[KLUG Members] Link on OS security problems

Robert G. Brown members@kalamazoolinux.org
Tue, 06 Jan 2004 13:18:26 -0500


On Tue, 06 Jan 2004 06:28:32 -0500, Adam Williams wrote:

>On Mon, 2004-01-05 at 23:48, Sanjay Chigurupati wrote:
>> http://www.theinquirer.net/?article=13420
>> ( from this link, it looks like Linux distributions seem to have more
>> security holes than MS)
>> Could somebody help me interpret this?

>His fundamental reasoning is deeply flawed, as indicated by statements
>like - ....

Yes, all that being true, I find that the article is indeed even more deeply 
flawed, logically. It reads like a set of statements, weakly researched, sort 
of strung together... outstanding FUD, but little else.

One topic the article never addresses is how many security problems were fixed
(not merely reported), and what the turnaround time for the fixes and updates 
was. For example, if a system has 100 defects reported, but 80 of them are 
still open 6 months later, that's bad, really bad. Another system, perhaps 
equally bad, that has 80 percent of the exploits FIXED is perhaps no better, 
but it is better overall.

Also, there is no analysis given to the severity of particular security 
problems. A lot of the exploits reported for UNIX systems are predicated 
on gaining root access, sometimes without the means for that being given. 
Other exploits are purely local...the intruder has to gain physical access
to the host or a root login session. Many of these problems are resolved by
good physical security (you know, locks, keys, doors, fences, etc.).

Even the premise bothered me:
"we would not expect car manufacturers to have made little progress on the 
safety of their cars, would we?"

Um, it was over 60 years, and extensive government regulation (in the USA)
that finally got car makers to make really good safety features standard,
even though they knew these features were needed. Of course, many cars that 
were not mass marketed commercially had many of those features anyway.

Perhaps the author's analogy is stronger than he imagined?

						Regards,
						---> RGB <---