[kwlug-disc] given enough eyeballs, all bugs are shallow?

unsolicited unsolicited at swiz.ca
Sat Jan 9 01:31:48 EST 2010


And along the same line ...

I get irritated when it is claimed Linux is more secure than Windows 
because it doesn't get viruses. When we cannot possibly know that.

Particularly when the reality is, if Linux were as popular as Windows, 
it would be a much greater target than it is today, and get a 
correspondingly larger level of viruses (which are essentially bugs / 
security holes).

I do, however, agree that there would be fewer viruses, or they would 
be less likely, because this different security model has been in 
place since early days, and grown up that way. As opposed to Windows 
which has had an attempt made to graft security on to it mostly after 
the fact.

Sorry, again, no hard numbers.

To Raul's point - distinguishing between software bug and 
implementation bug would be important. Apache opens a port, because 
that's what it's purpose is. Ping goes out. If Apache has not been 
appropriately secured, and I change my firewall so the big, bad, 
internet can get to it ... that's the sysadmin's fault. If bash 
scripting is so good I can ping of death a machine, who's fault is 
that? And will any such (statistical) numbers be pigeon-holed to 
sufficient granularity to not just lump sum them all as 'viruses.'

Raul Suarez wrote, On 01/08/2010 11:10 PM:
> --- On Fri, 1/8/10, Robert P. J. Day <rpjday at crashcourse.ca> wrote:
> 
>> i think the defense of OSS as being more secure needs more
>> explicit points as to *why* it should be inherently more secure.
> 
> I think you are shooting a sacred cow.
> 
> Not long ago (within last year) I was caught with my pants down
> when arguing that same point. Of course I could refer to anecdotal
> "evidence" and statistics. But "anecdotal" does not have much
> weight and statistics can be presented in many different ways.
> 
> I sent an S.O.S to this mailing list for supporting references. It
> started a good thread but I still received anecdotal and
> statistical references that could be refuted with other anecdotes
> and corresponding statistics.
> 
> What ended up being clear to me is that "security" has many
> interpretations starting with:
> 
> Is the software secure vs. is the installation secure.
> 
> One certainly depends on the code, the other depends mostly on the
> ability and care of the sysadmin.
> 
> I say "mostly" because another measure of security is how secure
> and sensible are the defaults and how easy it is to modify those
> defaults.
> 
> Ultimately, I came to the obvious realization that proprietary and
> Open source are concepts, not products. Making blanket
> generalizations is misleading and arguing to either being more
> secure is silly.
> 
> I think it makes more sense to compare as follows:
> 
> Is out of the box apache version xx under Red Hat version xx more
> secure than IIS version yy under Windows zz?
> 
> Or
> 
> Is it easier for an administrator to harden X than to harden Y?
> 
> We can argue with opinions until we are blue on the face but they
> will just be opinions.
> 
> I'd be very interested to see if you can find really compelling
> arguments



More information about the kwlug-disc_kwlug.org mailing list