RE: Security followup

Subject: RE: Security followup
From: Andrew Plato <gilliankitty -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Fri, 17 Jan 2003 15:56:27 -0800 (PST)


One of the problems with security comparisons between platforms is that each
platform has different kinds of problems. For example...

Windows systems are tremendously susceptible to buffer overflow attacks. This
is mostly because Windows has hundreds of application programming interfaces
available. This is also exacerbated by the massive catalog of applications that
are written for Windows, many of which were never given any kind of security
testing.

Some distributions of Linux are susceptible to brute force and privilege
escalation attacks. This is namely because a lot of the core operational
parameters are easy to acquire once you have access to the machine. Linux boxes
are also extremely susceptible to root kits, because most root kits and hacker
tools are written for and run best on Linux.

I should note, security comparisons get even more meaningless when you consider
that there are numerous variants of Linux. Therefore, statements like "Linux is
more secure than Windows" have absolutely no meaning because they don't qualify
WHICH distribution of Linux (or for that matter which version of Windows).

The overwhelming majority of security flaws are easily mitigated through proper
management, maintenance, and configuration of systems and networks. This
includes some of the things you mentioned, like anti-virus, firewalls, and
proper access controls.

This is why security professionals, such as myself, are fond of saying that
configuration, use, and administration of a system have a far greater effect on
its security than the underlying platform used.

This is why saying things like "use Linux, you'll be more secure" is totally
misleading. A Linux box, set up and used in an insecure manner, is just as
susceptible to attack as a Windows box that is set up and used in an insecure
manner. Insecure usage of a system, regardless of platform, is ultimately what
makes a system more or less secure.

The open source community, like any organization, has a vested interest in
portraying their technologies in the best light possible. And with security
such a hot issue right now, it's common for open source folks to make
comparisons about how open source is nn.nn% more secure than Windows. This
coupled with the fervent anti-Microsoft sentiment of most open source folks
makes for a lot of misleading and sometimes downright inaccurate information.

Personally, I don't much care for the holy wars of Linux vs. Windows. They are
no different than the Windows vs. Mac wars...a total waste of energy and
riddled with misleading propaganda from all sides. Security is no different in
this regard.

The main thing is: set up and use your system in a secure manner, regardless of
platform.

Andrew Plato


--- Peter Lucas <peterlucas -at- decadesoftware -dot- com> wrote:
> Andrew,
>
> I just have to briefly chime in on this. I'm a tech writer/net admin at my
> company (mostly tech writer), and I was also under the impression that Linux
> was "much" more secure based mostly on what I read on the Internet and at
> Slashdot. We are a Windows shop here, but just last week I had to install
> Linux on a PC here for testing purposes. It was interesting because it gave
> me a chance to see what all the commotion was regarding Linux. (I had never
> seen it until last week.)
>
> I was tasked with setting up Red Hat Linux 7.3, Apache, MySQL, and then
> configuring the FTP server. As I scoured the Internet and also Red Hat's web
> site, I was just blown away by all the security warnings and patches that
> were available for the OS and each product. As a matter of fact, MySQL 3.23
> was patched for a security vulnerability and the patch disabled a feature we
> were using!
>

