Security Solutions: Open source risk

In this week's Security Solutions TechMails column, Mike Mullins highlights some of the security issues regarding open source software deployment. Are your servers running Linux? Are you satisfied with the security that they provide to your network? Do you modify your own source code or depend on patches?

----
If you're interested in the Security Solutions TechMail, but would like to learn more about it before signing up, point to this link and then click Security Solutions to see a sample:
http://www.techrepublic.com/techmails.jhtml?repID=r001

** Excellent response **

by Prana7 In reply to Security Solutions: Open ...

I agree with this post. Linux has a lot of security updates and is in front of the people who created Linux, Red Hat, Unix, etc. programs. Open source will help them to fix what they see as big leaks or bugs, etc. I think open source is wonderful and FREE.

I agree with the person who wrote "For example, if you set up a server and install all the security updates the manufacturer has, and then let's say install telnet. If some unauthorized person telnets in and deletes all of your important info, whose fault is that? Yours, the SysAdmin! It's not the manufacturer's fault you didn't set a telnet password, or if you set one that was so simple a 3 year old could figure it out."
That's totally true. It's the system or network administrator/engineer's fault, not yours or the user's or so.

They have to be careful to configure it manually, without defaults.

:)

What Quality Control

by Eagle77 In reply to ** Excellent response **

Mike, you talk about quality control. Where is the quality control that permits the extraneous programs within the OS like MS does? I have yet to see a Linux OS install with the games and Easter eggs unless they are selected for install. There are literally tens of thousands of lines of dormant code within the MS OS's. Compare that to open source. The open source community reviews prevent those occurrences and perform a much more thorough quality control than with many of the closed source software houses. No software is perfect, but when I pay hard earned cash for a product I expect a level of quality. I get that level of quality from open source software, but I have yet to receive it from MS. The lack of quality on the patches is notorious. 'Nuff said.

What's real and What's not

by Mishap In reply to Security Solutions: Open ...

I have mixed emotions about this article. It sounds like something from Redmond, but not quite.

I am far more concerned with the number of EXPLOITS than the number of vulnerabilities! And I am far more concerned with the time from discovery to time of repair when a vulnerability is found.

Based on all of the indicators that I have seen, Open Source is FAR ahead in the discovery to repair cycle. And FAR behind in the exploitation area. I have far more CERT notifications of exploits for MS products than for Open Source. Most of the Open Source issues seem to end up being 'possible' vulnerabilities instead of real ones.

As for support, companies like Red Hat and SuSE, and most of the other distros, are responsive and have good support. I cannot say the same for MS.

Security is two issues: vulnerabilities that the administrator cannot address (software bugs and etcetera) and vulnerabilities that the administrator can address (bad passwords, unnecessary services, and etcetera). The vendor IS responsible for the former. The vendor needs to be responsive and plug vulnerabilities quickly. The vendor also needs to supply a secure system rather than seeing how many bells and whistles can be added to the next distro. The administrator needs to verify that only the services needed are run, and that the security on those services is properly maintained.

Open source risk

by mikatrob In reply to Security Solutions: Open ...

Any system needs to be updated, and patches tested before they are installed on production boxes.
Vendors can only be so responsible, but not for ignorance on SysAdmins' behalf.

Follow this link and here is MS's response to customer questions about
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/policy/rateFAQ.asp
Why have you made these improvements to the severity rating system?

"Customers provided us with feedback about the former system, and we believe that, after a year, the time has come to respond to this feedback:"

After a YEAR no one knew what they were talking about.
Not to bash, but get real!
Patches for open source normally have "here's the workaround"; we do this on production boxes, then test the patch on test servers.
Paid for products we patch, our tummies gurgle as the system reboots and we pray to God the system comes back up without errors.
Yes, we test the "paid" products' patches, but even if broken we cannot patch ourselves.
We would have far less problems if the SysAdmins had to "understand" what they were doing and involve themselves a little more than to leave auto update on.

Who uses Open Source???? MS Maybe

by mikatrob In reply to Security Solutions: Open ...

By learning how Hotmail.com has implemented their web email service, we can gain extra information/insight on how to build a similar system using @Mail. Scalability is the key; it is important to choose a reliable and fast platform to host the service under.

See http://www.unix-vs-nt.org/kirch/hotmail.html for reference

"The software giant has attempted to exchange the Sun/Solaris infrastructure of Hotmail with NT since buying it in December 1997. However, the demands of supporting 10 million users reportedly proved too great for NT, and Solaris was reinstated. In a leaked report, sources close to Hotmail said: '... its whole mail server infrastructure is Solaris. NT couldn't handle it. On the web server, they're running MP Pentiums and Apache on FreeBSD. They're moving to Solaris for threads. The engineering team did its best to run NT - and failed. The issue's being escalated.' Hotmail is running Apache's /1.2.1 web server which is not available for NT due to technical difficulties. A statement on Apache's website states: 'The road to Windows NT has not been a pretty one. Several attempts have been made, both by Apache Group members and outside folks, but due to a lack of stability and a clear consensus on how to manage a true cross-platform development project, NT is not yet a standard platform supported by Apache.'"

