Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Software Linux

Reflecting on Linux Security in 2003 167

LogError writes "Here's a look at some interesting happenings with Linux security in 2003 with comments by Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux")."
This discussion has been archived. No new comments can be posted.

Reflecting on Linux Security in 2003

Comments Filter:
  • by qewl ( 671495 )
    It's better than Microsofts! Sorry, I do not mean to troll..
    • "It's better than Microsofts! Sorry, I do not mean to troll.. "

      Ah. Little low on karma then?
    • by Elektroschock ( 659467 ) on Friday December 26, 2003 @07:44AM (#7811963)
      Listen what Ms say in its advertisements about Linux Server security:

      Take a look at the german MS advertisement [indymedia.org]

      - no GUI for linux server on old hardware
      - authentification with uncrypthed text as default
      - no Kerberos support
      - no smartcart authentification support
      - no public key infrastructure with directory service
      - no default cryptho file system

      translated "the protection of sensitive business data can only partiell be done with Linux"

      - bug fixes by "free will" contributors (may be okay for hobby applications, not for sensitive business data)
      - few professional trained specialists

      - Linux as a problem and cost trap

      --- don't tell me this is FUD :-)

      • Rebuttal to MS (Score:3, Insightful)

        by bhtooefr ( 649901 )
        - XFree86 will run on a lot of stuff. However, why do you need a GUI? Last I checked, you were developing a better CLI...
        - SSH?
        - No Microsoft proprietary Kerberos support. There's Kerberos, just not MS Kerberos.
        - I'm pretty sure it's there, and if not, someone can whip it up quickly.
        - Hmm... Samba, anyone?
        - I thought most of them WERE crypto...
        - The "free will" contributors do a better job and go through more of a review process than your patches, thank you very much
        - That's just pure BS
        - No. Initial cost i
        • Your're right. We know it. I guess Microsoft knows it too. I just wanted to show their Propaganda.
          • Please compare this [securitytracker.com] and this [securitytracker.com]. To be blunt, neither of them appear to be the apex of computer security; people need to stop kidding themselves about how secure Linux is, or it will never get better.
            • Most of those seem to be optional software on both sides. Also, more of it seems to be optional on the Linux side. I'm not saying that Linux is "t3h s3kur3 05!", I'm saying it's better than Windows. If you want so-damn-secure-it'll-survive-every-cracker-in-the- world, get OpenBSD. If you want a decent OS that's better than Windows, get Linux.
              • Im sorry, but I dont buy that. If you want to say "better", you need to quantify it.

                Looking at the Windows page, most of it is likewise optional. However, poke around Security Tracker's site- you have a greater chance of getting r00ted with Linux (assuming all other things are equal), IMO.

                Thats why, of course, computers need full-network security. Having a computer connecting to the internet without a firewall is lunacy, even for home users.

                My point isnt to get into some OS penis-size arguement. It's to

                • By better, I mean that Linux is more stable in certain applications, more secure from the desktop, not necessarily through the ethernet cable, and has less draconian licensing. I don't deny that Windows has it's uses - this laptop dual boots between Win2K and SuSE 8.2 (except the registry is chkdsked on the 2K partition, so it won't boot, and attempts to repair or reload it just lock the computer up - I'm tempted to blow out the partition, and resize the SuSE partition).

                  BTW, it looked like those were servi
                  • No, I know what YOU are saying, but Im asking you to quantify it with something other that 'dude states something as fact on an Internet forum'. My favorite reference is security tracker, but there is a whole world wide web of information out there for you to cite.

                    For example, there has to be somebody who did a side by side comparison of Windows 2000 (or XP) and Linux. Maybe they even have pretty bar charts showing operating speeds, Quake3 framerates, etc.

                    Much, much more credible and informative than the

    • ...the security breaches of GNU/FSF (twice), Debian, GNOME, and Gentoo. All within six months!

      Don't troll if Linux has its flaws like any other operating system does.
  • I've heard about vulnerabilities in a timely manner, and been able to patch them similiarly.

    I haven't been r00t3d.

    Sweet.

    • Re:It's been great (Score:3, Insightful)

      by danidude ( 672839 )
      I haven't been r00t3d.

