[Techtalk] the cost of security holes debate

Carla Schroder carla at bratgrrl.com
Mon Jul 22 09:31:14 EST 2002


I thought this was worth sharing. Ever since some twit counted the number of 
problems listed on Bugtraq per platform a couple years ago, and decided that 
open source platforms were less secure, every alleged tech journalist has 
been parroting the same story. Well here is a sensible analysis, of course by 
a dumb layperson, and not an exalted Journalist. (I am a recovering former 
ZDNet employee and tech writer, I know this world. People become computer 
journalists to scam 'review' product, god forbid they should ever pay for 
anything, and to get paid for trashing people with real skills and ability.)


"I'm surprised that this thread has gone so far without someone
pointing out that this is simply a numbers game that is far
from useful. There's a fundamental difference between Microsoft
and Open Source/Linux security issues. The majority of Windows
security issues are holes that have already been exploited
by the bad guys - there were real victims who reported the
problem. The majority of Open Source/Linux security issues were
discovered by the Open Source community and reported before they
were exploited and before there were victims.

"Simply comparing the number of security issues between the two
is unfair and counterproductive. You're punishing the people
who are concerned about security and who are making an effort
to fix problems before they affect the user population. The Open
Source community operates in plain view of everyone and acts
responsibly by warning us when potential security problems exist.
This numbers game may drive some of these people to covert
channels of communications to improve the numbers for "their
side".

"I think it's fair to say that there are far more serious
security holes in Microsoft software than in Open Source
software. I know of no Apache security hole that will produce
Code Red or Nimda-like results. I've never received email from
a Linux user who fell victim to an email-borne attack that
resulted in personal or confidential documents sent to everyone
in the user's address book. One Nimda does not equal one
Open Source "potential security hole".

"When certain Open Source software gains a reputation for security
problems, more secure replacements are developed and released.
If, for example, you're running sendmail and you want better
security, you can easily switch to Postfix, Exim, or qmail (they're
drop-in replacements). If you're weary of keeping BIND 9 updated,
you can switch to Tinydns. In the Microsoft world, you frequently
have no alternatives - security solutions must come from Microsoft
- a company whose own web site was taken down twice by elementary
external attacks and once by their own incompetence (all of
their DNS servers on the same subnet).

"If you're going to play a silly numbers game, at least make it
fair. Either don't count security issues where there were no
victims or assign a weight to each. For example, a Nimda would
be a 10 but a "potential security hole" that was reported before
real users fell victim would be a one. Also, give more points to
those problems where no secure alternative exists.

"Better yet, let's not play the game at all.

Thank you, Ed Sawicki.  http://www.alcpress.com

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder, Bratgrrl Computing
Plain English Spoken Here
www.bratgrrl.com
this message brought to you by Kmail,
on Red Hat Linux 7.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~