[conspire] More on security

Rick Moen rick at linuxmafia.com
Tue Sep 13 17:16:36 PDT 2005


Yeah, I probably shouldn't bother, but I occasionally put something out
in public.  Not that I think the general security of Linux distributions is 
satisfactory:  I don't.  But Marcus Ranum has said that best:
http://www.ranum.com/security/computer_security/editorials/master-tzu/

A rant worth reading (Ranum's, not mine).

-- forwarded message --
From: Rick Moen <rick at linuxmafia.com>
Subject: Re: Linux vs MS Security
Newsgroups: comp.os.linux
References: <pan.2005.08.25.17.39.22.456091 at omen.com>
Organization: If you lived here, you'd be $HOME already.
User-Agent: tin/1.7.6-20040906 ("Baleshare") (UNIX) (Linux/2.4.27-2-686 (i686))
Message-ID: <2cb20$43275e4c$c690c3ba$7659 at TSOFT.COM>
Date: Tue, 13 Sep 2005 19:18:36 -0400

Chuck Forsberg WA7KGX N2469R <caf at omen.com> wrote:
> Now and then I encounter a Microsoftie who claims Linux
> is as vulnerable as Windows because there are a comparable
> number of security patches released.

This sounds like a fairly content-free OS-advocacy discussion.  Are you
_sure_ you want to have one?  

I.e., if you stop to think for just a moment, you'll realise multiple
reasons why the relative _number_ of security patches (a) cannot be 
determined and (b) would be irrelevant to the question at hand, anyway:

1.  Linux distributions differ drastically, from one to the next, as to
the number and scope of codebases (applications, daemons, etc.)
furnished with the base OS.  E.g., there are over 17,000 packages (per
supported architecture) in Debian's stable branch.  (_However_, basically
all Linux distributions offer a considerably greater number and scope
of codebases than do Microsoft's extremely spartan MS-Windows releases.
This is the biggest single "apples and oranges" portion of the problem,
though there are others.)

2.  Distributions not only differ greatly about number and scope of 
packages, but also typically offer considerable latitude about whether
to install the kitchen sink, almost nothing, or anything in-between.
Not all software is likely to get installed -- or run, if it is
installed.  However, security patches get released for all contents,
both often-used and almost-never-used.

For the preceding two reasons alone -- and there are others -- if there
were (hypothetically) a "comparable" number of patches released for
Debian-stable's 17,000 packages+ and for MS-Windows XP's bare OS +
Wordpad + MSIE + MS Outlook Express (and some few other mini-apps),
wouldn't that seem (on just numbers) to be an extremely damning
indictment of _MS-Windows_?

3.  However, not all "security patches" are created equal.  First, some
are reactive and others are anticipatory.  (Guess the tendencies of
Linux and MS-Windows security patches in that area:  You'll probably
guess right.) Some are against theoretical attacks that may or may not
ever be made real.   Some are to guard against remote privilege
escalation and system compromise, some are for local-only privilege
escalation, some are for remote denial of service, some are for
local-only denial of service.  Those are of radically differing
importance.  E.g., one "hole" in Apache 1.3.x, some years back,
theoretically allowed a remote attacker to bump off Apache listening
processes, a few at a time -- and that's it.  Apache 1.3's a
fork-and-exec daemon:  You kill a few, it spawns off a bunch more.  Big
deal.  

Not all vulnerabilities are credible or serious.  Not all exploits are
credible or serious.

Some remote attacks are much more likely to give you root/Administrator
privilege.  (Guess which platform generally has a much greater problem
with remote-root attacks?)

Patches that aren't anticipatory, by definition, involve a "window" of
delay between the time the vulnerability is discovered to (1) the time
an exploit is discovered and deployed, and (2) the time a patch becomes
available and known.  Guess which platform generally has a problem with
the patches that fix serious problems arriving in public much later than
the exploit code did?

Not all patches are non-problematic.  Linux systems tend to have modular
functionality for, in particular, security-sensitive code:  You can
upgrade or patch one part without adversely affecting another part.
MS-Windows systems, by contrast, have an ongoing problem in that area:
Sites delay deploying service packs and hotfixes because they break too
many other things, while fixing others.

> 1 (SPAM)  What percentage of SPAM is transmitted by compromised
> Linux systems compared to Microsoft?

I'm not sure how you'd even determine that.

> 2 How does Linux compare with Windows for spyware vulnerability?

Spyware is essentially unknown on Linux to my knowledge.  Certainly,
there is nothing at present remotely like the forest of such things that
beset MS-Windows XP systems of recent vintage.  The only thing I can
think of, historically, that might qualify is certain releases a long
time ago of Real Networks's RealPlayer, which were said to have code in
them, put there by the publisher, to spy on the media-browsing
activities of users and report back.  (I'm not sure that code was
present in the Linux version.)  

What is in common among MS-Windows spyware packages is that it is
spy-on-the-user code installed accidentally by the user along with some
software package the user deliberately installs because he believes he wants
it (the latter).  That is, in a way, an artifact of the way MS-Windows
users operate: installing and running software from any-old-where, with
a notable lack of caution.  This tends not to happen on Linux because
they rely more heavily on monitored distribution chains, because Linux
users already have much of the software they need, and because Linux Web
browsers deliberately lack some dangerous install-from-remote functions,
notably ActiveX.

> 3 How many Linux worms/virii in the last ten years??

Here's a survey.  Note the information about vulnerability windows, 
and the fact that the packages in question are in general relevant only
to machines run in server roles, deliberately exposed as such to public
networks:

http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5

-- 
Cheers,                 "Due to circumstances beyond our control, we regret to
Rick Moen               inform you that circumstances are beyond our control."
rick at linuxmafia.com                                              --Paul Benoit
-- end of forwarded message --