Subject: Current events and free software
From: Ben_Tilly@trepp.com
Date: Tue, 18 Sep 2001 12:43:09 -0400


In the wake of the tragic events at the WTC, there is a heightened
interest in security around the world.  One week later, almost to the
hour, a worm was launched attacking numerous holes in Microsoft
software.  It has spread incredibly fast, generating huge amounts of
traffic and causing disruptions to regular service.

It is to be hoped that this will lead to calls for a more robust
software infrastructure.  You certainly have to wonder whether the
timing is entirely coincidence.

Microsoft has an answer to this, of course.  Their answer is .NET, and
I believe that the SSSCA is an attempt to shove it down our collective
throats in the name of "security".  The analysis that led me to that
conclusion appeared on this list and exists in our archives at
http://www.crynwr.com/cgi-bin/ezmlm-cgi?mss:6169:200109:jjboaddhgocelmndgcff
if you missed it the first time.  Current events the next day made
many of us, myself included, have more important things than Microsoft
to worry about...

However, given that we are experiencing a rather large public failure
of Microsoft software, I am hopeful that people may be willing to pay
attention to a different answer.  Apache has a sterling security
record.  IIS does not.  Apache is deployed on more sites than IIS and
yet it is the less widely-deployed IIS that made an easy security
target.  I think that this is an excellent time to point facts like
those out to the public, and make people aware of why they are better off
trusting and promoting free software.

At the least we should make it clear to politicians why it is bad for
security to push forward on the SSSCA and make illegal software with a
good security record, while in all likelihood mandating the use of
software from companies with a bad record.

This is, of course, a sad reason to have the opportunity.  But still
the opportunity is there, and I don't think it should be missed.

Cheers,
Ben