
Source code debate?


Sam Simpson

Apr 9, 2002, 8:44:49 PM
Schneier said in 96 chaps:

"As a cryptography and computer security expert, I have never understood
the current fuss about the open source software movement. In the
cryptography world, we consider open source necessary for good security;
we have for decades."


Think about your security solution. Other people will.

--
Regards,

Sam Simpson
s...@samsimpson.com
http://www.samsimpson.com/

Paul Le Roux

Apr 10, 2002, 9:36:28 AM
Don't you think there is a conflict of
interest when he's making these statements, after all how does he
get business? well it's consulting, what better way for him to make money
than to spread anti-closed-source propaganda while also offering to
review people's code, what would be more useful is if you could tell us
what operating systems, & tools he's actually using in his office.


In article <3CB38B01...@samsimpson.com>, s...@samsimpson.com says...

Sam Simpson

Apr 10, 2002, 10:08:00 AM
Paul Le Roux wrote:
> Don't you think there is a conflict of
> interest when he's making these statements, after all how does he
> get business?
> well it's consulting, what better way for him to make money
> than to spread anti-closed-source propaganda while also offering to
> review people's code, what would be more useful is if you could tell us
> what operating systems, & tools he's actually using in his office.

He does "closed source" program reviews as well, of course.

This quote was written in 96, when he was not the famous guy he is today.

If it helps, Professor David Wagner says the same thing. So does the
NSA, MoD, Ross Anderson etc.

Paul Le Roux

Apr 10, 2002, 11:18:32 AM

yes exactly my point:

first create hysteria that anyone who does not release source
code is actually working on behalf of some government, the NSA,
the police, GCHQ, "insert agency here"

next, insist that anyone who does not release code is a ruthless
profiteer who's given no thought to security in the rush to market

next, insist that anyone who makes bold claims cannot have a
"closed source but secure product", and is just selling snake oil

next, insist that export permission could not possibly have
been granted without some kind of backroom deal with aforementioned
agencies

finally build a reputation as an anti-closed-source evangelist, encourage
converts to your cause, now the rub: tarnish by implication
as many companies as possible, and charge them to "certify"
their closed source products as "secure"

In article <3CB44740...@samsimpson.com>, s...@samsimpson.com says...

Sam Simpson

Apr 10, 2002, 11:20:53 AM
Paul Le Roux wrote:
> yes exactly my point:
>
> first create hysteria that anyone who does not release source
> code is actually working on behalf of some government, the NSA,
> the police, GCHQ, "insert agency here"
>
> next, insist that anyone who does not release code is a ruthless
> profiteer who's given no thought to security in the rush to market
>
> next, insist that anyone who makes bold claims cannot have a
> "closed source but secure product", and is just selling snake oil

I don't think anybody necessarily thinks that closed source = snake oil.

Though loads of people do think that closed source = worthless (me
included).

> next, insist that export permission could not possibly have
> been granted without some kind of backroom deal with aforementioned
> agencies
>
> finally build a reputation as an anti-closed-source evangelist, encourage
> converts to your cause, now the rub: tarnish by implication
> as many companies as possible, and charge them to "certify"
> their closed source products as "secure"

Wagner, Anderson, NSA etc don't have the same motives but do have the
same view.

Kin

Apr 10, 2002, 11:45:17 AM
Sam Simpson <s...@samsimpson.com> wrote in
news:3CB38B01...@samsimpson.com:

> Schneier said in 96 chaps:
>
> "As a cryptography and computer security expert, I have never understood
> the current fuss about the open source software movement. In the
> cryptography world, we consider open source necessary for good security;
> we have for decades."
>
>
> Think about your security solution. Other people will.
>

Heh, the funny thing is that he never released the source code of his
little app Password Safe (that I use and love) until lately.

--
Kin

-Remove NOT and NO_SPAM for personal replies-
And NO SPAM means NO SPAM, be ready to be mail flood if you do not
understand that
Key Id: 0x47873293

Paul Le Roux

Apr 10, 2002, 6:59:30 PM
nobody is expressing disrespect for anybody, his crypto book is
an excellent text, all i'm saying is that it seems to me that anyone
making a living from reviewing source code may have divided and self-serving
loyalties when making statements regarding closed source products

In article <3cb7bd19...@news.atl.bellsouth.net>, arnie...@GoFor21.com
says...

>pau...@rocketmail.com (Paul Le Roux) wrote:
>
>>Don't you think there is a conflict of
>>interest when he's making these statements, after all how does he
>>get business?
>

>I can't help having serious doubts about the integrity of an encryption
>program written by someone who expresses disrespect for Bruce Schneier.
>--
>"Arnie Mokyl" is actually 94168...@GoFor21.com (94168 23570).
> 01234 56789 <-Use this key to decode my email address and name.
> Other messages to this domain will bounce.
>

Paul Le Roux

Apr 11, 2002, 4:55:09 AM
i have not read the article, but the entire closed v's open thing's
been done here thousands of times before...

In article <3cb4f2f...@news.atl.bellsouth.net>, alen.i...@GoFor21.com
says...
>
>pau...@rocketmail.com (Paul Le Roux) wrote:
>
>>nobody is expressing disrespect for anybody, his crypto book is
>>an excellent text, all i'm saying is that it seems to me that anyone
>>making a living from reviewing source code may have divided and self-serving
>>loyalties when making statements regarding closed source products
>

>Sorry, I take that back. It wasn't a very sound argument. Authority really
>has little value in a debate of this nature. But I don't agree with Bruce
>Schneier's view simply because it comes from him, I agree with it because it
>makes good sense to me.
>
>So rather than concern ourselves with who wrote the article at
>http://www.counterpane.com/crypto-gram-9909.html#OpenSourceandSecurity
>maybe we should restrict our discussion to the flaws that you've found in
>it. What in particular about that article do you believe is false?
>--
>"Alen I. Morky" is actually 12769...@GoFor21.com (12769 34580).
> 0123 4 56789 <-Use this key to decode my email address and name.

Flare

Apr 12, 2002, 11:21:29 AM
Endless discussion... Actually, both sides are right.

A message for closed-source security software authors:
You should at least consider releasing the source code
after 1 or 2 years after the product is published.
All your inventions and coding tricks will be mostly
discovered by others and/or not as 'hot' at the time.
People that are looking for open-source products will
then have to use software that is 1 or 2 years behind
the latest technology. To me, this is acceptable as
most products are free of bugs after two years of
development anyway. You would then earn additional
money by selling the product to people who wish to
see the sources.

Regards
David

Paul Le Roux

Apr 12, 2002, 6:22:30 PM
maybe you should go back and read all the posts again,
my posts came before the poster who posted the
message with that link below!!

I have not read the article, nor do I want to
get drawn into open vs closed source debates
because this entire area of discussion has been discussed to death


In article <3cb75b25....@news.atl.bellsouth.net>,
mayo.n...@GoFor21.com says...
>
>Now let me get this straight. You respond to references to the article at
>http://www.counterpane.com/crypto-gram-9909.html#OpenSourceandSecurity
>with this argument:
>
>>Don't you think there is a conflict of
>>interest when he's making these statements...
>
>Then later, you reveal that you haven't even bothered to read the article?
>
>>i have not read the article...
>--
>"Mayo N. Liker" is actually 58932...@GoFor21.com (58932 46071).
>"Mayo N. Liker" is actually 58932...@GoFor21.com (58932 46071).

Paul Le Roux

Apr 13, 2002, 5:23:27 AM
That was a follow up to Arneil Moky's article
in a totally different thread, NOT THIS THREAD!. I replied to his post
criticizing his post not this article itself. This thread started
only 4/10 my comments in this thread preceded the comments of
another poster who posted again, the link to the article
you kindly forced on us below.

As I said before: the closed source vs open source argument's been done
a thousand times, and I certainly don't have the time to go over it all
again, take your crusade to MS they have the time, not me.


In article <3cb76d74....@news.atl.bellsouth.net>,
noam.e...@GoFor21.com says...
>
>pau...@rocketmail.com (Paul Le Roux) wrote:
>
>>maybe you should go back and read all the posts again,
>>my posts came before the poster who posted the
>>message with that link below!!
>
>You posted Message-ID <a8qd2p$nh9$1...@reader05.wxs.nl>, on April 7, 2002, five
>days ago. Within the copied text you incorporated into that post, you
>included the URL of Bruce Schneier's "Open Source and Security" article,
>http://www.counterpane.com/crypto-gram-9909.html#OpenSourceandSecurity which
>is the same article that Sam Simpson quoted from on April 9 to begin this
>thread. You posted this URL yourself five days ago in a follow-up of yours,
>and now you're telling me that *I* should go back and read all the posts?
>
>It's really not a very long article. What if I just hand-deliver it to you?
>
>================================================================
>
>Open Source and Security
>
>As a cryptography and computer security expert, I have never understood the
>current fuss about the open source software movement. In the cryptography
>world, we consider open source necessary for good security; we have for
>decades. Public security is always more secure than proprietary security.
>It's true for cryptographic algorithms, security protocols, and security
>source code. For us, open source isn't just a business model; it's smart
>engineering practice.
>
>Open Source Cryptography
>Cryptography has been espousing open source ideals for decades, although we
>call it "using public algorithms and protocols." The idea is simple:
>cryptography is hard to do right, and the only way to know if something was
>done right is to be able to examine it.
>
>This is vital in cryptography, because security has nothing to do with
>functionality. You can have two algorithms, one secure and the other
>insecure, and they both can work perfectly. They can encrypt and decrypt,
>they can be efficient and have a pretty user interface, they can never
>crash. The only way to tell good cryptography from bad cryptography is to
>have it examined.
>
>Even worse, it doesn't do any good to have a bunch of random people examine
>the code; the only way to tell good cryptography from bad cryptography is to
>have it examined by experts. Analyzing cryptography is hard, and there are
>very few people in the world who can do it competently. Before an algorithm
>can really be considered secure, it needs to be examined by many experts
>over the course of years.
>
>This argues very strongly for open source cryptographic algorithms. Since
>the only way to have any confidence in an algorithm's security is to have
>experts examine it, and the only way they will spend the time necessary to
>adequately examine it is to allow them to publish research papers about it,
>the algorithm has to be public. A proprietary algorithm, no matter who
>designed it and who was paid under NDA to evaluate it, is much riskier than
>a public algorithm.
>
>The counter-argument you sometimes hear is that secret cryptography is
>stronger because it is secret, and public algorithms are riskier because
>they are public. This sounds plausible, until you think about it for a
>minute. Public algorithms are designed to be secure even though they are
>public; that's how they're made. So there's no risk in making them public.
>If an algorithm is only secure if it remains secret, then it will only be
>secure until someone reverse-engineers and publishes the algorithms. A
>variety of secret digital cellular telephone algorithms have been "outed"
>and promptly broken, illustrating the futility of that argument.
>
>Instead of using public algorithms, the U.S. digital cellular companies
>decided to create their own proprietary cryptography. Over the past few
>years, different algorithms have been made public. (No, the cell phone
>industry didn't want them made public. What generally happens is that a
>cryptographer receives a confidential specification in a plain brown
>wrapper.) And once they have been made public, they have been broken. Now
>the U.S. cellular industry is considering public algorithms to replace their
>broken proprietary ones.
>
>On the other hand, the popular e-mail encryption program PGP has always used
>public algorithms. And none of those algorithms has ever been broken. The
>same is true for the various Internet cryptographic protocols: SSL, S/MIME,
>IPSec, SSH, and so on.
>
>================================================================
>--
>"Noam E. Kirly" is actually 84719...@GoFor21.com (84719 06352).

Paul Le Roux

Apr 14, 2002, 5:59:10 AM
In article <3cb9ccbd....@news.atl.bellsouth.net>,
oki.y....@GoFor21.com says...

>
>pau...@rocketmail.com (Paul Le Roux) wrote:
>
>>That was a follow up to Arneil Moky's article
>>in a totally different thread, NOT THIS THREAD!. I replied to his post
>>criticizing his post not this article itself. This thread started
>>only 4/10 my comments in this thread preceded the comments of
>>another poster who posted again, the link to the article
>>you kindly forced on us below.
>
>So because you won't publish your source code, we're expected to assume on
>pure faith that you're intelligent and knowledgeable enough about cryptography
>and computer programming to flawlessly implement standard encryption
>algorithms within a very tricky form of security software; that you have
>successfully accomplished, on the first try, a feat equivalent to the sort
>that the programming teams of Microsoft fail at over and over again.
>

no you can see this for yourself in E4M, don't take my word for it look
at the code - you are a programmer I trust?

>And yet, after all this time, you still haven't figured out the simple code
>in my sig and realized what has been obvious to virtually everyone else on
>Usenet since I began this anti-spam practice several years ago - that each of
>my posts features a different anagram of my name, but they all come from me.

to be honest I never paid much attention to your posts.


Shaun Hollingworth

Apr 14, 2002, 10:08:39 AM
On Sun, 14 Apr 2002 10:10:13 +0200 (CEST), Nomen Nescio
<nob...@dizum.com> wrote:

><yes exactly the point, any open source fanatics out there who
><know how to both make money and publish source?
><i'd like to hear from you.
>
>Here's what I don't understand: someone, in another thread, mentioned that
>there are warez copies of DC available. DC doesn't have source code available
>and yet it is cracked.

I do not know which version is cracked... But all they attack is the
installer....


>So if a prog can be cracked anyway, w/o source code,
>why is giving away source code problematic? Is it a question of being able
>to steal certain design ideas specific to that program if the source code is
>made available?

Yes. And to make their job a lot easier, getting it to work on systems
such as Windows...

Shaun.


Shaun Hollingworth

Apr 14, 2002, 10:40:13 AM
On Wed, 10 Apr 2002 22:37:48 GMT, arnie...@GoFor21.com (Arnie
Mokyl) wrote:

>pau...@rocketmail.com (Paul Le Roux) wrote:
>
>>Don't you think there is a conflict of
>>interest when he's making these statements, after all how does he
>>get business?
>
>I can't help having serious doubts about the integrity of an encryption
>program written by someone who expresses disrespect for Bruce Schneier.
>--

I don't even have respect for God, and I think he's still generally
more highly regarded than Bruce......... ;)

Healthy skepticism isn't always a bad thing, as the folk here
demonstrate only too often....

Regards,
Shaun.

Shaun Hollingworth

Apr 14, 2002, 10:42:48 AM
On 11 Apr 2002 08:55:09 GMT, pau...@rocketmail.com (Paul Le Roux)
wrote:

>i have not read the article, but the entire closed v's open thing's
>been done here thousands of times before...
>


Yep... And the "know alls" here, still have not given us any idea how
to remain commercially viable whilst at the same time opening up
everything for inspection and to be ripped off.......

I _WANT_ my work to be open source.

I also _WANT_ to afford to eat.


Shaun.

Sam Simpson

Apr 14, 2002, 5:04:52 PM
I view it as my job to educate about good security practices.

It's your job (where your = SecureStar) to make money.

Despite Paul's rubbishing of well-reputed cryptographers, the fact is that
the product you sell breaks good security practices simply by the lack
of source availability.

There probably isn't a good way to sell software, protect your IP and
satisfy good security principles.

But that doesn't make the security principles any less valid - it just
means that your target market should be those users who don't understand
good security practices.

Fortunately for SecureStar, the number of people who appreciate these
security principles is low so your market shouldn't be hindered by lack
of source code.

Shaun Hollingworth

Apr 15, 2002, 7:28:56 AM
On Sun, 14 Apr 2002 22:04:52 +0100, Sam Simpson <s...@samsimpson.com>
wrote:

>I view it as my job to educate about good security practices.
>
>It's your job (where your = SecureStar) to make money.
>
>Despite Paul's rubbishing of well-reputed cryptographers, the fact is that
>the product you sell breaks good security practices simply by the lack
>of source availability.

Paul didn't rubbish anyone IMO. He simply said that there may be some
kind of conflict of interests.... And that it may be in the
commercial interest of such cryptographers to maintain their
argument.

>
>There probably isn't a good way to sell software, protect your IP and
>satisfy good security principles.

I intend to release a veneer for the operating system, whose purpose
is to build an OTFE disk encryption system. Then I will write a new
version of DriveCrypt around it.

That veneer will be so flexible and well documented that people would
be even able to write their OWN OTFE disk encryption tools using it if
they wanted, and the only restriction is that it would have to appear
to the system as a container or partition and create a new drive
letter..... and possibly a folder on XP....

We will release ALL the source for our tool except for the OS veneer.

If people want to use it commercially or give it to other people with
code they have written they will have to licence it from us, or come
to some agreement with us.

So imagine if you would, that DriveCrypt 4 was designed to run under
a combination of ShaunOS and Windows, neither of which have source code
available. However the program (DriveCrypt) would have source
available, along with any associated device driver dealing with the
crypto I/O. Neither ShaunOS nor Windows would deal with ANY crypto
routines or key handling, nor would any key or critical data be stored
in any of its buffers.

That is the plan I have in my head.

That people could write their own OTFE system using any crypto code
they wanted, surely will go some way to validate the system, and allay
suspicions... At least for most people.... The only thing I am asking
of them, then is to trust me, more than they might trust Microsoft...
:)

But the current product will need a complete re-write, and it might
as well be done when we re-vamp the product. IE DriveCrypt 4, where
we will also attempt to firmly deal with other criticisms people have
made of the program.

>
>But that doesn't make the security principles any less valid - it just
>means that your target market should be those users who don't understand
>good security practices.

The target market is anyone who has a use for the software we
sell.....

>
>Fortunately for SecureStar, the number of people who appreciate these
>security principles is low so your market shouldn't be hindered by lack
>of source code.

Sometimes I wish you would accept in public, that I am committed to
the argument as much as I can be, and you are preaching to the
converted. So too, is Paul and W.Hafner etc. The problem for us, is to
solve the issue so far as possible, in a way which is commercially
viable so we can stay in the business... The only other option from is
would be for people to get nothing at all and for me to go sweep the
roads of Wickersley..... or get a job behind the bar at Wickersley
Social Club....


Perhaps people who are so committed to the open source argument should
write all the code, and try and make a living at it.....

Regards,
Shaun.
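
Shaun's proposed split (an opaque OS veneer that presents the container as a drive, with all crypto and key handling in a published layer above it) describes a trust boundary that can be checked rather than asserted. What follows is an added example, not SecureStar or DriveCrypt code; the class names, the SHA-256 counter-mode keystream and the HMAC-SHA256 sector tags are assumptions chosen so it runs with only the Python standard library.

```python
"""Layered OTFE sketch: an open crypto layer over an opaque OS veneer.

Constructed example; not SecureStar or DriveCrypt code. OpaqueVeneer stands in
for the closed block-device layer from the thread, OpenCryptoLayer for the part
that would be published. The invariant under test: the veneer only ever handles
ciphertext and tags, never keys or plaintext.
"""
import hashlib
import hmac

SECTOR_SIZE = 512


class OpaqueVeneer:
    """Stand-in for the closed OS layer: a dumb sector store, not trusted with secrets.

    Every byte handed to it is appended to `observed` so the check below can show
    that no key or plaintext material ever crossed the boundary.
    """

    def __init__(self):
        self.sectors = {}
        self.observed = bytearray()

    def write_sector(self, index, data):
        self.observed += data
        self.sectors[index] = data

    def read_sector(self, index):
        return self.sectors[index]


class OpenCryptoLayer:
    """The publishable part: per-sector encryption plus an integrity tag.

    Assumed construction (kept to the standard library): keystream =
    SHA-256(enc_key || sector || counter) in counter mode, tag =
    HMAC-SHA256(mac_key, sector || ciphertext). A shipping product would use
    a tweakable mode such as AES-XTS or an AEAD. Caveat of this counter-mode
    sketch: rewriting a sector reuses its keystream, so old and new ciphertext
    XOR to old plaintext XOR new plaintext; tweakable and wide-block modes
    exist precisely to limit that leak.
    """

    def __init__(self, veneer, enc_key, mac_key):
        self.veneer = veneer
        self.enc_key = enc_key
        self.mac_key = mac_key

    def _keystream(self, sector):
        out = bytearray()
        counter = 0
        while len(out) < SECTOR_SIZE:
            block = self.enc_key + sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        return bytes(out[:SECTOR_SIZE])

    def _tag(self, sector, ciphertext):
        msg = sector.to_bytes(8, "big") + ciphertext
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()

    def write(self, sector, plaintext):
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("plaintext must be exactly one sector")
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(sector)))
        # Only ciphertext and tag cross into the veneer.
        self.veneer.write_sector(sector, ct + self._tag(sector, ct))

    def read(self, sector):
        stored = self.veneer.read_sector(sector)
        ct, tag = stored[:SECTOR_SIZE], stored[SECTOR_SIZE:]
        # The tag binds the sector index, so an altered or swapped sector is rejected.
        if not hmac.compare_digest(tag, self._tag(sector, ct)):
            raise ValueError("sector %d failed integrity check" % sector)
        return bytes(c ^ k for c, k in zip(ct, self._keystream(sector)))


def veneer_saw_secret(veneer, *secrets):
    """True if any secret appears anywhere in what passed through the veneer."""
    observed = bytes(veneer.observed)
    return any(s in observed for s in secrets)


def _rejects(layer, sector):
    """True if reading the sector fails its integrity check."""
    try:
        layer.read(sector)
    except ValueError:
        return True
    return False


def run_demo():
    """Exercise the boundary with constructed data; returns which properties held."""
    enc_key, mac_key = b"\x11" * 32, b"\x22" * 32  # constructed fixed keys
    veneer = OpaqueVeneer()
    layer = OpenCryptoLayer(veneer, enc_key, mac_key)
    sector0 = bytes(range(256)) * 2
    sector1 = b"secret volume header\x00" * 24 + b"\x00" * 8  # 512 bytes
    layer.write(0, sector0)
    layer.write(1, sector1)
    results = {
        "roundtrip": layer.read(0) == sector0 and layer.read(1) == sector1,
        "veneer_saw_secret": veneer_saw_secret(veneer, enc_key, mac_key, sector0, sector1),
    }
    # A misbehaving veneer can still flip bits in a sector...
    tampered = bytearray(veneer.sectors[0])
    tampered[0] ^= 0x01
    veneer.sectors[0] = bytes(tampered)
    results["tamper_detected"] = _rejects(layer, 0)
    # ...or hand back sector 1's bytes when asked for sector 0.
    veneer.sectors[0] = veneer.sectors[1]
    results["swap_detected"] = _rejects(layer, 0)
    return results
```

`run_demo()` returns a dict showing that the round trip works, that neither key nor plaintext ever appeared in the veneer's buffers, and that bit flips and sector swaps by the veneer are caught. What the per-sector tag does not cover is rollback: the veneer could serve an older, correctly tagged copy of a sector, and availability is entirely in its hands. That is the residual trust such a layout still places in the closed layer, which is the "trust me more than Microsoft" part of the argument.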

Sam Simpson

Apr 15, 2002, 7:39:57 AM
On Mon, 15 Apr 2002 12:28:56 +0100, Shaun Hollingworth wrote:

> On Sun, 14 Apr 2002 22:04:52 +0100, Sam Simpson <s...@samsimpson.com>
> wrote:

<SNIP>

>>But that doesn't make the security principles any less valid - it just
>>means that your target market should be those users who don't understand
>>good security practices.
>
> The target market is anyone who has a use for the software we sell.....

With the caveats mentioned previously about lack of source release, of
course (at the moment...)

>
>>Fortunately for SecureStar, the number of people who appreciate these
>>security principles is low so your market shouldn't be hindered by lack
>>of source code.
>
> Sometimes I wish you would accept in public, that I am committed to the
> argument as much as I can be, and you are preaching to the converted.

I've certainly mentioned that before in this group. I know I'm preaching
to the converted, when you read these mails, but others that read these
mails "don't get it".

> So
> too, is Paul and W.Hafner etc. The problem for us, is to solve the issue
> so far as possible, in a way which is commercially viable so we can stay
> in the business... The only other option from is would be for people to
> get nothing at all and for me to go sweep the roads of Wickersley.....
> or get a job behind the bar at Wickersley Social Club....
>
> Perhaps people who are so committed to the open source argument should
> write all the code, and try and make a living at it.....

People do that all the time. Other people don't make a living for it but
do it out of a sense of community.

*BIG* developments, such as the whole of Linux, Apache, OpenOffice,
Mozilla, Postgres, KDE, Gnome, Mono etc *are* released open source.

Shaun Hollingworth

Apr 16, 2002, 8:23:22 AM
On Mon, 15 Apr 2002 12:39:57 +0100, Sam Simpson <s...@samsimpson.com>
wrote:

>
>People do that all the time.

Not out of programs like DriveCrypt they don't.........

>Other people don't make a living for it but
>do it out of a sense of community.
>
>*BIG* developments, such as the whole of Linux, Apache, OpenOffice,
>Mozilla, Postgres, KDE, Gnome, Mono etc *are* released open source.
>


I've no doubt about it..... I am sure if we ever port DriveCrypt to
Linux, it too, will be fully open source. But I am waiting for
Scramdisk Linux to be finished, so I can rip it off........ ;)

What I really mean is that I am willing enough to release the source
for the encrypter... I am not willing to tell people how to make disks
appear on XP, and deal with all the system IOCTLS etc which get issued
to the disk drive code....

It seems that the new idea of an OS veneer, for some non-crypto stuff
may be a runner..... But I have other tasks to deal with before
that...

Regards,
Shaun.

Paul Le Roux

Apr 14, 2002, 7:31:05 PM
In article <3CB9EEF4...@samsimpson.com>, s...@samsimpson.com says...

>
>I view it as my job to educate about good security practices.
>

But what on earth qualifies you from my grandmother in this regard?

>It's your job (where your = SecureStar) to make money.
>
>Despite Paul's rubbishing of well-reputed cryptographers, the fact is that
>the product you sell breaks good security practices simply by the lack
>of source availability.
>

Nobody's rubbishing anyone, I have the utmost respect for Schneier's work,
especially his excellent book(s). I am just pointing out that in
relation to his open source statements, and the "Crypto-Gram"
there may well be "conflicts of interest". I don't ever recall
rubbishing him (a. because he does not deserve that and b. because
it would open me to a libel suit)....

My criticism is that if you make substantial revenues from reviewing source,
it seems to me that scare mongering about closed source, and the hidden
dangers of closed source is a good revenue spinner.

>There probably isn't a good way to sell software, protect your IP and
>satisfy good security principles.

Well, let's hear them!

>
>But that doesn't make the security principles any less valid - it just
>means that your target market should be those users who don't understand
>good security practices.
>

So I'm still waiting for your ideas on what good security practices
are in the real world, if it's don't use anything that's closed source
just because it's closed source, I would say that's foolish, it should
be don't use anything where you have not read every line of source code,
why should I trust an open source product any more than a closed source one
given that I don't have time to review
each line of code even if I could understand what the original programmer
intended! This whole thing is a farce, if I give you 20 000 lines of assembler
code can you tell me what's wrong with it? where the security issues are?


>Fortunately for SecureStar, the number of people who appreciate these
>security principles is low so your market shouldn't be hindered by lack
>of source code.
>

But again they are your principles which seem to be ill-defined
unless you are saying trust everything that's open source without looking
at the code - or are you saying trust open source because someone somewhere
should have looked at it --- which seems equally dangerous!


Andy Jeffries

Apr 17, 2002, 7:19:15 AM
On Tue, 16 Apr 2002 13:23:22 +0100, Shaun Hollingworth wrote:
>>Other people don't make a living for it but do it out of a sense of
>>community.
>>
>>*BIG* developments, such as the whole of Linux, Apache, OpenOffice,
>>Mozilla, Postgres, KDE, Gnome, Mono etc *are* released open source.
>
> I've no doubt about it..... I am sure if we ever port DriveCrypt to
> Linux, it too, will be fully open source. But I am waiting for Scramdisk
> Linux to be finished, so I can rip it off........ ;)

I know this was said with a smiley, but you are more than welcome to rip
off the code and use it in DriveCrypt for Linux...as long as you release
the source code to it under the GPL.

> What I really mean is that I am willing enough to release the source for
> the encrypter... I am not willing to tell people how to make disks
> appear on XP, and deal with all the system IOCTLS etc which get issued
> to the disk drive code....
>
> It seems that the new idea of an OS veneer, for some non-crypto stuff
> may be a runner..... But I have other tasks to deal with before that...

Sounds like a good idea to me. Not as good as having the full code, but
the best compromise I can see based on the conflicts of interest under
discussion.

Cheers,


--
Andy Jeffries
Linux/PHP Programmer
http://www.andyjeffries.co.uk/

- Windows Crash HOWTO: compile the code below in VC++ and run it!
#include <stdio.h>
int main(void){for(;;){printf("Hung up\t\b\b\b\b\b\b");}}

Sam Simpson

Apr 17, 2002, 6:29:35 PM
On Mon, 15 Apr 2002 00:31:05 +0100, Paul Le Roux wrote:

> In article <3CB9EEF4...@samsimpson.com>, s...@samsimpson.com says...
>>
>>I view it as my job to educate about good security practices.
>>
>>
> But what on earth qualifies you from my grandmother in this regard?

Your grandmother may be a good InfoSec practitioner for all I know, so I
can't argue with that point ;)

>>It's your job (where your = SecureStar) to make money.
>>
>>Despite Paul's rubbishing of well-reputed cryptographers, the fact is that
>>the product you sell breaks good security practices simply by the lack
>>of source availability.
>>
>>
> Nobody's rubbishing anyone, I have the utmost respect for Schneier's
> work, especially his excellent book(s). I am just pointing out that in
> relation to his open source statements, and the "Crypto-Gram" there may
> well be "conflicts of interest". I don't ever recall rubbishing him (a.
> because he does not deserve that and b. because it would open me to a
> libel suit)....
>
> My criticism is that if you make substantial revenues from reviewing
> source,

Which to my knowledge he doesn't. Cite?

> it seems to me that scare mongering about closed source, and the
> hidden dangers of closed source is a good revenue spinner.

Yeah. Or maybe we can drop the conspiracy theory and believe that all of
these independent, educated professionals are talking about "best
practice".

>>There probably isn't a good way to sell software, protect your IP and
>>satisfy good security principles.
>
> well lets hear them!

Hear what? I've said there "probably isn't" e.g. I don't have, and I
haven't seen a solution.

Still besides the point, you are selling a solution that doesn't meet the
simple hurdle of "peer-review".


>>But that doesn't make the security principles any less valid - it just
>>means that your target market should be those users who don't understand
>>good security practices.
>>
>>
> So I'm still waiting for your ideas on what good security practices are
> in the real world,

People have written whole books on this subject, see e.g. Security
Engineering by Anderson.

> if it's don't use anything that's closed source just
> because it's closed source, I would say that's foolish, it should be
> don't use anything where you have not read every line of source code,
> why should I trust an open source product anymore than a closed source
> one given that I don't have time to review each line of code even if I
> could understand what the original programmer intended!

Compare the development of IE with Mozilla. (some) People know what
every line does in Mozilla. It's auditable. People can review code and
say "oh, I think we're going to have a 'back button' problem (see e.g.
http://online.securityfocus.com/archive/1/267561) with this
code". This kind of peer review happens with open source code, and it
doesn't with closed source.


> This whole thing
> is a farce, if I give you 20 000 lines of assembler code can you tell me
> what's wrong with it? where the security issues are?

Given time and motivation, yes.

>>Fortunate for SecureStar, the number of people who appreciate these
>>security principles is low so your market shouldn't be hindered by lack
>>of source code.
>>
>>
> But again they are your principles which seem to be ill-defined unless
> you are saying trust everything that's open source without looking at
> the code - or are you saying trust open source because someone somewhere
> should have looked at it --- which seems equally dangerous!

Erm, I've looked at the code of e4m, Scramdisk, PGP, GPG etc.

Opening source code to Mozilla, Apache et al certainly hasn't hurt
security - compare to IE, IIS etc.
