Forwarded from: Joe Klein <jskleinat_private>

You have opened a can of worms.......

<Rant>

So how many times will Gates and company "Commit to Security"? It's almost like a pattern of marketing that Microsoft has created over the last 20 years. If I remember correctly:

- Scott Culp went before Congress on August 29, 2001, stating that "Our senior executives care passionately about security."

- Bill Gates - August, 2001 - received a presidential appointment to the National Infrastructure Assurance Council (NIAC). The NIAC is intended to advise the President and encourage cooperation between the public and private sectors to address physical threats and cyber threats to the Nation's critical infrastructure.

- Bill Gates - Jan. 15, 2001 - memo to employees: security, in the guise of "trustworthiness," has finally zoomed to the top of Microsoft's priorities.

- Craig Mundie, Microsoft's Senior Vice President and Chief Technical Officer for Advanced Strategies and Policy, received a presidential appointment to the National Security Telecommunications Advisory Council (NSTAC). The NSTAC advises the President on policy and technical issues associated with telecommunications.

- Steve Lipner, Microsoft's Lead Program Manager for Security, serves on the Congressionally-mandated Computer Systems Security and Privacy Advisory Board.

- Howard Schmidt, Microsoft's Corporate Security Officer, is deeply involved in G8 and United Nations initiatives and serves on the Board of the Partnership for Critical Infrastructure Security, a cross-sector, cross-industry effort supported by the National Security Council and the U.S. Department of Commerce. He recently participated in a U.S.-Australia bilateral meeting on critical infrastructure protection led by the U.S. Departments of State and Commerce.
  Moreover, he is the first president of the information technology industry's Information Sharing and Analysis Center, which coordinates information-sharing among information-technology companies and with the U.S. Government.

Now let's put this in perspective. Microsoft is working its political and PR machine to counter the move by the US National Academy of Sciences (NAS) with its "Trust in Cyberspace" ( http://www.nap.edu/catalog/6161.html & http://news.bbc.co.uk/hi/english/sci/tech/newsid_1762000/1762261.stm ). The "Trust in Cyberspace" article suggests that "Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches."

This comes after an insightful article from Bruce Schneier ( http://www.counterpane.com/crypto-gram-0201.html ) summarizing the history of Microsoft's focus on PR rather than security. This was a response to Scott Culp (Manager of the Microsoft Security Response Center) http://www.badsoftware.com/uccindex.htm . Another good one is "Security Flaws May Be Pitfall for Microsoft" https://www.latimes.com/business/la-000003463jan14.story?coll=la-headlines-business-manual . Or maybe Robert X. Cringely's article "The Death of TCP/IP, Why the Age of Internet Innocence is Over" http://www.pbs.org/cringely/pulpit/pulpit20010802.html .

In the background, Microsoft has been trying to get even more legal protection by having state legislatures pass versions of a bill called the Uniform Computer Information Transactions Act ( http://www.badsoftware.com/uccindex.htm ).

Now, in order to muzzle its harshest critics, Microsoft launches a 'Gold' security partner program ( http://www.computerworld.com/storyba/0,4125,NAV47_STO66799,00.html ). In the program the Security Partners must agree to abide by the "Microsoft Code of Conduct" ( http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/12-20-2001/0001637554&EDATE= ).
It carries out a proposal put forth by Microsoft in November 2001 under which information about security vulnerabilities would not be disclosed until patches to fix the problems are available. Many in the security and research communities contend that full disclosure of vulnerabilities is essential for creating work-arounds while they wait for patches. Full disclosure can also help stave off future security problems, they say.

So my take on this is simple. Microsoft's goal is not security; it is to:

1. Reduce its risk of legal actions and to provide evidence of 'due diligence'.

2. Interact with lawmakers to convince them that Microsoft is secure and the problems are the administrators of the systems and the security community.

3. On the PR side, show a façade of increased security. Try to convince the media that their product is secure.

4. Muzzle Microsoft's harshest critics with a "Security Partner Program". This way you can control at least some of the bad press while getting free help in finding security problems.

5. Use open source as the standard to compare Microsoft security with internally, but convince the media that open source is bad.

Now let's compare this with open source. Open source has a long history of responding within days to security concerns.

- This history goes back to 1988, when the Morris worm was released on the Internet and developers had security fixes within hours.

- The open source community has no history of hiding, bad-mouthing or restraining people from discussing security problems.

- The open source movement developed because many companies just did not want to produce great software.

So let's review up to this point. Microsoft is now fixing security problems so they can reduce their risk of liability by showing "due diligence", control discussion and reduce all of the bad press. The open source community fixes problems when they are found and promotes open discussion on how to improve security.
Now which group is more security driven, and which is more trying to cover their ass? You decide.

</Rant>

Joe Klein

-----Original Message-----
From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News
Sent: Thursday, March 28, 2002 2:03 AM
To: isnat_private
Subject: [ISN] MS vs. open source: Security's the same

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2857736,00.html

By Wayne Rash
March 25, 2002
wrashat_private

I already know that you're going to hate what I have to say. You'll no doubt send me strongly worded e-mails. Fine. We have a tough bunch here at ZDNet, and we can take it.

When you read about the security problems of some open source applications and operating systems, some of you have nodded approvingly, and muttered words that sound a lot like "I told you so." Let's face it, all the smugness about the superiority of open source code has been pretty hard to take.

Of course, the open source people claim that such charges simply aren't true. They say open source products are better because more people work on them and then distribute the patches--meaning that security holes get fixed right away. Microsoft, as the leading vendor of proprietary software, claims the same thing.

The fact is, both sides have their share of problems--but neither side has the edge when it comes to fixing security holes. You're just as likely to encounter a security problem with open source code as you are with Microsoft Windows, and the fix is just as likely to appear quickly and be done properly.

Normally, this is the point where Microsoft gets trashed for its seemingly endless list of security patches for Windows. That's not going to happen here. Yes, Microsoft does have a long list of security issues for which it has issued patches. But the fact that those patches exist means somebody in Microsoft is making sure those fixes are made.
According to Steve Lipner, Microsoft's Director of Security Assurance, the company's Security Response Team operates seven days a week and has been known to issue patches to Windows security within hours of finding out about a problem. This sounds pretty responsive to me, certainly as responsive as the open-source solution to fixes--hoping someone steps up to the plate, creates a fix, and makes it available.

The problems with security are not greater or fewer with Microsoft's code versus open source. They're just different.

Want another opinion? In the FBI's ongoing list of the top 20 security problems, the number of Windows and open-source problems are about equal.

The bottom line is that you should choose your OS or Web server software by how well it meets your needs--because these days, security really isn't the differentiating factor.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Mar 29 2002 - 04:33:22 PST