RE: bill gates' claim about security vulnerabilities per LOC inUnix versus Windows

From: Michael Howard (mikehow_at_microsoft.com)
Date: 11/05/03

    Date: Wed, 5 Nov 2003 12:12:56 -0800
    To: "Henao, Johann" <JHenao@noven.com>, <alexandre.sieira@ciphertech.com.br>, <secprog@securityfocus.com>
    
    

    I think y'all are missing an important point - the goal, over time, should be to reduce the incidence of such bugs appearing in the code... To do that you have to train people, because let's be frank, this stuff isn't taught in school, and you need to build a process that fosters building secure code...

    It really doesn't matter how fast a bug is found, the person that wrote the code shouldn't have made the mistake in the first place.

    Cheers, Michael

    [Writing Secure Code 2nd Edition] http://www.microsoft.com/mspress/books/5957.asp
    [Protect Your PC] http://www.microsoft.com/protect
    [Blog] http://blogs.gotdotnet.com/mikehow

    -----Original Message-----
    From: Henao, Johann [mailto:JHenao@noven.com]
    Sent: Wednesday, November 05, 2003 11:08 AM
    To: 'alexandre.sieira@ciphertech.com.br'; secprog@securityfocus.com
    Subject: RE: bill gates' claim about security vulnerabilities per LOC inUnix versus Windows

    Here is my 2 cents.

    From my experience every piece of software has bugs; IBM AS/400 has just the same issues. Their OS software needs to be constantly updated with PTFs (program temporary fixes). And the same goes for JD Edwards and Oracle etc., which are enterprise software.

    I think that what is important here is how fast those bugs can be fixed by the software companies and what level of support the manufacturer is committed to provide.

    Also, it is true what Bill Gates says, that the OS does not necessarily need to be bulletproof, because that's not what it is intended to do. The OS still should be developed with a security-conscious attitude. But to secure your business you cannot rely on just the OS. You need a firewall, antivirus and intrusion detection systems, and they need to be up to date. In that sense I agree that he is correct. Still, he should provide a high level of quality in his products.

    -----Original Message-----
    From: Alexandre Sieira [mailto:alexandre.sieira@ciphertech.com.br]
    Sent: Wednesday, November 05, 2003 12:24 PM
    To: secprog@securityfocus.com
    Subject: RE: bill gates' claim about security vulnerabilities per LOC inUnix versus Windows

            A few comments on the message below.

    --
    Alexandre Sieira, CISSP
    Cipher - Segurança da Informação
    +55-21-2529-2629
    www.ciphertech.com.br
     
    > -----Original Message-----
    > From: Cobus Neethling [mailto:cobus@cknet.co.za]
    > Sent: Wednesday, 5 November 2003 04:41
    > To: secprog@securityfocus.com
    > Subject: RE: bill gates' claim about security vulnerabilities per LOC 
    > inUnix versus Windows
    > 
    > 
    > Instead of raising my own opinion I am quoting a news item from 
    > viruslist.com run by Kaspersky Labs. You can find the article online 
    > at
    > http://www.viruslist.com/eng/index.html?tnews=1008&id=56937
    > 
    > Here goes...
    > 
    > 
    > VirusList.com Virus Alerts & Virus News. Thursday, October 03, 2002
    > ******************************************************************
    > 
    > 1. Linux Gets A Reality Check
    > 2. How to subscribe/unsubscribe
    > 
    > ****
    > 
    > 1. Linux Gets A Reality Check
    > It may not be a surprise that as Linux diligently plods forward with a 
    > 30% annual increase in usage it is being targeted more and more by 
    > hackers, however, what may be a surprise is that Linux is proving to 
    > be at least as vulnerable as Windows products. While Linux has long 
    > basked in its reputation as a secure and stable platform, Microsoft's 
    > Windows is famously maligned for its bugs (what Microsoft terms 
    > "issues") and security vulnerabilities. It now appears that more than 
    > a few, especially virtually every proponent of the Linux open source 
    > revolution, may owe an apology to the Redmond, Washington software 
    > "monster", though presumably Bill Gates and his team are not holding 
    > their collective breath. Seemingly Microsoft's biggest crime was its 
    > popularity.
    > 
    > Attacks: 
    > MI2G reports attacks on Linux are on the rise -
    > 5,736 attacks in the whole of 2001, but the first half of
    > 2002 already shows 7,630. While attacks on Windows systems running 
    > Microsoft's IIS Web server fell by 20 percent, from
    > 11,828 during the first six months of 2001 to 9,404 over the same 
    > period this year. These figures do not include viruses and worms.
    	Interesting choice of words here: does "attacks" mean "intrusion attempts" or "successful attacks"?
    	I believe the number of attacks is directly proportional to the number of servers and/or to the value of the information stored on them. So, it makes perfect sense for Linux to be more of a target if it is becoming more popular.
    	This paragraph needs further clarification.
    > 
    > Bugs and Vulnerabilities: 
    > The firm, Internet Security Systems last year, 2001, identified 149 
    > bugs in Microsoft software and a surprising
    > 309 for Linux. This year, 2002, continues this trend with a whopping 
    > 485 bugs attributed to Linux and a more sober, but still 
    > "way-too-high" 202 for Microsoft. More recent Microsoft offerings, 
    > such as Windows XP are indeed harder to crack than previous Windows 
    > products and may also offer a partial reason why Linux is now more 
    > often a target.
    	Again, we must be very careful with this statistic. I have seen figures before that compare the number of bugs in the Microsoft Windows product (operating system and built-in functionalities) against the number of bugs in all Linux distributions.
    	The problem here is that we are comparing apples and oranges. Most Linux distributions include hundreds or thousands of optional packages that provide a lot more functionality than your average Windows built-in accessories. And it might be possible that a bug in a single component (OpenSSL, for instance) may be counted as a "Linux bug" more than once, since it will appear in most distributions.
    	Again, I would like to understand exactly how this measurement was made before jumping to any conclusions.
    > 
    > Notes: 
    > XP may indeed be more secure than older Windows products, however, it 
    > should be noted that many networks run older Windows versions as well, 
    > thus mitigating the security improvement brought by XP.
    > 
    > Another notable trend is the emergence of hybrid viruses that attack 
    > multiple platforms. One such example is Nimda, which, besides its 
    > preferred victim Windows, also managed to infect AS/400 and Solaris 
    > machines.
    	Interestingly enough, this paragraph was included in a discussion of Linux versus Windows security even when it becomes clear that no mention of Linux whatsoever is made. This seems like a covert attempt to convey the idea that there is a trend that will ultimately result in worms and viruses that target Linux systems.
    	In all, this paper seems very Microsoft-biased, and lacking in depth for its arguments.
    > 
    > Statistics and trends aside, the most important thing is that users 
    > follow a sound security policy and regularly update anti-virus and 
    > other security software.
    > 
    > Best of Luck,
    > 
    > Kaspersky Lab News Agent
    > 
    > -----
    > 10 Geroyev Panfilovtcev St., Moscow, 123363, Russia
    > Telephone./Facsimile: +7 (095) 948 43 31
    > WWW: http://www.kaspersky.com, http://www.viruslist.com
    > FTP: ftp://ftp.kasperskylab.ru
    > E-mail: info@avp.ru
    > 
    > 
    > Cobus Neethling
    > Web Developer
    > CKNet Internet Services (PTY) LTD
    > Tel: +27 11 314 0171