Recently I’ve started reading Bruce Schneier’s Blog regularly. I especially enjoy it when he exposes what should be obvious holes in the logic of strange security measures. That’s why I was so disappointed to see him praise The Honeynet Project’s paper on the life expectancy of unpatched or vulnerable Linux systems. I was going to simply leave a comment on the entry, but after reading the pdf there are so many issues that I figured I’d post this myself. So here are some of the things that I take issue with in this report and why I’m disappointed that someone like Bruce (who is on their board of directors) would praise it.
First off, there is Bruce’s main focus: that “Linux” (in reality they mean mostly Red Hat Linux, not Linux) will sit on the net for an average of 3 months before being compromised. While this is interesting, it is pretty much useless for security purposes. Since this is an average, obviously some systems were compromised sooner and some later. When it comes to security, who cares what the average is? You secure your systems. I mean, really, can you imagine a security expert simply shrugging off securing a Red Hat system simply because on average it won’t be compromised by a random attacker for three months?
Even though the intention of this pdf seems to be to show how much more likely a Win32 system is to be randomly compromised than a Linux (again, mostly Red Hat) system, they do mention that they had deployed vulnerable Win32 systems that went “several months” before being compromised (2 in Brazil). I’m not trying to defend Windows system security, but we’ve seen Microsoft (and others) play with numbers to make things come out in their favor; I’d hate to see people like Bruce doing the same.
In addition to the Linux (you guessed it, mostly Red Hat) systems they also deployed one FreeBSD 4.4 system, two Sparc Solaris 8 and two Sparc Solaris 9 systems. Of these they mention that three were compromised within three weeks and the fourth went for six months. If we assume that the average for the Solaris systems was one week, this gives an average of more than ten months. The article is quick to point out that “There is not enough data here to attempt any conclusions”. If four Solaris systems aren’t enough to provide meaningful conclusions, then why bother deploying them in the first place? If they were interested in comparing different Unix-like systems then they should deploy enough to actually compare them. And what of the FreeBSD 4.4 system? There is no further mention of it; we are given no details on how long it lasted. For completeness I should mention that they also deployed two Suse Linux and two Fedora Core 1 Linux systems.
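The two statistical complaints above (an average hides how early the unlucky hosts fall, and four hosts are too few to say anything) are easy to make concrete. The script below is an added example, not code or data from the post or from the Honeynet Project: the survival times are constructed, and the Solaris list merely mirrors the "three short, one long" shape the paper describes. It reports the numbers a defender actually needs next to the mean, and uses a bootstrap to show how wide the uncertainty on a four-host mean really is.

```python
"""Time-to-compromise statistics for a small honeypot deployment.

Constructed example (not data from the Honeynet Project paper): the survival
times are made up to show why a mean of "about three months" says little about
any individual system, and why a sample of four Solaris hosts is too small to
support a conclusion.
"""
import math
import random
import statistics

# Constructed survival times in days for a hypothetical Linux honeynet.
# A few hosts fall within hours or days; most last longer.  Mean is ~97 days.
LINUX_DAYS = [0.5, 2, 5, 9, 14, 30, 45, 60, 95, 120, 150, 180, 200, 250, 300]

# Constructed Solaris sample with the shape the paper describes:
# three hosts compromised quickly, one that lasted about six months.
SOLARIS_DAYS = [7, 7, 7, 180]


def summarize(days):
    """Return the mean beside the figures that matter for a defender.

    'min', 'p10' (nearest-rank 10th percentile) and 'median' show how much
    earlier than the mean real systems fall; 'frac_before_mean' is the share
    of hosts that were already compromised before the "average" lifetime.
    """
    s = sorted(days)
    n = len(s)
    mean = sum(s) / n
    return {
        "n": n,
        "mean": round(mean, 2),
        "median": statistics.median(s),
        "min": s[0],
        "p10": s[math.ceil(0.1 * n) - 1],
        "frac_before_mean": round(sum(1 for d in s if d < mean) / n, 2),
    }


def bootstrap_mean_ci(days, resamples=2000, seed=1):
    """Percentile bootstrap 95% confidence interval for the mean.

    Resamples the observed lifetimes with replacement; a seeded generator keeps
    the result reproducible.  With only four observations the interval spans
    most of the observed range, which is the point.
    """
    rng = random.Random(seed)
    n = len(days)
    means = sorted(
        sum(rng.choice(days) for _ in range(n)) / n for _ in range(resamples)
    )
    lo = means[int(0.025 * resamples)]
    hi = means[int(0.975 * resamples) - 1]
    return lo, hi


def relative_ci_width(days):
    """Width of the bootstrap CI divided by the sample mean (1.0 = as wide as the mean)."""
    lo, hi = bootstrap_mean_ci(days)
    return round((hi - lo) / (sum(days) / len(days)), 2)


if __name__ == "__main__":
    for name, data in (("Linux (constructed)", LINUX_DAYS),
                       ("Solaris (constructed)", SOLARIS_DAYS)):
        print(name, summarize(data))
        print("  95% CI for the mean:", bootstrap_mean_ci(data),
              "relative width:", relative_ci_width(data))
```

In the constructed Linux set the mean is about 97 days, yet the median host lasted only 60 days and 60% of hosts were gone before the "average" lifetime; for the Solaris-shaped sample the bootstrap interval for the mean runs from 7 days to well over 100, wider than the mean itself, which is exactly why a four-host sample supports no conclusion.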
The whole feeling of this article is how we can try to provide more numbers to try and bash Microsoft. What’s the point in that? Want to do something useful? Deploy several different systems: Windows 2000, Windows 2003, Red Hat Linux, Suse Linux, Fedora, Mandrake, Debian, FreeBSD, NetBSD and OpenBSD. Make sure that there are enough of each to come to some conclusion, otherwise why bother?
I hope Bruce continues to hammer people making silly security statements; I just hope that he doesn’t exclude his keen eye when it comes to projects that he is a part of.
UPDATE: 7:05pm 17 Jan 2005: Why does Slashdot even bother to link to these types of things?