[ISN] Microsoft to reveal Palladium source code

From: InfoSec News (isnat_private)
Date: Wed Jun 26 2002 - 00:57:04 PDT

  • Next message: InfoSec News: "[ISN] Best Buy suing over e-mail porn scam"

    By: Robert Lemos
    6/24/02 5:45 PM
    Source: News.com  
    Microsoft, long a proponent of keeping source code secret, plans to
    publish the source code to a critical part of its Palladium project to
    enhance security, a representative of the software giant said Monday.
    The component -- some thousands of lines of source code--is the basic
    foundation of the security proposed in Microsoft's project and, as
    such, is the linchpin for the software giant's trusted-computing
    "We will be publishing the source code because people will need to
    trust this," said Mario Juarez, group product manager for the
    Palladium project at Microsoft. "To get people to believe in what is
    happening in that little piece of code is critical."
    On Monday, Microsoft took the wraps off its project, code-named
    Palladium, to design new hardware and software that could better
    guarantee the security of user data and let companies control data
    that they "own" while on a consumer's PC.
    However, as part of the public push for acceptance of its technology,
    Microsoft plans to release the source code to the guts of the software
    component, called the "secure processing environment."
    In the past, Microsoft has argued that opening such critical code
    could undermine security. But Juarez doesn't think so. "Not at all,"  
    he said. "In fact, it enhances the security of the code. The RSA
    (encryption) algorithm was published at the outset; that's why it's
    trusted today."
    That admission could undermine the company's repeated claims that
    opening the Windows source code would hurt the security of the
    company's flagship operating system. The company has used the
    assertions to fight against potential antitrust penalties that would
    require it to show competitors pieces--or all--of its code.
    During testimony in the antitrust case against Microsoft, Jim Allchin,
    senior vice president for Windows, said that any remedy that required
    the company to reveal the operating system's source code would
    strengthen hackers' and virus writers' ability to circumvent
    "The more creators of viruses know about how antivirus mechanisms in
    Windows operating systems work, the easier it will be to create
    viruses or disable or destroy those mechanisms," Allchin testified.
    Programs that are published under open-source tenets allow anyone to
    look at the software's source code. Unlike, say, Microsoft Windows XP,
    which only comes packaged as extremely difficult-to-understand binary
    code, an open-source program lets people copy or modify code to
    include improvements--as long as the new code is republished.
    The open-source software community and closed-source advocates have
    long argued that their own development process leads to better
    security. Both sides, however, have had major breaches in security.  
    Microsoft's Web server had an easily exploitable hole that led to the
    Code Red worm epidemic almost a year ago. Linux and other Unix-like
    systems had a major flaw in the WU-FTP server, a popular program for
    hosting files for downloading. That flaw allowed numerous hackers and
    some worms to break into unpatched servers.
    A recent research paper argued that open-source and closed-source
    software had essentially the same security.
    While Microsoft's Juarez doesn't promise that the source code to the
    secure processing environment will be open source, he did say that it
    will be published.
    Bruce Perens, an open-source evangelist and creator of the open-source
    definition, said that Microsoft does seem to be contradicting its
    prior statements.
    "I think what Microsoft is admitting is that it can disclose the
    source code to the whole world, and not necessarily hurt the security
    of the program," he said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 04:07:14 PDT