Gabriel, I think you've hit it on the head.
The difference between MS and Linux security
rests on only a few fundamental points, mostly
having to do with SysAdmin competence and 
historical bias.

1) In general, Microsoft's products are "easier"
to use (and I use "easier" in brackets because
it's not totally true, but it IS the perception).
They work "out of the box" (sometimes) with little
or no configuration required; a trained monkey
can put it together (and by the looks of things,
quite a lot of them do).  Linux, coming from its
Unix CLI roots, requires (sometimes) arcane
settings to set up; it SOMETIMES works "out of the
box" but a small bit of intelligence not required
for Windows is required.  The best analogy is
Microsoft gives the user a fish and says "Go, eat!"
while Linux (in a true sense) gives the man a
fishing pole with the fish already on it, tells
him to reel it in, and then eat it.  Hopefully along
the way, while the man is eating the fish, he'll
ponder "How did that fish get on the line, and how
do I get more fish on my line for tomorrow?" which
will end up being in Man pages, FAQs, or some other
documentation.  Hardcore Linux folks realize that
the next step is for the man to teach himself
to fish completely.  For those who don't know the
old truism I based the allegory on, it goes "If
you give a man a fish, he'll eat for a day.  If you
teach a man to fish, he'll eat for a lifetime.  If
you take a man fishing with you, you'll have a drinking
buddy."  Oh, wait, the last is just an American
addition to the old saying :)

2) Linux being Open Source, there's an "embarrassment"
factor associated with any security issues or bugs; 
let's face it, we're all vain and like to think our
code is bullet proof, but when you have 500 people 
who closely pore over your code (and that's about
what most projects end up getting, in the end), you
want your code to sparkle.  Therefore, there's a 
Darwinian "Survival of the fittest" going on.  Microsoft,
on the other hand, has discrete review groups to 
review their code; they look only for functionality,
with maybe some minor other issues (like, say, security,
at least until the last year), and then OK the code
via committee; the old "A camel is a horse designed
by committee" bit.  In general, then, Microsoft
is REACTIVE to security issues, whereas Open Source
STRIVES (but doesn't always succeed) to be PROACTIVE
about security; Microsoft closes the barn door, whereas
Open Source sees a spot on the wall that needs reinforcing.

Neither is inherently BETTER for all things; Security
through Obscurity IS probably a good idea in a few 
select cases (anyone want to publish bank PIN generation
codes in Open Source?), while in MANY cases, the
many eyes approach works well too.

3) Linux isn't >INHERENTLY< more secure than a closed
source OS (I'm leaving out MS software because Linux
IS more inherently secure, because Unix was long ago
rewritten for security, while Windows had it grafted
on with NT, and has never had the top up redesign
needed to start with a secure foundation).  Linux
is more secure because the administrators are more
interested in KEEPING it secure.  If Linux ever gets
to the point that Windows is in now, where every
Grandma, Grandpa, and baby brother has their own
machine, even though WE, here, on this list, may
be relatively secure, most of the machines >WON'T<
be.  Many, many folks still run Windows 95; even more,
many of those same folks don't have the vaguest clue
that they need to run Windows Update (or needed to,
they can't do it now....).  Now, imagine folks
who have a similarly old, unpatched Redhat 
system; what would that be, RH 2.0 or so?  How secure
is THAT?  But nobody runs something that old; the
oldest I've heard on this list in a while was 5.2,
which is only 4 years old, on par with Windows98SE.
No one here would recommend connecting an unpatched
RH5.2 box to the Internet; no one here would recommend
a Windows98SE box being connected unpatched, either.

Anyway, that's my $0.02.  And for anyone who read this
far, thanks!

Bill Ward

> -----Original Message-----
> From: gabriel [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 28, 2003 9:33 AM
> To: [EMAIL PROTECTED]
> Subject: Re: u.s. government recognizes Linux as official desktop OS
> 
> 
> On January 28, 2003 07:42 am, Robert P. J. Day wrote:
> > 1) MS software is notoriously insecure and is largely
> >   responsible for the insecurity of the current IT
> >   infrastructure, or
> 
> 
> now i'm not a fan of micros~1, but i feel that i have to
> check this statement for accuracy.  in cases like "the sql
> slammer" the one at fault is definitely not the author of the
> software, but rather the halfwit who's running it unpatched.
> as i understand it, micros~1 had released a patch for mssql
> months ago, and this virus is only attacking the boxes that
> have yet to be patched.
> 
> just think about what the internet would be like if there
> were millions of linux users running 3-year-old versions of
> apache & mysql...  i would propose that it's not just
> microsoft's inability (or unwillingness) to get their sh*t
> together, but also the ineptitude of these "sysadmins" that
> insist on running this software and don't know (or don't care
> to know) how to patch it...

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list