[LINK] Open source just as insecure as Windows

Frank O'Connor foconno1@bigpond.net.au
Tue Nov 12 10:03:06 EST 2002 

Yo Karen,

At 2:21 PM +1100 12/11/2002, Dearne, Karen wrote:
>Wow, u guys are just like a bunch of Apple fanatics. No one ever allowed to
>diss Linux? Good luck.
>For the record, the story today was supposed to appear with one I wrote last
>week about ISS's new virtual patching technology. Chris Klaus couldnt give a
>s*** whether he sells stuff to patch Linux or Windows, it's immaterial. But
>it's well worth pointing out that Linux does have flaws, and there are
>questions of legal liability etc that real companies worry about. The
>suggestion that these should be discussed copped a caning here last week.
>Why? Against your religion or something?

I was a journalist too until 12 months back ... when I got a tad 
bored with what I was doing ... and no, I don't push a LINUX, 
Windows, MacOS or UNIX barrow. Yes, LINUX has flaws ... and lots of 
them. So does Windows, and the MacOS and the different variants of 
UNIX.

I think what people are bitching about here relates to a couple of things:

1. Your illustration of the vulnerabilities. A Trojan will execute on 
most platforms in pretty much the same way ... hey, it is an 
application (not a virus or more subtle hack) so any OS that gives 
you the necessary permissions to run a program is susceptible to 
Trojans. (Ooops ... that's pretty well every OS isn't it?)

2. How much damage that Trojan will do is another thing entirely. For 
example in any UNIX variant (assuming the user isn't stupid enough to 
run in administrator mode) there are a heap of files that Trojan 
won't be allowed to over-write, and directories it won't be allowed 
to mess with and operations and daemons it won't be allowed to 
interfere with). Damage is limited. LINUX limits damage (but not as 
well as UNIX) and the MacOS probably does a better job than UNIX ... 
but not because of any intent or design of Apple's.

3. Trojans don't rank high on most people in the Lists's scheme of 
things - basically because they're not stupid enough to run 
executable attached to emails or auto-downloaded as a JS'd Web link 
or whatever. Trojans basically rely on the inherent stupidity of the 
recipient to do their stuff.

People are also a tad miffed that you obviously didn't ask 
intelligent questions or do the background work. Little numbers like:

a. "You say that Windows vulnerabilities are largely a function of 
statistical likelihood? If so, and if you accept that Windows has say 
90% of the market share, why does it have 99.9% of the viruses, 
Trojans and other security vulnerabilities." (Here Mr Klaus would no 
doubt say that the statistical variance is not significant.)

b. "Well I'll put it another way then. If we take the MacOS or LINUX 
... we know that has about 5% of the market at most, but we know they 
has only 40 odd viruses, and Windows has 66000 (if Symatec's latest 
figures are to be believed), if you reverse your methodology and look 
at it from that perspective then Windows has about a 150 times 
greater chance of being hit by a virus than a Macintosh or LINUX box 
does ... purely on virus incidence. That isn't significant?"

c. "Isn't it true that the LINUX platform generally could be said to 
harbour more programming and hacking expertise that the Windows 
platform?" (And I think he'd agree with that.) If so, then why is 
there such an incidence of viruses on the Windows platform and a 
positive dearth of them on the LINUX platform (script kiddies and 
virus kits, ActiveX and various MS technologies that place no 
controls or apply few privileges restrictions to code passed between 
applications, default setups that are inherently insecure etc etc.) 
NB. If he said the situation is getting better with Windows.NET he 
would be correct ... that should be an order of magnitude more secure 
than the current COM based product line-up

... and the like may have elicited a more admiring response from List members.

>
>Sorry, but we write stuff that we think is a) interesting, b) likely to get
>a reaction, and c) maybe useful/important. Also, I might point out that in
>general I am a reporter, the old-fashioned sort, that is I talk to people
>and report what they say.  When I write opinion pieces or analysis they are
>usually labelled as such. I'm a bit surprised to find that some people on
>the List seem to think journalists should be/always are experts on every
>subject they write about and that they only write what they think, not what
>the subject says. Doesn't work like that guys.

'Interesting' and 'likely to get a reaction'? I note that veracity, 
checked sources, facts, background research and a number of other 
little numbers didn't make it into your criteria for journalistic 
success there. So, what's the difference between a journalist and a 
PR hack then?

No, we don't think journalists should be experts ... that's what they 
have experts for. We do think however they they should have done the 
leg work and research. We do believe that they should approach any 
situation in which they are writing a story with the idea that 
substance and veracity are desirable things to shoot for.

>
>Also for the record, young Chris Klaus is a seriously bright guy who is well
>respected in IT and security. His bio on their website follows, and it's
>pretty easy to check out his credentials:
>
>Christopher W. Klaus, Founder & Chief Technology Officer. Klaus is regarded
>as one of the world's foremost security experts. In 1992, Klaus developed
>the company's first software program and flagship product, Internet Scanner,
>while attending the Georgia Institute of Technology. He also developed the
>four-quadrant strategy for focusing on intrusion protection with security
>assessment and intrusion detection for both network and host. Additionally,
>Klaus developed the name, concept and design of RealSecure. He was also
>honored as one of the top 100 young innovators for 1999 by MIT's magazine of
>innovation, Technology Review

Ahhhh ... Let's see, What an impressive CV.

Hell ... I've won two OECD research awards, I've been published in 
Harvard Review, The University of Tokyo's Business Journal and The 
University of Bath Economics Journal ... but Karen, that doesn't make 
me an expert on dog crap.

And it would give you no reason not to approach any interview with me 
without having done the leg work and research, and it definitely 
wouldn't entitle you to lose valuable journalistic skepticism, to 
approach other sources with comments on your interviewees comments 
and to generally show a bit of the journalistic rigor that I think 
your reading public has a right to expect.

>
>Anyone out there who can match this guy for talent and acumen please forward
>details, I'll be happy to interview u for the section.

Karen ,,, I doubt any one of us would be happy to be interviewed by 
you - unless of course we had something to hide.          :)

Right now you're probably categorised in a lot of List members minds 
as Psuedo Journalist 1, Credibility Limited.

					Regards,

More information about the Link mailing list