Linux and security

Just thought that some of your would find this to be of interest.

People can say what they want.  Carnegie Mellon University studied
operating systems for 4 years and arrived at the results as shown on
this web site:

http://news.zdnet.com/2100-1009_22-5489804.html

This certainly confirms in my mind that Linux is probably one of the
safest server-based operating systems available.  Possibly one of the
safest all-around operating systems available.  Despite "conventional
wisdom" Linux is not going to go away...particulary now that IBM has
embraced it.



Bob Wolfe
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~
When replying by e-mail, make sure that you correct the e-mail address.
Check out The Flexus COBOL Page at http://www.flexus.com

On Tue, 14 Dec 2004 16:54:04 GMT, Bob Wolfe <rtwolfe@flexus.com>
wrote:

>Just thought that some of your would find this to be of interest.
>
>People can say what they want.  Carnegie Mellon University studied
>operating systems for 4 years and arrived at the results as shown on
>this web site:
>
>http://news.zdnet.com/2100-1009_22-5489804.html
>
>This certainly confirms in my mind that Linux is probably one of the
>safest server-based operating systems available.  Possibly one of the
>safest all-around operating systems available.  Despite "conventional
>wisdom" Linux is not going to go away...particulary now that IBM has
>embraced it.

And they said the day for 'one guy in a garage' was over.

> IBM shed it's PC business.

IBM has formed a partnership for its desktop systems. It hasn't been
profitable and it has tied contracts with both Intel and Microsoft
which it wants to dump.

It is most likely that it will be coming out with a 'Business Desktop'
that is Power5 based, or even Cell based, and will be manufactured
entirely within IBM rather than being assembled from bought in parts,
and will run Linux.  The PC is a 23 year old design now, it is about
time that it was replaced with something modern.

> I'll bet, if you run the pro-rata numbers, there are vastly more
security
> breaches on Linux systems than on Windows.

You may bet that, but I doubt you would win.  There are vastly more
Linux servers running the Internet than Windows servers.  Yet it is
Windows servers that are breached and taken over by virus worms.

It is estimated that 60% of the spam comes from 'pwn3d' Windows
machines with the user completely unaware what his machine is doing
(except it runs slow).

A recent test put several new machines on the Internet.  Within 4.5
minutes the Windows XP (SP1 admitedly) was 'pwn3d' and started
outputting spam.

[url]http://it.slashdot.org/article.pl?sid=04/11/30/1932245&tid=220&tid=172&tid=201[/ur
l]

> You must believe that free software is the spawn of the devil, ...

'Free' is as in 'Freedom'.  It is Free Software because you are allowed
to do with it what _you_ wish to do.  In many cases it also without
cost, but you can sell the software, or your own added value, or
support, as you wish (that is why it is called Free).

It is the Microsoft EULA that is the 'spawn of the devil'.

> ""Linux is a knock-off of a 40-year-old operating system ...

One that was designed from the ground up to be secure, unlike Windows
which simply has security thinly added as yet another layer of bloat.

On Tue, 14 Dec 2004 16:54:04 GMT, Bob Wolfe <rtwolfe@flexus.com> wrote:

>Just thought that some of your would find this to be of interest.
>
>People can say what they want.  Carnegie Mellon University studied
>operating systems for 4 years and arrived at the results as shown on
>this web site:
>
>http://news.zdnet.com/2100-1009_22-5489804.html
>
>This certainly confirms in my mind that Linux is probably one of the
>safest server-based operating systems available.  Possibly one of the
>safest all-around operating systems available.  Despite "conventional
>wisdom" Linux is not going to go away...particulary now that IBM has
>embraced it.
>
>
>
>Bob Wolfe

Bob, does this mean Microsoft is lying?  I'm shocked, _shocked_!!


--
tim boyer
tim@denmantire.com

In article <10rutk12o9huta7@news.supernews.com>,
"JerryMouse" <nospam@bisusa.com> wrote:

> Bob Wolfe wrote: 
>
> And IBM shed it's PC business.
>
> I'll bet, if you run the pro-rata numbers, there are vastly more security
> breaches on Linux systems than on Windows.

Utterly silly.

Linux security breaches tend to be of the "there might be a possible DOS
attack if you don't apply patch X".

Windows security breaches tend to be of the "half of the worlds
computers shut down today as traffic from the infected IIS servers
flooded everything with pictures of hot strippers".

Can you name one, just one, Linux security breach that was even close to
the impact of ILOVYOU, MELISSA or CODERED?

Didn't think so.

> Repeat after me:
>
> "Linux is a knock-off of a 40-year-old operating system developed by a
> money-losing division of your local telephone company, promoted by those w
ho
> can't get a date (perhaps because of the genital wart thing), and used by
> people who think DOS commands are not complicated enough."
>
> And I'm not saying this because I own a bunch of Micros~1 stock, either.

Windows is a 32-bit shell around a 16-bit extension to an 8-bit
operating system written for a 4-bit processor by a 2-bit company that
can't stand 1-bit of competition.

