[kwlug-disc] Security arguments
unsolicited at swiz.ca
Tue Sep 22 12:39:46 EDT 2009
Raul Suarez wrote, On 09/22/2009 10:26 AM:
> The question is clear and open:
> What are the facts, hopefully statistically based, that prove that
> Linux Web servers are safer than Windows Web servers? Or even that
> Apache is more secure than IIS?
> I think it's a valid question and one that may help us better
> position our arguments in favour of Linux. Raul Suarez
I disagree; I don't believe it is a valid question. In fact, I take
'offense' at it. I think the very question provokes FUD, and
contributes to the whole MS-bashing irrelevant nonsense that just
sucks too much energy and life out of all of us.
I think more valid questions start with:
- is it safe? (Period, end of story. Not safer than, just, 'Is it safe?')
- Does it do what you want?
- (perhaps) Is it safe enough? Or, 'Is it sufficiently safe?'
- these lay the security bugaboo to rest. Use a safe product. Period.
Considerations other than security are far more important. (Don't go
down the pointless road of 'nothing is safe', 'how safe is safe
enough', and other mindlessly useless drivel of minutiae.)
I do think it is probably reasonable to say that any FOSS app will have
any vulnerability addressed more quickly than non-FOSS. And really,
that's all that matters.
'More safe' just leads to 'than what' and 'as of when.'
I'm tired of the bs argument that Linux/FOSS is not being exploited
the way proprietary stuff is due to its obscurity. Either it's safe,
or it isn't. And 5 years, 10 years, 2 months, from now, when obscurity
is no longer relevant ... what, are we all going to re-do our content
efforts and switch to the most obscure app available then?
Obscurity is not a defence - the attempt to use it (particularly with
arguments that non-on-the-fly clamav use is sufficient) I find
particularly snake oil'ish. [When does obscurity cease? How will you
know? Will you take the time, then, to address it? Or will you be busy
with other fires?]
As has been mentioned, good practices are required, regardless of the
platform. Keep up with security updates, and so on and so forth. We
need to stop the 'just drop this in and get on with your day' false
sense of security. Anything you install you must maintain. Anything
you install will suck up your time forevermore. Deal with it. Or, if
you do install it, suck up the consequences of not keeping up to date
with security patches when, if and should something bad actually
happen. Definitely, no whining or whimpering.
The very act of using 'which is more safe' adds to the
self-perpetuating FUD and insidious waste of time and energy.
Is it safe (enough)? Will you keep up with patches? Does it do what
you want? Does it satisfy other criteria, such as cost, (local)
support, or available (local) development resources and knowledge base?
Two FOSS arguments I find particularly compelling:
- However, one must first get over the hump of: assuming you have or
are willing to appropriately invest in establishing a functional point
(paying $ and running MS setup, or not paying $ and acquiring or being
prepared to purchase local expertise) ...
1. FOSS lets you do more for the same investment amount. e.g. Install
Apache and Drupal, then hire Khalid to get not just a web site, but a
customized web site that actually effects the desired functionality.
2. FOSS lets you accomplish more for the same amount spent. e.g.
Install FOSS, and donate some $ to the Kitchener-Waterloo Humane
Society. <hint> <hint>
FOSS, MS, irrelevant. DOES IT SUIT?
If confronted with some version of "Is it safer?", deny the validity
of the question with "The real question is, is it safe?" If pressed,
ask "By what criteria?" Regardless of the answer to that, the response
is "I don't know." (Nobody can remember all the statistics to answer
all possible permutations.) Follow up with "But I believe it to be
safe. I don't, and I don't think you should, have any concerns in that
area." The credibility of the speaker will outweigh any stats.
The question is irrelevant or of no consequence. The only question is,
Does it suit?