> Oh, definitely. Russ's comment about it not being the whole OLE environment
> but rather the web-enabled part of it being the problem is right on. The
> terminology war, however, is lost... the phrase "ActiveX" is going to be
> forever associated with applets, because that's the obvious technology
> difference between OLE and ActiveX.
>
> > Not all that inconceivable. There are perfectly viable
> > alternatives to an MS desktop for anyone who feels like using
> > them.
>
> Unfortunately, no. Not if you want to be able to effectively do business
> in America today. Microsoft's file formats are everywhere, and they work very
> hard at making sure that nothing but their products can use them effectively.
>
> > Microsoft's desktop will always be completely unable to
> > provide any useful security for the exact same reasons as we've seen
> > for years and years with Sendmail.
>
> It's worse than sendmail. Eric Allman isn't trying to make Sendmail do
> everything (there's no http and nntp in there, for example), and Eric
> *is* concerned about security. It's not at the top of the list, but at
> least it's *on* the list.
Just to play Devil's Advocate (I am an openness/source_included
enthusiast!), the main difference between Sendmail and ActiveX
is that the former provides full source while the latter
does not provide any sources.
Sendmail full sources are available, they can be studied
and examined by everyone, and they can be studied by malicious
hackers too. ActiveX sources are not available, and it is
harder, for a malicious hacker, to spot new bugs.
Sendmail is a crystal box while ActiveX is a black box
(remember the old Security Thru Obscurity model?:-).
As a matter of fact, a much larger number of bugs are
found for systems whose sources are available. Installing
patches is an EXPENSIVE activity, so most companies will NOT
install all the patches as they are released by CERTs and
vendors. Not installing new CERT patches is a bad habit, but
companies usually do not have the knowledge/skills/manpower
for keeping their software up to date.
So, is source availability a real advantage for commercial
companies?
--vince