February 17, 2004

Open Security: No Litmus Test

Chuck Talk writes "I read with some interest Larry Seltzer's article of the ideation that the source code leak for some portions of the Windows Operating Systems would prove a novel test for security. I am not sure how that can be so, for there is a whole host of issues that complicate the views that this could be considered some sort of litmus test for open-source security.

The simplest truth is that Microsoft cannot open its source code simply because there is so much cross-licensed code underlying their source. The legal hurdles to opening Microsoft source would be problematic if not a downright end-game for the company that has bought, crushed and rolled over all of its competition on the way to becoming what it is today.

I don't mean any disrespect to Larry, really, but I disagree with his statement: "If there are still meaningful attacks to wring out of the code, it will only be because there is security value in obscurity."

That is reaching for a conclusion. If there are attacks found, might it not be because there was a vulnerability there in the first place? Maybe what is found is a critical piece that is then patched by the White Hats that knocks out some of the other vulnerabilities that are widely distributed. I still do not believe that by keeping everything locked away that you always create value and best practices. Intelligence and other assets that need protection should be kept secret. Commercial Operating Systems that deliver infrastructure services need to be able to be quickly and adroitly patched, repaired and corrected."

Link: orangecrate.com

