RE: CRIME Study: Open, closed source equally secure

From: Brent Tucker (brentt@private)
Date: Fri Jun 21 2002 - 10:47:05 PDT


    The problem with using web servers (IIS) and security tools (Snort) in these
    examples is that fundamentally they appeal to a very specific audience: IT
    professionals.  IT people/system administrators fundamentally have an
    obligation to be up to date on the most recent patches, so whether or not
    the notification model for a specific piece of software is good or bad,
    chances are a qualified IT person is going to know about the existence of a
    recent problem and the corresponding patch. (As well as what they should
    have been doing to guard against a problem while waiting for the patch.)
    
    So, I think the real question should be oriented toward the typical end
    user.  Which category of software (open source v. closed source) is more
    likely (on the whole) to be disseminated faster to the end user?  In a
    corporate setting, the IT department tends to be responsible for making this
    happen, but in the home market my guess is that most patches never get
    installed because people don't know or don't care that they exist.  Which
    category of software is more likely to overcome this issue?  I personally
    don't know the answer, but I bet that many people have educated guesses.
    
    Incidentally, I was not certain whether the question about patches for Word
    and Excel was rhetorical or not, but Office XP and Excel (individually) have
    both been recently patched ("updated"), and Microsoft made the availability of
    each patch known pretty publicly.  Just like IIS and Snort, if you want to
    know that they have been updated the key is knowing how to register an
    interest in being told.
    
    Excel 2002 update:
    http://office.microsoft.com/downloads/2002/exc1002.aspx?FinishURL=%2Fdownloads%2Frelease%2Easp%3Freleaseid%3D39538%26redirect%3Dno
    
    Office XP clip organizer update:
    http://office.microsoft.com/downloads/2002/cag1001.aspx?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D39481%26area%3Dsearch%26ordinal%3D7%26redirect%3Dno
    
    -----Original Message-----
    From: brvarin@private [mailto:brvarin@private]
    Sent: Friday, June 21, 2002 7:44 AM
    To: Crime List
    Subject: RE: CRIME Study: Open, closed source equally secure
    
    
    I dunno, I heard about the supposed Snort bug from quite a few sources
    including the ISS X-Force advisories. I've also been getting alerts galore
    on the Apache vulnerability. Security alerts get distributed fairly well in
    my opinion.  Bottom line... if you are running a system/application, it's
    your job to check for updates/patches/bugfixes, don't expect them to always
    come to you.
    
    I think one of the reasons you hear about the IIS bugs so much is because
    they aren't fixes for obscure problems. They tend to be fixes that
    otherwise would result in a complete compromise of the machine. Anyone hear
    about the latest patches to Excel and Word?
    
    From: "Andrew Plato" <aplato@private>@cs.pdx.edu on 06/20/2002 09:57 PM
    Sent by:  owner-crime@private
    To:   "C.R.I.M.E." <crime@private>
    cc:   "Greg KH" <greg@private>
    bcc:
    Subject:  RE: CRIME Study: Open, closed source equally secure
    
    > And remember, there's a lot more to security theories than mathematical
    > models.  His model does nothing to talk about the time it takes to _fix_
    > a problem once found.  For that, nothing beats open source programs, and
    > that has been proven (sorry, can't remember the actual citations, but
    > I'm sure Crispin has them somewhere...)
    
    I'd be interested in seeing a study like that. I wonder what the mean time
    between discovery of a problem and a widely acceptable fix being available
    is for open-source vs. closed-source? My intuition tells me that
    closed-source may take longer to acknowledge and come up with a fix, but it
    can spread that repair out quicker because it has a more organized
    notification channel. Whereas open-source might repair the problem faster,
    but spreading it out to users would be slower because there is a lack of
    centralized coordination. I would speculate, then, that the same conclusion
    would result...open and closed source would have about the same real-world
    response time.
    
    I could cite an example...when IIS has a bug we hear about it all over the
    news which would prompt people to get the update. But when a new version of
    Snort comes out that repairs some bug, people don't know about it until
    they happen to stop by the Snort site and notice that there has been a
    version update.
    
    Andrew Plato
    
    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 11:57:11 PDT