Linux security sucks too?

[Xeen]

Someone pointed me to this, claiming that Linux is even more unsecure than Windows:

http://lwn.net/Alerts/

Not exactly sure how to respond.

[flap]

I don't understand what your point is. That unix software has bugs? Of course it does. Just not as many as Microsoft software.

[Calum]

what is their point?

open source software enables people to see and fix bugs and holes quickly. this happens time and again and is free for those who wish to take advantage of the freely donated fixes.

closed source software (we are talking windows, solaris, and so on) does not have this. they still have the holes and bugs but because nobody but the vendors can see the code, those holes never get plugged. the practical evidence shows that *BSD and  linux are a shitload more secure than other big but closed OSs, and this is the reason.

[jasonlane]

One of Open Sources strong points is that it can be judged (the product, code etc.) by your peers. Proprietary / closed source development does not have that advantage. This means that bugs ARE fewer in Open Source developments and bugs are usually fixed at a quicker pace. It makes sense to involve and engage the community at large, rather than to try and close as many people out as possible.

[mushrooomprince]

Heh ... Linux security sucks ... yeah  they would like that wouldn't they ?

[Faust]

woo old thread back to life scary...  like frankenstein!!!

a lot of those security alerts are "possible exploits."  Take these Debian bugs for example:

[21 Sep 2003] DSA-382 ssh - possible remote vulnerability (new revision)
[18 Sep 2003] DSA-386 libmailtools-perl - input validation bug
[17 Sep 2003] DSA-383 ssh-krb5 - possible remote vulnerability
[16 Sep 2003] DSA-382 ssh - possible remote vulnerability

Note the "possibles."  With open source or better possibles can be fixed *BEFORE* they are exploited.  With non free programs you dont know theres an exploit until some fucking bastard in a tiny country you've never heard of is using it to buy kiddy porn with your credit card, and that bug wont be fixed until the vendor sees a commercial benefit to doing so - think about it, Microsoft is a company, they are interested in money not software.  Software is only of use if it gets them money, which is nice to most people but not the be all and end all to those of us with ethics.  If an exploit is not popular enough to piss off enough customers why spend money on fixing it?  In fact why not just spend that money on a newer Office suite to make *MORE* money, because Windows users will not spend $$$ on a new upgrade cycle for "bug fixes."  (well not all of them are that stupid i guess...   although i guess windows 98 etc is a point.  )  In fact, why not just ban users from even publishing those bugs (whice the new EULAs are covering...  you cannot publish benchmarks of .NET code without MS approval.) and have a nice empty exploit report list to give consumers the opinion that you have none?

Also look at the "perl" exploit...  ah perl?  Unless your running cgis with it that bug is only exploitable to local users - not remotely.  With the massive amount of software in say Debian, also note that those exploits arent just "linux" exploits.  They also cover MySQL, Apache, sendmail, wu-ftpd etc.  How much bigger do you think the MS bug report database would be if they like GNU/Linux vendors covered all the bugs in all the software that most commonly runs on their platform?  If Windows like Debian was distribed with 9000+ seperate software packages all "made to work with Windows" by Microsoft how much longer would those MS bug reports be?

[M51DPS]

Just a quick poll, how many people have OpenSSH active? How long did it take you to upgrade? Are you aware that the MSBlaster Worm affected people who didn't upgrade months after the patch was released? Or what about how many people don't want to apply patches because it causes more problems? I have this theory that every OS has some bugs, and that maybe some OS are put into the spotlight because a certain evil corporation wants them to look bad. Anyone had a glimpse of a list of Mac OS X security updates? As long as it is, I'm not afraid to apply them and I do it as soon as possible.

[Stryker]

quote:Originally posted by M51DPS:
Just a quick poll, how many people have OpenSSH active? How long did it take you to upgrade?

I have openssh active, i didn't upgrade it. I probably won't. I dont have anything important that isn't backed up, and i'm on dialup so people will probably use me alone. it's not like i go handing out my ip address to everyone.

[flap]

why bother running sshd if you're on dial-up? Or if it's only for your internal network why not block it (and everything else) at the firewall?

[mobrien_12]

I patched openssh within the same day as the flaw was announced.  OpenSSH is one of the few services that I leave open to a relatively large number of IP addresses, and I learned long ago that if you choose to have an open service you must commit to patching it regularly.  

I might have waited longer (within a week), but

1) My Linux boxes are in a "war zone" (numerous probes every day, systems other than mine on the subnet are compromised on a regular basis, and the network admins refuse to firewall the network).

2) The OpenSSH hole was one of the few OSS flaws that was being exploited before the programmers found it.

I patched MSRPC within a couple of days.

[solarismka]

quote:Originally posted by M51DPS:
Just a quick poll, how many people have OpenSSH active? How long did it take you to upgrade? Are you aware that the MSBlaster Worm affected people who didn't upgrade months after the patch was released? Or what about how many people don't want to apply patches because it causes more problems? I have this theory that every OS has some bugs, and that maybe some OS are put into the spotlight because a certain evil corporation wants them to look bad. Anyone had a glimpse of a list of Mac OS X security updates? As long as it is, I'm not afraid to apply them and I do it as soon as possible.

Yup I've got openssh active, running a server.  Updated after a few minutes after the patch was posted.  

No curruption, loss, and/or downtime  

[Windows_SuX_@$$]

M$ IS YEARS BEHIND LINUX, But it supports gaming

Linux is more stable

[SAJChurchey]

Actually the first instance of the bug was found in OpenSSL on Sept. 29, and on Sept. 30 OpenSSL released the patch.  It was patched up fairly quickly.  It would have probably taken a week or two for M$ to patch a publicly announced security bug.

[mushrooomprince]

I don't see any articles on how million of dollars was lost due to a vulnerability in linux exploited by hackers.  Until i see one, I'm assuming linux security is good, and far better than windows.