ZDNet UK / News and Analysis / Application Development

Diffie defends open-source security

By Peter Judge, ZDNet.co.uk, 9 October, 2002 09:02

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Microsoft, Cryptography, rsa conference 2002, security of open source, Whitfield Diffie

NEWS
Whitfield Diffie, the inventor of public key cryptography, and now chief security officer at Sun Microsystems, spoke out in defence of the security of open-source software at the RSA Conference in Paris on Tuesday. Diffie was defending open-source software against an attack made earlier at the same conference by Microsoft chief security officer Craig Mundie. During his keynote, Mundie had labelled as a "myth" the idea that open-source software can be more secure than closed, proprietary software. "Just because people can look at software, it doesn't mean they will," said Mundie. "You need trained people looking, not just arbitrary people." Open-source products have steady streams of vulnerabilities, Mundie continued, arguing that closed-source proprietary software gives users a clear point of responsibility where problems will be fixed (the software vendor). "People need an incentive to do the grungy work (of checking security aspects of code)." "Craig's right," said Diffie. "But there is an asymmetry here. Who is the most important person who should look at the code? You -- the enterprise -- have a moral responsibility to audit that code." Since Microsoft has pointed out that it is unlikely to take legal responsibility for the security of its code, Diffie's suggestion may gain credibility. Diffie denied that there was any trade-off between security and usability, saying that if the security risks are properly understood, then security measures become a prerequisite of usability. Car keys make it more complex to lock and leave your car, he said, but they allow you to park your car anywhere in town. Diffie also said that security cannot be delegated, nor can a user rely on one company for security. "Openness is essential for trust," he said, referring to open-source code, as well as compatibility. In future we will have to rely more heavily on software for security, he added: "As security migrates further from human intervention, it migrates further from natural human methods of security." Sun's involvement in security goes back to its foundation as the company that made servers for university Unix sites, he said, pointing out that the secure version of Solaris was created in 1990, and the mainstream version is now very close to it, with features like compartmentalisation built in. Other Sun achievements in security included Java, with its sandbox and byte code verification. Peter Judge reported from the RSA Conference in Paris.
For all your GNU/Linux and open source news, from the latest kernel releases to the newest distributions, see ZDNet UK's Linux News Section. Have your say instantly, and see what others have said. Go to the Linux forum. Let the editors know what you think in the Mailroom.

Related stories

Perens: Linux could learn from Apple

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

subhorup

It simultaneously worries me and uplifts me that a self-proclaimed group of internet activists name themselves after Indian mythical figures....

2 hours ago by subhorup on Anonymous activists release PCAnywhere source code
naviathan

It's actually far easier to work anonymously on the internet than you think. With tools like Tor bouncing your traffic around the world before...

5 hours ago by naviathan on Anonymous activists release PCAnywhere source code
Agnostic_OS

1000272134 and bluedalmatian with you both there but then I'm still in 10.04 land (and happy with it)

5 hours ago by Agnostic_OS on Ten factors that make Ubuntu 11.10 a hit
apexwm

Interesting article and definitely see your points on the products mentioned. One of the top products for our Help Desk (approximately 20% of all...

12 hours ago by apexwm on Ten flawed products that derail productivity
Paul Hutchinson

Absolutely - this should obviously not be handled my isp - but handled by their hosting operator. What's been suggested here is that my isp police...

12 hours ago by Paul Hutchinson via Facebook on MPs urge ISPs to take down terrorist material
Techs UK

Looks like a great phone. I don't notice any deficiencies in WP7. used IOS before, that's pretty good. I don't spend much time in Apps, all i need...

15 hours ago by Techs UK on Nokia pins US 're-entry' hopes on Lumia 900
Larry Bloggy

Now with the help of these apps you are always synced with MS outlook while on the move. Just download apps like xobni or outlookreflex and get...

