Vulnerability Development mailing list archives

Re: Notes Domino Server Platform for e-commerce?


From: wozz+exploit-dev () WOOKIE NET (Wozz)
Date: Thu, 10 Feb 2000 03:09:55 -0700


On Wed, Feb 09, 2000 at 09:29:42PM -0800, Mark L. Jackson wrote:

As opposed to your faith in Apache, I presume? If NOTES fails, IBM takes the
blame; if Apache fails, who takes the blame? A small cadre of 'open source'
devs with little to lose?

X thousand other developers and I can fix the bugs in Apache when they come
up.  What if IBM decides that the bug isn't a real bug?  What do you do
then?


Blue Boar said:
...I agree that code review is one of the bigger factors for how secure
something should be considered. We don't know how much Notes has had, it's
not published.

Code Review is one of the bigger blah blah blah. Oh please. The only thing
that matters is how it performs. I have seen 'open source' code that did not
work nor would it ever work. Yet it is openly available for code review!

There's a difference between Open Source and code that's been reviewed for
security holes.  OpenBSD vs Linux is a prime example of this.


Code review does not guarantee anything. Any idiot can read the code; that does
not mean they can find a bug.

But the Apache folks aren't "any idiot".  Do you know who wrote Domino?  How
do you know they're not drooling feeble nimrods?


The biggest problem with 'open source' software is that there is very little
(if any) accountability. Code review is no substitute. Who cares if I can
see the source code? If you can compile it, you can corrupt it. Yes, I know a
lot of you will not agree, but then you probably are not 'on the hook' for a
company's performance.

I'm on the hook.  I'm the security admin for a BIG cable modem provider, and
I use only Open Source (or Open Source derived) stuff for my security boxes.

Blue Boar said:
Another indicator for how secure something might be is past bugs:

Again, the only way to measure security is whether you can break into a
system or not. The number of past bugs has no bearing on security. The only
thing that matters is whether you can exploit a bug to get into the system.
That depends on the current status of the system that you would be
attempting to breach. The number of past bugs *might* be an indicator of whether
there will be future bugs; then again, bugs are a naturally occurring
incident.

So, if they're naturally occurring, there's no reason to assume Domino is
secure.

Blue Boar said:
These things would *seem* to indicate that IBM/Lotus is still stuck in the
wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive
auditing.

How would they seem to indicate anything other than that it is software?

If you were to apply this statement to Apache, then you would have to
conclude the same thing. Isn't 'open source' about finding and fixing bugs
'after the fact'? You seem to labor under the assumption that you can have
it both ways: code review for open source to search for bugs, but not for
proprietary apps, all the while hailing the find-it-and-fix-it mentality as
good for 'open source' but not for proprietary.

Code review is about finding and fixing the bugs BEFORE the fact.
Fixing a bug after it's been found is not a code review. Open Source
has nothing to do with it.  Open Source is not a development model;
it's a theory for how software should be developed.  Again, OpenBSD
vs Linux is a prime example.  Two different development models, two
different results as regards security.


I use IBM tools, work on an AS/400, and deal extensively with IBM. I can say
from experience that IBM *DOES* extensive debugging. Why you would make such
a ludicrous statement shows an incredible ignorance and arrogance.


In general, open software is better software.  Debugging != code review

By the way, how do you know they ever coded this way?

Blue Boar said:
In addition, Notes (the whole collection of things called Notes) is pretty
large and complex, and includes its own databases and access-lists. This
does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely.

So what you are saying is big almost always equals bugs. Then I would have
to say that UNIX (and the clones) is full of bugs. *BUT* you said that code
review (as most UNIX and Linux go through) is one of the best ways to get rid
of bugs. Quite a conundrum, wouldn't you say? Does that also mean that 'open
sauce' is stuck in the wait-for-bugs-then-fix-them mode? First it is bad,
then it is good; which is it?

I don't think you understand what a code review is.  Open Source is not
inherently code reviewed.  Open Source provides the capability for anyone to
do a code review, but that doesn't mean it's been done.  As far as I know,
Linux has never gone through an extensive security code review (partly
because there are so many different flavors of Linux that it would be sort of
pointless).  OpenBSD, on the other hand, has.  Once again, code review !=
wait-for-bugs-then-fix-them.

You also seem to say that a cadre of developers without any contact, coming
from disparate points on the globe, all with differing ideas and directions,
can create a better piece of software than a group of developers working for
the same company, with the same agenda, and reliant on that company's
success. THAT IS BIZARRE. FOCUS always wins.

Bzzt, best code wins.  And to imply that Open Source developers have no
contact is even more BIZARRE.  Most open source projects I've been involved
with have a lot more communication going on than your typical corporate
development group.  Someone's been to a few too many "team-building"
exercises.


Blue Boar said:
In addition, there's lots of room for misconfiguration.

You of course are speaking of 'open source' products like Linux, Apache
etc....


Anyone can misconfigure something.  The nice thing about open source is that if
you are confused about how something is configured, you can read the code
and find out.  If you are confused about how to configure a closed source
product, you have to rely on the support folks for the product knowing what
they're doing.

Blue Boar said:
In short, I think calling Notes "secure" as a blanket statement is
at best generous.

And I find your rebuttals lacking in any substance.


And I, yours.

In conclusion:
No software is totally secure. Most apps are at the mercy of users, of
other apps, and especially of the O/S. One app that is not secure on NT might
well be on OS/400 or eS/390 or Solaris, etc. The number of bugs indicates little
when taken out of context. UNIX for years was riddled with bugs; that does
not in and of itself make it insecure.

Blanket statements like 'big is buggy' and 'open source is good' are nonsense
and of no use to anyone. If you are unwilling to consider the current
situation and how the software will be used within that situation, then you
will only cause more problems.

There is no one best platform, O/S, app. There is a current best for each
time and place. That is what has to be considered.

Surprisingly, I agree completely with these last three paragraphs.  And
increasingly, folks are finding the current best to be Open Sourced ;)

