Do we need another CERT?

Summary: While open source doesn't suffer as many vulnerabilities, its dispersed nature makes fixing them more like herding cats than cows.


[Image: Window of Vulnerability]

Yes.

Google's backing of oCERT is a major milestone in the history of open source.

It's not that I have anything against the Computer Emergency Response Team (CERT) at Carnegie-Mellon. They do important work, not only in identifying risks but in educating people on them.

UPDATE: A CERT spokesman notes they've licensed the term, dropped the longer form of the name (like IBM did back in the day) and licensed it to oCERT.

What makes oCERT important is here, in the famous 2000 essay by Bruce Schneier on the "window of vulnerability."

As Schneier noted, vulnerabilities, like fame, have five distinct phases.* A vulnerability is discovered, announced, becomes popular, gets patched, and then the patch is disseminated.

It's the last bit where the differences lie in open source. Windows machines are patched centrally, and that patch is distributed widely, quickly, sometimes forcefully.

Whether you get your patches directly from Microsoft or from a security vendor, the process is the same.

We have a well-established protocol for distributing fixes, so that downward curve, from distribution of a patch to the machines actually being fixed, is sharp. It's like herding cows.

While open source doesn't suffer as many vulnerabilities, its dispersed nature makes fixing them more like herding cats than cows.

A central system like oCERT is needed so that, as open source gains market share, and malware writers target Linux, we can keep that last curve sharp.

* The five stages of fame. Who's Dana? Get me Dana! Get me someone like Dana! Get me a young Dana! Who's Dana? Insert your name for mine.

Talkback

5 comments
  • what linux/unix taking a cue from MS

    hell hath frozen over!

    btw, doesn't red hat have a live update like system?
    Been_Done_Before
    • Huh???

      How is this a page from MS? And by looking at the second question I'd have to wonder why you're even making comments about Linux.
      storm14k
      • First part was a joke.. and linux had it before MS along with lots of other software.

        As far as my linux comment, I don't use red hat, I have messed with it and have seen an update feature.

        I run two slackware servers and one AIX server, so yes I know linux and I also know unix, but I don't know every aspect of both, do you?
        Been_Done_Before
    • best practices are still best practices......

      so, I don't think hell has frozen over at all...

      and I actually would call this article FUD.

      after all, all of the major distributions have their own central set of repositories... which they update with patches, and then people get updates from those "central" repositories (or the mirrors thereof)...

      Linux is harder to patch, mostly because it's so diverse... but no individual is concerned with fully patching everything... everything is streamed...

      the people at the top of a program's code patch it, and everyone down the line ends up updating and patching their packages in their repositories to reflect the patch(es)... and then it gets to the consumer.
      shryko
  • THIS IS FUD!!!

    while I think another CERT would be helpful, I still classify this article as a bit of fud...

    each distribution is tailored to a separate set of needs...

    each program development team needs to watch their own program.
    almost all distributions provide their customers with a single set of repositories to draw from, and for consumers, that setup means that as long as the distribution has patches applied, it's pushed out like windows update does.

    Program teams should update the core of their code as soon as a vulnerability is fixed, and each distribution would then update their repositories for the program.

    It's basically the same sort of layout as the Windows Update environment... It's just more clearly laid out... and since there's multiple distributions, it's like having multiple windows update sets...

    with the exception of the people that use cross-distribution repositories, the setup is basically the same. For those that use cross distribution repositories? well... That's a whole new kettle of fish I'm not gonna touch on... mostly since that situation needs to be dealt with on a case-by-case basis...
    shryko