«

"Microsoft Corp. released eight security fixes Tuesday that carry its
highest threat rating and urged computer users to install them quickly
because all the vulnerabilities they address could let attackers take
complete control of systems."

http://story.news.yahoo.com/news?tmp...osoft_security

Michael J. Pelletier <> wrote:
> "Microsoft Corp. released eight security fixes Tuesday that carry its
> highest threat rating and urged computer users to install them quickly
> because all the vulnerabilities they address could let attackers take
> complete control of systems."
>
> http://story.news.yahoo.com/news?tmp...osoft_security

As much as I support Linux, though, there have been quite a few kernel
problems lately (cf. the author of GrSecurity posting six - I believe -
vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
the kernel maintainers have now created a special patch branch,
2.6.10-as2. Applying the patches in there really isn't optional).

Microsoft has a long-standing history of producing bad security, but
this time round, Linux hasn't performed much better. (Of course, this is
mitigated by the fact that a Linux kernel need not include all
vulnerable parts - for example, I don't need IGMP, 64-bit support or
SMP; solves a lot of bugs...)

Linux' open development model may have allowed for quicker fixes, though
- all my machines were patched within six hours of disclosure. (And this
'patch pack' fixes problems that had been known for quite a while,
though frankly, the patches have been around, albeit individually, for a
while too).

Oh well, let's wait for the OpenBSD supporters...

Joachim

"Joachim Schipper" <> wrote in message
news:420a1442$0$5207$...
> Michael J. Pelletier <> wrote:
>> "Microsoft Corp. released eight security fixes Tuesday that
>> carry its
>> highest threat rating and urged computer users to install them
>> quickly
>> because all the vulnerabilities they address could let
>> attackers take
>> complete control of systems."
>>
>> http://story.news.yahoo.com/news?tmp...osoft_security
>
> As much as I support Linux, though, there have been quite a few
> kernel
> problems lately (cf. the author of GrSecurity posting six - I
> believe -
> vulnerabilities to Bugtraq when the kernel guys didn't fix them
> in time;
> the kernel maintainers have now created a special patch branch,
> 2.6.10-as2. Applying the patches in there really isn't
> optional).
>
> Microsoft has a long-standing history of producing bad security,
> but
> this time round, Linux hasn't performed much better. (Of course,
> this is
> mitigated by the fact that a Linux kernel need not include all
> vulnerable parts - for example, I don't need IGMP, 64-bit
> support or
> SMP; solves a lot of bugs...)
>
> Linux' open development model may have allowed for quicker
> fixes, though
> - all my machines were patched within six hours of disclosure.
> (And this
> 'patch pack' fixes problems that had been known for quite a
> while,
> though frankly, the patches have been around, albeit
> individually, for a
> while too).
>

IIRC the linux kernel has around 1000 documented bugs, by
comparison Bill's kernel has an estimated 1.4 million bugs. I
administer both windows and gentoo linux boxes, I've had windows
updates that have virtually brought a system to it's knees -
repair installation required.

Updates to the gentoo boxes have never caused any serious problems
and as you say security fixes are usually much more timely with
open source software.

--
Ian

On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
> IIRC the linux kernel has around 1000 documented bugs, by comparison
> Bill's kernel has an estimated 1.4 million bugs.

How many lines of code in each - your stats mean nothing without knowing
the number of lines of code in each.

> I administer both
> windows and gentoo linux boxes, I've had windows updates that have
> virtually brought a system to it's knees - repair installation required.

I run hundreds of Windows workstations and servers, only 1 time has a
service pack trashed an installation (since the NT3.51 days).

I'm also running Fedora Core 3 and a kernel update trashed by install of
FC3 causing me to reinstall from scratch.

> Updates to the gentoo boxes have never caused any serious problems and
> as you say security fixes are usually much more timely with open source
> software.

Updates take about the same amount of time in both worlds, some are easy
to code others take longer. Neither side is perfect, it's knowing where
the holes are, how to eliminate exposure, and how to secure the box that
matters.


