Re: Security followup

Subject: Re: Security followup
From: Bruce Byfield <bbyfield -at- axionet -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Fri, 17 Jan 2003 18:39:31 -0800


Peter Lucas wrote:

> I was tasked with setting up Red Hat Linux 7.3, Apache, MySQL, and then
> configuring the FTP server. As I scoured the Internet and also Red Hat's web
> site, I was just blown away by all the security warnings and patches that
> were available for the OS and each product.

You're making a very common error here. The number of security warnings and patches for Linux is not a sign of security weaknesses, but of intense consciousness of security issues among Linux users and developers.

To start with, one reason that there are so many security warnings and patches for Linux is that, often, warnings are issued not only for the program, but also for each distribution that includes the program. That means that the same warning may be issued several times from several different sources, giving the appearance of many more warnings than there actually are.

Secondly, you can't judge security simply by the number of warnings. If you read the notices, you'll notice that the vast majority of them are trivial and unlikely to affect most users. Vulnerabilities of the severity of those that regularly plague Internet Explorer, for example, are relatively rare. However, because of the degree of security consciousness among Linux developers, even trivial ones are patched and announced as quickly as possible. It's a matter of pride for them.

Naturally, a program with no vulnerabilities would be the ideal but you'll never see it. Given all the possible combinations of hardware, software, and users, no software on any platform can be tested until it's guaranteed 100% safe. The best that can be done is to patch them as quickly as possible.

Which brings up my third point: one of the things that Linux developers are very good at is issuing warnings and patches quickly. The Linux community announces warnings as soon as they're known; by contrast, Microsoft has taken months to admit to a problem after it was already widely known. And whereas Microsoft patches take weeks to be released, patches for Linux software are released within days, and often within hours, of the announcement.

This quick response increases security. Once a vulnerability is known, word tends to spread quickly among the crackers, so the faster a patch can be released, the safer users will be. By contrast, Microsoft tries to minimize damage by saying nothing about the vulnerability, but that does nothing to warn users, or to prevent crackers from exploiting it. Word gets out anyway. Far better, I think, to let people know and get a solution out, the way the Linux community does.

Yes, you sometimes get a faulty patch that way, as you apparently did (although I wonder: was it faulty, or did it disable a feature for security reasons?). But Microsoft's patches are no better, for all the extra time they take to be released. Last year, for example, Microsoft took over two months to acknowledge widely known problems with Internet Explorer, and then released a patch that only addressed 9 out of 14 known vulnerabilities.

Far from being a sign of weakness, the number of security warnings and patches that you can find for Linux is a sign of greater security, not less.

--
Bruce Byfield bbyfield -at- axionet -dot- com 604.421.7177
http://members.axion.net/~bbyfield

"Fairy tales are more than true: not because they tell us that dragons exist, but because they tell us that dragons can be beaten."
-G. K. Chesterton.







References:
RE: Security followup: From: Peter Lucas
