Re: CRIME Study: Open, closed source equally secure

From: Crispin Cowan (crispin@private)
Date: Fri Jun 21 2002 - 15:03:57 PDT

    Andrew Plato wrote:
    
    >>And remember, there's a lot more to security theories than mathematical
    >>models.  His model does nothing to talk about the time it takes to _fix_
    >>a problem once found.  For that, nothing beats open source programs, and
    >>that has been proven (sorry, can't remember the actual citations, but
    >>I'm sure Crispin has them somewhere...)
    >>
    >I'd be interested in seeing a study like that. I wonder what the mean time between discovery of a problem and a widely acceptable fix being available is for open-source vs. closed source?
    >
    The Reavis paper directly addressed that question: open source was a *great 
    deal* faster.
    http://web.archive.org/web/20000302111852/http://securityportal.com/cover/coverstory20000117.html
    
    >My intuition tells me that closed-source may take longer to acknowledge and come up with a fix, but it can spread that repair out quicker because it has a more organized notification channel.
    >
    Time to apply a widely available patch will be dominated by the 
    organization running the system, not the kind of software they are running.
    
    >Whereas open-source might repair the problem faster, but spreading it out to users would be slower because there is a lack of centralized coordination.
    >
    On the contrary, there is a very efficient centralized distribution 
    system: Bugtraq, and similar mailing lists. If you want to see all 
    advisories for any given product, open source or proprietary, it is 
    trivial to get that kind of feed.
    
    >I could cite an example...when IIS has a bug we hear about it all over the news which would prompt people to get the update. But when a new version of Snort comes out that repairs some bug, people don't know about it until they happen to stop by the Snort site and notice that there has been a version update. 
    >
    The Snort "vulnerability" was no vulnerability at all: that is nothing 
    more than the obvious consequence of using signature-based intrusion 
    detection. If all you do is look for patterns, it is guaranteed that 
    someone can find a way to send what they need to send, obscured in such 
    a way that your pattern matcher will not see it. While Dug Song did good 
    work in coming up with his fragmentation software, the subsequent press 
    feeding frenzy was entirely overblown.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
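The point Crispin makes about pattern matchers, that inspecting fragments one at a time lets a pattern slip through whenever it straddles a fragment boundary, is easy to see in code. The following is an added example written for this archive page, not code from the thread, from Snort, or from Dug Song's tools. It models a stream as a list of (offset, payload) fragments with no real IP or TCP headers, uses a made-up content signature, and constructs its own sample traffic. It shows a naive per-fragment matcher missing the split pattern, and a matcher that reassembles the stream first (the general approach IDS stream preprocessors take) catching it, including when the fragments arrive out of order.

```python
"""Per-fragment signature matching vs. reassemble-then-match.

Added example, not from the original thread. Fragments are constructed
inline as (stream_offset, payload) pairs; SIGNATURE is a hypothetical
content pattern, not a real Snort rule.
"""

SIGNATURE = b"/etc/passwd"  # hypothetical content pattern for the demo


def match_per_packet(packets, signature=SIGNATURE):
    """Naive matcher: looks for the pattern inside each payload on its own.
    Any split of the pattern across a fragment boundary defeats it."""
    return any(signature in payload for _offset, payload in packets)


def reassemble(packets):
    """Rebuild the byte stream from (offset, payload) fragments.
    Fragments may arrive out of order. A gap or overlap raises instead of
    silently producing a stream that differs from what the endpoint sees."""
    stream = bytearray()
    for offset, payload in sorted(packets):
        if offset != len(stream):
            raise ValueError(
                f"gap or overlap at offset {offset}, have {len(stream)} bytes"
            )
        stream += payload
    return bytes(stream)


def match_reassembled(packets, signature=SIGNATURE):
    """Normalize first, then match: reassemble the stream and search it whole."""
    return signature in reassemble(packets)


# Constructed sample traffic: the same request sent whole, then split so the
# signature straddles a fragment boundary, then that split delivered in reverse.
REQUEST = b"GET /etc/passwd HTTP/1.0\r\n\r\n"
WHOLE = [(0, REQUEST)]
SPLIT = [(0, REQUEST[:11]), (11, REQUEST[11:])]  # cut lands inside "/etc/passwd"
SPLIT_REORDERED = list(reversed(SPLIT))


def demo():
    """Return (per_packet_verdict, reassembled_verdict) for each sample case."""
    return {
        "whole": (match_per_packet(WHOLE), match_reassembled(WHOLE)),
        "split": (match_per_packet(SPLIT), match_reassembled(SPLIT)),
        "split_reordered": (
            match_per_packet(SPLIT_REORDERED),
            match_reassembled(SPLIT_REORDERED),
        ),
    }


if __name__ == "__main__":
    for case, (naive, reassembled) in demo().items():
        print(f"{case:16} per-packet={naive!s:5} reassembled={reassembled}")
```

The reassembling matcher is only as good as its model of what the receiving host will do: the gap check here is deliberately strict, because an inspector that reassembles differently from the endpoint (filling gaps, or picking a different copy on overlap) reopens exactly the kind of blind spot the per-fragment matcher has.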
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 16:06:06 PDT