PhillyKev

Linux surpasses MS as most insecure OS


How much did Microsoft pay for this article?

Seriously, JDF is right. open source software is just as likely to have unintentional security holes at first, but the more developers there are scrutinizing them, the more likely it is to be well secured over time.

Closed source software has the benefit of secrecy. This means the holes that exist will only be found by the black hats. The general public won't ever find out, but you can bet the IRC channels run by crackers will be full of the news.

It's like the cliche, "If you outlaw guns, only outlaws will have guns."


First Class Citizen Twice Over

"open source software is just as likely to have unintentional security holes at first, but the more developers there are scrutinizing them, the more likely it is to be well secured over time. "

Open Network Architecture is based on the idea that it is open to everyone unless you say so. Some operating systems base their security on the reverse. I have worked on mainframes and UNIX servers for years. Never had a data security problem with the mainframes. UNIX was a revolving nightmare.

I don't disagree. Just thought it was interesting. Although I do think open source makes it easier for the black hats to find the flaws in the first place. With open source you have to hope the good guys find the flaws first, just like you do with closed source. I'm still unsure as to which is the better method though. MS security bug checking has lacked in the past but it is getting better. I think that's the major reason it's been so insecure, not because it's closed source.

Closed source = less people checking the code for errors + less people with access to the code to find the holes

Open source = more people checking the code for errors + the source is available for anyone no matter what color hat they wear.

If MS continues to take a serious approach to security and release the code to partners that have the ability and resources to find the security holes I think the pendulum will continue to swing in this direction.


pique my curiosity, i dig!

after reading the article, i went thru the advisories at the cert web site one by one, noting to which of the two os's in question (windows or linux) the advisory applied. here's what i came up with:

CA-2002-01: Exploitation of Vulnerability in CDE Subprocess Control Service N/A
CA-2002-02: Buffer Overflow in AOL ICQ Windows
CA-2002-03: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) Linux Windows
CA-2002-04: Buffer Overflow in Microsoft Internet Explorer Windows
CA-2002-05: Multiple Vulnerabilities in PHP fileupload Linux
CA-2002-06: Vulnerabilities in Various Implementations of the RADIUS Protocol Linux
CA-2002-07: Double Free Bug in zlib Compression Library Linux
CA-2002-08: Multiple Vulnerabilities in Oracle Servers N/A
CA-2002-09: Multiple Vulnerabilities in Microsoft IIS Windows
CA-2002-10: Format String Vulnerability in rpc.rwalld N/A
CA-2002-11: Heap Overflow in Cachefs Daemon (cachefsd) N/A
CA-2002-12: Format String Vulnerability in ISC DHCPD Linux
CA-2002-13: Buffer Overflow in Microsoft's MSN Chat ActiveX Control Windows
CA-2002-14: Buffer Overflow in Macromedia JRun Windows
CA-2002-15: Denial-of-Service Vulnerability in ISC BIND 9 Linux
CA-2002-16: Multiple Vulnerabilities in Yahoo! Messenger Windows
CA-2002-17: Apache Web Server Chunk Handling Vulnerability Linux
CA-2002-18: OpenSSH Vulnerabilities in Challenge Response Handling Linux
CA-2002-19: Buffer Overflows in Multiple DNS Resolver Libraries Linux
CA-2002-20: Multiple Vulnerabilities in CDE ToolTalk N/A
CA-2002-21: Vulnerability in PHP N/A
CA-2002-22: Multiple Vulnerabilities in Microsoft SQL Server Windows
CA-2002-23: Multiple Vulnerabilities in OpenSSL Linux
CA-2002-24: Trojan Horse OpenSSH Distribution N/A
CA-2002-25: Integer Overflow In XDR Library Linux Windows(investigating)
CA-2002-26: Buffer Overflow in CDE ToolTalk N/A
CA-2002-27: Apache/mod_ssl Worm Linux
CA-2002-28: Trojan Horse Sendmail Distribution N/A
CA-2002-29: Buffer Overflow in Kerberos Administration Daemon Linux
CA-2002-30: Trojan Horse tcpdump and libpcap Distributions N/A
CA-2002-31: Multiple Vulnerabilities in BIND Linux
CA-2002-32: Backdoor in Alcatel OmniSwitch AOS N/A
CA-2002-33: Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC) Windows

contrary to the article's claim, nine or ten (versus seven) of the advisories relate to microsoft products (i.e., occur on the windows platform). fourteen of them, however, actually do relate to linux in one way or another, but this number is skewed a bit by a few factors, such as different linux providers implementing different software in their distributions -- if you were rating red hat (or insert-linux-distro-guy-here) directly against windows, the results will surely be different.

does this actually mean that linux surpasses windows as the most insecure os? if your determining criterion is the number of applicable cert advisories, then i suppose so. then again, looking at the sixty-six security bulletins microsoft has put out on their products so far this year... :S

steve

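The tally steve describes above (one pass over the advisory list, tagging each with Windows, Linux, both or N/A, then counting per platform) as an added example; this is not code from the thread or from CERT. It assumes the posted line format "CA-2002-NN: Title Platform [Platform]" and treats a "(investigating)" tag as tentative so it does not inflate the confirmed count; the sample below is a constructed subset of the posted list.

```python
import re
from collections import Counter

# Trailing tokens on each posted line: Linux, Windows, N/A, optionally "(investigating)".
PLATFORM_RE = re.compile(r"^(Linux|Windows|N/A)(\((investigating)\))?$")


def parse_advisory(line):
    """Split one 'CA-2002-NN: Title Platform [Platform]' line.

    Returns (advisory_id, title, confirmed, investigating); the last two are
    sets of platform names. An N/A tag yields empty sets (not Windows or Linux).
    """
    advisory_id, rest = line.split(": ", 1)
    tokens = rest.split()
    confirmed, investigating = set(), set()
    while tokens:
        m = PLATFORM_RE.match(tokens[-1])
        if not m:
            break  # everything left is the title
        tokens.pop()
        platform, tentative = m.group(1), m.group(3)
        if platform == "N/A":
            continue
        (investigating if tentative else confirmed).add(platform)
    return advisory_id, " ".join(tokens), confirmed, investigating


def tally(text):
    """Count advisories per platform over a block of posted lines.

    An advisory tagged with both platforms (e.g. the SNMP one) counts once for
    each; "investigating" tags go into a separate counter, which is why the
    thread reports "nine or ten" rather than a single Windows figure.
    """
    confirmed, tentative = Counter(), Counter()
    for line in text.strip().splitlines():
        _, _, conf, inv = parse_advisory(line)
        confirmed.update(conf)
        tentative.update(inv)
    return confirmed, tentative


# Constructed sample: five lines taken from the list posted in the thread.
SAMPLE = """\
CA-2002-01: Exploitation of Vulnerability in CDE Subprocess Control Service N/A
CA-2002-03: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) Linux Windows
CA-2002-04: Buffer Overflow in Microsoft Internet Explorer Windows
CA-2002-07: Double Free Bug in zlib Compression Library Linux
CA-2002-25: Integer Overflow In XDR Library Linux Windows(investigating)
"""

if __name__ == "__main__":
    confirmed, tentative = tally(SAMPLE)
    print("confirmed:", dict(confirmed), "investigating:", dict(tentative))
```

Feeding it the full 33-line list reproduces the post's figures: 14 Linux, 9 Windows confirmed plus 1 Windows under investigation.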
MacOS, who cares, it's not a good platform to run network services off of, unless you format the bitch and put linux on it.


Out of the box Linux isn't very secure, BUT it can become very very secure with some doing. Same with FreeBSD or any other *nix distro. It all depends on who is doing security for you/your business. With that said, I ran Linux for all of the firewalls I built, more than a dozen different servers and for my personal machine for a long time. FreeBSD ran our 3 mission critical servers and we had WinNT running a lot of our network services.
--"When I die, may I be surrounded by scattered chrome and burning gasoline."

Quote

MacOS, who cares, it's not a good platform to run network services off of



That's cute and all, but I thought I might mention that the world contains other reasons for computers than network services. Don't feel bad; sometimes I have to remind my admin about this too.


First Class Citizen Twice Over

Yeah, macs are cool for doing audio/video stuff and surfing the web, but beyond that I'm not a fan of them. With that said, at the same place I was a security admin (and part time assist sysadmin) I was also the Mac guy (I was the only one willing to learn the platform so we could support our users)...
--"When I die, may I be surrounded by scattered chrome and burning gasoline."

Quote

MacOS, who cares, it's not a good platform to run network services off of, unless you format the bitch and put linux on it.



Geez, as a Linux zealot I hate to correct you on this, but...

http://www.apple.com/xserve/
http://www.apple.com/server/

Apple has come a long way lately.

Kris
(Wow, it hurts to say that...)
Sky, Muff Bro, Rodriguez Bro, and
Bastion of Purity and Innocence!™

What do you mean MacOS is a crappy server platform? We have an OS 9 box running a 1999 vintage copy of WebSTAR to serve FileMaker documents. The whole thing is actually composed of a rickety combination of three Macs (file server, database server, web/database server) that, as far as I can tell, only two people in the entire world completely understand.

OK, so that's a bad example. As it turns out, the only other platform the database software runs on is Windows, and moving it over would still require three computers and be no less complicated or prone to fucking up randomly.

As much as I love Macs (bonus points if you can identify my avatar), I have to admit that although the xserves are nice, a Linux box or a Win2k box will still get you far more bang for the buck.

My opinion: Aberdeen is bought and paid for by M$. I've sat in on too many M$ sales pitches when they used Aberdeen as a source for statistics. Do a search on Aberdeen and Microsoft and see how many glowing things they have to say about them, and how many bad things they say about their competitors.
Trapped on the surface of a sphere. XKCD