16 hours ago by Larry Bloggy via Facebook on Outlook Social Connector beta 2 and the LinkedIn connector
mike40g123

Your details are wrong. The version currently being made is the one with 2 USB ports, 256MB RAM and a network port. This is the Model B. The...

18 hours ago by mike40g123 on Raspberry Pi boards set to go on sale
Moley

The thing that has been puzzling me for quite a while is how Anonymous can remain anonymous whilst not only being active on the Internet but also...

1 day ago by Moley on Anonymous activists release PCAnywhere source code
Don Dilly

If what Semantec is saying is rue, that is even worse and shows a complete disregard for thier users. If what Anonymous claims is true and the...

1 day ago by Don Dilly via Facebook on Anonymous activists release PCAnywhere source code
MattChurchy

Didn't seem particularly biased to me either. Oh though you might have mentioned some other competitors with free search and email services...

2 days ago by MattChurchy on Time for an evil umpire: Google, Microsoft & privacy
Simon Bisson and Mary Branscombe

James - exactly as much as anyone paid you for your comment; I don't feel that I need to say that I'm independant and unbiased, but just for you...

2 days ago by Simon Bisson and Mary Branscombe on Time for an evil umpire: Google, Microsoft & privacy
Carl White

Once they realise symantec are willing to pay real money, they will simply keep extorting, unless of course symantec/authorities can use the...

2 days ago by Carl White via Facebook on Symantec offered hackers $50k in source code sting
Jonathan Hassell

You can find more information on BS 8878 by Jonathan Hassell its lead-author at http://www.hassellinclusion.com/bs8878/ The page includes a...

2 days ago by Jonathan Hassell on BSI publishes first British web accessibility standard
servermanagement

Thanks for this list. Now I know, what to include on my system to make it more functional.

2 days ago by servermanagement on Ten flawed products that derail productivity
1000092626

What if it's a 4 car household? The point is, more bandwidth = more things you can do simultaneously, like streaming HD video in one room of the...

2 days ago by 1000092626 on Virgin Media beats 100Mbps schedule, hikes prices
Gary Burton

No point whatsoever increasing broadband download speed. unless ever server on the net has access to massively up rated throughput. The worlds...

2 days ago by Gary Burton via Facebook on Virgin Media beats 100Mbps schedule, hikes prices
Random_Error

They're also increasing their TV package prices, whether to help fund this or not.

2 days ago by Random_Error on Virgin Media beats 100Mbps schedule, hikes prices
Techs UK

How can you set it up wrong to intermittently connect? Should I be asking for more pay? Outlook/Exchange is a breeze.

2 days ago by Techs UK on Ten flawed products that derail productivity
JamesCheese

And how much did Microsoft pay you for that article?

2 days ago by JamesCheese on Time for an evil umpire: Google, Microsoft & privacy

Latest in Application Development

Perens: Linux could learn from Apple

Featured white papers

How enterprises can achieve cloud computing benefits

Citrix

How enterprises can achieve cloud computing benefits

Is your load balancer cloud-ready? A key to the cloud's success is having an IT infrastructure that can deliver a robust set of cloud-oriented capabilities and can support all cloud computing use... Read more

Deliver easy email search, storage and retrieval systems

Symantec.cloud

Deliver easy email search, storage and retrieval systems

Are you storing up trouble? There is a better way to manage corporate email storage on every level, for every size and type of... Read more

Testing: NetScaler 2048-bit SSL performance

Citrix

Testing: NetScaler 2048-bit SSL performance

This paper details the SSL performance on current shipping MPX... Read more

Inside ZDNet UK

Heat promises to speed up hard-disk data storage

Heat promises to speed up hard-disk data storage

Sponsor a Colossus valve to help Museum of Computing

Sponsor a Colossus valve to help Museum of Computing

BlackBerry Bold 9790

BlackBerry Bold 9790

Webcast - Managing Mobility and Network Expansion

Webcast - Managing Mobility and Network Expansion

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault