Free Republic
Linux, Open Source have 'more security problems than Windows'
The Register, NewsForge | 11.15.2002 | Robin Miller

Posted on 11/15/2002 8:18:56 AM PST by AdA$tra

According to a report published November 12 by Aberdeen Group, "Security advisories for open source and Linux software accounted for 16 out of the 29 security advisories - about one of every two advisories - published for the first 10 months of 2002 by Cert (www.cert.org, Computer Emergency Response Team)."

Aberdeen says Microsoft products have had no new virus or trojan horse advisories in the first 10 months of 2002, while Unix, Linux, and Open Source software went from one in 2001 to two in the first 10 months of 2002, that in the same 2002 time period "networking equipment" (operating system unspecified) had six advisories, and Mac OSX had four.

In other words, all except Microsoft had increases in reported vulnerabilities this year.

"Contrary to popular misperception," the report says, "Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to popular wisdom, Unix- and Linux-based systems are just as vulnerable to viruses, Trojan horses, and worms. Furthermore, Apple's products are now just as vulnerable, now that it is fielding an operating system with embedded Internet protocols and Unix utilities. Lastly, the incorporation of open source software in routers, Web server software, firewalls, databases, Internet chat software, and security software is turning most Internet-aware computing devices and applications into possible infectious carriers."

The report lauds Microsoft for having overhauled its development process in an attempt to fix security problems, and says, "Perhaps it is time for some of the suppliers of open source and Linux software to take similar measures."

(You'll need to register with Aberdeen to read the rest of the report -- it's one of their free ones -- but I believe I've covered the Linux-relevant high points here.)

And yet, here I sit with my virus-free, trojan-free Linux box, receiving tons of viruses and trojans from Windows users (that don't affect me), watching news item after news item about sites run on Windows servers getting defaced and broken into.

According to what I've heard from my many sysadmin and network security specialist friends, no OS or network-connected software is secure unless it's administered properly and security patches are applied as soon as they are available.

And then, after I started writing this story, a ZDNet article with the headline Linux utility site hacked, infected came across my monitor, and I started wondering, "What if these Aberdeen people are right? What if this isn't just Microsoft-sponsored nonsense?"

A look at CERT's 2002 Advisories and Incident Notes pages was not overly reassuring. Yes, I saw some Microsoft vulnerabilities there that Aberdeen apparently missed, and one for Oracle.

I also think we have enough Microsoft viruses left over from last year that we don't need any new ones this year.

But the real issue is that we all need to be more security-conscious. The Aberdeen report points out that the system with the most reported vulnerabilities can change from year to year, but that the overall vulnerability and incident trend is up. Way up. In other words, whatever operating systems we use, we all need to watch out more for security flaws than we have in the past, and work harder to protect ourselves from them.


TOPICS: Business/Economy; Extended News; Technical
KEYWORDS: computersecurityin; hacking; linux; opensource; security; unix; windows
To: lelio
Simple. Microsoft shut down all new development for a window of time (I think it was 45 days) on all applications early this year. They proceeded to commit the entire technical workforce (no sales, support, upper management, etc.) to hacking their stuff. Every line of code had a complete review. They did a security sweep. They found literally hundreds (maybe thousands) of bugs. They in turn took all code that was vulnerable and started re-working it. Everything. Not because they were bowing to pressure. MS doesn't do that. It was because they wanted to make sure they could use the marketing of opportunities like this one to ensure a top position. ("Hey, we haven't had ANY new code issues from the outside world since we did our review...") Yes, it's marketing, yes it's customer service, yes it's sales. Sometimes good things come (including all the found errors in the last 6 months) from non-altruistic reasons. Much to the Demonrats' dismay. Business does things for the utmost in profits.
21 posted on 11/15/2002 9:47:20 AM PST by spacewarp

To: AdA$tra
If they only look at CERT releases, of course the sample will be flawed. Maybe they should take a look at bugtraq and nt-bugtraq as a more representative sample. That sample will also be flawed, but it will be a wider sample.

"Counting bugs" isn't useful IMO.

Perhaps if the bugs were weighted by total systems vulnerable as well as ease of exploiting the bug, you might get a useful metric. Useful for what I'm not sure, but it's better than counting the number of bugs.

22 posted on 11/15/2002 9:55:51 AM PST by cryptical
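The weighting cryptical suggests above, and the "which bucket does a shared component go in" problem behind the CERT tally, shown in an added example that is not part of the thread or of the Aberdeen report. The advisory records, platform names, installed-base shares and exploitability labels are all constructed for illustration; the example also goes one step past the comment by tagging an advisory for a shared open-source component against every platform it ships on, which is what inflates a raw count.

```python
"""Raw advisory counts versus an exposure-weighted tally.

Added example, not code from the original thread or the Aberdeen
report. Every record below is constructed; the installed-base shares
and exploitability weights are assumptions, not CERT or vendor data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed exploitability weights: an unauthenticated remote flaw
# deserves far more attention than one needing a local account.
EXPLOIT_WEIGHT = {
    "remote-unauth": 1.0,
    "remote-auth": 0.5,
    "local": 0.2,
}


@dataclass(frozen=True)
class Advisory:
    ident: str
    platforms: tuple        # every platform the affected component ships on
    exploitability: str     # key into EXPLOIT_WEIGHT
    wormable: bool = False  # self-propagating exploit seen in the wild


# Constructed sample. ADV-2 is a shared open-source component that ships
# both in a Linux distribution and in a network appliance, so a raw
# count credits it to both platforms.
SAMPLE = (
    Advisory("ADV-1", ("Linux",), "local"),
    Advisory("ADV-2", ("Linux", "NetAppliance"), "remote-auth"),
    Advisory("ADV-3", ("Linux",), "local"),
    Advisory("ADV-4", ("Windows",), "remote-unauth", wormable=True),
    Advisory("ADV-5", ("Windows",), "remote-unauth"),
    Advisory("ADV-6", ("NetAppliance",), "remote-unauth"),
)

# Assumed share of the connected population running each platform.
INSTALLED_BASE = {"Windows": 0.7, "Linux": 0.2, "NetAppliance": 0.1}


def raw_counts(advisories):
    """The 'count the advisories' metric: one tick per platform named."""
    counts = Counter()
    for adv in advisories:
        for platform in adv.platforms:
            counts[platform] += 1
    return dict(counts)


def weighted_exposure(advisories, installed_base):
    """Weight each advisory by ease of exploitation (doubled if a worm
    exists) and by the installed base of each affected platform."""
    score = defaultdict(float)
    for adv in advisories:
        weight = EXPLOIT_WEIGHT[adv.exploitability]
        if adv.wormable:
            weight *= 2.0
        for platform in adv.platforms:
            score[platform] += weight * installed_base.get(platform, 0.0)
    return {p: round(v, 3) for p, v in score.items()}


def rank(metric):
    """Platforms ordered worst-first; ties broken by name for stability."""
    return sorted(metric, key=lambda p: (-metric[p], p))


if __name__ == "__main__":
    raw = raw_counts(SAMPLE)
    weighted = weighted_exposure(SAMPLE, INSTALLED_BASE)
    print("raw counts      :", raw, "->", rank(raw))
    print("weighted exposure:", weighted, "->", rank(weighted))
```

With the constructed data the raw count puts Linux first (three advisories, one of them shared with the appliance), while the weighted tally puts Windows first because its two advisories are remotely exploitable without authentication, one of them wormable, and hit the largest installed base. Neither number is "the" answer; the point is that the ranking depends on choices the headline count hides.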

To: That Subliminal Kid
Like it or not Windows 2000 Professional is all-around the hands down best operating system in existence

Can't wait to reconfigure my Windoze 2000 laptop with a dual boot 2000 / Linux configuration so I can get some work done.

23 posted on 11/15/2002 9:58:33 AM PST by taxcontrol

To: Billy_bob_bob
Why won't Joe Linux vote to stop homeless people urinating in our streets? Voter testimonial: "Public urination? That's disgusting!"

Joe Linux. Public urination.

(No kidding, this was a real ad in NYC this month, against state senator Liz Kreuger.)
24 posted on 11/15/2002 10:13:37 AM PST by Norman Conquest

To: AdA$tra
Yes, I saw some Microsoft vulnerabilities there that Aberdeen apparently missed, and one for Oracle.

From the above article.

The Aberdeen report "missed" some MS vulns.

This is funny stuff! :(|)

And some people wonder why MS has such a bad rep.

25 posted on 11/15/2002 10:15:06 AM PST by Dominic Harr

To: AdA$tra
Here is what happens in the REAL WORLD, not in the world of "theoretical vulnerabilities", particularly those which require an inside job to trigger:

From SANS Institute newsletter #046

--6 November 2002 Bermudan Bank Site Defaced

Hackers may have exploited a Microsoft operating system to deface two Bermudan websites, including that of the Bank of Butterfield. Bank officials say no customer data was compromised. The site hosts are recommending that their clients who work with data that needs to be protected switch to their Unix based hosting platform. [Here is the article]

[Editor's Note (Schultz): The recommendation in this news item should add a considerable amount of fuel to the "whose operating system is most secure" debate.]

26 posted on 11/15/2002 10:20:40 AM PST by chilepepper

To: taxcontrol
Linux configuration so I can get some work done.

As a desktop OS Linux is nothing but a poor knock-off of the Windows paradigm. It is great for firewalls, routing, file serving, web serving and embedded applications. As a desktop it is nothing but a toy.
27 posted on 11/15/2002 10:31:01 AM PST by AdA$tra

To: spacewarp
Every line of code had a complete review.
Every line of code? There's about 30 million lines of code in Win2k/XP. Not to mention the ones in Office. They'll have to do 1-2 million lines of code a day in 45 days to go through it all.
28 posted on 11/15/2002 10:31:11 AM PST by lelio

To: Norman Conquest
Ed Windows wants you to think he is a normal person like everybody else. But does everybody else WORSHIP SATAN? Ed Windows has been a Satanist his whole life. But you would expect that from someone who eats babies.

Ed Windows; Satan Worshiper, Baby Eater. The choice is yours.
29 posted on 11/15/2002 10:44:17 AM PST by Billy_bob_bob

To: lelio
And you think with 30000 people working on this they weren't able to pull it off? I read that they needed to go over a tremendous amount of code, but they reviewed Win ME, Win 2000, Win XP, Win .NET, Office 97, Office 2000, Office XP, Office MAC (last three flavors), SQL, SMS, Exchange, IIS, and many other applications. Supposedly everything on the books as currently "supported". It's a HUGE list.
30 posted on 11/15/2002 11:24:21 AM PST by spacewarp

To: AdA$tra
As a desktop it is nothing but a toy.

At $99 for an XP Home upgrade and $199 or so for a Pro upgrade, WinXP is an excellent product and excellent value as a desktop OS. It installs easily and crashes rarely. The only reason to recommend against it is if you have a client, like a law firm, that is worried about security - not due to vulns, but due to spyware.

But this will change overnight the first time a high school kid cannot freely rip and burn media on Windows XP. THEN you will see motivated customers and motivated Linux distro vendors come together on home media.

31 posted on 11/15/2002 11:32:01 AM PST by eno_

To: AdA$tra
Ok, I'll bite.

Please enlighten me on what the Windows "paradigm" offers that I cant get in Linux?
32 posted on 11/15/2002 11:34:06 AM PST by taxcontrol

To: spacewarp
There are not 30,000 developers working on Windows OSs at MS. Maybe 10,000 IF you count all the associated utilities that come in the box with the OS, and not all - not even most - of those work on code where bugs would cause vulns. XP kernel coders probably number less than 1000.

One of the good things about MS is they never expanded their engineering as quickly as they could afford, and never bulked up. Instead they attack new product areas.
33 posted on 11/15/2002 11:37:28 AM PST by eno_

To: taxcontrol
Windows now has an XML-based distributed object paradigm that is truly easy to use. (OK, VS.NET is still in beta, but it is a very usable beta.) .NET rocks.

The equivalent in Java is not as well-integrated with the OS, and Linux should probably use a lighter-weight technology like Python and an Apache-based app server. This is about 2 years behind Windows in maturity, and the developer tools will always be harder to learn and use. But the deployment licensing costs are quite compelling.

34 posted on 11/15/2002 11:41:18 AM PST by eno_

To: AdA$tra
Well, I do concede that all OS's are vulnerable to illicit activity, no matter how well built and designed (i.e. no lock is perfect). My own personal experience of running networked machines for the past decade does not agree at all that Unix is less secure in any way than Windows. I personally have had to deal with 1 act of vandalism against a unix machine that was not allowed (honey pot) in nature, and that was due to a failed firewall that let traffic through a port it should not have, and even then the script kiddie who tried to do it was so unbelievably stupid and careless that it was obvious within 1 minute the system had been compromised.

I have had to spend more time keeping my networks from being overrun by code red packets, and perpetually updating IIS for security flaw after security flaw, than I have successful unix/linux attacks. I commend MS if they did pass this test, I just hope that they start shipping their software configured in such a way that joe public can expect reasonable security out of the box.
35 posted on 11/15/2002 11:44:50 AM PST by HamiltonJay

To: lelio
No new advisories in the first 10 months? I must have been dreaming when I go to windowsupdate every month and see new updates for some security problem.

Read the article again. They're talking about new viruses and trojans, not hacks to IE.
36 posted on 11/15/2002 11:56:39 AM PST by Bush2000

To: eno_
The equivalent in Java is not as well-integrated with the OS, and Linux should probably use a lighter-weight technology like Python and an Apache-based app server. This is about 2 years behind Windows in maturity, and the developer tools will always be harder to learn and use. But the deployment licensing costs are quite compelling.

So 2 years of waiting doesn't cost anything?
37 posted on 11/15/2002 11:57:42 AM PST by Bush2000

To: eno_
Well, I look at this as an overlay or addition to Windows - not Windows. Besides, writing XML code does not fall into the typical user activity.

The original statement by AdA$tra was "As a desktop OS Linux is nothing but a poor knock-off of the Windows paradigm"

So I have to ask the question. Are we talking about "paradigm" which I assume means the entire spectrum of user / application / server / coder space -or- are we talking about the desktops. Not the same thing as it is an apples to oranges comparison.

My use is as a desktop. So once again I'll ask "can you show me what I can do in Windows (let's be specific) desktop that I can't do in the Linux desktop?" Not that I ask it specifically to you - rather the Windows advocates in general.

38 posted on 11/15/2002 11:59:04 AM PST by taxcontrol

To: taxcontrol
Please enlighten me on what the Windows "paradigm" offers that I cant get in Linux?


39 posted on 11/15/2002 12:02:01 PM PST by Bush2000

To: taxcontrol
Please enlighten me on what the Windows "paradigm" offers that I cant get in Linux?

You can get it "all" in Linux. Don't get me wrong. I just think it is a clunky imitation of Windows at the desktop level. I just don't see anyone getting more done with a Linux desktop as you implied. You will spend most of your time trying to convert and edit MS office formatted documents using the far less robust tools available to Linux users. Then conversely getting others to deal with the stuff you send them.

I think the Windows paradigm can be improved upon, we just haven't even imagined what its replacement will be. It won't be what I've seen so far from the Linux desktops.
40 posted on 11/15/2002 12:05:36 PM PST by AdA$tra


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson