A debate on Open Source security

A debate on the security of Open Source software.

From treed@ultraviolet.org Wed Nov 18 11:32:08 1998 -0800
Date: Wed, 18 Nov 1998 11:32:08 -0800 (PST)
From: Tracy R Reed 
To: lewm@sj.bigger.net
Subject: security?
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 
X-Keywords:
X-UID: 1

You wrote:

>I refer specifically to the security issues raised in regard to open
>source.

What security issues? The article didn't mention security.

--
Tracy Reed      http://www.ultraviolet.org
In 1984 mainstream users were choosing VMS over UNIX.  Ten years later
they are choosing Windows over UNIX.  What part of that message aren't you
getting? - Tom Payne


From treed@ultraviolet.org Sat Nov 21 19:59:24 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 22541 invoked by uid 0); 21 Nov 1998 19:59:21 -0000
Received: from dfw-ix9.ix.netcom.com (206.214.98.9)
  by dt052n1a.san.rr.com with SMTP; 21 Nov 1998 19:59:21 -0000
Received: (from smap@localhost)
          by dfw-ix9.ix.netcom.com (8.8.4/8.8.4)
	  id NAA08165 for ; Sat, 21 Nov 1998 13:58:52 -0600 (CST)
Received: from sji-ca3-166.ix.netcom.com(209.109.233.166) by dfw-ix9.ix.netcom.com via smap (V1.3)
	id rma008148; Sat Nov 21 13:58:29 1998
Message-ID: <36571B58.89B6D56A@lamlaw.com>
Date: Sat, 21 Nov 1998 11:58:16 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: treed@ultraviolet.org
Subject: OSS Security
References: <36570E49.14E65BC6@sj.bigger.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 3

Tracy,

Please see the following web page for security issues related to OS.

http://LewisMettler.software-engineering.webjump.com/

Lewis

> 
> -------- Original Message --------
> Subject: security?
> Date: Wed, 18 Nov 1998 11:32:08 -0800 (PST)
> From: Tracy R Reed 
> To: lewm@sj.bigger.net
> 
> You wrote:
> 
> >I refer specifically to the security issues raised in regard to open
> >source.
> 
> What security issues? The article didn't mention security.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> In 1984 mainstream users were choosing VMS over UNIX.  Ten years later
> they are choosing Windows over UNIX.  What part of that message aren't
> you
> getting? - Tom Payne

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Mon Nov 23 12:57:23 1998 -0800
Date: Mon, 23 Nov 1998 12:57:22 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <36571B58.89B6D56A@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 
X-Keywords:
X-UID: 4

On Sat, 21 Nov 1998, Lewis A. Mettler wrote:

> Please see the following web page for security issues related to OS.
> 
> http://LewisMettler.software-engineering.webjump.com/

Very interesting. A few comments:

>I just do not count machines locked away such that no one can touch them.

Ditto. Once someone has physical access to the hardware, all bets are off.

>How does the system make certain that only the authorized persons can
>gain "top dog" status?  Well. The OS does that.  But, the OS (one rule or
>all of them) can be changed.  How can it be changed?

This applies to all OS's and has little to do with Open Source.

>The OS can simply be changed by altering the source code and preparing a
>new build of the OS.  That new build can be installed.  And, ONLY THE

"simply"? Easier said than done. This applies to commercial OS's too BTW.

>not controlled by the current version installed on the machine, but
>rather by whomever happens to have the source code and access to the
>machine last such that a new version of the OS can be installed.  Only

Here's where you overlook something VERY important: The bad guys have the
source code to the commercial operating systems too. Do you know what a
"root kit" is? It is a special set of operating system components which
are used to replace programs in a machine which allow the attacker to hide
his tracks and to regain access later. One needs root access to be able to
install it. This is often achieved via buffer overflow or poor password
security. One needs the source to build the root kit. This is often
obtained through leaked source via source licensing. Root kits exist for
all of the major commercial unix's. It is not possible to make one without
the source, as you mentioned.

Security through obscurity is no security at all.

>The result is that the security of an open source system is only as good
>as the most recent installation is an honest one.  But, it may be next to
>impossible to guarantee that such is the case.

Not true at all. Are you familiar with a program called tripwire? After I
install a secure system I run tripwire over all of the files installed
which generates md5 checksums. These checksums are stored on a physically
write protected floppy. New checksums are generated every night and
compared with the checksums on the floppy. A report is mailed to the
administrator of new files, deleted files, and files that changed. I run
this on my system at home with a dedicated net connection and on the
firewall at work. It works extremely well. This program has been around
for years.

>Are you going to send someone around to each machine every day to verify
>the OS has not been reinstalled with a bogus version?

My systems do that every night automatically with tripwire.

>This is a serious problem.  The only solution is by way of managerial
>acts and  procedures. 

Nope. The astute admin is aware of the technical solutions which I have
presented.

>Save your complaints about the security or lack of security for closed
>systems.  

Closed source systems have all of the security problems that open source
systems have. But open source systems have peer review. I think this gives
them the edge.

>Save your charges that this is only FUD.  You should fear the problem.
>But, there is no uncertainty or doubt about it.

I think my comments above show that it is FUD, even though it may not be
spread out of malice, but rather lack of information.

>How do you attack an open source OS?  Find the rule that gets into your
>way and change it.  Compile the program.  And, install the new build.
>Simple and unlimited.  And, possibly not detectable.

You attack a closed source OS in exactly the same way, and it is
definitely detectable.

--
Tracy Reed      http://www.ultraviolet.org
"We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
by Steven McGeady
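
The baseline-and-compare routine described in the message above, as an added example that is not part of the original correspondence and is not Tripwire's own code. It uses SHA-256 where the message mentions MD5 and also records permission bits; the function names, the JSON baseline format and the sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative path: [sha256, permission bits, size]} for regular files."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            if not stat.S_ISREG(info.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = [hash_file(full), stat.S_IMODE(info.st_mode), info.st_size]
    return records


def save_baseline(records, path):
    """Write the baseline; in real use this file goes onto read-only media."""
    with open(path, "w") as handle:
        json.dump(records, handle, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


def compare(baseline, current):
    """Classify paths as added, deleted or changed relative to the baseline."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def format_report(diff):
    """Plain-text report of the kind that would be mailed to the administrator."""
    lines = []
    for kind in ("added", "deleted", "changed"):
        for path in diff[kind]:
            lines.append(f"{kind.upper():8} {path}")
    return "\n".join(lines) or "no differences"


def _write(root, rel, data, mode):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)
    os.chmod(full, mode)


def demo():
    """Build a constructed sample tree, alter it, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as media:
        _write(tree, "bin/login", b"login v1.0 original\n", 0o755)
        _write(tree, "bin/ls", b"ls v1.0\n", 0o755)
        _write(tree, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n", 0o644)

        # "media" stands in for the write-protected floppy: it lives outside
        # the monitored tree, so rewriting files in the tree cannot touch it.
        baseline_path = os.path.join(media, "baseline.json")
        save_baseline(snapshot(tree), baseline_path)

        # Constructed changes of the kind the nightly run should report.
        _write(tree, "bin/login", b"login v1.0 backdoor\n", 0o755)  # same size
        os.remove(os.path.join(tree, "bin/ls"))
        _write(tree, "bin/.hidden", b"dropped file\n", 0o755)
        os.chmod(os.path.join(tree, "etc/passwd"), 0o666)

        return compare(load_baseline(baseline_path), snapshot(tree))


if __name__ == "__main__":
    print(format_report(demo()))
```

The replaced `bin/login` has the same length as the original, so a size check alone would miss it; the digest comparison is what reports it.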


From treed@ultraviolet.org Mon Nov 23 21:10:28 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 24260 invoked by uid 0); 23 Nov 1998 21:10:28 -0000
Received: from dfw-ix1.ix.netcom.com (206.214.98.1)
  by dt052n99.san.rr.com with SMTP; 23 Nov 1998 21:10:28 -0000
Received: (from smap@localhost)
          by dfw-ix1.ix.netcom.com (8.8.4/8.8.4)
	  id PAA19025 for ; Mon, 23 Nov 1998 15:09:50 -0600 (CST)
Received: from sji-ca36-215.ix.netcom.com(207.92.172.215) by dfw-ix1.ix.netcom.com via smap (V1.3)
	id rma018982; Mon Nov 23 15:09:15 1998
Message-ID: <3659CEE8.51820A09@lamlaw.com>
Date: Mon, 23 Nov 1998 13:08:56 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 5

Tracy,

Tracy R Reed wrote:
> 
> On Sat, 21 Nov 1998, Lewis A. Mettler wrote:
> 
> > Please see the following web page for security issues related to OS.
> >
> > http://LewisMettler.software-engineering.webjump.com/
> 
> Very interesting. A few comments:
> 
> >I just do not count machines locked away such that no one can touch them.
> 
> Ditto. Once someone has physical access to the hardware, all bets are off.

False.  Security has been a required capability of computer systems for
a long time.  Even those machines with physical access.

> 
> >How does the system make certain that only the authorized persons can
> >gain "top dog" status?  Well. The OS does that.  But, the OS (one rule or
> >all of them) can be changed.  How can it be changed?
> 
> This applies to all OS's and has little to do with Open Source.

Do not equate security where you can not change the rules with one where
you can.  They do not equate at all.

> 
> >The OS can simply be changed by altering the source code and preparing a
> >new build of the OS.  That new build can be installed.  And, ONLY THE
> 
> "simply"? Easier said than done. This applies to commercial OS's too BTW.

False.  Without the source code, it is very difficult to complete those
same acts that are simple with it.

Do you seriously suggest that you can debug and fix any application just
as easily without the source code?

I know of no one who thinks so.

And open source makes it just as easy to sabotage as fix.  

This is not the same as without the source. And, it never will be.

> 
> >not controlled by the current version installed on the machine, but
> >rather by whomever happens to have the source code and access to the
> >machine last such that a new version of the OS can be installed.  Only
> 
> Here's where you overlook something VERY important: The bad guys have the
> source code to the commercial operating systems too. Do you know what a
> "root kit" is? It is a special set of operating system components which
> are used to replace programs in a machine which allow the attacker to hide
> his tracks and to regain access later. One needs root access to be able to
> install it. This is often achieved via buffer overflow or poor password
> security. One needs the source to build the root kit. This is often
> obtained through leaked source via source licensing. Root kits exist for
> all of the major commercial unix's. It is not possible to make one without
> the source, as you mentioned.
> 
> Security through obscurity is no security at all.

False.  It makes a nice tag line.  But, it is false.  An awful lot of
security is based upon obscurity.

You are only wishfully thinking.

> 
> >The result is that the security of an open source system is only as good
> >as the most recent installation is an honest one.  But, it may be next to
> >impossible to guarantee that such is the case.
> 
> Not true at all. Are you familiar with a program called tripwire? After I
> install a secure system I run tripwire over all of the files installed
> which generates md5 checksums. These checksums are stored on a physically
> write protected floppy. New checksums are generated every night and
> compared with the checksums on the floppy. A report is mailed to the
> administrator of new files, deleted files, and files that changed. I run
> this on my system at home with a dedicated net connection and on the
> firewall at work. It works extremely well. This program has been around
> for years.
> 
> >Are you going to send someone around to each machine every day to verify
> >the OS has not been reinstalled with a bogus version?
> 
> My systems do that every night automatically with tripwire.
> 
> >This is a serious problem.  The only solution is by way of managerial
> >acts and  procedures.
> 
> Nope. The astute admin is aware of the technical solutions which I have
> presented.

Perhaps.  But what is the extra expense?

> 
> >Save your complaints about the security or lack of security for closed
> >systems.
> 
> Closed source systems have all of the security problems that open source
> systems have. But open source systems have peer review. I think this gives
> them the edge.

This is a false statement. It is simply not true.



> 
> >Save your charges that this is only FUD.  You should fear the problem.
> >But, there is no uncertainty or doubt about it.
> 
> I think my comments above show that it is FUD, even though it may not be
> spread out of malice, but rather lack of information.
> 
> >How do you attack an open source OS?  Find the rule that gets into your
> >way and change it.  Compile the program.  And, install the new build.
> >Simple and unlimited.  And, possibly not detectable.
> 
> You attack a closed source OS in exactly the same way, and it is
> definitely detectable.

False.  You do not understand the problem at all.

> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
> by Steven McGeady

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Mon Nov 23 13:53:05 1998 -0800
Date: Mon, 23 Nov 1998 13:53:04 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <3659CEE8.51820A09@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 
X-Keywords:
X-UID: 6

On Mon, 23 Nov 1998, Lewis A. Mettler wrote:

> False.  Security has been a required capability of computer systems for
> a long time.  Even those machines with physical access.

huh? Yeah, security against someone with physical access is nice, but
neither closed source nor open source software has this because it is a
hardware issue. I probably shouldn't have even addressed the issue because
it is not relevant to open/closed source but how do you propose to secure
a system from intruders who have physical access to the hardware? I do not
know of any operating systems that do this because this is beyond the
scope of operating systems. I don't really even know of any hardware
solutions that do this short of lock and key which is exactly what I use
to secure my hardware.

> Do not equate security where you can not change the rules with one where
> you can.  They do not equate at all.

That is not what I am doing. The OS controls the rules and makes certain
that only authorized persons can gain root access whether the OS is closed
or open sourced. This is what I am equating.

> False.  Without the source code, it is very difficult to complete those
> same acts that are simple with it.

You said the OS can be changed by altering the source code and preparing a
new build of the OS. This is true of closed and open sourced OS's.
Traditionally, only the developer of the closed source OS can do this. But
he CAN do it. True, one needs the source to do this.

> Do you seriously suggest that you can debug and fix any application just
> as easily without the source code?

Nope, not at all.

> False.  It makes a nice tag line.  But, it is false.  An awful lot of
> security is based upon obscurity.

How many times have passwords been guessed, sniffed, decrypted? Bugs in
source been found and exploited? Security through obscurity is being
broken all the time. I think history speaks for itself. I do not know of
any cases, however, where a SecurID token or 1024 bit public key has been
foiled. Luminaries such as Bruce Schneier and Phil Zimmermann agree with me
on this one.

> Perhaps.  But what is the extra expense?

All of the tools I have mentioned are free and can be set up in minutes.

> This is a false statement. It is simply not true.

When the bad guys have access to the source, which they do, commercial
OS's inherit the problems of open source OS's.

> False.  You do not understand the problem at all.

So explain it to me.

--
Tracy Reed      http://www.ultraviolet.org
"We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
by Steven McGeady


From treed@ultraviolet.org Mon Nov 23 21:57:27 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 26071 invoked by uid 0); 23 Nov 1998 21:57:26 -0000
Received: from dfw-ix9.ix.netcom.com (206.214.98.9)
  by dt052n99.san.rr.com with SMTP; 23 Nov 1998 21:57:26 -0000
Received: (from smap@localhost)
          by dfw-ix9.ix.netcom.com (8.8.4/8.8.4)
	  id PAA23710 for ; Mon, 23 Nov 1998 15:56:55 -0600 (CST)
Received: from smx-ca12-23.ix.netcom.com(207.92.172.215) by dfw-ix9.ix.netcom.com via smap (V1.3)
	id rma023666; Mon Nov 23 15:56:17 1998
Message-ID: <3659D9EF.8ACDD951@lamlaw.com>
Date: Mon, 23 Nov 1998 13:55:59 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 7

Tracy,

I suggest you study the security differences between having the source
code and not having it.

It is identical to that of having the source code for a customer
application.

When companies write applications they do not discard the source for a
very good reason.

What you are suggesting is that could just as well toss it.

Lewis



Tracy R Reed wrote:
> 
> On Mon, 23 Nov 1998, Lewis A. Mettler wrote:
> 
> > False.  Security has been a required capability of computer systems for
> > a long time.  Even those machines with physical access.
> 
> huh? Yeah, security against someone with physical access is nice, but
> neither closed source nor open source software has this because it is a
> hardware issue. I probably shouldn't have even addressed the issue because
> it is not relevant to open/closed source but how do you propose to secure
> a system from intruders who have physical access to the hardware? I do not
> know of any operating systems that do this because this is beyond the
> scope of operating systems. I don't really even know of any hardware
> solutions that do this short of lock and key which is exactly what I use
> to secure my hardware.
> 
> > Do not equate security where you can not change the rules with one where
> > you can.  They do not equate at all.
> 
> That is not what I am doing. The OS controls the rules and makes certain
> that only authorized persons can gain root access whether the OS is closed
> or open sourced. This is what I am equating.
> 
> > False.  Without the source code, it is very difficult to complete those
> > same acts that are simple with it.
> 
> You said the OS can be changed by altering the source code and preparing a
> new build of the OS. This is true of closed and open sourced OS's.
> Traditionally, only the developer of the closed source OS can do this. But
> he CAN do it. True, one needs the source to do this.
> 
> > Do you seriously suggest that you can debug and fix any application just
> > as easily without the source code?
> 
> Nope, not at all.
> 
> > False.  It makes a nice tag line.  But, it is false.  An awful lot of
> > security is based upon obscurity.
> 
> How many times have passwords been guessed, sniffed, decrypted? Bugs in
> source been found and exploited? Security through obscurity is being
> broken all the time. I think history speaks for itself. I do not know of
> any cases, however, where a SecurID token or 1024 bit public key has been
> foiled. Luminaries such as Bruce Schneier and Phil Zimmermann agree with me
> on this one.
> 
> > Perhaps.  But what is the extra expense?
> 
> All of the tools I have mentioned are free and can be set up in minutes.
> 
> > This is a false statement. It is simply not true.
> 
> When the bad guys have access to the source, which they do, commercial
> OS's inherit the problems of open source OS's.
> 
> > False.  You do not understand the problem at all.
> 
> So explain it to me.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
> by Steven McGeady

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Mon Nov 23 14:04:58 1998 -0800
Date: Mon, 23 Nov 1998 14:04:58 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <3659D9EF.8ACDD951@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 
X-Keywords:
X-UID: 8

On Mon, 23 Nov 1998, Lewis A. Mettler wrote:

> When companies write applications they do not discard the source for a
> very good reason.
> 
> What you are suggesting is that could just as well toss it.

I have not suggested anywhere that a company should throw away the source
code for their product. What have I said that might seem to imply this?
Throwing away the source code is always a bad idea.

What I AM saying is that keeping the OS code secret because it always
leaks (historically proven by the existence of root kits) and that it is in
the best interest of security to open the source.

My point is, and always has been, that there are no security disadvantages
to open source software when compared to closed source software and that
there is an advantage to peer reviewed code.

--
Tracy Reed      http://www.ultraviolet.org
"We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
by Steven McGeady



From treed@ultraviolet.org Mon Nov 23 22:16:23 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 27475 invoked by uid 0); 23 Nov 1998 22:16:23 -0000
Received: from dfw-ix4.ix.netcom.com (206.214.98.4)
  by dt052n99.san.rr.com with SMTP; 23 Nov 1998 22:16:23 -0000
Received: (from smap@localhost)
          by dfw-ix4.ix.netcom.com (8.8.4/8.8.4)
	  id QAA07719 for ; Mon, 23 Nov 1998 16:15:45 -0600 (CST)
Received: from smx-ca12-23.ix.netcom.com(207.92.172.215) by dfw-ix4.ix.netcom.com via smap (V1.3)
	id rma007686; Mon Nov 23 16:15:24 1998
Message-ID: <3659DE69.52BB7860@lamlaw.com>
Date: Mon, 23 Nov 1998 14:15:05 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 9

Tracy,

Well.  Tossing the source is key to understanding the nature of the
security problem with OSS.

You keep saying the words "no security problem with OS".  That is false.

If anyone wants to attack your system it is very much easier with the
source compared to without it.

If anyone wants to fix a bug in your application it is very much easier
with the source compared to without it.

Do you understand the concept?   They are identical.  They use the same
steps.  They may both be accomplished at the same time.

Having the source permits almost anyway to sabotage the system.

Because the source code is available the number and extent of attacks
are unlimited.

Without the source, the number and extent of attacks are limited.

Some are the same either way. Yes.  But, many can ONLY BE CONDUCTED WITH
THE SOURCE CODE.

That is why it is different.

Do you understand what the word "different" means?

Lewis





Tracy R Reed wrote:
> 
> On Mon, 23 Nov 1998, Lewis A. Mettler wrote:
> 
> > When companies write applications they do not discard the source for a
> > very good reason.
> >
> > What you are suggesting is that could just as well toss it.
> 
> I have not suggested anywhere that a company should throw away the source
> code for their product. What have I said that might seem to imply this?
> Throwing away the source code is always a bad idea.
> 
> What I AM saying is that keeping the OS code secret because it always
> leaks (historically proven by the existence of root kits) and that it is in
> the best interest of security to open the source.
> 
> My point is, and always has been, that there are no security disadvantages
> to open source software when compared to closed source software and that
> there is an advantage to peer reviewed code.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
> by Steven McGeady

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Mon Nov 23 14:27:15 1998 -0800
Date: Mon, 23 Nov 1998 14:27:14 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <3659DE69.52BB7860@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 10

On Mon, 23 Nov 1998, Lewis A. Mettler wrote:

> If anyone wants to attack your system it is very much easier with the
> source compared to without it.

I agree with you completely.

> If anyone wants to fix a bug in your application it is very much easier
> with the source compared to without it.

Absolutely.

> Do you understand the concept?   They are identical.  They use the same
> steps.  They may both be accomplished at the same time.

I believe I do.

> Having the source permits almost anyway to sabotage the system.

This depends. You can't sabotage my systems, and you have the source.
There are no known defects in the code which would allow you root access,
thanks to peer review.  I have also demonstrated how even if you got root,
replacing binaries is not possible.

> Because the source code is available the number and extent of attacks
> are unlimited.

Depends on what sort of attacks. If you were able to find a bug in the
source that had been overlooked, it is possible that you might be able to
pull off an attack. The attack would not go undetected if you made any
changes in the filesystem. 

> Without the source, the number and extent of attacks are limited.

True again.

> Some are the same either way. Yes.  But, many can ONLY BE CONDUCTED WITH
> THE SOURCE CODE.

I agree absolutely.

Now, hear this:

THE REAL BAD GUYS HAVE THE SOURCE!!!!!!!!!!!!!

YES! It's true! Solaris! HP-UX! SCO! Even....*GASP*....Windows NT!!!!!!!!!

I'll pause while you regain your composure...

Now that the people who attack your systems have the source code, what do
you propose to do about it?

--
Tracy Reed      http://www.ultraviolet.org
"We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
by Steven McGeady


From treed@ultraviolet.org Mon Nov 23 22:44:14 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 30951 invoked by uid 0); 23 Nov 1998 22:44:13 -0000
Received: from dfw-ix11.ix.netcom.com (206.214.98.11)
  by dt052n99.san.rr.com with SMTP; 23 Nov 1998 22:44:13 -0000
Received: (from smap@localhost)
          by dfw-ix11.ix.netcom.com (8.8.4/8.8.4)
	  id QAA14885 for ; Mon, 23 Nov 1998 16:43:36 -0600 (CST)
Received: from smx-ca12-23.ix.netcom.com(207.92.172.215) by dfw-ix11.ix.netcom.com via smap (V1.3)
	id rma014768; Mon Nov 23 16:42:52 1998
Message-ID: <3659E4D9.C465530D@lamlaw.com>
Date: Mon, 23 Nov 1998 14:42:33 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 11

Tracy,

With the source code, I do not need anything from you but access.

You must still be assuming that a defect is the source of the attack. 
It is not.

It is simply the ability to re-write parts of the OS and install it.

I do not even need your "root" pass.

I can replace your entire OS at will.  And, so can 7+ million others
including some you hire.

Lewis



Tracy R Reed wrote:
> 
> On Mon, 23 Nov 1998, Lewis A. Mettler wrote:
> 
> > If anyone wants to attack your system it is very much easier with the
> > source compared to without it.
> 
> I agree with you completely.
> 
> > If anyone wants to fix a bug in your application it is very much easier
> > with the source compared to without it.
> 
> Absolutely.
> 
> > Do you understand the concept?   They are identical.  They use the same
> > steps.  They may both be accomplished at the same time.
> 
> I believe I do.
> 
> > Having the source permits almost anyway to sabotage the system.
> 
> This depends. You can't sabotage my systems, and you have the source.
> There are no known defects in the code which would allow you root access,
> thanks to peer review.  I have also demonstrated how even if you got root,
> replacing binaries is not possible.
> 
> > Because the source code is available the number and extent of attacks
> > are unlimited.
> 
> Depends on what sort of attacks. If you were able to find a bug in the
> source that had been overlooked, it is possible that you might be able to
> pull off an attack. The attack would not go undetected if you made any
> changes in the filesystem.
> 
> > Without the source, the number and extent of attacks are limited.
> 
> True again.
> 
> > Some are the same either way. Yes.  But, many can ONLY BE CONDUCTED WITH
> > THE SOURCE CODE.
> 
> I agree absolutely.
> 
> Now, hear this:
> 
> THE REAL BAD GUYS HAVE THE SOURCE!!!!!!!!!!!!!
> 
> YES! It's true! Solaris! HP-UX! SCO! Even....*GASP*....Windows NT!!!!!!!!!
> 
> I'll pause while you regain your composure...
> 
> Now that the people who attack your systems have the source code, what do
> you propose to do about it?
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
> by Steven McGeady

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Mon Nov 23 16:28:40 1998 -0800
Date: Mon, 23 Nov 1998 16:28:40 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <3659E4D9.C465530D@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 12

On Mon, 23 Nov 1998, Lewis A. Mettler wrote:

> It is simply the ability to re-write parts of the OS and install it.
> 
> I do not even need your "root" pass.
> 
> I can replace your entire OS at will.  And, so can 7+ million others
> including some you hire.

So how can they do this? How could someone reinstall part of the OS on the
machine I am typing on assuming that there are no code defects? How would
they get into the machine to do this? 

--
Tracy Reed      http://www.ultraviolet.org
"We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
by Steven McGeady


From treed@ultraviolet.org Tue Nov 24 00:45:51 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 3548 invoked by uid 0); 24 Nov 1998 00:45:51 -0000
Received: from dfw-ix2.ix.netcom.com (206.214.98.2)
  by dt052n99.san.rr.com with SMTP; 24 Nov 1998 00:45:51 -0000
Received: (from smap@localhost)
          by dfw-ix2.ix.netcom.com (8.8.4/8.8.4)
	  id SAA19089 for ; Mon, 23 Nov 1998 18:45:14 -0600 (CST)
Received: from sji-ca36-215.ix.netcom.com(207.92.172.215) by dfw-ix2.ix.netcom.com via smap (V1.3)
	id rma019043; Mon Nov 23 18:44:40 1998
Message-ID: <365A0165.73CC3AB5@lamlaw.com>
Date: Mon, 23 Nov 1998 16:44:21 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 13

Tracy,

Are you playing dumb?

Do you know how to install an OS?

Lewis

Tracy R Reed wrote:
> 
> On Mon, 23 Nov 1998, Lewis A. Mettler wrote:
> 
> > It is simply the ability to re-write parts of the OS and install it.
> >
> > I do not even need your "root" pass.
> >
> > I can replace your entire OS at will.  And, so can 7+ million others
> > including some you hire.
> 
> So how can they do this? How could someone reinstall part of the OS on the
> machine I am typing on assuming that there are no code defects? How would
> they get into the machine to do this?
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
> by Steven McGeady

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Mon Nov 23 16:57:56 1998 -0800
Date: Mon, 23 Nov 1998 16:57:55 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365A0165.73CC3AB5@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 14

On Mon, 23 Nov 1998, Lewis A. Mettler wrote:

> Tracy,
> 
> Are you playing dumb?
> 
> Do you know how to install an OS?

Yes, I do know how. It seems that you are being deliberately vague in an
effort to conceal the weakness of your position.

Let me guess at what it is you are saying:

A: Someone with physical access to my machine can reinstall a modified
version of the OS, giving them access.

My reply to this would be that they can do the same thing with commercial
operating systems. Although getting physical access to the hardware is
*extremely* difficult. You actually have to perform physical breaking and
entering and get in and out undetected. Here we have 3 locked doors and
two alarm systems standing between the computer and the parking lot. But
since hackers have access to the source of commercial operating systems,
it is possible if they were to gain physical access to the machine. Of
course, someone would probably notice a reboot of the machine, logs on
other machines would indicate that it was inaccessible for a while,
and there would be evidence of physical break in. This ploy is not likely
to succeed. At least the attackers could regenerate the tripwire database.
:)

B: Someone with network access to my machine can somehow reinstall my
operating system or some part of it over the network.

This *requires* a defect in the OS, by definition. Either in the design or
in the implementation of the OS, there must be a defect. Operating system
files should not be modifiable in any way by unauthorized individuals. If
they are, it is a defect.

--
Tracy Reed      http://www.ultraviolet.org
"We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
by Steven McGeady


From treed@ultraviolet.org Tue Nov 24 18:24:31 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 10215 invoked by uid 0); 24 Nov 1998 18:24:31 -0000
Received: from dfw-ix14.ix.netcom.com (206.214.98.14)
  by dt052n99.san.rr.com with SMTP; 24 Nov 1998 18:24:31 -0000
Received: (from smap@localhost)
          by dfw-ix14.ix.netcom.com (8.8.4/8.8.4)
	  id MAA25549 for ; Tue, 24 Nov 1998 12:23:56 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix14.ix.netcom.com via smap (V1.3)
	id rma025487; Tue Nov 24 12:23:24 1998
Message-ID: <365AF986.60D1C57@lamlaw.com>
Date: Tue, 24 Nov 1998 10:23:02 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 15

Tracy,

Please see inserts.

Tracy R Reed wrote:
> 
> On Mon, 23 Nov 1998, Lewis A. Mettler wrote:
> 
> > Tracy,
> >
> > Are you playing dumb?
> >
> > Do you know how to install an OS?
> 
> Yes, I do know how. It seems that you are being deliberately vague in an
> effort to conceal the weakness of your position.
> 
> Let me guess at what it is you are saying:
> 
> A: Someone with physical access to my machine can reinstall a modified
> version of the OS, giving them access.
> 
> My reply to this would be that they can do the same thing with commercial
> operating systems. 

Absolutely false.  Please try re-writing Windows NT and install it.

Please try re-writing HP-UX and installing your version.





> Although getting physical access to the hardware is
> *extremely* difficult. 

False.  Companies hire people every day and give them access as part of
their job.

Those are the people you need to worry about.  You still assume some guy
down the street.

I do not.

Security problems are not nor have they ever been limited to the
"outsider".

Disgruntled employees have always been a major security problem.  They
are even more of a threat with OS.

Lewis



> You actually have to perform physical breaking and
> entering and get in and out undetected. Here we have 3 locked doors and
> two alarm systems standing between the computer and the parking lot. But
> since hackers have access to the source of commercial operating systems,
> it is possible if they were to gain physical access to the machine. Of
> course, someone would probably notice a reboot of the machine, logs on
> other machines would indicate that it was inaccessible for a while,
> and there would be evidence of physical break in. This ploy is not likely
> to succeed. At least the attackers could regenerate the tripwire database.
> :)
> 
> B: Someone with network access to my machine can somehow reinstall my
> operating system or some part of it over the network.
> 
> This *requires* a defect in the OS, by definition. Either in the design or
> in the implementation of the OS, there must be a defect. Operating system
> files should not be modifiable in any way by unauthorized individuals. If
> they are, it is a defect.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "We blew it -- too big, too slow..." - Bill Gates talking about NT, as noted
> by Steven McGeady

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Tue Nov 24 10:28:16 1998 -0800
Date: Tue, 24 Nov 1998 10:28:16 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365AF986.60D1C57@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 16

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> > My reply to this would be that they can do the same thing with commercial
> > operating systems. 
> 
> Absolutely false.  Please try re-writing Windows NT and install it.
> 
> Please try re-writing HP-UX and installing your version.

You still don't get it. The source to these things is available! Not
legally, by any means, but it is there. Rewriting NT and HP-UX is
possible and has been done.

> Disgruntled employees have always been a major security problem.  They
> are even more of a threat with OS.

Yes, and they can get the OS source no matter what OS you use.

--
Tracy Reed      http://www.ultraviolet.org
Your mouse has moved. Please wait while Windows reboots so the change can
take effect.


From treed@ultraviolet.org Tue Nov 24 18:33:18 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 10640 invoked by uid 0); 24 Nov 1998 18:33:17 -0000
Received: from dfw-ix11.ix.netcom.com (206.214.98.11)
  by dt052n99.san.rr.com with SMTP; 24 Nov 1998 18:33:17 -0000
Received: (from smap@localhost)
          by dfw-ix11.ix.netcom.com (8.8.4/8.8.4)
	  id MAA28580 for ; Tue, 24 Nov 1998 12:31:12 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix11.ix.netcom.com via smap (V1.3)
	id rma028554; Tue Nov 24 12:30:49 1998
Message-ID: <365AFB43.18FB651@lamlaw.com>
Date: Tue, 24 Nov 1998 10:30:27 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 17

Tracy,

Being available to someone is not the same as being available for $40
down at the corner store.

Lewis

Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > > My reply to this would be that they can do the same thing with commercial
> > > operating systems.
> >
> > Absolutely false.  Please try re-writing Windows NT and install it.
> >
> > Please try re-writing HP-UX and installing your version.
> 
> You still don't get it. The source to these things is available! Not
> legally, by any means, but it is there. Rewriting NT and HP-UX is
> possible and has been done.
> 
> > Disgruntled employees have always been a major security problem.  They
> > are even more of a threat with OS.
> 
> Yes, and they can get the OS source no matter what OS you use.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Your mouse has moved. Please wait while Windows reboots so the change can
> take effect.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Tue Nov 24 10:48:10 1998 -0800
Date: Tue, 24 Nov 1998 10:48:10 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365AFB43.18FB651@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 18

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> Being available to someone is not the same as being available for $40
> down at the corner store.

To the kind of people who are going to be breaking into major financial
institutions, systems containing trade secrets, and other places who have
a lot to lose, they are exactly the same.

Your attack scenario requires physical access to the machine. I can
provide more than adequate physical security to mitigate this risk. The
only avenue left is logical attack. It makes sense to me (and the world's
leading computer security authorities) that peer reviewed code is the best
way to prevent that. Bernstein, Venema, Schneier, Zimmermann, Blaze, Diffie,
Hellman, they all seem to agree that open code is better code. Who are you
to disagree with not only these people but the entire security industry at
large? Please cite one reference other than your own web page which
promotes closed source as a superior security solution.

And you still have not explained how someone is going to reinstall my OS
in the first place. To suggest that one of the few people with keys to the
computer room would do so is pointless because this can happen to
commercial operating systems as well. You keep harping on source
availability. Not only is it proven that commercial OS source is available
illegally, but all you have to do is boot the system from a boot disk and
put "+ +" in the ~root/.rhosts file and you can login from anywhere
anyway. Changing the source is NOT the only way to backdoor a system.
There are many runtime configurations which can be set up that will allow
this sort of thing.

--
Tracy Reed      http://www.ultraviolet.org
Your mouse has moved. Please wait while Windows reboots so the change can
take effect.


From treed@ultraviolet.org Tue Nov 24 18:57:34 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 12696 invoked by uid 0); 24 Nov 1998 18:57:34 -0000
Received: from dfw-ix13.ix.netcom.com (206.214.98.13)
  by dt052n99.san.rr.com with SMTP; 24 Nov 1998 18:57:34 -0000
Received: (from smap@localhost)
          by dfw-ix13.ix.netcom.com (8.8.4/8.8.4)
	  id MAA24990 for ; Tue, 24 Nov 1998 12:57:03 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix13.ix.netcom.com via smap (V1.3)
	id rma024922; Tue Nov 24 12:56:39 1998
Message-ID: <365B0151.24C0DF3A@lamlaw.com>
Date: Tue, 24 Nov 1998 10:56:17 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 19

Tracy,

You continue to ignore the problem.

I do not think I can help you.

Lewis

Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > Being available to someone is not the same as being available for $40
> > down at the corner store.
> 
> To the kind of people who are going to be breaking into major financial
> institutions, systems containing trade secrets, and other places who have
> a lot to lose, they are exactly the same.
> 
> Your attack scenario requires physical access to the machine. I can
> provide more than adequate physical security to mitigate this risk. The
> only avenue left is logical attack. It makes sense to me (and the world's
> leading computer security authorities) that peer reviewed code is the best
> way to prevent that. Bernstein, Venema, Schneier, Zimmermann, Blaze, Diffie,
> Hellman, they all seem to agree that open code is better code. Who are you
> to disagree with not only these people but the entire security industry at
> large? Please cite one reference other than your own web page which
> promotes closed source as a superior security solution.
> 
> And you still have not explained how someone is going to reinstall my OS
> in the first place. To suggest that one of the few people with keys to the
> computer room would do so is pointless because this can happen to
> commercial operating systems as well. You keep harping on source
> availability. Not only is it proven that commercial OS source is available
> illegally, but all you have to do is boot the system from a boot disk and
> put "+ +" in the ~root/.rhosts file and you can login from anywhere
> anyway. Changing the source is NOT the only way to backdoor a system.
> There are many runtime configurations which can be set up that will allow
> this sort of thing.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Your mouse has moved. Please wait while Windows reboots so the change can
> take effect.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Tue Nov 24 11:17:08 1998 -0800
Date: Tue, 24 Nov 1998 11:17:08 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365B0151.24C0DF3A@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 20

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> You continue to ignore the problem.

You are yet to state clearly what you think the problem really is. 

If you think the problem is source availability, it is impossible to
solve because the source always finds a way to leak out. It is very
foolish to base security on the assumption that the source is not
available, and that seems to be what you are advocating. Given that it is
an impossible problem to solve, we may as well make the best of it by
utilizing all of those eyeballs to spot bugs. Counting on the source being
hard to find as part of your security model is a recipe for disaster.

If you think the problem is physical security, that is solvable depending
on how determined the attacker is. 

Unknowns are always a security risk. Open source software greatly reduces
the number of unknowns. With open source software, I can be entirely in
control of my own security. I don't have to trust anyone else or rely on
them to do their job properly in order to ensure my own security. The same
cannot be said for any closed source product.

--
Tracy Reed      http://www.ultraviolet.org
Your mouse has moved. Please wait while Windows reboots so the change can
take effect.


From treed@ultraviolet.org Tue Nov 24 19:37:01 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 19798 invoked by uid 0); 24 Nov 1998 19:36:59 -0000
Received: from dfw-ix5.ix.netcom.com (206.214.98.5)
  by dt052n99.san.rr.com with SMTP; 24 Nov 1998 19:36:59 -0000
Received: (from smap@localhost)
          by dfw-ix5.ix.netcom.com (8.8.4/8.8.4)
	  id NAA17582 for ; Tue, 24 Nov 1998 13:36:19 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix5.ix.netcom.com via smap (V1.3)
	id rma017548; Tue Nov 24 13:35:53 1998
Message-ID: <365B0A83.D3987BB5@lamlaw.com>
Date: Tue, 24 Nov 1998 11:35:31 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 21

Tracy,

Please see my web page.

If you still can not answer the question of who will carry out the
attack and how they do it, then maybe I can not help you.

I find it amazing that a concept that appeared obvious to HP in the
early 70's is so hard for you to grasp.

If you can change the source code, then nothing by way of security that
the OS provides can be counted on.  Why?  Because it can just be
changed.

If you can de-bug it, I can sabotage it.  Same time. Same way.  Same
steps.  Same person.

Lewis



Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > You continue to ignore the problem.
> 
> You are yet to state clearly what you think the problem really is.
> 
> If you think the problem is source availability, it is impossible to
> solve because the source always finds a way to leak out. It is very
> foolish to base security on the assumption that the source is not
> available, and that seems to be what you are advocating. Given that it is
> an impossible problem to solve, we may as well make the best of it by
> utilizing all of those eyeballs to spot bugs. Counting on the source being
> hard to find as part of your security model is a recipe for disaster.
> 
> If you think the problem is physical security, that is solvable depending
> on how determined the attacker is.
> 
> Unknowns are always a security risk. Open source software greatly reduces
> the number of unknowns. With open source software, I can be entirely in
> control of my own security. I don't have to trust anyone else or rely on
> them to do their job properly in order to ensure my own security. The same
> cannot be said for any closed source product.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Your mouse has moved. Please wait while Windows reboots so the change can
> take effect.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Tue Nov 24 15:30:45 1998 -0800
Date: Tue, 24 Nov 1998 15:30:45 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365B0A83.D3987BB5@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 22

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> Please see my web page.

I saw it and commented on it in the first email I sent you. I stand by
those comments.

> If you still can not answer the question of who will carry out the
> attack and how they do it, then maybe I can not help you.
>
> I find it amazing that a concept that appeared obvious to HP in the
> early 70's is so hard for you to grasp.

You continue to dodge my questions and dismiss the answers as "obvious".
Please cite a reference to this concept that was obvious to HP in the
70's. I cite "Applied Cryptography" by Bruce Schneier in support of the
idea that security by obscurity is no security at all. It's more than a
good tagline, it's a fact.

Perhaps you really are a genius and know the subject better than any of
the people currently recognized to be experts. I encourage you to submit
your papers to the ACM.

> If you can change the source code, then nothing by way of security that
> the OS provides can be counted on.  Why?  Because it can just be
> changed.

What you don't seem to be getting is that this applies to closed source
operating systems as well because the source isn't really closed. All it
takes is for one copy of the source to leak and pretty soon everyone has
root kits for that OS. This is exactly what has happened.

Not only that, but YOU cannot change the source code on MY system without
exploiting a software defect. You may claim physical attack, but closed
source OS's are susceptible to this as well.

--
Tracy Reed      http://www.ultraviolet.org
Your mouse has moved. Please wait while Windows reboots so the change can
take effect.



From treed@ultraviolet.org Tue Nov 24 23:36:22 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 9464 invoked by uid 0); 24 Nov 1998 23:36:21 -0000
Received: from dfw-ix2.ix.netcom.com (206.214.98.2)
  by dt052n99.san.rr.com with SMTP; 24 Nov 1998 23:36:21 -0000
Received: (from smap@localhost)
          by dfw-ix2.ix.netcom.com (8.8.4/8.8.4)
	  id RAA00029 for ; Tue, 24 Nov 1998 17:35:46 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix2.ix.netcom.com via smap (V1.3)
	id rma029998; Tue Nov 24 17:35:32 1998
Message-ID: <365B42AE.C4981D0B@lamlaw.com>
Date: Tue, 24 Nov 1998 15:35:10 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 23

Tracy,

Obscurity is a prime consideration in security of all matters from
computer security to nuclear missiles.

Nothing in security is absolute.  But all efforts to obscure help.

Your continued suggestion that there are no differences between open and
closed are not even creditable.  Sorry.

Lewis


Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > Please see my web page.
> 
> I saw it and commented on it in the first email I sent you. I stand by
> those comments.
> 
> > If you still can not answer the question of who will carry out the
> > attack and how they do it, then maybe I can not help you.
> >
> > I find it amazing that a concept that appeared obvious to HP in the
> > early 70's is so hard for you to grasp.
> 
> You continue to dodge my questions and dismiss the answers as "obvious".
> Please cite a reference to this concept that was obvious to HP in the
> 70's. I cite "Applied Cryptography" by Bruce Schneier in support of the
> idea that security by obscurity is no security at all. It's more than a
> good tagline, it's a fact.
> 
> Perhaps you really are a genius and know the subject better than any of
> the people currently recognized to be experts. I encourage you to submit
> your papers to the ACM.
> 
> > If you can change the source code, then nothing by way of security that
> > the OS provides can be counted on.  Why?  Because it can just be
> > changed.
> 
> What you don't seem to be getting is that this applies to closed source
> operating systems as well because the source isn't really closed. All it
> takes is for one copy of the source to leak and pretty soon everyone has
> root kits for that OS. This is exactly what has happened.
> 
> Not only that, but YOU cannot change the source code on MY system without
> exploiting a software defect. You may claim physical attack, but closed
> source OS's are susceptible to this as well.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Your mouse has moved. Please wait while Windows reboots so the change can
> take effect.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Tue Nov 24 15:43:38 1998 -0800
Date: Tue, 24 Nov 1998 15:43:38 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365B42AE.C4981D0B@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 24

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> Obscurity is a prime consideration in security of all matters from
> computer security to nuclear missiles.

This is true. But obscurity in the case of source code is not possible.
And given the choice between a public but known good algorithm and a
private but possibly flawed algorithm, which would you choose?

I would choose the former. You never know when that algorithm is going to
suddenly go public and put your system in jeopardy.

> Nothing in security is absolute.  But all efforts to obscure help.
> 
> Your continued suggestion that there are no differences between open and
> closed are not even creditable.  Sorry.

I don't think I have said there were no differences. There are definitely
differences. One is more secure than the other. Guess which one.

> > You continue to dodge my questions and dismiss the answers as "obvious".
> > Please cite a reference to this concept that was obvious to HP in the
> > 70's. I cite "Applied Cryptography" by Bruce Schneier in support of the
> > idea that security by obscurity is no security at all. It's more than a
> > good tagline, it's a fact.

You continue to ignore this part of my argument.

--
Tracy Reed      http://www.ultraviolet.org
If Microsoft built cars instead of software, the airbag system would say
"Are you sure?" before going off.


From treed@ultraviolet.org Tue Nov 24 23:44:58 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 11123 invoked by uid 0); 24 Nov 1998 23:44:57 -0000
Received: from dfw-ix2.ix.netcom.com (206.214.98.2)
  by dt052n99.san.rr.com with SMTP; 24 Nov 1998 23:44:57 -0000
Received: (from smap@localhost)
          by dfw-ix2.ix.netcom.com (8.8.4/8.8.4)
	  id RAA01107 for ; Tue, 24 Nov 1998 17:44:45 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix2.ix.netcom.com via smap (V1.3)
	id rma001084; Tue Nov 24 17:44:28 1998
Message-ID: <365B44C7.2B9B4764@lamlaw.com>
Date: Tue, 24 Nov 1998 15:44:07 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 25

Tracy,

Maybe I personally can not change your OS, but anyone you hire can.

You continue to assume an outside attack.  That is false.

The security problem created with open source is an inside attack.

Hint:  The same person you hire to fix a bug can easily sabotage it
any way he may want.

Do you understand now?

Give me the name of your employee you hired to run your system, and I
will give you the name of the person who can easily attack your system. 
How that person will do it is unlimited. And, that is a very serious
problem.

If you so-called experts do not understand this, then they are not
experts at all.

Lewis

Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > Please see my web page.
> 
> I saw it and commented on it in the first email I sent you. I stand by
> those comments.
> 
> > If you still can not answer the question of who will carry out the
> > attack and how they do it, then maybe I can not help you.
> >
> > I find it amazing that a concept that appeared obvious to HP in the
> > early 70's is so hard for you to grasp.
> 
> You continue to dodge my questions and dismiss the answers as "obvious".
> Please cite a reference to this concept that was obvious to HP in the
> 70's. I cite "Applied Cryptography" by Bruce Schneier in support of the
> idea that security by obscurity is no security at all. It's more than a
> good tagline, it's a fact.
> 
> Perhaps you really are a genius and know the subject better than any of
> the people currently recognized to be experts. I encourage you to submit
> your papers to the ACM.
> 
> > If you can change the source code, then nothing by way of security that
> > the OS provides can be counted on.  Why?  Because it can just be
> > changed.
> 
> What you don't seem to be getting is that this applies to closed source
> operating systems as well because the source isn't really closed. All it
> takes is for one copy of the source to leak and pretty soon everyone has
> root kits for that OS. This is exactly what has happened.
> 
> Not only that, but YOU cannot change the source code on MY system without
> exploiting a software defect. You may claim physical attack, but closed
> source OS's are susceptible to this as well.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Your mouse has moved. Please wait while Windows reboots so the change can
> take effect.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Tue Nov 24 15:54:40 1998 -0800
Date: Tue, 24 Nov 1998 15:54:40 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365B44C7.2B9B4764@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 26

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> Maybe I personally can not change your OS, but anyone you hire can.

And they can do so with any closed source OS as well.

> You continue to assume an outside attack.  That is false.

Outside attack is by far the most common. Inside attack is extremely rare.
But ok, I shall consider inside attack, despite the fact that we average
two probes a day on our firewall and have never had an inside attack in 15
years of operating this company.

> Give me the name of your employee you hired to run your system, and I
> will give you the name of the person who can easily attack your system. 
> How that person will do it is unlimited. And, that is a very serious
> problem.

A person on the inside can just as easily do this with a commercial OS.
Even if they cannot get the source (Gee, even I know people with Solaris
source, and I know some universities have NT source) they can boot the
thing with boot media (it's right there on the shelf) and suid a shell
hidden away somewhere, add an account, put + + in a .rhosts file, whatever
they want. It's actually easier to do one of these things than it is to
modify the source. And if they really do want to replace system binaries,
they can use someone else's precompiled root kit. They don't need the
source. 

I've seen more than enough commercial OS's get rooted to know that hiding
the source isn't gaining them anything.

--
Tracy Reed      http://www.ultraviolet.org
If Microsoft built cars instead of software, the airbag system would say
"Are you sure?" before going off.
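
[Added example, not part of the original correspondence.] The runtime backdoors named in the two messages above (a "+ +" line in a .rhosts file, an added account, a setuid shell hidden away) leave traces that can be audited without any source code. The sketch below checks a filesystem tree for all three; the function names, the tree layout, the `maint` and `alice` accounts and the `.x` file name are constructed for illustration.

```python
"""Audit a filesystem tree for wildcard rhosts trust, extra UID-0
accounts, and setuid files whose contents match a listed shell."""
import hashlib
import os
import stat
import tempfile

TRUST_FILES = {".rhosts", "hosts.equiv"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def wildcard_trust_lines(path):
    """1-based numbers of lines whose host or user field is a bare '+'."""
    hits = []
    with open(path, "r", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            fields = line.split("#", 1)[0].split()
            if "+" in fields[:2]:
                hits.append(n)
    return hits


def extra_uid0_accounts(passwd_path):
    """Account names other than root that carry UID 0."""
    names = []
    with open(passwd_path, "r", errors="replace") as fh:
        for line in fh:
            parts = line.rstrip("\n").split(":")
            if len(parts) >= 7 and parts[2] == "0" and parts[0] != "root":
                names.append(parts[0])
    return names


def shell_hashes(root):
    """Map SHA-256 -> shell path for every shell listed in <root>/etc/shells."""
    hashes = {}
    listing = os.path.join(root, "etc", "shells")
    if os.path.isfile(listing):
        with open(listing) as fh:
            for line in fh:
                line = line.strip()
                candidate = os.path.join(root, line.lstrip("/"))
                if line.startswith("/") and os.path.isfile(candidate):
                    hashes[sha256_file(candidate)] = line
    return hashes


def audit_tree(root):
    """Return sorted (kind, relative path, detail) findings under root."""
    findings = []
    passwd = os.path.join(root, "etc", "passwd")
    if os.path.isfile(passwd):
        for name in extra_uid0_accounts(passwd):
            findings.append(("uid0-account", "etc/passwd", name))
    known = shell_hashes(root)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            rel = os.path.relpath(full, root)
            if fname in TRUST_FILES:
                for n in wildcard_trust_lines(full):
                    findings.append(("wildcard-trust", rel, "line %d" % n))
            if st.st_mode & stat.S_ISUID:
                shell = known.get(sha256_file(full))
                if shell:
                    findings.append(("setuid-shell-copy", rel, shell))
    return sorted(findings)


def build_constructed_tree(root):
    """Constructed sample tree (not from the thread), one of each finding."""
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"
                      "alice:x:1000:1000::/home/alice:/bin/sh\n"
                      "maint:x:0:0::/tmp:/bin/sh\n",
        "etc/shells": "/bin/sh\n",
        "bin/sh": "constructed stand-in for a shell binary\n",
        "root/.rhosts": "# trusted hosts\n+ +\n",
        "home/alice/.rhosts": "backup.example.org alice\n",
        "var/tmp/.x": "constructed stand-in for a shell binary\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    os.chmod(os.path.join(root, "bin/sh"), 0o755)
    os.chmod(os.path.join(root, "var/tmp/.x"), 0o4755)  # setuid bit set
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_tree(build_constructed_tree(tmp)):
            print(*finding, sep="\t")
```

Because `audit_tree` takes a root directory, it can be pointed at a disk image mounted read-only from trusted media, so a modified binary on the audited system cannot hide the result.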



From treed@ultraviolet.org Tue Nov 24 23:49:25 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 11205 invoked by uid 0); 24 Nov 1998 23:49:24 -0000
Received: from dfw-ix2.ix.netcom.com (206.214.98.2)
  by dt052n99.san.rr.com with SMTP; 24 Nov 1998 23:49:24 -0000
Received: (from smap@localhost)
          by dfw-ix2.ix.netcom.com (8.8.4/8.8.4)
	  id RAA01512 for ; Tue, 24 Nov 1998 17:48:49 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix2.ix.netcom.com via smap (V1.3)
	id rma001495; Tue Nov 24 17:48:42 1998
Message-ID: <365B45C5.E9034F7A@lamlaw.com>
Date: Tue, 24 Nov 1998 15:48:21 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 27

Tracy,

Does your employee have the source code for NT or Solaris or HP-UX such
that it can be compiled and installed on your machine?

I do not think so.  And, it is your employee you need to worry about.

I can think of a thousand ways to easily compromise your Os system that
you will never be able to pull off on any closed source system.

OSS is open to an unlimited number of attacks and most of them are
completely undetectable.

Lewis

Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > Obscurity is a prime consideration in security of all matters from
> > computer security to nuclear missiles.
> 
> This is true. But obscurity in the case of source code is not possible.
> And given the choice between a public but known good algorithm and a
> private but possibly flawed algorithm, which would you choose?
> 
> I would choose the former. You never know when that algorithm is going to
> suddenly go public and put your system in jeopardy.
> 
> > Nothing in security is absolute.  But all efforts to obscure help.
> >
> > Your continued suggestion that there are no differences between open and
> > closed are not even creditable.  Sorry.
> 
> I don't think I have said there were no differences. There are definitely
> differences. One is more secure than the other. Guess which one.
> 
> > > You continue to dodge my questions and dismiss the answers as "obvious".
> > > Please cite a reference to this concept that was obvious to HP in the
> > > 70's. I cite "Applied Cryptography" by Bruce Schneier in support of the
> > > idea that security by obscurity is no security at all. It's more than a
> > > good tagline, it's a fact.
> 
> You continue to ignore this part of my argument.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> If Microsoft built cars instead of software, the airbag system would say
> "Are you sure?" before going off.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Tue Nov 24 15:56:31 1998 -0800
Date: Tue, 24 Nov 1998 15:56:31 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365B45C5.E9034F7A@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 28

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> Does your employee have the source code for NT or Solaris or HP-UX such
> that it can be compiled and installed on your machine?

Maybe. They definitely have access to precompiled rootkits via the
Internet though.

> I can think of a thousand ways to easily compromise your Os system that
> you will never be able to pull off on any closed source system.

Such as?

> OSS is open to an unlimited number of attacks and most of them are
> completely undetectable.

What sort of attacks won't an md5 checksum catch?

--
Tracy Reed      http://www.ultraviolet.org
If Microsoft built cars instead of software, the airbag system would say
"Are you sure?" before going off.


From treed@ultraviolet.org Wed Nov 25 00:00:42 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 11456 invoked by uid 0); 25 Nov 1998 00:00:39 -0000
Received: from dfw-ix5.ix.netcom.com (206.214.98.5)
  by dt052n99.san.rr.com with SMTP; 25 Nov 1998 00:00:39 -0000
Received: (from smap@localhost)
          by dfw-ix5.ix.netcom.com (8.8.4/8.8.4)
	  id SAA22173 for ; Tue, 24 Nov 1998 18:00:06 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix5.ix.netcom.com via smap (V1.3)
	id rma022148; Tue Nov 24 17:59:59 1998
Message-ID: <365B486A.808121FB@lamlaw.com>
Date: Tue, 24 Nov 1998 15:59:38 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 29

Tracy,

Nope.  There are many operating systems that you can not change at all.

That is not even at issue.

The issue is whether you make it easy or hard.  With the source is
always easier than without.  Unless you want to argue you can fix a bug
faster without the source code than you can with it.

Go ahead.  Make that statement.

The point made and proven is that open source creates additional
security risks simply due to the fact that the source is readily
available.  That is a true statement.

You can fix any problem easier with the source and you can sabotage any
OS easier with the source.

Lewis

Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > Maybe I personally can not change your OS, but anyone you hire can.
> 
> And they can do so with any closed source OS as well.
> 
> > You continue to assume an outside attack.  That is false.
> 
> Outside attack is by far the most common. Inside attack is extremely rare.
> But ok, I shall consider inside attack, despite the fact that we average
> two probes a day on our firewall and have never had an inside attack in 15
> years of operating this company.
> 
> > Give me the name of your employee you hired to run your system, and I
> > will give you the name of the person who can easily attack your system.
> > How that person will do it is unlimited. And, that is a very serious
> > problem.
> 
> A person on the inside can just as easily do this with a commercial OS.
> Even if they cannot get the source (Gee, even I know people with Solaris
> source, and I know some universities have NT source) they can boot the
> thing with boot media (it's right there on the shelf) and suid a shell
> hidden away somewhere, add an account, put + + in a .rhosts file, whatever
> they want. It's actually easier to do one of these things than it is to
> modify the source. And if they really do want to replace system binaries,
> they can use someone else's precompiled root kit. They don't need the
> source.
> 
> I've seen more than enough commercial OS's get rooted to know that hiding
> the source isn't gaining them anything.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> If Microsoft built cars instead of software, the airbag system would say
> "Are you sure?" before going off.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Wed Nov 25 00:03:48 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 12349 invoked by uid 0); 25 Nov 1998 00:03:39 -0000
Received: from dfw-ix5.ix.netcom.com (206.214.98.5)
  by dt052n99.san.rr.com with SMTP; 25 Nov 1998 00:03:39 -0000
Received: (from smap@localhost)
          by dfw-ix5.ix.netcom.com (8.8.4/8.8.4)
	  id SAA22564 for ; Tue, 24 Nov 1998 18:03:19 -0600 (CST)
Received: from sji-ca1-185.ix.netcom.com(209.109.232.185) by dfw-ix5.ix.netcom.com via smap (V1.3)
	id rma022505; Tue Nov 24 18:02:41 1998
Message-ID: <365B490B.E8D3E4BA@lamlaw.com>
Date: Tue, 24 Nov 1998 16:02:19 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 30

Tracy,

How about disabling md5 checksum?  

Remember, if I have the source code I can disable any rule or procedure
used.  I can just cut it short and have it report a "pass".

You still assume some code is not subject to change (as if the source
was not available).

If the source is not available then I agree.  Some rules might apply.

However, when the source is available not one of them apply.  I can
change them all.

Lewis


Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > Does your employee have the source code for NT or Solaris or HP-UX such
> > that it can be compiled and installed on your machine?
> 
> Maybe. They definitely have access to precompiled rootkits via the
> Internet though.
> 
> > I can think of a thousand ways to easily compromise your Os system that
> > you will never be able to pull off on any closed source system.
> 
> Such as?
> 
> > OSS is open to an unlimited number of attacks and most of them are
> > completely undetectable.
> 
> What sort of attacks won't an md5 checksum catch?
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> If Microsoft built cars instead of software, the airbag system would say
> "Are you sure?" before going off.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Wed Dec  9 15:54:49 1998 -0800
Date: Wed, 9 Dec 1998 15:54:49 -0800 (PST)
From: Tracy R Reed 
To: lmettler@lamlaw.com
Subject: OSS Security
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 
X-Keywords:
X-UID: 31


http://www.LinuxWorld.com/linuxworld/lw-1998-11/lw-11-ramparts.html

--
Tracy Reed      http://www.ultraviolet.org
"witness the advance of Linux, a new version of UNIX developed by a single
individual" - Microsoft response to U.S. Department of Justice allegations
refuting the government's charges


From treed@ultraviolet.org Thu Dec 10 16:21:02 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 12339 invoked by uid 0); 10 Dec 1998 16:21:01 -0000
Received: from dfw-ix15.ix.netcom.com (206.214.98.15)
  by dt052n99.san.rr.com with SMTP; 10 Dec 1998 16:21:01 -0000
Received: (from smap@localhost)
          by dfw-ix15.ix.netcom.com (8.8.4/8.8.4)
	  id KAA14281 for ; Thu, 10 Dec 1998 10:20:26 -0600 (CST)
Received: from sji-ca11-201.ix.netcom.com(209.109.237.201) by dfw-ix15.ix.netcom.com via smap (V1.3)
	id rma013982; Thu Dec 10 10:19:10 1998
Message-ID: <366FF527.EC2095C1@lamlaw.com>
Date: Thu, 10 Dec 1998 08:21:59 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 32

Tracy,

Did they discuss the security problems created by open source?

Tracy R Reed wrote:
> 
> http://www.LinuxWorld.com/linuxworld/lw-1998-11/lw-11-ramparts.html
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "witness the advance of Linux, a new version of UNIX developed by a single
> individual" - Microsoft response to U.S. Department of Justice allegations
> refuting the government's charges

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 08:41:28 1998 -0800
Date: Thu, 10 Dec 1998 08:41:27 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <366FF527.EC2095C1@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 
X-Keywords:
X-UID: 33

On Thu, 10 Dec 1998, Lewis A. Mettler wrote:

> Tracy,
> 
> Did they discuss the security problems created by open source?

Yes.

--
Tracy Reed      http://www.ultraviolet.org
* Maelcum likes his flame broiled dragon on sourdough


From treed@ultraviolet.org Thu Dec 10 17:38:51 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 24252 invoked by uid 0); 10 Dec 1998 17:38:50 -0000
Received: from dfw-ix8.ix.netcom.com (206.214.98.8)
  by dt052n99.san.rr.com with SMTP; 10 Dec 1998 17:38:50 -0000
Received: (from smap@localhost)
          by dfw-ix8.ix.netcom.com (8.8.4/8.8.4)
	  id LAA00379 for ; Thu, 10 Dec 1998 11:38:08 -0600 (CST)
Received: from sji-ca11-201.ix.netcom.com(209.109.237.201) by dfw-ix8.ix.netcom.com via smap (V1.3)
	id rmaa00228; Thu Dec 10 11:37:13 1998
Message-ID: <36700773.38111C4@lamlaw.com>
Date: Thu, 10 Dec 1998 09:40:03 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 34

Tracy,

Sorry.  It ignores it.

Read it again and point out to me where it even discusses it.

If you still do not understand the problem, read my articles again.

Perhaps you should consult a knowledgeable security expert instead of a
promotional piece.

Lewis


Tracy R Reed wrote:
> 
> On Thu, 10 Dec 1998, Lewis A. Mettler wrote:
> 
> > Tracy,
> >
> > Did they discuss the security problems created by open source?
> 
> Yes.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> * Maelcum likes his flame broiled dragon on sourdough

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 09:47:40 1998 -0800
Date: Thu, 10 Dec 1998 09:47:40 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <36700773.38111C4@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 
X-Keywords:
X-UID: 35

On Thu, 10 Dec 1998, Lewis A. Mettler wrote:

> Tracy,
> 
> Sorry.  It ignores it.
> 
> Read it again and point out to me where it even discusses it.

Look at the title:

      Musings on open source security models
      Does open source mean open season for crackers?

That alone implies a discussion of security and open source software! The
problem is you don't agree with their conclusion. 

> If you still do not understand the problem, read my articles again.
> 
> Perhaps you should consult a knowledgeable security expert instead of a
> promotional piece.

I understand the problem and I addressed every point you made while you
constantly dodged and evaded my own. I have consulted knowledgeable
security experts and cited them. You have not cited a single one.

--
Tracy Reed      http://www.ultraviolet.org
Every one we don't catch would be a "yet another major ms security hole",
and the theory tells us we can't catch all of them.  So, we're just not
going to start down that path.
        --paulle@microsoft.com 08/06/98 Bugtraq



From treed@ultraviolet.org Thu Dec 10 09:55:27 1998 -0800
Date: Thu, 10 Dec 1998 09:55:27 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365B486A.808121FB@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 36

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> Nope.  There are many operating systems that you can not change at all.

Name one. You are correct in that if it has source code, it can be
changed. Every OS has source code.

> The issue is whether you make it easy or hard.  With the source is
> always easier than without.  Unless you want to argue you can fix a bug
> faster without the source code than you can with it.

Having source available makes it much more difficult to compromise the
system such that you can alter it in the first place.

> The point made and proven is that open source creates additional
> security risks simply due to the fact that the source is readily
> available.  That is a true statement.

You continue to assert that your opinions are fact without any evidence to
back it up. I have presented the opinions of experts, papers, references,
etc. and you have produced nothing but hot air.

--
Tracy Reed      http://www.ultraviolet.org
Every one we don't catch would be a "yet another major ms security hole",
and the theory tells us we can't catch all of them.  So, we're just not
going to start down that path.
        --paulle@microsoft.com 08/06/98 Bugtraq


From treed@ultraviolet.org Thu Dec 10 10:03:03 1998 -0800
Date: Thu, 10 Dec 1998 10:03:03 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <365B490B.E8D3E4BA@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 37

On Tue, 24 Nov 1998, Lewis A. Mettler wrote:

> How about disabling md5 checksum?  

You don't seem to understand how this works. First, that would require
somehow getting root. Second, I am going to notice when I don't get my
tripwire report. I am then going to mount the read only floppy and run it
by hand and discover whatever has gone on.

> Remember, if I have the source code I can disable any rule or procedure
> used.  I can just cut it short and have it report a "pass".

No, you can't. Unless you know how to write to a physically write
protected floppy.

> You still assume some code is not subject to change (as if the source
> was not available).

Of course the code is subject to change. The difficulty which you have not
yet addressed is how you are going to get your changed source code onto
my machine.

> However, when the source is available not one of them apply.  I can
> change them all.

You have once again conveniently forgotten that the source code is
available, even to commercial OS's. There are root kits for commercial
OS's. I would much rather base my security on the assumption that the code
is available and implement far better security models than on the
assumption that it will never be available.

--
Tracy Reed      http://www.ultraviolet.org
Every one we don't catch would be a "yet another major ms security hole",
and the theory tells us we can't catch all of them.  So, we're just not
going to start down that path.
        --paulle@microsoft.com 08/06/98 Bugtraq
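
Added example, not part of the original correspondence: a minimal Tripwire-style check of the kind the message above relies on, written in Python. SHA-256 stands in for the md5 checksum named in the thread; the file names, the 26-hour report window and the helper names are assumptions made for the illustration, and the sample tree is constructed.

```python
"""Tripwire-style integrity check (illustration; SHA-256 stands in for MD5)."""
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path

# Assumed window: a once-a-day run plus two hours of slack.
MAX_REPORT_AGE = 26 * 3600


def hash_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root to its digest and permission bits.

    In the setup the message describes, this baseline (and the checker itself)
    would live on physically write-protected media, not on the checked disk.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):  # rglob also returns dot-files
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": stat.S_IMODE(p.lstat().st_mode),
            }
    return manifest


def verify(root, baseline):
    """Compare the live tree with the baseline and list every difference."""
    current = build_manifest(root)
    findings = {"modified": [], "added": [], "removed": [], "new_setuid": []}
    for name, entry in current.items():
        old = baseline.get(name)
        if old is None:
            findings["added"].append(name)
        elif old["sha256"] != entry["sha256"]:
            findings["modified"].append(name)
        was_setuid = bool(old and old["mode"] & stat.S_ISUID)
        if entry["mode"] & stat.S_ISUID and not was_setuid:
            findings["new_setuid"].append(name)
    findings["removed"] = sorted(set(baseline) - set(current))
    return findings


def report_overdue(last_report_time, now=None, max_age=MAX_REPORT_AGE):
    """A report that never arrives is itself a finding: treat silence as failure."""
    now = time.time() if now is None else now
    return last_report_time is None or now - last_report_time > max_age


def demo():
    """Constructed sample tree: take a baseline, change three things, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin/login").write_bytes(b"original login binary")
        (root / "bin/ls").write_bytes(b"original ls binary")
        (root / "etc/hosts.equiv").write_text("trusted-host\n")
        baseline = build_manifest(root)

        # Changes of the kinds named in the thread: a replaced system binary,
        # a setuid file tucked away under a dot-name, and a removed file.
        (root / "bin/login").write_bytes(b"replaced login binary")
        hidden = root / "bin/.sh"
        hidden.write_bytes(b"copy of a shell")
        os.chmod(hidden, 0o4755)
        (root / "etc/hosts.equiv").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
    print("report overdue:", report_overdue(time.time() - 2 * 86400))
```

The comparison is only as trustworthy as the copy of the checker and baseline it runs from, which is why the message keeps both on a write-protected floppy and treats a missing daily report as a reason to run the check by hand.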


From treed@ultraviolet.org Thu Dec 10 18:26:53 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 2010 invoked by uid 0); 10 Dec 1998 18:26:53 -0000
Received: from dfw-ix6.ix.netcom.com (206.214.98.6)
  by dt052n99.san.rr.com with SMTP; 10 Dec 1998 18:26:53 -0000
Received: (from smap@localhost)
          by dfw-ix6.ix.netcom.com (8.8.4/8.8.4)
	  id MAA18938 for ; Thu, 10 Dec 1998 12:26:24 -0600 (CST)
Received: from sji-ca11-201.ix.netcom.com(209.109.237.201) by dfw-ix6.ix.netcom.com via smap (V1.3)
	id rma018881; Thu Dec 10 12:25:46 1998
Message-ID: <367012D4.9EDCC7BB@lamlaw.com>
Date: Thu, 10 Dec 1998 10:28:36 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 38

Tracy,

If you do not understand the problem, you can just say so.

That article fails in fact to address it.  The author does not even
understand it.  That is clear.

Please name the employee that you have assigned to patch the open source
OS you use.  Give me the name.

I will tell you what he can do to sabotage your system.

Lewis




Tracy R Reed wrote:
> 
> On Thu, 10 Dec 1998, Lewis A. Mettler wrote:
> 
> > Tracy,
> >
> > Sorry.  It ignores it.
> >
> > Read it again and point out to me where it even discusses it.
> 
> Look at the title:
> 
>       Musings on open source security models
>       Does open source mean open season for crackers?
> 
> That alone implies a discussion of security and open source software! The
> problem is you don't agree with their conclusion.
> 
> > If you still do not understand the problem, read my articles again.
> >
> > Perhaps you should consult a knowledgeable security expert instead of a
> > promotional piece.
> 
> I understand the problem and I addressed every point you made while you
> constantly dodged and evaded my own. I have consulted knowledgeable
> security experts and cited them. You have not cited a single one.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Every one we don't catch would be a "yet another major ms security hole",
> and the theory tells us we can't catch all of them.  So, we're just not
> going to start down that path.
>         --paulle@microsoft.com 08/06/98 Bugtraq

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 10:31:43 1998 -0800
Date: Thu, 10 Dec 1998 10:31:43 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <367012D4.9EDCC7BB@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 39

On Thu, 10 Dec 1998, Lewis A. Mettler wrote:

> If you do not understand the problem, you can just say so.

I do understand the problem. You are trying to insult my intelligence to
bolster your case. It won't work.

> Please name the employee that you have assigned to patch the open source
> OS you use.  Give me the name.
> 
> I will tell you what he can do to sabotage your system.

I am that person. And I can sabotage our HP-UX, SCO, and NT systems just
as well.

--
Tracy Reed      http://www.ultraviolet.org
Every one we don't catch would be a "yet another major ms security hole",
and the theory tells us we can't catch all of them.  So, we're just not
going to start down that path.
        --paulle@microsoft.com 08/06/98 Bugtraq


From treed@ultraviolet.org Thu Dec 10 18:30:28 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 2264 invoked by uid 0); 10 Dec 1998 18:30:27 -0000
Received: from dfw-ix6.ix.netcom.com (206.214.98.6)
  by dt052n99.san.rr.com with SMTP; 10 Dec 1998 18:30:27 -0000
Received: (from smap@localhost)
          by dfw-ix6.ix.netcom.com (8.8.4/8.8.4)
	  id MAA19355 for ; Thu, 10 Dec 1998 12:29:56 -0600 (CST)
Received: from sji-ca11-201.ix.netcom.com(209.109.237.201) by dfw-ix6.ix.netcom.com via smap (V1.3)
	id rma019266; Thu Dec 10 12:29:14 1998
Message-ID: <367013A6.611C80D3@lamlaw.com>
Date: Thu, 10 Dec 1998 10:32:06 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 40

Tracy,

Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > Nope.  There are many operating systems that you can not change at all.
> 
> Name one. You are correct in that if it has source code, it can be
> changed. Every OS has source code.
> 
> > The issue is whether you make it easy or hard.  With the source is
> > always easier than without.  Unless you want to argue you can fix a bug
> > faster without the source code than you can with it.
> 
> Having source available makes it much more difficult to compromise the
> system such that you can alter it in the first place.

False.  Absolutely false.  What you are suggesting is that it is easy to
fix bugs without the source code.

It is easier to fix bugs with the source code.
It is easier to sabotage with the source code.

The steps are identical.


> 
> > The point made and proven is that open source creates additional
> > security risks simply due to the fact that the source is readily
> > available.  That is a true statement.
> 
> You continue to assert that your opinions are fact without any evidence to
> back it up. I have presented the opinions of experts, papers, references,
> etc. and you have produced nothing but hot air.

I do not need an expert to tell me that I can sabotage any system for
which I have the source code.

Hint:  Any programmer knows that source code can be changed to fix a
bug or sabotage the application.

The process is identical.


> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Every one we don't catch would be a "yet another major ms security hole",
> and the theory tells us we can't catch all of them.  So, we're just not
> going to start down that path.
>         --paulle@microsoft.com 08/06/98 Bugtraq

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 10:58:29 1998 -0800
Date: Thu, 10 Dec 1998 10:58:29 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <367013A6.611C80D3@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 41

On Thu, 10 Dec 1998, Lewis A. Mettler wrote:

> > Having source available makes it much more difficult to compromise the
> > system such that you can alter it in the first place.
> 
> False.  Absolutely false.  What you are suggesting is that it is easy to
> fix bugs without the source code.

I am not suggesting that at all. You have been doing a lot of hand waving
throughout this whole exchange. No, it is not easy to fix bugs without the
source code. That is why open source is more secure. The whole world knows
how RSA cryptography works, does that make it less secure? Not really.
Because the algorithm has undergone extensive scrutiny. Nobody has to be
trusted because everything can be verified with our own eyes. Flaws in the
algorithms are discovered and repaired making the code as close to perfect
as possible.

> I do not need an expert to tell me that I can sabotage any system for
> which I have the source code.

I think you do need an expert to tell you that open source systems are far
easier to verify and ensure code correctness than closed systems.

--
Tracy Reed      http://www.ultraviolet.org
Every one we don't catch would be a "yet another major ms security hole",
and the theory tells us we can't catch all of them.  So, we're just not
going to start down that path.
        --paulle@microsoft.com 08/06/98 Bugtraq


From treed@ultraviolet.org Thu Dec 10 18:37:17 1998 -0800
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 2453 invoked by uid 0); 10 Dec 1998 18:37:17 -0000
Received: from dfw-ix6.ix.netcom.com (206.214.98.6)
  by dt052n99.san.rr.com with SMTP; 10 Dec 1998 18:37:17 -0000
Received: (from smap@localhost)
          by dfw-ix6.ix.netcom.com (8.8.4/8.8.4)
	  id MAA20322 for ; Thu, 10 Dec 1998 12:36:47 -0600 (CST)
Received: from sji-ca11-201.ix.netcom.com(209.109.237.201) by dfw-ix6.ix.netcom.com via smap (V1.3)
	id rma020282; Thu Dec 10 12:36:34 1998
Message-ID: <3670155D.42F2441F@lamlaw.com>
Date: Thu, 10 Dec 1998 10:39:25 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: OSS Security
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
X-Status: A
X-Keywords:
X-UID: 42



Tracy R Reed wrote:
> 
> On Tue, 24 Nov 1998, Lewis A. Mettler wrote:
> 
> > How about disabling md5 checksum?
> 
> You don't seem to understand how this works. First, that would require
> somehow getting root. 

False.  No root is required from any person before re-installing a bogus
OS.


> Second, I am going to notice when I don't get my
> tripwire report. I am then going to mount the read only floppy and run it
> by hand and discover whatever has gone on.

So. You will only find out about the sabotage when?  How often?  Have
you checked today already?  Do you check every hour?

What makes you even think that your test will trip up?  Your employee
fixed it so that your silly test would pass.



> 
> > Remember, if I have the source code I can disable any rule or procedure
> > used.  I can just cut it short and have it report a "pass".
> 
> No, you can't. Unless you know how to write to a physically write
> protected floppy.


I can recompile the OS at any time.  

My OS does not use your floppy.  I changed that code.


> 
> > You still assume some code is not subject to change (as if the source
> > was not available).
> 
> Of course the code is subject to change. The difficulty which you have not
> yet addressed is how you are going to get your changed source code onto
> my machine.

You assume the employee doing your work is not the source of the
problem.

That is an assumption which you can not make.

> 
> > However, when the source is available not one of them apply.  I can
> > change them all.
> 
> You have once again conveniently forgotten that the source code is
> available, even to commercial OS's. There are root kits for commercial
> OS's. I would much rather base my security on the assumption that the code
> is available and implement far better security models than on the
> assumption that it will never be available.

False.  You do not even know about which you speak.

The risk is directly proportional to the number of people who have the
source code.

Linux gives it out to 7 or 8 million.  How many have the source for
HP-UX?  Solaris?  NT?  AS/400?

And, how many of those can actually recompile a bogus version and
install it?

With open source that is easy to do.  With closed source it is much
harder.

All security is relative.  And, with this problem open source is
absolutely the worst case.

> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Every one we don't catch would be a "yet another major ms security hole",
> and the theory tells us we can't catch all of them.  So, we're just not
> going to start down that path.
>         --paulle@microsoft.com 08/06/98 Bugtraq

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 11:17:17 1998 -0800
Date: Thu, 10 Dec 1998 11:17:17 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <3670155D.42F2441F@lamlaw.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 
X-Keywords:
X-UID: 43

On Thu, 10 Dec 1998, Lewis A. Mettler wrote:

> False.  No root is required from any person before re-installing a bogus
> OS.

You are once again assuming physical access because it is convenient for
you. Given physical access, any commercial OS can be compromised as well.
This has nothing to do with open source.

> So. You will only find out about the sabotage when?  How often?  Have
> you checked today already?  Do you check every hour?

I will find out about any changes each morning. It runs once a day. Yes, I
have checked already. I could check every hour if I wanted to put that
much cpu time into it. But this is only the firewall for a financial
institution. Running tripwire every hour would be excessive.

> What makes you even think that your test will trip up?  Your employee
> fixed it so that your silly test would pass.

I am the employee. I am not going to sabotage my own system. Another
employee could, but they could do that to a commercial OS as well. In
fact, they could just help themselves to the petty cash in the office too.
That is a human resources problem, not a software problem.

> I can recompile the OS at any time.  
> 
> My OS does not use your floppy.  I changed that code.

Again, hardware access. I can sabotage any commercial OS given hardware
access.

> You assume the employee doing your work is not the source of the
> problem.
> 
> That is an assumption which you can not make.

It is also beyond the scope of software engineering to solve such personnel
problems.

> The risk is directly proportional to the number of people who have the
> source code.

The risk is inversely proportional. I don't have to worry about what
happens to my OS when the source code leaks. You do.

--
Tracy Reed      http://www.ultraviolet.org
Every one we don't catch would be a "yet another major ms security hole",
and the theory tells us we can't catch all of them.  So, we're just not
going to start down that path.
        --paulle@microsoft.com 08/06/98 Bugtraq


From treed@ultraviolet.org Thu Dec 10 18:42:33 1998 -0800
Message-ID: <36701683.DD55CC17@lamlaw.com>
Date: Thu, 10 Dec 1998 10:44:19 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
To: Tracy R Reed 
Subject: Re: OSS Security

Tracy,

I do not believe you.

Please disable the requirement for users to provide passwords when they
log onto HP-UX.

Go ahead. Do that.  Let me know when you have completed that.

Then put the capability back in and modify it so that if you log on as
"bogusguy" you always get root access regardless of the password
submitted.  Let me know when you have completed that for HP-UX.

Then modify the OS so that everyone else logs on as normal but you get
"root" access regardless of the user name so long as you use "special"
as the password.  Let me know when you have completed that.

With open source, anyone can do all of these easily.

And, you will never know it.

Lewis

Tracy R Reed wrote:
> 
> On Thu, 10 Dec 1998, Lewis A. Mettler wrote:
> 
> > If you do not understand the problem, you can just say so.
> 
> I do understand the problem. You are trying to insult my intelligence to
> bolster your case. It won't work.
> 
> > Please name the employee that you have assigned to patch the open source
> > OS you use.  Give me the name.
> >
> > I will tell you what he can do to sabotage your system.
> 
> I am that person. And I can sabotage our HP-UX, SCO, and NT systems just
> as well.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Every one we don't catch would be a "yet another major ms security hole",
> and the theory tells us we can't catch all of them.  So, we're just not
> going to start down that path.
>         --paulle@microsoft.com 08/06/98 Bugtraq

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 11:29:02 1998 -0800
Date: Thu, 10 Dec 1998 11:29:02 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <36701683.DD55CC17@lamlaw.com>

On Thu, 10 Dec 1998, Lewis A. Mettler wrote:

> Please disable the requirement for users to provide passwords when they
> log onto HP-UX.
> 
> Go ahead. Do that.  Let me know when you have completed that.

Done. Just blank the password field. Or put + + into the .rhosts file. Or
use hosts.equiv.

> Then put the capability back in and modify it so that if you log on as
> "bogusguy" you always get root access regardless of the password
> submitted.  Let me know when you have completed that for HP-UX.

Done. Account "bogusguy" with uid 0 and no password set.

> Then modify the OS so that everyone else logs on as normal but you get
> "root" access regardless of the user name so long as you use "special"
> as the password.  Let me know when you have completed that.

This is a bit trickier. I would use a sniffer which looks for someone to
enter "special" as their password and then opens a port with access to a
privileged shell.

Anyone with physical access to the machine can do any of these things.
On a commercial OS. The bottom line is that I don't want my data
compromised. Not letting the OS be compromised is just a means to an end.
As long as you allow physical access, you have allowed the data to be
compromised. This has nothing to do with open source software.

> With open source, anyone can do all of these easily.

I have just shown that it can be done with commercial software as well.

> And, you will never know it.

You would know it if you ran tripwire.

--
Tracy Reed      http://www.ultraviolet.org
Every one we don't catch would be a "yet another major ms security hole",
and the theory tells us we can't catch all of them.  So, we're just not
going to start down that path.
        --paulle@microsoft.com 08/06/98 Bugtraq
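
[Added example, not part of the original correspondence.] The message above names three settings that bypass password login on a stock Unix: a blank password field, an extra account with uid 0, and "+" wildcards in .rhosts or hosts.equiv. The sketch below audits for those three. It assumes the standard seven-field passwd format and optional shadow-format text; the function names and the sample data are constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag the login-bypass settings named above: blank password fields,
extra uid-0 accounts, and '+' wildcards in .rhosts / hosts.equiv."""
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    check: str    # short rule name
    source: str   # file the line came from
    line: int     # 1-based line number
    detail: str   # account name or offending line


def _shadow_hashes(shadow_text: Optional[str]) -> Dict[str, str]:
    """Map account name -> hash field from shadow-format text (may be None)."""
    hashes: Dict[str, str] = {}
    for raw in (shadow_text or "").splitlines():
        fields = raw.strip().split(":")
        if len(fields) >= 2 and fields[0]:
            hashes[fields[0]] = fields[1]
    return hashes


def audit_passwd(passwd_text: str, shadow_text: Optional[str] = None,
                 source: str = "/etc/passwd") -> List[Finding]:
    """Report accounts with no password and non-root accounts with uid 0."""
    shadow = _shadow_hashes(shadow_text)
    out: List[Finding] = []
    for n, raw in enumerate(passwd_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            out.append(Finding("malformed-entry", source, n, line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # "x" means the hash lives in the shadow file, when one was supplied.
        if pw == "x" and name in shadow:
            pw = shadow[name]
        if pw == "":
            out.append(Finding("empty-password", source, n, name))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            out.append(Finding("extra-uid0", source, n, name))
    return out


def audit_trust_file(text: str, source: str) -> List[Finding]:
    """Report '+' used as the host or user field of .rhosts / hosts.equiv."""
    out: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        host = tokens[0]
        user = tokens[1] if len(tokens) > 1 else None
        if host == "+" and user == "+":
            out.append(Finding("trust-any-host-any-user", source, n, line))
        elif host == "+":
            out.append(Finding("trust-any-host", source, n, line))
        elif user == "+":
            out.append(Finding("trust-any-user", source, n, line))
    return out


# Constructed sample inputs (not taken from any real system).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1::/:/sbin/nologin
guest::500:500:Guest:/home/guest:/bin/sh
bogusguy::0:0::/:/bin/sh
alice:x:501:501:Alice:/home/alice:/bin/sh
"""
SHADOW_SAMPLE = """\
root:CONSTRUCTEDHASH:10570:0:99999:7:::
alice::10570:0:99999:7:::
"""
RHOSTS_SAMPLE = """\
# constructed sample
trusted.example.com alice
+ +
"""
HOSTS_EQUIV_SAMPLE = "+\nbackup.example.com +\n"


def demo_findings() -> List[Finding]:
    """Run every check over the constructed samples."""
    return (audit_passwd(PASSWD_SAMPLE, SHADOW_SAMPLE)
            + audit_trust_file(RHOSTS_SAMPLE, "/home/alice/.rhosts")
            + audit_trust_file(HOSTS_EQUIV_SAMPLE, "/etc/hosts.equiv"))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.source}:{f.line}: {f.check}: {f.detail}")
```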


From treed@ultraviolet.org Thu Dec 10 19:28:11 1998 -0800
Message-ID: <36702145.13144899@lamlaw.com>
Date: Thu, 10 Dec 1998 11:30:13 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
To: Tracy R Reed 
Subject: Re: OSS Security

Tracy,

Tracy R Reed wrote:
> 
> On Thu, 10 Dec 1998, Lewis A. Mettler wrote:
> 
> > > Having source available makes it much more difficult to compromise the
> > > system such that you can alter it in the first place.
> >
> > False.  Absolutely false.  What you are suggesting is that it is easy to
> > fix bugs without the source code.
> 
> I am not suggesting that at all. You have been doing a lot of hand waving
> throughout this whole exchange. No, it is not easy to fix bugs without the
> source code. That is why open source is more secure. The whole world knows
> how RSA cryptography works, does that make it less secure? Not really.
> Because the algorithm has undergone extensive scrutiny. Nobody has to be
> trusted because everything can be verified with our own eyes. Flaws in the
> algorithms are discovered and repaired making the code as close to perfect
> as possible.

Open source creates a specific security problem related to the fact that
source is available.

You are the one who claims to not see the problem.

By the way, no cryptography is safe if it can be disabled.  And, access
to source code permits anyone to disable it.

> 
> > I do not need an expert to tell me that I can sabotage any system for
> > which I have the source code.
> 
> I think you do need an expert to tell you that open source systems are far
> easier to verify and ensure code correctness than closed systems.

Sorry.  That is not the issue being discussed at all.

I was discussing the security problem created by open source not whether
bad code could be corrected.

I have never even questioned the concept that open source might make it
easier to fix bugs.

Most businesses do not want to spend the time to do so, but if you have
the source, yes it can be done.

For me, it is a waste of time to fix the OS.  That is what I expect to
buy much cheaper.

> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Every one we don't catch would be a "yet another major ms security hole",
> and the theory tells us we can't catch all of them.  So, we're just not
> going to start down that path.
>         --paulle@microsoft.com 08/06/98 Bugtraq

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 11:33:14 1998 -0800
Date: Thu, 10 Dec 1998 11:33:13 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <36702145.13144899@lamlaw.com>

On Thu, 10 Dec 1998, Lewis A. Mettler wrote:

> Open source creates a specific security problem related to the fact that
> source is available.
> 
> You are the one who claims to not see the problem.

I think the problem is that we do not agree on what the problem really is.

> By the way, no cryptography is safe if it can be disabled.  And, access
> to source code permits anyone to disable it.

Again, this comes back to how are YOU going to disable MY cryptography?
So you've got the source. You are going to have to break into my office to
do it. 

> Most businesses do not want to spend the time to do so, but if you have
> the source, yes it can be done.
> 
> For me, it is a waste of time to fix the OS.  That is what I expect to
> buy much cheaper.

Fortunately, it only takes 1 business (or individual) to take the time to
fix it. That fix is then propagated to everyone else. The result is a
higher quality product at dramatically lower cost.

--
Tracy Reed      http://www.ultraviolet.org
Every one we don't catch would be a "yet another major ms security hole",
and the theory tells us we can't catch all of them.  So, we're just not
going to start down that path.
        --paulle@microsoft.com 08/06/98 Bugtraq


From treed@ultraviolet.org Thu Dec 10 19:38:58 1998 -0800
Message-ID: <367023C1.E94A4161@lamlaw.com>
Date: Thu, 10 Dec 1998 11:40:49 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
To: Tracy R Reed 
Subject: Re: OSS Security

Tracy,

Yes.  Physical access.  Inside attacks.

That is precisely the security problem created by open source.

Tracy R Reed wrote:
> 
> On Thu, 10 Dec 1998, Lewis A. Mettler wrote:
> 
> > False.  No root is required from any person before re-installing a bogus
> > OS.
> 
> You are once again assuming physical access because it is convenient for
> you. Given physical access, any commercial OS can be compromised as well.
> This has nothing to do with open source.

False.  Open source is easy to defeat relative to closed source.

You are truly dense.

I can personally disable any and all features of an open source product.

If you claim you can do likewise with closed source, I will not believe
you.

I know for a fact that you can not do so.  Even if you could it would
take 10 or 100 times longer.  And, security is relative.

If it takes 10 times longer then that is more secure.

> 
> > So. You will only find out about the sabotage when?  How often?  Have
> > you checked today already?  Do you check every hour?
> 
> I will find out about any changes each morning. It runs once a day. Yes, I
> have checked already. I could check every hour if I wanted to put that
> much cpu time into it. But this is only the firewall for a financial
> institution. Running tripwire every hour would be excessive.

I find your security measures unacceptable.

> 
> > What makes you even think that your test will trip up?  Your employee
> > fixed it so that your silly test would pass.
> 
> I am the employee. I am not going to sabotage my own system. Another
> employee could, but they could do that to a commercial OS as well. In
> fact, they could just help themselves to the petty cash in the office too.
> That is a human resources problem, not a software problem.

It is true that the owner of a business can not steal or embezzle from
himself.

However, your claims of "so called" security did not limit itself to the
situation with no employees.

One man companies may not have to worry about this issue.  But, I know
of few that meet that qualification.

I thought you said it was a financial institution?  Are you a one person
bank?

> 
> > I can recompile the OS at any time.
> >
> > My OS does not use your floppy.  I changed that code.
> 
> Again, hardware access. I can sabotage any commercial OS given hardware
> access.

I do not believe you.  I know of some that you could not defeat even
given physical access for days.

Boast if you must, but I will not believe you.  You are assuming all
systems are as insecure as those you are familiar with.  They are not.

> 
> > You assume the employee doing your work is not the source of the
> > problem.
> >
> > That is an assumption which you can not make.
> 
> It is also beyond the scope of software engineering to solve such personnel
> problems.

It is not an engineering problem at all.  It is a management problem. 
It is a people related problem.

> 
> > The risk is directly proportional to the number of people who have the
> > source code.
> 
> The risk is inversely proportional. I don't have to worry about what
> happens to my OS when the source code leaks. You do.

You truly do not understand security issues at all.

> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Every one we don't catch would be a "yet another major ms security hole",
> and the theory tells us we can't catch all of them.  So, we're just not
> going to start down that path.
>         --paulle@microsoft.com 08/06/98 Bugtraq

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 19:50:59 1998 -0800
Message-ID: <3670269B.74A2CF01@lamlaw.com>
Date: Thu, 10 Dec 1998 11:52:59 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
To: Tracy R Reed 
Subject: Re: OSS Security

Tracy,

Tracy R Reed wrote:
> 
> On Thu, 10 Dec 1998, Lewis A. Mettler wrote:
> 
> > Please disable the requirement for users to provide passwords when they
> > log onto HP-UX.
> >
> > Go ahead. Do that.  Let me know when you have completed that.
> 
> Done. Just blank the password field. Or put + + into the .rhosts file. Or
> use hosts.equiv.

Did you need "root" access for that?  I do not assume root access.

If Unix is that easy to defeat then Unix is not a very secure OS at
all.  Sounds like the same trick would disable open source as well.

> 
> > Then put the capability back in and modify it so that if you log on as
> > "bogusguy" you always get root access regardless of the password
> > submitted.  Let me know when you have completed that for HP-UX.
> 
> Done. Account "bogusguy" with uid 0 and no password set.

But, again you assume "root" access to set it up.  I do not.

> 
> > Then modify the OS so that everyone else logs on as normal but you get
> > "root" access regardless of the user name so long as you use "special"
> > as the password.  Let me know when you have completed that.
> 
> This is a bit trickier. I would use a sniffer which looks for someone to
> enter "special" as their password and then opens a port with access to a
> privileged shell.

But, if you could not run anything until after the OS got the password?

Sounds like you assume access to a new users data prior to them logging
on.  Some OSs do not permit that function by any application except for
the kernel.  And, you can not change that.

Again, you are assuming that all systems are as insecure as those with
which you have experience.  They are not.

I know of some OSs that will not let you run your so-called sniffer. 
Not even if you are "root".

And, my point was that you can not disable that feature either.

> 
> Anyone with physical access to the machine can do any of these things.
> On a commercial OS. The bottom line is that I don't want my data
> compromised. Not letting the OS be compromised is just a means to an end.
> As long as you allow physical access, you have allowed the data to be
> compromised. This has nothing to do with open source software.

False. Some systems do not give you any access at all to any system data
or programs regardless of your "root" status.

Yes.  And, I would never recommend any system where either I or an
employee of mine could disable or change any security feature as
delivered by the manufacturer.  

Your conclusion that it is not related to the source is false. 
Absolutely false.

Access to the source code of the OS effectively disables any ability of
the user to rely upon security provided by the OS.

You are incorrect.  Open source in fact creates unique and distinct
security problems that do not exist without it.


> 
> > With open source, anyone can do all of these easily.
> 
> I have just shown that it can be done with commercial software as well.
> 
> > And, you will never know it.
> 
> You would know it if you ran tripwire.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Every one we don't catch would be a "yet another major ms security hole",
> and the theory tells us we can't catch all of them.  So, we're just not
> going to start down that path.
>         --paulle@microsoft.com 08/06/98 Bugtraq

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Thu Dec 10 19:56:30 1998 -0800
Message-ID: <367027E3.477C1773@lamlaw.com>
Date: Thu, 10 Dec 1998 11:58:27 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
To: Tracy R Reed 
Subject: Re: OSS Security

Tracy,

I have only identified a problem with open source.  It is not the only
problem.  And, I am not trying to assess overall security of any
systems.  I am only discussing the security problem created by open
source.

Lewis

Tracy R Reed wrote:
> 
> On Thu, 10 Dec 1998, Lewis A. Mettler wrote:
> 
> > Open source creates a specific security problem related to the fact that
> > source is available.
> >
> > You are the one who claims to not see the problem.
> 
> I think the problem is that we do not agree on what the problem really is.
> 
> > By the way, no cryptography is safe if it can be disabled.  And, access
> > to source code permits anyone to disable it.
> 
> Again, this comes back to how are YOU going to disable MY cryptography?
> So you've got the source. You are going to have to break into my office to
> do it.

Again, you assume outsiders.

I am not talking about outsiders.

I am talking about the people you hire and give the source code to.



> 
> > Most businesses do not want to spend the time to do so, but if you have
> > the source, yes it can be done.
> >
> > For me, it is a waste of time to fix the OS.  That is what I expect to
> > buy much cheaper.
> 
> Fortunately, it only takes 1 business (or individual) to take the time to
> fix it. That fix is then propagated to everyone else. The result is a
> higher quality product at dramatically lower cost.

High paid engineers are too expensive.

Do you expect every business to have on the payroll a person qualified
to patch an OS?

Since when?

I could do that myself, but it is not worth my time to do it.


> 
> --
> Tracy Reed      http://www.ultraviolet.org
> Every one we don't catch would be a "yet another major ms security hole",
> and the theory tells us we can't catch all of them.  So, we're just not
> going to start down that path.
>         --paulle@microsoft.com 08/06/98 Bugtraq

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From treed@ultraviolet.org Fri Dec 11 11:37:14 1998 -0800
Date: Fri, 11 Dec 1998 11:37:14 -0800 (PST)
From: Tracy R Reed 
To: "Lewis A. Mettler" 
Subject: Re: OSS Security
In-Reply-To: <367023C1.E94A4161@lamlaw.com>

On Thu, 10 Dec 1998, Lewis A. Mettler wrote:

> You are truly dense.

I think this sums up your argument quite well. You have it firmly planted
in your head that you are right, I am wrong, facts be damned. You can
claim that I simply don't understand all you like but it won't change the
truth. It seems that I have been quite successfully trolled. 
Congratulations.

Judging from:

http://forums.infoworld.com/threads/get.cgi?74183
http://forums.infoworld.com/threads/get.cgi?74243

which someone just pointed me to, I am not alone. You have been presented
with massive amounts of information and opinions from people far more
expert than you and I and you still insist that you are right and everyone
else is wrong. I can not help but wonder what ulterior motive you could
possibly have for trolling people like this. Being a closed source
software developer threatened by open source could possibly be one. Being
located in San Jose, perhaps you are under the influence of other local
software developers could be another. Nothing else really seems to make
sense. After some searching on your postings on the net I have found that
you are fairly infamous for this sort of thing. "proof by repetition"
seems to be a common statement from those who have had dealings with you
in the past. Even the folks I had dinner with last night have read your
postings and agree that your position is completely unsubstantiated and
that you are likely just a troll. Even if you were right, you would have a
hard time convincing anyone of it while maintaining a decent reputation
using the sort of tactics you have demonstrated in our debate and in your
debates which I have read in other places.

--
Tracy Reed      http://www.ultraviolet.org
"Bill Gates is a white Persian cat and a monocle away
from becoming another James Bond villain."
"No Mr Bond, I expect you to upgrade." --Dennis Miller


From treed@ultraviolet.org Fri Dec 11 19:41:22 1998 -0800
Message-ID: <367175DB.43977BED@lamlaw.com>
Date: Fri, 11 Dec 1998 11:43:23 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
To: Tracy R Reed 
Subject: Re: OSS Security

Tracy,

No.  I just happen to know what source code is.

If I can use source code to sabotage your OS, anyone can.  That is very
very easy to do.  You just change the code that you do not like. 
Compile it. And, install it.

These are the same steps you claim can be used to fix a bug.  They are
the same steps.

Sabotaging an open source OS is as simple as fixing a bug.

Maybe you should learn about source code.

Lewis

Tracy R Reed wrote:
> 
> On Thu, 10 Dec 1998, Lewis A. Mettler wrote:
> 
> > You are truly dense.
> 
> I think this sums up your argument quite well. You have it firmly planted
> in your head that you are right, I am wrong, facts be damned. You can
> claim that I simply don't understand all you like but it won't change the
> truth. It seems that I have been quite successfully trolled.
> Congratulations.
> 
> Judging from:
> 
> http://forums.infoworld.com/threads/get.cgi?74183
> http://forums.infoworld.com/threads/get.cgi?74243
> 
> which someone just pointed me to, I am not alone. You have been presented
> with massive amounts of information and opinions from people far more
> expert than you and I and you still insist that you are right and everyone
> else is wrong. I can not help but wonder what ulterior motive you could
> possibly have for trolling people like this. Being a closed source
> software developer threatened by open source could possibly be one. Being
> located in San Jose, perhaps you are under the influence of other local
> software developers could be another. Nothing else really seems to make
> sense. After some searching on your postings on the net I have found that
> you are fairly infamous for this sort of thing. "proof by repetition"
> seems to be a common statement from those who have had dealings with you
> in the past. Even the folks I had dinner with last night have read your
> postings and agree that your position is completely unsubstantiated and
> that you are likely just a troll. Even if you were right, you would have a
> hard time convincing anyone of it while maintaining a decent reputation
> using the sort of tactics you have demonstrated in our debate and in your
> debates which I have read in other places.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "Bill Gates is a white Persian cat and a monocle away
> from becoming another James Bond villain."
> "No Mr Bond, I expect you to upgrade." --Dennis Miller

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From lmettler@lamlaw.com Thu Dec 31 22:09:59 1998
Message-ID: <368BF66D.7E5240AE@lamlaw.com>
Date: Thu, 31 Dec 1998 14:10:53 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
To: treed@freeside.ultraviolet.org
Subject: Re: Mettler and Open Source Security
References: <19981231212106.25206.qmail@freeside.ultraviolet.org>

Treed,

treed@freeside.ultraviolet.org wrote:
> 
> In comp.os.linux.advocacy, you wrote:
> >But, yes, employee trust is an issue.  That is why it can be a big mistake to
> >give all employees a key to all offices in the building.  Likewise giving all
> >employees a copy of the source code for the OS providing security.
> 
> You solve this problem by only giving trusted employees physical access to the
> computer. 

Sorry.  Embezzlement has not been solved using your suggestion.  It will
not solve this problem either.

Ever since money has changed hands, there has been no ability to be sure
so called "trusted employees" do not violate their trust.  And,
employees never tell the company when they are about to do so.

> You have not yet explained how physical access to a closed source
> system results in my inability to tamper with it.

That is a non sequitur.  That is not the security issue being
discussed.

However, there are several closed source systems that you would either
not be able to tamper with or your ability to do so will be very
limited.  I have owned and operated systems for years where those with
physical access had only very limited capabilities.  They could not even
re-install the OS without wiping all discs clean.  Neither could they
access data on backups.  They could perform backups.  They could even
restore data provided it originally came from the same system. 

But, closed systems are not perfectly safe.  No system is.

However, open source systems are never safe.  The OS can simply be
replaced using my modified OS.  You know, the OS I re-wrote to bypass
any inconvenient security measure that got into my way.

That you could not do on a closed source system.  Given enough time,
maybe.

> 
> In fact, there are a lot of things you have not yet explained.

Let your imagination come up with a way to sabotage the OS.

With access to the source code and with the ability to install your own
custom version, any and everything is relatively easy.

> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "Wherever they burn books they will also, in the end, burn human beings."
> -Heinrich Heine

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://WWW.LAMLaw.com/

From lmettler@lamlaw.com Fri Feb 26 17:36:18 1999
Message-ID: <36D6DB36.234BF65C@lamlaw.com>
Date: Fri, 26 Feb 1999 09:34:46 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
To: Tracy R Reed 
Subject: Re: Open Source Security
References: <19990226012713.F32249@ultraviolet.org>

Tracy,

Your reasoning is flawed.

Sun opening up their source absolutely proves nothing about whether that
source can be used to sabotage a system.

It absolutely can be.

Lewis

Tracy R Reed wrote:
> 
> L.A.M.:
> 
> A very interesting thing just happened. Sun opened up their source code. It's
> not Open Source(tm) but anyone can get the source code. This is a prime time
> to point out a major flaw in your reasoning in our previous discussion: All
> those people who bought your argument that OSS was less secure because anyone
> could get the source and backdoor your system easily and went with Solaris
> instead are now screwed. This enforces my point that you cannot count on
> security through obscurity or rely on the fact that the attacker won't have
> source to your OS. Now everyone has access to Solaris source. Who will be next
> to release source? You don't know. So what software are you going to recommend
> people run for a secure system?  Solaris and Linux are now on equal level in
> terms of security, at least by your reasoning.
> 
> --
> Tracy Reed      http://www.ultraviolet.org
> "Although UNIX is more reliable, NT may become more reliable with time"
> - Ron Redman, deputy technical director of the Fleet Introduction
>   Division of the Aegis Program Executive Office, US Navy.

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://www.lamlaw.com/ (web site reviews Microsoft antitrust transcripts
daily)

From lmettler@lamlaw.com Sat Feb 27 18:32:50 1999
Return-Path: 
Delivered-To: treed@ultraviolet.org
Received: (qmail 32622 invoked by uid 0); 27 Feb 1999 18:32:50 -0000
Received: from dfw-ix6.ix.netcom.com (206.214.98.6)
  by dt053nc9.san.rr.com with SMTP; 27 Feb 1999 18:32:50 -0000
Received: (from smap@localhost)
          by dfw-ix6.ix.netcom.com (8.8.4/8.8.4)
	  id MAA08024 for ; Sat, 27 Feb 1999 12:32:15 -0600 (CST)
Received: from sji-ca44-84.ix.netcom.com(209.111.212.212) by dfw-ix6.ix.netcom.com via smap (V1.3)
	id rma007949; Sat Feb 27 12:31:54 1999
Message-ID: <36D839E2.15D7A5F2@lamlaw.com>
Date: Sat, 27 Feb 1999 10:30:58 -0800
From: "Lewis A. Mettler" 
Reply-To: lmettler@lamlaw.com
Organization: Attorney At Law
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tracy R Reed 
Subject: Re: Open Source Security
References: <19990226012713.F32249@ultraviolet.org> <36D6DB36.234BF65C@lamlaw.com> <19990226212410.F2113@ultraviolet.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status: RO
Content-Length: 2042
Lines: 59

Tracy,

You are incorrect.  I have never said closed source is more secure than
open source.

In fact you can not compare the security of any two operating systems on
that basis.

You falsely assume that because I understand a serious security problem
with open source that somehow that answers the whole story.  It does
not.  It can not.

It is no more valid than any claim that open source is more secure.

You have to look at all of the security risks associated with any two
operating systems you might want to compare.

I can compare specific closed systems if that is what you want to do.

But, I have only pointed out that open source creates a security risk
that does not exist with closed source.  That is absolutely the case. 
How important that risk is depends entirely upon the particular
installation.  And, if you insist upon comparisons, then you must
identify which OS you are comparing it to.

Sun's choice to open their source does not even suggest that it is more
secure after the opening versus before.  The contrary is true however.

Sun's Solaris is less secure after the opening.  Why?  Because the
security problem created by open source now applies also to Solaris. 
Now Solaris shops will have to address an additional security problem
they did not face before.  If Sun wants to do that, fine.

Lewis

Tracy R Reed wrote:
> 
> On Fri, Feb 26, 1999 at 09:34:46AM -0800, Lewis A. Mettler wrote:
> > Tracy,
> >
> > Your reasoning is flawed.
> >
> > Sun opening up their source absolutely proves nothing about whether that
> > source can be used to sabotage a system.
> >
> > It absolutely can be.
> 
> Of course it can. I never said it could not. You were presenting closed source
> OS's to be more secure than Open Source OS's. This whole Sun incident should
> point out the flaw in your own reasoning.
> 
> --
> Tracy Reed      http://www.ultraviolet.org

-- 
Lewis A. Mettler, Esq.(Attorney and Software Developer)
lmettler@LAMLaw.com
http://www.lamlaw.com/ (web site reviews Microsoft antitrust transcripts
daily)