> At 12:02 PM 3/5/00 -0500, Phillip Hallam-Baker wrote:
>
> >>Source, or "a proof" please, since I don't recognize your name as being
> >>authoritative regarding what M$ does and/or does not contain.
> >
> >It was announced at RSA in the Microsoft keynote speech.
>
> Was it? I wasn't in attendance. A confirmation is now required.
To ask for a source is perhaps understandable; to demand confirmation
is simply an insult, you arrogant git. How dare you call me a liar in
public?
This is information you should know if you are going to pontificate on
the relative security of software solutions.
To admit that you don't know a significant announcement two months
after it was made hardly lends credibility to your other positions.
> Then, "peers" is left to the interpretation of who? If it isn't open, then
> it wasn't a true peer reviewal, was it?
You clearly don't understand the term peer review; go ask an academic
publisher. The term has been in use for a century. Peer review in
MSFT's case would mean taking the code to a top-rank independent
consultant such as Paul Kocher, Eric Rescorla or whoever.
Practically all peer reviews are performed under an NDA; sad, but
that is the way it is. The only review I have ever done that was not
under NDA was for Netscape when they sent round their random
number generating code for checking (and there hangs a tale which
some of this list already know).
> yes, it is arguable - this is not germane to declarations of what is/is
> not contained in a commercial product.
On the contrary, it is the crux of the matter. Commercial products
that ship as assembly code alone must be examined in the same manner.
Otherwise you haven't examined the product the customer uses.
> >The biggest threat to security in my view is dogma. An idea
> >that is correct in one circumstance is promoted to the status
> >of holy doctrine and applied in circumstances where it is
> >ridiculous.
>
> The biggest threat to security in my view, is sheeple meets big sister.
This is just political blather that has nothing to do with security. Why
don't you go sell newspapers outside a subway somewhere? There
are always openings at the Socialist Workers Party, I believe.
What you are doing is promoting INSECURITY by applying dogma
you read in some Internet email and clearly don't understand.
I think we should call this 'Security through dogma' and list it next
to 'Security through obscurity' as another fallacy.
There are very few absolutes in security, and issues such as open source
code review are at best secondary, if not tertiary, concerns. Yes, I would
prefer to have code that is open source reviewed over code that has
not been, ALL OTHER THINGS BEING EQUAL. But on the other hand
I would much rather have code that I know has been reviewed by
an expert under non-disclosure than code that I happen to have the source
code for but I don't know has actually been examined.
In either case I would prefer code that implements an architecture that
can meet the security needs of an application than code which does not.
To take one single aspect of an application and raise it to the definitional
level is simply absurd. Sendmail had extensive open source review for over
a decade and was still being named as the cause in 25% of CERT alerts
back in 1995.
> Now you've gone off the deep end. We weren't discussing efficacy of S/MIME
> but rather what is/is not contained in M$ products and whether it has
> received proper peer review or not.
Read the thread; we were actually discussing the security of S/MIME.
Phill