[inbox] Re: [Full-Disclosure] RE: Linux (in)security
arcturus at secrev.net
Fri Oct 24 02:30:36 BST 2003
From: full-disclosure-admin at lists.netsys.com
[mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Paul Schmehl
Sent: Thursday, October 23, 2003 6:15 PM
To: full-disclosure at lists.netsys.com
Subject: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
--On Thursday, October 23, 2003 02:32:37 PM -0500 Curt Purdy
<purdy at tecman.com> wrote:
> I hardily disagree. When you have inherently more secure code in OS's
> like *NIX and Netware, as evidenced by the paltry number of patches
> required by those OS's (1 in Netware vs. 38 for Windows in the same
This is an apples to oranges comparison. Netware is a network OS.
"Windows" includes all the applications that come with Windows, whether they
are part of the base OS, part of the networking functions or addons.
(IE, OE, etc.)
> it doesn't matter how well you configure Windows, it will still be
> vulnerable, waiting for a compromise of the next discovered hole. The
> reason for this is fundamental in the design. From the use of a
> registry (which corrupts with time, finally requiring re-installation)
I have never experienced this in 20 years of using and supporting Microsoft
products. I guess I'm unique.
> to the fact
> that no single human being knows all the source code for Windows, much
> less audits it, is the difference between MS and the rest.
I assume you can name a single human being who knows all the source code for
Unix? Including the apps? (I really want to meet this person.)
> This is the reason open-source is inherently more secure. First,
> people can actually audit it for security (you think IBM recommended
> Linux without going over every single line of code?)
Which is why they release security advisories for things like kernel
vulnerabilities, right? Because they vetted the code and *knew* it was OK?
They certainly wouldn't audit the code and miss a vulnerability in the linux
kernel, right? Oh, and BTW, where exactly *is* IBM's security site where
you can quickly view all the advisories they've released?
Your arguments are nothing short of silly.
In 2003 there have been 43 security advisories for SUSE Linux according to
RedHat has had 53 during the same time period:
Debian has had 176 during the same time period:
(Makes me wonder if the other vendors are really being honest. Is Debian
that bad? Or just much more thorough, forthright and conscientious than the
During the same time period, Microsoft has had 47. And those 47 include
things like Exchange Server and SQL Server, not *just* the Windows OS. I'd
say *everyone* has a poor record, and instead of OS bigotry we *all* ought
to be concentrating on getting *all* vendors to release more secure code.
Imagine how much fun it is for an enterprise with 10,000 computers, each of
which has to be patched 40 or 50 times a year, *regardless* of the OS. We
ought to be disgusted with *all* the vendors.
Then you have some blaming the "monoculture" for our security problems.
Yeah, what we really need is to do maintenance on ten different platforms,
*all* of which have to be patched 40 or 50 times a year. Yeah, that's my
idea of fun alright. But we'd be more secure because of the diversity,
right? Sure. And I've got some swampland I'm looking to get rid of.
> Second, everyone can see
> the code and contribute fixes when they see a potential problem, not
> after a vulnerability has developed and been discovered.
Sure. This is why buffer overflows have been missed in the code for years,
right? This is why wu-ftpd keeps having new vulns discovered every year,
right? Why sendmail keeps having new vulns discovered over and over again?
Why KDE is constantly being patched for the latest security weakness, right?
Cause people have pored over that code, every line, and they *know* it's
True Netware is
> closed-source but the engineering is superb and it does only what it
> needs to do, be a network OS.
And you know this because you've audited the code, right? Oh wait, you
can't do that. So this is just an opinion based on observation, familiarity
with the product and trust of the vendor.
However, Novell has released 24 security advisories this year:
So it appears your faith in them might be misplaced. It looks like their
programmers are struggling just like everyone else's to write secure code.
> People have the wrong idea when they say "Windows vulns are more
> researched and discovered because it so prevalent. Without a total
> re-architecture and re-write of Windows code, if and when (hopefully)
> Windows OS's become a minority, they will still be getting the vast
> majority of discovered and exploited holes. Lay a dollar to a dime on
When Windows becomes a minority OS, the hackers and script kiddies will have
moved on to whatever is the most popular and weakest platform. I can't name
an OS that hasn't been hacked, can you? I can't name a widely used
application that hasn't had at least *one* patch released for a security
problem, can you? (Even Postfix had a remote DoS recently, which really
Don't get me wrong. My favorite OS right now is FreeBSD. And I believe
that open source is superior to closed, proprietary source, for a number of
But they all have problems, and they all need to be fixed from time to time
and they *all* need to improve their security procedures and code auditing
and programming practices. Every one of them.
What we need is a sea change in the way OS vendors do business. Not OS
bigotry and constant sniping about who's worst and who's best.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.