Proprietary and OpenSource equally secure?
General information
Forum: Linux
Category: Other
Title: Proprietary and OpenSource equally secure?
Miscellaneous
Thread ID: 00671274
Message ID: 00671274
Views: 52
I saw an interesting comment that sums up what the article was REALLY about.

"No, it should read ... Ross Anderson just released a very interesting paper about the Trusted Computing Platform Alliance (TCPA) - the digital rights reduction technology that Intel, Microsoft and the main PC manufacturers (Compaq, Hewlett-Packard, IBM) want to have built into every PC in order to keep Disney, RIAA, MPAA, etc. happy.

Seriously. The supposed result about "open vs. closed source software" is almost just an interesting aside. Start at page 6, read about the TCPA, and be afraid. Some quotes:

"For simplicity, I'll call the chip `Fritz' for brevity, in honour of Senator Hollings, who is working tirelessly in Congress to make TCPA a mandatory part of all consumer electronics. When you boot up your PC, Fritz takes charge. He checks that the boot ROM is as expected, executes it, measures the state of the machine; then checks the first part of the operating system, loads and executes it, checks the state of the machine; and so on.

TCPA is not vapourware. The first specification was published in 2000, IBM sells laptops that are claimed to be TCPA compliant, and some of the features in Windows XP and the X-Box are TCPA features.

Suppose you are developing a new speech recognition product. If you TCPA-enable it, then on suitable platforms you can cause its output to be TCPA-protected, and you can remotely decide what applications will be able to read these files, and under what conditions. Thus if your application becomes popular, you can control the complementary products and either spawn off a series of monopolies for add-ons, or rent out access to the interfaces, as you wish.

Although TCPA is presented as a means of improving PC security and helping users protect themselves, it is anything but. The open systems community had better start thinking seriously about its implications, and policymakers should too..."

To which I add: it is not about Open Source vs Proprietary. It is about keeping the general PC 'general'.


Then there is this gem of a comment:
"There is also another good article on secure coding at Security Focus [securityfocus.com]
_____________________
Several months ago, Bill Gates announced that security would be the number one priority at Microsoft. Several groups at Microsoft, such as the Trusted Computing Group and the Secure Windows Initiative strive to improve security in Microsoft products and ultimately improve security for individuals and corporations worldwide. These initiatives are not surprising, considering the major vulnerabilities found recently in Windows XP, Internet Information Server, Internet Explorer, and Outlook. Due to the popularity of Microsoft products and their market share, the vulnerabilities have caused havoc all across the Internet. If Microsoft, with its billions of dollars of resources and talent, has all these security issues, how do you handle the problem of building trusted systems?

As any seasoned security professional will tell you, it's impossible to build bug-free, vulnerability-free software. The resources required to create such software will be infinite, and financial analysts don't like seeing that on a balance sheet. The name of the game in the security industry is risk mitigation. That is, reducing the risk to an acceptable level. This article will provide a brief overview of some of the key issues of secure coding. It will identify some common mistakes made when developing software that lead to security vulnerabilities. This is followed by a list of best practices that, if followed religiously, will help you avoid 90% of all security vulnerabilities. The article concludes with a list of resources that will aid in your quest to build more secure software."

Generally speaking, bugs that are visible in the code are easily seen and fixed. But the majority of bugs that make it out into the world are not so easily seen in the code. They can only be identified by careful analysis of program and data interaction. This is not a problem of Open Source vs Closed Source. Recently, some special conditions gave rise to security problems in Apache 2.x that were present in 1.x from several years ago! No one saw it, even after many eyes pored over the code, or if they saw it they didn't advertise the fact, until now, when test conditions revealed it. The same is true with a nearly identical IIS bug that showed up at the same time!

I've been running Linux for 5 years. I have never been compromised, nor has a virus done any damage, even when I played with them and 'set them off'. At work, I've been using WinXX for the last 5 years. I don't play with viri there; the IT folks would skin me alive! ;-) I have a T1 internet connection and frequently download and install software, but have never encountered any creatures. We've had about 1 or 2 virus infections per year during that time, mainly via Lotus Notes, but none of them were major due to quick action by the IT staff and deployment of LN viri cleaning software. So, the problem at work remains, as always it seems, stability/reliability, not security. Security is handled by IT.
Nebraska Dept of Revenue
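The boot-time measurement chain Anderson's quote describes (check a stage, measure it, run it, repeat) can be modelled with a hash register that is only ever extended. This is an added example, not code from the post or from any TCPA specification: the stage images are constructed placeholders, the register is a SHA-256 extend chain, and the point it shows is that a tampered or reordered stage changes the final value while a verifier can recompute it from the event log alone.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Extend-only register update: new = H(old || measurement)."""
    return sha256(pcr + measurement)


def measured_boot(stages):
    """Measure each stage into the register before 'running' it.

    Returns the final register value and an event log of (stage name,
    hex digest) pairs, the data a remote verifier would be shown.
    """
    pcr = bytes(32)  # register is all zeros after reset
    log = []
    for name, image in stages:
        digest = sha256(image)          # measure the stage image
        pcr = extend(pcr, digest)       # commit it to the register
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the register from the event log alone; a verifier
    compares this with the register value the chip reports."""
    pcr = bytes(32)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


# Constructed stage images standing in for boot ROM, loader and OS.
GOOD_CHAIN = [
    ("boot ROM", b"constructed boot rom image v1"),
    ("bootloader", b"constructed bootloader v1"),
    ("os loader", b"constructed os loader v1"),
]


def golden_value():
    """Reference value a verifier would have on file for GOOD_CHAIN."""
    return measured_boot(GOOD_CHAIN)[0]


def tampered_chain():
    """Same chain with one byte changed in the bootloader image."""
    chain = list(GOOD_CHAIN)
    chain[1] = ("bootloader", b"constructed bootloader v1!")
    return chain
```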