Full Disclosure mailing list archives
RE: Gates: 'You don't need perfect code' for good security
From: Andre Ludwig <ALudwig () Calfingroup com>
Date: Mon, 3 Nov 2003 12:28:13 -0800
Your logic of basing how secure a software system is on the amount of patches is at the least foolhardy. If anything, where I come from the amount of patches can be construed as a positive thing rather than a negative, as you attempt to portray it. Just think of all those wonderful little exploits and bugs hidden deep within the bowels of code you will never have the chance to audit nor understand fully. Now just think about that wonderful code you have sitting in front of you in its full naked glory that you can audit, you can modify, and of course you can compile yourself. Isn't it wonderful to know that while you may have a few more patches, at least the software you're running has passed the most critical of all reviews (social peer review)?

Anyways, I am going to end this little rant, but my original point was that attempting to base the quality of software off of the patches is a ludicrous thing to do, esp. when you're comparing open vs. closed source. In order to deduce which is better you would have to analyze the source of EACH respective program against EACH other. And not simply spouting off some bullshit about who has had more patches in the last XX amount of weeks or months.

Andre Ludwig

-----Original Message-----
From: Matthew Murphy [mailto:mattmurphy () kc rr com]
Sent: Sunday, November 02, 2003 8:43 AM
To: Full Disclosure
Subject: Re: [Full-disclosure] Gates: 'You don't need perfect code' for good security

Even though MS, by the time you factor in the large number of components they ship, has had many times fewer patch releases than competing Linux distributions?

1. OpenSSH v. Remote Desktop / Terminal Services

OpenSSH: Two vulnerabilities in recent weeks
RD/Terminal Services: Zero vulnerabilities this year

2. Sendmail v. Exchange

As buggy as many people claim Exchange is, it has had two patches this year -- if you include OWA. Even though it provides substantially larger amounts of functionality for some uses, it has still had fewer vulnerabilities than its main competitor, Sendmail.

3. Apache v. IIS

Apache 2.0, especially, has never established itself as a server worthy of production use, due to the fact that it is riddled with security vulnerabilities. Apache 1.3 has also had some vulnerabilities -- the recent sub-request issue, chunked encoding, etc. IIS has steadily improved in security, particularly with IIS 6.0. For a relatively new product, IIS has always been an innovator in security. Especially on Windows platforms, IIS offers many times better security and performance.

That said, I do realize that Apache 1.3 was not initially written for Win32. However, its Unix releases also lack much of the account separation found in IIS 6. It is currently not possible to serve requests from different sites as different users in 1.3.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
