News: Open-Source Security Comes Under Fire

  1. Open-Source Security Comes Under Fire (17 messages)

    A recent research note from two analysts at the Aberdeen Group calls open-source software and Linux distributions the "2002 poster children for security problems." Of the 29 advisories issued through October by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, 16 of them addressed vulnerabilities in open-source or Linux products.

    Read Open-Source Security Comes Under Fire.

    "However, many security experts find fault with that argument. The fact is, they say, neither one is inherently more secure than the other; it all comes down to the skill with which the code is written and audited."

    Threaded Messages (17)

  2. I'd also be interested in seeing a comparison on how quickly fixes to known bugs are issued. Phrased differently, which camp is more reliable in fixing security problems?
  3. I'd also be interested in seeing a comparison on how quickly fixes to known bugs are issued. Phrased differently, which camp is more reliable in fixing security problems?

    I would argue providing a quick fix for security problems is no solution. Even if the so-called 'camp' provides a fix, how often would a sys admin at any organization use the fix?
  4. Open-Source Security Comes Under Fire

    What would be more telling is the number of product updates / security fixes. Of course a product would have less flaws if it takes 1 year to update.
  5. This seems like a flawed comparison to me. I mean, I don't really care, not really siding with either camp, but it seems like by the sheer number of open source products, I mean how many flavors of Linux are out there, not to mention the number of desktops, there must be 100,000 projects on sourceforge. With that number of programs you are bound to find 16 security flaws. Microsoft doesn't even have 1/10th of the apps open source does. Yet they have 1/3 the errors. How is this a good comparison? How about a vulnerabilities/app ratio? What's that?
  6. You have to compare it in terms of how complex the software is. There are lots of open source projects out there, but do they compare in terms of complexity to that of MS? So it is simply not an issue of ratio but one of complexity. MS builds complex software.
  7. I agree to some extent. And if you READ the article, fine, it's not comparing MS vs. any other O/S, it's just saying MS has this many holes, Linux has this many holes. It's not taking any side.
      And however much we like open source, we've got to accept that until there is one "STANDARD BASE" in open source, we will always have issues like compatibility, version mismatch, security holes. Practically every open source user can have his/her own version.
        With MS, it owns everything of WINDOWS, and we can go to their site to look for any patches. With Linux, the first thing I do is go on google, Linux forums etc. There is no single place to find the answer to a problem. Open source has to live with it.
       And one more point I would agree with to a large extent is that MS is still used a hell of a lot more than any other OS. So it's obvious that it will be tested a lot more than any other OS and naturally people will find more problems in MS. Linux hasn't come to that level of usage yet. Once it is, we may find many more problems in Linux than we see now.
       I guess what we need is a "STANDARD OPEN SOURCE".
  8. <quote>
    With Linux, the first thing I do is go on google, Linux forums etc. There is no single place to find the answer to a problem. Open source has to live with it.
    </quote>

    This is completely wrong if you're using a distribution like SuSE Linux. Security issues are solved much faster compared to Microsoft, there's a single access point, and installation is safer and more convenient.
  9. Thanks for the info. I had a different experience with SuSE.
     In any case SuSE Linux is not the only Linux we use; rather it's just one part of the open source universe, and my view wasn't pointing to one particular flavor of Unix or Linux. I'm talking about non-MS O/S in general and other open source systems in general.
  10. I also consider another aspect of security - how many people would want to break your security?
    Given how a number of people hate MS, I would say that for every hacker/tool/etc. that is intended to break into Linux/Solaris/AIX etc. there are 10 or more that are aimed at MS.
    It's actually sometimes quite funny: for a hole in MS software, a tool that allows everyone with half a brain to wreak havoc is created almost immediately, while the same people have "moral barriers" to creating a similar tool if, say, they find the newest hole in Sendmail.
  11. Since most open source is not owned by a single RESPONSIBLE company, it's bound to have problems like several users having several different versions, some having patches, some not, something working on one version and the same thing not working on the other version. This is the downside of open source, and the article is stating just the same.
      My 4 cents :)
  12. Aberdeen Group is no different than other for-profit "research groups". Their findings are, not surprisingly, often reflective of what they were paid to find.

    Coincidentally, about the time of the publication of this new Aberdeen report, pages like this one ("Last Updated: November 13, 2002") have removed the references to Aberdeen reports written for Microsoft. Of course, you can still find them in Google's cache:

    "ISA Server: A Versatile "Swiss Army Knife" Security Solution. See why the Aberdeen Group finds ISA Server to be a flexible security solution in this report comparing the active electronic infrastructure management features of various enterprise firewalls. Register to obtain a copy at no charge.... (Last Updated: September 04, 2002)"

    As anyone who has worked in PR for a software company knows, the ideas for these "research notes" typically come from the company that the research note would help, and they typically come with a payment. That is not always true, and I have no facts that would lead me to believe that the same is true in this case, however I highly doubt that Aberdeen could have switched to being an objective non-profit without the rest of us finding out.

