From: Tim Haynes <>
Date: 23 Dec 2001 20:55:40 +0000

"Felmon John Davis" <> writes:

> Here's what I don't yet understand. I know this hole for a potential in
> XP is quite serious. But aren't there equally serious holes for potential
> exploits in Linux? I was just reading of (another) vulnerability in
> wu_ftpd. (I know the definition of 'linux' can be as narrow as the kernel
> and as broad as 'everything in a distribution'; the 'only the kernel'
> definition seems too narrow to me.)

Linux *is* only the kernel. Without it you wouldn't have a linux-anything,
let alone an OS. Anything else in a distribution has come from the
compilers of the distro; the majority of that is GNU tools, as well. There
is nothing more correct than to say that Linux is the kernel, and a distro
may well be GNU/Linux.

> I'm not interested in a flamefest. This is an earnest question. Is the
> present uproar over XP because this is a gaffe without parallel in other
> operating systems (so 'technically inferior'), or is it because Microsoft
> has put their foot in their mouth (so (also) 'political' or PR), or some
> other reason?

If M$loth on the one hand say that XP is the most secure windoze ever, and
on the other that it has the world's biggest cockup ever in it too, judge
their consistency for yourself.
If your (GNU/)Linux distro claims to be secure, first shoot the messenger,
then look for the corresponding world's-biggest-cockup in it too, and judge
the consistency for yourself.

> What I'm gathering is:
> (a) it's partly 'technical inferior' in the way that a distribution of
> Linux would be 'technically inferior' if it included an easily
> exploitable service such as 'wu-ftpd' turned on and set up by default

Yes. If you have remote-root vulnerabilities out of the box, you're
shipping <excrement>.

> (b) it's largely 'political' or PR since MS crowed about his security
> superiority and criticized Linux, et al., on this score.

Comes from M$loth => is more PR & politics than substantive.

> I do think their including a 'service' like this turned on by default is
> irresponsible and then when it's buggy to boot it's almost criminal.

See `consistency' above; it wouldn't be so bad if it wasn't crowed from the

For bonus points, consider the approach that says "but a *competent* admin
would turn that off", and contemplate what proportion of *windoze* people
are likely to be competent, versus the proportion of linux folks.
While there are still far too many linux-idiots out & about who don't give
a fig for security and are therefore responsible for adore/ramen et al
being able to spread, I think things still err in linux's favour.
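The point about services "turned on by default" and an admin who "would turn that off" is easy to check on a 2001-era box, where most network daemons (wu-ftpd included) were launched from inetd. The script below is an added example, not part of Tim Haynes's post or any real distribution: it audits a constructed inetd.conf sample, lists which services are actually enabled, singles out the ones that run as root (where a bug in the daemon is a remote-root hole), and shows how disabling one is just commenting its line out. The sample config, the service names in it and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a constructed inetd.conf
# for services enabled by default, and show how to switch one off.

# Constructed sample of an inetd.conf; not copied from any real system.
SAMPLE_INETD_CONF='# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
'

# enabled_services CONFIG: names of services whose line is not commented out.
enabled_services() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk 'NF > 0 { print $1 }'
}

# root_services CONFIG: enabled services whose daemon runs as root (column 5).
# These are the lines where a daemon bug becomes a remote-root vulnerability.
root_services() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | awk 'NF > 0 && $5 == "root" { print $1 }'
}

# disable_service NAME CONFIG: print CONFIG with NAME's line commented out.
# (On a live system you would edit /etc/inetd.conf and HUP inetd.)
disable_service() {
    printf '%s\n' "$2" | awk -v svc="$1" '$1 == svc { print "#" $0; next } { print }'
}

# Usage: what is on by default, what is root, and the config after turning ftp off.
echo "enabled: $(enabled_services "$SAMPLE_INETD_CONF" | tr '\n' ' ')"
echo "running as root: $(root_services "$SAMPLE_INETD_CONF" | tr '\n' ' ')"
HARDENED=$(disable_service ftp "$SAMPLE_INETD_CONF")
echo "enabled after disabling ftp: $(enabled_services "$HARDENED" | tr '\n' ' ')"
```

Pointing the functions at a real `/etc/inetd.conf` (or a directory of xinetd files, with the parsing adjusted) is the quick way to answer "what did this install expose out of the box" before arguing about whose users are more competent.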