Two security articles

vnunet has interviewed Robert Clyde, CTO at Symantec. "With open source, if an individual cares about a code flaw they'll fix it fast; if it's an obscure piece of code it could languish for years untouched. Commercial companies will try and fix all problems within a fixed timescale. Most commercial vendors are really behind reporting problems honestly and trying to fix them. I don't know of a single vendor who will sit on a vulnerability - maybe five years ago but not now."

Compare that with this eWeek article on Oracle's security performance. "It's been a good seven or eight months since the vulnerabilities were discovered. Sure, eight months seems like it would be 'as quickly as possible.' For a roomful of monkeys arbitrarily hitting keys to come up with a security fix. On broken keyboards."

Two security articles

Posted Aug 18, 2004 18:41 UTC (Wed) by ccchips (subscriber, #3222) [Link]

I have 2 words for Robert Clyde, regarding his delightful opinion, in particular, regarding proprietary software:

Orphaned programs.

Two security articles

Posted Aug 18, 2004 18:48 UTC (Wed) by gvy (guest, #11981) [Link]

Oh no, Mr. Clyde must be joking or is horribly uninformed.

If he'd studied Code Red's story (it wasn't 5 years ago, right?) he'd probably either dump this funny opinion or lie in a more arcane manner.

Do they publicly call themselves a security company?

You missed this part:

Posted Aug 18, 2004 20:31 UTC (Wed) by southey (subscriber, #9466) [Link]

"... fix all problems within a fixed timescale." He just did not say what the fixed timescale was.

Re: You missed this part

Posted Aug 18, 2004 21:06 UTC (Wed) by and (subscriber, #2883) [Link]

> He just did not say what the fixed timescale was.

Probably half a billion years ;-)

Proprietary software companies don't fix all problems

Posted Aug 18, 2004 22:41 UTC (Wed) by JoeBuck (subscriber, #2330) [Link]

Of course they don't, and they shouldn't. They fix problems encountered in their internal testing, and they fix problems that the customers scream about, but any program of significant size ships with known defects. This is true whether it is open source or proprietary. In the case of proprietary software, sometimes the customer must buy the new version to get a known defect corrected (especially if the fix is non-trivial), though security bugs are not treated this way by any responsible company.

Not so hidden agenda

Posted Aug 18, 2004 21:03 UTC (Wed) by leandro (subscriber, #1460) [Link]

His motivation is clear. If there weren't proprietary programs, there wouldn't be virii, and the incidence of spam, zombies and the like would be much lower. Script kiddies would get much less luck, and while real crackers would still have a field, dealing with them would be for real specialists, not for Symantec with its 'let's tape these MS holes' line of business.

Not so hidden agenda

Posted Aug 19, 2004 14:48 UTC (Thu) by robochan (guest, #18434) [Link]

Exactly. The very first line of this 'article':
"With over 25 years' experience in the security business, almost exclusively in Fortune 500 companies"
tells it all. He's trying to be "proactive" in the sense that he's trying to avoid the apparent inevitability of more and more business moving towards open source software - a system in which his products have no market.
Symantec's Vincent Steckler recently said "If 90 percent [of software] was open source there would be just as many attacks, only worse. Imagine smart hackers with [access to] source code"
More and more cogs in their FUD machine show up every day.

Not so hidden agenda

Posted Aug 19, 2004 19:57 UTC (Thu) by crouchet (guest, #1084) [Link]

I think there is another, more direct motivation there as well. Open source virus control software such as ClamAV is becoming more mature and more popular. He is trying to tell us why we should continue to buy his product rather than use an open source alternative, but without directly saying that.

A lot of users have not realized that open source AV software exists but you can bet the people at Norton are well aware of it.

JC

Two security articles

Posted Aug 19, 2004 1:58 UTC (Thu) by dkite (guest, #4577) [Link]

Robert Clyde misses the whole point.

He, or someone he pays, could fix the problem. If there isn't a fix, it usually means that no-one cares enough to put the necessary resources in place.

With proprietary stuff, everyone is at the mercy of the vendor. The only reason why vendors fix things quickly is due to the nasty pressure tactic of releasing exploits with notification. If this hadn't been done, we still would be waiting years for fixes.

Derek

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds