OSNews

[i]And some people aren't good at math.

The chance of being hit by a car is much greater in NY than in whichever desert in a remote area.

So what do these numbers say other than there are possibly more *nix based webservers. [i]

What? i read that Linux and Unix experience three times as many reported security vulnerabilities than Windows. Doesnt have anyting to do with web servers.

- Vulnerabilities 2004-2005

Windows and Windows Applications: 812
Unix/Linux and Unix/Linux Applications: 2328

* http://www.us-cert.gov/cas/bulletins/SB2005.html

however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

What? i read that Linux and Unix experience three times as many reported security vulnerabilities than Windows. Doesnt have anyting to do with web servers.

This has been debunked many, many times. Vulnerabilities are counted more than once for Linux/Unix (i.e. the same vulnerability on RedHat will also be counted for Debian if it happens on both distros).

Also the severity of bugs is usually higher for Windows/Windows applications bugs.

When you factor all of these in, it's clear that Linux/Unix has a much better security record than Windows.

It's sad that people can take the truth, yet the truth is ignored by so many people who are religious about their OS. It's really a shame.

A lot of people think that an Open source Operating system is more secure because people can fix things right away, but that opinion is really decieving in so many ways.

I am not against the idea of Open Source, but using it as an OS and even with passing the code around there are still huge possiblities for security issues.

A lot of people think that an Open source Operating system is more secure because people can fix things right away, but that opinion is really decieving in so many ways.

Would you care to elaborate on that, or is this the extent of your FUD?

"Security through obscurity" has not helped Microsoft, whose security record is abysmal. Linux, an open source OS, is slightly more secure, while OpenBSD, another open source OS, is a LOT more secure.

You might have missed this in the other thread, but the Department of Homeland Security seems to disagree with you:

http://www.theregister.co.uk/2006/03/03/open_source_safety_report/

Yes, there are possibilities for security issues, but at the end of the day, I'd much rather hook a Linux box directly to the internet than a Windows box. The last time my Windows machine strayed from behind a *NIX firewall, my computer was infected by MSBlaster in the space of two hours.

Security is not a bullet-point on a feature list, and trust is not a first-impression. People do not assume a product is secure just because the marketing material says so, and people do not trust a product until time has shown that product to be worthy of trust. Vista may very well be as secure as a *NIX, but it will be years before it can prove that security and earn peoples' trust.

What kind of dumb person siad befor "windows need a backdoor"?

The law might enforce it. You see, file system encryption enables you to 'hide' your files. The law might demand that Microsoft put a 'backdoor' in the encryption, so that criminal investigators *always* have access to files on suspects' computers, even if its encrypted.

The law might enforce it. You see, file system encryption enables you to 'hide' your files. The law might demand that Microsoft put a 'backdoor' in the encryption, so that criminal investigators *always* have access to files on suspects' computers, even if its encrypted.


This will not work. Criminals have a tendency of not following the law. Strong encryption software will always be available to criminals regardless if it is legal or not. Of course they could make it illegal to possess encrypted files, but then how do they prove that you have an encryted file and not just a set of random data, or that your nice desktop background is asteganograpic crypto.

The people that get hurt by such legislation are ordinary law obiding citizens with legitimate needs to protect their sensitive datea. If the police can get your data, sooner or later it will leak.

The more sensitive and valuable the information is the greater the risk. E.g. how much would would it take to bribe or coerce a low salery police officer to get information about the latest car model your company is designing.

there is no such thing (ie: in current usage) as "freedom of privacy"

encryption doesn't imply security, in fact it only affects it in a significant way under the current broken windows security model of running as admin by default.

To a degree, in the USA, yes we are entitled to a level of privacy:

"Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

While yes, one could argue a backdoor could be legal if the police required a warrant to 'use' this backdoor. I'd guess, though, that this has also been addressed by years of precedent etc.

Even the Supreme Court's decision to strike down i.e. sodomy laws held that people are entitled to privacy, period...

"Liberty protects the person from unwarranted govern-ment intrusions into a dwelling or other private places. In our tradition the State is not omnipresent in the home. And there are other spheres of our lives and existence, outside the home, where the State should not be a domi-nant presence. Freedom extends beyond spatial bounds. Liberty presumes an autonomy of self that includes free-dom of thought, belief, expression, and certain intimate conduct. The instant case involves liberty of the person both in its spatial and more transcendent dimensions." - Justice Kennedy, Supreme Court Lawrence V. Texas.

Yes, indeed, a backdoor would be viewed as highly illegal to the court. Yes, the highest interpreters of the US constitution DO in fact deem that citizens have a right to privacy.

Wherever you read that was wrong.

"Wherever you read that was wrong."
Really?
Key escrow isn't a fantasy.
http://www.schneier.com/paper-key-escrow.html

I'm sorry, where does does it say there that...

"I remember reading once that by law any and all software products that use encryption (like encryption programs) must give a key to the U.S government, especially when such information is to be transmitted to and fro the states. "

? Yeah. No where.

Put in some effort and search in google.. you'll find tonns of material. I didn't put any references or links here coz i thought everyone either already did or would.

Oh I've seen it all. Look at the links n4cer provided. They pretty much debunk it all.

Everything I've read on the net is all pure speculation and proof is NEVER provided.

and your proof is where?

Just Google for "Windows NSA key".

Windows having backdoors for CIA and NSA is one of the main reason why EU and China (among others) are trying to leave Windows for Open Source.

