[ale] [ISN] Microsoft to reveal Palladium source code (fwd)
John Wells
jb at sourceillustrated.com
Wed Jun 26 13:58:25 EDT 2002
A small concession and strategic move. The simple fact that binaries have
to be signed digitally means that if you or I compile *any* source,
whether kernel, app, etc., it won't run. Only authorized certified
binaries will. That's the kicker...it defeats open source by using one of
its best and most important benefits against itself...
John
Jonathan Rickman said:
>
> This is an interesting twist...
>
> --
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net
>
> ---------- Forwarded message ----------
> Date: Wed, 26 Jun 2002 02:57:04 -0500 (CDT)
> From: InfoSec News <isn at c4i.org>
> To: isn at attrition.org
> Subject: [ISN] Microsoft to reveal Palladium source code
>
> http://news.cnet.com/investor/news/newsitem/0-9900-1028-20078887-0.html
>
> By: Robert Lemos
> 6/24/02 5:45 PM
> Source: News.com
>
> Microsoft, long a proponent of keeping source code secret, plans to
> publish the source code to a critical part of its Palladium project to
> enhance security, a representative of the software giant said Monday.
>
> The component -- some thousands of lines of source code--is the basic
> foundation of the security proposed in Microsoft's project and, as such,
> is the linchpin for the software giant's trusted-computing
> platform.
>
> "We will be publishing the source code because people will need to trust
> this," said Mario Juarez, group product manager for the
> Palladium project at Microsoft. "To get people to believe in what is
> happening in that little piece of code is critical."
>
> On Monday, Microsoft took the wraps off its project, code-named
> Palladium, to design new hardware and software that could better
> guarantee the security of user data and let companies control data that
> they "own" while on a consumer's PC.
>
> However, as part of the public push for acceptance of its technology,
> Microsoft plans to release the source code to the guts of the software
> component, called the "secure processing environment."
>
> In the past, Microsoft has argued that opening such critical code
> could undermine security. But Juarez doesn't think so. "Not at all," he
> said. "In fact, it enhances the security of the code. The RSA
> (encryption) algorithm was published at the outset; that's why it's
> trusted today."
>
> That admission could undermine the company's repeated claims that
> opening the Windows source code would hurt the security of the
> company's flagship operating system. The company has used the
> assertions to fight against potential antitrust penalties that would
> require it to show competitors pieces--or all--of its code.
>
> During testimony in the antitrust case against Microsoft, Jim Allchin,
> senior vice president for Windows, said that any remedy that required
> the company to reveal the operating system's source code would
> strengthen hackers' and virus writers' ability to circumvent
> protections.
>
> "The more creators of viruses know about how antivirus mechanisms in
> Windows operating systems work, the easier it will be to create
> viruses or disable or destroy those mechanisms," Allchin testified.
>
> Programs that are published under open-source tenets allow anyone to
> look at the software's source code. Unlike, say, Microsoft Windows XP,
> which only comes packaged as extremely difficult-to-understand binary
> code, an open-source program lets people copy or modify code to
> include improvements--as long as the new code is republished.
>
> The open-source software community and closed-source advocates have long
> argued that their own development process leads to better
> security. Both sides, however, have had major breaches in security.
> Microsoft's Web server had an easily exploitable hole that led to the
> Code Red worm epidemic almost a year ago. Linux and other Unix-like
> systems had a major flaw in the WU-FTP server, a popular program for
> hosting files for downloading. That flaw allowed numerous hackers and
> some worms to break into unpatched servers.
>
> A recent research paper argued that open-source and closed-source
> software had essentially the same security.
>
> While Microsoft's Juarez doesn't promise that the source code to the
> secure processing environment will be open source, he did say that it
> will be published.
>
> Bruce Perens, an open-source evangelist and creator of the open-source
> definition, said that Microsoft does seem to be contradicting its
> prior statements.
>
> "I think what Microsoft is admitting is that it can disclose the
> source code to the whole world, and not necessarily hurt the security of
> the program," he said.
>
>
>
> -
> ISN is currently hosted by Attrition.org
>
> To unsubscribe email majordomo at attrition.org with 'unsubscribe isn' in
> the BODY of the mail.
>
>
> ---
> This message has been sent through the ALE general discussion list. See
> http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list