Re: CRIME Study: Open, closed source equally secure

From: Greg KH (greg@private)
Date: Thu Jun 20 2002 - 22:38:35 PDT


On Thu, Jun 20, 2002 at 09:57:43PM -0700, Andrew Plato wrote:
> 
> 
> > And remember, there's a lot more to security theories than mathematical
> > models.  His model does nothing to talk about the time it takes to _fix_
> > a problem once found.  For that, nothing beats open source programs, and
> > that has been proven (sorry, can't remember the actual citations, but
> > I'm sure Crispin has them somewhere...)
> 
> I'd be interested in seeing a study like that. I wonder what the mean
> time between discovery of a problem and a widely acceptable fix being
> available is for open-source vs. closed-source? My intuition tells me
> that closed-source may take longer to acknowledge and come up with a
> fix, but it can spread that repair out quicker because it has a more
> organized notification channel. Whereas open-source might repair the
> problem faster, but spreading it out to users would be slower because
> there is a lack of centralized coordination. I would speculate then
> that the same conclusion would result...open and closed source would
> have about the same real-world response time.

Hah, I see you haven't been continuously getting emails from the last
round of viruses that exploit problems in Outlook that have been fixed
for over a year :)

> I could cite an example...when IIS has a bug we hear about it all over
> the news, which would prompt people to get the update. But when a new
> version of Snort comes out that repairs some bug, people don't know
> about it until they happen to stop by the Snort site and notice that
> there has been a version update.

As a good system admin, I would care more about the time from when the
problem is found until I can have a fix for it.  And open source
wins that benchmark.  The ability to actually force all vulnerable people to
use your patch is a totally different problem :)

greg k-h
    



    This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 23:47:31 PDT