| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: eballen1 at qwest.net (Bruce Ediger) Subject: Linux (in)security (Was: Re: Re: No Subject) On Wed, 22 Oct 2003, Peter Busser wrote: > Because Linux people in general seem to be more concerned about speed and > features than about security. For example, the only reason Linux Security > Modules (LSM) have been included in the kernel, is that they don't have a > performance impact on users who do not load any security modules. People have ... > In general people seem to believe that Linux is either secure or can be made > secure by removing packages and unused services. This believe that Linus is > already secure makes people uninterested in security. Why improve something ... > People apparently do not realise that a wooden house is not sufficient to > protect against the big bad wolf. And there is currently no brick house to flee > to when the wolf comes... OK. No quibble from me about the absolute security of any particular operating system. But arguments like "linux viruses are possible" or "NetBSD has security flaws, too" don't address real questions, and they approach being vacuous truisms. The real questions go something like: "Source code for Unix viruses has been available for years, from sources almost too numerous to mention. Why haven't Unix viruses become epidemic the way that Windows viruses have?" "Security problems of the same magnitude as .ida buffer overflows, or MSRPC buffer overflows exist in unix programs like Sendmail and others. Why hasn't a worm materialized for this problem?" "The scalper worm didn't effect nearly as many hosts as msblast did. Why not? Why did the scalper worm seem to die out, yet wormwatch.org still records many hits from much older worms like SQLSpida and Nimda?" And I guess you can generalize and ask why the Windows "culture" generates so many problems of such a magnitude, that last so long? My home office web server got a Code Red hit on Sept 19th 2003, for example. Other computing cultures (Unix, Mac, etc) don't seem to exhibit this. Why not? Shouldn't we focus our efforts on figuring out what aspects of Linux or Mac cultures keep epidemics from occuring? It's certainly a waste of breath to point out that OS X has horrendous security flaws when none of them turn into grotesque epidemics like Sobig.f. To extend your "wooden house" analogy a bit: In a city made entirely of wooden houses, a single house fire is way more likely to level the city than a in a city where a mix of wooden, brick and vinly-sided houses. Having the occasional brick house mixed in with the wooden houses provides a lot of resistance to a whole-city conflagration. It doesn't provide absolute immunity from fires for every house in the city.
Powered by blists - more mailing lists