Old June 10, 2003, 09:04   #31
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by Urban Ranger
Interestingly, an analysis of 2003 CERT advisories shows a different picture, yet Glonkie banishes the new analysis with a wave of the hand, but quotes the Aberdeen Group report to support his argument.

Talking about selective.
Where is a summary of the 2003 CERT advisories?

I clicked the June 3rd summary just for fun:
http://www.cert.org/summaries/CS-2003-02.html

Quote:
1. Integer overflow in Sun RPC XDR library routines
2. Multiple Vulnerabilities in Lotus Notes and Domino
3. Buffer Overflow in Sendmail
4. Multiple Vulnerabilities in Snort Preprocessors


Also, a list of the current advisories (http://www.cert.org/advisories/) reveals that out of a total of 13 advisories, only 4 are for Windows, whereas 7 are for *nix...
Asher is offline  
Old June 10, 2003, 10:05   #32
Yog-Sothoth
Prince
Local Time: 04:18
Local Date: November 2, 2010
Join Date: Sep 2000
Location: Trondheim, Norway
Posts: 431
All software has, and will always have, security vulnerabilities, so IMO the number of vulnerabilities for a given system is not that interesting to look at. However, what I think is important is how quickly a vulnerability is found and fixed in a proper way, and I believe that open source software is better than closed source software in this regard.

As to the number of security breaches, this has as much to do with the competence of the SysAdm as with the system that is running.
__________________
We are the apt, you will be packaged.
Yog-Sothoth is offline  
Old June 10, 2003, 10:09   #33
chequita guevara
ACDG The Human HiveDiplomacyApolytoners Hall of Fame
Emperor
Local Time: 23:18
Local Date: November 1, 2010
Join Date: Jun 2000
Location: Fort LOLderdale, FL Communist Party of Apolyton
Posts: 9,091
What's the diff between FreeBSD, OpenBSD, and GNU/Linux?
__________________
Christianity: The belief that a cosmic Jewish Zombie who was his own father can make you live forever if you symbolically eat his flesh and telepathically tell him you accept him as your master, so he can remove an evil force from your soul that is present in humanity because a rib-woman was convinced by a talking snake to eat from a magical tree...
chequita guevara is offline  
Old June 10, 2003, 11:32   #34
Rasbelin
Emperor
Local Time: 05:18
Local Date: November 2, 2010
Join Date: Nov 1999
Posts: 3,801
FreeBSD and OpenBSD are BSD distros, which is a Unix OS. GNU/Linux = GNU/Linux, which is mostly referred to as Linux. As for differences, it all lies in the kernel. GNU/Linux uses Linux, while BSD distros use their own BSD kernels.
__________________
"Kids, don't listen to uncle Solver unless you want your parents to spank you." - Solver
Rasbelin is offline  
Old June 10, 2003, 17:54   #35
Thue
Freeciv Developer
Local Time: 05:18
Local Date: November 2, 2010
Join Date: Dec 1969
Location: Copenhagen, Denmark
Posts: 2,580
Quote:
Originally posted by Asuka
As for differences, it all lies in the kernel. GNU/Linux uses Linux, while BSD distros use their own BSD kernels.
It is not just the kernel. Some of the low-level userspace programs are also OS-specific.

Linux uses the set of utilities developed by the GNU project, hence some people call the total GNU/Linux. When people are referring only to the Linux kernel it is always called just Linux.
The BSDs have their own versions of the low-level userspace programs, though they do borrow some from GNU, like the compiler gcc.

However, everybody uses the X11 program for graphical interface, so from there everything looks the same no matter what OS you are using.
__________________
http://www.hardware-wiki.com - A wiki about computers, with focus on Linux support.
Thue is offline  
Old June 11, 2003, 00:06   #36
Urban Ranger
NationStatesApolyton Storywriters' GuildNever Ending Stories
Deity
Local Time: 11:18
Local Date: November 2, 2010
Join Date: May 1999
Location: The City State of Noosphere, CPA special envoy
Posts: 14,606
Quote:
Originally posted by Asher
Where is a summary of the 2003 CERT advisories?
That was my link in a previous post. It was interesting how you just ignored that. Right here on the Current Activity page:

Quote:
W32/BugBear.B
W32/Sobig variants
Buffer Overflow Vulnerability in Core Windows DLL
Increased Activity Targeting Windows Shares
All 4 are Windows security breaches.
__________________
(\__/) 07/07/1937 - Never forget
(='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
(")_(") "Starting the fire from within."
Urban Ranger is offline  
Old June 11, 2003, 00:09   #37
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
I think you're confused -- do you understand the difference between advisories and activities? I ignored it because it wasn't relevant, do you realize how informal the "activities" are? Do you realize they cover desktops and servers both? Do you realize they don't necessarily cover vulnerabilities or code problems, but social engineering problems (see the fourth entry)? I ignored them because they're irrelevant to the discussion.

*nix advisories are still roughly double that of Windows in 2003, you're grasping at straws.

The reason the first two (W32) activities are on there is desktop machines, not servers (and therefore out of the scope of this thread), and it is entirely dependent on the ignorance of the consumer, since they've been patched ages ago, and patches were made easily available through auto-updates.

The third one is a legit vulnerability, but it has also been patched for a while.

The fourth one isn't a vulnerability or a virus at all, it just takes advantage of weak passwords set by inept admins.

And again, those are simply informal "activities" -- what we were discussing before was "advisories", which you said have changed this year, and they have not.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old June 11, 2003, 00:16   #38
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
BTW, if you actually check out the latest 4 advisories from the latest CERT summary, you'll notice all 4 are for *nix, not Windows.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old June 11, 2003, 00:23   #39
Ted Striker
Apolytoners Hall of Fame
Emperor
Local Time: 19:18
Local Date: November 1, 2010
Join Date: Dec 1969
Location: Batallón de San Patricio, United States of America
Posts: 3,696
Quote:
Originally posted by MichaeltheGreat


Yeah. Like those times when you figure out you're in business to make money, not to make some political statement out of choosing an obscure OS.


UNIX

Windows

Linux

By the way, Red Hat, the only company that makes any real money or supports any real applications, is very rapidly becoming the equivalent of the Sun/HP/IBM UNIX distributions that dominated 5 years ago.
__________________
"Let the People know the facts and the country will be saved." Abraham Lincoln

Mis Novias
Ted Striker is offline  
Old June 11, 2003, 06:14   #40
Yog-Sothoth
Prince
Local Time: 04:18
Local Date: November 2, 2010
Join Date: Sep 2000
Location: Trondheim, Norway
Posts: 431
Quote:
Originally posted by Ted Striker




UNIX

Windows

Linux

By the way, Red Hat, the only company that makes any real money or supports any real applications, is very rapidly becoming the equivalent of the Sun/HP/IBM UNIX distributions that dominated 5 years ago.
You are starting to sound like a broken record
__________________
We are the apt, you will be packaged.
Yog-Sothoth is offline  
Old June 11, 2003, 06:49   #41
Urban Ranger
NationStatesApolyton Storywriters' GuildNever Ending Stories
Deity
Local Time: 11:18
Local Date: November 2, 2010
Join Date: May 1999
Location: The City State of Noosphere, CPA special envoy
Posts: 14,606
Quote:
Originally posted by Asher
BTW, if you actually check out the latest 4 advisories from the latest CERT summary, you'll notice all 4 are for *nix, not Windows.
That's on the page called "Current Activity."

As I said, it's all Windows.
__________________
(\__/) 07/07/1937 - Never forget
(='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
(")_(") "Starting the fire from within."
Urban Ranger is offline  
Old June 11, 2003, 06:50   #42
Urban Ranger
NationStatesApolyton Storywriters' GuildNever Ending Stories
Deity
Local Time: 11:18
Local Date: November 2, 2010
Join Date: May 1999
Location: The City State of Noosphere, CPA special envoy
Posts: 14,606
Quote:
Originally posted by Ted Striker
By the way, Red Hat, the only company that makes any real money or supports any real applications, is very rapidly becoming the equivalent of the Sun/HP/IBM UNIX distributions that dominated 5 years ago.
Why would an OS company want to support applications?
__________________
(\__/) 07/07/1937 - Never forget
(='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
(")_(") "Starting the fire from within."
Urban Ranger is offline  
Old June 11, 2003, 09:03   #43
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by Urban Ranger
That's on the page called "Current Activity."

As I said, it's all Windows.
Did you intentionally ignore my post or is your browser not capable of rendering it?
Asher is offline  
Old June 11, 2003, 09:19   #44
ottok
Prince
Local Time: 03:18
Local Date: November 2, 2010
Join Date: Oct 1999
Location: tampere,FINLAND
Posts: 550
Hmm... i canot say... i newer use Linux... but desinger is FACT at Swedish in Finland...
and
ottok is offline  
Old June 11, 2003, 09:44   #45
Boris Godunov
Civilization II MultiplayerApolytoners Hall of FameCivilization IV: Multiplayer
Emperor
Local Time: 20:18
Local Date: November 1, 2010
Join Date: Aug 2001
Location: Portland, OR
Posts: 4,412
ottok! ottok! ottok!
__________________
Tutto nel mondo è burla
Boris Godunov is offline  
Old June 11, 2003, 11:13   #46
Rasbelin
Emperor
Local Time: 05:18
Local Date: November 2, 2010
Join Date: Nov 1999
Posts: 3,801
Our Linux expert.
__________________
"Kids, don't listen to uncle Solver unless you want your parents to spank you." - Solver
Rasbelin is offline  
Old June 11, 2003, 11:40   #47
Urban Ranger
NationStatesApolyton Storywriters' GuildNever Ending Stories
Deity
Local Time: 11:18
Local Date: November 2, 2010
Join Date: May 1999
Location: The City State of Noosphere, CPA special envoy
Posts: 14,606
Quote:
Originally posted by Asher
Did you intentionally ignore my post or is your browser not capable of rendering it?
I am ignoring you, since the "Current Activity" page is right in the section of "Advisories."
__________________
(\__/) 07/07/1937 - Never forget
(='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
(")_(") "Starting the fire from within."
Urban Ranger is offline  
Old June 11, 2003, 11:47   #48
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by Urban Ranger
I am ignoring you, since the "Current Activity" page is right in the section of "Advisories."
No, it's not.

You'll notice "Advisories" and "Activities" are both under "Options" on the lefthand side, not under the same section.

Also on the frontpage:
Quote:
Advisories & Incident Notes
CA-2003-13
Multiple Vulnerabilities in Snort Preprocessors
CA-2003-12
Buffer Overflow in Sendmail
CA-2003-11
Multiple Vulnerabilities in Lotus Notes and Domino
(all of which are *nix)

Quote:
New and Notable Vulnerabilities:
Vulnerability in OpenSSH
SSL/TLS Bad Version Oracle Attack
Multiple Buffer Overflows in Samba
Brumley-Boneh RSA timing attack
(all of which are *nix, again)

Give it up, UR.
Asher is offline  
Old June 11, 2003, 11:54   #49
Urban Ranger
NationStatesApolyton Storywriters' GuildNever Ending Stories
Deity
Local Time: 11:18
Local Date: November 2, 2010
Join Date: May 1999
Location: The City State of Noosphere, CPA special envoy
Posts: 14,606
Are you telling me that CERT will bother to post something they don't consider to be a serious threat on the website?



If you actually bothered to read, you will find this note:

Quote:
The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the CERT/CC.
Read and weep.
__________________
(\__/) 07/07/1937 - Never forget
(='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
(")_(") "Starting the fire from within."
Urban Ranger is offline  
Old June 11, 2003, 11:57   #50
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
No, I'm telling you that you're being silly.

You obviously mistook activities for advisories, because upon being shown the report of *nix advisories outnumbering Windows by a good margin, you insisted that I "ignored" the fact that "an analysis of 2003 CERT advisories shows a different picture", yet the 2003 CERT advisories show the exact same picture as last year.

You're not fooling anyone with these silly games, you know.

It is pretty amazing how you manage to deny the obvious and deflect the facts to maintain your own illusions.

Quote:
Read and weep.
Which still has absolutely nothing to do with CERT advisories, like you said. Which still takes into account desktop and server, and which still takes into account aspects such as social engineering rather than vulnerabilities specifically.

This thread is about server hacking. The simple fact is Linux breaches are far more numerous, even though the Linux machines are far less numerous. The simple fact is Linux gets more CERT advisories than Windows with far less Linux machines.

Showing me a page of "activities" after you told everyone (misleadingly) that they're advisories, most of which are email worms which have been patched a year ago, or taking advantage of weak passwords, doesn't prove anything aside from your desperation.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer

Last edited by Asher; June 11, 2003 at 12:04.
Asher is offline  
Old June 11, 2003, 12:16   #51
Boris Godunov
Civilization II MultiplayerApolytoners Hall of FameCivilization IV: Multiplayer
Emperor
Local Time: 20:18
Local Date: November 1, 2010
Join Date: Aug 2001
Location: Portland, OR
Posts: 4,412
Quote:
Originally posted by Asher
It is pretty amazing how you manage to deny the obvious and deflect the facts to maintain your own illusions.
See the Tiannanmen Square thread if you really want to be amazed.
__________________
Tutto nel mondo è burla
Boris Godunov is offline  
Old June 11, 2003, 14:18   #52
Harry Seldon
GalCiv Apolyton EmpireNationStates
King
Local Time: 03:18
Local Date: November 2, 2010
Join Date: Oct 2002
Location: Birmingham, AL
Posts: 1,595
I'm convinced that Asher is a DL for Bill Gates...
Harry Seldon is offline  
Old June 11, 2003, 14:34   #53
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Was it my sig in the first post that gave it away?

Gosh darn-it!
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old June 11, 2003, 14:36   #54
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
I think it would be more interesting to be Steve Ballmer's DL.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old June 11, 2003, 16:00   #55
MichaeltheGreat
Apolytoners Hall of Fame
Apolyton Grand Executioner
Local Time: 19:18
Local Date: November 1, 2010
Join Date: Oct 1999
Location: Fenway Pahk
Posts: 1,755
I'm Larry Ellison's DL.
__________________
Bush-Cheney 2008. What's another amendment between friends?
*******
When all else fails, blame brown people. | Hire a teen, while they still know it all.
MichaeltheGreat is offline  
Old June 11, 2003, 16:11   #56
Whaleboy
NationStatesAlpha Centauri Democracy GameACDG The Cybernetic ConsciousnessMac
Prince
Local Time: 03:18
Local Date: November 2, 2010
Join Date: Jan 2003
Location: Please make all cheques payable to Whaleboy
Posts: 853
wininformant.com?

Linux also makes breaches easier to detect than windows, including "passive" breaches that would not be detectable in windows. Also, slightly unrelated, but with regards to bugs, the figure for windows would be less because they CAN keep them under wraps, whereas with linux/bsd, they are published and fixed faster, for all to see. Because of this, one also gets the added advantage of no spyware, which is one major reason I prefer linux: civil liberties.

I'm starting not to take you seriously on account of your very pro-Microsoft bias; without a fundamental explanation of the actual position, it tends to turn these threads into flame-fests.
__________________
"I work in IT so I'd be buggered without a computer" - Words of wisdom from Provost Harrison
"You can be wrong AND jewish" - Wiglaf :love:
Whaleboy is offline  
Old June 11, 2003, 16:13   #57
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by elijah
Linux also makes breaches easier to detect than windows, including "passive" breaches that would not be detectable in windows.
And what exactly is that?

Quote:
Also, slightly unrelated, but with regards to bugs, the figure for windows would be less because they CAN keep them under wraps
No, they can't -- the people who discovered it always want credit, and always go get credit under MS' policy.

I dunno, you may take issue with my "pro-MS" bias, but at least I've got facts, figures, and statistics to back my position up rather than rhetoric and bullshit about "passive" breaches that Linux can detect and Windows can't.
Asher is offline  
Old June 11, 2003, 16:16   #58
Whaleboy
NationStatesAlpha Centauri Democracy GameACDG The Cybernetic ConsciousnessMac
Prince
Local Time: 03:18
Local Date: November 2, 2010
Join Date: Jan 2003
Location: Please make all cheques payable to Whaleboy
Posts: 853
Passive breaches: no damage, breaches of firewalls, but then the cracker does nothing, or even buffer overruns that go undetected. Simple stuff like proactive md5sum checking of binaries, and more complex stuff, checks for that in Linux, so it can actually account for breaches.

Quote:
No, they can't -- the people who discovered it always want credit, and always go get credit under MS' policy
Not as effectively if they cannot read and amend the source code, as well as the same binary testing as one gets with windows.
__________________
"I work in IT so I'd be buggered without a computer" - Words of wisdom from Provost Harrison
"You can be wrong AND jewish" - Wiglaf :love:
Whaleboy is offline  
Old June 11, 2003, 16:18   #59
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by elijah
Passive breaches, no damage, breaches of firewalls, but then, cracker does nothing, or even buffer overruns that go undetected. Simple stuff like proactive md5sum checking of binaries and more complex stuff checks for that in Linux, so can actually account for breaches.
But you can do that in Windows, too.

Quote:
Not as effectively if they cannot read and amend the source code, as well as the same binary testing as one gets with windows.
This is another fallacy of the OpenSource=secure crap that people spew. Very, very rarely does someone read and amend the source code when they find a bug. In 99.999% of the occasions, they report it via something like Bugzilla and let the developers handle it.

That concept has been debunked numerous times, and it's actually widely considered a crutch for Linux now since many developers rely on the fact that theoretically everyone can examine your code and find security bugs, when no one ever does.

Even if they manage to patch it, it needs to go through an approval process before a commit. And then, you've got some weird developer doing parts of your code, and everything starts getting convoluted and unmanageable (see: Mozilla).
Asher is offline  
Old June 11, 2003, 16:26   #60
Asher
Apolytoners Hall of Fame
President of the OT
Local Time: 21:18
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
http://www.developer.com/open/article.php/990711

Quote:
The Myth of Open Source Security Revisited v2.0
By Dare Obasanjo


This article is a followup to an article entitled The Myth of Open Source Security Revisited. The original article tackled the common misconception amongst users of Open Source Software(OSS) that OSS is a panacea when it comes to creating secure software. The article presented anecdotal evidence taken from an article written by John Viega, the original author of GNU Mailman, to illustrate its point. This article follows up the anecdotal evidence presented in the original paper by providing an analysis of similar software applications, their development methodology and the frequency of the discovery of security vulnerabilities.

The purpose of this article is to expose the fallacy of the belief in the "inherent security" of Open Source software and instead point to a truer means of ensuring that the quality of the security of a piece of software is high.

Apples, Oranges, Penguins and Daemons

When performing experiments to confirm a hypothesis on the effect of a particular variable on an event or observable occurrence, it is common practice to utilize control groups. In an attempt to establish cause and effect in such experiments, one tries to hold all variables that may affect the outcome constant except for the variable that the experiment is interested in. Comparisons of the security of software created by Open Source processes and software produced in a proprietary manner have typically involved several variables besides development methodology.

A number of articles have been written that compare the security of Open Source development to proprietary development by comparing security vulnerabilities in Microsoft products to those in Open Source products. Noted Open Source pundit, Eric Raymond wrote an article on NewsForge where he compares Microsoft Windows and IIS to Linux, BSD and Apache. In the article, Eric Raymond states that Open Source development implies that "security holes will be infrequent, the compromises they cause will be relatively minor, and fixes will be rapidly developed and deployed.". However, upon investigation it is disputable that Linux distributions have less frequent or more minor security vulnerabilities when compared to recent versions of Windows. In fact the belief in the inherent security of Open Source software over proprietary software seems to be the product of a single comparison, Apache versus Microsoft IIS.

There are a number of variables involved when one compares the security of software such as Microsoft Windows operating systems to Open Source UNIX-like operating systems including the disparity in their market share, the requirements and dispensations of their user base, and the differences in system design. To better compare the impact of source code licensing on the security of the software, it is wise to reduce the number of variables that will skew the conclusion. To this effect it is best to compare software with similar system design and user base than comparing software applications that are significantly distinct. The following section analyzes the frequency of the discovery of security vulnerabilities in UNIX-like operating systems including HP-UX, FreeBSD, RedHat Linux, OpenBSD, Solaris, Mandrake Linux, AIX and Debian GNU/Linux.

Security Vulnerability Face-Off

Below is a listing of UNIX and UNIX-like operating systems with the number of security vulnerabilities that were discovered in them in 2001 according to the Security Focus Vulnerability Archive.

AIX: 10 vulnerabilities [6 remote, 3 local, 1 both]
Debian GNU/Linux: 13 vulnerabilities [1 remote, 12 local] + 1 Linux kernel vulnerability [1 local]
FreeBSD: 24 vulnerabilities [12 remote, 9 local, 3 both]
HP-UX: 25 vulnerabilities [12 remote, 12 local, 1 both]
Mandrake Linux: 17 vulnerabilities [5 remote, 12 local] + 12 Linux kernel vulnerabilities [5 remote, 7 local]
OpenBSD: 13 vulnerabilities [7 remote, 5 local, 1 both]
Red Hat Linux: 28 vulnerabilities [5 remote, 22 local, 1 unknown] + 12 Linux kernel vulnerabilities [6 remote, 6 local]
Solaris: 38 vulnerabilities [14 remote, 22 local, 2 both]
From the above listing one can infer that source licensing is not a primary factor in determining how prone to security flaws a software application will be. Specifically proprietary and Open Source UNIX family operating systems are represented on both the high and low ends of the frequency distribution.

Factors that have been known to influence the security and quality of a software application are practices such as code auditing (peer review), security-minded architecture design, strict software development practices that restrict certain dangerous programming constructs (e.g. using the str* or scanf* family of functions in C) and validation & verification of the design and implementation of the software. Also, reducing the focus on deadlines and only shipping when the system is in a satisfactory state is important.

Both the Debian and OpenBSD projects exhibit many of the aforementioned characteristics which help explain why they are the Open Source UNIX operating systems with the best security record. Debian's track record is particularly impressive when one realizes that the Debian Potato consists of over 55 million lines of code (compared to RedHat's 30,000,000 million lines of code).

The Road To Secure Software

Exploitable security vulnerabilities in a software application are typically evidence of bugs in the design or implementation of the application. Thus the process of writing secure software is an extension of the process behind writing robust, high quality software. Over the years a number of methodologies have been developed to tackle the problem of producing high quality software in a repeatable manner within time and budgetary constraints. The most successful methodologies have typically involved using the following software quality assurance, validation and verification techniques: formal methods, code audits, design reviews, extensive testing and codified best practices.
Formal Methods: One can use formal proofs based on mathematical methods and rigor to verify the correctness of software algorithms. Tools for specifying software using formal techniques exist such as VDM and Z. Z (pronounced 'zed') is a formal specification notation based on set theory and first order predicate logic. VDM stands for "The Vienna Development Method" which consists of a specification language called VDM-SL, rules for data and operation refinement which allow one to establish links between abstract requirements specifications and detailed design specifications down to the level of code, and a proof theory in which rigorous arguments can be conducted about the properties of specified systems and the correctness of design decisions. The previous descriptions were taken from the Z FAQ and the VDM FAQ respectively. A comparison of both specification languages is available in the paper, Understanding the differences between VDM and Z by I.J. Hayes et al.


Code Audits: Reviews of source code by developers other than the author of the code are good ways to catch errors that may have been overlooked by the original developer. Source code audits can vary from informal reviews with little structure to formal code inspections or walkthroughs. Informal reviews typically involve the developer sending the reviewers source code or descriptions of the software for feedback on any bugs or design issues. A walkthrough involves the detailed examination of the source code of the software in question by one or more reviewers. An inspection is a formal process where a detailed examination of the source code is directed by reviewers who act in certain roles. A code inspection is directed by a "moderator", the source code is read by a "reader" and issues are documented by a "scribe".


Testing: The purpose of testing is to find failures. Unfortunately, no known software testing method can discover all possible failures that may occur in a faulty application and metrics to establish such details have not been forthcoming. Thus a correlation between the quality of a software application and the amount of testing it has endured is practically non-existent.

There are various categories of tests including unit, component, system, integration, regression, black-box, and white-box tests. There is some overlap in the aforementioned testing categories.

Unit testing involves testing small pieces of functionality of the application such as methods, functions or subroutines. In unit testing it is usual for other components that the software unit interacts with to be replaced with stubs or dummy methods. Component tests are similar to unit tests with the exception that dummy and stub methods are replaced with the actual working versions. Integration testing involves testing related components that communicate with each other while system tests involve testing the entire system after it has been built. System testing is necessary even if extensive unit or component testing has occurred because it is possible for separate subroutines to work individually but fail when invoked sequentially due to side effects or some error in programmer logic. Regression testing involves the process of ensuring that modifications to a software module, component or system have not introduced errors into the software. A lack of sufficient regression testing is one of the reasons why certain software patches break components that worked prior to installation of the patch.

Black-box testing, also called functional testing or specification testing, tests the behavior of the component or system without requiring knowledge of the internal structure of the software. Black-box testing is typically used to test that software meets its functional requirements. White-box testing, also called structural or clear-box testing, involves tests that utilize knowledge of the internal structure of the software. White-box testing is useful in ensuring that certain statements in the program are exercised and errors discovered. The existence of code coverage tools aids in discovering what percentage of a system is being exercised by the tests.

More information on testing can be found at the comp.software.testing FAQ.


Design Reviews: The architecture of a software application can be reviewed in a formal process called a design review. In design reviews the developers, domain experts and users examine that the design of the system meets the requirements and that it contains no significant flaws of omission or commission before implementation occurs.


Codified Best Practices: Some programming languages have libraries or language features that are prone to abuse and are thus prohibited in certain disciplined software projects. Functions like strcpy, gets, and scanf in C are examples of library functions that are poorly designed and allow malicious individuals to use buffer overflows or format string attacks to exploit the security vulnerabilities exposed by using these functions. A number of platforms explicitly disallow gets, especially since alternatives exist. Programming guidelines such as those written by Peter Galvin in a Unix Insider article on designing secure software are used by development teams to reduce the likelihood of security vulnerabilities in software applications.
Projects such as the OpenBSD project that utilize most of the aforementioned techniques in developing software typically have a low incidence of security vulnerabilities.

Issues Preventing Development of Secure Open Source Software

One of the assumptions that is typically made about Open Source software is that the availability of source code translates to "peer review" of the software application. However, the anecdotal experience of a number of Open Source developers including John Viega belies this assumption.

The term "peer review" implies an extensive review of the source code of an application by competent parties. Many Open Source projects do not get peer reviewed for a number of reasons including:
- complexity of code, in addition to a lack of documentation, makes it difficult for casual users to understand the code enough to give a proper review
- developers making improvements to the application typically focus only on the parts of the application that will affect the feature to be added instead of the whole system
- ignorance of developers to security concerns
- complacency in the belief that since the source is available it is being reviewed by others


Also, the lack of interest in unglamorous tasks like documentation and testing amongst Open Source contributors adversely affects the quality of the software. However, all of these issues can be and are solved in projects with a disciplined software development process, clearly defined roles for the contributors and a semi-structured leadership hierarchy.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
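The article Asher quotes above names strcpy, gets and scanf as the C library calls that disciplined projects ban. The following is an added example written for this thread, not code from the article, from Asher, or from any of the projects the thread mentions; the function names safe_copy, read_line_bounded and parse_port are my own, and all inputs are constructed. Each function is the bounded replacement a code audit would ask for, with the failure mode the original call silently accepts (overlong input, missing terminator, trailing garbage) turned into an explicit error return.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for strcpy(dst, src).
 * strcpy copies until it finds a NUL in src, so a src longer than dst
 * overwrites whatever follows dst on the stack or heap.  This version
 * refuses the copy when src does not fit and always leaves dst as a
 * valid NUL-terminated string (unlike strncpy, which may leave no NUL).
 * Returns 0 on success, -1 when src is too long for dst. */
int safe_copy(char *dst, size_t cap, const char *src)
{
    if (cap == 0) return -1;
    size_t n = strlen(src);
    if (n >= cap) {            /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n bytes plus the NUL */
    return 0;
}

/* Replacement for gets(dst).  gets() takes no size at all, which is why
 * several platforms simply forbid it.  fgets() takes the buffer size but
 * keeps the trailing newline and silently truncates an overlong line, so
 * both cases are handled here.  Returns the line length on success, -1 on
 * EOF or error, -2 if the line did not fit (the remainder of that line is
 * discarded so the next call starts on a fresh line). */
long read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap < 2 || fgets(dst, (int)cap, in) == NULL) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return (long)(n - 1);
    }
    if (n == cap - 1) {        /* buffer filled without a newline: truncated */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { }
        dst[0] = '\0';
        return -2;
    }
    return (long)n;            /* final line of input without a newline */
}

/* Replacement for scanf("%d", &port) (or worse, scanf("%s", buf)) when
 * reading a TCP port.  strtol reports exactly where parsing stopped, so
 * trailing garbage and out-of-range values are rejected instead of being
 * silently accepted.  Returns the port (1..65535) or -1 on malformed input. */
int parse_port(const char *text)
{
    if (text == NULL || *text == '\0') return -1;
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0') return -1;
    if (v < 1 || v > 65535) return -1;
    return (int)v;
}

/* Stand-alone demonstration on constructed inputs. */
int main(void)
{
    char name[8];
    int rc = safe_copy(name, sizeof name, "web01");
    printf("safe_copy short: %d [%s]\n", rc, name);
    rc = safe_copy(name, sizeof name, "a-much-longer-hostname");
    printf("safe_copy long : %d [%s]\n", rc, name);

    FILE *f = tmpfile();       /* constructed input: second line is overlong */
    fputs("GET /index\n0123456789ABCDEF\n", f);
    rewind(f);
    char line[12];
    long len = read_line_bounded(line, sizeof line, f);
    printf("line 1: %ld [%s]\n", len, line);
    len = read_line_bounded(line, sizeof line, f);
    printf("line 2: %ld [%s]\n", len, line);
    fclose(f);

    printf("ports: 8080 -> %d, 99999 -> %d, 80abc -> %d\n",
           parse_port("8080"), parse_port("99999"), parse_port("80abc"));
    return 0;
}
```

The point of the error returns is that a caller can treat "input did not fit" as a security event rather than as something the library hides: the audits and codified-practice lists the article describes are exactly where a rule like "no strcpy/gets/scanf; use bounded wrappers that report truncation" gets written down.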
 
