Subject: Microsoft Security Obstruction - Re: Security Bulletin Count for 2002 (MS vs RedHat)
From: Rex Ballard
Date: Mon, 04 Feb 2002 23:16:47 -0500
Newsgroups: comp.os.linux.advocacy,comp.os.ms-windows.nt.advocacy

Keep in mind that Microsoft has repeatedly attempted to
obstruct the announcement of vulnerabilities - even through
authorized channels such as CERT, until, after several MONTHS,
they come up with a "Bandaid" Fix.

At least Symantec comes up with the updates and gets the word
out that there is a problem.

Red Hat, and other Linux vendors have both the advantage, and
the disadvantage, of having hundreds of thousands of developers
who can browse through the source code.  As a result, security
fixes for attacks that would only happen on a system configured
by a bone-head administrator are exposed and fixed.

When you look at the nature of the fixes, you realize that
some of the security holes in Linux are almost ridiculous.  For
example, if you configure a public web server in the same way
that you would configure a Beowulf node, you will have a
vulnerability.

The catch is that you have to really know what you are doing to
remove the security required to configure a high-performance
Beowulf node, and if you were reading the documentation, you
would completely understand the concept of gateway nodes and
working nodes.

On the other hand, Microsoft has actually installed strategic
holes in their systems.  ActiveX controls, VBScript, and the
new .NET "invoke" tags all provide the wonderful capability to
pull applications from the web, install them on the hard drive
(implying the ability to write to the drive), and execute the
downloaded program.

The first rule of security on any system is "don't download
programs from unknown sources", and whatever you do, don't run
those programs in an unprotected environment (isolated from the
rest of the network).

Microsoft asserts that because the programs are "signed", the
signatures imply that the provider is known, and therefore
trustworthy.

If this were the case, we could have a "key server" pass out
keys to our house, and assume that everyone who was given a key
to our house is trustworthy, because they flashed the right
credentials to the key server.

Perhaps we should have our bank let anyone who flashes the
correct credentials give them, not only the amount of money
they request, but also the account balances and the ability to
return for second helpings.

When you run an unknown computer program in your workstation or
server, you are effectively giving the person who wrote the
program the free run of your computer, including access to any
file, or combination of files, and even the ability to download
additional files.

Sun's approach to the problem was to simply limit the ability
of external classes to access resources such as the hard drive.
An applet could access values on the server that originated
the applet, but not on any other server.  Microsoft decided
that this encumbered them too much and punched holes in the
sandbox.
When Sun tried to point out the security risks, Microsoft opted
to come up with C# and .NET, which would be unfettered by those
puritanical notions of protecting the user's workstations from
predator companies.

In the ideal world, every merchant, even the porno vendors,
would be perfectly ethical.  No one would pass your proprietary
information to a competitor, and your competitors would always
play fair.  Your customers would always have more than enough
to cover any thing they ordered on your web site, and vendors
would never process your credit card then send you a "rain check".

This is the real world, where customers order things they can't
pay for, by using someone else's credit card numbers.  In the
real world, that "hot teen" is actually a 70-year-old
grandmother who will drain your card to the limit before you
finish loading the first animation.  That customer you are
courting has decided to use another vendor, but has agreed to
run a little "hunter virus" to get some of the key elements of
your proposal, including your suppliers.  And that vendor you
have been ordering from is just about to announce the merger
with your fiercest competitor.

In the real world, we have companies like Enron and Microsoft,
who mislead customers, creditors, investors, and employees into
thinking that they have everything they need to make you
healthy, happy, rich, and sexy.  What they don't tell you is
that their biggest gambles aren't paying off, that their
competitors are about to cut into their profit margin, and that
the products they are shipping could have serious defects,
which may be harmful to your pocketbook.

Lester Devinson wrote:

> I stole this from a slashdot post (http://slashdot.org/comments.pl?sid=27444&cid=2951457)...
>
> Microsoft security bulletins (for ALL MS products combined)
> released in 2002: MS02-001
>
> Redhat security bulletins released in 2002: 2002-018 2002-015
> 2002-014 2002-012 2002-011 2002-009 2002-007 2002-004 2002-005
> 2002-003 2002-002 2001-171 2001-168 2001-165
>
> Off to a good start, aren't we??
>
> RedHat had 160+ bulletins in 2001, MS had (for ALL its
> products combined): <60 in 2001.
>

By the way, how many did Symantec announce?  How many were ignored for over 3 months before they were finally made public, along with a "Fix" that either so completely crippled core features as to render the software useless, or at least worse than the Open Source equivalent, or merely put up a flimsy "filter" that would block an easily changeable pattern used to identify the hack, such as the string of A's in Code Red, that were changed to Z's in Code Blue?


-- 
Rex Ballard
IT Architect
Leader in commercial use of the Internet and Open Source.
http://www.open4success.com
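The "flimsy filter" point above (a block rule keyed to a string of A's that is defeated by swapping in Z's) is easy to show in code. The following is an added example, not part of the original post or any vendor's product: it runs a literal-pattern filter and a structure-based rule over constructed sample request lines (not real worm traffic; the A/Z filler simply follows the post's description) and shows that only the structural rule catches both variants.

```python
import re

# Constructed sample request lines (not real worm traffic). Items 1 and 2 have
# the same shape and differ only in the filler byte, as the post describes.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /default.ida?" + "A" * 240 + "%u9090=X HTTP/1.0",   # filler of A's
    "GET /default.ida?" + "Z" * 240 + "%u9090=X HTTP/1.0",   # same shape, Z's
    "GET /search?q=" + "A" * 12 + " HTTP/1.0",               # short, benign run
]

# The "flimsy filter": one literal pattern tied to the filler byte seen once.
LITERAL_FILTER = re.compile(r"A{100,}")


def literal_filter_hits(lines):
    """Signature-style check: flags only requests with a long run of 'A'."""
    return [i for i, line in enumerate(lines) if LITERAL_FILTER.search(line)]


# Structural rule: any single character repeated 100 or more times.
REPEAT_RUN = re.compile(r"(.)\1{99,}")


def structural_hits(lines, max_query_len=200):
    """Structure-based check: flags an overlong query string, or a long run of
    any repeated character, regardless of which character the sender chose."""
    hits = []
    for i, line in enumerate(lines):
        try:
            _method, target, _version = line.split(" ", 2)
        except ValueError:
            continue  # not a well-formed request line; skip it
        query = target.partition("?")[2]
        if len(query) > max_query_len or REPEAT_RUN.search(query):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("literal filter catches:", literal_filter_hits(SAMPLE_REQUESTS))
    print("structural rule catches:", structural_hits(SAMPLE_REQUESTS))
```

The literal filter flags only the A-filled request (index 1); the structural rule flags both the A and Z variants (indices 1 and 2) and leaves the short benign query alone.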