![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: "Eric S. Raymond" <esr@thyrsus.com>
To: lwn@lwn.net, editors@linuxtoday.com, malda@slashdot.org, editor@linux.com,
editors@newsforge.com
Subject: If you can't stand the heat...
Date: Sat, 20 Oct 2001 01:14:20 -0400
At
<http://www.microsoft.com/technet/columns/security/noarch.asp>
one Scott Culp, advertised to us as the "Manager of the Microsoft
Security Response Center", exhorts people to stop publishing
information on computer security vulnerabilities.
Culp's rant is a transparently self-serving and dishonest attempt to
shift the onus for epidemics like Code Red, Lion, and NIMDA away from
where it belongs, which is squarely on Microsoft's shoddy architecture
and negligent engineering.
Culp is certainly right that no software will ever be perfectly secure
-- but we know it's possible to do a great deal better, before and
after the fact, than either Microsoft's operating-system design group
or Mr. Culp's bumbling bunch of Keystone Kops has ever managed.
Open-source developers are not frightened of what Culp calls
"information anarchy". That's because we have confidence (a
confidence justified by the track record of Linux, the BSD operating
systems, and Apache) that our security holes will be infrequent, the
compromises they cause will be relatively minor, and fixes will be
rapidly developed and deployed.
And we're not getting passed over by crackers because we have fewer
sites, either. Apache runs two thirds of the Web servers in the
world. When was the last time you heard about an Apache remote
compromise? There are many fewer IIS websites -- and yet they are
constantly getting cracked. Because they're soft targets.
Ultimately, this is because the `security' in IIS and Windows is
incompetently designed, and its source code has never been subjected
to independent peer review.
Cryptographers and security experts have known for years that peer
review of open source code is the only reliable way to verify the
effectiveness of encryption systems and other security software. So
Microsoft's closed-source mode of development guarantees that
customers will continue getting cracked and Microsoft will continue
pointing the finger of blame everywhere except where it actually
belongs. (In Microsoft-speak, this sort of thing is called
`innovation'.)
What Culp is really saying is that he doesn't believe Microsoft will ever get
its act sufficiently together for Windows or IIS to survive in a high-threat
environment, so Microsoft wants to blame someone else for the problem.
Here's what I have to say to Mr. Culp: "If you can't stand the heat,
get out of the kitchen. And if your OS can't stand an environment
where attack tools are instantly disseminated, you don't belong in the
operating-system business."
Think of it as evolution in action...
--
<a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>
The conclusion is thus inescapable that the history, concept, and
wording of the second amendment to the Constitution of the United
States, as well as its interpretation by every major commentator and
court in the first half-century after its ratification, indicates
that what is protected is an individual right of a private citizen
to own and carry firearms in a peaceful manner.
-- Report of the Subcommittee On The Constitution of the Committee On
The Judiciary, United States Senate, 97th Congress, second session
(February, 1982), SuDoc# Y4.J 89/2: Ar 5/5