RE: Open source security

From: Popkin, Laird (WMG Corp)
Date: Fri May 07 2004 - 21:04:20 CDT

There are a couple of data points that I like to use when discussing open
source and security:

Open source systems have the obvious pragmatic benefits that many highly
motivated people can inspect the code and fix problems, so you'd expect that
widely used open source software would be secure. But let's see how the real
world data matches with that expectation.

OpenBSD (my personal favorite server OS) is an open source OS that's
engineered primarily for security and stability. It has a record of _one_
remote hole in the default install in over eight years. Compare to any
proprietary OS, and the numbers aren't even close (it's also got a better
TCP/IP stack and filesystem, but that's a separate issue).

And to discredit the argument that "there are more Windows bugs detected
because more people use Windows", let's compare Apache/Linux and IIS/NT in
terms of numbers of web sites running (market share) and in numbers of web
sites defaced, which we have data for from 1999-2001.

Over that period (and continuing to today) Apache is a far more widely used
web server than Microsoft's IIS (67% vs. 21.5% market share).

Security data in general is hard to get, because companies don't want to
publicise security problems, but when web sites are defaced it's fairly
public. Attrition.org tracked web site defacement from 1999 through 2001
(when the volume became impossible for them to manage). For each defacement,
they tracked the OS each site ran.

You'd expect that if security of NT/IIS and Apache/Linux were equal, the
proportion of NT sites defaced would be the same as the proportion of sites
using IIS, and similarly for Linux and Apache. What they actually measured,
however, was that 54.5% of defacements were to NT servers, with another 6.8%
running Windows 2000, giving Windows just over 61% of the defacements, while
open source (Linux and BSD) were running about 26% of the defaced sites.

That's:

                Sites    Hacks    Hacks/Sites ratio
  Open Source   61%      26%      .42
  Proprietary   21.5%    61%      2.8

So if we divide, we see that each NT/IIS site was 6.75x as likely to get
defaced as each Linux/Apache site, based on an immense volume of real world
data.

You can see http://www.attrition.org/mirror/attrition/os.html and
http://www.attrition.org/mirror/attrition/os-graphs.html for defacement data
broken down by OS.

You can check http://news.netcraft.com/archives/web_server_survey.html for
the historical numbers on popularity of Apache vs. IIS.

Other good sources of data:

SecurityFocus http://www.securityfocus.com/vulns/stats.shtml (1999 was a
very bad security year for MS; they had every one of the top 12 packages in
the 'Top Vulnerable Packages 1999' list. They've gotten better, but are
nowhere near OpenBSD's record.)

The E-Soft Web Server Survey http://www.securityspace.com/s_survey/data/
(they put Apache at 70%, IIS at 22.5%)

-----Original Message-----
From: owner-voting-project@afterburner.sonic.net
[mailto:owner-voting-project@afterburner.sonic.net]On Behalf Of David
Mertz
Sent: Friday, May 07, 2004 8:50 PM
To: voting-project@lists.sonic.net
Subject: [voting-project] Open source security

On May 7, 2004, at 6:58 PM, james_in_denver wrote:
> As far as I can see there have been two successful attacks on Linux
> machines. Both cases involved a Trojan Horse attack AFTER gaining access
> to the systems by attaining the super-user passwords. These are truly
> not Viral attacks, just some lucky guesswork or a disgruntled employee.

Trying to find scientific evidence that Linux is more secure than
Windows is kinda like trying to find scientific evidence that the sky
is blue. It's just too overwhelmingly self-evident to be a reasonable
subject for investigation. Or like the belief that species of
organisms evolve over geological time scales.

On the other hand, in all the cases, what you're likely to find is a
bunch of misleading "studies" that posit the opposite. FUD from
Microsoft in the one case, or some sort of delusion or quibbling in the
other (i.e. "scientific" creationism). It's only worth saying if you
have something scandalously untrue-seeming as your premise.

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon May 31 23:17:25 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT