©1997/2004, Active Network. All Rights Reserved. Layout & Design by Designer Dream. Content written by the Active Network team.
Time: 16:34 EST/21:34 GMT | News Source: WinInformant | Posted By: Julien Jay
For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. (The company's 2001 statistics are available only through August 2001 for the time being.) According to NTBugTraq, Windows 2000 Server had less than half as many security vulnerabilities as Linux during the reported period. When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux. So once again, folks, you have to ask yourselves: Is Windows really less secure than Linux? Or is this one of those incredible perception issues? For more information and the complete stats, visit the SecurityFocus Web site.
#1 By 3339 (65.198.47.10) at 2/5/2002 5:17:40 PM
Yeah, I'm sure Paul got a lot of moronic crap, but when you factor in that (1) Linux distros generally contain hundreds of apps which get included while MS's numbers don't include IE, Outlook, Messenger, IIS, and Exchange; (2) the number of vulnerabilities reported is inappropriate because if they are discovered quickly (because of a transparent environment) and patched quickly--well, I'd prefer that to one or two big flaws hidden from the public until they're fixed or exploited; and (3) that the severity of the flaw and the carelessness of its existence factor more heavily than how many... if you consider these points, I think everyone has to admit that counting up the flaws posted on a site which doesn't track individual software platforms the same way is not an appropriate assessment of which system is less secure. Not only is this an inadequate argument... but statements like, "What I am trying to say is that Linux is not more secure than Windows. It's impossible." are ridiculous; in no way has PT backed up or explained why Linux could or could not be more or less secure than Windows.
#3 By 3339 (65.198.47.10) at 2/5/2002 6:55:44 PM
#8, you talk about the different mentalities, and that is exactly the point: someone deploying a Linux distro knows that that CD will contain a few thousand apps, 5 or 6 apps for each purpose. No one who is deploying Linux with the right mentality is going to install all of these apps, never mind be left insecure from them. But since they are distributed in one package, all of the flaws that are packed on to the CD are included as if they were a system flaw. Which is why I mentioned IE not being counted; should it be counted when judging the security of a server? Probably not, but it is just as irrelevant as half of the flaws mentioned for each Linux distro.
Of course, PT doesn't mention that since these are free apps, the distributor is motivated to include as many installs as is physically possible; hence, the most insecure Linux distro is probably not that at all; it's just the distro which includes the most applications.
That in and of itself negates the Flaw Count argument for system security, but above and beyond that, can you judge an Open Source OS the same way? Can't it be a good sign that a large number of flaws have been identified because a lot of developers are closely reviewing the potential for flaws? I'm not saying this is necessarily the case; I'm saying that a count doesn't prove otherwise.
I prefer to look at the whole picture: what was the response from the source company, how long did it take to patch, was the info about the flaw understandable and appropriate, did the patch introduce new problems, did an exploit appear before the patch, was it an existing or known problem, did new, bleeding edge features cause the flaw, did an upgrade reintroduce the flaw, did it have real world impact and affect corporations and consumers, etc...
I do not accept arguments about marketshare and public opinion: everyone hates MS (yes, that's the point), MS is just used more therefore attacked more and the effect is bigger (isn't that MS's problem, didn't they want to own the market?), if other OSes were as popular they'd be attacked too (I wouldn't be sure of this--if you went back to a time when Apple had 20% of the market (I know--I'm talking waaay back), it was the preferred, even revered, platform of choice for hackers--remember Hackintosh?--they wouldn't dare try to attack the MacOS of the time), if other OSes, particularly Open Source OSes, were attacked, would hackers be able to find flaws not known to the community? etc....
#4 By 2332 (129.21.145.80) at 2/5/2002 7:18:19 PM
Guys... enough. The only thing this article really shows is that open source is in no way "more secure" than closed source. The open source projects seem to have just as many after-the-fact holes (if not more) as Windows.
This in no way reflects how secure (or not) the machine running the particular OS really is.
It, imho, still speaks quite strongly for Microsoft and Windows, however, since it directly contradicts the idea that open source is inherently a better way to program because it helps fix more bugs before the software is released.
Now, why Windows has fewer bugs than Linux is another thing altogether. It *could* be that Microsoft writes better code to begin with. It *could* also be that because the software is closed, fewer bugs are ever discovered.
At any rate, both are good for Microsoft, methinks.
By the way, SecurityFocus does not say exactly what applications were included in the bug count and what weren't. They say something about "Explorer" being an example of a "package" which could be one such separate application, but they don't actually specify an applications list. They also don't specify exactly what software on Linux was included.
I think that people should refrain from jumping to conclusions about the "real numbers" until they have the specifics of what was measured. After all, it could be just IE/OE that they didn't include for Windows, but hundreds of common applications that they didn't include for Linux.
