Great Circle Associates Firewalls
(July 1997) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Source Code sharing (was Re: Check Point response to Mossad rumor)
From: Bill Stout <stoutb @ pios . com>
Date: Thu, 10 Jul 1997 17:13:03 -0400
To: firewalls @ greatcircle . com 
At 10:06 AM 7/10/97 -0400, Chris Inskeep wrote:
>Is it common for security application software vendors to license copies
>of their source code -- surely everyone agrees that a firewall is an
>application running atop an operating system?  See, that is where we're
>in a different ballpark from Sun (or the other UNIX vendors) and
>Microsoft (DOES Bill sell source licenses for NT? -- I'd think so, but
>don't really know for sure.)  But more to the point, does ORACLE,
>Informix, or Sybase sell source licenses for their trusted RDBMS's? 
>Does SAIC or PRC sell source licenses for their centralized audit
>products?  Does ICL sell source licenses for its unitary logon systems?

Many people share source, under threat of dire consequences from the author
if the source is 'compromised' by the sharee.  Also sometimes government
contract requires a copy of source to be surrendered if the vendor goes out
of business.

As a systems manager at <Japanese mainframe company> I had access to source
from multiple vendors including IBM, Oracle, Informix, and others.  We had
to test and approve software which was to run on our IBM-compatible
Mainframes (running UNIX in our case), and occasionally debug and point out
errors to the vendors.  Having source from both Oracle and Informix (not to
mention suspected compeditive interest from IBM and Amdahl) made me very
conscious about the security of my net from both the internet and our
partners.  

I was told <Japanese mainframe company> had NT source code (which caught my
attention), but all source is strongly protected even internally.  I suspect
that DEC, Tandem, Intel, MIPs, Motorola and Compaq also have NT code.  

I convinced the group to start bundling the Apache webserver source (with
Apache group O.K.) with OSF/1 Unix for Mainframes (after much binaries vs.
source debate), though they wouldn't go as far as Stronghold (worked fine,
crypto export concerns stopped it).  (Cool since your data warehouse is
there too, bad for promoting the division of business rules from data, but I
digress). Since you can partition a Mainframe as if it were multiple systems
(w/B-level internal security except maybe covert channel signaling via
system load), I also considered asking a few programmers to compile TIS
source for a partition, but then remembered that though Mainframes have lots
of bandwidth internally, aren't the fastest network servers, though again I
digress...

Bill Stout
Indexed By Date Previous: Training Sources for security/firewall knowledge..
From: Mark Teicher <mht @ clark . net>
Next: Re: Firewall and B2??
From: Leonard Miyata <leonard @ geminisecure . com>
Indexed By Thread Previous: (related, but off-topic) Networking Profession...
From: ubik <ubik @ pdnt . com>
Next: [no subject]
From: "Axel Quero" <axelque @ mail . compusep . com>
Google
 
Search Internet Search www.greatcircle.com