The Ransbotham FUD attack on open source fisks itself

Ransbotham's Corollary shows that vulnerability does not drop as quickly as Schneier first surmised, but remains as a product of knowledge.

You don't expect misleading FUD about open source from MIT's Technology Review. But here it is.

The story is about a Boston College professor (and Georgia Tech grad -- go Jackets) named Sam Ransbotham.

The misleading bit is the idea that open source vulnerabilities spread faster, and are exploited both sooner and with more force, than bugs in proprietary software.

It's true, but it's wrong to draw large conclusions from that.

In his work Ransbotham looked at a list of 883 known vulnerabilities and found 97 exploited over two years, 30 of them in open source. Attacks on open source were broader and moved faster than those on closed source.

The real story is a bit nastier. The biggest correlation Ransbotham found was not between open source and attack, but between the existence of a security signature and attacks.

In other words, when an anti-virus company creates a signature and pushes it to users, criminals gain enormous value from knowing where to aim their attacks. It's a variation of the famous Bruce Schneier graph on vulnerability, which shows the window of exposure at its maximum between the announcement of an exploit and the delivery of a patch.

Riskpundit is already all over this. Protecting against specific exploits (which a virus signature offers) is less important than insulating systems from vulnerabilities, they wrote in March.

What I might term "Ransbotham's Corollary" shows that vulnerability does not drop as quickly as Schneier first surmised, but remains as a product of knowledge.
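To make the difference between the two curves concrete, here is a small illustrative model, added for this post and not taken from Ransbotham's paper or Schneier's essay. It treats exposure on any given day as the product of attacker knowledge and the fraction of systems still unpatched: in the Schneier-style curve, knowledge becomes a constant at disclosure and exposure decays as patches roll out; in the corollary curve, publishing a detection signature adds a second jump in knowledge after the patch ships, so the curve peaks again and decays more slowly. All day values, the patch-adoption rate and the size of the signature "boost" are assumptions chosen for the illustration.

```python
"""Illustrative vulnerability-exposure model (constructed example, not the paper's data).

exposure(t) = knowledge(t) * unpatched(t)

knowledge(t): how much attackers know about where to aim (0 before disclosure).
unpatched(t): fraction of the installed base that has not yet applied the patch.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Timeline:
    disclosure: int            # day the vulnerability is announced
    patch: int                 # day a patch ships
    signature: Optional[int]   # day a detection signature is published (None = never)
    patch_rate: float          # fraction of still-unpatched systems patched per day after patch day


def unpatched(t: int, tl: Timeline) -> float:
    """Everyone is exposed until the patch ships; afterwards the unpatched share decays geometrically."""
    if t < tl.patch:
        return 1.0
    return (1.0 - tl.patch_rate) ** (t - tl.patch)


def knowledge_schneier(t: int, tl: Timeline) -> float:
    """Schneier's picture: knowledge jumps to 1 at disclosure and stays there."""
    return 1.0 if t >= tl.disclosure else 0.0


def knowledge_corollary(t: int, tl: Timeline, boost: float = 1.0) -> float:
    """The corollary: a published signature tells attackers exactly where to aim, adding a second jump (boost is an assumed size)."""
    k = knowledge_schneier(t, tl)
    if tl.signature is not None and t >= tl.signature:
        k += boost
    return k


def exposure_curve(tl: Timeline, days: int,
                   knowledge: Callable[[int, Timeline], float]) -> List[float]:
    """Daily exposure values for days 0..days-1 under the given knowledge model."""
    return [knowledge(t, tl) * unpatched(t, tl) for t in range(days)]


def peak_day(curve: List[float]) -> int:
    """First day on which exposure reaches its maximum."""
    return max(range(len(curve)), key=curve.__getitem__)


def area(curve: List[float]) -> float:
    """Total exposure summed over the period (the 'life' of the problem)."""
    return sum(curve)


def days_above(curve: List[float], level: float) -> int:
    """How many days exposure stays at or above a threshold."""
    return sum(1 for v in curve if v >= level)


# Constructed scenario: disclosed day 0, patch on day 10, signature two days later,
# 20% of remaining unpatched systems patch each day.
SCENARIO = Timeline(disclosure=0, patch=10, signature=12, patch_rate=0.2)
SCHNEIER = exposure_curve(SCENARIO, 60, knowledge_schneier)
COROLLARY = exposure_curve(SCENARIO, 60, knowledge_corollary)

if __name__ == "__main__":
    for name, curve in (("schneier", SCHNEIER), ("corollary", COROLLARY)):
        print(f"{name:10s} peak day={peak_day(curve):2d} "
              f"days above 0.5={days_above(curve, 0.5):2d} total exposure={area(curve):.2f}")
```

In this scenario the Schneier-style curve peaks at disclosure and drops under 0.5 after about two weeks, while the corollary curve has a second, higher peak on the day the signature is published and stays above 0.5 for three more days; the total exposure over the period is roughly a fifth larger. The numbers are artifacts of the assumed rates, but the shape is the point: a patch shrinks the unpatched population, while a published signature grows attacker knowledge, and exposure is the product of the two.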

The people who really need to worry here, in other words, aren't open source projects but security companies. Their creation and distribution of patches and signatures are extending the life of exploits indefinitely.

For open source, there is obviously a lesson. Rapid patching of systems and secure sharing of exploit knowledge are vital.

But most vulnerabilities aren't attacked.

When they are, they're attacked in waves, and a rapid patching process aimed at insulating systems against the underlying problem, rather than just catching one specific exploit, can catch the wave.

Just remember that signatures are open source code too.