mjcox is currently certified at Master level.

Name: Mark Cox
Member since: 2000-05-23 13:08:50
Last Login: 2008-01-07 19:39:35


Homepage: www.awe.com/mark/blog/

Notes: blog moved here

I work for Red Hat. I started developing for Apache a week after it was conceived and since then have got involved with various other open source projects to various degrees. I wrote the first version of Stronghold (for outside of the USA, due to export reasons).

I write for and edit Apache Week.

I'm on a mission to replace everything possible with an XML/XSLT solution.

Projects

Recent blog entries by mjcox


A while ago I switched my personal site to use Blosxom to statically render all the pages, and last night I finished moving my weblog to it. The big advantage is I get separate RSS feeds for each part of my diary, so the Red Hat folks can take a feed of my security stories without getting all my Home Automation stuff mixed in.

So this is my last post on Advogato; get the new complete feed of my blog here.

More Statistics

The Washington Post looked at how quickly Microsoft fix security issues rated as Critical in various years.

For 2005, Microsoft fixed 37 critical issues with an average of 46 days from the flaw being known to the public to them having a patch available.

For 2005, Red Hat (across all products) fixed 21 critical issues with an average of 1 day from the flaw being known to the public to having a patch available. (To get the list and an XML spreadsheet, grab the data set mentioned in my previous blog and run "perl daysofrisk.pl --distrib all --datestart 20050101 --dateend 20051231 --severity C".)

(The blog also looks at the time between notification to the company and a patch. Whilst daysofrisk.pl currently doesn't report that, the raw data is there and I just need to coax it out to see how we compare to the 133 days for Microsoft.)

Statistics

Some quotes of mine have been picked up by various news sources today, talking about how critical vulnerabilities matter more than meaningless issue counts. Anyway, as they say, 95% of statistics are meaningless, so I wanted to actually explain where the numbers in my quote came from. The quote is about calendar year 2005 and looks just at Red Hat Enterprise Linux 3 (since 4 wasn't out until part way into 2005). In total we fixed 10 critical vulnerabilities (critical by the Microsoft definition, as in the flaw could possibly be exploited remotely by some worm). Our average "days of risk" (the date between an issue being known to the public and us having an update available on Red Hat Network for customers) is under a day, and actually 90% of them were the same day.

But don't take my word for it: at people.redhat.com/mjc, download the raw data files and the perl script and run it yourself, in this case

perl daysofrisk.pl --datestart 20050101 --dateend 20051231 --severity C --distrib rhel3

Different distributions, dates, and so on will give you different results, so you might like to customize it to see how well we did fixing the vulnerabilities that you cared about. (Zero days of risk doesn't always mean we knew about issues in advance either; the reported= date in the cve_dates.txt file can help you see when we got advance notice of an issue.)
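The "days of risk" measure described in the two entries above (public date to update date, filtered by date range, severity and distribution, with the reported= date showing advance notice), as an added example that is not the daysofrisk.pl script from people.redhat.com/mjc. The key=value record layout and the sample CVE rows are constructed for illustration and are not the real cve_dates.txt format.

```python
from datetime import date
from statistics import mean

# Constructed sample data in a simplified key=value layout. It only loosely
# mirrors the page's cve_dates.txt ("reported=" is the one key the page names);
# the real data files from people.redhat.com/mjc are not reproduced here.
SAMPLE = """\
CVE-2005-0001 severity=C distrib=rhel3 reported=20050120 public=20050125 fixed=20050125
CVE-2005-0002 severity=C distrib=rhel3 reported=20050301 public=20050301 fixed=20050303
CVE-2005-0003 severity=I distrib=rhel3 public=20050410 fixed=20050415
CVE-2005-0004 severity=C distrib=rhel4 public=20050601 fixed=20050601
CVE-2004-0999 severity=C distrib=rhel3 public=20041220 fixed=20041220
"""

def parse_date(s):
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))

def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cve, *fields = line.split()
        rec = {"cve": cve}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = parse_date(value) if key in ("reported", "public", "fixed") else value
        records.append(rec)
    return records

def days_of_risk(records, datestart, dateend, severity=None, distrib="all"):
    # Same selection the page's daysofrisk.pl command line expresses: issues
    # public within [datestart, dateend], optionally one severity and distribution.
    start, end = parse_date(datestart), parse_date(dateend)
    chosen = [r for r in records
              if start <= r["public"] <= end
              and (severity is None or r["severity"] == severity)
              and (distrib == "all" or r["distrib"] == distrib)]
    if not chosen:
        return {"count": 0, "avg_days": None, "same_day_pct": None, "advance_notice": {}}
    dor = [(r["fixed"] - r["public"]).days for r in chosen]   # days of risk per issue
    # reported= shows when advance notice arrived, so a zero-day fix is not
    # mistaken for a same-day response with no warning.
    advance = {r["cve"]: (r["public"] - r["reported"]).days
               for r in chosen if "reported" in r}
    return {"count": len(dor), "avg_days": mean(dor),
            "same_day_pct": 100.0 * sum(d == 0 for d in dor) / len(dor),
            "advance_notice": advance}
```

Calling days_of_risk(parse_records(SAMPLE), "20050101", "20051231", severity="C", distrib="rhel3") reproduces the rhel3 query from the entry above; switching distrib to "all" gives the cross-product figure.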

20 Dec 2005 (updated 20 Dec 2005 at 22:28 UTC)

We have another new opening for an engineer working in the Security Response Team at Red Hat, to be based in Brisbane, Australia. If you like tracking, investigating, triaging, debugging, and writing about security vulnerabilities, and can deal with multiple interrupts and task switching, you'd be perfect for this fast-paced job. Interested? You can find out more and apply online.

Responsibility

Last weekend a number of security issues (heap buffer overflows) were found in the Macromedia flash plugin, first reported as affecting Windows only. However we were able to verify yesterday that the issues do affect Linux too. Red Hat shipped the vulnerable flash plugin in an Extras channel (not part of the main distribution, used for such third-party software) for users of Enterprise Linux 3 and 4. Microsoft shipped the vulnerable flash plugin as part of Windows XP SP1 and SP2 (according to their blog.)

  • Red Hat Enterprise Linux customers who installed flash just use up2date or the Red Hat Network interface in the usual way and will get their flash update along with an email notification if they need it. Or with automatic updates they'd have it by now.

  • Microsoft customers are on their own. Maybe they read the MSRC blog or realise that they have Flash installed and go to the Macromedia site to get their update. Meanwhile they remain vulnerable to an issue where a malicious web site could run arbitrary code on their system.

One of the top reasons that machines fall foul of security exploits is when they are not kept up to date with security fixes. So it follows that to protect users a vendor needs to make security updates as easy and painless as possible. At conferences I highlight that one of the important things a Linux distribution gives you is updates across your entire stack - you don't need to use one system to grab your OS updates, another to get updates to your office application, the built-in update system in your Money tool, a manual update for Flash, and so on.


mjcox certified others as follows:

  • mjcox certified rse as Master
  • mjcox certified dirkx as Master
  • mjcox certified Bryce as Master
  • mjcox certified manoj as Master
  • mjcox certified lars as Master
  • mjcox certified rasmus as Master
  • mjcox certified okcrum as Master
  • mjcox certified fielding as Master
  • mjcox certified gstein as Master
  • mjcox certified mbp as Master
  • mjcox certified joe as Master
  • mjcox certified RoUS as Master
  • mjcox certified wsanchez as Master
  • mjcox certified gary as Journeyer
  • mjcox certified highgeek as Journeyer
  • mjcox certified DV as Master
  • mjcox certified daniels as Journeyer
  • mjcox certified mkraemer as Master
  • mjcox certified sascha as Master
  • mjcox certified tromey as Master
  • mjcox certified mharris as Master
  • mjcox certified theo as Journeyer
  • mjcox certified Melomel as Master
  • mjcox certified bhyde as Master

Others have certified mjcox as follows:

  • jae certified mjcox as Master
  • jpc certified mjcox as Master
  • RoUS certified mjcox as Master
  • Bryce certified mjcox as Master
  • joe certified mjcox as Master
  • walken certified mjcox as Master
  • mbp certified mjcox as Master
  • ask certified mjcox as Journeyer
  • highgeek certified mjcox as Master
  • wsanchez certified mjcox as Master
  • okcrum certified mjcox as Master
  • suso certified mjcox as Master
  • abg certified mjcox as Master
  • Krelin certified mjcox as Master
  • lars certified mjcox as Master
  • fxn certified mjcox as Master
  • gary certified mjcox as Master
  • ignatz certified mjcox as Master
  • mrbook certified mjcox as Master
  • aeden certified mjcox as Master
  • mwk certified mjcox as Master
  • fuzzyping certified mjcox as Master
  • samj certified mjcox as Master
  • daniels certified mjcox as Master
  • neurogato certified mjcox as Master
  • mkraemer certified mjcox as Master
  • alan certified mjcox as Master
  • jameson certified mjcox as Master
  • sascha certified mjcox as Master
  • mharris certified mjcox as Master
  • jfs certified mjcox as Master
  • mascot certified mjcox as Master
  • theo certified mjcox as Master
  • Melomel certified mjcox as Master
  • lsdrocha certified mjcox as Master
  • helcio certified mjcox as Master
  • taw certified mjcox as Master
  • pasky certified mjcox as Master
  • ploppy certified mjcox as Master
  • iamsure certified mjcox as Master
  • lerdsuwa certified mjcox as Master
  • ebf certified mjcox as Master
  • bhyde certified mjcox as Master
  • mterry certified mjcox as Master
  • kjwoo certified mjcox as Master
  • berthu certified mjcox as Master
  • lkundrak certified mjcox as Master
  • mark85 certified mjcox as Master
  • malone certified mjcox as Master

