Subject: Re: Microsoft: Closed source is more secure
From: Werner Koch <wk@gnupg.org>
Date: Wed, 25 Apr 2001 15:57:33 +0200

Hi!


> http://www.securityfocus.com/news/191
> manager of Microsoft's security response center. "Simply putting the
> source code out there and telling folks 'here it is' doesn't provide any
> assurance or degree of likelihood that the review will occur."

He is right there and I know a couple of cases where I fixed a bug
and realized that nobody with a little bit of programming knowledge
could have looked at it.  OTOH, I know that for example quite a
couple of folks are quite familiar with the GnuPG code base and
actually contributed fixes to questionable constructs. So it is not
that bad.

PGP 5 is not Free Software but we can look at the code - there is
evidence that nobody has done a code auditing, neither the NAI folks
nor anyone else.

> "The vendor eyes in a security review tend to be dedicated, trained,
> full time and paid," Lipner said.

Given only those simple to detect buffer overflows reported daily
about proprietary products, I don't buy this.

> Lipner argued that network administrators are better off spending their
> time reading log files and installing patches than poring over source
> code looking for security holes, and the system of 'peer review' that

Nobody expects admins to look over the code.  We have thousands of
talented programmers who do this.  There are reports on the code
quality of GNU which claim that this Free Software outperforms any
other proprietary Unix software in robustness and error freeness,
let alone DOS and Windows software.

> "An encryption algorithm is relatively simple, compared to a 40 million
> line operating system," Lipner argued. "And the discovery of an

Someone who designs a 40 million line OS without any internal
security boundaries does not know what he is doing.  Complexity is
the worst enemy of security.

> holes in its products, took the opportunity to point out "the repeated
> and recurring vulnerabilities in the Unix utilities BIND, WU-FTP, and so
> on. The repeated theme is people use this stuff, but they don't spend
> time security reviewing."

Responsible admins don't use wu-ftp or other programs with a large
record of security pitfalls.  Well, Bind is a problem because there
is no other conforming and usable alternative available.

> By contrast, Microsoft does extensive testing on every product, and on
> every patch, said Lipner. "People ask us why our security patches take
> so long. One of the reasons they take so long is because we test them."

Most of us know the quality of their patches.  And he missed a very
important point:  It is not possible to find design flaws or other
security holes just by testing.  To find those things, independent
design and code auditing is a must.

> Lipner closed by warning that the nature of open source development may
> lend itself to abuse by malicious coders, who could devilishly clever
> 'trapdoors' in the code that escapes detection, hidden in plain sight.

Well, we could.  But although the MS folks are not able to figure
them out (they don't even find the most obvious bugs in their code),
other hackers will find them.

And because we can't hide our code, the whole world will point their
fingers at a programmer who added deliberately malicious code into
Free Software.  Not good for his reputation.

> Under polite questioning from the audience, Lipner acknowledged that
> some closed-source commercial products have been found to have trapdoors
> themselves.

And that even without access to the source code! Expect a lot more
backdoors in proprietary software.

> "Looking at products that come from commercial vendors, it seems the
> customer has very little guarantee that the software has been reviewed,"
> said one conferee. "Industry has not acquitted itself well."

Reading Bugtraq proves this to 100%.


SCNR to comment on these ridiculous statements.

  Werner


-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus