DISQUS

Hello! Elliott Back's Blog is using DISQUS, a powerful comment system, to manage its comments. Learn more.

Community Page

elliottback.com/wp/ Jump to website »

Subscribe
- New Comments
Community
Top Commenters
- elliottback
  172 comments · 1 points
- marcovhv
  40 comments · 2 points
- matilde
  6 comments · 1 points
- Robert Banghart
  3 comments · 1 points
- Otto4242
  3 comments · 1 points
Popular Threads
Recent Comments
- i want this work please reply me ....gibmel@ymail.com
  8 hours ago by gib
  
  in Solving Captchas With MIT’s $100 Computer?
- did you do at moto photo or the passport photo service???I am in need for canadian passport photo and I live near washington dc...
  20 hours ago by Antonia
  
  in Canadian Passport Photos — Elliott C. Back
- Hi, Worked for years, but today requires a new activation.... serial number 1045 1557 0885 5951 0032 1070 Activation Code 7067 3221 8552 6937 3433 2427 0144 3945 Activation Type: Repair 93:13 Many...
  4 days ago by Bazza
  
  in Photoshop CS 2 Preview — Elliott C. Back
- Hi Susan, My mother lives in Colorado Springs and is about to undergo the Canadian passport routine. Did you find a place in the Springs for Canadian passport pictures?
  6 days ago by Jason Saunders
  
  in Canadian Passport Photos — Elliott C. Back
- PHOENIX, ARIZONA For anyone in the PHOENIX metropolitan area who is looking for Canadian passport photos, I urge you to go to Hassan Photography. They were recommended by the Canadian Consulate in...
  2 weeks ago by Ellen
  
  in Canadian Passport Photos — Elliott C. Back

Elliott Back's Blog

Jump to original thread »

“We are so Secure,” they cry, hacked full of holes — Elliott C. Back

Started by elliottback · 8 months ago

No excerpt available. Jump to website »

13 comments

Dave
4 years ago

Just because a Lockergnome writer gave a bad example of Open Source security doesn't mean it doesn't exist.

Rather than listening to either side whine about how wonderful their security is, numbers speak louder than words. How good is Microsoft at responding to security problems vs. Firefox? I can compare IE to Firefox because it's a good one-to-one comparison. The Secunia vulnerability database shows the following:

Internet Explorer:
Most critical unpatched vulnerability: Highly critical
Unpatched since: April 26 2004 (yes, 2004)
Type: Remote system compromise.
Total number of highly critical vulnerabilities patched and unpatched: 33
Oldest remaining unpatched vulnerability: Sept 9 2002. Moderately critical.
Percentage of vulnerabilities that are unpatched: 30%
Percentage of vulnerabilities that are fully patched: 55%
Criticality breakdown:
Extremely - 14%
Highly - 28%
Moderately - 22%
Less - 14%
Not - 22%

Firefox
Most critical unpatched vulnerability: Less critical
Unpatched since: Multiple: oldest since August 30 2004
Type: Multiple: Spoofing and session highjacking.
Total number of highly critical vulnerabilities patched and unpatched: 3
Oldest remaining unpatched vulnerability: August 30 2004. Less critical.
Percentage of vulnerabilities that are unpatched: 24%
Percentage of vulnerabilities that are fully patched: 71%
Criticality breakdown:
Extremely - 0%
Highly - 18%
Moderately - 35%
Less - 35%
Not - 12%

While clearly Firefox is nowhere near perfect, they have so far been doing a much better job at patching their problems than Microsoft has. Does this translate into similar numbers for other closed vs. Open Source software? I'm sure it does for some, but not all. What it does prove is that having huge money behind your product doesn't make a bit of difference if you aren't ready to take responsibility for fixing security problems. Rather than saying Firefox (or any other Open Source project) handles security very well, I'm more apt to say that they both need to improve, but Microsoft has much further to go before it's acceptable... right now it's downright embarrasing.

reply

Nikc
4 years ago

Regardless, you have to admit open source, or any opposition to Microsoft, is a good thing. It's causing them to become more standard's compliant, and making them work on making their products better. Something that, I assure you, would not be happening if they still had a total monopoly on web browsers.

One of the main appeals of open source is that anyone can look at the code. Now, while this does help crackers ("Hey, look! There's a hole right here I can exploit!"), it also helps everyone else. Not only can you change FireFox into something you like better, if something is exploited, you can go in and fix it (if you know how). Furthormore, you can release your own patches, and help others. Bugs are pointed out sooner, and thus can be fixed quicker in the next patch.

reply

Eline
4 years ago

Only a doucheclown would take someone as Matt Hartley serious.

reply

Aphyr
3 years ago

You make a good point about the argument, but it doesn't seem to justify the title of your post. You didn't explain anything about the phrase "hacked full of holes".

