Full Disclosure mailing list archives
RE: [inbox] Re: RE: Linux (in)security
From: "Andy Wood" <andy () digitalindustry org>
Date: Thu, 23 Oct 2003 19:10:16 -0400
Paul should know better than most. He sits on his ass all day reading/replying to posts instead of fixing the almost insurmountable # of vulns in his domain. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul Schmehl Sent: Thursday, October 23, 2003 6:15 PM To: full-disclosure () lists netsys com --On Thursday, October 23, 2003 02:32:37 PM -0500 Curt Purdy <purdy () tecman com> wrote:
I hardily disagree. When you have inherently more secure code in OS's like *NIX and Netware, as evidenced by the paltry number of patches required by those OS's (1 in Netware vs. 38 for Windows in the same period)
This is an apples to oranges comparison. Netware is a network OS. "Windows" includes all the applications that come with Windows, whether they are part of the base OS, part of the networking functions or addons. (IE, OE, etc.)
it doesn't matter how well you configure Windows, it will still be vulnerable, waiting for a compromise of the next discovered hole. The reason for this is fundamental in the design. From the use of a registry (which corrupts with time, finally requiring re-installation)
I have never experienced this in 20 years of using and supporting Microsoft products. I guess I'm unique.
to the fact that no single human being knows all the source code for Windows, much less audits it, is the difference between MS and the rest.
I assume you can name a single human being who knows all the source code for Unix? Including the apps? (I really want to meet this person.)
This is the reason open-source is inherently more secure. First, people can actually audit it for security (you think IBM recommended Linux without going over every single line of code?)
Which is why they release security advisories for things like kernel vulnerabilities, right? Because they vetted the code and *knew* it was OK? They certainly wouldn't audit the code and miss a vulnerability in the linux kernel, right? Oh, and BTW, where exactly *is* IBM's security site where you can quickly view all the advisories they've released? Your arguments are nothing short of silly. In 2003 there have been 43 security advisories for SUSE Linux according to SUSE's website: http://www.suse.com/de/security/announcements/index.html RedHat has had 53 during the same time period: https://rhn.redhat.com/errata/rh9-errata-security.html Debian has had 176 during the same time period: http://www.debian.org/security/2003/ (Makes me wonder if the other vendors are really being honest. Is Debian that bad? Or just much more thorough, forthright and conscientious than the others?) During the same time period, Microsoft has had 47. And those 47 include things like Exchange Server and SQL Server, not *just* the Windows OS. I'd say *everyone* has a poor record, and instead of OS bigotry we *all* ought to be concentrating on getting *all* vendors to release more secure code. Imagine how much fun it is for an enterprise with 10,000 computers, each of which has to be patched 40 or 50 times a year, *regardless* of the OS. We ought to be disgusted with *all* the vendors. Then you have some blaming the "monoculture" for our security problems. Yeah, what we really need is to do maintenance on ten different platforms, *all* of which have to be patched 40 or 50 times a year. Yeah, that's my idea of fun alright. But we'd be more secure because of the diversity, right? Sure. And I've got some swampland I'm looking to get rid of.
Second, everyone can see the code and contribute fixes when they see a potential problem, not after a vulnerability has developed and been discovered.
Sure. This is why buffer overflows have been missed in the code for years, right? This is why wu-ftpd keeps having new vulns discovered every year, right? Why sendmail keeps having new vulns discovered over and over again? Why KDE is constantly being patched for the latest security weakness, right? Cause people have pored over that code, every line, and they *know* it's secure, right? True Netware is
closed-source but the engineering is superb and it does only what it needs to do, be a network OS.
And you know this because you've audited the code, right? Oh wait, you can't do that. So this is just an opinion based on observation, familiarity with the product and trust of the vendor. However, Novell has released 24 security advisories this year: http://support.novell.com/filefinder/security/index.html So it appears your faith in them might be misplaced. It looks like their programmers are struggling just like everyone else's to write secure code.
People have the wrong idea when they say "Windows vulns are more researched and discovered because it so prevalent. Without a total re-architecture and re-write of Windows code, if and when (hopefully) Windows OS's become a minority, they will still be getting the vast majority of discovered and exploited holes. Lay a dollar to a dime on that.
When Windows becomes a minority OS, the hackers and script kiddies will have moved on to whatever is the most popular and weakest platform. I can't name an OS that hasn't been hacked, can you? I can't name a widely used application that hasn't had at least *one* patch released for a security problem, can you? (Even Postfix had a remote DoS recently, which really depressed me.) Don't get me wrong. My favorite OS right now is FreeBSD. And I believe that open source is superior to closed, proprietary source, for a number of reasons. But they all have problems, and they all need to be fixed from time to time and they *all* need to improve their security procedures and code auditing and programming practices. Every one of them. What we need is a sea change in the way OS vendors do business. Not OS bigotry and constant sniping about who's worst and who's best. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.529 / Virus Database: 324 - Release Date: 10/16/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.529 / Virus Database: 324 - Release Date: 10/16/2003 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: [inbox] Re: RE: Linux (in)security, (continued)
- RE: [inbox] Re: RE: Linux (in)security Curt Purdy (Oct 22)
- RE: [inbox] Re: RE: Linux (in)security Michal Zalewski (Oct 22)
- RE: [inbox] Re: RE: Linux (in)security Ron DuFresne (Oct 23)
- RE: [inbox] Re: RE: Linux (in)security Curt Purdy (Oct 23)
- RE: [inbox] Re: RE: Linux (in)security Michal Zalewski (Oct 23)
- RE: [inbox] Re: RE: Linux (in)security Ron DuFresne (Oct 23)
- Re: [inbox] Re: RE: Linux (in)security William Warren (Oct 23)
- Re: [inbox] Re: RE: Linux (in)security Ron DuFresne (Oct 24)
- Re: [inbox] Re: RE: Linux (in)security Jeremiah Cornelius (Oct 23)
- RE: [inbox] Re: RE: Linux (in)security Paul Schmehl (Oct 23)
- RE: [inbox] Re: RE: Linux (in)security Andy Wood (Oct 23)
- RE: [inbox] Re: RE: Linux (in)security Paul Schmehl (Oct 23)
- Re: [inbox] Re: RE: Linux (in)security Dan Wilder (Oct 23)
- Re: [inbox] Re: RE: Linux (in)security Paul Schmehl (Oct 23)
- Re: [inbox] Re: RE: Linux (in)security Peter Busser (Oct 24)
- Re: [inbox] Re: RE: Linux (in)security Shawn McMahon (Oct 24)
- RE: [inbox] Re: RE: Linux (in)security Arcturus (Oct 23)
- Re: [inbox] Re: RE: Linux (in)security Peter Busser (Oct 24)
- Re: [inbox] Re: RE: Linux (in)security Shawn McMahon (Oct 24)
- Re: [inbox] Re: Linux (in)security Chris Ruvolo (Oct 24)
- Re: [inbox] Re: RE: Linux (in)security Valdis . Kletnieks (Oct 24)