Advertisement
Promo

Server platforms Toolkit

Linux security under spotlight

Con Zymaris, Special to ZDNet Australia ZDNet Australia

Published: 03 Dec 2002 12:21 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Perhaps in response to the excessive publicity given to the strong security associated with Linux and open source software, it's no surprise that a number of commentators are making a high-profile argument that Linux, just like every other platform, does indeed have security issues. Members of the open source community have always known that Linux is not immune from security threats, so there is no argument there. What is in question is the final conclusion that these commentators are drawing, which is that Linux is less secure than Microsoft Windows.

Fighting for security for the past 20 years
Almost all Linux professionals are also Unix professionals, many of whom have been dealing with online security threats for over 20 years. Remember, the Unix community (and subsequently the Linux community) is the group that first created and still forms the backbone of the Internet. This community was dealing with serious security threats, like the Internet (i.e., Morris) Worm, before Windows NT even existed. Unix users know network and host security inside and out and were the first to implement almost all the intrusion-detection, perimeter-defence, and security-analysis technologies that our industry uses today. Linux/Unix is not invincible from security threats, it's true; but this group has spent the last 20-plus years ensuring that Linux/Unix is more secure than any other system.

Yet the pundits who have raised their voices in recent months, including people who should know better, like Paul Thurrott (of WinInformant), are questioning this generally accepted notion among IT professionals that Linux is more inherently secure than Microsoft's professional operating system platforms. For instance, Thurrott has stated: "In Friday's WinInfo Daily UPDATE newsletter, I mentioned a set of statistics from BugTraq, a reputable security/information provider, that shows how various OSs compare security-wise. The statistics show a surprising trend: When you aggregate all the Linux distributions, Linux, not Windows, has had the most security vulnerabilities, year after year."

The Linux way
As I said earlier, there is no shame in conceding that there are no truly secure operating systems. There is only the ongoing process of trying to keep a host or network secure. Security is like a treadmill. If you don't move forward with security patches, security tools, and revamped system security processes, you'll be flung off the end of it. Oh, and by the way, the crackers have access to the treadmill's speed control knob, and they keep increasing the speed. Needless to say, security is a difficult and continuing effort.

The open source community has worked diligently to fight the good fight against security vulnerabilities. One of this community's basic security philosophies is, "With enough eyeballs, all bugs are shallow." This Linux axiom points to the fact that when a bug becomes an issue, many people have the source code, and it can be quickly resolved without the help of a vendor.

It does, of course, help that most of the security issues that Linux faces are relatively benign, general bugs and not the exploitable security bugs that wreak such havoc on Windows systems and networks. This point matters greatly when you are looking at the statistics of each security record, because five general bug issues are not in any way the same as five exploitable security bug issues.

A general bug that hits an individual user or site gets reported and resolved. Generally, it doesn't have the same impact as a security bug, particularly one that could exploit remote systems. A general bug (if catastrophic enough) can cause loss of data or system unavailability, but a security bug can cause your system to become "owned" by a cracker. A security bug can mean that you lose data through deletion, have data sent to your competitors or leaked to the trade press, have invalid data inserted into your records, or have customer credit cards stolen and so on.

Further, once vulnerabilities become known, they can spread on backroom IRC channels like wildfire. While you and a few others may encounter a general bug, a remotely exploitable vulnerability has the attribute of attracting penetrative tests against tens of thousands of hosts in a matter of hours, causing far more damage than a general bug.

Finally, catastrophic bugs that affect a large number of systems are few and far between. Most people do not tread the bleeding edge of operating system releases, and widely-used system and subsystem software don't usually harbor catastrophic, general bugs for long. Security bugs, however, can arise in code or in a subsystem, which is widespread and very well entrenched, further accentuating the possible spread of damage.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
102 out of 229 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Server platforms


Company/Topic Alerts

Create a new alert from the list below:










Video icon

Video

Microsoft Futures

Windows 7: Mixed reviews from PDC attendees

As developers received their copies of Windows 7 on Tuesday, they offered varied reactions to the Microsoft operating system update More

Microsoft floats clouds on Windows Azure

At the Professional Developers Conference, Microsoft announced the Azure Services Platform, the company's cloud-computing platform More

Ozzie: Success of Azure comes down to trust

In an interview, Ray Ozzie says businesses will be taking a risk by placing core operations in Microsoft's datacentre, but that the software giant has more to lose if things go bad More


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters