This weblog is no longer being maintained. All information here has been ported to EclecticEchoes.com. This site (heupel.com/eclectic) remains only for archival purposes.

September 03, 2003

Security counting: 2+2=5

I was reading Anil Dash’s dead-on commentary on Jupiter analyst Michael Gartenberg wanting to throw the book at Jeffrey Lee Parson, when I decided to look at a few of the analyst’s, well, analyses. One page over he is “observing”:

“If you look around a bit, you find that The Computer Emergency Response Team (CERT) released data showing that 16 of the 29 security advisories it released last year involved Linux or open-source products. Perhaps Linux isn’t the silver bullet to solve security issues.”

Hmmmm… a couple of problems here.

First problem: nobody who understands the issues even superficially, and especially nobody in the security or computer science fields, believes that there is a silver bullet, short of disconnecting every computer from the net and from each other and disallowing the use of removable media. This is practiced in extremely sensitive situations and it works, but it’s a PITA and not practical for mainstream use.

The second problem is more factual in nature. Mr. Gartenberg believes, or wants us to believe, that CERT issued 29 security advisories last year and that 16 of those were advisories on Linux or open-source products. Not true. CERT lists all of its advisories for anyone to view, and has for a very long time. There is also a CERT security notification mailing list and an RSS feed.

In 2002 CERT issued 37 separate advisories, incidentally the same number as in 2001. So far this year they have issued 22. So where does Mr. Gartenberg get 29? And why does he choose 2002 instead of the current year to date?

Well, I don’t know, but I do think it is disingenuous to cite a source without providing a link while misrepresenting the source’s data to fit his purposes. To be perfectly fair, it is possible that he recalled an old news clipping or Byte.com article from near the end of 2002, when it genuinely was 29 advisories. I have no way of knowing and should not presume that he is massaging the data. I would be interested to find out.

I did go through the CERT advisory notices from 2001 to the present.
Short story: no “vendor” is perfect. It’s up to users/administrators and vendors to keep working to secure systems and to employ best practices for deployment, updates and education. Advisories are only one indicator of a system/platform’s overall securability.

Long story: here is how I checked.
Using CERT’s own advisories archive from January 2001 to the present, I briefly scanned the advisory title and the “Affected” and “Vendor” sections, looking only at the brief description of the vulnerability and whether MS or Linux/open-source was directly involved. If the title said Microsoft or had MS in it, and the “affected” or “vendors” section listed Microsoft and did not list any open-source products/vendors, then it was a Microsoft advisory. If the title, “affected” or “vendors” listed any open-source product or company but not Microsoft, it was an open-source advisory. If the title, “affected” and “vendors” listed neither an open-source product/company nor Microsoft, it was an “other” advisory. Similarly, if “affected” or “vendors” indicated a vulnerability for both Microsoft and open-source companies, I filed it as an “other” advisory (for example, a cross-platform, standards-based vulnerability). Whew! On to the unofficial, hopefully relatively unbiased, results1:

Summary of advisories, January 2001 to present

Year/Camp             2003   2002   2001
Microsoft               10      7     15
Linux / open-source      7     16      5
“other”                  5     14     17
Total                   22     37     37

Note that the 16 open-source advisories for 2002 match the figure Mr. Gartenberg quotes; the disagreement is over the total, which is 37 rather than 29.
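The sorting rule described above, re-implemented as an added example (this is not code from the original post). The records it runs over are constructed samples, not real CERT advisories, and the list of open-source names is an assumption chosen for illustration. One simplification: the post states the Microsoft rule in terms of the title plus the “affected”/“vendors” sections; here the three fields are pooled before the check, which gives the same four outcomes (Microsoft only, open-source only, neither, both).

```python
"""Re-implementation of the advisory-sorting rule described above.

Added example, not code from the original post.  The records below are
constructed samples, not real CERT advisories; the open-source name list
is an assumption chosen for illustration.
"""
import re
from collections import Counter

# Microsoft is recognised by the word "Microsoft" (any case) or the token "MS".
MS_RE = re.compile(r"\bMicrosoft\b|\bMS\b")

# Assumed list of open-source products/vendors; extend to taste.
OPEN_SOURCE_NAMES = ("Linux", "Apache", "OpenSSL", "Sendmail", "BIND", "Samba",
                     "Red Hat", "Debian", "GNU", "Mozilla")
# Word boundaries so that e.g. "binding" is not counted as "BIND".
OSS_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, OPEN_SOURCE_NAMES)) + r")\b",
                    re.IGNORECASE)


def classify(record):
    """Return 'microsoft', 'open-source' or 'other' for one advisory record.

    Microsoft named and no open-source product -> microsoft;
    open-source product named and no Microsoft  -> open-source;
    neither, or both (a cross-platform standards bug) -> other.
    """
    text = " ".join((record["title"], record["affected"], record["vendors"]))
    names_ms = bool(MS_RE.search(text))
    names_oss = bool(OSS_RE.search(text))
    if names_ms and not names_oss:
        return "microsoft"
    if names_oss and not names_ms:
        return "open-source"
    return "other"


def tally(records):
    """Count advisories per year and camp, the shape of the table above."""
    counts = {}
    for rec in records:
        counts.setdefault(rec["year"], Counter())[classify(rec)] += 1
    return counts


# Constructed sample records (not real advisories).
SAMPLE = [
    {"year": 2002, "title": "Flaw in a Microsoft service",
     "affected": "Microsoft products", "vendors": "Microsoft"},
    {"year": 2002, "title": "Flaw in an Apache module",
     "affected": "Apache on Linux", "vendors": "Apache Software Foundation, Red Hat"},
    {"year": 2002, "title": "Flaw in a cross-platform protocol implementation",
     "affected": "multiple platforms", "vendors": "Microsoft, Debian, Sun"},
    {"year": 2002, "title": "Flaw in a proprietary Unix product",
     "affected": "vendor Unix", "vendors": "Sun"},
    {"year": 2001, "title": "MS product issue",
     "affected": "MS products", "vendors": "Microsoft"},
    # "binding" must not match "BIND": the regex uses word boundaries.
    {"year": 2001, "title": "Bug in a language binding library",
     "affected": "several commercial Unixes", "vendors": "Sun, HP"},
]

if __name__ == "__main__":
    for year, counts in sorted(tally(SAMPLE).items(), reverse=True):
        print(year, dict(counts))
```

The word-boundary regexes matter more than they look: without them a scan of real advisory text counts “binding” as BIND and “GNUstep”-style substrings as GNU, which inflates the open-source column exactly the way the post is complaining about.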

It should be noted that, with the exception of the one Apache worm, I don’t recall any widespread damage or system outages from any of the advisories attributable to open-source. The recent and historical worm issues under Windows have typically caused large-scale problems for the internet in general, and often mail and domain outages for specific hard-hit areas.

The number of advisories a software platform has is a crude indicator of that platform’s security, and only one of many. There are many aspects of system security, and none of them should be glossed over or ignored. For my money Linux, Unix (any flavor I’ve used) and related open-source products are the safest route, especially for exposed servers. One of the main reasons is the granular control over what ports and services are exposed to untrusted networks: it is entirely possible to set up a server with only one port exposed. No application on an exposed server (or any system, for that matter) should run with more rights than it absolutely needs to get the job done. In Unix/Linux this rule is followed by most applications, and those that do not follow it, or that need a high level of system access, can be run in a chroot jail to limit the damage an exploited vulnerability can do. One caveat: a chroot is only a meaningful barrier for a process that has also given up root, since a root process can break out of a chroot; the usual pattern is to bind the privileged port, chroot, and then drop to an unprivileged user and group. Linux also has extremely flexible and capable firewalling (iptables) built in, which many distributions enable by default with a restrictive policy.
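Claiming that a server exposes “only one port” is cheap; checking it is the useful part. The script below is an added example, not from the original post: it parses the output layout of `netstat -tuln` (a constructed sample is embedded, not captured from a real host) and reports every listener bound to a non-loopback address, so the list of exposed ports can be compared against the one port you meant to open. The allowed set `{("tcp", 80)}` in the usage is an assumption for illustration.

```python
"""Audit which listening sockets are reachable from off-box.

Added example, not code from the original post.  It parses the output
format of ``netstat -tuln`` (constructed sample below) and reports every
listener bound to a non-loopback address, so an admin can confirm that a
server really exposes only the one port intended.
"""

# Constructed sample in `netstat -tuln` layout; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
"""


def is_loopback(addr):
    """True for addresses reachable only from the host itself."""
    return addr.startswith("127.") or addr == "::1"


def exposed_listeners(netstat_text):
    """Return sorted (proto, port) pairs for sockets bound to non-loopback addresses.

    Only TCP lines in LISTEN state and all UDP lines count as listeners;
    tcp6/udp6 are folded into tcp/udp so the v4 and v6 binds of one
    service show up as a single entry.
    """
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue                      # header lines and anything unexpected
        proto = fields[0].rstrip("6")
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue                      # established TCP connections are not listeners
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 addresses intact
        if not is_loopback(addr):
            found.add((proto, int(port)))
    return sorted(found)


def unexpected_exposure(netstat_text, allowed):
    """Listeners exposed beyond the allowed {(proto, port)} set."""
    return [entry for entry in exposed_listeners(netstat_text) if entry not in allowed]


if __name__ == "__main__":
    import subprocess
    import sys
    # Use the constructed sample unless "--live" is given, then run netstat for real.
    text = SAMPLE_NETSTAT
    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-tuln"], capture_output=True,
                              text=True, check=True).stdout
    print("exposed:", exposed_listeners(text))
    print("beyond the single allowed port:", unexpected_exposure(text, {("tcp", 80)}))
```

On the constructed sample the audit flags SSH on 22, the extra HTTP listener on 8080 (bound to `::`, which is just as exposed as `0.0.0.0`) and NTP on 123/udp; the loopback-only SMTP, MySQL, CUPS and DNS listeners are correctly ignored. Anything the script flags should either be closed, bound to 127.0.0.1, or covered by an explicit iptables rule.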

Some of these ideas are starting to be absorbed by Microsoft, and I applaud Microsoft’s recent emphasis on security and its track record of releasing patches and security vulnerability information. Yet there is very little an administrator can do from within Windows itself to control which ports are exposed to untrusted networks. XP and the latest Server betas allow better control over what user/system rights a program runs with than prior versions did, but it still falls far short of Linux/Unix. AFAIK there is no way to effect the equivalent of a chroot jail for a program that insists on running as Administrator or a superuser. Windows XP at least has a built-in firewall, but it is not enabled by default, does not allow much control over how it behaves, and is not a very capable firewall. Any broadband-connected Windows box relying on that lightweight built-in firewall to protect it from port attacks and other insecurities is rolling the dice. Maybe more to the point, it’s like having unprotected sex: it’s not a matter of if, just when. Do yourself a favor and get a dedicated broadband router/firewall from any of the companies out there. Oh, and guess what operating system most of those little boxes are running… Linux1.

1 Yes, I am a Linux advocate, but I also use Windows XP daily for both fun and profit. Each operating system has uses (so does Mac OS X), strengths and weaknesses. Use what works for you: whatever allows you to be as productive as possible without the operating system getting in your way or introducing too many liabilities, within a budget you can support. For me this means Windows XP for 3D animation, graphics and video editing, and Linux for everything else. For you the answer may be very different.

Posted by Eric at September 3, 2003 06:18 AM
Comments & Trackbacks

I should add:
Regarding Anil’s commentary that led me to this tangent, I agree with him: Jeffrey is going to get a lot of frustration taken out on him by the system and the public in general. What is especially disconcerting to me are the more recent laws and sections of the “Patriot Act”. It is highly likely that Jeffrey will be the high-profile scapegoat that Kevin Mitnick warned about not so long ago. He needs to be punished; what he did was stupid and criminal, but the damage he caused is a drop compared to the original Blaster, Sobig or any of the viruses of 2001. His motive was not one of national politics or ideology…

Posted by: eric on September 3, 2003 06:24 AM