|FROM ||Ruben I Safir
|SUBJECT ||Re: [hangout] [Fwd: Joint Statement about GNU/Linux Security]
This should go on the FSCC list and site.
On 2004.04.06 18:17 Ron Guerin wrote:
> -----Forwarded Message-----
> From: Martin Schulze
> To: Debian News Channel
> Subject: Joint Statement about GNU/Linux Security
> Date: Tue, 06 Apr 2004 22:30:37 +0200
> The Debian Project http://www.debian.org/
> Joint Statement about GNU/Linux Security press-at-debian.org
> April 6th, 2004 http://www.debian.org/News/2004/20040406
> Joint Statement about GNU/Linux Security
> Executive Summary:
> GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together
> to give a common statement about the Forrester report entitled "Is Linux
> more Secure than Windows?". Despite the report's claim to incorporate a
> qualitative assessment of vendor reactions to serious vulnerabilities, it
> treats all vulnerabilities as equal, regardless of their risk to users.
> As a result, the conclusions drawn by Forrester have extremely limited
> real-world value for customers assessing the practical issue of how
> quickly serious vulnerabilities get fixed.
> Full Statement:
> The security response teams of GNU/Linux distributors Debian,
> Mandrakesoft, Red Hat and SUSE have assisted Forrester in gathering and
> correcting data about vulnerabilities in their products. The gathered
> data was used at Forrester for a report that became titled "Is Linux more
> secure than Windows?". While the vulnerability data regarding GNU/Linux
> which is the basis for the report is considered to be sufficiently
> accurate and useful, Debian, Mandrakesoft, Red Hat and SUSE, from now on
> referred to as "We", are concerned about the correctness of the
> conclusions made in the report.
> We believe that it is in the interest of our usership and the Free
> Software community to respond to the Forrester report in the form of a
> common statement:
> We were approached by Forrester in February 2004 to help them refine their
> raw data. Forrester collected data about the vulnerabilities that
> affected GNU/Linux during a one year period (June 2002 - May 2003) and
> looked at how many days it took us to provide corrections to our users.
> Significant efforts have been put in not only making sure that the
> underlying dataset for the vulnerabilities was correct, but also to
> articulate the special technical and organizational care taken in the
> response processes in the professional Free Software security field. This
> expertise is greatly appreciated by our usership since it adds a high
> value to our products, but we see that most of this value has been ignored
> in the methods used for the analysis of the vulnerability data, leading to
> erroneous conclusions.
> Our Security Response Teams and security specialized organizations of
> respectable reputation (such as the CERT/DHS, BSI, NIST, NISCC) exchange
> information about vulnerabilities and cooperate on the measures and
> procedures to react to them. Each vulnerability gets individually
> investigated and evaluated; the severity of the vulnerability is then
> determined by each of the individual teams based on the risk and impact as
> well as other, mostly technical, properties of the weakness and the
> software affected. This severity is then used to determine the priority
> at which a fix for a vulnerability is being worked on weighed against
> other vulnerabilities in our current queues. Our users will know that for
> critical flaws we can respond within hours. This prioritization means
> that lower severity issues will often be delayed to let the more important
> issues get resolved first.
> Even though the Forrester report claims so, it does not make that
> distinction when it measures the time elapsed between the public knowledge
> of a security flaw and the availiability of a vendor's fix. For each
> vendor the report gives just a simple average, the "All/Distribution days
> of risk", which gives an inconclusive picture of the reality that users
> experience. The average erroneously treats all vulnerabilities as equal,
> regardless of the risk they pose. Not all vulnerabilities have an equal
> impact on all users. An attempt has been made to allocate a severity to
> vulnerabilities using data from a third party, however the classification
> of "high-severity" vulnerabilities is not sufficient: The mere
> announcement of a vulnerability by a particular security organization does
> not necessarily make the vulnerability severe - similarly, the ability to
> exploit a weakness over the network (remote) is often irrelevant to the
> vulnerability's severity.
> We believe the report does not treat vendors of Free Software and the
> single closed source vendor in the same way. Free Software is known for
> its variety and its freedom of choice amongst the standards it defines.
> Multiple implementations of these standards are typically offered for both
> desktop and server use, which gives users the freedom to select software
> based on their own criteria rather than those of the vendor. The
> openness, transparency and traceability of the source code is added value
> in addition to the larger variety of software packages available.
> Finally, the claim that one software vendor had fixed 100% of their flaws
> during the period of the report should be incentive for a closer
> investigation of the conclusions the report presents.
> Noah Meyerhans, Debian
> Vincent Danen, Mandrakesoft
> Mark J Cox, Red Hat
> Roman DrahtmÃ¼ller, SUSE
> Additional Information:
> Javier FernÃ¡ndez-Sanguino PeÃ±a composed a survey in 2001[*] and discovered
> that it has taken the Debian security team an average of 35 days to fix
> vulnerbilities posted to the Bugtraq list. However, over 50% of the
> vulnerabilities where fixed in a 10-days time frame, and over 15% of them
> where fixed the same day the advisory was released! For this analysis,
> all vulnerabilities were treated the same, though.
> He has rerun the survey based on vulnerabilities discovered between June
> 1st 2002 and May 31st 2003 and found out that the median value of delays
> between the disclosure and releasing an advisory including a correction
> was 10 days (average is 13.5 days). Again, for this analysis advisories
> were not classified with different priorities.
> * http://lists.debian.org/debian-security-0112/msg00257.html
> NYLXS: New Yorker Free Software Users Scene
> Fair Use -
> because it's either fair use or useless....
> NYLXS is a trademark of NYLXS, Inc
Brooklyn Linux Solutions
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.mrbrklyn.com - Consulting
http://www.inns.net <-- Happy Clients
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and articles from around the net
http://www2.mrbrklyn.com/downtown.html - See the New Downtown Brooklyn....
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc