It does, of course, help that most of the security issues that Linux faces are relatively benign general bugs, not the exploitable security bugs that wreak such havoc on Windows systems and networks. This distinction matters greatly when you compare the statistics of each security record, because five general bugs are not in any way equivalent to five exploitable security bugs.
A general bug that hits an individual user or site gets reported and resolved. It generally does not have the same impact as a security bug, particularly one that can be exploited remotely. A general bug (if catastrophic enough) can cause loss of data or system unavailability, but a security bug can cause your system to become "owned" by a cracker. A security bug can mean that you lose data through deletion, have data sent to your competitors or leaked to the trade press, have invalid data inserted into your records, have customer credit cards stolen, and so on.
Further, once vulnerabilities become known, they spread on backroom IRC channels like wildfire. While you and a few others may encounter a general bug, a remotely exploitable vulnerability attracts probes and exploit attempts against tens of thousands of hosts within hours, causing far more damage than a general bug ever could.
Finally, catastrophic general bugs that affect a large number of systems are few and far between. Most people do not tread the bleeding edge of operating system releases, and widely used system and subsystem software does not usually harbor catastrophic general bugs for long. Security bugs, however, can lurk for years in code or subsystems that are widespread and deeply entrenched, which widens the potential spread of damage even further.
Because general bugs can and do affect all operating systems, including Linux, it is clear that even the "with enough eyeballs, all bugs are shallow" idiom isn't perfect. But we do know that a security problem in Linux will be resolved at the source level, a certainty we do not have with commercial closed-source or orphaned software.
Perhaps the most important advantage that open source software can provide is that widely used code subsystems shown to have security vulnerabilities are fixed and reissued quickly. Microsoft and many closed-source vendors have a woeful history of tardy or nonexistent vulnerability resolution in their code. This has, thankfully, changed in the past year or two, more than likely due to the torrents of negative publicity poured on these vendors after each security threat announcement.