On Monday 04 October 2004 8:25 am, Anders Johansson wrote:
> In any case, the real advantage isn't that the bugs are harder to exploit, it's that they're much easier to fix. Show me a bug in, for example, Apache and give me a few hours (days?) and it will be fixed. Show me a bug in IIS and watch me sigh as I wait for a reply from MS support. It's difficult to recompile something if you don't have source code.

Very true. Whether we're talking about Windows or Linux, the script kiddies depend on far better informed techies to give them the tools for their dirty work.

There doesn't seem to be any disagreement here with the proposition that Linux is a far less vulnerable system than Windows. The only question is why that is.

1. The Windows code base is proprietary and closed, while the Linux code base is open source. That cuts two ways. The Linux code base has far fewer vulnerabilities and those vulnerabilities that remain are more easily repaired because of the communal nature of the Linux enterprise and the many eyes that critique the code base. On the other hand, someone looking for vulnerabilities can easily examine the Linux code base but will have a hard time examining the Windows code base. Moreover, the quality of Linux code is probably far higher than that of the Windows code. It's fair to say that Linux wins this argument 80-20 or maybe even 95-5 but not 100-0.

2. It's a fact that far more attacks are aimed at Windows than at Linux, and in particular at the Outlook Express / Internet Explorer combination. That's why security folks these days recommend that Windows users switch to Mozilla (which itself is probably less vulnerable than IE, even discounting the frequency of attack). If 95% of the malefactors, script kiddies or otherwise, devote their energies to Windows rather than to Linux, it stands to reason that all other things being equal (which of course they're not), Windows users will be hit far more often and far harder.

Paul Abrahams