The myth of linux/open source security

I have warned before about the myth of security in the open source world. Today there is another big security issue in Linux: http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

As the article points out: the problem is not just the vulnerability itself, but also how the kernel developers (including Torvalds himself) deal with security issues, the obscurity (oh the irony), and the lack of security advisories when releasing patches.

This once again proves that “many eyes inspecting the source” is no guarantee of secure and robust code.
MythBusted

This entry was posted in Software news.

13 Responses to The myth of linux/open source security

  1. Brendon says:

    Nice post! I read the linked previous posts and definitely agree. People have this weird idea that non-Windows OSes are inherently invincible and are due to the processes they use. I posted something similar after seeing a video from a guy where he talked about how a lot of people will set up a Linux webhost and then never update it, but just assume it is secure.

  2. Rob says:

    Not invincible. No one who knows how computers work ever said that. Just far more secure than a Windows OS could ever hope to be. Don’t be pinning such statements about open source on this one event in Linux.

    • Scali says:

      “Just far more secure than a Windows OS could ever hope to be.”
      That thought is dangerous enough already. But yea, some people do seem to think they’re invincible. Nobody claimed that they know how computers work 🙂
      In fact, I would go as far as to say that ignorance is a big reason for people using linux. They heard that Windows is bad, and linux is the only other thing they know.

    • snemarch says:

      “Just far more secure than a Windows OS could ever hope to be”
      Care to qualify that statement? The linked bug is a kernel privilege escalation exploit that’s been around for more than two years, and will be available on a *LOT* of hosts for a *LONG* time. How big was the timespan the IPX protocol privilege escalation bug was around before it was fixed? Couple that with whatever random non-privileged exploit in whatever random daemon – *b00m*. And there have been year-long unpatched bugs in several of those, too.

      Operating systems are made by humans – and humans are fallible. “Many eyes” don’t really help when they don’t spot the bugs.

      • Rob says:

        Please don’t compare publicized, one-off problems on Linux with the multitude of issues Windows has always had and continues to have. It’s like Microsoft’s love of publishing new security issues in browsers while ignoring hundreds of pre-existing issues in IE.

      • Scali says:

        You were the one who dragged Windows into this. Merely to set up a tu quoque fallacy: “But Windows has moar bugz! So Linux/open source are invincible!”.
        That is pretty much what I got from your posts.
        My blogpost was about the opposite of that: how it is a myth that open source code is ‘invincible’ in terms of security.

  3. mh says:

    What’s funny about this is that it’s NOT just a “one off” problem. The Linux kernel contains its own fair share of vulnerabilities, and it’s looking as though the old (and often ridiculed) defense that Windows is most attacked just because it’s most common, and not due to actual “inherent security” (or lack thereof), may in fact be true. Android IS the mobile platform with the most malware, after all. Surely, the “greater inherent security” of the Linux kernel would prevent that? But yet it apparently hasn’t – why would that be? Maybe it really is the case that the more popular OS just gets attacked more, and there’s nothing much else to it?

    • Scali says:

      I stopped taking self-proclaimed ‘security experts’ seriously a long time ago.
      Like Jed Smith, this Rob character again is some kind of web developer. These people don’t know much about programming anyway, they may use some scripting languages at best. But they don’t even interact with the OS directly. Let alone that they actually know how the OS is designed in terms of security measures, and how developers can employ these in their applications and such.

      So what we have is just a combination of ignorance and prejudice. Yes, it was once true that Windows/IIS suffered from some very serious security flaws, and it is true that these once were exploited on a large scale.
      But that was then, and this is now. Fact is also that Microsoft clearly learnt from their mistakes, and they have focused a lot on improving security and reliability over the past years. Their efforts have paid off as well. These people may be too prejudiced to even have noticed, but the number of security flaws, and more importantly, the number of large scale exploits have decreased tremendously. In the early XP era there were still some large-scale outbreaks. But roughly after the release of SP2, there haven’t really been any such events.

      Together with improvements in the OS itself, Microsoft also improved Internet Explorer, and it is getting similar results there. IE9 and IE10 have some very advanced protection modes that go beyond any other browser on the market today.

      Of course, you are only as secure as the stuff you click on, download, open, and click YES on the UAC popup on.

      “Inherent security”? That ship has sailed a long time ago. The webscripting crowd should really get with the times, and update their knowledge of OSes.

  4. Pingback: Speak of the devil… Ubuntu forums hacked | Scali's OpenBlog™

  5. Pingback: GnuTLS: Just because people can read the source, doesn’t mean that they do | Scali's OpenBlog™

  6. Brendon says:

    Your point has been once again proven with the Heartbleed bug… If only more people read this…

    • mh says:

      …and yet my money is on none of the arrogance going away.

      Things may be quieter for a little, but as soon as the immediate furore dies down (and as soon as the humble pie they’ve been force-fed comes out the other end!) the self-proclaimed experts who think that because they hack on Linux (or because they know how to use “ls” in some cases) they know more than security professionals will be out beating their drums again.

      • MacOS9 says:

        Indeed. This also reminds me of the GPL vs. BSD/Apache posts I just commented on, considering that newer versions of “Open”SSL were vulnerable to the Heartthrob 🙂 bug. This is not to pooh-pooh all things open and/or GPL inspired, but it makes a person wonder…. Perhaps an interesting comparison here would require a test of GPL inspired OpenSSL and the Apache variant mod_SSL that plugs into OpenSSL, although mod_SSL seems not to have been updated since 2008/9. I’m sure Scali will have relevant and stimulating info to contribute on the subject.
