RE: Worms, Air Gaps and Responsibility

["Melson, Paul" <PMelson () sequoianet com>]

> -----Original Message-----
> The Windows v. Linux security debate isn't about inhernet 
> security issues, its about total attack surface. The per 
> capita attack surface on Windows OSs continues to decrease 
> while the Linux systems seem to stay about the same.  But 
> the aggregate attack surface for Windows systems is much
> higher because of their market penetration. I do expect
> the market penetration for Linux systems to increase in
> the next 5-10 years where its aggregate attack surface
> will be much larger than Microsoft's . 

So are you implying that Windows will get more secure as it loses market
share?  :-)  

Anyway, I reject the notion that any vendor or platform's visibility is
directly responsible for the number of vulnerabilities discovered
therein.  Specific to the Windows vs. Linux debate, this makes even less
sense considering that publicly available source code should make
discovering and exploiting vulnerabilities in Linux much easier than in
Windows.  However, this is clearly not what has happened over the last
several years.  Microsoft has topped the annual vulnerability-by-vendor
lists published by groups like SecurityTracker every year since the late
1990's.  It seems logical to me that inherent security issues *should*
be part of the debate, as they appear to be part of the problem.

When it comes to this issue, I am fairly mercenary and don't have much
loyalty either way.  But I also can't ignore the evidence.  I have a
theory that there is a larger paradigm issue at work here.  I further
believe that it trumps the issue of positive or negative growth in the
number of vulnerabilities present in a product over time.

The issue, simply put, is that Microsoft products make use of a large
amount of shared code both at build time and at run time.  Microsoft has
used this model to streamline the user interface and the result has been
products that appeal to end users and businesses for their flexibility
and ease of use.  Microsoft is not alone in this, and it is not an
inherently "bad" model of software development.  However, while it can
yield better performance and interoperability, historically, it has also
been linked to both stability and security problems.

Most Linux distributions (that's what we're talking about here is the
widely used distros, not just the kernel itself), use software that is
"compartmentalized" (for lack of a better term) for easy portability.
This is a result of the decentralized development paradigm present in
the GNU/OSS community.  Relative to monolithic vendors' products, Linux
distros share a relatively small amount of code during build time and
run time.  This has some inherent drawbacks in terms of support,
maintenance, compatibility, and interoperability.  For Linux to become a
competitive desktop OS, these shortcomings may need to be overcome,
perhaps using a more centralized development model.  Who knows?  Not I.

But what I do know is the end result appears to be that the shared code
paradigm used by Microsoft results in a vuln-to-vector ratio that is
geometrically greater than that of the compartmental development
paradigm.  We have seen first-hand over the past year how a single flaw
in Windows' code can yield several different attacks that can affect
entirely different subsystems of the OS and services that run on it.
The result is that if your systems are based on a shared code paradigm,
you are more likely to have exposed vulnerabilities simply because there
are likely to be more attack vectors that allow exploitation of the same
vulnerabilities.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards