[LINK] OSS means slower patches
Glen Turner
glen.turner at aarnet.edu.au
Tue Sep 20 01:42:07 EST 2005
Con Zymaris wrote:
> And it's not as if Symantec hasn't got a vested interest.
Hi Con,
It seems worse than that. The last few conferences I've been
to, Symantec have participated in the "network security" sessions,
pretty much hijacking them and push polling to increase IT
management's fear of security issues (as opposed to increasing
IT management's understanding of security issues).
OSS does bring some interesting security issues of its own.
For example, I find the lack of a timebomb in Linux distributions
with a limited supported life to be very frustrating (yes,
Fedora Core, I mean you).
And lots of distributions seem to think that SSH is secure,
allowing anyone on the Internet to door-knock and try
obvious userids and passwords (including the superuser
account!).
What I find really encouraging about Linux is that it's getting
beyond patching as the primary security mechanism. In the
long run that's a losing side: one unpatched machine or one
same-day exploit and you've lost. Red Hat in particular have
done a lot to improve the resilience of Linux to attack and
the amount of work they've put into making SELinux (a role-based
authorisation mechanism) work for a real world operating system
is astonishing.
Cheers,
Glen