[KLUG Members] Link on OS security problems

Adam Williams members@kalamazoolinux.org
Tue, 06 Jan 2004 06:28:32 -0500


On Mon, 2004-01-05 at 23:48, Sanjay Chigurupati wrote:
> Hi,
> 
> http://www.theinquirer.net/?article=13420
> 
> ( from this link, it looks like Linux distributions seem to have more
> security holes than MS)
> 
> Could somebody help me interpret this?

His fundamental reasoning is deeply flawed, as indicated by statements
like - 

"The other operating system that had very few vulnerabilities is Apple's
OS 9, with the Secunia database showing just one in 2003 and none in
2002. Again this is a proprietary operating system and the decisions and
integration of security rest with one organisation which does not have
to concern itself with compatibility with other vendors."

Exactly because the process of "integration" and development are NOT
open is the reason that exploit/bug counts for this product are
meaningless.

How many security exploits to AIX did IBM fix in 2003, that were
included in updates but NOT on Bugtraq?  A whole heck of a lot more than
14, I can tell you that.  There had to have been hundreds, and I don't
even usually read the complete lists, some are REALLY long.

Basing any kind of analysis of anything on bugtraq numbers is just so
spurious you'd slap a high school student for trying it.

Then statements like - "In the forthcoming Windows XP SP2, Microsoft is
finally making the security enhancements that should have been in place
more than five years ago." - make me smell a propagandist.  Security
analysis now based on software not even released yet?  Oh yeah, this is
serious intellectual stuff here.

"Microsoft is also tweaking the protection on dynamically created code,
something that I regard as a quick, dirty and terribly dangerous
practice. If Dijkstra was opposed to GOTO statements because they made
it difficult to determine the exact state of processing, just imagine
what he would have thought of code that is dynamically created and
executed."

Can we tell the difference between dynamically loadable code and
dynamically "created" (huh?) code?

"The recent release of Linux 2.6 has also introduced some security
enhancements, again rather overdue if Linux ever hopes to be a serious
alternative."

Linux isn't currently a serious alternative?  That's why Linux is
stomping the server market.

"In particular the new release includes the ability to define privileges
in finer detail rather than the simple grouping of "user" and "root",
but this is something that most proprietary forms of Unix have had for
many years."

Uhm, this is called "mandatory access control".  And it ain't new in
2.6.x, just better, like many other things.