[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Funny article

To: bugtraq@securityfocus.com, full-disclosure people <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] Re: Funny article
From: "Ryan Johnson" <rjohnson@espgroup.net>
Date: Thu, 13 Nov 2003 12:46:36 -0500

I think it is unfair to categorize linux or windows as having a vulnerability 
just because an application like apache has a vulnerability. I mean as someone 
stated earlier, the linux and windows developers have no control over 
third-party apps. If IIS has bug, that should look bad on microsoft, but not on 
windows.

Ballmer is banking that the people he is talking to do not understand the 
difference between linux, its distro and windows, this truly comparing apples 
and oranges. You know what, he is going to get away with it, because most 
people don't understand.
If you were to compare a full redhat 9 install against a full win2k server 
install, redhat9 would most likely lose, because Redhat9 has  many more apps, 
therefore it is more likely to have bugs. Even if you compared linux, which 
would be just the kernel and maybe some of the the gnu tools to interact with 
the kernel vs windows, it is still not fair. Windows has a kernel, gui, 
everyone's favorite user space app that can not be uninstalled, IE. In this 
case windows has greater chance of having bugs.

Then you have cases with distro specific bugs, which often are categorized as a 
linux bug. An example of this was the apache config file bug on redhat from 
last week. That is a redhat bug, not a linux bug, nor is it an apache bug. 
Slackware did not put that configuration in their apache server configuration.

Another comparison that I abhor, is the stability issue. "Linux is more stable 
than windows". Are you talking about linux with the gui, or without. Running 
linux without the gui is incredibly stable. Linux with a gui, well stability 
defintely decreases (but in reality it is not linux's stability in question 
rather that of the gui). 

What about openbsd (dont get me wrong I love openbsd), they claim "Only one 
remote hole in the default install, in more than 7 years!". Well of course, 
have you ever installed openbsd using the default? The only remotely accessible 
service is openssh, vs multiple services in a redhat default vs multiple 
services in a windows default install. I could make my own linux distro with no 
remote services enabled by default and it would never have a remote hole in the 
default install.

My point being is that it is very hard to compare the bsds, the distros and 
windows. Bsds and linux are easier to compare, but then you have the distro 
aspect.

As far as patches getting out, I am very happy with the response from the open 
source community, I think they do an excellent job. I very rarely have a 
problem with an opensource patch, if the author does not come out with a patch, 
more than likely someone who has reviewed the code will.

Ryan

> On Thu, Nov 13, 2003 at 03:20:14AM +0100, Mikael Olsson wrote:
> > I'm sorry to disappoint you, but the script kiddies don't care
> > about zealotry. I have yet to hear one say "Oh, this is a Linux
> > box, so I can't use this Apache bug to own it. That'd be rong."
> > 
> I don't think anybody said a linux box can't be owned with an apache
> flaw. My arugemnt for count of bugs is the should be counted against the
> people who actually WROTE the code. In Microsofts case it is becasue
> they wrote IIS, 2000/XP/2003, and Exchange. In contrast the Linux kernel
> projecn that just wrote the kernel. It sounds like you want a list of
> opensource bugs vs. Microsoft Bugs.
> 
> > Saying "the linux kernel has only foo bugs while every microsoft
> > app combined has foo^3 bugs" makes no sense in a security 
> > discussion. You don't read mail or serve web pages with a kernel.
> > 
> No one is saying this. To be truely useful a list of bugs should be done
> by developer, not by instance of software. This will help establish
> trends in my software development practices.
> 
> > Publishing an _unbiased_ report of total vulnerability counts 
> > for two or more OSes, with common apps installed, is a service
> > to admins everywhere.  (And no, I _really_ don't think comparing 
> > RH6 with W2K3 is "unbiased". I think it stinks.)
> > 
> I think blaming OS developers for code they didn't write nor have any
> control over isn't unbiased. It would be a diffrent story if it was a
> flaw in something like redhat-update. That is clearly a Redhat bug, but
> that is still not a Linux bug.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Ryan Johnson
Security Architect
ESP Group
703-418-6317

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] Re: Funny article
Next by Date: Re: [Full-Disclosure] SSH Exploit Request
Previous by thread: Re: [Full-Disclosure] Re: Funny article
Next by thread: [Full-Disclosure] new worm - "warm-pussy.jpg".
Index(es):
- Date
- Thread