RE: [ISN] MS vs. open source: Security's the same

From: InfoSec News (isnat_private)
Date: Fri Mar 29 2002 - 01:07:08 PST

    Forwarded from: Joe Klein <jskleinat_private>
    You have opened a can of worms.......
    So how many times will Gates and company "Commit to Security"? It's
    almost like a pattern of Marketing that Microsoft has created over the
    last 20 years.
    If I remember correctly, 
    - Scott Culp went before Congress on August 29, 2001, stating that "Our
      senior executives care passionately about security."
    - Bill Gates - August 2001 - received a presidential appointment to
      the National Infrastructure Assurance Council (NIAC). The NIAC is
      intended to advise the President and encourage cooperation between 
      the public and private sectors to address physical threats and cyber 
      threats to the Nation's critical infrastructure.
    - Bill Gates - Jan. 15, 2001 - memo to employees, security, in the guise
      of "trustworthiness," has finally zoomed to the top of Microsoft's
    - Craig Mundie, Microsoft's Senior Vice President and Chief Technical
      Officer for Advanced Strategies and Policy, received a presidential
      appointment to the National Security Telecommunications Advisory 
      Council (NSTAC). The NSTAC advises the President on policy and 
      technical issues associated with telecommunications.
    - Steve Lipner, Microsoft's Lead Program Manager for Security, serves 
      on the Congressionally-mandated Computer Systems Security and 
      Privacy Advisory Board.
    - Howard Schmidt, Microsoft's Corporate Security Officer, is deeply
      involved in G8 and United Nations initiatives and serves on the 
      Board of the Partnership for Critical Infrastructure Security, a 
      cross-sector, cross-industry effort supported by the National 
      Security Council and the U.S. Department of Commerce. He recently 
      participated in a U.S.-Australia bilateral meeting on critical 
      infrastructure protection led by the U.S. Departments of State and 
      Commerce. Moreover, he is the first president of the information 
      technology industry's Information Sharing and Analysis Center to 
      coordinate information-sharing among information-technology 
      companies and with the U.S. Government.
    Now let's put this in perspective. Microsoft is working its political
    and PR machine to counter the move by the US National Academy of Sciences
    (NAS) with its "Trust in Cyberspace"
    ( & ).
    In the "Trust in Cyberspace" article, it suggests "Possible
    options include steps that would increase the exposure of software and
    systems vendors and system operators to liability for system
    This comes after an insightful article from Bruce Schneier
    ( ) summarizing the
    history of Microsoft's focus on PR rather than security. This was a
    response to Scott Culp (Manager of the Microsoft Security Response
    Center).
    Another good one is "Security Flaws May Be Pitfall for Microsoft"
    Or maybe Robert X. Cringely's article "The Death of TCP/IP, Why the Age
    of Internet Innocence is Over"
    In the background Microsoft has been trying to get even more legal
    protections by having state legislatures pass versions of a bill
    called the Uniform Computer Information Transactions Act
    ( ).
    Now, in order to muzzle its harshest critics, Microsoft launches the
    'Gold' security partner program
    (,4125,NAV47_STO66799,00.html ).
    In the program the Security Partners must agree to abide by the
    "Microsoft Code of conduct"
    12-20-2001/0001637554&EDATE= ). It carries out a proposal put forth by
    Microsoft in November 2001 under which information about security
    vulnerabilities would not be disclosed until patches to fix the
    problems are available. Many in the security and research communities
    contend that full disclosure of vulnerabilities is essential for
    creating work-arounds while they wait for patches. Full disclosure can
    also help stave off future security problems, they say.
    So my take on this is simple. Microsoft's goal is not security; it is to: 
    1. Reduce its risk of legal actions and to provide evidence of 'due
    2. Interact with lawmakers to convince them that Microsoft is secure and
       the problems are the administrators of the systems and the security
    3. On the PR side, it's to show a façade of increased security. Try to
       convince media that their product is secure. 
    4. Muzzle Microsoft's harshest critics with a "Security Partner
       Program". This way you can control at least some of the bad press 
       while getting free help in finding security problems.
    5. Use open source as the standard to compare Microsoft security with
       internally, but convince the media that open source is bad.
    Now let's compare this with open source:
    Open source has a long history of responding within days to security
    - This history goes back to 1988 when the Morris worm was released on
      the internet and developers had security fixes within hours. 
    - The open source community has no history of hiding, bad-mouthing or
      restraining people from discussing security problems. 
    - The open source movement developed because many companies just did not
      want to produce great software. 
    So let's review up to this point. Microsoft is now fixing security
    problems so they can reduce their risk of liability by showing "Due
    Diligence", control discussion and reduce all of the bad press.  The
    open source community fixes problems when they are found and promotes
    open discussion on how to improve the security.
    Now which group is more security-driven and which is more trying to
    cover their ass?  You decide.
    Joe Klein
    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private] On Behalf
    Of InfoSec News
    Sent: Thursday, March 28, 2002 2:03 AM
    To: isnat_private
    Subject: [ISN] MS vs. open source: Security's the same
    By Wayne Rash
    March 25, 2002 
    I already know that you're going to hate what I have to say. You'll no 
    doubt send me strongly worded e-mails. Fine. We have a tough bunch 
    here at ZDNet, and we can take it. 
    When you read about the security problems of some open source 
    applications and operating systems, some of you have nodded 
    approvingly, and muttered words that sound a lot like "I told you so." 
    Let's face it, all the smugness about the superiority of open source 
    code has been pretty hard to take. 
    Of course, the open source people claim that such charges simply 
    aren't true. They say open source products are better because more 
    people work on them and then distribute the patches--meaning that 
    security holes get fixed right away. Microsoft, as the leading vendor 
    of proprietary software, claims the same thing. 
    The fact is, both sides have their share of problems--but neither side 
    has the edge when it comes to fixing security holes. You're just as 
    likely to encounter a security problem with open source code as you 
    are with Microsoft Windows, and the fix is just as likely to appear 
    quickly and be done properly. 
    Normally, this is the point where Microsoft gets trashed for its 
    seemingly endless list of security patches for Windows. That's not 
    going to happen here. Yes, Microsoft does have a long list of security 
    issues for which it has issued patches. But the fact that those 
    patches exist means somebody in Microsoft is making sure those fixes 
    are made. 
    According to Steve Lipner, Microsoft's Director of Security Assurance, 
    the company's Security Response Team operates seven days a week and 
    has been known to issue patches to Windows security within hours of 
    finding out about a problem. This sounds pretty responsive to me, 
    certainly as responsive as the open-source solution to fixes--hoping 
    someone steps up to the plate, creates a fix, and makes it available. 
    The problems with security are not greater or fewer with Microsoft's 
    code versus open source. They're just different. Want another opinion? 
    In the FBI's ongoing list of the top 20 security problems, the number 
    of Windows and open-source problems are about equal. The bottom line 
    is that you should choose your OS or Web server software by how well 
    it meets your needs--because these days, security really isn't the 
    differentiating factor. 

    This archive was generated by hypermail 2b30 : Fri Mar 29 2002 - 04:33:22 PST