--

remove 999 in order to email me

Leythos wrote:
> On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
>
>>IIRC the linux kernel has around 1000 documented bugs, by comparison
>>Bill's kernel has an estimated 1.4 million bugs.
>
>
> How many lines of code in each - your stats mean nothing without knowing
> the number of lines of code in each.
>
>
>> I administer both
>>windows and gentoo linux boxes, I've had windows updates that have
>>virtually brought a system to it's knees - repair installation required.
>
>
> I run hundreds of Windows workstations and servers, only 1 time has a
> service pack trashed an installation (since the NT3.51 days).
>
> I'm also running Fedora Core 3 and a kernel update trashed by install of
> FC3 causing me to reinstall from scratch.
>
>
>>Updates to the gentoo boxes have never caused any serious problems and
>>as you say security fixes are usually much more timely with open source
>>software.
>
>
> Updates take about the same amount of time in both worlds, some are easy
> to code others take longer. Neither side is perfect, it's knowing where
> the holes are, how to eliminate exposure, and how to secure the box that
> matters.
>
>
Leythos,

I couldn't agree more with that last paragraph! The key is:

1. What meets the requirement best?
2. How you can fulfill your users desires without breeching the security
and policies of your network.

We have many OS flavors. If one can keep only authorized folks, doing
authorized things, in an authorized way, the OS is irrelevant. One can
easily centrally control most systems these days. We tend to run more
fedora than gentoo but the majority of our users use Windows because
that is what they know.

Winged

Joachim Schipper wrote:

> Michael J. Pelletier <> wrote:
>> "Microsoft Corp. released eight security fixes Tuesday that carry its
>> highest threat rating and urged computer users to install them quickly
>> because all the vulnerabilities they address could let attackers take
>> complete control of systems."
>>
>>
http://story.news.yahoo.com/news?tmp...osoft_security
>
> As much as I support Linux, though, there have been quite a few kernel
> problems lately (cf. the author of GrSecurity posting six - I believe -
> vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
> the kernel maintainers have now created a special patch branch,
> 2.6.10-as2. Applying the patches in there really isn't optional).
>
> Microsoft has a long-standing history of producing bad security, but
> this time round, Linux hasn't performed much better. (Of course, this is
> mitigated by the fact that a Linux kernel need not include all
> vulnerable parts - for example, I don't need IGMP, 64-bit support or
> SMP; solves a lot of bugs...)
>
> Linux' open development model may have allowed for quicker fixes, though
> - all my machines were patched within six hours of disclosure. (And this
> 'patch pack' fixes problems that had been known for quite a while,
> though frankly, the patches have been around, albeit individually, for a
> while too).
>
> Oh well, let's wait for the OpenBSD supporters...
>
> Joachim

Actually I am a FreeBSD dude...

Leythos wrote:

> On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
>> IIRC the linux kernel has around 1000 documented bugs, by comparison
>> Bill's kernel has an estimated 1.4 million bugs.
>
> How many lines of code in each - your stats mean nothing without knowing
> the number of lines of code in each.
>
>> I administer both
>> windows and gentoo linux boxes, I've had windows updates that have
>> virtually brought a system to it's knees - repair installation required.
>
> I run hundreds of Windows workstations and servers, only 1 time has a
> service pack trashed an installation (since the NT3.51 days).
>
> I'm also running Fedora Core 3 and a kernel update trashed by install of
> FC3 causing me to reinstall from scratch.
>
>> Updates to the gentoo boxes have never caused any serious problems and
>> as you say security fixes are usually much more timely with open source
>> software.
>
> Updates take about the same amount of time in both worlds, some are easy
> to code others take longer. Neither side is perfect, it's knowing where
> the holes are, how to eliminate exposure, and how to secure the box that
> matters.
>


Oh come one now! I do computer security for a living. MS is absolutely
horrible in the amount of time it takes from discovery to fix. Linux/BSD
has an average of 3 days. MS has an average of 30 to 60. that is 10 times
longer ...let's be honest here.


As far a patches on MS not blowing up a system. How long have you been
installing patches? It has happened to everyone! XP SP2 anyone???????????

