Slashdot Mirror
Battle of the Secure Distros
CrazyEd writes "LinuxSecurity is reporting that EnGarde Secure Linux has received the Network Computing Editor's Choice award to win the battle of the Secure Linux distributions. Well deserved, me thinks." Update: 06/10 15:16 GMT by T : An anonymous reader points out that Linuxlookup.com
reviewed this distro last week, awarding it a perfect score.
Now we just need to get everyone to switch from RedHat! That'll be a piece of cake!
I have been pwned because my
When I visit the site to check out the story, I see a banner ad for - EnGarde Secure Linux!
(I'd do the same, of course)
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
A distro is (or any software for that matter(yes Windows to)) only secure if the admin who runs the distro knows what is he doing.
Interesting that the NSA security enhanced linux is not even mentioned.
http://www.nsa.gov/selinux/
--
I vote for OpenBSD
> The Openwall patch is highly regarded in the security
> community, as is its creator, SolarWall
or Solar Designer perhaps.
hello, fact checkers?
I am currently trying to write a HOWTO/make an RPM for the NSA SELinux to work with a SuSE distro (Vanilla kernel)...
Shell I stop doing so now and just install this distro instead?
Is it really more secure than LVM/RSBAC patched kernels with additional hardening?
For sure?
just my two cents...
Look at Linux Security in the left upper coner thers a interesting Sponsor of LS.
Because I'm always installing Linux for clients, RedHat is always specified, so I have no choice, but I've got it down to taking about 10 minutes to have a really secure box. It's just a case of knowing what needs to be done, which sadly, Linux newbies won't know.
In my opinion, security should be paranoid to start with. If that stops the users from doing something, fine. They'll have an incentive to try and figure out how to allow what they wan to do. Make it too easy, and they'll just live in blissful ignorance.
I have the most secure distro,
but unfortunatly you can't have a copy, just incase you find a bug.
Logon requires you press ctrl+alt+delete , because it's oh so hard for memory resident apps to not die when this happens.
My mouse has only 1 button to confuse any computer literate people, and allow me to catch them in the act.
I've remapped the keyboard, to confuse those who touch type.
No network (because the kernel dosn't have the correct drivers),
No-ones hacked it yet.
thank God the internet isn't a human right.
Dirk
... if some website or magazine issues an "editor's award" or whatever to product, _especially_ when we're talking about security.
Dirk
In any case, to be a properly secure distribution you need DoD/NSA style certifications. The Common Criteria go part of the way there, but again certification is slow and really not universally accepted. (There's a flame bait for you CC fans).
Bottom line - true security requires seriously lengthy evaluation and certification. And even so, a product like NT 4.0 is still being found to have security holes to this day.
Sigh.. anyone fancy rewriting Multics for the Intel platform? :)
Never email donotemail@WeAreSpammers.com
Dirk
Made by the man himself, Solar Designer (whom the article calls SolarWall).
http://www.openwall.com/Owl/
OpenBSD 3.1!!! =))
Sorry, could not resist...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Other pluses: it's Really Free(TM) Software - as opposed to Redhat and others which bundle non-free software in the default distro, it's manpages don't suck, etc.
No way, this is a carefully enginered distro, no hacking at all, years of pain and missisry have gone into finding the most obscure algorithms to get the job done.
Advanced DRM technology, for speeker licenses, if you don't have a licence to connect the speekers to the PC and play that song, then they get bombarded with square waves and lots of clipping until they follow the licence aggrement.
Why it's so secure that i cant even open the coffie cup holder.
thank God the internet isn't a human right.
What, no mention of Tinfoil Hat Linux? :)
and I am a professional sysadmin. I get paid a lot to do my job and I don't feel like there is anything mystical about it (that sort of nonsense is for university admins that have to deal with incompetent bosses -- more power to 'em, but I don't). What I feel adds value is not mere understanding of the protocols (relatively easy) but rather, the ability to choose the correct tool (protocol, framing, hardware, software) for the job, and make it work so that the rest of the people involved can do their jobs without noticing (or if they do, saying, "hey, that's really cool and easier than before!"). Needless to say I do a good deal of development to make this happen, and again, that is more challenging than administering boxes (IF you start with a sane rollout and upkeep process -- yes, RPM/apt/pkg_add is your friend; yes, CVS/CVSup/Rsync is your friend; no, ad-hoc changes are not the Better Way to proceed).