Hotmail uses FreeBSD machines as the web servers, which communicate with a cluster of Sun machines that store user emails/profiles in an Oracle database. Using both mod_perl and CGI, hotmail.com was initially created. Since Microsoft purchased the service, they have attempted to port the software over to Windows, with failure.

Make up your own mind! And for those who play follow the leader, well, follow your leader and use open source.

Sorry about the flames I couldn't help it.

Link not working, here's a new one

by mikatrob In reply to Who uses Open Source???? ...

The one thing that I found

by HAL 9000 Moderator In reply to Security Solutions: Open ...

Interesting here is not so much the bit about the number of soft fixes, and no mention that MS has released far more, but the implication that by using Open Source you are somehow putting your organisation at risk from a hacker and if you use MS you're safe. Well, sorry, but that's not the case. If the author actually took the time to read MS documentation, it is virtually impossible to instigate legal action against MS for any failure of one of their products, and I'm only thinking security flaws here, not the normal simply won't work bugs. This author seems to me to imply that you have some form of protection by using MS products, and while I do have MS servers where I work and Linux servers as well, it's always the MS ones where the problems arise, and touch wood, so far I have never experienced a security flaw that compromises a Linux server. It's a pity that I can't say the same for the MS alternative.

My only question on this article is "Who actually pays the writer?" Microsoft or TechRepublic?

Author's Comments part 1

by Mike Mullins In reply to Security Solutions: Open ...

Thank you all for your comments. I read everything, both good and bad, so if you're having a bad day and need to unload, let it fly. I don't offend easily, but sprinkle some constructive criticism in with the flames.

I'll try to address all the above posts in this single reply:

J.Vajda@omh.hu - You're right, MS does things when there's a financial incentive. As for the bias, it's the way I see it. I don't have time to fix every flaw individually; I depend upon the engineers that sold me the poor product to fix it. Smart people don't use MS because it's secure. We use it because of convenience and time management. Re-read Final Thoughts.

seang@blueyonder.co.uk - You can't hold a vendor responsible for security (unless that's what they're selling). What I was talking about is quality assurance, and I agree with you. However, no one can test for everything, and immature products will consistently display new vulnerabilities. Re-read Final Thoughts.

vladimir.simek@sk.pwcglobal.com - The Linux crowd does do an excellent job at addressing security related issues (I think I said that). However, they need a more centralized approach and focus. Windows is an immature OS and new flaws are discovered weekly. As for the quality lab certificate, if I have one, then I can blame vulnerabilities on the vendor and not my own poor installation (it's job security, not bias).

dennis.smith@philps.com - Read my Final Thoughts. I'm a proud Linux user.

paulsenj - You're right. I have gotten fed up with MS. As for the number of flaws discovered, it's significant because it means that more people are using the system, therefore more people are discovering flaws.

--continued with Author's Comments part 2

Author's Comments part 2

by Mike Mullins In reply to Security Solutions: Open ...

Jrmint - You're correct. It's up to you to decide where to invest your money and time. That was part of my Final Thoughts.

emromero@sat.gob.gt - Exactly! Migrate, but forget your preconceived notions and hatred of MS and do it based on confidence in the OS to do the job it's intended for.

Trichart - Thanks! However, I prefer all three (performance, security and stability) when it comes to a web server. That's why I use Apache on Linux. Wouldn't run an IIS machine for my dog.

ManIT - It was 56 combined (RedHat and SUSE); they didn't address the same issues. Thanks for getting my final point.

aaube - See the above comments.

Prana7 - I agree with you. Open source is the way to go.

Don Smith - Absolutely, the admin should have total control over what is installed, and I applaud open source for giving us that flexibility. But quality control is more about testing and certification than application bloating.

larry@unicode.com - I agree with you on open source leading in the time to discovery. Vendors (MS) need to do a better job of supplying a finished product, not a work in production.

Final Thoughts - First, if I offended anyone, I apologize. I write the way I see it (which might be myopic). Open source is definitely the way to go, and it will only get better as more time goes on. Finally, I use MS products when I don't have a voice in the decision. When I have a choice, I go with Linux every time! Sorry Microsoft.

the cause of issues with the article

by malexand In reply to Authors Comments part 2

Mike,

I think the main issue is that while you may support open source, your article looked like it was blasting open source as being insecure and having many holes compared to MS products.

It is more about what you didn't say that causes concern. You didn't say that MS has flaws, and that it also isn't responsive to them. There are many security holes that MS has admitted to, and has also said will NOT be fixed because the OS it is part of is 2 years old. For much closed source software, it's upgrade or suffer. Once a new release is out you are on your own (actually less than on your own, because you couldn't fix problems if you wanted to).
The open source vendors are very responsive. By the time I've read about a vulnerability in something, such as sendmail, RedHat already has a fix available to download, and their up2date utility is even better than Windows Update. It doesn't even attempt to send back data.

I also don't have to reboot after updates, nor do I have to go back again 5 times because the updates can only be installed separately.

Even though you may support open source, your article did sound like MS rhetoric.