In short: Open source development produces more secure, less flawed code. Linux has no more flaws than Windows, and probably a lot less. Linux has managed to achieve these results without intensive vetting by analysis tools that Microsoft has been using on Windows for years. Coverity is now going to grant the benefit of its expertise to the Linux community by making the results of its analysis available, thus providing the information necessary to fix the discovered source code flaws. Linux, already a leader in code quality, will become better.
Heh. I'm glad I'm running Linux.
Reality states that if you believe any operating system is "secure" then either you are very misguided, or totally fail to understand the nature of your work-tools.
Within the past week I have received over 30 vulnerabilities for Linux based systems ... this within a corporate environment is totally unacceptable. Whilst Microsoft do not claim to have issued the perfect OS they will issue updates, and patches as required, without making a song and dance about it ... in fact the only people who seem to be shouting about holes found within MS are those who use Linux, and the very same people who become very quiet when a vulnerability is identified within their OS - and instigate a new version of "code wars" - One does tend to wonder why?
The added advantage of operating "Licensed Software" within a corporate environment is that you have an avenue open for support with the relevant vendor who will issue a tested update should the requirement be proven; Sadly this is not the case with "Open Source Freeware" where you need to wait for a script-junkie to issue a "fix" against the GNU license agreement - and then certify that the script released is associated with the release notes & the "published code", and that it also does not contain any back-doors ...
Sadly I find it necessary to question the loyalties of the team who have published the "findings" of this research ... not to mention the lack of responses ...
Arthur
I think in fact talking about Linux in general may be unfair. Every distribution is different.
I know, for instance, that Debian will fix a security problem in their OS within 24 hours.
All you have to do the day after to get them is type 2 lines of command: "apt-get upgrade" and "apt-get update".
Other facts that lead me to say that Linux is a more secure and well written system: the OS will stay up for years without leaking buckets into RAM. How come Microsoft still doesn't offer a better multi-tasking system than Linux?
Oh! Yes, I can say that in general the Linux code is much better written by many factors than the Microsoft code.
Just a simple example: Since Windows95 the dial-up window will not retain the password even if you check the associated box (remember the password); the flaw still was present in Windows98, Windows2000; I didn't try it in Windows XP.
So why do they let code go out like that, half way tested? Did you guys forget about ME with all the deadly crashes?
Oh, it is a small thing, will you tell me, but this gives you the idea that if they don't care about small things they probably have the same attitude about the rest; we just see the tip of the iceberg.
I believe that if Windows would be compared to a piece of Gruyere there would be no cheese left... and it doesn't mean the Microsoft mouse ate it.
Who said that Linux systems were absolutely "secure"? The point here isn't that Linux isn't impenetrable (that depends on the way the system is managed), but that Linux code isn't as flawed and doesn't present as many security vulnerabilities as Windows code. It's a matter of degrees, not of absolutes.
Room temperature and boiling temperature is also not a matter of absolutes, but I'd rather live in room temperature, personally. By the same token, Linux isn't "absolutely" secure, but I'd rather use the relative protection of Linux than the comparative open door and welcome mat of Windows, for security purposes.
As for your 30 vulnerabilities for Linux systems, I have a couple of questions:
Have you checked on whether some of those might be duplicated warnings?
How many of those are actually Linux problems, as opposed to vulnerabilities discovered in software that runs on Linux?
How many of those application vulnerabilities even apply to anything you're using?
Don't bother telling me the answers. I think I already know them. My point is in trying to make you actually read the alerts and pay attention to them. If Microsoft got blamed for every vulnerability in Symantec, Adobe, Macromedia, and other vendors' software offerings, the Windows security advisories would likely number in the hundreds every week. If you think 30 is unacceptable, you should try that on for size. Besides, if you're not using a2ps and htget (the last two apps to get security advisories today for Debian users), those vulnerabilities don't apply to you. They certainly don't apply to me.
