First off, the Newsforge 'article' didn't contain any particularly useful
information, save for a link to an article on Security Focus, which is:
http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D191
Now on to the reply:
Russell Hires wrote:
> I think MS does make a valid point about OS and "lack of security."
Not really. Mainly just more FUD. But then, no huge surprise there.
> It's not a great point, but they are right about security audits...
> ...audits MS says that MS does?
If they're so right about audits being necessary, why don't they DO anything
about it themselves?
Now the fact is (IIRC), Windows (even NT/2000) is the most widely exploited (and
exploitable) OS currently on the market. Yet here is Micro$oft talking so
seriously about the need for security code audits. I can only see two
explanations for this obvious disparity. Either Micro$oft is hoping that
because they're accusing Open Source software of lacking for security auditing,
nobody will look to deeply into what audits they may have done in the past or
are doing now. (And pay no attention to the man behind the curtain, either...)
Or their staff actually has performed audits and have merely proved
incompetent at the task. On the other hand, how much effort is required to
perform a line-by-line security audit on an operating system consisting of some
forty MILLION lines of code? How many coders does Micro$oft have? How many
years would such an effort take, even to the exclusion of other bug fixes or
feature enhancements?
Given the above, along with Micro$oft's history to date, I'd say the smart money
goes to this latest attack being nothing more than another lame attempt at a
smoke screen.
> Is there a Linux security team at any of the distros? Do they perform the audits...
Most distributions that I am aware of seem to primarily handle security fixes as
vulnerabilities become known (through websites such as SecurityFocus, et al).
When vulnerabilities are made known, the major distributions (Red Hat, Mandrake,
Suse) typically have fixes implemented and updated packages available in no more
than half the time it takes Micro$oft to do the same. (In the article,
Micro$oft claimed this was because THEY performed testing on their fixes,
implying that Open Source vendors release fixes to the public without performing
any testing whatsoever. And they REALLY expect anyone to believe this tripe?)
There are distributions which are more security-oriented. Take Trustix, for
instance. And isn't the NSA working on Linux-based security?
Then again, remember that Micro$oft wasn't just singling out Linux, but Open
Source software in general. I'll point out, then, that the OpenBSD kernel _has_
in fact undergone a line-by-line security audit, as well as being hardened in
other ways.
So no, I don't think Micro$oft has made any valid point at all in their remarks,
except perhaps, "Do as I say, not as I do."
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:39:40 EDT