lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200310232130268.SM02320@lt001010254>
From: arcturus at secrev.net (Arcturus)
Subject: [inbox] Re: RE: Linux (in)security

AMEN!!! 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Paul Schmehl
Sent: Thursday, October 23, 2003 6:15 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

--On Thursday, October 23, 2003 02:32:37 PM -0500 Curt Purdy
<purdy@...man.com> wrote:
>
> I hardily disagree.  When you have inherently more secure code in OS's 
> like *NIX and Netware, as evidenced by the paltry number of patches 
> required by those OS's (1 in Netware vs. 38 for Windows in the same
> period)

This is an apples to oranges comparison.  Netware is a network OS. 
"Windows" includes all the applications that come with Windows, whether they
are part of the base OS, part of the networking functions or addons. 
(IE, OE, etc.)

> it doesn't matter how well you configure Windows, it will still be 
> vulnerable, waiting for a compromise of the next discovered hole.  The 
> reason for this is fundamental in the design.  From the use of a 
> registry (which corrupts with time, finally requiring re-installation)

I have never experienced this in 20 years of using and supporting Microsoft
products.  I guess I'm unique.

> to the fact
> that no single human being knows all the source code for Windows, much 
> less audits it, is the difference between MS and the rest.
>
I assume you can name a single human being who knows all the source code for
Unix?  Including the apps?  (I really want to meet this person.)

> This is the reason open-source is inherently more secure.  First, 
> people can actually audit it for security (you think IBM recommended 
> Linux without going over every single line of code?)

Which is why they release security advisories for things like kernel
vulnerabilities, right?  Because they vetted the code and *knew* it was OK? 
They certainly wouldn't audit the code and miss a vulnerability in the linux
kernel, right?  Oh, and BTW, where exactly *is* IBM's security site where
you can quickly view all the advisories they've released?

Your arguments are nothing short of silly.

In 2003 there have been 43 security advisories for SUSE Linux according to
SUSE's website:
http://www.suse.com/de/security/announcements/index.html

RedHat has had 53 during the same time period:
https://rhn.redhat.com/errata/rh9-errata-security.html

Debian has had 176 during the same time period:
http://www.debian.org/security/2003/

(Makes me wonder if the other vendors are really being honest.  Is Debian
that bad?  Or just much more thorough, forthright and conscientious than the
others?)

During the same time period, Microsoft has had 47.  And those 47 include
things like Exchange Server and SQL Server, not *just* the Windows OS.  I'd
say *everyone* has a poor record, and instead of OS bigotry we *all* ought
to be concentrating on getting *all* vendors to release more secure code. 
Imagine how much fun it is for an enterprise with 10,000 computers, each of
which has to be patched 40 or 50 times a year, *regardless* of the OS.  We
ought to be disgusted with *all* the vendors.

Then you have some blaming the "monoculture" for our security problems. 
Yeah, what we really need is to do maintenance on ten different platforms,
*all* of which have to be patched 40 or 50 times a year.  Yeah, that's my
idea of fun alright.  But we'd be more secure because of the diversity,
right?  Sure.  And I've got some swampland I'm looking to get rid of.

>  Second, everyone can see
> the code and contribute fixes when they see a potential problem, not 
> after a vulnerability has developed and been discovered.

Sure.  This is why buffer overflows have been missed in the code for years,
right?  This is why wu-ftpd keeps having new vulns discovered every year,
right?  Why sendmail keeps having new vulns discovered over and over again? 
Why KDE is constantly being patched for the latest security weakness, right?
Cause people have pored over that code, every line, and they *know* it's
secure, right?

  True Netware is
> closed-source but the engineering is superb and it does only what it 
> needs to do, be a network OS.

And you know this because you've audited the code, right?  Oh wait, you
can't do that.  So this is just an opinion based on observation, familiarity
with the product and trust of the vendor.

However, Novell has released 24 security advisories this year:
http://support.novell.com/filefinder/security/index.html

So it appears your faith in them might be misplaced.  It looks like their
programmers are struggling just like everyone else's to write secure code.
>
> People have the wrong idea when they say "Windows vulns are more 
> researched and discovered because it so prevalent.  Without a total 
> re-architecture and re-write of Windows code, if and when (hopefully) 
> Windows OS's become a minority, they will still be getting the vast 
> majority of discovered and exploited holes. Lay a dollar to a dime on 
> that.
>
When Windows becomes a minority OS, the hackers and script kiddies will have
moved on to whatever is the most popular and weakest platform.  I can't name
an OS that hasn't been hacked, can you?  I can't name a widely used
application that hasn't had at least *one* patch released for a security
problem, can you?  (Even Postfix had a remote DoS recently, which really
depressed me.)

Don't get me wrong.  My favorite OS right now is FreeBSD.  And I believe
that open source is superior to closed, proprietary source, for a number of
reasons.

But they all have problems, and they all need to be fixed from time to time
and they *all* need to improve their security procedures and code auditing
and programming practices.  Every one of them.

What we need is a sea change in the way OS vendors do business.  Not OS
bigotry and constant sniping about who's worst and who's best.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