[LINK] Open source just as insecure as Windows
Tue Nov 12 10:03:06 EST 2002
At 2:21 PM +1100 12/11/2002, Dearne, Karen wrote:
>Wow, u guys are just like a bunch of Apple fanatics. No one ever allowed to
>diss Linux? Good luck.
>For the record, the story today was supposed to appear with one I wrote last
>week about ISS's new virtual patching technology. Chris Klaus couldn't give a
>s*** whether he sells stuff to patch Linux or Windows, it's immaterial. But
>it's well worth pointing out that Linux does have flaws, and there are
>questions of legal liability etc that real companies worry about. The
>suggestion that these should be discussed copped a caning here last week.
>Why? Against your religion or something?
I was a journalist too until 12 months back ... when I got a tad
bored with what I was doing ... and no, I don't push a LINUX,
Windows, MacOS or UNIX barrow. Yes, LINUX has flaws ... and lots of
them. So does Windows, and the MacOS and the different variants of
I think what people are bitching about here relates to a couple of things:
1. Your illustration of the vulnerabilities. A Trojan will execute on
most platforms in pretty much the same way ... hey, it is an
application (not a virus or more subtle hack) so any OS that gives
you the necessary permissions to run a program is susceptible to
Trojans. (Ooops ... that's pretty well every OS isn't it?)
2. How much damage that Trojan will do is another thing entirely. For
example in any UNIX variant (assuming the user isn't stupid enough to
run in administrator mode) there are a heap of files that the Trojan
won't be allowed to over-write, directories it won't be allowed
to mess with, and operations and daemons it won't be allowed to
interfere with. Damage is limited. LINUX limits damage (but not as
well as UNIX) and the MacOS probably does a better job than UNIX ...
but not because of any intent or design of Apple's.
3. Trojans don't rank high on most people on the List's scheme of
things - basically because they're not stupid enough to run
executables attached to emails or auto-downloaded as a JS'd Web link
or whatever. Trojans basically rely on the inherent stupidity of the
recipient to do their stuff.
People are also a tad miffed that you obviously didn't ask
intelligent questions or do the background work. Little numbers like:
a. "You say that Windows vulnerabilities are largely a function of
statistical likelihood? If so, and if you accept that Windows has say
90% of the market share, why does it have 99.9% of the viruses,
Trojans and other security vulnerabilities?" (Here Mr Klaus would no
doubt say that the statistical variance is not significant.)
b. "Well I'll put it another way then. If we take the MacOS or LINUX
... we know that has about 5% of the market at most, but we know they
have only 40-odd viruses, and Windows has 66000 (if Symantec's latest
figures are to be believed). If you reverse your methodology and look
at it from that perspective, then Windows has about 150 times
greater chance of being hit by a virus than a Macintosh or LINUX box
does ... purely on virus incidence. That isn't significant?"
c. "Isn't it true that the LINUX platform generally could be said to
harbour more programming and hacking expertise than the Windows
platform?" (And I think he'd agree with that.) "If so, then why is
there such an incidence of viruses on the Windows platform and a
positive dearth of them on the LINUX platform?" (script kiddies and
virus kits, ActiveX and various MS technologies that place no
controls or apply few privilege restrictions to code passed between
applications, default setups that are inherently insecure, etc. etc.)
NB. If he said the situation is getting better with Windows.NET he
would be correct ... that should be an order of magnitude more secure
than the current COM-based product line-up.
... and the like may have elicited a more admiring response from List members.
>Sorry, but we write stuff that we think is a) interesting, b) likely to get
>a reaction, and c) maybe useful/important. Also, I might point out that in
>general I am a reporter, the old-fashioned sort, that is I talk to people
>and report what they say. When I write opinion pieces or analysis they are
>usually labelled as such. I'm a bit surprised to find that some people on
>the List seem to think journalists should be/always are experts on every
>subject they write about and that they only write what they think, not what
>the subject says. Doesn't work like that guys.
'Interesting' and 'likely to get a reaction'? I note that veracity,
checked sources, facts, background research and a number of other
little numbers didn't make it into your criteria for journalistic
success there. So, what's the difference between a journalist and a
PR hack then?
No, we don't think journalists should be experts ... that's what they
have experts for. We do think however that they should have done the
legwork and research. We do believe that they should approach any
situation in which they are writing a story with the idea that
substance and veracity are desirable things to shoot for.
>Also for the record, young Chris Klaus is a seriously bright guy who is well
>respected in IT and security. His bio on their website follows, and it's
>pretty easy to check out his credentials:
>Christopher W. Klaus, Founder & Chief Technology Officer. Klaus is regarded
>as one of the world's foremost security experts. In 1992, Klaus developed
>the company's first software program and flagship product, Internet Scanner,
>while attending the Georgia Institute of Technology. He also developed the
>four-quadrant strategy for focusing on intrusion protection with security
>assessment and intrusion detection for both network and host. Additionally,
>Klaus developed the name, concept and design of RealSecure. He was also
>honored as one of the top 100 young innovators for 1999 by MIT's magazine of
>innovation, Technology Review
Ahhhh ... let's see. What an impressive CV.
Hell ... I've won two OECD research awards, I've been published in
Harvard Review, The University of Tokyo's Business Journal and The
University of Bath Economics Journal ... but Karen, that doesn't make
me an expert on dog crap.
And it would give you no reason to approach any interview with me
without having done the legwork and research, and it definitely
wouldn't entitle you to lose valuable journalistic skepticism, to
skip approaching other sources with comments on your interviewee's comments,
and to generally not show a bit of the journalistic rigour that I think
your reading public has a right to expect.
>Anyone out there who can match this guy for talent and acumen please forward
>details, I'll be happy to interview u for the section.
Karen ... I doubt any one of us would be happy to be interviewed by
you - unless of course we had something to hide. :)
Right now you're probably categorised in a lot of List members' minds
as Pseudo-Journalist 1, Credibility Limited.