[Eug-lug] EDITOR'S NOTE:

T. Joseph CARTER knghtbrd at bluecherry.net
Thu Aug 5 02:02:44 PDT 2004


On Wed, Aug 04, 2004 at 09:23:15PM -0700, Jacob Meuser wrote:
> > But where open source is different from proprietary code is that
> > open source encourages honest people to access source code, and
> > find security holes and patch them fast. The large open-source
> > community can find and patch security holes faster than teams of
> > proprietary developers - even when those developers work for
> > Microsoft - simply because the proprietary developers are hobbled
> > by their need to keep secrets.
> 
> This is horse hockey.  Bad code is bad code.  Yes, they _can_ find
> the problems, but all too often it's after an incident.

This is true enough, but it's true for any code.  You usually don't know
it's broken until someone reports the vulnerability.  The issue is, what
is the frequency and severity of these vulnerabilities?  What is the
average time to a workaround?  To a proper fix?  How often does a proper
fix actually fix the underlying problem?

Linux, UNIX, and most any reasonably modern vaguely POSIX platform is going
to tend to earn higher marks here than non-POSIX platforms.  Anything is
going to rate higher than Windows, where the same vulnerability is "fixed"
again and again, yet continues to see new exploits.

Oh yes, you wanted proof:

 - teardrop
   Took down basically any BSDish TCP stack, usually locking the machine
   solid in the process.  Affected ... EVERYTHING.

   Linux patch: 4 hours
   Windows patch: 4 weeks
   Windows re-exploit: newtear, released about a month after the patch
   
   Other OSes had patches in various timeframes, but none took a month to
   release the patch.  And again, only Windows was affected by newtear,
   which depended upon the Windows patch being a bandaid rather than a
   real fix.


 - Outlook MIME type vs file contents/extension
   Things attached to email such as "images" and "midi files" (based on
   MIME type) would be automatically executed when you opened HTML email
   which embedded these things.  Executed, as in, compiled code.

   While this affects only Windows systems, similar bugs have been found
   in other programs.  Of course, this bug was left UNPATCHED for about
   three months, and was trivially re-exploited using vbscript in the HTML
   email once a patch was issued.  Microsoft declared VBScript's ability
   to do this kind of thing a FEATURE and left it unpatched for more
   than a year.


> > Another reason for Linux's inherent security is its user model.
> > End-users run with limited privileges; only systems
> > administrators have access to the all-powerful root account.
> > Mostly even systems administrators run as limited-privilege
> > users, unless they absolutely need root access. By limiting
> > users' access to systems, Linux limits the amount of damage a
> > user can do.
> 
> Whatever.  That has been part of UNIX for ages.  It's not something
> invented in linux land.

This is a straw man.  The article did not claim Linux invented this
feature, only that having it gives Linux an advantage over lesser
operating systems which don't.


> > Linux's lower vulnerability, compared with Windows, isn't just a
> > function of its smaller popularity. Linux is breached less often
> > because it's more secure. Microsoft has a lot of catching up to do.
> 
> You know, I agree that generally linux land is more secure than MS
> products, but please, where is the hard evidence?  The author says
> "Linux is breached less often because it's more secure."  "Linux
> is inherently more secure."  But he never mentions anything about the
> code itself, not to mention coding practices.  He merely speculates.

There's a long list of evidence, most of it anecdotal naturally, that
Linux does not have the type or severity of exploits reported in the
windows world at anywhere near the same frequency.  Certainly Linux
developers do not take the cavalier attitude toward a known exploit
witnessed of Microsoft.


> I'm sorry but as long as there are GNU developers who don't want
> strlcat to be part of glibc, I'm going to have to agree that linux
> is more secure than MS products because it comes from a UNIX
> background (and I'd say it's the least secure of modern UNIX-likes),
> and is less targeted than MS.

Fair enough, the glibc people won't touch strl* because they didn't think
of it first.  It's stupid, and I have my own private copy of these
functions in any project where it would make sense to have them.  When I
don't have them, I carefully audit each strn* function call to make sure
that the string gets terminated properly.  Others do the same.

Still, the lack of a couple of functions in glibc does not make Linux
inherently insecure, just as BSD's lack of getline doesn't make BSD
incapable of handling interactive input in any safe manner.  The simple
truth is that for most practical purposes, Linux IS UNIX.  It runs the
exact same software you get with BSD or Solaris, and has the exact same
flaws these others do.

No, there is no Linux counterpart to Theo de Raadt to make the claim that
Linux has not seen an exploit in four years, but Theo can't make that
claim about OpenBSD either.  (It's funny, every year the claims about
OpenBSD's spotless record become more qualified to omit the spots.  All
nontrivial software is buggy by definition and all buggy software must be
assumed to have some security flaw somewhere.)
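The strn*/strl* distinction raised in the message, as an added example (not code from the message, glibc or OpenBSD): private strlcpy/strlcat-style copies that always terminate and report truncation, beside the strncpy pitfall and the audited strncpy pattern. The names my_strlcpy, my_strlcat and the check functions are this example's own.

```c
#include <string.h>
#include <stddef.h>

/* Private strlcpy/strlcat in the style of the BSD functions (assumption:
   same semantics as the BSD originals; added example, not library code).
   Both NUL-terminate whenever size > 0 and return the length they tried
   to build, so a return value >= size tells the caller it was truncated. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == size)               /* dst not terminated within size */
        return size + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, size - dstlen);
}

/* The strn* pitfall: strncpy writes no terminator when src fills the
   buffer.  Returns 1 if buf ended up without a NUL inside its bounds. */
int strncpy_leaves_unterminated(const char *src, char *buf, size_t size)
{
    memset(buf, 'X', size);           /* make a missing NUL observable */
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) == NULL;
}

/* The audited strn* pattern the message describes: copy at most size-1
   bytes and terminate explicitly.  Returns 1 when buf is terminated. */
int strncpy_audited(const char *src, char *buf, size_t size)
{
    strncpy(buf, src, size - 1);
    buf[size - 1] = '\0';
    return memchr(buf, '\0', size) != NULL;
}
```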

