[kwlug-disc] Security arguments

unsolicited unsolicited at swiz.ca
Tue Sep 22 12:39:46 EDT 2009

Raul Suarez wrote, On 09/22/2009 10:26 AM:
> The question is clear and open:
> What are the facts, hopefully statistically based, that prove that
> Linux Web servers are safer than Windows Web servers? Or even that
> Apache is more secure than IIS?
> I think it's a valid question and one that may help us better
> position our arguments in favour of Linux. Raul Suarez


I disagree; I don't believe it is a valid question. In fact, I take 
'offense' at it. I think the very question provokes FUD, and 
contributes to the whole MS / bashing irrelevant nonsense that just 
sucks too much energy and life out of all of us.

I think more valid questions start with:

- is it safe? (Period, end of story. Not safer than, just, 'Is it safe?')

- Does it do what you want?

- (perhaps) Is it safe enough? Or, 'Is it sufficiently safe?'

- these lay the security bugaboo to rest. Use a safe product. Period. 
Other considerations than security are far more important. (Don't go 
down the pointless road of 'nothing is safe', 'how safe is safe 
enough', and other mindlessly useless drivel of minutiae.)

I do think it probably reasonable to say that any FOSS app will have 
any vulnerability addressed more quickly than non-FOSS. And really, 
that's all that matters.

	'More safe' just leads to 'than what' and 'as of when.'

I'm tired of the bs argument that Linux/FOSS is not being exploited 
the way proprietary stuff is due to its obscurity. Either it's safe, 
or it isn't. And 5 years, 10 years, 2 months, from now, when obscurity 
is no longer relevant ... what, are we all going to re-do our content 
efforts and switch to the most obscure app available then?

Obscurity is not a defence - the attempt to use it (particularly with 
arguments that non-on-the-fly clamav use is sufficient) I find 
particularly snake oil'ish. [When does obscurity cease? How will you 
know? Will you take the time, then, to address it? Or will you be busy 
with other fires?]

As has been mentioned, good practices are required, regardless of the 
platform. Keep up with security updates, and so on and so forth. We 
need to stop the 'just drop this in and get on with your day' false 
sense of security. Anything you install you must maintain. Anything 
you install will suck up your time for ever more. Deal with it. Or, if 
you do install it, suck up the consequences of not keeping up to date 
with security patches, when, if, and should, something bad actually 
happen. Definitely, no whining or whimpering.

The very act of using 'which is more safe' adds to the 
self-perpetuating FUD and insidious waste of time and energy.

Is it safe (enough)? Will you keep up with patches? Does it do what 
you want? Does it satisfy other criteria, such as cost, (local) 
support, or available (local) development resources and knowledge base?

	Two FOSS arguments I find particularly compelling:
	- However, one must first get over the hump of: assuming you have or 
are willing to appropriately invest in establishing a functional point 
(paying $ and running MS setup, or not paying $ and acquiring or being 
prepared to purchase local expertise) ...

	1. FOSS lets you do more for the same investment amount. e.g. Install 
Apache and Drupal, then hire Khalid to get not just a web site, but a 
customized web site that actually effects the desired functionality.
	2. FOSS lets you accomplish more for the same amount spent. e.g. 
Install FOSS, and donate some $ to the Kitchener-Waterloo Humane 
Society. <hint> <hint>

FOSS, MS, irrelevant. DOES IT SUIT?

If confronted with some version of "Is it safer?", deny the validity 
of the question with "The real question is, is it safe?" If pressed, 
ask "By what criteria?" Regardless of the answer to that, the response 
is "I don't know." (Nobody can remember all the statistics to answer 
all possible permutations.) Follow up with "But I believe it to be 
safe. I don't, and I don't think you should, have any concerns in that 
area." The credibility of the speaker will outweigh any stats.

The question is irrelevant or of no consequence. The only question is, 
Does it suit?
