Re: New IP based security hole in Windows 2000 (yet again)
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: Fri, 05 Aug 2005 14:27:28 -0500
In the Usenet newsgroup alt.computer.security, in article
<kYadnTmN5-eUlm7fRVnemail@example.com>, Jbob wrote:
>"Imhotep" <Imhotep@nospam.com> wrote:
>> Time for Linux/BSD everyone...
>You say that like Linux has no flaws(for a better word).
*BSD* is not Linux. The four (BSD386, FreeBSD, NetBSD, OpenBSD) are
similar in that they are like UNIX, but they are as different from one
another (and Linux) as cars from different manufacturers.
>If I'm not mistaken Linux has had more security patches over the last
>6 months than MS has.
Microsoft is trying to advertise that - yes, but oranges and tomatoes are
different. Most Linux distributions come with hundreds of applications,
but the applications are not part of the operating system. If the 200+
Linux distributors each release a patch for the same problem in a web
browser like Mozilla (one of many browsers that come with each distribution;
the one I'm using at home has seven different browsers) is that one patch
by your count, or two hundred? Or none, because it's a separate application.
Then to, most Linux distributors release patches and errata immediately,
instead of waiting to release one massive "Urgent Security Update" each
month that contain an unknown number of patches that may or may not fix
problems that have been around for a month to a year or more.
>I actually don't see most of this stuff as flaws but more as exploits.
>Crackers in a dark hole somewhere can crack anything if they hit it enough.
-rw-rw-r-- 1 admin admin 46713120 Jul 15 21:57 linux-126.96.36.199.tar.gz
That's a recent kernel source file - 46.7 Megabyte compressed, about
four million lines of C code. The applications are separate. The average
distribution includes another 2,500 Megabytes compressed of the source
code for the applications. So the crackers have something like 250
million lines of the sources - and they can't find stuff to crack in
that? Microsoft has never released the entire source for the O/S or any
application, and we have this huge business in anti-virus, anti-worm,
anti-trojan, anti-spyware programs for windoze - why?
>Even the precious Linux Kernel.
It's been tried. The advantage is that everyone can see the source, and
anyone seeing a problem can either fix it themselves, or tell the world
about it, so that someone else can fix it. Looking at the ChangeLog file
for the 2.6.12 kernel, I see 423 different people from around the world who
supplied changes. Most bug fixes are available in hours, though the Intel
'F00F' bug in 1997 took seven days (and microsoft has never bothered to fix
because it was a hardware bug - google for it).
>FWIW, I wish I new Linux better! :-) I'm trying though.
But as noted above, Linux isn't the only game in town, though the "popular"
distributions like Fedora, Mandriva and SuSE try to make it a lot more
newbie friendly than the *BSDs.