Elliott C. Back: Technology FTW!

“We are so Secure,” they cry, hacked full of holes

Posted in Computers & Technology, Humour, Spread IE by Elliott Back on May 20th, 2005.

Lockergnome just posted a little editorial piece that suggests that Linux and open source are “so secure” because when one product breaks, users can switch to a different one, until, I guess, it breaks too and they need to switch to a better one, until … :

But with Linux, the user can always go to something other …. That my friends, is what makes Linux so secure.

Does this sound like something a rational person would say? Security is an intrinsic property of software, not a side effect of availability. An equivalent statement, in the same reductio ad absurdum style of logic, would argue that:

But with Computers, the users can always use pen and paper or some other method of getting things done …. That my friends, is what makes Computing so secure.

Sigh. I hate zealots, especially overly zealous Linux and open-source zealots who spout absolute nonsense about their platform’s apparent security. In this case, do you think that a KDE-loving user is really going to go to the trouble of switching his window manager because of some yet-unfixed security bug? Yeah right. And even if he does, this is not a viable model for security. Secure software needs to be written right the first time, layers need to protect themselves from tampering by other layers, and everything needs to be as paranoid as possible about everything else. The solution to buggy, popular software isn’t simply switching to other software, not at this level, not at any.

This entry was posted on Friday, May 20th, 2005 at 2:14 am.

13 Comments

Comment 1:
    Just because a Lockergnome writer gave a bad example of Open Source security doesn't mean it doesn't exist.

    Rather than listening to either side whine about how wonderful their security is, numbers speak louder than words. How good is Microsoft at responding to security problems vs. Firefox? I can compare IE to Firefox because it's a good one-to-one comparison. The Secunia vulnerability database shows the following:

    Internet Explorer:
    Most critical unpatched vulnerability: Highly critical
    Unpatched since: April 26 2004 (yes, 2004)
    Type: Remote system compromise.
    Total number of highly critical vulnerabilities patched and unpatched: 33
    Oldest remaining unpatched vulnerability: Sept 9 2002. Moderately critical.
    Percentage of vulnerabilities that are unpatched: 30%
    Percentage of vulnerabilities that are fully patched: 55%
    Criticality breakdown:
    Extremely - 14%
    Highly - 28%
    Moderately - 22%
    Less - 14%
    Not - 22%

    Firefox
    Most critical unpatched vulnerability: Less critical
    Unpatched since: Multiple: oldest since August 30 2004
    Type: Multiple: Spoofing and session highjacking.
    Total number of highly critical vulnerabilities patched and unpatched: 3
    Oldest remaining unpatched vulnerability: August 30 2004. Less critical.
    Percentage of vulnerabilities that are unpatched: 24%
    Percentage of vulnerabilities that are fully patched: 71%
    Criticality breakdown:
    Extremely - 0%
    Highly - 18%
    Moderately - 35%
    Less - 35%
    Not - 12%

    While clearly Firefox is nowhere near perfect, they have so far been doing a much better job at patching their problems than Microsoft has. Does this translate into similar numbers for other closed vs. Open Source software? I'm sure it does for some, but not all. What it does prove is that having huge money behind your product doesn't make a bit of difference if you aren't ready to take responsibility for fixing security problems. Rather than saying Firefox (or any other Open Source project) handles security very well, I'm more apt to say that they both need to improve, but Microsoft has much further to go before it's acceptable... right now it's downright embarrassing.
Comment 2:
    Regardless, you have to admit open source, or any opposition to Microsoft, is a good thing. It's causing them to become more standards-compliant, and making them work on making their products better. Something that, I assure you, would not be happening if they still had a total monopoly on web browsers.

    One of the main appeals of open source is that anyone can look at the code. Now, while this does help crackers ("Hey, look! There's a hole right here I can exploit!"), it also helps everyone else. Not only can you change FireFox into something you like better, if something is exploited, you can go in and fix it (if you know how). Furthermore, you can release your own patches, and help others. Bugs are pointed out sooner, and thus can be fixed quicker in the next patch.
Comment 3:
    Only a doucheclown would take someone like Matt Hartley seriously.
Comment 4:
    You make a good point about the argument, but it doesn't seem to justify the title of your post. You didn't explain anything about the phrase "hacked full of holes".

