RE: Ten least secure programs

From: Brad Bemis (
Date: 07/09/03

    Date: Wed, 9 Jul 2003 10:14:43 -0700
    To: N407ER <>

    I will refer back to a previous statement made along these same lines.
    Note however that I am not interested in any kind of religious debate over
    whose systems are better or more secure. I maintain a firm belief in "the
    right tool for the right job". While I have not conducted a statistical
    analysis (nor am I interested in doing so), my own personal experiences
    with the continual flood of security vulnerability alerts lead me to
    believe that the statement made below is true. However, I do agree with
    you that it is indeed more realistic to look at individual vendor
    implementations to determine the true nature of vulnerability statistics
    in relation to Linux distributions.

    From prior post:
    While it is true that many Linux vulnerabilities stem from applications and
    services that are not considered 'core' to the OS, the fact that these
    applications are provided as part of a distribution, and are often
    installed by default (depending on the installation process) should be
    kept in mind. Also note that many Linux security holes in 'non-core'
    applications or services generally tend to impact or affect a great
    number of the distributions that are out there.

    - Brad Bemis

    -----Original Message-----
    From: N407ER []
    Sent: Tuesday, July 08, 2003 6:17 PM
    To: Brad Bemis
    Cc: Dan Bartley;
    Subject: Re: Ten least secure programs

    How were the statistics gathered? RedHat may very well be as quick as
    Microsoft at releasing security patches, while Linux From Scratch, by
    definition, relies on the user to patch individual code from individual
    authors. I don't see any way to comprehensively lump *all* Linux-based
    OSes together in this regard; taking one distribution the way FreeBSD
    is taken independently of NetBSD, OpenBSD, OSX, BSDi, and the various
    BSD spinoffs seems far more accurate.

    This raises one of the key points about how meaningful software update
    speed really is; Microsoft tends to release updates very quickly, but
    this has less relevance, in my opinion, to the security of a Microsoft
    product than it may seem at first. How, for example, would you rate the
    speed of updates versus the quantity? Is an OS with many bugs (compared
    to, say, FreeBSD) but which updates faster better or worse? With a closed
    commercial product, it is difficult to fix problems yourself, as well,
    so again the speed of the updates is critical, while with something like
    Linux, some vulnerabilities can be fixed with a patch from a third party
    or with a recompile with a certain option. I think I've made the point.

    Comparing as a whole just doesn't make sense; comparing one distro to
    another makes only slightly more. Evaluating the security of the product
    depends on the admin, the environment, and the use. Windows can be far
    more secure than Linux, as can the opposite be true. Let's avoid
    religious debates.

    Brad Bemis wrote:
    > That is a great observation. Many people appear to forget this when the
    > Microsoft bashing begins...
    > - Brad Bemis
    > -----Original Message-----
    > From: Dan Bartley []
    > Sent: Thursday, July 03, 2003 12:40 PM
    > To:
    > Subject: RE: Ten least secure programs
    > You might want to study the statistics for the past year before making
    > "my favorite OS" statements. Linux actually came out on top of the pile
    > for number of security holes, number left unfixed, number of actual
    > compromises and slowness in dissemination of information and fixes.
    > FreeBSD came out among the best, or near, I believe. Windows was in the
    > middle.
    > Best Regards,
    > Dan Bartley
