Open source experts have hit back at a study published by the United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005, labelling the report misleading and confusing. The report has attracted criticism from the open source community. Linux vendor Red Hat said the vulnerabilities had been miscategorised, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.
I never got RHEL 4.2 crashed or infected, even when I exposed it to the internet in the DMZ (Demilitarized Zone) of my router, while Windows gets paralyzed within 10 minutes under the same conditions. I even become unable to switch users. So, yes, CERT is another lie we're used to from the US government, like Iraq's weapons of mass destruction.
CERT and WMDs? How can you even compare the two?
Yes, it is and next time THINK before you put such powerful words and figures about. Like in all media, the damage is already done once reported.
I really do wonder sometimes if these people know anything about Linux, or just use their Windows background as a front.
“the damage is already done once reported.”
True, but CERT wasn’t the first to bend the truth malevolently against Linux. I’d call it outright lies, but the data CERT used could have been legit; the distorting of truth was in the way they chose to report that data. I do recall several Microsoft-funded “benchmarks” and “studies” that did very much the same: while they probably did run tests, the machines they were testing that ran Linux were intentionally set up very poorly as compared to the expertly set up Windows boxes in the tests.
I don’t think I’d really care to see what the results of a fair comparison would be though. I know what works for me, and when it comes to gaming that’s Windows, since it has more games right now and supports my Logitech game pad. I prefer Linux for everything else though, and I’d love to see hardware and software companies pay more positive attention to it.
Not only could it have been legit, it could have been used to underline the point of Linux/Unix being more secure. If you look at the numbers, they are more unfavourable to Windows than to Linux/Unix. I don’t want to repeat myself; I wrote about this here:
http://slashdot.org/comments.pl?sid=173016&cid=14397409
This is also interesting:
http://slashdot.org/comments.pl?sid=173016&cid=14398027
I’m not usually one to hop on the Linux fanboy bandwagon, but (from the article) it does seem like US-CERT was pretty clueless when compiling this list; clueless in that they took a bunch of vuln sources from here and there and made some sort of grotesque list out of it.
Well… I agree with hraq… just look at the real world. And wasn’t this week a joke, with the whole Windows world blowing up over this stupid WMF thing? So, no matter what is said in some article, it’s in the real world where it counts… and like hraq, none of my Red Hat based systems, nor Novell SUSE based systems, seem to have any problems… and I hook them into some pretty strange networks sometimes that I wouldn’t even THINK of hooking a Windows thing into…
There is a lot of FUD out there, and it’s all financed….
wasn’t this week a joke, with the whole Windows world blowing up over this stupid WMF thing?
What about it? The Linux world also has had its share of embarrassing vulnerabilities (remember the gzip hole?).
Paradoxically, the OSS world often seems to react to such problems in a much more professional manner though.
“For example, Firefox is categorised as a Unix/Linux operating system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms. There are methodological flaws in the statistics,” Cox claimed.
This is correct, but you won’t see IE and IIS bundled in RHEL, nor Apache and PHP on WS2K3, at least not on 99% of computers out there.
The statistics serve their purpose: to compare the relative security in the most common scenarios.
“Generally, many of the vulnerabilities in Linux/Unix based products are classified as local vulnerabilities, including privilege escalation, local denial of service and local exposure of sensitive data. These kinds of vulnerabilities are not regarded as particularly critical, but Linux/Unix researchers tend to focus quite a lot on this category, probably because of Unix’s long history of proper privilege separation. This has only recently become more relevant in Windows (NT, 2000, and XP), but many Windows researchers still focus more on remote issues.”
This is utter crap; the NT kernel has had privilege separation mechanisms built in from day one. Google for the terms “Security Reference Monitor”, “Object Manager”, “access token”, “TCSEC C2 (aka Orange Book)”. So the “recently” means what, 15 years? LOL
“The two figures are not representative of today’s two major operating system platforms. One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux.”
How can it be non-representative when the first figure represents Win32, .NET and other proprietary APIs/frameworks, and the other one represents POSIX, and open-source frameworks typically found on modern UNIXen?
“You should look at the number of critical vulnerabilities. It’s a better comparison to look at the critical vulnerabilities that affect customers due to the platform they use. There are fewer critical vulnerabilities, and they are fixed faster in Red Hat Linux,” said Cox.
Secunia seems to disagree
(comparing the OSes released in similar timeframe):
http://secunia.com/product/1173/
http://secunia.com/product/1044/
WS2K3: 76 advisories from 2003-2006
RHEL: 256 advisories from 2003-2006
Geez, I wonder if that can be classified as “miscategorised” or “confusing and misleading”.
“There is also the issue of timing. With Linux products, critical updates are available within a day. If you look at Red Hat Enterprise Linux 3, the average patch time is under a day. With the recent critical WMF (Windows Meta File) vulnerability, it took Microsoft seven days.”
LOL, what is he talking about? Firefox 1.0.x took 2 MONTHS to patch critical bugs since it had NO PATCH MECHANISM INTEGRATED. And we all remember that leaked remotely exploitable Firefox vuln, when for almost a week any script kiddie could download the 0day exploit from frsirt.com, don’t we?
http://www.eweek.com/article2/0,1759,1814056,00.asp
http://www.frsirt.com/exploits/20050507.firefox0day.php
Open source = El Dorado for blackhat hackers and 0day exploits.
Well, that’s what I call arguments!
Secunia seems to disagree
(comparing the OSes released in similar timeframe):
http://secunia.com/product/1173/
http://secunia.com/product/1044/
WS2K3: 76 advisories from 2003-2006
RHEL: 256 advisories from 2003-2006
Geez, I wonder if that can be classified as “miscategorised” or “confusing and misleading”.
Those statistics are misleading in the very same way CERT’s statistics are misleading. The first thing I noticed on the RHEL list was “lynx”. What kind of statistics would Windows run up if we counted every little web browser that ran on that platform? Vulnerabilities in applications that are not installed on a computer are not vulnerabilities at all.
This is utter crap; the NT kernel has had privilege separation mechanisms built in from day one. Google for the terms “Security Reference Monitor”, “Object Manager”, “access token”, “TCSEC C2 (aka Orange Book)”. So the “recently” means what, 15 years? LOL
Those don’t make a lot of difference when you: 1.) only have one user, or 2.) have everyone as an administrator, or, my favorite, 3.) everyone uses the same account.
Unix has focused on separate users since, well, probably day 1. I’m not too familiar with everything before System V, but I’m just guessing they did, as they were competing, initially, with things like ITS and CTSS.
So, that’s 35 years now. The first desktop OS for Windows to include NT was in 2001. A lot of business desktops, and the few servers, were NT for a long time before of course. But people weren’t logging into the servers as users, they used server programs on them. VNC and remote terminals just aren’t nearly as popular with Windows users as Unix users. And RDP is pretty recent as well.
And you can see the problem with many of the older programs which keep their settings in non-user level places. Even IE kept them under program files in Win98SE IIRC.
Microsoft Windows, and its users, clearly have a smaller focus on user separation than Unix users.
Want an example of people who care about local exploits? Web hosts. If they’re nice and give you ssh access they worry about local user exploits. How many Windows webhosting companies give you RDP access? Seriously, how many do?
How can it be non-representative when the first figure represents Win32, .NET and other proprietary APIs/frameworks, and the other one represents POSIX, and open-source frameworks typically found on modern UNIXen?
I was going to agree, until you mentioned Posix. Let’s look at some of these vulnerabilities…
Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
CenterICQ Insecure Temporary File
CVS ‘Cvsbug.In’ Script Insecure Temporary File Creation (Updated)
Eric Raymond Fetchmail ‘fetchmailconf’ Information Disclosure
Yeah, Acrobat is so POSIX. Fetchmail might be POSIX in ESR’s world, but it’s not in this one.
Acrobat is not included in many distributions of Linux, including the most prolific: Red Hat.
CVS is rarely a default install item.
And fetchmail usually isn’t either.
They’re all common, but I know I don’t have any of them installed 2-3 times; and that’s how many times each was counted.
WS2K3: 76 advisories from 2003-2006
RHEL: 256 advisories from 2003-2006
Reading comprehension. They said critical. Were those all critical? Secunia tracks all flaws, not just critical ones. Also, RHEL supports a lot more software than Microsoft does (and more so than Microsoft Windows entails).
LOL, what is he talking about? Firefox 1.0.x took 2 MONTHS to patch critical bugs since it had NO PATCH MECHANISM INTEGRATED. And we all remember that leaked remotely exploitable Firefox vuln, when for almost a week any script kiddie could download the 0day exploit from frsirt.com, don’t we?
Firefox is not remotely exploitable. Seeing as how Firefox doesn’t accept incoming connections, or even watch for them, I don’t see how it can be remotely exploited.
Firefox has been slow, at times, to respond to security issues. And believe me, they’ve gotten flamed for it a lot too. You’re not the first.
I’m not sure why people vote on this forum. They obviously don’t think their votes through. The other day I got voted up to 5 for the dumbest comment, and anytime I post something relevant and factual (like this) I get voted down. This paragraph isn’t directed at you Ivans, just at the 2 people who thought you were enlightened in your post.
FOSS bashing seems to be as in today as Microsoft bashing was 3 years ago. Maybe it’s because Firefox went mainstream? We’ve lost our punk edge and sold out, I guess.
Edited 2006-01-07 00:13
huh I didn’t vote
I just didn’t have any arguments against that.
But you seemed to have those arguments…
“I’m not sure why people vote on this forum. They obviously don’t think their votes through.”
Should have put that in caps so more people get the message. This score system is pointless.
Not completely. It shuts up the worst trolls. I think it’s a good start, and there are some things they can do to make it better. I actually liked it better before they got into the whole “only vote down for these reasons” thing. The trouble was they didn’t put an accompanying “only vote up for these reasons”.
And now you see that almost everyone has a positive vote average because there’s so much unmatched up-voting. You’re thinking, I wanna vote him down because I disagree; but it’s also because he’s totally off base and some idiots voted him up to 5!
“Not completely. It shuts up the worst trolls.”
It’s almost shut me up for good a couple of times, and I’m no troll. I’ve been moderated down for good comments before because people didn’t agree with them. The sad thing is that the likelihood of that happening has increased very sharply in my observations. From what I’m seeing there’s a good number of people who don’t give a damn about the rules for moderating; they just click plus or minus based on how much they like what they’re hearing. When the time comes to choose a reason for voting down comments, they simply choose one of the working reasons, knowing full well that honesty won’t achieve their goals of censorship.
The most aggravating thing though is that I try my best not to vote comments down, and when I do I am very careful not to go against the site rules. I’ve even gone around voting comments I couldn’t possibly agree with back up to 0 just because several other people voted them down against the rules.
What worries me the most though is the apparent lack of response from other OSNews readers; for the most part the majority seem perfectly OK with comments being moderated down based on whether people like them or not, and people like me who try and set things straight aren’t numerous enough to fix the problem as a result.
I agree with you; there should also be a tick box for whether you agree/disagree with the comment.
However, just because someone mods you down for disagreeing, it doesn’t stop someone else coming along and modding you up again, if you had made a good point in the first place.
“However, just because someone mods you down for disagreeing, it doesn’t stop someone else coming along and modding you up again, if you had made a good point in the first place.”
That’s true if a comment isn’t too low to be seen, but once it gets to -2 or lower most people will skip over it. I’ve had good comments get moderated to -2 or lower and then people never saw them to moderate them back up.
And you can see the problem with many of the older programs which keep their settings in non-user level places. Even IE kept them under program files in Win98SE IIRC.
Microsoft Windows, and its users, clearly have a smaller focus on user separation than Unix users.
I don’t really care if Windows has a “smaller focus on user separation”; the original claim in the article was that it was something that “became relevant only recently”. Privilege separation is something built inside the OS from the very beginning, and every Windows Logo certified app works perfectly under LUA: writes configuration to CSIDL_COMMON_DOCUMENTS/CSIDL_PROFILE directories and HKCU etc. You can use the RunAs tool for launching processes under different credentials.
In a corporate environment EVERY app pretty much has to be LUA-friendly, else it won’t work. So someone please tell me how privilege escalation bugs are “not relevant”. Google on “shatter attacks”, “windows kernel privilege escalation”..
I was going to agree, until you mentioned Posix. Let’s look at some of these vulnerabilities…
Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
CenterICQ Insecure Temporary File
CVS ‘Cvsbug.In’ Script Insecure Temporary File Creation (Updated)
Eric Raymond Fetchmail ‘fetchmailconf’ Information Disclosure
Yeah, Acrobat is so POSIX. Fetchmail might be POSIX in ESR’s world, but it’s not in this one.
But! Besides POSIX, I also mentioned “other open-source frameworks”. It really doesn’t matter which one is used, be it Qt, GTK, wxWidgets, FLTK… you won’t see many commercial Windows apps built on open-source frameworks or the POSIX subsystem for Windows (SFU), just as you won’t see Linux apps built on closed-source frameworks.
It doesn’t really matter if a particular FOSS app has a Windows port, where almost no one uses it in favour of proprietary apps, but it DOES matter if it’s packaged by default with the most popular distros. And this is what matters: the common usage scenario. Almost no one uses, for example, fetchmail/mplayer on Windows, so it doesn’t matter!
Reading comprehension. They said critical. Were those all critical? Secunia tracks all flaws, not just critical ones.
The percentage deviation on criticality doesn’t compensate for the 4 times more bugs RHEL seems to have. 22% * 256 advisories on RHEL vs. 39% * 76 advisories on WS2K3. Do the math yourself.
Also, RHEL supports a lot more software than Microsoft does (and moreso than Microsoft Windows entails).
Who cares? We count the bugs in the Linux kernel + packages bundled with RHEL vs. bugs in WS2K3 as a complete OS (NTOSKRNL + Win32 userland apps).
Firefox is not remotely exploitable. Seeing as how Firefox doesn’t accept incoming connections, or even watch for them, I don’t see how it can be remotely exploited.
Oh yes it is. Did you even read the vuln description?
http://www.frsirt.com/exploits/20050507.firefox0day.php
“If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file.”
Just like the WMF flaw. But it really depends on what you describe as “remotely exploitable”. For me it means that bad guys can break into my computer remotely, without my interaction. In this context, both the FF and WMF flaw are NOT remotely exploitable.
But it could also mean that it could be exploited simply by visiting a malicious web site. In this sense the WMF flaw was designated as “remotely exploitable”, and so is this FF flaw.
Edited 2006-01-07 00:58
Who cares? We count the bugs in the Linux kernel + packages bundled with RHEL vs. bugs in WS2K3 as a complete OS (NTOSKRNL + Win32 userland apps).
That’s where you are wrong. A bug in ServU is a ServU bug, not a win3k bug, so it won’t show up in win3k vulnerabilities, while every single bug found in all the ftp servers, databases, languages (java, php, etc..) supported by RH will show up.
Regardless, I think these pictures sum it up rather well why win3k is less secure than RHEL:
Win3K: http://secunia.com/graph/?type=sol&period=all&prod=1173
RHEL: http://secunia.com/graph/?type=sol&period=all&prod=1044
That’s where you are wrong. A bug in ServU is a ServU bug, not a win3k bug, so it won’t show up in win3k vulnerabilities, while every single bug found in all the ftp servers, databases, languages (java, php, etc..) supported by RH will show up.
Welcome to the open-source model of services.
Microsoft doesn’t support 3rd party ServU, whereas RH does support its RPMs; that’s the crucial difference.
Regardless, I think these pictures sum it up rather well why win3k is less secure than RHEL:
Win3K: http://secunia.com/graph/?type=sol&period=all&prod=1173
RHEL: http://secunia.com/advisories/16210/
Unspecified vulnerability, advisory published as an “eweek article” based on rumors from an unnamed security researcher? Where is the flaw, what instruction, where is the PoC code? Nowhere, because this is a vapour bug.
http://secunia.com/advisories/14061/
So, if a trusted user is logged in on a TS server, by opening several hundred thousand handles on a specified key, you could prevent other users from logging in. Despite the fact that it would consume a large amount of resources, immediately noticed by the admin or killed by quota, and despite the fact that there are dozens of other ways of raping system resources..
http://secunia.com/advisories/13645/
It says it is “partially fixed”, although MS issued all the patches necessary, and Secunia doesn’t specify which parts were left unpatched. In fact, the original bug test page, http://www.xfocus.net/flashsky/icoExp/, on my fully patched XP SP2 produces exactly ZERO positive tests. Vapour.
http://secunia.com/advisories/9720/
This is my favorite. A 2-year-old “flaw” in a proactive buffer-overflow prevention mechanism that could be bypassed with “specially crafted shellcode”. Geez, I thought that EVERY buffer/heap/integer.. overflow prevention mechanism leaves a small attack window, even PaX with ASLR!
Actually this /GS compiler flag “bug” has been fixed with the /SAFESEH switch; XP SP2 and WS2K3 SP1 were compiled with both switches “on”, and they are enabled by default in Visual Studio 2005.
So this is black-on-white proof that some of Secunia’s “bugs” are pure vapour.
http://secunia.com/advisories/9921/
Actually the recommended way for software running with higher privileges on a LUA desktop is to run inside a JOB with the JOB_OBJECT_UILIMIT_HANDLE flag set “on”, which will disable any kind of WM_* messages sent from processes outside the job, including the LUA-created ones. This is no Windows bug; it’s a potential bug for badly written 3rd party software.
So most of this Secunia stuff is pure BS. I guess they put it there so that Linux cowboys can have mental orgasms quoting “xy unpatched Windows flaws”.
Oh well, have fun, I go to sleep now
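As an added illustration (not code from the thread, and not Microsoft’s own sample), here is the job-object UI restriction the post above refers to, applied as the Win32 API documents it: processes inside a job whose UILimitFlags include JOB_OBJECT_UILIMIT_HANDLE cannot use USER handles (windows) owned by processes outside that job, so they cannot reach those windows with WM_* messages. The P/Invoke wrapper class `JobUi`, the function name `Start-ProcessInRestrictedJob`, and notepad.exe as the launched program are assumptions made for this example.

```powershell
# Added example, not from the original thread: launch a process inside a Job Object with
# basic UI restrictions, then read the restrictions back from the job to confirm them.
# The P/Invoke declarations below are kernel32.dll exports; constant values are from winnt.h.
$jobApi = @"
using System;
using System.Runtime.InteropServices;

public static class JobUi   // hypothetical wrapper name, chosen for this example
{
    // JOBOBJECTINFOCLASS value for JobObjectBasicUIRestrictions
    public const int JobObjectBasicUIRestrictions = 4;
    // UILimitFlags bits
    public const uint JOB_OBJECT_UILIMIT_HANDLE         = 0x00000001;
    public const uint JOB_OBJECT_UILIMIT_READCLIPBOARD  = 0x00000002;
    public const uint JOB_OBJECT_UILIMIT_WRITECLIPBOARD = 0x00000004;
    public const uint JOB_OBJECT_UILIMIT_EXITWINDOWS    = 0x00000080;

    [StructLayout(LayoutKind.Sequential)]
    public struct JOBOBJECT_BASIC_UI_RESTRICTIONS { public uint UILimitFlags; }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateJobObject(IntPtr lpJobAttributes, string lpName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetInformationJobObject(IntPtr hJob, int infoClass,
        ref JOBOBJECT_BASIC_UI_RESTRICTIONS info, uint cbInfo);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool QueryInformationJobObject(IntPtr hJob, int infoClass,
        ref JOBOBJECT_BASIC_UI_RESTRICTIONS info, uint cbInfo, IntPtr lpReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);
}
"@
Add-Type -TypeDefinition $jobApi

function Start-ProcessInRestrictedJob {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        # Default: block cross-job USER handle access and clipboard writes.
        [uint32] $UILimitFlags = ([JobUi]::JOB_OBJECT_UILIMIT_HANDLE -bor
                                  [JobUi]::JOB_OBJECT_UILIMIT_WRITECLIPBOARD)
    )
    $job = [JobUi]::CreateJobObject([IntPtr]::Zero, $null)
    if ($job -eq [IntPtr]::Zero) {
        throw "CreateJobObject failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Set the restrictions on the still-empty job; they apply to every process that joins later.
    $limits = [JobUi+JOBOBJECT_BASIC_UI_RESTRICTIONS]::new()
    $limits.UILimitFlags = $UILimitFlags
    $size = [Runtime.InteropServices.Marshal]::SizeOf($limits)
    if (-not [JobUi]::SetInformationJobObject($job, [JobUi]::JobObjectBasicUIRestrictions,
                                              [ref] $limits, $size)) {
        throw "SetInformationJobObject failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Start-Process returns a running process, so it is unrestricted for the brief moment
    # before assignment. Creating it with CREATE_SUSPENDED via CreateProcess would close that
    # window; it is omitted here to keep the P/Invoke surface small.
    $proc = Start-Process -FilePath $FilePath -PassThru
    if (-not [JobUi]::AssignProcessToJobObject($job, $proc.Handle)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Stop-Process -Id $proc.Id -Force
        throw "AssignProcessToJobObject failed: $err"
    }

    # Query the job to report what is actually enforced, rather than trusting what we set.
    $check = [JobUi+JOBOBJECT_BASIC_UI_RESTRICTIONS]::new()
    [void][JobUi]::QueryInformationJobObject($job, [JobUi]::JobObjectBasicUIRestrictions,
                                             [ref] $check, $size, [IntPtr]::Zero)

    [pscustomobject]@{
        ProcessId        = $proc.Id
        JobHandle        = $job   # keep this handle open for as long as the restriction should live
        EnforcedUILimits = ('0x{0:X8}' -f $check.UILimitFlags)
        HandleIsolated   = (($check.UILimitFlags -band [JobUi]::JOB_OBJECT_UILIMIT_HANDLE) -ne 0)
    }
}

# Usage: launch Notepad (assumed present) in a job that blocks it from reaching windows outside the job.
Start-ProcessInRestrictedJob -FilePath 'notepad.exe'
```

The restriction binds the jobbed process, not the rest of the desktop: it stops the process inside the job from sending to windows it does not own, which is why the lower-trust component is the one to place in the job.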
Most unpatched Secunia “flaws” on WS2K3 are just vapour. They are not real flaws, but the product of someone’s imagination and unspecified sources, and have no real-life damage potential.
It is amazing how you use Secunia info at one point to prove your diatribe against FLOSS, and next, when a piece of Secunia information becomes uncomfortable, you discard it like this.
It is amazing how you use Secunia info at one point to prove your diatribe against FLOSS, and next, when a piece of Secunia information becomes uncomfortable, you discard it like this.
Good observation, that’s a key propaganda indicator.
Why isn’t there a self-contradictory flag for modding people down? He’s been modded up to 3 for quoting Secunia and at the same time attempting to destroy Secunia’s reputation.
“I did not have sex with that woman, she’s lying.”
“She says you didn’t smoke the pot.”
“Oh, yea, she’s right about that; I have a witness!”
“Is the witness her?”
“Yes.”
So someone please tell me how privilege escalation bugs are “not relevant”. Google on “shatter attacks”, “windows kernel privilege escalation”..
Because there are few multi-user Windows machines. I already told you this. Microsoft does listen to its customers, and few of them have multi-user machines. They may have reduced privileges, but they’re probably the only user on their computer. Their domain has thousands of users, and domain priv escalation would be a bad thing; but their computer has them.
It doesn’t really matter if a particular FOSS app has a Windows port, where almost no one uses it in favour of proprietary apps, but it DOES matter if it’s packaged by default with the most popular distros. And this is what matters: the common usage scenario. Almost no one uses, for example, fetchmail/mplayer on Windows, so it doesn’t matter!
Fetchmail isn’t available for Windows.
The percentage deviation on criticality doesn’t compensate for the 4 times more bugs RHEL seems to have. 22% * 256 advisories on RHEL vs. 39% * 76 advisories on WS2K3. Do the math yourself.
Ah, but RHEL ships how much software, and Windows ships how much software? Where’s that Windows PDF viewer again?
I know Secunia doesn’t include Acrobat holes as Windows holes.
Oh yes it is. Did you even read the vuln description?
http://www.frsirt.com/exploits/20050507.firefox0day.php
“If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file.”
Remote exploits do not involve user interaction. As you said, and I said, but for some reason you’re still arguing.
The nice thing about Javascript flaws is that you can shut Javascript off. I have it off, and turn it on for certain pages. Of course, you can shut off WMF; not that anyone knew what it was before last week.
Because there are few multi-user Windows machines.
It’s just 5,000 of them in my college. And every corporate desktop is run in LUA, and you certainly cannot dismiss them so easily.
Also you seem to confuse “privilege escalation” with “multiuser”; it’s not the point to have hundreds of different accounts on the machine, two (Administrator and LUA) is just enough.
Fetchmail isn’t available for Windows.
That’s what you think.
http://www.interopsystems.com/tools/warehouse.htm
Ah, but RHEL ships how much software, and Windows ships how much software? Where’s that Windows PDF viewer again?
But it DOESN’T MATTER: if the package is a part of the RHEL installation, it has to be counted! That’s the bad thing about popular Linux distros: a thousand different programs, each having its own holes; most of them are a part of the default install and most users WILL install them all.
Remote exploits do not involve user interaction. As you said, and I said, but for some reason you’re still arguing.
It’s because WMF fits into the same category as this FF flaw (the user has to visit a malicious web page), and yet you see that Bugtraq, Secunia, FrSIRT.. all marked this WMF and FF flaw as “remotely exploitable”. You need to check your terminology usage.
With 5,000 machines your college is almost certainly using a domain system. That’s a bit different from straight multi-user machines.
Privilege escalations only matter when you have untrusted users, which means you have more than 2. No one is going to hack their own machine with mal intent. You’re not worried about the programs you run doing it; that’s really not something people on *nix platforms think about. Instead they just don’t run random code from anywhere. That’s one reason for distributions: if you only use your distribution’s packages you know someone else has tested the code you’re running.
But it DOESN’T MATTER: if the package is a part of the RHEL installation, it has to be counted! That’s the bad thing about popular Linux distros: a thousand different programs, each having its own holes; most of them are a part of the default install and most users WILL install them all.
No, default installs are almost always under 2.5GB. That’s not a lot of software. Most systems default to one desktop, one app for each common task, and no servers.
And still, the default install doesn’t start all your programs for you. You have to do that yourself (this changed about 3 years or so ago with daemons). Programs on a hard disk are no more dangerous than Word documents; you have to start them to be in danger.
It’s because WMF fits into the same category as this FF flaw (the user has to visit a malicious web page),
Oh yes, here we go again, with deliberately distorting the facts to prove your point. Or, ironically, you are right; actually it fits the same category as the FF flaw. The problem is (and you ignore it conveniently) that the WMF flaw has multiple attack vectors. Visiting a page is just one of them, and even if it were the only one, it would still be more serious than the FF flaw, for you can put up wmf images masked as jpeg or png on almost any page or popup window. You can upload it to a blog, attach it to a post on a random forum, etc. But the WMF exploit is a single-payload, multi-vector attack that you can get via almost any means: email, msn, media, etc. When you claimed that the WMF vuln. is in the same category as the FF vuln. you lost any remaining credibility here.
FOSS bashing seems to be as in today as Microsoft bashing was 3 years ago. Maybe it’s because Firefox went mainstream? We’ve lost our punk edge and sold out, I guess.
I think that is only partly true at most. It seems to me that there is an organized campaign of anti-FOSS posting and astroturfing by MS employees and MS partner employees that appeared to come into effect a few months ago. The other factor is, as GNU/Linux gets more widely used in the corporate area, people with only a Windows background in IT start to feel a little scared and let off steam against FOSS.
I noticed that on this site. There are a lot of anti-FOSS people around since August 2005.
They jump on Linux/BSD and FF on every opportunity, in fact, they have been saying things like;
“calm down eh, calm down, there is no danger. this exploit will only affect stupid people who click on porn sites..”
yeah right.
I have read the Microsoft reports, and I have used Windows from version 3.0 up. I know wmf files are ubiquitous in ALL versions of Windows.
Microsoft should be forced by a court of law to fix ALL versions of Windows and, btw, all versions of Office, Publisher, Works etc. which have wmf support built in.
AND… Another thing.
When I am looking for new support staff, I do not even give interviews to MCSEs anymore. I took one on once, and he did not have a clue about any system other than Windows. I have no time or money to train that type up properly.
This is an interesting theory I’ve heard stated before. I’ve been writing it off as conspiracy conjecture.
But, I have noticed that the pro-Microsoft faction on this site has gotten about 5,000x more knowledgeable than they used to be!
Microsoft does let its people waste infinite amounts of time taking videos and blogging (scobleizer), so maybe they encourage some people to go argue in the larger internet forums.
But I’m just making a theory: I’m not subscribing to it!
Unix has focused on separate users since, well, probably day 1
…
So, that’s 35 years now.
Well, this is both true and false and here’s why:
What about GNU/Linux.. is it not Unix? Yes? No?
RH Linux was available 35 years ago?
The first desktop OS for Windows to include NT was in 2001.
So Windows NT Workstation was server OS?
Besides, we’re in 2006.. right?
I don’t know if I mentioned it in that post or not, but: Linux runs Unix programs.
That means it’s designed a LOT like Unix.
See how that makes the statement work?
I don’t know if I mentioned it in that post or not, but: Linux runs Unix programs.
That means it’s designed a LOT like Unix.
See how that makes the statement work?
I see how it works for Unix, but not for Linux.
However, Linux was not available 35 years ago.
That is why I said “..true and false.”
Linux is designed like Unix.
I was talking about Linux’ design.
Unix is 35 years old.
This implies Linux design is 35 years old.
It’s not perfect, but it definitely makes a lot of sense to say that Linux’ design benefits from 35 years of work as it’s compatible with a system that is that old.
Linux is designed like Unix.
I was talking about Linux’ design.
Unix is 35 years old.
This implies Linux design is 35 years old.
This implies Linux is a cheap Unix clone. And a poor one.
Here’s what Ken Thompson said about Linux and Windows:
Thompson: I view Linux as something that’s not Microsoft — a backlash against Microsoft, no more and no less.
..
A whole bunch of random people have contributed to this source, and the quality varies drastically.
..
My experience and some of my friends’ experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse.
…
I believe everyone knows who Ken Thompson is. Also, check Dave Cutler and then check Linus Torvalds. Then compare all three of them.
Please, be open minded.
Bye.
My experience and some of my friends’ experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse.
How is Linux unreliable? When Windows is infected with worms, viruses, spyware, etc. each day and costs companies and home users a lot of money to fix those problems, and those are serious problems; if I mention the rest of the Windows problems I would convince myself to format C:. Those kinds of problems are unheard of with Linux. Maybe that’s why I don’t trust banks.
It was 1999.
Version 2.2 may or may not have been out when he said these things.
To give you some idea. Ext3 came out in 2001. So, Linux didn’t have a journaled file system. Have you ever recovered an ext2 partition? It’s boring.
It was 1999.
Version 2.2 may or may not have been out when he said these things.
To give you some idea. Ext3 came out in 2001. So, Linux didn’t have a journaled file system. Have you ever recovered an ext2 partition? It’s boring.
Yeah, and other systems haven’t improved since then.
Nope. Just Linux. LOL
Even though its market share is the same. Strange.
You guys are way too funny.
And now really – good night
Did you use NT 3.5-4.0? I don’t think you’d consider them useful for anything but a few server oriented tasks and a few desktop tasks.
We all know Win9x was useless.
Mac didn’t even have proper memory management.
And then there was Unix.
Anyway, my point was more that Linux has grown enormously in the last 6 years. I doubt Ken would make the same comment today.
Did you use NT 3.5-4.0? I don’t think you’d consider them useful for anything but a few server oriented tasks and a few desktop tasks.
I did use NT. Server was not state of the art and Unices were much better back then. That shouldn’t be a surprise because Windows server was just released.
Desktop? I was quite happy with NT.
NT was able to run practically all Win applications without any problems. What the hell are you talking about?
Can you please compare Linux from that period with NT?
What did you do with Linux back then in the late ’90s? As Ken Thompson pointed out – Linux was a joke back then.
We all know Win9x was useless.
No, it was not. Win 9x was there to provide easy MIGRATION path from DOS to NT. Once migration was over, MS killed it.
So, you see, Win 9x had its purpose and it served it well.
Anyway, my point was more that Linux has grown enormously in the last 6 years. I doubt Ken would make the same comment today.
Yes, but then Windows 2003 Server R2 is also MUCH different from old NT server. Windows has also advanced enormously in the last 6-7 years.
Because they couldn’t build a DOS emulator into NT?
Windows 9x was there because Microsoft believed consumer desktops were too slow to handle NT properly.
And it was a grave mistake. People still think Microsoft can do nothing right because Windows 9x was so unreliable.
Windows has also advanced enormously in the last 6-7 years.
For example…
Because they couldn’t build a DOS emulator into NT?
Windows 9x was there because Microsoft believed consumer desktops were too slow to handle NT properly.
And it was a grave mistake. People still think Microsoft can do nothing right because Windows 9x was so unreliable.
Look, I used NT back then and it was just fine.
Many people used 9x because of the legacy DOS application or because they wanted to run DOS games.
Sorry to disappoint you, but NT was just fine. Believe whatever you want, but I think you never actually used NT on a day-to-day basis.
It is only your ignorance if you used Win 9x and didn’t use NT.
However, back to the point: MS did provide migration path from DOS to NT and that was why we were offered Windows 9x.
If Windows 9x was not available, then Windows NT/2000/XP would have never been this successful.
And that is one of the BIGGEST challenges Linux faces: no easy migration path from Windows.
Windows has also advanced enormously in the last 6-7 years.
For example…
Hahaha. Well, it’s more reliable, more secure, scales much better. IIS is really improved (IIS had, what, 2 patches in like 2 1/2 years). IIS6 was moved closer to the kernel and is for that reason much faster than IIS5 or IIS4.
There’s Active Directory that is just awesome.. AD was also improved in 2003 compared to Windows 2000. Terminal services are now part of Windows (not in NT server). I could go on and on..
Are you joking?
Well, it’s more reliable, more secure, scales much better. IIS is really improved (IIS had, what, 2 patches in like 2 1/2 years). IIS6 was moved closer to the kernel and is for that reason much faster than IIS5 or IIS4.
There’s Active Directory that is just awesome.. AD was also improved in 2003 compared to Windows 2000. Terminal services are now part of Windows (not in NT server). I could go on and on..
I wasn’t joking, you’re right that I didn’t run NT back in the day :-p. I’d seen it employed by the federal government once, but I’ve never used it.
Wasn’t Active Directory in NT 4? Or was it introduced in Win2K?
I’m not really arguing here, more probing for information :-p. You’re probably right about NT improving (of course it has, there’s only what, 3,000 Windows developers?).
It is only your ignorance if you used Win 9x and didn’t use NT.
No need to attack my credibility, I haven’t attacked yours.
I still think they could have offered the same migration path on NT as they did on 9x though. And I think it would have been a lot better for them.
No need to attack my credibility, I haven’t attacked yours.
You’re right. Sorry.
I still think they could have offered the same migration path on NT as they did on 9x though. And I think it would have been a lot better for them.
Look.. they haven’t failed, have they? I mean, Windows has desktop market share of approx. 95%. Not bad, huh?
I wish there was the same migration path from Windows to Linux. I’d be using Linux today.
What do you need migrated?
What do you need migrated?
I need Linux to integrate well into EXISTING Active Directory so that we can apply Group Policies to Linux boxes. I guess this is why EU wants MS to fully open its protocols?
I need SQL Server on Linux. Yes, I do know there are other excellent DBs for Linux, however I need SQL Server because I use it at work and other branches use it too.
My wife needs AutoCAD. No, some other similar application is just not good enough. She is trained to use AutoCAD, they use it at work.
I need .NET on Linux because I do some .NET development at work. I am looking these days into mono, however it is incomplete. I know, one can use Java to develop web services, however at work it was decided that we’ll go with .NET with some parts of the system. I therefore need .NET on Linux. I don’t have it.
Etc.
Honestly, I don’t care much about OS. If I had all these apps available on Linux today, hell – why not?
And that is only me. How do you think a company that has dozens of custom in-house Windows apps would switch to Linux? Who’s gonna rewrite all those Windows apps? Who’s gonna pay for that task? Hell, even Munich, which is using taxpayers’ money to switch to Linux, is having difficulties with the transition. In fact, what I heard is that they are using Windows on VMWare on Linux until they get apps ported to Linux. Can you imagine any company doing that?
And why would anyone switch given that they already paid for Windows and custom apps?
Well, your wife is stuck unless she learns Pro-E. But let’s just say rewriting professional CAD programs is not similar to providing a migration path for old DOS programs… It’s a bit more work.
.Net 1.1 exists under the Mono project. Many parts of 2.0 are written and more are being written. Windows Forms isn’t there yet though, but I expect it within a year.
I don’t think SQL server is going to get ported, you’re kind of stuck there.
Getting active directory to apply properly to a Linux box would be a nightmare. But you can login to active directory. It takes some work (Microsoft did some modifying to their kerberos, like everyone else). I’m not sure what would happen on the group policies, I guess I don’t really know what you mean by them.
How do you think a company that has dozens of custom in-house Windows apps would switch to Linux? Who’s gonna rewrite all those Windows apps? Who’s gonna pay for that task? Hell, even Munich, that is using taxpayers’ money to switch to Linux, is having difficulties with the transition. In fact, what I heard is that they are using Windows on VMWare on Linux until they get apps ported to Linux. Can you imagine any company doing that?
And why would anyone switch given that they already paid for Windows and custom apps?
I don’t expect them to. Have I said no one should use Windows? I don’t think I have, at least not outside of small circles which would never quote me.
It’s not plausible for everyone, and that’s fine. But most people don’t have in-house programs; many of them don’t even own a house (ha ha, ok not funny).
Most companies do have in-house programs. And I don’t think they should port this minute. However, they will eventually. And I hope that the people graduating college today that will be writing those new programs (at some point in the next 40 years) will have some idea of how to write cross-platform code to avoid rewriting it yet again.
Many of them migrated from old DOS programs. Fewer had migrated from old Unix programs. Some may have even migrated from old VMS programs. These programs do eventually get rewritten.
Most companies do have in-house programs. And I don’t think they should port this minute. However, they will eventually. And I hope that the people graduating college today that will be writing those new programs (at some point in the next 40 years) will have some idea of how to write cross-platform code to avoid rewriting it yet again.
At some point in the next 40 years? Look, 40 years from now I will be retired for sure and, who knows, maybe even six feet under.
Now, look, as you know, you can already use Java today (and it is not like Java has been with us since last year) to achieve the cross-platform thing, YET a lot of NEW apps get developed in VC++/.NET and developers are, in fact, targeting Windows only. Don’t ask me why, but I can assure you it is the case.
And one more thing that could happen in next 40 years — What is going to happen with “let’s switch to Linux because it is cheaper” argument if MS is forced (by Linux, Mac, etc) to lower the price of Windows? And then they do it again and again? Who’s gonna switch to Linux? Well.. I don’t think many people/companies would. Yes, no?
Yes, but now many of those developers are writing C#/.Net. And you’ll see those programs porting to mono a lot easier than VC++/com/etc would port to *nix.
The reason I said 40 years was that a graduate today is 22, and 40 years later he’ll be at a typical retirement age of 62. I was trying to clarify that I didn’t mean people graduating today would instantly be out rewriting all in-house software.
There was no grand meaning to 40 years.
Linux runs Unix code. It implements 99% of its standards. Ken Thompson is entitled to his opinion, but he does not determine if GNU/Linux is a breed of Unix.
Let me finish the quote for you though, since you left it unfinished:
I view Linux as something that’s not Microsoft—a backlash against Microsoft, no more and no less. I don’t think it will be very successful in the long run. I’ve looked at the source and there are pieces that are good and pieces that are not. A whole bunch of random people have contributed to this source, and the quality varies drastically.
My experience and some of my friends’ experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse. In a non-PC environment, it just won’t hold up. If you’re using it on a single box, that’s one thing. But if you want to use Linux in firewalls, gateways, embedded systems, and so on, it has a long way to go.
Let me repeat the last sentence for you.
But if you want to use Linux in firewalls, gateways, embedded systems, and so on, it has a long way to go.
It’s there.
These quotes are from 1999. That was around 6-7 years ago. He was working on Plan 9 at the time…
I’m sorry that you have to quote and name drop; but I’m completely able to come to my own conclusions without the help of historic figures, celebrities, or anyone else with a status that warrants their involvement in name dropping.
It appears that your thesis is: Dave Cutler is a better programmer than Linus. Ken Thompson is God and has ridiculed Linus’ code. Linus wrote Linux, therefore Linux sucks. Dave Cutler wrote NT, therefore NT rocks.
That sum it up pretty well?
Guess what. I don’t care who wrote it. This isn’t politics.
Ok. I’ll bite. Here’s Ken’s follow up, as quoted by ESR (know who he is, that’s right, not one to worship): http://www.linuxtoday.com/news_story.php3?ltsn=1999-05-07-016-05-NW…
Some excerpts:
“i very much appreciate the chance to look at available code when i am faced with the task of interfacing to some nightmare piece of hardware” and that “i think the open software movement (and linux in particular) is laudable.”
Ken further adds “i dont see eye-to-eye with microsoft’s business practices.” His original language was rather stronger and more entertaining, but he asked me not to quote that in order to avoid giving Lucent’s lawyers heart failure.
The bad news is that Ken still thinks Linux is flaky. I offered to have VA Linux Labs ship him a machine so he could see what a properly tuned modern Linux looks like, but he said he couldn’t accept. He adds “i do believe that in a race, it is naive to think linux has a hope of making a dent against microsoft starting from way behind with a fraction of the resources and amateur labor. (i feel the same about unix.)”
Huh. He said he doesn’t think Unix could succeed against Microsoft either. I remind you this was a time when Unix was king of the server world.
And finally, the biggest reason I like Linux:
Ken did finish by saying “i must say the linux community is a lot nicer than the unix community. a negative comment on unix would warrant death threats. with linux, it is like stirring up a nest of butterflies.” (Hm. Butterfly T-shirts, anyone?)
Quit name dropping, quoting, and try making your own arguments.
Quit name dropping, quoting, and try making your own arguments.
I don’t have to make my own arguments. Why should I?
CERT has given us some good arguments. Secunia has given us some, Port80 has given us some, Zone-h has given us some arguments, etc.
But none of those are acceptable to you, so I should stop quoting them? I should care more about your comment than Ken Thompson’s? LOL
Guess what? Linux is not good enough.
And then everything fits OK. Then all those arguments are just fine.
Your argument: Every study that proves Linux sucks more than Windows must be false. All of those guys are either stupid or paid by MS. You know better, riiiight.
None of those groups have said that. There is no argument present on CERT’s site, only a listing of data.
Ken’s quote is the closest thing to an argument you’ve presented yet (it presents a thesis and some form of evidence).
By saying I have only one argument you show, quite clearly, that you haven’t comprehended anything I’ve said to date in this thread.
I never implied anyone was paid off. I simply told you to do some thinking for yourself and not let Ken Thompson make up your mind for you. If you come to the conclusion, from data like CERT’s or Secunia’s, that Linux is not a good program that’s fine: That’s your problem. But please, tell us about how you came to this conclusion. A statement of “it’s obvious” or “secunia says so” is not going to convince me.
You also need to learn some respect for the people you discuss things with. I’ve tried my hardest to be polite and avoid insulting you but you’ve consistently insulted me by implying that I think I know everything or that I’m some sort of conspiracy theorist (all of those can be found in your last sentence).
I’m a person with my own thoughts and opinions too. Respect them, I respect yours.
Security company Secunia agreed with Christey that the various vulnerability collection sources made comparison of Windows and Linux/Unix hard.
“I think Steve has got some good points on why comparing vulnerability numbers is difficult,” said Thomas Kristensen, chief technical officer at Secunia.
Secunia agrees, as I expected them to.
Besides that, the number of flaws is less important than the critical level of said flaws. Low security risk combined with low numbers of flaws is best; high security risk combined with high numbers of flaws is bad.
When you look at it that way, Secunia’s statistics clearly show Windows (in general) to be much more insecure than Red Hat’s distributions (or other mainstream Linux distributions).
The same goes for IE vs. FireFox.
As a Dane I’m happy to see Secunia staying straight on their line of information of high fidelity.
open-source = eldorado for blackhat hackers and 0day exploits.
A fantastic example of an astroturfer spreading FUD about open source.
At least it proves you have zero credibility.
The same would go if you claimed Windows was an eldorado for blackhat hackers and 0day exploits. It’s no longer true. It has serious issues, but not as many as 6 years ago. Microsoft has become better. But open source software is still generally more secure.
No it is not ridiculous, although I’m not happy about the way they put it, because they should emphasize the fact that you have (deliberately?) overlooked: the application stack. They should draw attention to the difference, because FUD based on this “oversight” is very common – in fact, all the “independent” studies build upon it, the same way you do.
When you assess the relative security of two platforms you have to take a look at the functionalities they provide. Since you like bold it seems, I’ll emphasize it to you.
Forget about all the vulnerabilities that are counted for every conceivable FTP server RHEL supports, because win3k supports none, and vulnerabilities in Kerio are not counted for win3k, are they? Forget every single graphical shell RHEL supports, because win3k supports just one. Forget about thttpd bugs, because non-IIS webservers are not counted, are they?
In other words, compare apples to apples. RHEL with the same core functionality that win3k provides out of the box: kernel + glibc + shell + dependencies – I’m generous, so you might count bugs found in ONE graphical UI RHEL supports, but it has to be stripped down (and most likely it is) to provide the SAME functionality as the Windows graphical shell. Then pick those servers/services that are equivalent to those that come with the win3k bundle. One webserver (and one version! you won’t be running IIS 4 or 5 on win3k) – apache –, one database (PostgreSQL), one mail server (Postfix), SAMBA, etc.
NOW DO THE MATH AGAIN.
You, just like most of these comparisons, forget that RHEL supports 100x more apps than win3k by default (I mean RHEL takes responsibility for all the apps it ships, while Microsoft doesn’t take responsibility for bugs in other vendors’ products). And when I say 100x more, I’m not exaggerating. Count it. I’ll just give you one example – IIS and mod_rewrite (or clean URLs, URL rewrite). IIS does not support it – so you actually have to buy it from a 3rd party vendor (I’m not joking – IIS does not support such basic functionality). Now when a bug is found in this module, it won’t be counted as a win3k bug. Apache supports it by default (mod_rewrite is now part of the apache2 core I think – and so are many many more modules). There is a whole support industry (just think of FTP – what professional grade FTP server does win3k ship?) around the Windows platform, and none of the bugs found in those apps will be counted as win3k bugs per se by Secunia. They are Kerio bugs, ServU bugs, etc.
Anyway, the point is that your comparison is still flawed at this point. Compare an average win3k server (define its role first btw) with an average RHEL server (that has the same role) – and count the vulnerabilities of both – that would be a correct and relevant comparison, because that would tell you about the relative security of these platforms in specific roles. Not a single independent (cough… sponsored cough) study does that… guess why? Because the results would be rather embarrassing for a certain company that has touted “secure computing” for over 2 (3?) years now.
Edit: edited some typos (probably not all) … English is not my native language, but I try …
Edited 2006-01-07 01:29
In other words, compare apples to apples. RHEL with the same core functionality that win3k provides out of the box: kernel + glibc + shell + dependencies – I’m generous, so you might count bugs found in ONE graphical UI RHEL supports, but it has to be stripped down (and most likely it is) to provide the SAME functionality as the Windows graphical shell. Then pick those servers/services that are equivalent to those that come with the win3k bundle. One webserver (and one version! you won’t be running IIS 4 or 5 on win3k) – apache –, one database (PostgreSQL), one mail server (Postfix), SAMBA, etc.
Okie, let’s compare a typical scenario: LAMP vs Windows Server 2003 + IIS 6.0 + MS SQL Server 2000 + ASP.NET
http://secunia.com
RHEL: 256
WS2K3: 76
Apache 2.0.x: 28
IIS 6.0: 2
MySQL 4.x: 13
MS SQL Server 2000: 6
http://www.securityfocus.com/bid/
ASP.NET (1.0 & 2.0): 6
PHP: 62
We could also manually count Linux kernel-mode bugs vs. NT kernel-mode bugs, but I don’t think you’re gonna like the results either; you’re just gonna fit them into your favorite conspiracy theory.
I’ll just say to you that there were no Windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for Linux were written 7 years ago. And wanna know why? Because no one understood properly what the Windows kernel does, and how it could be used to exploit security vulnerabilities inside the drivers/kernel because of its undocumented nature, and several brilliant researchers (Barnaby Jack from eEye, valerino from rootkit.com, ey4s from xfocus.org) managed to get some lame PoC that only worked on specific SPs and builds.
I’ll just quote the comment of the PaX team, whom I don’t think need to be particularly introduced (http://en.wikipedia.org/wiki/PaX), and you decide what you think for yourself:
http://lwn.net/Articles/118251/
Using ‘advanced static analysis’: “cd drivers; grep copy_from_user -r ./* |grep -v sizeof”, I discovered 4 exploitable vulnerabilities in a matter of 15 minutes. More vulnerabilities were found in 2.6 than in 2.4.
It’s a pretty sad state of affairs for Linux security when someone can find 4 exploitable vulnerabilities in a matter of minutes. Since there was no point in sending more vulnerability reports when the first hadn’t even been responded to, I’m including all four of them in this mail, as well as a POC for the poolsize bug. The other bugs can have POCs written for just as trivially. The poolsize bug requires uid 0, but not any root capabilities. The scsi and serial bugs depend on the permissions of their respective devices, and thus can possibly be exploited as non-root. The scsi bug in particular has a couple different attack vectors that I haven’t even bothered to investigate. Some of these bugs have gone unfixed for several years.
So please explain to me how open source is not a bugs eldorado, when detecting similar flaws in the Windows kernel would require manual disassembling and understanding of asm code which is extremely complex and documented absolutely nowhere. On the open-source Linux kernel, all you need to do is “grep”. Secure my arse.
Edited 2006-01-07 01:44
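An added example, not code from the page or from the PaX Team: a small Python audit script that refines the grep heuristic quoted above. Instead of dropping every line that mentions sizeof, it flags copy_from_user() calls whose length argument is neither a sizeof() expression nor a literal and is not compared against a bound in the lines just before the call. The driver source it scans is constructed for illustration, and the eight-line lookback window is an assumption.

```python
"""Refinement of the 'grep copy_from_user | grep -v sizeof' audit heuristic:
flag copy_from_user() calls whose length argument is neither sizeof() nor a
literal and is not compared against a bound shortly before the call.
The driver source below is constructed; it is not real kernel code."""
import re

CALL_RE = re.compile(r"copy_from_user\s*\(")
LOOKBACK = 8  # lines searched backwards for a bounds check (assumed window)

DRIVER_SRC = """\
static long foo_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
    struct foo_req req;
    char buf[64];
    size_t len;
    /* bounded: length is the size of the destination */
    if (copy_from_user(&req, (void __user *)arg, sizeof(req)))
        return -EFAULT;
    len = req.len;
    /* bounded: explicit check before the copy */
    if (len > sizeof(buf))
        return -EINVAL;
    if (copy_from_user(buf, req.data, len))
        return -EFAULT;
    return 0;
}

static long bar_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
    struct foo_req req;
    char buf[64];
    if (copy_from_user(&req, (void __user *)arg, sizeof(req)))
        return -EFAULT;
    /* unbounded: req.len comes from user space and is never checked */
    if (copy_from_user(buf, req.data, req.len))
        return -EFAULT;
    return 0;
}
"""


def extract_args(text, open_paren):
    """Return the text between the '(' at text[open_paren] and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
    return None  # unbalanced call: skip it


def split_top_level(argtext):
    """Split 'a, f(b, c), d' on commas that are not nested in parentheses."""
    args, cur, depth = [], [], 0
    for ch in argtext:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return args


def length_is_bounded(length_arg, preceding_lines):
    """sizeof(...) and literal lengths are bounded by construction; anything else
    must appear in a comparison or a min()-style clamp within the lookback."""
    if re.match(r"^(sizeof\b|\d+$)", length_arg):
        return True
    ident = re.escape(length_arg)
    check = re.compile(rf"\b{ident}\s*(<=?|>=?)|min\w*\s*\([^)]*\b{ident}\b")
    return any(check.search(line) for line in preceding_lines)


def find_unbounded_copies(source):
    """(line number, length expression) for every suspicious copy_from_user()."""
    lines = source.splitlines()
    findings = []
    for m in CALL_RE.finditer(source):
        argtext = extract_args(source, m.end() - 1)
        if argtext is None:
            continue
        args = split_top_level(argtext)
        if len(args) != 3:
            continue
        lineno = source.count("\n", 0, m.start()) + 1
        window = lines[max(0, lineno - 1 - LOOKBACK):lineno - 1]
        if not length_is_bounded(args[2], window):
            findings.append((lineno, args[2]))
    return findings
```

Run against DRIVER_SRC it reports only the copy in bar_ioctl (line 25), whose length comes straight from the user-supplied request; the same call shape in foo_ioctl passes because of the preceding comparison.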
Hmmm… I’m not into conspiracy theories.
You forgot the timeframes – this time. Regardless, which PHP version did you have in mind? In the past two years I’ve been running php5 – and seen very few security advisories. How many of these advisories were platform specific btw? Oh, and about php5: http://secunia.com/product/3919/
You say: “Okie, let’s compare a typical scenario” and you do the comparison the same way that I was complaining about.
Where do you get your numbers from btw? I’m referring to “MS SQL Server 2000: 6”. Because http://secunia.com/product/7/
But we can engage in a war of numbers – it still remains pointless, as long as we don’t specify all the details and do a fair comparison.
I won’t say anything about the second part of your comment, because it is irrelevant to this discussion, and although I heard about it, it was one of those longish discussions where I could not decide by a quick glance who is “right”.
I’ll explain with your own words:
I’ll just say to you that there were no Windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for Linux were written 7 years ago. And wanna know why? Because no one understood properly what the Windows kernel does
Class dismissed.
I’ll explain with your own words:
I’ll just say to you that there were no Windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for Linux were written 7 years ago. And wanna know why? Because no one understood properly what the Windows kernel does
Class dismissed.
And how is it that this invalidates my claim that open-source software is more prone to finding security flaws?
The point is that it’s not the software, it’s the fact that it has available documentation.
The software is not more prone, there’s just more information on how to exploit it.
And wanna know why? Because no one understood properly what the Windows kernel does
Class dismissed.
Well, you didn’t quote the part where he said “..because of its undocumented nature”. Makes a difference, doesn’t it?
Or could it be that you’re trying to say that Dave Cutler doesn’t understand the NT kernel?
You DO know who Dave Cutler is, don’t you?
INFO: http://en.wikipedia.org/wiki/Dave_Cutler
David Neil Cutler, Sr. (born March 13, 1942) is a noted software engineer, designer and developer of several operating systems including the RSX-11, VMS and VAXELN systems of Digital Equipment Corporation and Windows NT from Microsoft.
No I’m not insulting Dave Cutler. I’m pointing out that cracking his stuff is harder as he hasn’t explained how it works in intimate detail.
Yes, I probably should have quoted the documentation part as well, but what I quoted was enough.
However, I’d like to point out that David Cutler didn’t write all of the NT Kernel. The design is probably entirely his, as he was the lead in the beginning. But, the actual code is probably mostly not his.
So, acting as if one genius can carry the whole project to perfection is a bit silly. Linus is hardly responsible for every line written in the Linux kernel (more like 2% of it according to him). RMS doesn’t write all of gcc, etc ad infinitum.
So, I’m sure he understands it, but I guarantee he can’t prove the kernel. Not that anyone could prove a project of that size.
I believe he already touched on why Apache != IIS. From the little I know of Apache, it supports a lot of modules which aren’t all recommended for common use (some of them are just swiss cheese). But they document these things (I assume, I’ve never had trouble finding Apache related docs on their site).
IIS is a big commercial product from a “respected” vendor. They’ve got complete idiots clicking their way through setups. They’re not gonna put in random swiss cheese plugins for people to screw themselves with.
FOSS is definitely a different bear than closed software.
You seem to be very clear that you loathe FOSS. Is there a reason for this?
FOSS is definitely a different bear than closed software.
Exactly, and I’m beginning to regret that I have involved myself in this debate. It’s pointless, because we can throw numbers all around, and still be very very far from a relevant comparison of the security of the two platforms.
URL_REWRITE is a good example. While I have it enabled for my own site in apache, it’s not in IIS. In fact: http://www.google.com/search?hs=nbi&hl=en&lr=&client=opera&rls=en&q…
So a fair comparison would be my apache 2 install + IIS 6 + 3rd party modules (which are trusted how much?). The same goes for PHP. The list of available modules is too long to include here, but just a quick search in my ports dir yields these results: ftp://hatvani.unideb.hu/pub/personal/vegyes/php4.txt Now a flaw in mysql_connect() will be counted by Secunia, even though I might have PostgreSQL as a database backend. So you can’t compare ASP.NET vulnerabilities with PHP vulnerabilities in such a generic way like ivoras does.
Indeed FLOSS is a very different beast, and one would need a very rigid comparison that matches every single function present on a setup in a specific role on both platforms. What server X does exactly running on the Windows platform, what server Y does exactly running on RHEL (or FreeBSD for instance), and what software is needed exactly to provide those services on each platform. For instance, with Linux you have the ability to compile your own kernel. When Pat Volkerding was asked how he achieved a ridiculously high uptime on slackware.org while there were known vulnerabilities in the Linux kernel, he just said that he ripped out everything from the kernel that was not needed… and those remote vulns. were found in modules that were not included in his setup. That’s what (good) admins do – configure the system to be secure (that’s what win3k admins do as well). It is just that you can do a lot more with free software than with win3k.
As I said, I almost regret engaging in this debate – my first response was not very well thought out anyway, but a well thought out reply would be as long as a book, because you have to begin to explain how FLOSS works (and why it is or can be more secure than win3k) from the ground up. But seeing how ivans likes meaningless numbers, I doubt he would be convinced anyhow.
The nice thing about *nix is that it makes itself available to remove parts here and there.
While Microsoft has somewhat improved in this respect they still have a very long way to go. I was watching a channel 9 video which had a guy talking about removing dll interdependencies in Windows. So, they’re on the right path; but they’re not there.
A good Windows admin can do really similar things. But you won’t see them recompiling the stuff out of their kernel which they never use. And you won’t see them removing these as modules either!
I think the marketing engine at Microsoft would like to make Windows into the “fire your IT staff and run it yourself” OS (in the server realm). This will bite them in the long term if people listen. The people writing exploits don’t use wizards.
Is it really fair comparing firefox beta/1.x to IE 6.x?
laughed at.
Seriously though, the problem isn’t that CERT is about deceiving people; it’s just that Unix/Linux security and Windows security are two different beasts.
You have to have 4 brain cells and a clue to know that the number of vulnerabilities CERT records is no indication of actual security problems.
I just have to say, last I heard Apache is officially unsupported on Windows. Has this changed, did I hear wrong, or am I correct? Anybody? Not that this matters, people do run Apache on Windows.
Microsoft can fund studies; CERT can report this and that. These numbers do not matter; they are meaningless. Everybody I meet is talking about the big WMF leak. A big oversight like this is a bigger problem for security than a bug here or there. Even the biggest geek can not put that in numbers.
“There is also the issue of timing. With Linux products, critical updates are available within a day. If you look at Red Hat Enterprise Linux 3, the average patch time is under a day. With the recent critical WMF (Windows Meta File) vulnerability, it took Microsoft seven days.”
LOL, what is he talking about? Firefox 1.0.x took 2 MONTHS to patch critical bugs since it had NO PATCH MECHANISM INTEGRATED. And we all remember that leaked remotely exploitable Firefox vuln when for almost a week any script-kiddie could download a 0day exploit from frsirt.com, don’t we?
Actually I think this is pretty clear. He’s talking about Linux bugs, and you’re talking about Firefox bugs. Does Red Hat get to decide when the Mozilla foundation releases patches? You’re accusing him of grasping at straws, but you’re doing the same thing.
For example, Firefox is categorised as a Unix/Linux operating system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms. There are methodological flaws in the statistics,
Well, the difference is that Microsoft doesn’t bundle Windows with PHP or Apache.
But Red Hat does. So every bug found in a package included with RHEL is a bug in RHEL.
You should look at the number of critical vulnerabilities. It’s a better comparison to look at the critical vulnerabilities that affect customers due to the platform they use. There are fewer critical vulnerabilities, and they are fixed faster in Red Hat Linux
IIRC there was such a comparison between RHEL and Win 2k3 about a year ago. The “problem” was that Windows won…
Actually not.
Take a look at Secunias website.
Windows loses big time.
Windows 2003 Server is shipped with IIS6 and many other services, and of course the big security risk known as ‘Internet Explorer’.
The major problem with CERT’s list is the fact that flaws are counted several times. E.g. they are duplicates. This is true for Windows as well as for *nixes and other OS’es.
So the list is unusable for comparison for any platform in the list.
Take a look at Secunias website.
Windows loses big time.
please tell me where i have to look.
when i compare win 2k3 Enterprise-edition with RHEL 4 windows “wins” with 75:138 over the period of 2003-2006
if you only look at 2005-2006 (RHEL 4 was released in march 05, so it still has an advantage of 3 months) windows “wins” 36:138
DOH!
You’re still counting them.
I’ve already stated that the amount of flaws is virtually irrelevant. What DOES matter is the security threat posed by these flaws.
So we need a weighted result of these flaws on both platforms, before the numbers will make any sense.
Windows 2003 Server has many more highly critical flaws than RHEL does. If we can agree on a formula then I’m willing to do some math. But using the number of flaws alone is pure ignorance.
“well, the difference is that microsoft doesn’t bundle windows with php or apache. but red hat does. so every bug found in a package included with rhel is a bug in rhel.”
RedHat makes Apache/PHP (along with many other packages) optionally available, not part of a base install. IE, Outlook Express, Media Player, are all installed by default on a Windows OS (Even on Windows SERVER!!!!! WHY THE HECK DO I WANT MEDIA PLAYER ON MY SERVER!?!?!?!), and there is no way to remove them. Even if RedHat *did* decide that Apache should be part of a base install, a quick rpm -e could remove it.
I would love to see a security comparison of a *minimal* windows install to a *minimal* linux (pick a distro) install (as I believe all servers should start in a minimal configuration). Then, compare similar Web Server configs, similar DB configs, etc, such that the *applications* on each platform are now being validly compared (Apache vs IIS, MSSQL vs MySQL). Heck — I’d even like to see a comparison of Apache & MySQL (etc) on Windows vs *nix, since they are cross platform!
I would love to see a security comparison of a *minimal* windows install to a *minimal* linux
Why minimal? That is not REAL world.
This IS REAL world, 90% of the time Linux is on the top:
http://www.zone-h.org/
65 single IP
54 mass defacements
Linux (51.3%)
FreeBSD (16.0%)
Win 2000 (16.0%)
Win 2003 (10.9%)
SolarisSunOS (3.4%)
Win NT9x (1.7%)
Win XP (0.8%)
(0.0%)
REAL world pal, real world..
In the real world, people take into account market share. Perhaps apache+linux/freebsd has a much much larger market share than win2/3k …
Also, in the real world, people laugh at people linking to statistics on a website (who is zone-h?) without reading the DISCLAIMER at the bottom of the page (so how representative are their numbers?)
Perhaps apache+linux/freebsd has a much much larger market share than win2/3k …
Do they?
And please, don’t give me Netcraft’s statistics if you don’t really understand what those numbers represent.
On the other hand, plain and simple – Port80 survey:
http://www.port80software.com/surveys/top1000webservers/
Yeah,
no statistic is a good statistic if Linux is not better than Windows.
The whole world has been paid by MS.
Yep. Right.
I just made fun of you, and here you go doing it again. You link to a site to prove your point about IIS dominance – a site which has a Microsoft Certified Partner sticker at the bottom, and it sells IIS products.
How can you not notice that you are making a fool of yourself? BTW: thanks for the excellent examples for the point I made earlier about the necessity to download 3rd party addons for IIS to make it functional… addons that won’t be counted as w3k bugs, because MS does not take responsibility for them. Ironically, the second product on their list, quote:
Confuse & misdirect potential hackers! Hide your Windows Web server header & other fingerprints.
more info… I was aware that IIS is pretty crippled (what?! buy something that provides clean URLs??) – I just didn’t realize that you have to buy a module that would mask your server ID – for $99/server! Is this some kind of joke?
Anyway, stop being ridiculous. Next you’ll link to one of the MS sponsored “independent” studies to prove that linux sux and costs more ))
I just made fun of you, and here you go doing it again. You link to a site to prove your point about IIS dominance – a site which has a Microsoft Certified Partner sticker at the bottom, and it sells IIS products.
So WHAT?
They have PROVIDED a LIST of those Fortune 1000 companies on that same page. So go ahead and check it for yourself.
As I said, with people like you no study is good if Windows beats Linux. Yeah, right.
The fact that they sell IIS products does make them biased. See, US-CERT would be unbiased because they don’t sell anything.
Sysinternals may even qualify as unbiased (those guys are just brilliant anyway).
I wouldn’t take a RedHat study as proof that Linux is better than Windows… Nor would I take a Microsoft study… I’d read both through very carefully before I’d consider any of their conclusions.
But if they came to an absolute conclusion I doubt I’d read either; it’d seem too far fetched to spend my time on it.
The fact that they sell IIS products does make them biased. See, US-CERT would be unbiased because they don’t sell anything.
Hahahaha.
There is a list with every company in that study (Fortune 1000).
There is a LINK for each company, so click it and see the info yourself.
If they are biased, the list and links are not. How can a list with links be biased?
What are you talking about?
You just can’t accept it guys, that’s it. As I said earlier: if Windows beats Linux & friends, you can’t accept it. That is your problem.
http://www.port80software.com/products/servermask/
That link is on the page, that’s probably what the page is built for. Also, the unknown category in their list indicates that they didn’t call these companies (they just asked each server what it is).
Guess their software isn’t very popular. Or it’s not very good!
So?
Because they sell something for IIS, the list is invalid?
They provided the list, they provided the links.
LOL
Or.. could it be that Fortune 1000 don’t care if Windows is more expensive than Linux. Maybe they care about quality and not the price.
Oh, no! The list is biased! LOL Fortune1000 are paid by MS to use Windows/IIS LOL Yeah, right!
I am leaving now, you just confirmed what I said: any study where Windows beats the competition is not good for you guys.
Bye.
They have something for IIS which would invalidate their results if it were in major use.
I was more discrediting them. Mostly to pull your strings.
In the real world, people take into account market share. Perhaps apache+linux/freebsd has a much much larger market share than win2/3k …
are you really sure about this argument?
please be warned that the next time a win vs. linux security flamewar breaks loose in desktop-land it will be used against the non-flying bird
Edited 2006-01-07 03:36
Minimal will help display the difference between applications that are insecure by configuration, and applications that are insecure by design. Whether real world or not, this distinction is important, as it is much easier to fix configuration errors than design errors.
And, as to whether it is real world or not — minimal configuration *is* real world, for good server admins. It really grinds my jojos when I cannot remove IE, Media Player, etc from my Windows servers. OTOH my Linux servers have no firefox, X11, gcc … only what is absolutely minimally necessary for the desired functionality. And so, those vulns affecting firefox, X11, gcc, etc will not impact my Linux servers, but those impacting IE, Media Player, OE, etc *will* affect my Windows servers, and there is nothing I can do about that.
but those impacting IE, Media Player, OE, etc *will* affect my Windows servers
Last time I checked nobody is using IE, Media Player or OE on servers.
What the hell are you talking about? Users log on to Windows server to.. run OE? To play music with Media Player? To browse the net with IE?
Yeah, right.
It’s possible. It’s called an RDP server.
My school runs a few.
*nix users are used to that sort of thing. We have three Digital Unix 4 servers for this use, and a lot of Linux machines for it.
Even outside the direct attack via RDP/TS/Citrix, simply having those applications (and associated libraries) available makes the possibility of a two-tier “blended threat” much higher. Perhaps (for example) a malicious file (WMF, WMV) could be uploaded to an IIS hosted app, where a vulnerable library that is part of IE or Media Player would be triggered to process the image.
The point is — simply having the vulnerable libraries installed raises the probability of a compromise. Having unnecessary applications raises the probability of having vulnerable libraries. Why even have those apps installed, if I do not need them? These apps have no business being installed on any server!!!
Patch for WMF was released. Done.
I didn’t notice that Windows based networks have collapsed because of anything you said (IE, WMP, etc, installed on Windows servers).
You sound like ORANGE-PURPLE-YELLOW-WHATEVER-WE’RE-ALL-GOING-TO-DIE-SOON alerts on Fox TV.
IE and WMP on Windows server are the root of all evil! Yeah
Stop spreading the FUD.
You haven’t seen windows networks collapse because of IE? (While WMP may not have been used, yet, it is an example of something that does not belong on a server. MSDE is another vector of attack installed on many machines that don’t really need it.) Many many times IE has been the point of entry to corporate networks. How many hours of IT support have been spent around the world cleaning infected workstations (from IE) which are launching attacks against both internal and external systems? Why allow this same historically vulnerable software on your supposedly secure servers?
But — even if this were not the case — why take the chance? IT security is a game of probability, and it is important to hedge your bets by reducing your potential vulnerability exposure. Why have applications and libraries that are not necessary installed? Are you willing to sacrifice potential security for the convenience of having Outlook Express installed *in case you need it* on your server?
And the only thing I watch on Fox is The Simpsons 😉
You haven’t seen windows networks collapse because of IE?
You’re twisting my words now.
I said ‘.. because of IE/WMP/OE on Windows servers‘
We were talking about that “problem”, weren’t we?
I apologize for changing the context of your words, but allow me to clarify the point I am trying to make:
*IE has a history of vulnerabilities. The same IE is installed on both workstations and servers (there is no server-hardened version of IE). I will admit that most IE related vulnerabilities occur at the workstation, however IE is more than just the browser, supplying libraries that are available to other applications (html/xml/png/jpg/gif processing) whether or not that application needs that function to meet *your* need.
*Security is a game of probability, requiring system admins to hedge their bets, trying to bend the odds in their favor. There is no mechanism to secure your system 100%: authenticators (like passwords) can always be compromised or forged, encryption can be decrypted, etc., but the probabilities are low.
*If I know that there is a vulnerable piece of software on my server, then I cannot in good faith say that my server is secure. Yes, I can make sure that I do not open that browser and go surfing potentially malicious sites — but points of entry often involve vulnerable software used outside of how it was anticipated. I want to remove IE completely, to ensure that it is not part of a two-tier “blended threat”, and that its libraries cannot be used to compromise another application (like Lotus Notes being vulnerable to WMF).
I would love to see a security comparison of a *minimal* windows install to a *minimal* linux (pick a distro) install (as I believe all servers should start in a minimal configuration). Then, compare similar Web Server configs, similar DB configs, etc, such that the *applications* on each platform are now being validly compared (Apache vs IIS, MSSQL vs MySQL).
i already wrote in my first post that such a study was made one year ago
http://www.osnews.com/story.php?news_id=9750
Yup, the bogus one
I would hardly call a comparison by a “Linux Fan” and a “Microsoft Enthusiast” a “study”.
google.com
msn.com
Good enough?
Let’s throw in freebsd: yahoo.com.
well, the difference is that microsoft doesn’t bundle windows with php or apache.
but red hat does. so every bug found in a package included with rhel is a bug in rhel.
True, but the only way to get a fair comparison would be to compare systems with equal functionality.
You could do that by excluding a lot of packages from Red Hat, or by adding packages like MS-Exchange, MS-SQL Server, MS-Office to the Windows install.
Or you could compare the number of bugs/program on Windows vs. Red Hat. To get an even better value, multiply by the average number of days a bug goes unpatched on each system.
UNIX was not multiuser from day one… its name is a kind of pun on Multics, which was the multi-user system the UNIX designers worked with before deciding to write their own simple single-user OS to run on the PDP they had lying around.
Anyway, didn’t CERT also supposedly count flaws in each version of *NIX each time it appeared versus only the one time it appeared in Windows? Or are we backing off of that claim now, because that seems pretty ridiculous.
Edited 2006-01-07 02:08
who asserts that by looking at any list of vulnerabilities, that you can judge a system’s security in the real world, actually work with security in the real world?
Frankly I would rather read about articles and their comments like “A Naive User’s Guide to Running Windows More Securely” or similar than listen to people who don’t actually care about security and are more interested in twisting statistics to make their OS look secure.
I secure my OS’s because I know they are insecure. I am not blind.
“I never got RHEL 4.2 crashed or infected, even when I expose it to the internet at DMZ (Demilitarized Zone) of my router. While Windows get paralyzed within 10 minutes under the same conditions. I even become unable to switch users. So, Yes CERT is another lie we used to from US government like IRAQ weapons of mass destruction.”
This is about CERT’s list and alleged inaccuracy…not your moonbat political views…..
As someone who has worked with CERT many times I can attest to their knowledge and skillset and most members of that team are much more knowledgeable than you will ever be…
Edited 2006-01-07 04:28
“members of that team are much more knowledgeable than you will ever be…”
This shows how arrogant you are. You people spread claims, lies and inaccuracies and you never show real proofs that will help users or companies do their daily life computing with less problems. Windows is insecure to any linux/Unix once pushed to a certain limit.
Please, next time give evidence not claims… Thanks for understanding.
United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005
yup, it’s true, USCERT says it’s true, it’s official, can’t argue with that. linux is becoming a more ill os than windows. gates is smiling, oh shoot.
Wow, when you combine the bugs in multiple code bases and compare them to the bugs in a single code base you get a big difference in the number of bugs.
They included FreeBSD, OpenBSD, HP-UX, IBM AIX, IRIX, Gentoo Linux, Debian Linux, Solaris and all associated software and then compared it to Windows XP.
Insanely stupid list.
– Jesse McNelis
I think red hat is foolish for trying to dispute this because they don’t control the other open source projects. if the other open source projects are getting careless at writing code and developing software that is bundled with the linux kernel, maybe this is the start of a future problem.
But risking getting hung upside down over a pit of spikes by only my well endowed member, this is a product to product comparison, and I see nothing wrong with them comparing Windows 2003 to RHEL.
If you’re going to benchmark security, you go and get two products off the shelf and give a real world assessment based on what is included in the box to be considered part of the operating system – if companies don’t wish to take responsibility for what is included in their box products, they bloody well shouldn’t include it with their boxed product!
For years RedHat has gotten away, scot free, with fobbing the security responsibility onto everyone else – the day of reckoning will occur, and customers will start to say, “you fix the hole! you bundled it with your product, YOU fix the hole in the software” and if they say, “It’s now our problem” the customer will say, “yes, it IS your problem, YOU included it with your product, therefore it is YOUR responsibility to maintain it!”.
TMK RedHat is the only Linux distributor which will fix holes if they aren’t being fixed by the group who develops the package.
Have you had problems with RedHat not fixing security issues?
When the original story about the US-CERT vulnerability was posted, I remember thinking that it was really obvious that all it represented was a list of the reported vulnerabilities for the year. There was no commentary or statistics, and CERT made no claims about relative security of systems. It was just a pure, factual, list of what had been reported to them in the last year.
The original report even states that “Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported…”
So to see Red Hat complaining that “the study is confusing and misleading” seems really, really odd. It wasn’t a study, it was just a factual list of the reports CERT received.
The fact is that insinuations about relative OS security came only from commentators, not CERT. Surely anything else is just opinion that people have chosen to layer on top of it?
The problem is the way it’s been reported.
The list could have been assembled in a better way – especially when considering the standard ‘serious’ journalism (aka sensationalism – the most common form of ‘serious’ journalism).
The study _is_ confusing and misleading, unless you know how to handle it. The media don’t or do not want to, and misinterpret the list even when they know better.
Put it in the same league as “Ohh noooo another asteroid (or comet or whatever) is going close to the earth – perhaps this one will hit us, ohhhh nooooo” news items.
A certain part of the blame goes to CERT for putting out such a badly assembled list. The only good thing is it affects all OS’es in the list.
I agree that there is always a danger that a list such as this one will be misinterpreted.
I’m just not sure how CERT could have done it differently. All they did was produce a factual list of vulnerabilities based on the information reported to them. It’s just something that CERT does. They did the same thing last year, and maintain a running list as well:
http://www.us-cert.gov/cas/bulletins/index.html
Lists like this are important. It would be kind of absurd if they couldn’t be produced just for fear of them being badly misinterpreted by commentators!
Of course they should have a list. And release it.
But it doesn’t help that they lump *BSDs with Linux. Several flaws are duplicates, which is the result of nothing but poor assembling of the list. They could have done better.
But no doubt CERT should keep releasing these lists, no matter how stupid journalists and bloggers tend to be.
OK, fair enough, I’ll go with that!
As you say, the categorisation could well have been more refined, and duplicates could have been handled differently.
Clearly the list is not really suitable for drawing any immediate statistical conclusions.
The CERT report was obviously not written by a technophile and it shows by its gross miscategorization of vulnerabilities. Redhat needs to defend itself against uninformed people who spread FUD. I’m not saying this because I am a so called zealot, I’m saying this because it’s the truth.
Glad to see this travesty revealed.
First off, CERT and US-CERT are related but not the same. The implication that there is US-government tampering with the results to somehow favour MS is ludicrous. The data is very public and very visible.
Secondly, CERT stated that the results “should not be considered the result of a US-CERT analysis”, it contains outside information (it’s a collaborative database which probably explains all of the duplication). It’s simply a core dump of their database for 2005.
Third, if we are going to try and turn this into some sort of CERT / US-CERT oriented conspiracy, then let’s consider the US-CERT Security ALERTS (as opposed to the vulnerability notes). Vulnerabilities are measured on a metric comprised of a number of factors (taken from http://www.kb.cert.org/vuls/html/fieldhelp#metric):
o Is information about the vulnerability widely available or known?
o Is the vulnerability being exploited in the incidents reported to US-CERT?
o Is the Internet Infrastructure at risk because of this vulnerability?
o How many systems on the Internet are at risk from this vulnerability?
o What is the impact of exploiting the vulnerability?
o How easy is it to exploit the vulnerability?
o What are the preconditions required to exploit the vulnerability?
They further admit that the threat measurement is not perfectly scientific, some of the measurements being subjective and weighed more heavily, but they consider it as serving as a useful indicator for which threats need to be highlighted as critical.
On that basis, you can view the “serious” threats determined by US-CERT at http://www.us-cert.gov/cas/techalerts. Of the 22 issued last year, you’ll find a couple impacting OS X, some impacting Cisco IOS, applications like Oracle, but by far the bulk of the “holy cow this is serious”-measurement are Windows based. Not a single specifically linux-based threat was deemed worthy enough to be prioritized by US-CERT as critical. The closest you could come is to an advisory for Snort. Given that some of the factors govern threat to the internet, number of internet-connected systems etc. and given the prevalence of *nix in the net-server area, one cannot dismiss the vulnerability assessments by saying “linux just isn’t as widely deployed so doesn’t warrant as big a threat”.
You’d have to go back to mid 2004 to the infamous libpng exploit that did admittedly impact a number of *nix systems, but as I recall the majority of distros had a patch available that day.
So if we’re going to take statistics and mutilate them to our own benefit, that’s ok. *nix can have 100,000 threats, Windows can have 1. The difference is that, in the real world, that one single Windows threat is statistically more likely to involve a critical vulnerability to your system than any of those 100,000 *nix threats. Hell, based on US-CERT’s critical advisories, one can assume that an unsecured *nix system must still be safer than Windows, right?
How’s that for statistical interpretation?
Bah.
Thank you for that razor sharp analysis, wish I had some points to mod that up. I still think the biggest and best yardstick is how long ’til it’s some hax0rs beehatch after you default install and plug it into the internet.
>I never got RHEL 4.2 crashed or infected, even when I expose it to the internet at DMZ (Demilitarized Zone) of my router. While Windows get paralyzed within 10 minutes under the same conditions. I even become unable to switch users. So, Yes CERT is another lie we used to from US government like IRAQ weapons of mass destruction.<
What the hell are you talking about? The US government has all sorts of Redhat contracts, how about you stop talking out of your ass and trying to spread your political agenda. How about we speak some facts.
All that having been said, anybody with an IQ over 30 could tell you that linux is generally far more secure than windows with the only exception being a very very poor administrator.
I believe that when Gates is old and on his death bed he will admit his products were insecure, till then we’ll just have to live with these kinds of reviews .
“The US government has all sorts of Redhat contracts, how about you stop talking out of your ass and trying to spread your political agenda.” “How about we speak some facts. ”
Yes, how about some facts, we have heard that US government chose the most horrible OS (windows 2000) on at least one fleet of their Navy destroyers to command the weapons system; why didn’t they choose any other secure OS?!! Can I say BRIBES; As of this moment any other OS in this world is more secure than windows.
“spread your political agenda”
It’s not a political agenda we talk here, It’s facts, and only facts that I judge. So you want us to listen to lies and then absorb it. How democratic you are?
“stop talking out of your ass”
I don’t know why are you boiling, are you one of those govs to defend them, if so then this shows how disrespectful they and you are.
“The US government has all sorts of Redhat contracts”
US government refused to do this until RHEL gets certified to level 4 like Microsoft, how pathetic?! Even SUSE enterprise is level 4 certified and still they don’t want to use it.
okay I have worked for the US Government in IT for the past 8 years (contractor) trust me since 99 the USG has been using Linux. Security requirements are a weird thing and some orgs have to follow, some don’t. Trust me there is plenty of Linux use out there and it is exploding now. Just because DOD demands something it doesn’t mean suddenly dept. of education has to follow. The government is so huge… you wouldn’t believe it…
As I recall it (been a while since I read the report in question) US-CERT stated that despite looking like it had fewer security holes, Windows was still the most insecure alternative.
The way i see it is that the problem is Always between the chair and the keyboard, whatever the OS is.
Windows can be problematic, so can be Linux.
Heck i can configure windows AND linux to be secure. The only difference would be that i would buy some 3rd party addons on windows and JUST install them, whereas on Linux i would download them off the net, compile and configure them properly.
The bottomline is:
Windows and Linux are secure if you know how to properly configure them.