This just shows that the line between OS and Application is very, very blurred.
#5 By 2332 (129.21.145.80) at 2/5/2002 7:24:16 PM
#11 - Everybody does *not* hate MS. In fact, public opinion polls almost always show that MS is favored by 70%+ of people surveyed.
It is a small, but very vocal minority (and competitors, of course) who hate MS.
At any rate, most "hackers" don't attack Microsoft because they hate them. Most attack Microsoft specifically because their hacks will have the widest reaching effect.
If I find a hole in a piece of software that 2 people in Montana use on the weekends, who the hell cares.
If I find a hole in a piece of software that 300 million people use everyday, software that is the infrastructure of countless businesses, then I get some serious "props."
#6 By 3339 (65.198.47.10) at 2/5/2002 7:35:39 PM
RMD, where are you trying to go with this? First, you suggest little can be learned, and then you say that it PROVES open source is not more secure than closed source. Baloney, it does! How so?
Then you further say, this says nothing, but then start MS spinning. It's good for MS either way! Are you kidding? "It *could* also be that because the software is closed, fewer bugs are ever discovered." How is that good? Isn't quicker and faster better than slower or never? Just because they aren't reported doesn't mean they don't exist, or, worse, aren't being exploited.
By the way, SecurityFocus has been doing this for a while and they know that this in no way constitutes a security assessment, and they do pretty well explain what they are counting:
"The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made."
"There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers."
"This just shows that the line between OS and Application is very, very blurred." No, it doesn't: it shows that in the Open Source world people will reuse components and packages and apps and they will fork them into little bits and these little bits either separate or part of the OS will be distributed easily and openly to the public such that it doesn't matter to them if it's an app, component, package, system, etc... In the proprietary MS world, it shows that they treat IE and IIS as separate apps even though they want to sell you on the benefit of it being a part of the OS. In other words, market categories don't matter in an OS world whereas the MS world will use categorizations to serve their interests.
#7 By 3339 (65.198.47.10) at 2/5/2002 7:43:44 PM
RMD, in some respects you are right, but hackers do "aim" what they are up to at things they don't like. In a theoretical model where everyone has the same marketshare, Windows (33 1/3 % of the market), MacOS (33 1/3 % of the market), and Linux (33 1/3 % of the market--I pick these 3 not out of any future projection just the idea that they represent different platforms and philosophies), do you think each platform would be targeted equally? There's no way they would; somebody always has to be the villain.
Anyway, are you suggesting that popularity is a valid defense? My point was this is not a valid defense. If you want to and accomplish grabbing 5x the market of your competitor, you better be prepared to be 5x more secure. If not, you've got a very popular but insecure system.
#8 By 2332 (129.21.145.80) at 2/5/2002 7:57:04 PM
#13 - Sigh... I guess I have to hand feed this to you.
"First, you suggest little can be learned, and then you say that it PROVES open source is not more secure than closed source."
I never said the word "PROVES" anywhere. Who's spinning what now? You also don't seem to know how to read.
FIRST, I suggested that it "shows" that open source isn't more secure than closed source. I qualified that statement with the fact that both OS's seem to have plenty of after-the-fact holes.
I then further qualified my statement by saying that the security of the actual machine running the OS at hand can not be determined from the statistics.
"Then you further say, this says nothing, but then start MS spinning."
I certainly did not say this means nothing. I said it doesn't prove how secure the OPERATING SYSTEM is either way. I said that whether or not Windows has fewer bugs because it's closed or the possibility that Microsoft writes better code is good for Microsoft either way.
I then ended my post with one last qualifier, stating that conclusions really shouldn't be made until we find out exactly what software was included in the statistics. This statement doesn't contradict what I said at the beginning of my post because the vast majority (if not all) the software that is included with Linux that could have been counted in the results is open source.
"The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made."
Exactly. I made the claim that open source was no more secure than closed source. That still stands, and is not affected by the above statement from SecurityFocus.
"it shows that in the Open Source world people will reuse components and packages and apps and they will fork them into little bits and these little bits either separate or part of the OS will be distributed easily and openly to the public such that it doesn't matter to them if it's an app, component, package, system, etc..."
LOL. And the "Windows World" doesn't do this? Come on. One of the biggest benefits of COM is that you can utilize programmatic functionality from one application in another application very easily. COM applications make up a HUGE percentage of Windows applications. Not to mention the ActiveX control market. And how the hell does a list of security bugs prove your statement?
"In the propriety MS world, it shows that they treat IE and IIS as separate apps even though they want to sell you on the benefit of it being a part of the OS."
IIS is a separate application. And it's free. IE isn't really a separate application anymore, although I would entertain arguments that it is. And it's free. Microsoft hasn't increased the price of Windows since the inclusion of either of these free components, so it's a non sequitur.
