Slashdot Mirror
More Attacks on Linux than Windows
the special sauce writes "This vnunet.com article discusses the trend of attacks this year as compared to last. Over all, according to mi2g, attacks are on the rise. However, though attacks on Linux systems are up, attacks on Windows based systems have actually dropped dramatically when compared to last year. If the trend continues, by the end of the year, attacks on Linux systems may surpass attacks on Windows systems."
Of how the phrase "and if this trend continues" can pretty much turn otherwise useful statistics into a big mess.
You know, watching a puppy grow, you could say, "And if this trend continues, this will soon be a super-dog the size of Godzilla, and will devour Tokyo."
Funny, that never seems to happen.
Perhaps more attacks on linux could be occuring because it's more likely to succeed?
Anything is possible, even if not it's not probable. It could also be a result of Linux displacing windows in the server space. If there's 100 attacks/second, and windows' market share falls by 2% at the same time the Linux market share increases by 2%, then there will be a decrease in the number of attacks on Windows, and an increase in the number of attacks on Linux.
If this trend continues, then it logically follows that there will be no more Windows servers at some point in the future.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Firstly, I question the source on these studies. We are given no real details, only "the number of attacks is up from ~5000 all of last year to ~7000 half of this year". This is completely meaningless, as we don't know what kind of attacks, or anything about the sampling method.
Here's some critical questions of this study:
1. How was this data taken? What was the sampling method? What was considered an attack?
2. Of those attacks on Linux, how many were successful? What's important isn't the number of attacks attempted -- that is irrelevant -- but ratio of the number of attacks that succeeded over the number that were attempted: in other words, the probability that an attack will be successful. I bet on Linux, that number is way below 50% and on Windows -- '95, '98, 'ME, 2000, and XP -- its way above 50%.
3. Of the attacks that were successful, how many of them were because of Linux itself, and how many because of some poor application? Same question to Windows. This is a minor point. The OS should have control and prevent security lapses, despite how crappily third parties code.
4. What kind of attacks were these? Attacks is a very general word; there may be many successful minor attacks (i.e., crashing a system), but that's not as bad as a few successful major ones (i.e., wiping the entire hard drive of a system, stealing a credit card number, etc etc). In other words, how far into the OS did the attacks go. For Linux, a relevant question is "did the attack just breach a user's account, or did it penetrate to the root?"
5. There's a lot of different "brands" or "flavors" of Linux. This matters. You'd expect Corel Linux to have much weaker security than the NSA's release of Linux, or than (for example) RT Linux. Different releases of Linux ship with different security by default, and different extra security features.
6. What is being done about the problems?
Relating to 6, we can rest somewhat assured in terms of security for Linux, as its Free Software and/or Open Sourced Software. Well-known bugs will be fixed by someone, and if they aren't, an annoyed individual could always take the initiative.
What separates Linux from MS isn't just that its more secure, its also that bugs, security flaws, stability flaws, performance pitfalls, etc, are usually fixed much more rapidly than they are in MS.
Also, no one has mentioned the attacks on other stable OSS/FS software, such as OpenBSD. Somehow, I doubt there's been much success in attacking OpenBSD.
social sciences can never use experience to verify their statemen
These statistics make sense. More and more people are adopting Linux now. There are two main drivers for this trend: People hear that Linux is better and organizations don't want to pay Microsoft's draconian licence fees.
The real question is whether these attacks are successful. Unfortunately, while the number of Linux servers is going up, so is the number of people who own or administer these systems and who aren't security-aware.
I think it's in the best interest of our community to assist the newbies when they have questions about setting up their systems, particularly when it comes to security. I've seen too many newbies laughed at in the IRC #security channels or the newsgroups. We should welcome them and try to help them; otherwise, The Forces of Evil will start using the statistics of all the h4x0red and 0wned systems (due to ignorance on the part of the users) as FUD.
There is no doubt that Linux is now a mainstream alternative. Remember, though, that the hard part is not to arrive, but to maintain a leadership position. That's the difference between the Rolling Stones and the one-hit wonders. In order to maintain our leadership, we should work together toward making the community aware of the pitfalls, and the distro vendors should probably come up with a policy of "all services closed" and forcing the users to open them, not the other way around. Other people will probably add better ideas to these suggestions.
The real measure is not whether the attacks are on the rise; it's the number of successful attacks that we should be concerned with.
Cheers!
Ehttp://eugeneciurana.com | http://ciurana.eu
What counts as an attack? So worms don't count, or the number would be in the millins. Reported attacks? Those shouldn't count much because there is "little incentive for a company to report computer attacks.
Here's another story by the supposed source, but again, they don't at all define what they mean by "attack".
Why do people continue to point to bugtraq as the measure for "Which OS is more secure?" That is so far from the truth... The key thing you are forgetting is the "bug severity" factor. I would say that in general Windows has less bugs than Linux (On bugtraq) but those bugs are more servere. Thus in my opinion, Linux is still more secure. You are also forgetting that hardening a Linux box is much easier than haddening a Widnows box. I can make my Linux box very secure with very little effort. Example:
Turn off all services except ssh.
Please stop pointing to buqtraq and saying:
Windows has less security issues than Linux, therefore Windows is more secure than Linux.
Alright, aside from the facts the following statments people are making:
A) Linux use is growing
B) How many of these were really successful attacks?
C) What counts as an attack?
D) Studies from the group which conducted this one are questionable.
Clearly people are neglecting to give MS credit for some of it's accomplishments over the last year. One of the largest changes was the speed at which updates were made available and most of these through the windows update site. Now when new holes in their products were found, MS responded for the most part almost immediatly and patched up their code within hours/days and posted it up on for everyone to download. Also, they're working on making these updates even easier than before, anyone with windows 2000 who keeps on top of patches will notice that the interface has changed, you can set it to automatically apply security patches. Also another point is that people are finally realising that their computer will be far more secure if they just apply the latest patches.
Holes in Linux are not always patched up right away and lets face it, Linux code warriors can't always respond to a patch for each distro when ones found like MS can or distribute it as easily. Because they're a single entitiy, they have quite the advantage when it comes to communication and distrobution.
In the last year Microsofts efforts to patch up their software were far and beyond anything they have done in the past, and that is something Linux buffs won't easily admit to. Now, Palladium is a whole nother ball game mind you =)