On Wed, Aug 04, 2004 at 09:23:15PM -0700, Jacob Meuser wrote:
> > But where open source is different from proprietary code is that
> > open source encourages honest people to access source code, and
> > find security holes and patch them fast. The large open-source
> > community can find and patch security holes faster than teams of
> > proprietary developers - even when those developers work for
> > Microsoft - simply because the proprietary developers are hobbled
> > by their need to keep secrets.
>
> This is horse hockey. Bad code is bad code. Yes, they _can_ find
> the problems, but all too often it's after an incident.

This is true enough, but it's true for any code. You usually don't know
it's broken until someone reports the vulnerability. The issue is, what
is the frequency and severity of these vulnerabilities? What is the
average time to a workaround? To a proper fix? How often does a proper
fix actually fix the underlying problem? Linux, UNIX, and most any
reasonably modern vaguely POSIX platform is going to tend to earn higher
marks here than non-POSIX platforms. Anything is going to rate higher
than Windows, where the same vulnerability is "fixed" again and again,
yet continues to see new exploits.

Oh yes, you wanted proof:

- teardrop

  Took down basically any BSDish TCP stack, usually locking the machine
  solid in the process. Affected ... EVERYTHING.

  Linux patch: 4 hours
  Windows patch: 4 weeks
  Windows re-exploit: newtear, released about a month after the patch

  Other OSes had patches in various timeframes, but none took a month to
  release the patch. And again, only Windows was affected by newtear,
  which depended upon the Windows patch being a bandaid rather than a
  real fix.

- Outlook MIME type vs file contents/extension

  Things attached to email such as "images" and "midi files" (based on
  MIME type) would be automatically executed when you opened HTML email
  which embedded these things. Executed, as in, compiled code. While
  this affects only Windows systems, similar bugs have been found in
  other programs. Of course, this bug was left UNPATCHED for about three
  months, and was trivially re-exploited using vbscript in the HTML
  email once a patch was issued. Microsoft declared VBScript's ability
  to do this kind of thing a FEATURE and left it unpatched for about a
  year or more.

> > Another reason for Linux's inherent security is its user model.
> > End-users run with limited privileges; only systems
> > administrators have access to the all-powerful root account.
> > Mostly even systems administrators run as limited-privilege
> > users, unless they absolutely need root access. By limiting
> > users' access to systems, Linux limits the amount of damage a
> > user can do.
>
> Whatever. That has been part of UNIX for ages. It's not something
> invented in linux land.

This is a straw man. The article did not claim Linux invented this
feature, only that having it gives Linux an advantage over lesser
operating systems which don't.

> > Linux's lower vulnerability, compared with Windows, isn't just a
> > function of its smaller popularity. Linux is breached less often
> > because it's more secure. Microsoft has a lot of catching up to do.
>
> You know, I agree that generally linux land is more secure than MS
> products, but please, where is the hard evidence? The author says
> "Linux is breached less often because it's more secure." "Linux
> is inherently more secure." But he never mentions anything about the
> code itself, not to mention coding practices. He merely speculates.

There's a long list of evidence, most of it anecdotal naturally, that
Linux does not have the type or severity of exploits reported in the
windows world at anywhere near the same frequency. Certainly Linux
developers do not take the cavalier attitude toward a known exploit
seen from Microsoft.

> I'm sorry but as long as there are GNU developers who don't want
> strlcat to be part of glibc, I'm going to have to agree that linux
> is more secure than MS products because it comes from a UNIX
> background (and I'd say it's the least secure of modern UNIX-likes),
> and is less targeted than MS.

Fair enough, the glibc people won't touch strl* because they didn't
think of it first. It's stupid, and I have my own private copy of these
functions in any project where it would make sense to have them. When I
don't have them, I carefully audit each strn* function call to make
sure that the string gets terminated properly. Others do the same.

Still, the lack of a couple of functions in glibc does not make Linux
inherently insecure, just as BSD's lack of getline doesn't make BSD
incapable of handling interactive input in any safe manner.

The simple truth is that for most practical purposes, Linux IS UNIX. It
runs the exact same software you get with BSD or Solaris, and has the
exact same flaws these others do. No, there is no Linux counterpart to
Theo de Raadt to make the claim that Linux has not seen an exploit in
four years, but Theo can't make that claim about OpenBSD either. (It's
funny, every year the claims about OpenBSD's spotless record become
more qualified to omit the spots. All nontrivial software is buggy by
definition and all buggy software must be assumed to have some security
flaw somewhere.)

_______________________________________________
EUGLUG mailing list
[EMAIL PROTECTED]
http://www.euglug.org/mailman/listinfo/euglug
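As an added illustration of the strn*/strl* point argued in the message above (this is example code written for this page, not code from the post, from glibc or from any BSD libc), the C below shows the termination hazard in a bare strncpy call, the "audit each strn* call" pattern of forcing a terminator, and a private strlcpy/strlcat pair written to the documented BSD semantics (always NUL-terminate when the buffer size is non-zero, return the length of the string the call tried to build so truncation is detectable). The my_ prefix, the 8-byte scratch buffer and the sample strings are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Private strlcpy: copy at most dsize-1 bytes, always terminate if dsize > 0,
 * return strlen(src). A return value >= dsize means the copy was truncated.
 * (Prefixed my_ so it cannot collide with a libc that ships strlcpy.) */
size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Private strlcat: append src to dst within dsize bytes total, terminate,
 * return the length of the string it tried to create. If dst is not
 * terminated within dsize the result is dsize + strlen(src), which is
 * still >= dsize and therefore reported as truncation. */
size_t my_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')   /* bounded scan of dst */
        dlen++;
    if (dlen == dsize)
        return dsize + strlen(src);
    return dlen + my_strlcpy(dst + dlen, src, dsize - dlen);
}

/* The hazard: strncpy writes no terminator when strlen(src) >= n.
 * Returns 1 if dst is NUL-terminated within n bytes after the call, else 0. */
int strncpy_terminated(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* The audit pattern for a strncpy call: copy n-1 bytes, force a terminator.
 * Returns 1 if the whole of src fit, 0 if it was silently truncated. */
int strncpy_audited(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return 0;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) < n;
}

/* strlcpy style: one call, and the return value itself reports truncation. */
int strlcpy_checked(char *dst, size_t n, const char *src)
{
    return my_strlcpy(dst, src, n) < n;
}

/* Constructed scratch buffer and inputs: "abc" fits, "0123456789" does not. */
char g_buf[8];

/* Runs every scenario above on g_buf; returns 1 only if all behave as
 * described in the comments (unterminated strncpy detected, audited copy
 * and strlcpy both terminate and report truncation), else 0. */
int self_check(void)
{
    int ok = 1;
    ok &= strncpy_terminated(g_buf, sizeof g_buf, "abc") == 1;
    ok &= strncpy_terminated(g_buf, sizeof g_buf, "0123456789") == 0;
    ok &= strncpy_audited(g_buf, sizeof g_buf, "0123456789") == 0;
    ok &= strcmp(g_buf, "0123456") == 0;
    ok &= strlcpy_checked(g_buf, sizeof g_buf, "0123456789") == 0;
    ok &= strcmp(g_buf, "0123456") == 0;
    ok &= my_strlcpy(g_buf, "abc", sizeof g_buf) == 3;
    ok &= my_strlcat(g_buf, "de", sizeof g_buf) == 5;
    ok &= strcmp(g_buf, "abcde") == 0;
    ok &= my_strlcat(g_buf, "fghij", sizeof g_buf) == 10;   /* truncated */
    ok &= strcmp(g_buf, "abcdefg") == 0;
    return ok;
}

int main(void)
{
    printf("bare strncpy terminated for long input: %d\n",
           strncpy_terminated(g_buf, sizeof g_buf, "0123456789"));
    printf("all checks pass: %d\n", self_check());
    return self_check() ? 0 : 1;
}
```

The point to take from the two copy functions is that strncpy_audited needs an extra statement and an extra strlen to learn what my_strlcpy reports for free; in a code base without strl* that extra statement is exactly what the audit has to confirm at every call site.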
