'Think Tank' Issues Microsoft-Funded Troll

dlur (among many others) writes: "According to this ZDNet article, a Washington think tank known as the Alexis de Tocqueville Institution is soon to release a study stating that Open Source Software allows terrorists an easy time hacking into our systems. It's little suprise that this group takes money from Microsoft." The Register's story is good too. All the whoring reports in the world won't make open source any less secure. This same institute backed destabilizing, unworkable '80s missile defense and thinks Alexis de Tocqueville would have wanted the V-22 Osprey deathplane. Also, see what their coin-operated policy dispenser spat out for internet privacy (eat what you're fed) and antitrust (advantage of Microsoft monopoly: "manufacturers of computer hardware need to provide only one driver"). We weren't going to run this, but there were a lot of submissions, so ...

Loudest

[inflex]

What I do not understand is why there aren't any similar groups for the OpenSource / non-Darkside avocations.

If MS can fund groups such as these to spill forth what is obviously [then again, not much is obvious it seems to the 90% of the population] utter trash, surely we [ non-MS ] can do the same.

If this group spills out such toxic waste words as these, why does it gain so much attention in the general public?

Is there any reason why we cannot write an article stating "Microsoft Closed source enables Terrorists to easially render 90% of the information market paralized"... (after all, there is far more 'hard' evidence in the form of email-worms etc than there is behind what has been written in this article).

And they're running...

[coats]

Rapidsite/Apa/1.3.20 (Unix), FrontPage/4.0.4.3, mod_ssl/2.8.4, and OpenSSL/0.9.6 on an IRIX machine, according to NetCraft's "What's that site running?" at http://uptime.netcraft.com/up/graph

They're not running their touted monoculture on their own web servers!

Re:Slashdot==idiots

[DNS-and-BIND]

In a remarkable tete-a-tete with a US journalist and former arms control official, Marshal Nikolai Ogarkov, First Deputy Defense Minister and Chief of the General Staff, interpreted the real meaning of SDI: "We cannot equal the quality of U.S. arms for a generation or two. Modern military power is based on technology, and technology is based on computers. In the US, small children play with computers.... Here, we don't even have computers in every office of the Defense Ministry. And for reasons you know well, we cannot make computers widely available in our society. We will never be able to catch up with you in modern arms until we have an economic revolution. And the question is whether we can have an economic revolution without a political revolution."

Read that last sentence again - it's a thousand-pound gorilla.

Where's the Evidence?

[waldoj]

I'm sorry to be a party-pooper, but where's the evidence that they take money from Microsoft? The ZDNet article says nothing about that, and the talkback comments (at least the few dozen that I read) provide no evidence along those lines, either. The Register says that Richard Smith says that they take money from Microsoft, though they present no evidence along those lines. Smith's a cool guy and all, and he's got a good track record, but I'm going to need a little more than a second-hand non-credited reference to believe this.

I did a little poking around and a little Googling, but was unable to come up with any evidence on my own.

So, please, could somebody enlighten me?

-Waldo Jaquith

Re:Where's the Evidence?

[interiot]

Check out their job application form. Applicants are asked to rate from 0 to 10 how interested they are in doing a list tasks. A few of them are:

• Make fund raising calls
• Put together a list of organizations interested in an issue
• Find organizations and individuals that might support a particular AdTI program

So they're a research-for-hire house, and they're going to send out a press-release that says Open Source is insecure. Now put yourself in a new-hire's shoes... Name a company that has deep pockets and might be interested in funding anti-OSS "research"...

Open source helps terrorists?

[The+FooMiester]

Google search for al qaeda and microsoft

Google search for al qaeda and linux

Those search results speak for themselves on who helps terrorists.

They Also Backed the Tobacco Companies

[elfdump]

This group also claimed, during Congressional probes into tobacco company fraud, that cigarettes and tobacco products were not harmful to your health. From this memo by a director of the World Health Organization:

"In addition to creating front groups and contributing funds to groups that have a mission broad enough to carry some of the tobacco industry's goals, the tobacco companies also use publications by allegedly independent think tanks, such as the Virginia-based Alexis De Tocqueville Institution. This group's 1994 report "Science, Economics, and Environmental Policy: A Critical Examination" criticizes the US Environmental Protection Agency's risk assessment methods in 4 areas: environmental tobacco smoke, radon, pesticides, and hazardous cleanup. It dismisses in its first chapter the agency's risk assessment of environmental tobacco smoke, using arguments similar to the tobacco industry's "junk science" arguments described by Ong and Glantz. "

It seems Microsoft is making some strange bedfellows.

Sources:
http://www.smokefreeforhealth.org/studies/YachBial ous.htm

ZDNet Post

My Rant on this topic...

[tweakt]

"The white paper, Opening the Open Source Debate, from the Alexis de
Tocqueville Institution (ADTI) will suggest that open source opens the
gates to hackers and terrorists."

My $0.02:

... First of all, there ARE NO GATES! All software contains bugs,
sometimes exploitable. .. closed source is NOT a "Gate" that blocks
hacking... yes, exactly: nimda, codeRed, klez, iloveyou, and just about
every other "virus" reported in the last two years... blah blah blah...
...shitty analogy...

