Re: CRIME Study: Open, closed source equally secure

From: Crispin Cowan (crispin@private)
Date: Fri Jun 21 2002 - 15:03:57 PDT

Next message: SCRIMSHER,JOHN (HP-Corvallis,ex1): "RE: CRIME EarthLink Password Security Story"

Previous message: Crispin Cowan: "Re: CRIME Study: Open, closed source equally secure"
In reply to: Andrew Plato: "RE: CRIME Study: Open, closed source equally secure"
Next in thread: Zot O'Connor: "RE: CRIME Study: Open, closed source equally secure"
Next in thread: brvarin@private: "RE: CRIME Study: Open, closed source equally secure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andrew Plato wrote:

>>And remember, there's a lot more to security theories than 
>>mathemetical
>>models.  His model does nothing to talk about the time it 
>>takes to _fix_
>>a problem once found.  For that, nothing beats open source 
>>programs, and
>>that has been proven (sorry, can't remember the actual citations, but
>>I'm sure Crispin has them somewhere...)
>>    
>>
>I'd be interested in seeing a  study like that. I wonder what the mean time between discovery of a problem and a widely acceptable fix being available is for open-source vs. closed source?
>
Reavis paper directly addressed that question: open source was a *great 
deal* faster. 
http://web.archive.org/web/20000302111852/http://securityportal.com/cover/coverstory20000117.html

>My intuition tells me that close-source may take longer to acknowledge and come up with a fix, but it can spread that repair out quicker because it has a more organized notification channel. 
>
Time to apply a widely available patch will be dominated by the 
organization running the system, not the kind of software they are running.

>Where as open-source might repair the problem faster, but spreading it out to users would be slower because there is a lack of centralized coordination.
>
On the contrary, there is a very efficient centralized distribution 
system: Bugtraq, and similar mailing lists. If you want to see all 
advisories for any given product, open source or proprietary, it is 
trivial to get that kind of feed.

>I could cite an example...when IIS has a bug we hear about it all over the news which would prompt people to get the update. But when a new version of Snort comes out that repairs some bug, people don't know about it until they happen to stop by the Snort site and notice that there has been a version update. 
>
The Snort "vulnerability" was no vulnerability at all: that is nothing 
more than the obvious consequence of using signature-based intrusion 
detection. If all you do is look for patterns, it is guaranteed that 
someone can find a way to send what they need to send, obscured in such 
a way that your pattern matcher will not see it. While Dug Song did good 
work in coming up with his fragmentation software, the subsequent press 
feeding frenzy was entirely overblown.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

Next message: SCRIMSHER,JOHN (HP-Corvallis,ex1): "RE: CRIME EarthLink Password Security Story"
Previous message: Crispin Cowan: "Re: CRIME Study: Open, closed source equally secure"
In reply to: Andrew Plato: "RE: CRIME Study: Open, closed source equally secure"
Next in thread: Zot O'Connor: "RE: CRIME Study: Open, closed source equally secure"
Next in thread: brvarin@private: "RE: CRIME Study: Open, closed source equally secure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 16:06:06 PDT