      Too bad Debain can't say the same thing :)
      Sorry, couldn't resist. I'm a Debain user myself, and I think the wayt they handled the thing was very brave and honest.
  • Nice idea (?) (Score:5, Interesting)

    by Elie De Brauwer ( 656349 ) <elie@de-brauwer.be> on Friday December 26, 2003 @05:06AM (#7811773) Homepage
    Quote from the article: SecurityFocus columnist Hall Flynn notes that he doesn't understand why Linux vendors that put so much time and money into creating security patches distribute them for free. --> Just imagine the amount of e-mail worms there could be out there if people would have to pay for outlook updates.
    • Re:Nice idea (?) (Score:5, Insightful)

      by The One KEA ( 707661 ) on Friday December 26, 2003 @05:08AM (#7811779) Journal
      Forcing people to pay for security updates would be so incredibly stupid that it would guarantee the insecurity of even more Internet-connected machines than right now. I think that security updates for ANY OS or application, irregardless of the status of its source code, should be free and available for everyone.
      • Indeed in fact it is the fault of the author, and if someone does something wrong, the only sane thing to do is to try to correct the mistake as quickly as possible.
      • Re:Nice idea (?) (Score:5, Interesting)

        by Mostly a lurker ( 634878 ) on Friday December 26, 2003 @05:41AM (#7811831)
        I think that security updates for ANY OS or application, irregardless of the status of its source code, should be free and available for everyone.

        I am not disagreeing, but there is an implied assumption in your post: that fixes are always available. A serious security issue will rapidly be fixed in any widely used open source product. With closed source products, provision of a fix is at the whim of the vendor, and serious security exposures can sometimes go months without a fix.

        • And it's even more in the vendor's best interest to get security holes patched as quickly as they can, as too much negative press about such things will lose them sales to competing products.
        • Re:Nice idea (?) (Score:3, Interesting)

          by The One KEA ( 707661 )
          I think you just agreed with me....

          What I was trying to say was that irregardless of whether or not the OS or application in question has source available or not, when a security problem is discovered involving one of those items, the fix should be written, tested and made freely available without expectation of renumeration. Especially in the case of OSS security fixes.

          I don't mean to beat a dead horse here, but that's another advantage of open source: when security problems appear, the fixes for tho
      • Re:Nice idea (?) (Score:5, Interesting)

        by Cody Hatch ( 136430 ) <cody@@@chaos...net...nz> on Friday December 26, 2003 @07:35AM (#7811953) Homepage
        Mmm, your close. More correct would be:

        Forcing people to pay for security updates would be stupid IF it guaranteed the insecurity of a greater number of Internet-connected machines.

        You are, of course, assuming that a smaller percentage of people will install the available patches if they have to pay - which is obviously true. You are also assuming that nobody will be lured to write a patch for an unsolved vulnerability by the thought of large piles of cash, which is obviously incorrect.

        To put it another way, by limiting the price to zero, you will cause a shift in both the quantity demanded and the quantity supplied. When there is a shift in both, you can make no conclusions about the net effect on the equilibrium point. :-)

        In *general*, it would be quite silly to charge for a patch to Apache - but its easy to imagine a specific case (maybe a remote root exploit) where volunteers might be able to deliver a patch in 36 hours, but someone might be willing to pay for a patch delivered in 12 hours[1], even knowing that another 24 hours would give them a comparable patch for free.

        In that situation, how could you possibly argue that banning payment (meaning there won't be any patch for the full 36 hours) possibly do any good? Or for an even better example, what about for a program so old and/or obscure it simply won't BE patched if someone doesn't pay?

        [1]: Feel free to substitute your own times if it makes the example seem more realistic to you. Hours, days, weeks, minutes.
    • Re:Nice idea (?) (Score:1, Insightful)

      by Anonymous Coward
      Hal Flynn has apparently never read the GNU GPL.
      Any patch on a GPLed software has to be under the GPL itself, and thus charging for it will be quite pointless: once someone has payed for it, he can redistribute it freely, including for free.
      And since the patcher has to distribute the patch source, the patch can readily be included into the original source code...

      So Hal Flynn's idea is not only discutable rearding the responsibility of the vendor, it is also legally incompatible with the free software licen
    • Well I don't understand why a software vendor might think it reasonable to charge to correct inherent design flaws in their product.

      We're not talking upgrades here, more like a recall.

      There are aspects of the software industry that would be considered just plain daft, or even criminal, in any other.

