Domain: securityinnovation.com
Stories and comments across the archive that link to securityinnovation.com.
Comments · 9
-
Re:The Most Secure Mobile OS
even if they encourage you to hide them behind a firewall - a kludge at best
Firewalls are a kludge now? And when you say "encourage", you mean that it blocks them all by default?
Linux has a repository from which to install software, while windows encourages users to download and run arbitrary binaries.
I never said Linux doesnt have any cool features that Windows lacks. Repositories on Windows would be awesome. But we're not exactly talking "system security" any more; we're discussing systems of trust and methods of acquiring executable code. On most desktop linux installs (and many server installs) that I've done, I've had to download a
.deb or .rpm file or else install a 3rd party repo for some program that wasnt in the base repos. Thats really not much different than downloading an exe from a known trusted site-- I often download files off of nirsoft.net or sysinternals.com or the major vendor sites (firefox, adobe, google, microsoft), and I dont see it as much different than using a repository (in both situations you have to trust that the vendor's server has not been compromised).Repos on windows ARE the biggest thing on my wishlist, all that said.
Windows has things like stack randomization and non executable pages, but so does linux and has done for much longer.
DEP was enabled in windows apparently about the same time as it was for Linux. I had thought that ASLR was introduced in Windows first and Linux later, but it seems Linux was first there-- though wikipedia notes it was a "weak form" (not really sure what is meant by that).
Its kind of irrelevant though, Im discussing the status NOW. I think this article puts it well--
"I think the question is far more complex right now actually. For example, what constitutes "Linux" or "Windows"? If we're talking only about the kernel, then they're about the same (both extremely secure). They've certainly made different design decisions, but at the end of the day kernel exploits for either OS are extremely rare."Take group policy "folder restrictions" for instance, designed to prevent you browsing certain areas of the filesystem (eg the windows dir, or the root of the hd), and sure enough if you type c:\ into explorer you will get an error... But what if you open a subdir (eg browse the temporary internet files dir using the option within the ie settings), and then keep hitting the up option..
Microsoft freely admits that that particular GPO (and others like it) are not security options. If you want security for that, use the NTFS "list directory contents" and "traverse folder" ACL settings. I am not aware of analogues for Linux ext3/4, incidentally.
Linux doesnt have "features" like these because they are pointless, if you want to prevent users from accessing a given area you need to use file permissions.
I think there are some rare use cases for that particular GPO: perhaps you prefer to prevent users from seeing that a particular folder exists or what its contents are, but it is necessary that their account have permissions to access those files (for instance, you dont wish them to be able to see or delete temp files, though it is absolutely necessary that their account be able to read / write / execute data in that folder).. At any rate, NTFS has far more granular ACL controls than ext2/3/4, and can easily do what you talk about. And I wouldnt exactly boast about the lack of GPO support; GPOs are IMO one of the most powerful features of Windows. Being able to deploy a policy that says, for example, deny "execute" permission to any file not in C:\Windows and C:\Program Files, or else to publish a whitelist of executable hashes that are permitted to run, is pretty darn powerful.
-
Security Innovation
My company uses a company called Security Innovation. We have used them several times for various engagements including an embedded system, Unix applications, and our latest Web based interface into the system. Each time they have found some serious security vulnerabilities that our customers would have been extremely alarmed if they had been found by their own pentesting teams (which they use for each release of our product). Highly recommended!
-
Most Valuable Professional?
FFE4: What kind of credibility do you think you have, being a Microsoft MVP?
-
Here's the link for the REAL pdf.
The link posted in the story is not correct.
Just click through and don't give them any info. You can still download it.
http://www.securityinnovation.com/reliability.shtm l -
Page 25 of their whitepaper.
Where did you find that information? The PDF at the website seems to be a completely different study.
The problems start at page 25. Here's the beginning:For SLES 8, all required and recommended security patches were applied to the system. The same criteria was applied for Windows patches. These patches were applied in 1 month increments to the system. On the SuSE side, during the one year period under study, patches were released for the core components from multiple sources spanning package developers, individual contributors in the open source community, individuals and corporations. In this analysis, we only consider those patches issued by the operating system vendor (Novell/SuSE). From an enterprise management standpoint, this is the most common scenario given that the chief benefits of using an enterprise Linux distribution is the compatibility testing done by that Linux vendor on patches and the support extended to administrators. By going outside this channel for patches, both benefits are forfeited. In the period from July 1st, 2004 to June 30th 2005 there were 187 patches that were applied to the system. Of these patches, 13 affected the kernel. While kernel patches did not require an immediate reboot during installation, the majority of them need a system restart to immunize the system against a specific vulnerability. In general, patch application on SuSE proceeded well and most patches installed without error or conflict. Beginning at Milestone 1 however, some upgraded components were out of support from SLES 8 and updates for those components had to be obtained from the package distribution sites. As of Milestone 1, MySQL patches were obtained from the MySQL distribution site and as of milestone 2, glibc and directly related packages were maintained through manually applying SLES 9 patches. 3rd party component installations were performed according to the installation procedures specified by those vendors.
Whitepaper location:
http://www.securityinnovation.com/reliability.shtm l -
Have you READ their study?Here it is: http://www.securityinnovation.com/pdf/windows_lin
u x_final_study.pdf
So has anyone allready taken this to the test ?
What "test"? The whole point is how their "methods" are flawed.As long as there is no counterevidence (besides the obvious evidence from everyday use of both OS's), why allready pass a judgement? (Ok, this -is- Slashdot, I'm not -too- new here)
Here's the "counterevidence":
Scenario: You are running a web site on Linux. All ports are blocked by the default firewall except port 80.
Is a local exploit in a .pdf reader that is not remotely accessible, but that goes unpatched for a year worse (in your opinion) than ... ... a remote httpd exploit that gives you root access but which has the patch released with the vulnerability announcement on a public mailing list but you don't deploy it for 1 week while Red Hat packages it and tests it?
By their "methods", the .pdf reader is far, Far, FAR, FAR worse than the httpd one.Allthough I find it dubious, to say the least, to have MS funding this research ; I still think that they should at least try to reproduce the results , and investigate what might have been left out (on purpose) to skew the outcome.
Read the study. They did NOTHING that just about any 5th grade student couldn't do.
They counted the vulnerabilities (X).
They added together all the days between announcement of vulnerability and Red Hat releasing a patch (Y).
They divided Y by X to find the average time between vulnerability announcement and Red Hat releasing a patch.
They did the same for Win2003.
Then they announced that Win2003 was more secure because it had let time between public announcement and public patch.
That is all they based this "report" on.
Their methodology is fundamentally flawed. You can do the same arithmetic they did and get the same results, but that does not mean that their findings are valid.
-
Have you read the "study"? Here it is!http://www.securityinnovation.com/pdf/windows_lin
u x_final_study.pdf
Read it. Look at how they took the "default" settings EXCEPT where those settings would make Microsoft look too bad (firewall disabled by default).
Read it all. Then look at what they REALLY based their "finding on".
Nothing more than some other site's listing of security announcements/bug fixes.Unless you can find fault with the study itself, there is nothing wrong with Microsoft financing studies which show Microsoft in a favorable way as long as the study itelf was legitimate.
That's nice, in theory. But just read the "report".
That's a given. That is why Microsoft provides the financing to these "independant" "studies" by these "independant" "researchers". ...to consider the possibility that if the study was unfavorable to Microsoft's position they would simply have pulled the plug and thrown away the results?I realize this may be a difficult concept for many
Hey, here's the REAL information hidden in that report... /.'ers to grasp but give it a shot.
Look at how many security violations these to "Ph.D.'s" had to perform just to get Win2003 on par with Linux ...
Then look at the "research" these two "security experts" did that could have been done by any 5th grade student who can add and divide.
These "security experts" are prostituting their "Ph.D.'s" in support of a "study" that is beyond fundamentally flawed just so Microsoft will approve of it and give them paychecks. -
Re:UnsurprisingEvery post so far contains nothing but knee-jerk whining. Did anyone actually look at the claims of the report? Anyone care to see if it the findings might possibly be accurate? How about at least moving past the vauge claims of the submitter? Here's the beef:
The results of the research show that both Linux-based deployments contained more total security vulnerabilities and more "days of risk"-- the amount of time elapsed between public disclosure of a vulnerability and the issuance of a potential fix by a vendor--per vulnerability. The report also includes a separate, step-by-step description of the repeatable methodology, so that others can duplicated and validate the results.
-
Re:Blimey
the fact that 5 lines of TEXT can compromise the Diebold system is just plain sick!! Kudos to Herbert Thompson at Security Innovation for finding the hack... heh heh