Study: Open source poses security risks
Posted on 05/31/2002 3:15:28 PM PDT by Bush2000
I had no idea that doing a study on MCSEs couldn't be undertaken by an organization unaffiliated with Microsoft.
This is what we like about you, Bushie: you're shameless. Here's a tax-exempt 501(c) that tells the IRS it exists "to promote freedom and democracy," and it churns out Microsoft FUD. A study promoting MCSE... gimme a break. Then there's the press release they sent out pouring mud on AOL's financials... as though they were stock market analysts. And now they don't like open source.
Sorry, buddy, only you and the other Munchkins are gonna fall for this one; this outfit is for hire, and it's obvious.
Just one minute later, in post 95, you get on my case for presenting guesswork as facts (which I didn't -- notice my phrase "usually presumed").
So I take it you know for a fact that NSA has better stuff? I trust, for the sake of our country's security, that you have no such knowledge.
He was warned several times, then when the moderator put his foot down and said to stop the personal insults or else, he threw one last insult calling the poster who complained to the moderator a whiner and vanished.
He was a sad case.
This reminds me of the thread I posted about .NET.
I said I liked the direction MS was going with .NET, and that .NET was a good first version, but that it needed some improvement before it was ready for mission-critical use.
You said I wasn't pro-.NET enough.
You clearly will not tolerate any criticism of MS.
Anyone criticising MS is a "bigot", you say? Odd how pretty much the only people who are not bigots in your estimation are the MS workers . . .
Wow, there sure are a lot of "bigots" out here, then.
He's been in trouble over and over again here. Had posts pulled, been warned, etc.
But I really think he's paid to post FUD, so I think he has to try and keep from crossing the line. You really have to threaten someone here on FR to get tossed, and he usually avoids direct threats. He'll say, "That is libel!" but won't actually threaten to sue.
So, you equate "best, and most secure" with "blowfish, RSA, PGP"? Yeah. That's why the NSA spends billions on new crypto because the commercial market is the best?
The only truly secure encryption is a one-time cipher, based on radioactive decay, which generates true random numbers. Blowfish, RSA, and PGP are "highly secure," based on the key length. If you don't have an unlimited government budget, like the NSA, you will have to make do with encryption like these. How do you feel about DES, and the way the government strong-armed IBM to shorten the key length when it was developed?
I hate to break it to you, but if you go up against a government, you're going to lose. Try not to forget, that not only do they have unlimited budgets, but they can also use deadly force.
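The post above contrasts a one-time pad with key-length-limited ciphers. The following is an added example, not code from the thread or any of its posters: it implements a one-time pad over bytes, uses the OS CSPRNG as a stand-in for the physically random key source the poster describes (an assumption, not a true hardware source), and demonstrates the failure mode that matters in practice: the moment a pad is reused, XORing the two ciphertexts cancels the key and exposes the XOR of the two plaintexts. Message contents are constructed sample data.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; a length mismatch is refused
    because a one-time pad is only perfectly secret when key and message
    are the same length."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must match message length exactly")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    # Assumption: the OS CSPRNG stands in for a physical true-random source
    # (the post mentions radioactive decay). Each pad must be used once.
    return secrets.token_bytes(length)


def otp_encrypt(key: bytes, message: bytes) -> bytes:
    return xor_bytes(key, message)


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(key, ciphertext)


def roundtrip_ok(message: bytes) -> bool:
    """Fresh pad, encrypt, decrypt: the message must come back unchanged."""
    key = otp_keygen(len(message))
    return otp_decrypt(key, otp_encrypt(key, message)) == message


def key_reuse_leak(key: bytes, msg1: bytes, msg2: bytes) -> bytes:
    """Model an observer who sees two ciphertexts made with the SAME pad.
    c1 XOR c2 == (k XOR m1) XOR (k XOR m2) == m1 XOR m2: the key drops out."""
    c1 = otp_encrypt(key, msg1)
    c2 = otp_encrypt(key, msg2)
    return xor_bytes(c1, c2)


def recover_from_known_plaintext(leak: bytes, known_msg: bytes) -> bytes:
    """If one of the two reused-pad messages is known (or guessable), the
    other falls out directly: (m1 XOR m2) XOR m2 == m1."""
    return xor_bytes(leak, known_msg)


# Constructed sample messages of equal length (14 bytes each).
MSG1 = b"ATTACK AT DAWN"
MSG2 = b"HOLD POSITIONS"


def demo() -> bool:
    """Returns True when both properties hold: correct round trip with a
    fresh pad, and full leakage of MSG1 once the pad is reused for MSG2."""
    if not roundtrip_ok(MSG1):
        return False
    shared_key = otp_keygen(len(MSG1))   # reused on purpose to show the flaw
    leak = key_reuse_leak(shared_key, MSG1, MSG2)
    return leak == xor_bytes(MSG1, MSG2) and \
        recover_from_known_plaintext(leak, MSG2) == MSG1


if __name__ == "__main__":
    print("round trip and key-reuse leak demonstrated:", demo())
```

The point for a defender is that "unbreakable" applies only to the construction as a whole: random key, equal length, used once. Any operational shortcut (a shorter key stretched over the message, or the same pad issued twice) turns it into something weaker than the block ciphers the poster was comparing it to.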
January 15, 2002: Bill Gates outlines Microsoft's commitment to Trustworthy Computing
That makes me feel much better.
Apparently, from the similar reaction that both you and PatrioticAmerican had to this post, being a Microsoft shill harms one's ability to read. Or is it the other way around -- only people with reading disabilities are likely to become Microsoft shills?
Nevermind ... I don't care which.
That's an unprovable assertion, Mark, and you know it. While you may claim that anecdotally, it isn't a fact.
Of course it's anecdotal, because it's based on cases. It's very difficult to come up with a mathematical proof that one OS is more secure than another. What you do is look at a history of installations and configurations, and do a comparison from there:
OpenBSD works closely with BUGTRAQ, and as soon as a vulnerability is discovered, it is eradicated ASAP. OpenBSD is constantly audited (since 1996), and the project subscribes to the concept of full disclosure of security holes and exploits.
OpenBSD is configured to default to a "secure mode," with minimal services and daemons enabled by default. It's been 5 years since an exploit has been found in the default installation!
Steven J. Vaughan-Nichols seems to think that OpenBSD is relatively secure, far more so than any other commercial or open source OS.
NASA (at the Ames Research Center, NASA Advanced Supercomputing Divisions) uses OpenBSD as their firewalls: "In the NAS Division, all this is accomplished by an off-the-shelf PC running the OpenBSD operating system, an Apache web server, the Internet Software Consortium DHCP server, the IPF firewall software -- all freeware. Network and security team members Nicole Boscia and Derek Shaw developed the glue software to make the rest of the components work together -- in about 40 hours."
NetSec lists a number of government agencies that it supplies with security consulting services, and they use OpenBSD.
So, yes, saying that OpenBSD is one of the most "harden-able" and secure OS's around IS anecdotal, since a mathematical proof is almost impossible. On the other hand, it's easily provable that, in general, Microsoft's lackadaisical attitude towards security, and their way of "passing the buck" when an exploit is found, leaves their OS and other products highly vulnerable.
That is precisely the reason that open source is no more (and possibly even less) secure than closed source.
Not at all, in fact, just the opposite! With closed source software, the end-user has no way of knowing what sort of back-doors have been inserted into the code. This is the reason that the DAS (I believe it's the DAS-the French Intel Services) refuses to use any Microsoft product!
Try not to forget the US Government's strong arm tactics against IBM when they were developing DES. It was originally slated to use a 64 bit key, but the feds pretty much told IBM that they'd never sell another computer to the government if the key was longer than 56 bits! I wonder why? In open source software, you can try to find back doors and holes in security.
But just because you have the code, doesn't mean that you're going to find every back door. I believe that it was Rob Pike who was giving an ACM lecture, and spoke about a back door that he had put into the login program on early versions of unix. Well, nearly all of the sysadmins there had found it, removed the code, and recompiled the module. He casually mentioned that not only had he written the login program, but he had also written the C compiler, and the C compiler checked for the code in the login program. If it was missing, it would reinsert the code before compiling the login program again.
What do you mean, no evidence? I provided full documentation, including scanned copies of the cancelled checks, proving that Microsoft commissioned the study.
but before you post "this study was bought and paid for by Microsoft", try providing some references ...
or be prepared to be labelled an idiot.
I can't connect them directly to the ADTI, but Microsoft does contribute to conservative think tanks. It's hardly idiotic to think that their efforts have influenced the think tanks.
To achieve its aims, Microsoft has done many of the things you'd expect. [...] It retained a dream team of outside federal lobbyists, including Haley Barbour, the former Republican Party chairman, and Jack Quinn, former White House counsel to President Clinton. It began contributing heavily to right-wing, free-market think tanks, such as the Cato Institute and the Heritage Foundation.
You two used to go round and round, but you both gave as good as you got - would you have demanded that he be tossed for what he said to you? (Did you?) And he was as hard on you as anyone at all. Yeah, DJ was over the top sometimes, but most people weren't thin-skinned enough to take it all that personally.
Of course, keep in mind that I was shaped by Usenet long before I landed here - DJ at his worst here was about half as bad as a good opening cheap shot from people who were just getting warmed up on Usenet, so maybe my perspective is skewed ;)
That's where I learned my lessons, too.
As you noticed, I too never took his personal attacks personally. I've never gone to the moderators about anyone here on FR. I wouldn't. I'd just leave if I wasn't enjoying it here anymore, there are too many other boards out there. DJ was completely over the top rude, and was filling these threads with a ton of noise, and was driving posters away from these tech threads.
But he should have respected the other poster and left him alone, in my opinion, and I understand why the moderators decided to step in.
Rats! I knew it was either Ken Thompson or Rob Pike! :-( Too many years since I read the article... Thanks for keeping me straight!
I didn't mean it as an 'accusation', I stated an observation.
What I know, you never will. Needless to say, any argument that commercial cryptology is the best is ignorant of defense systems.
True. They are secure, but not "the best", not by a long shot. Besides, the military systems I have used never used only cryptology to ensure security. They also had additional security through the transmission means, contents, etc. I was a DoD space systems specialist for many years, and used some of the most secured systems out there for satellite command & control. PGP, IDEA? I would expect the NSA already has those algorithms in silicon and can crack them at near real-time speed. I do not know that for fact, but that would be the NSA's MO. I have friends who are FBI and they say that the NSA does NOT cooperate with them. Unless the matter is a national security issue, they have to beg and pull strings to get anything so much as looked at. It seems the military feds have a disdain for the commercial feds.
Ah, yes, Google, the source of all black projects. HA! Ya kill me. Disinformation is the best cover out there. Google search. Next time I need to know the contents of China's next satellite, I'll check them out. Hell, maybe I'll check Google to see what information the FBI is keeping on me. Ya gotta be kidding. Google, the next best thing to actually knowing something.
No system, including Windows NT, which was given a B2 level security classification, is closed. Windows NT required a code review. So do all flavors of trusted UNIX.
The idea that the code must be reviewed for backdoors and security holes is correct. The suggestion that the code should be Open Source is not. I do not want my enemies seeing the code that I am running. They may find a hole that I failed to find and plug. Most systems that I have worked on that had any links to the outside world, or outside the facility, required a code review, and the code was highly modified from the public versions.
This type of "secret" exploit would affect closed source as well, maybe even more. At least with open source, there is a lot of code review by the community. Who is reviewing Microsoft's code? The FBI? The CIA? The NSA? So, this does not make open source "less" secure than closed source.
For obvious reasons, I don't believe you.
I think you're like those people who surround Britney Spears telling her, "Don't listen to the critics honey, you've got talent. After all, you've sold so much!"
Such yes-men are a dime a dozen, so I don't doubt MS has thousands of you on the payroll.
Now wait a minute -- twice now, in other threads, you claimed to have been things you weren't, and claimed to have written systems that didn't exist.
Now, in a discussion about security, you claim this?
Nice attempt at disinformation, Harr. I guess you have to have the practice with your anti-Microsoft propaganda. I'll match my bona fides to yours any day.
Microsoft securities will be worth MUCH less as Open Source software eats away at its monopoly...
When I took a SANS course, they brought up the *best practices* way of developing security software: PUBLISH THE ALGORITHM and take on all comers, often with a monetary prize to whoever breaks the algorithm. Letting peers ALL OVER THE WORLD see the code has TWO effects:
(1) Those who write the code are MORE CAREFUL because they know their PROFESSIONAL REPUTATION is on the line for everyone to see
(2) Their peers will ACTUALLY FIND THEIR MISTAKES.
As a direct example of why the technique of security through obscurity (Microsoft's way of doing things) DOES NOT WORK, the SANS Institute instructor (Eric Cole) pointed out the debacle with the DVD encryption done by Hollywood (by a closed group which let no one else see their work). The DVD encryption was broken almost immediately...
Yep, I knew it. A SANS Institute instructor is the world's expert on security. That's why the DoD uses him to help them publish our national security infrastructure. Not!
Peer review is one thing; publishing your system's specifications is another. Remember, when you publish your system's source code, if your peers do not find all the holes, your enemy will.
Obviously not! We should always look to an MCSE for advice on cryptanalysis! </SARCASM>