[Cryptography] Would open source solve current security issues? (was "Re: EFF amicus brief in support of Apple")

Kevin W. Wall kevin.w.wall at gmail.com
Fri Mar 18 20:18:04 EDT 2016


On Fri, Mar 18, 2016 at 12:10 PM, Andrew Donoho <awd at ddg.com> wrote:
>
>> On Mar 17, 2016, at 19:10 , ianG <iang at iang.org> wrote:
>>
>> Yes, significant learning there.  Has anyone any notion of the time between
>> discovery, announcement, and say 80% patch rate for the modern generation of
>> issues such as Heartbleed?
>
> While I cannot speak to the rate of change in servers, I can speak to the rate
> at which iOS devices are updated. It is a rule of thumb in the iOS developer
> community that 50% of iOS devices update in at least 3 months post OS release.
> Apple frequently brags on faster uptakes. As a software developer, you plan on
> supporting the last two versions of the OS, i.e. 24 months of support.

Servers in F500 companies at least--especially those that are Internet facing
in the company DMZ or part of mission critical applications--generally get
patched within 60-90 days after the patch is released in my experience. Of
course that is an average. At the extreme end, some systems never get patched,
even at the OS level. In my long career, I recall seeing at least one server
running Red Hat Enterprise Linux that had not been patched for about 10+ years.
It was running RHEL 2.1 and all the rest were running RHEL 6.x. Fortunately,
it was a server that was in an internal data center, but it was running
some vendor software and the vendor went out of business so they were
scared to upgrade the OS.

> Hence, I think a good estimate of maximum time to repair of security problems
> in the iOS installed base is 24 months post release of the fix. I believe the
> 80% coverage threshold is reached well before 12 months post-release. Of
> course, I cannot speak to the pre-release delays. My colleagues inside Apple
> though tell me that they try to turn fixes around ASAP.
>
> The Android community has a very different update process.

If that isn't an understatement.

> If there is an
> Android developer on the list, please speak up and correct the following
> assessment: Some might say, due to carrier incentive structures, the Android
> device update process is totally broken. If you look at the distribution of
> Android OS versions,
> <http://developer.android.com/about/dashboards/index.html>, it is easy to
> observe significant upgrade lag. IMO, you cannot depend upon security fixes to
> migrate throughout the Android installed base.

That's been my experience as an Android user. At some point, your mobile
carrier just stops offering Android OS upgrades. So to keep up-to-date with
Android OS patches, you either have to install something like CyanogenMod
yourself or buy a new phone every 2 years or so.

While we're on the topic of mobile security issues, I wanted to get the
thoughts of others on something. Unlike most Android users, I actually
look at the permissions that an app requests, and if I think those permissions
are out of line with what the main intent of the application is, then I'll
look for an alternate app for that. For example, when I was looking for
an Android flashlight app, I was surprised how many of them wanted access
to coarse or fine (GPS) tracking or to be able to connect to the Internet.
I finally found one (Telemarks XPERIA flashlight) that only has 2 permissions:
one to keep the phone from sleeping and one to turn on the (camera) light.
It ain't fancy, but it isn't spying on me either.

But this is where I wanted to get the observations of others--especially
iPhone users. What I've noticed over time is that I get notified that many
of these apps need to be updated (no surprise there), but when I check them, it
seems as though at least half of them are requesting new permissions that are
designed to track me or do other dubious things like look at my contacts
or accounts or turn on the microphone, etc.  Of course, in those situations,
I make a judgement call: is it better to take the update (which _might_
include security fixes as well as more mundane fixes like application
crashes, etc.) or is it better to uninstall it and, if that app niche
was important enough, to try to find an alternative.  For the personal
desktop/laptop/servers that I maintain, that's never been an issue
(at least that I know of; but then again, the requested permissions are
not as apparent). But for Android-based phones and tablets it seems to
be a huge problem. Overall, I think that has the effect of making some,
like myself, hesitant to upgrade to a newer version. So does the same
problem exist on iOS apps for iPhone and iPad, or is this just an
Android device phenomenon?

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.