Oranges of course. This was an easy one. ;-)

Tal

> -----Original Message-----
> From: pic microcontroller discussion list
> [mailto:PICLIST@MITVMA.MIT.EDU] On Behalf Of M. Adam Davis
> Sent: Thursday, May 29, 2003 1:37 AM
> To: PICLIST@MITVMA.MIT.EDU
> Subject: Re: [OT]: Which Is Tastier - Apples or Oranges?
> (was: Which Is Buggier - Windows or Linux?)
>
> One of the nice things about NT is that if you are hacked,
> quite a bit of the time you'll never know unless the attacker
> wants you to know (or perhaps you are watching the detailed
> logs very carefully for strange patterns, if they are even turned on.)
>
> But to rebut your point about RH 7.2 having 158 security
> vulnerabilities... Those listed include issues from the very
> beginning with
>   squid (Windows includes nothing comparable)
>   OpenSSH (Windows includes nothing comparable)
>   mod_auth_pgsql (comparable to a plugin for IIS)
>   Webalizer software
>   iptables
>   Two are fairly similar updates (kernel 2.4), one for early
>   adopters, and one for easier config
>
> So of the first ten listed, perhaps only 3 would have been
> easily compared to windows security vulnerabilities:
>   New util-linux for a specific type of login program (not used by
>   default)
>   Update kernel (2.4)
>   Updated Comprehensive Printing
>
> Now if you extrapolate that out through the 158
> vulnerabilities, then you have 47 security vulnerabilities
> which could possibly have parallels to windows XP.
>
> Of course these aren't comparable to windows XP even after
> removing those which would have no parallel to the windows
> software. The reason for this is simple: Linux is
> multi-user, and is used more frequently in multiuser
> environments than windows is.
>
> /Most/ of the security vulnerabilities you'll see in linux
> have to do with preventing a user -which already has access
> to the system- from gaining any greater access.
>
> This would be akin to me having a basic account on one of
> your windows NT or XP servers, and trying to crash it, gain
> greater access, run my own services, etc.
>
> You probably realize that windows was not designed to prevent
> attacks from within the computer, and this is almost a
> trivial task. Microsoft has made little effort to prevent
> these types of attacks with anywhere near the ferocity of
> those maintaining the hundreds of commonly used open source
> packages/applications/kernels/systems/etc.
>
> If you /really/ want to compare apples and oranges, then
> let's count the number of security vulnerabilities which
> allow an external attacker to gain /complete/ access to your
> computer for windows XP with its standard configuration, and
> redhat -whatever- loaded with its standard configuration. Of
> all the security vulnerabilities listed I've seen none (I'm
> sure there are some that I haven't seen) from the linux camp
> which say "Exploit may allow remote code execution" whereas a
> ton of the security updates from MS have that exact warning.
>
> In fact, you rarely ever see MS put any effort into a patch
> unless it's /really bad/. I suspect you could probably even
> take out outlook express and IE as a source and windows would
> still have a greater list of 'bad' vulnerabilities.
>
> Microsoft has built a nice, single user system (finally!) in
> windows XP. 2K server is a decent server, and the newly
> released (or soon to be released) advanced server (XP or 2003,
> or whatever the name is) is going to be even better. I use
> windows XP exclusively for the desktop, because I have to use
> applications available for it that are not available for
> FreeBSD (or Linux, or, or, or) and dual booting simply takes
> too long, and I don't see any reason (other than having less
> disk space) to have two operating systems on my computers when
> one will do all I need.
> I use Novell for the servers at work,
> and linux for internet services because there are so few
> problems with them - maintenance is extremely low.
>
> You have a valid point however - to those who don't
> understand the differences between linux and windows and the
> differing views of what is a security vulnerability it can
> certainly seem like linux is worse than windows. This is a
> PR problem, and MS has much more PR power than linux, so I
> doubt we'll ever be rid of this particular disparity. As far
> as your anecdotal reference to being hacked, I think it would
> be instructive to request information from several hosting
> companies with both types of servers about successful hacking
> attempts. Given the larger percentage of linux/unix-like
> servers hosted out there I would expect more hacking on them
> than on windows (just as one expects more windows viruses for
> desktop windows because it's used more on the desktop).
>
> Anyway...
>
> -Adam
>
> James Newton, webmaster wrote:
>
> >Please note, before you cry "...off with his head!", that I fully
> >support and hope for the best from all open source software. Richard
> >Stallman is probably my #1 hero in the computer world. All hail
> >GNU/Linux and so on... BUT, My experience has shown that there is
> >another side to it. Just about every Linux box I have worked on has
> >been hacked and I've never lost an NT server. I have long wondered if
> >the general opinions about Linux being more stable / secure were
> >wishful thinking or if they are borne out by numbers.
> >
> >http://story.news.yahoo.com/news?tmpl=story&u=/nf/20030523/bs_nf/21583
> >
> >A count of the problems reported for XP Professional is available on
> >the Microsoft Web page that lists all of its security bulletins. Use
> >the pull-down menu to find the bulletins for Windows XP Professional.
> >The list starts in November 2001.
> >In the 18 months since then, 27
> >bulletins about security flaws or other bugs have been posted for
> >Professional XP.
> >
> >To count the fixes and bugs for Red Hat Linux 7.2, go to the company's
> >errata page and begin counting from November 2001. From November 2001
> >until now, the company has issued 158 security bulletins or bug fixes
> >(not counting the enhancements listed on that page).
> >
> >Also, the Linux-Unix OS is largely in the server environment, where the
> >vast majority of Windows installations are in the client environment.
> >The difference in technical skills in those two user bases could
> >greatly influence perceptions of OS stability. {i.e. Linux has smart
> >people running it and Windows has to do its best with idiots like me!}
> >
> >...with Windows, there's a rather aggressive community trying to find
> >bugs to denigrate Microsoft and Windows.
> >
> >http://story.news.yahoo.com/news?tmpl=story&cid=1093&ncid=1209&e=1&u=/pcworld/20030528/tc_pcworld/110906
> >
> >For the second time in as many months, the Apache Software Foundation
> >released an updated version of the popular open-source Web server
> >software, only to warn users of a critical security hole in previous
> >versions of the software that the update patches.
> >
> >Among those fixes is a patch for a security hole in the mod_dav module
> >that could be exploited remotely, causing an Apache Web server process
> >to crash, according to the bulletin.
> >
> >A second fix is for a denial-of-service vulnerability affecting
> >Apache's authentication module. By exploiting a bug in configuration
> >scripts used for password validation, attackers could launch remote
> >denial-of-service attacks that would cause valid user names and
> >passwords to be rejected, the bulletin said.
> >
> >James Newton (webmaster, former admin #3)
> >http://www.piclist.com
> >jamesnewton@piclist.com
> >1-619-652-0593 VM
> >1-208-279-8767 FAX
> >
> >--
> >http://www.piclist.com hint: The list server can filter out subtopics
> >(like ads or off topics) for you. See http://www.piclist.com/#topics

--
http://www.piclist.com hint: The PICList is archived three different
ways. See http://www.piclist.com/#archives for details.