|| ||Leon Brooks <email@example.com>|
|| ||Wed, 29 Jan 2003 09:33:04 +0800|
Hi, Fred; with regard to your recent pontifications on security:
> the article said: "...more than 50% of all [CERT] security advisories ...
> in the first 10 months of 2002 were for Linux and other open-source
> software solutions."
The implication is that Linux has more bugs than everything else combined. You
also implied an acceptance of WinInformant's wildly errant conclusions
evidently founded on the same implication.
> None of this excuses or lessens the seriousness of Windows' own problems,
> of course, but it does show that as Linux grows in popularity, it will
> have its own full share of bugs and security problems, too.
This assertion is independent of WinInformat's, and it is wrong too. Bugs have
nothing to do with popularity; if anything, more participants in a given
development process implies less bugs. In real life, the bug reporting
process extends to more decorative issues that a project with fewer
developers wouldn't have the resources to worry about.
Quoting InformationWeek again:
> It's hard to imagine a less inflammatory or more obvious assertion - that
> all operating systems have bugs and security issues
Unfortunately, you did not limit yourself to this assertion. If you had, you'd
be clear. You tried to be borrow some of WinInformat's facade of cleverness
and bend CERT's reports to support your statement in such a way that you
appeared to be conservative. That was damn silly, and you deserved to be
flamed for it.
You then go on to raise and knock down a straw man by putting up a few mild
objections to your point, namely that there aren't really that many bugs, and
they can be fixed faster. Let's look at those.
> We can avoid CERT's problem of counting the same bug more than once if
> we compare the security patch/update counts for one popular distribution
> and version of Linux to one popular version of Microsoft Windows.
First off, the problem lies not with CERT, but with careless or zealotrous
researchers interpreting the raw CERT data wrongly.
Second off, you do avoid that problem, but you smack face-first into another,
one which is actually worse ("out of the frying pan, into the fire").
Slammer/Sapphire, currently the bane of MS-SQL servers the world over (still
one probe every 2 minutes or better in a Class C subnet as I write) is not
counted as a Windows bug, but a similar problem in PostgreSQL would be
counted as a bug in, say, the SuSE, Slackware or Caldera Linux distributions.
There is no direct Windows equivalent for a Linux distribution. No Windows
version ships with anything like Mandrake's 4000 or Debian's 11000 or so
(slightly more granular) packages. Or, for that matter, with anything like
the same amount of control over them. Microsoft's "157 products" aren't a
drop in a bucket compared to that.
You also do not correctly address the issue of bug severity. A typical
Microsoft bug results in, as the mythical CERT CA-96.13 says, "the total
destruction of your entire invasion fleet and [...] unauthorized access to
files" by remote control. A typical Linux bug results in remote access as an
ordinary or even crippled (chrooted and/or owns no files) user, or the
possibility of local escalation to superuser. Your "quick example" is
exceptional, not typical.
Perhaps more terrifying are the Windows bugs that _cannot_ be fixed. Because
of the way Windows is designed, in all known versions, it will _always_ be
possible to push a stick through the spokes of the Windows message-passing
system and escalate privs. IE's MIME handling under Windows is still badly
broken, and as far as I can tell, always will be.
Just to labour the point, conside this list of known, unpatched Internet
Explorer vulnerabilities - http://www.pivx.com/larholm/unpatched/ - including
"Silent delivery and installation of an executable on a target computer", and
contrast that with the Open Source competition (Mozilla, Konqueror and
derivatives) which patched and tested the most recent SSL vulnerability in
under a day (95 minutes from notification to fix-release for Konqueror).
> The open source community has fragmented into myriad competing segments,
> each with its own different, and increasingly quasi-proprietary,
> distributions of software.
Using a few prominent examples to speak for all Linux distributions is grossly
careless. In general, Linux distributions include little if any proprietary
software, and most have downloadable distributions which are both libre and
gratis. Many, notably Debian and Mandrake, make a point of GPLing all of
their specialised tools, and many distributions borrow chunks from each
other. In the case of Sun's "Mad Hatter" distribution, they borrowed RedHat's
entire distribution en bloc.
Fragmentation is - from a security perspective - good. A software monoculture
is vulnerable. _Any_ monoculture is vulnerable. Linux runs on 13 hardware
architectures, Windows on 2 (really only 1), a typical Linux distribution
provides a sheaf of different window managers, web browsers, mail clients,
office suites, databases, webservers, scripting lanugages and so on.
From a user perspective, the choice represented by fragmentation is good. For
a current example, a parochial Australian girls' school installed Linux and
defaulted the girls' desktops to KDE. Within days, a significant number of
the students had discovered and settled on GNOME and lighter window managers
like IceWM and BlackBox. The helldesk didn't explode as a result (choice of
WM is part of the user context), in fact the support crew do much less
running around than they used to with Windows and no such choices.
Is Linux ready for the desktop? The 20,000 (soon to be 200,000) users in Rio
Grande do Sul's State schools think so too.
There's a lot more which could be said about your article, but it hardly seems
worthwhile. Do more research, come at the issues with more hard facts and
less fancy theories. Don't try to justify mistakes, it's much more useful to
learn from them.
http://cyberknights.com.au/ Modern tools; traditional dedication
http://slpwa.asn.au/ Member, Linux Professionals WestOz
http://linux.org.au/ Committee Member, Linux Australia
http://linux.org.au/~leonb/lca2003/ THE Oz Linux Technical Conf:
excellent event, photos here!
to post comments)