Author Topic: Software vulnerabilities still dog operating systems  (Read 5154 times)

Offline Waccoon

Re: Software vulnerabilities still dog operating systems
« on: January 05, 2004, 06:23:23 AM »
If you're talking about security vulnerabilities, then I think people have little to worry about, as OS4 is not a multiuser system (and won't be very widespread, either).

Reliability is anyone's guess.  It could be stable because it's been so long in the making, but it may not be because of the sheer quantity of changes made from OS 3.x and the very, very limited crowd using and testing it.

I got Need for Speed: Underground for my PC for Christmas, and this game, which sells in the hundreds of thousands and gets awesome reviews, has already been patched at least five times since its release, and still crashes regularly.

Software is always a gamble.
 

Offline Waccoon

Re: Software vulnerabilities still dog operating systems
« Reply #1 on: January 05, 2004, 08:33:16 AM »
Quote
AFTER 30 years of progress in the IT business you would think that products are maturing and that software errors are a thing of the past.

That's because people still obsess over technology and having the latest gizmos, rather than getting work done properly.  The computer industry, as a whole, is a very immature and impulsive group of people that give little regard to functionality.

Such describes my recent experience with Gentoo Linux...

Quote
After all, we would not expect car manufacturers to have made little progress on the safety of their cars, would we?

Competition is much, much stronger in the auto industry.  Too bad reliability doesn't mean much.  I still don't know why people buy crappy American cars when many foreign vehicles consistently last longer.

Quote
The reports in the vulnerabilities databases sometimes describe errors within the operating systems themselves but more often they describe application errors through which the integrity of the operating system can be compromised.

How badly?

Quote
These three are all proprietary and they all have security that is fully integrated, not applied as some kind of after-thought.

Plus, hardly anybody uses them and they are not desktop systems.  There's a reason few people have heard of them.

Quote
The other significant feature of these operating systems is the language in which they are written. The two from IBM are both written in assembler and OpenVMS uses a range of about ten languages, one of which is C.

C and similar languages that use pass-by-value techniques are exceptionally prone to buffer overflow and the consequent potential for unauthorized users to execute either their own malicious code or other programs which run with enhanced access privileges. Avoiding the use of these languages at the most vulnerable points, namely user I/O and network I/O, would appear to be wise. Linux, Unix and Windows are almost entirely written in C, and most of their middleware and application software is also in these vulnerable languages, so it should come as no surprise that they are less secure than OpenVMS, OS/400 and zOS.

In other words, "Use the right tool for the right job".  That makes sense.  It amazes me that people still use low-level languages like C to do user interaction and data verification, when a higher-level language could do the job so much easier.

I think there should be a new language designed from scratch strictly for interface and GUI design, and C and C++ reserved for the "guts" of a program.  People tell me I'm crazy when you can use GUI builders for C.  Heh!  Try using any GUI-based GUI program and tell me it's halfway intuitive and doesn't require a deep understanding of programming to use!

I hate to say it, but that's probably why HTML and CGI became so popular.  It's certainly not because HTML is a great formatting language!

Quote
The other operating system that had very few vulnerabilities is Apple's OS 9, with the Secunia database showing just one in 2003 and none in 2002.

That is utterly bunk.  I used to administrate a flock of MacOS 8 systems, and they started crashing right after a fresh install.  I have never seen or used a single MacOS system prior to OSX that could run for more than 30 minutes before needing a restart.  I've used Windows95 systems for hours, and even then, Windows will give you clues that it's going to crash.  MacOS just goes blank all of a sudden.  I think the real reason it works so well is because nobody uses it.

Quote
Apple recently moved to a Unix-based operating system, OS X, and the 24 vulnerabilities reported for it by Secunia in 2003 are a very telling comment.

You take the bad with the good.

Quote
Linux users are usually very fast to assert that Linux has fewer vulnerabilities than Microsoft's products.

Linux is just a kernel, and it is pretty much bombproof.  The trouble is, all the other parts that run on top of Linux are FAR from perfect.  XFree86, in particular, is a real pain, and in my experience, doesn't take much to crash.

I don't think I've ever gotten a Gnome session running without running into some kind of glitch right off, either.  Every time I've had a problem with Linux, it's been a graphics problem, and unlike Windows, Linux distros don't have a Safe Mode, which uses a vanilla, unaccelerated VGA driver just to get the system up and running.

Quote
The Linux kernel itself has few vulnerabilities but versions such as those from Mandrake, Redhat, Sun and SuSE have far more than Windows...

Bad drivers?  It's hard to tell with a macrokernel OS that does everything with kernel extensions.

Quote
Linux fans often point to press reports as evidence that Linux has fewer problems but this does not support their claim.

Again, Linux is just a kernel, written by programmers for programmers.  You need to precisely specify which part of the system has the vulnerability, especially if you want to fix it.

I don't think Linux distros are any better at returning informative error messages than Windows or MacOS.  For the most part, it looks like Linux distros are trying to clone Windows, which includes "shielding" them from overly technical garbage, so nobody knows what went wrong.  Why won't Gentoo Linux install on my system?  It doesn't say, because when booting off the CD, it creates no log files and outputs no startup text.  Some help that is.

Quote
Despite the fewer vulnerabilities in Microsoft's products I see no reason to cheer for Microsoft. It is responsible for the majority of the application software that runs on its various versions of Windows and so regardless of where the erroneous software might be located it only has itself to blame.

Given what it does and how many people depend on it, it's amazing it works at all.  I don't think it matters what you run.  If someone really wants to get into your system, they probably can.

Quote
In the forthcoming Windows XP SP2, Microsoft is finally making the security enhancements that should have been in place more than five years ago. These include having better network security by default and simplifying the automatic update of their software, something that should very rarely be needed if the software was properly written in the first place.

Standardized firewalls!  Yeah, that sounds effective.  Also, it's apparently not good enough to complain every five minutes in the taskbar that there's a critical update available.  Might as well download and install it automatically and silently...

Quote
Microsoft is also tweaking the protection on dynamically created code

ActiveX:  Worst idea ever.

Quote
The recent release of Linux 2.6 has also introduced some security enhancements, again rather overdue if Linux ever hopes to be a serious alternative. In particular the new release includes the ability to define privileges in finer detail rather than the simple grouping of "user" and "root", but this is something that most proprietary forms of Unix have had for many years.

Is this the same thing that prevents me, the account owner, from accessing files created by scripts?  Why can I delete the script itself, but files created by the script return, "permission denied"?  All that does is create tons of files in my folder I can't delete!

Maybe UNIX should start using assigns, and use dedicated folders for applications, thereby eliminating the backslash problem that plagues Perl and PHP scripts everywhere!

Quote
Windows and proprietary Unix are both more secure than Linux but the most secure operating systems continue to be certain proprietary systems from HP and IBM. Some may refer to these more secure systems as legacy systems but if legacy means secure and reliable it seems that legacy should be the preferred option.

They're called legacy because they usually don't support modern hardware.  OS/2 version 2.0 is legacy, because I can't even find an ATA/66 hard drive controller for it.
 

Offline Waccoon

Re: Software vulnerabilities still dog operating systems
« Reply #2 on: January 05, 2004, 08:38:29 AM »
Quote
Hammer:  “Need for Speed: Underground” works on my PC even without any patches.

Then why does it tend to dump me to the desktop with no error messages after completing a race?  Where are the log files?

I have an Abit IS7 motherboard, P4c, Geforce3 (original), SB Audigy...

...hardly crap hardware, or too new to be untested.

Also, my other games work fine.