Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju
Nice, let's all now switch our servers to Windows!!! Oh but it doesn't run on ultrasparc... -- Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html
Microsoft is doing better overall than its leading commercial competitors.
^^^^^^^^^^
---
Ben Calvert
Flying Walrus Communications
Doesn't this mean that they now have more coders on payroll to fix stuff than they do to write the OS? Kinda scary.
As I see it they compared:
Microsoft: 12 serious vulnerabilities in the OS
Red Hat: 2 serious vulnerabilities in the kernel + packages
Mac OS X: 1 serious vulnerability in the OS
HP-UX: ?? _serious_ out of 98 total
Solaris: ?? _serious_ out of 36 total for OS + third-party apps
The article seems to rank by the number of patches. If a vendor waits and sends out a mega-patch even monthly, to fix more bugs than anyone else, then that's only two patches over a 6 month period. It's a poorly constructed survey. Doug.
IMHO it's not a fair comparison; most Linux distributions ship with a lot more software than Microsoft Windows does, and most bug reports indicate an issue with third-party software.
If you read the article past the summary, they mention that. While Windows had far fewer bugs than say Red Hat, Red Hat only had 2 (out of 208) considered high/severe. Windows had a very high percentage of its bugs labelled as high or severe (12 out of 39). Similarly, I'm sure if you looked at the time-to-fix for just the high and severe bugs from each side, you'd see that the Microsoft ones were slower to get patched. I'm just betting that the 200+ less unimportant bugs included many that really just didn't warrant any priority to fix. Unfortunately, the article doesn't really show this in the light that suggests the findings of Windows being the most secure commercial OS might be false, but it's not too hard to read between the lines. 78% of statistics are made up and 103% of statistics can say the exact opposite of what you think they should mean. -- Regards, Neil Schelly Senior Systems Administrator W: 978-667-5115 x213 M: 508-410-4776 OASIS Open http://www.oasis-open.org "Advancing E-Business Standards Since 1993"
And *anyway*, measuring security by number of patches for bugs and time it takes to patch is silly. Every OS, even OpenBSD as we just saw, is probably full of undetected exploits that are constantly getting fixed indirectly as overall code quality is improved. -Nick
It's even more bullshit than that. Among other things, it compares the number of 'patches', which for non-MS systems tend to be 1:1 or close to it, whereas MS has been making a point of rolling as many vulnerabilities into a single patch as possible. The metrics are not described. Terms like 'patch', 'vulnerability', 'advisory' are intermingled in a most unclear manner. Patch 'development time' seems undefined as well. Symantec makes its living selling paper bailing cups in a leaky boat. The media actively participates in obfuscating the issues, the causes and the solutions by publicizing such crap from Symantec and MS. -Lars Lars Noodén (larsnooden@openoffice.org) Ensure access to your data now and in the future http://opendocumentfellowship.org/about_us/contribute
Yes. Symantec make their money from a long-term open wound. Symantec then provides creative "research" that makes that open wound look best. Talk about a conflict of interest. Symantec have been trying to demonise OS X for a long while. Shane J Pearson shanejp netspace net au
> Symantec have been trying to demonise OS X for a long while. And it is going to work soon. Because OS X has no ProPolice-like compiler stack protection, nor anything like W^X which makes parts of the address space non-executable, nor anything like address space randomization which makes certain attacks very difficult, especially with the previous two techniques. So when they have a bug, it is exploitable just like bugs are on any other powerpc or i386 machine running some other operating system. These days even operating systems like Vista have the above 3 security technologies. But can we get back to OpenBSD discussions?
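The post above names three mitigations (ProPolice-style stack canaries, W^X, ASLR) without showing what they actually do. The following is an added example, not code from this thread or from OpenBSD or Apple: it simulates the canary idea in portable C (an explicit guard word placed above a fixed buffer, checked after an unchecked copy, standing in for the guard the compiler would insert) and probes at runtime whether the kernel will hand out a writable-and-executable anonymous page, which is what W^X forbids. The canary constant and the sample inputs are constructed for the demonstration; real canaries are random per process, and ASLR is not probed here.

```c
/* Added example (not from the thread). Simulates a ProPolice-style stack
 * canary with an explicit guard word and probes the kernel's W^X policy. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

#define BUF_LEN 16
#define CANARY  0xDEADC0DEu  /* assumed fixed value; real canaries are random */

/* Layout mimics a protected frame: the array sits below the guard word, so an
 * overflow must clobber the guard before it can reach the saved frame pointer
 * or return address that would sit above it on a real stack. */
struct frame {
    char     buf[BUF_LEN];
    uint32_t canary;
};

/* Copy n bytes of attacker-controlled input exactly the way an unchecked
 * strcpy/memcpy would (no check against BUF_LEN), capped at the struct size so
 * the write stays inside the object and remains defined C. Returns 1 if the
 * guard survived, 0 if it was overwritten, the condition under which
 * ProPolice's __stack_chk_fail() would abort the process. */
int canary_intact(const char *input, size_t n)
{
    struct frame f;
    f.canary = CANARY;
    if (n > sizeof f)
        n = sizeof f;
    memcpy((unsigned char *)&f, input, n); /* the "vulnerable" copy */
    return f.canary == CANARY;
}

/* Returns 1 if the kernel granted a W+X anonymous page (no W^X policy),
 * 0 if it refused the mapping, -1 on an unrelated failure. OpenBSD refuses;
 * a stock Linux kernel grants it. */
int wx_mapping_allowed(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0)
        return -1;
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return (errno == ENOTSUP || errno == EPERM || errno == EACCES) ? 0 : -1;
    munmap(p, (size_t)pg);
    return 1;
}

int main(void)
{
    char ok[8] = "AAAAAAA";       /* constructed sample: fits inside buf */
    char evil[BUF_LEN + 8];       /* constructed sample: spills over the guard */
    memset(evil, 'A', sizeof evil);

    printf("short input: canary %s\n",
           canary_intact(ok, sizeof ok) ? "intact" : "smashed");
    printf("long input:  canary %s\n",
           canary_intact(evil, sizeof evil) ? "intact" : "smashed");
    printf("W+X anonymous mapping allowed: %d\n", wx_mapping_allowed());
    return 0;
}
```

Run it on OpenBSD and the W+X probe reports 0; on most Linux systems it reports 1, which is exactly the gap the post is complaining about for OS X of that era. The canary half only shows the detection logic; the real protection comes from the compiler emitting the check in every function with a stack buffer, so there is no copy routine the programmer can forget to wrap.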
Who says they don't have that all up their sleeves? Like OpenBSD, OS X has a pretty clean and well maintained setup. I believe they can copy most of the defences without any problem from well tested OpenBSD, and they would be pretty stupid if they hadn't done so already for testing. I presume they haven't put on those defenses to avoid problems with Although misc carried quite some fluff lately, the implementation of more OpenBSD features in OS X is an interesting thought. +++chefren p.s. Maybe I was too harsh against Karel?
I'll bottom post just this once to add to this list of agreement. danno
Thought you might be interested in this: http://www.omninerd.com/2007/03/26/articles/74 More or less a follow up to the Windows award... This time with FreeBSD in the comparison... -- Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html
I think it's a very fair comparison. Hmm. let's see, An OS that ships with a big pile of stinking garbage written quickly to dangle the prettiest shiny things in front of users little brains before anyone else does. Linux distros do the first to market and damn the consequences game just as well as Microsoft ever has. "Third party software" - in linux? fuck in Linux distributions everything in userland is third party software. Linux is a kernel. The operating system is then a collection of things put together by bundlers. Do I think either vendor does a good job, no, but is Microsoft doing a better job of it than say, Red Hat? Yep. You betcha. If you right now took a magic fairy wand and replaced windows in all the broadband connected machines out there with a full featured (and that means all the bells and whistles, not spending half a day turning all the shit off and un-setuiding all the inane shit that is setuid root) Red Hat install with similar tools, I'm pretty sure you'd have a virus and worm shitstorm that would make what we see now hitting our mailservers from windows machines look like a tiny little unoffensive fart - from a vegetarian at that. And yes a big chunk of the problem is the knuckle dragging mouth breather in front of the keyboard - thank god that's not OpenBSD's targeted userbase, although some days reading misc@ I wonder. -Bob
Damn, I wonder how I stumbled onto OpenBSD then. Greg
I'm a babe in the BSD woods but I've spent 8 years with Linux. I started with RH, didn't like the philosophy and switched to Debian Potato, then Sarge. My big new box is on Etch; my small box will probably be OpenBSD. Please don't tar (so to speak) all Linux with the RH brush. I don't know what happens if one chooses to install Debian and selects the 'desktop' task. I don't choose any tasks and get a base install, then add one thing at a time as I need it. After reading the securing-debian book (harden-doc.deb) I found that there wasn't much that applied to a base install. Their challenge is that they need to provide choice, so they have what they call reasonable defaults. They also have several different packages to do the same thing, each of which has to work on being installed. I think they do a good job, given their mandate. My current frustration is that the copyleft licences (such as GPL) are being moved to the right for some things (like the GFDL) and conflicting with Debian policy. That means, for example, that the tar(1) man page is a summary that points you to GNU's web page. Not very helpful. This is another reason I'm looking at OpenBSD. There are only two reasons why I haven't tried OpenBSD yet:
1. My Athlon box is on Etch (testing) and until Etch is stable, I don't want to mess with my tool box (486, Sarge).
2. When I try OpenBSD, it will be on the 486. I'm working out in my own mind how the patches work given an old slow box.
In any event, I _will_ try OpenBSD on the 486 once the Athlon is running Debian stable. I will try to breathe through my nose and keep my fingers on the home keys. Doug.
No, they don't need to provide choice. At least not that many. They decide to do so. That's most of what's wrong with OS stuff these days. Too many choices. Too many knobs. Every day, I see people shoot themselves in the foot, not managing to administer boxes and networks in a simple way, making stupid decisions that don't serve any purpose. ACL, enforced security policies, reverse proxy setups, user accounts, network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs... so many choices. So many wrong choices. At some point, the people who package the software need to make editorial decisions. Remove knobs. Provide people with stuff that just works. Remove options. Or definitely give them the means to do the trade-off correctly. Okay, it's a losing battle. I'm an old grumpy fart. Okay, a lot of IT people are just earning their wages by managing the incredibly too complex setups we face nowadays (and not screwing up too badly in front of a multitude of stupid, inane choices). Linux is the `culture of choice'. Provide ten MTAs, ten MUAs. Twenty window managers. Never decide which one you want to install, never give you a default installation that just works. Cater to the techy, nerdy culture of people who want to spend *days* just making choices. We try not to be as bad, to provide default configs that work, and not so many choices.
I agree with you that secure/sane defaults are very important, they are a big pro for OpenBSD. Featurism violates KISS and we all know that KISS is the only way to handle ever growing complexity. BUT choices are important as well, everything else is "world domination tour" aka dictatorship (and not the good kind). Imagine not having a choice in hardware, wait don't just imagine look at the high-end graphics card market. Sorry, but I just couldn't leave the "one size HAS TO fit all" alone without any restraints. Regards, ahb
That's exactly why I switched long ago. Poking around at 1000 different little apps all doing the same thing was fun for awhile on Linux but I eventually realized that all the choices actually reduced my productivity. A second reason I switched was because of OS cohesion. Greg
Multiple user accounts and a journalling facility on a filesystem == Wrong. Unix is the "culture of choice", and that includes Linux and OpenBSD. It's been the same ever since Berkeley included csh. That, by the way, is why YOU have the option to run OpenBSD, and others have I was happy with the choices in Linux ten years ago. Some still aren't happy with it. That's the nature of people these days. If you want to try to change their behaviour you have to provide for them in the meantime. Jeff -- Q: What will happen in the Aftermath? A: Impossible to tell, since we're still in the Beforemath. http://latedeveloper.org.uk
How many MTAs, MUAs, http servers, text editors, DNS servers, FTP servers, etc. are included with OpenBSD? Greg
Security comes from this. As Bruce Schneier and Niels Ferguson write in ``Practical Cryptography'', on page 12, ``There are no complex systems that are secure. Complexity is the worst enemy of security, and it almost always comes Again, from the same book, ``One of the things we have tried to do in this book is to define simple interfaces for cryptographic primitives. No features, no options, no special cases, no extra things to remember.'' The fact that an OpenBSD system is secure out of the box is the main reason I started using it.
On 3/22/07, Bob Beck <beck@bofh.cns.ualberta.ca> wrote: The fallacy that is this clause undermines your broader argument. Promise yourself not to spread such falsity again, and you will be well served. -Todd
First, these types of articles (generally) have nothing to do with making a fair comparison. They are made up by marketing guys for marketing reasons. Second, it just goes to show that an OS that doesn't ship with a bunch of extra fluff that most people aren't going to need anyway is always the best choice. That was one of the first things that attracted me to OpenBSD. I remember saying to myself "What? You have to enable the web server? It isn't on right out of the box? WOW! What a concept!" Needless to say, I threw away my Red Hat CDs and haven't looked back.
I think I'll print out this article for use any time my boss gets a wild hair up his ass and wants to convert to windows. The stats for number of vulnerabilities and turn around time have always been abysmal for windows and this article just proves that nothing has changed. Maybe I could admit that this is marginally better than previous windows versions (maybe) but it is still very sloppy when compared to OpenBSD. A special thanks to Theo and the OpenBSD team for making me look so good all these years. stuart
