Re: [ISN] Closed source is more secure -- MS

From: InfoSec News (isnat_private)
Date: Mon Apr 16 2001 - 11:56:25 PDT

    Forwarded by: seraphim <seraphimat_private>
    This is blasphemous -
    In no way does making closed source software "more secure" or "less
    open to attacks."  The reason open source is so well taken is the
    simple (and obvious?) fact that it is open to everyone, and can be
    reviewed openly and freely. MD5 checksums exist to maintain developer
    to consumer malicious hackers changing open source code
    and implementing back doors/trojans is out of the question. I would
    think it very difficult to forge an MD5 checksum.
    Let's put our least favorite Operating System under scrutiny -
    Microsoft Windows is closed source - meaning Microsoft can put whatever
    they feel like into the code....and only tell the consumer what
    they want to hear. Easter Eggs anyone?  It is very much more plausible
    to implement malicious code/backdoors/trojans in a closed source
    environment, assuming the intent to do so is internal to the company
    designing the software. Which might just be the case - If Microsoft
    coders can put Easter Eggs in their software...what stops a skilled
    coder working for Microsoft to put in backdoors or any other nasty
    The idea Lipner is failing to grasp is that by opening our software to
    the public, and letting coders/hackers break the code and test it, is
    to simply make it stronger. By abusing the code it gets better -
    Coders/hackers find a weakness - their authors fix it - and the
    program becomes stronger. And need we mention Open source software is
    ultra cheaper (more like free?) than closed software scenarios.
    Just my two cents -
    ----- Original Message -----
    From: InfoSec News <isnat_private>
    To: <ISNat_private>
    Sent: Saturday, April 14, 2001 1:26 PM
    Subject: [ISN] Closed source is more secure -- MS
    > By: Kevin Poulsen
    > Posted: 13/04/2001 at 08:27 GMT
    > The head of Microsoft's security response team argued here
    > Thursday that closed source software is more secure than open
    > source projects, in part because nobody's reviewing open source
    > code for security flaws.
    > "Review is boring and time consuming, and it's hard," said Steve
    > Lipner, manager of Microsoft's security response center. "Simply
    > putting the source code out there and telling folks 'here it is'
    > doesn't provide any assurance or degree of likelihood that the
    > review will occur."
