
No One Gets Out Alive!
Linux Today ^ | 25 March 2005 | Brian Proffitt

Posted on 03/26/2005 7:41:12 AM PST by ShadowAce

... that's the thing about Life.

This somewhat stark view is what usually gets me by on a trying and troubling day. It's extremely pragmatic, and very likely cynical, but it helps me put things into proper perspective. At the end of it all, did it really matter that I forgot to take out the trash?

This personal philosophy can also be applied to flaws, bugs, and holes that people find in software. All software, I would stipulate, has at least one bug. And, since it only takes one flaw to exploit software, you could make the case that all software is equally insecure.

[Enter dark grey clouds of doom, fire, and destruction]

But Brian, you say, didn't you just get back from vacation? Didn't you have a good time? Why are you being all Frank Miller?

Well, the answers are yes, yes, and because when I got back it was time for another round of Security Wars, with Linux and Firefox as the targets. And, frankly, having been away from the fray for a week, the arguments seemed all that much more silly.

In the oft-cited Security Innovations report, the number of bugs found in Red Hat vs. Windows 2003 was specified as more problematic for Red Hat. More bugs is a bad thing, according to the logic of a five-year-old or the context of the report, however you want to label it.

Context is always a tricky, tricky thing. I could write here that I honestly walked the Appalachian Trail this past week, and it would not be a lie. If you dug a little deeper, however, you would realize that no one could walk the entire 2,000+ mile trail in just under a week. (Few people have actually made the entire trail walk at all.) So, if you kept digging, I would clarify the context: that I was on the trail for a little more than 25 yards as it wound from the parking lot at Newfound Gap to the bathroom shelter. Not so glamorous, but it does not belie my original statement, either.

So, there are more reported bugs in Red Hat than Windows. This, I don't doubt. Because if you step back for a moment and think, you would realize that Red Hat's (and, indeed, all of Linux') known bugs are a good thing--because we know about them. How many bugs are in Windows 2003 that don't get reported? Or, when they are found, actually get repaired?

Some would say this is a specious argument, that I am claiming flaws based on zero evidence. Ah, but is it zero? After all, it isn't Linux zombies or OS X zombies that are out there throwing spam at my computer. So there's one piece of evidence. Another is the very arguments proprietary vendors have used this week when Firefox 1.0.2 came out. "Firefox is being patched!" they cry, "It must therefore be insecure!"

So, a product (open source or otherwise) finds a hole and then when it fixes it, it is somehow admitting some kind of weakness. Kind of a glass half-empty sort of argument, isn't it? But let's look at that a little harder. If that is the true thought of a proprietary vendor, it would be very safe to say that they would apply that same mentality to their own software's flaws. Admitting a flaw is weak, and patching a flaw is admitting a flaw. Better, they seem to think, if we just keep it quiet and hope no one finds it. Boy, talk about insecurity.

Of course, there is the other side of the argument that says these vendors are just being hypocritical in their statements about open source flaws. When they patch a flaw, it seems, they are making their product stronger. When open source patches a flaw, OSS developers are admitting weakness. I've seen that attitude before, too. This sort of hypocrisy, however, tends to get exposed more often than vendors would like, and my sense is they stick with the "let's-keep-it-quiet" mindset until the flaw is exposed.

Then along comes my next favorite argument--that Linux is not cracked more often because it has such a pittance of a market share compared to the almighty Windows. Again, on the surface, that seems like a workable argument. But cracking is something that people do, and people are not always logical in their targets. I would think that given the sheer number of people the Linux community has ticked off in the past, someone with malicious intent would have come along and devised a real virus/malware/spyware attack just to shut us up.

This last argument stems from a statement from someone who hates dealing with the Linux community, calling us "smug a**holes." I'll keep this person's identity to myself, because the attitude is a bit pervasive across the IT community. Linux users, it has long been understood, are very, very strong in their advocacy. It drives others outside of the community a little batty and makes still others mad as hell.

Given this, I am finding it difficult to believe that no one has been angry enough to try to knock this chip off the community's shoulder. This may seem like schoolyard logic, but those with criminal intent in their hearts have never struck me as the most mature. The recent phpBB site hacks were the closest thing I have seen to such an attack, so we know the desire for malicious vandalism is there. Yet, for the most part, Linux/Apache servers remain largely untouched, Linux machines are not zombified en masse, and to date no one has figured out a Linux virus that works.

