On Thu, Jan 8, 2009 at 13:44, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
>
> I haven't made any claims. I've merely stated beliefs/opinion. You made
> claims, thus the onus is on you to provide proof of said claims.

While I really wish you wouldn't talk about my onus in public like that, I am of the opinion that I've given basis and proof of that claim already.

Restating: By design, *NIX systems have historically had (and still do have) the *potential* to be more secure than Windows. That's completely different than stating they *are* more secure. Likewise, they have the potential to be less secure. It's the degree of control one has over the operating system on *NIX-like systems as opposed to the lack thereof with Windows. What is a blessing can also be a curse in the wrong hands.

For the plain sake of debate (keep in mind, I'm far, far from being a Microsoft supporter, but I'll play devil's advocate nonetheless):

Point #1: A TRS-80 could be judged as being "more secure" than a modern system running the most recent stable of BSD (known for its potential for security). So why, in 30 years, have we developed systems that are more insecure? Because there are fewer points of potential failure. The TRS-80 used DOS (multiple flavors, if memory serves, which could be loosely compared to today's abundance of *NIX variants) as an operating system. There weren't all of the bells and whistles that one now considers standard in operating systems - many of which have multiple points of potential failure within them, introducing new dimensions of potential exploitation, and magnifying the risk.

Point #2: The egregious tendency to use the term "operating system" generically. The very core of what is considered to be an operating system comes down to the kernel. By design at the time of distribution, I wholeheartedly agree that *NIX is more secure than Windows. However, without trying to sound like I'm playing the semantics game, that is *not* the operating system.
An operating system is a collection of software used to create an infrastructure responsible for interaction and automation of computer system activities as an interface to the hardware (though I'm sure Wikipedia probably has a better definition). The more software involved, the more risk introduced - thus, the less secure an operating system becomes. Thankfully, by design, *NIX-like systems are modular; Microsoft should eventually begin to take note of this as something for the "plus" or "pro" column instead of just trying to dominate their environment by embedding everything they can into the installation.

Point #3: Expansion on the definition of "security." File permissions are far from the definition of computer security (not that anyone has argued that, but since it's been brought up). They are a component of, but do not encompass, computer security as a whole. "Computer security" itself is a concept, and one in which the definition cannot be black and white across the board. Rather, it's an applied science in itself - subcategorized within the already "subcategorical" computer science division of mathematics, etc.

Point #4: Patches and updates do not constitute software security. Patches and updates are a response to flaws - the software was insecure, had bugs, or ways were found to improve the overall experience. Microsoft is relatively new to the idea of regular delivery of patches (i.e. "Patch Tuesday"), and I believe that the statistics will eventually show a significant decline in widespread incidents. It doesn't mean that these incidents will cease to occur, nor that reporting will be skewed, but rather that response to these incidents will be improved.

Point #5: The open source motto: release early, release often. A serious problem with system security: version stagnation.
Windows XP sat for roughly five years while Microsoft worked on the improved "Vista" version (almost the same amount of time it took me to make up my mind as to which word in that sentence belonged in "quotes"). With two (just say it: pathetic) attempts at patching and solving all problems (both Service Pack releases) during that time, it's no wonder vulnerabilities were exploited. Still, does that prove that Windows itself is less secure than a *NIX system? Not really; it means the team responsible for ensuring the ongoing security of the product dropped the ball, and dropped it hard. On the opposite end, open source developers with the *NIX projects not only work every single day, but vendors usually send out one new major release each year. The longer a release sits on store shelves, the more Bad News[tm] is going to be sent to press about it.

Point #6: Security means protecting from accidents as well. One of my big points of argument with folks on the subject is that the definition of "computer security" should also cover unintentional user-caused consequences - also known as "accidents." Windows has evolved into the "let me dumb this down for you" operating system. It's annoying to have to jump through hoops to perform tasks we, as geeks, consider simple. Yet, for the technologically challenged, it's protection from themselves. In lieu of education, disallowing someone the opportunity to make a mistake - even at the expense of further limiting their abilities to expand their knowledge - may be the next best option. For this reason, though, most *NIX systems are not good starting points for novices or those who just want to plug and play.

So perhaps my statement should really be reworded: the operating systems are equally insecure at their worst. *NIX systems do have the potential to be more secure, but all systems ultimately rely on the operator to protect and maintain them.

Again, I'm by no means defending Windows....
I honestly *hate* Marxisoft Winblows, personally, for desktop, server, and embedded systems alike. I see no need for an operating system with such limited extensibility in my own arsenal, but keep it for development testing to see what the masses see. Because, whether I like it or not, it's a necessary (very) evil.

There's just a fine line in trying to illustrate a point in writing and coming across as a pompous, sanctimonious asshole. This counts as my apology if that's the case. ;-P

--
</Daniel P. Brown>
daniel.brown@xxxxxxxxxxxx || danbrown@xxxxxxx
http://www.parasane.net/ || http://www.pilotpig.net/
Unadvertised dedicated server deals, too low to print - email me to find out!

--
PHP General Mailing List (http://www.php.net/)