Date: Sat, 20 Oct 2001 01:14:20 -0400 From: "Eric S. Raymond" esr@thyrsus.com Subject: If you can't stand the heat...
At
<http://www.microsoft.com/technet/columns/security/noarch.asp>
one Scott Culp, advertised to us as the “Manager of the
Microsoft Security Response Center”, exhorts people to stop
publishing information on computer security vulnerabilities.
Culp’s rant is a transparently self-serving and dishonest
attempt to shift the onus for epidemics like Code Red, Lion, and
NIMDA away from where it belongs, which is squarely on Microsoft’s
shoddy architecture and negligent engineering.
Culp is certainly right that no software will ever be perfectly
secure — but we know it’s possible to do a great deal better,
before and after the fact, than either Microsoft’s operating-system
design group or Mr. Culp’s bumbling bunch of Keystone Kops has ever
managed.
Open-source developers are not frightened of what Culp calls
“information anarchy”. That’s because we have confidence (a
confidence justified by the track record of Linux, the BSD
operating systems, and Apache) that our security holes will be
infrequent, the compromises they cause will be relatively minor,
and fixes will be rapidly developed and deployed.
And we’re not getting passed over by crackers because we have
fewer sites, either. Apache runs two thirds of the Web servers in
the world. When was the last time you heard about an Apache remote
compromise? There are many fewer IIS websites — and yet they are
constantly getting cracked. Because they’re soft targets.
Ultimately, this is because the ‘security’ in IIS and Windows is
incompetently designed, and its source code has never been
subjected to independent peer review.
Cryptographers and security experts have known for years that
peer review of open source code is the only reliable way to verify
the effectiveness of encryption systems and other security
software. So Microsoft’s closed-source mode of development
guarantees that customers will continue getting cracked and
Microsoft will continue pointing the finger of blame everywhere
except where it actually belongs. (In Microsoft-speak, this sort of
thing is called ‘innovation’.)
What Culp is really saying is that he doesn’t believe Microsoft
will ever get its act sufficiently together for Windows or IIS to
survive in a high-threat environment, so Microsoft wants to blame
someone else for the problem.
Here’s what I have to say to Mr. Culp: “If you can’t stand the
heat, get out of the kitchen. And if your OS can’t stand an
environment where attack tools are instantly disseminated, you
don’t belong in the operating-system business.”
Think of it as evolution in action…
--
Eric S. Raymond

The conclusion is thus inescapable that the history, concept, and wording of the second amendment to the Constitution of the United States, as well as its interpretation by every major commentator and court in the first half-century after its ratification, indicates that what is protected is an individual right of a private citizen to own and carry firearms in a peaceful manner.
-- Report of the Subcommittee On The Constitution of the Committee On The Judiciary, United States Senate, 97th Congress, second session (February, 1982), SuDoc# Y4.J 89/2: Ar 5/5