The issue of security is crucial and will only grow as a concern for
users. Independent research finds that GNU/Linux has fewer flaws than
proprietary software. A four year project that completed in 2004
identified 985 bugs in nearly 6 million lines of code in GNU/Linux
(kernel 2.6), whereas proprietary software of a similar size is thought
to contain between 5,000 and 40,000 bugs (though proprietary code is,
of course, not open to such scrutiny by just anyone, so such estimates
are harder to verify). CNET reported on the research in "Security
research suggests Linux has fewer flaws", published 13 December 2004.
An article in the 27 August 2001 issue of Interactive Week by Rob
Fixmer recalls a 1998 interview with then Symantec CEO Gordon Eubanks:

"Everybody can see what's under the hood, so we're on equal footing
with hackers. With proprietary systems intruders often have illegal
means of learning things about the underlying code that are superior
to the legal information at our disposal--even though we get
excellent cooperation and support from Microsoft."
Gartner Group's John Pescatore on 19 September 2001 had the following
to say in an advisory on the Gartner web site (emphasis is mine):
"Gartner recommends that enterprises hit by both Code Red and Nimda
immediately investigate alternatives to IIS, including moving Web
applications to Web server software from other vendors, such as
iPlanet and Apache. Although these Web servers have
required some security patches, they have much better security
records than IIS and are not under active attack by the vast number
of virus and worm writers. Gartner remains concerned that viruses
and worms will continue to attack IIS until Microsoft has released a
completely rewritten, thoroughly and publicly tested, new release of
IIS. Sufficient operational testing should follow to ensure that
the initial wave of security vulnerabilities every software product
experiences has been uncovered and fixed. This move should include
any Microsoft .NET Web services, which requires the use of IIS.
Gartner believes that this rewriting will not occur before year-end
2002 (0.8 probability)."
Anyone can scan the GNU/Linux source code for vulnerabilities (and for
inefficiencies and bugs), and as they are discovered the fixes quickly
become available for all to access. Of course, the unscrupulous can
also scan the code for opportunities to attack a system, whereas with
proprietary code only a few have access to the source. But would you
prefer security by obscurity or security by peer review? It is a
choice!
Copyright © 1995-2006 [email protected]