
Re: [K12OSN] I got hacked.........

On Wed, Apr 10, 2002 at 10:16:50AM -0600, Kirk Rheinlander wrote:
> From NTBUGTRAQ, about a year ago.......does not include the approximately 
> "1 major MS product security hole per day" data that IDC and others have 
> been quoting....

> How Many Vulnerabilities Per Operating System?

> You may all be aware that much used commercial software can be like
> Swiss cheese when you look at security vulnerabilities. Some OS-es
> are worse than others, but what are the numbers, and which one
> is best? Perhaps you have heard of NTBUGTRAQ. They have a database
> that tracks holes and this gives a good indication. Here goes, and
> you'll be surprised.

> - Commercial Unix : 271 (AIX, IRIX, Solaris, HP-UX and BSD/OS)
> - Linux : 147 (aggregate)
> - Windows NT/2000 : 146 (This is NT and IE together)
> - Windows 3.1/9x : 61
> - FreeBSD, OpenBSD: 42
> - MAC OS : 6
> - Novell Netware : 5

There are three kinds of lies: lies, damn lies, and statistics.
Correcting for market share (which influences both how often crackers look
for vulnerabilities in an OS, and how much damage exploits do once 
released), the only true measure of the security of an operating system is 
how easy your vendor makes it to apply security patches quickly and 
without interrupting critical operations.  If you run a server and you 
*don't* apply security updates, it's only a matter of time before someone 
breaks in, no matter what OS you run; and the more popular (i.e., 
'successful') an OS is, the shorter that time will be.  If you want to 
choose a secure OS, familiarize yourself with the *update* process, so 
you're comfortable both with the quality of the OS patches you'll be 
applying to your running system, and the availability of those patches 
when exploits appear.

> However, the big deal with OpenSource is that you can find and apply 
> patches to the source, or even fix it yourself, and a huge community is 
> working to fix these things as soon as they are identified.

Exactly, which feeds back into my second point (availability of fixes for
a vulnerability).  For the first point (quality of OS patches), I
recommend shopping around for a Linux vendor by asking other users of your 
target distro how much time they spend on applying security updates.  
Personally, I just run 'apt-get update && apt-get upgrade' after every 
security advisory; Debian may not have the prettiest GUI update tools 
around, but I certainly prefer not having to worry about what every new 
"fix" is going to break on my system. :)

Steve Langasek
postmodern programmer
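As an added example, not part of the original message or of any Debian tooling: a small POSIX shell script in the spirit of the "apt-get update && apt-get upgrade after every security advisory" routine above. Its defensive point is visibility before change: it runs apt-get in simulation mode, picks out the pending upgrades whose origin is a security archive, and only installs those when explicitly asked. It assumes a Debian or Ubuntu host with apt-get, root for the apply step, and the `Inst ... (version Origin:suite/component [arch])` line shape of `apt-get -s upgrade`; the sample simulation output embedded below is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the original message). Shows which pending upgrades
# come from a security archive before an advisory-driven 'apt-get upgrade'
# changes the system. Assumes Debian/Ubuntu with apt-get; apply step needs root.

# Read 'apt-get -s upgrade' (simulation) output on stdin and print one package
# name per line for each install whose origin mentions a security archive
# (e.g. Debian-Security or <suite>-security). 'Conf' lines are ignored.
security_updates_from_sim() {
    # Simulation lines look like:
    #   Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
    awk '$1 == "Inst" && /[Ss]ecurity/ { print $2 }'
}

# Constructed sample of simulation output (not captured from a real host).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  curl libcurl4 openssl vim
Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst curl [7.74.0-1.3+deb11u5] (7.74.0-1.3+deb11u7 Debian-Security:11/stable-security [amd64])
Inst libcurl4 [7.74.0-1.3+deb11u5] (7.74.0-1.3+deb11u7 Debian-Security:11/stable-security [amd64])
Inst vim [2:8.2.2434-3] (2:8.2.2434-3+deb11u1 Debian:11.6/stable [amd64])
Conf openssl (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])'

# Count how many of the pending upgrades in a simulation text are security updates.
count_security_updates() {
    printf '%s\n' "$1" | security_updates_from_sim | wc -l | tr -d ' '
}

# Live check: refresh the package index, list pending security upgrades, and
# install only those when the second argument is 'apply'. Nothing is changed
# unless 'apply' is given, so the listing step is safe to run from cron.
check_live() {
    apt-get update >/dev/null || return 1
    pending=$(apt-get -s upgrade | security_updates_from_sim)
    if [ -z "$pending" ]; then
        echo "No pending security updates."
        return 0
    fi
    echo "Pending security updates:"
    printf '%s\n' "$pending"
    if [ "$2" = "apply" ]; then
        # Word splitting of $pending is intended: one package name per word.
        # shellcheck disable=SC2086
        apt-get install -y --only-upgrade $pending
    fi
}

# 'live [apply]' talks to apt-get; with no argument the script only parses the
# constructed sample so it can be read and run without touching the system.
case "${1:-}" in
    live) check_live "$@" ;;
    *)    printf '%s\n' "$SAMPLE_SIM" | security_updates_from_sim ;;
esac
```

Run it with no arguments to see the parser pick out openssl, curl and libcurl4 from the sample while leaving vim alone; `sh script.sh live` performs the real index refresh and listing, and `sh script.sh live apply` upgrades only the security packages, which is the narrower, more reviewable change an admin wants after an advisory.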
