Kevin Poulsen, SecurityFocus 2001-04-12
Redmond's security response chief warns the RSA Conference of the perils of open source.
Security under MS products VS. Linux, *BSD
2001-04-12
giard.pascal (at) teccart.qc (dot) ca [email concealed]
Now I know
2001-04-12
Anonymous
Why I have so many problems with Microsoft products.
The security people are fully paid anyway, so by hiding their oversights in obscurity they can receive that money a little while longer.
While the open source people put their products on open stage for everyone to see and feel and touch and ge...
Crock of sh*t...
2001-04-12
Jim Powers
Look, I'm NOT a Linux zealot, but I do read a bunch of the on-line Linux and open-source 'zines and follow some of the discussion groups. The activity related to developing patches to security holes in open-source products is quite vigorous. Clearly, the fact that the source code for open source p...
MS - Lipner Comments
2001-04-13
Nilanjan Chaks
This kind of comments seem to suggest that MS is trying to build up on the common fallacy that open source softwares are not secure because of their open nature. He only seems to be adding fuel to the fire and misconception.
And recalling the BIND and WU-FTP compromises doesn't do proper justice t...
RE: Microsoft: Closed source is more secure
2001-04-13
Kimico Myers
First, with the reputation that MS products have for being insecure, unreliable and just plain bad he should be the LAST person to comment on how bad a model the open source one is.
Since you used BIND in one of your examples let me ask you this: If you have such "secure" software why are the ma...
opensource less secure?
2001-04-13
osiris
well.. I think microsoft should really consider to make everything opensource. Because if you watch recent statistics of defacements mirrors for example, microsoft products are the most hacked / compromised systems out there.
Maybe it's just because people worldwide can contribute to an opensource...
Microsoft should get a clue.
2001-04-13
Reaperx1
He has some points but his statements are as widesweeping as the statements garnering the fallacy that OSS software is inherently secure. NO software is inherently secure. At least with OSS, I have the opportunity to fix the holes that I do find, not wait for some big redmond corporation to decide...
I don't agree that Open Source Software is "Boring and Expensive"
2001-04-13
Manuel
Expensive? Of course it is not expensive nor boring. I find Open Source Software more "stable", funny and less expensive than the Microsoft Software. Any software from Microsoft is more "expensive" than OpenSource Software. So why Apple took the source code of an operating system like FreeBSD to ma...
Wha??
2001-04-13
bleezer (at) plz (dot) com [email concealed]
Is microsoft trying to compare buffer overflow weaknesses in some open-source software (ie. bind, sendmail,etc) with the gaping security holes in products like outlook, etc?
And could he please explain what security (if any) quality assurance checks products like Win95, 98, ME went through. Consi...
Closed source more secure? Really?
2001-04-13
counter_counterinsurgency (at) nospam.hotmail (dot) com [email concealed]
I'll remember Lipner's comments about the security of closed source every time I hit "Cancel" on the login dialog box for Windows 98. All joking aside, one factor in favor of open source is that designers can resist the temptation to add features that might have security side-effects. Microsoft ha...
Is Microsoft code more secure than open alternatives?
2001-04-13
Larry Fahnoe <fahnoe (at) FahnoeTech (dot) com [email concealed]>
Mr Lipner states that Microsoft has extensive software testing devoted to security issues, and that
because such testing is both boring and expensive it is not likely to be done well outside of the
commercial software development environment. Fine, I'm pleased to hear that Microsoft conducts
te...
Open Source security
2001-04-13
Charles E. Hill
In regards to no one in Open Source land not going over the OS with an eye for security flaws, did no one remember OpenBSD? Isn't that *exactly* what they do?
In the end, with an open source product, I have the OPTION of a full security audit. Whether I do it myself, or it is done by a professi...
