Linked by Thom Holwerda on Fri 6th Jan 2006 22:56 UTC
Privacy, Security, Encryption Open source experts have hit back at a study published by the United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005, labelling the report misleading and confusing. The report has attracted criticism from the open source community. Linux vendor Red Hat said the vulnerabilities had been miscategorised, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.
This is absolutely right
by hraq on Fri 6th Jan 2006 23:12 UTC
hraq
Member since:
2005-07-06

I have never had RHEL 4.2 crash or get infected, even when I expose it to the internet in the DMZ (Demilitarized Zone) of my router, while Windows gets paralyzed within 10 minutes under the same conditions. I even become unable to switch users. So yes, CERT is another lie we are used to from the US government, like Iraq's weapons of mass destruction.

Reply Score: 5

RE: This is absolutely right
by klynch on Sat 7th Jan 2006 17:54 UTC in reply to "This is absolutely right"
klynch Member since:
2005-07-06

CERT and WMDs? How can you even compare the two?

Reply Score: 2

About time
by SlackerJack on Fri 6th Jan 2006 23:13 UTC
SlackerJack
Member since:
2005-11-12

Yes, it is and next time THINK before you put such powerful words and figures about. Like in all media, the damage is already done once reported.

I really do wonder sometimes if these people know anything about Linux, or just use their Windows background as a front.

Reply Score: 2

RE: About time
by Celerate on Fri 6th Jan 2006 23:26 UTC in reply to "About time"
Celerate Member since:
2005-06-29

"the damage is already done once reported. "

True, but CERT wasn't the first to bend the truth malevolently against Linux. I'd call it outright lies, but the data CERT used could have been legit; the distortion of the truth was in the way they chose to report that data. I do recall several Microsoft-funded "benchmarks" and "studies" that did very much the same: while they probably did run tests, the machines in the tests that ran Linux were intentionally set up very poorly compared to the expertly set up Windows boxes.

I don't think I'd really care to see what the results of a fair comparison would be though. I know what works for me, and when it comes to gaming that's Windows, since it has more games right now and supports my Logitech game pad. I prefer Linux for everything else though, and I'd love to see hardware and software companies pay more positive attention to it.

Reply Score: 3

RE[2]: About time
by molnarcs on Sat 7th Jan 2006 00:26 UTC in reply to "RE: About time"
molnarcs Member since:
2005-09-10

Not only could it have been legit, it could have been used to underline the point of Linux/Unix being more secure. If you look at the numbers, they are more unfavourable to Windows than to Linux/Unix. I don't want to repeat myself; I wrote about this here:
http://slashdot.org/comments.pl?sid=173016&cid=14397409

This is also interesting:
http://slashdot.org/comments.pl?sid=173016&cid=14398027

Reply Score: 4

FUD
by Resolution on Fri 6th Jan 2006 23:22 UTC
Resolution
Member since:
2005-11-14

I'm not usually one to hop on the Linux fanboy bandwagon, but (from the article) it does seem like US-CERT was pretty clueless when compiling this list; clueless in the fact that they took a bunch of vuln sources from here and there and made some sort of grotesque list out of it.

Reply Score: 4

Real World vs. bull...
by Bobmeister on Fri 6th Jan 2006 23:31 UTC
Bobmeister
Member since:
2005-07-06

Well...I agree with hraq...just look at the real world. And wasn't this week a joke, with the whole Windows world blowing up over this stupid WMF thing? So, no matter what is said in some article, it's in the real world where it counts...and like hraq...none of my Red Hat based systems, nor my Novell SUSE based systems, seem to have any problems...and I hook them into some pretty strange networks sometimes that I wouldn't even THINK of hooking a Windows thing into...

There is a lot of FUD out there, and it's all financed....

Reply Score: 4

WMF - 'it happens'
by raboof on Sat 7th Jan 2006 09:04 UTC in reply to "Real World vs. bull..."
raboof Member since:
2005-07-24

wasn't this week a joke with the whole Windows world blowing up over this stupid WMF thing?

What about it? The Linux world also has had its share of embarrassing vulnerabilities (remember the gzip hole?).

Paradoxically, the OSS world often seems to react to such problems in a much more professional manner though.

Reply Score: 1

this is ridiculous
by ivans on Fri 6th Jan 2006 23:40 UTC
ivans
Member since:
2005-12-03

"For example, Firefox is categorised as a Unix/Linux operating system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms. There are methodological flaws in the statistics," Cox claimed.

This is correct, but you won't see IE and IIS bundled in RHEL, nor Apache and PHP on WS2K3, at least not on 99% of computers out there.

The statistics serve their purpose: to compare the relative security in the most common scenarios.

"Generally, many of the vulnerabilities in Linux/Unix based products are classified as local vulnerabilities, including privilege escalation, local denial of service and local exposure of sensitive data. These kind of vulnerabilities are not regarded as particularly critical, but Linux/Unix researchers tend to focus quite a lot on this category, probably because of Unix's long history of proper privilege separation. This has only recently become more relevant in Windows (NT, 2000, and XP), but many Windows researchers still focus more on remote issues."

This is utter crap, the NT kernel has had privilege separation mechanisms built in from day one. Google for the terms: "Security Reference Monitor", "Object Manager", "access token", "TCSEC C2 (aka Orange Book)". So the "recently" means what, 15 years? LOL

"The two figures are not representative of today's two major operating system platforms. One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux."

How can it be non-representative when the first figure represents Win32, .NET and other proprietary APIs/frameworks, and the other one represents POSIX, and open-source frameworks typically found on modern UNIXen?

"You should look at the number of critical vulnerabilities. It's a better comparison to look at the critical vulnerabilities that affect customers due to the platform they use. There are fewer critical vulnerabilities, and they are fixed faster in Red Hat Linux," said Cox.

Secunia seems to disagree
(comparing the OSes released in similar timeframe):
http://secunia.com/product/1173/
http://secunia.com/product/1044/

WS2K3: 76 advisories from 2003-2006
RHEL: 256 advisories from 2003-2006

Geez, I wonder if that can be classified as "miscategorised" or "confusing and misleading".

"There is also the issue of timing. With Linux products, critical updates are available within a day. If you look at Red Hat Enterprise Linux 3, the average patch time is under a day. With the recent critical WMF (Windows Meta File) vulnerability, it took Microsoft seven days."

LOL, what is he talking about? Firefox 1.0.x took 2 MONTHS to patch critical bugs since it had NO PATCH MECHANISM INTEGRATED. And we all remember that leaked remotely exploitable Firefox vuln, when for almost a week any script-kiddie could download a 0day exploit from frsirt.com, don't we?

http://www.eweek.com/article2/0,1759,1814056,00.asp
http://www.frsirt.com/exploits/20050507.firefox0day.php

open-source = eldorado for blackhat hackers and 0day exploits.

Reply Score: 3

RE: this is ridiculous
by dikatlon on Fri 6th Jan 2006 23:49 UTC in reply to "this is ridiculous"
dikatlon Member since:
2005-07-08

Well that's what I call arguments!

Reply Score: 1

RE: this is ridiculous
by abraxas on Sat 7th Jan 2006 00:00 UTC in reply to "this is ridiculous"
abraxas Member since:
2005-07-07

Secunia seems to disagree
(comparing the OSes released in similar timeframe):
http://secunia.com/product/1173/
http://secunia.com/product/1044/

WS2K3: 76 advisories from 2003-2006
RHEL: 256 advisories from 2003-2006

Geez, I wonder if that can be classified as "miscategorised" or "confusing and misleading".

Those statistics are misleading in the very same way CERT's statistics are misleading. The first thing I noticed on the RHEL list was "lynx". What kind of statistics would Windows run up if we counted every little web browser that ran on that platform? Vulnerabilities in applications that are not installed on a computer are not vulnerabilities at all.

Reply Score: 5

RE: this is ridiculous
by ma_d on Sat 7th Jan 2006 00:07 UTC in reply to "this is ridiculous"
ma_d Member since:
2005-06-29

This is utter crap, NT kernel has privilege separation mechanisms built in from day one. Google for terms: "Security Reference Monitor", "Object Manager", "access token", "TCSEC C2 (aka Orange Book". So the "recently" means what, 15 years? LOL
Those don't make a lot of difference when you: 1.) Only have one user. Or 2.) Have everyone as an administrator. Or my favorite 3.) Everyone uses the same account.
Unix has focused on separate users since, well, probably day 1. I'm not too familiar with everything before System V, but I'm just guessing they did, as they were competing, initially, with things like ITS and CTSS.
So, that's 35 years now. The first desktop version of Windows to include NT was in 2001. A lot of business desktops, and the few servers, were NT for a long time before, of course. But people weren't logging into the servers as users, they used server programs on them. VNC and remote terminals just aren't nearly as popular with Windows users as with Unix users. And RDP is pretty recent as well.
And you can see the problem with many of the older programs which keep their settings in non-user-level places. Even IE kept them under Program Files in Win98SE, IIRC.
Microsoft Windows, and its users, clearly have a smaller focus on user separation than Unix users.
Want an example of people who care about local exploits? Web hosts. If they're nice and give you ssh access they worry about local user exploits. How many Windows webhosting companies give you RDP access? Seriously, how many do?


How can it be non-representative when the first figure represents Win32, .NET and other proprietary APIs/frameworks, and the other one represents POSIX, and open-source frameworks typically found on modern UNIXen?
I was going to agree, until you mentioned Posix. Let's look at some of these vulnerabilities...
Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
CenterICQ Insecure Temporary File
CVS 'Cvsbug.In' Script Insecure Temporary File Creation (Updated)
Eric Raymond Fetchmail 'fetchmailconf' Information Disclosure
Yea, acrobat is so Posix. Fetchmail might be Posix in ESR's world, but it's not in this one ;) .

Acrobat is not included in many distributions of Linux, including the most prolific: RedHat.
CVS is rarely a default install item.
And fetchmail usually isn't either.
They're all common, but I know I don't have any of them installed 2-3 times; and that's how many times each was counted.


WS2K3: 76 advisories from 2003-2006
RHEL: 256 advisories from 2003-2006

Reading comprehension. They said critical. Were those all critical? Secunia tracks all flaws, not just critical ones. Also, RHEL supports a lot more software than Microsoft does (and moreso than Microsoft Windows entails).

LOL, what is he talking about? Firefox 1.0.x took 2 MONTHS to patch critical bugs since it had NO PATCH MECHANISM INTEGRATED. And we all remember that leaked remotely exploitable Firefox vuln when almost a week any script-kiddie could download 0day exploit from frsirt.com, don't we?
Firefox is not remote exploitable. Seeing as how Firefox doesn't accept incoming connections, or even watch for them, I don't see how it can be remotely exploited.
Firefox has been slow, at times, to respond to security issues. And believe me, they've gotten flamed for it a lot too. You're not the first.


I'm not sure why people vote on this forum. They obviously don't think their votes through. The other day I got voted up to 5 for the dumbest comment, and anytime I post something relevant and factual (like this) I get voted down. This paragraph isn't directed at you Ivans, just at the 2 people who thought you were enlightened in your post.
FOSS bashing seems to be as in today as Microsoft bashing was 3 years ago. Maybe it's cause Firefox went mainstream? We've lost our punk edge and sold out I guess ;) .

Edited 2006-01-07 00:13

Reply Score: 5

RE[2]: this is ridiculous
by dikatlon on Sat 7th Jan 2006 00:19 UTC in reply to "RE: this is ridiculous"
dikatlon Member since:
2005-07-08

huh I didn't vote ;)
I just didn't have any arguments against that.
But you seemed to have those arguments...

Reply Score: 1

RE[2]: this is ridiculous
by microshag on Sat 7th Jan 2006 00:39 UTC in reply to "RE: this is ridiculous"
microshag Member since:
2005-11-30

"I'm not sure why people vote on this forum. They obviously don't think their votes through."

Should have put that in caps so more people get the message. This score system is pointless.

Reply Score: 2

RE[3]: this is ridiculous
by ma_d on Sat 7th Jan 2006 00:42 UTC in reply to "RE[2]: this is ridiculous"
ma_d Member since:
2005-06-29

Not completely. It shuts up the worst trolls. I think it's a good start and there are some things they can do to make it better. I actually liked it better before they got into the whole "only vote down for these reasons" thing. The trouble was they didn't put an accompanying "only vote up for these reasons".
And now you see that almost everyone has a positive vote average because there's so much unmatched up voting. You're thinking, I wanna vote him down cause I disagree; but it's also cause he's totally offbase and some idiots voted him up to 5!

Reply Score: 1

RE[4]: this is ridiculous
by Celerate on Sat 7th Jan 2006 01:13 UTC in reply to "RE[3]: this is ridiculous"
Celerate Member since:
2005-06-29

"Not completely. It shuts up the worst trolls."

It's almost shut me up for good a couple of times, and I'm no troll. I've been moderated down for good comments before because people didn't agree with them. The sad thing is that the likelihood of that happening has increased very sharply in my observations. From what I'm seeing there's a good number of people who don't give a damn about the rules for moderating, they just click plus or minus based on how much they like what they're hearing. When the time comes to choose a reason for voting down comments, they simply choose one of the working reasons, knowing full well that honesty won't achieve their goals of censorship.

The most aggravating thing though is that I try my best not to vote comments down, and when I do I am very careful not to go against the site rules. I've even gone around voting comments I couldn't possibly agree with back up to 0 just because several other people voted them down against the rules.

What worries me the most though is the apparent lack of response from other OSNews readers. For the most part the majority seem perfectly OK with comments being moderated down based on whether people like them or not, and people like me who try to set things straight aren't numerous enough to fix the problem as a result.

Reply Score: 1

RE[5]: this is ridiculous
by raver31 on Sat 7th Jan 2006 09:25 UTC in reply to "RE[4]: this is ridiculous"
raver31 Member since:
2005-07-06

I agree with you, there should also be a tick box for if you agree/disagree with the comment.

however, just because someone mods you down for disagreeing, it is not to stop someone else coming along and modding you up again, if you had made a good point in the first place.

Reply Score: 2

RE[6]: this is ridiculous
by Celerate on Sat 7th Jan 2006 17:31 UTC in reply to "RE[5]: this is ridiculous"
Celerate Member since:
2005-06-29

"however, just because someone mods you down for disagreeing, it is not to stop someone else coming along and modding you up again, if you had made a good point in the first place."

That's true if a comment isn't too low to be seen, but once it gets to -2 or lower most people will skip over it. I've had good comments get moderated to -2 or lower and then people never saw them to moderate them back up.

Reply Score: 1

RE[2]: this is ridiculous
by ivans on Sat 7th Jan 2006 00:50 UTC in reply to "RE: this is ridiculous"
ivans Member since:
2005-12-03

And you can see the problem with many of the older programs which keep their settings in non-user-level places. Even IE kept them under Program Files in Win98SE, IIRC.
Microsoft Windows, and its users, clearly have a smaller focus on user separation than Unix users.


I don't really care if Windows has a "smaller focus on user separation", the original claim in the article was that it was something that "became relevant only recently". Privilege separation is something built into the OS from the very beginning, and every Windows Logo certified app works perfectly under LUA: it writes configuration to the CSIDL_COMMON_DOCUMENTS/CSIDL_PROFILE directories and HKCU etc. You can use the RunAs tool for launching processes under different credentials.

In a corporate environment EVERY app pretty much has to be LUA-friendly, else it won't work. So someone please tell me how privilege escalation bugs are "not relevant". Google "shatter attacks", "windows kernel privilege escalation"..

I was going to agree, until you mentioned Posix. Let's look at some of these vulnerabilities...
Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
CenterICQ Insecure Temporary File
CVS 'Cvsbug.In' Script Insecure Temporary File Creation (Updated)
Eric Raymond Fetchmail 'fetchmailconf' Information Disclosure
Yea, acrobat is so Posix. Fetchmail might be Posix in ESR's world, but it's not in this one ;) .


But! Besides POSIX, I also mentioned "other open-source frameworks" ;) It really doesn't matter which one is used, be it Qt, GTK, wxWidgets, FLTK...you won't see many commercial Windows apps built on open-source frameworks or the POSIX subsystem for Windows (SFU), just as you won't see Linux apps built on closed-source frameworks.

It doesn't really matter if a particular FOSS app has a Windows port, where almost no one uses it in favour of proprietary apps, but it DOES matter if it's packaged by default with the most popular distros. And this is what matters: the common usage scenario. Almost no one uses, for example, fetchmail/mplayer on Windows, so it doesn't matter!

Reading comprehension. They said critical. Were those all critical? Secunia tracks all flaws, not just critical ones.

The percentage deviation in criticality doesn't compensate for the 4 times more bugs RHEL seems to have. 22% * 256 advisories on RHEL vs. 39% * 76 advisories on WS2K3. Do the math yourself ;)

Also, RHEL supports a lot more software than Microsoft does (and moreso than Microsoft Windows entails).

Who cares, we count the bugs in linux kernel + packages bundled with RHEL vs. bugs in WS2K3 as a complete OS (NTOSKRNL + Win32 userland apps).

Firefox is not remote exploitable. Seeing as how Firefox doesn't accept incoming connections, or even watch for them, I don't see how it can be remotely exploited.

Oh yes it is. Did you even read the vuln description?
http://www.frsirt.com/exploits/20050507.firefox0day.php

"If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file."

Just like the WMF flaw. But it really depends on what you describe as "remotely exploitable". For me it means that bad guys can break into my computer remotely, without my interaction. In this context, both the FF and WMF flaw are NOT remotely exploitable.

But it could also mean that it could be exploited simply by visiting a malicious web site. In this sense the WMF flaw was designated as "remotely exploitable", and so is this FF flaw.

Edited 2006-01-07 00:58

Reply Score: 3
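The disagreement running through this sub-thread is about what an advisory count actually measures: abraxas argues that advisories for packages not installed on a machine are not vulnerabilities of that machine, ma_d points out that Cox's claim concerned critical flaws while Secunia lists every flaw, and ivans replies that the criticality split has to be applied to both totals before comparing them. The script below makes that normalization concrete. It is an added example, not code from any commenter or from Secunia: the advisory records, their ids and the severity labels are constructed, and the installed-package set describes one hypothetical host.

```python
"""Normalize an advisory feed by installed package set and severity.

Added example (not from the thread or from Secunia): the feed below is
constructed, and the severity scale is a stand-in for a real one.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed severity ordering, lowest to highest.
SEVERITY_RANK = {
    "not critical": 0,
    "less critical": 1,
    "moderately critical": 2,
    "highly critical": 3,
    "extremely critical": 4,
}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real advisory number
    package: str       # package the advisory is filed against
    severity: str      # one of the SEVERITY_RANK keys
    local_only: bool   # True if it needs an already logged-in local user


# Constructed sample feed for one distribution. 'acroread' and 'lynx' appear
# because the vendor ships them, not because the host below runs them.
SAMPLE_FEED = [
    Advisory("ADV-0001", "kernel", "highly critical", False),
    Advisory("ADV-0002", "lynx", "moderately critical", False),
    Advisory("ADV-0003", "fetchmail", "less critical", True),
    Advisory("ADV-0004", "httpd", "highly critical", False),
    Advisory("ADV-0005", "cvs", "less critical", True),
    Advisory("ADV-0006", "acroread", "highly critical", False),
    Advisory("ADV-0007", "kernel", "less critical", True),
    Advisory("ADV-0008", "openssh", "moderately critical", False),
]

# Assumed package list of one hypothetical server: kernel, web server, ssh.
INSTALLED = {"kernel", "httpd", "openssh"}


def filter_advisories(feed: Iterable[Advisory],
                      installed: Optional[Set[str]] = None,
                      min_severity: Optional[str] = None,
                      remote_only: bool = False) -> List[Advisory]:
    """Keep only the advisories that apply under the given criteria.

    installed    -- if given, drop advisories for packages not on the host
    min_severity -- if given, drop advisories below this severity label
    remote_only  -- if True, drop advisories that need a local account
    """
    floor = SEVERITY_RANK[min_severity] if min_severity else 0
    kept = []
    for adv in feed:
        if installed is not None and adv.package not in installed:
            continue
        if SEVERITY_RANK[adv.severity] < floor:
            continue
        if remote_only and adv.local_only:
            continue
        kept.append(adv)
    return kept


def severity_breakdown(feed: Iterable[Advisory]) -> Counter:
    """Count advisories per severity label, so totals can be compared by class."""
    return Counter(adv.severity for adv in feed)


def summarize(feed: List[Advisory], installed: Set[str]) -> dict:
    """Put the headline number next to the numbers that matter for one host."""
    return {
        "headline_total": len(feed),
        "installed": len(filter_advisories(feed, installed=installed)),
        "installed_critical": len(filter_advisories(
            feed, installed=installed, min_severity="highly critical")),
        "installed_remote": len(filter_advisories(
            feed, installed=installed, remote_only=True)),
        "installed_critical_remote": len(filter_advisories(
            feed, installed=installed, min_severity="highly critical",
            remote_only=True)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FEED, INSTALLED).items():
        print(f"{key:28s} {value}")
    installed_only = filter_advisories(SAMPLE_FEED, installed=INSTALLED)
    print(dict(severity_breakdown(installed_only)))
```

Run against two vendors' feeds with the same `installed` set and the same severity floor, the `installed_critical_remote` row is the number the thread is really arguing about; the `headline_total` row is the one the CERT summary and the Secunia product pages report, and it moves with how much software a vendor chooses to ship.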

RE[3]: this is ridiculous
by molnarcs on Sat 7th Jan 2006 01:23 UTC in reply to "RE[2]: this is ridiculous"
molnarcs Member since:
2005-09-10

Who cares, we count the bugs in linux kernel + packages bundled with RHEL vs. bugs in WS2K3 as a complete OS (NTOSKRNL + Win32 userland apps).

That's where you are wrong. A bug in ServU is a ServU bug, not a win3k bug, so it won't show up in win3k vulnerabilities, while every single bug found in all ftp servers, databases, languages (java, php, etc..) supported by RH will show up.

Regardless, I think these pictures sum it up rather well why win3k is less secure than RHEL:

Win3K: http://secunia.com/graph/?type=sol&period=all&prod=1173

RHEL: http://secunia.com/graph/?type=sol&period=all&prod=1044

Reply Score: 2

RE[4]: this is ridiculous
by ivans on Sat 7th Jan 2006 02:58 UTC in reply to "RE[3]: this is ridiculous"
ivans Member since:
2005-12-03

That's where you are wrong. A bug in ServU is a ServU bug, not a win3k bug, so it won't show up in win3k vulnerabilities, while every single bug found in all ftp servers, databases, languages (java, php, etc..) supported by RH will show up.

Welcome to the open-source model of services.

Microsoft doesn't support the 3rd party ServU, whereas RH does support its RPMs; that's the crucial difference.

Regardless, I think these pictures sum it up rather well why win3k is less secure than RHEL:

Win3K: http://secunia.com/graph/?type=sol&period=all&prod=1173

RHEL: http://secunia.com/graph/?type=sol&period=all&prod=1044


Most unpatched secunia "flaws" on WS2K3 are just vapour. They are not real flaws, but the product of someone's imagination and unspecified sources, and have no real-life damage potential.

http://secunia.com/advisories/16210/

Unspecified vulnerability, advisory published as a "eweek article" based on rumors of an unsigned security researcher? Where is the flaw, what instruction, where is the PoC code? Nowhere, because this is a vapour bug.

http://secunia.com/advisories/14061/

So, if a trusted user is logged in on a TS server and opens several hundred thousand handles on a specified key, they could prevent other users from logging in. Despite the fact that it would consume a large amount of resources, immediately noticed by the admin or killed by quota, and despite the fact that there are dozens of other ways of raping system resources..

http://secunia.com/advisories/13645/

It says it is "partially fixed", although MS issued all the patches necessary, and secunia doesn't specify which parts were left unpatched. In fact, the original bug test page, http://www.xfocus.net/flashsky/icoExp/, on my fully patched XP SP2 produces exactly ZERO positive tests. Vapour.

http://secunia.com/advisories/9720/

This is my favorite. A 2-year-old "flaw" in a proactive buffer-overflow prevention mechanism that could be bypassed with "specially crafted shellcode". Geez, I thought that EVERY buffer/heap/integer.. overflow prevention mechanism leaves a small attack window, even PaX with ASLR!

Actually this /GS compiler flag "bug" has been fixed with the /SAFESEH switch; XP SP2 and WS2K3 SP1 were compiled with both switches "on" and they are enabled by default in Visual Studio 2005.

So this is black-and-white proof that some of secunia's "bugs" are pure vapour.

http://secunia.com/advisories/9921/

Actually the recommended way for software running with higher privileges on a LUA desktop is to run inside a JOB with the JOB_OBJECT_UILIMIT_HANDLE flag set "on", which will disable any kind of WM_* messages sent from processes outside the job, including the LUA-created ones. This is no Windows bug, it's a potential bug for badly written 3rd party software.

So most of this secunia stuff is pure BS, I guess they put it there so that linux cowboys can have mental orgasms quoting "xy unpatched window flaws".

Oh well, have fun, I go to sleep now ;)

Reply Score: 3

RE[5]: this is ridiculous
by molnarcs on Sat 7th Jan 2006 15:34 UTC in reply to "RE[4]: this is ridiculous"
molnarcs Member since:
2005-09-10

Most unpatched secunia "flaws" on WS2K3 are just vapour. There are not real flaws, but the product of someone's imagination, unspecified sources and have no real-life damage potential.

It is amazing how you use secunia info at one point to prove your diatribe against floss, and next, when secunia information becomes uncomfortable, you discard it like this.

Reply Score: 1

RE[6]: this is ridiculous
by Sphinx on Sat 7th Jan 2006 17:39 UTC in reply to "RE[5]: this is ridiculous"
Sphinx Member since:
2005-07-09

It is amazing how you use secunia info at one point to prove your diatribe against floss, and next, when secunia information becomes uncomfortable, you discard it like this.

Good observation, that's a key propaganda indicator.

Reply Score: 2

RE[6]: this is ridiculous
by ma_d on Sat 7th Jan 2006 17:44 UTC in reply to "RE[5]: this is ridiculous"
ma_d Member since:
2005-06-29

Why isn't there a self-contradictory flag for modding people down? He's been modded up to 3 for quoting secunia and at the same time attempting to destroy secunia's reputation.
"I did not have sex with that woman, she's lying."
"She says you didn't smoke the pot."
"Oh, yea, she's right about that; I have a witness!"
"Is the witness her?"
"Yes."

Reply Score: 1

RE[3]: this is ridiculous
by ma_d on Sat 7th Jan 2006 02:04 UTC in reply to "RE[2]: this is ridiculous"
ma_d Member since:
2005-06-29

So someone please tell me how privilege escalation bugs are "not relevant". Google on "shatter attacks", "windows kernel privilege escalation"..
Because there are few multi-user Windows machines. I already told you this. Microsoft does listen to its customers, and few of them have multi-user machines. They may have reduced privileges, but they're probably the only user on their computer. Their domain has thousands of users, and domain priv escalation would be a bad thing; but their computer has only them.


It doesn't really matter if particular FOSS app has a Windows port, where almost no-one uses it in favour of proprietary apps, but it DOES matter if it's by default packaged with most popular distros. And this is what matters - common usage scenario. Almost noone uses for example fetchmail/mplayer on Windows, so it doesn't matter!
Fetchmail isn't available for Windows ;) .

The percantage deviation on criticality doesn't compensate for 4 times more bugs RHEL seems to have. 22% * 256 advisories on RHEL vs. 39% * 76 advisories on WS2K3. Do the math yourself ;)
Ah, but RHEL ships how much software, and Windows ships how much software? Where's that Windows PDF viewer again?
I know Secunia doesn't include acrobat holes as Windows holes.

Oh yes it is. Did you even read the vuln description?
http://www.frsirt.com/exploits/20050507.firefox0day.php

"If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file."

Remote exploits do not involve user interaction. As you said, and I said, but for some reason you're still arguing.

The nice thing about Javascript flaws is that you can shut Javascript off ;) . I have it off, and turn it on for certain pages. Of course, you can shut off WMF; not that anyone knew what it was before last week.

Reply Score: 4

RE[4]: this is ridiculous
by ivans on Sat 7th Jan 2006 02:21 UTC in reply to "RE[3]: this is ridiculous"
ivans Member since:
2005-12-03

Because there are few multi-user Windows machines.

It's just 5000 of them in my college ;) And every corporate desktop is run in LUA, and you certainly cannot dismiss them so easily.

Also you seem to confuse the "privilege escalation" with "multiuser" - it's not the point to have hundreds of different accounts on the machine, two (Administrator and LUA) is just enough.

Fetchmail isn't available for Windows ;)

That's what you think ;)
http://www.interopsystems.com/tools/warehouse.htm

Ah, but RHEL ships how much software, and Windows ships how much software? Where's that Windows PDF viewer again?

But it DOESN'T MATTER, if the package is a part of RHEL installation, it has to be counted! That's the bad thing of popular linux distros - thousand different programs, each having their own holes, most of them are a part of default install and most users WILL install them all.

Remote exploits do not involve user interaction. As you said, and I said, but for some reason you're still arguing.

It's because WMF fits into the same category as this FF flaw (user has to visit a malicious web page), and yet you see that bugtraq, secunia, frsirt..all marked this WMF and FF flaw as "remotely exploitable". You need to check on your terminology usage ;)

Reply Score: 2

RE[5]: this is ridiculous
by ma_d on Sat 7th Jan 2006 04:18 UTC in reply to "RE[4]: this is ridiculous"
ma_d Member since:
2005-06-29

With 5,000 machines your college is almost certainly using a domain system. That's a bit different from straight multi-user machines.

Privilege escalations only matter when you have untrusted users, which means you have more than 2. No one is going to hack their own machine with malicious intent. You're not worried about the programs you run doing it; that's really not something people on *nix platforms think about. Instead they just don't run random code from anywhere. That's one reason for distributions: if you only use your distribution's packages you know someone else has tested the code you're running.


But it DOESN'T MATTER, if the package is a part of RHEL installation, it has to be counted! That's the bad thing of popular linux distros - thousand different programs, each having their own holes, most of them are a part of default install and most users WILL install them all.
No, default installs are almost always under 2.5GB. That's not a lot of software. Most systems default to one desktop, one app for each common task, and no servers.
And still, the default install doesn't start all your programs for you. You have to do that yourself (this changed about 3 years or so ago with daemons). Programs on a hard disk are no more dangerous than word documents; you have to start them to be in danger.

Reply Score: 1

RE[5]: this is ridiculous
by molnarcs on Sat 7th Jan 2006 19:07 UTC in reply to "RE[4]: this is ridiculous"
molnarcs Member since:
2005-09-10

It's because WMF fits into the same category as this FF flaw (user has to visit a malicious web page),

Oh yes, here we go again, with deliberately distorting the facts to prove your point. Or ironically, you are right, actually it fits the same category as the FF flaw. Problem is (and you ignore it conveniently) that the WMF flaw has multiple attack vectors. Visiting a page is just one of them - and even if it were the only one, it would still be more serious than the FF flaw, for you can put up wmf images masked as jpeg or png on almost any page or popup window. You can upload it to a blog, attach it to a post on a random forum, etc. But the WMF exploit is a single payload multi vector attack that you can get via almost any means - email, msn, media, etc. When you claimed that the WMF vuln. is in the same category as the FF vuln. you lost any remaining credibility here.

Reply Score: 1

RE[2]: this is ridiculous
by chemical_scum on Sat 7th Jan 2006 01:02 UTC in reply to "RE: this is ridiculous"
chemical_scum Member since:
2005-11-02

FOSS bashing seems to be as in today as Microsoft bashing was 3 years ago. Maybe it's cause Firefox went mainstream? We've lost our punk edge and sold out I guess ;) .

I think that is only partly true at most. It seems to me that there is an organized campaign of anti-FOSS posting and astroturfing by MS employees and MS partner employees that appeared to come into effect a few months ago. The other factor is, as GNU/Linux gets more widely used in the corporate area, people with only a Windows background in IT start to feel a little scared and let off steam against FOSS.

Reply Score: 1

RE[3]: this is ridiculous
by raver31 on Sat 7th Jan 2006 09:35 UTC in reply to "RE[2]: this is ridiculous"
raver31 Member since:
2005-07-06

I noticed that on this site. There are a lot of anti-foss people around since August 2005.

They jump on Linux/BSD and FF on every opportunity, in fact, they have been saying things like:

"calm down eh, calm down, there is no danger. this exploit will only affect stupid people who click on porn sites.."

yeah right.

I have read the microsoft reports, and I have used Windows from version 3.0 up. I know wmf files are ubiquitous in ALL versions of Windows.

Microsoft should be forced by a court of law to fix ALL versions of Windows and btw, all versions of Office, Publisher, Works etc which have wmf support built in.

AND... Another thing.

When I am looking for new support staff, I do not even give interviews to MCSEs anymore. I took one on once, and he did not have a clue about any system other than Windows. I have no time or money to train them type up properly.

Reply Score: 3

RE[3]: this is ridiculous
by ma_d on Sat 7th Jan 2006 17:48 UTC in reply to "RE[2]: this is ridiculous"
ma_d Member since:
2005-06-29

This is an interesting theory I've heard stated before. I've been writing it off as conspiracy conjecture.
But, I have noticed that the pro-Microsoft factor on this site has gotten about 5,000x more knowledgable than they used to be!
Microsoft does let its people waste infinite amounts of time taking videos and blogging (scobleizer), so maybe they encourage some people to go argue in the larger internet forums.
But I'm just making a theory: I'm not subscribing to it!

Reply Score: 2

RE[2]: this is ridiculous
by gonzo on Sat 7th Jan 2006 01:02 UTC in reply to "RE: this is ridiculous"
gonzo Member since:
2005-11-10

Unix has focused on seperate users since, well, probably day 1
...
So, that's 35 years now.

Well, this is both true and false and here's why:

What about GNU/Linux.. is not Unix? Yes? No?

RH Linux was available 35 years ago?

The first desktop OS for Windows to include NT was in 2001.

So Windows NT Workstation was server OS?

Besides, we're in 2006.. right?

Reply Score: 1

RE[3]: this is ridiculous
by ma_d on Sat 7th Jan 2006 02:07 UTC in reply to "RE[2]: this is ridiculous"
ma_d Member since:
2005-06-29

I don't know if I mentioned it in that post or not but: Linux runs Unix programs.
That means it's designed a LOT like Unix.

See how that makes the statement work?

Reply Score: 1

RE[4]: this is ridiculous
by gonzo on Sat 7th Jan 2006 02:31 UTC in reply to "RE[3]: this is ridiculous"
gonzo Member since:
2005-11-10

I don't know if I mentioned it in that post or not but: Linux runs Unix programs.
That means it's designed a LOT like Unix.

See how that makes the statement work?


I see how it works for Unix, but not for Linux.

However, Linux was not available 35 years ago.

That is why I said "..true and false."

Reply Score: 1

RE[5]: this is ridiculous
by ma_d on Sat 7th Jan 2006 04:05 UTC in reply to "RE[4]: this is ridiculous"
ma_d Member since:
2005-06-29

Linux is designed like Unix.
I was talking about Linux' design.
Unix is 35 years old.
This implies Linux design is 35 years old.

It's not perfect, but it definitely makes a lot of sense to say that Linux' design benefits from 35 years of work as it's compatible with a system that is that old.

Reply Score: 1

RE[6]: this is ridiculous
by gonzo on Sat 7th Jan 2006 04:55 UTC in reply to "RE[5]: this is ridiculous"
gonzo Member since:
2005-11-10

Linux is designed like Unix.
I was talking about Linux' design.
Unix is 35 years old.
This implies Linux design is 35 years old.


This implies Linux is a cheap Unix clone. Yet, a poor one.

Here's what Ken Thompson said about Linux and Windows:

Thompson: I view Linux as something that's not Microsoft -- a backlash against Microsoft, no more and no less.
..
A whole bunch of random people have contributed to this source, and the quality varies drastically.
..
My experience and some of my friends' experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse.
...


I believe everyone knows who Ken Thompson is. Also, check Dave Cutler and then check Linus Torvalds. Then compare all three of them.

Please, be open minded.

Bye.

Reply Score: 1

RE[7]: this is ridiculous
by happycamper on Sat 7th Jan 2006 05:43 UTC in reply to "RE[6]: this is ridiculous"
happycamper Member since:
2006-01-01

My experience and some of my friends' experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse.


How is Linux unreliable? When Windows is infected with worms, viruses, spyware, etc. each day and costs companies and home users a lot of money to fix those problems, and those are serious problems. If I mention the rest of the Windows problems I would convince myself to format C:. Those kinds of problems are unheard of with Linux. Maybe that's why I don't trust banks.

Reply Score: 1

RE[7]: this is ridiculous
by ma_d on Sat 7th Jan 2006 06:26 UTC in reply to "RE[6]: this is ridiculous"
ma_d Member since:
2005-06-29

Linux runs Unix code. It implements 99% of its standards. Ken Thompson is entitled to his opinion, but he does not determine if GNU/Linux is a breed of Unix.

Let me finish the quote for you though, since you left it unfinished:
I view Linux as something that's not Microsoft—a backlash against Microsoft, no more and no less. I don't think it will be very successful in the long run. I've looked at the source and there are pieces that are good and pieces that are not. A whole bunch of random people have contributed to this source, and the quality varies drastically.

My experience and some of my friends' experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse. In a non-PC environment, it just won't hold up. If you're using it on a single box, that's one thing. But if you want to use Linux in firewalls, gateways, embedded systems, and so on, it has a long way to go.

Let me repeat the last sentence for you.
But if you want to use Linux in firewalls, gateways, embedded systems, and so on, it has a long way to go.
It's there.

These quotes are from 1999. That was around 6-7 years ago. He was working on Plan 9 at the time...


I'm sorry that you have to quote and name drop; but I'm completely able to come to my own conclusions without the help of historic figures, celebrities, or anyone else with a status that warrants their involvement in name dropping.

It appears that your thesis is: Dave Cutler is a better programmer than Linus. Ken Thompson is God and has ridiculed Linus' code. Linus wrote Linux, therefore Linux sucks. Dave Cutler wrote NT, therefore NT rocks.
That sum it up pretty well?

Guess what. I don't care who wrote it. This isn't politics.

Ok. I'll bite. Here's Ken's follow up, as quoted by ESR (know who he is, that's right, not one to worship ;) ): http://www.linuxtoday.com/news_story.php3?ltsn=1999-05-07-016-05-NW...

Some excerpts:
``i very much appreciate the chance to look at available code when i am faced with the task of interfacing to some nightmare piece of hardware'' and that ``i think the open software movement (and linux in particular) is laudable.''

Ken further adds ``i dont see eye-to-eye with microsoft's business practices.'' His original language was rather stronger and more entertaining, but he asked me not to quote that in order to avoid giving Lucent's lawyers heart failure.

The bad news is that Ken still thinks Linux is flaky. I offered to have VA Linux Labs ship him a machine so he could see what a properly tuned modern Linux looks like, but he said he couldn't accept. He adds ``i do believe that in a race, it is naive to think linux has a hope of making a dent against microsoft starting from way behind with a fraction of the resources and amateur labor. (i feel the same about unix.)''


Huh. He said he doesn't think Unix could succeed against Microsoft either. I remind you this was a time when Unix was king of the server world.

And finally, the biggest reason I like Linux:
Ken did finish by saying ``i must say the linux community is a lot nicer than the unix community. a negative comment on unix would warrent death threats. with linux, it is like stirring up a nest of butterflies.'' (Hm. Butterfly T-shirts, anyone?)

Quit name dropping, quoting, and try making your own arguments.

Reply Score: 1

RE: this is ridiculous
by dylansmrjones on Sat 7th Jan 2006 01:01 UTC in reply to "this is ridiculous"
dylansmrjones Member since:
2005-10-02

Security company Secunia agreed with Christey that the various vulnerability collection sources made comparison of Windows and Linux/Unix hard.

"I think Steve has got some good points on why comparing vulnerability numbers is difficult," said Thomas Kristensen, chief technical officer at Secunia.


Secunia agrees, as I expected them to.

Besides that, numbers of flaws are less important than the critical level of said flaws. Low security risk combined with low numbers of flaws is best; high security risk combined with high numbers of flaws is bad.

When you look at it that way, Secunia's statistics clearly show Windows (in general) to be much more insecure than Red Hat's distributions (or other mainstream linux distributions).

The same goes for IE vs. FireFox.
As a Dane I'm happy to see Secunia staying straight on their line of information of high fidelity.

Reply Score: 2

RE: this is ridiculous
by dylansmrjones on Sat 7th Jan 2006 01:10 UTC in reply to "this is ridiculous"
dylansmrjones Member since:
2005-10-02

open-source = eldorado for blackhat hackers and 0day exploits.

A fantastic example of an astroturfer spreading FUD about open source.

At least it proves you have zero credibility.
The same would go if you claimed Windows was an eldorado for blackhat hackers and 0day exploits. It's no longer true. It has serious issues, but not as many as 6 years ago. Microsoft has become better. But open source software is still generally more secure.

Reply Score: 5

RE: this is ridiculous
by molnarcs on Sat 7th Jan 2006 01:13 UTC in reply to "this is ridiculous"
molnarcs Member since:
2005-09-10

No it is not ridiculous, although I'm not happy about the way they put it, because they should emphasize the fact that you have (deliberately?) overlooked: the application stack. They should draw attention to the difference, because FUD based on this "oversight" is very common - in fact, all the "independent" studies build upon it, the same way you do.

When you assess the relative security of two platforms you have to take a look at the functionalities they provide. Since you like bold it seems, I'll emphasize it to you.

Forget about all the vulnerabilities that are counted for every conceivable FTP server RHEL supports, because win3k supports none, and vulnerabilities in Kerio are not counted for win3k, are they? Forget every single graphical shell RHEL supports, because win3k supports just one. Forget about thttpd bugs, because non-IIS webservers are not counted, are they?

In other words, compare apples to apples. RHEL with the same core functionality that win3k provides out of the box: kernel + glibc + shell + dependencies - I'm generous, so you might count bugs found in ONE graphical UI RHEL supports, but it has to be stripped down (and most likely it is) to provide the SAME functionality as the windows graphical shell. Then pick those servers/services that are equivalent to those that come with the win3k bundle. One webserver (and one version! you won't be running IIS 4 or 5 on win3k) - apache -, one database (PostgreSQL), one mail server (Postfix), SAMBA, etc.

NOW DO THE MATH AGAIN.


You, just like most of these comparisons, forget that RHEL supports 100x more apps than win3k by default (I mean RHEL takes responsibility for all the apps it ships, while Microsoft doesn't take responsibility for bugs in other vendors' products). And when I say 100x more, I'm not exaggerating. Count it. I'll just give you one example - IIS and mod_rewrite (or clean URLs, url rewrite). IIS does not support it - so you have to buy it actually from a 3rd party vendor (I'm not joking - IIS does not support such a basic functionality). Now when a bug is found in this module, it won't be counted as a win3k bug. Apache supports it by default (mod_rewrite is now part of apache2 core I think - and so are many many more modules). There is a whole support industry (just think of FTP - what professional grade FTP server does win3k ship?) around the windows platform, and none of the bugs found in those apps will be counted as win3k bugs per se by secunia. They are Kerio bugs, ServU bugs, etc.

Anyway, the point is that your comparison is still flawed at this point. Compare an average win3k server (define its role first btw) with an average RHEL server (that has the same role) - and count the vulnerabilities of both - that would be a correct and relevant comparison, because that would tell you about the relative security of these platforms in specific roles. Not a single independent (cough... sponsored cough) study does that... guess why? Because the results would be rather embarrassing for a certain company that touts "secure computing" for over 2 (3?) years now.

Edit: edited some typos (probably not all) ... English is not my native language, but I try ...

Edited 2006-01-07 01:29

Reply Score: 5

RE[2]: this is ridiculous
by ivans on Sat 7th Jan 2006 01:41 UTC in reply to "RE: this is ridiculous"
ivans Member since:
2005-12-03

In other words, compare apples to apples. RHEL with the same core functionality that win3k provides out of the box: kernel + glibc + shell + dependencies - I'm generous, so you might count bugs found in ONE graphical UI RHEL supports, but it has to be stripped down (and most likely it is) to provide the SAME functionality as the windows graphical shell. Then pick those servers/services that are equivalent to those that come with the win3k bundle. One webserver (and one version! you won't be running IIS 4 or 5 on win3k) - apache -, one database (PostgreSQL), one mail server (Postfix), SAMBA, etc.

Okie, let's compare a typical scenario: LAMP vs Windows Server 2003 + IIS 6.0 + MS SQL Server 2000 + ASP.NET


http://secunia.com
RHEL: 256
WS2K3: 76

Apache 2.0.x: 28
IIS 6.0: 2

MySQL 4.x: 13
MS SQL Server 2000: 6

http://www.securityfocus.com/bid/

ASP.NET (1.0 & 2.0): 6
PHP: 62

We could also manually count linux kernel-mode bugs vs. NT kernel-mode bugs, but I don't think you're gonna like the results either, you're just gonna fit them in your favorite conspiracy theory.

I'll just say to you that there were no windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for linux were written 7 years ago. And wanna know why? Because no one understood properly what windows kernel does, and how it could be used to exploit security vulnerabilities inside the drivers/kernel because of its undocumented nature, and several brilliant researchers (Barnaby Jack from eEye, valerino from rootkit.com, ey4s from xfocus.org) managed to get some lame PoC that only worked on specific SPs and builds.

I'll just quote the comment of the PaX team, whom I don't think need to be particularly introduced (http://en.wikipedia.org/wiki/PaX), and you decide what you think for yourself:

http://lwn.net/Articles/118251/

Using 'advanced static analysis': "cd drivers; grep copy_from_user -r ./* |grep -v sizeof", I discovered 4 exploitable vulnerabilities in a matter of 15 minutes. More vulnerabilities were found in 2.6 than in 2.4. It's a pretty sad state of affairs for Linux security when someone can find 4 exploitable vulnerabilities in a matter of minutes. Since there was no point in sending more vulnerability reports when the first hadn't even been responded to, I'm including all four of them in this mail, as well as a POC for the poolsize bug. The other bugs can have POCs written for just as trivially. The poolsize bug requires uid 0, but not any root capabilities. The scsi and serial bugs depend on the permissions of their respective devices, and thus can possibly be exploited as non-root. The scsi bug in particular has a couple different attack vectors that I haven't even bothered to investigate. Some of these bugs have gone unfixed for several years.

So please explain to me how open source is not a bugs eldorado, when detecting similar flaws in the windows kernel would require manual disassembling and understanding of asm code which is extremely complex and documented absolutely nowhere. On the open-source linux kernel, all you need to do is "grep". Secure my arse.

Edited 2006-01-07 01:44

Reply Score: 4
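The grep one-liner the PaX team is quoted with above is a blunt audit heuristic: it drops every copy_from_user() whose length is a sizeof() and leaves a reviewer to inspect the rest by hand. The following is an added example (not from any post here and not PaX code) that reproduces that idea as a small review script over a constructed driver fragment, and refines it slightly by suppressing a finding when the length variable is visibly bounds-checked earlier in the same function. The sample C code, the `dev_write`/`dev_ioctl` functions and the `struct req` layout are all invented for the demonstration.

```python
"""
Audit heuristic modelled on the quoted one-liner
(grep copy_from_user -r ./* | grep -v sizeof): flag copy_from_user()
calls whose length is not a compile-time size, then suppress the flag
when the length variable is compared against a bound earlier in the
same function. Added example; the driver fragment below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed C fragment (not real kernel code) with four copy_from_user() calls.
SAMPLE_DRIVER = r"""
static ssize_t dev_write(struct file *f, const char __user *buf,
                         size_t count, loff_t *off)
{
    struct cfg cfg;
    char tmp[64];

    /* (1) fixed-size copy: this is what `grep -v sizeof` drops */
    if (copy_from_user(&cfg, buf, sizeof(cfg)))
        return -EFAULT;

    /* (2) user-controlled length, but explicitly bounded first */
    if (count > sizeof(tmp))
        return -EINVAL;
    if (copy_from_user(tmp, buf, count))
        return -EFAULT;
    return count;
}

static long dev_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
    struct req req;
    u32 words[16];

    /* (3) fixed-size header copy, then (4) a length taken from that header */
    if (copy_from_user(&req, (void __user *)arg, sizeof(req)))
        return -EFAULT;
    if (copy_from_user(words, req.data, req.len))
        return -EFAULT;
    return 0;
}
"""

SIZE_LITERAL_RE = re.compile(r"^(sizeof\s*\(.*\)|\d+|0x[0-9a-fA-F]+)$", re.S)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


@dataclass
class Finding:
    line: int          # 1-based line of the call in the scanned source
    length_expr: str   # the third argument as written
    bounded: bool      # a comparison on the length variable was seen earlier


def _call_args(src: str, open_paren: int) -> tuple[list[str], int]:
    """Split the top-level arguments of the call whose '(' is at open_paren.
    Returns (args, index just past the closing paren)."""
    depth, args, cur = 0, [], []
    for i in range(open_paren, len(src)):
        ch = src[i]
        if ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i + 1
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    raise ValueError("unbalanced parentheses in copy_from_user() call")


def _lookback(src: str, idx: int, window: int) -> list[str]:
    """Up to `window` lines before idx (the call's own partial line included),
    stopping at the enclosing function's opening brace so that a check
    living in another function is not mistaken for a bound."""
    out = []
    for line in reversed(src[:idx].splitlines()):
        if line.strip() == "{":
            break
        out.append(line)
        if len(out) >= window:
            break
    return out


def audit_copy_from_user(src: str, window: int = 8) -> list[Finding]:
    """Return one Finding per call whose length is not a compile-time size."""
    findings, pos = [], 0
    while (idx := src.find("copy_from_user", pos)) >= 0:
        args, pos = _call_args(src, src.index("(", idx))
        if len(args) != 3:
            continue
        length = args[2]
        if SIZE_LITERAL_RE.match(length):
            continue
        names = set(IDENT_RE.findall(length))
        # Any comparison touching an identifier from the length expression counts
        # as a bound; min()/clamp() idioms are not recognised by this simple check.
        bounded = any(
            re.search(rf"\b{n}\b\s*[<>]=?|[<>]=?\s*\b{n}\b", line)
            for line in _lookback(src, idx, window) for n in names
        )
        findings.append(Finding(src.count("\n", 0, idx) + 1, length, bounded))
    return findings


def unbounded_copies(src: str) -> list[Finding]:
    """The findings a reviewer should actually spend time on."""
    return [f for f in audit_copy_from_user(src) if not f.bounded]


if __name__ == "__main__":
    for f in audit_copy_from_user(SAMPLE_DRIVER):
        flag = "OK (bounded)" if f.bounded else "REVIEW: unbounded length"
        print(f"line {f.line}: copy_from_user(..., {f.length_expr}) -> {flag}")
```

On the sample, call (2) is reported as bounded and only call (4) is left for review; a check on a different buffer than the destination would still be accepted, which is the kind of false negative a reviewer has to keep in mind with text-level heuristics.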

RE[3]: this is ridiculous
by molnarcs on Sat 7th Jan 2006 02:06 UTC in reply to "RE[2]: this is ridiculous"
molnarcs Member since:
2005-09-10

Hmmm... I'm not into conspiracy theories ;)

You forgot the timeframes - this time. Regardless, which php version did you have in mind? In the past two years I've been running php5 - and seen very few security advisories. How many of these advisories were platform specific btw? Oh, and about php5: http://secunia.com/product/3919/

You say: "Okie, let's compare a typical scenario" and you do the comparison the same way that I was complaining about.

Where do you get your numbers from btw? I'm referring to "MS SQL Server 2000: 6". Because http://secunia.com/product/7/

But we can engage in a war of numbers - it still remains pointless, as long as we don't specify all the details and do a fair comparison.

I won't say anything about the second part of your comment, because it is irrelevant to this discussion, and although I heard about it, it was one of those longish discussions where I could not decide by a quick glance who is "right".

Reply Score: 2

RE[3]: this is ridiculous
by ma_d on Sat 7th Jan 2006 02:06 UTC in reply to "RE[2]: this is ridiculous"
ma_d Member since:
2005-06-29

I'll explain with your own words:

I'll just say to you that there were no windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for linux were written 7 years ago. And wanna know why? Because noone understood properly what windows kernel does

Class dismissed.

Reply Score: 1

RE[4]: this is ridiculous
by ivans on Sat 7th Jan 2006 02:24 UTC in reply to "RE[3]: this is ridiculous"
ivans Member since:
2005-12-03

I'll explain with your own words:

I'll just say to you that there were no windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for linux were written 7 years ago. And wanna know why? Because noone understood properly what windows kernel does

Class dismissed.


And how is it that this invalidates my claim that open-source software is more prone to finding security flaws?

Reply Score: 1

RE[5]: this is ridiculous
by ma_d on Sat 7th Jan 2006 03:57 UTC in reply to "RE[4]: this is ridiculous"
ma_d Member since:
2005-06-29

The point is that it's not the software, it's the fact that it has available documentation.
The software is not more prone, there's just more information on how to exploit it.

Reply Score: 1

RE[4]: this is ridiculous
by gonzo on Sat 7th Jan 2006 02:40 UTC in reply to "RE[3]: this is ridiculous"
gonzo Member since:
2005-11-10

And wanna know why? Because noone understood properly what windows kernel does

Class dismissed.

Well, you didn't quote the part where he said "..because of it's undocumented nature". Makes a difference doesn't it?

Or could it be that you're trying to say that Dave Cutler doesn't understand the NT kernel?

You DO know who Dave Cutler is, don't you?

INFO: http://en.wikipedia.org/wiki/Dave_Cutler

David Neil Cutler, Sr. (born March 13, 1942) is a noted software engineer, designer and developer of several operating systems including the RSX-11, VMS and VAXELN systems of Digital Equipment Corporation and Windows NT from Microsoft.

Reply Score: 1

RE[5]: this is ridiculous
by ma_d on Sat 7th Jan 2006 04:03 UTC in reply to "RE[4]: this is ridiculous"
ma_d Member since:
2005-06-29

No I'm not insulting Dave Cutler. I'm pointing out that cracking his stuff is harder as he hasn't explained how it works in intimate detail.
Yes, I probably should have quoted the documentation part as well, but what I quoted was enough.

However, I'd like to point out that David Cutler didn't write all of the NT Kernel. The design is probably entirely his, as he was the lead in the beginning. But, the actual code is probably mostly not his.
So, acting as if one genius can carry the whole project to perfection is a bit silly. Linus is hardly responsible for every line written in the Linux kernel (more like 2% of it according to him). RMS doesn't write all of gcc, etc ad infinitum.
So, I'm sure he understands it, but I guarantee he can't prove the kernel. Not that anyone could prove a project of that size.

Reply Score: 1

RE[3]: this is ridiculous
by ma_d on Sat 7th Jan 2006 02:17 UTC in reply to "RE[2]: this is ridiculous"
ma_d Member since:
2005-06-29

I believe he already touched on why Apache != IIS. From the little I know of Apache, it supports a lot of modules which aren't all recommended for common use (some of them are just swiss cheese). But they document these things (I assume, I've never had trouble finding Apache related docs on their site).
IIS is a big commercial product from a "respected" vendor. They've got complete idiots clicking their way through setups. They're not gonna put in random swiss cheese plugins for people to screw themselves with.

FOSS is definitely a different bear than closed software.

You seem to be very clear that you loathe FOSS. Is there a reason for this?

Reply Score: 2

RE[4]: this is ridiculous
by molnarcs on Sat 7th Jan 2006 02:57 UTC in reply to "RE[3]: this is ridiculous"
molnarcs Member since:
2005-09-10

FOSS is definitely a different bear than closed software.

Exactly, and I'm beginning to regret that I have involved myself in this debate. It's pointless, because we can throw numbers all around, and still be very very far from a relevant comparison of the security of the two platforms.

URL_REWRITE is a good example. While I have it enabled for my own site in apache, it's not in IIS. In fact: http://www.google.com/search?hs=nbi&hl=en&lr=&client=opera&rls=en&q...
So a fair comparison would be my apache 2 install + IIS 6 + 3rd party modules (which are trusted how much?) The same goes for PHP. The list of available modules is too long to include here, but just a quick search in my ports dir yields these results: ftp://hatvani.unideb.hu/pub/personal/vegyes/php4.txt Now a flaw in mysql_connect() will be counted by secunia, even though I might have postgresql as a database backend. So you can't compare asp.net vulnerabilities with php vulnerabilities in such a generic way like ivoras does.

Indeed floss is a very different beast, and one would need a very rigid comparison that matches every single function present on a setup in a specific role on both platforms. What server X does exactly running on the windows platforms, what server Y does exactly running on RHEL (or FreeBSD for instance), and what software is needed exactly to provide those services on each platform. For instance, with linux you have the ability to compile your own kernel. When Pat Volkerding was asked how he achieved a ridiculously high uptime on slackware.org while there were known vulnerabilities in the linux kernel, he just said that he ripped out everything from the kernel that was not needed... and those remote vulns. were found in modules that were not included in his setup. That's what (good) admins do - configure the system to be secure (that's what win3k admins do as well). It is just you can do a lot more with free software than with win3k.

As I said, I almost regret engaging in this debate - my first response was not very well thought out anyway, but a well thought out reply would be as long as a book, because you have to begin to explain how floss works (and why it is or can be more secure than win3k) from the ground up. But seeing how ivans likes meaningless numbers, I doubt he would be convinced anyhow ;)

Reply Score: 5

RE[5]: this is ridiculous
by ma_d on Sat 7th Jan 2006 04:09 UTC in reply to "RE[4]: this is ridiculous"
ma_d Member since:
2005-06-29

The nice thing about *nix is that it makes itself available to remove parts here and there.
While Microsoft has somewhat improved in this respect they still have a very long way to go. I was watching a channel 9 video which had a guy talking about removing dll interdependencies in Windows. So, they're on the right path; but they're not there.

A good Windows admin can do really similar things. But you won't see them recompiling the stuff out of their kernel which they never use. And you won't see them removing these as modules either!

I think the marketing engine at Microsoft would like to make Windows into the "fire your IT staff and run it yourself" OS. (in the server realm). This will bite them in the long term if people listen. The people writing exploits don't use wizards ;) .

Reply Score: 1

RE: this is ridiculous
by Sphinx on Sat 7th Jan 2006 17:03 UTC in reply to "this is ridiculous"
Sphinx Member since:
2005-07-09

Is it really fair comparing firefox beta/1.x to IE 6.x?

Reply Score: 1

ma_d
Member since:
2005-06-29

laughed at.
Seriously though, the problem isn't that CERT is about deceiving people; it's just that Unix/Linux security and Windows security are two different beasts.
You have to have 4 brain cells and a clue to know that the number of vulnerabilities CERT records is no indication of actual security problems.

I just have to say, last I heard Apache is officially unsupported on Windows. Has this changed, did I hear wrong, or am I correct? Anybody? Not that this matters, people do run Apache on Windows.

Reply Score: 1

It does not matter
by grrr on Sat 7th Jan 2006 00:00 UTC
grrr
Member since:
2005-09-03

Microsoft can fund studies, Cert can report this and that. These numbers do not matter, they are meaningless. Everybody I meet is talking about the big wmf leak. A big oversight like this is a bigger problem for security than a bug here or there. Even the biggest geek can not put that in numbers.

Reply Score: 1

re: this is ridiculous
by microshag on Sat 7th Jan 2006 00:04 UTC
microshag
Member since:
2005-11-30

""There is also the issue of timing. With Linux products, critical updates are available within a day. If you look at Red Hat Enterprise Linux 3, the average patch time is under a day. With the recent critical WMF (Windows Meta File) vulnerability, it took Microsoft seven days."

LOL, what is he talking about? Firefox 1.0.x took 2 MONTHS to patch critical bugs since it had NO PATCH MECHANISM INTEGRATED. And we all remember that leaked remotely exploitable Firefox vuln when almost a week any script-kiddie could download 0day exploit from frsirt.com, don't we? "

Actually I think this is pretty clear. He's talking about Linux bugs, and you're talking about Firefox bugs. Does Red Hat get to decide when the Mozilla foundation releases patches? You're accusing him of grasping at straws, but you're doing the same thing.

Reply Score: 5

do you know windows mr. cox?
by smashIt on Sat 7th Jan 2006 00:37 UTC
smashIt
Member since:
2005-07-06

For example, Firefox is categorised as a Unix/Linux operating system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms. There are methodological flaws in the statistics,

well, the difference is that microsoft doesn't bundle windows with php or apache.
but red hat does. so every bug found in a package included with rhel is a bug in rhel.

You should look at the number of critical vulnerabilities. It's a better comparison to look at the critical vulnerabilities that affect customers due to the platform they use. There are fewer critical vulnerabilities, and they are fixed faster in Red Hat Linux

iirc there was such a comparison between rhel and win 2k3 about a year ago. the "problem" was that windows won...

Reply Score: 3

dylansmrjones Member since:
2005-10-02

Actually not.

Take a look at Secunias website.
Windows loses big time.

Windows 2003 Server is shipped with IIS6 and many other services, and of course the big security risk known as 'Internet Explorer'.

The major problem with CERTs list is the fact that flaws are counted several times. E.g. they are duplicates. This is true for Windows as well as for *nixes and other OS'es.

So the list is unusable for comparison for any platform in the list.

Reply Score: 2

smashIt Member since:
2005-07-06

Take a look at Secunias website.
Windows loses big time.


please tell me where i have to look.
when i compare win 2k3 Enterprise-edition with RHEL 4 windows "wins" with 75:138 over the period of 2003-2006

if you only look at 2005-2006 (RHEL 4 was released in march 05, so it still has an advantage of 3 months) windows "wins" 36:138

Reply Score: 1

dylansmrjones Member since:
2005-10-02

DOH!

You're still counting them.

I've already stated that the amount of flaws is virtually irrelevant. What DOES matter is the security threat posed by these flaws.

So we need a weighted result of these flaws on both platforms, before the numbers will make any sense.

Windows 2003 Server has many more highly critical flaws than RHEL does. If we can agree on a formula then I'm willing to do some math. But using the number of flaws alone is pure ignorance.

Reply Score: 1

RE: do you know windows mr. cox?
by dotMatt on Sat 7th Jan 2006 02:42 UTC in reply to "do you know windows mr. cox?"
dotMatt Member since:
2005-07-29

"well, the difference is that microsoft doesn't bundle windows with php or apache. but red hat does. so every bug found in a package included with rhel is a bug in rhel."

RedHat makes Apache/PHP (along with many other packages) optionally available, not part of a base install. IE, Outlook Express, Media Player, are all installed by default on a Windows OS (Even on Windows SERVER!!!!! WHY THE HECK DO I WANT MEDIA PLAYER ON MY SERVER!?!?!?!), and there is no way to remove them. Even if RedHat *did* decide that Apache should be part of a base install, a quick rpm -e could remove it.

I would love to see a security comparison of a *minimal* windows install to a *minimal* linux (pick a distro) install (as I believe all servers should start in a minimal configuration). Then, compare similar Web Server configs, similar DB configs, etc, such that the *applications* on each platform are now being validly compared (Apache vs IIS, MSSQL vs MySQL). Heck -- I'd even like to see a comparison of Apache & MySQL (etc) on Windows vs *nix, since they are cross platform!

Reply Score: 1

gonzo Member since:
2005-11-10

I would love to see a security comparison of a *minimal* windows install to a *minimal* linux

Why minimal? That is not REAL world.

This IS REAL world, 90% of the time Linux is on the top:

http://www.zone-h.org/

65 single IP
54 mass defacements

Linux (51.3%)
FreeBSD (16.0%)
Win 2000 (16.0%)
Win 2003 (10.9%)
SolarisSunOS (3.4%)
Win NT9x (1.7%)
Win XP (0.8%)
(0.0%)

REAL world pal, real world..

Reply Score: 1

molnarcs Member since:
2005-09-10

In the real world, people take into account market share. Perhaps apache+linux/freebsd has a much much larger market share than win2/3k ...

Also, in the real world, people laugh at people linking to statistics on a website (who is zone-h?) without reading the DISCLAIMER at the bottom of the page ;) (so how representative are their numbers?)

Reply Score: 1

gonzo Member since:
2005-11-10

Perhaps apache+linux/freebsd has a much much larger market share than win2/3k ...

Do they?

And please, don't give me Netcraft's statistics if you don't really understand what those numbers represent.

On the other hand, plain and simple - Port80 survey:
http://www.port80software.com/surveys/top1000webservers/


Yeah,
no statistic is good statistic if Linux is not better than Windows.

The whole world has been paid by MS.

Yep. Right.

Reply Score: 1

molnarcs Member since:
2005-09-10

I just made fun of you, and here you go doing it again. You link to a site to prove your point about IIS dominance - a site which has a Microsoft Certified Partner sticker at the bottom, and it sells IIS products.

How can you not notice that you are making a fool of yourself? BTW: thanks for the excellent examples for the point I made earlier about the necessity to download 3rd party addons for IIS to make it functional... addons that won't be counted as w3k bugs, because MS does not take responsibility for them. Ironically, the second product on their list, quote:
Confuse & misdirect potential hackers! Hide your Windows Web server header & other fingerprints.
more info...
I was aware that IIS is pretty crippled (what?! buy something that provides clean URLs??) - I just didn't realize that you have to buy a module that would mask your server ID - for $99/server! Is this some kind of joke?

Anyway, stop being ridiculous. Next you'll link to one of the MS sponsored "independent" studies to prove that linux sux and costs more ;) ))

Reply Score: 1

gonzo Member since:
2005-11-10

I just made fun of you, and here you go doing it again. You link to a site to prove your about IIS dominance - a site which has Microsoft Certified Partner sticker at the bottom, and it sells IIS products.

So WHAT?

They have PROVIDED a LIST of those Fortune 1000 companies on that same page. So go ahead and check it for yourself.

As I said, with people like you no study is good if Windows beats Linux. Yeah, right.

Reply Score: 1

ma_d Member since:
2005-06-29

The fact that they sell IIS products does make them biased. See, US-CERT would be unbiased because they don't sell anything.
Sysinternals may even qualify as unbiased (those guys are just brilliant anyway).

I wouldn't take a RedHat study as proof that Linux is better than Windows... Nor would I take a Microsoft study... I'd read both through very carefully before I'd consider any of their conclusions.
But if they came to an absolute conclusion I doubt I'd read either; it'd seem too far fetched to spend my time on it.

Reply Score: 1

smashIt Member since:
2005-07-06

In the real world, people take into acount market share. Perhaps apache+linux/freebsd has a much much larger market share than win2/3k ...

are you really sure about this argument?
please be warned that the next time a win vs. linux security flamewar breaks loose in desktop-land it will be used against the non-flying bird ;)

Edited 2006-01-07 03:36

Reply Score: 1

dotMatt Member since:
2005-07-29

Minimal will help display the difference between applications that are insecure by configuration, and applications that are insecure by design. Whether real world or not, this distinction is important, as it is much easier to fix configuration errors than design errors.

And, as to whether it is real world or not -- minimal configuration *is* real world, for good server admins. It really grinds my jojos when I cannot remove IE, Media Player, etc from my Windows servers. OTOH my Linux servers have no firefox, X11, gcc ... only what is absolutely minimally necessary for the desired functionality. And so, those vulns affecting firefox, X11, gcc, etc will not impact my Linux servers, but those impacting IE, Media Player, OE, etc *will* affect my Windows servers, and there is nothing I can do about that.

Reply Score: 1

gonzo Member since:
2005-11-10

but those impacting IE, Media Player, OE, etc *will* affect my Windows servers

Last time I checked nobody is using IE, Media Player or OE on servers.

What the hell are you talking about? Users log on to Windows server to.. run OE? To play music with Media Player? To browse the net with IE?

Yeah, right.

Reply Score: 1

ma_d Member since:
2005-06-29

It's possible. It's called a RDP server.

My school runs a few.

*nix users are used to that sort of thing. We have three Digital Unix 4 servers for this use, and a lot of Linux machines for it.

Reply Score: 1

dotMatt Member since:
2005-07-29

Even outside the direct attack via RDP/TS/Citrix, simply having those applications (and associated libraries) available makes the possibility of a two-tier "blended threat" much higher. Perhaps (for example) a malicious file (WMF, WMV) could be uploaded to an IIS hosted app, where a vulnerable library that is part of IE or Media Player would be triggered to process the image.

The point is -- simply having the vulnerable libraries installed raises the probability of a compromise. Having unnecessary applications raises the probability of having vulnerable libraries. Why even have those apps installed, if I do not need them? These apps have no business being installed on any server!!!

Reply Score: 1

gonzo Member since:
2005-11-10

Patch for WMF was released. Done.

I didn't notice that Windows based networks have collapsed because of anything you said (IE, WMP, etc, installed on Windows servers).

You sound like ORANGE-PURPLE-YELLOW-WHATEVER-WE'RE-ALL-GOING-TO-DIE-SOON alerts on Fox TV.

IE and WMP on Windows server are the root of all evil! Yeah ;)

Stop spreading the FUD.

Reply Score: 1

dotMatt Member since:
2005-07-29

You haven't seen windows networks collapse because of IE? (While WMP may not have been used, yet, it is an example of something that does not belong on a server. MSDE is another vector of attack installed on many machines that don't really need it.) Many many times IE has been the point of entry to corporate networks. How many hours of IT support have been spent around the world cleaning infected workstations (from IE) which are launching attacks against both internal and external systems? Why allow this same historically vulnerable software on your supposedly secure servers?

But -- even if this were not the case -- why take the chance? IT security is a game of probability, and it is important to hedge your bets by reducing your potential vulnerability exposure. Why have applications and libraries that are not necessary installed? Are you willing to sacrifice potential security for the convenience of having Outlook Express installed *in case you need it* on your server?

And the only thing I watch on Fox is The Simpsons ;-)

Reply Score: 1

smashIt Member since:
2005-07-06

I would love to see a security comparison of a *minimal* windows install to a *minimal* linux (pick a distro) install (as I believe all servers should start in a minimal configuration). Then, compare similar Web Server configs, similar DB configs, etc, such that the *applications* on each platform are now being validly compared (Apache vs IIS, MSSQL vs MySQL).

i already wrote in my first post that such a study was made one year ago

http://www.osnews.com/story.php?news_id=9750

Reply Score: 1

dylansmrjones Member since:
2005-10-02

Yup, the bogus one ;)

Reply Score: 1

dotMatt Member since:
2005-07-29

I would hardly call a comparison by a "Linux Fan" and a "Microsoft Enthusiast" a "study".

Reply Score: 1

ma_d Member since:
2005-06-29

google.com
msn.com

Good enough?

Let's throw in freebsd: yahoo.com.

Reply Score: 1

unoengborg Member since:
2005-07-06

well, the difference is that microsoft doesn't bundle windows with php or apache.
but red hat does. so every bug found in a package included with rhel is a bug in rhel.


True, but the only way to get a fair comparison would be to compare systems with equal functionality.

You could do that by excluding a lot of packages from Red Hat, or by adding packages like MS-Exchange, MS-SQL Server, MS-Office to the Windows install.

Or you could compare the number of bugs/program on Windows vs. Red Hat. To get an even better value, multiply by the average number of days a bug goes unpatched on each system.

Reply Score: 2

UNIX
by DigitalAxis on Sat 7th Jan 2006 02:04 UTC
DigitalAxis
Member since:
2005-08-28

UNIX was not multiuser from day one... its name is a kind of pun on Multics, which was the multi-user system the UNIX designers worked with before deciding to write their own simple single-user OS to run on the PDP they had lying around.

Anyway, didn't CERT also supposedly count flaws in each version of *NIX each time it appeared versus only the one time it appeared in Windows? Or are we backing off of that claim now, because that seems pretty ridiculous.

Edited 2006-01-07 02:08

Reply Score: 1

Does Anyone
by Richard James on Sat 7th Jan 2006 03:03 UTC
Richard James
Member since:
2005-07-07

who asserts that by looking at any list of vulnerabilities you can judge a system's security in the real world, actually work with security in the real world?

Frankly I would rather read about articles and their comments like "A Naive User's Guide to Running Windows More Securely" or similar than listen to people who don't actually care about security and are more interested in twisting statistics to make their OS look secure.

I secure my OS's because I know they are insecure. I am not blind.

Reply Score: 1

you're an asshat
by bentman78 on Sat 7th Jan 2006 04:24 UTC
RE: you're an asshat
by hraq on Sat 7th Jan 2006 04:36 UTC in reply to "you're an asshat"
hraq Member since:
2005-07-06

"members of that team are much more knowledgeable than you will ever be..."
This shows how arrogant you are. You people spread claims, lies and inaccuracies and you never show real proofs that will help users or companies do their daily life computing with less problems. Windows is insecure to any linux/Unix once pushed to a certain limit.

Please, next time give evidence not claims... Thanks for understanding.

Reply Score: 1

maybe the unthinkable is happening
by happycamper on Sat 7th Jan 2006 04:36 UTC
happycamper
Member since:
2006-01-01

United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005


yup, it's true, US-CERT says it's true, it's official, can't argue with that. linux is becoming a more ill os than windows. gates is smiling, oh shoot.

Reply Score: 1

Obviously
by jessta on Sat 7th Jan 2006 04:39 UTC
jessta
Member since:
2005-08-17

Wow, when you combine the bugs in multiple code bases and compare them to the bugs in a single code base you get a big difference in the number of bugs.

They included FreeBSD, OpenBSD, HP-UX, IBM AIX, IRIX, Gentoo Linux, Debian Linux, Solaris and all associated software and then compared it to Windows XP.
Insanely stupid list.

- Jesse McNelis

Reply Score: 3

not good
by happycamper on Sat 7th Jan 2006 04:43 UTC
happycamper
Member since:
2006-01-01

I think red hat is foolish for trying to dispute this because they don't control the other open source projects. if the other open source projects are getting careless at writing code and developing software that is bundled with the linux kernel, maybe this is the start of a future problem.

Reply Score: 1

POS DATABASE SERVER!!!!!!!!!!!!!!!!!!!
by kaiwai on Sat 7th Jan 2006 13:19 UTC
kaiwai
Member since:
2005-07-06

But risking getting hung upside down over a pit of spikes by only my well endowed member, this is a product to product comparison, and I see nothing wrong with them comparing Windows 2003 to RHEL.

If you're going to benchmark security, you go and get two products off the shelf and give a real world assessment based on what is included in the box to be considered part of the operating system - if companies don't wish to take responsibility for what is included in their box products, they bloody well shouldn't include it with their boxed product!

For years RedHat has gotten away, scot free, with fobbing the security responsibility onto everyone else - the day of reckoning will occur, and customers will start to say, "you fix the hole! you bundled it with your product, YOU fix the hole in the software" and if they say, "It's not our problem" the customer will say, "yes, it IS your problem, YOU included it with your product, therefore it is YOUR responsibility to maintain it!".

Reply Score: 1

ma_d Member since:
2005-06-29

TMK RedHat is the only Linux distributor which will fix holes if they aren't being fixed by the group who develops the package.

Have you had problems with RedHat not fixing security issues?

Reply Score: 1

flypig
Member since:
2005-07-13

When the original story about the US-CERT vulnerability was posted, I remember thinking that it was really obvious that all it represented was a list of the reported vulnerabilities for the year. There was no commentary or statistics, and CERT made no claims about relative security of systems. It was just a pure, factual, list of what had been reported to them in the last year.

The original report even states that "Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported..."

So to see Red Hat complaining that "the study is confusing and misleading" seems really, really odd. It wasn't a study, it was just a factual list of the reports CERT received.

The fact is that insinuations about relative OS security came only from commentators, not CERT. Surely anything else is just opinion that people have chosen to layer on top of it?

Reply Score: 1

dylansmrjones Member since:
2005-10-02

The problem is the way it's been reported.

The list could have been assembled in a better way - especially when considering the standard 'serious' journalism (aka sensationalism - the most common form of 'serious' journalism).

The study _is_ confusing and misleading, unless you know how to handle it. The media don't or do not want to, and misinterpret the list even when they know better.

Put it in the same league as "Ohh noooo another asteroid (or comet or whatever) is going close to the earth - perhaps this one will hit us, ohhhh nooooo" news items.

A certain part of the blame goes to CERT for putting out such a badly assembled list. The only good thing is it affects all OS'es in the list ;)

Reply Score: 1

flypig Member since:
2005-07-13

I agree that there is always a danger that a list such as this one will be misinterpreted.

I'm just not sure how CERT could have done it differently. All they did was produce a factual list of vulnerabilities based on the information reported to them. It's just something that CERT does. They did the same thing last year, and maintain a running list as well:

http://www.us-cert.gov/cas/bulletins/index.html

Lists like this are important. It would be kind of absurd if they couldn't be produced just for fear of them being badly misinterpreted by commentators!

Reply Score: 1

dylansmrjones Member since:
2005-10-02

Of course they should have a list. And release it.

But it doesn't help that they lump *BSDs with Linux. Several flaws are duplicates, which is the result of nothing but poor assembling of the list. They could have done better.

But no doubt CERT should keep releasing these lists, no matter how stupid journalists and bloggers tend to be.

Reply Score: 1

flypig Member since:
2005-07-13

OK, fair enough, I'll go with that!

As you say, the categorisation could well have been more refined, and duplicates could have been handled differently.

Clearly the list is not really suitable for drawing any immediate statistical conclusions.

Reply Score: 1

go redhat go
by SEJeff on Sat 7th Jan 2006 16:10 UTC
SEJeff
Member since:
2005-11-05

The CERT report was obviously not written by a technophile and it shows by its gross miscategorization of vulnerabilities. Redhat needs to defend itself against uninformed people who spread FUD. I'm not saying this because I am a so called zealot, I'm saying this because it's the truth.

Reply Score: 1

Joy
by Sphinx on Sat 7th Jan 2006 16:32 UTC
Sphinx
Member since:
2005-07-09

Glad to see this travesty revealed.

Reply Score: 1

Lies, Damned Lies, and Statistics
by elsewhere on Sat 7th Jan 2006 18:01 UTC
elsewhere
Member since:
2005-07-13

First off, CERT and US-CERT are related but not the same. The implication that there is US-government tampering with the results to somehow favour MS is ludicrous. The data is very public and very visible.

Secondly, CERT stated that the results "should not be considered the result of a US-CERT analysis", it contains outside information (it's a collaborative database which probably explains all of the duplication). It's simply a core dump of their database for 2005.

Third, if we are going to try and turn this into some sort of CERT / US-CERT oriented conspiracy, then let's consider the US-CERT Security ALERTS (as opposed to the vulnerability notes). Vulnerabilities are measured on a metric comprised of a number of factors (taken from http://www.kb.cert.org/vuls/html/fieldhelp#metric):

o Is information about the vulnerability widely available or known?
o Is the vulnerability being exploited in the incidents reported to US-CERT?
o Is the Internet Infrastructure at risk because of this vulnerability?
o How many systems on the Internet are at risk from this vulnerability?
o What is the impact of exploiting the vulnerability?
o How easy is it to exploit the vulnerability?
o What are the preconditions required to exploit the vulnerability?

They further admit that the threat measurement is not perfectly scientific, some of the measurements being subjective and weighed more heavily, but they consider it as serving as a useful indicator for which threats need to be highlighted as critical.

On that basis, you can view the "serious" threats determined by US-CERT at http://www.us-cert.gov/cas/techalerts. Of the 22 issued last year, you'll find a couple impacting OS X, some impacting Cisco IOS, applications like Oracle, but by far the bulk of the "holy cow this is serious"-measurement are Windows based. Not a single specifically linux-based threat was deemed worthy enough to be prioritized by US-CERT as critical. The closest you could come is to an advisory for Snort. Given that some of the factors govern threat to the internet, number of internet-connected systems etc. and given the prevalence of *nix in the net-server area, one cannot dismiss the vulnerability assessments by saying "linux just isn't as widely deployed so doesn't warrant as big a threat".

You'd have to go back to mid 2004 to the infamous libpng exploit that did admittedly impact a number of *nix systems, but as I recall the majority of distros had a patch available that day.

So if we're going to take statistics and mutilate them to our own benefit, that's ok. *nix can have 100,000 threats, Windows can have 1. The difference is that, in the real world, that one single Windows threat is statistically more likely to involve a critical vulnerability to your system than any of those 100,000 *nix threats. Hell, based on US-CERT's critical advisories, one can assume that an unsecured *nix system must still be safer than Windows, right?

How's that for statistical interpretation?

Bah.

Reply Score: 3

Sphinx Member since:
2005-07-09

Thank you for that razor sharp analysis, wish I had some points to mod that up. I still think the biggest and best yardstick is how long til it's some hax0r's beehatch after you default install and plug it into the internet.

Reply Score: 1

RE: This is absolutely right
by re_re on Sat 7th Jan 2006 18:23 UTC
RE[2]: This is absolutely right
by hraq on Sat 7th Jan 2006 22:10 UTC in reply to "RE: This is absolutely right"
hraq Member since:
2005-07-06

"The US government has all sorts of Redhat contracts, how about you stop talking out of your ass and trying to spread your political agenda." "How about we speak some facts. "
Yes, how about some facts, we have heard that the US government chose the most horrible OS (windows 2000) on at least one fleet of their Navy destroyers to command the weapons system; why didn't they choose any other secure OS?!! Can I say BRIBES; As of this moment any other OS in this world is more secure than windows.

"spread your political agenda"
It's not a political agenda we talk here, It's facts, and only facts that I judge. So you want us to listen to lies and then absorb them. How democratic you are?

"stop talking out of your ass"
I don't know why are you boiling, are you one of those govs to defend them, if so then this shows how disrespectful they and you are.

"The US government has all sorts of Redhat contracts"
US government refused to do this until RHEL gets certified to level 4 like Microsoft, how pathetic?! Even SUSE enterprise is level 4 certified and still they don't want to use it.

Reply Score: 1

RE[3]: This is absolutely right
by akro on Sun 8th Jan 2006 01:29 UTC in reply to "RE[2]: This is absolutely right"
akro Member since:
2005-07-06

okay I have worked for the US Government in IT for the past 8 years (contractor) trust me since 99 the USG has been using Linux. Security requirements is a weird thing and some orgs have to follow some don't. Trust me there is plenty of Linux use out there and it is exploding now. Just because DOD demands something it doesn't mean suddenly dept. of education has to follow. The government is so huge... you wouldn't believe it...

Reply Score: 1

Hmmm
by Tobbe on Sat 7th Jan 2006 18:25 UTC
Tobbe
Member since:
2005-07-06

As I recall it (been a while since I read the report in question) US-CERT stated that despite looking like it had less security holes, Windows was still the most insecure alternative.

Reply Score: 1

The way i see it.
by IceCubed on Sat 7th Jan 2006 22:49 UTC
IceCubed
Member since:
2005-07-01

The way i see it is that the problem is Always between the chair and the keyboard, whatever the OS is.

Windows can be problematic, so can be Linux.
Heck i can configure windows AND linux to be secure. The only difference would be that i would buy some 3rd party addons on windows and JUST install them, whereas on Linux i would download them off the net, compile and configure them properly.

The bottomline is:
Windows and Linux are secure if you know how to properly configure them.

Reply Score: 1