20040830

Cargo Cult Security - Windows Live Update

It is like saying that "our roads are safer now that we have much faster ambulances". Microsoft have obviously looked at effective security products and effectively secure operating systems and decided that, in order to give the impression that their systems are secure, they need to exhibit the same features as those systems.
Richard Feynman describes this 'form' as the cargo cult, put into a software engineering context here. In the security context the cult of good security exhibits:

  • Full Disclosure
  • Open Source Audit
  • Built-in Cryptography
  • Active Patching

The OpenBSD model of "proactive" auditing of software and "security by default" distributions leads to good security. The fact that it exhibits all of these forms is incidental. The OpenBSD patch mechanism is very basic because there are not that many security holes to patch: most potential exploits were designed out from an early stage.

I suppose when you have a 'runaway train' of security issues then you would need a 256Mb brake. I hope it works.

1 comment:

straun said...

Microsoft publish this research document from Forrester.

I cannot argue with the details of the research. But I question the types of disclosure used in the study of the number of days of vulnerability. Open source has open issues and therefore open disclosure - and so responsible disclosure with open source libraries is hard to do. Most serious Windows flaws, discovered under white hat conditions, are responsibly disclosed and there is typically some 60 days before public disclosure is made.

You can see how long it takes from the day of disclosure to the day of a distribution fix by subtracting the distro from the all days figure. For Windows this comes out at 0, i.e. responsible disclosure must be in operation, and for RedHat 10 days, i.e. public disclosure (or slow). This also brings into question the total number. If Windows disclosure is based mostly on responsible disclosure then how many fixes are still being worked on?