I will refer back to a previous statement made along these same lines. Note however that I am not interested in any kind of religious debate over whose systems are better or more secure. I maintain a firm belief in "the right tool for the right job". While I have not conducted a statistical analysis (nor am I interested in doing so), my own personal experiences with the continual flood of security vulnerability alerts lead me to believe that the statement made below is true. However, I do agree with you that it is indeed more realistic to look at individual vendor implementations to determine the true nature of vulnerability statistics in relation to Linux distributions.
From prior post: While it is true that many Linux vulnerabilities stem from applications and services that are not considered 'core' to the OS, the fact that these applications are provided as part of a distribution, and are often installed by default (depending on the installation process), should be kept in mind. Also note that many Linux security holes in 'non-core' applications or services generally tend to impact or affect a great number of the distributions that are out there.

- Brad Bemis

-----Original Message-----
From: N407ER [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 6:17 PM
To: Brad Bemis
Cc: Dan Bartley; [EMAIL PROTECTED]
Subject: Re: Ten least secure programs

How were the statistics gathered? RedHat may very well be as quick as Microsoft at releasing security patches, while Linux From Scratch, by definition, relies on the user to patch individual code from individual authors. I don't see any way to comprehensively lump *all* Linux-based OSes together in this regard; taking one distribution the way FreeBSD is taken independently of NetBSD, OpenBSD, OSX, BSDi, and the various BSD spinoffs seems far more accurate.

This raises one of the key points about how meaningful software update speed really is; Microsoft tends to release updates very quickly, but this has less relevance, in my opinion, to the security of a Microsoft product than it may seem at first. How, for example, would you rate the speed of updates versus the quantity? Is an OS with many bugs (compared to, say, FreeBSD) but which updates faster better or worse? With a closed commercial product, it is difficult to fix problems yourself as well, so again the speed of the updates is critical, while with something like Linux, some vulnerabilities can be fixed with a patch from a third party or with a recompile with a certain option.

I think I've made the point. Comparing as a whole just doesn't make sense; comparing one distro to another makes only slightly more.
Evaluating the security of the product depends on the admin, the environment, and the use. Windows can be far more secure than Linux, as can the opposite be true. Let's avoid religious debates.

Brad Bemis wrote:
> That is a great observation. Many people appear to forget this when the
> Microsoft bashing begins...
>
> - Brad Bemis
>
> -----Original Message-----
> From: Dan Bartley [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 03, 2003 12:40 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Ten least secure programs
>
> You might want to study the statistics for the past year before making
> "my favorite OS" statements. Linux actually came out on top of the pile
> for number of security holes, number left unfixed, number of actual
> compromises and slowness in dissemination of information and fixes.
>
> FreeBSD came out among the best, or near, I believe. Windows was in the
> middle.
>
> Best Regards,
>
> Dan Bartley