RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 10/24/03

    To: full-disclosure@lists.netsys.com
    Date: Thu, 23 Oct 2003 17:15:07 -0500
    
    

    --On Thursday, October 23, 2003 02:32:37 PM -0500 Curt Purdy
    <purdy@tecman.com> wrote:
    >
    > I heartily disagree. When you have inherently more secure code in OS's
    > like *NIX and Netware, as evidenced by the paltry number of patches
    > required by those OS's (1 in Netware vs. 38 for Windows in the same
    > period)

    This is an apples to oranges comparison. Netware is a network OS.
    "Windows" includes all the applications that come with Windows, whether
    they are part of the base OS, part of the networking functions or addons.
    (IE, OE, etc.)

    > it doesn't matter how well you configure Windows, it will still be
    > vulnerable, waiting for a compromise of the next discovered hole. The
    > reason for this is fundamental in the design. From the use of a registry
    > (which corrupts with time, finally requiring re-installation)

    I have never experienced this in 20 years of using and supporting Microsoft
    products. I guess I'm unique.

    > to the fact
    > that no single human being knows all the source code for Windows, much
    > less audits it, is the difference between MS and the rest.
    >
    I assume you can name a single human being who knows all the source code
    for Unix? Including the apps? (I really want to meet this person.)

    > This is the reason open-source is inherently more secure. First, people
    > can actually audit it for security (you think IBM recommended Linux
    > without going over every single line of code?)

    Which is why they release security advisories for things like kernel
    vulnerabilities, right? Because they vetted the code and *knew* it was OK?
    They certainly wouldn't audit the code and miss a vulnerability in the
    linux kernel, right? Oh, and BTW, where exactly *is* IBM's security site
    where you can quickly view all the advisories they've released?

    Your arguments are nothing short of silly.

    In 2003 there have been 43 security advisories for SUSE Linux according to
    SUSE's website:
    http://www.suse.com/de/security/announcements/index.html

    RedHat has had 53 during the same time period:
    https://rhn.redhat.com/errata/rh9-errata-security.html

    Debian has had 176 during the same time period:
    http://www.debian.org/security/2003/

    (Makes me wonder if the other vendors are really being honest. Is Debian
    that bad? Or just much more thorough, forthright and conscientious than
    the others?)

    During the same time period, Microsoft has had 47. And those 47 include
    things like Exchange Server and SQL Server, not *just* the Windows OS. I'd
    say *everyone* has a poor record, and instead of OS bigotry we *all* ought
    to be concentrating on getting *all* vendors to release more secure code.
    Imagine how much fun it is for an enterprise with 10,000 computers, each of
    which has to be patched 40 or 50 times a year, *regardless* of the OS. We
    ought to be disgusted with *all* the vendors.

    Then you have some blaming the "monoculture" for our security problems.
    Yeah, what we really need is to do maintenance on ten different platforms,
    *all* of which have to be patched 40 or 50 times a year. Yeah, that's my
    idea of fun alright. But we'd be more secure because of the diversity,
    right? Sure. And I've got some swampland I'm looking to get rid of.

    > Second, everyone can see
    > the code and contribute fixes when they see a potential problem, not
    > after a vulnerability has developed and been discovered.

    Sure. This is why buffer overflows have been missed in the code for years,
    right? This is why wu-ftpd keeps having new vulns discovered every year,
    right? Why sendmail keeps having new vulns discovered over and over again?
    Why KDE is constantly being patched for the latest security weakness,
    right? Cause people have pored over that code, every line, and they *know*
    it's secure, right?

    > True Netware is
    > closed-source but the engineering is superb and it does only what it needs
    > to do, be a network OS.

    And you know this because you've audited the code, right? Oh wait, you
    can't do that. So this is just an opinion based on observation,
    familiarity with the product and trust of the vendor.

    However, Novell has released 24 security advisories this year:
    http://support.novell.com/filefinder/security/index.html

    So it appears your faith in them might be misplaced. It looks like their
    programmers are struggling just like everyone else's to write secure code.
    >
    > People have the wrong idea when they say "Windows vulns are more
    > researched and discovered because it so prevalent. Without a total
    > re-architecture and re-write of Windows code, if and when (hopefully)
    > Windows OS's become a minority, they will still be getting the vast
    > majority of discovered and exploited holes. Lay a dollar to a dime on
    > that.
    >
    When Windows becomes a minority OS, the hackers and script kiddies will
    have moved on to whatever is the most popular and weakest platform. I
    can't name an OS that hasn't been hacked, can you? I can't name a widely
    used application that hasn't had at least *one* patch released for a
    security problem, can you? (Even Postfix had a remote DoS recently, which
    really depressed me.)

    Don't get me wrong. My favorite OS right now is FreeBSD. And I believe
    that open source is superior to closed, proprietary source, for a number of
    reasons.

    But they all have problems, and they all need to be fixed from time to time
    and they *all* need to improve their security procedures and code auditing
    and programming practices. Every one of them.

    What we need is a sea change in the way OS vendors do business. Not OS
    bigotry and constant sniping about who's worst and who's best.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


