Vulnerability Development mailing list archives

Re: Time-to-patch vs Disclosure method


From: "J. J. Horner" <jhorner () 2jnetworks com>
Date: Thu, 18 Oct 2001 09:46:09 -0400

* Jay D. Dyson (jdyson () treachery net) [011017 22:08]:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> On Wed, 17 Oct 2001, Mark Kennedy wrote:
> 
> > I disagree that all Microsoft is doing is diverting attention.  They
> > raise some legitimate questions and concerns.
> 
>       I could not possibly disagree more.  They are blaming the
> discoverers of their flaws for their security problems.  That's not only
> poor judgment, it's deceptive to the consumer.
> 
>       Rather than admit the glaring flaws in their own product, they
> decide to publicly bash the firms that are helping people defend their own
> networks.
> 
> > Their problems are another topic.  But just because they are the source
> > of the vulnerability does not undermine their valid concerns on how that
> > vulnerability is disclosed.
> 
>       Sure does.  Do note that Microsoft only endorses those products and
> services in which they can make a buck.  All the while, they go out of
> their way to demonize every open source and security-related product and
> firm that is given out for free.
> 
>       That's not just stupid, it's just another shining example of their
> anti-competitive tactics.


M$ has a neat way of making claims with enough truth to make them sound 
viable.  I manage a collection of about 55 webservers with an even mix
of Apache and IIS.  I KNOW how much work is involved in patching and securing
IIS servers, and I KNOW how much work is involved in securing Apache.  

We've never had a remote compromise of a webserver (other than internal 
audits).  We got hit on a few poorly configured shares with Nimda, but
that is the extent of our vulnerability on our IIS servers.  We patch hard,
we patch fast, we patch often.  (There you go, Chesty Puller, 
wherever you are.)

My personal opinion is that IIS is crap.  My personal opinion is that M$
couldn't program without buffer-overflows if their corporate life depended
on it.  My personal opinion is that M$ seems incapable of fixing a Unicode
exploit in one try.  My professional opinion is "I recommend Apache, but
I'll administer whatever you want".

The reason I wanted the stats is so that I can know for myself whether
full-disclosure speeds up the process or not.  I get the impression that
most software firms would rather hush up a bug rather than patch it.  It
takes less work and less knowledge to start a media campaign than it does
to fix a buffer overflow.

I also want to know whether Open Source companies patch faster than 
closed source.  I think they do, but I don't have numbers to back it up.

I'll soon start the movement here to move to Apache.  I'm just picking
up some ammo.

Thanks,

JJ

-- 
J. J. Horner
"H*","6a686f726e657240326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"

Freedom is an all-or-nothing proposition:  either we 
are completely free, or we are subjects of a
tyrannical system.  If we lose one freedom in a
thousand, we become completely subjugated.
