Well, it all depends on how he defines security in Linux. RedHat 6.2-secure or 
Adamantix/Hardened Gentoo-secure?
These last two beat Windows-based solutions out of the box any time, and they 
have a pretty good chance surviving zero-day threats.
All that, when Microsoft "advertise" that they are more secure compared to 
RedHat, because they have less unpatched holes for the same period of time, 
before releasing a patch. That is a complete joke! We all know Redhat (not 
Fedora) is junk. It worked its way down during the years to become the most 
windows-like distribution out there and it is probably worsened since the 
last time I checked. Although Fedora do surprise me, in a good way of course, 
they still have a lot of work to do until they get to the level of 
Gentoo-hardened or Adamantix - both from a security point of view, and from 
ease of maintenance.

The security technology in the open source world is generations ahead from 
Microsoft on the x86 platform. Period.

The problem of the corporations and small businesses is that they do not 
always have well enough trained staff to deploy advanced opensource 
solutions. Microsoft sales managers go straight up to the CEOs or CTOs and 
try to sell them their solutions, because they are likely to not actually 
understand what exactly are they buying, but they will anyway, because 
Microsoft puts effort in business development, while most of the opensource 
products sell themselves.
These two factors combined, give you the most likely scenario of getting 
Windows into every bigger business.

Long story short,
the guy who that bold statement belongs to is probably either a corporate 
insect Powered by Microsoft (tm), or an undercover MCSE.

Another thing that really made me angry was the "many attacks these days are 
aimed at Linux servers rather than Windows systems." -- WHAT!?
Did he count the IIS vulnerability exploitation attempts sweeping my Actcom 
range every few minutes or the zombie bot nets built from up to 20 thousand 
Windows machines? Right. I'd leave the judging to you this time.

In all cases, he made a fool out of himself.

Kind regards,
Alex

On Friday 18 February 2005 16:45, Danny Lieberman wrote:
| Shachar, Dorom -
|
| Indeed an interesting story and totally meaningless - I expected more
| from a lecture at RSA.  I had a high regard for the conference until now.
|
| Vulnerabilities mean NOTHING without context of threats, agents,
| economic "value" of asset damage and cost of mitigation..
|
| Lets propose a simple counter example.  Assume a vulnerability in a X11
| that enables an attacker to gain root access.
| In W2003 server you cannot remove the  Windowing subsystem whereas in
| Linux - unless your'e dumb and/or lazy - a Linux server doesnt even run X.
| The cost of mitigation in Linux is zero (just remove X11 or dont check
| it during installation) whereas the cost of mitigation in W2003 is well
| - your guess is as good as mine
|
| I think the FOSS community should have zero-tolerance for trade-show
| bandstanding and tomfoolery.
|
| Shabat shalom
| danny
|
| Shachar Shemesh wrote:
| > Doron Shikmoni wrote:
| >> Haven't read this yet, but I figured the title is interesting
| >> and provocative enough for this list...
| >>
| >> http://www.vnunet.com/news/1161323
| >>
| >> A Linux enthusiast at the RSA Conference  in San Francisco
| >> has reluctantly concluded that Microsoft produces more secure
| >> code than its open source rivals.
| >
| > I think the question remains - what did they test?
| >
| > They did not test a live system, they counted vulnerabilities. The
| > question is - which? Did they count the overall amount of
| > vulnerabilities, or just those that had to do with the specific system
| > they set up?
| >
| > But, yes, I think this is an interesting one.
| >
| >             Shachar

-- 
The difference between theory and practice, is that in theory, 
there is no difference between theory and practice.

Attachment: pgpGAuNims79Z.pgp
Description: PGP signature

Reply via email to