[Gllug] Re: [Fsf-friends] security- a discussion

Satish Babu sb at inapp.com
Mon Jan 13 08:28:20 UTC 2003


This is a somewhat dated example of 'sponsored research'. Check out the public
responses at the link below:

http://www.newsfactor.com/perl/story/19996.html

Right at the bottom of this page there are several links to users' comments.
Click on any one of them and you can see all the comments in one page (takes
a while to load).

Especially note that Aberdeen has cleverly taken "Linux" to mean Linux
applications and not only the operating system (it would be like including
Adobe Photoshop's bugs as Windows bugs)...

Cheers

satish


On Mon, 13 Jan 2003 11:48:40 +0530, Manjush G. Menon wrote
> hi guys,
> 
> Check out the forwarded message,
> which originated from the following groups.
> 
> ------------------------------------------------------------------------
> To: linux-middleeast at yahoogroups.com, arab-linux at yahoogroups.com
> From: Peters A P <peters1968 at yahoo.com>
> Date: Wed, 8 Jan 2003 03:38:36 -0800 (PST)
> Subject: [arab-linux] I found this and thought this might be of interest
> 
> Aberdeen Group says Linux/UNIX is as vulnerable as Windows
> 
> Turning up the heat another notch on a
> long-simmering debate, the Aberdeen Group has
> published a study comparing the security of Linux/UNIX
> systems with that of the Microsoft Windows family of
> products.
> 
> "Contrary to popular misperception, Microsoft does not
> have the worst track record when it comes to security
> vulnerabilities. Also contrary to popular wisdom,
> UNIX- and Linux-based systems are just as vulnerable
> to viruses, Trojan horses, and worms," Aberdeen's
> report states.
> 
> Based on CERT advisories for 2001 and 2002, Aberdeen
> reached the following conclusions:
> 
> "Virus and Trojan horse advisories affecting Microsoft
> products peaked at six in 2001, which then bottomed
> out at zero for the first 10 months of 2002.
> 
> Virus and Trojan horse advisories affecting UNIX,
> Linux, and open source software products went from one
> in 2001 to two for the first 10 months of 2002.
> 
> Advisories affecting network equipment products jumped
> from two in 2001 to six for the first 10 months of
> 2002.
> 
> Firewalls and other security products were affected by
> just two advisories in 2001, but have been linked to
> seven advisories for the first 10 months of 2002."
> 
> The report also points out that Apple is becoming
> vulnerable, "now that it is fielding an operating
> system [OS X] with embedded Internet protocols and
> UNIX utilities."
> 
> Windows vs. Linux/UNIX vulnerabilities
> Aberdeen Group report, vol. 1, no. 35, is dated Nov
> 12, 2002, and it's a brief but interesting read. I
> can't post a direct link since you have to subscribe
> to see the report. But it doesn't cost anything, so I
> recommend that you go to the Aberdeen site, register,
> and then take a look at the entire report.
> 
> Some people will dismiss the report as
> Microsoft-sponsored hot air, but the raw data is there
> for everyone to see in CERT's Advisories and Incident
> Notes, giving legitimacy to The Aberdeen Group's
> conclusion that open source operating systems in
> general, the new Mac OS X, and critical security
> programs themselves, aren't as safe as many proponents
> suggest.
> 
> The underlying data is worth a close look. No new
> Windows platform virus or Trojan CERT advisories were
> issued in the period of January 2002 through October
> 2002. CERT's confirmed vulnerabilities list shows that
> the threat level is growing faster for Linux/UNIX
> platforms than for Windows. This could be a
> statistical anomaly due to the much larger number of
> Linux/UNIX versions (although there are actually fewer
> versions available now, as there has been
> consolidation in both the Linux and UNIX markets in
> recent years). So the number of threats is growing
> while the number of Linux/UNIX versions is shrinking.
> 
> Perhaps this is an indication that UNIX is becoming
> less genetically diverse and therefore is more
> vulnerable to attack because the market isn't so
> fragmented. One Microsoft virus would attack a lot of
> systems, but it used to take a slightly different
> virus for every version of Linux/UNIX. That's not
> always the case anymore.
> 
> Rating vulnerabilities
> The open source community sometimes claims that
> vulnerabilities are "more serious" in Windows, but I
> don't know of an objective way to measure that. And
> lacking a generally accepted method, all we are left
> with are the raw numbers. Microsoft rates
> vulnerabilities when it publishes a patch, but we need
> a comparable way to rate Linux/UNIX bugs if we're
> going to compare the seriousness of the patches
> released for these platforms.
> 
