Security...not just a Microsoft problem

As evidenced by a Linux kernel flaw that resulted in a DoS attack against Akamai, effectively denying access to large sites like Google, Yahoo, and Microsoft. Not gloating here, just observing that this demonstrates that all operating systems can be vulnerable to security issues. This also suggests that the “more eyes = more secure” assertion made by open source advocates is perhaps a little overstated. After all, the Linux kernel is probably one of the most read parts of the Linux codebase. If it’s possible to find a flaw in the kernel, what does that say for other parts of the codebase that are not as thoroughly vetted? Again, this is not about trashing Linux, it’s about being clear that security is an issue for everyone, it’s not just a Microsoft problem.

 

4 Comments

  • I wonder if they were running a demo as root?!?

  • Linux kernel is the only thing that is Linux codebase. Everything else is not Linux but GNU and other projects...



    As far as being perfect - nobody says that, but the number of bugs and their severity should be affected (and it seems that it is).

  • Hi Jerry,



    Thanks for the reminder. You are, of course, technically correct that only the kernel is Linux. But the operating system distributed as "Linux" (or GNU/Linux, and all of the various distros thereof) comprises a great deal more than just the kernel. Perhaps I should've said the GNU/Linux codebase, or just made my point about OSS in a generic sense, but I think you get where I was going with it.



    Also, FWIW, you won't find the word "perfect" anywhere in my original post. I neither stated nor implied that OSS advocates claim that OSS software is "perfect". The point I'm trying to make is that if it's a fair assumption (and I think it is) that the Linux kernel is one of the most widely studied OSS codebases, the fact that a vulnerability capable of bringing down several major web sites slipped through suggests that "more eyes" alone isn't enough.



    Lastly, regarding number of bugs, I've been following the Sans.org vulnerability mailings over the last few months, and I can't say as I've seen a substantial difference in vulnerabilities found in closed- vs. open-source software.

  • Lots of people when they think about security only think about kernel/OS level security. All the buffer overflow exploits in Windows or root exploits in the Linux kernel or GNU applications. The biggest security risks have nothing to do with the underlying OS, it's the applications running on the OS. If I'm a web developer, it doesn't matter if I'm coding in PHP, JSP, or ASP.NET. A SQL injection exploit is a SQL injection exploit no matter what platform the server is running. If I'm connecting to my database from a web app using the "sa" account or the default "tiger" user in Oracle, bad things can happen.
