
FUD, FUD, FUD, let's see some facts


Posted May 4, 2004 15:56 UTC (Tue) by jfs (subscriber, #7140)
Parent article: Green Hills Software strikes again

The article fails to acknowledge the fact that, if people believe in "security by obscurity" (I don't, YMMV), the GPL introduces provisions for code modifications that do not need to be leaked (if used internally). From the FSF's GPL FAQ:

"Does the GPL require that source code of modified versions be posted to the public?

The GPL does not require you to release your modified version. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.

But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL.

Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you."

And that's for the most restrictive free software license out there; for BSD-licensed software, for example, you could even redistribute your changes without ever releasing your changes to it.

It's funny that after saying this the article goes on and bashes "Security through Obscurity", just after saying it should be enforced in software!

I still see a lot of FUD: "The Common Criteria Says Linux Security Problems Can't be Fixed" when there has not been such a statement. Linux companies are just "behind" regarding Common Criteria certification; SuSE and RedHat are pushing for EAL 4 and they have not failed to obtain it (yet).

Also, he compares apples to oranges when he sums up the vulnerabilities in the ICAT database (in "Open Source Doesn’t Makes Linux More Secure than Windows") and says that "Linux" has had more high-severity vulnerabilities than "Windows". Let's see...

[downloading a new copy of the database, my latest version was from December] .... [opening the database, preparing to do a search ...]

  • Search with "Microsoft" in vulnerability references and "High" rating: 221
  • Search with "RedHat" in vulnerability references and "High" rating: 110

    [ ... hey! less! maybe he meant another distro ...]

  • Search with "Debian" in vulnerability references and "High" rating: 199

    [ ... hmm understandable ... Debian does provide more software than Red Hat and it does include much more than Microsoft does... ]

    [ ... oh, but that includes also applications in the user space. The proponent said Linux, not GNU/Linux, maybe we get more vulnerabilities if ... ]

  • Search with "Linux kernel" in vulnerable software and "High" rating: 14

    [ .. yeah right ... ]

    [... hmm ... but what if we look up for the highest risk: i.e. High severity and remote? .. maybe the proponent meant those ...]

  • Search with "Microsoft" in vulnerability references, "High" rating and "Remote" in attacker requirements: 192
  • Search with "RedHat" in vulnerability references, "High" rating and "Remote" in attacker requirements: 115
  • Search with "Debian" in vulnerability references, "High" rating and "Remote" in attacker requirements: 139

    [ ... hmmm .. well this count again includes user space in the Linux distributions, maybe he meant the linux kernel... ]

  • Search with "Linux Kernel" in vulnerable software, "High" rating and "Remote" in attacker requirements: 5

Now, if we do this again but limiting it to "remote code execution", which are the vulnerabilities that worms use (remember Blaster? Sasser sounds familiar?), we get 146 for Microsoft, 112 for Red Hat, 138 for Debian (kernel+user space) and 4 if we only look at the kernel (and those are related to the firewalling code, which might be bypassed in some circumstances to pierce a firewall, but not to get access to it).

The only way you get a higher count is if you search for "Linux" in the Vulnerable Software references, which is plain wrong since that will include software that is _written_ for Linux (such as RealOne player). That's why you have to make the search in "vulnerability references" to locate advisories (granted, that will not include vulnerabilities which have not been fixed, but the ICAT mapping is not fully up-to-date with CVE; the data from May 2004 only gets up to CAN-2003-1565, which is dated 01/12/2003).

Surprisingly, however you count it, Microsoft has more (reported) security vulnerabilities in the ICAT database. Notice those are CVE references; that's the reason I've selected Red Hat and Debian, because they are the only distributions that are CVE-compatible (since March 3 2004). Funny that Microsoft isn't, because that can only mean that the CVE references are missing vulnerabilities which might have been fixed by Microsoft, and the count would only be higher.
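The distinction the post draws, searching "vulnerability references" for a vendor advisory versus searching "vulnerable software" for the string "Linux", is shown below as an added example (not the poster's code, not ICAT tooling) over a handful of constructed ICAT-style records; field names, the sample rows and the "RedHat"/"Red Hat" spelling normalisation are assumptions.

```python
"""Reproduce the post's ICAT filters over constructed records.

Added example, not part of the LWN comment or of the ICAT database.
Rows below are made up to mirror ICAT fields (CVE/CAN id, severity,
remote attacker requirement, vulnerable software, advisory references).
"""
from collections import namedtuple

Entry = namedtuple("Entry", "cve severity remote software references")

# Constructed sample rows (NOT real ICAT data; ids are placeholders).
SAMPLE = [
    Entry("CAN-0000-0001", "High", True, ["Linux kernel"], ["Red Hat", "Debian"]),
    Entry("CAN-0000-0002", "High", False, ["Linux kernel"], ["RedHat"]),
    # Userland app "written for Linux": matched by a naive "Linux" search.
    Entry("CAN-0000-0003", "High", True, ["RealOne Player for Linux"], ["RealNetworks"]),
    Entry("CAN-0000-0004", "High", True, ["Windows 2000"], ["Microsoft"]),
    Entry("CAN-0000-0005", "Medium", True, ["OpenSSH"], ["Debian", "Red Hat"]),
]


def _norm(s):
    # Assumption: ICAT spells vendors inconsistently ("Red Hat"/"RedHat"),
    # so compare case-insensitively with spaces removed.
    return s.lower().replace(" ", "")


def count(entries, severity=None, remote=None, software=None, reference=None):
    """Count entries matching every criterion given (substring matches)."""
    n = 0
    for e in entries:
        if severity and e.severity != severity:
            continue
        if remote is not None and e.remote != remote:
            continue
        if software and not any(_norm(software) in _norm(s) for s in e.software):
            continue
        if reference and not any(_norm(reference) in _norm(r) for r in e.references):
            continue
        n += 1
    return n


def tally(entries):
    """The post's searches, plus the 'wrong' one it warns about."""
    return {
        "microsoft_high": count(entries, "High", reference="Microsoft"),
        "redhat_high": count(entries, "High", reference="RedHat"),
        "kernel_high": count(entries, "High", software="Linux kernel"),
        "kernel_high_remote": count(entries, "High", True, software="Linux kernel"),
        "linux_in_software_high": count(entries, "High", software="Linux"),  # inflated
    }
```

On the sample rows the naive "Linux" search counts the RealOne row as a Linux vulnerability, which is the apples-to-oranges comparison the post objects to.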



FUD, FUD, FUD, let's see some facts

Posted May 4, 2004 16:08 UTC (Tue) by LogicG8 (guest, #11076) [Link]

The Linux kernel has already been used in an OS that has been given EAL4.

SuSE did it and RH isn't far behind:
http://lwn.net/Articles/42766/

Copyright © 2008, Eklektix, Inc.