> It's useful to look at incidents as well as confirmed
> vulnerabilities (advisories). Although this isn't
> exactly the same as measuring how serious a
> vulnerability is, it provides a good way for those in
> the security business to judge how many attacks are
> taking place, or at least how many are being reported.
> 
> According to the Aberdeen report, "In 1995 the
> incidents reported by CERT numbered 2,412. However,
> incidents tracked by CERT skyrocketed from 21,756 in
> 2000 to 52,658 in 2001, and then to 73,359 for the
> first nine months of 2002. Clearly, the trend in
> incidents and advisories is going up, and at an
> alarming rate."
> 
> However, we should always take incident statistics
> with a grain of salt. After all, vulnerabilities are
> easy to count, but who knows how many attacks go
> unreported.
> 
> Microsoft has recently announced a new policy for
> rating vulnerabilities. The company says this was due
> to customer complaints about far too many "critical"
> warnings, which compelled administrators to patch
> vulnerabilities even when the critical rating was not
> warranted by the actual risk.
> 
> According to Microsoft's director of security
> assistance, Steve Lipner, the new rating system will
> expand the old Critical-Moderate-Low reporting scale
> to include Important, which will fall between Critical
> and Moderate.
> 
> Most of the old Critical vulnerabilities will now be
> labeled Important, including threats that could lead
> to system penetration and file compromise. The
> Critical rating will be reserved for Internet threats
> (e.g., major disasters of the Code Red variety).
> 
> A new two-tier security bulletin system with a less
> technical bulletin service will also be hosted at
> http://www.microsoft.com/security/ to supplement the
> current one, which many users found simply too
> technical.
> 
> A recent eWeek report brings yet another aspect of
> this subject to the forefront by pointing out that
> White House Cybersecurity Tsar, Richard Clarke, has
> called for mandatory vulnerability reporting to a
> central federal government office. This would require
> any security firm discovering a new vulnerability to
> report it with the goal of forcing vendors to respond
> more quickly to new threats.
> 
> Others feel this may lead to premature disclosure of
> vulnerabilities, which happened in the past when the
> FBI's National Infrastructure Protection Center
> attempted to coordinate reports with various vendors.
> 
> The newly organized (Sept. 26, 2002) Organization for
> Internet Safety is also developing a proposed set of
> guidelines for timely and safe reporting of
> vulnerabilities. OIS founders include Microsoft,
> @stake, Symantec, Caldera, Network Associates,
> BindView, and Oracle, so there may be some muscle
> behind these guidelines.
> 
> Final word
> We will probably always be comparing apples and
> oranges when we try to see how the number and severity
> of vulnerabilities found in the major competing
> platforms match up. But this really doesn't matter in
> the real world. The bottom line is that if a
> vulnerability leads to intrusions on your network,
> it's a problem, and it doesn't matter whether the
> vulnerability was a "high" risk or a "low" risk, only
> whether it cost you time and money to deal with it
> 
> Most of us are supporting legacy systems and always
> will be. Only new companies have the luxury of
> selecting a platform based only on security,
> performance, and initial cost. That's further limited
> to only new companies that have an expert IT staff in
> place to advise the company founders before they buy a
> single computer. It's far more likely that a platform
> decision will be based on the experience of the
> founders, the vendor who gets there first with the
> best proposal, or, most likely of all, which platform
> runs a line-of-business application that the company
> needs.
> 
> The Aberdeen Report concludes that the reduction in
> Microsoft vulnerabilities is the result of the
> company's much-touted new security initiative. It may
> be too early to determine that, but it is a relief to
> see that no major viruses have besieged Windows in
> 2002.
> 
> As for Microsoft's new security labeling system, I
> think it is useful. It makes sense to reserve the
> Critical rating for those dangerous global threats
> that can spread around the world quickly and
> temporarily threaten the integrity of corporate
> systems.
> ------------------------------------------------------------------------
> 
> Have a great day
> 
> ~~Manjush
> 
> _______________________________________________
> Fsf-friends mailing list
> Fsf-friends at mm.gnu.org.in
> http://mm.gnu.org.in/mailman/listinfo/fsf-friends


--
sb at inapp.com


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



