"... get kicked off DARPA funding too?" Sardonix was not "kicked off DARPA funding." The contract spent its alloted budget and ended. IMHO, the most interesting result to come out of Sardonix, apart from there being more talk than action in security auditing:-/ was this paper:
"Timing the Application of Security Patches for Optimal Uptime". Steve
Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam
Shostack. Presented at the USENIX 16th
Systems Administration Conference (LISA2002), Philadelphia,
PA, December 2002. Postscript.
or ugly PDF.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
The /. story says that Sardonix "aspired to replace the Linux security review process." This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
Since when is "push technology" a failure? After renaming it to "pop up ads", it has been a rousing success:-)
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
Re:Sadly, universities have the least free speech. (on What You Can't Say, Score: 1)
I was going primarily for a sarcastic funny: that it is hardly surprising that people accuse him of being a fascist.
Then, in light of the subject of this story, and aware of the irony involved, I added the caveat about the bogosity of ad hominem attacks.
Beyond that, you're taking it far too literally. It wasn't that serious a post.
Crispin
Re:Sadly, universities have the least free speech. (on What You Can't Say, Score: 1)
Anyone who speaks up is labeled a "racist conservative Nazi fascist".
Nah. You're likely being labeled a "racist conservative Nazi fascist" because you are a racist conservative Nazi fascist :) Granted, that is an invalid ad hominem attack, and your arguments should be addressed on their merits without reference to how detestable your opinions are, but that's reality in politics.
Personally, I am a die-hard freedom of expression guy, and believe that you should be allowed to express whatever you want. Just be prepared for the firestorm of response, or worse, the deafening silence. A right to speak is not a right to be listened to.
I ran out of moderator points yesterday, so I just have to second this. Saltzer and Schroeder is the seminal paper on computer security. Every major idea in computer security is represented here, with the exception of public key cryptography which hadn't been invented yet, but even so they discuss some issues of how you might use PK.
The paper, having been written in the 1970s, is full of archaic references to irrelevant technologies, such as memory control registers and segmentation hardware that is no longer used. However, the concepts still apply: the authors are discussing models of controlled interaction among users. In the early 1970s, that was with shared memory. In the 1980s, it was time-shared file systems. In the 21st century, it is networks of interacting computers, but the concepts still apply.
I taught security for several years. Saltzer and Schroeder was always the first topic covered. 28 years later, it is still a seminal work.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
How to patch intelligently was the subject of a research paper that we did, which is still applicable, and offers ways to make better decisions than "now" or "later":
"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA 2002), Philadelphia, PA, December 2002. Postscript or ugly PDF.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Well, OK, actually I did, but he's quoting me out of context. Where I said it was in response to a complaint that Reavis' study only covered three operating systems. Apparently if you don't cram all pertinent facts & caveats into the same sentence, you get whacked for misrepresentation :)
While many in the security community continue to berate Microsoft and demand they do better, I am not aware of a single person who would claim Microsoft has not improved dramatically since 1999 in the speed and quality of their patch releases.
Don't you think Linux has also improved over that time period? I've certainly seen it.
Why yes, I do think both Microsoft and Linux have improved their response times. What makes you believe I don't?
The computing world is a moving target. 4 years is at least two generations. Get some updated facts.
I brought the only facts I have seen in this debate. If you don't think my facts are good enough, the onus is on you to do better. I would love to see more current data, but I haven't had the time to conduct the study since the story hit Slashdot this afternoon:)
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution
What you're saying here boils down to this: Bill Gates is lying or wrong, because what he says his company does today wasn't the case four years ago.
Except that I did not say that. I presented it as the only relevant hard data that I know of, and explicitly pointed out the date issue. What Gates is claiming clearly was not true 4 years ago; this begs the question of whether something has changed recently.
Past behavior does not necessarily predict future behavior, but it often does. This old data draws Gates' claim into serious doubt, and motivates a repeat of this study using current data. Students looking for a term project might want to consider doing it.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution
True, but it's the data we have, unless you know of a more recent study.
Linux data is from Red Hat only
True. But talking about response time for patches to the Linux kernel is pretty meaningless, so you end up talking about distro vendors. Red Hat seems like a pretty reasonable vendor to look at.
You neglected to mention Sun
The original article also did not mention Sun, so I considered it irrelevant to comment on Sun. That Reavis studied Sun is a bonus. Enjoy:)
Only three operating systems were included
So what's your point? I'm just refuting Gates' claims that MS patches faster than "Linux".
Evaluation criteria were not explicitly stated
I don't get your point. The evaluation criterion was "how many days does the vendor leave you exposed to a published vulnerability?"
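The "days of exposure" criterion stated above is easy to compute once you have per-advisory publication and fix dates. The following is an added example, not code from the original thread or from the Reavis study it discusses; the vendor names, advisory IDs and dates are constructed, and the handling of the two edge cases (a vulnerability with no fix yet, and a fix that shipped before public disclosure) is a modelling choice, not something the thread specifies.

```python
"""Days-of-risk per vendor, as an added example (not from the original thread
or from the Reavis study).  A record is one published vulnerability with the
date it became public and the date the vendor's patch shipped (None if no
patch yet).  All vendors, IDs and dates below are made up."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    vendor: str
    vuln_id: str           # hypothetical identifier, not a real CVE
    published: date        # date the vulnerability became public
    fixed: Optional[date]  # date the vendor's patch shipped, or None if unpatched


def days_of_risk(adv: Advisory, as_of: date) -> int:
    """Days customers were exposed: publication until the fix, or until `as_of`
    if no fix exists yet.  A fix dated before publication (vendor patched
    silently ahead of disclosure) counts as zero days, not a negative number."""
    end = adv.fixed if adv.fixed is not None else as_of
    return max(0, (end - adv.published).days)


def summarize(advisories, as_of: date) -> dict:
    """Per-vendor count, mean/median/max days of risk, and advisories still open.
    The unpatched ones keep accruing days up to `as_of`, so they are included
    rather than silently dropped, which would flatter a slow vendor."""
    by_vendor: dict = {}
    open_count: dict = {}
    for a in advisories:
        by_vendor.setdefault(a.vendor, []).append(days_of_risk(a, as_of))
        open_count[a.vendor] = open_count.get(a.vendor, 0) + (a.fixed is None)
    return {
        v: {
            "n": len(d),
            "mean": round(mean(d), 1),
            "median": median(d),
            "max": max(d),
            "unpatched": open_count[v],
        }
        for v, d in by_vendor.items()
    }


# Constructed sample data (not real advisories, not real vendors).
SAMPLE = [
    Advisory("VendorA", "A-001", date(2002, 3, 1), date(2002, 3, 11)),   # 10 days
    Advisory("VendorA", "A-002", date(2002, 5, 20), date(2002, 5, 20)),  # same-day fix
    Advisory("VendorA", "A-003", date(2002, 8, 2), None),                # still open
    Advisory("VendorB", "B-001", date(2002, 2, 14), date(2002, 2, 16)),  # 2 days
    Advisory("VendorB", "B-002", date(2002, 6, 1), date(2002, 5, 30)),   # fixed pre-disclosure
    Advisory("VendorB", "B-003", date(2002, 7, 7), date(2002, 7, 21)),   # 14 days
]
AS_OF = date(2002, 9, 1)  # the date the study is being run

if __name__ == "__main__":
    for vendor, stats in summarize(SAMPLE, AS_OF).items():
        print(vendor, stats)
```

The choice of `as_of` matters: an unpatched advisory's exposure is open-ended, so the number you report for it is only as current as the day you ran the calculation, which is exactly the "get some updated facts" objection raised elsewhere in this thread.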
It's as if a well-fed westerner were telling a poor, hungry 3rd world citizen to stay away from the truffles because they will give him a bad case of indigestion. Hypocritical at best...
hypocrisy: The practice of professing beliefs, feelings, or virtues that one does not hold or possess; falseness.
So, are you saying that I don't believe that Monster.com is a scumbag organization? That I have some sekrit plan to keep the joyous motherlode of high-quality opportunities at Monster.com all for my eviil self?
Perhaps you might consider that I am an employer, and that therefore my views on where I will and won't look for candidates might be of some use to job seekers.
So for those who might actually care, when I am recruiting I post & read in these kinds of forums:
- local Linux user group mailing lists (we are a Linux vendor)
- local system administration mailing lists (I have high respect for admins as potential developers)
- Craig's List
- Security Jobs
- "networking", i.e. friends of friends
Caveat: we have no open positions at this time. We filled several positions last month.
Two months ago, I posted some job ads (open position) to various forums, noting clearly that I did not want to work with recruiters or third parties. Then I started getting candidate applications responding to a post on flipdog.com (a Monster subsidiary). But I could not access this ad describing my own position unless I paid flipdog.com for the privilege.
Advice to job seekers: never, ever, ever deal with Monster.com or their subsidiaries. I have monster.com and flipdog.com in my spam filters.
Keen: there was an original film that "12 Monkeys" was based on called "La Jetée". Anyone seen it? I'm not generally a fan of French film, but there have been a few brilliant exceptions (Nikita, Diva, City of Lost Children, Delicatessen). Hmmm... perhaps I am a fan of French film after all :-)
"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA2002), Philadelphia, PA, December 2002. Postscript. or ugly PDF.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
Then, in light of the subject of this story, and aware of the irony involved, I added the caveat about the bogosity of ad homenim attacks.
Beyond that, you're taking it far too literally. It wasn't that serious a post.
Crispin
Personally, I am a die-hard freedom of expressing guy, and believe that you should be allowed to express whatever you want. Just be prepared for the firestorm of response, or worse, the deafening silence. A right to speak is not a right to be listened to.
Crispin
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
The paper, having been written in the 1970s, is full of archaic references to irrelevant technologies, such a memory control registers and segmentation hardware that is no longer used. However, the concepts still apply: the authors are discussing models of controlled interaction among users. In the early 1970s, that was with shared memory. In the 1980s, it was time share file systems. In the 21st century, it is networks of interacting computers, but the concepts still apply.
I taught security for several years. Saltzer and Schroeder was always the first topic covered. 28 years later, it is still a seminal work.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA 2002), Philadelphia, PA, December 2002. Postscript. or ugly PDF.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Crispin
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution
Past behavior does not necessarily predict future behavior, but it often does. This old data draws Gates' claim into serious doubt, and motivates a repeat of this study using current data. Students looking for a term project might want to consider doing it.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution
- The Blair Witch Project: made $140M on a budget of $35K
- My Big Fat Greek Wedding: made $240M in the US alone on a budget of $5M
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase
Similar, but less pronounced effect for "The Fifth Element". Also for "Sunset". Hmmm ... maybe it's just people don't get Bruce Willis :-)
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase