Subject: CERT complaints about freely available software
From: John Gilmore <gnu@toad.com>
Date: Sun, 28 Jul 1996 17:43:47 -0700

CERT just released a summary (ftp://info.cert.org/pub/cert_summaries/
CS-96.04) that suggests that users review their choice of operating
systems, referring to a "tech tip" on the subject that slams free
software.

I think FSB businesses should complain that CERT is blaming the wrong
factor.  Unsupported or poorly supported software clearly exacerbates
security problems.  But such software can be proprietary or free.
Well-supported software, whether proprietary or free, alleviates this
concern.  This is true whether the high quality support is provided by
commercial contracts or by responsible volunteers.

	John

------- Forwarded Message

From: Unix mailing list recipient <unixlist@season.com>
Subject: [linux-security] CERT says.
To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 23 Jul 1996 12:19:55 -0700 (PDT)

Gotta wonder if that growing market share is causing commercial
ripples.  BTW, did anyone else get that marketing survey from
CERT a while back?  Followup off the list. ;)

-------- trimmed advisory --------

CERT(sm) Summary CS-96.04
July 23, 1996

worthwhile to make a few observations about choosing an operating
system. For information on this subject, see

  ftp://info.cert.org/pub/tech_tips/choose_operating_sys

Recent Activity and Trends
1. Linux root compromises
2. Telnetd in Linux systems

-------- choose_operating_sys --------

July 23, 1996

                    Choosing an Operating System 

We receive reports of incidents from sites that use a wide variety of
operating systems (OS). Because of operating-system-related difficulties these
sites have experienced, we are recommending some things to consider before
choosing an operating system.


In-House vs. Outside Tech Support

Consider these things:

  - Do you have in-house expertise to do necessary software maintenance if
    you're using freely available software?
  - Can you buy a product with vendor-supplied customer support? 
  - Do you need to pay a third party for customer support?


Freely-Available vs. Commercial Software

If you have knowledgeable staff, you may choose to use freely available OS
versions so that you can maintain or fine tune the product to meet specific
requirements. You might have more confidence in the modified OS because you
were responsible for making changes or closely involved in the implementation
of patches or workarounds. If you know about a vulnerability and understand
the problem, you may want to apply fixes immediately to the source code rather
than wait for an upgrade or patch to be released through other channels.

If you select freely available OS versions and don't have the resources to
maintain software in-house, it's important to know that you could be placing
your site at a high risk of compromise. This risk can exist because your site
will not be receiving security patches on a regular basis from a vendor (or
third party). In cases where intruders are exploiting a vulnerability,
operating system vendors may have analyzed the vulnerability and released
security patches for their operating systems. On the other hand, sites with
freely available OS versions but without the expertise to develop and install
patches may remain at risk from the vulnerability.

If you do not have the time or expertise to modify and maintain an operating
system in-house, you might choose a commercial vendor product. When you buy a
commercial operating system, you can purchase a service contract to provide
you with patches, upgrades, and other customer assistance. Alternatively, you
could buy third-party service or select products from vendors who implement
fixes and make patches publicly available.


Understand Your Needs

When choosing an operating system, there are many things you need to consider.
Among these are

  - Availability of source code vs. binaries 
  - Availability of technical expertise (internal and external)
  - Maintenance and/or customer support 
  - Customer requirements and usability 
  - Cost of software, hardware, and technical support staff

Regardless of the choice you make, you should first carefully review and
understand the needs of your organization or customer base in terms of
resources, cost, and security risk, as well as any site-specific constraints;
compare the available products and services to your needs; and then determine
what product best matches your needs.



Copyright 1996 Carnegie Mellon University 

This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

The CERT Coordination Center is sponsored by the Defense Advanced Research
Projects Agency (DARPA). The Software Engineering Institute is sponsored by
the U.S. Department of Defense.

[REW: At the university we've been paying for software support for years.
Of course you then have access to the patches, but that doesn't put you
on a mailing list that tells you about them. Moreover you are still 
responsible for installing the pathes yourself. IMHO not better than
with a "freely available OS".]