    On the subject of security, Microsoft has done a good job patching security holes in its products. Say what you will about the huge number of holes found (not surprising for such a huge amount of software built around a desktop ease-of-use model), it still has a very long way to go before reaching parity with "boring" server products like Unix and Linux, which have relatively little complexity for hiding holes in. (Unix, anyway. Linux is trying to gain install-size parity with Windows ;-)

    There have been a few major vulnerabilities reported this last year that have applied to several of the Unix servers and Linux, and those are pretty disturbing. At least one made it possible for root access to a server to be gained. So while the report may have been paid for by Microsoft, that doesn't make even one Unix or Linux vulnerability acceptable. Similarly, we should continue to demand higher levels of security quality from Microsoft, and applaud their efforts when they do deliver. Even if Windows is not fully accepted today in the datacenter, it may very well be in several years time, and wishing for Microsoft products to be buggy and easily compromisable won't help anyone (but their competitors) in the end.


    Cameron Purdy
    Tangosol, Inc.
    Coherence: Easily share live data across a cluster!
  13. It surprises me that we still take reports from these so-called analyst firms seriously. What makes these firms analysts? Their analysis is nothing more than a subjective interpretation based on insufficient expertise and always greased by big corporations with an agenda to sell.

    We have standards to rate the analyst firms on Wall Street. (WSJ does an annual rating of all analyst firms.) Why don't we have the same for these firms? Without quantitative benchmarks, these guys are just expensive and exclusive PR firms and nothing more.
    Open source does not just threaten Microsoft; it also threatens the bread-and-butter of these parasites. The cost of making a wrong product choice when going with open source is less: you don't need to buy the software and pay a dozen consultants to find out if the product will work for you; in most cases administrators working (with overtime pay, hopefully) can make that call easily, thereby mitigating the need to buy an expensive analyst report. No wonder these analysts are working hard to kill open source initiatives.

    Try finding the analysts' position on open source software such as JBoss, Sendmail, PostGre or SAPDB? You won't, because none of these groups have any reason to fund such a study. So naturally, they push the most expensive products for each class on the gullible CIOs.

    This is not to say that there may not be security vulnerabilities in open source software. But this report is clearly more an attempt to secure their livelihood than to disseminate any meaningful information.

    Just my $.02
  14. The article ignores a few important facts:

    - The "security vulnerability count" for open source includes vulnerabilities that also affect closed-source software.
    - Some advisories cover multiple vulnerabilities, but are ranked as one.
    - Some advisories simply cover the fact that an older vulnerability is now commonly being exploited.
    - Some advisories are entirely unrelated to security flaws, but instead take note of the fact that a particular distribution resource (FTP server) was cracked and trojaned copies are circulating.
    - Advisory count contains no information as to the severity of a vulnerability: a remote root exploit is typically worse than a privilege elevation, which is worse than a denial of service attack, etc.
    - There is no single Linux vendor which suffered all of the open-source vulnerabilities.

    Regardless of whose security you believe to be superior, this article does nothing to substantiate its claim that "open-source software has taken over Microsoft Corp.'s position at the bottom of the security heap." If one desires to analyze security purely from a "vulnerability count" perspective, they should do so by comparing multiple products in specific configurations.

    While we're on the subject of "vulnerability count" security analysis, anybody remember this gem: :)

  15. Open-Source Security Comes Under Fire

    My question is when are we going to find out that MS funded this study?
  16. This is such a stupid argument. I mean, if you analyze anything, and I mean anything, you make it come under fire. It's just how big the flame is. In this case, the flame is fairly small. I don't see why the article has to make it appear to be much worse than it is compared to competing environments.
  17. I think we can mostly conclude that open source is starting to get more popular.

    If more white hats start using open source systems, then more black hats will start attacking them.

    It would be stupid to assume that open source software does not have security problems. Of course it has. Not all programmers are equally good. And I doubt that many are actually reviewing the code.

    But you can still argue that there is no reason to pay XXXX $ for commercial software that has as many bugs as the free alternatives.
  18. What This Report Ignores

    This report ignores the primary security advantage of Linux (and Unix) over Windows, which is that a production system can be "hardened" by disabling the various vulnerable services. This just isn't possible with Windows, due to lack of information about what the multitude of processes do and how they inter-relate.

    The article does mention that the CERT statistics tend to "focus on the high-risk issues that are likely to affect a broad base of users". However, I'm much more concerned about the security of my production environment than anything else. Although, obviously, a security breach on any system is costly.