Underground without firewalls

Deep in England, an open source data hosting center

Financial Times

CIT downgrade adds to woes

Financial stocks lead Wall Street rally

DST in Facebook common stock deal

Short View: Nikkei and yen

Media moguls rediscover scepticism

Subscribe to FT.com
Comment & analysis
In today's FT
Data & tools

By Dan Ilett

updated 4:14 p.m. ET Sept. 22, 2005

Deep underground somewhere in south-east England, security experts have built a data hosting center almost entirely based on open source operating systems.

The cryptologists at the Bunker, an ex-Nato anti-nuclear hideout owned by a data hosting group also known as the Bunker, are so confident of good security, that they say they have no need for firewalls – the tools commonly used for keeping hackers away.

"We secure each system for its services rather than relying on firewalls to do that," says Adam Laurie, technical director at the Bunker. "We will use [firewalls] now and then but they are open source – if customers request them and if we're involved with the design process."

Story continues below ↓

advertisement | your ad here

Laurie believes that open source operating systems, such as Linux and BSD, are more secure than Microsoft's various versions of Windows. (MSNBC is a Microsoft-NBC joint venture.)

He says: "The problem with Windows is that it's not designed as a server technology. It is designed to offer a service to end-users and I've never understood why you would use that. Part of the problem is that they are always adding features that could cause problems and there are a 1m back doors."

The superiority of open source security over Microsoft has almost reached the status of conventional wisdom. But is it true?

Much of the answer depends on which products are being compared. But one way of measuring the quality of software is to look at the number of weaknesses that hackers or virus writers exploit to disrupt systems.

In many cases, people who discover vulnerabilities submit their findings to Microsoft and open source developers. The developers then attempt to release patches that bung the holes as quickly as possible.

"With open source, it means you can get to a community and get a patch in relatively little time," says Howard Schmidt, the former White House cyber security adviser. "Whereas with Microsoft in a production environment, you will get a high quality product but it may take longer. But I would encourage both sides to make better coding in their programs so they are less vulnerable."

Between April and August this year, vulnerability experts at Secunia issued 21 warnings of flaws in Windows XP Professional. Of these, 1 percent were dubbed "critical" requiring urgent attention, and 24 percent were still awaiting patches by Microsoft at the time of writing. In the same period, Secunia issued 26 warnings for Novell's SUSE Linux 9.3, all of which have been patched and none of which were considered critical.

Vulnerability experts at SANS, the security organization, say security cannot be measured by patches alone, as an operating system is only as secure as its administrator makes it.

"It's not the operating system that is weak, it's the configuration," says Johannes Ullrich, chief technical officer at the SANS Internet Storm Center. "A skilled administrator can fix this, or an unskilled one can make it worse."

CONTINUED : Mixing and matching tools

1 | 2 | Next >