RE: CRIME Study: Open, closed source equally secure

From: Brent Tucker (brentt@private)
Date: Fri Jun 21 2002 - 16:31:39 PDT

    BTW: Here's a link to the actual paper:
    http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/.temp/toulouse.pdf
    
    Judging from the ".temp" part of the URL, this link may not work long term.
    
    -----Original Message-----
    From: Crispin Cowan [mailto:crispin@private]
    Sent: Friday, June 21, 2002 2:56 PM
    To: Greg KH
    Cc: Andrew Plato; C.R.I.M.E.
    Subject: Re: CRIME Study: Open, closed source equally secure
    
    
    Greg KH wrote:
    
    >On Thu, Jun 20, 2002 at 07:14:00PM -0700, Andrew Plato wrote:
    >  
    >
    >>Just stumbled across this interesting story...I am sure it will fan some flames.
    >>
    >>Proprietary programs should mathematically be as secure as those
    >>developed under the open-source model, a Cambridge University
    >>researcher argued in a paper presented Thursday at a technical
    >>conference in Toulouse, France. 
    >>  
    >>In his paper, computer scientist Ross Anderson used an analysis
    >>equating finding software bugs to testing programs for the mean time
    >>before failure, a measure of quality frequently used by manufacturers.
    >>Under the analysis, Anderson found that his ideal "open-source"
    >>programs were as secure as the "closed-source" programs. 
    >>
    >>http://story.news.yahoo.com/news?tmpl=story&ncid=70&e=1&cid=70&u=/cn/20020621/tc_cn/938124
    >>
    >>Now what will really bake your noodle is: do we consider that a
    >>set-back for open-source or a triumph for closed source? 
    >>
    Ross circulated that paper to a private list of pals for review, so I 
    have actually seen the paper. It is a theoretical treatment of the 
    relative advantages that full source disclosure give to the attacker and 
    the defender, in terms of the impact on the difficulty of their work. 
    NONE of the issues that have been discussed here in this thread are 
    covered in Anderson's paper.
    
    My main feedback to Ross was that I feel that open source drastically 
    increases the NUMBER of defenders (ESR's "many eyes" effect) more than 
    it increases the number of attackers, and that this effect dominates all 
    others. IMHO, this makes Anderson's paper interesting to software 
    engineers, but not really relevant to the big open source/proprietary 
    security debate.
    
    >I live in the real world, not the theoretical world :)
    >
    >And remember, there's a lot more to security theories than mathematical
    >models.  His model does nothing to talk about the time it takes to _fix_
    >a problem once found.  For that, nothing beats open source programs, and
    >that has been proven (sorry, can't remember the actual citations, but
    >I'm sure Crispin has them somewhere...)
    >
    Indeed. My favorite works in this area:
    
        * Jim Reavis. Linux vs. Microsoft: Who Solves Security Problems
          Faster?, January 2000.
          http://securityportal.com/cover/coverstory20000117.html
          Unfortunately, securityportal.com is dead, so you can access the
          article here:
          http://web.archive.org/web/20000302111852/http://securityportal.com/cover/coverstory20000117.html
        * Brown, Arbaugh & McHugh's study of intrusions
          <http://www.cs.umd.edu/%7Ewaa/pubs/Windows_of_Vulnerability.pdf>.
          They surveyed CERT incident data, and discovered that nearly all
          intrusion events were exploits of known vulnerabilities that had
          not been patched yet.
        * A paper that the Immunix team has written, in cooperation with
          Adam Shostack (Zero Knowledge Systems) studying the quality of
          patches. Some patches, uh, have to be rushed into place
          <http://www.theregister.co.uk/content/4/25766.html> :) and thus
          are not always of the highest quality
          <http://www.internetnews.com/dev-news/article.php/10_908671>. This
          causes admins to delay applying patches. On the other hand, if you
          don't patch, then you can get hacked. Our paper surveys CVE
          entries for security advisories, and attempts to optimize the time
          at which to apply a security patch. Our paper will appear at
          USENIX LISA <http://www.usenix.org/events/lisa02/> in November.
          Empirically, the sweet spot in the curve is either 10 days or 30
          days after initial release.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 17:02:05 PDT