      KFG
    • by Crypto Gnome ( 651401 ) on Friday December 26, 2003 @09:14AM (#7812126) Homepage Journal
      Terry Pratchett (in his many and various Discworld novels) overed this quite clearly.

      The Patrician privatised everything.
      I mean everything
      All the usual goings on in a big city (eg crime) were arranged much like insurance is today (in our world).

      Unfortunately (you knew I was going to say that).... The Fire Department got into the insurance business (have to raise money somehow) - specifically FIRE insurance.

      This ended up with them having such pleasant conversations (amongst themselves) while walking down the main business streets.

      My My. Such lovely Old Buildings. Wonderful WoodWork. Would be such a shame if one of them should catch fire. Would prolly burn most of the city down. Oh Dear! What a disgrace that would be.

      Basically, in our world, most people recognise that such a situation (ie charging to fix something that you should not have broken in the first place) would very rapidly lead to (essentially) rampant wholesale uncontrolled extortion.

      If a company were to charge you for security and other bug fixes, they would then have a strong financial incentive to produce shoddy bug ridden software and frequent updates.

      Product quality would decrease, and administration overhead would increase.

      It's the same issue with charging for software subscriptions. What is their incentive to produce another updated version with new features? After all they've already got your money.

      A Software Subscription (with ALL updates FREE for 5 YEARS !!!!) does nothing more than make software updates come out once every 5 years.
    • Re:Nice idea (?) (Score:3, Informative)

      Securityfocus belongs to Microsoft, that seems to be very likely. They don't seem to be experts in It security.
      • Securityfocus belongs to Microsoft, that seems to be very likely. They don't seem to be experts in It security.

        That's not even a good troll. Actually, SecurityFocus is owned by Symantec Corporation [securityfocus.com]:

        SecurityFocus was acquired by Symantec Corporation in the fall of 2002, and Symantec has since incorporated the SecurityFocus commercial products DeepSight Threat Management System and Alert Services into its product line. Part of the purchase agreement was to keep SecurityFocus as an independent Website t

  • by jkrise ( 535370 ) on Friday December 26, 2003 @05:33AM (#7811810) Journal
    A simple backup-restore utility that allows users to backup all their filesystems, and restore them in the event of a crash. A separate unnmounted filesystem to store the 'image' - no worm can get past this simple strategy. A major security breach? Simple:

    1. Remove network cable (OR) Internet connection.
    2. Boot from tomsrtbt
    3. Mount backup partition(s)
    4. Run simple restore script.
    5. Reboot and enjoy!

    Can any other OS do this, with off-the-OS tools?

    -
    • by puffing_billy69 ( 569754 ) on Friday December 26, 2003 @05:43AM (#7811833) Homepage
      Unless you've been 0wnz3d for weeks, and simply restore the trojans and rootkits with a restore, unless you're using some md5ing on your /etc and other things, or tripwire or whatever.

      • surprisingly tripwire was ripped out of RedHat Enterprise.

        In addition it can compile the rh9 src.rpm fine, but won't execute!

        Arg, I think RHEL is a piece of junk. For anyone who runs a LAMP it's actually a better bet to use one of the rebuilds, unless you want to be in charge of building a whole slew of rpm's when errata comes out for mysql, etc.
    • Yes, I can.

      And what's the big deal with that?
      ANY flavor of UNIX and many more os'es can do that.

      By the way, it's very impractical - for example, I have fast enough changing information, multi-Gig sized and important on my box. It changes near fully in term of week.

      PS. best solution for ANY PROBLEMS - 'universal Belkin patch' :

      sudo
      cd ../
      rm -R -P -f -v

      PPS. It also checks your system for true UNIX compatibility!
      Enjoy! ;)
    • no worm can get past this simple strategy.

      I hope you don't keep those unmounted disks physically attached to the system. People have been lucky, because all worm writers to date have been kind-hearted enough not to zero out all of the systems' hard drives or flash their BIOSes. You have no guarantee that the next worm won't be written by a real asshole.

      Probably even worse: a worm that quietly opens a back door to your system without you even knowing it. You could go run for months with your system tota

    • The problem with this approach is that most compromises are not detected immediately. Most are found days, weeks or months after the actual breakin. Meanwhile, the compromised files are faithfully backed up. This means that restoring from backup will most likely place the same compromised files in place.

      You could set up your backup script to md5sum or a similar mechanism to check files, but it still requires "situational awareness" to know what the differences are and why these diffs occurred. Most diffs a
    • by utahjazz ( 177190 ) on Friday December 26, 2003 @12:31PM (#7813171)
      The breaches that do real damage are ones where private info is stolen, like all the custmers' credit card numbers.

      Tar your way out of that.
    • Sure, give me physical access to the machine, as you require, and I can do as much damage as I want - even install Windows!
  • by bmajik ( 96670 ) <matt@mattevans.org> on Friday December 26, 2003 @05:35AM (#7811821) Homepage Journal

    Oh boy! An article which takes 1 authors clearly subjective feelings, piles on the anecdotes, and pronounces evidentiary conclusions!

    From reading this, it would appear that Gagne is pretty much what happens when you give a linux zealot some airtime. I'll comment on just a few things i got a kick out of:

    At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent."

    but then we have

    The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go back to when the next critical flaw is uncovered.

    So which is it ? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)

    "Frankly, it seems incredible that this is even open to debate.

    There's that objective analysis shining through. Definitely not the words of someone pushing a beleif as opposed to an argument :)

    One need only read the newspapers, listen to the radio, watch television or work in an office where Windows is widely used

    Which papers would those be ? The ones that manage to not mention that FSF, Debian, and Gentoo all had their Root file distribution servers OWNED in the same year ?

    has nothing to do with Microsoft's market penetration.

    riiiiiiiight. Let me tell you what. if windows update gets owned, you will hear about it in the papers, and on the news, etc. And it wont be because of the magnitude of the issue - because it happend to the FSF, Debian, _and_ Gentoo _first_. When something goes wrong with microsoft software, it hits the whole internet. It's a market share issue.

    It doesn't hurt that at its very core, Linux is designed with security in mind.

    What do the original UNIX authors have to say about designing UNIX from the ground up with security in mind ? A history of linux will show a few things, I think.

    • UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!
    • linux wasn't designed with security in mind - it was cloned from a system which had security evolved and grafted onto it (unix). secutiy is about trying to get perfect code out of imperfect people, and moreover, trying to get perfect designs out of imperfect people. NT _Was_ designed from the ground up with security in mind. The security training happening recently at MS had a lot more to do with sloppy coding and thinking about security at every layer of the platform then it did with redesigning NT's security features (which are actually quite advanced)
    • remember when anyone could remotely kill a linux box with the right udp packets ? was that security by design ?

    No need here for launching a security initiative after years of neglect."

    Or, said another way - "not too much new ground to cover making a freeware clone of 25 years of operating system research!"

    Despite the fact that I do not run a Microsoft computer in this office,

    why am i listening to your opinion of MS software again ?

    costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact

    Really ? which documents ? Where are the documents that talk about how much money business MAKE by leveraging software - Microsoft software. If, overall, MS software is hurting business financially, why dont they go back to notebook paper ? Why not use linux ?

    This article is pretty much a non-article.

    • by Space cowboy ( 13680 ) on Friday December 26, 2003 @06:32AM (#7811891) Journal
      Agreed, the "article" was horribly biased, and you rightly cast aspersions on the author's integrity, but normally when critiquing someone in this way, you might also point out the glaring errors in *what* (s)he says, as well as showing *why* what (s)he says is wrong. I'm not sure anything he says is *wrong* per-se (at least on the linux front - I don't know enough about the win32 side to comment). I do think it needed to be couched in a more balanced article though...

      As for your points about ssh, yep they're security products, that's why the instant someone finds something wrong, it's important to broadcast that info far and wide. No-one (should, at least) expects the code to be perfect because it has an extra 'S' in the name. We do expect a careful approach to security, and an open one too. I don't believe you do yourself much credit with this argument - it's about ssh anyway, not Linux.

      I doubt WU has been owned by anyone, but if it had been, the sensible approach to take would be for the perpetrator to contact MS and tell them they've just distributed X million 'delete-the-system' virii to their customers, and it'll cost 100 million dollars to get the 'undo' key... It would then all be dealt with quietly. Open source is ... unlikely ... to follow this route :-)

      Simon.
    • by warmcat ( 3545 ) * on Friday December 26, 2003 @07:22AM (#7811942)
      I was trying to decide whether to mod you as Flamebait when I went back and looked at your posting history to look for troll footprints.

      '' I agree with you completely, and i work for microsoft :) [slashdot.org]''

      You could have mentioned that you are a MSFT employee in your impassioned defense of MSFT here. I have Box Toxen's ''Linux Security'' book, its pretty interesting. But your post seems to be a big ''we're all as bad as each other so ignore the fact I am evil'' astroturf.

      Something you might want to chew on is the different value proposition of being given control of sources for software for free, vs being trained into a dependent monkey for whatever MSFT give you. Merry Christmas!
      • Oh, you've got to be kidding me. You really think that this quote from his post:

        "Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)"

        Is an "impassioned defense of MSFT"? Do you honestly think just because someone works for a company that they have no rights to opinions anymore?

        The fact of the matter is, he is right. The article is *NOT* what it claims to be. It's not any kind of a
    • So which is it ? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)

      I don't see a contradiction. Gagne is implying that most users will upgrade and manage patching there own systems. However, if you decide to stay with an older version (for whatever reason) you have access to the full source code and can either patch it yourself or hire someone to do so. How can you do that with MS w

    • At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent."

      but then we have

      The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go

    • First

      costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact
      Really ? which documents ?

      From 2001 - CNN Survey: Costs of computer security breaches soar

      • http://www.cnn.com/2001/TECH/internet/03/12/csi. fbi.hacking.report/">

      Second

      With every year since the birth of Linux we've only seen improvements so I think there's only a bright future ahead.
      I'd argue that with each year of Windows, we've only seen

    • by Anonymous Coward
      [qoute]
      * UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!
      [/qoute]

      Yes. Unix was created for the specific purpose of multiusering operating system. It was designed in a era were you had big mainframes with lots of little terminals and you shared everything.

      The main difference between it and other OS designed in that era (and why it is still around) is that it is designed to be completely portable OS, thru the extensive use of C. Meaning tha
    • UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!

      I believe that the answer to this is, yes, it was multi-user from the beginning. Remember, UNIX was initially developed in an era when computers were physically large and so expensive that it was a basic assumption that more than one person would use the machine. It was also intended to be a time-sharing system, so was designed with the idea that more than one person would be using it at the

    • Which papers would those be ? The ones that manage to not mention that FSF, Debian, and Gentoo all had their Root file distribution servers OWNED in the same year ?

      Uhh, no they didn't. At least in Gentoo's case it was a single independent mirror that got owned. The root servers were not compromised. Pay attention to the phrase independent mirror.

      In the Debian incident there were 4 servers compromised but none were "root file distribution servers" in the sense of main/contrib/non-free. From the newsp

  • Security (Score:5, Insightful)

    by dexterpexter ( 733748 ) on Friday December 26, 2003 @05:36AM (#7811822) Journal
    In my experience with both Operating Systems, I have often found that a lot of the insecurity lies with the user. Again, this is just my observations and not hard fact, but I have found that the average Linux user is more aware and technologically savvy than the average Windows user. Linux has traditionally served as a geek playground whereas Windows seeps into the marketplace on new-from-the-store PCs and thus is usually the first operating system most people learn on. My mother, who would "never try an operating system like 'Linus'" is just as oblivious to the necessity of a good firewall on her machine. In fact, before I intervened, she nor any of her friends even had one. Worse, they were under the opinion that you can not retrieve email without Outlook, and that Internet Explorer was the internet. That might sound preposterous to you or I, but I have found this to be true of many casual PC owners. So, beyond security problems inherent in code are problems inherent in the user as well.

    Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success. Now, I do not subscribe to the idea of thousands of users pouring over the source code and fixing security holes, but I will assert that the small number of users who actually contribute to the community do a fine job of it, and are extremely dedicated. What Open Source offers is the ability to pour over the code, even if most of us don't take advantage of this. M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard. You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$." ;) Hmmm... that seems vaguely familiar. :)

    If I had to put my money down on which one was more secure, my money would go on Linux.

    -dexterpexter
    • Re:Security (Score:5, Insightful)

      by bmajik ( 96670 ) <matt@mattevans.org> on Friday December 26, 2003 @06:00AM (#7811849) Homepage Journal
      M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it

      do you have any substantiation of this ?

      You may have heard something about software engineering, but if not, i'll tell you. The later you discover a bug, the more expensive it is.

      Lets take some examples.

      • Developer writes code with bug. Next day, tester finds bug and tells developers. Cost to fix ? - low, because code is fresh in developers mind, and the impact is roughly 1 tester and 1 developer.
      • Developer writes code with bug. Bug isn't found because tests dont cover it yet. Developers code lives on for weeks. Other code is written which uses that code. Dependant behaviors make their way into other parts of system. Finally, test is written and run which finds bug. Now we've got a problem. Developer has to figure out where the hell the bug is. Then developer has to figure out what the cause is. Then developer has to consider the impact to any code which has been written since the bug was introduced. Developer has to come up with a fix that fixes the original bug but doesn't introduce a new bug.
      • developer writes a bug. This but isn't caught until Beta 1. Bug prevents product from installing on 1/8th of real-world customer machines. 1/8th of most important customers have worst possible product experience - they cant install product. All existing CD's with this build need to be destroyed (they're garbage). developer needs to drop everything they're doing (the're working on beta 2 by now), crack open the beta 1 code (it was forked off for stabilization and may already have been removed from beta 2 tree), and propose a fix. developer thinks about everything that might possibly depend on code with bug. developer has to come up with a fix that unbreaks 1/8th of users, but doesn't break any other users.
      • bug makes it into shipping product. userbase is now entire planet. bug prevents product from installing on 1/8th of computers. sales expectations are missed by at least 12.5%. Customer satisfaction is down by at least 12.5%. Developer stops working on version n+1, cracks open the code for the shipped product, and begins investigating a fix for SP1. Customers with support contracts are going insane because their business is down. single-customer fixes (QFEs) must be prepared on 24hr schedule to unblock customers. these patches are customer specific and are separate from what gets rolled into SP (the minimum amount of code change to unblock a customer is what we're talking about - not generally suitable for wide deployment). The developer may need to do one QFE for each major customer (they may have slightly different failure modes ?)

      I think you get the idea. If a bug makes it out into the public, it will cost microsoft at least $100,000, at a minimum.

      So, do you think bugs make it into the code because the emphasis is on cranking out software quickly, without caring about the quality ?

      • Re:Security (Score:5, Interesting)

        by dexterpexter ( 733748 ) on Friday December 26, 2003 @06:11AM (#7811863) Journal
        I absolutely agree with every point in your bulleted list. But the short answer is yes, I do believe that bugs make it into code because of emphasis on cranking out software quickly. It would seem illogical to do so, true, but the sad truth is that it happens and I have watched in horror as it has happned at the place at which I work. When the CEO comes in screaming "ship it! ship it!" and you are given very little alternative, that is exactly what happens. And yes, it does cost more money to repair the bugs later than sooner, but management knows no logic, and developers many times get no say in when their project ships.

        Jack Ganssle gave a very nice keynote speech at the recent Boston Embedded Systems Conference that touched on those very same problems. We all know better, but it still happens. And no, not just at M$. However, when you can crank out a new OS every couple of years and the sheep still buy it despite knowing that the OS is unstable, then why not?

        Some of the security holes that we have seen come from M$ products (and other products as well!) show the lack of real testing... problems that never should have been seen by the end user.

        • Re:Security (Score:5, Insightful)

          by evilquaker ( 35963 ) on Friday December 26, 2003 @09:08AM (#7812119)
          When the CEO comes in screaming "ship it! ship it!" and you are given very little alternative, that is exactly what happens. And yes, it does cost more money to repair the bugs later than sooner, but management knows no logic...

          There most certainly is logic. I know because I've been in that situation. While I'm not a CEO and I'm not in the software industry, I have released a product with "bugs" which we'll try to work around or fix eventually. So I think I understand the desire to ship things before they're "ready".

          It comes down to two simple words: market share. Every day, people are making decisions and buying products that serve their needs. If they're not buying your product, then they're buying your competitor's product. Moreover, if you don't have a relatively recent product, you start to lose mindshare. It's very possible to release a product so late that even though it's the best, no one cares anymore: they all bought a competitor's product and are locked in to it. So in a very real sense, every day you delay the release date is costing you money.

          Thus, you need to balance the desire to ship a product with no bugs with the desire to have a product in the market now. And the way to choose when to do that is to balance the monetary costs and try to release the product when the cost is minimized.

        • The fact of the matter is, as humans we're alwasy going to miss problems. Until software verification becomes so completely automated this will continue.

          One can say the same about many products, including Linux. We shouldn't have seen the kinds of problems we saw in the early 2.4 kernels. We shouldn't be seeing the kinds of problems from Sendmail, OpenSSH, wu-ftpd, and a host of other "usual suspects" either, but we do.

          Open source tends to ship early and often just as much as closed source. We just hi
      • Re:Security (Score:5, Insightful)

        by John_Sauter ( 595980 ) <John_Sauter@systemeyescomputerstore.com> on Friday December 26, 2003 @08:30AM (#7812036) Homepage
        So, do you think bugs make it into the code because the emphasis is on cranking out software quickly, without caring about the quality ?
        The parent has an eloquent description of the software development process from the point of view of fixing bugs. The conclusion is obvious: it costs less to fix bugs sooner rather than later, and every software development manager agrees with this. However, the reality is that software is coded quickly, without regard for quality or testing, and shipped as soon as possible.

        Why? There is an unvoiced feeling among software managers that they had better get the product on the shelves by Christmas or their careers will suffer. In the extreme, they become yes-men, telling their bosses only what is pleasing, with no regard for the truth. Too many yes-men and the company crashes because top management is not aware of problems until it is too late to fix them.

        The solution? Software product managers must have the intelligence to recognize when their product needs more time, and the courage to tell their superiors the bad news. To encourage that behavior, top management needs to be tolerant of bad news, and not limit the careers of their subordinates who bring it.
        John Sauter (J_Sauter@Empire.Net)
        • top management needs to be tolerant of bad news, and not limit the careers of their subordinates who bring it.

          Even more importantly, management needs to recognize bad news as input variables and nothing more. A lower manager shouldn't be making the decision whether to ship now or later; they should be able to openly pass accurate information upward to more appropriate decision makers.

          A CEO may decide that software is too buggy to ship based on input from below, or he may decide to push the release date

          • A CEO may decide that software is too buggy to ship based on input from below, or he may decide to push the release date. A junior team leader shouldn't be the one making that call, although a culture of fear tends to make that exactly what happens all too often.

            Who makes the decision on whether to slip a product for quality reasons depends heavily on the size of the company. When I worked for Digital Equipment Corporation, we did not expect Ken Olsen to make those decisions. Generally, the tension was

      • Re:Security (Score:3, Insightful)

        by man_of_mr_e ( 217855 )
        What you say is true, but the person you are responding to also has a point. Products of all kinds (not just software) are often shipped with known defects (and many unknown ones) for a variety of reasons. Ed Yourdon in one of his books (either "Deathmarh" or Rise and Resurection of the American Programmer, I don't remember which) advocates that there's such a thing as "good enough" software. This is software that isn't perfect, but is cheaper and faster to market than a competitors that strives for perf
    • Re:Security (Score:5, Insightful)

      by azaris ( 699901 ) on Friday December 26, 2003 @06:30AM (#7811889) Journal

      In my experience with both Operating Systems, I have often found that a lot of the insecurity lies with the user. Again, this is just my observations and not hard fact, but I have found that the average Linux user is more aware and technologically savvy than the average Windows user.

      This is a simple result of the law of large numbers. If we assume "technological savvy" is normally distributed within the population then very small samples can have on average very high "savviness" rates. Once the sample size grows the average "savviness" goes down and approaches the mean (which in today's world is still quite low) asymptotically.

      Linux has traditionally served as a geek playground whereas Windows seeps into the marketplace on new-from-the-store PCs and thus is usually the first operating system most people learn on.

      And herein lies the problem of making blanket statements: yes, most people who are not experienced with computers do run Windows at home. Of course they're going to get infected with something! They lack the experience to mitigate risks and to know what they should never do. DOS didn't have one tenth of the complexity of the latest versions of Windows and stupid DOS users still got viruses all the time.

      Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success.

      I'm pretty sure a bunch of CS majors deriding SCO on /. won't help Linux kernel development all that much or attribute to any possible success.

      M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard.

      You are Eric S. Raymond and I claim my free-as-in-beer Tux merchandise.

      You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$." ;) Hmmm... that seems vaguely familiar. :)

      Naturally, since you won't find the "Linux community" putting out any patches at all, ever. They're always put out by individuals or by companies/devteams that simply wish to produce the best possible product for their users.

      If I had to put my money down on which one was more secure, my money would go on Linux.

      The best way to keep you computer system secure is to make sure it's not run by idiots. How do you accomplish this? Make sure it's as complicated as possible[1]. For a long time Unix had this going for it, which means that Unix administrators had to have a lot experience coupled with knowledge and consequently would usually run a secure network.

      By comparison, since "any idiot can run a MS network", then idiots were hired to run MS networks, with predictable results.

      [1] The same principle actually works on a broader scale. Intrinsically hard topics tend to gather a more knowledgeable crowd while idiots flock to the easy topics like politics, religion and such. Which usually means that the level of discussion over political topics is far lower than that, say, for hard sciences.

      • Re:Security (Score:2, Insightful)

        I am not sure if you are attempting to argue with me or not, but it sounds like you are actually agreeing/clarifying points that I actually meant, but are better said by you.

        I am sure that the average Linux user was at some point technologically unsavvy, but you usually find that individuals who migrate from Windows to Linux are those users with at least some grasp on what they are doing. However, that does not change the end result, that being that the average Linux user probably has some idea of how to
  • SSH and SSL (Score:5, Funny)

    by PacoTaco ( 577292 ) on Friday December 26, 2003 @06:08AM (#7811860)
    I think it's ironic that the two things I had to patch most often this year were OpenSSH and OpenSSL. What does that first 'S' stand for again?
    • by Anonymous Coward
      Encrypted.

      Your point?
    • What does that first 'S' stand for again?
      Shaky? Suspect? Speculative?
    • I think it's ironic that the two things I had to patch most often this year were OpenSSH and OpenSSL. What does that first 'S' stand for again?

      SCO?

    • Re:SSH and SSL (Score:5, Interesting)

      by jc42 ( 318812 ) on Friday December 26, 2003 @10:59AM (#7812515) Homepage Journal
      I think it's ironic that the two things I had to patch most often this year were OpenSSH and OpenSSL.

      Well, I'd think that this is a Good Sign. The term "secure" doesn't really mean that no holes exist. That's hardly likely. What it really means is that no holes are known. Or, a hole was just discovered, and we're working furiously to fix it.

      The fact that these patches came out really mean that the OpenSS[HL] crowd is 1) actively looking for problems, and 2) fixing them rapidly. In particular, they don't hide the problems behind a shield of secrecy, and they don't collect patches into sets to be released when the PR people decide it's appropriate.

      If their patches taper off, it will be time to take a skeptical look, to make sure that people are still actively attacking the OpenSS* code and trying to poke holes. If this process stops, we should worry. If people are still studying and attacking the code, but failing to find holes, we'll know we're in good shape.

      But we aren't quite there yet. So the patches are a Good Thing.

    • SSH and SSL are very attractive targets... breaking them is like breaking through a building's wall (the inside elements of the system are probably not as well protected). As a result of the high reward of breaking SSH or SSL, a lot of effort is going into attacking / checking the code.

      Also, any exploits that are found/patched are pretty serious, if for no other reason then that they are part of SSH or SSL. (The same exploit in Solitare would not rate near the same level of attention.) When the bad guy
    • Lucky you. I was busy patching my friends Win2k clients to get rid of blaster. *sigh*

  • by Anonymous Coward
    Now don't break your arm patting yourselves on the back. That article hasn't really stated ANYTHING new or anything of even mild interest. Yeah Steve Ballmer said windows was as secure as linux, did anyone actually BELIEVE the guy? Maybe the non-techies, but this article is really only going to be read by /.ers which is the epitome of geeky techs. What point did this article actually have other than calling the kettle black?
  • Short on facts (Score:2, Interesting)

    by iron_weasel ( 415177 )
    I found the article not very informative.
    It had a lot of verbiage but thats about all.
    'Someone said this, someone said that, yada yada.'

    Exactly how many holes were there? How many known of are still there? "Where's the beef?"
  • The open source development model insures that Linux code is open to scrutiny at the most basic level
    That should be "ensures" not "insures".
    Shame this advocate can't apply the principles himself - getting a peer review of the article should have picked up that simple mistake (assuming that his peers, at least, lernt gramer at skuwl)

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...