When you rattle off NNTP and crap like NIS/LDAP as if they were equivalent in complexity to full BGP4/MBGP routing, I think you belie a superficial understanding of the situation. Even something as nastily complicated as BGP route maps is not nearly as challenging as dealing with people, professionally and personally, in a fast-paced environment that values results over process or the latest fad technologies. In that respect I do not believe it is significantly harder to earn one's keep as a sysadmin than to do so as a VP Sales or a Comptroller. It's just a totally different set of technical skills used to do the job.
I don't doubt that you meant well, but really, choosing the right tool for the job (and then using it well) is not so difficult in most cases. 'Tis a poor craftsman who blames his tools!
Remember that what's inside of you doesn't matter because nobody can see it.
The i386 (i486 and i586) version
i386 "Bonus" Package
The i686 version
i686 "Bonus" Package
------
Random, useless fact: I type in startx entirely with my left hand.
testing, Linux Lewis beat Mike Tyson Bwahahaha
Yep, got my home box r00ted six weeks ago. All because I hadn't taken all the usual basic precautions. (insert your sarcastic insult here). Being an ex sysadmin, I should have known better. Tightening up the security didn't take too long.
The hardest part was setting up ipchains to do packet filtering. Lord help a newbie doing this; you have to know a fair amount about TCP/IP. The various security HOWTOs make a brave effort of trying to explain it all, but I really wonder how many novices will understand it. I don't see how any Linux distribution can make this easy: there are too many variables about the intended use of the computer. The rules for a DMZ computer, a LAN computer, a lone dial-up computer and a firewall are completely different.
Ne mæg werig mod wyrde wiðstondan, ne se hreo hyge helpe gefremman.
Well, I think that this healthy competition is going to help *all* distros!
What the fuck am I talking about? I'll tell you!!!!
Basically, people use different secure distros (or distributions) of Linux! Like Slackware or Debian! Then they don't get destroyed by hackers (unlike Windblowze!!!) and who gets the credit? LINUX!
And so all the different Linux dsitros do better! What do you think of my idea?
Karma: Good (despite my invention of the Karma: sig)
"Score:0, Insightful"
/fun/."
Freeeowww! it was a joke!! Tchuh!
"Organic lifeforms have *no* sense of
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Most federal agencies seem to evaluate Windows against proprietary Unix solutions and (duh) find that Windows is cheaper. If they *really* care about security they almost always have their own solution (often in hardware) that you will be asked to code to / talk with / work in conjunction with. Short of that, offering to use NSA SELinux (because of the NSA's "approved" cachet) really seems to open a lot of doors for Linux.
:-). But, the odds are against it.
En Garde may be better, for all I know. But I'll be using SELinux for gov't clients wanting high security, and OpenBSD for my need-to-be-hardened services, because I know they are excellent tools for those applications. (sorry folks...)
The above are just my experiences. For all I know it could be a vast conspiracy to provide disinformation
Remember that what's inside of you doesn't matter because nobody can see it.
This is an old troll. Please mod it accordingly.
> 667 The Neighbour of the Beast
should it not be 668 (or 664) if you live on the same side of the street...
just my 25 euro
It’s just me or other people also noted EnGarde’s installer looks just like the Debian one? Would it be Debian-based?
I haven’t seen them at Debian’s derived distributions list, so maybe I’m mistaken.
Leandro Guimarães Faria Corcete DUTRA
DA, DBA, SysAdmin, Data Modeller
GNU Project, Debian GNU/Lin
http://www.networkcomputing.com/1312/1312f33.html# filter
try reading the article before making false claims.
Next question.
Even Linuxlookup.com ( http://www.linuxlookup.com/html/reviews/software/e ngarde1.1.html ) gave Engarde Linux a perfect score last week too. Think I'll give it a whirll.
