[ale] [ISN] Microsoft to reveal Palladium source code (fwd)

Jonathan Rickman jonathan at xcorps.net
Wed Jun 26 12:09:58 EDT 2002 


This is an interesting twist...

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

---------- Forwarded message ----------
Date: Wed, 26 Jun 2002 02:57:04 -0500 (CDT)
From: InfoSec News <isn at c4i.org>
To: ale at ale.org
To: isn at attrition.org
Subject: [ISN] Microsoft to reveal Palladium source code

http://news.cnet.com/investor/news/newsitem/0-9900-1028-20078887-0.html

By: Robert Lemos
6/24/02 5:45 PM
Source: News.com

Microsoft, long a proponent of keeping source code secret, plans to
publish the source code to a critical part of its Palladium project to
enhance security, a representative of the software giant said Monday.

The component -- some thousands of lines of source code--is the basic
foundation of the security proposed in Microsoft's project and, as
such, is the linchpin for the software giant's trusted-computing
platform.

"We will be publishing the source code because people will need to
trust this," said Mario Juarez, group product manager for the
Palladium project at Microsoft. "To get people to believe in what is
happening in that little piece of code is critical."

On Monday, Microsoft took the wraps off its project, code-named
Palladium, to design new hardware and software that could better
guarantee the security of user data and let companies control data
that they "own" while on a consumer's PC.

However, as part of the public push for acceptance of its technology,
Microsoft plans to release the source code to the guts of the software
component, called the "secure processing environment."

In the past, Microsoft has argued that opening such critical code
could undermine security. But Juarez doesn't think so. "Not at all,"
he said. "In fact, it enhances the security of the code. The RSA
(encryption) algorithm was published at the outset; that's why it's
trusted today."

That admission could undermine the company's repeated claims that
opening the Windows source code would hurt the security of the
company's flagship operating system. The company has used the
assertions to fight against potential antitrust penalties that would
require it to show competitors pieces--or all--of its code.

During testimony in the antitrust case against Microsoft, Jim Allchin,
senior vice president for Windows, said that any remedy that required
the company to reveal the operating system's source code would
strengthen hackers' and virus writers' ability to circumvent
protections.

"The more creators of viruses know about how antivirus mechanisms in
Windows operating systems work, the easier it will be to create
viruses or disable or destroy those mechanisms," Allchin testified.

Programs that are published under open-source tenets allow anyone to
look at the software's source code. Unlike, say, Microsoft Windows XP,
which only comes packaged as extremely difficult-to-understand binary
code, an open-source program lets people copy or modify code to
include improvements--as long as the new code is republished.

The open-source software community and closed-source advocates have
long argued that their own development process leads to better
security. Both sides, however, have had major breaches in security.
Microsoft's Web server had an easily exploitable hole that led to the
Code Red worm epidemic almost a year ago. Linux and other Unix-like
systems had a major flaw in the WU-FTP server, a popular program for
hosting files for downloading. That flaw allowed numerous hackers and
some worms to break into unpatched servers.

A recent research paper argued that open-source and closed-source
software had essentially the same security.

While Microsoft's Juarez doesn't promise that the source code to the
secure processing environment will be open source, he did say that it
will be published.

Bruce Perens, an open-source evangelist and creator of the open-source
definition, said that Microsoft does seem to be contradicting its
prior statements.

"I think what Microsoft is admitting is that it can disclose the
source code to the whole world, and not necessarily hurt the security
of the program," he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo at attrition.org with 'unsubscribe isn'
in the BODY of the mail.


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.

More information about the Ale mailing list