As was pointed out by others on the "review this by readers" postings,
this server software was compaired against Windoze. But what about
OS/400, or z/VSE, or z/OS?

It is interesting that before z/OS is released, it goes through
regression testing, and then cert testing. I don't know that Linus is
going to that level when he releases a kernel. From the number of bugs
(security exploits) reported, M/S sure doesn't appear to.

And then, lines of code, means what? If I develop in ALC and you
develop in C++, while another company develops in FORTRAN, and still
another company uses VBS, how does the debugged lines of code stack up
against each other? After all, a line of code is not necessarily a line
of code (FOR, DO, PERFORM, translates into how many machine commands?
And doesn't that vary depending on the optimizer?) once you get down to
what is actually done.

And again, all of this varies depending on the CPU architecture the
language is targetted toward. An MVCL may need a loop in MASM, and may
need a subroutine in C++.

Comparison of apples to apples is very difficult in this world we live
in.

Later,
Steve.T

Richard wrote:
> 
> security 
>
> You may bet that, but I doubt you would win.  There are vastly more
> Linux servers running the Internet than Windows servers.  Yet it is
> Windows servers that are breached and taken over by virus worms.

Apples and oranges. Servers are a piddly percentage of boxes. Properly
configured boxes, either Windows or that other one (can't think of its name)
don't get compromised. Further:

"The CERT results for "Microsoft" returned 250 entries, with the top two
entries containing the severity metric of 94.5...." and "The CERT results
for "Red Hat" returned 46 entries. The top entry has a severity metric of
108.16...."

Within a few percent of each other.

>
> It is estimated that 60% of the spam comes from 'pwn3d' Windows
> machines with the user completely unaware what his machine is doing
> (except it runs slow).

I'd bet the percentage is even higher. But, again, most car wrecks are
caused by drunk drivers, not the cars themselves.

>
> A recent test put several new machines on the Internet.  Within 4.5
> minutes the Windows XP (SP1 admitedly) was 'pwn3d' and started
> outputting spam.
>
> [url]http://it.slashdot.org/article.pl?sid=04/11/30/1932245&tid=220&tid=172&tid=201[/
url]
> 
>
> 'Free' is as in 'Freedom'.  It is Free Software because you are
> allowed
> to do with it what _you_ wish to do.  In many cases it also without
> cost, but you can sell the software, or your own added value, or
> support, as you wish (that is why it is called Free).
>
> It is the Microsoft EULA that is the 'spawn of the devil'.

You're free to do whatever you wish with the software you write. If you use
something I wrote, you'll do it on mutually agreeable terms.

On 15-Dec-2004, "JerryMouse" <nospam@bisusa.com> wrote:

> Apples and oranges. Servers are a piddly percentage of boxes. Properly
> configured boxes, either Windows or that other one (can't think of its nam
e)
> don't get compromised. Further:

Which is meaningless if boxes aren't properly configured.   Or when this
definition keeps changing as new security breaches are discovered.

> Properly configured boxes, either Windows or that other one (can't
think of its name)
> don't get compromised. Further:

The vast majority of Windows boxes are not 'properly configured'. Most
home users for example don't know what SP2 is or are still running
Windows 98 or ME.  Many still run Outlook and IE because it is there.
With Outlook you can get a security breach merely by selecting an EMail
message unless the user has done something deliberate to stop that
happening, such as getting an update.  With IE you can get a security
breach merely by visting a site and using the scroll bar.

> But, again, most car wrecks are caused by drunk drivers, not the cars
themselves.

That comparison is entirely spurious.  With Windows one can buy a
machine at a retail store, connect it to the internet and, with no
action at all from the user, it could be breached within a few minutes.

This is equivalent to buying a car and putting it in the driveway and
having a tree fall on it.

Actually, these days, it is _not_ like a tree falling on it, it is like
someone attaches a trailer and gets a free ride. A recent survey of
several thousand machines found an average of 29 spyware and adware
items per Windows machine.

Yes, with Linux a direct attack can cause the system to crash if it
isn't configured properly, but it doesn't get silently 'pwn3d' (owned
in text speak).

> You're free to do whatever you wish with the software you write.

Yes, I can.  Writers using proprietry software may find that they are
restricted in what they do with their software.  The EULA is a contract
not a licence and this may impose restrictions. For example it may say
that I may not use this product to develop a product that competes with
any product from the suppier.  When a market succeeds, MS announces a
products and then prevents developers from 'competing' with theirs:

""" ---------------
First Microsoft encourages fleet tracking companies to grow the market.

Second they add confusing language to the EULA which seems to restrict
use for Tracking. (But they don't seem to enforce it. Hmmm, I wonder
why?)

Third, they come out with a product that is directed right at business
users, which is the core business of the fleet tracking companies.

Finally the coupe de grace, (this is my guess) Microsoft targets Fleet
Tracking companies clients. (They even know who the MapPoint users
are.) They starts enforcing the EULA and within 1-2 yrs, they are the
only company left providing fleet tracking with MapPoint.

Ever feel like you've been taken?
---------------------- """
'Freedom' means not having to put up with that sort of crap.