More FUD about LINUX security

Discussion in 'all things UNIX' started by linuxforall, Apr 16, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The rest of the article deals with statistics (I thought we didn't believe in those!) and they're some fun ones because they're pretty simple to disprove in any argument where it's OS vs CS.

    And what was the market share of those two operating systems at the time? I think Vista was probably somewhere around 5%, lol, of course more vulnerabilities were found in XP. By sheer nature of XP having 15-20x as many users and being a near-decade old operating system.

    Also silly. Linux is open source, the process in which vulnerabilities are found and patched is entirely different from Microsoft's system, which is entirely behind closed doors. An exploit in Microsoft could have been around for weeks before it was patched but it only got discovered a few days before the patch. Microsoft's bug tracking is not public - the only knowledge we have of bugs is the CVE information. There are other issues with this that have been highlighted time and time again showing that vulnerability disclosure time/count means very very little. It is worth noting but barely.

    Also worth noting - while there are loose standards for deciding how critical an exploit is there are tons of grey situations [https://access.redhat.com/security/updates/classification/]
    The source provided for those statistics (not DoR) also doesn't seem to provide a whole lot of information (such as the specific bugs/ vulns) and is provided by a MS employee, which in and of itself does not refute anything said but it's nice to see facts.

    So, what does all of this mean?

    Well, while I think it's wonderful that Microsoft is making great strides towards a secure development cycle (which is incredibly important) the graphs they show as facts and the language they use to imply that they're more secure than Linux really takes away from their accomplishments.

    Linux is not anti secure-coding. You can have security audits of the Linux kernel, in fact open source software truly lends itself to this (I've talked about V&V in the past) and in fact there are security audits and a secure coding system.

    The implication that secure coding and open source are mutually exclusive isn't even implied in the article (just a lot of other crap) and that's what I was telling you earlier. There is no reason to believe this. The article doesn't say it.

    What it does say is that Linux doesn't have proper procedure (not that it can't) and that Windows does.

    fin
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As for open vs closed, closed has very very few advantages if any... a strong business model? Red Hat has proved OSS works great for a business. Arguably, I suppose, closed source provides a stronger hierarchy... whereas Linux delegates that duty to the community, i.e. it's Red Hat's job to say how they commit code, it's Google's job to say how they commit code. With MS it's just MS's job. Whether that's an advantage or not... idk.

    What you do get with open source is endless choice. I'm recompiling my kernel right now so that ASLR is supported within the kernel with greater entropy (as in the kernel will be randomized) with new access control policies that stack with AppArmor and various other exploit mitigation techniques.

    I'm also compiling it to be optimized for i5 64bit CPUs with SSE4.2 instruction sets.

    Can't do any of that with Windows and purely because it's closed.

    I can reduce my attack surface to the absolute minimum by compiling out unneeded drivers/ services.

    I can lock my system down an insane amount purely because it's open source.

    I could go into great detail about why Linux is more secure or even why Open Source in general is more secure but I think we both know that neither one of us is changing our minds and any reader of this topic now has a fair and balanced view on both sides.
     
    Last edited: Apr 19, 2012
  3. guest

    guest Guest

    They didn't say the case was a "standard": they were clear adding words, "at the extreme" and "anecdotes".

    Yeah, but can't your own recompilation or whatever introduce new bugs?

    And there are those who may look at the source, find security vulnerabilities and never report them.

    Can we compare how much those companies invested/are investing in Linux in terms of MONEY?

    I think it will be less than the money Microsoft actually invested/is investing in Windows.

    The money they invest in the project (which translates in working hours by their own programmers, etc etc): that's what matters when we talk about big companies' support.

    I don't know, and the quality of the revisions matters too.

    Of course, but Microsoft's auditing is probably better.

    The implication is simply that those improving Linux may be skipping too much bugs.

    And that may not be happening on Windows thanks to better process.

    Plus, that SDL can make Windows better.

    And in proving that it can be superior to Linux.