    Doesn't it seem oversimplistic to say that the wide variety of Linux software projects all have the same level of security?
Comment 5:
    Elliot, I don't know if you realise, but you DO USE an open source product right now. Not to say that it's based entirely on PHP and MySQL.

    As a personal thingie, I laugh my ass off when I hear someone talking about a server which is running a non-unix based operating system. Maybe you too should try to see behind the "I'm so good I'm better than myself" attitude most software companies mumble about.

    Every alternative for a solution has its very own characteristics, be they good or bad; the important thing is that they have them and your work depends on them. Being able to make a choice is great. Would you be happier to have only Microsoft Word around? How about only PostgreSQL for a database solution? Or maybe Paintbrush would be great for image editing? I believe not.

    The fact that some exaggerate when they talk about their software is no damn secret. But to take a defensive stance when someone is talking about an already shown to be totally flawed (felt, experienced, you name it) software production model, that's just strange, hombre, just strange.

    I'd advise you to leave your pre-teenager ambitions aside and grow up, take a real look at the software market and then come around trolling about an effort which was claimed to be futile 15 years ago.

    Pax
Comment 6:
    A viable model of security would be: "Let's just stick with the unreliable system indefinitely, waiting for fixes that won't even start to appear, and hope we don't get burned."

    Viable indeed.
Comment 7:
    Until MS stops allowing write access to normal users to the system folders and stops, along with their software partners, writing programs that MUST be run in Administrator mode, they will NEVER be secure. The biggest problem is not the holes but the fact that once through the hole under a user's account, the malware or viruses can write to the system files. MS must also reteach their users to NEVER RUN UNDER ADMINISTRATOR for normal use and lock the %system% files to read - write only for users. They must also learn that when a firewall is turned on and all ports are blocked, this doesn't mean that there aren't still over 200 UDP ports LEFT OPEN! Yes, their SP2 firewall is supposed to keep you safe, then why all the ports open? Nmap doesn't lie. Obscurity from the users is not security.

    Microsoft hasn't realized we don't have PCs anymore. They are networked workstations now and must use a network style security policy.

    Full of holes??? ONLY in Microsoft.

    And you should be ashamed to pick comments from posts from people who do not know what they are talking about to prove your point. It only makes you look as stupid as them.

    No, I am not a Linux zealot; I am an engineer who knows both systems. I know what is secure and what is not. I know what it takes to break into a system and I know how to close them up IF the OS and the software that must be run to do business will allow it.

    Read what Dave said. These are hard numbers, and yes, if you check the numbers against MS and, say, RedHat, IBM, or Novell, you will find that patches are sent out quicker from them. You can't argue with facts and figures; they don't lie, MS does!
Comment 8:
    I followed a link to this site, could not believe anyone would have a site *promoting* IE. You must take a lot of crack!

    Look guys, use what browser you want, say what you want, that's democracy, but please don't try to spread more MS trotted out crap.
    Figures speak for themselves. IE is badly written and insecure; even a casual glance shows us all that.
    The only reason IE7 is even talked about is because of competition. If Firefox never existed, neither would IE7; you would all be stuck with IE6.

    Maybe they will improve it; let's face it, it would be hard *not* to.
    Time will tell....
Comment 9:
    Heh, you are bashing OpenSource and using WordPress for your website? How do you explain that?
Comment 10:
    Since Clau directly addresses me and tells me to grow up, and Jon wonders how I explain using Wordpress, I tell them both: this post, if you actually read it, is an anti-zealotry post, not an anti-open-source post. In this case, the zealots I'm slamming are open-source zealots, but if they were microsofties, they would get the same treatment. The argument that software availability leads to better throwaway security is ridiculous.

    That's all. There's good open source and closed source software, but neither model is more secure because of abundance.
Comment 11:
    KDE: I'm a desktop environment, damn it!
Comment 12:
    Can we slam you for being a Microsoft zealot? Or would that be in bad taste? ;-)

    *ducks*
Comment 13:
    This is a line from the link you provided:

    "Linux users who patched their systems for a serious security vulnerability in KDE last month will have to patch once again, due to errors in the original patch, according to the KDE project."

    Were there not patches for system pack 2? I rest my case.