You really should learn how to read.
#9 By 2332 (129.21.145.80) at 2/5/2002 8:03:24 PM
#14 - I didn't claim there would be equal attack with equal market share; although if there was equal market share the chance people would hate Microsoft would be far less.
And why does somebody always have to be the villain? Is there a rule book somewhere?
"Anyway, are you suggesting that popularity is a valid defense?"
There is a difference between a defense and an explanation. And security does not have to be proportional to market share. If you grab 5x the market share, and security is a real concern for those using your software, you must be equal or better than the competition.
I agree that Microsoft has to be especially careful about their software because they are under attack far more than most other companies thanks to their widespread adoption.
What I'm saying is that there is a definite direct relationship between the number of security holes found and the popularity of the software. Linux has very few users (compared to Windows), so one would expect fewer holes found even if the actual number of holes that existed was similar.
#10 By 3339 (65.198.47.10) at 2/5/2002 8:15:05 PM
I know how to read, RMD! My remarks were primarily focused at your "Guys...enough" comment. What did you state that is in any way different from anything prior, why is your smoke better than ours?
I put PROVES in Allcaps to demonstrate that you start by saying that results cannot be gathered from this, but then you say it SHOWS that... So what are you saying?
"This in no way reflects how secure (or not) the machine running the particular OS really is.
It, imho, still speaks quite strongly for Microsoft and Windows, however, since it directly contradicts the idea that open source is inherently a better way to program because it helps fix more bugs before the software is released."
How does this directly contradict any sort of argument? Do we know how many bugs MS finds before release? Do we even know how many flaws there are at all? No? Then I guess you need to learn the meaning of "directly contradicts" because without knowing the actual number of flaws in both systems and the number found prior to release I don't see any "direct contradiction."
As for the quotes from SF, I didn't suggest that they controvert your argument, I provide them to show that SF knows what its data is; it's the Reg and PT taking this out of context.
You seem to not get my point about distribution; when was the last time you got a new MS product that included every MS software title, every freeware app, a bunch of COM components, and a few competitor apps on the CD ready for installation? Sure, there are components and objects and controls in the MS world; my point is they do not get mass distributed with every piece of software as if there was no category of software to distinguish them from one another. Do you get it yet? Would you consider Linux without gcc Linux? Technically, yes, but it wouldn't be very useful; do you consider it a separate app; technically, yes, but it's so fundamental to the ideology, why bother?
"IIS is a separate application. And it's free. IE isn't really a separate application anymore, although I would entertain arguments that it is. And it's free. Microsoft hasn't increased the price of Windows since the inclusion of either of these free components, so it's non sequitur."
I don't see how cost gets involved in this argument at all; IIS is a fundamental part of Windows Server; web servers are particularly what we are interested in when discussing security. If MS includes it for free and it's fundamental to the secure server argument, it should be included with Windows Server when discussing vulnerabilities, the same as Apache.
Learnt to read a long time ago, buddy.
#11 By 3339 (65.198.47.10) at 2/5/2002 8:39:31 PM
"I didn't claim there would be equal attack with equal market share"
but you did say...
"most "hackers" don't attack Microsoft because they hate them. Most attack Microsoft specifically because their hacks will have the widest reaching affect."
... which suggests that MS isn't a target because they are vilified. My point was: if market share is equal, eliminating the wider audience argument, would you find other motivations to attack one platform over another? Yes, you would, this is often motivated by personal ideology so market share isn't the only reason that MS gets exploited all the time.
"There is a difference between a defense and an explanation."
I understand that there is a relationship between marketshare and exploits, but what I am saying is that this doesn't explain or defend MS's problems. From the position of the party in question, you cannot explain away your problems. Are there explanations? Yes, but if you know those reasons, why don't you do something about it. You see--from the perspective of Microsoft or softies, an explanation extends into a defense. An explanation is passing blame. Well, if you pass the blame, then you pass it on to a new problem, attack the new problem. That is why I said security has to be better the bigger the market share; not necessarily, theoretically true, but from a market perspective, from a perspective where you can explain or defend yourself, it better be more secure if it's going to be the platform for 95% of the world's business.
#12 By 2332 (129.21.145.80) at 2/5/2002 9:32:02 PM
#18 -
"I put PROVES in Allcaps to demonstrate that you start by saying that results cannot be gathered from this, but then you say it SHOWS that... So what are you saying?"
I am saying that those statistics suggest that Microsoft is no more likely to release software with bugs than open source projects. You are correct that it doesn't prove it, and I never said it did. Perhaps "shows" was too strong a word.
"How does this directly contradict any sort of argument? Do we know how many bugs MS finds before release? Do we even know how many flaws there are at all?"
