Subject: Re: anti/Law
From: Rich Persaud <persaudl@autometa.com>
Date: Wed, 14 Apr 1999 14:38:58 -0700

At 12:07 PM 4/14/99 , Kragen Sitaker wrote:
>Rich Persaud wrote:
>> Open source lets a non-specialist exploit security weaknesses, increasing
>> your statistical chance of being attacked.  This additional testing volume
>> increases the priority of getting the problem fixed.
>>
>> This is nonsense.

Maybe.  I omitted a few steps between cause and effect.

[abbreviation: OS=open source]

OS and non-OS licenses produce different cultures of development, defense 
and attack.

Non-OS licenses produce a small number of elite developers, defenders and 
attackers.  Obtaining the education necessary to join this elite requires 
access to the elite, their organizations, or reverse-engineering from 
publicly available documents and binaries. Having paid the price of joining 
the elite, one is often motivated by the intellectual challenge of 
obtaining the most results with the least amount of information.

OS licenses produce a large number (over time) of developers, defenders and 
attackers.  The complexity of the domain and quality of documentation will 
determine the rate of knowledge dissemination.  Given that internal 
information about the product is widely available, one no longer competes 
for privileged access to such information. People compete based on their 
ability to derive new information from the public information base. That 
new information could be usage scenarios, feature additions, security 
weaknesses or automated attacks (which are security tests).

> rootshell.com lets a non-specialist exploit security weaknesses, in
> both free software and proprietary software.  Once a specialist has
> packaged an attack into an easy-to-use tool, anyone can apply it --
> regardless of whether the target is open source or not.

The packaging of the easy-to-use tool can itself be an OS effort, leading 
to a market of OS security test infrastructures.  Which culture leads to a 
more desirable result? The proprietary one that yields proprietary attacks? 
Or an open one that yields open attacks? What is the value of attacking 
oneself? The attack tools become a complement to the main product, 
stimulating its evolution.

>Rich Persaud wrote:
>> Open source lets a non-specialist exploit security weaknesses, increasing
>> your statistical chance of being attacked.  This additional testing volume
>> increases the priority of getting the problem fixed.

I'll take the first sentence back. You're correct that it's packaging, not 
OS that lets the non-specialist exploit security weaknesses.  But is it 
possible that OS code leads to the production of more specialists (thanks 
to the educational value of source code for products and attacks)? More 
specialists increase the production capacity for packaged attacks 
(security regression tests).

OS software eliminates the use of white-box product knowledge as a 
competitive differentiator and enables the development of OS white-box 
regression tests.

Rich