Hi

Please stick to the point

On Sat, Feb 19, 2005 at 02:20:19AM +0200, Alex Behar wrote:
> The comments are inline.
> 
> On Friday 18 February 2005 23:19, Tzafrir Cohen wrote:
> | Hi
> |
> | Could anybody give a direct reference to the lecture notes or something
> | similar? I have only read the report in the link above
> |
> | On Fri, Feb 18, 2005 at 05:58:34PM +0200, Alex Behar wrote:
> | > Well, it all depends on how he defines security in Linux. RedHat
> | > 6.2-secure or Adamantix/Hardened Gentoo-secure?
> | > These last two beat Windows-based solutions out of the box any time, and
> | > they have a pretty good chance surviving zero-day threats.
> |
> | This research did not check the level of security. It checked one of its
> | parts: response to advisories.
> |
> | And it specifically checked a certain high-profile linux distribution.
> |
> | > All that, when Microsoft "advertise" that they are more secure compared
> | > to RedHat, because they have less unpatched holes for the same period of
> | > time, before releasing a patch. That is a complete joke! We all know
> | > Redhat (not Fedora) is junk.
> |
> | I don't consider RedHat's level of security to be "joke". It certainly
> | has sane defaults generally.
> |
> | > It worked its way down during the years to become the most
> | > windows-like distribution out there and it is probably worsened since the
> | > last time I checked. Although Fedora do surprise me, in a good way of
> | > course, they still have a lot of work to do until they get to the level
> | > of Gentoo-hardened or Adamantix - both from a security point of view, and
> | > from ease of maintenance.
> |
> | Please check again. The defaults have become much better than in the
> | days of RH62. It will now turn off most unnecessary services, install a
> | simple iptables firewall by default etc.
> 
> Firewalling and "sane defaults" cannot protect you against zero day attacks, 
> just like windows update can't - especially with the current publically 
> available techniques. That's where security really matters, defending agains 
> real world threats, not some automated publically-known attack by a tool like 
> Core Impact, CANVAS or just a script kiddie with an exploit at his disposal.
> 
> |
> | But this is not the issue here.
> 
> Ofcourse it is. There is no secure code and we all know that. There are 
> simply 
> too many things that can go wrong, thats why we need to approach the same 
> problem from a few different angles in order to better protect ourselves. 
> Coder make mistakes, they we are only human. Some make more then others...

The article was not about this. It was about responsiveness. My
knowledge of Windows is not good enough for that. 

It normally takes a while for exploits to be generated and propagate,
just like updates. The holes shouldn't have been there in the first
place, but they are. 

Workarounds such as non-executable stack which you seem to admire only
make it more difficult to write expliots. But then again, as such
techniques become more common then so will working aaround them become
faster.

The question that study tries to check is "how big is the window of
exposure?". 

I have no idea where it has the data of windows holes from. e.g: how
does he know exactly since when these holes were known. Only recently we
were told about major security holes that were reported to MS and not
published for monthes. 

RedHat simply cannot afford to delay fixes for too long, because others
will patch the same problem soon and this will look quite bad for RH.
However does it have resources to issue relible fixes fast enough?

There is also the bias regarding the quantity: RHEL (or any linux distro) 
is basically the equivalent of not only the base windows 2003 but of
windows2003 with quite a few extra softwares. Such a research should
also include MS-Office, exchange, etc.

And then, as someone already mentioned, there is the issue of sevirity.
If there is a buffer-overflow in apahe, sshd or whatever you need a fast
fix for it. Some other issues can wait a bit longer (to get better QA).
There is no guarantee that MS actually issues fixes to such holes. Or
that it doesn't bundel several of those together to reduce the number of
"known problems problems" with the OS.

-- 
Tzafrir Cohen         | New signature for new address and  |  VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's  
[EMAIL PROTECTED] |                                    |  best
ICQ# 16849755         | Space reserved for other protocols | friend

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Reply via email to