From: "Eric S. Raymond" <esr@thyrsus.com>
To: lwn@lwn.net, editors@linuxtoday.com, malda@slashdot.org, editor@linux.com, editors@newsforge.com
Subject: If you can't stand the heat...
Date: Sat, 20 Oct 2001 01:14:20 -0400

At <http://www.microsoft.com/technet/columns/security/noarch.asp> one Scott Culp, advertised to us as the "Manager of the Microsoft Security Response Center", exhorts people to stop publishing information on computer security vulnerabilities.

Culp's rant is a transparently self-serving and dishonest attempt to shift the onus for epidemics like Code Red, Lion, and NIMDA away from where it belongs, which is squarely on Microsoft's shoddy architecture and negligent engineering. Culp is certainly right that no software will ever be perfectly secure -- but we know it's possible to do a great deal better, before and after the fact, than either Microsoft's operating-system design group or Mr. Culp's bumbling bunch of Keystone Kops has ever managed.

Open-source developers are not frightened of what Culp calls "information anarchy". That's because we have confidence (a confidence justified by the track record of Linux, the BSD operating systems, and Apache) that our security holes will be infrequent, the compromises they cause will be relatively minor, and fixes will be rapidly developed and deployed.

And we're not getting passed over by crackers because we have fewer sites, either. Apache runs two thirds of the Web servers in the world. When was the last time you heard about an Apache remote compromise? There are many fewer IIS websites -- and yet they are constantly getting cracked. Because they're soft targets. Ultimately, this is because the `security' in IIS and Windows is incompetently designed, and its source code has never been subjected to independent peer review.
Cryptographers and security experts have known for years that peer review of open source code is the only reliable way to verify the effectiveness of encryption systems and other security software. So Microsoft's closed-source mode of development guarantees that customers will continue getting cracked and Microsoft will continue pointing the finger of blame everywhere except where it actually belongs. (In Microsoft-speak, this sort of thing is called `innovation'.)

What Culp is really saying is that he doesn't believe Microsoft will ever get its act sufficiently together for Windows or IIS to survive in a high-threat environment, so Microsoft wants to blame someone else for the problem.

Here's what I have to say to Mr. Culp: "If you can't stand the heat, get out of the kitchen. And if your OS can't stand an environment where attack tools are instantly disseminated, you don't belong in the operating-system business."

Think of it as evolution in action...

-- 
Eric S. Raymond <http://www.tuxedo.org/~esr/>

The conclusion is thus inescapable that the history, concept, and wording of the second amendment to the Constitution of the United States, as well as its interpretation by every major commentator and court in the first half-century after its ratification, indicates that what is protected is an individual right of a private citizen to own and carry firearms in a peaceful manner.
-- Report of the Subcommittee On The Constitution of the Committee On The Judiciary, United States Senate, 97th Congress, second session (February, 1982), SuDoc# Y4.J 89/2: Ar 5/5