Re: [ISN] Linux: Testing, Security Concerns Raised
From: William Knowles (wk@C4I.ORG)
Date: Thu May 04 2000 - 02:36:46 CDT
[Forwarded by: Bob Toxen <bob@cavu.com>]
William,
> Approved-By: isn@C4I.ORG
> Delivered-To: isn@lists.securityfocus.com
> Delivered-To: isn@securityfocus.com
> Date: Wed, 3 May 2000 02:28:03 -0500
> From: William Knowles <wk@C4I.ORG>
> Subject: [ISN] Linux: Testing, Security Concerns Raised
> To: ISN@SECURITYFOCUS.COM
> http://www.zdnet.com/intweek/stories/news/0,4164,2558624,00.html
> By Charles Babcock, Interactive Week
> May 1, 2000 11:50 AM PT
> A security hole has appeared in a recent version of Red Hat Linux, and
> a security expert said it highlights a more general weakness in open
> source code products: no quality assurance testing before hitting the
> market. Officials at Red Hat disputed the assertion, but moved quickly
> to close the hole.
> The security opening came as a surprise to some Linux users, who have
> considered the operating system (OS) either so well-designed or so
> obscure that it didn't have the same security problems as Windows. Now
> most parties agree that is not the case. The appearance of a security
> issue at a time when users are still asking for more applications is
> unlikely to bolster the fortunes of Linux stocks, which tumbled faster
> and farther than general technology issues in April.
While I agree with almost all of your columns, I really must take exception
to your statements about Linux quality control. Besides 6 years of Linux
experience, I have 25 years of Unix experience, including both working
as a principal engineer in some. I was one of the four guys who did the
Silicon Graphics port of Unix.
Linux is far, FAR less buggy and more secure than ANY popular Unix platform.
Where is your data to back up your claims of lack of quality control or
testing of Linux? It certainly did not get to be less buggy than Unix
by accident.
Frankly, I do not know what quality control is in place at Red Hat,
Slackware, or other distribution packagers. Just because it is "open source"
does not mean that a talented company does not have quality control.
Sure, Red Hat goofed with Piranha. Microsoft, with perhaps three orders
of magnitude more financial resources for engineering and not even one
order of magnitude more functionality has, perhaps, 50 times the rate of
serious security bugs! Silicon Graphics and Sun do not get high points
in the "lack of security bugs department" either.
I will agree that Red Hat is buggier than Slackware, which is why I run
Slackware on my own Linux systems. My clients are quite happy with
Red Hat and I happily work on this platform for them.
The quality assurance policy regarding Linux kernels is outstanding. The
level of testing of a new kernel before a major release is outstanding.
> Quality assurance and security aren't the only issues: Outside of a few
> suites, there is a lack of widely available office software; consumer
> versions of the OS are relatively untried; and open source code's
> open-ended nature with many developers working on different parts of
> the system makes some information technology (IT) managers nervous about its
> predictability. Under an open source code approach, each development
> group adds changes to the system on top of a shared, underlying kernel
> or system core.
> IT managers worry that variations in the OS will spring up between
> competing versions, which in addition to Red Hat now include Caldera
> Systems, Corel, Debian, Lineo, Macmillan Software, MandrakeSoft, SuSE,
> TurboLinux and Yellow Dog, and that the inconsistencies may affect
> performance or systems' ability to work together.
> For example, a backup software package from Legato Systems works
> without adjustment on Caldera, MandrakeSoft and RedHat, but failed
> when used on Debian systems, said Tom Stoddard, database administrator
> at BFGoodrich's Avionics division in Grand Rapids, Mich. IT managers
> want someone who is under a contractual agreement with them to be
> responsible for the software they use, said Judith Hurwitz, president
> of the Hurwitz Group.
For Linux support simply consult the Consultants HOWTO. You will find me
under "Georgia". I think that putting software on any of the major
commercial distributions should be painless. Less so, in fact, than
putting one piece of software on DOS, win3.1, win95, NT, win98, and win2000!!!
Debian is not, in my opinion, a viable commercial Linux version.
> Users installing Red Hat 6.2 who selected the "install all" option
> loaded Piranha onto their servers, giving an outsider with knowledge
> of the default log-in and password on the server an automatic entry
> point or "backdoor."
That's a violation of the first rule of computer security:
Enable only what you need and certainly only what you understand!
After installation, disable what you will not configure and use
immediately.
Best regards,
Bob Toxen
bob@cavu.com
http://www.cavu.com
http://www.cavu.com/sunset.html [Sunset Computer]
Fly-By-Day Consulting, Inc. "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX software consulting since 1990.
No Microsoft programs were used in the creation or distribution of this
message.
ISN is sponsored by SecurityFocus.com