RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

From: Curt Purdy (purdy_at_tecman.com)
Date: 10/23/03

  • Next message: Richard M. Smith: "[Full-Disclosure] AOL fixes the Windows Messenger Service popup spam problem"
    To: "'Michal Zalewski'" <lcamtuf@ghettot.org>
    Date: Thu, 23 Oct 2003 14:32:37 -0500
    
    

    > >> http://www.linuxunlimited.com/why-linux.htm
    > >> ``Properly configured and maintained, Linux is one of the
    > >> most secure operating systems available today.''
    > >
    > > The key words here are "properly configured".
    >
    > Well, once "properly configured", pretty much _any_ operating
    > system would
    > make it to the top 0.01% of the most secure boxes in the
    > world.
    <snip>

    I heartily disagree. When you have inherently more secure code in OS's like
    *NIX and Netware, as evidenced by the paltry number of patches required by
    those OS's (1 in Netware vs. 38 for Windows in the same period), it doesn't
    matter how well you configure Windows, it will still be vulnerable, waiting
    for a compromise of the next discovered hole. The reason for this is
    fundamental in the design. From the use of a registry (which corrupts with
    time, finally requiring re-installation) to the fact that no single human
    being knows all the source code for Windows, much less audits it, is the
    difference between MS and the rest.

    This is the reason open-source is inherently more secure. First, people can
    actually audit it for security (you think IBM recommended Linux without
    going over every single line of code?) Second, everyone can see the code
    and contribute fixes when they see a potential problem, not after a
    vulnerability has developed and been discovered. True, Netware is
    closed-source but the engineering is superb and it does only what it needs
    to do, be a network OS.

    People have the wrong idea when they say "Windows vulns are more researched
    and discovered because it is so prevalent." Without a total re-architecture and
    re-write of Windows code, if and when (hopefully) Windows OS's become a
    minority, they will still be getting the vast majority of discovered and
    exploited holes. Lay a dollar to a dime on that.

    Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
    Information Security Engineer
    DP Solutions

    ----------------------------------------

    If you spend more on coffee than on IT security, you will be hacked.
    What's more, you deserve to be hacked.
    -- White House cybersecurity adviser Richard Clarke

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