I disagree, no administration AT ALL of any kind is needed for the Mac OS (all versions except the newer Unix based ones)
:
The MOST secure OS is already deployed on servers. And though this was incorrectly dowgraded to Troll in this thread earlier by people that do not like to admit this fact, It needs to be said, even if no one ever mods it up.
The fact is
No Mac webserver has ever been hacked! Ever. Even with no administration upkeep or maintenance.
This anti-hack challenge is despite two large contests (10,000 us dollars over one month duration).
That is why the US Army once gave up being exploited and for some of its sites used Mac OS 9.x and Webstar (a commercial web server).
There are numerous technical reasons why no mac webservers have ever been remotely hacked and exploited, many are quit interesting.
No Linux/UNIX is as secure as Mac OS 9.x and earlier, as demonstrated by the hundreds and hundreds of exploits in Unix and the lack of a single exploit ever discoverred in OS9 web servers. Ever.
If you want security in an OS implement what Apple's Mac OS 7 through 9.2 offers:
get rid of root (leaves a false sense of security lazy programmers dont understand)
get rid of command line (creates a huge way of exploiting between processes)
get rid of single file fork executables (use a second invisible file associated with each executable file)
get rid of filename extensions (use an invisible embeded file type that cannot be set by users typing)
get rid of unix utility software (use non-command line tools that use high level scripting rules)
get rid of ANSI C library based code (The mac uses safe Pascal Style Strings often, including in ROM)
avoid C string buffer exploits (again, most commercial mac programs avoid null terminated strings).
sotre all web server files meant to run as executables and CGI as specially "typed" files
and most importantly have compilers save return addres HIGHER up the stack (prevents most clever overflow exploits)
Basically you end up with Mac OS 7 through 9!
If security is paramount, to exclusion of all else, then Mac OS 7 through 9 cant be beat. And is 100% secure so far according to historical facts.
SecurityFocus concurs.
But most linux loving slashdot readers will never understand the TECHNICAL reasons no mac web server running Webstar and Mac OS has ever been rooted, or ignore the facts.
I wonder why people try to award silly designations to "secure" linux distros! When it has been shown to have many holes historically.
No, score that 0, insult to OpenBSD to call it a Loonix distro.
Bastille is a script that asks you questions, and proceeds to tighten down your Redhat or Mandrake installation, extra effort has been put into explaning the choices, and making sure you understand WHY something was done.
Here's the summary:
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems, with support on the way for Debian, SuSE, TurboLinux and HP-UX. We attempt to provide the most secure, yet usable, system possible. The project is run by Jon Lasser, Lead Coordinator and Jay Beale, Lead Developer, and involves a number of developers, beta-testers and concept-creators. Bastille Linux was developed with several major goals:
This sig is self referential.
A week ago I probablly would have answered Slackware, being a die-hard Slackware geek for my entire Linux life. But last week I found out about Gentoo, and I have to say I like it. Especially for security. After you're done the install you're left with a VERY minimal system, there are ZERO services running, hell there are no services installed on the box. You have to explititly install any services that you wish, which is nice because you don't have any weird weird stuff installed on your system without your knowledge. Yes, this isn't for newbies who can't spell ls, but for the long-time unix geek who does everything manually already, this is the way to go.
I'm disappointed that they didn't include Kevin's Red Hat Uber Distribution. Kevin Fenzi is the author of the Linux Security HOW-TO, and the hardened version of Red Hat that they produce has served me quite well for over a year.
this is getting old and so are you
blog
But surely OpenBSD 3.1 should have won the prize for the most secure distro. According to the web page, each line of source code is actively audited by Theo De Ratdt, to ensure there is no remote exploits. Also, it is designed to be secure out of the box, no services are enabled in the default install which would give hackers a way in. Or am I way off base here ?
The first time I read that, I thought you said NTP, not NNTP. NTP is possibly the most complex RFC in existence: And while LDAP is itself a lightweight protocol, the actual directories linked by LDAP, such as NDS, or Active Directory, can be fantastically complicated. [NDS requires an underlying NTP infrastructure before you can even begin your implementation, and Active Directory requires that all important Kerberos infrastructure.]
