Slashdot Mirror


Windows vs Linux On Security

e8johan writes "NewsFactor is running an article asking whether Linux really is more secure than Windows. I'd say that they fail to point out that Microsoft's Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."

447 comments

  1. Nice spin on the article by Anonymous Coward · · Score: 0, Flamebait

    You just had to throw in a "well if you stack the decks against windows and set the server up in a very insecure way...."

    Do you run OpenOffice/KOffice on all of your servers? Do you even install X? These are all additional security risks. I know, most people who use MS products are scum, but a few of them have figured these similar things out that you really really really smart Linux guys did.

    You and your other mindless Linux zealot buddies are why Linux will never be mainstream.

    1. Re:Nice spin on the article by Anonymous Coward · · Score: 0, Funny

      The thing is, cathedrals are inherently more secure than bazaars. This is in no small part due to the people that frequent each place.

    2. Re:Nice spin on the article by N3WBI3 · · Score: 5, Insightful
      Beyond this. The article refers to slapper, and the like. Many of which will not hinder a Linux system of your average user. How many people run apache with openssl on their system really? And of those people how many do not keep the revs up to date?

      My home box has Apache, but no ssl. I really don't need secure transactions that much; if I did I would keep it up to date just like everything else I use. Now let's look at Nimda: what % of people on windows use outlook/outlook express, and of these how many would not keep their system up to date?

      Point is one is a server daemon exploit (used by a very small % of linux servers (say 10-20% tops)), and one is a mail client exploit used by a majority of windows users (so there will be many more out of date versions per capita).

      --
    3. Re:Nice spin on the article by Anonymous Coward · · Score: 0

      "Hundreds of millions of people are SCUM!!"

      Bingo.

    4. Re:Nice spin on the article by metamatic · · Score: 1

      What's more, you can't remove Outlook Express from Windows. If you try, it copies it back from a secret cached copy. So Windoze worms can always count on a copy of Outlook Express being there...

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    5. Re:Nice spin on the article by Penguinoflight · · Score: 2, Insightful

      No man.. OpenOffice is a network application, so it could be a security risk, but KOffice is a single user application, and not at all dangerous. And unlike Win32, there's nothing wrong with XWindows that is consistent. It's so old, and written well enough, there's very few bugs. Remember, us "mindless Linux zealots" are the ones who really care about stuff, you don't. Everyone has their "Reason" why linux won't go mainstream, but they're usually fake, like this one. You're just not ready to learn another platform, so you curse it instead. Get a life.

      --
      "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
      1 John 4:14
    6. Re:Nice spin on the article by frankmanowar · · Score: 3, Insightful

      I thought the article didn't really stack the deck at all, in fact, it was very favorable to windows - it actually legitimized it (you motherless whore). When a security flaw is discovered in linux, a community of people work together to release a patch while a company that issues a distro/release works on their own patches. MS sits on known security issues for years without addressing them, doing damage to their customers and user base. Linux users don't pretend that there is no problem running X servers (or ttdbserver.rpc for you solaris people, holla *^_^*), they come up with solutions. MS has finally gotten around to releasing patches as they come out - but what about inherent flaws in the OS that are unpatchable - like the Windows Messaging system?

      No, Windows STILL sucks.

      -Frank

      --

      "Other bands play, but Manowar KILLS"
    7. Re:Nice spin on the article by Blkdeath · · Score: 5, Insightful
      > The thing is, cathedrals are inherently more secure than bazaars. This is in no small part due to the people that frequent each place.
      Why, because they don't let anybody peek inside?

      Because security through obscurity has worked out so well for Microsoft in recent years, hasn't it?

      While there may be a significant number of vulnerabilities that have existed in Linux applications (a rare few in "Linux" itself, I might add), they're almost always fixed in a timely manner. More than can be said for our Cathedral competitor.

      Moreover, the security model of even a relatively loosely secured Linux system helps prevent overall system damage and widespread deployment of such vulnerabilities. Consider the spread of CodeRed or Nimda compared to that of Slapper or Ramen. I'm no mathematician, but I do believe we're talking an order of magnitude in difference here. Before somebody reminds me for the umpteenth time that Microsoft is more widespread; let's concentrate on web server vulnerabilities. These guys disagree wholeheartedly.

      Also to be considered is the sheer number of updates that appear on the WindowsUpdate site with no big uproar, and the potential number that are buried deep inside their service packs (104MB for XP, 106MB Win2k SP2 with a 17MB "security roll-up" and subsequent SP3, etc.). With at least a quarter GB of updates to Win2k systems - that's a lot of fixes! The open source community is just a lot more ... open about the chinks in our armour, which gives statisticians a field day in coming up with reports and editorials about how bad off we are.

      Of course, were I to deploy a mission-critical server installation running Linux, I still have the ability to audit the entire codebase (or hire somebody/a team of somebodies to do it for me). With Windows, that's apparently possible, in a small part, and at a very large price (I understand that enterprises can purchase large chunks of the Windows codebase for a few hundred thousand dollars, but don't quote me on it.) on top of the expense in hiring the programmers. This is not to mention the fleet of tens of thousands of eyes always staring at the code of larger projects day in, day out.

      Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option? Of course not. Microsoft's bread-and-butter is having that GUI shoved in your face at all times with the Internet Explorer icon emblazoned on the desktop and etched forever into the back of your retinas. The Windows Scripting Host and VBS support are all part and parcel with their Master Plan to have integrated desktops with unified interfaces (remember, Microsoft server administration is aimed at monkeys, not trained professionals. (Disclaimer: This isn't to say there aren't talented Microsoft administrators out there, only a comment on the target market of the Windows point-and-shoot interface for servers)).

      Interesting to note, BTW, that Windows Professional and Server operating systems ship with RPC, Remote Registry Editing, Background Information Transfer Service (BITS), among other things enabled PER DEFAULT. Microsoft claims to be shifting their focus to security, but quite frankly, the default "Automatic" services list in Windows XP doesn't impress upon me a great feeling of security either.

      Remember too that Windows (both the 9x and NT trees) were designed to be single user platforms (the NT tree coming from OS/2 - a single user platform) with multi-user support kludged into place. Only recently is there some form of organization as to where users store their individual documents and settings, but the de facto software installation course sees users installing things throughout the root of the filesystem still, because that's the way it's always been.

      With a pretty basic set of hardening scripts (filesystem permissions, firewall rules, etc..) Linux can be made infinitely more secure than Windows, and I believe it will always be more secure if the administrators (behind both the Linux and Windows keyboards) are on the ball. Why? Because I believe OSS vulnerabilities will always be patched sooner, tested by a wider range of people, and applied sooner than the alternative closed-source Windows patches. Also, auditing a patch (diff) file is entirely do-able for one or two programmers in an afternoon - something that makes rapid mass-deployment of patches far more plausible, whereas in the Microsoft world the patch/update method is essentially "Test patch on several machines with similar configuration. If nothing breaks, apply it to the front-line servers."

      Morality and security wise, I think I'll stick it out with Linux and let the statisticians throw around all the numbers they want. I'm comfortable right where I am, thankyouverymuch.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    8. Re:Nice spin on the article by Anonymous Coward · · Score: 0

      What the FUCK does LOOL mean?

      Laughing Out Online Loud?

      []-[Do not respond with YHBT. YHL. HAND.]-[]

    9. Re:Nice spin on the article by xingix · · Score: 0

      Yes, but you have to run Outlook Express for it to be a problem. If it's just sitting there on your hard drive--- big deal.

      --

      Confucius says: Man who runs behind car gets exhausted.

      // jeku.com

    10. Re:Nice spin on the article by archen · · Score: 3, Insightful

      > Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option?

      Simply put, windows just doesn't have much functionality without a GUI, and many MS tools absolutely depend on it. Aside from that, strategically MS must focus on their GUI. Why? Look at the functionality of cmd.exe vs bash. When you take things to a CLI level, UNIX is far superior. And let's face it, many in the MS world are just afraid of the command prompt.

    11. Re:Nice spin on the article by Anonymous Coward · · Score: 0

      > (104MB for XP, 106MB Win2k SP2 with a 17MB "security roll-up" and subsequent SP3, etc.). With at least a quarter GB of updates to Win2k systems - that's a lot of fixes!

      That's because a service pack is basically the entire winnt directory's binary files all zipped up. It's almost the whole OS.

      > Only recently is there some form of organization as to where users store their individual documents and settings, but the de facto software installation course sees users installing things throughout the root of the filesystem still, because that's the way it's always been.

      Are you really a complete idiot, or does it just seem that way from your ignorance?

    12. Re:Nice spin on the article by Anonymous Coward · · Score: 0

      YHBT. YHL. HAND.

    13. Re:Nice spin on the article by shish · · Score: 3, Funny

      > That's because a service pack is basically the entire winnt directory's binary files all zipped up. It's almost the whole OS.

      What, *every* binary in the winnt directory has bugs?

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    14. Re:Nice spin on the article by N3WBI3 · · Score: 2

      To get nimda all you have to do is be on a nt4 (maybe nt5, I'm not sure) domain with a shared storage resource with an infected computer, outlook express is not even needed..

      --
    15. Re:Nice spin on the article by NineNine · · Score: 2

      > My home box has Apache, but no ssl. I really don't need secure transactions that much; if I did I would keep it up to date just like everything else I use. Now let's look at Nimda: what % of people on windows use outlook/outlook express, and of these how many would not keep their system up to date?

      Let's talk about servers, where security is REALLY important. I've never seen an NT/W2K Server with Outlook or Outlook Express installed. Nimda isn't a problem.

      Slapper is a hole designed for SECURE SERVERS.
      I'd say that Slapper is much more of a security problem than NIMDA ever was.

    16. Re:Nice spin on the article by N3WBI3 · · Score: 2
      Really, Nimda was not a problem for servers? It used IIS to propagate across the network, dimwit. Servers which had neither Outlook, or Express but were running IIS (ding ding ding A FRIGGEN SERVER TOOL) spread nimda to any network share it had open!

      Now MS is responsible for this because they produce IIS, apache has nothing to do with linux other than it runs on the OS.

      You want to talk about which is a bigger risk? Nimda would give administrator permissions to guest accounts and share all drives RWX (even on the IIS servers without outlook/express). The number of infected webservers using IIS was more than 100 times the number of Linux with slapper.

      Slapper otoh is used for DoS attacks and does not change permissions on any important data elsewhere in the system, it also does not augment user permissions on the server.

      If you wanna talk with the grownups get a clue

      --
    17. Re:Nice spin on the article by NineNine · · Score: 2

      Well, what I'm asking is what's inherently wrong with a GUI? *Should* server administration necessarily be difficult? Being difficult for the sake of being difficult is just stupid. On top of that, virtually everything in W2K can be automated now with WSH. I use a GUI with MS Terminal Services over dialup and it works great for me.

    18. Re:Nice spin on the article by archen · · Score: 1

      Nothing is inherently wrong with a GUI (I use one all the time), but realistically MS just can't compete on the CLI level, that's all I'm saying - just like Linux sucks with a GUI. Saying everything can be automated using WSH on Win2k is like saying anything can be automated on UNIX using Perl - it can be done, with a lot of power, but there's a learning curve involved for people who just want to automate something simple that they type - remember how easy it was to do a few things in batch files?

      And I really don't understand how using a CLI is difficult. On a server I generally see no reason to run a GUI at all. No one sits at the computer, it serves no purpose.

    19. Re:Nice spin on the article by Kjella · · Score: 3, Informative

      > With at least a quarter GB of updates to Win2k systems - that's a lot of fixes!

      Um... so they total up to it, but I thought every service pack contained all the fixes in the previous ones, so it doesn't really make sense to add them up. Not to mention it's a service pack for several Windows 2000 versions (though similar, I'm pretty sure a Win 2k Pro only would be smaller).

      Anyone have any numbers on how much a No-SP Win2k install really need to be up to date? (express download)?

      Kjella

      --
      Live today, because you never know what tomorrow brings
    20. Re:Nice spin on the article by abradsn · · Score: 1

      correct. If you don't know how something works. Then you will have a harder time breaking it. QED

    21. Re:Nice spin on the article by benhaha · · Score: 1

      Perhaps you could elaborate on the alleged unpatchable holes in Windows Messages?

      --
      NO ID: BEING FREE MEANS NOT HAVING TO PROVE IT
    22. Re:Nice spin on the article by Blkdeath · · Score: 3, Insightful
      > Um... so they total up to it, but I thought every service pack contained all the fixes in the previous ones, so it doesn't really make sense to add them up.
      Assuming a business has existing Win2k installations, they would have had to apply each of them as they were released in order to be up-to-date. The only people who don't have to worry about all of them are new installations, in which case they would only need to apply SP3 (if it works for them - I've heard a number of horror stories).
      > Not to mention it's a service pack for several Windows 2000 versions (though similar, I'm pretty sure a Win 2k Pro only would be smaller).
      Regardless, the codebases are doubtless very similar (just different branches for the additional functionality offered in each version). Enterprises would still download the entire service pack to apply it to each of their machines rather than performing the "express install", which is only "express" for one or two Win2k machines. When you have a dozen servers and three hundred workstations, one 100MB download is preferable.
      > Anyone have any numbers on how much a No-SP Win2k install really need to be up to date? (express download)?
      I remember when I installed a vanilla Win2k Pro not too long ago, it took (using the express download from windowsupdate.microsoft.com) somewhere to the tune of 150MB or thereabouts to get the OS up to date (including IE 6, Windows Media Player 7.1, all service packs, security roll-ups, and security/component updates released after the roll-up).
      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    23. Re:Nice spin on the article by Blkdeath · · Score: 2
      > correct. If you don't know how something works. Then you will have a harder time breaking it.
      Logical fallacy; not having the source code is in no way conducive to not knowing how that application works.

      Proof: the sheer number of exploits to all closed-source software.

      Here's to hoping you're being sarcastic!

      > QED
      Boy, is that ever over-used. ;)
      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    24. Re:Nice spin on the article by Black+Copter+Control · · Score: 3, Interesting
      > Well, what I'm asking is what's inherently wrong with a GUI? *Should* server administration necessarily be difficult?

      GUI administration is not necessarily more or less difficult than CLI administration.

      Knowing which menus you have to wind your way through to bring up the ipconfig utility is not any easier than just remembering the ipconfig command name. I, for one, have sometimes spent half an hour or more trying to remember what magical sequence of menus and options are required to get to the 'friendly' GUI display that I know is there, but I forgot to click on some obscure option 4 menus back. Navigating those menu options is like running a rat's maze. Anybody ever run into a user who never knew that you had to click on a folder to get the 'find file' menu in Win/95? Is this really easier than typing ' find -name "purple*" -size +50 '?

      Besides having to remember where to find the GUI commands, one also has to take into account that GUI interfaces inherently take way more resources than a CLI interface. If I'm in Atlanta for a conference and I find out that there's something wrong with my Linux server in Seattle, I can call in using my laptop's modem and fix the system from anywhere (even in flight). Trying to do the same with a Windows box pretty much requires me to have an ADSL connection. One also has to take into account the resources demanded on the Server end of things. If my server is already within an inch of crashing, the last thing you want to do is load it down further with a 50MB GUI that eats 15% of the machine's CPU. -- and if I want a 'user friendly' interface without the load of X, CLI interfaces can include menu-driven utilities that are about as easy to use as GUI interfaces, but cause 1% of the CPU load.

      There's also the question of scripting. If I have something that I'm going to be doing more than a few dozen times, I'll often write a shell script that does most of the work for me. Preferably, the script can just run entirely automated, then I can just run it as needed with cron or triggered by some other program. That's something that's a lot harder to do with a GUI -- and a lot less portable.

      Unix doesn't require one to use CLI solutions -- They're available as an optional tool. The availability of those tools is, I think, part of the reason why your average Unix admin can handle way more machines than your average Windows admin. GUI tools are also available to a UNIX admin, but I only use them when they're appropriate to what I'm doing.

      --
      OS Software is like love: The best way to make it grow is to give it away.
    25. Re:Nice spin on the article by Black+Copter+Control · · Score: 2
      > Perhaps you could elaborate on the alleged unpatchable holes in Windows Messages?

      I would, but Microsoft threatened to sue me for violating their EULA if I did that.

      --
      OS Software is like love: The best way to make it grow is to give it away.
    26. Re:Nice spin on the article by Anonymous Coward · · Score: 0

      Really nobody gives a crap about your personal opinion. The FACTS were that back in the mid 90s, entry level GUI (NT) admins were cheaper to hire and train than CLI/Console admins (Novell) for departmental and small office file/print servers.

      Thus the market went from 80% Novell/10% MS to 80% MS/20% Other in the low-end markets. Yes, Dorothy, you really can hire a $20K/yr idiot to successfully manage your fileserver. That's the core of MS's server market and they ain't giving it up to make you happy.

      Since then MS has steadily added more non-interactive and remote tools in order to target their product at the more sophisticated Unix market. The next version of NT Server will even boot (gasp) to a console.

    27. Re:Nice spin on the article by N3WBI3 · · Score: 2
      The reason *nix admins make more $$ is because we can maintain more servers than a windows admin. If I have to set up a network with 20 servers I can find one unix admin to take care of them (imho 20 is reaching your upper limit for an average admin). For 20 windows servers you're talking 2 **maybe** 3 admins, you're not that much cheaper.

      I also like the 80%/10%->80% other bs stat, I would really like to see a source on the number of servers active, I was under the opinion that in the server market Linux had about 20% market (I could be wrong), when you add SUN, AIX, HPUNIX, and now OSX, I'm sure there are others I don't know about that have a decent share, windows has much less than 80% of the server market.

      Now you are right that Windows has gotten a ton better, but for every two steps forward they take in software (I would use 2000 as a desktop and **maybe** for some server apps on a small (200 Clients) network), they take two steps back, imho, in terms of their EULAs. That being said I hope MS does fix its problems, 2000 was a decent server os.

      --
    28. Re:Nice spin on the article by Blkdeath · · Score: 2
      > Well, what I'm asking is what's inherently wrong with a GUI? *Should* server administration necessarily be difficult?
      A GUI does not automatically equate to an easier task of administering a server, but instead to a more mindless task. Administering a server via CLI is dead simple. For example, I needed to update my DHCP server's configuration to pass two domains instead of one to the client machines. So I SSH'd over to the server from my laptop, ran `vim /etc/dhcp/dhcpd.conf`, added the domain, and ran `killall -HUP dhcpd`.

      To perform the same procedure under Windows, I would have had to either walk over to the server and connect a monitor to it, or run something like VNC (or Terminal Services, which I won't run on principle), open the start menu, the sub-menu for the DHCP server, open the configuration utility, find then alter the setting, apply changes, close the applet, open Start - Settings - Control Panel - Administrative Tools - Services, find the DHCP server, open the properties, and re-start it.

      I would have had to think less, but do more and utilize about 98% more network and system resources to accomplish the same end.

      All of my installed daemons can be configured from within /etc, and most can re-initialize their configs on the fly with a quick hangup signal. I can easily distribute configuration changes and software updates across a large network of Linux/UNIX boxes with any number of available tools; or even run many servers via read-only NFS with only local /etc directories, which can make updating 1000 servers happen within hours, not days.

      The only supposed downside to administering a CLI system is that you have to actually know how it works before you can function. There are countless Windows administrators out there who feel that their experience with Win'98 makes them amply qualified to administer Win2k because the interfaces are similar enough.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  2. spelling error! by Squeezer · · Score: 0, Offtopic

    Come on slashdot editors. That should be "whether" and not "weather".

    --
    Does the name Pavlov ring a bell?
    1. Re:spelling error! by compwiz3688 · · Score: 1, Funny

      And I'm sure somebody would start making jokes about the weather on Linux is better than on Windows :)

      "100% chance of BSoD today", anyone? :)

  3. Security depends on many things. by Anonymous+MadCoe · · Score: 5, Insightful

    Which is more secure is such a hard question. UN*X is structurally more secure in many people's opinions. Windows also has the disadvantage that it has many clueless admins (even the certified ones). I think that's a big part here, any OS is as secure as the admin, a well managed Windows box can be more secure than a badly run Linux box... A proper comparison will be much more complicated than this article.

    1. Re:Security depends on many things. by Anonymous Coward · · Score: 3, Funny

      I know a couple MCSE guys that are "security experts". They think hackers use programs called "script kitties" to break into machines.

      Meow!

    2. Re:Security depends on many things. by Anonymous Coward · · Score: 0

      UN*X as opposed to *NIX (MInix, LInux...etc)

    3. Re:Security depends on many things. by monadicIO · · Score: 3, Informative

      In circumstances like these, I think the best metric would be to use averages. An average windows box is less likely to be well managed given the profile of an average windows user (not to say (s)he is less smart, just less of an OS/security geek). Add to this the bundling of dangerous products like VB-script enabled utilities, and the winbox (even corporate-admin managed) is a disaster waiting to happen. On the other hand, a *nix user is mostly a more sophisticated user with a little more understanding of security. I don't think it is possible to have a really completely fair and proper comparison of the two systems unless you only ask persons who use/admin both systems.

      --

      The law of excluded middle : Either I'm foo or I'm foobar

    4. Re:Security depends on many things. by Anonymous Coward · · Score: 0

      $ ls *NIX
      ls: *NIX: no such file or directory
      $ ls *nix
      Minix
      $ ls *nux
      Linux

    5. Re:Security depends on many things. by Ed+Avis · · Score: 2, Interesting

      'Structurally more secure'? What, with a single root account and no ACLs or capabilities?

      NT by *design* is much more secure than Unix, it's just the implementation and the apps (IIS, IE, Outlook, Office) which are royally screwed up.

      --
      -- Ed Avis ed@membled.com
    6. Re:Security depends on many things. by monadicIO · · Score: 5, Insightful

      Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?

      --

      The law of excluded middle : Either I'm foo or I'm foobar

    7. Re:Security depends on many things. by tres · · Score: 5, Insightful

      With a properly designed and implemented system of groups, there's no need for ACLs.

      Using SUDO beats giving ON or OFF Administrator privs to multiple people.

      I'd say that gives UNIX a much finer granularity of control than NT.

      NT 5 is catching-up with the "run as" command, but it's really only good for point-and-click administration.

      more control == better security

      --
      Notes From Under *nix: blas.phemo.us
    8. Re:Security depends on many things. by haruchai · · Score: 4, Informative

      There are kernel patches for ACLs for Linux filesystems, http://acl.bestbits.at/ and other Unixes also have it built-in. Solaris has had this for years.

      --
      Pain is merely failure leaving the body
    9. Re:Security depends on many things. by 1010011010 · · Score: 5, Informative


      You're right. NT, like its VMS predecessor, is more secure by design. It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine. Unix apps are written with the understanding that there are any number of users, none of which are root.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    10. Re:Security depends on many things. by Anonymous Coward · · Score: 3, Interesting

      If the old UNIX permissions bits are so much better than ACLs, why did Solaris and all the other commercial UNIXes switch to ACLs years ago?

      The suggestion that the old UNIX method gives more finely-grained control than ACLs is perplexing. The ACLs on NT and Solaris, for example, can perfectly simulate old UNIX permissions bits for software that uses them (both are certified as UNIX by The Open Group), but old UNIX permissions bits couldn't possibly simulate the typical permutations of ACLs used on, for example, NT systems.

      The big drawback of ACLs is they're so much more powerful and complex that they're often confusing and often overkill for simple systems (e.g. cases where Linux is commonly used).

    11. Re:Security depends on many things. by Anonymous Coward · · Score: 0

      > NT by *design* is much more secure than Unix, it's just the implementation and the apps (IIS, IE, Outlook, Office) which are royally screwed up.

      Have a read of the following article and then come back and see if you are still thinking the same way.

      http://slashdot.org/article.pl?sid=02/08/06/1828256&mode=thread&tid=172

      It shattered a few of my illusions about windows security.

    12. Re:Security depends on many things. by SerpentMage · · Score: 3, Insightful

      While that may be true, I think that is also what makes it more insecure. I have seen tons of documentation for programmers how to manage security. This means a programmer REALLY needs to know their stuff. In other words most programmers will not know their stuff. And as a result the apps are insecure. But the cause of the insecurity is not the app, but the OS because it is SO DAMM DIFFICULT.

      While UNIX security may be simpler, it did not take me a huge effort to understand.

      I use Windows and LINUX daily. My notebook is usually running XP and I have to say they screwed up security royally. The easy to use guides like "make available to shared users" actually opens your machine royally. The not shared locks everything down. But there is no middle. I had to go back to traditional NT security to twiddle how I wanted things.

      Here is why I am griping. I have a home network. And on this home network typically it is my wife and I. But sometimes I have friends come by with their notebooks. So they hook into my network. At that point I want per user security. Try to do that with the new "easy" to use XP security...

      It all boils down to the same thing. NT has better security, but it is so DARN difficult that managing it effectively is impossible.

      --

      "You can't make a race horse of a pig"
      "No," said Samuel, "but you can make very fast pig"
    13. Re:Security depends on many things. by kbielefe · · Score: 2, Funny

      Once they gain control of a system, do they use it to launch a DOG attack?

      --
      This space intentionally left blank.
    14. Re:Security depends on many things. by PurpleFloyd · · Score: 2, Insightful
      You're kidding, right? While SUDO may provide a finer granularity of control than granting admin privileges to a lot of people, ACLs are another way to increase the granularity of control.

      Say you want Joe from accounting to be able to access only a certain few files owned by the Engineering working group, for whatever reason. With ACLs, you could select specific files, and say that Joe has access to them. Without, you would have to either deny Joe access, give him total access to all Engineering files, or make copies for him.

      As you said, more control means better security. If you implement both ACLs and a SUDO-style "run as this user" system, you have more control than with either one. How is this not a good thing?

      --

      That's it. I'm no longer part of Team Sanity.
    15. Re:Security depends on many things. by secolactico · · Score: 2, Insightful

      Clueless admins are everywhere. With the advent of easy to install Linux distros (redhat, mandrake) there are people that simply do the default server install and that's it! Never mind shutting down insecure services or keeping up to date with security updates.

      I've personally met a couple of these admins, who believe that locking down a box means simply installing tcp wrappers for the telnet daemon. Makes me wonder if they even know about ssh.

      --
      No sig
    16. Re:Security depends on many things. by benhaha · · Score: 1
      --
      NO ID: BEING FREE MEANS NOT HAVING TO PROVE IT
    17. Re:Security depends on many things. by swv3752 · · Score: 1

      So how does setting appropriate users and groups not achieve the same thing?

      --
      Just a Tuna in the Sea of Life
    18. Re:Security depends on many things. by Anonymous Coward · · Score: 0

      > I'd say that gives UNIX a much finer granularity of
      > control than NT.

      ?! How so? Sudo is nothing more than a hack. It works, couldn't live without it, but it's a hack around the way *nix is designed. Try giving single people access to a resource on *nix with a default RH install...and a default NT install. Way easier w/NT.

    19. Re:Security depends on many things. by Asprin · · Score: 5, Insightful


      > Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?

      Amen, I wish I had a mod point to give. Along similar lines, didn't CDC claim that BackOrifice uses the same standard API calls as MS's own SMS to provide remote access? On second thought, maybe and maybe not.

      Either way, it seems to me that most of MS's security problems have less to do with the OS not doing its job and more to do with the fact that MS has designed every one of their products to encapsulate (arbitrary) code inside their data files so their developers have easier ways to hammer out apps.

      The problem is that the same scripting engine that lets Word (usefully) puke out mailmerged documents generated from a VB/Access app also gives virus authors a platform to attack. The fact that it's useful to combine code with data just means the platform is now ubiquitous, and therefore not going away because this is a fundamental design issue, folks. MS did this on purpose to make it easier to get computers to run code, and it can't be fixed by patching holes.

      To really fix this, MS would have to renounce this entire experiment and replace every copy of Win/Office/IE with new software that is less 'capable.' Those of you who are paying attention probably now understand Mr. Valentine's comments of a few weeks ago, as well as Microsoft's interest in shoving Palladium down everyone's throats.

      --
      "Lawyers are for sucks."
      - Doug McKenzie
    20. Re:Security depends on many things. by Ed+Avis · · Score: 4, Insightful

      The OS can compartmentalize resources so that if one app makes an illegal memory access, it doesn't crash the machine. The OS can limit access so that if one server is compromised, it can only screw up its own files and not the others on the box. NT does both these things (the latter with the ability to run a server as a particular user). However, no OS can do anything about deliberately stupid applications which choose to execute scripts stored in documents, for example.

      Well, I suppose it would be possible to run Outlook under its own user account or with a reduced set of permissions, so that it could access only its own mail spool and not the rest of the user's files. But that would really get in the way of typical usage. Perhaps if there were some way to allow small extensions of permissions a la Java ('Outlook is trying to save a file c:\foo.doc. Do you wish to allow this?' and press Yes if it's something you asked for, No if it looks like a worm doing something nasty). But AFAIK no desktop OS has ever done anything like this; all desktop apps run with the uid of the current user and have full access to his files.

      When developers make moronic decisions like auto-executing scripts in documents, it is not fair to blame the operating system. It is not so much Windows as the crap which festers around it (albeit coming from the same company). You don't hear about too many exploits in the Windows FTP server program (although surely there are some). Why not? Because FTP is a standard protocol and Microsoft haven't been able to set their monkeys loose on it and add insecure extensions.

      --
      -- Ed Avis ed@membled.com
    21. Re:Security depends on many things. by 0x0d0a · · Score: 3, Informative

      The problem is that there are a couple of issues:

      ** Out of box:
      Linux: used to suck hard here. Traditionally, ran lots of services. You were supposed to know what you were doing and close what you didn't want. Now, unacceptable for new users. RH 5.2 shipped with tons of services, which people found holes in quickly. RH 8.0 ships with far less running.
      Windows: Fewer services than old Linux, but too many things running as "root" like IIS. A ridiculous amount of holes in IIS compared to Apache. XP is supposed to have (finally) proper permissions out of box.

      ** Granularity:
      Linux: normal UNIX stuff. Getting ACLs. Not very granular at all. You have the framework to hack up just about anything you want with sudo and scripts, but it isn't there out of box, and it isn't standardized.
      Windows: Nice. You can say "sally and bob can read this file, and mary can only write to it but not read it." ACLs may not be fast or easy to examine for mistakes, but they're powerful and easy to use.

      ** Ease of screwing up:
      Linux: UNIX is pretty easy to examine for irregularities, suid binaries, etc.
      Windows: Just like VMS, it's a *bitch* to know if you have some series of permission errors that screw you over somewhere.

    22. Re:Security depends on many things. by PurpleFloyd · · Score: 2
      My point is that ACLs can do the same thing more efficiently and flexibly than creating specialized users and groups. While it is possible to work the POSIX 4-octal-digit permission system into something workable for almost any situation, you will eventually be pounding a round peg into a hole that's looking more and more like a square.

      While a full ACL system may not have been practical when the UNIX security model was first laid out, modern systems can handle ACLs with ease. For me, this is one major area where GNU/Linux really lags behind the competition (Solaris, WinNT). Quite simply, until the standard (unpatched!) Linux kernel comes with ACL support, and distributions include the userspace tools to manage them as standard, Linux won't be as modern an OS as many others.

      --

      That's it. I'm no longer part of Team Sanity.
    23. Re:Security depends on many things. by Karellen · · Score: 3, Insightful

      Compared to ACLs, the UNIX model of a single administrator with r00t access, and `everyone else', is simple. Very simple. The `setuid on execute' (with root as owner) for small, auditable programs (such as `passwd' and `su') that do simple things to allow people to do things requiring root capabilities (write passwd file, change to another user (including root)) couldn't be made more simple and straightforward unless you tried _really_, _really_ hard.

      And some competent sysadmins still get it wrong on occasion. It's rare, but they can.

      Stopping determined attackers cracking your system is hard, even if you have all the latest patches. The more complex your system gets, the more chances are that you'll miss something.

      The complexity of ACLs? I've seen the API docs(*) for them. That's just nasty. It's _too_ complex IMO for an admin (even a good one) to be certain of getting it right all the time. I'll take the simplicity of the UNIX way. I'm more confident of getting it right.

      K.

      *(Well, I've seen the MS ACL API docs, but MS have a habit of creating really shitty APIs, so there may be a better way)

      --
      Why doesn't the gene pool have a life guard?
    24. Re:Security depends on many things. by Anonymous Coward · · Score: 0

      "Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things? "

      And you think that Linux/Unix is any better than Windows in that regard? Brass tacks are that they both pretty much suck as a "secure OS".

    25. Re:Security depends on many things. by rutledjw · · Score: 2
      I think MS VP What's-His-Name would disagree with you.

      You remember that story, don't you? Or were you hibernating?

      --

      Computer Science is Applied Philosophy
    26. Re:Security depends on many things. by fwarren · · Score: 1
      It's not just the admins.

      I do not believe that there is any insecurity that could be discovered in a *nix system that could not be patched or replaced with something else.

      On the other hand, I believe that there are holes in Windows systems that are just not patchable.

      Then there are the things that are patchable, and it seems like there are updates every few days for those with Windows.

      Let's not even talk about current security holes Microsoft knows about, and is sitting on. Not telling their user base, and not correcting.

      --
      vi + /etc over regedit any day of the week.
    27. Re:Security depends on many things. by Ed+Avis · · Score: 1

      I think I remember the 'MS VP disses Windows security' story but I don't really take much notice of what Microsoft execs claim. This filtering applies equally whether they are promoting or disparaging their own software :-).

      --
      -- Ed Avis ed@membled.com
    28. Re:Security depends on many things. by rosie_bhjp · · Score: 2, Informative

      I think the kind of functionality you may be looking for is obtainable with systrace
      Or check out Niels Provos' page

      --
      A radio maverick jumps to internet only. The Future of Rock n Roll
    29. Re:Security depends on many things. by spruce · · Score: 1

      Maybe I'm off base here, but how many of the exploits really had to do with the fact that VBA and the script engine are integrated with Office? Sure, there were definitely several exploits, but I don't think it's nearly as many as were caused from buffer overruns in code.

      And I don't think they should change the platform design either. They should fix the security holes somehow. Automation of office is a HUGE feature for custom solutions, I've probably automated every single office product except for Powerpoint, most of them several times for different projects.

    30. Re:Security depends on many things. by Ed+Avis · · Score: 2

      Yup, I'm thinking of something a bit like systrace. But with a nicer interface.

      Imagine a GUI library with 'save' and 'load' mechanisms. (Preferably, ones like those in ROX, which is the only intuitive and non-ugly way to load or save files; but I digress.) The loading and saving user interface is actually provided by a separate process, which will grant the application read or write access to the file chosen, and only that file.

      In this way a lot of scripting holes could be avoided, and also nastiness with malware which sends data back to HQ or saves files in silly locations. But it's debatable whether this kind of setup is useful other than for paranoia value, since it's a much better answer to just not have executable code embedded in documents (or if it is, sandbox it in the application) and not run software for which you don't have source code.

      --
      -- Ed Avis ed@membled.com
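The broker idea in the comment above (a separate, trusted process shows the load/save dialog and hands the application access to the chosen file only) can be sketched with descriptor passing over a Unix socket. This is an added example, not code from the thread or from ROX or systrace; the function names and the sample file are constructed, and it assumes some other mechanism (a separate account or a systrace-style policy) denies the application's own open() calls.

```python
import array
import os
import socket
import tempfile


def send_fd(sock, fd):
    """Pass an open descriptor to the peer as SCM_RIGHTS ancillary data."""
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                           array.array("i", [fd]))])


def recv_fd(sock):
    """Receive the single descriptor sent by send_fd()."""
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
    if not fds:
        raise RuntimeError("broker sent no descriptor")
    return fds[0]


def broker(sock, user_choice):
    """Trusted side: open the file the user picked, read-only, and hand it over."""
    if sock.recv(4) != b"LOAD":
        raise ValueError("unsupported request")
    fd = os.open(user_choice, os.O_RDONLY)
    try:
        send_fd(sock, fd)
    finally:
        os.close(fd)          # the copy in flight keeps the file open for the app


def app(sock):
    """Untrusted side: it never learns a path, it only receives a descriptor."""
    sock.sendall(b"LOAD")
    fd = recv_fd(sock)
    data = os.read(fd, 4096)
    try:
        os.write(fd, b"tamper")
        could_write = b"1"
    except OSError:           # EBADF: the broker opened the file read-only
        could_write = b"0"
    sock.sendall(could_write + data)


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        chosen = os.path.join(d, "report.txt")       # constructed sample file
        with open(chosen, "w") as f:
            f.write("quarterly numbers\n")
        broker_end, app_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        pid = os.fork()
        if pid == 0:                                 # child plays the application
            broker_end.close()
            status = 1
            try:
                app(app_end)
                status = 0
            finally:
                os._exit(status)
        app_end.close()
        broker(broker_end, chosen)
        reply = b""
        while chunk := broker_end.recv(4096):        # read until the app exits
            reply += chunk
        os.waitpid(pid, 0)
        broker_end.close()
        with open(chosen) as f:
            unchanged = f.read() == "quarterly numbers\n"
    return {"app_read": reply[1:].decode(),
            "app_could_write": reply[:1] == b"1",
            "file_unchanged": unchanged}


if __name__ == "__main__":
    print(run_demo())
```

The access mode is fixed by the broker at open time, so a "load" grant cannot be turned into a "save" by the application.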
    31. Re:Security depends on many things. by rutledjw · · Score: 2

      Fair enough, execs as a group don't have a very good track record for honesty and ethics these days...

      --

      Computer Science is Applied Philosophy
    32. Re:Security depends on many things. by electroniceric · · Score: 3, Insightful
      Well, I think you hit the nail on the head with this:

      It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine.

      AFAICT, in terms of usability there is a profound unsolved problem here, which is twofold.

      One is that many (most?) end users just want to do stuff on their computer, and as such they _sometimes_ need to be the administrator, without really understanding permissions or security. Remember Steve Gibson's rant about how XP by default has raw socket access for all users (b/c they are root). Microsoft has opted to make them administrators all the time to avoid explanation to a million disinterested and disgruntled XP users why they can't install the educational software their kids brought home from school.

      A second, deeper problem affects both *nix and windows. The most serious threat in a compromised system is the loss of data, most of which lives in userland. But at least as far as I understand there's no clear way to determine what code and data to accept. Convenience dictates that stuff from outside the machine will need to find a home on your machine, while security dictates that it should at best be data only, and no code. As we move into a more networked world, this balance needs to be reexamined and retooled over and over. But I don't see *nix making great strides in that area, frankly.
    33. Re:Security depends on many things. by benhaha · · Score: 1

      What are these unpatchable holes?

      As far as I can tell, this is a myth, fast becoming an urban (or online) legend, based around an exploit using WM_TIMER and WM_COPYDATA to exploit a badly written third party service.

      Care to substantiate this? Am I wrong?

      --
      NO ID: BEING FREE MEANS NOT HAVING TO PROVE IT
    34. Re:Security depends on many things. by Anonymous Coward · · Score: 1, Insightful

      Do not -- ever -- bring up BackOrifice in a discussion about security. BackOrifice has nothing to do with system security, since it only works if it has the proper system privileges. BackOrifice only uses NT as it is designed. BackOrifice is not an example of a security problem with NT, as the same functionality is available on any OS.

    35. Re:Security depends on many things. by _Sprocket_ · · Score: 2


      > Do not -- ever -- bring up BackOrifice in a discussion about security. BackOrifice has nothing to do with system security, since it only works if it has the proper system privileges.


      Hold your horses. If BO/BO2k is able to do something unexpected, then it does highlight problems with the system's design. Granted - BO was more about exposing security issues than BO2k. BO displayed just how insecure Win9x is. BO2k was more a remote control utility than security demonstration.
    36. Re:Security depends on many things. by brad-x · · Score: 1

      This is something not even UNIX/Linux has achieved. Many UNIX systems now implement workarounds to programmer error, such as type enforcement and bounds checking done by the kernel itself. This is a new thing, not a legacy of UNIX security.

      The buffer overflow is still the number one problem for UNIX and UNIX like systems.

      System security is as much about protecting from malicious users as it is protecting it from careless programmers. You could say both sides of this particular "battle" have quite a bit of work to do before they implement a rock solid security strategy.

      --
      // -- http://www.BRAD-X.com/ -- //
    37. Re:Security depends on many things. by Anonymous Coward · · Score: 0

      old UNIX permissions bits couldn't possibly simulate the typical permutations of ACLs used on, for example, NT systems


      Think it through. Old UNIX permissions bits (specifically, groups) can implement exactly the same level of granularity as provided by ACLs, and vice versa. The tradeoff is which is easier to use in specific situations.
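The groups-versus-ACLs argument running through this sub-thread (Joe from accounting, "sally and bob can read, mary can only write", and the claim that groups give the same granularity) can be checked against how UNIX mode bits are evaluated. The following is an added example, not part of any comment; the users alice, erin and kim and the file names are constructed, and the model covers only r/w/x rights on a single file with one owner and one group.

```python
BITS = {"r": 4, "w": 2, "x": 1}


def _norm(perms):
    return "".join(c for c in "rwx" if c in perms)


def plan_mode_bits(acl, everyone_else=""):
    """Map {user: rights} onto one owner, one group and 'other', or return None.

    The kernel checks owner first, then group, then other. A file can therefore
    carry at most two sets of rights that differ from what everyone else gets,
    and one of those two sets can only belong to a single user (the owner).
    """
    other = _norm(everyone_else)
    classes = {}                      # rights -> users holding exactly those rights
    for user, perms in acl.items():
        rights = _norm(perms)
        if rights != other:           # same as 'other': needs no entry of its own
            classes.setdefault(rights, set()).add(user)
    ranked = sorted(classes.items(), key=lambda kv: (len(kv[1]), kv[0]))
    if len(ranked) > 2 or (len(ranked) == 2 and len(ranked[0][1]) > 1):
        return None                   # needs more than one owner plus one group
    if len(ranked) == 2:
        owner_rights, (owner,) = ranked[0]
        group_rights, group = ranked[1]
    elif len(ranked) == 1:
        group_rights, group = ranked[0]
        owner, owner_rights = min(group), group_rights
    else:
        owner, owner_rights, group_rights, group = None, other, other, set()
    mode = "0%d%d%d" % tuple(sum(BITS[c] for c in r)
                             for r in (owner_rights, group_rights, other))
    return {"owner": owner, "group": frozenset(group), "mode": mode}


def summarize(files):
    """Return (distinct groups an admin must create, files with no mode-bit plan)."""
    groups, inexpressible = set(), []
    for name, acl in sorted(files.items()):
        plan = plan_mode_bits(acl)
        if plan is None:
            inexpressible.append(name)
        elif plan["group"]:
            groups.add(plan["group"])
    return groups, inexpressible


# Constructed sample data: Engineering is alice and erin; joe and kim are accounting.
FILES = {
    "design.doc":  {"alice": "rw", "erin": "rw"},
    "budget.xls":  {"alice": "rw", "erin": "rw", "joe": "rw"},
    # Expressible, but only by making joe the file's owner, and an owner may chmod.
    "spec.doc":    {"alice": "rw", "erin": "rw", "joe": "r"},
    "payroll.log": {"sally": "r", "bob": "r", "mary": "w"},
    # Two multi-user audiences with different rights: one group slot is not enough.
    "plan.doc":    {"alice": "rw", "erin": "rw", "joe": "r", "kim": "r"},
}

if __name__ == "__main__":
    for name, acl in sorted(FILES.items()):
        print(name, plan_mode_bits(acl))
    print(summarize(FILES))
```

Every distinct audience costs an administrator-managed group, and a file with two multi-user audiences holding different rights has no mode-bit equivalent at all.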
  4. Article Summary by Sabalon · · Score: 5, Insightful

    Security problems exist - it may or may not be worse in Linux than windows...keep your systems updated regardless.

    C'mon...this was nothing but flamebait - nothing newsworthy there at all.

    About the only telling thing is the top line about MS turning towards spending $$$ towards security - perhaps that includes buying blurbs like this saying Linux ain't perfect either.

  5. Seeing Bugtraq postings about Linux... by Anonymous Coward · · Score: 4, Interesting

    From the article:

    Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

    This is probably true, but only because for Linux, every security vulnerability gets posted multiple times, once for each vendor that has released updated packages, plus once by the vulnerability discoverer (so you get one by the discoverer, and one by redhat, debian, mandrake, suse, turbolinux, grandmasfavouritedistro, etc).

    In contrast, with Windows, you only see a posting related to a single vulnerability twice - once by the discoverer and once by Microsoft.

    It appears to me if you count each vulnerability only once, there have been more Windows-related than Linux-related.

    1. Re:Seeing Bugtraq postings about Linux... by Bizzarobot · · Score: 1

      > In contrast, with Windows, you only see a posting related to a single vulnerability twice - once by the discoverer and once by Microsoft.

      ...separate sources, always in that order.

    2. Re:Seeing Bugtraq postings about Linux... by jandrese · · Score: 5, Insightful

      And sometimes only once, when the discoverer posts and then nothing from Microsoft. Heck, by this logic, the most secure system is the one where the vendor never ever acknowledges security problems, much less fixes them.

      --

      I read the internet for the articles.
    3. Re:Seeing Bugtraq postings about Linux... by GigsVT · · Score: 2, Insightful

      Also, for some reason a whole lot of "single site" or "very limited distribution" stuff gets on bugtraq.

      There are about 6 million php blog/message board packages out there, and 5.99 million of them are coded with no security in mind. I probably get 5 messages a week that are just some stupid SQL injection attack to fooPHPblogger 0.59 alpha.

      I'm sure that if you count all that stuff, Linux looks much worse off.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    4. Re:Seeing Bugtraq postings about Linux... by Blkdeath · · Score: 3, Insightful
      > And sometimes only once, when the discoverer posts and then nothing from Microsoft.
      I seem to recall a big uproar about Microsoft deciding not to further their efforts to release e-mail vulnerability/patch announcements, opting instead to have users frequent their websites to view the contents of the announcements.

      I'm subscribed to just about every Security Focus mailing list that has anything to do with security, viruses, bugs, incidents, events, etc. and I really haven't even seen many (any?) "Visit this URL for details" posts from Microsoft. I'd have to say that they've gone quite mum in recent months.

      Of course, when you stop announcing your vulnerabilities in an open forum, then threaten legal action against anybody else who tries to do it for you, that open forum will slowly start to tilt towards the other guys. Sure, Linux/UNIX application vulnerabilities (don't forget that Apache, Sendmail, and BIND still run on FreeBSD et al!) are more popular on the list - but that's because people aren't ALLOWED to publicize Microsoft vulnerabilities!

      I know that recent MS EULAs forbid people from disclosing benchmarks relating to the ".NET" suite of applications without Microsoft's prior consent - is it feasible that they've buried something in there about vulnerability disclosure as well?

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    5. Re:Seeing Bugtraq postings about Linux... by archeopterix · · Score: 1
      > Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.
      >
      > This is probably true, but only because for Linux, every security vulnerability gets posted multiple times[...]

      I think there is a more important reason for this. It's just easier to discover bugs, possible exploits and such having the source code. Notice the number of linux related bugtraq posts that are in the 'possible exploit/buffer overflow/bug found by analyzing the source' category. As to whether this means anything about open source being less secure - I don't think so. Windows bugs are there in place, they are just harder to find - you must probably do some reverse engineering or extensive testing to find them.
    6. Re:Seeing Bugtraq postings about Linux... by linuxelf · · Score: 1

      Not only that, but the majority of the messages talking about Linux vulnerabilities deal with small things, like ways to figure out if a user exists on a system, or ways to DOS a service, or exploits that only work if you already have an account on the Linux box. The Windows bugs, however, are more often remotely exploitable arbitrary code execution, major freakin' flaws.

      --
      - "That's just the kind of fuzzy-headed liberal thinking that leads to being eaten."
    7. Re:Seeing Bugtraq postings about Linux... by Anonymous Coward · · Score: 0

      The article draws the conclusion that it's because the Linux source code is newer than Windows. I don't know if the author came to this conclusion through his interviews with security "experts," but it wouldn't surprise me if he did (the vast majority of security consultants being outright frauds.) Linux has more Bugtraq posts because it's a hell of a lot easier to find vulnerabilities when the source code is public. The article was shit. Complete shit.

    8. Re:Seeing Bugtraq postings about Linux... by Anonymous Coward · · Score: 0
  6. Is this bad? by Anonymous Coward · · Score: 0

    D:\netstat -a |more
    Proto Local Address Foreign Address State

    TCP 09-96z:12345 09-96z.xxxx.com:0 LISTENING


    1. Re:Is this bad? by Anonymous Coward · · Score: 0

      That's Back Orifice or Sub7, I believe.

  7. I trust Linux's security implicitly by PhysicsGenius · · Score: 1, Troll
    I use it at home and I've never discovered a breakin. But when I tried to use it at work, I got shut down real fast. I have a high-sensitivity position at a Big National Laboratory (if you follow me) and our security needs to pass federal muster every 3 months. When I told the inspector that I was planning to install Linux to replace Windows 2000, he about had a heart attack.

    The inspector related that the government's tests had indicated Linux was pretty weak on security. Apparently they feel that the open (he called it "promiscuous") development model meant that there were no controls, verification or even logged history of who checked what in, meaning that terrorists or spies could have planted trojans in there. (He also had problems with the stability, but that's not really a security issue so he couldn't make me deinstall for that).

    Anyway, I obviously lodged a protest but it came right back with a stamp on it: "Linux is not being considered until the development model is safe." I guess they get a lot of requests like mine.

    1. Re:I trust Linux's security implicitly by Charlton+Heston · · Score: 4, Insightful

      I doubt the veracity of your story. The NSA has worked on a secure Linux distribution. The big laboratories were also pioneers on the Internet. They've had a lot of experience with that type of software development and your rubber stamp story doesn't fit in with that.

      --
      Get your stinking paws off me you damn dirty ape
    2. Re:I trust Linux's security implicitly by netphilter · · Score: 5, Insightful

      "Linux is not being considered until the development model is safe."
      Translated this reads: "I only know Windows so stop threatening me, for job security reasons we can't use Linux." Anyone that claims that the development model is unsafe is showing their fundamental misunderstanding of said development model. That would be the same as saying that the pharmaceutical industry's development model is unsafe. It's essentially the same model. OSS allows for peer review, which ALWAYS makes more secure software. Look at crypto algorithms for another example.

      --
      "Herbivores eat well cause their food never, ever runs."
    3. Re:I trust Linux's security implicitly by TheThinMan · · Score: 1

      Granted, a spy could place a trojan in the source but let's think about what is more likely - 'cause it's easier - get a quality black hat and hack in the good ol' fashioned way. Seems to me their risk analysis is rubbish/not being done/was outsourced to commercial interests.

    4. Re:I trust Linux's security implicitly by cioxx · · Score: 1

      > The inspector related that the government's tests had indicated Linux was pretty weak on security.

      Shenanigans. Nice story, but I have a hard time believing that.

    5. Re:I trust Linux's security implicitly by blibbleblobble · · Score: 3, Interesting

      "I doubt the veracity of your story. The NSA has worked on a secure Linux distribution"

      And the government told them not to do it again. It was 'harming American business by encouraging competition to Microsoft'

    6. Re:I trust Linux's security implicitly by Billly+Gates · · Score: 5, Informative

      Just because someone has a different opinion than yours does not mean he is wrong and you are right.

      Sometimes I find slashdot highly biased. I think the karma of your comment of +4 is a little too overrated since it's biased.

      Most highly secure military labs like the DoD use VMS because they have a license to see and audit the source code? I remember reading a comment earlier this year mentioning this but I do not know if it's true. I would not be surprised if the military uses their own operating systems for critical systems that handle nukes and keep track of military operations worldwide. You need a lot of certification to run an approved os with approved hardware. I believe c3 certification is required.

      1.) c2 certification is required.

      Yes, Windows2k and NT are c2 certified while Linux is not. What we need to do is fund a lab to make it certified. People who do government purchasing will not buy a system that is not c2 certified. I believe this was probably one of the reasons linux was turned down. I am aware of the fact that Microsoft's c3 tests were not connected to a network but that is really part of the certification process. Any server that is connected or has a floppy drive is automatically disqualified so please don't rant on this.

      2.) The second issue has to deal with the development model. The lab's security department does have a valid concern that you may or may not agree with. I too would rather trust a proprietary OS with a special license to look at and audit the source code or a homebrew OS for such a situation.

      They do not know who Linus is and yes it is possible that the government of China for example can add some worms or backdoors into it. Remember that China is standardizing on linux and maybe funding part of it and donating code!

      Yes, there is no security in the linux development environment, and no, having Linus decide which code gets patched in the kernel is not good enough for military use! The bsd crowd has been complaining about this for a while. They would like cvs to prevent someone from adding something to the kernel. I do not agree with this analogy but if there was a cvs tree with at least minimal security on who gets to commit and write, then it would not bother the security freaks as much. From what I heard, Linus still does not use cvs and just patches code he receives from email. I remember several commits by him in which he says he will never use CVS.

      The preference for Windows2000 however does not make any sense. It's all closed source and a few spies could actually work for Microsoft. You never know. If they can look at the code, then they can do an extensive audit. However like I mentioned above, win2k is c2 certified so that's why they use it.

    7. Re:I trust Linux's security implicitly by pellaeon · · Score: 1

      w2k c2 certified? Last I heard even NT 3.51+ wasn't certified due to the fact that MS inserted the GUI into kernel mode or something, essentially adding hundreds of thousands of lines of code to the 'trusted code base' and making it too hard to certify.

      I may be wrong, but if that's true then w2k certainly isn't c2 certified.

      --
      -- /bin/coffee missing. universe halted.
    8. Re:I trust Linux's security implicitly by Anonymous Coward · · Score: 0

      I think a key difference is that Windows 2000 is Windows 2000 is Windows 2000. If the DOD have reviewed the Windows 2000 code (which they obviously have access to), they know exactly what's in there, whereas with Linux there are considerable differences between distributions, and it's trivial for the machine owner to add further changes (since the source is readily available and buildable).

      If some guy installs Linux on his machine, they can't be sure what's running unless that machine itself is audited entirely, and re-audited every time the user decides to add/change something. Open source is a nightmare in secure environments.

    9. Re:I trust Linux's security implicitly by Tyreth · · Score: 1

      I'm disturbed you have a list of Conservative Christians on your freaks list and are so quick to share it.

      Care to explain your basis for putting those people on that list? Seems...wrong...to me.

    10. Re:I trust Linux's security implicitly by Anonymous Coward · · Score: 0

      Google found this: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/secureev.asp

      According to this link, NT4 was C2-certified, but C2 is now obsolete, and Windows 2000 is being evaluated under the new scheme that replaced it.

    11. Re:I trust Linux's security implicitly by netphilter · · Score: 2

      Ummm...you misunderstand. I'm the Conservative Christian...freaks are people who don't like me. Foes would be people that I don't like. You should probably read the FAQ.

      --
      "Herbivores eat well cause their food never, ever runs."
    12. Re:I trust Linux's security implicitly by supergiovane · · Score: 1

      I work in a small university. In our lab we have two PCs and two old Tru64 machines. Three of them (1 PC and the Alphas) are on the public network, while the last one is on LAN.

      When I told the network admins that I was going to install Linux, they 'suggested' that I install it on the only PC connected to the private network.

      I agree with them that a Win2k Pro box is more secure because it doesn't run any network server (So what the hell does it do on the public network? I don't know) so it can be defaced but it's useless for any attack on other machines (but I wouldn't bet on it). One of my friends is a net admin in another department and a few days ago had to shut down a Linux box because its owner had anonymous ftp turned on without even knowing it, and the box had been cracked. Many people approaching Linux want a workstation, or a desktop computer, not a server. Despite the efforts of distros to keep things clear, it's too easy for a newbie to have servers running without knowing it. Desktop people are also the kind of people who don't update their software. How many desktop people run Win* Server? None.

      Conclusions:

      • Networked Linux boxes in wrong hands are potentially harmful for the entire network stability, as would be Win* Server if it were as widespread as Linux.
      • A rigid network policy could limit the problem. (you must update your box, whatever your OS is, you cannot use Outlook, you cannot run telnet and ftp servers, no P2P, use strong passwords, and so on). Obviously as a user I'm in constant battle with administrators ( :-) ), but I don't think that limiting harmful programs and habits to keep the network secure and stable is a bad thing, after all.
      • The network admins should motivate every restrictive policy on a practical basis, and this policy should be coherent (Example: linux on public network is bad, even if it's an up to date Debian with only ssh daemon, while a 4 years old, unpatched Tru64 system with telnet and ftp servers listening is considered secure).
      • A well configured, updated and defaced linux box is harmful for the rest of the network, mainly because defacing that box is a work for experts, and experts know how to use a lot of Unix tools to harm the rest of the LAN.
      • While all my roommates' Windows PCs are constantly threatened by viruses and worms ('Antivirus? Yes, I installed it 6 months ago. Update? What are you saying, man?'), my Linux PC is happy and running without any problems.
      • Linux distros should include a 'dumbproof install' option. I propose a little knowledge test during the install process. If the user doesn't succeed in the test, he is precluded from installing servers, network management tools and in the worst cases even from logging in as administrator on his own box. After 'security through obscurity', 'security through disclosure' the new way is 'security through mutiny'. Ok, maybe I exaggerated.

      --
      Signatures are for stupids.
    13. Re:I trust Linux's security implicitly by ncc74656 · · Score: 2
      I'm disturbed you have a list of Conservative Christians on your freaks list and are so quick to share it.

      Umm...if I'm not mistaken, you don't put anybody on your freaks list. The freaks list is a list of everybody who's marked you as a foe. The poster is calling himself a religious conservative and is calling out those who disagree with him. (Personally, I'd prefer the label "charter member of the vast right-wing conspiracy." :-) )

      --
      20 January 2017: the End of an Error.
    14. Re:I trust Linux's security implicitly by Anonymous Coward · · Score: 0

      True story: boss installs RH default on an external box. AS HE DRIVES AWAY, box is rooted. Calls up coworker: "hey, can't ssh into the box. Can you check it out?" Hmmm...completely compromised. Maybe installing bind/sendmail/?! BY DEFAULT is a bad idea?!

    15. Re:I trust Linux's security implicitly by Anonymous Coward · · Score: 0

      I'm disturbed you have a list of Conservative Christians on your freaks list and are so quick to share it.

      Care to explain your basis for putting those people on that list? Seems...wrong...to me.

      He doesn't need to explain himself to you or anyone else. If he chooses to filter people who have expressed views he does not agree with, that is his right. Just because we have the freedom of speech, does not mean anyone is required to listen.

    16. Re:I trust Linux's security implicitly by Anonymous Coward · · Score: 0

      I like Christian Conservatives in general just fine. What I can't stand are holier-than-thou, ignorant, bigoted individuals. Which most of the Christian Conservatives I've met qualify as on every count. Sucks, but it's the way it is.

    17. Re:I trust Linux's security implicitly by Tyreth · · Score: 1

      Oh, shows how much I know :)

    18. Re:I trust Linux's security implicitly by Tyreth · · Score: 1

      Yeah that does suck. Especially since the Bible teaches that quite often it's the scum of the world that become Christians, not the best.

      I'm probably what you'd consider a Christian Conservative, but without the sickening pride I hope. Still, what I see is different to everyone else. I'm biased about myself :)

    19. Re:I trust Linux's security implicitly by vb.warrior · · Score: 1

      Conclusion:
      You really need to get laid.

  8. Geez by Hayzeus · · Score: 4, Interesting
    I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting

    These aren't exactly a part of the operating system, though, are they? Any poorly set up system will be vulnerable. I'm no huge fan of MS's bloated products and crappy license arrangements, but I mean, really...

    1. Re:Geez by liposuction · · Score: 0

      Okay.. but as far as operating systems with the browser built in, KDE and Gnome are just as bad as Windows.

      Wait.

      Um...

      --
      "Thoughts are more powerful than any weapon, and I don't even let my people own guns." --Joseph Stalin
    2. Re:Geez by Anonymous Coward · · Score: 0

      I wish more people would understand this, an Apache hole isn't a Linux hole, it may be a hole in the distribution that ships it, but it is nothing whatsoever to do with Linux.

      So let's count out the things that are not part of Linux, ssh, apache, wuftpd, etc and you are left with a secure multi user environment. Let's take out all the things from Windows that are not part of it and umm, you're still left with IE, Scripting host, no peer review, all the various holes that have been documented.

      any idiot can see Linux is clearly more secure.

    3. Re:Geez by DavesError · · Score: 1

      These aren't exactly a part of the operating system, though, are they?

      On that note, what is that you see most often on BugTraq when it comes to Linux? Applications! These are also not exactly part of the OS, as you say, but they are taken into account in this article while MS applications are not. Seems a little one sided to me.

    4. Re:Geez by Anonymous Coward · · Score: 1, Insightful

      Quibble:
      For many large Windows shops they are part of the base rebuild kit ... when your machine falls over, then most of the ghosted resets will include Office and VBA. So, they are de-facto part of the OS.

      Agree:
      You don't have to put all this in if you are looking to lock down a server box.

      The real issue is the ratio of how fast you add functionality to how fast you add security issues. At one extreme the box is running at runlevel 0 ... really secure. At the other extreme there is no security anywhere on the system -- think root w/ no passwd. Obviously we need to live somewhere in the middle. "Where" is the question.

    5. Re:Geez by javahacker · · Score: 2, Insightful

      Really, I think you miss the point. Most computers sold with Windows are also distributed with Office, and Outlook or Outlook Express. These are the biggest security risks on a Windows system. Sure, those things don't normally come on servers (although IIS does, big trouble), but most Windows installs are desktops, and are very vulnerable to email attacks. Most Windows systems are poorly set up, because they default to poor settings, which is part of the problem.

      Very likely the security reports mentioned about Linux also included any that were present on the applications that came with Linux, so how can you exclude security problems with pre-installed Microsoft applications. You can't have it both ways.

    6. Re:Geez by moderators_are_w*nke · · Score: 0

      Yeah, exactly. We're talking servers here. No one in their right mind installs this on their server, and even if it somehow got on your server, would you actually let anyone sit at a Windows server that runs the network (or whatever) and work on their spreadsheet? It would never get run.

      Neither Windows nor Linux is more secure - that's like which lock is more secure - neither if you don't fit them properly, and both if you do. It's totally dependent on who set it up and how. The question should probably be about which operating system is more easily secured.

      I'm gonna make myself unpopular here and say FreeBSD, because of cvsup and ports, but to be honest, the answer probably is the OS you know best is the one that's easiest to secure.

      --
      "XML is like violence. If it doesn't solve your problem, use more." - Anonymous Coward
    7. Re:Geez by Hayzeus · · Score: 4, Insightful
      Very likely the security reports mentioned about Linux also included any that were present on the applications that came with Linux, so how can you exclude security problems with pre-installed Microsoft applications. You can't have it both ways.

      I'm not trying to have it both ways. I would no more include past problems with Bind, Apache or WU-FTPD when evaluating Linux security than I would MS-Office when discussing Windows security. Nowhere have I said that I feel windows is particularly more or less secure than Linux -- In fact, using BugTraq reports as a basis for comparison is a fairly clueless means of comparing OSs for relative security. Not to put too fine a point on it, but comparing "Linux" to "Windows" is itself a meaningless exercise, since the two are not equivalent in any sense.

      The bottom line is that (as mentioned elsewhere) the weakest link in any system from a security standpoint is the operator of the system, period. If you want to make any kind of meaningful comparison, compare Windows against a particular distribution of Linux with an emphasis on securability. How easy is it to secure the system? How effective are the means provided? Then you might have a study worth reading.

    8. Re:Geez by jedidiah · · Score: 2

      They are bundled with the OS to make it effectively so. This is further enhanced by the fact that any competitors have been run out of the market for the most part. For a client installation, the comment is perfectly reasonable.

      You're the one that needs to get back in touch with reality.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    9. Re:Geez by jedidiah · · Score: 2

      What part of KDE or GNOME is in the habit of executing untrusted binaries from random sources on other networks?

      --
      A Pirate and a Puritan look the same on a balance sheet.
    10. Re:Geez by jedidiah · · Score: 2

      This notion of blaming the user is simply bullsh*t. An OS should act with a modicum of sense as it is configured out of the box. The default configuration SHOULD be sensible. If you expect idiots and hackers to use your box, you should architect accordingly.

      Unix makes these assumptions and works within them, Windows does not. Windows works under notions of "least effort required" and "sacrifice everything for convenience".

      Design matters. Construction of the default distribution matters. Both matter much more than the end user.

      An end user should need to work at making a default OS distribution insecure. It should not be the other way around.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    11. Re:Geez by Anonymous Coward · · Score: 0

      Ok -- I give up. Is this a riddle or something? Did the post you replied to mention KDE or Gnome? Hello?

    12. Re:Geez by AndrewGoat · · Score: 0

      Heh, it's Slashdot man. Zealot power!

    13. Re:Geez by Anonymous Coward · · Score: 0

      The Slapper and Scalper worms have nothing to do with the Linux OS either. RMS would say that Linux is just the kernel so how many exploits, especially remotely exploitable ones, have anything to do with vulnerabilities in the Linux kernel?

      This all gets confusing because your typical Linux distro contains thousands of additional applications while Windows contains practically none. Does that make Apache part of the Linux OS? All of those additional Linux apps are optional, but Windows says the web browser is a required, integral part of the OS. Should IIS, IE, and Outlook Express exploits be added in when counting Windows security holes?

    14. Re:Geez by Anonymous Coward · · Score: 0

      The fact that nobody bothers exploiting KDE or Gnome doesn't mean they are secure. They do share much of the same architectural issues as the Windows shell (integrated scripting, dynamic object loading, HTML previews, etc etc).

    15. Re:Geez by Lussarn · · Score: 2

      No one in their right mind would install a fully featured webbrowser on a server either.

    16. Re:Geez by jedidiah · · Score: 2

      Such comments are trivially true of any system and as such are completely meaningless.

      The elements of WinDOS that you bring up aren't the really problematic ones.

      A suitable exploit should not be difficult for someone that is motivated (by malice or community interest) to construct.

      However, I tend to use my personal experiences with other "marginal" operating systems as a guide. If there are exploits, they will be taken advantage of. Marketshare is meaningless. Such exploits will occur and expose the security problems in question.

      The "disinterest" argument is an absurd fallacy.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    17. Re:Geez by jedidiah · · Score: 2

      >>Okay.. but as far as operating systems with the
      >> browser built in, KDE and Gnome are just as
      >> bad as Windows

      "just as bad as Windows" == automatically executes random untrusted binaries

      --
      A Pirate and a Puritan look the same on a balance sheet.
    18. Re:Geez by jedidiah · · Score: 2

      Also, an apache hole is also potentially a WinDOS hole, HP/UX hole or Solaris hole. Many of the applications associated with Linux aren't merely run on Linux. Some even get run under Windows.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    19. Re:Geez by Anonymous Coward · · Score: 0

      Actually, I've seen more than a few IIS intranet apps that use Excel through COM to generate reports. (which is a stoopid design decision because xl is single threaded and will eventually hang the server)

    20. Re:Geez by Anonymous Coward · · Score: 0

      Bah -- the default config of Lotus Notes is easily exploited by a script 'virus'*, but there's never been one in the wild because there's minimal concentration of Notes users outside a particular institution.

      And yet Notes has approximately 10000x the installed base of say Evolution or KMail. You'd have trouble finding 2 evolution users in each other's address book even down at the NAMB^H^H^H^HLUG meeting. Yup, folks are disinterested -- Linux desktop exploits are less productive than popping your zits.

      Now, if all you were doing is scanning subnets and pulling down a skript for obscure platform X, then sure. But that's not how desktop-style attacks work.

      * fyi this isn't considered a bug because it could be stopped through policy.

    21. Re:Geez by Yosi · · Score: 1

      At one extreme the box is runing at runlevel 0 ... really secure.

      like this?

    22. Re:Geez by jedidiah · · Score: 2

      You're still WRONG.

      There are platforms that have had less marketshare than Evolution that had plenty of virii and such. Also, Evolution is likely installed in many places that it is not even used(much like Outhouse). If an application like Evolution is "reputed" to be is even installed, it's a security issue.

      Either your memory is growing dim, or you've just not been around long enough to know better.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  9. Basically.... by qurob · · Score: 1


    A network is only as secure as it is setup to be.

  10. security by Ashish+Kulkarni · · Score: 1

    if you want a really, really secure system, turn off all services and disconnect it from the network (oh yes, and protect the physical location too). that said, imho it is easier to install and maintain a reasonably secure Linux system than a comparable Windows system.

    1. Re:security by mustangdavis · · Score: 2, Funny
      Steps to make a system secure:
      1. Unplug all cables (Ethernet, keyboard, mouse, usb, serial, parallel, and power)
      2. Place system in lead crate, seal crate
      3. Encase lead crate in cement
      4. When dry, place crate at the bottom of the Pacific Ocean
      5. Lose coordinates of system location


      The moral of the story: As long as the machine is plugged into the Internet (useful and user friendly), it is not secure!
  11. weather Linux by Nighttime · · Score: 5, Funny

    Is this a new Linux distro I haven't heard about? Is it Debian-based like Storm Linux was?

    --
    I've got a fever and the only prescription is more COBOL.
  12. There's three kinds of lies... by Jack+Wagner · · Score: 3, Insightful

    Lies, damned lies and statistics.

    Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

    Actually this is yet more hardcore evidence that the FSF and open source proponents need to shift to a more modern Extreme Programming model of development and away from their legacy "hacker working alone in a basement" methodologies. I've done this using a modified P2P client for real-time distribution of code amongst a team of 3 other coders over high bandwidth connections and it works out very nicely-even though we were all in different states at the time. It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

    This hits at the very heart of the Achilles heel of open source as it tends to be rather unprofessional and willy-nilly in its approach to development and project management which was fine back in the early 90's but suffers from severe limitations in today's modern and complex software development paradigm. Sure they make more secure software because it's easy to make an Xterm secure and not so easy to make a giant enterprise ERP package secure. Let's see these "experts" compare apples to apples sometime.

    --


    Wagner LLC Consulting Co. - Getting it right the first time
    1. Re:There's three kinds of lies... by dabadab · · Score: 3, Interesting

      Nice troll, modded highly.
      I highly doubt your statements and even more so that extreme programming would do any good to an open source project.
      And don't even get me started on how complex projects were realized in the "early 90s" (and even earlier) that managed to be successful without extreme programming.
      Sure, XP does have its place and it may work under certain conditions - but for a project where the developers are far away, do not know each other personally and don't have the spare time to work on the project at the exactly same time - it would do much more harm than good.
      (And finally I could cite Joel on extreme programming, but I don't because I suspect that you fully know that XP is not the holy grail of programming methodologies)

      --
      Real life is overrated.
    2. Re:There's three kinds of lies... by bLanark · · Score: 2, Insightful

      It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

      How interesting. Got anything to back it up?

      --
      Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
    3. Re:There's three kinds of lies... by MuValas · · Score: 2, Interesting

      Jack Wagner writes:
      It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

      Really? Have any links to real studies to point this out? Did you get the information from a friend of a friend, too?

      Sorry, my experience does not agree with you. A great team of four can *maybe* be faster than four on their own, but certainly not 10x the speed.

      Extreme Programming has some interesting points, some of which I have taken to heart, but in general it's just a way to sell books and consulting services. I was consulting for Chrysler while Kent Beck (the "father" of extreme programming) was working on the C3 project (the foundational project for extreme programming), and the project was not exactly the success story it's made to be.

      Like I said, some good ideas, but it isn't worth the religious status people have given it.

    4. Re:There's three kinds of lies... by rseuhs · · Score: 4, Insightful
      IIS runs less than 25% of webservers, Apache about 2/3.

      But, IIS has the far, far worse security track record.

    5. Re:There's three kinds of lies... by Anonymous Coward · · Score: 0

      ... and then there's mixed metaphors.

      "This hits at the very heart of the Achilles heel of open source" -- what? Is it the heart of the heel? Or the heart of the heel?

  13. Bug Counting Again... by theBraindonor · · Score: 5, Insightful

    Yet again, we find an article that points to the significant number of Linux bugs going through BugTraq. The turn-around time for the patch in Linux is usually quite fast. Commercial software makers are starting to sue individuals for disclosing security vulnerabilities.

    How many bugs for Windows have been swept under the rug? How many software vendors out there have patched security holes, and requested that their customers download the latest 'maintenance' patch?

    Just ask some of the truly gifted individuals in security what they think of security through obfuscation.

    1. Re:Bug Counting Again... by sirius_bbr · · Score: 0

      Actually, the author does not use the bug-count-argument to point security in linux/oss is worse than in windows/commercial software.

      From the article: "Just because software is closed and [most] people don't know there are security holes doesn't mean that security holes don't exist [or that] nobody knows about them. The security holes are still there."

      --
      this sig has intentionally been left blank
    2. Re:Bug Counting Again... by rmstar · · Score: 1

      As a matter of fact, I failed to recognize *any* point in this article. The author brabbles, quotes two sides, and... nothing.

      rmstar

    3. Re:Bug Counting Again... by 0xdeadbeef · · Score: 1

      Maybe that is the point. In the real world, things aren't so cut and dried, black and white, and charged with controversy. Windows has problems, Linux has problems, and they exist for different reasons. Maybe we should stop blaming each other and concentrate on how we can make sure that no software has these flaws.

      *Cue The Byrds song "Turn, Turn, Turn"*

      666'th post! Yea baby!

  14. Flaw in argument? by ebuck · · Score: 5, Interesting

    It seems that Hemmendinger argues that the newer the software, the higher the likelihood of bugs. While that argument sounds valid, it would only hold up under the following conditions.

    1. Both platforms stem from an equal amount of design history.

    2. Both platforms use technology of comparable complexity.

    3. Both platforms refused to make concessions in software integrity to deliver their products.

    4. Both platforms actively avoid known pitfalls in their chosen architecture.

    5. Both platforms remove flaws at approximately the same rate.

    None of these conditions (and I'm sure there are more) exist in the comparison of Linux to Windows making the "age" argument a very weak one.

  15. Depends on administrator by hatchet · · Score: 3, Insightful

    I think that most of linux's security risks are there because of administrators. They should only run services and modules that are essential, but nothing else.
    Administrators should have physical access to machine, so they can disable any kind of remote shell access. Do not run ftpd as root.. and so on. I think that would minimize security risks.
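
An added example, not part of the original comments: one way to check the point made in this thread (run only the services you need, and it is easy to have servers listening without knowing it) is to list TCP listeners from Linux's `/proc/net/tcp` and compare them with an allowlist. The sample table, the allowlist of port 22 and all function names are constructed for illustration.

```python
import ipaddress
import socket
import struct
from typing import NamedTuple

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# Columns used: [1] local_address (hex IP:port), [3] state, [7] uid.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    25        0 1005 1 0000000000000000 100 0 0 10 0
   5: 0A00000A:0016 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1006 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A  # kernel socket state for a listening socket

# Services named in the thread, for readable output.
SERVICE_NAMES = {21: "ftp", 23: "telnet", 25: "smtp", 53: "domain"}


class Listener(NamedTuple):
    address: str
    port: int
    uid: int


class Finding(NamedTuple):
    port: int
    service: str
    address: str
    uid: int
    exposure: str  # "exposed" (reachable from the network) or "local-only"


def parse_listeners(proc_net_tcp: str) -> list:
    """Return the IPv4 listening sockets found in /proc/net/tcp text."""
    listeners = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # Data rows start with "N:"; the header row and blanks do not.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established connections etc. are not listeners
        hex_addr, hex_port = fields[1].split(":")
        # The IPv4 address is a 32-bit value printed in host (little-endian)
        # byte order on x86, so repack it before formatting.
        address = socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))
        listeners.append(Listener(address, int(hex_port, 16), int(fields[7])))
    return listeners


def audit(listeners, allowed_ports) -> list:
    """Flag every listener whose port is not on the allowlist."""
    findings = []
    for item in sorted(listeners, key=lambda l: l.port):
        if item.port in allowed_ports:
            continue
        loopback = ipaddress.ip_address(item.address).is_loopback
        findings.append(Finding(
            port=item.port,
            service=SERVICE_NAMES.get(item.port, "unknown"),
            address=item.address,
            uid=item.uid,
            exposure="local-only" if loopback else "exposed",
        ))
    return findings


if __name__ == "__main__":
    # On a real host, read open("/proc/net/tcp").read() instead of the sample
    # (and /proc/net/tcp6, which uses a different address width).
    for f in audit(parse_listeners(SAMPLE_PROC_NET_TCP), allowed_ports={22}):
        print(f"{f.exposure:10} {f.address}:{f.port} ({f.service}) uid={f.uid}")
```
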

    1. Re:Depends on administrator by Anonymous Coward · · Score: 0

      Exactly. I think the underlying idea is that Linux can be more secure than Windows. Compared with Linux, there's very little you can do in Windows, as some average Administrator, to completely secure your operating environment.

      That said, Linux can also be a lot more insecure, but you really have to try to be insecure, unlike Windows, where you're just forced to be by default.

    2. Re:Depends on administrator by Anonymous Coward · · Score: 1, Interesting

      Have you done a recent redhat install? The majority of services don't give clear descriptions of their functionality. How should I (let alone an "Average" user) know what I do actually need?

  16. how does newer == less secure? by kubla2000 · · Score: 5, Interesting
    from the article:
    Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.

    um, I don't get it. How does newer == "less secure" in this scenario? Sure, the older an OS, the more time it's had for the kinks to be worked out of it. But doesn't method have something to do with it also? Linux is developed in an open and peer-reviewed environment. It's maturing much faster than windows. There's no reason to compare the two in the way the author's done. Faulty thinking on his part.

    What's also got to be factored in is the severity of the bug. A buffer-overflow that lets a cracker rm / is serious. A buffer-overflow that lets code run with the perms of the user owning the service in a chrooted directory is also serious, but much less so.

    The author also babbles about the volume of security-related issues on BugTraq... I'm not the first and I won't be the last to point out the rather obvious logical flaw here. If Bugs are getting reported and being quashed then they don't pose a threat any more. If the bugs aren't reported because a certain company based in Redmond Washington won't allow them to be reported... well, it's kinda obvious from there.

    That said, it is indeed encouraging to see more and more people concerned about security. I think the message is slowly being driven home.

    1. Re: how does newer == less secure? by Black+Parrot · · Score: 2, Insightful

      > Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.
      > um, I don't get it. How does newer == "less secure" in this scenario?

      Also, in what sense is Linux "newer" than any currently supported manifestation of Windows?

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:how does newer == less secure? by Planesdragon · · Score: 1

      How does newer == "less secure"

      The longer a software program has been out, the higher the percentage of known exploits is.

      'course, they're abusing the logic, since MS has switched just about every part of the OS since Linux came out.

    3. Re: how does newer == less secure? by Anonymous Coward · · Score: 0

      Windows XP is a direct descendant of Windows NT 3.51 which is older than Linux by several years.

    4. Re: how does newer == less secure? by spencerogden · · Score: 1

      Try again. NT 3.1 was released in 1993, NT 3.51 in June 1995. Kernel .01, 1991, Kernel 1.0 1994. This doesn't even bring up the fact that much of the software has been in development by the gnu project since the early 80s.

    5. Re:how does newer == less secure? by anshil · · Score: 1

      How does newer == "less secure" in this scenario?

      Don't need to push on that, the article is just blatantly false: Linux is either way older than windows. The first kernel was released in 1991, Windows NT started years later.

      --
      Karma 50, and all I got was this lousy T-Shirt.
    6. Re: how does newer == less secure? by Anonymous Coward · · Score: 0

      The NT 3.1 release in 1993 was the 1.0 version of the system. The 1.0 release of Linux was in 1994, so the ages are pretty close.

      The NT kernel itself was running in pre-1.0 form in 1989 or so, I think. The fact that Linux 1.0 was publicly available and NT 1.0 was not reflects the different development models.

    7. Re: how does newer == less secure? by Anonymous Coward · · Score: 0

      Grr, the less-than operator got removed even though I posted in plain text. Linux less-than-1.0 was public, while NT less-than-1.0 (1.0 = Windows NT 3.1) wasn't.

    8. Re: how does newer == less secure? by Black+Parrot · · Score: 1


      > The NT 3.1 release in 1993 was the 1.0 version of the system.

      I see that 'innovate' isn't the only thing Microsoft redefined!

      --
      Sheesh, evil *and* a jerk. -- Jade
    9. Re:how does newer == less secure? by SEWilco · · Score: 1
      Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.
      Notice the article separates "Unix" from "Linux" but lumps "Windows" as one entity. As if Linux did not gain from the design and experience of Unix, MULTICS...although DOS didn't until it began acquiring Unix accessories. I wonder if he's including the "X11 Window System" in the age tally with "Windows". Somehow I'm sure the version of Windows which is just an MS-DOS GUI would be separated from "Windows" if he seriously began discussing security. Of course, we also saw no mention of "VMS" and "Windows". Is there an expert in the press room?
  17. Some sort of joke, right? by Anonymous Coward · · Score: 0

    This must be some sort of joke. The best method of determining the security of a program is to have a team of experts go through every line of code and exhaustively consider the security risks of each block of code individually, and how it reacts with other code. It hearkens back to the introduction to Applied Crypto: given an infinite amount of monkeys and a safe with the plans to that safe inside of it, and all the keys to all the safes in New York, how secure can an operating system be if the only person who ever sees a block of code is the guy that wrote it? (Or something like that, sorry for the paraphrase.)

  18. It's not the OS by m00nun1t · · Score: 3, Interesting

    Just about every major worm, linux or windows, has used an exploit that's been patched for a few months or more. The admin is a far weaker link than the OS.

    Stating the obvious, I know, but whoever posted this flamebait article didn't think so.

    On another topic, the moves MS are making with their auto-update tools should put an interesting light on the security landscape. The previews of .NET server look pretty good in this area.

    1. Re:It's not the OS by rosewood · · Score: 2

      The problem with auto update is when they roll some EULA or a "feature" you don't want -- but too bad, it was auto installed.

      apt-get and up2date and Red Carpet all do a very good job of keeping Linux boxen bug free.

    2. Re:It's not the OS by Anonymous Coward · · Score: 0

      Personally I'm more interested in the default state of installation in the Windows .NET line of servers. Microsoft finally realized something, install nothing! IIS6 is not installed by default (thankfully,) and even after you install it it cannot do anything but serve static pages. All dynamic content capabilities must be added by an administrator. The same goes for file sharing, and basically every other service. We'll see how it fares.

  19. What timing! by Pedrito · · Score: 5, Insightful

    Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers. The only security problem found was with the version of wu-ftpd that I'm running.

    No problem, I thought, I'll just upgrade it. So, my first step was to download it from wu-ftp's ftp site, only to realize I was going to have to figure out how to build it (that was simple, except I kept getting two or three errors in the compilation. I'm assuming my gcc is out of date) and then how to install and replace all the existing stuff (I have no idea how, and I don't have time to learn it).

    So, I figure I'll go to RedHat, download the RPM and just install that. Which I do. Ran RPM to install it, no messages, try to FTP in, still running the old version. Shut-down and re-start, same thing.

    Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

    There's nothing I'd like more than to see Linux replace Windows on every desktop. When Linux is ready. Frankly, I don't think it is, and I think it's still got a long way to go. Sorry.

    1. Re:What timing! by Anonymous Coward · · Score: 0
      So, I figure I'll go to RedHat, download the RPM and just install that. Which I do. Ran RPM to install it, no messages, try to FTP in, still running the old version. Shut-down and re-start, same thing.

      I agree. Red Hat 8 really did improve on the interface and various aspects of the OS. The problem I had with it was the installation process. They should have made a more intuitive FileRoller for the average Linux Joe. I didn't have problems with it, but I'm pretty sure new people to Linux would without a doubt.

      MSI type of installer for linux. That's what's needed.
    2. Re:What timing! by tom.allender · · Score: 2, Informative
    3. Re: What timing! by Black+Parrot · · Score: 5, Funny


      > Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers.

      That's nothing - complete strangers do security scans on all my boxes every night!

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re:What timing! by Anonymous Coward · · Score: 1, Informative

      RH keeps the original version but just patches the program; the only thing that changes is the package name, from program.1.1-2 to program.1.1-6 or something. Debian also does it this way, I think.

    5. Re:What timing! by Anonymous Coward · · Score: 0

      Naw, that can't be.. after all, we're talking about the intellect of a properly credentialled "programmer with 23 years of programming experience" (as if someone might mistake that for "programmer with 23 years of sheep-fucking experience"). There's no way a "programmer with 23 years of programming experience" would have missed something like that!

      I mean, he's got "23 years of programming experience", that's as much qualification as anyone could expect. So be nice to the "programmer with 23 years of programming experience", he's had a tough day.

    6. Re:What timing! by smnolde · · Score: 5, Insightful

      You need FreeBSD to get you out of RPM hell. It takes far less effort to upgrade software on FreeBSD than it does with any RPM-based lunix distro.

      Getting out of RPM hell was the main reason I chose FreeBSD over lunix.

    7. Re:What timing! by Anonymous Coward · · Score: 0

      apt-get install wu-ftpd

      shit, that was hard. must've taken a good minute per letter. hmm.. still on 23 minutes. damn, i just can't get to be as retarded as you. Oh well, maybe with another 18 years programming experience I'll get there.

    8. Re:What timing! by CrosseyedPainless · · Score: 2

      Regardless of how many years of programming experience you have, some of the things you say indicate that you're just not ready to be a server admin.

      (I have no idea how, and I don't have time to learn it).
      Shut-down and re-start, same thing.

      If I had to guess, I'd say you have a lot of Windows experience, and you just assumed your skills would transfer.

      Bottom line: if you can't set up an FTP server, you probably shouldn't be running an FTP server. I know, Windows would let you set up anything you want, quickly and easily, whether you understood what you were doing or not, but that's part of the problem.

    9. Re:What timing! by mgpeter · · Score: 1

      The problem you are seeing is not with Linux in general, it is with the different Distributions.

      Red Hat should be responsible for supplying you with an update if in fact you paid for your copy. If they aren't, send them an email, and I am sure that an updated RPM will be released.

      Currently no Linux Distribution can afford to update all of their releases, but this is changing. Distributions are starting to wait longer and longer between releases (which is a good thing), and the Linux apps are actually maturing to stable - just look at OpenOffice and Mozilla.

      Once the Linux software becomes more stable, the distribution companies will stick with one version and update it like Microsoft is currently doing with windows.

      Patience is a virtue !

    10. Re:What timing! by Anonymous Coward · · Score: 0

      Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

      Why would you consider an FTP server a "simple application"?

    11. Re:What timing! by Anonymous Coward · · Score: 0

      You must be kidding! I am 15 years old and I replaced my Apache 1.3.23 with 1.3.26 when the worm came out a few weeks ago... It took 1 hour and a half, and there was about one hour 15 mins of compilation and downloading sources.
      Seriously, if you can't do that, I won't buy your 23-years-experienced coding software.
      In case you haven't found out yet, you just go to the package manager, remove wuftp and then get the new sources or RPM (as you like) and compile or install the new version...
      Geez!

    12. Re:What timing! by Pedrito · · Score: 2

      Look, plenty of you have chastised me with your excellent experience in how to do something that I'm sure, for someone who uses Linux all the time, it's simple. The fact is, I don't use Linux every day. I set it up as my gateway not because it was easy but because I trust it more than I trust Windows as a gateway.

      To the person that commented that I shouldn't be a system admin, you're right, I shouldn't be and I don't want to be. I'm a programmer.

      I managed to get the machine set up, get it configured to run Squid, SSH, and wu-ftpd. I even got IPTABLES up and running (somehow, God, I can barely figure out how to do anything with IPTABLES).

      You're absolutely right, I don't want to be a system admin. I don't want to be an FTP server admin. But to be able to update a piece of software should be simple and straight forward. I can upgrade almost any piece of Windows software easier than I can in Linux. That's just a fact. You run the setup or install program, and poof, it's there.

      My point is, until Linux can do that, Mom and Pop aren't going to be using it. I don't care how secure it is.

      I don't have time to learn how to be a Linux system admin, and frankly, I shouldn't have to to upgrade a single software package. I have a full-time+ job as a Windows developer that pays my bills.

    13. Re:What timing! by Cytlid · · Score: 4, Insightful

      Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

      Ok, I was getting ready to flame you for this... but after reading all the other replies, I thought not. I think the biggest problem people have, either on the Windows or Linux side, is living in a paradigm. Like it or not, you're most likely living in a Windows paradigm. You like the way it works, it's "easy" for you, you program in it. You promote and spread the Windows paradigm. The Linux Paradigm doesn't fit you all too well... I'm probably the opposite. Yea, I've been using Windows for years, and I'm used to it, but I honestly think I fit better into the Linux paradigm. (Read: if I were adminning a Linux server, trust it better than if I were adminning a Windows server.) I *know* I should hone my skills in Windows administration, but without really good (free, available) documentation... it's not possible unless I spend all kinds of money. Only thing I can hope for is to pick up tips from people I know are Windows Admin gurus. I think this whole debate is a matter of realizing where you stand. The people who see clearly in both paradigms will be the ones ultimately winning.

      --
      FLR
    14. Re:What timing! by Deagol · · Score: 2
      Ditch wu-ftpd. For minimal setups, use proftpd, and for more complex needs, use pureftpd. Search freshmeat for both packages. Use iptables and wrappers accordingly, too. And if you're industrious, throw in a chroot config and use the grsecurity patches to thwart the majority of buffer/stack/overrun/etc. attacks.

      Security is like an ogre -- it has layers! And updating your RPM/package is only the first, most minimal, layer.

      I still wouldn't use wu-ftpd if my paycheck depended on it. :) Just my opinion, of course.

    15. Re:What timing! by messiertom · · Score: 2, Informative

      Dude, you're getting Mandrake!

      RedHat is the real RPM hell. Mandrake is RPM heaven. I don't know about any of the other RPM distros, though.

      With Mandrake, it's easy:

      urpmi wuftpd

      It will ask me if it's ok to download all of the other dependencies, so I enter "Y", and voila.. it downloads and installs them (assuming that your urpmi source lists are synched properly - it's not a bad idea to have a cron job to do 'urpmi.update -a' at 3 AM or so)

      Debian's apt is very nice as well, but Debian's not right for everyone (in actuality, no distro or even OS is right for everyone, despite what FUD-flinging says). If you use Mandrake though, you can still fall back to the old rpm -ivh and install non-official packages (there are a lot of rpms out there, especially on SF)

    16. Re:What timing! by croftj · · Score: 1

      They will let you set up anything but an ftp server that is. Show me an out of the box windows OS with an ftp server in it!

      That is how they make their ftp servers so secure!

      --
      -- Many men would appreciate a woman's mind more if they could fondle it
    17. Re:What timing! by Random+Walk · · Score: 2
      Have installed FreeBSD. Downloaded the ports tree. Tried to install the first port. Error message: out of free inodes. (Fixed it by deleting major parts of the ports tree).
      FreeBSD's ports system takes a huge amount of disk space, and takes away countless inodes which apparently are a scarce resource in FreeBSD's filesystem.

      On the other hand, my Debian installation is rock-solid, was the only Linux distro that figured out the X server configuration properly, and software upgrades are as simple as 'apt-get install xyz' ...

    18. Re:What timing! by Shelled · · Score: 2
      So? In contrast, from an xterm in Gentoo I typed 'emerge pure-ftpd' and had a stock ftp server up in five minutes with no other intervention. Your experience is an example of failure of one implementation of a third party app in one distribution using one type of package manager. It's a RedHat failure, not a Linux failure. My Windows TV card software won't play full screen, something XAWTV does handily in Linux. Is this a Windows failure?

      Incidentally, it sounds like wu-ftp installed twice and your start script/command is still pointed to the old version. Running rpm with the query switch will tell you where the new version was installed.

    19. Re:What timing! by ibennetch · · Score: 1

      You run the setup or install program, and poof, it's there.

      poof is right - I've run many 'updates' on windows that either messed up the original install (ie. resetting to a default config) or left behind the old version; only installing a new version on top of the old....leaving dlls, exes, and other files that I can't safely delete because I don't know what's old and what's new.

      windowsupdate takes the cake though. I went to windowsupdate.com to install the ie patch of the week; rebooted, and...my registry was corrupt. I still haven't managed to fix the problems it's caused, and this was over a week ago.

    20. Re:What timing! by ibennetch · · Score: 2, Interesting

      Show me an out of the box windows OS with an ftp server in it

      windows 2000 advanced server. I've got it running because I'm doing some development work on the side and they want me to have the same OS as the servers have. I'm not a windows admin by nature but know my way around a server pretty well. the windows FTP service starts by default; as well as http, nntp, smtp, and probably many others I don't know about - the point being that yes, windows does start BY DEFAULT with all these services running. Granted, it is a server OS but still; not the most secure way of doing things...

    21. Re:What timing! by Pedrito · · Score: 2

      My argument was never towards the stability or security of Windows. In fact, I used Linux because it is more stable and secure, as a gateway to the internet. My argument was for ease of use.

      In a similar vein to your Windows experience, I wanted to enable my kernel to act as a gateway. What did I have to do? Recompile the kernel, of course. Granted, this is not something Mom or Pop would do. In Windows XP, I would simply check a checkbox under networking. After 10 or so reconfigs and recompiles, I finally got a bootable kernel. That ain't ease of use. I had an unbootable machine until I got it right.

    22. Re:What timing! by ibennetch · · Score: 1

      I agree that kernel compiles aren't very pleasant. I tried to do this - not once but twice - to get my scroll wheel mouse working, this was a year or two ago under RedHat...I never did get the kernel options right and just gave up on having a scroll wheel under linux. I understand that kernel modules are being used in some cases to get around this but don't know as much about using them as I should. I don't mind having to install something; I don't mind having to download something - but recompiling the kernel to get my mouse scroll wheel working is definitely not, as you say, for Mom and Pop to be using. They have enough trouble using windows ME...

    23. Re:What timing! by swv3752 · · Score: 1

      You mentioned earlier you installed the fresh RPM; was that rpm -i or rpm -U? Big difference, as one will have two concurrent installs of a package (at least sometimes, depending on the package).

      The other one, at least in Mandrake there are these friendly wizards that will set things up for you, or you can use webmin. I use webmin to set up apache, very slick. I also used the Mandrake Control Center to set up the box as a router.

      --
      Just a Tuna in the Sea of Life
    24. Re:What timing! by Anonymous Coward · · Score: 0

      I'd have to agree. If you're already talking about compiling from source, it's much better to go with proftpd. It didn't take more than a few minutes to read the documentation and get it installed. It's also very flexible in the setup - well worth checking out.

    25. Re:What timing! by Some+Dumbass... · · Score: 2

      Look, plenty of you have chastised me with your excellent experience in how to do something that I'm sure, for someone who uses Linux all the time, it's simple. The fact is, I don't use Linux every day. I set it up as my gateway not because it was easy but because I trust it more than I trust Windows as a gateway.

      What happened to those "23 years of computer programming experience"?

      Saying stuff like that is why you're getting so thoroughly flamed. Lots of people within the Linux community support simpler ways to configure programs and dislike RPM. But here you are running a server and claiming to be highly knowledgeable because of your years of programming experience, yet you're having trouble with fairly simple tasks (upgrading an RPM package, stopping and restarting a program).

      Basically, you shouldn't claim to be an expert when you're not. You did exactly that, and now you're being flamed for it. In reality, you're a Linux newbie trying to do something moderately hard (admin web/proxy servers). Okay, so there's nothing wrong with being a newbie. Everybody has to start somewhere. But instead of admitting it, you've pretended that you're so knowledgeable that any problems you have are Linux's fault. You don't know Linux, and you apparently refuse to learn it, so you're going to have problems. Tough. If I tried to admin a Windows 2000 FTP server and refused to learn Windows 2000 I'm sure I'd have the same problems. To use a new OS, or even a new application as complex as a proxy server, _you have to do some learning_.

      I don't have time to learn how to be a Linux system admin, and frankly, I shouldn't have to to upgrade a single software package.

      As a side note, if you don't know why you sometimes have to upgrade packages (i.e. to fix security bugs!), and you don't want to learn to be a Linux system admin, then please don't be one. FTP servers are particularly likely to get broken into, both because the protocol is entirely plain-text, and because some of them (like WU-FTP) have lousy security records. If you're going to put a server on the internet, but you don't have this knowledge, then please don't do it. Your server will soon be yet another cracked box being used to attack my system. If you don't want to be a system admin, or an FTP admin, then I'm certain that your FTP server will get cracked.

      Let me give you a little perspective. My brother has had a Windows 98 system since 1998, and I still have to explain some pretty basic stuff to him. He couldn't find a way to install separate e-mail programs for himself and my mother, for example. Changing the installation directory is apparently beyond him. And he knows _way_ more about computers than my mother. She can't even install programs. With that in mind, I'd like to point out that running servers isn't a "Mom and Pop" sort of thing by any stretch of the imagination. It is an advanced skill, if only because of the need for security. Trust me, running an FTP server/SSH server/Squid proxy is way beyond that.

      Given your problems with Linux, and your unwillingness to learn Linux, my first response would be "use the OS you know - use Windows." But frankly, I'm not sure that will help. You want to run servers on your gateway system. Why not run them behind your gateway? If you want one for remote administration, why not just run ssh (and not WU-FTP)? Do you understand that you'll need to install patches (aka "upgrading programs") when security bugs are found? (OpenSSH has had a lousy security record as of late). Frankly, you sound like you know nothing about security. Even if you used an OS you're more familiar with, I bet your gateway would get cracked. There's no such thing as a "set it up and leave it" server, not on any OS.

      My advice: Learn about security first, then run your servers on whatever OS works best for you. Please, please take my advice. After hearing so many disparaging things from so many Linux users, it's easy to say "Another case of the hostile, newbie-unfriendly Linux community" and just ignore this advice. But it's good advice, and it's coming from someone who obviously knows more about this topic than you do. So please, take it!

    26. Re:What timing! by gmhowell · · Score: 2

      This must be some new version of RH I don't know about. Every stock kernel I used from 5.0 up through 7.3 had the ability to do NAT and firewalling builtin. Ditto the reply about scroll wheels. Nothing to do with kernel compiling. Unless you count my Gentoo install (and I don't:) I don't know when I last recompiled a kernel. Oh, wait, I did have to compile the NVidia modules.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    27. Re:What timing! by gmhowell · · Score: 2

      I haven't used Mandrake since it was basically a 'search and replace 'Redhat' with 'Mandrake' and compile for i586', but 'up2date -u' would automagically update all of his packages on red hat. Similarly, 'up2date wu-ftpd' would have updated just that program.

      Trust me, he couldn't have figured out Mandrake either. He would have had to do the same thing he didn't do with RH: RTFM.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    28. Re:What timing! by Herkum01 · · Score: 1

      (I have no idea how, and I don't have time to learn it)

      When it comes to the windows world, the above statement says it all.

    29. Re:What timing! by davidsansome · · Score: 1

      RPM updates are easy with Mandrake: urpmi wu-ftpd

      --
      -- Wibble
    30. Re:What timing! by Anonymous Coward · · Score: 0

      I bet he shut down and restarted the service, not the system, you moron.

    31. Re:What timing! by ShavenGoat · · Score: 1

      If you are running out of inodes, you should consider putting /usr/ports onto its own file system. When you create this file system, make sure you specify additional inodes during the creation. The drawback to additional inodes is reduced disk space.

      You should be using separate file systems for each major partition anyway (/,/usr,/tmp,/var at least), but I suspect you just put everything in /, which is bad.

      You don't have to use the ports anyway, since pkg_add -r will retrieve the package for you for your release. If you are running -stable, pkg_add -r will always get the latest binary package (and its dependencies for you).

      This makes FreeBSD easy to keep secure. The only time I've had an updated FreeBSD machine broken into was through ftp. No one should run ftp anyway, as it is a flawed protocol.

    32. Re:What timing! by timster · · Score: 5, Insightful

      The problem here is that what you were doing was not "desktop use", but for some reason you extend your experience to desktop use. What you were doing was clearly server administration. I don't hear anybody telling me that Windows isn't a good desktop OS because the DHCP Manager isn't intuitive (which it's not, unless you understand DHCP). Server administration is always going to require skills, and whatever other skills you may have you have no skills in Linux server administration.

      As for your experience, you made a number of mistakes that anyone who knew what they were doing (as a Linux sysadmin would) would never make. First problem was thinking you should go to the wu-ftpd website and try to compile the software yourself. Unless you have some tremendous reason to do this, you need to go to your distributor in all cases, since their installations are customized in numerous ways that you have probably come to expect. Second mistake was expecting an RPM to restart the service for you (RPM's don't really go for pre/post-install scripts, see Debian for that).

      The third mistake was the worst, as it totally ignores the whole purpose of your distributor. Development groups (like the wu-ftpd group) generally attach security and bug fixes to new versions, since they usually prefer to work on one codebase. However, your distributor should never upgrade you to a new version that changes any functionality unless you change the version of the distribution, since a given version is supposed to be stable. So, as every Linux sysadmin in the world knows, Red Hat doesn't just toss the thing into an RPM and throw it out there. Rather, they take their existing codebase (which as I said, is usually patched in several ways) and apply the security fixes to _that_. And everyone knows this because it is _clearly_ _documented_. If you are running a server (ftpd is not a desktop app) then you need to follow the security updates for your distro, which will quite clearly explain what patch level fixes what holes.

      My advice to you is to either: remove all the server programs from your system and use it as a desktop user; hire a competent sysadmin; or spend the time yourself to become a competent sysadmin. Don't play end-user-with-a-server or you'll get burned, no matter the OS.

      --
      I have seen the future, and it is inconvenient.
    33. Re:What timing! by messiertom · · Score: 1

      Blockquoteth the poster:

      since it was basically a 'search and replace 'Redhat' with 'Mandrake' and compile for i586'

      This is the single most annoying and incorrect misconception about Mandrake. Yes, at one point it had a lot of RedHat stuff in it, but now it is very independent.

      Mandrake enriched RedHat by adding nice configuration tools, urpmi, and a very nice installer. Mandrake is also still better than RedHat at the desktop level (imho, but RedHat is taking very nice steps to improve Linux on the desktop, despite what some KDE zealots proclaim).

    34. Re:What timing! by Vantage13 · · Score: 1

      I'm sure other people will point this out as well but Debian has this down easier than Windows/Mac/anything else out there. Found a security hole that needs patching? Simple. 'apt-get update' (to update the list of available packages) followed by 'apt-get upgrade' and watch the new packages come in....

      Now I'll be the first to admit that Debian's not the easiest to set up initially, but trust me, it's well worth it in the long run.

    35. Re:What timing! by mvdw · · Score: 1

      You need FreeBSD to get you out of RPM hell.
      Funny, that's the reason I chose Slackware...

    36. Re:What timing! by gmhowell · · Score: 2

      Did you read everything I wrote, or merely home in on the assessment of the original version of Mandrake? I thought it was rather clear that this was the last time I had tried it. What was unsaid, but clearly implied, is that it is far different these days.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    37. Re:What timing! by Ambassador+Kosh · · Score: 1

      Umm, you know that redhat backports security fixes, right, just like debian and other dists do? In which case you might be running a fixed version already and the newer rpm could still be the same version with more fixes backported. If you just trust a security scanner to see if you are vulnerable based on the software version reported then you are going to have problems. Check with your dist and see if the package you have is actually vulnerable to that problem. Redhat, Mandrake, Debian, Suse, etc etc put up very detailed information on this kind of stuff.

      Very likely you just don't know much about being a system admin and you are in over your head until you learn more. Being a programmer does NOT make you qualified to be sysadmin and being a sysadmin does not make you qualified to be a programmer either.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
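
The backporting point made in several replies above (the distributor patches its existing version and only the package release changes, so a scanner that reads the upstream version from a banner still flags it), as an added Python example that is not part of the thread. The package name and the releases 1.1-2 and 1.1-6 follow the illustration given in one reply; the "fixed in" values are constructed, and the comparison is a simplified form of RPM's version ordering (assumption: no ~ or ^ handling).

```python
"""Banner-based scan result versus package-database result (constructed data)."""
import re
from itertools import zip_longest

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _cmp_segments(a: str, b: str) -> int:
    """Compare two version or release strings segment by segment."""
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x is None:
            return -1                      # a ran out first, so a is older
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):           # numeric compare: 10 > 9
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric sorts newer than alphabetic
        elif x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release


def compare_evr(a: str, b: str) -> int:
    """Return -1, 0 or 1. Release is ignored when either side has none."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    result = _cmp_segments(va, vb)
    if result == 0 and ra and rb:
        result = _cmp_segments(ra, rb)
    return result


# Constructed advisory data for the hypothetical package "program".
UPSTREAM_FIXED_VERSION = "1.2"   # upstream shipped the fix in a new version
DISTRO_FIXED_EVR = "1.1-4"       # distributor backported it into 1.1, release 4


def classify(banner_version: str, installed_evr: str) -> str:
    """Combine what the scanner sees with what the package database records."""
    banner_vulnerable = compare_evr(banner_version, UPSTREAM_FIXED_VERSION) < 0
    package_vulnerable = compare_evr(installed_evr, DISTRO_FIXED_EVR) < 0
    if package_vulnerable and banner_vulnerable:
        return "vulnerable: update the package"
    if banner_vulnerable:
        return "scanner false positive: fix is backported"
    if package_vulnerable:
        return "inconsistent: verify which binary is running"
    return "not vulnerable"


if __name__ == "__main__":
    # (host label, version shown in the service banner, installed package EVR)
    hosts = [
        ("gateway before update", "1.1", "1.1-2"),
        ("gateway after update", "1.1", "1.1-6"),
        ("box tracking upstream", "1.2", "1.2-1"),
    ]
    for label, banner, installed in hosts:
        print(f"{label:24} banner={banner:4} pkg={installed:6} -> "
              f"{classify(banner, installed)}")
```

On a real system the installed value comes from the package manager's query output and the fixed release from the distributor's advisory, not from the daemon's banner.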
    38. Re:What timing! by BattyMan · · Score: 1

      ...I don't know when I last recompiled a kernel. Oh, wait, I did have to compile the NVidia modules.

      Right, modules, but _not_ the whole Kernel!

      The need to recompile yer Kernel to make your mouse movements take effect is greatly overstated.

      I've installed a few things - pppd, ipchains, sound, multiple ethernet cards in a firewall - ALL of which had HOWTOs which started out by telling you to recompile a Kernel to support their special function...

      Bunk. Just get insmod to install the module! Most modules can autosense their situation and set themselves up. Some, notably the driver for the very common NE2000 NIC, require parameters. This is still _way_ easier and faster than building those parameters into a Kernel.

      In general, you PROBABLY DO NOT GREATLY NEED TO RECOMPILE YOUR KERNEL!!!
      (Assuming you run one of the standard ones that comes with a distribution)
      You ALMOST UNQUESTIONABLY DO _NOT_ NEED TO RECOMPILE YOUR KERNEL IN ORDER TO RUN IPCHAINS, PPPD, ALSA, CUPS, a WIDE variety of ethernet cards, OR A _WHEELMOUSE_! All that those things require are neato drivers known as INSTALLABLE KERNEL MODULES. And I'm not at all sure that the wheelmouse even requires a module. Try gpm. These installable modules have an advantage over built-in Kernel modules in that they can be shut off, removed, reconfigured/replaced, and restarted _without_requiring_a_reboot_!

      Try _that_ with M$ device "drivers"!

      And you should NOT run wu-ftpd.
      Switch to an ftp daemon that isn't made of swiss cheese. There are several to choose from. The older and less featureful ones are also the ones which make news in Bug-Traq less frequently.

      --
      Exceeding the recommended torque is not recommended.
    39. Re:What timing! by horza · · Score: 2

      I love Gentoo, and the way I can just "emerge update world" to update every package on my system automatically. No dependency hell. It's definitely desktop only at the moment, but hopefully in the future there will be different levels of update. Eg "emerge update STABLE apache" and "emerge update BETA evolution", etc.

      Phillip.

    40. Re:What timing! by Anonymous Coward · · Score: 0

      You need FreeBSD to get you out of RPM hell. It takes far less effort to upgrade software on FreeBSD than it does with any RPM-based lunix distro.

      Getting out of RPM hell was the main reason I chose FreeBSD over lunix.


      I used FreeBSD for a week or so about 8 months ago, and I found that portage was worse than Linux packaging systems. Several packages, I found, didn't build at all. Others failed to work with existing software. Thus, I find it hard to believe that the much-vaunted homogeneity of FreeBSD is anything more than weak marketing copy in practice.

      Secondly, it's "Linux." Calling it "lunix" makes you seem like a total fuckhead whose idea of wit fails to transcend scatology. The same goes for "M$", "Micro$oft", "Microshit", "Microsloth", and countless other permutations. If you want to be taken seriously, you must take your enemy seriously.

      (yes, I know. IHBT. IHL. ISHAND.)

    41. Re:What timing! by Random+Walk · · Score: 2

      Separate filesystems are bad if you have only little diskspace (this one out of five OSes on my laptop). Putting everything in / at least guarantees that no space is wasted. And the installation manual did not point out the inodes problem, nor how to solve it ...

    42. Re:What timing! by Tanami · · Score: 1

      I disagree with your suggestion that the build process under Linux is more fraught than that under Windows. I have recently had to install Apache on two servers (very similar configs with mod_perl2/perl5.8, PHP4, etc...). One of these servers was an NT machine, the other a SuSE linux build. The linux build took about a sixth of the time the NT one took (including troubleshooting, etc.) This is despite having far greater experience of using (and coding) under Microsoft platforms. I can't speak for RPMs, as I have never used Redhat. Personally, I find it essential to compile a lot of things from scratch in order to configure the correct components and options.

    43. Re:What timing! by gmhowell · · Score: 2

      I should have smilied the original post.

      No, you don't need modules for the wheelmouse. I don't know 'bout GPM, as I don't use it, but for X, I think it's only one extra line indicating which buttons for the Z axis.

      And insmod is for real men. Us wimps use modprobe:)

      A good number of HOWTOs say something along the lines of "RedHat stock kernels already have ability FOO compiled in". One thing that might be helpful is a command that lets you see if there is a module named FOO already (probably a modprobe option, but I don't know). That way, the various HOWTOs could say 'lookformod FOO'. If you get something, you are good. If not, THEN you might have to recompile your kernel.

      Is there any use for anything other than anonymous ftp? I use scp for everything that matters. Then SMB to get the stuff on a Windows box (does PuTTY have scp? I'm pretty sure cygwin does) Last time I looked, there were a few ftp daemons that ONLY did anonymous ftp. That's the way to go.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
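
The `lookformod FOO` check wished for in the comment above, sketched as an added example that is not part of the original thread. It assumes a current kernel module tree under `/lib/modules/<release>` with the `modules.builtin` list that kbuild writes; `lookformod` and `make_sample_tree` are hypothetical names, and the sample tree is constructed so the script runs on any machine.

```shell
#!/bin/sh
# lookformod NAME [MODDIR]
# Prints "builtin", "module" or "missing" for kernel feature NAME and
# returns 0 when the kernel already provides it, 1 otherwise.
# MODDIR defaults to the running kernel's module tree.
lookformod() {
    lfm_name=$1
    lfm_dir=${2:-/lib/modules/$(uname -r)}
    # Module names treat '-' and '_' as the same character, so build a
    # pattern that accepts either spelling (valid as regex and as glob).
    lfm_pat=$(printf '%s' "$lfm_name" | sed 's/[-_]/[-_]/g')

    # Compiled into the kernel image: listed in modules.builtin.
    if [ -f "$lfm_dir/modules.builtin" ] &&
       grep -q "/$lfm_pat\.ko\$" "$lfm_dir/modules.builtin"; then
        echo builtin
        return 0
    fi

    # Loadable module on disk, plain or compressed (.ko.gz, .ko.xz, ...).
    lfm_hit=$(find "$lfm_dir" -type f \
        \( -name "$lfm_pat.ko" -o -name "$lfm_pat.ko.*" \) 2>/dev/null | head -n 1)
    if [ -n "$lfm_hit" ]; then
        echo module
        return 0
    fi

    # Neither built in nor available as a module: a rebuild would be needed.
    echo missing
    return 1
}

# Constructed sample tree (not a real kernel) so the example runs anywhere.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/kernel/drivers/usb/storage"
    : > "$d/kernel/drivers/usb/storage/usb-storage.ko.gz"
    printf '%s\n' 'kernel/fs/ext3/ext3.ko' > "$d/modules.builtin"
    echo "$d"
}

SAMPLE=$(make_sample_tree)
for m in ext3 usb_storage ipv6; do
    printf '%-12s %s\n' "$m" "$(lookformod "$m" "$SAMPLE" || true)"
done
rm -rf "$SAMPLE"
```

Called with one argument it inspects the running kernel's own tree, so a HOWTO could branch on its exit status before telling the reader to recompile.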
  20. From what I've seen by Apreche · · Score: 2, Insightful

    is that pretty much all operating systems are equally secure. The insecurities in the operating systems are not the same, but neither one is bulletproof. Windows seems more insecure, but that is because more people try to hack it, because more people use it. Linux seems more secure because it is hacked less, which is because less people use it. However UNIX is very old and very open and has just as many ways to get in as windows does.

    From what I've experienced, operating system choice is not a major factor in security. The biggest factor in security is how well the operating system in question has been configured. You could run the newest linux with all the shiniest intrusion detection stuff, but if you let the guest account rm -f *.* you're in a bit of trouble. Nothing is more key for security than proper configuration. And of course, not downloading e-mail attachments in outlook.

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:From what I've seen by Anonymous Coward · · Score: 0

      but if you let the guest account rm -f *.* you're in a bit of trouble.

      *.* is a DOS thing. You use * in linux. Also, rm -rf would be significantly more damaging.

    2. Re:From what I've seen by davebooth · · Score: 2

      ...The insecurities in the operating systems are not the same, but neither one is bulletproof...

      Quite correct. The only secure system is the one in your basement with no power cord.

      ...The biggest factor in security is how well the operating system in question has been configured...

      Also correct. The biggest factor in "how secure" an OS may be comes from the ease with which it can be made as secure as possible given its architectural limitations and from the steps that can be taken in advance to limit the damage of a successful compromise. I've been running unix and linux machines for more years than I care to count, I have been a windows user since its earliest days and based on my experiences as my knowledge of each increased I turned more and more towards unix and its analogues for the critical stuff I have to keep secure and stable. Don't get me wrong, I'm not (for a change) advocating that everyone should dump windows. As a gaming platform, as a platform for basic office functionality or day to day workstation use it's hard to argue against. Sure, intelligent choices need to be made regarding which tools you install - I wouldn't use outlook for email, for example - but it's generally a pretty decent workstation OS. Unix workstations, on the other hand are best at specialist roles. Once you move into the server room, however, the situation reverses.

      In my opinion - which is as biased as everybody else's, being based solely on my own experience - unix and its close cousins are easier to secure than windows but with a different professional background, who's to say I might not have a different opinion. YMMV.

      oh, and by the way - "if you let the guest account rm -f *.* you're in a bit of trouble" - assuming I let anyone who wanted to remove any file with a dot in its name from the root dir of any of my servers I think they'd all keep working just fine ;) Let them do it recursively and there's a couple of directories that would go away but I really wouldn't miss them. To really annoy me a cracker would have to step outside the 8.3 mindset and just get rid of *

      --
      I had a .sig once. It got boring.
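
What `*.*` and `*` expand to in a Unix shell, and what `rm -f` versus `rm -rf` would then remove, shown as a dry-run preview that deletes nothing it lists. This is an added example, not part of the original thread; `preview_rm` and `make_sample_root` are hypothetical helpers and the directory contents are constructed.

```shell
#!/bin/sh
# preview_rm MODE DIR PATTERN
# MODE is "f" (as in rm -f) or "rf" (as in rm -rf). Prints, one per line,
# the entries in DIR that the command would remove, without removing them.
# Directories are shown with a trailing slash.
preview_rm() (
    mode=$1
    cd "$2" || exit 1
    # Unquoted on purpose: let the shell expand the pattern inside DIR.
    for f in $3; do
        # A pattern that matches nothing is left as literal text; skip it.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -d "$f" ] && [ ! -L "$f" ]; then
            # Without -r, rm refuses real directories, so only the
            # recursive mode takes them (and everything beneath them).
            if [ "$mode" = rf ]; then
                printf '%s/\n' "$f"
            fi
        else
            # Regular files and symlinks go in either mode.
            printf '%s\n' "$f"
        fi
    done
)

# Constructed stand-in for a root directory: two files, one dotfile,
# one directory with a dot in its name and one without.
make_sample_root() {
    d=$(mktemp -d)
    mkdir "$d/etc.d" "$d/home"
    : > "$d/passwd"
    : > "$d/hosts.conf"
    : > "$d/.profile"
    : > "$d/etc.d/inner.txt"
    : > "$d/home/notes.txt"
    echo "$d"
}

ROOT=$(make_sample_root)
for pat in '*.*' '*'; do
    for mode in f rf; do
        echo "rm -$mode $pat  ->  $(preview_rm "$mode" "$ROOT" "$pat" | tr '\n' ' ')"
    done
done
rm -rf "$ROOT"
```

Neither pattern matches `.profile`, because a leading dot has to be matched explicitly; `*.*` reaches only names that contain a dot, and directories are affected only in the recursive mode.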
  21. It's the user by photon317 · · Score: 5, Insightful


    The user makes all the difference. What software you choose to run, and how you choose to configure and audit things. How much care you give to security issues and how much knowledge of basic security you have.

    However, if you are competent and security-minded, it is quite easy to make a Linux box extremely secure against all but the most directed and knowledgeable attackers, which are quite rare. If you run Windows, no matter how hard you try you're still gonna be fairly hosed. Some things just can't be fixed reasonably on that platform.

    --
    11*43+456^2
    1. Re:It's the user by CavemanKiwi · · Score: 3, Funny

      I can make my windows box VERY secure, just turn it off :)

  22. No, you are missing the point by huge · · Score: 1
    I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything
    No, I would say that you are missing the point here. That's just stupidity of the user, if he/she has Office with all the widgets installed.

    In this context, I think that we are rather talking about the (in)security of the operating systems than applications running on them.
    --
    -- Reality checks don't bounce.
  23. Bugtraq by qurob · · Score: 5, Informative


    Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows. Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

    Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.

    So many programs get lumped into 'linux' and this is forgotten.

    Imagine if EVERY time there was a patch for a Windows app, it was checked off in the 'windows' category.

    Then again, there are more Windows apps than Linux...

    1. Re:Bugtraq by blancolioni · · Score: 2

      Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.

      If only there was some simple prefix we could insert before the word Linux that distinguished the complete GNU + Linux system from the bit that's just the kernel.

      Like that would ever happen.

    2. Re:Bugtraq by eMilkshake · · Score: 1
      Perhaps there should be two categories: GNU & Linux. That way, when there's a problem with the kernel, it's linux, but when it's with the GNU system, it's GNU. Of course, GNU would show all the problems. ;)

      RMS would be happy and angry at the same time -- surely that's worth something.

  24. Ramen, Slapper, Scalper and Mighty ? by unixmaster · · Score: 1, Flamebait

    Huh lets see Windows Players ?

    1- Mighty Netbios ( Most secure protocol invented since '95! )

    2- Unicode File Traversal Vulnerability. Appeared like 1-1.5 year ago. Still some servers vulnerable

    3- Melissa & IloveYou & others countlessly many Ms Word worms

    4- Nimda & CodeRed variants. Millions of computers got intruded in one day.

    5- Internet Explorer got 20 unfixed vulnerabilities today according to http://www.pivx.com/larholm/unpatched

    6- Windows XP UPnP Vulnerability got public after the week XP was released....

    Now come on doesn't matter how clueless you are Windows is not *really* engineered for security!

    --
    Never learn by your mistakes, if you do you may never dare to try again
    1. Re:Ramen, Slapper, Scalper and Mighty ? by Ummagumma · · Score: 2, Insightful

      >1- Mighty Netbios ( Most secure protocol invented since '95! )

      Any sysadmin who doesn't disable this on publicly accessible machines isn't a good sysadmin.

      >2- Unicode File Traversal Vulnerability. Appeared like 1-1.5 year ago. Still some servers vulnerable

      Again, sysadmin problem. It's been patched.

      >3- Melissa & IloveYou & others countlessly many Ms Word worms

      Application problems, not OS problems, big difference.

      >4- Nimda & CodeRed variants. Millions of computers got intruded in one day.

      Application problems, not OS problems, big difference.

      >5- Internet Explorer got 20 unfixed vulnerabilities today according to http://www.pivx.com/larholm/unpatched [pivx.com]

      Application problems, not OS problems, big difference.

      6- Windows XP UPnP Vulnerability got public after the week XP was released....

      I'll give you this one :)

      I'm not saying windows is the greatest and all, but get your facts straight, please. 3 of the 5 issues above are application issues, not OS issues.

      --
      "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
    2. Re:Ramen, Slapper, Scalper and Mighty ? by unixmaster · · Score: 3, Insightful

      apache bugs : Application problems, not OS problems, big difference.

      openssh bugs : Application problems, not OS problems, big difference.

      xchat & other programs bug : Application problems, not OS problems, big difference.

      Linux kernel symlink dos vulnerability ( 1 vulnerability about kernel I have ever seen in 1 year ) : os bug

      See if you think like that Linux has only 1 bug....

      --
      Never learn by your mistakes, if you do you may never dare to try again
    3. Re:Ramen, Slapper, Scalper and Mighty ? by compwiz3688 · · Score: 1

      >1- Mighty Netbios ( Most secure protocol invented since '95! )
      Any sysadmin who doesn't disable this on publicly accessible machines isn't a good sysadmin.

      Agreed. In fact, ever since I read that you can do all those file sharing with NetBEUI, I never looked back. Also, it is less headache than the TCP/IP variant when I know the cables and network cards are working and I still can't see other #%#@ computers on the same workgroup.

      >3- Melissa & IloveYou & others countlessly many Ms Word worms
      Application problems, not OS problems, big difference.

      Can I say "Windows Host Scripting" here? It came with the OS and with an option to have it installed or not, but it's still VB, isn't it? (not quite sure about this)

      >4- Nimda & CodeRed variants. Millions of computers got intruded in one day.
      Application problems, not OS problems, big difference.

      IIS came with the OS, but then again, you get to choose whether you want it installed or not.

      >5- Internet Explorer got 20 unfixed vulnerabilities today according to http://www.pivx.com/larholm/unpatched [pivx.com]
      Application problems, not OS problems, big difference.

      IE came with the OS, and until recently, Bill Gates maintained that the OS and IE are not separable, so it's not that big a difference.

      >6- Windows XP UPnP Vulnerability got public after the week XP was released....
      I'll give you this one :)

      What about the other vulnerability that is patched in SP1, the one about accessing a file on your HD and it erases files? Ok, it's been patched, but still, it's pretty big :).

      I also note that you put the blame on sysadmins. What about those who are home users?

    4. Re:Ramen, Slapper, Scalper and Mighty ? by Tack · · Score: 2
      > 5- Internet Explorer got 20 unfixed vulnerabilities today according to http://www.pivx.com/larholm/unpatched [pivx.com]

      Application problems, not OS problems, big difference.

      Isn't Microsoft desperately trying to convince us that IE is part of the operating system? They can't have it both ways.

      Jason.

    5. Re:Ramen, Slapper, Scalper and Mighty ? by Anonymous Coward · · Score: 0

      The reasons Microsoft proffered on why IE couldn't be removed from Windows apply here. Microsoft said that most of the dlls IE used were also used in Windows, so IE really isn't anything more than the code that ties all the buggy Windows dlls together. Probably most of the applications Microsoft churns out are glue that hold the various dlls together.

    6. Re:Ramen, Slapper, Scalper and Mighty ? by larsu · · Score: 1

      5- Internet Explorer got 20 unfixed vulnerabilities today according to http://www.pivx.com/larholm/unpatched [pivx.com]
      Application problems, not OS problems, big difference.


      MS: <Whine>But IE is a critical part of Windows. We can't remove it! </Whine>

    7. Re:Ramen, Slapper, Scalper and Mighty ? by WebMasterJoe · · Score: 2
      >5- Internet Explorer got 20 unfixed vulnerabilities today according to http://www.pivx.com/larholm/unpatched [pivx.com]

      Application problems, not OS problems, big difference.
      Unfortunately, it's irrelevant that IE is an app and not an OS because Windows won't let you remove the app. Same with Windows Media Player. As a result, any flaw with those applications must be patched, even if you have no desire to even have the applications on your system.
      --
      I really hate signatures, but go to my website.
    8. Re:Ramen, Slapper, Scalper and Mighty ? by Anonymous Coward · · Score: 0

      Actually you can remove it. You just have to pay another company to do it. Ok, they do have some free ones available, but still...

      And once you remove it, some of the other (3rd party) applications that rely on the IE DLLs will go kaput.

    9. Re:Ramen, Slapper, Scalper and Mighty ? by Anonymous Coward · · Score: 0

      Now come on doesn't matter how clueless you are Windows is not *really* engineered for security!

      Neither is Linux. Only patches and updates are *really* engineered for security.

      Both are engineered for *usability*. Everything is *secure* until it is *compromised*.

    10. Re:Ramen, Slapper, Scalper and Mighty ? by schon · · Score: 2

      >2- Unicode File Traversal Vulnerability. Appeared like 1-1.5 year ago. Still some servers vulnerable

      Again, sysadmin problem. It's been patched.


      But it's still a problem with the OS. It doesn't matter if it's been patched or not.

      >3- Melissa & IloveYou & others countlessly many Ms Word worms

      Application problems, not OS problems, big difference.


      But the application (IE) is (according to MS) part of the OS. The problem is that it's integrated with the OS so much that it becomes an OS problem.

      3 of the 5 issues above are application issues, not OS issues.

      No, one of the 5 issues above is an application issue. If MS says that IE is part of the OS, then it's part of the OS, and there's nothing you can do to refute that.

  25. You're comparing apples and .... by mustangdavis · · Score: 3, Interesting
    I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

    * Gets out a kleenex, wipes off author's glasses*

    IIS - enough said.

    The actual number of posts may be greater, but how many people install X on their Linux servers? How many people have xmms on their linux server?

    Also, considering that Linux is open source, and thus, hackers can actually look at the code for the OS, it is AMAZING that it is more secure than Windows! Can you imagine how many exploits there would be for IIS if a good hacker could see the source code for it?

    Nothing more to be said here ... move on!
    1. Re:You're comparing apples and .... by Anonymous Coward · · Score: 0
      I see a lot more stuff coming across BugTraq
      * Gets out a kleenex, wipes off author's glasses*

      ewww
  26. Windows vs Linux Programmers by l33t+j03 · · Score: 2, Funny
    Lets compare the people who actually write the code:

    Windows Programmers
    Well paid. Medium sized grayish cubicles with few restrictions on decorations. Laid back workplace.

    Open Source Programmers
    Live in basement of parents' home, browbeaten daily by overbearing mother, relentlessly degraded by father.

    Windows Programmers
    Married to a member of the opposite sex or enjoying a healthy dating life.

    Open Source Programmers
    Proposition other men in subway restrooms. Frequent 'glory holes'. Masturbate to Hentai porn.

    Windows Programmers
    Nice cars.

    Open Source Programmers
    Bicycles.

    Windows Programmers
    Enjoy reading books, watching movies, and listening to music that all cover a wide variety of intellectually challenging subjects.

    Open Source Programmers
    Can't understand anything unless it deals with elves, or dwarves, or space creatures.

    Windows Programmers
    Secure in the knowledge that their work is contributing to increasing the productivity and happiness of workplaces and homes all over the country. Singularly responsible for ushering in the widespread use of personal computers for the masses.

    Open Source Programmers
    Waste their entire lives fighting in vain to bring down an imagined enemy by creating products that 99% of the computing public will pay to avoid having to use.

    There you have it folks, a comprehensive comparison of the two camps.

    1. Re:Windows vs Linux Programmers by Anonymous Coward · · Score: 0

      Actually, every dev at Microsoft has their own office. Albeit, small, but not "Medium sized grayish cubicles"

    2. Re:Windows vs Linux Programmers by Anonymous Coward · · Score: 0

      As an Open Source programmer, I find this insulting and degrading.

      You're right, though.

    3. Re:Windows vs Linux Programmers by Anonymous Coward · · Score: 0

      Open Source Programmers
      Secure in being different; no desire or need to follow a crowd, or to justify their existences to anyone who does not conform.

      Windows Programmers
      So insecure about their loyalties that they'll waste precious time, space and attention supporting their philosophies. EG : this

  27. Let the justifications begin! by Anonymous Coward · · Score: 0
    The NSA has nothing to do with checking security at laboratories and they certainly aren't a software development shop.

    And of course they have experience--that's why they chose W2k.

    1. Re:Let the justifications begin! by PainKilleR-CE · · Score: 1

      The NSA has nothing to do with checking security at laboratories and they certainly aren't a software development shop.

      They have a lot to do with checking security on software, though, and for not being a software development shop, develop a lot of software. Of course, you don't have to take our word for it, you can just visit SELinux

      --
      -PainKilleR-[CE]
    2. Re:Let the justifications begin! by Anonymous Coward · · Score: 0

      They've also publicly said that using Linux for this project was a mistake, and that it won't be repeated.

  28. If you don't report the bugs, they don't exist by Anonymous Coward · · Score: 2, Interesting
    Sorry, but M$ sells security-through-obscurity.

    Thus, any bug-counting stats are meaningless.

    And for all you folks who think M$'s ways are best: Do you really think Gates and Ballmer have your best interest in mind when they spout off about keeping bugs secret?

    1. Re:If you don't report the bugs, they don't exist by Anonymous Coward · · Score: 0

      Do you really think Gates and Ballmer have your best interest in mind when they spout off about keeping bugs secret?

      ABSOLUTELY!!! I own shares in M$

  29. Security? by Noryungi · · Score: 5, Interesting

    This sentence from the article really drew my attention:

    Mainframe operating systems, which have been perfected over decades, have very few security flaws. Security problems on mainframes tend to be caused by administrators' errors.

    Obviously, this guy does not know what he is talking about.

    My father used to be a mainframe security officer at a Fortune 500 company. He knew mainframes inside and out and was always pretty much on top of things -- and he started his career on old IBM with punch cards, if you see what I mean.

    Anyway, his company would hire (once every three years) an external consultant to test the security of the systems my father took care of. This consultant could gain the mainframe equivalent of "root" access in 30 minutes or less.

    A mainframe operating system is not secure -- it's very stable (uptime=99.9999%), though, but that's a different thing.

    My advice? If you want security, get OpenBSD. If you want the latest gizmo, get Linux (a real Linux) and invest some time in securing your installation...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Security? by onion2k · · Score: 3, Insightful

      Most OSs can be made secure. Even windows. By a good sysadmin.

      Unfortunately this doesn't say much for your dad.

    2. Re:Security? by Noryungi · · Score: 2

      Most OSs can be made secure. Even windows. By a good sysadmin.

      No, sorry.

      My point is this one: a secure OS does not exist. Even a top-notch sysadmin will only give you "reasonable" security.

      For instance, reasonable security means patching up all known security holes, as they apply to your machine/OS combination, making sure all users have good passwords and that not every user of your machine has the "root" password, not allowing everyone physical access to your machine, backing up critical data and making sure you have some IDS installed, etc.

      Reasonable security is not saying: "This machine is 100% secure", it is being able to say: "AFAIK, this machine should be able to resist hostile attacks for X minutes". (Bruce Schneier had a very interesting discussion on this last one -- take a look at the Cryptogram archives).

      As far as my dad is concerned, he was still a security officer for this big Fortune 500 company when he retired, so he must have been doing something right... Like offering reasonable security to his mainframe users... ;)

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    3. Re:Security? by Pengo · · Score: 2

      This is the first time in months I have read a post on slashdot that mentions that (they/ someone/ their friend/whoever) works at a Fortune 500 company and I felt they are not a troll or blatantly full o chit.

      congratulations

  30. like we need to read this to know what it says by Anonymous Coward · · Score: 0

    Windows suxx0rz, Linux r0xxorz, etc., etc., blah blah. A badly adminned Linux box can be 0wned and r00ted same as anything else.

  31. A user's standpoint by InodoroPereyra · · Score: 3, Insightful
    Even though I contribute code every once in a while, my background is not in CS and I am not an expert in Security by any means. What matters to me is not whether open source solutions are inherently a little more or less secure than open source solutions. What really matters to me is what can I do to secure my machine.

    Security holes happen for any development model, shit happens. With open source, GNU/Linux in particular, I keep an eye on security updates to my distro and that's it. Almost no effort if you use a friendly distro. Well, that and I check not to run services I do not need, use a firewall, etc. I know that as fast as a hole is found a fix will appear and I'll download new packages in a couple days. If I am really concerned I can compile and install in the meantime. Here is where the freedom meaning of free software shines.

    Oh, and the title should better be "Open source vs proprietary security". Old same old ...

  32. I want to choose my security settings by magwm · · Score: 2, Insightful

    Well, at least linux (the newer distro's i tried like RH, Mdk, SuSe, Deb) lets you CHOOSE your security settings. None of all windows installations i performed asked me which level of security i wanted..

    1. Re:I want to choose my security settings by Proc6 · · Score: 1

      Why is that impressive? "Yes, Id like the totally insecure, full of exploits, Please-Hack-Me, version of Linux please. Thanks!"

      --

      I'm Rick James with mod points biatch!

    2. Re:I want to choose my security settings by magwm · · Score: 1

      nope there are several possible levels, ranging from please_hack_me to completely_paranoid

  33. ActiveX is... by Arker · · Score: 5, Insightful

    Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older systems, and I don't believe anyone has even worked out a way to properly disinfect it from XP to date (if I'm wrong give me a link, litepc.com is still working on it, it's a tough problem.) ActiveX is also the very exemplar of security hole from the ground up. Despite all the lip-service given recently to the concept of security by Microsoft, this particular policy, by far the biggest cause of security flaws, has been intensified over time, not backed off from. This makes Microsoft systems and security antonymical.

    Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above. What does Microsoft gain by making their systems inherently insecure? A rationale for the 'necessity' of so-called security schemes (that really don't have anything to do with security, but rather with centralised control) such as DRM. Flood the net with insecure boxes and then cash in later by 'solving' the problem in a way that makes you the effective gatekeepers of the internet. Now there's a business model with some profit potential.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
    1. Re:ActiveX is... by sqlrob · · Score: 2
      Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older system

      s/pain/impossible/

      The APIs are moving to ActiveX (cf .NET), and the UI shell is all ActiveX. I don't know that you could remove it even on Win 3.1

      ActiveX is also the very exemplar of security hole from the ground up.

      Not really. All ActiveX is is a codification of C++ virtual tables and object instantiation into a language independent standard. That's it. It's all in how you use it.

    2. Re:ActiveX is... by michael_cain · · Score: 2
      Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above.
      Personally, I'm more inclined to regard this as a situation analogous to American automakers at the beginning of the 70's. At that time they built large, unreliable, poor-mileage vehicles and their strengths were styling and marketing. Then a shock to the system (oil crisis) caused buyers to value other attributes, and the Japanese firms were able to make inroads into the market that continue to this day.

      There is no question that ActiveX made certain kinds of Windows development faster and easier, created a whole subindustry for people writing and selling ActiveX components, and made it possible to do neat things within the IE framework. It remains unclear whether or not you can ever make ActiveX really secure on a machine connected to the Internet. Think of the plague of badly-behaved ActiveX components as the "shock to the system". If people begin to value security more than they do the flood of features or the ease of development, something else will make inroads into the market...

    3. Re:ActiveX is... by Arker · · Score: 5, Informative

      s/pain/impossible

      Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.) You can do the same thing with ME, the easy way is here. NT based systems are harder, but it's possible to achieve most of these improvements there as well, elsewhere on the same site you'll see he's still putting the finishing touches on a similar product for XP.

      The APIs are moving to ActiveX (cf .NET),

      Yes they are, an excellent reason to step up the pace on eliminating MS from any environment where security is important.

      I don't know that you could remove it even on Win 3.1

      Win 3.1 didn't include any of this, that's a very bad memory or some FUD, depending on your internal state when you wrote it. Some of the earliest versions could be run on 3.1, but that required installing Iexplore updates, it wasn't on the system by default.

      Not really. All ActiveX is is a codification of C++ virtual tables and object instantiation into a language independent standard. That's it. It's all in how you use it.

      Not quite, that's COM, ActiveX is how COM is made available to arbitrary code, as from a webpage or an email opened using MS tools, which as a rule don't just neglect to give the user proper warning before executing proper code, they typically give no warning at all. Click on a URL or just an email header in Outlook and you can run code without knowing you are doing so. This is a fundamental architectural flaw.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    4. Re:ActiveX is... by sqlrob · · Score: 3, Interesting
      Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.)

      You removed ActiveX *CONTROLS* and ActiveX scripting of IE, which is completely different from removing ActiveX.

      Look under your registry HKEY_CLASSES_ROOT/CLSID. If you have *ANY* entries under there, you are using ActiveX

      Not quite, that's COM,

      Yes, it is. The official definition of an ActiveX object is "implements IUnknown". Sound familiar? ActiveX is just the marketing name for COM.

    5. Re:ActiveX is... by Fizzlewhiff · · Score: 3, Interesting

      Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

      Your reasoning for windows applications being less secure than OSS makes no sense.

      Closed source software is no more complex than its open source counterpart. The fact that millions use software package A over software package B does not make A less secure than B.

      I've never worked on an open source project because the closed source world keeps me too busy. But I would imagine it's very similar to working on a closed source project, the main difference being teams are not working at the same location. Still, everyone works on their assigned piece of the project and checks it in and hopefully the project leader and others on the team review the code and perform walkthroughs. In either world security holes (buffer overflows, etc.) should be spotted. So it's not the open or closed source model that leads to more secure code, it is the project management methodology and the people on the projects who lead to more secure code.

      The code most prone to errors in my opinion would be the code written by teams of one where virtually no review would be done. I believe you would find this type of development more often in an open source project but it could happen in either environment.

      The thought that security problems in commercial software being a conspiracy to make way for DRM and DRM based operating systems is laughable. I remember back in the early 90's a similar theory that IBM was writing the more common DOS viruses as a method to promote the usage of OS/2 because at the time no one had ever heard of any OS/2 virii. The fact that there was little OS/2 file swapping because there was little OS/2 native software never came into people's minds.

      --

      'Same speed C but faster'
    6. Re:ActiveX is... by Arker · · Score: 2

      Agreed that it's a marketing name, but if you look at the way it's used you'll see it's clearly referring to the controls and scripting capabilities. That's the point. Those are the focus of the marketing, and the locus of security problems. Getting rid of those is, from a security point of view, job one. And making that impossible is, from Microsoft's point of view, job one as well. See my point yet?

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    7. Re:ActiveX is... by Anonymous Coward · · Score: 0

      .NET is not ActiveX. It provides interop tools to allow COM components (including ActiveX controls) to be easily used from managed code, but the two are very different things.

      Nothing new coming from MS is ActiveX. ActiveX and COM were basically obsoleted when MS released the .NET Framework, which is much better (more secure, more robust, easier to use, etc.).

    8. Re:ActiveX is... by Viqsi · · Score: 1

      [...] it's not the open or closed source model that leads to more secure code, it is the project management methodology and the people on the projects who lead to more secure code.

      This is true. However, one has to keep in mind that in the case of OSS, if an admin finds an error and knows how to fix it in the code, that fix can be quickly propagated to others. Or, in other words, instead of just a bug report with closed-source, open-source has the potential for a bug report and a patch. This can conceivably give Free Software/Open Source a small edge, though not as great a one as many people want to believe.

      The code most prone to errors in my opinion would be the code written by teams of one where virtually no review would be done. I believe you would find this type of development more often in an open source project but it could happen in either environment.

      *cough* Um. What about all those oodles of small shareware and freeware programs and utilities people will put out, mostly for Windows? True, they're getting slowly superseded by Free Software/Open Source, but they haven't abruptly ceased to exist.

      --
      viqsi - See "vixen"
      If we do not change our direction we are likely to end up where we are headed.
    9. Re:ActiveX is... by Anonymous Coward · · Score: 0

      .NET is not ActiveX, they are completely separate component systems. While the two interop relatively easily (although the nastiness of ActiveX is apparent from .NET's point of view,) a .NET component exposed as an ActiveX component does not share its security issues, i.e. fully trusted execution. Rather the execution of the .NET component is still determined on a per-call basis by stack-walking and evaluating the evidence of the current assembly against the security settings of the machine, which provide a very deep way of administering effectively every tiny action an assembly can perform based on where they are, who is running it, and why. Don't bundle .NET into ActiveX. ActiveX sucks. The CLR rocks.

    10. Re:ActiveX is... by Anonymous Coward · · Score: 0

      Wonder if you are aware that *nix desktop environments such as KDE and Gnome (and Mozilla to a great extent) have pretty much ripped off the ActiveX architecture wholesale.

      Nobody looks at Konqueror or Mozilla's design as a security problem, but that's mainly because nobody bothers with attacking it. Or maybe because most people are smart enough to not blame the interface (ActiveX/COM) for all the rotten buggy code underneath (MSHTML, etc).

  34. pick(nit); by Black+Parrot · · Score: 5, Insightful


    > I think that's a big part here, any OS is as secure as the admin...

    I would have said "the admin sets an upper bound on system security". The OS could still undershoot that bound.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:pick(nit); by Anonymous+MadCoe · · Score: 1

      :-) Yeah that's a nice way of putting it indeed...

    2. Re:pick(nit); by Anonymous Coward · · Score: 2, Insightful

      Actually, the OS would set the upper bound on system security. The admin would be responsible to ensure that the usage policies and deployment environment are using the security capabilities of the platform to the fullest. In that sense, the actual security of a system would be the product of the various factors, in this case: Security = OS_Security * Admin_Knowledge

    3. Re: pick(nit); by Black+Parrot · · Score: 5, Insightful


      > Actually, the OS would set the upper bound on system security.

      Actually-actually, they both set upper bounds on the system security. The effective security is the minimum of the two bounds. You can't get better than your OS offers, and you can't get better than your sysadmin offers.

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re: pick(nit); by Anonymous Coward · · Score: 0

      I think you are confused about the meaning of the word "bound". A boundary defines the maximum or minimum value that a property can assume. As such, the bound is determined by the factor that exhibits the minimum or maximum value. Security capabilities of the OS are finite and no amount of skill on the part of the administrator can increase it (practically, computers are connected in systems, so this isn't entirely true). All an administrator can do is configure and maintain a system in such a fashion that the maximum security is approached. If an OS is highly insecure (let's take DOS for instance), no amount of skill on the part of the administrator can increase it. In this respect, it is the OS that sets the upper bound on security and not the administrator. But I agree that the administrator plays a part in determining the actual level of security of the system (which is generally somewhat below the upper bound).

    5. Re: pick(nit); by Amazing+Quantum+Man · · Score: 2

      Security(System) = MIN(Security(OS),Security(Admin))

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    6. Re:pick(nit); by Anonymous Coward · · Score: 0

      I've seen it so many times, the trend is spooky.

      1. MS hammers home how easy it is to run Microsoft products, in many cases just keep hitting the "next" button, or the "reboot" button is sufficient in 99.9999% of the cases.

      2. IT Managers/CIO's buy into this because in reality, they don't know that much either, so they fall into the trap. They believe that pretty much monkeys can run their gear, and so they hire monkeys. With Microsoft as your focus, it's not about the quality of the people, it's how many servers can I buy with MS products THROWN ON THEM.

      3. What you end up with is NT/2K/ms-SQL/Exchange/IIS/SMS etc etc etc, littered all over the place. And it's just monkeys punching buttons.

  35. Myths of Linux Malware... by sheriff_p · · Score: 5, Interesting

    Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ... VB has a good article (written before Slapper came out, as it happens) on why this is largely untrue:

    http://www.virusbtn.com/magazine/archives/200209/linux_malware.xml

    --
    Score:-1, Funny
    1. Re:Myths of Linux Malware... by Anonymous Coward · · Score: 0
      Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ...

      I find it hard to believe anyone said this with a straight face. Care to point me to a few quotes?

    2. Re:Myths of Linux Malware... by Anonymous Coward · · Score: 0

      I mean seriously, no-one else realised this article is written by Phil d'Espace? Maybe a long lost cousin to Dilbert's Phil de Cube perhaps?

      pffft

  36. Is Linux More Secure? by fishlet · · Score: 2


    Can this be sufficiently answered until a lot more people are using Linux? I mean over 90% of people use Windows still... so probably an equally great percentage of hackers spend their time trying to break it. Since security problems are usually pretty obscure until someone very dedicated finds it, who's to know what's lurking in Linux. I personally don't feel linux has really gone through the 'trial by fire' needed to prove its secureness.

    Now in theory it can be very secure, it is based on Unix which has a good record. However Linux has surpassed traditional Unix's in features- and with more features comes more complexity and more breaking points. The old assumptions about it being a unix shouldn't be highly regarded.

    Linux can really be more secure than windows, but let's not go touting it as fact until it's survived mainstream use.

    1. Re:Is Linux More Secure? by Anonymous Coward · · Score: 0

      1. About as many people are using Linux for servers as Windows. And servers tend to be what is attacked.

      2. Hackers tend to come from Linux/Unix backgrounds. Windows is considered to be a toy for talentless hacks.

      3. The comment on "who's to know what's lurking in Linux" is idiotic. It's open source.

  37. Clueless admins vs. byzantine systems and bad docs by swb · · Score: 5, Interesting

    I wonder if Windows' security problems aren't as much the fault of the everything-but-the-sink integration and legacy support, and abysmal documentation as they are inexperienced and unknowledgeable administrators.

    A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists? And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.

    Third party resources? You can't say "take a class" -- I've *taken* MS curricula before and it's not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs. Books? Usually no better than the online docs and often *worse*, and that's if you can manage to wade through a sea of 'em to find one that's not just screenshots of the online docs!

    My experience with Linux and (predominately) FreeBSD is that while the UI of these OS's is often less intuitive, the documentation, even man pages, while dense is far closer to complete than Windows and there's a lot less hidden "gotchas". One of the great things about textual config files is that most sample configs, especially with stuff like Apache, Squid, etc is that the configuration docs are integrated with the config. You just can't do that well with Windows, which is moot anyway, since MS *doesn't* do it with their default configs.

    My point is that while it's fun (and often fair) to blame clueless admins, they're also admining a system that seems to try very hard to defy people who want to learn -- Just Click Here And It'll All Be OK. If they could learn and understand the operation of the system(s) and their architecture they'd get a lot smarter. MS makes it hard to do this so people don't.

  38. Flamebait indeed by kafka93 · · Score: 5, Informative

    In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

    Similarly, the quoting of a few minor-but-exaggerated viruses etc., and to imply that these stack up to anything remotely comparable to the plethora of such issues that plague the Windows OS, is quite ridiculous.

    Let's face it - this is FUD. "Microsoft has organized a huge security program" and (Linux is) "less disciplined but more timely" -- such soundbites have been carefully calculated.

    Of *course* security comes to more than the Operating System alone; still, one can only gape at such inane comments as "the existence of security flaws -- and of hackers willing to exploit them -- does not necessarily add up to more risk for users".

    This is FUD that is based on the vaguest understanding of security, upon one man's comments, upon old, tired misunderstandings about the merits of "single commercial entities" -- in short, it is the usual chest-pumping pro-Microsoft FUD from someone who knows very little about which he speaks.

    1. Re:Flamebait indeed by Anonymous Coward · · Score: 0

      I don't think you know what FUD means. I don't think you know much about operating systems and security either.

    2. Re:Flamebait indeed by Shalda · · Score: 1

      "Microsoft has organized a huge security program" and (Linux is) "less disciplined but more timely" -- such soundbites have been carefully calculated.

      Actually, what this is implying is that once Microsoft patches a file, they spend three months testing it to make sure it won't break another piece of the system. It would be equally bad to fix one problem and cause two more, which they've done before. So, yes, they do rely on security through obscurity while they're testing a patch. Not always a bad thing.

    3. Re:Flamebait indeed by jedidiah · · Score: 5, Insightful

      He knows well enough to be aware of what has actually been exploited. The article is in fact a "Fear mongering" piece. It presents only the information that the author wishes you to see. It is clear the author has an axe to grind against Linux in particular.

      The author ignores the common pedigree that Linux shares with Unix. The author ignores the underlying design issues that distinguish Unix versus Windows in theory and practice. The author plays a naive numbers game with the bugtrack figures while conveniently ignoring the fact that Linux is more transparent.

      He also makes the absurd assertion that more vendors == less secure.

      If anything, competition and diversity should allow for vendors of varying quality and priorities.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    4. Re:Flamebait indeed by Reziac · · Score: 5, Informative

      Well, I would have thought it flamebait too, and then I picked up a copy of "Hacking Linux Exposed" (http://www.hackingexposed.com/) This companion volume to "Hacking Exposed" is almost as thick as the original, which covers all other OSs combined.

      BTW, they're both very good reads; indeed, I would say *required* reading for sysadmins of ANY platform.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    5. Re:Flamebait indeed by N3WBI3 · · Score: 2

      and NT owes much of its development to VMS which is also very very old..

      --
    6. Re:Flamebait indeed by N3WBI3 · · Score: 2

      Security through Obscurity is **ALWAYS** bad. If I pay you for a system I damn well better know the minute you know of a hole in that system. And while MS is not telling its current customers about vulnerabilities in their system, they are selling more as being 'secure'. It's deceptive, period.

      --
    7. Re:Flamebait indeed by Chandon+Seldon · · Score: 1

      How many of the major programs used on NT are old VMS programs that now also target NT as a compilation platform?

      How close is NT to still being VMS?

      How close is Linux to still being Unix?

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    8. Re:Flamebait indeed by N3WBI3 · · Score: 2
      Here is your answer..

      Linux is closer to UNIX than NT is to VMS, but not much, and not very much at all in the lower levels of the OS..

      --
    9. Re:Flamebait indeed by user311 · · Score: 4, Informative

      Umm, yeah, but there is also Hacking Windows 2000 exposed - which is pretty much the same size as the other two. Hacking Linux exposed was more in depth than its predecessor, and the same with HEW2K. So your comment by no standards solves the question at hand, nor does it verify whether the article is flamebait.

    10. Re:Flamebait indeed by benhaha · · Score: 1
      Security through Obscurity is **ALWAYS** bad.

      Care to tell me your password then?

      Security through obscurity is -- duh -- a useful additional tool when used in conjunction with a fanatical attitude to security and rapid patching of holes. There will always be a lead time of some period between the discovery of an exploit and the release of a tested patch, and the fewer people who know about it in the meantime the better.

      Microsoft fall down because the speed at which they fix problems is too slow, not because they try to keep them from script kiddies in the intervening time.

      --
      NO ID: BEING FREE MEANS NOT HAVING TO PROVE IT
    11. Re:Flamebait indeed by Reziac · · Score: 2

      Yeah, I saw the new book .. one more to pick up for my library :) But the real point is, if you're going to admin, you need to be aware that you can't just throw linux at your server and assume it's automagically secure. There are plenty of pitfalls even if one isn't afflicted with IE and Outlook.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    12. Re:Flamebait indeed by N3WBI3 · · Score: 2

      No but I will give you the crypt, I don't use abc123 or my name because I am relying on a piss poor password and just hoping because nobody knows it I'm safe, kind of like relying on a piss poor application or hoping nobody violates your system because you have not published a vulnerability..

      --
    13. Re:Flamebait indeed by benhaha · · Score: 1
      kind of like (...) hoping nobody violates your system because you have not published a vulnerability.

      No-one is going to compromise a vendor's product because they have not published a vulnerability. They may do so because both of the following are true:

      1. They have not patched the vulnerability and/or released information about how to close the hole on systems which can do so without harm
      2. The information about how to exploit the vulnerability is in the public domain.

      Because, the thing you seem to be missing is, that publishing vulnerability information doesn't automagically make the customer invulnerable. Perhaps you can explain why you think it does?

      --
      NO ID: BEING FREE MEANS NOT HAVING TO PROVE IT
    14. Re:Flamebait indeed by Chandon+Seldon · · Score: 1

      My real point is that Linux and Unix share an application base. Most of the major programs that are used on UNIX will run on Linux just by recompiling.

      I bet you couldn't find a single major program that will run on both VMS and NT but not Unix a/o Linux.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    15. Re:Flamebait indeed by N3WBI3 · · Score: 2
      Black hats know about vulnerabilities
      1) Before they are fixed
      2) Before the vendors inform owners of their software of the vulnerability

      This is inexcusable, maybe if I know about an unfixed vulnerability I may move some critical data off of a vulnerable system, or take a network segment off the internet, or block a certain port, or one of a thousand things that can protect me against people who know about the problem.

      Slapper is a good example, assume that slapper was out before the patch, if you know what it is and how it works you can just do a touch on the file it tries to compile to and set the rwx to 000.

      --
    16. Re:Flamebait indeed by N3WBI3 · · Score: 2

      Why the hell does the application base mean anything when talking about the structural security of the operating system.

      --
    17. Re:Flamebait indeed by PyTHON71 · · Score: 1
      The eponymous title "Anonymous Coward" fits you really, really well.

      sung to the tune of "Spam":
      FUD, FUD, FUD, FUD,
      FUD, FUD, FUD, FUD,
      Lovely FUD, wonderful FUD!
      Lovely FUD, wonderful FUD!
      ...ad nauseam.

      Daniel.

      --
      Free software, not Iraq, because Bill Gates is evil & Saddam is just misunderstood.
    18. Re:Flamebait indeed by Chandon+Seldon · · Score: 1

      The underlying NT "core os" has had about the same number of major security problems as the Linux kernel... none.

      Where you get security holes is in applications. For example, IIS has had more major security holes than Apache. Apache is based on NCSA httpd, which wasn't developed for Linux - it was developed for Unix.

      For a better example, look at Sendmail vs. Exchange. Sendmail was, for the longest time, one of the least secure pieces of software out there. By the time Microsoft released Exchange, Sendmail had matured enough that even though every other Unix hole was still attributable to Sendmail, it managed to be more secure than the newly-released Exchange.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    19. Re:Flamebait indeed by N3WBI3 · · Score: 2

      You gotta be kidding the number of stack overflows alone in the NT core OS is more than all linux based issues..

      --
    20. Re:Flamebait indeed by benhaha · · Score: 1
      Black hats know about vulnerabilities
      1) Before they are fixed
      2) Before the vendors inform owners of their software of the vulnerability

      And how do they know? Occasionally they may discover them for themselves, but surely the gospel of Full Disclosure is good news for them.

      Slapper is a good example, assume that slapper was out before the patch, if you know what it is and how it works you can just do a touch on the file it tries to compile to and set the rwx to 000.

      Firstly, Slapper is an exploit, not a vulnerability. Information about how to defeat Slapper such as the example you just gave can be released without releasing any information about the vulnerability at all. That's a completely irrelevant example.

      Secondly, it is often possible to release information about how to make systems less vulnerable without releasing any information about what the vulnerability is. What is inexcusable is giving script kiddies recipes to allow them to break into systems which can't be turned off because the vulnerable daemon is being used for a mission critical service. Such information should be kept strictly under wraps until a patch has been out for a couple of weeks at least.

      --
      NO ID: BEING FREE MEANS NOT HAVING TO PROVE IT
    21. Re:Flamebait indeed by samjam · · Score: 1

      White Hats and Null Hats also know about vulnerabilities
      1) Before they are fixed
      2) Before the vendors inform owners of their software of the vulnerability - thankfully.

      The gospel of full disclosure is "good news" to these (me) too.

      So they (I) can take steps to reduce their own vulnerability. Recent OpenSSH holes could be closed without the fix merely by disabling certain kinds of rarely used authorisation.

      Decent sysadmins can often work out decent safety procedures till the official fix.

      I don't want to HAVE TO rely on someone else's set of approved "white hats" to come up with a short term fix to suit my needs pending an "official" (whose?) fix, I want to be able to do it myself.

      Thank heavens for open source, too.

      I don't think releasing this information is inexcusable, I think holding it back is inexcusable.

      I don't feel the need to argue my point to the satisfaction of anyone in particular, but I will exchange information with those who agree with me, you may feel free to not exchange your information with those who agree with you, for the duration of the embargo period.

      I maintain this view after having had a remote with no direct access hacked 3 times and having recovered each time.

      Because of my views I don't feel the need to have to judge between vulnerabilities and exploits and how much information on one might leak of another.

      Sam

    22. Re:Flamebait indeed by samjam · · Score: 1

      "Microsoft fall down because the speed at which they fix problems is too slow, not because they try to keep them from script kiddies in the intervening time."

      True, and I don't mind them keeping it secret either, I just don't want people saying I can't tell publish my findings to my friends and vice versa. I'm not in favour of a mandatory publish, and I'm against mandatory silence.

      I may choose not to patronise the silencers for no better reason than the silence, but what counts most of all is a quick fix installed already.

      Sam

  39. The question is not Who? but HOW? by Nicolay77 · · Score: 3, Insightful

    Who is better, bigger faster? That doesn't help any community very much either.

    What is good is to ask how to make actual systems better, to catch up faster with patches and so on.

    My try:

    Besides disabling unneeded daemons, automatic updating should be a priority for almost all users, at least for every desktop (not hardcore) user. MS would have that right if they weren't pushing EULA changes with every update. And checksums of packages would start to be a serious thing, not something we saw but ignore in the same web page as the .rpms, .isos or .exes.

    But this automatic updating should be entirely configurable, because hardcore users, admins and so on can't rely on third parties to check the compatibility of every patch with the endless configuration they have done. Auto-update could be enabled in any vanilla system, and disabled per package with dependencies with a CLI and GUI tool.

    Ohhh, and making sure that this autoupdate doesn't have any bugs too! (as far as possible). Maybe SSH and server keys in the .isos to prevent man in the middle virus patch attacks.

    Just a thought.

    --
    We are Turing O-Machines. The Oracle is out there.
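
The update gate proposed in the post above (automatic updates that can be held per package, with package checksums actually enforced), as an added example that is not part of the original thread. The package names, payloads and the sha256sum-style manifest are constructed, and the manifest is assumed to have been authenticated already, for instance against a key shipped on the install media as the post suggests.

```python
"""Added illustration: decide which downloaded packages an auto-updater may install.

Assumptions (not from the thread): the package file names, the sha256sum-style
manifest format, and that the manifest itself was authenticated beforehand.
"""
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdef")


def parse_manifest(text):
    """Parse sha256sum-style lines ('<digest>  <name>') into {name: digest}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):  # sha256sum marks binary mode with '*'
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        if name in entries:
            # Two digests for one file would let an attacker pick the one that matches.
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def plan_updates(downloads, manifest_text, held=frozenset()):
    """Return {package: decision} for every downloaded package.

    downloads: {file name: payload bytes} as fetched from the mirror.
    held: packages the admin has excluded from automatic updating.
    """
    manifest = parse_manifest(manifest_text)
    plan = {}
    for name in sorted(downloads):
        if name in held:
            plan[name] = "held"  # admin opt-out wins, nothing is installed
        elif name not in manifest:
            plan[name] = "reject: no checksum published"  # fail closed
        else:
            actual = hashlib.sha256(downloads[name]).hexdigest()
            if hmac.compare_digest(actual, manifest[name]):
                plan[name] = "install"
            else:
                plan[name] = "reject: checksum mismatch"
    return plan


def demo():
    """Run the gate over constructed sample data."""
    published = {
        "editor-1.2.pkg": b"editor payload",
        "mailer-2.0.pkg": b"mailer payload",
        "kernel-2.4.pkg": b"kernel payload",
    }
    manifest = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}"
        for name, data in published.items()
    )
    downloads = dict(published)
    downloads["mailer-2.0.pkg"] = b"mailer payload, modified in transit"
    downloads["extra-0.1.pkg"] = b"package the vendor never listed"
    return plan_updates(downloads, manifest, held={"kernel-2.4.pkg"})


if __name__ == "__main__":
    for package, decision in demo().items():
        print(f"{package:18} {decision}")
```

A checksum only detects tampering when the manifest arrives over a channel the attacker does not control, which is why the manifest's own authentication is the part that carries the weight.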
    1. Re:The question is not Who? but HOW? by Anonymous Coward · · Score: 0

      Why you've just described "Software Update" on OSX. Damn Apple is there first yet again.

  40. Well, a lot of Linux developers are foreign by typical+geek · · Score: 5, Funny
    so your Big National Laboratory has a point about trusting an operating system that's been put together by people who aren't American. Many are Europeans, who because they live in a socialist, pacifistic paradise are insensitive to the security needs of a government agency entrusted with keeping the world safe under the Pax Americana. Many Open Source developers are from third world countries like India, Taiwan and LapLand. Their standard of living is so poor, and Open Source pays so poorly, that they can easily be bribed by a handful of rupees or drachmas or pounds into including assembly language Trojan Horses that would fatally compromise the security of Linux.

    I think your IT director is right, rely on an American Operating System, coded 100% by Americans, yes, we're talking Microsoft Windows 2000. Deep in their heart of hearts, Bill Gates, Staver Ballmore and Jim Allchin know that America is the best country for them to live in (if they lived in England, half their personally generated wealth would be taken away to buy heroin for junkies), and they will work hard to make a safe OS that will ensure the American hegemony.

    Linux is fine for a hobby, but I wouldn't trust my country with it.

    1. Re:Well, a lot of Linux developers are foreign by ichimunki · · Score: 1

      Bwahahahaahahahah! Thank you for the best laugh I've had this morning.

      --
      I do not have a signature
  41. Paranoid by ronaldocv · · Score: 1

    Man, what a paranoid opinion... People still misunderstand the meaning of free software. Using a Red Hat Linux is as dangerous as using Windows OS. There are no hacker-made Linux anymore: everybody use well-supported distros like Red Hat, Mandrake, Conectiva. You don't have to worry about alien, russians, nazis, hackers or even Bill Gates breaking through your box! By the way, is there something that assures you that Microsoft does not collect users information? Think about it! Think that people use Windows to access Internet for more than 6 years. Remember "Conspiracy Theory", with Mel Gibson. Are "they" tracking everything you do since then? Boooooooooooo!

    1. Re:Paranoid by Anonymous Coward · · Score: 0

      More importantly, what if the shoemakers have been putting bugs and tracking devices into shoes? Think about it! Look at all that space in the bottom of the shoe! How often do you wear shoes?

    2. Re:Paranoid by ncc74656 · · Score: 2
      There are no hacker-made Linux anymore: everybody use well-supported distros like Red Hat, Mandrake, Conectiva.

      I guess that makes me nobody, then. I suppose there are more nobodies out there as well.

      --
      20 January 2017: the End of an Error.
  42. What an incredibly racist thing to say by PhysicsGenius · · Score: 0, Troll
    First of all, it takes a lot of brains to code for Linux. Your typical American high school graduate, for instance, would never be able to handle the doubly-linked, struct-ified lists that are common throughout the kernel code. It takes a full 4-year college education to be able to work with that kind of high-level paradigm, which is why most of the successful hackers are PhDs.

    Second, those hackers smart enough to code for Linux have generally been smart enough to move to America and get an American citizenship. They are smart enough to understand that what keeps Americans safe is the 2nd Amendment. They are no longer crouching in their stinking hovels with nothing but a Dell laptop to their names.

    You may call Linux a hobby, but think of a guy with a woodshop in his basement. Would you rather use a bookshelf that he himself lovingly made from only the finest parts or would you rather buy a $15 piece of laminated crap from WalMart?

    1. Re:What an incredibly racist thing to say by Anonymous Coward · · Score: 0

      It takes a full 4-year college education to be able to work with that kind of high-level paradigm, which is why most of the successful hackers are PhDs.

      Any high school kid can just buy the "Hacking Exposed Linux edition" No PhD required.

  43. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  44. Re:Clueless admins vs. byzantine systems and bad d by GigsVT · · Score: 5, Insightful

    Playing devil's advocate here but....

    MS could have documentation that is just as good, and contextual like a squid conf file.

    The problem is that people stop clicking the question mark cursor (contextual help) after doing it about 10 times and getting "This is a text box, you enter text into it" or "click the check box to toggle this option on or off".

    So, IMO, it's not so much that they can't, it's that they don't.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  45. Microsoft Office by tmark · · Score: 3, Insightful

    I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen

    That would be a good point if not for the fact that 1) Microsoft Office is not part of Windows, and 2) a lot more people would switch to Linux on their desktop if Microsoft Office (and not some pale imitation) were available on Linux. But it isn't, is it?

    1. Re:Microsoft Office by jedidiah · · Score: 2

      Your statement contradicts itself.

      If people are unable or unwilling to run Linux because msoffice is not available for it, then msoffice is for all practical purposes a part of Windows.

      Otherwise, they could just run PerfectOffice or SmartSuite and perhaps avoid the permissiveness of MS applications.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:Microsoft Office by sp!keball · · Score: 1

      Which 'imitation'? StarOffice? OpenOffice? AbiWord?
      I would like to know in how far which programs are just pale imitations of M$Office, since nothing much bad could be said about OpenOffice, for example. The UI is pretty much intuitive and reading/writing .doc, .ppt etc. extension files from all versions works with only few flaws in most cases, sometimes even perfectly.

      --
      "Karma: Bad (mostly affected by moderation done to your comments)" Mods@/. != geek?
    3. Re:Microsoft Office by Black+Copter+Control · · Score: 2
      It's a lucky thing that I'm not metamoderating. I could let someone get away with calling it 'interesting', but to moderate such a convoluted and almost self-conflicting argument as 'insightful' makes my logic circuits curl.

      The vast majority of people who don't run Wintendos for server applications have Office Suite running on it. I wouldn't be surprised if there are some server applications that also require users to load Office.

      In any event, with such a high percentage of Windows users also having Office loaded, the security issues caused by Office are effectively a Windows problem -- and it's a really nasty security problem.

      Windows' fuzzy delineation between the user and the system doesn't help things much, either.

      --
      OS Software is like love: The best way to make it grow is to give it away.
  46. Trust noone! by Anonymous Coward · · Score: 1, Insightful

    Perhaps the question is not how many exploits are found in "my" or "your" os but what occurs after they are found. ie. turnaround time, transparency, propaganda et al... I would not trade the OS model for the most "angelic" vendor on earth 'cause they'd still be a vendor with their own interests ahead of mine.

    And to address the "ease of patching" debate, yes, MS make it easy to apply more closed source code or patches that the end user has no idea about apart from what MS tells them. Remember Windows Media Player... OTOH RH provides the CL utility autorpm that allows checksum verification and auto-follow-deps... Point it at your local FTP mirror sometime....!

  47. Damn spelling! by Anonymous Coward · · Score: 2, Insightful

    Look, some grammatically inclined Slashdot readers can be really picky about spelling and grammar in articles. Maybe it gets on your nerves or maybe you laugh it off.

    But "weather" instead of "whether" being posted? That is the kind of mistake an elementary school student would make. Okay, I'll be extra forgiving and say a junior high school student might make that mistake. That is really fucking pathetic nonetheless.

    You could change it now, but you won't. That is the *most* confusing part.

    I just can't pay for Slashdot when I can't feel like it is a professional product (meaning that you took the extra 4.5 minutes per day to actually look over the spelling of single-paragraph articles). You may think that's ridiculous, but I think the grammar here is ridiculous, so I guess we both have our opinions. I don't want your money though.

    1. Re:Damn spelling! by Syris · · Score: 1
      I must admit that I get pretty irritated with the ridiculous grammatical errors that often make their way into /. posts.

      That being said, I think someone needs to settle down a little.

    2. Re:Damn spelling! by c0rtez · · Score: 1

      EXACTLY! Slashdot, please hire an actual Editor. You know, those guys they have at newspapers? They make sure stories are "fit to print," (to paraphrase the NYT) checking for spelling errors, grammatical errors, and relevancy. Wait - /. already has editors... How bout hiring one with an English degree, then?

  48. biased opinion. by Anonymous Coward · · Score: 1, Insightful

    "Linux, which is even newer than Windows and is not controlled by a single
    commercial entity, can be expected to have even more vulnerabilities than
    Windows. Hemmendinger commented, "I see a lot more stuff coming across
    BugTraq [about Linux] than any flavor of Unix or any Microsoft operating
    system."

    The guy who wrote this obviously didn't think that maybe more stuff goes through bugtraq for Linux because there are people actually working to resolve the issues immediately...instead of leaving the problem for 6 months or more to then release 1 big fix.
    I think the fact that it is not controlled by a single entity is much better because then no one is relying on that 1 single entity to resolve issues...which also strengthens the theory behind Open Source software. The software is open to find the bugs and vulnerabilities, and it's open to be resolved. People are grateful when someone points out a vulnerability or bug in linux or its software because teams can begin working on it immediately, whereas Microsoft would most likely see you in court for letting everyone know of any vulnerabilities or bugs.

  49. The OS you know best will be the most secure. by doodleboy · · Score: 5, Insightful

    I've used UNIX and Linux for close to ten years, and by now I have a pretty good idea how to do things in a secure and functional way. I've only had to admin an NT box once, and I migrated services off of it as quickly as I could.

    Why? Not because I had any direct evidence of insecurity (this was before the real flood of NT vulnerabilities began), but because I knew I could do a better job with the tools I knew best.

    But also:

    - the NT machine tended to bluescreen every month or so for no apparent reason. The MCSE on staff was not overly troubled ("Oh I see the problem, it just needs a reboot"), but its flakiness did not fill me with confidence.

    - the MS tactic of bundling the kitchen sink with the OS is just asking for trouble. Linux's modularity means you don't have to have a graphics layer on the server, for example, or any other unnecessary frills that provide opportunities for crackers.

    - I believe the full-disclosure bug reporting model is orders of magnitude more responsive than what you get from proprietary vendors. Afaik, lots of reported linux bugs == lots of bugs get fixed because lots of people have access to the code.

    - really excellent security tools are freely available: iptables, xinetd, snort, tripwire, nessus, nmap, chroot, etc. An interested beginner could make a linux server very hard to break into. I know {NT,W2K,XP} has more wizards and stuff, but is it easier (or even possible) to really see and control what's happening with the OS?

  50. Several problems by mfos.org · · Score: 5, Insightful

    1) The author cited as fact that the age of the operating system is directly related to its security, without any kind of proof. This makes sense at first glance, but it ultimately glosses over the fact that both OSes are in constant development. New features are added every day. This might make sense if, after developing the system, all the time after that was spent patching and debugging, but this isn't the case.

    2) The author has no concept of service vs. system. Most vulnerabilities are in services, not at the kernel level. All Linux is just a kernel. Packages are added to make a usable Linux distro.

    3) The author cites number of bugtraq entries as a way of gauging relative security, without considering the severity. Also, bugs, like those reported to Security Focus aren't the only vectors of compromise.

    4) Open source software, by virtue of being free, allows an administrator to install much more security software for his dollar. Firewalls, IDSes, advanced cryptographic file systems, HIDS, and virus scanners can all be downloaded for free.

  51. My Mom is about to go back to Windows by xeno-cat · · Score: 1
    Actually, what you're describing is COM, which is the binary codification of virtual pointer tables.

    ActiveX is a BS marketing term MS came up with so they could promote the things you can do with COM. It's splitting hairs I know but ActiveX, the vptrs, marketing, application integration and the whole ball of wax really are a serious problem for security. COM and DCOM have no effective security model, at least when I was using them in '98. I never really got into COM+ or whatever it was as I never opted to take another MS platform job after that last one.

    Kind Regards

    --
    "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
  52. Re:4 out of 10 americans support annexing canada by avgjoe62 · · Score: 3, Funny

    Does Canada have a secure OS?

    --

    How come Slashdot never gets Slashdotted?

  53. BugTraq... by Squidgee · · Score: 3, Interesting
    Now that I've thoroughly chastised the author about his spelling..

    The fact that there are less bugs on BugTraq pertaining to Windows than there are to Linux is beside the point: Most Windows users don't give a damn about posting on BugTraq. Most Linux users want to improve their OS, so they do post on BugTraq. And if Windows users did care...oh boy would BugTraq see some bugs...

  54. GNU is Not Linux! by RAMMS+EIN · · Score: 3, Interesting

    ``Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.''
    What they're forgetting here, though, is that Linux is actually GNU/Linux. The Linux kernel is a relative newcomer, but the GNU utilities that it uses have been in existence for quite a while, and have a history of testing on various Unices, etc. etc. These days, what matters is mostly the security of programs that connect to the 'Net. Vulnerabilities exist on both sides, but tend to be more braindead with Windows programs. M$ Outlook Express executes .exe attachments disguised as audio/x-midi inserted in HTML mail...WTF? Linux users are more likely to patch or upgrade to more secure software. The programs used matter, but the human factor can't be ruled out, either.

    ---
    Running as root is bad. I don't want to run as root. But now I can't modify my config files... Hmm, chmod -R o+w /etc/*
    Good, now I feel a lot safer...

    --
    Please correct me if I got my facts wrong.
  55. Well how about that title? by xeno-cat · · Score: 1
    Odd, it populated the title field with something from a previous post. Must have told it to save the form when I logged in or something.

    Anyway, my mom seems to want to stick with Linux after all, just in case you were worried.

    Kind Regards

    --
    "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
  56. Re:i agree by Anonymous Coward · · Score: 0

    If that was really the argument put forward by Eric Raymond, it is an incredibly stupid one. Competition does not generally occur on the sub-product level, and is fairly irrelevant to the product-development process. Ford and Volkswagen, for example, independently design their cars through the 'cathedral' process, and they then compete in the market.

    It may be that letting random people design a new car would produce interesting results (although I very much doubt it would be better than what, for example, Volkswagen's engineers could come up with), but it would not be the only car based on competition, since the engineers at all car firms are very focussed on what their competitors are doing.

  57. Hey good point! by Marc2k · · Score: 1

    Because, ya know, installing the ubiquitous productivity suite made by the same software company as the operating system it runs on sounds like stacking the decks to me!

    --
    --- What
  58. Re:4 out of 10 americans support annexing canada by Anonymous Coward · · Score: 0

    Does Canada have a secure OS?

    Actually, they do.

    Better than that Lunix crap.

  59. Windows vs. Linux security-wise by fudgefactor7 · · Score: 4, Insightful

    (Ok, so that subject isn't that great, sue me) ;)

    I submitted this same story on the 11th and was amazed that it wasn't posted as it's an important debate, not to mention one that is extremely volatile (which might be why it wasn't until now--get the Monday crowd, so to speak).

    At any rate, there have been tests done that disprove the OSS-is-more-secure model, basically stating that either style (OSS or Closed-Source) can be equally secure. We all know that. What I think is interesting is exactly how both camps go about the same thing (ie: security).

    The OSS people find a bug, the author of the affected application is notified (probably by hundreds of affected people, or by bugtraq, or something like that), and he/she fixes the bug, releases a patch or new version and the world is more or less happy. (Some apps might not work, but then that's not the problem of the author.) Time from bug to "fix": about 2 weeks (at most).

    Closed-Source people get a bug report, then they have to see where it is in the code, fix it (and here the similarities end) because there is (at least in the commercial business) a desire for backward compatibility and what MS likes to call "regression testing." Once that arduous process is done a patch is released. Time from bug to "fix": at least 2 weeks (unless you're lucky.)

    Really, the only thing I see different is the time involved, both bugs get fixed, but OSS doesn't have to test it with previous releases--the author only has to make sure it works on a "vanilla" install; whereas someone like MS has to make sure that it doesn't break anything going as far back as, say, Windows 98. (Which is pretty far back in computer time.)

    I think the real way to describe it is that OSS is made secure faster than Closed-Source. Speed being the essence, that's the rub. If I want security I'd like it now, not later.

    1. Re:Windows vs. Linux security-wise by Anonymous Coward · · Score: 0

      So you are willing to put a patch in your system not having any confidence that it won't prevent any of the real work you do on that computer from being done? As a developer of a really really secure OS, I sure wish I didn't have to do regression testing. Save me $ and time. But my customers want security and functionality and a minimum of migrations and interruptions to their real work.

      Actually, I think Microsoft's approach is closer to preferable. And so do my customers.

      In my world, you fix the bug, then you try a lot of testing around the area you fixed just to make sure you didn't screw other things up. Then you get your code reviewed in writing by 4 10-year average system architects each of whom have the power to fail it, then you hand the code to a tester who was neither the programmer nor the reviewer. Then your patch can get committed and go into integration testing. Then it goes into beta testing. And finally it goes out. This in a system designed for security as a priority over all else. It's possible, folks, just expensive as heck and slow.

  60. The history of bugs... by rosewood · · Score: 5, Interesting

    Once again we have an article that forgets the history of bug tracking and CERT. There was a time where everyone thought it would be best to alert the company first and let them fix a patch. Then we saw time and time again a company sitting on a problem and not wanting to issue a fix until the next big release they could sell.

    Then, the idea was to make a bug known publicly so that the company couldn't hide. Unfortunately, the company then denied that such an attack was possible. This led to the requirement of posting source or an example program that exploited the program - which before was just sent to the company - into the wild.

    This brings us to where we are now: Everyone (sysadmins, crackers, hackers, the media, and the company) knows about the problem and how it works at the same time. This means the company HAS to patch their software. This also gives your sys admin a better chance since he can know about an exploit and immediately begin watching it or take the affected program away until a patch is issued.

    The down side of course is smbdie being posted on /. and everyone in the university using it to crash computers campus wide. However, these idiots, the idiot sys admins and the idiots that made smbdie possible all had equal amount of time to do what they needed to do.

  61. What is this guy talking about? by ellem · · Score: 5, Interesting

    Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

    This makes no sense for several reasons:

    1 -- "a lot" more; how much is "a lot"?
    2 -- Linux the kernel or does he mean Red Hat?
    3 -- Didn't MS make a big deal about NOT posting to BugTraq for (snicker) "Security Reasons"?

    Hemmendinger sounds like a shill to me, and I don't even use Linux (Red Hat, et al) anymore.

    --
    This .sig is fake but accurate.
  62. Wasted damn near 2 1/2 decades by Anonymous Coward · · Score: 0
    If you can't figure out what rc script is starting your FTP daemon in less than two minutes. Then you can see if it's been updated or not - or if the process it starts has changed.

    "Shut-down and re-start"!?!?!!?! WTF kind of troubleshooting is that?!?! Why do I have the feeling you don't know what you're doing? It seems that Must Consult Someone Experienced doesn't apply here...

  63. Linux security... by Junta · · Score: 3, Interesting

    First of all is hard to nail down what exactly that means. When most people utter those words, they refer to Apache/Linux/Linux Apps vs. IIS/Windows/Office.

    Very few security issues in the recent past have really had much to do with Windows itself, mostly IIS and some Office/IE vulnerabilities. Even with those, frequently the problem is that the administrators of targeted systems are not sufficiently security minded. Also, MS products draw a lot of attacks, simply because the systems are such a large target.

    The enhanced security of Linux, at least in part, is a self-fulfilling prophecy. When administrators are highly security conscious, they will often go to Linux to drastically reduce the sheer number of attacks they receive and are influenced by reputation. Sure Linux boxes with Apache have had a number of problems and worms, but those administrators are far more likely to update Apache than IIS administrators.

    One thing that really does make me think it would be difficult to update Windows as easily as Linux systems is the model for updating busy files. Under linux, the in-use inodes are kept open for the processes that need them, but the filesystem is updated for future processes. Under windows, the file updates are scheduled for reboot. Since so many of the updates for Windows touch so many files, updating IIS will likely require a reboot, huge no-no for mission critical apps..... Aside from that, I'm not so sure that Windows is that much less secure. However, I prefer linux because it *is* more flexible..

    --
    XML is like violence. If it doesn't solve the problem, use more.
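
The Linux half of the busy-file behaviour described in the comment above, as an added example that is not part of the original thread: a file replaced by rename keeps serving its old contents to any process that already had it open, so a patched library protects nothing until the processes using it are restarted. The file names, the sample `/proc/<pid>/maps` text and the function names are constructed for illustration.

```python
import os
import tempfile


def replace_file_atomically(path, new_bytes):
    """Install a new version by writing a temp file in the same directory
    and rename()-ing it over the old name, as package tools usually do."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_bytes)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # old inode stays alive while anyone holds it open
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def is_stale(handle):
    """True if the open handle refers to an inode that is no longer the one
    reachable at its path (the file was replaced or unlinked)."""
    held = os.fstat(handle.fileno())
    try:
        current = os.stat(handle.name)
    except FileNotFoundError:
        return True
    return (held.st_dev, held.st_ino) != (current.st_dev, current.st_ino)


def demo():
    """Replace a file while a 'running process' holds it open."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "libexample.so.1")  # constructed stand-in
        with open(path, "wb") as f:
            f.write(b"version 1 (vulnerable)\n")
        running = open(path, "rb")  # stands in for a long-lived daemon
        stale_before = is_stale(running)
        replace_file_atomically(path, b"version 2 (patched)\n")
        with open(path, "rb") as fresh:
            new_contents = fresh.read()
        result = {
            "stale_before": stale_before,
            "stale_after": is_stale(running),
            "old_handle_reads": running.read(),
            "new_open_reads": new_contents,
        }
        running.close()
        return result


# Constructed sample in the format of /proc/<pid>/maps. The kernel appends
# " (deleted)" to the path when the mapped file no longer exists on disk.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 393449 /usr/sbin/exampled
7f1c2a000000-7f1c2a05e000 r-xp 00000000 08:01 131090 /usr/lib/libexample.so.1 (deleted)
7f1c2a25d000-7f1c2a262000 rw-p 0005d000 08:01 131090 /usr/lib/libexample.so.1 (deleted)
7f1c2b000000-7f1c2b021000 rw-p 00000000 00:00 0
7ffd5e3f0000-7ffd5e411000 rw-p 00000000 00:00 0 [stack]
"""


def needs_restart(maps_text):
    """Return the replaced files a process still executes code from, i.e.
    executable mappings whose backing file is marked deleted."""
    suffix = " (deleted)"
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no path
        perms, path = fields[1], fields[5].strip()
        if "x" in perms and path.endswith(suffix):
            stale.add(path[: -len(suffix)])
    return sorted(stale)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
    print("restart needed for:", needs_restart(SAMPLE_MAPS))
```

On a live Linux host the same check can be fed the contents of `/proc/<pid>/maps` for each process after an update.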
  64. Weather? by selectspec · · Score: 1, Flamebait

    "Weather" is a noun referring to the state of the current atmospheric conditions.

    "Whether" is a conjunction used in indirect questions to introduce an alternative.

    "Editor" is one who prepares written material for publication or presentation, as by correcting, revising, or adapting.

    --

    Someone you trust is one of us.

  65. With the exception of OpenBSD by flinxmeister · · Score: 5, Insightful

    Almost nothing is routinely secure "out of the box". And even OpenBSD has had its share of black eyes.

    It's not a question of "How secure is it"...it's a question of how securABLE it is. IIS is securable, so is Apache. The problem with IIS is that it's usable by the low end of the technical spectrum who don't know or don't take the time to secure it. People who use *nix/*nux and Apache are almost techies by definition. They generally have the attitude to secure their boxes.
    The irony is that with a flurry of points and clicks, IIS is easier to secure than Apache. However, nobody does it.

    1. Re:With the exception of OpenBSD by Anonymous Coward · · Score: 0
      IIS is securable

      But only if the computer has no network connections.

  66. mac classic by Anonymous Coward · · Score: 0

    ---umm, I am guessing if what you say is true that you make enough money to afford any normal computer you want out of your own pocket. with that said why don't you use mac classic on a newer model souped up tower? not osx, "classic". Try running that idea past your higher ups and see if it passes muster. I know you lose that groovy 1337 feeling of having the command line, but if security is the issue..... well? well? anyone care to comment?

  67. The real vulnerability by SatanicPuppy · · Score: 4, Insightful

    What everyone seems to be missing is the difference in scale between a windows exploit, and a linux exploit.

    Linux, if you hack a mail client you can send spam to people on YOUR mailing lists.

    Windows, if you hack a mail client you can send mail to people on THEIR mailing lists.

    Most times linux exploits get you the very lowest level of security access. Yea, you got in, but you hardly got root privileges out of it.

    Windows on the other hand, has several known and documented exploits that not only get you in, but get you admin privileges to go along with it.

    Linux is very protective of its hardware access (As anyone who's ever tried to run games will tell you. =P). Windows, on the other hand, goes out of its way to make hardware access easy and painless, both to the user and the abuser.

    Exploits exist for both systems. But which ones would you rather have to deal with?

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  68. Yes, riiiight... by reynolds_john · · Score: 1

    And my Linux box combined with a rootkit makes it more vulnerable than Windows + Office!

    Duh.

  69. Really? by Marc2k · · Score: 1

    That's kind of funny, I was reading their distribution's web site news (which goes back to Dec. 2000), and I didn't see any mention of that, though I did see mention of work being done on integrating with Linux 2.5, posted in late August. How odd, no one must have told them that the project ended, according to your comment.

    --
    --- What
    1. Re:Really? by blibbleblobble · · Score: 3, Informative

      How odd, no one must have told them that the project ended, according to your comment.

      What am I, a journalist that I must check my sources rather than just commenting from memory?

      A google-search, as usual, turns up varieties of information. I discovered the following article on ZDNet news with a 2002 date at the bottom.

      [Of course, this might be an auto-generated copyright statement using the current year, but I dread to think the legal implications of them doing that on something written before they claim]

      Quoted text follows:

      SE Linux may be the NSA's last direct contribution to open-source
      security, however. Because of the loud criticism, the NSA will have a far
      less direct role in the creation of more secure versions of open-source
      software.

      "We didn't fully understand the consequences of releasing software under
      the GPL (General Public Licence)," said Dick Schafer, deputy director of
      the NSA. "We received a lot of loud complaints regarding our efforts with
      SE Linux."

      Many complaints criticized the agency for providing the fruits of
      research to everyone, not just US companies and thus hurting American
      business.

      While stressing that the agency received a loud chorus of support as
      well, the chagrined Schafer said that the issue was contentious enough
      that "we won't be doing anything like that again."

      Sources familiar with events said that aggressive Microsoft lobbying
      efforts have contributed to a halt on any further work. "Microsoft was
      worried that the NSA releasing open-source software would compete with
      American proprietary software," said a source familiar with the
      complaints against the NSA who asked not to be identified.

      Microsoft would not comment directly on its lobbying efforts, but did
      stress that it wanted to ensure the government continued to fund
      commercial ventures. "The federal government plays an important role in
      funding basic software research," said a Microsoft representative. "Our
      interest is in helping to ensure that the government licenses its
      research in ways that take into account a stated goal of the US
      government: to promote commercialization of public research."

  70. The Admin is as good as the Documentation... by vrypan · · Score: 5, Insightful

    he has access to.

    My experience is that it is really hard to find *good* documentation for advanced topics in the Microsoft world. (especially when you need it). I guess that there are good books out there, but when I needed information I was not at the bookstore.

    On the other hand, Linux/Unix is very well documented. And when you hit the wall, you can always look around in the source code.

    Panayotis.

  71. Open Source by Anonymous Coward · · Score: 0, Offtopic

    When you get older you will stop caring about trivialities of teen angst like worrying over freedom of software, manufactured bands like Britney Spears or "evil" Microsoft.

    Teen angst is something that results when you realize that the whole world is screwed up and you only have a few useful years to do anything about it before you get sucked into being a part of why its so messed up. Post-teenage angst is that hopelessness that you feel when you realize you wasted your only chance to change your miserable little corner of the universe on keg parties and chasing after females that rejected you anyways, and now you've been sucked into the whole machine and must grind out your remaining years as another redundant cog that perpetuates the whole thing.

    I know. I was you, now I am the cog in the machine content in my own little niche and see absolutely nothing wrong with it.

  72. Re:Clueless admins vs. byzantine systems and bad d by Anonymous Coward · · Score: 0

    How do you disable what you don't know exists?

    I knew how to disable it, and I didn't require documentation. Maybe you just need to get a clue.

  73. a more secure windows by blurpy · · Score: 2, Insightful

    everybody has heard (and many agree) that any codebase will have x number of bugs (including vulnerabilities) per n lines of code. the more mature the codebase, the fewer bugs may remain, but they are still there. solaris has 'em, linux has 'em, even openbsd has 'em.

    no one should doubt the capability of microsoft's core programmers to create solid, robust and secure code. anyone who does, is not being serious.

    the problem arises because those same programmers must pack many things into a base os install. for example, to install windows and have it work means i must have the entire windowing system installed and operational. it also means that ie must be there. i have heard from a microsoft employee that if i remove the media player dll from a win2k box that the entire box will cease to function, though i have not confirmed this. i imagine there are others that could be added to this list.

    in the unix/linux world i have the option (though imperfect) of leaving out everything except the kernel, core libs, core services and the service / services i want the box to provide. all other code is not only turned off, it just isn't there. which means fewer lines of code, which means fewer vulnerabilities.

    last i checked, the majority of vulnerabilities for both win2k and linux came from various 'non-essential' programs, programs like the browser that i don't really need on a webserver. granted, there were quite a few for iis, but even its vulnerabilities come largely from additional, non-essential code that is automatically installed and required to be there, but for non-technical reasons.

    therefore, to make a more secure windows, that would conclusively compete with *nix in this arena, microsoft should release a version of windows that can be cut to the bare bones, something i could run headless, without a browser installed, without outlook express installed, etc.

    would microsoft business allow such a thing to happen? perhaps not, which means microsoft programmers will forever have the deck stacked steeply against them.

    it's too bad.

  74. nothing news worthy there at all by budgenator · · Score: 2

    In fact the only real hard statement, "Linux, which is even newer than Windows", is wrong. If I remember correctly, Linux was around when windows386 was out, and I know I was using Linux before Windows95 was released because I remember waiting to send in the free upgrade certificate on my first pentium machine. windows 3.10 was not an operating system by any means; it was a windowing environment built on top of DOS. Are they really saying that Windows XP has anything to do with 16 bit windows 3.10? I might buy an argument that Windows NT - Windows 2000 - Windows XP represent a line of evolution, but Windows 3.10 doesn't belong in there.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  75. Re: Microsoft and C2 by brokeninside · · Score: 2, Informative
    Per Microsoft SQL Server 2000, Windows NT 3.5, and Windows NT 4.0 have had successful C2 (4.0 by ITSEC at a "roughly C2" level) security evaluations. (Notice W2K is missing from that list.) Bear in mind that C2 evaluations are done on specific hardware.

  76. Today by Herkum01 · · Score: 1

    I am sure that Windows will weather any bad press comes from this weather you are comparing Windows Security to Linux or even TCO.

  77. the bottom line; period. by LifesABeach · · Score: 1

    i don't give a rat's behind about hype when it comes to the fact of security holes. it's how those holes are plugged that gets my attention. if the hole is not plugged, then its solution is smoke in my eyes. as a software contractor of secure internet solutions, i am forced to look at the bottom line. the solution of 'do not ask, and do not tell' is weak, and barren of life. maybe it's time to ignore the siren's song of usability for certain 3rd party operating systems. and for these same 3rd party operating systems with puffed up egos of to open source their product. frankly, i do not care. i stopped being disappointed when linux became usable for prime time business solutions.

    by the way has anyone noticed how shrill the hype is in certain washington state software firms?

  78. Perhaps... by Arker · · Score: 2

    Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

    Perhaps you hit the wrong button? I didn't write that, I didn't even quote it. I think your response is pretty much on the right track, though, as a response to the other poster. Except for the last bit which does seem to be a response to me, rather than the other poster...

    The thought that security problems in commercial software being a conspiracy to make way for DRM and DRM based operating systems is laughable. I remember back in the early 90's a similar theory that IBM was writing the more common DOS viruses as a method to promote the usage of OS/2 because at the time no one had ever heard of any OS/2 virii. The fact that there was little OS/2 file swapping because there was little OS/2 native software never came into people's minds.

    Ahh, but these are totally different circumstances, IBM didn't develop and market a technology that made it easier than before to write and propagate viruses, now did it? Microsoft has without a doubt done that in the case of ActiveX, going so far as to put an enormous amount of effort into trying to make it impossible to remove the security hole thus created, the only question is why... now it would be laughable I suppose if I suggested that this was the sole reason for ActiveX, there are clearly other reasons, but I think one would be seriously underestimating the collective intelligence level at Microsoft to suggest that they aren't at least aware of the effect this has had, and actively planning to market their DRM as a solution to the problem they've thus created.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  79. Prick by Anonymous Coward · · Score: 0

    The difference between your post and his (the elitist class bullshit), is that he was joking. You were not. Get a fucking clue.

  80. Repost of an excellent comment on the article... by Codifex+Maximus · · Score: 2
    In a comment on an article at www.newsfactor.com,
    mmontagne wrote:

    Not to belabor a point, but here's a real-world example of Microsoft "security." Here's some ACTUAL source code from a KLEZ virus -- which "technically" is an ActiveX object:
    --E3524f8Qw3mbOk6Ma4g8333eS45V
    Content-Type: audio/x-wav;
    name=Ymhx.pif
    Content-Transfer-Encoding: base64
    Content-ID:
    Engineers will recognize the extension indicates the attachment is a program information file -- which by Microsoft "security" measures is EXECUTED. Even neophytes will note the attachment claims to be an audio/x-wav file.
    Is there ANY means of determining the file is truly of the claimed type?
    No.
    Is there any system structure which will ONLY open the file with an audio player -- so it won't ruin our system?
    Of course not. This is MICROSOFT "security."
    There are thousands and thousands of VARIETIES of such exploits which can only attack Windows systems BECAUSE Microsoft "security" is nothing but a facade.
    In light of this, the concluding statement is particularly offensive. How this Hemmendinger is any kind of expert is beyond me:
    "You're still not immune," Hemmendinger said, "but you can be reasonably sure that [a vulnerability] that was publicized a year ago won't bite you."
    NOT SO AT ALL. EVERY KLEZ and every other ActiveX exploit before it CAN STILL get you, and WILL still get you, because there isn't the slightest HINT Microsoft will close the door to ActiveX.
    To further evaluate the security of Microsoft, consider this:
    Windows users SHOULD be familiar with the "security" option, "Script ActiveX controls marked safe for scripting."
    What Microsoft doesn't dare tell you after spending so many millions "training" engineers to write "safe" code is, what DOES mark an ActiveX control "safe" for scripting?
    The AUTHOR of the code does!
    Every virus writer in the world can simply indicate his script is "safe", AND THERE IS NO MECHANISM WHATSOEVER TO DETERMINE OTHERWISE!
    Safe? Security? You have to be kidding! What could get us a year ago can't get us now? No way in the world, partner.
    I'll "finish" with this however:
    Now, IF you were to trust a company to TRULY write secure software, WOULD you pick the company which for approximately A DECADE hasn't been able to write a "work offline" routine that won't immediately RE-DIAL the modem as soon as you work offline?
    Hah.
    "Security." Give us a break.
    Virus writers are usually NOT expert developers, and the only reason they so readily exploit Windows systems is the door is wide open to the most basic, crude "skills."


    --
    Codifex Maximus ~ In search of... a shorter sig.
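Added example (not part of the reposted comment and not any mail product's own code): a receiving-side check that compares the three things the quoted headers put in conflict, namely the declared Content-Type, the file name extension, and the leading bytes of the decoded body. It uses only the Python standard library; the extension tables, finding labels and the sample message are constructed for illustration.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows treats as runnable; an illustrative subset, not a complete list.
RISKY_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}

# Extensions that plausibly accompany a declared MIME type (assumed table).
EXPECTED_EXTENSIONS = {
    "audio/x-wav": {".wav"},
    "audio/wav": {".wav"},
    "image/jpeg": {".jpg", ".jpeg"},
    "text/plain": {".txt"},
}
WAV_TYPES = {"audio/x-wav", "audio/wav"}


def sniff(data):
    """Classify content by its leading bytes, ignoring every header claim."""
    if data[:2] == b"MZ":                      # DOS/PE executable signature
        return "dos-or-pe-executable"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio/x-wav"
    return None


def check_part(part):
    """Return the list of findings for one leaf MIME part."""
    findings = []
    declared = part.get_content_type()
    # get_filename() falls back to the Content-Type "name" parameter,
    # which is where the quoted headers carry the .pif name.
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    data = part.get_payload(decode=True) or b""

    if ext in RISKY_EXTENSIONS:
        findings.append("risky-extension")
    expected = EXPECTED_EXTENSIONS.get(declared)
    if expected is not None and ext and ext not in expected:
        findings.append("type-extension-mismatch")
    actual = sniff(data)
    if actual == "dos-or-pe-executable":
        findings.append("executable-content")
    elif declared in WAV_TYPES and actual != "audio/x-wav":
        findings.append("content-not-wav")
    return findings


def audit_message(raw):
    """Map each named part of a raw RFC 822 message to its findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            report[name] = check_part(part)
    return report


def build_sample():
    """Constructed message: one mislabelled part, one genuine WAV header."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    # Body is only the two signature bytes plus padding, not a real program.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="audio",
                       subtype="x-wav", filename="Ymhx.pif")
    riff = b"RIFF" + (36).to_bytes(4, "little") + b"WAVE" + b"fmt " + b"\x00" * 24
    msg.add_attachment(riff, maintype="audio", subtype="x-wav",
                       filename="chime.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in audit_message(build_sample()).items():
        print(name, findings or "ok")
```

A filter built this way quarantines on any finding; the declared type alone is never used to decide how a part is opened.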
  81. different kinds of security problems by b17bmbr · · Score: 1

    for instance, slapper requires that you install gcc on your server. if anyone installs a compiler on a production server, the response should be "WTF!!!". linux flaws are more related to the applications, not the core operating system. this is the key point. most microsoft servers/services are integrated into the operating system. which makes patching a) harder and more time-consuming, and b) more prone to create other breakages with other software. take for instance sendmail. lots of features, lots of holes. so, on linux, you can use postfix, or other MTA's. are there any other on windows? (please don't count novell/groupwise). i think exchange is a nightmare, eh? comparing linux vs. windows holes is meaningless. one is application based, one is OS based.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    1. Re:different kinds of security problems by the+eric+conspiracy · · Score: 4, Informative

      for instance, slapper requires that you install gcc on your server. if anyone installs a compiler on a production server, the response should be "WTF!!!"

      I don't think I have ever seen a Linux server being run in a production environment that didn't have gcc installed. Most of us don't have the luxury of homogeneous server installations where gcc-free installations are practical.

      Now, of course there are other measures that could stop slapper that are a lot more practical - chrooting, tripwire, etc. are some of them.

    2. Re:different kinds of security problems by b17bmbr · · Score: 1

      why would then production servers have gcc installed. we're not talking a development box. most m$ servers don't have an SDK of any kind installed. now i know that m$ crap only comes in binaries, and you only have to double click a .exe, and that many patches for apache, etc. come in source, but how many companies are going to run a server on a roll your own linux.

      whether they use deb, rh, mandrake, whatever, it's got package management. it wouldn't make sense to have a compiler, or am i missing something.

      --
      My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    3. Re:different kinds of security problems by IchBinEinPenguin · · Score: 1

      My server has no gcc.
      How does it run slapper?
      Terribly!

  82. I beg to differ by Jeppe+Salvesen · · Score: 3, Insightful

    In fact, pushing all the responsibility down on the user is a very bad way of securing anything. Most people care more about functionality than security. We as developers need to pay more attention to finding ways of implementing non-intrusive security. It may include more lines of code, but it will certainly pay off in how many of your users end up screwed by an exploit in YOUR app.

    I'm just waiting and hoping for automated code audit for security. That would possibly be the greatest contribution to computer security since encryption!

    --

    Stop the brainwash

    1. Re:I beg to differ by jpmorgan · · Score: 2

      Full automated security auditing is reducible to the halting problem, so don't expect a tool to do this any time soon (i.e., ever).

    2. Re:I beg to differ by Jeppe+Salvesen · · Score: 1

      Certainly, but if we could make a tool that alerts about the most obvious, glaring troubles, that would still be improvements. IIRC, OpenSSH has been shipped with buffer overflows. That should never, ever happen.

      Such audit-ware should at least be as good at spotting security flaws as an advanced script kiddie.

      However, given your information, audit software could never fully guarantee security. Best effort still usually beats no effort if you qualify what best effort really is, though.

      --

      Stop the brainwash

    3. Re:I beg to differ by photon317 · · Score: 2


      If you think you can do it, by all means do us the favor of proving it - make it your life's work and write the tool. I'm only being half sarcastic, it would be wonderful if someone actually accomplished it and we'd all be in your debt.

      However, on a realistic level, I don't think it's really possible to write a generic code audit engine that fixes the problem, or even makes it go away. I think it more likely that the tool would just cause coders to care less about security because it's supposedly handled by the tool - they'll forget about or never learn about good security practices - and their lack of care will more than make up for the obvious holes plugged by the automaton.

      To go out on a controversial simile here - this seems very much like the promise of OO languages and methodologies to cure the software of the world of crappy coding practices. What it has brought us is 10 times the programmers, writing 10 times as much code 10 times sloppier. It's still riddled with bugs, and it's 10 times more bloated. The really good coders that did it "right" were doing it right before OO became popular and still code circles around your average corporate java or c++ coder. In my eyes and opinion, the OO revolution has decreased rather than increased the overall quality and design of the world's source code taken as a whole.

      In both cases, I feel the right answer is that coders need to be taught better, and companies need to be more choosy about the coders they employ and the work they consider acceptable from these people.

      --
      11*43+456^2
  83. Quick Comments... by tqbf · · Score: 4, Insightful

    • The article lacks credibility. Security is a complex issue. There are very few organizations qualified to present it authoritatively. Who is NewsFactor? Who is Masha Zager? What is the "Informations Systems Security Association"?
    • Ignores the worm gene pool. Several of the Linux worms cited use the same (uncommon) vulnerabilities to gain access to computers. Putting a different payload on the same attack doesn't make the "different worms" uniquely different threats.
    • Newer != Insecure. SunOS is old, and insecure. djbdns is brand new, and very secure. Secure programming, and (more importantly) secure design, are new disciplines.
    • Linux != New. Linux is new in implementation, but evidences the classic Unix security model. The Unix model is flawed, but not impossible. Win32 has a "better" design, but does nothing to make that apparent (in the same sense as Darwin doesn't make apparent its microkernel design).
    • Bug Counting? Most Linux bugs are in packages. There are thousands of available packages, virtually all with published source code. Third-party QA teams at ISS and Network Associates can go make a list of 100 CGI programs, read bad source code for a week, and generate 15-20 new advisories. Very, very few of them will affect real, deployed systems.
    • Still More Bug Counting! Linux sees more bug reports. Linux has published source code. An independent QA person can spend a month looking for a remote attack on Win32, come up with one, and coast on it for a year --- that remote hole will probably affect 80% of all deployed systems. To get the same cred, you need to find tens of holes in popular Linux packages. It is both significantly easier and more useful (to the reporter) to find numerous Linux-related holes.
    1. Re:Quick Comments... by PigleT · · Score: 2

      "Newer != Insecure."

      Agreed. Both on the macro scale you cite, and on the micro; to some extent, I've come to the conclusion that in this day and age, the best you can hope for is not "secure" (because that's impossible and illogical), and obviously not "insecure" (as that is undesirable), but maybe "unknown until there's a better version around".
      E.g., apache-1.3.9 had its hey-day until a small series of fixes including one or two vulnerabilities pushed it up to 1.3.27 today. At all stages, if you were tracking the latest version, you were fine until the next.

      "that remote hole will probably affect 80% of all deployed systems"

      Agreed; you are correct to say that a given bug's severity should include both seriousness (depth of potential break into the system - remote or local, root or user) and impact on the entire user-base.

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
    2. Re:Quick Comments... by Anonymous Coward · · Score: 1, Interesting

      * The article lacks credibility. Security is a complex issue. There are very few organizations qualified to present it authoritatively. Who is NewsFactor? Who is Masha Zager? What is the "Informations Systems Security Association"?

      Masha is an author for hire. http://www.bridgewriter.com/examples.html

      This time the client is m$. Hope they paid well.

    3. Re:Quick Comments... by miltimj · · Score: 1

      A quick google search revealed that the person who wrote the article is most likely not a "he" (as many have been assuming), but rather, a "she". http://www.bridgewriter.com/references.html Very interesting that we be condemning the author's knowledge (regardless of gender, since many did not know the above), especially considering the geeky crowd we're a part of here on slashdot is 90+% male. (ie - do people hire females in the tech industry more readily (with perhaps less knowledge) so they can show their diversity?)

      --
      "Truth is not decided by majority vote" consensus gentium -- Norman Geisler
    4. Re:Quick Comments... by tqbf · · Score: 2

      What the hell are you talking about?

    5. Re:Quick Comments... by miltimj · · Score: 1

      Sorry for the bad formatting.. I forgot to select Plain text. (yep, should've previewed)

      It's an answer to your first point (Who is Masha Zager?)

      Check out the link.

      My comment wasn't only directed toward your comment -- I also found many comments slamming the author (for good reason), and I found it interesting that everyone assumed that he/she was male. Rather, it seems that the author is female.

      Again, sorry for the confusion.

      --
      "Truth is not decided by majority vote" consensus gentium -- Norman Geisler
  84. They will never get it right by RoC+MasterMind · · Score: 1
    Suppliers who are scrambling to provide patches, as well as users who wish the patches would arrive more quickly, feel pressured by "white hat" hackers. They publicize security flaws before giving suppliers a chance to fix them -- thus providing tools for malicious hackers to use.
    Not white hats, grey or black hats stupid newsfactor.
  85. Linux newer than Windows by Andy+Social · · Score: 1

    Let's compare two similar items, the kernels.

    Linux 2.4 is the current kernel, and has been released for operational use over a year now.

    Windows XP is the current release of Windows, and the XP-series of kernels has been out about the same length of time as the Linux 2.4 kernel.

    So, they're nearly the same age.

    If the author wants to claim that Linux is newer than Windows, he must mean that Linux has not been around as long as the pre-95 series of Windows, which was not an OS but merely a shell to DOS. So, Linux development is older than the current development tree that Windows is based on, whether the Win9x/ME kernel or the NT/XP kernel.

    Of course, maybe I just can't operate a calendar - I'm no professional journalist after all.

    --
    Illegitimi non carborundum
  86. Difference by AftanGustur · · Score: 3, Interesting


    I've *taken* MS curricula before and it's not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs.


    My thoughts exactly when I took the NT server/admin/whatever course. I really felt like I had been had (or that the company I worked for had been had).

    Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    1. Re:Difference by swb · · Score: 4, Interesting

      Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

      I've always wondered why people don't offer more in-depth courses that cover more than just remedial networking-101 and basic dialog box entry, since the "official" curricula is so empty. The answer is probably twofold:

      Most people are taking the classes for bad reasons: to pass the MS cert tests, to get out of work for a few days or because of work requirement. They're not actually interested in how it works.

      -or-

      Even scarier, it's because nobody (outside of 500 or so developers, MS employees and others who aren't telling) REALLY knows how it works! 15 years of weird coding, new features, parallel development paths, diverse coding groups, ad nauseam have rendered an OS and system that simply is too byzantine to be understandable by anyone. It's like a fractal design -- the closer you get, the more detail is revealed, which brings you closer, to more detail...

  87. Autoupdate by Andy+Social · · Score: 1

    Auto-update may be a promising feature, if it weren't for the distressing frequency of Windows patches to break previously functioning systems.

    There's a reason why responsible system administrators always test Windows service packs before deploying them. Some bugs have been rather infamous, for those who remember the NT service packs.

    --
    Illegitimi non carborundum
  88. Specious arguments by tuxlove · · Score: 2, Insightful

    I love it when people argue, as in this article, that Linux is less secure because more security holes are posted than Windows. There are two reasons why this is a specious argument. First, there is little doubt that the holes are there in Windows too. It's just that they don't get found as easily because of the closed-source nature of Windows. That doesn't mean the hackers don't know about them. I prefer *everybody* knowing, which is what tends to happen with open-source code. And, when Windows bugs are found, you certainly aren't going to see the bad sections of code posted to Bugtraq...

    Second, the holes in Linux are generally less problematic than the plethora of VB script and other bugs in Windows. When a bug is found in fetchmail, for example, it's a lot harder to exploit than VB script execution in Outlook. Also, a small percentage of Linux users actually run fetchmail, but LOTS of people run Outlook (not to mention all MS Office apps). So, on Linux, unless a bug is found in the OS itself or in some program that's intrinsic to Linux's operation, it's going to be hard for hackers to exploit. Since everyone on Windows uses IE, Office, and so on, there is a much higher payoff for hackers.

    It's sad how many so-called security experts are really just apologist shills for Micro$oft.

  89. Scripting by Anonymous Coward · · Score: 1, Insightful

    VBA scripting makes Windows more insecure than
    anything I've ever seen


    Yes, and computers that can run programs written by users are also insecure.

    You can malign powerful features like scripting of MSOffice applications but not having that kind of easy application programmability available in *nix environments is not in my opinion a better thing.

    Truth is, unless your machine can only execute programs from ROM, your machine can be coerced to run something nasty. Why focus venom on scripting features just because they exist?

    Integrated Application scripting is a feature all application suites are marching toward (for good reason) so figure out how to secure them not how to remove them.

    1. Re:Scripting by jedidiah · · Score: 2

      The sad fact of the matter is that most Microsoft end users have ZERO use for an office suite that can be used to spam all of their friends and delete all of their data. Scripting in msoffice is a power user feature searching for a real purpose.

      This makes it highly questionable even without getting into how robust the feature is.

      At least in a Unix environment, you are much more likely to find the sort of power user that would find scripting useful. Nevermind if it's harmful.

      WinDOS office suites already have more features now than most users can cope with.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  90. Security in a box by huckamania · · Score: 2, Insightful

    Security comparisons of this box versus that box are a bit ridiculous. No box can handle all aspects of security on their own. DoS attacks can not be stopped at the box. Port probes if conducted over a long enough time frame are nearly undetectable. One compromised box can be used to compromise all boxes on a subnet.

    That's not to say that security is impossible, it's just that it is amorphous. It's as complex a problem as determining the weather or fighting multinational terrorists, simply because they change from day to day. To make matters worse, from the beginning of the internet any machine that is connected to the internet is a target for every hacker on the internet. Those are lousy odds.

    The most secure systems these days are protected in multiple layers and the number of companies that are producing multi-tiered security solutions are growing. Still, without redesigning the internet as a whole I don't see security getting better, just more complex, costly and necessary.

  91. It doesn't matter which one is more secure... by kakos · · Score: 3, Insightful

    ...because they are both insecure enough to be a hazard in a real world situation. If I want to run a secure box, I'll run a BSD (probably OpenBSD). One remote exploit in six years is a bit better than a new one every month (a trend both Linux and Windows seem to share). The only way to keep a Linux or Windows box secure is to patch it almost constantly. To be honest, that is a task that sysadmins don't want to be doing all the time. There are much more important things to be doing.

  92. WEATHER is not the right word !!!!!! by Anonymous Coward · · Score: 0

    please use "whether"

  93. Re:Repost of an excellent comment on the article.. by ThePeeWeeMan · · Score: 1

    Which is probably why OE6/OLXP block attachments by default. Besides, Message Source (Alt-F3 in OE) is your friend.

  94. Re:Flamebait indeed (Linux is older than Windows) by gosand · · Score: 3, Interesting
    In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

    To get even more picky, Windows is used as a generic term. Most GNU/Linux distros are older than Windows XP or 2000. Some Linux and BSD distros are older than Windows NT. The core security model of all *nix systems is much older than any Windows security model.

    I didn't think much of this article, basically because it didn't really say anything.

    --

    My beliefs do not require that you agree with them.

  95. Re:Clueless admins vs. byzantine systems and bad d by alexjohns · · Score: 2, Insightful
    This is the sig that doesn't end, it goes on and on my friend, some people started typing it, not knowing what it was...

    Malda's Law: All sigs end at 120 characters.

  96. Umm ACL's exist for Solaris, FreeBSD, Linux etc. by Anonymous Coward · · Score: 0

    ... the fact that no one really uses them is a testament to the fact that they are not really needed.

    As for the risk of doing "administration as root" have you ever heard of these commands:

    mount -o ro /dev/sda1 /

    chattr

    sudo

    jail

    etc.

    In other words you can set up a Linux or Unix system to have one non-root user do all administration. You can set attributes on files so that root cannot change their contents or remove or copy them. You can mount partitions so that no program execution is allowed on a partition, so that it is read only, so that a reboot is required for changing file attributes etc. Oh yeah ... then run all user accounts and server services in 2 or 3 separate chroot jails ... users never see the real / filesystem.

    This "hardening" is available out of the box and free.

    The classic was the PPC linux box on the net with root password etc all publicly available. It was never hacked over a 400 day period.

    Oh yeah ... if you want to use ACL's on your multiuser box that provided login shells.

    Admit the truth: Unix is much much more secure than windows. Even if you continue to use windows there's no reason why you shouldn't live in truth.
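Added example (not part of the comment above): the read-only and no-execute mounts it mentions can be verified rather than assumed by auditing the live mount table against a policy. This Python sketch parses text in `/proc/mounts` format; the policy table, device names and sample mount table are constructed assumptions, and on a real host the input would be the contents of `/proc/mounts`.

```python
import re

# Assumed policy for illustration: mount point -> options it must carry.
POLICY = {
    "/": {"ro"},
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/home": {"nosuid", "nodev"},
    "/srv/chroot jail": {"ro", "nosuid"},
    "/var/log": {"noexec"},
}

# Constructed sample in /proc/mounts format (device, mount point, type, options).
SAMPLE_MOUNTS = r"""
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext3 rw,nosuid 0 0
/dev/sda5 /srv/chroot\040jail ext3 ro,nosuid,nodev 0 0
"""


def unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return {mount_point: set(options)}; a later entry shadows an earlier one."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        mount_point, options = unescape(fields[1]), fields[3]
        mounts[mount_point] = set(options.split(","))
    return mounts


def audit_mounts(text, policy=POLICY):
    """List (mount_point, problem) pairs where the table falls short of policy."""
    mounts = parse_mounts(text)
    findings = []
    for mount_point, required in sorted(policy.items()):
        options = mounts.get(mount_point)
        if options is None:
            # Not its own filesystem, so it inherits the parent's options.
            findings.append((mount_point, "not-a-separate-mount"))
            continue
        missing = sorted(required - options)
        if missing:
            findings.append((mount_point, "missing:" + ",".join(missing)))
    return findings


if __name__ == "__main__":
    for mount_point, problem in audit_mounts(SAMPLE_MOUNTS):
        print(f"{mount_point!r}: {problem}")
```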

  97. FACT: Security = 1 / Convenience by md17 · · Score: 2

    I love it every time this argument comes up. It always has very few facts, and lots of emotions. It's fun to see all us nerds get so defensive about an OS. (I admit I do it too.) However, one FACT that we should focus on is this:
    Security is the inverse of Convenience!
    The more convenient something is, the less secure it will be. Windows, Linux, Solaris, etc. can all be very secure depending on what runs on them, and the pain, time, and messiness involved in locking them down. Linux distros have many tools to aid in configuration. Use them, and your box will probably be less secure. Use a default Windows install and you will probably get hacked. So as some comments have pointed out. And now for my guide on how to secure any OS:
    Use the SANS (I think) guides on hardening systems.
    Have a good sysAdmin that knows more than clicking through wizards to set stuff up.
    Keep everything patched and up to date.
    Restrict user access as much as possible.
    Turn off services that are not used.
    Review the log files.
    Use packet filters on your router.
    Unplug the box for total security.

    1. Re:FACT: Security = 1 / Convenience by Anonymous Coward · · Score: 0

      FACT: Security = 1 / Convenience

      That's not a general fact. It doesn't have to be that way. But if Windows and *nix are the only models you consider, it will seem that way because:

      • Unix was designed with some degree of security in mind, but user friendliness was a total after thought.
      • Windows was designed with user friendliness in mind, but security was a total after thought.

      I don't see why a good security model couldn't be designed that accounted for both. Security and usability don't have to be at odds with each other. It would be a new design of an OS though, not another *nix clone, nor another version of windows(at least not a backwards compatible one).

  98. Law offices by sharkey · · Score: 2

    Ramen, Slapper, Scalper and Mighty may sound like Santa's new team of reindeer...

    Not really. They sound more like the kind of law firm that Microsoft would hire.

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  99. You can't compare Linux and windows by Junks+Jerzey · · Score: 3, Interesting

    In these type of discussions, Linux is equated with the Linux kernel, some device drivers, and maybe a handful of utilities like sendmail and so on. After that you get into debates about scripting languages and window managers and desktop environments and all that--none of which could be considered part of "standard" Linux.

    Standard Windows, however, includes graphics libraries and scripting systems and a GUI, and even tools like file browsers and Internet Explorer are considered part of Windows. Not surprisingly, most of the security problems are in those high-level tools, not the kernel itself. Now it could be argued that the kernel shouldn't allow tools to cause problems, but that's wishful thinking. Microsoft introduced a scripting language into Word, and that's been the cause of so-called "document viruses," for example.

    To do a fair comparison, you need to put together a Linux machine running KDE, Star Office, a graphical email client, and so on. And then you have to consider all security exploits in KDE and all applications that come with it. But of course that's never how comparisons like this are done. If a KDE application is at fault, then we're quick to dismiss it as a KDE problem, not a Linux problem. And so we run in circles with this kind of meaningless argument.

    1. Re:You can't compare Linux and windows by jedidiah · · Score: 2

      How easily can you replace a random Unix component, including some KDE component?

      How easily can you do that with WinDOS?

      --
      A Pirate and a Puritan look the same on a balance sheet.
  100. Re:Clueless admins vs. byzantine systems and bad d by GigsVT · · Score: 1

    Yeah, it did kinda suck not to be able to even finish the verse :)

    I just changed my sig to that, I'm thinking it will change again soon, I don't particularly like that one, although Lambchop was one kick ass bitch.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  101. Using RPMs..... by bpb213 · · Score: 1

    and you are wondering why it doesnt work.

    Switch to Gentoo-
    emerge makes upgrading SO EASY.
    emerge is my friend, and allows an incompetent former windows 2000->Mandrake lover like me to admin my servers effortlessly

    (plus rh8 is fugly, but thats a different story)

    --

    This .sig looking for creative and witty saying.
  102. The blurring of Data and process... by croftj · · Score: 1

    If you ever noticed, the most heinous of the windows problems come from not having a clear line between data and process. The exceptions to this are code red and Nimda, which could happen to any of the OS's.

    All of the worms and viruses live on because you can embed code into any document. Have an html document, add javascript or VB Script. Same with Word, Excel, emails etc.

    The concept of code and information being the same thing sounds like a dandy idea and solution to all of life's problems, but, as long as you can mix code in with a document, you will have worms and trojans coming out of the wood work.

    --
    -- Many men would appreciate a woman's mind more if they could fondle it
  103. Structural differences between Linux and Windows by ites · · Score: 2

    Windows is remarkable because it consists of many fat vertical applications running on a relatively thin OS.
    Security has to be implemented in each application at many levels.
    Linux (and Unix) have a much more robust underlying OS and applications are relatively thinner.
    So Unix applications are vulnerable when they (e.g.) chroot to access system resources.
    But Windows applications remain vulnerable all the time.
    There is really no argument about which approach will work better in the long run.

    --
    Sig for sale or rent. One previous user. Inquire within.
  104. Both parent posts are playing funny by Corporate+Troll · · Score: 1
    You shouldn't take your parent poster so seriously (he was damned funny!)... Actually, I think I shouldn't take you seriously either because I'm convinced that this is the kind of humour that the common slashdotter will not get.

    Just a small rectification:
    Datastructures like you described get thrown at you in the first year of University (well, if you do computer science of course). They are often documented in different "hands-on" programming books. It's the basics of CS, and I am convinced you should know them better than your firstborn, but it really is pretty basic stuff.

  105. Lets define operating system... by PetiePooo · · Score: 2, Interesting
    GNU/Linux O/S:
    Linux kernel
    GNU binutils
    glibc

    Microsoft Windows 2000:
    Windows 2000 kernel and DLLs
    Internet Explorer
    Outlook Express
    NetMeeting
    Pinball
    The Kitchen Sink
    etc.

    The choices of what you don't want to install in Windows are very limited. I do custom installs whenever I install any operating system. Windows comes with all the bells and whistles, free of charge (yeah, right!) and installed whether you want them or not.

    Ever try removing the pinball executable in Windows 2000? "System Protection Services" pops it right back in place! Since when can a pinball game be considered part of the operating system?!?

    At least Linux allows you to install just the pieces and parts you want. Especially on servers, a minimal system is inherently more secure. It's simple, guys and gals: if it ain't installed, you can't exploit it!

    Note for the purists: Yes, I've left out some packages that are required for a functional Linux install. Stop nitpicking and get my point.

    1. Re:Lets define operating system... by SuiteSisterMary · · Score: 2

      How is it nitpicking to point out that when comparing number of packages required, you're leaving out required packages?

      Any OS, ANY one at all, is only as secure as the admin makes it. Period.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  106. From the article you quoted: by Marc2k · · Score: 1

    "Despite the intense battle surrounding the open source, the NSA will
    still fund research on secure operating systems based on Linux as well as
    work with US companies to create better security in their own operating
    systems."


    Reading the Whole Thing, as usual, gives you perspective on the whole story.

    --
    --- What
  107. Dear Editors: Your spelling is awful by Anonymous Coward · · Score: 0

    Weather
    and
    Whether

    Are two different words.

  108. How can anyone put worms in *open source* files? by aquarian · · Score: 2

    I don't understand- the whole point of Linux is that it's *open source,* meaning that anyone can read the source files. So how could anyone put a worm into them, without someone else seeing it?

    I'm sure all kinds of crap could find its way into a Linux distribution, but if you download one from a trusted source like Debian (which is very well reviewed and tested), I don't see what the problem is.

  109. Security design flaws by Shinsei · · Score: 1

    We have this discussion in one of the major Norwegian newspapers regarding the security of using Outlook as an email client, where the commenter from MS in Norway actually admits that one of the big problems that has existed in Outlook was 'bad design by default'-additions to the program. I suspect that this heavily goes into other MS applications as well. Link to Norwegian Article[Dagbladet.no].

    The other thing that I feel is a little interesting is how all these reporters manage to "overlook" the fact that what they describe as 'Linux' is what Linux-users would call a 'Linux Distribution' or 'Linux Platform'. (How many security errors have we seen posted for the Linux kernel the last year?)

    But - as previously stated in the article, and actually also by the commenter from MS in the article I refer to earlier, and I quote the MS commenter: "Security is something you achieve by a combination of technology, good routines, and knowledge. (As in good administrators) It is misleading to tell someone that they can just change their OS Platform, or technology, and then they're safe". Quite good comment, for someone from MS ;)

    --
    God does not play dice - Albert Einstein
  110. Re:FP FUCKERS by Anonymous Coward · · Score: 0

    wHY d0n't j00 sUk m1 D1Q 4$$h0l3? y0 M4M4 4lR3dy d1D! SH3'S fUll 0F m1 sPUNK1 g00dN3SS.

  111. Re:FP FUCKERS by eno2001 · · Score: 1

    Ummm... there are? Why? I didn't realize that giving away software that is already free counts as "warez" dood. Maybe you need a little re-ejication?

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  112. LOL at the books by Scooter · · Score: 2, Funny

    That is so true...

    Day 1 - a new Windows OS appears..
    Day 2 - Large book with 1000 pages of screenshots entitled - "Windows xxx - the bleedin obvious" is published :)

    Day 7 - "Instant Experts" return from MS certified class where they were taught 30 hours of "The Bleedin Obvious Admin 101" - how to fill out properties forms and click buttons. "Don't try to peek behind the curtain now - just click the buttons. To make the OS secure, for example, click the button marked "make my computer secure". No actual networks/computing/API etc knowledge required!, and certainly none imparted on this course!"

  113. My question is by Anonymous Coward · · Score: 0

    WHY are Mom & Pop running an FTP server? For them, this is therefore a non-event.

    For you, you've had a problem, and a lot of that is the way you've gotten used to working. Remember the switch from FORTRAN to C++?

    That switch cost me *hours* of frustration because it was so different. You'll have the same with Linux until you learn what the system is trying to do.

  114. Why seems immaterial by Felinoid · · Score: 1

    Why an OS is more secure than another matters mostly to security companies and OS makers.

    But from the implementing viewpoint it's more the issue of who usually does the best.
    The reason matters to Linux people so they can keep pushing it and closing the problems.
    The reason should matter to Microsoft as they can then revamp and make the next release more secure however instead they use it to nitpick and say how "well you COULD make Windows more reliable"... Sure and you could make Linux user friendly but unless you're an expert in the platform it's not gonna happen.

    The whole reason "user friendly" matters is because only a few people can perform small miracles.

    The typical Linux installation is more secure than the typical Windows installation.
    Maybe it's the clueless Win admin... if most are clueless you can forget finding one with a clue.
    Maybe it's poor documentation... Well do we have the time and resources to compile good documentation? Wouldn't that money be better spent elsewhere?
    Maybe it's just bad software.

    Maybe crackers just target Windows machines.

    Whatever the reason the results remain the same.

    The same for viruses. No matter how many times anti-virus companies release Linux virus alerts for viruses that don't exist, until somebody actually makes a virus for Linux there isn't any reason to be concerned about them.

    I guess non-experts should watch for Linux virus alerts etc because it's safer than trying to explain worms, trojans and back doors that remain a concern to Linux.

    PS: Yes I know there is ONE virus so there is reason to be concerned about IT.
    Use sensible precautions such as actually using a password on ROOT and not running software as super user.

    --
    I don't actually exist.
  115. Why Debian is easy to secure by steveha · · Score: 4, Informative

    I am not an experienced sysadmin, but I have found sysadmin tasks to be pretty easy with Debian. Here is how to run a server with Debian:

    0) install using the Debian "stable" branch. (Use the pgi to install; it's easy.)

    1) once a week or so, run the commands:

    apt-get update; apt-get upgrade

    These will go out and get all the latest updates to your packages.

    If you update your packages, worms like Slapper will not be able to get into your system.

    Debian also provides a really excellent howto. Any Debian server admins should study it:

    http://www.debian.org/doc/manuals/securing-debian-howto/

    P.S. I'm sure Windows systems can be made secure, but it has to be more work than securing a Debian system. There is nothing as cool as "apt-get upgrade" on Windows.

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
    1. Re:Why Debian is easy to secure by Anonymous Coward · · Score: 0

      There's a little more to it than that.

      1) Disable all of the services that you are not using. They are probably safe by now, but you never know when a new vulnerability can be found in one. If you're not running it then this is not a problem for you.

      2) You will always be out of date by up to a week. As attacks can be scripted and/or happen more quickly than once a week, this may not be soon enough. In fact, no matter how often you patch you may not be covered soon enough, as the exploit could potentially be widely used before the problem is fixed and patched. Make sure that you have a plan for when your machine is compromised. Keep backups of all your important data!

    2. Re:Why Debian is easy to secure by steveha · · Score: 2

      That howto I linked to has those suggestions, and many more.

      Maybe you think once a week is not often enough to update packages, but a Debian server admin who updates once per week will be way ahead of 99% of amateur server admins, and some of the professionals. The Slapper worm was in the news recently because it was causing problems... but the security holes it uses had been fixed months ago. There were a whole bunch of servers with really out of date software. Probably few of those servers were running Debian.

      P.S. Yes, backups! Run backups!

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
  116. Just hacked by Ektanoor · · Score: 2, Insightful

    Well, while people were discussing here about security, in one of my works a Linux box was just hacked. Frankly, I am an anti-Windows. And please note that I have been more than 15 years in touch with this OS (since the first beta). So my anti-Windows feelings are deeply rooted in my experience. It will be hard to change someone who dug into several Windows, looked at tons of code and worked in more than 15 jobs... Besides I have a relative who managed to see who's BG from inside, so I have no sympathy for that guy.

    However I had and have no doubts about the security of Linux. Because I know its level of security, I know it is much better than Windows and I know that if an admin takes care of its boxes, then Linux is much more secure. But not impenetrable. People do hack it (I hacked it very frequently btw) and hack it deadly. And the worst is that a hacked Linux box can be 10 times deadlier to your network than a silly Windows machine. That's a trouble Linux has - it is too powerful for both sides. Besides it is even more powerful when you go into combat. Fighting someone installing rootkits and changing every piece of soft in your machine is something. It is a spectacle that no Hollywood director would be able to describe. It also can be time-consuming, depressing and boring like the hack I'm fighting now.

    To work on Linux one should take care of a few things: Absolutisms and maxima are dangerous here. If you came to see the gun then learn to shoot or someone shoots you. Forget all those books and "Hackers", enter the Matrix religion and learn from your experience. And most: If you can't stand up maybe you should choose something else, but don't go flaming because you feel not smart enough. It makes you look like a jerk.

  117. Programmer? Use Debian by thelexx · · Score: 2

    Not only is it the distro most geared toward programmers, a simple 'apt-get upgrade' would have done what you wanted.

    --
    "Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
  118. aberdeen.clueless by twitter · · Score: 2
    Security problems exists - it may or may not be worse in Linux than windows...keep your systems updated regardless.

    If M$ security patches delivered security, M$ would not have a bad reputation for security. I'm tired of hearing this old saw because it is not true. M$ security "updates" are usually huge, hundreds of megabytes, and contain far more than security updates. It might even be argued that M$ patches create more exploits than they fix because M$ is so busy trying to screw everyone out of playlists and other silly marketing data.

    Aberdeen, extensively quoted, is obviously a paid whore and clueless. Anyone who would compare the security of the "not designed for security" M$ world to the peer reviewed world of multi user Linux and not see one as clearly superior to the other has loose screws. Their website states, "Unauthorized use or reproduction is forbidden." I'd say there were many things they don't get.

    --

    Friends don't help friends install M$ junk.

  119. The only flaw in your procedure by ebuck · · Score: 2, Insightful

    Although I sympathize with you, I did notice a flaw in your installation procedure.

    At no time did you ever mention that you read the README file or attempted to get any installation documentation.

    I agree that many can replace their car's AC compressor without reading the instructions, especially if they have had some experience in auto mechanics, but many of these replacements will not have the lines bled or dried properly, and even fewer will include the 1/4 cup of oil needed on some compressors to prevent them from going bad next year.

    Experience can be a great asset, but it cannot generate knowledge on the fly.

  120. OT: Evil Sig by Amazing+Quantum+Man · · Score: 1

    AAAARRRRRRGGGGGGGHHHHHHH!!!!!!

    My kids outgrew Lambchop several years ago, and while I always liked Shari and Lambchop, when my kids sang that one it drove me crazy!!!!!!

    BTW, Charlie Horse was the real star of the show!

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    1. Re:OT: Evil Sig by GigsVT · · Score: 1

      Yesh, excellent... /me does the evil Mr Burns fingers.

      When you are sitting in that meeting tomorrow, you are doomed to have that song stuck in your head!

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  121. some study about distribution of fixes over time by Anonymous Coward · · Score: 0

    I was thinking if there is some study about comparing fixes over time of open source and closed source. My guess would be that open source had more of a bell curve type of distribution where there are a lot of exploits and fixes as the software reaches maturity and then, since the source is known there are only very obscure bugs left. Whereas with closed source the distribution is more linear because there are still a lot of bugs even after some time because there is no source code.

    Maybe somebody can compare something like
    Windows NT 3.51 with all patches and
    Debian Slink with patches
    and see which one has had more exploits in the last year.

  122. you can safely ignore this article by Anonymous Coward · · Score: 0

    This article is worthless. The author starts out with a mention of the four horrible 'linux' worms (that affect apache, not linux) and then goes on to refer to Operating Systems as 'programs'. The level of 'cluelessness' in this article is astounding. How can you claim an OS is insecure by citing insecurities in an application that persist across multiple OS's? The argument completely falls apart even if you accept the pathetic premise. Nothing to see here... please move on...

    1. Re:you can safely ignore this article by octogen · · Score: 2

      An Operating System should of course not be affected by a worm which exploits a bug in a webserver daemon.

      However, an Operating System can not prevent a worm from exploiting a bug in an application, but it should be able to prevent an application (and even a hacked application) from taking over the operating system or other applications on the same computer.

  123. weather Linux - "when it reigns, it poors" by Anonymous Coward · · Score: 0

    weather Linux - "when it reigns, it poors"

    duh!

  124. Re:Clueless admins vs. byzantine systems and bad d by Anonymous Coward · · Score: 0

    >> How do you disable what you don't know exists?

    If you don't know what exists, why are you the one installing the box to begin with? Most of the IIS exploits rely on an admin not securing his box, even simply setting read-only on the page folders would eliminate well over half of them.

  125. MS has organized documentation - just not timely. by bashly · · Score: 0

    MS has organized documentation, they're just not timely with it. To date I haven't seen one page that I needed when I need it. What good will organized documentation do me 2 months after an attack? I'm afraid you've run out of time - morpheus.

  126. Comparing OS security by octogen · · Score: 3, Informative

    When Microsoft compares Windows Security with Linux/Unix security, they commonly show you all the cute security features of Windows 2000 and then compare it with a freshly installed Red Hat 7 box (or something like that, debian, SuSE, whatever you want).

    What about comparing the most secure setup of Windows with the most secure setup of Linux or Unix?

    Now you end up comparing Windows 2000 with HP SecureLinux or with Trusted Solaris, Trusted Irix, and so on.

    The most secure setup of Windows 2000 has C2 level security (discretionary access controls capable of defining access to the granularity of a single user, audit trail), while the most secure Versions of Linux have things like domain based access controls (however they are not certified at any TCSEC security level, not even C2) and the most secure Unix environments have B3 level security (structured protection, zero design flaws and minimum implementation flaws).

    Just take a look at how security mechanisms work, maybe compare Linux+Pitbull/LX (domain based access control) with the most secure Version of Windows 2000 - and try to imagine, how DBAC keeps your computer secure, even when somebody hacks your sendmail daemon.

    Now go and look for a Version of Windows with zero design flaws, or maybe just a B1 secure Version of Windows, good luck.

    regards,
    octogen

    Some further information:
    Trusted Solaris, Sun Microsystems; ITSEC EAL4 (exceeding B1 security);
    Pitbull, Pitbull/LX, Argus Systems; ITSEC EAL4 security for AIX and Solaris; Domain Based Access Control for Linux (Pitbull/LX);
    XTS/300, Getronics; TCSEC B3;
    Firewall Server, BorderWare; (Unix based Firewall), ITSEC EAL4 with EAL5 vulnerability analysis;
    Windows XP, Microsoft; TCSEC C2;

  127. Actually you are wrong Office RUNS on Linux here by Anonymous Coward · · Score: 0

    and I use Crossovers setup.
    I guess you need to learn boy

  128. Re:How can anyone put worms in *open source* files by jesco · · Score: 1

    The question is how thoroughly the code is reviewed. I mean, the Linux kernel alone is more than a million lines big (even more, I dunno the exact numbers). That's a hell of a lot of code to watch about. And that's only the kernel itself, not counting any services/apps.

    Most malicious code can be very short, given that the person who writes it is competent enough (which I'm not, unfortunately ;))

  129. usual apples-vs.-oranges by g4dget · · Score: 2
    The BugTraq reports on Linux and Windows cover very different amounts and kinds of software, so comparing systems by their number is not meaningful.

    In any case, the issue is not how many bugs there are in either system, but how easy it is to secure and audit either system. For example, it's much easier to strip down a Linux system to a tiny set of well-understood processes and services because it's all open. With Windows, much less of that is documented, and I can't figure it out from sources; it also changes with every release.
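
A check for the advice in the comments above about disabling unused services and stripping a Linux box down to a small, known set of services: this added example (not code from any commenter or from Debian) parses the kernel's `/proc/net/tcp` table and reports listening TCP ports that are not on an allowlist. The sample table, the allowlist and all function names are constructed for illustration; it covers IPv4 only and assumes a little-endian host.

```python
"""Audit listening TCP sockets against an allowlist (added example)."""
from __future__ import annotations

import ipaddress
import socket
import struct
from dataclasses import dataclass

TCP_LISTEN = 0x0A  # state code the kernel prints for a listening socket

# Hypothetical policy: the only services this server is meant to offer.
ALLOWED_PORTS = {22, 80}

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 11004 1 0000000000000000 100 0 0 10 0
   4: 0A00000A:0016 0B00000A:C3A1 01 00000000:00000000 02:000A0F2B 00000000     0        0 11005 2 0000000000000000 20 4 30 10 -1
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    uid: int  # owner of the socket, useful for spotting root-owned daemons

    @property
    def exposed(self) -> bool:
        """True when the socket is reachable from other hosts (not loopback)."""
        return not ipaddress.ip_address(self.address).is_loopback


def _decode_endpoint(field: str) -> tuple[str, int]:
    """Turn '0100007F:0019' into ('127.0.0.1', 25)."""
    hex_addr, hex_port = field.split(":")
    # The address is printed as a native-endian 32-bit word; "<I" assumes a
    # little-endian host such as x86 (assumption of this example).
    addr = socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))
    return addr, int(hex_port, 16)


def parse_listeners(table: str) -> list[Listener]:
    """Return every socket in LISTEN state from /proc/net/tcp text."""
    listeners = []
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated row
        try:
            state = int(fields[3], 16)
            addr, port = _decode_endpoint(fields[1])
            uid = int(fields[7])
        except (ValueError, struct.error):
            continue  # malformed row: skip it rather than abort the audit
        if state == TCP_LISTEN:
            listeners.append(Listener(addr, port, uid))
    return listeners


def audit(listeners, allowed_ports):
    """List (port, address, scope) for listeners that are not on the allowlist."""
    findings = []
    for item in sorted(listeners, key=lambda entry: entry.port):
        if item.port in allowed_ports:
            continue
        scope = "exposed" if item.exposed else "loopback-only"
        findings.append((item.port, item.address, scope))
    return findings


if __name__ == "__main__":
    # On a real Linux host, pass open("/proc/net/tcp").read() instead.
    for port, addr, scope in audit(parse_listeners(SAMPLE_PROC_NET_TCP), ALLOWED_PORTS):
        print(f"unexpected listener {addr}:{port} ({scope})")
```

Every finding marked "exposed" is a service to disable or firewall; a "loopback-only" finding is lower priority but still a daemon that has to be kept patched.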

  130. Aberdeen Group background by meridian · · Score: 1

    A storage solution group
    site:microsoft.com "Aberdeen Group": 397 hits
    Aberdeen Group directors homepage http://dantanner.tripod.com/djt-index.html
    Resume http://dantanner.tripod.com/DJT.htm

    Consultant, Advisor, Product/Market Manager, Editor, Trainer with successful track record. Leader. Organizer. Planner. Doer. I have superior interpersonal, management, training and PC skills. I am an outstanding communicator and presenter. I am an experienced problem-solver. I am a business and scholastic award-winner. I am a Microsoft Certified System Engineer (MCSE) and Microsoft Certified Professional plus Internet (MCP+I).

    Executive Editor, Computer Design Magazine
    Published multiple issues, with supplements, on deadline with staff downsized 66%.

    EDUCATION, CERTIFICATIONS, AWARDS
    Microsoft Certified System Engineer and Professional plus Internet (ID#1169361):
    A.A., Electronic Engineering; Monmouth College (NJ), County Scholarship.
    B.S., Physics/Mathematics; Monmouth College (NJ), National Physics Honor Society.
    MBA Studies, Nichols College (Dudley, MA), A- average.
    Computer Science Studies, Worcester State College (Worcester, MA), A average.
    United States Navy Electronic Technician School, Great Lakes, IL, first in class.
    Certified Teacher (MA/NJ) physics, mathematics, general science at secondary level.

    --
    meridian at tha.net
  131. Re:How can anyone put worms in *open source* files by Anonymous Coward · · Score: 0

    So the only solution is to write the OS yourself with trusted employees, ignoring that most attacks against a company (and I'd assume that government labs would at least partially qualify) are internal attacks.. Unless, of course, you really want to audit Win 2k's source? Or just trust the NSA's Linux. :)

  132. Feature request: "max security" install option by gnalle · · Score: 1

    Debian has a very nice howto that tells you how to disable ftp, telnet and some other stuff. But still I would prefer if there was a single install option that allowed me to automatically disable all the potentially insecure services. This way I could avoid the trouble of guessing what to do myself, and i could avoid the chance of making a fatal mistake :)

    1. Re:Feature request: "max security" install option by steveha · · Score: 2

      I would prefer if there was a single install option that allowed me to automatically disable all the potentially insecure services.

      Dude, read that howto that I linked to; one of the things it tells you about is the "harden" packages under Debian. When you install "harden-servers" or whatever it disables insecure services, among other things.

      Debian rocks. But then, you knew that already.

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
  133. Programmer of 23 years vs administrator of 2 years by Skapare · · Score: 4, Insightful

    This is why we should not allow programmers to moonlight as system administrators. As a programmer, of course I expect you to never, ever, code up a buffer overflow exploit. But please leave system administration to professionals who know how to do the job. A system administrator of 2 years experience or less (usually way less) could do this with ease and correctly.

    --
    now we need to go OSS in diesel cars
  134. Re:Clueless admins vs. byzantine systems and bad d by Anonymous Coward · · Score: 0
    "I wonder if Windows' security problems aren't as much the fault of the everything-but-the-sink integration and legacy support..."

    Well, legacy support of requiring all programs to be allowed to access all RAM and hard disk...should have a little influence on security problems...

  135. Mandatory Weakness Is Not A Bug by SEWilco · · Score: 1
    "What's also got to be factored in is the severity of the bug. A buffer-overflow that lets a cracker rm / is serious."

    In DOS/Windows, deleting anything on disk is not a bug. It's a required feature. Thus there is nothing to fix...other than fixing the buffer-overflow which was used instead of just directly making the correct system call to alter the disk.

  136. Nothing any intelligent person wouldn't know... by Anonymous Coward · · Score: 0

    It's a good article, certainly. Anybody who is reasonably intelligent with regards to security and understands exactly how these viruses become problems would understand that Linux is no more secure than Windows. The only thing preventing more widescale problems is the relative obscurity of the system.

  137. Re:Programmer of 23 years vs administrator of 2 ye by ShavenGoat · · Score: 1
    This is why the statement "Beware of programmers who carry screwdrivers" was coined.

    Leave app developers to do their app developing, and let sysadmins secure their box for them.

    Of course, this doesn't even touch on his real problem: Linux on the desktop

  138. Of course windows is more secure by madenosine · · Score: 1

    there are evil daemons lurking on my unix computer

  139. A Recent Microsoft Bug - swept under the carpet? by Anonymous Coward · · Score: 2, Insightful


    How many bugs for Windows have been swept under the rug?


    It amazes me. Really. Authors bandy about Slapper and its variants as a new kind of Linux bogeyman (despite the existence of previous Unix and Linux worms) - proof that the argument for Linux, and perhaps even Unix, security is falling apart. Yet there is no talk of actual numbers in the wild. No talk about how long the actual window of vulnerability from discovery to patch existed.

    Meanwhile... my organization's main VPN service (running a Microsoft PPTP server... unfortunately) has been vulnerable to a DoS, and possibly a remote compromise since at LEAST Sep 26. Exploit code that demonstrates this vulnerability was released shortly after (I believe Oct 1). Yet there has yet to be any word from Microsoft acknowledging the issue, much less any forthcoming fix/patch.

    Microsoft PPTP servers - Win2k, WinXP, AND WinNT 4.0 sp6a (I have personally tested Win2K and WinNT variants) are all susceptible to this exploit as demonstrated by this code - and have been for over 2 weeks.

    Sure. Sticking a Sun box, or Linux, or even OpenBSD in your server room doesn't give you instant security. Unix is not a fire-and-forget solution. But these folks have been in the trenches, successfully dealing with the technical issues of security for the last couple decades.

    Microsoft still seems to see security as a marketing problem.
  140. Slapper Myth by _Sprocket_ · · Score: 2


    Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ...


    Who? Just who thought Linux was a magic bullet against malware? Point them out. And I'll show you an idiot who has not read RECENT history.

    Sure - there are some basic architectural decisions that make Linux more resilient than its Windows brethren. But the history of Linux (and other flavors of Unix) worms alone show that it is not impenetrable - a history that produces plenty of examples from now until late 1999, a span of less than 3 years.

    It amazes me how often zealots - both Linux and Windows - seem to view Slapper as some major new event. It's not. It is not the first Unix worm. It is not the first Linux worm. It didn't infect systems in any particularly unique or novel way. Nor did it really generate the kinds of numbers that put it on a pedestal among worm-kind.

    Slapper is only news to zealots and authors who are both new to information security and generally uninformed.
  141. Re:4 out of 10 americans support annexing canada by avgjoe62 · · Score: 1
    Does Canada have a secure OS?

    Actually, they do. [openbsd.org]

    Better than that Lunix crap

    They do?!

    Hell, then I'm all for annexing them, especially since someone there knows about LUNIX.

    BTW, I don't consider openBSD as good as LUNIX. I still can't get it to run on my Commie...

    --

    How come Slashdot never gets Slashdotted?

  142. exploits vs vulnerabilities by revengance · · Score: 1

    I might be wrong but I am under the impression that exploits are different from vulnerabilities. I am of the opinion that vulnerabilities are possible weaknesses that crackers/whoever can use to crack into a system while exploits are acts that make use of these weaknesses to access the system. There might be no known exploits for some vulnerabilities (especially those discovered through code scanning)?

    But it seems that most people seem to equate exploits with vulnerabilities. Am I wrong or what?

  143. It's not just the number of bugs.. by discovolante · · Score: 1

    It's the time that your system is vulnerable that matters. When a bug in a linux system is found, it gets reported immediately, and usually there's a patch available within hours. Compare this to Windows where it can take weeks for a patch to be released.

  144. Re:Clueless admins vs. byzantine systems and bad d by mpe · · Score: 2

    A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists?

    Some of them appear to be so obscure that their major use may well be the propagation of malware. "Integration" can translate into write very bad, even "spaghetti", code.

    And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.

    It's quite possible that there are "black hats" who know about these...

  145. Secure Windows Are Here! by ParrotDroppings · · Score: 1

    Just make sure you run your Windows-box behind a Linux-based Firewall.
    heheheh
    Smoothwall Rocks!

    --
    Free ?! Does that mean I can't get a Discount ?!
    This message was /.'ed
    1. Re:Secure Windows Are Here! by Anonymous Coward · · Score: 0

      You mean http://www.smoothwall.org...

  146. Last Post! by alpg · · Score: 1

    Excerpt from a conversation between a customer support person and a
    customer working for a well-known military-affiliated research lab:

    Support: "You're not our only customer, you know."
    Customer: "But we're one of the few with tactical nuclear weapons."

    - this post brought to you by the Automated Last Post Generator...