[Eug-lug] EDITOR'S NOTE:

Jacob Meuser jakemsr at jakemsr.com
Thu Aug 5 13:49:13 PDT 2004


On Thu, Aug 05, 2004 at 02:02:44AM -0700, T. Joseph CARTER wrote:
> On Wed, Aug 04, 2004 at 09:23:15PM -0700, Jacob Meuser wrote:
> > > But where open source is different from proprietary code is that
> > > open source encourages honest people to access source code, and
> > > find security holes and patch them fast. The large open-source
> > > community can find and patch security holes faster than teams of
> > > proprietary developers - even when those developers work for
> > > Microsoft - simply because the proprietary developers are hobbled
> > > by their need to keep secrets.
> > 
> > This is horse hockey.  Bad code is bad code.  Yes, they _can_ find
> > the problems, but all too often it's after an incident.
> 
> This is true enough, but it's true for any code.  You usually don't know
> it's broken until someone reports the vulnerability.  The issue is, what
> is the frequency and severity of these vulnerabilities?  What is the
> average time to a workaround?  To a proper fix?  How often does a proper
> fix actually fix the underlying problem?

True, but the author was implying that fixes come before incidents.

> Linux, UNIX, and most any reasonably modern vaguely POSIX platform is going
> to tend to earn higher marks here than non-POSIX platforms.  Anything is
> going to rate higher than Windows, where the same vulnerability is "fixed"
> again and again, yet continues to see new exploits.
> 
> Oh yes, you wanted proof:
> 
>  - teardrop
>    Took down basically any BSDish TCP stack, usually locking the machine
>    solid in the process.  Affected ... EVERYTHING.
> 
>    Linux patch: 4 hours
>    Windows patch: 4 weeks
>    Windows re-exploit: newtear, released about a month after the patch
>    
>    Other OSes had patches in various timeframes, but none took a month to
>    release the patch.  And again, only Windows was affected by newtear,
>    which depended upon the Windows patch being a bandaid rather than a
>    real fix.
> 
> 
>  - Outlook MIME type vs file contents/extension
>    Things attached to email such as "images" and "midi files" (based on
>    MIME type) would be automatically executed when you opened HTML email
>    which embedded these things.  Executed, as in, compiled code.
> 
>    While this affects only Windows systems, similar bugs have been found
>    in other programs.  Of course, this bug was left UNPATCHED for about
>    three months, and was trivially re-exploited using vbscript in the HTML
>    email once a patch was issued.  Microsoft declared VBScript's ability
>    to do this kind of thing a FEATURE and left it unpatched for about more
>    than a year.

I agree, but that's not what the author said.

> > > Another reason for Linux's inherent security is its user model.
> > > End-users run with limited privileges; only systems
> > > administrators have access to the all-powerful root account.
> > > Mostly even systems administrators run as limited-privilege
> > > users, unless they absolutely need root access. By limiting
> > > users' access to systems, Linux limits the amount of damage a
> > > user can do.
> > 
> > Whatever.  That has been part of UNIX for ages.  It's not something
> > invented in linux land.
> 
> This is a straw man.  The article did not claim Linux invented this
> feature, only that having it gives Linux an advantage over lesser
> operating systems which don't.

I do believe that newer windows systems have at least a little
bit of privilege separation in accounts.

And, as we saw recently on this list, people do still want to log in
as root.

> > > Linux's lower vulnerability, compared with Windows, isn't just a
> > > function of its smaller popularity. Linux is breached less often
> > > because it's more secure. Microsoft has a lot of catching up to do.
> > 
> > You know, I agree that generally linux land is more secure than MS
> > products, but please, where is the hard evidence?  The author says
> > "Linux is breached less often because it's more secure."  "Linux
> > is inherently more secure."  But he never mentions anything about the
> > code itself, not to mention coding practices.  He merely speculates.
> 
> There's a long list of evidence, most of it anecdotal naturally, that
> Linux does not have the type or severity of exploits reported in the
> windows world at anywhere near the same frequency.  Certainly Linux
> developers do not take the cavalier attitude toward a known exploit
> witnessed of Microsoft.

Again, I agree.  I was complaining about this particular editorial
making weak anecdotal arguments while trying to disprove other
weak anecdotal arguments.

> > I'm sorry but as long as there are GNU developers who don't want
> > strlcat to be part of glibc, I'm going to have to agree that linux
> > is more secure than MS products because it comes from a UNIX
> > background (and I'd say it's the least secure of modern UNIX-likes),
> > and is less targeted than MS.
> 
> Fair enough, the glibc people won't touch strl* because they didn't think
> of it first.  It's stupid, and I have my own private copy of these
> functions in any project where it would make sense to have them.  When I
> don't have them, I carefully audit each strn* function call to make sure
> that the string gets terminated properly.  Others do the same.
> 
> Still, the lack of a couple of functions in glibc does not make Linux
> inherently insecure, just as BSD's lack of getline doesn't make BSD
> incapable of handling interactive input in any safe manner.  The simple
> truth is that for most practical purposes, Linux IS UNIX.  It runs the
> exact same software you get with BSD or Solaris, and has the exact same
> flaws these others do.

But it does show that the linux developers could do more, fairly
simple things, to improve security.

> No, there is no Linux counterpart to Theo de Raadt to make the claim that
> Linux has not seen an exploit in four years, but Theo can't make that
> claim about OpenBSD either.  (It's funny, every year the claims about
> OpenBSD's spotless record become more qualified to omit the spots..

Huh?  Show me a quote from Theo where he qualifies (rather than explains)
the claim.  The claim has always been about remote holes in a default
installation.  It's not, "No security problems whatsoever."  And the
claim now is, "Only one remote hole in the default install, in more
than 8 years!"  That doesn't sound like qualifying a spotless record
to me, and I challenge you to prove the claim is not accurate.

>  All
> nontrivial software is buggy by definition and all buggy software must be
> assumed to have some security flaw somewhere..)

Yes, of course.  Theo and others still do security audits of code that's
been read many times before.

But then again, using safer functions, W^X, randomized memory allocation
and mapping, privilege separation, propolice, etc, minimize the risk
of bugs becoming serious security problems.  Some of these things are
available for linux, but in OpenBSD they are there by default.

-- 
<jakemsr at jakemsr.com>
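An added example, not code from this thread, from glibc or from OpenBSD, illustrating the strl* versus strn* point discussed above: a portable strlcpy/strlcat with the OpenBSD interface (the names my_strlcpy and my_strlcat and the helper bounded_len are chosen here), the strncpy() termination pitfall that the "careful audit" of each strn* call has to catch, and the bound-then-terminate fix for it. All inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of s, stopping at max bytes; safe even when s is not terminated. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Portable strlcpy: copy at most dsize-1 bytes of src into dst and always
 * NUL-terminate (when dsize > 0).  Returns strlen(src); a return value
 * >= dsize means the copy was truncated.  Written here to match the
 * OpenBSD interface; it is not OpenBSD's or glibc's code.
 */
size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);

    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/*
 * Portable strlcat: append src to the string in dst without writing past
 * dsize bytes in total.  Returns the length it tried to build
 * (initial length of dst + strlen(src)); >= dsize means truncation.
 */
size_t my_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = bounded_len(dst, dsize);

    if (dlen == dsize)              /* no terminator within dst: cannot append */
        return dsize + strlen(src);
    return dlen + my_strlcpy(dst + dlen, src, dsize - dlen);
}

/*
 * The pitfall an audit of strn* calls looks for: strncpy() writes no NUL
 * when src is at least as long as the buffer.  Returns 1 if the copy left
 * the buffer unterminated.
 */
int strncpy_leaves_unterminated(void)
{
    char buf[8];
    const char *src = "0123456789ABCDEF";   /* constructed: longer than buf */

    strncpy(buf, src, sizeof buf);           /* fills all 8 bytes, no NUL */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/*
 * The manual fix for such a call: copy with a bound, then force the
 * terminator yourself.  Returns 1 if src did not fit (truncation).
 */
int bounded_copy(char *dst, const char *src, size_t dsize)
{
    if (dsize == 0)
        return 1;
    strncpy(dst, src, dsize - 1);
    dst[dsize - 1] = '\0';
    return strlen(src) >= dsize;
}

int main(void)
{
    char buf[8];
    size_t n = my_strlcpy(buf, "0123456789", sizeof buf);
    printf("strlcpy -> \"%s\" (wanted %zu, truncated=%d)\n", buf, n, n >= sizeof buf);
    n = my_strlcat(buf, "XYZ", sizeof buf);
    printf("strlcat -> \"%s\" (wanted %zu, truncated=%d)\n", buf, n, n >= sizeof buf);
    printf("strncpy left buffer unterminated: %d\n", strncpy_leaves_unterminated());
    return 0;
}
```

The return value of the strl* functions is the point of the interface: the caller compares it against the buffer size to detect truncation in one line, instead of re-deriving string lengths after the fact as the strn* pattern requires.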

