[plug] (Crossposted for your amusement) Insecurity

Leon Brooks leon at brooks.fdns.net
Wed Jan 29 10:52:59 WST 2003


Hi, Fred [Langa]; with regard to your recent pontifications on security:

Quoting http://www.informationweek.com/story/IWK20030124S0013/1
> the article said: "...more than 50% of all [CERT] security advisories ...
> in the first 10 months of 2002 were for Linux and other open-source
> software solutions."

The implication is that Linux has more bugs than everything else combined. You 
also implied an acceptance of WinInformant's wildly errant conclusions 
evidently founded on the same implication.

Quoting http://www.langa.com/newsletters/2003/2003-01-13.htm#4
> None of this excuses or lessens the seriousness of Windows' own problems,
> of course, but it does show that as Linux grows in popularity, it will
> have its own full share of bugs and security problems, too.

This assertion is independent of WinInformant's, and it is wrong too. Bugs have 
nothing to do with popularity; if anything, more participants in a given 
development process implies fewer bugs. In real life, the bug reporting 
process extends to more decorative issues that a project with fewer 
developers wouldn't have the resources to worry about.

Quoting InformationWeek again:
> It's hard to imagine a less inflammatory or more obvious assertion - that
> all operating systems have bugs and security issues

Unfortunately, you did not limit yourself to this assertion. If you had, you'd 
be clear. You tried to borrow some of WinInformant's facade of cleverness 
and bend CERT's reports to support your statement in such a way that you 
appeared to be conservative. That was damn silly, and you deserved to be 
flamed for it.

You then go on to raise and knock down a straw man by putting up a few mild 
objections to your point, namely that there aren't really that many bugs, and 
they can be fixed faster. Let's look at those.

> We can avoid CERT's problem of counting the same bug more than once if
> we compare the security patch/update counts for one popular distribution
> and version of Linux to one popular version of Microsoft Windows.

First off, the problem lies not with CERT, but with careless or zealotrous 
researchers interpreting the raw CERT data wrongly.

Second off, you do avoid that problem, but you smack face-first into another, 
one which is actually worse ("out of the frying pan, into the fire").

Slammer/Sapphire, currently the bane of MS-SQL servers the world over (still 
one probe every 2 minutes or better in a Class C subnet as I write) is not 
counted as a Windows bug, but a similar problem in PostgreSQL would be 
counted as a bug in, say, the SuSE, Slackware or Caldera Linux distributions.

There is no direct Windows equivalent for a Linux distribution. No Windows 
version ships with anything like Mandrake's 4000 or Debian's 11000 or so 
(slightly more granular) packages. Or, for that matter, with anything like 
the same amount of control over them. Microsoft's "157 products" aren't a 
drop in a bucket compared to that.

You also do not correctly address the issue of bug severity. A typical 
Microsoft bug results in, as the mythical CERT CA-96.13 says, "the total 
destruction of your entire invasion fleet and [...] unauthorized access to 
files" by remote control. A typical Linux bug results in remote access as an 
ordinary or even crippled (chrooted and/or owns no files) user, or the 
possibility of local escalation to superuser. Your "quick example" is 
exceptional, not typical.

Perhaps more terrifying are the Windows bugs that _cannot_ be fixed. Because 
of the way Windows is designed, in all known versions, it will _always_ be 
possible to push a stick through the spokes of the Windows message-passing 
system and escalate privs. IE's MIME handling under Windows is still badly 
broken, and as far as I can tell, always will be.

Just to labour the point, consider this list of known, unpatched Internet 
Explorer vulnerabilities - http://www.pivx.com/larholm/unpatched/ - including 
"Silent delivery and installation of an executable on a target computer", and 
contrast that with the Open Source competition (Mozilla, Konqueror and 
derivatives) which patched and tested the most recent SSL vulnerability in 
under a day (95 minutes from notification to fix-release for Konqueror).

> The open source community has fragmented into myriad competing segments,
> each with its own different, and increasingly quasi-proprietary,
> distributions of software.

Using a few prominent examples to speak for all Linux distributions is grossly 
careless. In general, Linux distributions include little if any proprietary 
software, and most have downloadable distributions which are both libre and 
gratis. Many, notably Debian and Mandrake, make a point of GPLing all of 
their specialised tools, and many distributions borrow chunks from each 
other. In the case of Sun's "Mad Hatter" distribution, they borrowed RedHat's 
entire distribution en bloc.

Fragmentation is - from a security perspective - good. A software monoculture 
is vulnerable. _Any_ monoculture is vulnerable. Linux runs on 13 hardware 
architectures, Windows on 2 (really only 1), a typical Linux distribution 
provides a sheaf of different window managers, web browsers, mail clients, 
office suites, databases, webservers, scripting languages and so on.

From a user perspective, the choice represented by fragmentation is good. For 
a current example, a parochial Australian girls' school installed Linux and 
defaulted the girls' desktops to KDE. Within days, a significant number of 
the students had discovered and settled on GNOME and lighter window managers 
like IceWM and BlackBox. The helldesk didn't explode as a result (choice of 
WM is part of the user context), in fact the support crew do much less 
running around than they used to with Windows and no such choices.

Is Linux ready for the desktop? The 20,000 (soon to be 200,000) users in Rio 
Grande do Sul's State schools think so too.

There's a lot more which could be said about your article, but it hardly seems 
worthwhile. Do more research, come at the issues with more hard facts and 
less fancy theories. Don't try to justify mistakes, it's much more useful to 
learn from them.

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://slpwa.asn.au/            Member, Linux Professionals WestOz
http://plug.linux.org.au/       Member, Perth Linux User Group
http://linux.org.au/            Committee Member, Linux Australia
http://linux.org.au/~leonb/lca2003/  THE Oz Linux Technical Conf:
                                excellent event, photos here!