[Cryptography] Would open source solve current security issues? (was "Re: EFF amicus brief in support of Apple")

Andrew Donoho awd at ddg.com
Fri Mar 18 12:10:49 EDT 2016


> On Mar 17, 2016, at 19:10 , ianG <iang at iang.org> wrote:
> 
> Yes, significant learning there.  Has anyone any notion of the time between discovery, announcement, and say 80% patch rate for the modern generation of issues such as Heartbleed?
While I cannot speak to the rate of change in servers, I can speak to the rate at which iOS devices are updated. It is a rule of thumb in the iOS developer community that 50% of iOS devices update in at least 3 months post OS release. Apple frequently brags on faster uptakes. As a software developer, you plan on supporting the last two versions of the OS, i.e. 24 months of support.

Hence, I think a good estimate of maximum time to repair of security problems in the iOS installed base is 24 months post release of the fix. I believe the 80% coverage threshold is reached well before 12 months post-release. Of course, I cannot speak to the pre-release delays. My colleagues inside Apple though tell me that they try to turn fixes around ASAP.

The Android community has a very different update process. If there is an Android developer on the list, please speak up and correct the following assessment: Some might say, due to carrier incentive structures, the Android device update process is totally broken. If you look at the distribution of Android OS versions, <http://developer.android.com/about/dashboards/index.html>, it is easy to observe significant upgrade lag. IMO, you cannot depend upon security fixes to migrate throughout the Android installed base.

Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho

Essentially, all models are wrong, but some are useful.
	— George E.P. Box
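The two quantities the thread is circling, the share of an installed base that actually carries a fix and the time until that share reaches 80%, are easy to compute once you have a version-distribution snapshot like the Android dashboard and an adoption rule of thumb like the iOS "50% in 3 months" one. The following Python is an added example, not code from the post or from Apple or Google; the version shares are constructed for illustration and the adoption curve is an assumed exponential model (unpatched share halves every half-life), not a measured one.

```python
import math

# Constructed snapshot in the style of a version dashboard: OS version -> share
# of the installed base. Illustrative values, not the real dashboard figures.
SAMPLE_DISTRIBUTION = {
    "4.4": 0.34,
    "5.0": 0.17,
    "5.1": 0.19,
    "6.0": 0.08,
    "7.0": 0.02,
    "other_older": 0.20,  # catch-all bucket for versions too old to list
}


def version_key(version):
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def patched_fraction(distribution, first_fixed_version):
    """Share of the installed base running a version that carries the fix.

    Any bucket whose name does not parse as a version (e.g. 'other_older') is
    treated as unpatched, which is the conservative assumption for a defender.
    """
    fixed = version_key(first_fixed_version)
    covered = 0.0
    for version, share in distribution.items():
        try:
            if version_key(version) >= fixed:
                covered += share
        except ValueError:
            continue  # unparseable bucket: assume it is not patched
    return covered


def months_to_threshold(threshold, half_life_months):
    """Months until `threshold` of the base has updated, assuming the unpatched
    share halves every `half_life_months` (assumed exponential adoption model).

    With the iOS rule of thumb of 50% in 3 months, 80% coverage lands at
    3 * log2(1 / 0.2), i.e. just under 7 months.
    """
    if not 0.0 < threshold < 1.0:
        raise ValueError("threshold must be strictly between 0 and 1")
    return half_life_months * math.log2(1.0 / (1.0 - threshold))


if __name__ == "__main__":
    for fixed_in in ("4.4", "5.1", "6.0"):
        print(f"fix shipped in {fixed_in}: "
              f"{patched_fraction(SAMPLE_DISTRIBUTION, fixed_in):.0%} of base patched")
    print(f"months to 80% at a 3-month half-life: "
          f"{months_to_threshold(0.8, 3.0):.1f}")
```

Running it against the constructed snapshot shows why the two ecosystems feel so different in the post: a fix that only ships in 6.0 covers a tenth of this base, and no adoption half-life rescues that if most devices never receive the new version at all.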
