Well, it all depends on how he defines security in Linux. RedHat 6.2-secure or Adamantix/Hardened Gentoo-secure? These last two beat Windows-based solutions out of the box any time, and they have a pretty good chance surviving zero-day threats. All that, when Microsoft "advertise" that they are more secure compared to RedHat, because they have less unpatched holes for the same period of time, before releasing a patch. That is a complete joke! We all know Redhat (not Fedora) is junk. It worked its way down during the years to become the most windows-like distribution out there and it is probably worsened since the last time I checked. Although Fedora do surprise me, in a good way of course, they still have a lot of work to do until they get to the level of Gentoo-hardened or Adamantix - both from a security point of view, and from ease of maintenance.
The security technology in the open source world is generations ahead from Microsoft on the x86 platform. Period. The problem of the corporations and small businesses is that they do not always have well enough trained staff to deploy advanced opensource solutions. Microsoft sales managers go straight up to the CEOs or CTOs and try to sell them their solutions, because they are likely to not actually understand what exactly are they buying, but they will anyway, because Microsoft puts effort in business development, while most of the opensource products sell themselves. These two factors combined, give you the most likely scenario of getting Windows into every bigger business. Long story short, the guy who that bold statement belongs to is probably either a corporate insect Powered by Microsoft (tm), or an undercover MCSE. Another thing that really made me angry was the "many attacks these days are aimed at Linux servers rather than Windows systems." -- WHAT!? Did he count the IIS vulnerability exploitation attempts sweeping my Actcom range every few minutes or the zombie bot nets built from up to 20 thousand Windows machines? Right. I'd leave the judging to you this time. In all cases, he made a fool out of himself. Kind regards, Alex On Friday 18 February 2005 16:45, Danny Lieberman wrote: | Shachar, Dorom - | | Indeed an interesting story and totally meaningless - I expected more | from a lecture at RSA. I had a high regard for the conference until now. | | Vulnerabilities mean NOTHING without context of threats, agents, | economic "value" of asset damage and cost of mitigation.. | | Lets propose a simple counter example. Assume a vulnerability in a X11 | that enables an attacker to gain root access. | In W2003 server you cannot remove the Windowing subsystem whereas in | Linux - unless your'e dumb and/or lazy - a Linux server doesnt even run X. | The cost of mitigation in Linux is zero (just remove X11 or dont check | it during installation) whereas the cost of mitigation in W2003 is well | - your guess is as good as mine | | I think the FOSS community should have zero-tolerance for trade-show | bandstanding and tomfoolery. | | Shabat shalom | danny | | Shachar Shemesh wrote: | > Doron Shikmoni wrote: | >> Haven't read this yet, but I figured the title is interesting | >> and provocative enough for this list... | >> | >> http://www.vnunet.com/news/1161323 | >> | >> A Linux enthusiast at the RSA Conference in San Francisco | >> has reluctantly concluded that Microsoft produces more secure | >> code than its open source rivals. | > | > I think the question remains - what did they test? | > | > They did not test a live system, they counted vulnerabilities. The | > question is - which? Did they count the overall amount of | > vulnerabilities, or just those that had to do with the specific system | > they set up? | > | > But, yes, I think this is an interesting one. | > | > Shachar -- The difference between theory and practice, is that in theory, there is no difference between theory and practice.
pgpGAuNims79Z.pgp
Description: PGP signature
