Re: bill gates' claim about security vulnerabilities per LOC in Unix versus Windows
Date: Mon Nov 03 2003 - 12:29:11 CST
(oy. is this security FOCUS, or security RANDOMNESS?)
As the original poster, please let me clarify:
1. I am looking for STUDIES of OS quality specifically applied to Unix
and Windows that attempt to use metrics and some repeatable
methodology, and explain their threat model and assumptions
(work of the sort done at sei.cmu.edu, for example).
(One poster cited "joint chiefs" but gave no specifics.)
Though it's way entertaining, I am NOT asking you to freely interpret
the statement of net worth, mind or soul of Bill Gates, or history
from Lao Tzu to Attila the Hun or even the Borgias to seek his
motivations in making statements about Microsoft product quality. I
am looking for any DATA (preferably from independent sources, but
sources within Microsoft may be able to make credible statements due
to knowledge or access) that might be reasonably interpreted to shed
light on, validate (or invalidate) such claims.
BTW, such studies might also be useful in reaching conclusions on such
longstanding questions as "in what environments is FooLinux more
secure than BarBSD?" or "under what circumstances is Win XP more secure
(This is to make explicit that by limiting the threat model, you may
be able to get any desired answer out of such studies.)
2. Having finally seen some light after getting lotsa heat, Microsoft
has recently spent a lot of money, visibly reeducating their
programmers and developing tools to find exploitable bugs such as
buffer overruns. I would IMAGINE they have some sort of internal
metrics to measure the effectiveness of the tools. Perhaps someone at
MS Research has written a paper which, say, cites a case study which
tells us how many bugs a new tool has found out of so many LOC examined.
That would be helpful too!
3. I realize everyone has *opinions* about software quality. Hold onto
those; they might be valuable some day.
My personal interest is remote exploitability (including remote
insiders), and my personal opinions are that all software is buggy, large
software is buggier than small, and the number of interfaces exposed
to a threat and the resourcefulness of the threat are therefore pretty
good predictors for exploitability.
Almost everything else seems to fall out:
It's easy to count interfaces. (System calls, library routines, for
It's harder to characterize the threat's resourcefulness.
On Sun, Nov 02, 2003 at 08:55:51PM -0500, Lucas Holt wrote:
> If Microsoft has such secure software, then why do these "worms"
> exploit only Microsoft products? Sure, one can argue that Microsoft is
> number one and therefore it would make sense to exploit Windows on that
> basis to hit a larger target. By now I would think someone would
> attack Linux or Mac OS X just to prove it can be done. The only Linux
> worms I am aware of only attacked Apache. (There could be more.) Of
> course on a non-Windows system, a virus has less access unless it's
> executed as root.
> Microsoft supporters need to realize that they don't care about
> security, just making money. Why do you have to buy Outlook 2003 to
> get security patches? Why did Microsoft discontinue Outlook Express
> without providing a tool to remove it from users' systems? Why would
> Bill Gates attack his greatest competitors (GNU/Linux and Apple)?
> I think all of these questions can be easily answered. If you can't
> answer them, try an OS besides Windows.
> I think the real problem with Microsoft right now is they are IBM in
> 1980. Little people snuck up and bit them... the real question is who
> will be Microsoft in the next round. Bill Gates is in trouble and he
> knows it.
> Lucas Holt