[PLUG] Windows versus Linux security

Anthony Schlemmer aschlemm at attbi.com
Sun Jul 21 22:03:17 UTC 2002


And don't they count security problems differently between Windows and 
Linux? For Windows there's only one count per problem but don't they 
count each vulnerability separately for each Linux distro out there? I 
seem to recall seeing some numbers like that. I guess counting by 
distro is OK if a given version of a distro has a problem that no other 
distros have.

Tony 
 
On Sunday 21 July 2002 14:27 pm, Ed Sawicki wrote:
> I'm on an author-oriented mailing list, where most people on the
> list are authors, publishers, and agents. Recently, an author
> pointed out an article that says that Windows is more secure than
> Linux because Linux has more security issues than Windows. People
> on the mailing list then discussed the issues from the point
> of view that the underlying premise was largely correct. I
> responded like this:
>
>
> I'm surprised that this thread has gone so far without someone
> pointing out that this is simply a numbers game that is far
> from useful. There's a fundamental difference between Microsoft
> and Open Source/Linux security issues. The majority of Windows
> security issues are holes that have already been exploited
> by the bad guys - there were real victims who reported the
> problem. The majority of Open Source/Linux security issues were
> discovered by the Open Source community and reported before they
> were exploited and before there were victims.
>
> Simply comparing the number of security issues between the two
> is unfair and counterproductive. You're punishing the people
> who are concerned about security and who are making an effort
> to fix problems before they affect the user population. The Open
> Source community operates in plain view of everyone and acts
> responsibly by warning us when potential security problems exist.
> This numbers game may drive some of these people to covert
> channels of communications to improve the numbers for "their
> side".
>
> I think it's fair to say that there are far more serious
> security holes in Microsoft software than in Open Source
> software. I know of no Apache security hole that will produce
> Code Red or Nimda-like results. I've never received email from
> a Linux user who fell victim to an email-borne attack that
> resulted in personal or confidential documents sent to everyone
> in the user's address book. One Nimda does not equal one
> Open Source "potential security hole".
>
> When certain Open Source software gains a reputation for security
> problems, more secure replacements are developed and released.
> If, for example, you're running sendmail and you want better
> security, you can easily switch to Postfix, Exim, or qmail (they're
> drop-in replacements). If you're weary of keeping BIND 9 updated,
> you can switch to Tinydns. In the Microsoft world, you frequently
> have no alternatives - security solutions must come from Microsoft
> - a company whose own web site was taken down twice by elementary
> external attacks and once by their own incompetence (all of
> their DNS servers on the same subnet).
>
> If you're going to play a silly numbers game, at least make it
> fair. Either don't count security issues where there were no
> victims or assign a weight to each. For example, a Nimda would
> be a 10 but a "potential security hole" that was reported before
> real users fell victim would be a one. Also, give more points to
> those problems where no secure alternative exists.
>
> Better yet, let's not play the game at all.
>
> Ed Sawicki
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

-- 
Anthony Schlemmer
aschlemm at attbi.com
>>>>This machine was last rebooted:  26 days 17:49 hours ago<<
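The two counting methods Tony asks about, and the per-issue weighting Ed proposes, as an added example that is not part of the PLUG thread. The advisory records, distro names and issue labels are constructed for illustration and stand for no real vulnerabilities; the point is only how the tally changes depending on whether an issue is counted once per distro that ships it or once per underlying flaw, and whether it is weighted by whether anyone was hit before the report.

```python
# Added example (not from the PLUG thread): three ways to tally the same
# set of security advisories and how far apart the resulting numbers land.
from collections import defaultdict

# Constructed records: (platform, distro, issue, victims_before_report).
# "issue" names the underlying flaw; several Linux distros may ship the
# same flawed package and each publishes its own advisory for it.
ADVISORIES = [
    ("windows", "win2000", "issue-1", True),
    ("windows", "win2000", "issue-2", True),
    ("linux",   "redhat",  "issue-3", False),
    ("linux",   "debian",  "issue-3", False),
    ("linux",   "suse",    "issue-3", False),
    ("linux",   "redhat",  "issue-4", False),
    ("linux",   "debian",  "issue-4", True),
]

WEIGHT_EXPLOITED = 10   # Ed's "a Nimda would be a 10"
WEIGHT_PREEMPTIVE = 1   # "a potential security hole ... would be a one"


def count_per_advisory(advisories):
    """Naive tally: one count per advisory, so a flaw shipped by three
    distros is counted three times (the method Tony suspects is used)."""
    counts = defaultdict(int)
    for platform, _distro, _issue, _victims in advisories:
        counts[platform] += 1
    return dict(counts)


def count_unique_issues(advisories):
    """One count per underlying flaw, regardless of how many distros shipped it."""
    seen = defaultdict(set)
    for platform, _distro, issue, _victims in advisories:
        seen[platform].add(issue)
    return {platform: len(issues) for platform, issues in seen.items()}


def weighted_score(advisories):
    """Ed's weighting: each unique flaw scores 10 if real users fell victim
    before it was reported, otherwise 1. A flaw counts as exploited if any
    distro's record for it says so."""
    exploited = defaultdict(dict)
    for platform, _distro, issue, victims in advisories:
        exploited[platform][issue] = exploited[platform].get(issue, False) or victims
    return {
        platform: sum(WEIGHT_EXPLOITED if hit else WEIGHT_PREEMPTIVE
                      for hit in issues.values())
        for platform, issues in exploited.items()
    }


if __name__ == "__main__":
    for name, fn in [("per advisory", count_per_advisory),
                     ("unique issues", count_unique_issues),
                     ("weighted", weighted_score)]:
        print(f"{name:14s} {fn(ADVISORIES)}")
```

On this constructed data the per-advisory tally reads 5 Linux issues against 2 for Windows, the per-flaw tally reads 2 against 2, and the weighted score reads 11 against 20: the same records support either side of the argument depending on the method, which is the distortion both posts are pointing at.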