BTW: Here's a link to the actual paper:
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/.temp/toulouse.pdf
Judging from the ".temp" part of the URL, this link may not work long term.

-----Original Message-----
From: Crispin Cowan [mailto:crispin@private]
Sent: Friday, June 21, 2002 2:56 PM
To: Greg KH
Cc: Andrew Plato; C.R.I.M.E.
Subject: Re: CRIME Study: Open, closed source equally secure

Greg KH wrote:

>On Thu, Jun 20, 2002 at 07:14:00PM -0700, Andrew Plato wrote:
>
>>Just stumbled across this interesting story... I am sure it will fan some flames.
>>
>>Proprietary programs should mathematically be as secure as those
>>developed under the open-source model, a Cambridge University
>>researcher argued in a paper presented Thursday at a technical
>>conference in Toulouse, France.
>>
>>In his paper, computer scientist Ross Anderson used an analysis
>>equating finding software bugs to testing programs for the mean time
>>before failure, a measure of quality frequently used by manufacturers.
>>Under the analysis, Anderson found that his ideal "open-source"
>>programs were as secure as the "closed-source" programs.
>>
>>http://story.news.yahoo.com/news?tmpl=story&ncid=70&e=1&cid=70&u=/cn/20020621/tc_cn/938124
>>
>>Now what will really bake your noodle is: do we consider that a
>>set-back for open-source or a triumph for closed source?
>>

Ross circulated that paper to a private list of pals for review, so I have actually seen the paper. It is a theoretical treatment of the relative advantages that full source disclosure gives to the attacker and the defender, in terms of the impact on the difficulty of their work. NONE of the issues that have been discussed here in this thread are covered in Anderson's paper. My main feedback to Ross was that I feel that open source drastically increases the NUMBER of defenders (ESR's "many eyes" effect) more than it increases the number of attackers, and that this effect dominates all others.

IMHO, this makes Anderson's paper interesting to software engineers, but not really relevant to the big open source/proprietary security debate.

>I live in the real world, not the theoretical world :)
>
>And remember, there's a lot more to security theories than mathematical
>models. His model does nothing to talk about the time it takes to _fix_
>a problem once found. For that, nothing beats open source programs, and
>that has been proven (sorry, can't remember the actual citations, but
>I'm sure Crispin has them somewhere...)
>

Indeed. My favorite works in this area:

* Jim Reavis. Linux vs. Microsoft: Who Solves Security Problems Faster?, January 2000. http://securityportal.com/cover/coverstory20000117.html
  Unfortunately, securityportal.com is dead, so you can access the article here:
  http://web.archive.org/web/20000302111852/http://securityportal.com/cover/coverstory20000117.html

* Brown, Arbaugh & McHugh's study of intrusions <http://www.cs.umd.edu/%7Ewaa/pubs/Windows_of_Vulnerability.pdf>. They surveyed CERT incident data, and discovered that nearly all intrusion events were exploits of known vulnerabilities that had not been patched yet.

* A paper that the Immunix team has written, in cooperation with Adam Shostack (Zero Knowledge Systems), studying the quality of patches. Some patches, uh, have to be rushed into place <http://www.theregister.co.uk/content/4/25766.html> :) and thus are not always of the highest quality <http://www.internetnews.com/dev-news/article.php/10_908671>. This causes admins to delay applying patches. On the other hand, if you don't patch, then you can get hacked. Our paper surveys CVE entries for security advisories, and attempts to optimize the time at which to apply a security patch. Our paper will appear at USENIX LISA <http://www.usenix.org/events/lisa02/> in November. Empirically, the sweet spot in the curve is either 10 days or 30 days after initial release.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 17:02:05 PDT