It would be more interesting for someone to point out why or why not. OpenBSD clearly has a big lead in a secure/debugged code-base, because of their mature and ongoing auditing process. However, according to their webpage, this extensive auditing process DOES NOT extend to their ports collection (They'd need an army of developers! A use for human cloning perhaps...)
In the long term the Linux distros seem to be taking the approach of implementing (or trying to implement) OS-based mechanisms to make errors like buffer-overflows unexploitable, rather than trying to eliminate them. At least in my (perhaps-naive) understanding, this might, someday, give them an edge in a real-world full of unaudited/imperfect applications -- if they can actually pull it off.
It is complicated as hell because the whole issue of clock synchronization across a medium with varying latencies (differing both along the axes of time and location, though without any linear dependence across those two axes) is horrifically complex.
Still, a working NTP infrastructure is a requirement not just for NDS, but (IMHO) for ANY scalable deployment of service that is meant to be reliable. How can you get anything interesting from your logfiles (on a correlation-across-the-site basis) without a standardized meaning for the timestamp?
Complicated, yes, but also valuable. I have had the misfortune of trying to read the RFC. I even read the source for ntpd and xntpd (v4). The complexity arises (and damned if this isn't going to sound familiar) as a result of multiple people in multiple locations trying to coordinate their metrics for timekeeping. LDAP and NIS complexity also arises from social interactions (upkeep) and scaling (emergent behavior of a system). NTP is a great tool for minimizing the chaos created by bugs in authentication schemes like LDAP, btw.
Aside:
If you want to get really sick, try running a Coda or AFS deployment (with IPSec or SSH tunnels to link nodes) across multiple timezones. Woo Hah!
All of my servers run NTP, from the routers, which in turn pull from tick and tock at the Naval Academy (or NRC, can't remember offhand which).
Remember that what's inside of you doesn't matter because nobody can see it.
I did not mean to imply that SELinux actually offers a greater level of security than the alternatives, nor to imply that it was blessed by the NSA (or for use in NSA projects, for that matter).
;-).
Rather, my experience has been that other three-letter agencies find it helpful in the decision-making process if a solution based on Linux also has the imprimatur of the NSA (eg., "we can do this on NSA SELinux if it suits you better") so that it need not be seen as a rogue deployment of something outside the norm.
I am sorry if anyone got the idea that SELinux is Orange Book or NSA approved or in any other way superior to a properly-implemented kernel MAC implementation. What I was commenting on is the "aura", if you will, of offering a product that is Linux-based, but NSA-Linux-based. It makes life easier. I had trouble the first time I explained this to my boss, so clearly I need to work on my presentation of the issues some more
YMMV...
Remember that what's inside of you doesn't matter because nobody can see it.
i really hate the phrase "me thinks".
You ARE off base. Not every line of source code in (for example) the ports and packages can be audited by the development team, let alone all by Theo himself. The OpenBSD developers do a terrific job, and I trust it above any other OSes for my "hardened" public servers, but it simply is not possible for the degree of hardening and auditing you describe to be done by such a small group. The auditing is done to the kernel, the base utilities, and other aspects of the default install. Outside of that, you're on your own.
Furthermore, several of the services that run by default on a raw install of OpenBSD have been shown over time to have local root exploits possible. Not remote root, mind you, and not without a swift and comprehensive patch being released, but the moral is, No One Is Perfect.
That said, I have never had a compromise of any sort on my OpenBSD systems. I buy each and every release on CD direct from them to support the project, and have donated a little bit, too. If anyone who just runs Linux says "so what, it doesn't affect us" I request that you look at what version of SSH you're running. OpenSSH? Hmm, guess which dev team wrote that? Yeah, that's right. *BSD will be dead around the same time we see the paperless office (and the paperless restroom, and flying pigs, and...). OpenBSD is good stuff when you just can't take chances!
Remember that what's inside of you doesn't matter because nobody can see it.
Um... My brain is working slowly today. I want to summarize your post.
The Mac server can't be rooted because... it has no root.
And there aren't any command line utilties because... it has no command line.
And... this means that the machine is secure.