Michael

winged wrote:

> Leythos wrote:
>> On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
>>
>>>IIRC the linux kernel has around 1000 documented bugs, by comparison
>>>Bill's kernel has an estimated 1.4 million bugs.
>>
>>
>> How many lines of code in each - your stats mean nothing without knowing
>> the number of lines of code in each.
>>
>>
>>> I administer both
>>>windows and gentoo linux boxes, I've had windows updates that have
>>>virtually brought a system to it's knees - repair installation required.
>>
>>
>> I run hundreds of Windows workstations and servers, only 1 time has a
>> service pack trashed an installation (since the NT3.51 days).
>>
>> I'm also running Fedora Core 3 and a kernel update trashed by install of
>> FC3 causing me to reinstall from scratch.
>>
>>
>>>Updates to the gentoo boxes have never caused any serious problems and
>>>as you say security fixes are usually much more timely with open source
>>>software.
>>
>>
>> Updates take about the same amount of time in both worlds, some are easy
>> to code others take longer. Neither side is perfect, it's knowing where
>> the holes are, how to eliminate exposure, and how to secure the box that
>> matters.
>>
>>
> Leythos,
>
> I couldn't agree more with that last paragraph! The key is:
>
> 1. What meets the requirement best?
> 2. How you can fulfill your users desires without breeching the security
> and policies of your network.
>
> We have many OS flavors. If one can keep only authorized folks, doing
> authorized things, in an authorized way, the OS is irrelevant. One can
> easily centrally control most systems these days. We tend to run more
> fedora than gentoo but the majority of our users use Windows because
> that is what they know.

Sure, but times are a-changing. Get used to it....

---------------------------------------------------------------------------
Open Source: Millions of opened minds couldn't be wrong.
---------------------------------------------------------------------------

Michael

On Wed, 09 Feb 2005 22:45:18 -0800, Michael J. Pelletier wrote:
> As far a patches on MS not blowing up a system. How long have you been
> installing patches? It has happened to everyone! XP SP2 anyone???????????

Sure, lets be honest - We've installed SP2 on more than 1000 systems since
it came out and have found 2 systems that were problematic - one required
a BIOS update, one didn't require, but was easier to just wipe/reinstall.
Sounds like a good track record to me.

--

remove 999 in order to email me

Michael J. Pelletier <> wrote:
> Joachim Schipper wrote:

>> As much as I support Linux, though, there have been quite a few kernel
>> problems lately (cf. the author of GrSecurity posting six - I believe -
>> vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
>> the kernel maintainers have now created a special patch branch,
>> 2.6.10-as2. Applying the patches in there really isn't optional).
>>
>> Microsoft has a long-standing history of producing bad security, but
>> this time round, Linux hasn't performed much better. (Of course, this is
>> mitigated by the fact that a Linux kernel need not include all
>> vulnerable parts - for example, I don't need IGMP, 64-bit support or
>> SMP; solves a lot of bugs...)
>>
>> Linux' open development model may have allowed for quicker fixes, though
>> - all my machines were patched within six hours of disclosure. (And this
>> 'patch pack' fixes problems that had been known for quite a while,
>> though frankly, the patches have been around, albeit individually, for a
>> while too).
>>
>> Oh well, let's wait for the OpenBSD supporters...
>>
>> Joachim
>
> Actually I am a FreeBSD dude...

You didn't try to tell anyone to switch to OpenBSD, either...

Seriously though, OpenBSD looks great but I'm staying with GNU for now.
I like their idealism. (That, and I feel Linux can be very secure if
properly hardened - why aren't GrSecurity, loop-AES and PaX in mainline?
All have been around for a long time; loop-AES might be a little
intrusive, completely replacing the loop drivers, but GrSecurity/PaX
applies very cleanly and can easily be disabled, if so desired.)

For the record: I administer about six Windows boxes - depending on what
counts as 'administering' - and two Linux machines. The latter are
LFS-based, run a couple of services, and have undergone some hardening.
The former I keep in working condition to allow others to work on them.
I plan to install at least four more machines, all running Linux, but I
keep putting it off for lack of time. Most of these machines are either
the property of family members or my students' association - my own
machine runs Linux, and Linux only.

Joachim