See: Publications and Accomplishments
http://www.adti.net/pubsaccomps.h tml

They don't exactly seem to be experts in any field of computers,
networks, or security that I can tell. They did some reports for more
traditional defense related topics several years ago, but thats it. They
are however, very good at reporting on controversial issues, mainly
politcal in nature. Hmmm..

Here's a question. Of the total number of security problems reported
regarding closed vs. open source products, what percentage were
pre-emptive fixes reported by whitehats, v.s. those exploited and thus
forced to be officially reported?

My point is... a bug is a bug, but it's a hell of a lot better if it's
patched before it's ever exploited. So it's totally wrong to look purely
at # of reported security problems in product XYZ. I would expect an
open source product to have a significantly higher # of reported
problems. That's a good thing IMO, since that means there's less of them
lurking.

The bottom line: Everything has bugs. More eyes, less bugs. More secure.
Simple. Now would someone try and explain that to these anti-open-source
nitwits?

Oh, and may I point out: (already reported)
http://www.washingtonpost.com/wp-dyn/ar ticles/A600 50-2002May22.html
http://www.nsa.gov/selinux/

It seems like our .gov likes it just fine ;-)

-Mark Renouf

Some inconveniant questions

[Veteran]

Suppose we ask ZDnet some inconvenient questions, and see how much they start squirming:

• Who is ZDnet's source on the story?
  
• Did the think tank leak the results of their own study?
  
• Did the information for this story come from Microsoft - who already knew the results before they were published because they bought and paid for them?
• What exactly qualifies the people at the think tank to have an opinion on computer security?
  
• Does the think tank have a history of expertise in the field of computer security?
  
• Are any of the people involved in the report even computer programmers?
  

This story just might wind up biting Microsoft in the ass; if the rest of the sharks in the press start smelling blood in the water.

Light'em if ya got'em

[ozric2k1]

These are the same people who say smoking is good for you.

"In addition to creating front groups and contributing funds to groups that have a mission broad enough to carry some of the tobacco industry's goals, THE TOBACCO COMPANIES ALSO USE PUBLICATIONS BY ALLEGEDLY INDEPENDENT THINK TANKS, SUCH AS THE VIRGINIA-BASED ALEXIS DE TOCQUEVILLE INSTITUTION. This group's 1994 report "Science, Economics, and Environmental Policy: A Critical Examination"35 criticizes the US Environmental Protection Agency's risk assessment methods in 4 areas: environmental tobacco smoke, radon, pesticides, and hazardous cleanup. It dismisses in its first chapter the agency's risk assessment of environmental tobacco smoke, using arguments similar to the tobacco industry's "junk science" arguments described by Ong and Glantz. "

The three biggest lies redux,
smoking is good for you, windoze is secure, the check is in the mail

Here's my take

[Henry+V+.009]

This is more than just script kiddies. Open source is good against script kiddies. That may simply be its low radar profile more than anything, but it could be the open source community finding bugs as well.

But when people are interested in more than general vandalism, it becomes a different story. If I need to hack something that is open source, I check out the source, and look for buffer overruns and what not. It's hard for the very popular stuff, but for most programs, a bug is easy to find. And even for the more popular stuff, there are always holes to be found if you expend enough effort looking.

For very popular closed source programs, the first thing to try is the online community. Someone somewhere has something. For companies like Microsoft with poor security reputations, and lots of people trying to hack them, there is actually a lot.

But if you have to figure out a bug yourself, it's time for buffer overflow testing, reverse engineering with a hex editor, and what not.

So which is harder?

I'd say hacking into popular open source programs is the hardest. However, hacking into unpopular open source programs is the easiest. There is a range of security considerations, and it is always possible for evil people to find your vulnerabilities if they have enough resources.

Makes me sick

[Sean+Clifford]

This just makes me sick. I've read Alexis de Toqueville's Democracy in America several times, it's one of my favorite books. He considered unchecked capitalism a serious threat to participatory democracy. How vile for an organization to sully his name with drivel like this report.

From a MS "Engineer" standpoint

[tshak]

I'm no MCSD, MCSE, or MCDBA (yet!), but I'm very involved in the MS developer community - in particular the .NET community. I go to the Redmond campus at least once a month and know quite a few people that work there. What's interesting is most "MS Tech Geeks" aren't generally anti-OSS and many actually have experience with Linux and other OS's. Sure, there's also a large group that's feeds off of MS dogma but the rest aren't really all that bad. There really are a lot of smart people that either work for MS or primarily work with MS technology that get quite frustrated atMS's marketing FUD. We're all educated (in theory) enough to make our own decisions based on the MERIT OF THE TECHNOLOGY. We don't need restrictive licenses, stupid marketing FUD, or silly gimicks like 100 page color brochures sent to our houses every day. Marketing and PR types can make the image of a company, however, they generally break the image of a company in the eyes of techies which employ simple FUD avoidance algorithms.

I have certain critiques about OSS, moreso GPL's based licenses and less so BSD based licenses, but I'm not about to agree to this "OSS will increase terrorism" BS. Come on MS (et all), STOP TREATING US LIKE IDIOTS!