Rob undermines his own opinion.
Posted by sgt_jake on 2004-02-19 12:59:42
In reply to Rob Enderle
1) "a source-code leak generates a huge amount of discussion about why source code on the Internet is a bad thing."
Actually, the discussion is about why a _source code leak_ is a bad thing, not whether or not source code _on the 'net_ is a bad thing. The danger is in whether or not your trade secrets, methods or code can be stolen or used by competitors as much as it is about your code getting exploited by unscrupulous crackers. For the Open Source community, those 'trade secrets', 'methods' and 'code' are explicitly allowed to be used (although not stolen), so the only danger is having it exploited. This brings us to where your opinion falls flat;
2) "Remember that the open-source community uses the thousands-of-monkeys method to ensure security".
Ignore the inferred insult in this statement and take it at face value, and let us see if it works. You stated "…a small amount of Microsoft source code was leaked to the web", yet less than 24 hours later one of those 'thousands-of-monkeys' found a vulnerability. It would seem, Rob, that a single monkey banged his keyboard for a few hours, and helped Microsoft find a mal-formed sentence that creates a vulnerability (I guess Shakespeare they are not).
3) "If there is even a chance that someone who has not been properly qualified touched a financial application or the platform on which that application resides, IT will fail the audit."
Really, the entire audit argument is fallacious, but I'll play along - You'll of course fail if someone is not qualified to touch a financial application or platform, because you've failed the physical or network security requirements for the audit - NOT because the person who _wrote_ the application is suspect. Furthermore, a financial audit is not a software audit - the methods may be the same, but the requirements are not.
4) "You had to ensure that no one who wasn't approved at the proper level touched anything that impacted a critical piece of corporate IP or had even a glancing relationship with financial reporting."
Interesting point, but deeply flawed and puts Microsoft in a poor position - if you were a financial services company and ran your application on Windows software, would your audit include checks on everyone who ever had access to the Microsoft campus or servers, whether they be employees or not? Even so, since Microsoft's code has been leaked, wouldn't you fail any audit by default for using Microsoft software that has now been 'touched' by people not 'approved at the proper level'? How would this be different from RedHat? IBM? Anyone else using Linux?
5) "I would have had a field day with open-source software, where patches are often received or discussed with outside entities who actually could work for foreign governments or competitors, where collaboration could easily be reinterpreted as collusion, and where the very mention of the thousands of people looking at a product would result in a front-page comment in an unsatisfactory audit."
I'm sure you would, but you'd still be wrong, and biased. Patches are audited by the 'thousand-monkeys' as they come in, even by Americans, and if that patch doesn't have a name on it it will likely be discarded before it's even considered. You could suggest that it might hint at collusion, but since collusion by definition is a "secret agreement between two or more parties for a fraudulent, illegal or deceitful purpose", and Open Source is done in public, that would seem to be a pretty stupid suggestion. How would one 'collude' on a patch if a thousand monkeys were watching?
In short, Rob, this was a fine bit of "coulda, woulda, shoulda", but your suggestions and conclusions are based entirely on personal bias, not personal experience. And what I find amusing is that you've entirely avoided the comments made by analysts like yourself, who addressed the leaked code instead of the 'advocacy group' you fingered as having made a monumental blunder by scoffing at that leaked code;
"It's sad that it was released, and it's sad it was written so [badly] from a security standpoint" -- Forrester Research's Director Michael Rasmussen.



