[kwlug-disc] given enough eyeballs, all bugs are shallow?

unsolicited unsolicited at swiz.ca
Sat Jan 9 01:31:48 EST 2010

And along the same line ...

I get irritated when it is claimed Linux is more secure than Windows 
because it doesn't get viruses, when we cannot possibly know that.

Particularly when the reality is, if Linux were as popular as Windows, 
it would be a much greater target than it is today, and get a 
correspondingly larger level of viruses (which are essentially bugs / 
security holes).

I do, however, agree that there would be fewer viruses, or they would 
be less likely, because this different security model has been in 
place since early days, and grown up that way. As opposed to Windows 
which has had an attempt made to graft security on to it mostly after 
the fact.

Sorry, again, no hard numbers.

To Raul's point - distinguishing between software bug and 
implementation bug would be important. Apache opens a port, because 
that's what its purpose is. Ping goes out. If Apache has not been 
appropriately secured, and I change my firewall so the big, bad, 
internet can get to it ... that's the sysadmin's fault. If bash 
scripting is so good I can ping of death a machine, whose fault is 
that? And will any such (statistical) numbers be pigeon-holed to 
sufficient granularity to not just lump sum them all as 'viruses'?

Raul Suarez wrote, On 01/08/2010 11:10 PM:
> --- On Fri, 1/8/10, Robert P. J. Day <rpjday at crashcourse.ca> wrote:
>> i think the defense of OSS as being more secure needs more
>> explicit points as to *why* it should be inherently more secure.
> I think you are shooting a sacred cow.
> Not long ago (within last year) I was caught with my pants down
> when arguing that same point. Of course I could refer to anecdotal
> "evidence" and statistics. But "anecdotal" does not have much
> weight and statistics can be presented in many different ways.
> I sent an S.O.S to this mailing list for supporting references. It
> started a good thread but I still received anecdotal and
> statistical references that could be refuted with other anecdotes
> and corresponding statistics.
> What ended up being clear to me is that "security" has many
> interpretations starting with:
> Is the software secure vs. is the installation secure.
> One certainly depends on the code, the other depends mostly on the
> ability and care of the sysadmin.
> I say "mostly" because another measure of security is how secure
> and sensible are the defaults and how easy it is to modify those
> defaults.
> Ultimately, I came to the obvious realization that proprietary and
> Open source are concepts, not products. Making blanket
> generalizations is misleading and arguing to either being more
> secure is silly.
> I think it makes more sense to compare as follows:
> Is out of the box apache version xx under Red Hat version xx more
> secure than IIS version yy under Windows zz?
> Or
> Is it easier for an administrator to harden X than to harden Y?
> We can argue with opinions until we are blue on the face but they
> will just be opinions.
> I'd be very interested to see if you can find really compelling
> arguments