    These companies may not be investing like Microsoft is, they don't have as much resources.

    DoD? Governments have access to Microsoft's source code. Remember, it's under a shared source model.

    Not that he is more motivated, but that he usually has more time to dedicate (because he is being paid to use his time with that).

    Daveski =!= guest :D

    They are comparing the first six months after release.

    And you definitely know nothing about XP adoption rate: www.crn.com/it-channel/18829228

    ;)

    Are you assuming that crackers will always report the vulnerabilities they find in Linux / exploits they make privately - only because it's "open source"?

    I didn't say they were.
     
    Last edited by a moderator: Apr 19, 2012
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    I think Hungry's doing a good job explaining about Linux in a Linux thread. Kudos!
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I was trying to say that SELinux is a standard, as in it was the first LSM iirc.

    Absolutely. That's why it's not supported - the operating system isn't designed to run on that kernel.

    Sure... and there are people who find bugs in Windows and don't report them.

    Why would it matter in terms of money? And I doubt you can really count volunteer work as monetary; idk how you'd manage that conversion.

    But Redhat is a billion dollar company. So are Linux and IBM. The DOD has also invested.

    Based on what?

    edit: You're basing this off of completely flawed stats and MS's word. With Linux you know exactly where you stand because it's all out in the open.

    Neither of which are proven, they're erroneous.

    SDL is a title given to a process. That process is essentially safe coding and audits. Any developer can do this.

    Hardly.

    Shared source lol a fun buzz word for microsoft. Very little of their code is open. DoD uses open.

    The problem with this being that Linux devs are paid... and that community devs absolutely work hard. Look at the people writing the Dolphin and PCSX2 emulators - 0 financial backing whatsoever. They've made these insanely complex and beautiful programs that are constantly updated by dozens of developers - and that's just a niche product!

    Ctrl F vista not found.

    When Vista was released XP was by far the dominant OS.

    Of course not. I wouldn't make that assumption about Windows either.

    But when a vulnerability is found EVERYONE knows. Not the case with Windows, only MS knows.

    ME: Process is plenty important. Having a conversation on process vs open source is ridiculous. It is not one or the other.

    You: We are discussing realities, not theories.

    EDIT: PS. About the chroot issues from a page ago, pax completely fixes these and creates a full BSD jail without the need for LSM.
     
    Last edited: Apr 19, 2012
  6. guest

    guest Guest

    So one takes high risks going that route. Maybe higher than the theoretical payoff. Therefore, the ability to take such route has little or no meaning at all for consumers.

    But at least Microsoft offers them money to report security vulnerabilities.

    Oh money matters so much. As IBM puts it (describing where their investments in Linux are applied): support to its programs, Channel/partner initiatives, research and development, marketing and various technology and integration centers.

    I agree. Red Hat is probably investing everything it can in Linux, but it's so much smaller than Microsoft as a company that the comparison is laughable.

    Linux - ?

    IBM - what matters isn't if it's billionaire or not. What matters is if IBM's investment in Linux is bigger than Microsoft's investment in Windows. By researching some financial figures, I highly doubt it. For example I found a source stating that during a period of three years starting after 2005, IBM invested $100 million dollars in Linux. I guess that's laughable if we compare what Microsoft invested in Windows during the same period.

    Government agencies all around the world are actively reviewing Microsoft's source code, because Microsoft makes it available to them - shared source initiative.

    Several stats. Some logical conclusions.

    "When comparing security across different products, a common measure of vulnerability is Days of Risk (DoR). DoR measures the time from when a vulnerability has been publicly disclosed until a vendor update is available to close the vulnerability."

    No you don't. For example, some people may refuse to report the vulnerabilities they find in Linux because there are no financial rewards.

    Now try to argue that financial rewards count little to those looking for security vulnerabilities. Try to tell me that there are many (maybe more) very dedicated people looking for security vulnerabilities just because they love volunteer work.

    It may not be proved as 1+1=2, but we were/are able to see indications coming from sources inside the Linux kernel development (like the one provided on that article).

