Security & Open/Closed Source

Posted Jul 4, 2002 5:22 UTC (Thu) by wcooley (subscriber, #1233) [Link]

It's a fairly simple difference: Microsoft often takes months to release security updates and hardly communicates with people reporting problems. It seems often that it takes a full-disclosure vulnerability or a worm in the wild to motivate them to actually do something about the holes in the software. That is not, however, the case with the Apache project (and many other free software projects): its members are very responsive to reported vulnerabilities. People don't usually scoff because Microsoft whines about early-disclosure; people scoff because often the response from Microsoft is not satisfactory.

Software vendors, regardless of whether they are open source or proprietary, which have a reputation of being genuinely concerned about security and responsive to people reporting vulnerabilities usually get--and deserve--better treatment.

Wil Cooley <wcooley@nakedape.cc>
Naked Ape Consulting

Posted Jul 5, 2002 17:38 UTC (Fri) by gleef (guest, #1004) [Link]

People get angry when good security procedures are not followed, and ISS didn't follow good security procedures. Good security procedures isn't "rush to tell the world and hope the software maintainers read about the announcement before the exploit writers do".

There is a lot of debate as to the details of good vulnerability reporting procedures, but they basically all boil down to:

1. Tell the software vendor / project maintainer what the problem is
2. Wait a few days for them to respond
3. If they don't respond or don't seem to care: announce to the world
4. If they do seem to care: give them some more days (eg 14) to fix it
5. When the time is up, if they haven't announced it yet, announce it.

ISS skipped steps 1-4 and went straight to 5.

People get angry at Microsoft because they want unlimited time to ignore the problem, they don't want anything past step 1.

For further reading, one proposed formal procedure for the above is the IETF Draft Responsible Vulnerability Disclosure Process.

-Gleef

Posted Jul 6, 2002 19:39 UTC (Sat) by Strike (guest, #861) [Link]

Another big issue (I think), is that not only does it take time for the software vendors/developers to produce a patch/fix, but it also takes time for sysadmins to find a convenient time to perform the update necessary to avoid the vulnerability. I kinda like Theo's way of doing things with the OpenSSH deal - seems to be a good compromise between openness and level-headed pragmatism in a world where information is worth its bits in gold and a security problem can cost a lot of money. I say, alert people that an important fix is pending (without being so specific that an attack can be brewed immediately) and get the fix out the door as soon as possible. By this point, sysadmins will have been able to have scheduled appropriate maintenance/down time.