Information Security News mailing list archives
Re: Regarding Article "Is Linux a net security risk?"
From: kw <tattooma () ADRIC GENOCIDE2600 COM>
Date: Thu, 8 Jun 2000 19:25:42 -0600
Hello David,

Before starting, I would like to note that I never sent any email to anybody at idg.com.au. I posted a message to a security mailing list, and somebody on that list apparently replied to my message and CC'ed some of the idg.com.au staff. I will reply inline to your email, on a point-by-point basis, and will then include my thoughts on the article at the end of this email, also inline.

On Fri, 9 Jun 2000 David_Hutchins () idg com au wrote:
Thank you for feed back on Helen's Linux article. I have noted your
Although I never sent "feed back" to you, I appreciate your amiability.
concerns and will ensure that I raise them with Helen. It's currently not our policy to have authors' emails contained within the emails, merely because we post people's names as primary points of contact for the email service; we haven't published authors' emails, but will consider doing so. I can understand that occasionally articles which don't perhaps cover all the angles may appear biased, but in reality nothing can be further from the truth... There is no deliberate attempt to cover any issue, vendor, product, or trend with any bias. The reality is that our journalists do
This is not an issue of "bias". The problem is that numerous statements in the article are just plain completely wrong. I'll address them on a point-by-point basis at the end of this email.
straight reporting. In this case it happened to be a report that said "XYZ". I am sure you can understand the challenges of getting the news and publishing the news, ie what has happened, has to be done within a very narrow window. Often there is simply not the time, nor the space, to talk to every person or source that may have an alternate view. Often the stories that are published are not going to accord with the view of every reader.
I hope you can come up with better excuses than those. "Time" and "space" constraints are no excuse for publishing B.S. The issues that I have are not with matters of opinion; they involve matters of fact, and the glaring, reprehensible errors in your article. Some of the sheeple might actually believe things you print. You have a responsibility to at least try ... never mind. I gave up on the media a long time ago, and I now even find myself occasionally questioning the editorial motives of Rob Malda. There are only three decent IT journalists left in the world now: Declan McCullagh, Bob Sullivan, and Laura Taylor. The end must be near.
In each case we do as much as we can as thoroughly and professionally as we can in the time given.
If you can't do it right, or at least almost right, then don't do it at all.
Perhaps you would like to forward your contact details, so in future our team might contact you or a colleague to present additional information so relevant stories are more comprehensive.
You've got my email address.
Thank you for your feedback though; it's one of the best ways we have of improving what we do.
Yes, I agree. You still have plenty of time to publish a corrected article, or better yet, to just pull that article off the site completely.
In future though I will not tolerate emails that contain abusive language; normally such emails are immediately trashed, without any further reading,
See my initial comments at the top - I never sent any email to you, and I certainly would not send you abusive email. I reserve my abuse for my true friends.
if the matter persists we look at taking it further by ensuring the sender receives none of our material. Your tone and the language you use can add to or detract from your credibility.
Good point. Thanks for the advice.
David Hutchins
Editor
The Wire (Online News Service For IDG)
And now, a couple of comments on the original article ... [Note: Chris Brenton addressed many of the issues that I raise in an email he sent subsequent to my first email]
http://www.idg.net/ic_186624_1794_9-10000.html

Is Linux a net security risk?
By Helen Han

SYDNEY, 7 June, 2000 - A SANS Institute of America report has named Linux and Unix operated sites as more vulnerable to internet attacks than Windows and Mac powered sites.
No. SANS neither said nor implied any such thing.
Compiled by US industry, government, and academics, the June 1 paper, titled How to Eliminate the Ten Most Critical Internet Security Threats: The Experts' Consensus, names versions of Unix and Linux systems in nine out of a "top ten" list of security vulnerabilities for operating systems that engineers "need to eliminate".
Helen seems to be missing the point completely, looking to blame Linux and UNIX operating systems when the real culprits are actually certain applications, misconfigurations, poor security policies, and not installing security patches in a timely fashion.
Dean Stockwell, director of sales and support, Network Associates Asia-Pacific, dismissed SANS's report as "skewed".
He was not even one of the SANS Top 10 List signatories. In fact, he's in sales, so his opinion doesn't even count. Why not ask one of the experts who signed the document? Their names were conveniently listed at the bottom of the document.
"Virus peddlers target the most popular system," said Stockwell. These happen to be Unix or Linux in the enterprise space, he believes.
Now, I *know* that this guy has no idea what he's saying when he states that "virus peddlers" target UNIX and Linux in enterprise environments. In the NAI/McAfee database of 50,000+ viruses, how many viruses are listed for UNIX/Linux? This statement was so absurd that I felt the need to use "colorful language" in my original email.
"Most hackers graduate from Unix and Linux platforms. They know them
Nope. I bet you mean "crackers", not "hackers", and they usually learn on Windows these days.
intimately. They don't try to exploit them," Stockwell said.
"They" try to exploit anything that is exploitable. Some of them even direct their attacks at certain networks or platforms ... but I am starting to generalize and stereotype, so let's move on.
Fifteen per cent of Australian organisations use a Linux system somewhere in their network server infrastructure, according to Rolf Jester, regional director of market services, Gartner Asia-Pacific. Moreover, Stockwell suggested that local "up and coming" IT administrators are being trained in Unix or Linux platforms.
Maybe so, but 80-90% of the world is still Windows.
Stockwell also observed an "anti-Microsoft camp growing in Australia. They're turning to more stable platforms," he said, declining to name alternative brands.
More irrelevant stuff.
A spokesperson from Sydney IT consultancy startup Working Technology begged to differ. "Unix and Linux are the geek operating systems," the representative said. "Windows NT is supported by 90 to 100 per cent of developers worldwide."
Wrong again.
So how does network security health rate in Australia? "Security is not a high enough priority for IT networks here," Stockwell said. "We're concerned about Y2K and GST problems. Security is priority two or three. It needs to be number one."
You're still worried about Y2K??? Maybe you should write an article about why we all need to keep worrying about Y2K. GST keeps me awake at night too.
Stockwell attributes the perceived negligence to corporate Australia's "lack of best practices" and increasingly "busy" IT departments.
True, true.
"To apply a security patch to any software literally takes minutes," he said. "I've often had to do it myself."
"Internet Explorer" --> "Tools" --> "Windows Update" doesn't count as "often having to do it yourself". Code your own diffs while you wait for the vendor to release more hotfixes that intentionally break third party apps marketed by the vendor's competitors. Don't bother even waiting for Service Pack 7 either.
His advice to ensure Australian businesses are safe from network attack via the net is to enforce a policy of mandatory systems testing, particularly for file servers and mail servers, and to commit to regular upgrading. Industry ignorance of IT security threats is dire to the economy, Stockwell warned. He pointed to the fallout from the notorious I Love You virus as an expensive example of a country unprepared for a "simple" security attack "written by a student in a matter of days". The Love Bug cost Australian business an estimated $1.5 billion in down-time over four days.
No! Not the random arbitrary dollar estimates for damages again!

David,

Thanks for taking the time to reply, and for reading my comments.

Regards,
kw

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".