Security Solutions: Open source risk

By discussion
In this week's Security Solutions TechMails column, Mike Mullins highlights some of the security issues regarding open source software deployment. Are your servers running Linux? Are you satisfied with the security that they provide to your network? Do you modify your own source code or depend on patches?

If you're interested in the Security Solutions TechMail, but would like to learn more about it before signing up, point to this link and then click Security Solutions to see a sample:


Who asks the questions in the article

by J.Vajda In reply to Security Solutions: Open ...

Dear colleagues,
I had a bad feeling of "deja vu" reading the article, as it sounded very much like "MS senior executive talk".
In theory the report is sound, but the practical side of it is far from reassuring. I think MS is very unresponsive, very quick to drop products, and absolutely unwilling to provide help if it is "no longer supported".
With open source you always have the possibility to create the correction for a flaw, as the source is open.
I find the article significantly biased, and in line with MS policy which aims to discourage migration away from closed source development, at certain stages even implying that open source is "un-American" and contrary to "free enterprise".
I think that the MS way of indicating things is more "un-American" and contrary to "free enterprise".


on Deja Vu

by sean? In reply to Who asks the questions in ...

I agree with J.Vajda. There are security issues with any software - MS sent out three security notifications on Wednesday.

The author states that security is not the vendor's responsibility; it is arguable that this may be the case with open source as we all 'own' it, but if I pay a large sum of money for a complete software package then security is the responsibility of the software house.

It's no different than buying a car in this respect. If I buy a Ford I expect it to work without me having to constantly test the brakes etc.

If I put in an OS or any system, I expect it to work; the fact that it has security holes in it is to do with its design and build. Why am I responsible for the failure of other people to get those right?

It's this kind of attitude that allows companies to sell shoddy software.


FUD tactics in TechRepublic?

by vladimir.simek In reply to Who asks the questions in ...

Until I read this article, I considered TechRepublic an objective source of information for IT pros.
But this article looks like one of the marketing bullshit pieces which MS uses to create Fear, Uncertainty and Doubt among uneducated users and executives, who know nothing about the differences between Open Source and proprietary systems.
It looks to me as if this article was completely paid for by Microsoft, and I am very angry that TechRepublic published it. Either you want to start a flame war between Linux and MS fans, or you have been paid by marketing from Redmond.
Ok, now to arguments:
- SuSE and RedHat issued 56 software updates. How many (critical) updates did MS issue? Right now I'm downloading all patches for Win2K/XP, IE 5.0-6.0, JVM and IIS into Software Update Services, and it is more than 199 updates!
- Vendor support. Yes, you can find basic advice in But if you want phone support, you must a) pay MS for it, or b) speak to idiots who have never seen a computer in their whole life. If you want Linux support, you can pay RedHat or SuSE, or you can find a lot of information on the internet, in the manual pages or in the Linux Documentation Project.
- Time from discovering a security flaw to issuing the patch. Patches for Open Source systems come in a shorter time (days) than for MS products (months).
- Quality Assurance. Is the MS Quality Labs certificate enough for you? For me, it is not. I've never seen the "blue screen of death" on my Linux installation. In a company with ca. 200 computers running Win2k Professional I see it several times a week.
- Final Thought. Linux is not a secure system, but neither is Windows. It depends on the network (or security) administrator. But not everyone who can click a mouse says "I'm a Linux administrator". Yet how many people who know nothing about security and networks say "I'm a good Windows admin"???
TechRepublic, I'm really disappointed with this article.


Excellent response

by dennis.smith In reply to Who asks the questions in ...

This guy is definitely biased. Has he even tried setting up and using a Linux system? When a flaw is discovered in Linux, it gets fixed fast. You could even fix it yourself if you want. Just try calling MS with a bug and see how fast it gets fixed. Let's not look at the number of flaws, but at the number of times an MS system gets compromised compared to a Linux/Unix system. Not even close.


Can anyone say "bias"!

by paulsenj In reply to Who asks the questions in ...

I agree with the posts so far. The article said RedHat and SuSE released 56 security updates, but it didn't point out the 200 MS updates year to date. The article also asks who you go to for tech support. Well, I know RedHat sells support solutions and I'm sure SuSE does too. As for network security, that has always been the SysAdmin's job. For example, if you set up a server and install all the security updates the manufacturer has, and then let's say install telnet. If some unauthorized person telnets in and deletes all of your important info, whose fault is that? Yours, the SysAdmin! It's not the manufacturer's fault you didn't set a telnet password, or set one so simple a 3 year old could figure it out.

The person who wrote the article says he uses open source software, and perhaps he thinks that 56 security patches year to date is a lot; if he hasn't used Windows yet this year he probably didn't realise that MS has released 200. But that would mean he got fed up with Windows and went to Linux. :)



by jrmint In reply to Who asks the questions in ...

I can't believe what I just read. I had to sit back and relax before posting. I missed the banner that said 'Paid for by Microsoft'.

If you have ever dealt with 'vendor support' you would know that you would rather poke your own eyes out with red-hot pokers than deal with most of the morons on the phone. Every experience I have had with email/phone support usually ends a few days later with me telling the 'support engineer' what is wrong and how to fix it. That fix may take many months to come out ... am I supposed to shut the machine down and wait for it? If you have ever applied a patch to a production server without first applying it to a test instance because the vendor certified it, then you are suicidal.

There is no perfect O/S. You have to decide what is acceptable for your organization. Would you rather wait 3 months for a vendor patch that may even turn out to be the old "the next version addresses that, why don't you upgrade", OR would you like to have the option available to fix it yourself or even ask the larger community to fix it? You have to decide where you want to invest your time and money.


Agree! Comments on objectiveness

by romeroGT In reply to Who asks the questions in ...

Is it objective to compare the sum of updates of 3 operating systems against anything else? Is it fair to compare updates without comparing mitigating factors, likelihood of occurrence and versions affected? I think it is not.

Product maturity is not equal to time in market. How many times has Linux been compiled and a release tested in the Open Source community?

Vendor support is a myth. I use very few open source products, but my experience tells me the flaws are fixed faster on some open source products than they are on the ones my company paid for. I will not go into details, but Apache has been quite a good experience for me, while other paid web servers have not been as good.

The focus on support and security in open source products is real. Four years ago I would have shared your opinion, but since I've been researching different open source products this has changed, and I think that from a marketing point of view a company having a bigger banner stating "Security" doesn't always mean it is backed up with real work.

Using open source does not mean you must code and compile your own version; it is up to you. I don't see an issue of security, rather one of personal preference and capacity.

Keep your mind open. We do not have to migrate to open source, but we do not have to stay on paid software either. We must evaluate, compare and make decisions; the options have changed, we are not in 1998 when "Open Source at the enterprise" was a bad word.


Who is responsible?

by trichart In reply to Who asks the questions in ...

I will remember this article every time I read an MS KB article that ends with "first fixed in Service Pack 2" or something along those lines.
The fact is, in my opinion, that support is fairly spotty everywhere (ever try to get a straight answer for the many programmatic errors in Outlook 2003?).
The answer is a combination of open source, direct source and your own tuning.
As for the idea that the more popular an application (or OS) is, the more it will be attacked: that is partially true, but it does not explain why IIS is so much more vulnerable than Apache or iPlanet. Perhaps it is better explained this way: what you need from any application is performance, security and stability. You can pick any two.


Software Packages or OS updates?

by ManIT In reply to Security Solutions: Open ...

How many of the 56 updates put out by RedHat dealt with their version of Linux, and how many dealt with open source software distributed with RedHat? If you include the sendmail alert, then all Unix distros were vulnerable. Some major Unix vendors also distribute samba, another recent piece of software that was found to be vulnerable. QA is done by the whole community in the open; look at bugtraq as an example.

I agree with the author that security is the ultimate responsibility of the admin (all must work as a team: security, network, unix, linux, microsoft, db, etc.) whatever the OS.


Common FUD Tactic

by aaube In reply to Software Packages or OS u ...

A common FUD tactic among the anti-Linux crowd is to add up all Linux vendor updates and use that as a measure of security.

What happens is that, if RedHat, SuSE, and Mandrake each release an update to cover the same flaw in the same software (such as Sendmail), that gets counted as 3 vulnerabilities.

Tell me, do these same Linux critics count the same vulnerability in Windows 2000, Windows XP, and Windows NT as 3 vulnerabilities? I think not.
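Several posters above (the 56-versus-200 update tallies, and aaube's point about one Sendmail flaw being counted once per distribution) are really arguing about how security-update counts should be normalised. The script below is an added example, not code from the thread or from any vendor: it takes a constructed list of vendor update notices and reports, for each platform family, the raw notice count next to the number of distinct underlying flaws, the severity breakdown of those distinct flaws, and how many separate notices each flaw generated. The FLAW-* identifiers are placeholders standing in for whatever shared identifier (such as a CVE ID) real advisories reference; the vendors and products are sample values only.

```python
"""Normalising security-update counts to unique flaws.

Added example; not code from the thread or from any vendor. The advisory
records below are constructed sample data, and the FLAW-* identifiers are
placeholders standing in for a shared identifier such as a CVE ID.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    family: str    # platform family the comparison groups by ("linux", "windows")
    vendor: str    # who published the update notice
    product: str   # affected package or product
    flaw_id: str   # shared identifier for the underlying flaw (placeholder here)
    severity: str  # "low", "moderate", "important" or "critical"


# Constructed sample: three Linux vendors each ship a fix for one sendmail flaw
# and two ship a fix for one samba flaw, plus vendor-specific kernel fixes; one
# Windows vendor issues a separate notice per affected product for one flaw.
SAMPLE = [
    Advisory("linux", "RedHat", "sendmail", "FLAW-1", "critical"),
    Advisory("linux", "SuSE", "sendmail", "FLAW-1", "critical"),
    Advisory("linux", "Mandrake", "sendmail", "FLAW-1", "critical"),
    Advisory("linux", "RedHat", "samba", "FLAW-2", "critical"),
    Advisory("linux", "SuSE", "samba", "FLAW-2", "important"),
    Advisory("linux", "RedHat", "kernel", "FLAW-3", "moderate"),
    Advisory("linux", "SuSE", "kernel", "FLAW-4", "low"),
    Advisory("windows", "Microsoft", "Windows 2000", "FLAW-5", "critical"),
    Advisory("windows", "Microsoft", "Windows XP", "FLAW-5", "critical"),
    Advisory("windows", "Microsoft", "Windows NT", "FLAW-5", "critical"),
    Advisory("windows", "Microsoft", "IIS", "FLAW-6", "critical"),
]

SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


def raw_count(advisories, family):
    """The figure an 'add up the updates' comparison reports."""
    return sum(1 for a in advisories if a.family == family)


def unique_flaws(advisories, family):
    """Distinct underlying flaws, however many notices fixed them."""
    return {a.flaw_id for a in advisories if a.family == family}


def unique_by_severity(advisories, family):
    """Count distinct flaws per severity, keeping the worst rating any vendor gave."""
    worst = {}
    for a in advisories:
        if a.family != family:
            continue
        current = worst.get(a.flaw_id)
        if current is None or SEVERITY_RANK[a.severity] > SEVERITY_RANK[current]:
            worst[a.flaw_id] = a.severity
    counts = defaultdict(int)
    for sev in worst.values():
        counts[sev] += 1
    return dict(counts)


def notices_per_flaw(advisories, family):
    """How many separate notices each flaw generated: the double-counting factor."""
    counts = defaultdict(int)
    for a in advisories:
        if a.family == family:
            counts[a.flaw_id] += 1
    return dict(counts)


def compare(advisories, families=("linux", "windows")):
    """Side-by-side raw and normalised figures for each platform family."""
    return {
        fam: {
            "notices": raw_count(advisories, fam),
            "unique_flaws": len(unique_flaws(advisories, fam)),
            "by_severity": unique_by_severity(advisories, fam),
            "notices_per_flaw": notices_per_flaw(advisories, fam),
        }
        for fam in families
    }


if __name__ == "__main__":
    for fam, stats in compare(SAMPLE).items():
        print(fam, stats)
```

On the constructed data the Linux side shows 7 notices for 4 distinct flaws and the Windows side 4 notices for 2, so a raw-notice comparison overstates both by a different factor; the per-flaw notice counts make that factor visible. The same normalisation applies in either direction, which is the point aaube raises about counting one flaw once across Windows 2000, XP and NT.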