Ok, some challanges for you (simple tasks to
perform, that I do all the time).
1 - My server box is headless (no monitor/keyboard). That's because I am never PHYSICALLY there. Yet, I update web pages, email services, add new forms, etc. I can even update the OS remotely. Can you do this on the Mac? Serious question, I'd like to know the answer (I SUSPECT its NO, but I do want to know).
2 - I can provide additional services on my servers. (I run a simple collaboration server). If I need to, I can add additional services (again, remotely, because these machines DON'T have monitors/mice/keyboards).
3 - If I need more compute power (and I occasionally do), I use DHCP and TFTP to load OS's into diskless and headless boards. I can then control these nodes remotely as well (good for LAME, video transcoding, other stuff). Does Mac offer anything like this?
And, please restrict your answer to Mac OS prior to OS X. I am aware that OS X will do these things, which is why I may finally get a Mac.
Due to the nature of trying to offer services that can potentially be general across the I'net, I have to be careful about security. I could offer NO services, and be fully secure, but that wouldn't be anywhere near as useful.
If Mac OS (not OS X) can offer these services, and is as secure as you say, I WILL buy as many as I can get my hands on. Really. I haven't been shown how yet. I presume that either (1) I am ignorant, or (2) It's not possible. If it isn't possible, then the Mac "solution" isn't very useful. I don't want to have to run home to update web pages, open up MP3 playback from home to my work, add email filters, monitor collaboration services, or check on the system health.
I am looking forward to being educated here.
Ratboy.
Just another "Cubible(sic) Joe" 2 17 3061
Daemons that are run by default are reduced to a minimum.
Easy upgrading of security-critical packages (no, that's no ad for Debian, of course :-;)
Ability to a install a minimum system with a minimum number of packages.
Careful file permissions and special user groups (i.e. "dialup","audio")
Use of "secure" programs for a particular purpose (i.e. ssh instead of telnet, not sendmail as MTA, ...)
Any other ideas?
Don't drink and su! antidisestablishmentariazationally
because Linux is for bitches.
just because he's stating some (relative) weaknesses of linux doesn't necessarily mean he's a troll. actually as far as I can see, his points are quite relevant
Everyone knows that. The interesting question is this: assuming you have a good admin, which distro is most secure?
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
WEBSERVER HAS ITS OWN TOOLS, but other remote tools exist such as Timbuktu.
The MOST secure OS is already deployed on servers. And though this gets incorrectly dowgraded to Troll by people that do not like to admit this fact, It needs to be said, even if no one ever mods it up.
:
The fact is
No Mac webserver has ever been hacked! Ever.
This is despite two large contests (10,000 us dollars over one month duration).
That is why the US Army once gave up being exploited and for some of its sites used Mac OS 9.x and Webstar (a commercial web server).
There are numerous technical reasons why no mac webservers have ever been remotely hacked and exploited, many are quit interesting.
No Linux/UNIX is as secure as Mac OS 9.x and earlier, as demonstrated by the hundreds and hundreds of exploits in Unix and the lack of a single exploit ever discoverred in OS9 web servers. Ever.
If you want security in an OS implement what Apple's Mac OS 7 through 9.2 offers:
get rid of root (leaves a false sense of security lazy programmers dont understand)
make microkernel as small as possible (even if you pass gary dividians birthaday in a register to get into kernel space, you cannot cause mischief that can be caused external from mac kernel)
get rid of command line (creates a huge way of exploiting between processes)
get rid of single file fork executables (use a second invisible file associated with each executable file)
get rid of filename extensions (use an invisible embeded file type that cannot be set by users typing)
get rid of unix utility software (use non-command line tools that use high level scripting rules)
get rid of ANSI C library based code (The mac uses safe Pascal Style Strings often, including in ROM)
avoid C string buffer exploits (again, most commercial mac programs avoid null terminated strings).
sotre all web server files meant to run as executables and CGI as specially "typed" files
and most importantly have compilers save return addres HIGHER up the stack (prevents most clever overflow exploits)
Basically you end up with Mac OS 7 through 9!
If security is paramount, to exclusion of all else, then Mac OS 7 through 9 cant be beat. And is 100% secure so far according to historical facts.
