Re: [ISN] Closed source is more secure -- MS

From: security curmudgeon (jerichoat_private)
Date: Mon Apr 16 2001 - 06:00:55 PDT


    > http://www.theregister.co.uk/content/8/18286.html
    >
    > By: Kevin Poulsen
    > Posted: 13/04/2001 at 08:27 GMT
    >
    > The head of Microsoft's security response team argued here Thursday that
    > closed source software is more secure than open source projects, in part
    > because nobody's reviewing open source code for security flaws.
    
    I think this is fairly easy to prove false. Look at the past few months of
    Bugtraq and you will see a wide variety of bugs being found in third party
    software by various security teams. People are auditing the code of
    various web servers, mail clients, and more.
    
    Speaking of 'prove'.. it still amuses me that these windbags get on the
    podium and spew this crap with no factual backing.
    
    > "Review is boring and time consuming, and it's hard," said Steve Lipner,
    > manager of Microsoft's security response center. "Simply putting the
    > source code out there and telling folks 'here it is' doesn't provide any
    > assurance or degree of likelihood that the review will occur."
    
    And with Windows' product track record as far as security goes, I think it is
    safe to question Microsoft's closed source 'review'. Not only do we see
    security vulnerabilities being discovered almost daily, we have
    Microsoft patches re-opening previously 'closed' holes. What kind of
    review process is that?
    
    > "The vendor eyes in a security review tend to be dedicated, trained,
    > full time and paid," Lipner said.
    
    I wonder if he said this with a straight face, or if the audience was
    polite enough not to laugh too loud. Microsoft talking about security in
    any capacity is a joke. There is a demonstrated and proven track record of
    this.
    
    > Lipner, who oversees Microsoft's response to newly-reported security
    > holes in its products, took the opportunity to point out "the repeated
    > and recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and
    > so on. The repeated theme is people use this stuff, but they don't
    > spend time security reviewing."
    
    Much like repeated vulnerabilities in Microsoft IIS?
    
    > Making source code public also increases the risk that attackers will
    > find a crucial security hole that reviewers missed, said Lipner. "That
    > argument sounds like an argument for 'security through obscurity,' and I
    > apologize. The facts are there."
    
    Facts.. what facts? This is windbag opinion until facts are brought to the
    table, which they haven't been.
    
    > By contrast, Microsoft does extensive testing on every product, and on
    > every patch, said Lipner. "People ask us why our security patches take
    > so long. One of the reasons they take so long is because we test
    > them."
    
    Search the bugtraq archives for the last few weeks and you will find
    several cases of this being proven false. Not only did one patch re-open a
    previous hole, another patch was found to only work on a very specific
    version of NT or 2k.
    
    > Lipner closed by warning that the nature of open source development
    > may lend itself to abuse by malicious coders, who could devilishly
    > clever 'trapdoors' in the code that escapes detection, hidden in plain
    > sight.
    
    This risk is present with any software, open or closed. There are several
    cases in the past of commercial closed source products having backdoors.
    Blizzard, ID, etc.
    
    > Under polite questioning from the audience, Lipner acknowledged that
    > some closed-source commercial products have been found to have
    > trapdoors themselves.
    
    Doh!
    
    > "Looking at products that come from commercial vendors, it seems the
    > customer has very little guarantee that the software has been
    > reviewed," said one conferee. "Industry has not acquitted itself
    > well."
    
    Glad others are confronting the windbags.
    
    ISN is hosted by SecurityFocus.com
    



    This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 02:55:54 PDT