Study: Open source poses security risks
ZDNet | May 31, 2002, 9:30 AM PT | Matthew Broersma
Posted on 05/31/2002 3:15:28 PM PDT by Bush2000
Comment #141 Removed by Moderator
To: Crispy
This type of "secret" exploit would affect closed source as well, maybe even more. At least with open source, there is a lot of code review by the community. Who is reviewing Microsoft's code? The FBI? The CIA? The NSA? So, this does not make open source "less" secure than closed source.
MS Windows source code is available under license. This is not surprising since the DoD, NSA, and other similar agencies require access to source code. Have a nice day.
To: Dominic Harr
For obvious reasons, I don't believe you.
Are you so insanely self-centered that you think people actually care about what you believe?
To: Dominic Harr
Now, in a discussion about security, you claim this?
I'd be very wary of waving your security thing in the breeze, Mr. Public-Key-Encryption-Is-Inherently-Insecure...
To: Dominic Harr
Harr, while you were in your mother's basement playing hacker and reading Star Trek comics, some of us were out in the real world doing things with our hands that didn't involve our zippers.
To: Dominic Harr
" twice now, in other threads, you claimed to have been things you weren't"
Nice attempt at disinformation, Harr. I guess you have to have the practice with your anti-Microsoft propaganda. I'll match my bona fides to yours any day.
To: Bush2000
I have no doubt Open Source is a securities risk!
Microsoft securities will be worth MUCH less as Open Source software eats away at its monopoly...
To: Nick Danger
More seriously, this is BULLSH*T.
When I took a SANS course, they brought up the *best practices* way of developing security software: PUBLISH THE ALGORITHM and take on all comers, often with a monetary prize to whoever breaks the algorithm. Letting peers ALL OVER THE WORLD see the code has TWO effects:
(1) Those who write the code are MORE CAREFUL because they know their PROFESSIONAL REPUTATION is on the line for everyone to see
(2) Their peers will ACTUALLY FIND THEIR MISTAKES.
As a direct example of why the technique of security through obscurity (Microsoft's way of doing things) DOES NOT WORK, the SANS Institute instructor (Eric Cole) pointed out the debacle with the DVD encryption done by Hollywood (by a closed group which let no one else see their work). The DVD encryption was broken almost immediately...
To: chilepepper
"SANS Institute instructor "
Yep, I knew it. A SANS Institute instructor is the world's expert on security. That's why the DoD uses him to help them publish our national security infrastructure. Not!
Peer review is one thing; publishing your system's specifications is another. Remember, when you publish your system's source code, if your peers do not find all the holes, your enemy will.
To: PatrioticAmerican
Yep, I knew it. A SANS Institute instructor is the world's expert on security. Obviously not! We should always look to an MCSE for advice on cryptanalysis! </SARCASM>
To: B Knotts
Hey, I didn't hear an MCSE make reference to being an expert on security, but there was a post on the SANS instructor. Keep it real, dood.
To: PatrioticAmerican
OTOH, we have here a whole thread based on a study, which hasn't even been released, from a non-technical ideological "think tank."
I'd even take advice from an MCSE before this group.
To: B Knotts
Totally agree. Neither group is an expert at security. Although Windows NT did get a security rating, it wasn't all that high, and the rest of Microsoft developers are not experts at security. The whole industry needs security experts throughout it.
To: PatrioticAmerican
Yes. The whole open-source vs. closed-source thing is a red herring. Security is a process, not a product.
To: chilepepper
the SANS Institute instructor (Eric Cole) pointed out the debacle with the DVD encryption done by Hollywood (by a closed group which let no one else see their work). The DVD encryption was broken almost immediately...
The encryption wasn't broken, and your instructor did you a disservice by describing it as such. Every DVD player (software and hardware) is equipped with a key which allows it to decrypt the video and audio streams on a standard DVD. The key is burned into every player. It has to use this method because there is no key-distribution scheme. The problem was that somebody discovered the key. It's like you left the key to your front door in the lock. That's not breaking the encryption.
That said, it is correct that security through obscurity generally doesn't work. It is possible to sift through collections of data (located in memory or on disc) looking for very random streams. When you find one, it is often a key or some kind of secret that someone doesn't want you to know. Depending on someone not finding your secrets is a fundamentally flawed design. That is the case with DVD encryption.
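The sifting technique this post describes, scanning a memory or disc image for unusually random byte runs, as an added example that is not part of the thread: a sliding-window Shannon entropy scan over a constructed "firmware image" (the layout, the config text and the 32-byte stand-in player key are all made up here). It is the same scan a defender runs over a build to catch hard-coded secrets before they ship, since whatever a reviewer can find this way, so can anyone else with the image.

```python
import math
from typing import List, Tuple

# Constructed sample "firmware image": readable config text, zero padding and one
# 32-byte high-entropy blob standing in for a player key burned into the device.
# The key bytes and the layout are invented for this example.
PLAYER_KEY = bytes.fromhex(
    "3f9a7c12e85d4b60c307f12eb984d619"
    "6ba50c47fe9328d075e13ab256cf8d04"
)
FIRMWARE_IMAGE = (
    b"DVD PLAYER FIRMWARE v1.0 (c) 2002 EXAMPLE CORP.\n"
    + b"\x00" * 48
    + b"MODEL=DVD-1000\nREGION=1\nKEY="
    + PLAYER_KEY
    + b"\nEND OF CONFIG\n"
    + b"\x00" * 48
)
KEY_OFFSET = FIRMWARE_IMAGE.index(PLAYER_KEY)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of a chunk; a window of n distinct bytes scores log2(n)."""
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_secret_regions(data: bytes, window: int = 32,
                        threshold: float = 4.7) -> List[Tuple[int, int, float]]:
    """Slide a window over data and merge runs of windows whose entropy exceeds
    the threshold. Returns (start, end, peak_entropy) per region. With a
    32-byte window the ceiling is 5.0 bits/byte; config text and padding stay
    well below 4.7, while key material sits at or near the ceiling."""
    regions: List[Tuple[int, int, float]] = []
    for off in range(len(data) - window + 1):
        h = shannon_entropy(data[off:off + window])
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:  # overlaps or abuts the previous run
            start, _, peak = regions[-1]
            regions[-1] = (start, off + window, max(peak, h))
        else:
            regions.append((off, off + window, h))
    return regions


if __name__ == "__main__":
    for start, end, peak in find_secret_regions(FIRMWARE_IMAGE):
        print(f"high-entropy region {start}-{end} (peak {peak:.2f} bits/byte)")
```

The region reported is wider than the key itself because windows that straddle the key boundary still score high; the peak window is the one aligned on the key.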
To: B Knotts
Yes. The whole open-source vs. closed-source thing is a red herring. Security is a process, not a product.
Agreed. That's why this study has some value. There are people out there who believe that open source security will save their asses. That's an awfully big check to write...
To: PatrioticAmerican
I guess you have to have the practice with your anti-Microsoft propaganda. Ah, yes, any criticism of MS or your skills is "propaganda". And any critics of MS are 'bigots'.
*Yawn*.
You're a salesman, and you have several times now claimed things I know for certain to be untrue. Which is, I suppose, about the only chance you have of selling MS solutions . . . fraud is the only tactic left, now that coercion has been taken off the table!
To: Dominic Harr
"... I know for certain to be untrue..."
Harr, you are so full of slander against Microsoft and anyone who uses them that as an attorney for them, I'd recommend a nice lawsuit so you have to put up or shut up. You have made more remarks about how Microsoft products and technologies do not work, always fail, yadda, yadda, and, yet, you make claims that you want to use them. I'd say, considering your serious bias against Microsoft, that you are not employed by CSC, but by Sun. I work for Ciber, and, as I said, I'd match my bona fides against yours, any day.
To: B Knotts
BTW, I have been getting Business Continuity opportunities, mostly centered around security: intrusion detection, firewalls, etc. Many companies already understand that security is not a product but a process. I just submitted a proposal to an organization notorious for their lack of security. The result usually is a small engagement to find the problems followed by massive changes to their systems and business, with the business end being the most comprehensive.
To: Dominic Harr
"fraud is the only tactic left, now that coercion has been taken off the table!"
Sure, Harr. $40+ billion in revenue and Microsoft products and technologies are sold only to those it can coerce or defraud. Harr, you are scared that .NET will uproot Java. Scared that Oracle will no longer dominate in the Enterprise. You hate to have to compete, and Microsoft is giving your sector of the industry serious competition. I know you don't think so, but keep thinking that. You guys at Sun need a good nap, you're a cranky bunch.