Full Disclosure mailing list archives

Re: Re: Funny article

From: "Ryan Johnson" <rjohnson () espgroup net>
Date: Thu, 13 Nov 2003 12:46:36 -0500

I think it is unfair to categorize linux or windows as having a vulnerability just because an application like apache
has a vulnerability. I mean as someone stated earlier, the linux and windows developers have no control over
third-party apps. If IIS has bug, that should look bad on microsoft, but not on windows.

Ballmer is banking that the people he is talking to do not understand the difference between linux, its distro and
windows, this truly comparing apples and oranges. You know what, he is going to get away with it, because most people
don't understand.
If you were to compare a full redhat 9 install against a full win2k server install, redhat9 would most likely lose,
because Redhat9 has many more apps, therefore it is more likely to have bugs. Even if you compared linux, which would
be just the kernel and maybe some of the the gnu tools to interact with the kernel vs windows, it is still not fair.
Windows has a kernel, gui, everyone's favorite user space app that can not be uninstalled, IE. In this case windows has
greater chance of having bugs.

Then you have cases with distro specific bugs, which often are categorized as a linux bug. An example of this was the
apache config file bug on redhat from last week. That is a redhat bug, not a linux bug, nor is it an apache bug.
Slackware did not put that configuration in their apache server configuration.

Another comparison that I abhor, is the stability issue. "Linux is more stable than windows". Are you talking about
linux with the gui, or without. Running linux without the gui is incredibly stable. Linux with a gui, well stability
defintely decreases (but in reality it is not linux's stability in question rather that of the gui).

What about openbsd (dont get me wrong I love openbsd), they claim "Only one remote hole in the default install, in more
than 7 years!". Well of course, have you ever installed openbsd using the default? The only remotely accessible service
is openssh, vs multiple services in a redhat default vs multiple services in a windows default install. I could make my
own linux distro with no remote services enabled by default and it would never have a remote hole in the default
install.

My point being is that it is very hard to compare the bsds, the distros and windows. Bsds and linux are easier to
compare, but then you have the distro aspect.

As far as patches getting out, I am very happy with the response from the open source community, I think they do an
excellent job. I very rarely have a problem with an opensource patch, if the author does not come out with a patch,
more than likely someone who has reviewed the code will.

Ryan

On Thu, Nov 13, 2003 at 03:20:14AM +0100, Mikael Olsson wrote:

I'm sorry to disappoint you, but the script kiddies don't care
about zealotry. I have yet to hear one say "Oh, this is a Linux
box, so I can't use this Apache bug to own it. That'd be rong."

I don't think anybody said a linux box can't be owned with an apache
flaw. My arugemnt for count of bugs is the should be counted against the
people who actually WROTE the code. In Microsofts case it is becasue
they wrote IIS, 2000/XP/2003, and Exchange. In contrast the Linux kernel
projecn that just wrote the kernel. It sounds like you want a list of
opensource bugs vs. Microsoft Bugs.

Saying "the linux kernel has only foo bugs while every microsoft
app combined has foo^3 bugs" makes no sense in a security 
discussion. You don't read mail or serve web pages with a kernel.

No one is saying this. To be truely useful a list of bugs should be done
by developer, not by instance of software. This will help establish
trends in my software development practices.

Publishing an _unbiased_ report of total vulnerability counts 
for two or more OSes, with common apps installed, is a service
to admins everywhere.  (And no, I _really_ don't think comparing 
RH6 with W2K3 is "unbiased". I think it stinks.)

I think blaming OS developers for code they didn't write nor have any
control over isn't unbiased. It would be a diffrent story if it was a
flaw in something like redhat-update. That is clearly a Redhat bug, but
that is still not a Linux bug.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Ryan Johnson
Security Architect
ESP Group
703-418-6317

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Re: Funny article, (continued)
- - - Re: Re: Funny article Volker Tanger (Nov 13)
    - Re: Re: Funny article vb (Nov 13)
    - Re: Re: Funny article Valdis . Kletnieks (Nov 13)
    - Re: Re: Funny article martin f krafft (Nov 13)
    - Re: Re: Funny article Ron DuFresne (Nov 13)
  - Re: Funny article netcat (Nov 13)
- Re: Funny article Bruce Ediger (Nov 13)
- Message not available
  - Re: Funny article martin f krafft (Nov 14)
    - Re: Re: Funny article vb (Nov 14)
    - Re: Re: Funny article Ron DuFresne (Nov 14)
- Re: Re: Funny article Ryan Johnson (Nov 13)