Re: Scary report on OSS/Linux security
From: !nospam!mussatto@acm.org.no.spam
Date: 12/04/02
- Next message: Kasper Dupont: "Re: SSH tunneling ports < 1024 for normal users"
- Previous message: Lee Grey: "Re: Have I been hacked?"
- In reply to: Bill Unruh: "Re: Scary report on OSS/Linux security"
- Next in thread: Andrew Yeomans: "Re: Scary report on OSS/Linux security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: !nospam!mussatto@acm.org.no.spam Date: Wed, 04 Dec 2002 06:01:16 GMT
2 comments:
- How long does it take to get fixes for the holes? The hole used by
the Code Red worm was known for several months. MS did nothing until
there was a public exploit. Even after the IP address of
www.whitehouse.gov was moved they did not publish a patch for IIS. I
was resetting my NT for months because of Code Red II (v4 just dies, 2K
got infected) before they patched it.
- Under the Digital Millennium Copyright Act, telling them there is a problem
may be (and by some vendors has been) construed as a violation with real
penalties. Lots of reasons NOT to report it. With open source this is
not an issue.
On 2 Dec 2002 18:34:24 GMT, unruh@string.physics.ubc.ca (Bill Unruh)
wrote:
>bob@instantwhip.com (Bob Ceculski) writes:
>
>]Gerry Van Donkersgoed <gerry@ccomm.net> wrote in message news:<5pwC9.113561$oRV.11488@news04.bloor.is.net.cable.rogers.com>...
>]> Quote from the article
>]> "Study: Linux's Security Problems Outstrip Microsoft's"
>]> NewsFactor Network (11/15/02); Maguire, James
>]> at http://www.newsfactor.com/perl/story/19996.html
>]>
>]> "Open source software has more security holes than Microsoft software,
>]> according to an Aberdeen Group report. The report backs up its
>]> conclusions with findings from the Computer Emergency Response Team
>]> (CERT), in which 16 out of 29 advisories issued in the first 10 months
>]> of 2002 were related to open source and Linux software; in contrast,
>]> Microsoft software accounted for only seven reported problems. CERT
>]> also reports that the number of Trojan horse and virus advisories
>]> revolving around Microsoft applications fell from six in 2001 to zero
>]> in the first 10 months of 2002. Aberdeen Group research director Eric
>]> Hemmendinger, who co-authored the report, notes that the greater number
>]> of open source vulnerabilities runs counter to the assumption that
>]> Microsoft software has the weakest security. He attributes the rise in
>]> open source security flaws to a lack of a quality assurance testing
>]> entity. Meanwhile, Hemmendinger believes that the shrinkage of
>]> Microsoft security problems could demonstrate that the company's
>]> increased emphasis on security is having a noticeable effect. "[T]here
>]> have been a number of things that have gone on [in Microsoft] over the
>]> last couple years reflecting that they know security matters, and that
>]> they had to pay attention to it," he declares. Hemmendinger anticipates
>]> that Microsoft security problems will either continue to fall or
>]> plateau, while open source security advisories will continue to rise."
>]>
>]> That doesn't sound very good... Any comments ?
>
>To repeat, in the 80's Sun had far more CERT reports than did HP. Did this mean that HP
>was more secure? Well, I submitted a report to CERT on an HP-Apollo hole which they
>agreed was a hole, but they never published anything because they demand the cooperation
>of the vendor and HP never responded.