Slashdot Mirror


'Think Tank' Issues Microsoft-Funded Troll

dlur (among many others) writes: "According to this ZDNet article, a Washington think tank known as the Alexis de Tocqueville Institution is soon to release a study stating that Open Source Software allows terrorists an easy time hacking into our systems. It's little surprise that this group takes money from Microsoft." The Register's story is good too. All the whoring reports in the world won't make open source any less secure. This same institute backed destabilizing, unworkable '80s missile defense and thinks Alexis de Tocqueville would have wanted the V-22 Osprey deathplane. Also, see what their coin-operated policy dispenser spat out for internet privacy (eat what you're fed) and antitrust (advantage of Microsoft monopoly: "manufacturers of computer hardware need to provide only one driver"). We weren't going to run this, but there were a lot of submissions, so ...

15 of 598 comments

  1. Here's the solution.... by i_want_you_to_throw_ · · Score: 5, Informative

    I am a lone outpost of open source in the military agency where I work. My solution: just show them the NSA-funded SE Linux information.

    Who are the green suiters going to trust? A bunch of paid "think tank" lackeys or the good ole spooks behind the triple fence?

    So far NSA's advocacy has been used to let me get away with all kinds of open source implementation.

    Of course, NSA has an agenda too I'm sure but that's between the military and NSA.

  2. Still no reply to the email I sent Ken by NZheretic · · Score: 5, Informative
    To: kenbrown@adti.net

    Subject: "Opening the Open Source Debate"

    Date: 31 May 2002 15:45:59 +1200

    Some references you might wish to consider before publishing your article "Opening the Open Source Debate"

    http://www.businesswire.com/cgi-bin/f_headline.cgi?bw.053002/221502375

    Bruce Schneier, one of the recognized leading experts on computer security, on Kerckhoffs' Principle and Secrecy, Security, and Obscurity of software.

    http://www.counterpane.com/crypto-gram-0205.html#1

    Dr. Blaine Burnham, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA), gives a keynote speech overview of current encryption and security technologies and outlines possible strategies for future defense.

    http://technetcast.ddj.com/tnc_play_stream.html?stream_id=411

    Also you might wish to address the issue of Microsoft's disproportionately high number of open vulnerabilities in its Internet Explorer components, all of which were discovered without access to the source code.

    http://jscript.dk/unpatched/

    Richard Purcell, Microsoft's director of corporate privacy, has recently stated that any major improvement in regard to the security of its products may be at least "5, 10 years, maybe".

    http://www.businessweek.com/technology/content/may2002/tc20020523_6029.htm

    As for the issue of Trojan horse injection into open source code, it is far from being an open source only issue.

    http://www.eeggs.com/

    Or were all the "Easter Eggs" currently found in Microsoft's products officially authorized?

    If you are looking for a methodology for providing a suitably secure and hardened solution, start with a real world example.

    http://www.openbsd.org/security.html

    I welcome any open debate.

  3. Re:Open Source Easier to Hack by yobbo · · Score: 4, Informative

    Well, open source software is by far the easiest to hack, because the source code is actually available to you to hack with.

    If you're talking about open source software being easier to crack, that's a whole different story...

  4. Bruce Schneier said it best: by evilpaul13 · · Score: 5, Informative

    "And don't forget Kerckhoff's assumption: If the strength of your new cryptosystem relies on the fact that the attacker does not know the algorithm's inner workings, you're sunk. If you believe that keeping the algorithm's insides secret improves the security of your cryptosystem more than letting the academic community analyze it, you're wrong. And if you think that someone won't disassemble your code and reverse-engineer your algorithm, you're naive. The best algorithms we have are ones that have been made public, have been attacked by the world's best cryptographers for years, and are still unbreakable."
    --Bruce Schneier; Applied Cryptography (Second Edition); page 7

    This seems to apply perfectly to this latest FUD about open source software.

  5. Re:Open Source Easier to Hack by Bastian · · Score: 3, Informative

    Thankfully, a lot of the notorious hacker groups who are known for finding security holes (l0pht and cDc come to mind) are also known for publishing information about those security holes, not with the interest of telling script kiddies and black hat hackers how to get into the system, but for the purpose of calling attention to the holes so they are closed.

    I'm not a hacking expert, but I have a feeling that finding security holes by reading the source code of software isn't much easier than prodding at it until a hole is found.

    With buffer overflows, for example, I'd imagine it's much easier to find the overflows by setting up a computer running whatever software you are trying to exploit and letting a program designed to keep trying to exploit overflows until it finds the overflow. If you can figure out where in memory that buffer is with some sort of debugger, the job is probably even easier.
    There's also the good old OpenBSD poster child.

  6. Re:In fact, Open Source is SO insecure... by tweakt · · Score: 3, Informative
    For Example:

    Rapidsite/Apa/1.3.20 could be some bastardized version of Apache which is closed source...

    Though mod-ssl is open source.
    As well as OpenSSL... (duh)..

  7. Re:Loudest by ninewands · · Score: 4, Informative
    What I do not understand is why there aren't any similar groups for the OpenSource / non-Darkside avocations.

    You mean like This Article??

    Just in case CRN gets slashdotted, an excerpt speaking on the subject of Linux in the federal government:

    The software appears to be winning friends among military and intelligence agencies.

    A study completed for the Pentagon by the Mitre last week identified 249 U.S. government uses of open-source computer systems and tools, with Linux running on several Air Force computers, along with systems run by the Marine Corps, the Naval Research Laboratory and others.

    The report recommended further use of open-source computing systems, on the grounds that they were less vulnerable to cyberattacks and far cheaper.


    'Nuff said. I think I would believe a federally-funded study by Mitre Corp. (a scientific research organization that, among other things, hosts the CVE database) before I would buy into a study by a think tank 1) that lacks Mitre's technical muscle and, 2) has a history of whoring for inter alia Microsoft, the tobacco industry, and various egregious polluters. Remember Mindcraft?

  8. Re:Off-topic: missile defense by Zeinfeld · · Score: 3, Informative
    You are aware, are you not, that the Reagan administration's emphasis on missile defense technology forced the Soviets to spend billions on research into their own missile defense systems? And that that level of unsustainable spending contributed directly to the collapse of the Soviet economy, and the eventual dissolution of the USSR as a political entity?

    A theory that was only advanced as a strategy after the fact. There is no reason to believe that we were being lied to in the 1980s when we were told that NATO believed that it could only hold off a USSR invasion of Western Europe for 4 days before being forced to resort to nuclear weapons. The generals who I discussed the strategy with in the 1980s believed that they were acting to defend against a real threat, not to break an already beaten enemy.

    The theory is in any case bunk if you happen to look at Soviet economic history. To first order the Soviet economy never really recovered from the second world war. The economy was already stagnant when Brezhnev took over. By the time star wars was proposed Gorbachev was already redirecting resources from the military economy to the civilian economy. The USSR never responded to star wars, therefore the theory that proposing star wars brought down the USSR is false.

    As for anyone having dissolving the USSR as a political objective, I don't think that was ever a US policy objective of any kind (with the exception of the Baltic states). Better to have all those missiles under control rather than have a Balkan situation with nuclear weapons.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  9. Re:Now, from the people who brought you Sendmail by ninewands · · Score: 3, Informative

    Actually, sendmail is used to ... errrr ... SEND mail. My ISP does not relay, so I HAVE to run my own MTA because I don't connect to one of their IP blocks. I use exim at home rather than sendmail, but I administer about 100 Unix boxen at work that use sendmail for, among other things, remote security logging, availability monitoring (the hostwatcher e-mails my pager when a monitored host goes down), and just GOBS of other admin tasks. E-mail really IS the killer app of the internet.

    All that being said, if all you need is a client sendmail mailserver, DO NOT generate your sendmail.cf from the nullclient.mc file distributed with sendmail. It WILL create an open relay. I can't get to the m4 file I created to do the trick right now, but I will be happy to provide it to any sendmail admin who wants it if they e-mail me at cwilkin3-AT-egr-DOT-uh-DOT-edu. The file generates a sendmail.cf equivalent to what nullclient.mc creates, but without the relay enabled.

  10. Re:Security through Obscurity isn't all bad... by tupps · · Score: 3, Informative

    The NSA does disclose their systems. If I remember correctly the NSA had a helping hand in many of the publicly available crypto routines.

    They also released Secure Linux

    Also, the NSA is about *breaking* systems, which they thankfully don't release the source to.

    --
    Go out and get sailing!
  11. Re:"Not going to post this..." by chrisd · · Score: 3, Informative
    Well, we thought it was a pretty hard core troll, for one. Also, I can't d/l the actual report yet, which was my initial reason for not linking to it. Also, I'm just speaking for me, the other authors may have deleted it for other reasons.

    I personally don't like posting microsoft stories much, and this one kind of qualified as that too. I mean, that's part of what slashdot is about, so I do post them, but I don't like to post the exchange bug of the week, or the outrageous steve ballmer comment of the month, whatever.

    So maybe that clears things up.

    chrisd

    --
    Co-Editor, Open Sources
    Open Source Program Manager, Google, Inc.
  12. [Very OT] Re:Your .sig by metallidrone · · Score: 2, Informative

    If I had to guess without consulting documentation, I'd say:
    :(){ #define function ':' which takes no arguments
    :|:& # call ':' and pipe its output into
    # another running copy of itself, running
    # this in the background
    }; #end of function
    : #call our function

    More readably: function destroy () { destroy | destroy & }; destroy

    Note that each call to : will recursively expand into no fewer than two calls, both of which again invoke two new copies, so it expands very quickly. Since you probably have no shell restrictions by default, it did the same thing a fork bomb would: fill your process table instantly and consume all your memory and processor time.

    If you use bash (or probably any bash-like shell), you may have ulimit available. With ulimit's -u switch, you can set how many processes you may start and probably avoid the situation you described. I believe there are similar ways to achieve this in the kernel (probably by recompiling), but I'm not familiar enough to tell you how.

    As a general rule, don't run suspicious code (e.g., code found in .sigs on slashdot :) that has &'s in it. That function would be easier to stop (using Ctrl-Z or Ctrl-C) if it didn't use & (which disconnects the keyboard from the program's stdin/stdout).

    I hope this post has been informative enough to outweigh its off-topic nature.
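    The process limit the comment above recommends is RLIMIT_NPROC, which is what `ulimit -u` sets. The following Python script is an added example, not code from the thread or from any of its posters: it shows the kernel refusing a fork() once that limit is reached, which is the mechanism that contains a real fork bomb. It never runs a fork bomb itself. A throwaway child lowers its own limit and attempts exactly one fork(); the parent is unaffected because resource limits are only inherited downward. The exit codes and function names are constructed for this example. One caveat a practitioner needs: processes running as root in the initial user namespace, or holding CAP_SYS_RESOURCE/CAP_SYS_ADMIN, bypass the RLIMIT_NPROC check, so `ulimit -u` protects ordinary users but not a root shell.

```python
"""Demonstrate RLIMIT_NPROC (the limit `ulimit -u` sets) as a fork-bomb defence.

Added example, not from the Slashdot thread. A throwaway child process clamps
its own per-user process limit to 1 and then attempts a single fork(); the
kernel refuses with EAGAIN ("Resource temporarily unavailable"), the same
refusal that eventually stops `:(){ :|:& };:` once the limit is hit. The parent
process keeps its original limits. Linux/Unix only (uses os.fork).
"""
import os
import resource

# Constructed exit codes the child uses to report its result to the parent.
EXIT_FORK_REFUSED = 3
EXIT_FORK_ALLOWED = 4
EXIT_LIMIT_REJECTED = 5


def current_nproc_limit():
    """Return (soft, hard) RLIMIT_NPROC for this process; -1 means unlimited."""
    return resource.getrlimit(resource.RLIMIT_NPROC)


def _probe_fork_under_limit(limit):
    """Runs only inside the throwaway child: clamp the limit, try one fork, report."""
    try:
        # Lowering both soft and hard limits is permitted for an unprivileged process.
        resource.setrlimit(resource.RLIMIT_NPROC, (limit, limit))
    except (ValueError, OSError):
        os._exit(EXIT_LIMIT_REJECTED)
    try:
        pid = os.fork()
    except BlockingIOError:  # EAGAIN: the kernel refused to create another process
        os._exit(EXIT_FORK_REFUSED)
    if pid == 0:
        os._exit(0)  # grandchild: only reached when the limit was not enforced
    os.waitpid(pid, 0)
    os._exit(EXIT_FORK_ALLOWED)


def fork_refused_under_limit(limit=1):
    """Fork a child that lowers RLIMIT_NPROC to `limit` and attempts one fork().

    Returns True if the kernel refused the child's fork, False if it was allowed
    (root in the initial user namespace and holders of CAP_SYS_RESOURCE or
    CAP_SYS_ADMIN bypass the check), and None if the limit could not be set.
    """
    pid = os.fork()
    if pid == 0:
        _probe_fork_under_limit(limit)  # never returns
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    if code == EXIT_FORK_REFUSED:
        return True
    if code == EXIT_FORK_ALLOWED:
        return False
    return None


def bypasses_nproc_limit():
    """Root normally carries the privileges that exempt it from RLIMIT_NPROC."""
    return os.geteuid() == 0


if __name__ == "__main__":
    print("RLIMIT_NPROC (soft, hard):", current_nproc_limit())
    print("fork() refused under a limit of 1:", fork_refused_under_limit(1))
    print("running with root privileges (limit bypassed):", bypasses_nproc_limit())
```

    Run it as an ordinary user and the second line reports True; run it as root and it reports False, which is exactly why a per-user `ulimit -u` belongs in the login environment of unprivileged accounts rather than being relied on for root.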

  13. Wired Article sez... by Flamester · · Score: 2, Informative

    Did MS Pay for Open-Source Scare?

    Quote:

    A Microsoft spokesman confirmed that Microsoft provides funding to the Alexis de Tocqueville Institution.

    "We support a diverse array of public policy organizations with which we share a common interest or public policy agenda such as the de Tocqueville Institution," the spokesman wrote in an e-mail.

    --
    The surgeon general has determined that Windows may be hazardous to your wallet.
  14. Microsoft advocacy by magi · · Score: 3, Informative
    You might want to take a look at their technology pages, especially the Anti-trust & Internet Regulation Program and Intellectual Property Program sections.

    Many of the headlines are quite revealing about their intentions. Many are about the importance of MCSE:
    • Inc. 500 Shops Value Certification Most (MCSE vs college degrees)
    • Familiarity Breeds Respect
      "Recruiters tend to hire MCSEs just as often, if not more so, than those with a four-year college degree."
    • Technology Trends: Program Provides Information For New Age

      "Eighty-seven percent of human resource managers surveyed believed that MCSE's are equally or more successful than college students."
    • The Impact of Technology Training Programs Case Study: MCSE Training
    And then there are numerous anti-trust criticism articles:
    • Break up Microsoft? Rest of world pooh-poohs the notion
    • Press Release: Japan, Switzerland, and the EU do NOT insist on breakup of Microsoft, unlike the U.S.
    • Fine Microsoft, use funds for new competition (anti-breakup)
    • Fine Microsoft and use funds to catalize new competition (anti-breakup)
    • Break-up Remedy for Microsoft Not Supported by Key Democrats
    • Technology and The Congressional Black Caucus (Microsoft anti-trust)
    • Breaking Windows Over Antitrust Dogma
    • Pause the Microsoft Case and Examine U.S. Anti-trust Policy
    • Punishing Winners Hurts the Marketplace
    • Suit Threatens U.S. Computer Dominance
    • Taking a Byte Out of Microsoft

    Etc. Also lots of articles about the precious intellectual property rights, although not specifically in relation to Microsloth.