SecurityFocus concurs.
But most linux loving slashdot readers will never understand the TECHNICAL reasons no mac web server running Webstar and Mac OS has ever been rooted, or ignore the facts.
I wonder why people try to award silly designations to "secure" linux distros! When it has been shown to have many holes historically.
This is not a troll. Why? because I am formally requesting that i am not intrerested in your rebuttals. Do not bother to criticize this post.
A true troll, by definition, WANTS responses and is not stating anything important. By requesting no criticism, I am proving I am not a troll.
This post is meant to only educate people on why no mac servers have been rooted and state a few inarguable facts. So quit modding it as a troll without reading the FAQ on the web regarding the definition of 'trolling'. Otherwise -1 mods are merely ignorant censorship by fanboys that hate to admit they know nothing about secure OSes..
The Red Hat Linux installation program.
:)
here are details.
end of enlightenment.
my
You are correct. Security out of the box is paramount, without administration ever. Even over multi-year timespans.
:
And One OS would get a "10" on that metric.
The MOST secure OS is already deployed on servers. And though this gets incorrectly dowgraded to Troll by people that do not like to admit this fact, It needs to be said, even if no one ever mods it up.
The fact is
No Mac webserver has ever been hacked! Ever.
This is despite two large contests (10,000 us dollars over one month duration).
That is why the US Army once gave up being exploited and for some of its sites used Mac OS 9.x and Webstar (a commercial web server).
There are numerous technical reasons why no mac webservers have ever been remotely hacked and exploited, many are quit interesting.
No Linux/UNIX is as secure as Mac OS 9.x and earlier, as demonstrated by the hundreds and hundreds of exploits in Unix and the lack of a single exploit ever discoverred in OS9 web servers. Ever.
If you want security in an OS implement what Apple's Mac OS 7 through 9.2 offers:
get rid of root (leaves a false sense of security lazy programmers dont understand)
make microkernel as small as possible (even if you pass gary dividians birthaday in a register to get into kernel space, you cannot cause mischief that can be caused external from mac kernel)
get rid of command line (creates a huge way of exploiting between processes)
get rid of single file fork executables (use a second invisible file associated with each executable file)
get rid of filename extensions (use an invisible embeded file type that cannot be set by users typing)
get rid of unix utility software (use non-command line tools that use high level scripting rules)
get rid of ANSI C library based code (The mac uses safe Pascal Style Strings often, including in ROM)
avoid C string buffer exploits (again, most commercial mac programs avoid null terminated strings).
sotre all web server files meant to run as executables and CGI as specially "typed" files
and most importantly have compilers save return addres HIGHER up the stack (prevents most clever overflow exploits)
Basically you end up with Mac OS 7 through 9!
If security is paramount, to exclusion of all else, then Mac OS 7 through 9 cant be beat. And is 100% secure so far according to historical facts.
SecurityFocus concurs.
But most linux loving slashdot readers will never understand the TECHNICAL reasons no mac web server running Webstar and Mac OS has ever been rooted, or ignore the facts.
I wonder why people try to award silly designations to "secure" linux distros! When it has been shown to have many holes historically.
This is not a troll. Why? because I am formally requesting that i am not intrerested in your rebuttals. Do not bother to criticize this post.
A true troll, by definition, WANTS responses and is not stating anything important. By requesting no criticism, I am proving I am not a troll.
This post is meant to only educate people on why no mac servers have been rooted and state a few inarguable facts. So quit modding it as a troll without reading the FAQ on the web regarding the definition of 'trolling'. Otherwise -1 mods are merely ignorant censorship by fanboys that hate to admit they know nothing about secure OSes..
YABT. HAND.
See subject.
"ESL is clearly designed for those who want a product that is prepackaged and ready to go out of the box."
One of the problems with setting security to paranoid is that it usually means that nothing works. Let's face it; most small businesses are not going to have a Linux guru working for them. Unless they can afford to hire a guru to come in and set things up, they will have to figure it out for themselves.