Microsoft: Closed source is more secure FSVO secure
2001-04-13
Shmuel (Seymour J.) Metz <shmuel (at) acm (dot) org [email concealed]> (2 replies)
In "Microsoft: Closed source is more secure", Kevin Poulsen quotes Steve Lipner
as saying "The vendor eyes in a security review tend to be dedicated, trained,
full time and paid," but Microsoft's track record for security problems suggests
otherwise. The open source community includes a number o...
Closed source burdened by "boring, expensive" QA
2001-04-16
counter_counterinsurgency (at) nospam.hotmail (dot) com [email concealed]
When a product is already behind schedule and shipping late, I can just imagine how much pressure there is for security and QA to "accelerate" the review process. Somewhere, the bugs and vulnerabilities are probably ranked and prioritized (sorted by their cost-to-fix vs. the cost-to-M$-if-we-let-it...
Microsoft: Closed source is more secure FSVO secure
2001-04-17
bassethound2 (at) yahoo (dot) com [email concealed]
What we IT types fail to acknowledge in this discussion is this. This statement by Microsoft is not aimed at us techies, it is aimed at the CEO's and managers who sign the checks. It is our duty to try to explain the "vapor" that MS uses to obfuscate the issue. Fact one, is any system completel...
Amazing who __finds__ the holes in Windows
2001-04-13
Will
Review the MS Security bulletins. Note that most are
credited not to Microsoft's own QA staff, but by third
parties, who don't have access to the source to close
the hole before it's disseminated.
If this is what internal vetting fails to pick up, just
imagine the scale of the mistakes they...
Going through the motions != Security
2001-04-13
topeka (at) catchen (dot) org [email concealed]
It is true that large software companies have the budget to pay developers to examine code for security flaws. But the same problem exists for them: it is hard, potentially boring work. What these companies succeed in doing, is setting up large bureaucracies to make sure code is secure, meetings,...
Closed source software is secure
2001-04-13
soumyac (at) bigfoot (dot) com [email concealed]
I would have agreed with the views, it is so convincing and beautifully put, had I not read my history lesson.
In the same logic we should also agree - democracy is bad, monarchy is good. Because a closed governance system is supposed to give better ruler.
Unfortunately, history has proven it...
An observation
2001-04-13
Harry G
From what I can see, Microsoft generally uses its purchasers as the beta testers. It is well known that NT is one of the easiest OS's to crack.
Guess they will say anything for a buck. By the way, I am a Windows user, and I am in the process of moving my company AWAY from Windows to Linux, for 3 r...
Which explains why...
2001-04-13
Con Zymaris, CEO Cybersource Pty. Ltd. Australia
Which explains why Microsoft's security record is _soo_ good, huh? Give me a break. Their OSes are the least secure on the Internet, all developed under a closed source model, and they have the gall to suggest otherwise?
My background is in Science, and in Science, the notion of not publishing resu...
nobody buys ms argument
2001-04-16
j lock <jlock (at) compooter (dot) net [email concealed]>
Apparently nobody is buying Microsoft's logic with respect to open-source vs. closed-source. There are pros and cons of both, but security is not one of closed-source's pros. This is obviously a case of Microsoft trying to hook the software community by pointing out open-source's strong points, a...
So lipner finds security boring, huh?
2001-04-16
KSAJ
The guy in charge of Microsoft's security referring to security reviews as being boring, time consuming, and hard explains a lot about how Microsoft security got so shoddy in the first place. Perhaps he should read 2600 to see how bored people get when reviewing security of a product or service.
...
Open vs. closed not necessarily it....
2001-04-16
abostaph (at) usa (dot) net [email concealed] (1 replies)
I don't think that security boils down to open source or closed. Both have had their share of problems, and have been discovered, exploited and patched countless times.
I think that the biggest security problem stems from the notion that ease of use is more important than a secure system. And w...
Open vs. closed not necessarily it....
2001-04-16
Microsoft Defender (2 replies)
I've never seen such one-sided rebuttals in all my life. Bad software is bad business. If Microsoft was even close to the crap this crowd thinks it is then why is Microsoft king of the hill? Give them a little credit - not doing so is showing your own obvious bias. Half of the posters (or more) ...
