Frontends for Windows

Ryan Malayter rmalayter@bai.org
Tue Nov 20 01:07:01 2001


From: Silviu Cojocaru [mailto:silviucj@yahoo.com] 
>Like I said in some other posting, prove to me that ZA 
>is faulty or that, like I said, Roger and ZoneLabs are 
>plotting to get your passwords.
>
>Geez!

Pick up a copy of _Secrets and Lies_ by Bruce Schneier - it will change your
attitude.

You're asking for proof that ZoneLabs is trying to attack you. That's not
possible, but it doesn't matter. The real issue is that it's extremely easy
for ZoneLabs to attack you, because their software code isn't available for
public scrutiny. Nobody knows what it does, except the guys who coded it.
You can observe its inputs and outputs, but that won't tell you the whole
story. You cannot prove the security of software by testing its designed
functionality - only code review by experts is an effective test for
security.

Now, most of us have come to believe that most commercial software vendors
can be trusted to deliver software free of malicious code. (Note that this
is *not* the same thing as delivering secure software). You can be fairly
sure that MS Word won't intentionally destroy your data or mail your tax
return to the mob. You're willing to trust the vendor - basically blindly -
because your security needs aren't great, and it's time-consuming and
expensive to write, review, modify, and compile your own software.
Commercial software also has a generally better feature set and greater ease
of use than freely available software, since the programmers are paid to add
those nice touches. This is the main reason why I use mostly commercial
software.

People who are interested in really secure software have to have the code
reviewed by security experts for defects. If you're the military, you have
the NSA do this for you, and it takes a few years before you can field your
secure system.

As Mr. Schneier notes in his book, traditional software companies don't do
much security review at all, since it's not profitable. Maybe vendors have
one or two security gurus on the payroll, but they can't catch even a small
percentage of the security goofs that lie in millions of lines of code. So
vendors wait for the holes to be found, and plug them as best they can to
avoid bad press. Security is not an engineering problem for commercial
software companies, it's a public relations problem.

The regular-Joe alternative for security is open-source software that has
been rigorously reviewed by security experts. Stable versions of the Linux
kernel, Apache, etc. Holes are still found in open source software, but
they're found more quickly, and patched more quickly. Open-source software
gets better (security-wise) with age.

Seriously, check out Bruce's book - it's very interesting, the prose isn't
academic or encyclopedic, and it's a pretty quick read.

:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA