Langa Letter: Linux Has Bugs: Get Over It (TechWeb)
It's hard to imagine a less inflammatory or more obvious assertion--that all operating systems have bugs and security issues--but I won my bet: Linux and open-source fans thought I was attacking them or their preferred operating system. They deluged me with E-mails, many irate, claiming that CERT (and I) were dead wrong.

Posted Jan 27, 2003 23:57 UTC (Mon) by ncm (guest, #165)

Still wrong

He is still wrong. In fact, the bugs he chose as examples demonstrate it.

He identified two bugs pulled from the CERT list as comparable, a ptrace bug in RH's kernel, and the WM_TIMER bug in the w32 API. It is true that they are of comparable severity. However, the ptrace bug was fixed immediately, but the WM_TIMER bug not only hasn't been, but (according to reports) can't be, and (according to MS) won't be.

Posted Jan 28, 2003 4:25 UTC (Tue) by cajal (guest, #4167)

He counts total # of bugs for RedHat 7.3. He then tries to count the total # of bugs in WinXP. But that's hard to do. WinXP "itself" only has 22. RedHat has 150-some. But RedHat includes a lot more software than just "plain" WinXP does. When you factor in IE, Outlook Express, MSN Messenger, NetMeeting, IIS, MSDAC, Office XP, Windows Media Player, SQL Server 2000, the .NET Framework, etc -- well, then the # of bugs in a typical install of WinXP jumps (to roughly 64, by my count). But the problems don't just end there. To get a count of the total # of bugs that have affected WinXP you need to do more. MS releases new versions of Windows "components" (IE, Outlook, WMP) while WinXP itself is out. So you also have to factor in all the bugs from both WMP 8 (which shipped with WinXP when it was first released) and WMP 9 (which was just released a few weeks ago). That will also elevate the # of bugs. So, it's really hard to say how many bugs have affected your typical WinXP install.

He also ignores that RedHat has many installation profiles: desktop, db server, web server, etc. Depending on your profile, different software gets installed. So it's really hard to say how many bugs a RedHat user will see vs a WinXP user. And he didn't really try, either.

Posted Jan 28, 2003 5:42 UTC (Tue) by schutz (subscriber, #3760)

> He also ignores that RedHat has many installation profiles: desktop, db server, web server, etc. Depending on your profile, different software gets installed.

... and it's even worse than that: a typical Linux distribution provides several pieces of software with the same functionality (eg sendmail, postfix, qmail, exim, etc), and you expect only one of these to be installed on a system at a given time. So if these 4 programs have 1 bug each, this will be counted as 4 bugs for RedHat (or whichever distribution), while a normal system can only be bitten by one of them.

Conclusion: there is no way you can prove anything just by comparing the number of security alerts for two given pieces of software (especially if one of them is a collection of several independent pieces). You _may_ be able to do it if you compare the security alerts for two _installed_ systems, but it doesn't mean that the result will be a good indicator of the security of each system.

Frédéric

Main problem with this article is not the number of bugs count but the severity. Fred Langa cited the WM_TIMER problem which is inherently not fixable so this bug is much more serious than the ptrace problem.

Posted Jan 28, 2003 9:10 UTC (Tue) by skellba (guest, #8043)

Later on Fred Langa wrote:

> So here's what it does mean: Linux is a normal operating system; so is
> XP. Both have bugs, some major, some minor. Anyone who tells you that
> Linux is "inherently more secure" or "much less buggy" than XP simply
> isn't working from current facts. The reality is that bugs happen,
> even in Linux: Get over it.

I don't know about "much less buggy" but it is simply not true that XP is as secure as Linux or any other UNIX system. If you ever tried to secure a Windows installation, say in an office environment, then you know how difficult this is. And in XP you don't have real control over the operations in the background: some processes try to contact the internet for updates, others want to synchronize the time with Microsoft servers and so on. And it is difficult to stop this.

Another point is that most Microsoft programs are probably written in C or C++. Since these programming languages are really not helpful in writing error-free code I am wondering how Microsoft is able to have only 21 bugs in Windows XP according to Mr. Langa. This is an incredibly low number and depends heavily on the fact that you cannot inspect the source code. So the bug hunting is done on a trial-and-error basis.

Posted Jan 28, 2003 18:07 UTC (Tue) by cpeterso (guest, #305)

I don't think 22 is a fair number of Windows XP bugs. Sure, that is the number of hot fixes, but the number 22 ignores found-but-unfixed bugs and the huge number of bugs fixed in the Windows XP Service Pack 1. Don't those bugs count? There are about 350 bugs fixed in Service Pack 1:

Categorized List of Fixes in Windows XP Service Pack 1

Posted Jan 29, 2003 10:55 UTC (Wed) by mly (guest, #2171)

> There are about 350 bugs fixed in Service Pack 1

On the other hand, several of the RH updates probably include a number of bug fixes as well. But they are certainly much smaller than the MS patches, since they are issued more frequently, and since there aren't any bundles that update more than one product in the distribution.

Posted Jan 28, 2003 9:47 UTC (Tue) by mwilck (subscriber, #1966)

The essential statement is correct.

If I get him right, he says that "Linux is not inherently more stable or bug-free" than Windows for mainstream commercial or home users. I think this statement is essentially true, even if his arguments and the numbers he states are ill-chosen (151 RedHat patches vs. 24 for XP seems to suggest that RedHat is 6 times more buggy, which is of course nonsense). I think we Linux advocates are ill-advised to fight against statements like this. The 2.4 series of the kernel had major maturity problems as we all know. The ever-increasing size of user space libraries and the growing number of drivers offer far more corners for bugs to hide than Linux in the good old days. At the same time, Microsoft products have improved a lot in terms of stability - the "bluescreen every day" times are over. We must face these facts, and focus on Linux' real advantages. Most importantly: it's free. A Linux admin, faced with a security hole, can wait until his vendor issues a patch - or fetch the source, apply the patch, rebuild and reinstall himself. His Windows counterpart can do nothing but wait until Microsoft delivers a patch.

Posted Jan 29, 2003 11:47 UTC (Wed) by mly (guest, #2171)

The essential statement is correct.

I agree that Windows 2000 or XP is much better as a desktop OS than Win 98 and ME, but I still think Windows has a long way to go. Particularly as a server.

Apart from the obvious difference in available tools, faster updates, no vendor lock-in, and ability to fix your own problems, there are a number of remaining security and stability problems in Windows. A few examples...

Most Windows patches can't be applied without rebooting the computer. This means that servers have to be taken off line to be fixed. I guess less than one percent of Linux updates have this problem. This will mean that the most important mission critical servers will often have updates delayed. If the computer needs to be up until late at night, and the technician wants to get some rest, so that he will be able to work effectively the next day as well, updates might well be delayed even further, since both remote operation and automated / timed operations are much more difficult to do in Windows. The Linux admin can update his application during the day, and give a simple command to restart the affected service in the middle of the night, while he is sleeping. Then he can log in from home in the morning as soon as he wakes up, and make sure that things work as they should. The poor Windows admin must sit by the console, click on buttons with his mouse, and watch his machine reboot. Having to do such work in the middle of the night to avoid disturbing production is a security risk in itself.

Another problem is virii and anti-virus programs. I've tried about twenty anti-virus programs on Windows 2000, and very few can do a good job in finding virii without either causing instability or slowing down the system considerably. And some that worked well for months start to misbehave after some update, and update you must... My experiences can be found at http://www.thinkware.se/cgi-bin/thinki.cgi/AntiVirusPrograms

A third problem is that installing individual Windows applications will still mess with the system in a way that is difficult to control. Files in the winnt/system32 directory will be replaced on installation, and sometimes the installation program asks you if you want to keep a different language version, or a newer version that is to be overwritten by an older. There is really no way for the admin / user to know for sure what to choose here, or whether the choices the OS makes on its own will cause problems in some existing application. Even if RPM-based Linux systems aren't as sophisticated as Debian, they handle this a lot better than Windows does.

Posted Jan 28, 2003 17:57 UTC (Tue) by hazelsct (guest, #3659)

I'm afraid this is gonna be kinda long-winded, I've got several points to make... From page 4:

> Most patches take much longer to appear, and longer still to become generally available to all affected users, in finished, tested, easily installable form--even if, technically speaking, the initial instance of the bug was stomped out very quickly. Given the growing fragmentation of the open source community and the increasingly quasi-proprietary distributions of Linux, how could it be otherwise? It has to take time to get patches out.

Balderdash. The Debian security team gets patches out within hours to days; Microsoft's weeks or months are inconceivable. And Debian does this for the current stable (3.0, "woody") and old stable as well (2.2, "potato") which is still supported two and a half years after release [no better than Microsoft here, but contrast to RedHat's recent announcement]; for six different processor architectures in potato and eleven in woody!

As for "finished, tested, easily installable form", how's:

    apt-get update && apt-get dist-upgrade

or if you prefer:

    dselect -> u <enter> -> i <enter>

or even easier

    aptitude -> u -> g

Far from requiring an expert, anyone who can't do that has no right to call him/herself a "sysadmin".

Of course, other distros have followed Debian's lead, so it's similarly easy to upgrade other systems. [Though AFAIK, nobody else has the debconf system which preserves package-by-package configuration options through upgrades.] And other distros have made other innovations, which spread around the community.

So Mr. Langa, show me the multiple Windows distributors who rush to get out the fastest and most thorough patch solutions -- with the longest maintenance periods! Show me the competing distributions of Windows which have innovated system management tools at anywhere near the rate of the Linux distros! The ability of multiple vendors to compete highlights an advantage of freedom with direct benefits for aggregate security -- and should illustrate the more "capitalist" (or more properly, "libertarian") nature of F/OSS cf. the Redmond Bolsheviks who preach "the one true solution".

Speaking of competition, show me the alternative processor architectures Windows runs on which are immune to IA-32 exploits run by all the script kiddies! Not only are F/OSS users free to choose CPUs according to merit and not "which one runs Windows", but our diversity improves our security, e.g. my group's alpha and PowerPC boxes are inherently less vulnerable to overflow-type attack than the Wintel monoculture; adding a (Debian?) *BSD firewall would improve things even further. And of course, others have mentioned the multitude of mail transport agents, name servers and web servers (Debian stable has nine packages providing httpd, vs. one from Microsoft).

No, I'm afraid there is no comparison, F/OSS is more secure: Get over it.

Posted Jan 28, 2003 21:12 UTC (Tue) by dbreakey (guest, #1381)

While he seems to have chosen to present this in a deliberately inflammatory form (not surprising—it's his job to promote discussion, and one of the best ways to do that is criticism), the essential core of his argument is something quite worth paying attention to. Linux is not, by any real-world definition, "inherently" more secure or stable than Windows; much as I despise admitting it, Windows 2000 and XP have progressed to the point where random crashes are not the routine thing that they once were. This isn't to say that Windows no longer demonstrates any problems, but they are now, generally, more to do with usability issues rather than stability.

Linux, in my experience, has been consistently stable so long as the environment it runs in is configured correctly. An error in configuration can cause significant heartache, as I recently experienced with my GNOME2 desktop; while it didn't affect the stability of the system (I never experienced any system-wide crashes), it did render my desktop less usable as major components simply failed to work. It turned out that it was a simple name resolution error (my machine's hostname was getting mapped to an incorrect IP address, causing ORBit2 to fail; since much of the GNOME2 infrastructure relies on ORBit2 in one way or another, this caused large portions of my desktop to fail). And this whole thing was due simply to the fact that I am using a domain that is administered by a remote host (yes, it is my domain; it's being hosted by another company, though). That and the fact that I use DHCP to allocate my IP address… It took me almost a month (mostly because of insufficient time) of fiddling around before I finally figured this out (since everything had been working properly before then, I had been assuming it was the fault of an incorrectly built package that I had installed, since nothing had been changed that I was aware of; it wasn't until I, finally, sat down and methodically tracked down the problem that I figured it out). And I consider myself an experienced user who has no fear of using the command line or editing configuration files. Imagine somebody who was Linux-illiterate trying to figure this one out…

It is also quite true that script-kiddies have not been targeting Linux before now simply because it was a low-profile system; I think we can expect the number of exploits for Linux to grow from now on—although I fully expect that these exploits will be fixed nearly as quickly as they are discovered, if not quicker.

Posted Jan 29, 2003 0:46 UTC (Wed) by mly (guest, #2171)

The Linux / BSD world seems to manage this diversity fairly well. Most programs run fairly well on most platforms. In fact, I have run into many more compatibility problems between Windows versions than between Linux versions. The worries about lock-in and incompatibilities as with commercial Unix don't seem to come true in the Linux world. If security is your main concern--by all means, select OpenBSD. They have had ONE remote hole in the default install, in more than 7 years! There are also more security oriented Linux distributions, like NSA Security Enhanced Linux or Trustix. You can make a choice between features and stability. Between bleeding edge and conservative choices. A capable customer can harden the operating system, or a security-oriented vendor can pick up a Linux distro and secure it for its customers to an extent that would be impossible with Windows. With Windows you are always at the mercy of Microsoft. It surprises me that so many people in business are satisfied with that. I guess most risk conscious companies make risk assessments, and if you are very much dependent on a single vendor in some area, or on a single customer, this is always a risk, something that one should try to avoid. For OS's I don't see any other way than Linux/BSD/Unix today, if we take this seriously.

Another important issue with Microsoft vs free operating systems such as Linux and BSD is that you have a vendor choice in the free world. Sure, choice makes life more difficult sometimes, there are even a lot of people in Eastern Europe who want the old Soviet system back, where you knew exactly how little you would have. I still prefer to have a choice though.
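Returning to the counting argument made by cajal and schutz above (one installation profile carries only a subset of a distribution's packages, and only one of several alternative MTAs is ever installed), here is an added example that is not part of the thread. It normalises a constructed advisory feed to three made-up installation profiles; every package name, profile and advisory id is invented for illustration.

```python
"""Normalise security-advisory counts to what is actually installed.

Added example, not from the thread: a constructed advisory feed and
three made-up installation profiles. All package names, profile
contents and advisory ids are invented for illustration.
"""
from collections import Counter

# Constructed advisory feed: (advisory id, affected package).
# The four MTAs carry one advisory each; a system runs only one MTA.
ADVISORIES = [
    ("ADV-001", "kernel"),
    ("ADV-002", "kernel"),
    ("ADV-003", "sendmail"),
    ("ADV-004", "postfix"),
    ("ADV-005", "qmail"),
    ("ADV-006", "exim"),
    ("ADV-007", "apache"),
    ("ADV-008", "mysql"),
    ("ADV-009", "openssh"),
]

# Constructed installation profiles: the package set actually present.
PROFILES = {
    "desktop":    {"kernel", "openssh", "sendmail"},
    "web-server": {"kernel", "openssh", "postfix", "apache"},
    "db-server":  {"kernel", "openssh", "exim", "mysql"},
}


def distribution_total(advisories):
    """The naive figure: every advisory for every package the distro ships."""
    return len({adv_id for adv_id, _ in advisories})


def profile_exposure(advisories, installed):
    """Advisory ids whose affected package is installed in this profile."""
    return sorted(adv_id for adv_id, pkg in advisories if pkg in installed)


def exposure_by_profile(advisories, profiles):
    """Per-profile count: the number a real system of that type would see."""
    return {name: len(profile_exposure(advisories, pkgs))
            for name, pkgs in profiles.items()}


def per_package_share(advisories, installed):
    """Which installed packages the exposure comes from (Counter by package)."""
    return Counter(pkg for _, pkg in advisories if pkg in installed)


if __name__ == "__main__":
    print("distribution-wide total:", distribution_total(ADVISORIES))
    for name, count in exposure_by_profile(ADVISORIES, PROFILES).items():
        print(f"{name}: {count} advisories actually apply")
```

The distribution-wide figure is 9, but no single profile sees more than 5, and the four MTA advisories contribute exactly one to each profile.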