Doesn't it seem oversimplistic to say that the wide variety of Linux software projects all have the same level of security?

reply

Clau
3 years ago

Elliot, I don`t know if you realise but you DO USE an open source product right now. Not to say that it`s based entirely on PHP and MySQL.

As a personal thingie I laugh my ass off when I hear someone talking about a server which is running a non-unix based operating system. Maybe you should too try to see behind the "I'm so good I'm better than myself" attitude most software companies mumble about.

Every alternative for a solution has it's very own characteristics, be them good or bad, the important thing is that they have them and your work depends on them. Being able to make a choice is great. Would you be happier to have only Microsoft Word around? How about only PostgreSQL for a database solution? Or maybe Paintbrush would be great for image editing? I believe not.

The fact that some exaggerate when they talk about their software it's no damn secret. But to take a defensive stance when someone is talking about an already shown to be totally flawed (felt, experienced, you name it) software production model, that's just strange hombre, just strange.

I'd advise you to leave your pre-teenager ambitions aside and grow up, take a real look on the software market and then come around trolling about an effort which was claimed to be futile 15 years ago.

Pax

reply

JL
3 years ago

A viable model of security would be: "Let's just stick with the unreliable system indefinately waiting for fixes that wont even start to appear and hope we don't get burned."

Viable indeed.

reply

b0
3 years ago

Until MS stops allowing write access to normal users to the system folders and stops along with their software partners writing programs that MUST be ran in Administrator mode. Then thay will NEVER be secure. The biggest problem is not the holes but the fact that once through the hole under a users account the malware or virsus can write to the system files. MS use also reteach their users to NEVER RUN UNDER ADMINISTRATOR for normal use and lock the %system% files to read - write only for users. They must also learn that when a firewall is turned on and all ports are blocked this doesn't mean that there is still over 200 UDP ports still LEFT OPENED! Yes their SP2 firewall is suppose to keep you safe when why all the ports opened? Nmap doesn't lie. Obsecurtiy from the users is not security

Microsoft hasn't realized we don have PCs anymore. They are networked workstations now and must use a network style security policy.

Full of holes??? ONLY in Microsoft.

And you should be ashamed to pick comments from posts from people that not know what they are talking about to prove your point. It only makes you look as stupid as them.

No I am not a Linux zealot I am an engineer that know both systems. I know what is secure and what is not. I know what it takes to break into a system and I know how to close them up IF the OS and the software that must be ran to do business will allow it.

Read what Dave said. These are hard numbers and yes if you check the numbers against MS and say RedHat, IBM, or Novell you will find that patches are sent out quicker from them. You can't argue with facts and figures they don't lie MS does!

reply

5um0F1
3 years ago

I followed a link to this site, could not beieive anyone would have a site *promoting* IE. You must take a lot of crack!

Look guys, use what browser you want, say what you wat, that's democracy, but please don't try to spread more MS trotted out crap.
Figures speak for themselves. IE is badly written and insecure even a casual glance show us all that.
The only reason a IE7 even talked about is because of competition. If firefox never existed, neither would IE7 you would all be stuck with IE6

Maybe they will improve it, lets face it it would be hard *not* to.
Time will tell....

reply

Jon
3 years ago

Heh, you are bashing OpenSource and using WordPress for you website? How do you explain that?

reply

Elliott Back
3 years ago

Since Clau directly addresses me and tells me to grow up, and Jon wonders how I explain using Wordpress, I tell them both: this post, if you actually read it, is anti-zealotry post, not an anti-open-source post. In this case, the zeolots I'm slamming are open-source zeolots, but if they were microsofties, they would get the same treatment. The argument that software availability leads to better throwaway security is ridiculous.

That's all. There's good open source and closed source software, but neither model is more secure because of abundance.

reply

Anonymous
3 years ago

KDE: I'm a desktop environment, damn it!

reply

Aphyr
3 years ago

Can we slam you for being a Microsoft zealot? Or would that be in bad taste? ;-)

*ducks*

reply

roger malcovich
3 years ago

This is a line from the link you provided:

"Linux users who patched their systems for a serious security vulnerability in KDE last month will have to patch once again, due to errors in the original patch, according to the KDE project."

Was there not patches for system pack 2? I rest my case.

reply