[Cryptography] Would open source solve current security issues? (was "Re: EFF amicus brief in support of Apple")

Christian Huitema huitema at huitema.net
Thu Mar 10 17:22:05 EST 2016


On Thursday, March 10, 2016 3:29 AM, Jerry Leichter wrote:
> ...
> That's all open source.  On the closed source side, all the supply chains and
> testing and related processes are internalized.  There is, of course, never a
> source code patch.  But the closed source suppliers - pushed by their
> customers - are these days loath to push large numbers of small patches.
> Hence the "patch Tuesday" phenomenon.  This also puts more pressure on
> them to test - all the way down the supply chain - since "fixing the fix" if it
> goes wrong is also disruptive.

There is something more. Many of the fixes apply to previously undisclosed vulnerabilities. Pushing a fix allows users to patch their system, but it also discloses the vulnerability in unpatched systems. When a fix is out, you can expect a bunch of exploit writers to reverse engineer it, and add it to their toolkit. And then, whoever did not apply the patch is vulnerable.

One nice aspect of "patch Tuesday" is that it helps administrators. If system administrators know that a fix is coming on a specified date, they can plan ahead and make sure that there will be resources available to update systems and apply patches. So in practice, most systems get fixed shortly after the patch is out, and the risk of disclosing previously unknown bugs is somewhat mitigated.

The exception is if a bug is known and exploited in the wild. In that case, it is better to ship the fix quickly.

-- Christian Huitema