002 at 17:43 GMT

A Washington think tank called the Alexis de Tocqueville Institution has
released its anticipated study of the dangers of open-source software. Much
to our disappointment, the organization's press release, which last week
promised that the study would explain in gory detail how open-source
software will foster international terrorism, turns out to have been a
tissue of headline-pimping lies.

Indeed, the paper never mentions terrorism at all. Instead, it overflows
with the usual half-truth drivel about the economic dangers of the GPL which
one can find re-hashed daily on the Microsoft 'Press Pass' PR site and the
editorial pages of ZD-Net News. More than half the paper is an enumeration
of the Crimes against Commerce of Richard Stallman.

As for system security, the paper allows that having the source code to a
well-secured OS or application is little help to an attacker, just as
knowing the layout of Fort Knox isn't going to help you sneak in and empty
the joint. But it tries to persuade us that not having the source code means
we're all safe from hackers.

"If you open the blueprints for every aspect of it to the world your
adversary can reconstruct a test lab in which he can create tools he may
need," the paper quotes one consultant as saying. But what's not said is
that one can just as easily construct a 'test lab' for a closed-source
product and torture it in a thousand ways to find exploitable points of
failure. Indeed, this is how the myriad holes in Microsoft's closed-source
products have been found.

Additionally, the paper never mentions the vast difference in patch
turnaround time between the open source and proprietary software vendors. It
never mentions that proprietary vendors can conceal security flaws and leave
their customers vulnerable until some bright empiricist finds one of them
and blows the whistle. It never mentions that the most significant holes,
worms and viruses affect only Microsoft products. If these hypocrites want
to focus on economic impact, then let's hear some numbers on the costs
associated with security stuff-ups. Linux has a small market share in most
areas, but since most of the Web is running Apache, a comparison with IIS
over Windows of time spent struggling to sort out security issues, costs
from lost data, and so on should tell us a great deal about which is
cheaper, and safer, to run.

For some more FUD, the author suggests that if the DoD were to use any GPL'd
code in a classified software project, they'd have to publish the source
code for all to see. I'm afraid that's wrong. They would only have to make
the source available if they were to make the software available. But if
it's classified they won't, so the issue is moot. Contrary to the author's
nonsense, the GPL doesn't compel anyone to make their creations public. It
only forces them to provide sources if they should choose to make them
public.

Then of course there's this Internet distribution thing, which puts us all
at terrible risk:

"Another security concern is that the primary distribution channel for GPL
open source is the Internet. As opposed to proprietary vendors, open source
is freely downloaded. However, software in the public domain could contain a
critical problem, a backdoor or worse, a dangerous virus."

We're supposed to imagine a government bureau or a Fortune 500 company
downloading kernel patches from some Tuxerz-R-Us board and installing them
on critical systems. The author makes a similar appeal to improbability when
he warns us that open-source systems don't have adequate tech support.

"Open source products are often distributed without manuals, instructions or
technical information. While a commercial developer is obligated to produce
manuals, diagrams and information detailing the functionality of their
products, open source programmers are not. In addition, open source
developers cannot be expected to create software manuals with the vigor of
private firms that are obligated to produce them."

First off, closed-source products are just as often distributed in precisely
this manner. Second, your major government bureaux and corporations are
going to go through a major distributor or they're going to hire a qualified
staff to build what they need. Either way, technical support will be there.
There's no need to lie about this, unless you're getting paid to lie about
it.

In our original story we mentioned that the Alexis de Tocqueville
Institution takes money from Microsoft, but we couldn't say whether or not
the company actually sponsored this report. We still don't know; but if
style and FUD are any guide, and we were to venture a guess, we'd say this
one's got "Redmond" written all over it.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT