"Obviously many Microsoft software products are less secure than comparable systems, any objective look at the figures and history shows this clearly."

And just as obviously many non MS software products are less secure than comparable MS systems.

"People who count Bugtraq vulnerabilities and then shout "see Linux is worse" just missed the point entirely. The issues are severity, and diversity."

While I agree that severity is the main issue, I'm not sure I can give Linux the advantage here. Many of these Linux vulnerabilities allow you to be "rooted", how much more severe can you get?

"For example some of those vulnerabilities still concern sendmail, and no one with concerns about security uses sendmail."

Couldn't the MS user do the same thing? For example if MS Internet Explorer is considered insecure the MS user can use any one of dozens of other available browsers.

"The specific low quality of MS products is presumably the result of low quality control at Microsoft, which itself is probably a result of a monopoly position."

My bet is on the fact that security wasn't such a huge issue until recently. Go back five years and look at the number of virii/hacks and compare them to today. As such the programmers didn't concentrate on security issues.

"To hear people say "just run an AV system", misses the point. First most other systems don't and have no virus problem. Second AV system suffer from an obvious race condition. Third viruses are only a small part of the real problem. Fourth they are a big performance hit."

First, this arguement only works _IF_ this article is completely accurate and Linux won't suffer the same fate if/when it becomes popular. Second switching to Linux to avoid virii is completely pointless if the software you want to run isn't available on Linux. In other words, security isn't the only concern when choosing an OS. In fact, as far as the typical user goes it's probably near the bottom of the list.

"I think the numbers clearly demonstrate that many Microsoft products are below par when it comes to security."

I think the numbers clearly demostrate that many "Linux" products are below par when it comes to security.

"Running as root.... yes if you hand out Linux systems to joe public some will run as root, although some distros will refuse to start X, or display hideous warning messages. So I don't think this is a big issue, except where vendors have failed to discourage."

When talking about home users, running as root or not is rather meaningless. The average home PC uses a single login. So if that user is attacked by a virii/worm/hacker etc. all the user data is at risk. Who cares about the system files, they're easily reinstalled.

Second, with the number of root exploits out there it doesn't really matter if the user is running as root does it?

"With millions of Linux boxes out there, not all of them are being run by people as talented as Linus. Which is the picture the Microsoft apologists seem to want to paint, but a sensible choice of default services by most modern distro's has avoided anything like the XP DCOM farce."

I think you're missing the big picture. XP is geared towards home PC users. Such users are typically not that computer savvy and want convience over security. As such XP tends to have everything "turned on" where Linux has things "turned off". Certainly the Linux model is more secure but it also less convient. If Linux wants to go mainstream it's going to have to be convient. The trick is becoming secure and convient at the same time.






[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/188/23032#23032