Open vs. closed not necessarily it....
2001-04-18
Draconis
I think the upshot is that it's not that the user end of the market place that really relies on security, although this is beginning to change with various types of broadband connections, but the corporate 'targets' that have a lot to lose if attacked by a published exploit. While there are people ...
Open vs. closed not necessarily it....
2001-04-18
abostaph (at) usa (dot) net [email concealed] (1 replies)
Much of what you say is true. This is America, and I don't think that there is anything at all wrong with charging a fair price for a good product. The problem I have with M$ is that after my initial (usually large) investment in a M$ product, I must then shell out more cash to obtain a 3rd party ...
Open vs. closed not necessarily it....
2001-04-18
M$ Defender
I have to say I am impressed by the civility of the replies - kudos for not ranting and then TYPING THINGS IN ALL CAPS.
Yes, M$ does not have the greatest track record in security - however, from a logical business standpoint, Microsoft has the most to gain and the least to lose by producing secu...
I hope Mr Lipner reads this
2001-04-17
dirge
I am very happy that my peers are rebuffing Mr Lipner's baseless comments. The Open Source movement has provided the masses with something that Microsoft has no interest in. Caring, concern and honesty. Those qualities are lacking in MS products and procedures. Anyone who has used MS products profes...
Security Vulnerability Open Source vs Closed Source
2001-04-17
Rod <snaketails (at) optushome.com (dot) au [email concealed]>
Ok, starting off, Open source does have the disadvantage of allowing "prospective" hackers/virus creators the ability to view code and find holes, but read it the same statement looking from OpenSource point of view.
"Review is boring and time consuming, and it's hard," said Steve Lipner
So, h...
who gets cracked more?
2001-04-18
TauRine (1 replies)
who gets cracked more?
2001-04-18
M$ Defender (3 replies)
Easy - Linux.
Anyone who subscribes to BUGTRAQ knows Linux holes pollute their inbox far more than M$ bugs.
Linux security is a myth. No one has a secure OS - OpenBSD is probably as close to nirvana as it gets but at the expense of functionality in my opinion. We want security but we also ...
who gets cracked more?
2001-04-18
brian (1 replies)
--Anyone who subscribes to BUGTRAQ knows Linux holes --pollute their inbox far more than M$ bugs.
A major reason that linux bugs are more often discovered than windows bugs is simply because linux is open sourced. the facts are that it's much more simple for people to grep through c++ code looki...
who gets cracked more?
2001-04-18
M$ Defender
You totally missed the point - look at the subject line. Are you really telling me that because more security hole alerts come out for Linux that means it is MORE secure? This is the exact rationale you guys have been using against Microsoft and now faced with numbers suddenly more problems means ...
who gets cracked more?
2001-04-18
dirge
"Please don't confuse OS with application"
I would have to say that you would have to count a lot of the Linux hacks out. bugtraq gets more 'application' bugs than anything. ftpd, bind, and ntp are all 'services' not necessary to operate or network the system. However, if you compare that with n...
His arguments contradict each other!
2001-04-19
nobody important
The two main points of the discussion are:
(1) The public can't be trusted with source code because our software reviewers are trained, paid professionals. Nobody else is competent to find bugs and security holes.
(2) The public can't be trusted with source code because they'll find bugs and sec...
Closed Source products often contain obvious bugs
2001-04-19
A Reader
Closed Source products often contain obvious bugs. You don't need
the sources to find them.
But apparently companies that distribute closed source software think
they don't have to obey elementary rules for computer security.
Or they think they don't need to fix such bugs.
Until somebody fin...

they don't care about security while you,
at microsoft do, is false...
Okay security holes in bind, lprng, telnet, ssh, etc.
but they always get fixed quick...
While on microsoft's side, wut is there to say about the
new security issue in IE5.5, it takes tim...