My take is Windows is not very credible about this. They did in the past and we cannot be sure they won't do again. The Shared Source Initiative is aimed to wipe out such clouds but is not proving itself successfull.

There are fewer chances that they could win Govts trust again. And I'm a Windows user. ;-)

There is no backdoor. If there was, it would have been found and exposed already.

Try again troll.

In September 1999, leading European investigative reporter Duncan Campbell revealed that NSA had arranged with Microsoft to insert special "keys" into Windows software, in all versions from 95-OSR2 onwards. An American computer scientist, Andrew Fernandez of Cryptonym in North Carolina, had disassembled parts of the Windows instruction code and found the smoking gun—Microsoft's developers had failed to remove the debugging symbols used to test this software before they released it. Inside the code were the labels for two keys. One was called "KEY". The other was called "NSAKEY". Fernandez presented his finding at a conference at which WIndows developers were also in attendance. The developers did not deny that the NSA key was built into their software, but refused to talk about what the key did, or why it had been put there without users knowledge.

http://www.techweb.com/wire/story/TWB19990903S0014

In February 2000, it was disclosed that the Strategic Affairs Delegation (DAS), the intelligence arm of the French Defense Ministry, had prepared a report in 1999 which also asserted that NSA had helped to install secret programs in Microsoft software. According to the DAS report, "it would seem that the creation of Microsoft was largely supported, not least financially, by the NSA, and that IBM was made to accept the MS-DOS operating system by the same administration." The report stated that there had been a "strong suspicion of a lack of security fed by insistent rumours about the existence of spy programmes on Microsoft, and by the presence of NSA personnel in Bill Gates' development teams." The Pentagon, said the report, was Microsoft's biggest client in the world. (Agence France Presse, February 18 and 21, 2000)

Actually the only "proof" ever found that a string called _NSAKEY. There was no backdoor ever found.

A single string is hardly proof to support this retarded conspiracy.

By the way n4cer, do you work for Microsoft or any U.S. government agency?

No to both questions (unless you count beta testing).

As for the NSA key nonesense:

http://www.microsoft.com/technet/archive/security/news/backdoor.msp...

By the way, everyone should stay away from any Linux incorporating source from SELinux if they count any contact with NSA as being colusion.

http://www.nsa.gov/selinux/index.cfm

Edited 2006-03-04 21:17

Haha, what the hell do you think MS are going to say? "Buy our product and we'll help fascists spy on you!"?

By the way, everyone should stay away from any Linux incorporating source from SELinux if they count any contact with NSA as being colusion.

It's opensource. It doesn't matter what they NSA does with SELinux because we have the world to audit it and in fact the NSA does very little/nothing with SELinux anymore. It is developed outside the NSA now. It just happened to be started by the NSA.

do you have any sort of clue ????

linux is OPEN... people can look for backdoors

people here say Microsoft is fine and can be trusted on their word that there is no backdoors....

but Windows is closed, people cannot check for themselves.

Your computer could be being logged right under your nose

As I stated, governments (among others) have source access.

Linux may be open, but not everyone who uses it looks at the source.

Your computer could be being logged right under your nose.

Never heard of a packet sniffer?

raver31: "linux is OPEN... people can look for backdoors ... but Windows is closed, people cannot check for themselves"

Actually an very large number of people have access to the windows source code.

Most of them specifically requested access (like the Chinese government, MVP's, and the entire EU) to make sure there their were no back-doors in the software.

China: http://english.people.com.cn/200303/17/eng20030317_113428.shtml

MVPs: http://www.eweek.com/article2/0,1759,1624933,00.asp

>do you have any sort of clue ????
>linux is OPEN... people can look for backdoors

So if someone takes linux, adds a backdoor and sells it and doesn't give the full source away they can't add backdoors?

You are kidding right?

Open source software can have the same problems.

The main problem that I see is that trusting in open source just because it says open source is just stupid.

It's really a false security and that is the problem with it.

Why do you think we have the US government monitoring open source software as well as closed source.

So if someone takes linux, adds a backdoor and sells it and doesn't give the full source away they can't add backdoors?

If someone does that they'll be sued for copyright infringement.

Seriously, you should learn more about open-source before criticizing it.

>Seriously, you should learn more about open-source before criticizing it.

You should learn about life before understanding it.
If someone violates the GPL who is going to sue?

These are people without that much money.

rtfa: "They're not allowed to compile to check so the code is unverifiable making it a nonsense that they can truely check for backdoors or whatever they wish to check for."

The ability to compile/or not compile source code is not as important as is the ability understand code and intentions. And by code I mean high-level (C/C++) and low-level languages (Assembly) - Machine Code.

Therefore anyone examining the source code would have to have deep understanding of assembler – actually it would be a prerequisite given those significant parts of windows is written in assembly.

To such a person, talented enough, the high-level language code is just good reference material - [b]as a matter of fact anyone with a debugger and time can walk through the assembly code and figure out whats going on now

Being able to compile the code IS important, though... if you can't compile the code yourself, how do you know the code you've been given is actually the code used to produce the binary you were given? I mean, outside of an ability to spot inconsistencies between the code and the binary itself...

http://www.microsoft.com/resources/sharedsource/Licensing/OEM.mspx : The OEM shared shource license states: "Licensees may modify, assemble, compile or link the source code and execute the resulting derivative binary code on a temporary basis to assist in debugging its hardware for the Microsoft Windows operating system"