RE: bill gates' claim about security vulnerabilities per LOC inUn ix versus Windows
From: Henao, Johann (JHenao_at_noven.com)
To: "'firstname.lastname@example.org'" <email@example.com>, firstname.lastname@example.org Date: Wed, 5 Nov 2003 14:07:53 -0500
Here is my 2 cents.
From my experience every piece of software has bugs, IBM AS/400 has just the
same issues. Their OS software needs to be constantly updated with PTFs
(program temporary fixes). And the Same goes for JD Edwards and Oracle
etc... which are enterprise software.
I think that what is important here is, how fast can those bugs be fixed by
the Software Companies and what level of support the manufacturer is
committed to provide.
Also it is true what Bill Gates says, that the OS does not necessarily need
to be bullet proof, because that's not what is intended to do. The OS still
should be developed using a security conscious attitude. But to secure your
business you cannot rely on just the OS. You need Firewall, Antivirus,
Intrusion Detection Systems and they need to be up to date. In that sense I
agree that he is correct. Still he should provide a high level of quality
in his products.
From: Alexandre Sieira [mailto:email@example.com]
Sent: Wednesday, November 05, 2003 12:24 PM
Subject: RE: bill gates' claim about security vulnerabilities per LOC
inUnix versus Windows
A few comments on the message below.
-- Alexandre Sieira, CISSP Cipher - Segurança da Informação +55-21-2529-2629 www.ciphertech.com.br > -----Original Message----- > From: Cobus Neethling [mailto:firstname.lastname@example.org] > Sent: quarta-feira, 5 de novembro de 2003 04:41 > To: email@example.com > Subject: RE: bill gates' claim about security vulnerabilities > per LOC inUnix versus Windows > > > In stead of raising my own oppinion I am quoting a news item > from viruslist.com run by Kaspersky Labs. You can find the > article online at > http://www.viruslist.com/eng/index.html?tnews=1008&id=56937 > > Here goes... > > > VirusList.com Virus Alerts & Virus News. Thursday, October 03, 2002 > ****************************************************************** > > 1. Linux Gets A Reality Check > 2. How to subscribe/unsubscribe > > **** > > 1. Linux Gets A Reality Check > It may not be a surprise that as Linux diligently plods > forward with a 30% annual increase in usage it is being > targeted more and more by hackers, however, what may be a > surprise is that Linux is proving to be at least as > vulnerable as Windows products. While Linux has long basked > in its reputation as a secure and stable platform, > Microsoft's Windows is famously maligned for its bugs (what > Microsoft terms "issues") and security vulnerabilities. It > now appears that more than a few, especially virtually every > proponent of the Linux open source revolution, may owe an > apology to the Redmond, Washington software "monster", though > presumably Bill Gates and his team are not holding their > collective breath. Seemingly Microsoft's biggest crime was > its popularity. > > Attacks: > MI2G reports attacks on Linux is on the rise - > 5,736 attacks in the whole of 2001, but the first half of > 2002 already shows 7,630. While attacks on Windows systems > running Microsoft's IIS Web server fell by 20 percent, from > 11,828 during the first six months of 2001 to 9,404 over the > same period this year. These figures do not include viruses and worms. Interesting choice of words here: "attacks" mean "intrusion attempts" or "successful attacks"? I believe the number of attacks is directly proportional to the number of servers and/or to the value of the information stored in them. So, it makes perfect sense for Linux to be more of a target if it is becoming more popular. This paragraph need further clarification. > > Bugs and Vulnerabilities: > The firm, Internet Security Systems last year, 2001, > identified 149 bugs in Microsoft software and a surprising > 309 for Linux. This year, 2002, continues this trend with a > whopping 485 bugs attributed to Linux and a more sober, but > still "way-too-high" 202 for Microsoft. More recent Microsoft > offerings, such as Windows XP are indeed harder to crack than > previous Windows products and may also offer a partial reason > why Linux is now more often a target. Again, we must be very careful with this statistic. I have seen figures before that compare the number of bugs in the Microsoft Windows product (operating system and built-in functionalities) against the number of bugs in all Linux distributions. The problem here is that we are comparing apples and oranges. Most Linux distributions include hundreds or thousand of optional packages that provide a lot more functionality than your average Windows buit-in accessories. And, it might be possible that a bug in a single component (OpenSLL, for instance) may be counted as a "Linux bug" more than once, since it will appear on most distributions. Again, I would like to understand exactly how this measurement was made before jumping to any conclusions. > > Notes: > XP may indeed be more secure than older Windows products, > however, it should be noted that many networks run older > Windows versions as well, thus mitigating the security > improvement brought by XP. > > Another notable trend is the emergence of hybrid viruses that > attack multiple platforms. One such example is Nimda, which, > besides its preferred victim Windows, also managed to infect > AS/400 and Solaris machines. Interestingly enough, this paragraph was included in a discussing of Linux versus Windows security even when it becomes clear that no mention to Linux whatsoever is made. This seems like a covert attempt to convey the idea that there is a trend that will ultimately result in worms and viruses that target Linux systems. In all, this paper seems very Microsoft-biased, and lacking in depth for its arguments. > > Statistics and trends aside, the most important thing is that > users follow a sound security policy and regularly update > anti-virus and other security software. > > > > ** > > 2. How to subscribe/unsubscribe > > If you would like to subscribe to other news blocks or to > unsubscribe from this news block, you can do so by visiting > http://www.viruslist.com/eng/maillist.html > > If you experience > any problems with this procedure, please contact us at: > firstname.lastname@example.org > > **** > > Best of Luck, > > Kaspersky Lab News Agent > > ----- > 10 Geroyev Panfilovtcev St., Moscow, 123363, Russia > Telephone./Facsimile: +7 (095) 948 43 31 > WWW: http://www.kaspersky.com, http://www.viruslist.com > FTP: ftp://ftp.kasperskylab.ru > E-mail: email@example.com > > > Cobus Neethling > Web Developer > CKNet Internet Services (PTY) LTD > Tel: +27 11 314 0171 > > >