
CynApps adds Cyn++ to open-source toolbox

Author: JT Smith

Business Wire: CynApps, the methodology
leader in C/C++ based design and verification, added to the EDA community’s open-source toolbox
today by making its Cyn++ macro preprocessor available under an open-source license at
(www.cynapps.com).

Category:

  • Open Source

Sun introduces dot-com builder

Author: JT Smith

The site, for and by Web developers building sites on
Sun network computing platforms, reports PRNewswire, focuses on infrastructure, system design and
server-side technology used to build reliable, scalable and secure systems,
which are critical for doing business on the Web.

The Indrema Developer Network is coming

Author: JT Smith

The Indrema Developer Network (IDN) will allow today’s independent
game developers to access Software Development Kit tools and additional
information about the Indrema console — L600.
All Linux Devices reports,
in the near future, you will be able to create a game using our project
hosting facility through gameXchange. This project hosting environment will
provide you with tools that will smooth the collaborative game
development process.

Interview with Peter Cranstone, CEO of Remote Communications

Author: JT Smith

Apache Today’s interview with Peter Cranstone about mod_gzip, an open
source server module that acts as an Internet content accelerator and seamlessly speeds up your site.

LinuxFreeSupport joins the ShowMeLinux Team

Author: JT Smith

Linux PR: LinuxFreeSupport will be authoring ShowMeLinux’s ‘Support Line’. The
Support Line is a column offering answers to questions posed by readers
regarding such topics as installations, networking, administration,
applications, and the desktop.

Ute-Linux base release has posted

Author: JT Smith

A very early drop of the Ute-Linux base release has posted at
vger.timpanogas.org, reports Linux Weekly News. This release is free if accessed from the FTP
server and can be downloaded and redistributed under the terms of the
GPL for any purpose.

Category:

  • Linux

Bender, the next slashcode release

Author: JT Smith

If you are interested in what will be in the next release of slashcode and live in (or will be around) Seattle, there will be a talk tonight, October 17th, for the Seattle Perl Users group. Directions can be found here. Topics: new architecture, how to support multiple databases, how to expand your slashsite via modules, use of templates, and an outline of where we are going in the future.

EFF defends nameless Netizens

Author: JT Smith

On Oct. 13, the Electronic Frontier Foundation and
Public Citizen filed a brief on behalf of an individual,
known as “Jane Doe,” who posted comments to a
Yahoo! Inc. message board that an AK Steel Corp.
(formerly Armco Steel) executive said were disparaging,
threatening, and defamatory, reports ZDNet News.

TurboLinux ships new workstation

Author: JT Smith

TurboLinux, Inc., the high-performance Linux company, today announced the release of its new TurboLinux
Workstation Pro 6.1 that includes the first commercial version of Linux for Intel’s forthcoming Itanium processor
systems (IA-64), from NewsAlert.

Panel: Open Source security needs to be priority

Author: JT Smith

By Grant Gross
Managing Editor

Open Source systems aren’t inherently more secure than proprietary systems — unless the designers make security a priority, according to several security experts speaking at a conference Monday.

Panel moderator Peter G. Neumann, from SRI International, argued that Open Source development, which he called “open box,” presents both an opportunity, with “many eyes” finding software bugs that compromise security, and a challenge when some of those eyes aren’t friendly.

“By itself, the open box paradigm is not a solution, but my contention is it affords us enormously more opportunity than the closed-source model,” said Neumann, speaking at a panel during the 23rd National Information Systems Security Conference in Baltimore, Md. “The problem with [the many eyeballs concept] is if your system is lousy to begin with, the bad guys have a lot of eyeballs.”

Open Source advocate Eric S. Raymond, a scheduled panelist, wasn’t able to attend the session and defend the many eyeballs concept. But the message from the panel, including three people working on making Open Source systems more secure, was that Open Source developers shouldn’t trick themselves into thinking that their systems are more secure just because they don’t come from the company noted for its blue screen of death.

“I don’t think that the many eyes will do the right thing, so I want to apply some tools to make sure the system is secure,” said Crispin Cowan, CTO for WireX Communications and chief research scientist for Immunix Technologies, which is working on security solutions for Open Source operating systems.

Many developers sacrifice security for functionality when they’re building a program, the panelists said, and Cowan contended that if security is your top priority, you need to design for security first. It’s a tradeoff depending on a developer’s priorities.

“Does Open Source make a difference? No. If you’re going to build an unsecure system, you’re going to build an unsecure system,” added Rick Smith, senior principal engineer for Secure Computing Corp. “You have to make money, and you take risks to make money, and sometimes the risks are in information security.”

Jay Beale, lead developer for the Bastille Linux security project, said education of system administrators and users is part of the solution to the problem of system security. One audience member, a system administrator in a university setting, said, “All the secure operating systems in the world aren’t going to stop these idiots who give away their passwords.”

Beale suggested system administrators take active roles by warning users who do unsecure things such as use the outdated FTP to exchange files on the Internet. Back in the early, low-user days of the Internet, FTP worked fine, he said, but “the Internet’s become a lot bigger neighborhood, and it’s a lot more rough.”

One advantage for users of Open Source products, Beale said, is they don’t have to pierce a corporate bureaucracy to find someone to respond to bug-fix requests. “If you are the end user who’s depending on your distribution to give you a fix you can easily install, then you’ve got to push them to do it,” he said. “We’ve got to get the end users to start demanding it, and if we don’t, then it’s not going to be a priority for someone trying to get more features in.”

One audience member questioned the commitment many Open Source vendors have to security. “I look at the Open Source environment, and there are people who are very concerned about security, and they’re very vocal, but they don’t seem to be the majority,” he said. “Unfortunately, there doesn’t seem to be a correlation between how security conscious the distribution makers are with how successful their products are.”

Cowan and Beale argued that because users can see the source with Open Source products, they can fix the bugs instead of just relying on the documentation from proprietary vendors. “Documentation lies — read the source,” Beale said.

Open Source projects also have a community of programmers eager to provide solutions. Beale quoted a study saying it took Red Hat Linux an average of 11 days to fix a security problem, while it took Microsoft an average of over three months.

Added Brian Witten, program manager for information assurance at the U.S. Defense Advanced Research Projects Agency: “All Open Source does is it levels the playing field without the good guys having to haggle for the source code.”

Witten announced at the discussion that DARPA was ready to make a substantial investment in Open Source development. No additional information was immediately available.

Category:

  • Linux