I should be fair and mention that some of these cracks happen regardless of OS. User error (not patching, not firewalling, etc.) leads to problems on any operating system. Here, the solution is at once both technical (don't make it so easy out of the box to get oWn3d) and educational (train users which practices are Good and which are Bad). I think Linux users typically have always had an advantage over Windows users in this education, because using Linux makes a person more savvy right out of the gate.

I will not get into the argument on how sponsorship of a study automatically infers a bias. Other writers have covered that in this past week, and I see no need to rehash. Just once, though, I would love to see a review from Consumer Reports or some other truly independent organization. But even then, a system can be made more or less secure depending on the user's actions, so such tests are debatable.

Corporation after corporation is moving to Linux, so much so that a shift in news coverage is starting to happen. Linux migration stories are becoming old hat these days. The new cutting-edge stories are the Linux-to-Windows migration stories. Think about that for a second. When was the last time Microsoft put any real publicity out about someone implementing one of their solutions? When OS/2 was up and coming? When they were moving out onto the PC? Now, it's news again when Windows gets a win.

I think this voting with dollars will be the final determinant of which OS is more appealing, more secure, and most cost-effective. And, in any campaign where the lead seems to be slipping, the real or imagined flaws of the up and coming opponent are always good fodder. But eventually, the truth will out.

[Enter bright sunshine, chirping birds (or more fire and mayhem, if that's your bag)]


TOPICS: Technical
KEYWORDS: linux; security; windows

1 posted on 03/26/2005 7:41:13 AM PST by ShadowAce

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

Tech ping


2 posted on 03/26/2005 7:41:50 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

that is one way of looking at it....


3 posted on 03/26/2005 7:42:41 AM PST by MikefromOhio (Terri is going to die and then the mob is going to blame both Bush brothers.)

To: ShadowAce

Last guy who said it didn't matter that I forgot to take out the trash shot himself in his kitchen-so his son said. Forgetting to take the trash out leads to a very smelly and disease ridden pigsty. That will have to be cleaned up by somebody, usually at taxpayer expense. HAZMAT like Government regulation ain't cheap.


4 posted on 03/26/2005 8:29:32 AM PST by StonyBurk

To: ShadowAce

"Some would say this is a specious argument, that I am claiming flaws based on zero evidence. Ah, but is it zero? After all, it isn't Linux zombies or OS X zombies that are out there throwing spam at my computer."

That's because the overwhelming majority of desktop computers are running Windows. That means both a) hackers have a much larger pool of victim machines to choose from if they choose to specialize in hacking Windows; b) there's going to be a much larger number of Windows hackers than for any other platform, because they can more easily work with what they're familiar with; and c) hacking tools will generally target the Windows platform to the exclusion of others, because any given tool has a higher likelihood of exploiting a larger number of machines if it specifically targets Windows.

In other words, the amount of attack that any given OS will experience is roughly proportional to the cube of its popularity on the desktop market.

(Server markets don't really play into this calculation because server administrators take the responsibility of their system's security upon themselves, so the vulnerability of a server system is the fault or merit of the sysadmin, not the authors of the OS. It's specifically in the desktop arena that we defer security to the OS's out-of-the-box configuration.)

Furthermore, up to 23% of desktop computers worldwide are still running Windows '98 or ME or something else godawful like that. They've never bothered to upgrade or to patch. If you want to compare apples to apples, you have to compare these machines to the state of Linux at the time (I believe Slackware was on kernel 1.7 at the time? Somewhere thereabouts). And when you do that, Linux's high bug visibility becomes not an asset, but a major problem.


5 posted on 03/26/2005 8:29:48 AM PST by Omedalus

To: ShadowAce

A strange title, considering this week....


6 posted on 03/26/2005 8:40:42 AM PST by JoJo Gunn (More than two lawyers in any Country constitutes a terrorist organization. ©)

To: JoJo Gunn; ShadowAce

A very strange title!


7 posted on 03/26/2005 9:11:53 AM PST by Ernest_at_the_Beach (This tagline no longer operative....floated away in the flood of 2005 ,)

To: ShadowAce
I think this voting with dollars will be the final determinant of which OS is more appealing, more secure, and most cost-effective.

Well, at least he got one thing right. But I'm not sure the voting will go the way he thinks it will.

8 posted on 03/26/2005 9:28:25 AM PST by Joe Bonforte

To: Omedalus
"The amount of attack that any given OS will experience is roughly proportional to the cube of its popularity on the desktop market"

Rephrase that as "successful attack" and we're talking. It's very easy to attack any system: "Look at me, I'm sending malformed packets to your server, I'm attacking you, blah blah".

