Information Security News mailing list archives

RE: MS vs. open source: Security's the same
From: InfoSec News <isn () c4i org>
Date: Fri, 29 Mar 2002 03:07:08 -0600 (CST)

Forwarded from: Joe Klein <jsklein () mindspring com>

You have opened a can of worms.......

<Rant>

So how many times will Gates and company "Commit to Security"? It's
almost like a pattern of Marketing that Microsoft has created over the
last 20 years.

If I remember correctly,

- Scott Culp went before Congress on August 29, 2001, stating that "Our
  senior executives care passionately about security."

- Bill Gates... August, 2001 - received a presidential appointment to
  the National Infrastructure Assurance Council (NIAC). The NIAC is
  intended to advise the President and encourage cooperation between 
  the public and private sectors to address physical threats and cyber 
  threats to the Nation's critical infrastructure.

- Bill Gates - Jan. 15, 2001 - memo to employees, security, in the guise
  of "trustworthiness," has finally zoomed to the top of Microsoft's
  priorities.

- Craig Mundie, Microsoft's Senior Vice President and Chief Technical
  Officer for Advanced Strategies and Policy, received a presidential
  appointment to the National Security Telecommunications Advisory 
  Council (NSTAC). The NSTAC advises the President on policy and 
  technical issues associated with telecommunications.

- Steve Lipner, Microsoft's Lead Program Manager for Security, serves 
  on the Congressionally-mandated Computer Systems Security and 
  Privacy Advisory Board.

- Howard Schmidt, Microsoft's Corporate Security Officer, is deeply
  involved in G8 and United Nations initiatives and serves on the 
  Board of the Partnership for Critical Infrastructure Security, a 
  cross-sector, cross-industry effort supported by the National 
  Security Council and the U.S. Department of Commerce. He recently 
  participated in a U.S.-Australia bilateral meeting on critical 
  infrastructure protection led by the U.S. Departments of State and 
  Commerce. Moreover, he is the first president of the information 
  technology industry's Information Sharing and Analysis Center to 
  coordinate information-sharing among information-technology 
  companies and with the U.S. Government.

Now let's put this in perspective. Microsoft is working its political
and PR machine to counter the move by the US National Academy of Sciences
(NAS) with its "Trust in Cyberspace"

( http://www.nap.edu/catalog/6161.html &
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1762000/1762261.stm ).

In the "Trust in Cyberspace" article, it suggests that "Possible
options include steps that would increase the exposure of software and
systems vendors and system operators to liability for system
breaches."

This comes after an insightful article from Bruce Schneier
( http://www.counterpane.com/crypto-gram-0201.html ) summarizing the
history of Microsoft's focus on PR rather than security. This was a
response to Scott Culp (Manager of the Microsoft Security Response
Center) http://www.badsoftware.com/uccindex.htm .

Another good one is "Security Flaws May Be Pitfall for Microsoft"
https://www.latimes.com/business/la-000003463jan14.story?coll=la-headlines-business-manual

Or maybe Robert X. Cringely's article "The Death of TCP/IP, Why the Age
of Internet Innocence is Over"
http://www.pbs.org/cringely/pulpit/pulpit20010802.html .

In the background Microsoft has been trying to get even more legal
protections by having state legislatures pass versions of a bill
called the Uniform Computer Information Transactions Act
( http://www.badsoftware.com/uccindex.htm ).

Now, in order to muzzle its harshest critics, Microsoft launches a
'Gold' security partner program
( http://www.computerworld.com/storyba/0,4125,NAV47_STO66799,00.html ).
In the program the Security Partners must agree to abide by the
"Microsoft Code of Conduct"
( http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/12-20-2001/0001637554&EDATE= ). It carries out a proposal put forth by
Microsoft in November 2001 under which information about security
vulnerabilities would not be disclosed until patches to fix the
problems are available. Many in the security and research communities
contend that full disclosure of vulnerabilities is essential for
creating work-arounds while they wait for patches. Full disclosure can
also help stave off future security problems, they say.


So my take on this is simple. Microsoft's goal is not security; it is to:

1. Reduce its risk of legal actions and to provide evidence of 'due
   diligence'.

2. Interact with lawmakers to convince them that Microsoft is secure and
   the problems are the administrators of the systems and the security
   community.

3. On the PR side, it's to show a façade of increased security. Try to
   convince media that their product is secure.

4. Muzzle Microsoft's harshest critics with a "Security Partner
   Program". This way you can control at least some of the bad press
   while getting free help in finding security problems.

5. Use open source as the standard to compare Microsoft security with
   internally, but convince the media that open source is bad.



Now let's compare this with open source:

Open source has a long history of responding within days to security
concerns.

- This history goes back to 1988 when the Morris worm was released on
  the Internet and developers had security fixes within hours.

- The open source community has no history of hiding, bad-mouthing or
  restraining people from discussing security problems.

- The open source movement developed because many companies just did not
  want to produce great software.

So let's review up to this point. Microsoft is now fixing security
problems so they can reduce their risk of liability by showing "Due
Diligence", control discussion and reduce all of the bad press. The
open source community fixes problems when they are found and promotes
open discussion on how to improve the security.

Now which group is more security-driven and which is more trying to
cover their ass? You decide.

</Rant>

Joe Klein


-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf
Of InfoSec News
Sent: Thursday, March 28, 2002 2:03 AM
To: isn () attrition org
Subject: [ISN] MS vs. open source: Security's the same

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2857736,00.html

By Wayne Rash
March 25, 2002
wrash () mindspring com

I already know that you're going to hate what I have to say. You'll no
doubt send me strongly worded e-mails. Fine. We have a tough bunch
here at ZDNet, and we can take it.

When you read about the security problems of some open source
applications and operating systems, some of you have nodded
approvingly, and muttered words that sound a lot like "I told you so."
Let's face it, all the smugness about the superiority of open source
code has been pretty hard to take.

Of course, the open source people claim that such charges simply
aren't true. They say open source products are better because more
people work on them and then distribute the patches--meaning that
security holes get fixed right away. Microsoft, as the leading vendor
of proprietary software, claims the same thing.

The fact is, both sides have their share of problems--but neither side
has the edge when it comes to fixing security holes. You're just as
likely to encounter a security problem with open source code as you
are with Microsoft Windows, and the fix is just as likely to appear
quickly and be done properly.

Normally, this is the point where Microsoft gets trashed for its
seemingly endless list of security patches for Windows. That's not
going to happen here. Yes, Microsoft does have a long list of security
issues for which it has issued patches. But the fact that those
patches exist means somebody in Microsoft is making sure those fixes
are made.

According to Steve Lipner, Microsoft's Director of Security Assurance,
the company's Security Response Team operates seven days a week and
has been known to issue patches to Windows security within hours of
finding out about a problem. This sounds pretty responsive to me,
certainly as responsive as the open-source solution to fixes--hoping
someone steps up to the plate, creates a fix, and makes it available.

The problems with security are not greater or fewer with Microsoft's
code versus open source. They're just different. Want another opinion?
In the FBI's ongoing list of the top 20 security problems, the number
of Windows and open-source problems is about equal. The bottom line
is that you should choose your OS or Web server software by how well
it meets your needs--because these days, security really isn't the
differentiating factor.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
