RE: bill gates' claim about security vulnerabilities per LOC in Unix versus Windows

From: Henao, Johann (JHenao_at_noven.com)
Date: 11/05/03

  • Next message: Michael Howard: "RE: bill gates' claim about security vulnerabilities per LOC inUnix versus Windows"
    To: "'alexandre.sieira@ciphertech.com.br'" <alexandre.sieira@ciphertech.com.br>, secprog@securityfocus.com
    Date: Wed, 5 Nov 2003 14:07:53 -0500 
    
    

    Here is my 2 cents.

    From my experience, every piece of software has bugs; IBM AS/400 has just the
    same issues. Their OS software needs to be constantly updated with PTFs
    (program temporary fixes). And the same goes for JD Edwards and Oracle
    etc., which are enterprise software.

    I think that what is important here is how fast those bugs can be fixed by
    the software companies and what level of support the manufacturer is
    committed to provide.

    Also, it is true what Bill Gates says, that the OS does not necessarily need
    to be bullet proof, because that's not what it is intended to do. The OS still
    should be developed with a security-conscious attitude. But to secure your
    business you cannot rely on just the OS. You need a firewall, antivirus and
    intrusion detection systems, and they need to be up to date. In that sense I
    agree that he is correct. Still, he should provide a high level of quality
    in his products.

    -----Original Message-----
    From: Alexandre Sieira [mailto:alexandre.sieira@ciphertech.com.br]
    Sent: Wednesday, November 05, 2003 12:24 PM
    To: secprog@securityfocus.com
    Subject: RE: bill gates' claim about security vulnerabilities per LOC
    inUnix versus Windows

            A few comments on the message below.

    --
    Alexandre Sieira, CISSP
    Cipher - Segurança da Informação
    +55-21-2529-2629
    www.ciphertech.com.br
     
    > -----Original Message-----
    > From: Cobus Neethling [mailto:cobus@cknet.co.za] 
    > Sent: Wednesday, November 5, 2003 04:41
    > To: secprog@securityfocus.com
    > Subject: RE: bill gates' claim about security vulnerabilities 
    > per LOC inUnix versus Windows
    > 
    > 
    > Instead of raising my own opinion I am quoting a news item 
    > from viruslist.com run by Kaspersky Labs. You can find the 
    > article online at 
    > http://www.viruslist.com/eng/index.html?tnews=1008&id=56937
    > 
    > Here goes...
    > 
    > 
    > VirusList.com Virus Alerts & Virus News. Thursday, October 03, 2002
    > ******************************************************************
    > 
    > 1. Linux Gets A Reality Check
    > 2. How to subscribe/unsubscribe
    > 
    > ****
    > 
    > 1. Linux Gets A Reality Check
    > It may not be a surprise that as Linux diligently plods 
    > forward with a 30% annual increase in usage it is being 
    > targeted more and more by hackers, however, what may be a 
    > surprise is that Linux is proving to be at least as 
    > vulnerable as Windows products. While Linux has long basked 
    > in its reputation as a secure and stable platform, 
    > Microsoft's Windows is famously maligned for its bugs (what 
    > Microsoft terms "issues") and security vulnerabilities. It 
    > now appears that more than a few, especially virtually every 
    > proponent of the Linux open source revolution, may owe an 
    > apology to the Redmond, Washington software "monster", though 
    > presumably Bill Gates and his team are not holding their 
    > collective breath. Seemingly Microsoft's biggest crime was 
    > its popularity. 
    > 
    > Attacks: 
    > MI2G reports attacks on Linux is on the rise -
    > 5,736 attacks in the whole of 2001, but the first half of 
    > 2002 already shows 7,630. While attacks on Windows systems 
    > running Microsoft's IIS Web server fell by 20 percent, from 
    > 11,828 during the first six months of 2001 to 9,404 over the 
    > same period this year. These figures do not include viruses and worms.
    	Interesting choice of words here: does "attacks" mean "intrusion
    attempts" or "successful attacks"?
    	I believe the number of attacks is directly proportional to the
    number of servers and/or to the value of the information stored on them. So,
    it makes perfect sense for Linux to be more of a target if it is becoming
    more popular.
    	This paragraph needs further clarification.
    > 
    > Bugs and Vulnerabilities: 
    > The firm, Internet Security Systems last year, 2001, 
    > identified 149 bugs in Microsoft software and a surprising 
    > 309 for Linux. This year, 2002, continues this trend with a 
    > whopping 485 bugs attributed to Linux and a more sober, but 
    > still "way-too-high" 202 for Microsoft. More recent Microsoft 
    > offerings, such as Windows XP are indeed harder to crack than 
    > previous Windows products and may also offer a partial reason 
    > why Linux is now more often a target.
    	Again, we must be very careful with this statistic. I have seen
    figures before that compare the number of bugs in the Microsoft Windows
    product (operating system and built-in functionalities) against the number
    of bugs in all Linux distributions. 
    	The problem here is that we are comparing apples and oranges. Most
    Linux distributions include hundreds or thousands of optional packages that
    provide a lot more functionality than your average Windows built-in
    accessories. And it might be possible that a bug in a single component
    (OpenSSL, for instance) is counted as a "Linux bug" more than once,
    since it will appear in most distributions.
    	Again, I would like to understand exactly how this measurement was
    made before jumping to any conclusions.
    > 
    > Notes: 
    > XP may indeed be more secure than older Windows products, 
    > however, it should be noted that many networks run older 
    > Windows versions as well, thus mitigating the security 
    > improvement brought by XP.
    > 
    > Another notable trend is the emergence of hybrid viruses that 
    > attack multiple platforms. One such example is Nimda, which, 
    > besides its preferred victim Windows, also managed to infect 
    > AS/400 and Solaris machines.
    	Interestingly enough, this paragraph was included in a discussion of
    Linux versus Windows security even though it is clear that no mention of
    Linux whatsoever is made. This seems like a covert attempt to convey the
    idea that there is a trend that will ultimately result in worms and viruses
    that target Linux systems.
    	In all, this paper seems very Microsoft-biased, and lacking in depth
    in its arguments.
    > 
    > Statistics and trends aside, the most important thing is that 
    > users follow a sound security policy and regularly update 
    > anti-virus and other security software.
    > 
    > 
    > 
    > **
    > 
    > 2. How to subscribe/unsubscribe
    > 
    > If you would like to subscribe to other news blocks or to 
    > unsubscribe from this news block, you can do so by visiting 
    > http://www.viruslist.com/eng/maillist.html
    > 
    > If you experience 
    > any problems with this procedure, please contact us at: 
    > news@kaspersky.com
    > 
    > ****
    > 
    > Best of Luck,
    > 
    > Kaspersky Lab News Agent
    > 
    > -----
    > 10 Geroyev Panfilovtcev St., Moscow, 123363, Russia
    > Telephone./Facsimile: +7 (095) 948 43 31
    > WWW: http://www.kaspersky.com, http://www.viruslist.com
    > FTP: ftp://ftp.kasperskylab.ru
    > E-mail: info@avp.ru
    > 
    > 
    > Cobus Neethling
    > Web Developer
    > CKNet Internet Services (PTY) LTD
    > Tel: +27 11 314 0171
    > 
    > 
    > 
    
