Date: Thu, 13 Nov 2003 12:46:36 -0500
From: "Ryan Johnson" <>
   full-disclosure people <>
Subject: Re: Re: Funny article

I think it is unfair to categorize Linux or Windows as having a vulnerability just because an application like Apache has a vulnerability. I mean, as someone stated earlier, the Linux and Windows developers have no control over third-party apps. If IIS has a bug, that should look bad on Microsoft, but not on Windows.

Ballmer is banking that the people he is talking to do not understand the difference between Linux, its distros and Windows; this is truly comparing apples and oranges. You know what, he is going to get away with it, because most people don't understand.
If you were to compare a full Red Hat 9 install against a full Win2k Server install, Red Hat 9 would most likely lose, because Red Hat 9 has many more apps and is therefore more likely to have bugs. Even if you compared Linux, which would be just the kernel and maybe some of the GNU tools to interact with the kernel, vs. Windows, it is still not fair. Windows has a kernel, a GUI, and everyone's favorite user-space app that cannot be uninstalled, IE. In this case Windows has a greater chance of having bugs.

Then you have cases with distro-specific bugs, which often are categorized as a Linux bug. An example of this was the Apache config file bug on Red Hat from last week. That is a Red Hat bug, not a Linux bug, nor is it an Apache bug. Slackware did not put that configuration in their Apache server configuration.

Another comparison that I abhor is the stability issue. "Linux is more stable than Windows". Are you talking about Linux with the GUI, or without? Running Linux without the GUI is incredibly stable. Linux with a GUI, well, stability definitely decreases (but in reality it is not Linux's stability in question, rather that of the GUI).

What about OpenBSD (don't get me wrong, I love OpenBSD)? They claim "Only one remote hole in the default install, in more than 7 years!". Well, of course; have you ever installed OpenBSD using the default? The only remotely accessible service is OpenSSH, vs. multiple services in a Red Hat default install, vs. multiple services in a Windows default install. I could make my own Linux distro with no remote services enabled by default and it would never have a remote hole in the default install.

My point is that it is very hard to compare the BSDs, the distros and Windows. The BSDs and Linux are easier to compare, but then you have the distro aspect.

As far as patches getting out, I am very happy with the response from the open source community; I think they do an excellent job. I very rarely have a problem with an open source patch; if the author does not come out with a patch, more than likely someone who has reviewed the code will.


> On Thu, Nov 13, 2003 at 03:20:14AM +0100, Mikael Olsson wrote:
> > I'm sorry to disappoint you, but the script kiddies don't care
> > about zealotry. I have yet to hear one say "Oh, this is a Linux
> > box, so I can't use this Apache bug to own it. That'd be rong."
> > 
> I don't think anybody said a Linux box can't be owned with an Apache
> flaw. My argument for the count of bugs is that they should be counted against the
> people who actually WROTE the code. In Microsoft's case it is because
> they wrote IIS, 2000/XP/2003, and Exchange. In contrast, the Linux kernel
> project just wrote the kernel. It sounds like you want a list of
> open source bugs vs. Microsoft bugs.
> > Saying "the linux kernel has only foo bugs while every microsoft
> > app combined has foo^3 bugs" makes no sense in a security 
> > discussion. You don't read mail or serve web pages with a kernel.
> > 
> No one is saying this. To be truly useful, a list of bugs should be done
> by developer, not by instance of software. This will help establish
> trends in their software development practices.
> > Publishing an _unbiased_ report of total vulnerability counts 
> > for two or more OSes, with common apps installed, is a service
> > to admins everywhere.  (And no, I _really_ don't think comparing 
> > RH6 with W2K3 is "unbiased". I think it stinks.)
> > 
> I think blaming OS developers for code they didn't write nor have any
> control over isn't unbiased. It would be a different story if it was a
> flaw in something like redhat-update. That is clearly a Red Hat bug, but
> that is still not a Linux bug.

Ryan Johnson
Security Architect
ESP Group

Full-Disclosure - We believe in it.
