RE: [inbox] Re: RE: Linux (in)security

[Paul Schmehl <pauls () utdallas edu>]

--On Thursday, October 23, 2003 02:32:37 PM -0500 Curt Purdy 
<purdy () tecman com> wrote:
> I hardily disagree.  When you have inherently more secure code in OS's
> like *NIX and Netware, as evidenced by the paltry number of patches
> required by those OS's (1 in Netware vs. 38 for Windows in the same
> period)

This is an apples to oranges comparison.  Netware is a network OS. 
"Windows" includes all the applications that come with Windows, whether 
they are part of the base OS, part of the networking functions or addons. 
(IE, OE, etc.)

> it doesn't matter how well you configure Windows, it will still be
> vulnerable, waiting for a compromise of the next discovered hole.  The
> reason for this is fundamental in the design.  From the use of a registry
> (which corrupts with time, finally requiring re-installation)

I have never experienced this in 20 years of using and supporting Microsoft 
products.  I guess I'm unique.

> to the fact
> that no single human being knows all the source code for Windows, much
> less audits it, is the difference between MS and the rest.
I assume you can name a single human being who knows all the source code 
for Unix?  Including the apps?  (I really want to meet this person.)

> This is the reason open-source is inherently more secure.  First, people
> can actually audit it for security (you think IBM recommended Linux
> without going over every single line of code?)

Which is why they release security advisories for things like kernel 
vulnerabilities, right?  Because they vetted the code and *knew* it was OK? 
They certainly wouldn't audit the code and miss a vulnerability in the 
linux kernel, right?  Oh, and BTW, where exactly *is* IBM's security site 
where you can quickly view all the advisories they've released?

Your arguments are nothing short of silly.

In 2003 there have been 43 security advisories for SUSE Linux according to 
SUSE's website:
http://www.suse.com/de/security/announcements/index.html

RedHat has had 53 during the same time period:
https://rhn.redhat.com/errata/rh9-errata-security.html

Debian has had 176 during the same time period:
http://www.debian.org/security/2003/

(Makes me wonder if the other vendors are really being honest.  Is Debian 
that bad?  Or just much more thorough, forthright and conscientious than 
the others?)

During the same time period, Microsoft has had 47.  And those 47 include 
things like Exchange Server and SQL Server, not *just* the Windows OS.  I'd 
say *everyone* has a poor record, and instead of OS bigotry we *all* ought 
to be concentrating on getting *all* vendors to release more secure code. 
Imagine how much fun it is for an enterprise with 10,000 computers, each of 
which has to be patched 40 or 50 times a year, *regardless* of the OS.  We 
ought to be disgusted with *all* the vendors.

Then you have some blaming the "monoculture" for our security problems. 
Yeah, what we really need is to do maintenance on ten different platforms, 
*all* of which have to be patched 40 or 50 times a year.  Yeah, that's my 
idea of fun alright.  But we'd be more secure because of the diversity, 
right?  Sure.  And I've got some swampland I'm looking to get rid of.

>  Second, everyone can see
> the code and contribute fixes when they see a potential problem, not
> after a vulnerability has developed and been discovered.

Sure.  This is why buffer overflows have been missed in the code for years, 
right?  This is why wu-ftpd keeps having new vulns discovered every year, 
right?  Why sendmail keeps having new vulns discovered over and over again? 
Why KDE is constantly being patched for the latest security weakness, 
right?  Cause people have pored over that code, every line, and they *know* 
it's secure, right?

 True Netware is
> closed-source but the engineering is superb and it does only what it needs
> to do, be a network OS.

And you know this because you've audited the code, right?  Oh wait, you 
can't do that.  So this is just an opinion based on observation, 
familiarity with the product and trust of the vendor.

However, Novell has released 24 security advisories this year:
http://support.novell.com/filefinder/security/index.html

So it appears your faith in them might be misplaced.  It looks like their 
programmers are struggling just like everyone else's to write secure code.
> People have the wrong idea when they say "Windows vulns are more
> researched and discovered because it so prevalent.  Without a total
> re-architecture and re-write of Windows code, if and when (hopefully)
> Windows OS's become a minority, they will still be getting the vast
> majority of discovered and exploited holes. Lay a dollar to a dime on
> that.
When Windows becomes a minority OS, the hackers and script kiddies will 
have moved on to whatever is the most popular and weakest platform.  I 
can't name an OS that hasn't been hacked, can you?  I can't name a widely 
used application that hasn't had at least *one* patch released for a 
security problem, can you?  (Even Postfix had a remote DoS recently, which 
really depressed me.)

Don't get me wrong.  My favorite OS right now is FreeBSD.  And I believe 
that open source is superior to closed, proprietary source, for a number of 
reasons.

But they all have problems, and they all need to be fixed from time to time 
and they *all* need to improve their security procedures and code auditing 
and programming practices.  Every one of them.

What we need is a sea change in the way OS vendors do business.  Not OS 
bigotry and constant sniping about who's worst and who's best.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html