[wellylug] Re: Microsoft FUD at work (Linux fud too?)

Don Jones don.jones at linuxmail.org
Fri Jan 24 23:29:42 NZDT 2003


> 1) Open source is not more secure than microsoft. Take away the worms
> that caused major havoc because certain MCSE +I's failing to run a
> simple patch (flipside, apache / openssl worms anyone?), more linux /
> UNIX boxes are hacked / cracked / DOS'd each day than any other OS.
> Open source does have a down side. Bugs are found, exploited and NOT
> disclosed as much as people would like to think. A couple of prime
> examples of this are the SSHD and Apache bugs discovered during 2002.

In my experience working in an environment where I personally support and work with others supporting windows and unix/linux boxes. I have seen multiple virus/worm related rebuilds of NT/2000 servers (mostly nimda but others aswell) but have yet to have a unix server compromised. Ive heard stories of default installs of Red Hat 5x and 6x being very insecure but havent had to deal with them. While the sshd and apache/openssl issues you mention are serious there were extreamly minor reports of compromises of these issues , compare this with the thousands/millions of affected hosts with code red and nimda (check your apache logs I bet you can find 20 nimda/code red affected hosts from the last month - look for strings like "203.218.177.21 - - [20/Apr/2002:15:33:16 +1200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 727" whereas I will be surprised if you can find a signature from an infected unix webserver.)

Microsoft like to talk about a software ecosystem - they of course refer to their monoculture and a few parasites and epiphytes, its very easy to cause huge devestation in a monoculture (think rabits and calici virus). Its intresting that even in areas where OSS has a total monopoly position in the case of DNS servers (BIND) which have some serious vulnerabilities, there havent been widespread compromises. 

My point is, while I agree with you that OSS is by no means immune to vulnerabilities, I havent seen any evidence that "more linux /
> UNIX boxes are hacked / cracked / DOS'd each day than any other OS" but the opposite, Ive only seen major system rebuilds due to security issues by my windows admin (half/step) brothers, I think this is partly due to the diversity present in OSS and perhaps the fact I dont admin any older Red Hat boxes.

> However, linux and open source allows more flexability within your
> business. You are not bound to 'dirty' license agreements, but more
> flexable agreements for your business. You have the ability to
> customise software to fit your companies needs. And naturally, there
> are steps one can take as with any platform for improved security.  
> 
> 2) If its "0day" and public, chances are it's been known to private
> individuals for at least a year.

For most admins 0day sploits and the like are not the primary issue, many compromises have no human sitting at the other end of the keyboard and the majority of the rest are kiddies (often windows based 137-139 types). After worms and kiddies your cracker is less than 1%, very bad if he picks on you but rather insignificant as a whole

> 
> 3) Most banking servers (talking web / exposed servers not AIX boxes
> in the background) still run on NT4 / NT2000. Why? Patched microsoft,
> and properly maintained microsoft is solid and secure.

Hmm - the netcraft survys from last year pointed out that may banking servers (running SSL where vulnerable see
http://www.netcraft.com/Survey/index-200207.html and other months in the netcraft archives) were vulnerable - i think its mor a case of  noone targeting them rather then some inherent security
> 
> 4) GNU is not UNIX. You would have to hire a linux geek, not a UNIX
> geek ;)

Youd be a pretty poor unix geek these days if you didnt have good working knowledge of common OSS apps, the knowledge of which makes moving to linux a piece of cake, eg perl bind apache sendmail bash vi.
 
> 
> 5) Support. We need to point out to people asking the question of
> linux in business different support options. This is a companies
> infrastructure they are playing with, not a home desktop machine.

ibm, dell, hp, red hat, oracle claim to be doing this now amongst many medium and small local companies and other 'enterprise' software vendors seem to be supportive (ca sap etc.). Granted perception may be an issue but the supports there if you want it. 
 
> 
> If you read this and think "My Lord! He's a windows advicate" please
> reread and rethink the above content, however, a certain reality that
> many Linux users / groups / companies around the world are looking
> past, is that not all businesses are in a postition to take the plunge
> into open source. Not to mentain, Linux itself is only just touching
> on being a solid, reliable business tool.

Hmm - I like to think of it like an exponential curve, linux has reached the ramp up point and is poised to take off, true linux has only recently become a solid, reliable business tool, but its now past the early adopter stage and is ready to provides some serious savings to small medium and large buisnesses the world over so they can start to get the IT they actual need rather than pay the M$ tax  or subisdise the profits of propriety unix vendors

 
> 
> My $1.25 worth.

My 2c

Don
-- 
______________________________________________
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze

  .-.   Wellington
  /V\   Linux
 // \\  Users       
/(   )\ Group
 ^^-^^
        http://wlug.paradise.net.nz/

To unsubscribe from this group, send an email to:
wellylug-unsubscribe at egroups.com
  

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 





More information about the wellylug mailing list