[thelist] [OT] MS vs *nix WAS:( New Critical Security Patch for Windows)

Shawn K. Quinn skquinn at xevious.kicks-ass.net
Thu Feb 12 07:24:52 CST 2004 

On Thursday 2004 February 12 06:05, Brian Cummiskey wrote:
> > I would say this is of dubious relevance, when the exploits for
> > them choke down entire networks and the fallout affects everyone,
> > even those of us who have long since ceased trusting Microsoft.
> > Also, Microsoft is not exactly known for brutal honesty when it
> > comes to owing up to a bug in their software, in particular if it
> > is security-related, and even if they acknowledge it the impact is
> > ridiculously downplayed.
>
> This has gone quite off-topic at this point, but I want to add my two
> cents.
>
> This whole MS is not secure thing really comes down to 1 thing: 
> popularity. Think about it.
>
> If 90% of the world used a *nix kernel, as a virus maker or hacker,
> what would you go after?

Well, there isn't just one "Unix kernel" to go after. You have systems 
which boot the Linux kernel (which usually run a version of GNU). You 
have FreeBSD, NetBSD, and OpenBSD. You have multiple CPU types (as in 
non-i386). In short, there is no neat, convenient "Unix kernel" to 
write a Unix virus for.

It's not just popularity. The Windows security model, even in Windows 
2000, has fundamental flaws that need to be addressed.

> I strongly feel that as *nix becomes more and more popular, that
> there are going to be a bunch of security holes, and thus viri,
> patches, and so forth.

I doubt it. The Unix security model is set up to thwart this sort of 
thing. 

> And well, sometimes things take time to fix-  a patch is not always an
> easy thing to come up- so that it doesn't hinder the rest of the o/s,
> all the while, fixing the breach in the system.

Usually, if a security exploit is found in the Linux kernel, or the rest 
of the GNU system that runs under it, or any part of the *BSD systems, 
a patch is available in hours or days (and you can fix it yourself or 
hire your own programmer to fix it, an option Microsoft does not give 
you because they don't give you source code). With Microsoft products, 
that can easily be weeks *after* the bug has been acknowledged (which 
is not guaranteed to be speedy).

-- 
Shawn K. Quinn

More information about the thelist mailing list