halos and security holism

A nice article about Fidelity and open source has two things that I find especially nice, in this one paragraph alone:

The Mozilla Firefox browser was an eye-opener, added Mike Askew, who also works in the technology center. A head-to-head comparison of Firefox and Internet Explorer showed that both had about the same level of security vulnerability, but ”the time needed to fix vulnerabilities in Firefox was much less,” Askew said. That experience led Fidelity to look at open source more intently.

First, I do quite like to hear that our success is making people look at other open source offerings more seriously. It’s not a primary goal for the project, but it’s one of the nice unintended consequences that we get as a bonus.

Second, I like to see people evaluating security characteristics of software in a more nuanced way than simple advisory or vulnerability count. Not all bugs are equal (as is perhaps obvious now, in the throes of the WMF vulnerability, though that’s not an IE bug), and even with severity weighting you are still faced with what are likely even more important questions. Chief among them might well be “how long am I likely to be exposed once a bug is found, or publicized?” If you believe that history is a useful, if imperfect, guide, then something like this vulnerability-window study might be of interest. If not, then you’ll have to do more research, which I very much hope you’ll publish.

or maybe not paranoid enough

In 1996, I watch Peter Gutmann present a paper about how extremely difficult it is to delete data from hard drives such that it is deleted for keepsies. I remember the discussions with Marcus and others afterwards that centered around how incredibly doomed we were, as security professionals.

It might be that time again. I sort of hope I only have one of these doomed moments once a decade.

« previous page