    Of course they can. But, from being able to do something and actually doing that, there is a long distance.

    I don't think so.

    As I said before, shared source is relevant. For example, government agencies all around the world are actively reviewing Microsoft's source code, because Microsoft makes it available to them.

    Yeah, great things can come from volunteer work. But, it's definitely not a synonym for guaranteed success, even the paid work in the case of Linux isn't a synonym for guaranteed success:

    The stats were comparing Vista six-months old with XP six-months old, along with some other contenders (also six-months old). So, your assertions were totally out of place.


    Good.

    No, it's not everyone that knows. When a vulnerability is found, only the one that found it knows - initially. He may or may not decide to report. Microsoft gives financial rewards to those reporting - so it increases the chances he will decide to report. I don't see the Linux Foundation or something else giving financial rewards to those reporting security vulnerabilities in Linux.


    That's it.
     
    Last edited by a moderator: Apr 19, 2012
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Eh, was going to reply but I'll stick with:

    You're making a lot of statements as if they were facts when they're not. The stats are bogus and there have been papers that are made directly for the purpose for why stats like that don't matter. Making sweeping statements like "bounty programs mean more vulnerabilities will be found" is silly especially in light of other sweeping statements such as "more eyes on source code doesn't mean more vulnerabilities will be found."
     
  8. guest

    guest Guest

    Prove that those stats are bogus.

    I don't see the correlation between one statement and the other. Let alone a correlation that would justify calling any of them silly.

    Do yourself a favor and reread what was stated about the "many eyes" mantra for Linux security:

     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Almost like religion arguments :)
    Mrk
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm not going to prove anything to you so why would I possibly bother? lol

    I've already made the point about those stats making no sense. Comparing vulnerability disclosure -> patch times across Linux to Windows is inane. It makes no sense.

    I agree (and have agreed already) that their statement about "many eyes" is fairly accurate. But they're making sweeping statements and it's silly.

    The statements are unrelated. The point is that they're making statements like that at all, which are simply not proven.

    You're picking and choosing what to believe, which is fine and I'm not going to try to change your mind. Calling something a fact because it's got a source attached is silly.

    edit: Again, I'm not going to change your mind. You've formed an opinion and now you're finding facts for that opinion - no useful argument can happen here.

    @MrKvonic, about as useless as a religious debate, yes.
     
  11. guest

    guest Guest

    Why stats comparing these aspects do not make sense?

    I sincerely don't understand your point.

    Several security analysts from several different sources are behind stats like those.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Did you actually read the sources? lol One of them was just some guy who was curious and the other was a Microsoft employee who didn't source his own work with individual bugs.

    There are security analysts on both sides (though I think in general just about everyone who doesn't work for MS realizes that open is better because of the ability to actually audit the code.)

    Comparing disclosure time against an open source/ closed source product is idiotic. It literally makes no sense because the process of disclosure is completely different. This has been said in plenty of papers in the past.

    It's the same issue with counting vulnerabilities. It means almost nothing.

    If this is a conversation about open vs closed and not MS vs the world it's very simple - open source provides the potential for a ton of advantages and closed source only provides a simpler business model.

    If this is a conversation about MS vs Linux it's less simple but in the end you're saying that what matters is the business model (pouring money into a product = better product) when that's never been shown to be true. Community projects have consistently produced incredible code.

    Microsoft's article boils down to "we have a more secure process and a secure process is what matters", which is incorrect on both ends. Both BSD and Linux have very formal developer assignments and tasks with security auditing etc. all happening right there, just like what MS has.

    If you can't see this there is no discussion to have. edit: And again you're acting as if opinion = fact just because you can point to an article/ paper where someone said it.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://www.whitehouse.gov/files/doc..._Software_and_Cyber_Defense_01_April_2009.pdf

    There's a fun paper by the government. It uses some silly stats just like your article so I guess maybe it'll be more convincing.

