On Fri, Feb 11, 2005 at 03:36:42PM -0800, Andrew P. Lentvorski, Jr. wrote:
>
> On Feb 11, 2005, at 1:21 PM, Lan Barnes wrote:
>
> >-snip of a mudslide of FUD-
>
> His fundamental assumption of "risk begins with patch posting" is just
> completely flawed. The only saving grace is that black hats are often
> so stupid that they give themselves away by beating on the machines of
> white hats. The downside is that the black hats are getting smarter
> about this.
>
> However, while I'm far from being a Microsoft apologist, his numbers
> point out deficiencies in open source. There are some issues.
>
> There is a time lag between external package maintainers and
> distributions. This is right on and needs to be improved.
>

He's comparing apples to unicorns, and he cheats, too. What is the problem? Too much choice? Knowledgeable users know what to use. Ignorant users? Linux has far fewer of those. Too many services by default? All of the above and also, which boxes get hacked by default?

> The distributions *do* come with an insane pile of software with no
> choice which eliminates most of them. This is spot on. One of the
> reasons why I run FreeBSD on my servers is that I don't have to hunt
> down and turn off a whole bunch of stuff that I have never heard of.
> Linux has gotten *much* better about this in the last year or so,
> though.
>
> In addition, most people who suddenly find themselves in need of a
> database are already likely to be running Microsoft to begin with. SQL
> server then becomes the logical quick fix.
>

No, "most people" use Access or <gag> Excel for their data. Professionals buy and work with SQL Server, and _they_ can't keep it clean. OK, not fair, because my understanding is that most of the security problems in m$ are not in the apps (well, maybe IE and Word) but in the underlying architecture.

> His comments about MySQL are spot on, but MySQL *is* often good enough.
> However, if "good enough" isn't, there is PostgreSQL. Otherwise, step
> up to the big boys.
>

MySQL on what? M$? A bastard mutant. I don't use MySQL, but tons of sharp pros do, and they do fine with it within the constraints of their applications. And as you point out, PostgreSQL (which I do use) is always there (part of the "insane choice"?). Neither MySQL nor PostgreSQL is, AFAIK, considered an exploit vector, which was what this was about in the first place.

> >We use SAP at my work. My conclusion: Anyone brain dead enough to
> >select
> >SAP as an enterprise SW solution would naturally conclude that M$ was
> >the safest, least expensive, most nutritious and best tasting SW in the
> >whole world, Auntie Em.
>
> Well, okay, I won't argue with you much here. Let's just say that SAP
> is aptly named considering A) what it does to a company and B) how well
> it describes the people who buy it.
>
> -a

Except in industries like ISPs and telecom where *nix dominates, "professionals" run M$ because they haven't any clue on there being a better way. It's not particularly rational, and emails like the one we're commenting on are theological in nature. They are by the faithful for the comfort of the faithful.

I might add that in my experience in the US business world, the actual techies who make the wheels turn mock the decision makers who choose M$ while they go about their business of making the systems work (and cleaning off the viruses etc etc). There is no sentiment inside IT below the level that charts direction that wiser heads are doing everything necessary to attend to system security. We laugh at the bozos who sign the checks.

There are real for-profit companies that have largely or completely converted to Linux or FreeBSD, and their people never write long letters about how they pine to go back to the good old days of M$ in their companies. I've never seen one, anyway. "Boy, those were the times ... we _never_ had security problems when we ran Windoze!" Ha!

I realize that I'm hardly the most technically astute person on this list, but I can tell the difference between convincing argument and ponderous bull-pucky. And I don't care to waste the time being "fair and balanced" if it means pretending that someone who flies in the face of reality should be listened to because he wraps his arguments in some irrelevant numbers and sounds erudite.

So, can a bad admin make a Linux box insecure? Sure. Lots of ways. Is there a bunch of SW on a SuSE or RH distro that no sane person would install? Probably -- there's a lot there. Does this mean M$ is a more secure operating system? Ha ha ha ha ha ha ha ...... Get real.

--
Lan Barnes [EMAIL PROTECTED]
Linux Guy, SCM Specialist
858-354-0616

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
