OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [ISN] Linux: Testing, Security Concerns Raised (fwd)

From: William Knowles (wkC4I.ORG)
Date: Thu May 04 2000 - 03:37:19 CDT

[Forwarded by: Darren Reed <darrenrreed.wattle.id.au>]

[Moderators note: I'll forward a few more of these before
this turns ugly, then later into a OS holy war. :) -WK]

This should maybe go offline from ISN as I can see flames building here,
if I haven't started it myself :>

FWIW, when I talk about Linux, I mean just the kernel, not Red Hat or
SuSe, etc.

In some email I received from William Knowles, sie wrote:
[...]
> > The security opening came as a surprise to some Linux users, who have
> > considered the operating system (OS) either so well-designed or so
> > obscure that it didnt have the same security problems as Windows. Now
> > most parties agree that is not the case. The appearance of a security
> > issue at a time when users are still asking for more applications is
> > unlikely to bolster the fortunes of Linux stocks, which tumbled faster
> > and farther than general technology issues in April.
>
> While I agree with almost all of your columns, I really must take exception
> to your statements about Linux quality control. Besides 6 years of Linux
> experience, I have 25 years of Unix experience, including both working
> as a principal engineer in some. I was one of the four guys who did the
> Silicon Graphics port of Unix.
>
> Linux is far, FAR less buggy and more secure than ANY popular Unix platform.
> Where is your data to back up your claims of lack of quality control or
> testing of Linux? It certainly did not get to be less buggy than Unix
> by accident.

Does Linux yet have any formal bug tracking methodology in place ?

And if there was, who'd support it and where would the interface to
it be ? www.linux-kernel.org ? www.linux.org ? Do I need to goto
a commercial Linux vendor like Red Hat for this and if so why ? It
doesn't seem right to me to rely on them as the kernel is not their
product unless they code-fork.

Each of the BSD camps has had something in place for _years_ which
suggests the professionalism of the Linux camp leaves a lot to be
desired.

So how does this relate to quality control ?

How do you know what problems you have fixed, what ones you need to fix
or are being worked on by people without such a system in place ? The
use of some sort of bug tracking is a must so you can evaluate the real
progress in improving quality.

> Sure, Red Hat goofed with Piranha.

I think it is symbolic of many facets of Linux (and Microsoft!) - a
failure to learn from the past mistakes of others (Unix in general).d
Years ago I seem to remember default logins on SGI's, etc, and I'm
sure the excuses then are the same as Red Hat's now.

> Microsoft, with perhaps three orders
> of magnitude more financial resources for engineering and not even one
> order of magnitude more functionality has, perhaps, 50 times the rate of
> serious security bugs!

It was amusing that for a while, with the initial release of NT 4.0 how
Gates and Co. were saying it was more secure. As many pointed out, it
wasn't that they were more secure, just that at the time hacker attention
was elsewhere. Now hackers have M$ in their sights :) I wouldn't be
surprised if M$ had 50 times the number of lines of code Linux does and
it goes without saying that size of the code base is retaled to the
number of bugs.

> Silicon Graphics and Sun do not get high points
> in the "lack of security bugs department" either.

They've much improved in recent years, though. The story of hosts.equiv
and SunOS 4.3.1U1 is worth bearing in mind when considering these things.

> The quality assurance policy regarding Linux kernels is outstanding.

Where is that policy, on a web page ?
Whose mission statement is it a part of ?

> The
> level of testing of a new kernel before a major release is outstanding.

The monkeys at keyboards approach...?

My biggest real problem here is that much of the "teating" is more or
less because you either use a current Linux release or you're stuffed.

[...]
> > Users installing Red Hat 6.2 who selected the "install all" option
> > loaded Piranha onto their servers, giving an outsider with knowledge
> > of the default log-in and password on the server an automatic entry
> > point or "backdoor."
>
> That's a violation of the first rule of computer security:
>
> Enable only what you need and certainly only what you understand!
> After installation, disable what you will not configure and use
> immediately.

If that were the case, I'd never install Linux nor Windows anything as
I fail to understand how Windows/Linux could be so bad, nevermind getting
technical about it :-)

Darren

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERVSecurityFocus.com with a message body of
"SIGNOFF ISN".