    I think that these charts are slightly less stupid because they're at least audits from a 3rd party. But security isn't about things like this - it's about understanding the need to verify software and understanding what a good policy and a bad policy is. Development cycles are important, MS is correct when they say that, they're just wrong when they say that Linux doesn't have proper procedure.
     
  14. x942

    x942 Guest

    Nah. We all know how real malware works on linux:

    Source

    :D
     
  15. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
  16. guest

    guest Guest

    http://www.nsa.gov/research/selinux/faqs.shtml#I23

    Hungry Man, I'll get to you later. :D
     
  17. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    I really think there are better ways for using your talents even at Wilders.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    To save you some trouble, I'm not really interested. If you feel like replying, understand that you'll be posing it to someone else if they feel the need to take part in the conversation.

    edit:
    lol not really sure what you're saying here...
     
    Last edited: Apr 20, 2012
  19. guest

    guest Guest

    No problem, I'll be posting anyway.
     
  20. guest

    guest Guest

    What are you talking about?

    So what is the consequence of your statement? Are you saying that Microsoft's code isn't audited? Actually, Windows' code is *probably* being better audited than Linux's.

    Yes it makes sense. You can say that Microsoft may hide the reported vulnerability until it has an available and tested fix (paying the one who reported to keep it privately too), and that the Linux Foundation can't do that because they can't control the information once they have it.

    Which is one more bonus point for Microsoft, because such process makes it harder for other crackers to make exploits for the hidden vulnerability they don't have any info about.

    While in Linux once a vulnerability is discovered and reported, every cracker in the world can access the info immediately, even if no fix is available.

    Of course it means. Secunia (for example) lists all vulnerabilities it finds in Microsoft's software, no matter if the company admits them or not. It's true that Secunia may give some time for the company to fix them, before exposing them to the public (partially or fully).

    Money is important and relevant. All successful community projects need money to survive. The ones that receive more money tend to be more successful and popular.

    Why are you bringing BSD to the table? And I doubt Linux's process is as good and comprehensive as Microsoft's one. Stats are a strong indication to the contrary.

    I'm not, I know the difference between opinions and facts.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You're still not getting it.

    It is really really clear that this isn't true and I think anyone reading this will likely agree. That's why I'm not interested in further discussion.
     
  22. guest

    guest Guest

    Facts x Opinions? This is getting boring.

    Certain facts can disprove certain opinions only when they are presented.

    I'm not posting here for the public acclamation or whatever. I know pretty well that most posters (readers?) hate me or see me as some kind of MS fanboy (devil's advocate? LOL).

    I'm posting here only to expose/learn different POVs, there is no other point to this discussion.
     
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Just a reminder. The Linux forum is provided to discuss the world of Linux. It is not a forum to bash or demean other operating systems.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't know why anyone would hate someone over internet posts lol but I just don't think the discussion is productive. My point was not to say "Oh I hate you" or something like that, I was only trying to point out that it seems, at least to me, very clear that you have your opinion and you're only understanding the facts that back that opinion up. Maybe that's some fanboy thing, maybe it's a devil's advocate thing, maybe I'm just insane and seeing things that don't exist.

    As for further discussion on the statistics and points in the article, as I said earlier, I'm not really interested in trying to convince anyone. I put it out there that I don't think those statistics are meaningful in any way and I explained why tracking CVEs doesn't make sense (this has been brought up in a number of whitepapers that I've read.)

    I agree that it's boring.
     
  25. guest

    guest Guest

    Neither do I, but I still can sense that sometimes. Maybe I'm just hyper-sensitive, lol. It doesn't matter if I'm correct on this "sensing" or not, such things are not going to change my behavior/opinions.

    I don't think so. POVs are being stated, no flaming, no trolling.

    Never said your point was that. You just tried to tell me that anyone reading this would agree with you, and I told you that public acclamation really doesn't matter here IMO.

    Or maybe I just didn't understand your opinion/facts/whatever because I'm dumb or because you didn't present them very well.

    That's one part of the discussion where I really didn't understand your point.
     