Full Disclosure mailing list archives
RE: [inbox] Re: RE: Linux (in)security
From: <Glenn_Everhart () bankone com>
Date: Thu, 23 Oct 2003 16:39:31 -0400
I agree that inherent OS features have much to do with their security, but must observe that OSs like VMS and OS/400 have very few security issues (even, in the first case, where heavily tested in wide networks) and are not open source (though again listings are published not too expensively for those interested at least in the first of these). Secure OS construction has been accomplished, to a pretty good approximation, by these OSs due I suspect to a culture of security paranoia in the engineering groups responsible. Any modest sized group with such a culture I would submit is likely to develop good solutions; the more talent in the group, the better they will be.

I mention these two because they are to my way of thinking examples of OSs which have been built with relatively few mistakes or misfeatures in the security area, disproving claims that such OSs cannot be built.

I would also submit that unless "properly configured" systems include "out of the box" systems, many fewer such will be found. VMS switched to such after V5 due to having been publicly beaten up by worms that used some of the old wide-open defaults. Made a tremendous difference in the field.

-----Original Message-----
From: Curt Purdy [mailto:purdy () tecman com]
Sent: Thursday, October 23, 2003 3:33 PM
To: 'Michal Zalewski'
Cc: full-disclosure () lists netsys com
Subject: RE: [inbox] Re: [Full-disclosure] RE: Linux (in)security
http://www.linuxunlimited.com/why-linux.htm

``Properly configured and maintained, Linux is one of the most secure operating systems available today.''

The key words here are "properly configured".

Well, once "properly configured", pretty much _any_ operating system would make it to the top 0.01% of the most secure boxes in the world.
<snip>

I heartily disagree. When you have inherently more secure code in OS's like *NIX and Netware, as evidenced by the paltry number of patches required by those OS's (1 in Netware vs. 38 for Windows in the same period) it doesn't matter how well you configure Windows, it will still be vulnerable, waiting for a compromise of the next discovered hole.

The reason for this is fundamental in the design. From the use of a registry (which corrupts with time, finally requiring re-installation) to the fact that no single human being knows all the source code for Windows, much less audits it, is the difference between MS and the rest.

This is the reason open-source is inherently more secure. First, people can actually audit it for security (you think IBM recommended Linux without going over every single line of code?) Second, everyone can see the code and contribute fixes when they see a potential problem, not after a vulnerability has developed and been discovered. True, Netware is closed-source but the engineering is superb and it does only what it needs to do, be a network OS.

People have the wrong idea when they say "Windows vulns are more researched and discovered because it is so prevalent." Without a total re-architecture and re-write of Windows code, if and when (hopefully) Windows OS's become a minority, they will still be getting the vast majority of discovered and exploited holes. Lay a dollar to a dime on that.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: [inbox] Re: RE: Linux (in)security Glenn_Everhart (Oct 23)
- RE: [inbox] Re: RE: Linux (in)security Curt Purdy (Oct 24)
- Re: [inbox] Re: RE: Linux (in)security Bill Royds (Oct 26)
- Re: [inbox] Re: RE: Linux (in)security Gregory A. Gilliss (Oct 26)
- Re: [inbox] Re: RE: Linux (in)security Valdis . Kletnieks (Oct 26)
- Re: [inbox] Re: RE: Linux (in)security Paul Schmehl (Oct 26)
- Re: [inbox] Re: RE: Linux (in)security Brett Hutley (Oct 26)
- Re: [inbox] Re: RE: Linux (in)security Ted Unangst (Oct 26)
- Re: [inbox] Re: RE: Linux (in)security Brett Hutley (Oct 26)
- Coding securely, was Linux (in)security Paul Schmehl (Oct 26)
- Re: Coding securely, was Linux (in)security coderman (Oct 26)
- Re: [inbox] Re: RE: Linux (in)security Gregory A. Gilliss (Oct 26)