Linux v Windows, who's more secure?
[link|http://www.eweek.com/article2/0,3959,1557459,00.asp?kc=EWYH104059TX1B0100580|http://www.eweek.com...104059TX1B0100580]

Wow.

..both Windows and Linux can be deployed securely. Microsoft Corp., however, fixes security problems the quickest, which is a good thing, since it also has the most major security holes.


Uhm. Yeah....

To get quantitative answers to these questions, Forrester used two metrics. The first is the number of days between when a problem is publicly disclosed and when the operating system vendor releases its fix. In Linux's case, a component maintainer, such as The Apache Software Foundation for the Apache Web server, can patch security holes, but then there may be a delay before the Linux distributor releases the component creator's patch. Forrester calls this period the "distribution days of risk."

The second metric is the United States' National Institutes for Standards and Technology's ICAT project standard for high-severity vulnerabilities. According to ICAT, high-severity vulnerabilities can be used for exploits that enable any of the following: 1) a remote attacker to violate the security of a system (i.e., gain an account), 2) a local attacker to gain complete control of a system or 3) the Computer Emergency Response Team Coordination Center to issue an advisory.


I'll let y'all rip apart those metrics and their relevance, especially the first one with regard to private v public exposure of a fault and the ignorance of the fact that most are wary of M$ updates until they've been field tested for breaking other stuff. Where's THAT metric in this mix?

If your business has relatively unsophisticated administrators, Forrester recommends MandrakeSoft, Microsoft and SuSE, since all three of these companies "hang their hats on the ease with which relatively unskilled users and administrators can install, configure, and patch their platforms," according to the report. If your staff is a step above that, Forrester recommends Red Hat and Microsoft.
-----
Steve
Love to see the full report (and methodology)
ICAT classified 67 percent of Microsoft's vulnerabilities as high-severity, placing Microsoft "dead last among the platform maintainers by this metric," the report noted.

Red Hat fixed 99.6 percent (all but one) of the 229 applicable Linux vulnerabilities. Red Hat and The Debian Project, which is run by Software in the Public Interest Inc., a non-profit group that runs a number of similar projects, were the fastest of the Linux distributors, taking 57 days to fix these problems. Debian had the least number of distribution days of risk for the Linux vendors but only fixed 96.2 percent of the vulnerabilities.
1: As Steve's quote pointed out they count "days of risk" starting from the public release. Most Microsoft bug announcements seem to be accompanied by the fact that the bug was pointed out to them privately months earlier. With Debian, there is no such thing as a non-public bug notice.

2: I find it hard to believe Debian wouldn't have patched bugs. If RedHat released it, then it is most likely GPL, and the Debian maintainer would have it. (2a: They don't say if they were looking at Stable, Testing, Unstable or Experimental.)

3: I also don't see any mention of how many of the MS bugs were never fixed, or were fixed by forcing an upgrade. Nor how many times this forced upgrade introduced one or more new bugs. Nor how many times this upgrade required accepting a new EULA.
===

Implicitly condoning stupidity since 2001.
They are talking about the Mozilla Bugs that has...
About 55 bugs attached to it. Specifically the version in Woody.

There is no way to fix the bugs without completely re-writing the whole area it is in. Unless you upgrade the version. This really irks me, when they want Debian to UPGRADE a Stable release with a NEWER version (1.0.3 I think in woody) to 1.5.something to get the vulnerability fixed.

Do people understand what STABLE is all about?

And people that are really interested in that security, know about backports.org
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

'In view of the fact that Microsoft is a condemned monopolist and on the other hand the internal messages and financial transactions of SCO look ever doubtful, Microsoft should be really anxious that to the own company something does not remain sticking from the Gestank of the SCO.' --Plagarized from [link|http://www.groklaw.net/article.php?story=20040322133607169|GROKLAW]
Linux community follow-up
[link|http://www.debian.org/News/2004/20040406|http://www.debian.org/News/2004/20040406]

While the vulnerability data regarding GNU/Linux which is the basis for the report is considered to be sufficiently accurate and useful, Debian, Mandrakesoft, Red Hat and SUSE, from now on referred to as "We", are concerned about the correctness of the conclusions made in the report.

We believe that it is in the interest of our usership and the Free Software community to respond to the Forrester report in the form of a common statement:

...

Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor's fix. For each vendor the report gives just a simple average, the "All/Distribution days of risk", which gives an inconclusive picture of the reality that users experience.

...

We believe the report does not treat vendors of Free Software and the single closed source vendor in the same way. Free Software is known for its variety and its freedom of choice amongst the standards it defines. Multiple implementations of these standards are typically offered for both desktop and server use, which gives users the freedom to select software based on their own criteria rather than those of the vendor. The openness, transparency and traceability of the source code is added value in addition to the larger variety of software packages available. Finally, the claim that one software vendor had fixed 100% of their flaws during the period of the report should be incentive for a closer investigation of the conclusions the report presents.


:)
-----
Steve
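As an added illustration, not code from the article, the Forrester report or any poster in this thread, the Python below computes the two metrics quoted in the first post ("days of risk" from public disclosure to the distributor's fix, "distribution days of risk" from the upstream maintainer's fix to the distributor's fix, and the ICAT high-severity share) and also reports the spread that the simple average criticised in the Debian statement leaves out. All vendor names, dates and severities are constructed sample data.

```python
from datetime import date
from statistics import mean

# Constructed sample records (hypothetical; not figures from the Forrester report).
# Fields: vendor, ICAT severity, public disclosure date, upstream maintainer fix
# date, date the distributor shipped a fix (None = not fixed in the study window).
RECORDS = [
    ("VendorA", "high", date(2003, 3, 1),  date(2003, 3, 3),  date(2003, 3, 11)),
    ("VendorA", "low",  date(2003, 4, 5),  date(2003, 4, 5),  date(2003, 4, 8)),
    ("VendorA", "high", date(2003, 6, 20), date(2003, 6, 22), None),
    ("VendorB", "high", date(2003, 2, 14), date(2003, 2, 14), date(2003, 3, 30)),
    ("VendorB", "low",  date(2003, 5, 9),  date(2003, 5, 9),  date(2003, 5, 10)),
]


def vendor_metrics(records, vendor):
    """Forrester-style metrics for one vendor, plus the worst case a mean hides."""
    rows = [r for r in records if r[0] == vendor]
    fixed = [r for r in rows if r[4] is not None]
    # "All days of risk": public disclosure -> distributor fix shipped.
    all_days = [(r[4] - r[2]).days for r in fixed]
    # "Distribution days of risk": upstream maintainer fix -> distributor fix.
    dist_days = [(r[4] - r[3]).days for r in fixed]
    return {
        "total": len(rows),
        "fixed_pct": round(100.0 * len(fixed) / len(rows), 1),
        "high_severity_pct": round(100.0 * sum(r[1] == "high" for r in rows) / len(rows), 1),
        "mean_all_days": round(mean(all_days), 1) if all_days else None,
        "max_all_days": max(all_days) if all_days else None,
        "mean_distribution_days": round(mean(dist_days), 1) if dist_days else None,
    }


def all_vendors(records):
    """Metrics for every vendor present in the records, keyed by vendor name."""
    return {v: vendor_metrics(records, v) for v in sorted({r[0] for r in records})}


if __name__ == "__main__":
    for vendor, m in all_vendors(RECORDS).items():
        print(vendor, m)
```

Note that the vendor with the lower mean still has an unfixed flaw counted nowhere in its day counts, and the one with the higher mean has a single 44-day outlier; the max column is what makes that visible.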
     Linux v Windows, who's more secure? - (Steve Lowe) - (3)
         Love to see the full report (and methodology) - (drewk) - (1)
             They are talking about the Mozilla Bugs that has... - (folkert)
         Linux community follow-up - (Steve Lowe)
