Is this true
Forum: Linux
Category: Other
Title: Miscellaneous
Thread ID: 00614827
Message ID: 00616167
Views: 23
You're welcome!
And, I didn't mention the fact that they left out ALL the data after August 11, 2001 because they had 'server problems'. Ya, I bet... wait, if they were running WinXX that's a distinct possibility. What is really convenient is all those CodeRed, SirCam, and their variants that caused so much havoc with WinXX sites last fall being left out of the statistics, to say nothing of all the DOS that resulted because the rest of us kept getting hit by all that viral junk. During CodeRed I was getting 4 to 5 hits per minute. If I hadn't had some protection settings in my Cisco 675 dhcp server I would have had to cycle the power on that Cisco that many times each minute.

Here is an interesting comment posted on LinuxToday:
*************************************
bob niederman Feb 6, 2002, 14:46:12
My standard reply to this standard FUD tactic.
From the security focus site:
* These numbers are dated; the collection and calculation of data stopped in early August 2001 due to a site migration issue. We are currently working on this issue and should have it resolved in the near future.
[This means that the windows2000 numbers don't include the last half of 2001, the time frame in which W2K was attacked by at least a dozen viruses and worms]
* There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.
[This means that to total up the W2K vulnerabilities you have to add W2K, the web browser, office, the web server and the sql server. Whereas a Linux distribution with 6000 software packages is all added together, whether most people even install a particular program or not.]
* This is a simple raw count of the vulnerabilities in our database that are associated directly with an operating system. The factors mentioned above were not taken into consideration when generating these graphs.
[This means that you should actually go back into their database and look at what would have been installed and running at your site to support your needs and total the number of vulnerabilities that would have happened depending on what packages you would have had turned on to meet your needs. Then do a personalized report based on your site under various OS scenarios.]
* The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.
[ This means, don't compare them like that guy did, or like I am about to do. :)]
33 MandrakeSoft Linux Mandrake 7.2
28 RedHat Linux 7.0
27 MandrakeSoft Linux Mandrake 7.1
24 Debian Linux 2.2
26 Sun Solaris 8.0
24 Sun Solaris 7.0
24 Microsoft Windows 2000
22 MandrakeSoft Linux Mandrake 7.0
21 SCO Open Server 5.0.6
20 RedHat Linux 6.2 i386
20 MandrakeSoft Linux Mandrake 6.1
20 MandrakeSoft Linux Mandrake 6.0
19 Wirex Immunix OS 7.0-Beta
19 Sun Solaris 2.6
18 RedHat Linux 6.2 sparc
18 RedHat Linux 6.2 alpha
18 Debian Linux 2.2 sparc
18 Debian Linux 2.2 arm
18 Debian Linux 2.2 alpha
18 Debian Linux 2.2 68k
Looking at the above numbers it appears that there are at least a half dozen linux distributions that have fewer vulnerabilities than Windows. And only 3 that have more.
And what about all the distributions that aren't even on the list because this is a list of the worst offenders. Slackware only had about 10 vulnerabilities, and turbo linux only had 2.
Let's look at the last year for which they had complete statistics, 2000.
71 Microsoft Windows NT 4.0
29 Microsoft IIS 4.0
29 Microsoft BackOffice
--
129 total
52 Microsoft Windows 2000
29 Microsoft IIS 4.0
29 Microsoft BackOffice
--
110 total
65 RedHat Linux 6.2 i386
53 RedHat Linux 6.2 sparc
53 RedHat Linux 6.2 alpha
48 Debian Linux 2.2
47 RedHat Linux 6.1 i386
40 Microsoft Windows 98
39 RedHat Linux 6.1 sparc
39 RedHat Linux 6.1 alpha
37 MandrakeSoft Linux Mandrake 7.0
35 Microsoft Windows 95
33 RedHat Linux 6.0 i386
28 RedHat Linux 7.0
26 MandrakeSoft Linux Mandrake 7.1
25 RedHat Linux 6.0 alpha
25 Conectiva Linux 5.1
** Explorer and outlook had a few bugs too which aren't added to the totals.
If you could compare them this way, which security focus says not to, then windows has 2-3 times the number of security flaws than any single windows distribution. While containing at least an order of magnitude more software. Linux distributions come with at least 4 web servers and a half dozen databases. Linux distributions come with at least a dozen different web browsers and 2 dozen email clients.
One last thing. If the standard ftp server that ships with most Linux distributions has 5 security holes, then that counts as 5 vulnerabilities each against those distributions. Even though the distributions don't install or turn on the ftp server by default.

*************************************
The whole purpose for that story was so that Microsoft sales and PR types could send clippings along to middle level managers and purchasing agents with 'proof' that WinXX is more secure than Linux. Follow the money and I'll bet you'll find a payoff in there somewhere.... Just like a similar 'poll' three years ago...
JLK

>Thanks Jerry. Still reading that link on the bottom!
>Bob Lee
>
>
>>>http://www.wininformant.com/Articles/Index.cfm?ArticleID=23958
>>>Rajesh
>>
>>If you believe that then I have some land in Florida I'd like to sell you. ;-)
>>
>>The "counting" method used in that 'news' was interesting....
>>Let's say you put a $100 bill in your left shirt pocket, then put that same bill in your right shirt pocket, then in your left pants pocket, then in your right pants pocket, then in your wallet and finally put that bill in your hat band. Now, total all the $100 bills you have by their counting method and it comes to $600.
>>
>>All of the linux distro's use the same source for their kernel and general utilities files. So, if they all incorporate the latest version of sendmail in their distro, but that version has a security hole, do you count it as one hole or as 12 holes, one for each distro?
>>
>>Here is the bugtoaster site, which tracks MS OS bugs live:
>>http://www.bugtoaster.com/DW15/Reports/OperatingSystems.asp
>>
>>Or, for Linux:
>>http://linux.oreillynet.com/pub/a/linux/2001/07/30/insecurities.html#lin
>>although this site is for bugs related to every app in Penguin land. To get kernel specific bugs http://www.tux.org/lkml/ has kernel maintainer's mailing address. (There is a maintainer for each area of the kernel).
>>
>>RedHat's bug list is at:
>>http://www.redhat.com/mailing-lists/redhat-watch-list/index.html
>>If you check out one of them, for example, you will see that a single bug affects 10 different apps: http://www.redhat.com/mailing-lists/redhat-watch-list/msg00275.html so that running one patch update fixes them all.
>>
>>BTW, The number of patches that need to be applied would be a better measure of how many bugs exist. If a single patch cleared up a bug that was on all the windows platforms then it was just one bug, not 10.
>>
>>
>>And, up until Microsoft created their 'security consortium' and got security companies to not post WinXX bugs 'until'..., most security sites kept lists of both WinXX and Linux bugs, which made count, frequency and repair time comparisons easy. Now, only Linux bugs seem to get public coverage. WinXX bugs aren't announced until MS publishes a patch to fix it, if ever. Sometimes they won't admit to bugs, other times they take a long time to fix them. Very serious bugs they seem to get right on, however. The longer they take to fix a bug the longer more sites are exposed to being compromised. Why? Crackers communicate among themselves on their IRC channels and through private emails. They don't wait to read about new exploits in security groups or tech papers. The news of a new exploit travels very fast through the cracker underground, and they are quick to take advantage of them. The longer such bugs are kept secret from the consumer the longer they are ripe for exploit and the greater the odds that they will get hacked. When exploits were posted on security groups so were the code examples that demonstrated the bug exploit. When the patch was released a consumer could test the effectiveness of the patch by running the published exploit against it. Now, that's no longer possible and consumers in WinXX land are taking Microsoft's word for it that the patch does what it is supposed to do, and not something else, like add another backdoor to secretly download more demographic data. (pardon the name of the website) http://www.fuckmicrosoft.com/content/ms-hidden-files.shtml
>>JLK
Nebraska Dept of Revenue
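The thread above argues about counting methodology in four different ways: the raw per-product tally that charges one sendmail hole once per distribution (the "$100 bill in six pockets" analogy), the Windows stack where the OS, web server and browser are separate rows that have to be added back together, the suggestion that distinct patches are a better measure than advisories, and the "personalized report" idea of only counting packages a site actually runs. The script below is an added example, not part of the forum post or of any SecurityFocus data: it runs all four counting rules over a small constructed advisory table with hypothetical product and patch names, so the gap between the methods can be seen on concrete numbers.

```python
"""Compare vulnerability-counting rules on a constructed advisory table.

Added illustration for the thread's counting-method argument. All advisory
ids, package, patch and product names below are made up; nothing here is
taken from a real vulnerability database.
"""
from collections import Counter
from typing import Iterable, NamedTuple


class Advisory(NamedTuple):
    advisory_id: str
    package: str        # upstream component the flaw lives in
    patch_id: str       # the fix that closes it (one patch may close several advisories)
    charged_to: tuple   # product rows the raw statistic charges this advisory to


# Constructed sample data. The Linux rows are charged once per distribution that
# ships the package; the "Win*" rows mimic an OS whose web server and browser are
# tracked as separate products and therefore never add to the OS row.
ADVISORIES = [
    Advisory("ADV-1", "sendmail",  "sendmail-fix-1", ("LinuxA", "LinuxB", "LinuxC")),
    Advisory("ADV-2", "wu-ftpd",   "wu-ftpd-fix-1",  ("LinuxA", "LinuxB")),
    Advisory("ADV-3", "wu-ftpd",   "wu-ftpd-fix-1",  ("LinuxA", "LinuxB")),  # same patch as ADV-2
    Advisory("ADV-4", "kernel",    "kernel-fix-1",   ("LinuxA", "LinuxB", "LinuxC")),
    Advisory("ADV-5", "os-core",   "os-fix-1",       ("WinOS",)),
    Advisory("ADV-6", "webserver", "websrv-fix-1",   ("WinWeb",)),      # not charged to WinOS
    Advisory("ADV-7", "browser",   "browser-fix-1",  ("WinBrowser",)),  # not charged to WinOS
]


def raw_per_product_counts(advisories: Iterable[Advisory]) -> Counter:
    """Raw tally: one tick per (advisory, product) pair, i.e. the same bill in every pocket."""
    counts: Counter = Counter()
    for adv in advisories:
        for product in adv.charged_to:
            counts[product] += 1
    return counts


def unique_advisories(advisories: Iterable[Advisory], products: Iterable[str]) -> int:
    """Distinct advisories touching any product in a stack (collapses cross-distro repeats)."""
    stack = set(products)
    return len({a.advisory_id for a in advisories if stack & set(a.charged_to)})


def unique_patches(advisories: Iterable[Advisory], products: Iterable[str]) -> int:
    """Distinct patches an admin of this stack must apply (the 'count patches, not bugs' rule)."""
    stack = set(products)
    return len({a.patch_id for a in advisories if stack & set(a.charged_to)})


def installed_profile(advisories: Iterable[Advisory], product: str,
                      installed_packages: Iterable[str]) -> int:
    """Site-specific count: only advisories in packages the site actually installs and enables."""
    installed = set(installed_packages)
    return len({a.advisory_id for a in advisories
                if product in a.charged_to and a.package in installed})


def inflation(advisories: Iterable[Advisory]) -> tuple:
    """(sum of all per-product ticks, number of distinct advisories); the gap is double counting."""
    advisories = list(advisories)
    raw = raw_per_product_counts(advisories)
    return sum(raw.values()), len({a.advisory_id for a in advisories})


if __name__ == "__main__":
    for product, n in raw_per_product_counts(ADVISORIES).most_common():
        print(f"{n:3d} {product}")
    print("raw ticks vs distinct advisories:", inflation(ADVISORIES))
    win_stack = ("WinOS", "WinWeb", "WinBrowser")
    print("Win stack  : advisories", unique_advisories(ADVISORIES, win_stack),
          "patches", unique_patches(ADVISORIES, win_stack))
    print("LinuxA     : advisories", unique_advisories(ADVISORIES, ("LinuxA",)),
          "patches", unique_patches(ADVISORIES, ("LinuxA",)),
          "installed-only", installed_profile(ADVISORIES, "LinuxA", {"kernel", "sendmail"}))
```

On this sample the raw method hands out 13 ticks for 7 distinct advisories, the "WinOS" row shows 1 while the full Windows-style stack has 3, a single distribution needs only 3 patches for its 4 advisories, and a site that never enables the ftp server drops to 2. None of the four numbers is wrong; they answer different questions, which is exactly why the raw per-product chart cannot be read as an OS-versus-OS comparison.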