Ok. You're suggesting that perhaps open source coders inherently write poor code to begin with, but through open source, that poor code is fixed.
I was going under the assumption that the programmers at Microsoft and the programmers working on open source projects have approximately the same level of expertise, and that the only "advantage" or "disadvantage" (ie, a difference) between the two sets of code is that one has many "open" eyes looking at it, and one is closed and only viewable by a small subset of programmers.
If this is the case, then my point stands. If this is not the case, then it would suggest that open source coders are crappy programmers. I've done open source projects myself, and I hope (and know) this isn't indicative of open source.
The point is that in this case, RedHat had more total bugs in it *after* release than Windows NT/2k did for the year 2001. If bugs got through, then it either means that there were more to begin with (your suggestion), or a similar number to begin with but fewer got caught by the open source guys. In either case, it seems to contradict what open source advocates often claim.
As far as applications distribution, I'm still not sure I see your point.
"Would you consider Linux without gcc Linux? Technically, yes, but it wouldn't be very useful; do you consider it a separate app; technically, yes, but it's so fundamental to the ideology, why bother?"
Ideology? I would certainly consider Linux Linux without gcc. Applications give OS's added functionality, nobody is questioning that. Are you saying that the fact that Linux distributions usually come with thousands of applications (most of which suck, but that's another topic) a defense for those applications having bugs that contribute to the totals for the OS? :-)
Again, we don't know where the numbers came from, but we do know that Linux comes with almost 100% open source applications. If a disproportionate amount came from those applications, and not the core set of apps that nearly every Linux user installs, then perhaps people that distribute those applications with Linux should keep their eyes a little more open.
"I don't see how cost gets involved in this argument at all; IIS is a fundamental part of Windows Server; web servers are particularly what we are interested in when discussing security. If MS includes it for free and it's fundamental to the secure server argument, it should be included with Windows Server when discussing vulnerabilities, the same as Apache."
Sorry, I misread your statement. I thought you said "sell them to you" but you said "sell you on"... my apologies. At any rate, I would certainly consider IE part of Windows, but not IIS. IIS is an optional component, and while it is installed by default, it is certainly not "part" of Windows. You can easily run any web server you choose on Windows 2k Server, and many server implementations have no IIS on them at all.
#13 By 2332 (129.21.145.80) at 2/5/2002 9:41:42 PM
#20 -
""I didn't claim there would be equal attack with equal market share" but you did say... "most "hackers" don't attack Microsoft because they hate them. Most attack Microsoft specifically because their hacks will have the widest reaching affect.""
Yes. I qualified my statement with "most." And, again, in an equal market share situation, few would hate Microsoft. The *primary* reason people attack Microsoft is because of their widespread adoption. This is obvious.
"I understand that there is a relationship between market share and exploits, but what I am saying that this doesn't explain or defend MS's problems."
Again, I explicitly said it doesn't defend Microsoft. I said it is *why* Microsoft often *appears* to be writing poorer software than their much less used alternatives.
"Are there explanations? Yes, but if you know those reasons, why don't you do something about it."
If you accept my point, then you will also realize that Microsoft has been doing about as good a job as most of its competitors as far as security goes. You ask why they aren't doing anything without acknowledging that they aren't doing any worse a job than anybody else.
I completely agree that Microsoft needs to crack down on security, even if they are doing as good a job as most other people. What annoys me is that people use Microsoft's security problems to justify saying that Microsoft is somehow delivering a worse product than anybody else in the industry, and that's simply not true.
Thankfully, they appear to be changing some of their obviously stupid security practices which were blatantly *not* as good as many other companies. They are also pushing the new code-access extensible sandbox security model with .NET, which will be a HUGE improvement and an advance over pretty much everybody else in the industry.
Whatta ya know, Microsoft innovating on a security model. Ack.
This post was edited by RMD on Tuesday, February 05, 2002 at 21:42.
#14 By 135 (208.50.201.48) at 2/6/2002 1:56:45 AM
#26 - Wininformant?
They reported this on Friday. Slashdot posted it on Monday and it was unreachable because of the mass Slashdot viewing. Although it's also quite possible that they were subjected to a DoS attack for a period of time.
#15 By 2332 (129.21.145.80) at 2/6/2002 2:03:49 AM
#27 - Wininformant runs Cold Fusion (forced to... not Paul's choice, I e-mailed him about it :-).
Cold Fusion doesn't exactly scale very well. There are plenty of people that will tell you otherwise, but they are, for the most part, full of hot air.
Cold Fusion is really great stuff, as long as you aren't planning on serving the kind of page hits that Slashdot articles might generate.
#16 By 135 (209.180.28.6) at 2/6/2002 10:40:53 AM
#28 - Ahh, Cold Fusion. Yes that would explain it. You're right, it does not scale well at all.