RE: Ten least secure programs
From: Brad Bemis (Brad.Bemis_at_airborne.com)
Date: 07/09/03
- Previous message: chort: "Re: Firewall Comparisons"
- Maybe in reply to: Paul Kurczaba: "RE: Ten least secure programs"
- Next in thread: Yoo, Gene: "RE: Ten least secure programs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 9 Jul 2003 10:14:43 -0700
To: N407ER <n407er@myrealbox.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I will refer back to a previous statement made along these same lines.
Note however that I am not interested in any kind of religious debate over
whose systems are better or more secure. I maintain a firm belief in "the
right tool for the right job". While I have not conducted a statistical
analysis (nor am I interested in doing so), my own personal experiences
with the continual flood of security vulnerability alerts lead me to
believe that the statement made below is true. However, I do agree with
you that it is indeed more realistic to look at individual vendor
implementations to determine the true nature of vulnerability statistics
in relation to Linux distributions.
From prior post:
While it is true that many Linux vulnerabilities stem from applications and
services that are not considered 'core' to the OS, the fact that these
applications are provided as part of a distribution, and are often
installed by default (depending on the installation process) should be
kept in mind. Also note that many Linux security holes in 'non-core'
applications or services generally tend to impact or affect a great
number of the distributions that are out there.
- Brad Bemis
-----Original Message-----
From: N407ER [mailto:n407er@myrealbox.com]
Sent: Tuesday, July 08, 2003 6:17 PM
To: Brad Bemis
Cc: Dan Bartley; security-basics@securityfocus.com
Subject: Re: Ten least secure programs
How were the statistics gathered? RedHat may very well be as quick as
Microsoft at releasing security patches, while Linux From Scratch, by
definition, relies on the user to patch individual code from individual
authors. I don't see any way to comprehensively lump *all* Linux-based
OS'es together in this regard; taking one distribution the way FreeBSD
is taken independently of NetBSD, OpenBSD, OSX, BSDi, and the various
BSD spinoffs seems far more accurate.
This raises one of the key points about how meaningful software update
speed really is; Microsoft tends to release updates very quickly but
this has less relevance, in my opinion, to the security of a Microsoft
product than it may seem at first. How, for example, would you rate the
speed of updates versus the quantity? Is an OS with many bugs (compared
to, say, FreeBSD) but which updates faster better or worse? With a closed
commercial product, it is difficult to fix problems yourself, as well,
so again the speed of the updates is critical, while with something like
Linux, some vulnerabilities can be fixed with a patch from a third party
or with a recompile with a certain option. I think I've made the point.
Comparing as a whole just doesn't make sense; comparing one distro to
another makes only slightly more. Evaluating the security of the product
depends on the admin, the environment, and the use. Windows can be far
more secure than Linux, as can the opposite be true. Let's avoid
religious debates.
Brad Bemis wrote:
> That is a great observation. Many people appear to forget this when the
> Microsoft bashing begins...
>
> - Brad Bemis
>
>
>
>
> -----Original Message-----
> From: Dan Bartley [mailto:bartleyd@corp.netcarrier.com]
> Sent: Thursday, July 03, 2003 12:40 PM
> To: security-basics@securityfocus.com
> Subject: RE: Ten least secure programs
>
>
> You might want to study the statistics for the past year before making
> "my favorite OS" statements. Linux actually came out on top of the pile
> for number of security holes, number left unfixed, number of actual
> compromises and slowness in dissemination of information and fixes.
>
> FreeBSD came out among the best, or near, I believe. Windows was in the
> middle.
>
> Best Regards,
>
> Dan Bartley
-----BEGIN PGP SIGNATURE-----
Comment: KeyID: 0xB8F26ADD
Comment: Fingerprint: 6E1C D617 CD65 A203 7FD5 4C68 90E7 39F4 B8F2 6ADD
iQA/AwUBPwxNg5DnOfS48mrdEQISUwCdHJCsGEQq93BH5DNjGyIgmx3CzREAoJPc
yFnpEpuPK5XWIHClZQPt7FF6
=VkH8
-----END PGP SIGNATURE-----