I think you're jumping to some conclusions here when you discuss who is complaining about what. I, for one, have a lot of complaints about security holes in Microsoft software. You're right: I'm a Linux user. What you're missing is that I'm also a Windows user. In fact, most of my job centers around Windows. It's my familiarity with both that allows me the perspective to compare the relative security characteristics of the two, and that prompts me to point out where Microsoft is falling down on the job. I don't have any complaints with Linux security, generally speaking, because there are fewer vulnerabilities in Linux than Windows, and fewer in Linux-based applications than in Windows-based applications, and because Linux developer teams regularly and typically fix vulnerabilities within 24 hours (especially the Debian guys) while Microsoft operates on a monthly patch cycle and regularly lets vulnerabilities stagnate for several months before addressing them. Yes, Linux users complain about Microsoft problems, but they tend to be Linux users that still are, or at least were, regular users of Windows. Yes, Linux users tend to be less vocal about Linux flaws, but Linux flaws are typically recognized, announced, and fixed with admirable speed, while Microsoft likes to sit on information, pretend flaws don't exist, or lie about how critical various vulnerabilities are: Linux vulnerabilities don't need much vocalizing about because they get fixed.
As for a lack of responses, you should probably keep this in mind:
This just adds credence to what habitual Linux users already know about comparative security issues with Linux and Windows. Those who only use Windows, and don't know much about Linux, don't have any knowledge they can use to counter the findings. Somehow, you seem to see this as a sign of a conspiracy, and yet you probably accept Microsoft-funded TCO studies as holy writ. I think you probably lack perspective.
I tend to agree with you. I don't think any Windows users would claim that Windows is perfect, but the Linux community seems to push that about Linux. There is no perfect OS to date.
This Thursday I received notification of an update required for Red Hat - 47 of them. If you were to not count bugs in the third party software there would be very few. Linux is just a bundle of software, each part is by a separate vendor, and a lot of things run in the background even if you don't use them (therefore an update may apply to you anyway). A lot of the third party software in Linux does things that are integrated into Windows (for example Samba, and I suppose you should also count the GUI (GNOME?)).
All I ever hear about is Windows and Linux. Like those are the only options out there. Lately they are starting to include OS X, but constantly ignore the best performing and most secure OS on the market. Is it just that the BSD based operating systems don't have marketing departments?
1. Linux is a single OS kernel across many different distributions. BSD is not. BSD is a set of different OS kernels, each with its own distribution. While BSDs are more alike than any other OSes are like them, they are more different than Linux distributions are from each other. As such, each BSD would need to be treated separately for accuracy. This makes reporting more difficult.
2. Linux has far more software natively available to it than BSD does. True, you can often recompile software available specifically for Linux so that it will work in BSD, but for business purposes at least there is usually some reticence to commit to having to compile code every time a change in system capabilities must be made, or every time something must be updated.
3. The GPL is more conducive to popular adoption than the BSD license is. The BSD license is in some ways more ethical than the GPL, but not in others: there's something of a trade-off there. The GPL, though, tends to support social circumstances that drive people to the software to which it's applied, and the BSD license tends to support social circumstances that really sorta promote apathy, generally speaking. Thus, Linux gets more attention.
4. You're wrong about BSD being the "most secure OS on the market". OpenBSD may well be the most secure OS on the market, but BSD in general isn't. Even if you overlook for a moment the fact that BSD is actually several OSes, there's nothing to suggest to me that FreeBSD, for instance, is capable of better security than Debian GNU/Linux. If you'd said that OpenBSD is the most secure OS on the market, though, I don't think I'd have any arguments against that.
5. Even taking into account the fact that OpenBSD is possibly the most secure OS on the market, though, it's only a matter of degrees. The gap in security between OpenBSD and certain implementations of Linux (particularly with new secure Linux implementations in the works, like SELinux) is so slim that other concerns usually take center stage.
6. I'm curious as to how you arrived at the conclusion that BSD OSes are the "best performing" on the market. I have two problems with that. First, I think you're wrong; Linux seems far more capable of performance tuning than BSD, can take better advantage of high-performance hardware with drivers and kernel modules now available, and advances rather more quickly than BSD development tends to. Second, "performance" varies depending on your definitions and what tasks you're trying to accomplish.
7. For business purposes, you can get far better support for Linux than for BSD, generally speaking.
On the other hand, I agree that other Unices shouldn't be excluded from such things. Those of us who know better are simply going to have to tell others that there are options besides Linux and Windows for PC architecture systems.
Very informative...again. How do you do it? I'm getting carpal tunnel just looking at the amount in the previous post.
Be assured that there are those reading them and learning, hopefully.