Toward healthy paranoia

Posted Sep 13, 2013 11:42 UTC (Fri) by spender (subscriber, #23067)
In reply to: Toward healthy paranoia by hummassa
Parent article: Toward healthy paranoia

Since I've been summoned:

Say what you will about the intentions for fixing vulnerabilities in the proprietary world. I find it to be the same for the Linux kernel really.

What's undeniable though is the dramatic change Microsoft has made in their development processes (SDL) and entire approach to security (EMET, etc). In his now-famous memo (http://www.wired.com/techbiz/media/news/2002/01/49826) Bill Gates identified security as a systemic threat to his business.

Contrast this to the Linux kernel, which is still very much in an old mindset. Even the Linux kernel's security pride and joy, its ability to publish timely fixes in response to submitted reports, is rendered ineffective by upstream's inability and unwillingness to communicate the importance of those fixes. In the space of any other commercial product based on Linux (Android, NASes, etc), you also have the problem of those fixes just not getting out to the users at all.

-Brad


(Log in to post comments)

Toward healthy paranoia

Posted Sep 13, 2013 13:17 UTC (Fri) by anselm (subscriber, #2796)

Say what you will about the intentions for fixing vulnerabilities in the proprietary world. I find it to be the same for the Linux kernel really.

I agree that the Linux kernel development community could do a lot to improve their handling of security issues. That does not detract from the observation that most FOSS projects are much more open about security than most proprietary vendors. The Apache web server project, for example, seems to do a decent job of dealing with security issues and their fixes.

What's undeniable though is the dramatic change Microsoft has made in their development processes […]

Microsoft may be better than they used to be but they often still need extensive prodding before acknowledging, let alone fixing, security issues. In many cases it requires an active exploit out in the wild to get most vendors to do anything, mostly because the act of having to publish patches at all means bad PR (for having been vulnerable in the first place). It is also difficult to get customers to install the patches, and there is a chance of introducing new bugs when patching existing ones, which is why after-market upgrades are often viewed as a bad idea, and are restricted to the most egregious problems. For a vendor it often pays to sit on problems that are not being actively exploited, where in the FOSS community (with the possible exception of some projects like the Linux kernel) proactive fixing of even theoretical security issues is generally welcomed.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds