
The Langa Letter - an opposing view

From:  jimd@starshine.org
To:  jimd@starshine.org, star@starshine.org, lwn@lwn.net, letters@lwn.net
Subject:  The Langa Letter - an opposing view
Date:  Mon, 27 Jan 2003 17:18:33 -0800 (PST)

Fred's comment about "severity" is, as he points out, inherently
subjective. His numerical analysis is also subject to more issues that
he's simply ignoring.
 
For example the 157+ bug count for RH 7.2 or 7.3 includes fixes for many
overlapping products and many which are rarely installed by Linux users --
RH simply includes a lot of optional stuff. Meanwhile the count for
Microsoft may still be artificially low, since MS is known to deliberately
minimize the number and severity of their bug reports. Many of their 30+
reported patches might include multiple fixes and descriptions which
downplay their significance.
 
Fred also, inexcusably, argues that "first availability" of a fix (in
source form, sometimes in focused, though public, mailing lists and venues)
"doesn't count" as faster. That is simply jury rigging the semantics to
support a prejudiced hypothesis.
 
Another approach to looking at the severity of bugs is to view the effect
of exploits on the 'net as a whole.
 
In the history of Linux there have only been a couple of widespread worms
(episodes where a bug's exploit was automated in a self-propagating
fashion). Ramen, Lion and Adore are the three which come to mind.
 
Subjectively the impact of these was minimal. The aggregate traffic
generated by them was imperceptible on the global Internet scale. Note
that the number of Linux web, DNS and mail servers had already surpassed MS
Windows servers by this time --- so the comparison is not numerically
outrageous.
 
Compare these to Code Red, Nimda, and the most recent MS SQL injection
worms. The number of hosts compromised, and the effect on the global
Internet have been significant.
 
I simply don't have the raw data available to make any quantitative
assertions about this. However, the qualitative evidence is obvious and
irrefutable. The bugs in MS systems seem to be more severe than
comparable bugs on Linux systems.
 
If a researcher were really interested in a rigorous comparison, one could
gather the statistics from various perspectives --- concurrently trying to
support and refute this hypothesis.
 
Fred is right, of course, that Linux has many bugs --- far too many.
However, he then extends this argument too far. He uses some fairly shoddy
anecdotal numbers, performs trivial arithmetic on them and tries to pass
this off as analysis to conclude that there is no difference between MS XP
security (and that of their other OSes) and Linux' (Red Hat).
 
I won't pass my comments off as anything but anecdotal. I won't look up
some "Google" numbers to assign to them and try to pass them off as
statistical analysis.
 
I will assert that Linux is different. That bugs in core Linux system
components are fewer, less severe, fixed faster, and are (for the skilled
professional) easier to apply across an enterprise (and more robust) than
security issues in Microsoft based systems.
 
The fact that numerous differences in these two OSes make statistical
comparison non-trivial doesn't justify the claim that there is no
difference.
 
Further anecdotal observations show that the various Linux distributions
and open source programming teams have done more than simply patch bugs as
they were found. Many of the CERT advisories in Linux and elsewhere (on
the LWN pages, for example: http://www.lwn.net/ ) are the result of
proactive code auditing by Conectiva, Gentoo, S.u.S.E., IBM and The MetaL
group at Stanford, among many others. In addition many of these projects
are significantly restructuring their code, their whole subsystems, in order
to eliminate whole classes of bugs and to minimize the impact of many
others. For instance the classic problems of BIND (named, the DNS server)
running as root and having access to the server's whole filesystem used to
be mitigated by gurus by patching and reconfiguring it to run "chroot"
(locked into a subdirectory tree) and with root privileges dropped after
initial TCP/port binding (before interacting with foreign data). These
mitigations are now part of the default design and installation of BIND
9.x. Linux and other UNIX installations used to enable a large number of
services (including rsh/rlogin and telnet) by default. These services are
now deprecated, and mainstream distributions disable most or all network
services by default and present dire warnings in their various
enabling dialog boxes and UIs before allowing users to enable them.
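The BIND 9 hardening the letter describes (bind the port while root, lock into a chroot, then drop root before touching foreign data) as an added C example; this is not code from the letter or from BIND itself, and the jail directory /var/empty, the uid/gid 65534 and the TCP listener are assumptions:

```c
#define _GNU_SOURCE            /* for setgroups() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <grp.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Step 1: bind the listening port while still root (port 53 is privileged).
 * Port 0 asks the kernel for an ephemeral port and needs no privilege. */
int bind_listener(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr = { .sin_family = AF_INET,
                                .sin_addr.s_addr = htonl(INADDR_ANY),
                                .sin_port = htons((unsigned short)port) };
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Steps 2 and 3: lock the process into the jail tree, then give up root.
 * Order matters: chroot() itself needs root and must be followed by chdir("/");
 * supplementary groups and the gid go before the uid, because once setuid()
 * has run the process may no longer change them. 0 on success, -1 on error. */
int confine_and_drop(const char *jail, uid_t uid, gid_t gid) {
    if (getuid() != 0) return 0;     /* started unprivileged: nothing to drop */
    if (chroot(jail) < 0 || chdir("/") < 0) return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return 0;
}

/* Post-drop check a daemon should make before touching foreign data:
 * root must not be recoverable. Returns 1 when privileges are really gone. */
int root_is_gone(void) {
    return getuid() != 0 && geteuid() != 0 && setuid(0) == -1 && errno == EPERM;
}

int main(void) {
    int fd = bind_listener(53);      /* must happen before the drop */
    if (fd < 0) { perror("bind"); return 1; }
    if (confine_and_drop("/var/empty", 65534, 65534) < 0) { perror("drop"); return 1; }
    if (!root_is_gone()) { fputs("privileges not dropped\n", stderr); return 1; }
    printf("fd %d bound, now uid %d inside the jail\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

Run as root it binds 53, jails itself and ends up as uid 65534; run unprivileged it still demonstrates that root cannot be regained afterwards.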
 
These changes are not a panacea. However, they are significant in that they
hold out the promise of reducing the number and severity of future bugs,
and they artificially inflate recent statistics (since the majority of this
work has been over the last two or three years).
 
Fred will undoubtedly dismiss these comments as being more "rabid
advocation" by a self-admitted Linux enthusiast. He may even point to MS'
own widely touted "trustworthy computing" PR campaign as evidence of a
parallel effort on "the other side of the Gates." However this message
isn't really written to him.
 
It's written to those who want to make things better.
 
The real difference between security in MS and in Linux is qualitative
rather than quantitative. With Linux every user and administrator is
empowered to help themselves. Every one of us can, and many more of us
should, accept a greater responsibility for our systems and their integrity
and security. Linux users (including corporations, governments and other
organizations) can find and fix bugs and can participate in a global
community effort to eliminate them and improve these systems for everyone.
 
Let's not get wrapped up in blind enthusiasm and open source patriotism.
But let us not fall prey to the claim that there is no difference. There
is a difference and each one of us can be a part of making that difference.
 
JimD



Copyright © 2003, Eklektix, Inc.