RE: CRIME Study: Open, closed source equally secure

From: SCRIMSHER,JOHN (HP-Corvallis,ex1) (john_scrimsher@private)
Date: Fri Jun 21 2002 - 07:53:41 PDT


    I would be interested to learn where these studies are as well... I have
    been tasked with developing a white paper on a similar subject (overall
    timelines of discovery of vulnerability -> publication -> exploit -> patch)
    and the only sources that I have found so far are the thesis work of Danial
    Bilar (PhD candidate at Dartmouth), who has been disappointed in the lack of
    information that he has been able to find so far, as well as the following
    papers from other researchers:
    
    http://www.securityfocus.com/intelligence/whitepaper.pdf
    http://www.ee.oulu.fi/research/ouspg/protos/sota/FIRST1999-process/paper.pdf
    
    If anyone else has other sources of information regarding scientific studies
    of the vulnerability lifecycle, I would appreciate it.
    
    Thanks,
    John
    ___________________________________________________________________________
                       
    ******    _/          ******  |  John Scrimsher
    *****    _/            *****  |  ISE Intrusion Detection
    ****    _/_/_/  _/_/_/  ****  |  Hewlett Packard Co.
    ****   _/  _/  _/  _/   ****  |  Phone : 541 715 4671
    ****  _/  _/  _/_/_/    ****  |  Telnet: 715 4671
    *****        _/        *****  |  Fax   : 541 715 6182
    ******      _/        ******  |  E-mail: john_scrimsher@private
                                  |  Postal: 1000 NE Circle Blvd
     i    n    v    e    n    t   |          Corvallis, Oregon 97330
    ____________________________________________________________________________
    
    
    
    > -----Original Message-----
    > From: Greg KH [mailto:greg@private] 
    > Sent: Thursday, June 20, 2002 9:47 PM
    > To: Andrew Plato
    > Cc: C.R.I.M.E.
    > Subject: Re: CRIME Study: Open, closed source equally secure
    > 
    > 
    > And remember, there's a lot more to security theories than 
    > mathematical models.  His model does nothing to talk about 
    > the time it takes to _fix_ a problem once found.  For that, 
    > nothing beats open source programs, and that has been proven 
    > (sorry, can't remember the actual citations, but I'm sure 
    > Crispin has them somewhere...)
    > 
    > greg k-h
    > 
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 09:04:03 PDT