We need distros that run "out of the box" and are secure. I know my way around a Linux box fairly well but I do not consider myself a guru. For me, there are few things more frustrating than setting the security level to paranoid and having nothing work. What makes it worst yet is that rarely (if ever) will you find adequate utilities for the non-guru to properly configure a service once setting the system's security has broken that service.
This has got to change. I don't have time to be a Postfix guru and a MySQL guru and a apache guru and..... Further, I don't know what sadistic bastard wrote these manuals but they appear to all be written by one guy and maybe his brother. I am NOT a stupid person but twenty minutes of reading Linux man pages makes me want to go up to the roof and sit naked with a high powered rifle! Maybe some people can read that stuff and get a warm fuzzy feeling but I want something that I don't need a PHD to understand. Believe it or not, most of us want to spend more time using our Linux boxes than we spend trying to configure them.
The race isn't always to the swift... but that's the way to bet!
Drop me a mail, and I will give you a prove, that Mac OS 9 is at least as vulnerable as any other platform is, too.
I think, you should distinguish between Operating System Security and Secure Applications on top of an insecure OS.
Mac OS 9 does not have any security.
It's only the webserver which was secure. Use the same webserver on Linux, and Linux is as secure as your Mac.
This level of security can be reachen on ANY platform, including DOS and even Windows 95.
Just disable everything which has something to do with networking, and then install some secure server application.
I'd like to see a Mac OS 9 driven computer that can prevent hackers from destroying data DESPITE the fact that it is running insecure software - THIS would be real OS security.
You can do most of the above using a tool like Timbuktu, which allows remote use of a mac using the GUI; you can do most of what you want through that. A better way is to use the Remote Admin Extension, which allows you to administer MacOS (pre-X of course) through a telnet client. Most Mac webservers also have remote administration capabilities built in. I administered a headless Mac webserver for about 5 years using these tools (The OS was 7.1 and I was running Webstar 1.1; this stuff worked faithfully (though slowly) for a long time.
Of course, the real reason Macs are perceived as more secure is because fewer people have spent time hacking them, because there are fewer Macs. Every service you offer can be coded for the Mac, and many have been, but every service opens the potential for security risks. You can stay up to date on Mac security issues at http://securemac.com, among other sites.
Finally, you can always install linux on the Mac and do what you want, but that really doesn't answer your question.
1) yes, if you open up some potential security holes such as the AppleShare IP server (which is probably far more secure than SMB/CIFS).
2) no, unless you run extra software which may not be secure, such as VNC.
3) Jobs demonstrated a diskless netbooting iMac on stage a couple years ago; the client ran Mac OS 9 but the server was Mac OS X. Of course the same can be done with OSX clients. I'm not sure what all this allows you to do; it's not something I've played with at all. Of course, you should be able to netboot a *nix OS on Mac hardware, but the hardware is a bit pricey for that sort of thing.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Mac OS 9 does not have any security.
Umm... it ships out of the box with all ports closed. If the web server you install on top is actually secure (as you say), then how can the OS be compromised remotely?
I'm not questioning that there is no local security, but if you've got physical access to the box anyway, most systems aren't very secure.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I don't mean to be flip but you sould consider buying a book or two. For example Postgres is a wonderful free database, with the ten thousand dollars you saved you could spend $100.00 on a couple of good books.
War is necrophilia.
Oh, I do buy books. But even so, I don't have time to read them all. It takes a lot of effort even with books to setup EVERY system that I use.
:)
I really love Linux. It's power, flexibility and open source philosophy is wonderful. But really, business people just don't have the time to read all of the books that it takes to configure all of the various parts of a Linux server. And small businesses can't afford to hire an expert every time that they need something done.
The answer, I feel, is to have configuration tools for the complete idiots. I know I would use them!
The race isn't always to the swift... but that's the way to bet!
Most business people I know (and I know a ton) know nothing, read nothing, configure nothing, install nothing. They hire people to do that for them. Most businesses with more then two or three employees rely on local consultants to manage their IT work. Bigger ones employ bigger companies.
And you know what manually configuring things is no longer required. With programs like linuxconf and webmin (especially webmin) any body can configure just about anything. Install webmin you won't be sorry.
War is necrophilia.