9 posted on 03/26/2005 11:15:34 AM PST by Codename - Ron Benjamin ("Forbidden fruit? We have forbidden fruit? Hey Eve... we have forbidden fruit!!!!!")

To: ShadowAce
Because if you step back for a moment and think, you would realize that Red Hat's (and, indeed, all of Linux') known bugs are a good thing--because we know about them. How many bugs are in Windows 2003 that don't get reported? Or, when they are found, actually get repaired?

This is a ridiculous argument -- and it's made all the worse because its salesmen have constantly parroted the virtues of Linux on the basis that security through obscurity doesn't work. Bugs can't hide. They will be found. But the fact that they're not being found in significant numbers in W2K3 isn't evidence that there are plenty waiting to be found or that people aren't trying.

Some would say this is a specious argument, that I am claiming flaws based on zero evidence.

Yeah -- and I just pointed out why it's a specious argument.

Ah, but is it zero? After all, it isn't Linux zombies or OS X zombies that are out there throwing spam at my computer. So there's one piece of evidence.

No, it's NOT one piece of evidence. The SecurityFocus report is comparing *W2K3* to RH -- not WinXP (or Win9x) to RH -- because nobody is claiming widespread W2K3 zombies. Again, another lame and baseless argument.

So, a product (open source or otherwise) finds a hole and then when it fixes it, it is somehow admitting some kind of weakness. Kind of a glass half-empty sort of argument, isn't it? But let's look at that a little harder. If that is the true thought of a proprietary vendor, it would be very safe to say that they would apply that same mentality to their own software's flaws. Admitting a flaw is weak, and patching a flaw is admitting a flaw. Better, they seem to think, if we just keep it quiet and hope no one finds it. Boy, talk about insecurity.

How many times do I (and the Linux community) have to say this: Security through obscurity doesn't work. Flaws are exploited. It doesn't matter how much MS or RH would prefer to keep their weaknesses private.

Of course, there is the other side of the argument that says these vendors are just being hypocritical in their statements about open source flaws. When they patch a flaw, it seems, they are making their product stronger. When open source patches a flaw, OSS developers are admitting weakness.

I've never heard anyone make such a comparison. This sounds like anxiety. The chickens are finally coming home to roost -- in stark contrast to the hyped superior security record attributed to Linux.

Then along comes my next favorite argument--that Linux is not cracked more often because it has such a pittance of a market share compared to the almighty Windows. Again, on the surface, that seems like a workable argument. But cracking is something that people do, and people are not always logical in their targets. I would think that given the sheer number of people the Linux community has ticked off in the past, someone with malicious intent would have come along and devised a real virus/malware/spyware attack just to shut us up.

No, Windows is attacked more often because there is a security industry that actually gets paid to find bugs in Windows. Not so with Linux. Nobody's going to pay anybody's salary if they go after the dorm room OS.

This last argument stems from a statement from someone who hates dealing with the Linux community, calling us "smug a**holes." I'll keep this person's identity to myself, because the attitude is a bit pervasive across the IT community. Linux users, it has long been understood, are very, very strong in their advocacy. It drives others outside of the community a little batty and makes still others mad as hell. Given this, I am finding it difficult to believe that no one has been angry enough to try to knock this chip off the community's shoulder. This may seem like schoolyard logic, but those with criminal intent in their hearts have never struck me as the most mature. The recent phpBB site hacks were the closest thing I have seen to such an attack, so we know the desire for malicious vandalism is there. Yet, for the most part, Linux/Apache servers remain largely untouched, Linux machines are not zombified en masse, and to date no one has figured out a Linux virus that works.

What a lame assumption. This guy assumes that whoever is attacking OSes isn't affiliated with Linux. That's whacked.
10 posted on 03/26/2005 11:18:35 AM PST by Bush2000

To: Bush2000
Bugs can't hide. They will be found. But the fact that they're not being found in significant numbers in W2K3 isn't evidence that there are plenty waiting to be found or that people aren't trying.

Careful now.

Don't forget your history. You will rarely squash a majority of bugs in the first year of deployment anyway. Aren't bugs still being found in XP? How long has that been out? In 2K? How long has that been out?

11 posted on 03/26/2005 12:42:58 PM PST by TechJunkYard

To: TechJunkYard
Careful now. Don't forget your history. You will rarely squash a majority of bugs in the first year of deployment anyway. Aren't bugs still being found in XP? How long has that been out? In 2K? How long has that been out?

I never said that all bugs are found immediately. I simply pointed out that security through obscurity doesn't work. And, clearly, the fact that security bugs are being discovered in open and closed source code regularly -- not primarily through code examination but actually through runtime buffer overflows, etc -- proves that it just doesn't matter whether you open the code or not. People will find the problems.
12 posted on 03/26/2005 8:03:04 PM PST by Bush2000

To: ShadowAce
So, there are more reported bugs in Red Hat than Windows. This, I don't doubt.

Because it can't be denied. The record is clear. All you have to do is add them up, which is what this study did.

13 posted on 03/27/2005 11:11:36 AM PST by Golden Eagle (Team America)

To: ShadowAce; Golden Eagle

I think this is a good time to point out that nobody here is saying that Windows (or any other OS) is blameless or superior, compared to Linux. But Microsoft does deserve a little credit for working hard to make W2K3 a solid product. I know for a fact that neither Microsoft nor Red Hat wants to ship insecure code.


14 posted on 03/27/2005 12:20:07 PM PST by Bush2000

To: Bush2000; Golden Eagle
But Microsoft does deserve a little credit for working hard to make W2K3 a solid product.

Agreed. W2K3 is (I think) their best product to date.

I know for a fact that neither Microsoft nor Red Hat wants to ship insecure code.

I can't imagine otherwise, even with the argument that insecurity breeds upgrades (and sales).

15 posted on 03/27/2005 3:41:33 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Bush2000

I'm just sick of all the lies from these Linux fanatics. You saw the claim a couple of weeks ago by Ernest that Linux doesn't have any viruses at all, which is complete bunk. Then a couple days ago Rifleman was claiming that you could put a completely patched Windows box on the internet, and it would be automatically compromised in just a few hours.

Then when you catch them in their lies, they argue, or try to say the same lie again in a different way, basically anything except admit they've been caught lying, even when it's obvious.

ShadowAce, to his credit, doesn't really seem to have this problem, he endorses Linux, but I don't know of him lying about it. But I have serious issues with those that do.


16 posted on 03/27/2005 8:52:37 PM PST by Golden Eagle (Team America)

To: Golden Eagle
I'm just sick of all the lies from these Linux fanatics.

Yeah, me, too.

You saw the claim a couple of weeks ago by Ernest that Linux doesn't have any viruses at all, which is complete bunk.

True. Even if that weren't the case, there have been enough security flaws in Linux distributions to easily create a self-propagating worm or virus to infect unpatched systems. The existence of viruses doesn't really signify much. Viruses wouldn't even be possible without pre-existing security weaknesses -- of which Linux distros have had tons.

Then a couple days ago Rifleman was claiming that you could put a completely patched Windows box on the internet, and it would be automatically compromised in just a few hours.

He's all hat and no cattle.

ShadowAce, to his credit, doesn't really seem to have this problem, he endorses Linux, but I don't know of him lying about it. But I have serious issues with those that do.

Agree, ShadowAce is one of the more reasonable guys around here.
17 posted on 03/27/2005 9:01:33 PM PST by Bush2000

To: Bush2000
"But Microsoft does deserve a little credit for working hard to make W2K3 a solid product."

For once I agree with you, what I have seen of 2k3 has been pretty solid, almost enough for me to get over my distaste of having a GUI embedded in a server OS.. Moving over to straight DNS, and completely ditching many of the broken protocols they were using in NT, have done a ton for not only its stability but its ability to interact with other operating systems..

18 posted on 03/28/2005 12:32:53 PM PST by N3WBI3

To: N3WBI3

I think it's time for all of us to move past blame and recrimination. I don't really dislike Linux. I use it practically every day for some of my dev work.


19 posted on 03/28/2005 1:02:47 PM PST by Bush2000

To: Bush2000
Hey, I've never been a windows s*** guy, I'm not fond of some of the early architecture decisions they made and their stability and security paid for it up until 2K, and now 2k3... I still don't like requiring a GUI so I can run a webserver but that's just an itch I have...

I have been quick to point out windows flaws, but I have also been pretty quick to pan Linux when the OS has it coming...

Your last few posts have been far less about us commie opensource guys than you have historically done, and that's appreciated. In that spirit I'll have to knock off the MS shilling posts I have a tendency to throw around..

20 posted on 03/28/2005 1:09:19 PM PST by N3WBI3