Seeing the security forest for the trees
Jan. 06, 2006
Thank you, Joe Brockmeier and Joe Barr.
Over at NewsForge, the two writers point out that if you take US-CERT's annual summary of vulnerabilities at face value, you're likely to get the impression that Linux is lousy at security while Windows is great at it.
That's so wrong it would be funny, except some people -- including some journalists -- actually believe that Linux is less safe than Windows.
As the Joes point out: "Sheer number of vulnerabilities means little when compared with other factors, such as the severity of the vulnerability, how easy it is to exploit the vulnerability, and how long it takes a vendor to respond to the vulnerability."
Exactly.
I might add that since Linux is open source, its developers talk about its problems all the time -- usually while fixing them!
Windows is a black box. When something goes wrong, no one, except the cracker who's making use of the hole, may know about it.
In addition, proprietary software problems can go unpatched for months.
That's not pro-Linux talk, that's just the way it is.
For example, my security journalist friend, Ryan Naraine, recently reported that "according to security alerts aggregator Secunia Inc., there have been 70 advisories posted for IE flaws since 2003. Almost 30 percent of those remain unpatched."
That's 21 unpatched holes in Microsoft's browser alone -- and some of those have been around, not for weeks or months, but for years!
The Joes go on to observe that if you look at US-CERT's Technical Cyber Security Alerts, i.e. the serious security problems, you'll find that there were 22 issued in 2005. Of those, 11 were for Windows. None -- I repeat, none -- were for Linux.
As I've written many times before, Windows is, at heart, a single-user system that's been retrofitted for a networked computer world. It's filled with inherent security problems. A perfect example is the recent WMF (Windows Metafile Format) problem.
Microsoft just issued an emergency patch for it, but it took a lot of doing.
Naraine once more reported on Microsoft's folly at eWEEK: "Johannes Ullrich, chief technology officer at the SANS ISC (Internet Storm Center), remained critical of Microsoft's handling of the issue. 'We've been working with them all week, feeding them exploits, trying to convince them that this is a very high-risk threat that was growing worse everyday, but they just weren't getting it,' Ullrich said in an interview with eWEEK."
Amazing, isn't it? And to think people actually trust Microsoft products, even now.
Can you imagine, in the open source world, Linux developers trying to stonewall their users the way Microsoft has been? It simply can't happen.
They see the code, we see the code, and we're all in this together. In the proprietary software world, it's them, the vendors, vs. us, the users.
If you believe that the sheer number of security problems openly found and fixed tells you the whole story, you really can't see the forest for the trees.
--Steven J. Vaughan-Nichols