RE: CRIME Study: Open, closed source equally secure

From: brvarin@private
Date: Fri Jun 21 2002 - 07:44:22 PDT


    I dunno, I heard about the supposed Snort bug from quite a few sources,
    including the ISS X-Force advisories. I've also been getting alerts galore
    on the Apache vulnerability. Security alerts get distributed fairly well in
    my opinion. Bottom line... if you are running a system/application, it's
    your job to check for updates/patches/bugfixes; don't expect them to always
    come to you.
    
    I think one of the reasons you hear about the IIS bugs so much is because
    they aren't fixes for obscure problems. They tend to be fixes that
    otherwise would result in a complete compromise of the machine. Anyone hear
    about the latest patches to Excel and Word?
    
    From: "Andrew Plato" <aplato@private>@cs.pdx.edu on 06/20/2002 09:57 PM
    
    Sent by:  owner-crime@private
    
    To:   "C.R.I.M.E." <crime@private>
    cc:   "Greg KH" <greg@private>
    bcc:
    
    Subject:  RE: CRIME Study: Open, closed source equally secure
    
    
    > And remember, there's a lot more to security theories than mathematical
    > models.  His model does nothing to talk about the time it takes to _fix_
    > a problem once found.  For that, nothing beats open source programs, and
    > that has been proven (sorry, can't remember the actual citations, but
    > I'm sure Crispin has them somewhere...)
    
    I'd be interested in seeing a study like that. I wonder what the mean time
    between discovery of a problem and a widely acceptable fix being available
    is for open-source vs. closed-source? My intuition tells me that
    closed-source may take longer to acknowledge and come up with a fix, but it
    can spread that repair out quicker because it has a more organized
    notification channel. Whereas open-source might repair the problem faster,
    but spreading it out to users would be slower because there is a lack of
    centralized coordination. I would speculate, then, that the same conclusion
    would result... open and closed source would have about the same real-world
    response time.
    
    I could cite an example... when IIS has a bug we hear about it all over the
    news, which would prompt people to get the update. But when a new version of
    Snort comes out that repairs some bug, people don't know about it until
    they happen to stop by the Snort site and notice that there has been a
    version update.
    
    Andrew Plato
    
    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 09:03:54 PDT