September 11, 2006

"Wide open" means extra security

As you may or may not remember, last week I commented that I think we need to rethink whether open source is or is not de facto more secure; if I had but waited a few days to go there, I could have used this article as an example of the kind of thing I'm referring to. The article, originally from Infoworld, basically makes a case for why open source security tools are more popular than closed-source ones; however, I think that quite a few of the premises on which the argument is founded require further justification. To see what I mean, take a look at this quote:

Although no OS is truly secure, security tools offered on a Windows platform are immediately suspect, due to well-documented security issues of the underlying OS. Linux, FreeBSD, NetBSD, or OpenBSD-based products have a much better security track record (OpenBSD claims to have had only one remote hole in the default install in more than eight years).

OK, so Windows tools are immediately suspect. Why? The article says it's because of "well documented security issues" and that other OS'es have a "better track record" but I'm not sure what he means. What metric is he using to quantify this better track record? Is it because of number of vulnerabilities? CERT says that Windows has less. Is it because of some other features of Windows? If so, which ones specifically? The point is that the article doesn't say - the premise that other OS'es have better security is implied. I don't buy it; at least, I won't buy it without further justification.

Now people are going to say that I'm pro-Microsoft, but really the opposite is true. I'm not pro-anybody; in fact, at the house I run a number of different OS'es: OS X, Windows 2003 Server, Solaris on Sparc, and even Windows 98 (since it's the only thing around that'll still run Merchant Prince 2). So I'm pretty much impartial - with the exception that I usually like to see the underdog win (so if anything I guess I lean toward supporting other platforms). But I don't agree that "because it does" is acceptable supporting evidence for an argument outlining why Microsoft's security sucks. Maybe their security sucks and maybe it doesn't - but I don't think we can put a stake in the ground one way or the other until we decide on some evaluation criteria and actually do some analysis about it.

Look, I've used nessus and nmap professionally - on Linux if you're curious - but the reason for that has nothing to do with better security... It has to do with the fact that nessus is free, it provides about the same level of value as commercial scanners, and it doesn't run on Windows (until the 3.0.3 beta, that is). If it ran on Windows, I'd use it on Windows. So at least in my case, the reason I use nessus has nothing to do with the (in)security of the OS - it has to do with what OS the tool supports (and please don't mention NeWT).

Posted by Ed at September 11, 2006 12:26 PM
Comments

"Windows has less"... unless, of course, you understand what the document says and you have ever seen, say, a BSD machine.

Posted by: TNT at September 12, 2006 03:34 PM

TNT,

Windows has fewer vulnerabilities according to CERT. What I don't understand is how that emphasizes the point that it's less secure than Linux or some other OS. It would seem to me that fewer vulnerabilities translates to better security, not the other way around.

But that aside, if I'm reading your response right, it sounds like you're saying that OpenBSD is more secure than Windows. OK, I'll buy in - in order to verify that this is true, I'm saying that I don't think it's responsible to "go by gut instinct." "Gut instinct" isn't good enough in my opinion; no, I think we need to be able to justify a position one way or the other.

So how do we know BSD is more secure? How can we back it up with facts? Is it more secure because BSD is engineered with security in mind? Maybe so, but Microsoft's marketing claim is that theirs is too. Now, maybe their marketing statement is crap (arguably it wouldn't be the first time) but how can we prove or disprove it given the data we have?

I have yet to see anyone put a stake in the ground and produce quantifiable metrics to make a case either way. Like I said, saying "it's more secure but I can't prove it" is buying into the marketing - either Microsoft's or somebody else's. Without data, the best we can say is "we think that it's more secure" - not "it is more secure."

-E

Posted by: Ed at September 12, 2006 03:50 PM