FC: More on terrorists using open source software to wreak havoc

From: Declan McCullagh (declanat_private)
Date: Wed Jun 05 2002 - 09:57:53 PDT

    ---
    
    Date: Wed, 5 Jun 2002 00:23:29 -0700
    From: carey <careyat_private>
    To: declanat_private
    Subject: Re: FC: Terrorists could use open source software to wreak havoc!
    
    Declan,
    
    I thought this was mildly amusing when I saw it as well.   I decided
    to go hit up Mr. Ken Brown who was listed as the President of ADTI and
    see what his answer to the funding question was.  He sent me a rather
    cryptic, dodgy response.
    
    Especially strange is #3.  Also, the tripe about
    'true patriots' was a bit funny.  What, true patriots don't use Linux?
    
    
    
    --------------------------------------
    From: "Ken Brown" <kenbrownat_private>
    Sent: Sunday, June 2, 2002 11:02 AM
    To: careyat_private
    Subject: RE: Quick and curious
    
    
    Our position is as follows:
    
    1:  No software is invulnerable.  Thus all software inherently has security
    problems.
    2:  Those with motivations to crack a software for bad reasons, etc. will do
    so, regardless of whether the product is OS or proprietary.
    3:  OS is a sound, credible approach for creating systems for the Internet,
    etc.; however, its basis is upon sharing.  While we understand that all OS
    does not have to be shared, a majority of it, whether it is commercial or
    non-commercial, is shared.  GPL and GPL licensed applications are over 80% of
    popular OS products today.  GPL and LGPL stipulate that sharing must occur.
    4:  National security systems must be secret.  Anything or anyone that poses
    any type of indiscreet sharing of intimate information about our
    government's IT infrastructure is an inherent threat.
    
    Therefore:
    
    Due to increased interest by bad people in our national security system's
    vulnerabilities, we should avoid use of systems that enable, require or
    mandate indiscreet sharing.
    
    Microsoft and people's hate for Microsoft is irrelevant.  True patriots will
    come to grips with the reality that really bad people want more information
    about our nation's computer systems; and giving bad people indiscreetly any
    information about our systems is reckless.
    
    kb
    
    
    
    -----Original Message-----
    From: carey [mailto:careyat_private]
    Sent: Friday, May 31, 2002 5:12 PM
    To: kenbrownat_private
    Subject: Quick and curious
    
    I'm sure I -could- find this on the net already, but I figured I'd ask you
    first.
    
    Just curious, given your heavy coverage of Microsoft related issues, if you
    received any funding from a Microsoft-based group?
    
    Also, how long have you been in existence?   I ran across an article today,
    and I was a bit curious.
    
    Thanks in advance,
    
    Carey Lening
    
    
    ===8<===========End of original message text===========
    
    
    
    -- 
    Best regards,
      carey                            mailto:careyat_private
    
    ---
    
    Date: Wed, 05 Jun 2002 17:57:42 +1000
    From: Nathan Cochrane <ncochraneat_private>
    Reply-To: ncochraneat_private
    Organization: The Age newspaper
    To: declanat_private
    Subject: Re: FC: Terrorists could use open source software to wreak havoc!
    
    I just had a browse around the ADTI site and I think the institution 
    suffers a weird form of cognitive dissonance that makes their stance on 
    free software even harder to reconcile with their mission.
    
    "Since 1988 the Alexis de Tocqueville Institution has studied the spread 
    and perfection of democracy around the world.
    
    "Among these liberal ideals are civil liberty, political equality, and 
    economic freedom and opportunity."
    
    How can a monopoly ever be considered preferable to a free and open 
    marketplace, or the contributions of volunteers, freely given, in pursuit 
    of an ideal, such as free software?
    
    I just don't get it.
    
    
    ---
    
    From: "Blane Warrene" <bwarreneat_private>
    To: declanat_private
    Subject: Re: FC: Terrorists could use open source software to wreak havoc!
    Date: Wed, 05 Jun 2002 10:01:01 -0400
    
    How easily they overlooked the fact that one of the prime characteristics 
    of open-source software is the ability to customize and re-compile a kernel 
    or application (in essence make it proprietary for the individual or 
    institution using the software), closing doors left open in the original 
    source.  This also changes the footprint of the application, making it much 
    more difficult for an outsider to "find their way in" to your installation 
    without your internal secured (we hope) documentation.
    
    We have done this with several servers - re-building them for internal use 
    only, effectively changing the nature of the OS to meet our needs.
    
    ---
    
    Subject: Re: FC: Terrorists could use open source software to wreak havoc!
    From: Steve Stearns <sternoat_private>
    To: declanat_private
    
    Something came to mind recently that ties well into the white paper on
    open source security risks from the Alexis de Tocqueville Institute.
    Microsoft has openly admitted in court that there are significant
    security vulnerabilities in their products.  Vulnerabilities so
    substantial that they believe it would be a national security threat to
    open up certain parts of the source code.  What protections exist to
    keep that information out of terrorist hands?
    
    The security presumption in open source is that, yes, there will be
    bugs, but if everybody can see them, there is a chance for the "good
    guys" to find and solve those problems before the "bad guys" exploit
    them.  The security presumption in proprietary code is that the
    vulnerabilities can't be found without access to the source code.  That
    presumption is only as good as the security measures that are in place
    within the company that writes the software.  So, how hard would it
    really be for terrorists or foreign agents to infiltrate Microsoft?
    
    To put the scope of this threat into some perspective, think about how
    many people within Microsoft had to be aware of these security problems
    in order for it to make its way to a company executive who could allude
    to it in court.  How many layers of managers and development teams did
    that information pass through?  The more people who become aware of the
    problem, the more risk that any one of those people is an infiltrator,
    or potentially corruptible.
    
    So how "confidential" is closed source software really?
    
    ---Steve
    
    ---
    
    Date: Wed,  5 Jun 2002 12:16:42 -0400
    From: Jamie McCarthy <jamieat_private>
    Subject: Re: FC: Terrorists could use open source software to wreak havoc!
    To: declanat_private
    X-Priority: 3
    
    declanat_private (Declan McCullagh) writes:
    
     > Just because an entity receives MS cash does not necessarily mean
     > MS dictates its opinions.
    
    Tell that to the Institution itself;  they seemed eager to play
    "follow the money" back in 2000 (though this "study" they hinted
    at doesn't seem to actually have been released):
    
    http://www.adti.net/html_files/technology/pause_the_microsoft_case.htm
    
         An Alexis de Tocqueville Institution study to be published
         this spring, he said, is finding that a large number of
         major soft dollar donors to the Democratic Party over the
         last three election cycles are now plaintiffs, witnesses,
         or beneficiaries in U.S. anti-trust cases.
    
    Sure, maybe MS cash doesn't influence their opinions.  Maybe they are
    just a bunch of guys who really like to sit around and write opinion
    piece after opinion piece, and do study after study, showing that
    Microsoft is the greatest company in the world:
    
    http://www.adti.net/html_files/technology/mcseStudyDraft.pdf
    
         in which we see that many top firms think the MCSE is a
         valuable certification
    
    http://www.adti.net/html_files/technology/Ebert_Microsoft.html
    
         the antitrust suit will destroy American tech leadership
    
    http://www.adti.net/html_files/technology/scarborough_microsoft.html
    
         Sept. 7, 1999: "if Microsoft actually is crushing competitors,
         then what accounts for those companies' rising stock?  Since
         the federal government took Microsoft to court, Amazon.com is
         up 838 percent, AOL up 555 percent..."
    
    http://www.adti.net/html_files/thirdparty/clinchvalleytimes_agregory012000.html
    
         January 20, 2000: "The recently announced $350 billion merger
         between AOL and Time-Warner, FFI says, is an indication that
         Netscape Navigator owner AOL has not been crushed by Microsoft's
         'monopoly,' else how could it participate in this deal, the
         biggest ever recorded?"
    
    http://www.adti.net/html_files/technology/pressrelease_ms10242000.html
    
         Japan, Switzerland, and the EU oppose Microsoft antitrust suit
    
    http://www.adti.net/html_files/technology/marketplace_rule.html
    
         Microsoft should be exempt from antitrust because "unlike
         oil and aluminum, ideas and innovative technology can be
         controlled by no company" -- that's a deep understanding of
         the issues
    
    And here's their pride and joy, a study showing that MCSEs
    (Microsoft Certified Systems Engineers) are really in demand,
    and they make good money!
    
    http://www.adti.net/html_files/technology/studymcse.PDF
    
         "A MCSE Introduction -- Training for the Digital Age"
    
         "Any advice for MCSE's?" "Stick with it. If you are under
         financial pressure it will be worth it to get certified and
         don't get discouraged because it will pay off."
    
         "[Getting MCSE certified] has made a huge transition.  I
         have met a lot of new people and people respect me more...
         I know I will find a good job once I graduate."
    
    and a bushel of reprintings of their press release for that study --
    the ADTI is just *so proud* that actual newspapers picked it up and
    ran blurbs on it:
    
         the Pennsboro News...
         <http://www.adti.net/html_files/technology/pennsboro_news_techtrends022801.html>
    
         the Pelham Sun...
         <http://www.adti.net/html_files/technology/pelham_sun_techtrends03801.html>
    
         the Pioneer Shopper...
         <http://www.adti.net/html_files/technology/pioneershpr_techtrends013001.html>
    
         The Purple Squirrel...
         <http://www.adti.net/html_files/technology/purpsquirrel_familiarity0201.html>
    
    ...and many others in their posse of pusillanimous pressmonkeys.
    
    I'd never heard of the ADTI before this, but after spending an hour
    or two crawling their site -- which by the way is hosted on unix
    by the open-source software Apache -- I think it's unlikely that
    there exists anywhere in the world a more toadying opinionfactory,
    begging to trade persuasion stamped "nonpartisan" for corporate cash.
    Most "think-tanks" have erected a much better facade.  The ADTI's
    is balsa wood and refrigerator boxes.
    
    "In the United States, the majority undertakes to supply a
    multitude of ready-made opinions for the use of individuals,
    who are thus relieved from the necessity of forming opinions
    of their own." -- Alexis de Tocqueville
    
    ---
    
    From: "Thomas Leavitt" <thomasleavittat_private>
    To: declanat_private
    Subject: Re: FC: Terrorists could use open source software to wreak havoc!
    Date: Wed, 05 Jun 2002 08:56:59 -0700
    
    The whole "open source software is insecure" argument is specious... you 
    only have to look at the example of IRIX (SGI's proprietary version of 
    Unix) to see that security exploit techniques that target common 
    programming errors don't require access to source code. I remember seeing 
    almost daily reports that one or more new buffer overrun exploits had been 
    discovered at one point - and that is only one technique.
    
    Regards,
    Thomas Leavitt
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 10:36:55 PDT