On Tue, Jan 28, 2003 at 10:58:21AM -0500, alex wrote:
> Has the Linux security bubble burst?
>
> http://www.informationweek.com/story/IWK20030124S0013/1
I would say "no", for five reasons:

1) Langa suggests that part of the reason behind the current rise in Linux security flaws being found is because more crackers are targeting it. If this is true, then they're probably finding a lot of problems that have been around for a while. If security problems are being fixed faster than new ones are being introduced, this will drop off instead of remaining at the current rate. It is too soon to say whether this will happen or not, but there's no strong reason to accept Langa's assumption that it will not.

2) To try and normalize for the existence of multiple Linux distributions, Langa does a straight comparison of the number of security fixes released by Red Hat 7.2 vs. Windows XP. He does not, however, take into account the number of issues addressed by each patch. In my experience, Linux tends towards 'one bug, one patch', while Microsoft waits around a bit, then issues a single mega-patch that fixes dozens of problems all in one shot. You cannot, therefore, expect a simple count of how many patches have been released to be a meaningful comparison.

3) Stating that "if it's unfair to lump all open source software together for bug-counting purposes, it's also unfair to do the same thing for all Microsoft software," Langa chooses to not include MSIE, MSOE, or any other Microsoft products in the XP bug count. It is unclear, however, whether the Red Hat bug count includes browsers, mail clients, etc. distributed as part of Red Hat Linux. If it does, then the MS bug count should include all 'standard' Windows apps.

4) Langa dismisses claims of quick bug fixes for open source software on the basis that they're taking longer to be packaged these days. He neglects to mention that updated OSS packages are typically available days to weeks after an exploit is discovered, while commercial software vendors (not just MS) tend to take weeks to months to produce an update, if they even bother to issue a patch at all instead of leaving it until the next version is released or denying that the problem exists. Plus, of course, it is possible to obtain the raw patches and apply them yourself without waiting for the official update. (Few people do this these days, but that's not the software's fault.)

5) A lot of Microsoft's problems look to me like design issues and their patches tend to just cover up specific ways of exploiting the design flaws - treating the symptoms while ignoring the underlying problem. OSS tends to be more likely to apply a band-aid today, to cover up the immediate problem, and then get to work on the underlying problem ASAP.

-- 
The freedoms that we enjoy presently are the most important victories of the White Hats over the past several millennia, and it is vitally important that we don't give them up now, only because we are frightened.
- Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)