Slashdot Mirror


Windows vs Linux On Security

e8johan writes "NewsFactor is running an article asking whether Linux really is more secure than Windows. I'd say that they fail to point out that Microsoft's Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."

20 of 447 comments

  1. Bugtraq by qurob · · Score: 5, Informative


    Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows. Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

    Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.

    So many programs get lumped into 'linux' and this is forgotten.

    Imagine if EVERY time there was a patch for a Windows app, it was checked off in the 'windows' category.

    Then again, there are more Windows apps than Linux...

  2. Re:What timing! by tom.allender · · Score: 2, Informative
  3. Flamebait indeed by kafka93 · · Score: 5, Informative

    In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

    Similarly, the quoting of a few minor-but-exaggerated viruses etc., and to imply that these stack up to anything remotely comparable to the plethora of such issues that plague the Windows OS, is quite ridiculous.

    Let's face it - this is FUD. "Microsoft has organized a huge security program" and (Linux is) "less disciplined but more timely" -- such soundbites have been carefully calculated.

    Of *course* security comes to more than the Operating System alone; still, one can only gape at such inane comments as "the existence of security flaws -- and of hackers willing to exploit them -- does not necessarily add up to more risk for users".

    This is FUD that is based on the vaguest understanding of security, upon one man's comments, upon old, tired misunderstandings about the merits of "single commercial entities" -- in short, it is the usual chest-pumping pro-Microsoft FUD from someone who knows very little about which he speaks.

    1. Re:Flamebait indeed by Reziac · · Score: 5, Informative

      Well, I would have thought it flamebait too, and then I picked up a copy of "Hacking Linux Exposed" (http://www.hackingexposed.com/). This companion volume to "Hacking Exposed" is almost as thick as the original, which covers all other OSs combined.

      BTW, they're both very good reads; indeed, I would say *required* reading for sysadmins of ANY platform.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    2. Re:Flamebait indeed by user311 · · Score: 4, Informative

      Umm, yeah, but there is also Hacking Windows 2000 exposed - which is pretty much the same size as the other two. Hacking Linux exposed was more in depth than its predecessor, and the same with HEW2K. So your comment by no standards solves the question at hand, nor does it verify whether the article is flamebait.

  4. Re:Security depends on many things. by monadicIO · · Score: 3, Informative

    In circumstances like these, I think the best metric would be to use averages. An average windows box is less likely to be well managed given the profile of an average windows user (not to say (s)he is less smart, just less of an OS/security geek). Add to this the bundling of dangerous products like VB-script enabled utilities, and the winbox (even corporate-admin managed) is a disaster waiting to happen. On the other hand, a *nix user is mostly a more sophisticated user with a little more understanding of security. I don't think it is possible to have a really completely fair and proper comparison of the two systems unless you only ask persons who use/admin both systems.

    --

    The law of excluded middle : Either I'm foo or I'm foobar

  5. Re:What timing! by Anonymous Coward · · Score: 1, Informative

    RH keeps the original version but just patches the program; the only thing that changes is the package name, from program.1.1-2 to program.1.1-6 or something. Debian also does it this way, I think.

  6. Re:I trust Linux's security implicitly by Billly+Gates · · Score: 5, Informative

    Just because someone has a different opinion than yours does not mean he is wrong and you are right.

    Sometimes I find slashdot highly biased. I think the karma of your comment of +4 is a little too overrated since it's biased.

    Most highly secure military labs like the dod use VMS because they have a license to see and audit the source code? I remember reading a comment earlier this year mentioning this but I do not know if it's true. I would not be surprised if the military uses their own operating systems for critical systems that handle nukes and keep track of military operations worldwide. You need a lot of certification to run an approved os with approved hardware. I believe c3 certification is required.

    1.) c2 certification is required.

    Yes, Windows2k and NT are c2 certified while Linux is not. What we need to do is fund a lab to make it certified. People who do government purchasing will not buy a system that is not c2 certified. I believe this was probably one of the reasons linux was turned down. I am aware of the fact that Microsoft's c3 tests were not connected to a network but that is really part of the certification process. Any server that is connected or has a floppy drive is automatically disqualified so please don't rant on this.

    2.) The second issue has to deal with the development model. The lab's security department does have a valid concern that you may or may not agree with. I too would rather trust a proprietary OS with a special license to look at and audit the source code or a homebrew OS for such a situation.

    They do not know who Linus is and yes it is possible that the government of China for example can add some worms or backdoors into it. Remember that China is standardizing on linux and maybe funding part of it and donating code!

    Yes, there is no security in the linux development environment, and no, having Linus decide which code gets patched in the kernel is not good enough for military use! The bsd crowd has been complaining about this for a while. They would like cvs to prevent someone from adding something to the kernel. I do not agree with this analogy but if there was a cvs tree with at least minimal security on who gets to commit and write, then it would not bother the security freaks as much. From what I heard, Linus still does not use cvs and just patches code he receives from email. I remember several commits by him in which he says he will never use CVS.

    The preference for Windows2000 however does not make any sense. It's all closed source and a few spies could actually work for Microsoft. You never know. If they can look at the code, then they can do an extensive audit. However like I mentioned above, win2k is c2 certified so that's why they use it.

  7. Re:ActiveX is... by Arker · · Score: 5, Informative

    s/pain/impossible

    Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.) You can do the same thing with ME, the easy way is here. NT based systems are harder, but it's possible to achieve most of these improvements there as well, elsewhere on the same site you'll see he's still putting the finishing touches on a similar product for XP.

    The APIs are moving to ActiveX (cf .NET),

    Yes they are, an excellent reason to step up the pace on eliminating MS from any environment where security is important.

    I don't know that you could remove it even on Win 3.1

    Win 3.1 didn't include any of this, that's a very bad memory or some FUD, depending on your internal state when you wrote it. Some of the earliest versions could be run on 3.1, but that required installing Iexplore updates, it wasn't on the system by default.

    Not really. All ActiveX is is a codification of C++ virtual tables and object instantiation into a language independent standard. That's it. It's all in how you use it.

    Not quite, that's COM, ActiveX is how COM is made available to arbitrary code, as from a webpage or an email opened using MS tools, which as a rule don't just neglect to give the user proper warning before executing proper code, they typically give no warning at all. Click on a URL or just an email header in Outlook and you can run code without knowing you are doing so. This is a fundamental architectural flaw.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  8. Re:Security depends on many things. by haruchai · · Score: 4, Informative

    There are kernel patches for ACLs for Linux filesystems, http://acl.bestbits.at/ and other Unixes also have it built-in. Solaris has had this for years.

    --
    Pain is merely failure leaving the body
  9. Re:Security depends on many things. by 1010011010 · · Score: 5, Informative


    You're right. NT, like its VMS predecessor, is more secure by design. It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine. Unix apps are written with the understanding that there are any number of users, none of which are root.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  10. Re: Microsoft and C2 by brokeninside · · Score: 2, Informative

    Per Microsoft, SQL Server 2000, Windows NT 3.5, and Windows NT 4.0 have had successful C2 (4.0 by ITSEC at a "roughly C2" level) security evaluations. (Notice W2K is missing from that list.) Bear in mind that C2 evaluations are done on specific hardware.

  11. Re:Really? by blibbleblobble · · Score: 3, Informative

    How odd, no one must have told them that the project ended, according to your comment.

    What am I, a journalist that I must check my sources rather than just commenting from memory?

    A google-search, as usual, turns up varieties of information. I discovered the following article on ZDNet news with a 2002 date at the bottom.

    [Of course, this might be an auto-generated copyright statement using the current year, but I dread to think the legal implications of them doing that on something written before they claim]

    Quoted text follows:

    SE Linux may be the NSA's last direct contribution to open-source
    security, however. Because of the loud criticism, the NSA will have a far
    less direct role in the creation of more secure versions of open-source
    software.

    "We didn't fully understand the consequences of releasing software under
    the GPL (General Public Licence)," said Dick Schafer, deputy director of
    the NSA. "We received a lot of loud complaints regarding our efforts with
    SE Linux."

    Many complaints criticized the agency for providing the fruits of
    research to everyone, not just US companies and thus hurting American
    business.

    While stressing that the agency received a loud chorus of support as
    well, the chagrined Schafer said that the issue was contentious enough
    that "we won't be doing anything like that again."

    Sources familiar with events said that aggressive Microsoft lobbying
    efforts have contributed to a halt on any further work. "Microsoft was
    worried that the NSA releasing open-source software would compete with
    American proprietary software," said a source familiar with the
    complaints against the NSA who asked not to be identified.

    Microsoft would not comment directly on its lobbying efforts, but did
    stress that it wanted to ensure the government continued to fund
    commercial ventures. "The federal government plays an important role in
    funding basic software research," said a Microsoft representative. "Our
    interest is in helping to ensure that the government licenses its
    research in ways that take into account a stated goal of the US
    government: to promote commercialization of public research."

  12. Re:What timing! by messiertom · · Score: 2, Informative

    Dude, you're getting Mandrake!

    RedHat is the real RPM hell. Mandrake is RPM heaven. I don't know about any of the other RPM distros, though.

    With Mandrake, it's easy:

    urpmi wuftpd

    It will ask me if it's ok to download all of the other dependencies, so I enter "Y", and voila.. it downloads and installs them (assuming that your urpmi source lists are synched properly - it's not a bad idea to have a cron job to do 'urpmi.update -a' at 3 AM or so)

    Debian's apt is very nice as well, but Debian's not right for everyone (in actuality, no distro or even OS is right for everyone, despite what FUD-flinging says). If you use Mandrake though, you can still fall back to the old rpm -ivh and install non-official packages (there are a lot of rpms out there, especially on SF)

  13. Re:different kinds of security problems by the+eric+conspiracy · · Score: 4, Informative

    for instance, slapper requires that you install gcc on your server. if anyone installs a compiler on a production server, the response should be "WTF!!!"

    I don't think I have ever seen a Linux server being run in a production environment that didn't have gcc installed. Most of us don't have the luxury of homogeneous server installations where gcc-free installations are practical.

    Now, of course there are other measures that could stop slapper that are a lot more practical - chrooting, tripwire, etc. are some of them.

  14. Re:Security depends on many things. by 0x0d0a · · Score: 3, Informative

    The problem is that there are a couple of issues:

    ** Out of box:
    Linux: used to suck hard here. Traditionally, ran lots of services. You were supposed to know what you were doing and close what you didn't want. Now, unacceptable for new users. RH 5.2 shipped with tons of services, which people found holes in quickly. RH 8.0 ships with far less running.
    Windows: Fewer services than old Linux, but too many things running as "root" like IIS. A ridiculous amount of holes in IIS compared to Apache. XP is supposed to have (finally) proper permissions out of box.

    ** Granularity:
    Linux: normal UNIX stuff. Getting ACLs. Not very granular at all. You have the framework to hack up just about anything you want with sudo and scripts, but it isn't there out of box, and it isn't standardized.
    Windows: Nice. You can say "sally and bob can read this file, and mary can only write to it but not read it." ACLs may not be fast or easy to examine for mistakes, but they're powerful and easy to use.

    ** Ease of screwing up:
    Linux: UNIX is pretty easy to examine for irregularities, suid binaries, etc.
    Windows: Just like VMS, it's a *bitch* to know if you have some series of permission errors that screw you over somewhere.
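
Added example, not part of the thread: the comment above says a Unix system is easy to examine for irregularities such as suid binaries, and one way to do that is to list setuid/setgid files and diff them against a saved baseline. The function names, the demo tree and the baseline file name are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: baseline audit of setuid/setgid files (names are illustrative).

# Print every regular file under directory $1 that has the setuid (4000) or
# setgid (2000) bit set, one path per line, sorted for comm(1).
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Compare directory $1 with the baseline file $2 (one path per line).
# Prints "NEW  path" for privileged files not in the baseline and
# "GONE path" for baseline entries that are no longer privileged or present.
# Returns 0 when nothing changed, 1 on drift, 2 if temp files cannot be made.
audit_privileged() {
    cur=$(mktemp) && base=$(mktemp) || return 2
    list_privileged "$1" > "$cur"
    LC_ALL=C sort -u "$2" > "$base"
    report=$(
        LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/NEW  /'
        LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/GONE /'
    )
    rm -f "$cur" "$base"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: a throwaway tree with one expected setuid file, one
# unexpected one, and a baseline that also lists a file that no longer exists.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/bin"
    : > "$d/bin/passwd"; chmod 4755 "$d/bin/passwd"   # in the baseline
    : > "$d/bin/helper"; chmod 4755 "$d/bin/helper"   # not in the baseline
    : > "$d/bin/ls";     chmod 0755 "$d/bin/ls"       # ordinary file, ignored
    printf '%s\n' ./bin/passwd ./bin/chsh > "$d/baseline.txt"
    ( cd "$d" && audit_privileged . baseline.txt ) && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true   # status 1 only signals that drift was reported
```

On a real host the baseline would be the output of `list_privileged /` saved after a clean install, with the audit run periodically against it.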

  15. Why Debian is easy to secure by steveha · · Score: 4, Informative

    I am not an experienced sysadmin, but I have found sysadmin tasks to be pretty easy with Debian. Here is how to run a server with Debian:

    0) install using the Debian "stable" branch. (Use the pgi to install; it's easy.)

    1) once a week or so, run the commands:

    apt-get update; apt-get upgrade

    These will go out and get all the latest updates to your packages.

    If you update your packages, worms like Slapper will not be able to get into your system.

    Debian also provides a really excellent howto. Any Debian server admins should study it:

    http://www.debian.org/doc/manuals/securing-debian-howto/

    P.S. I'm sure Windows systems can be made secure, but it has to be more work than securing a Debian system. There is nothing as cool as "apt-get upgrade" on Windows.

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
  16. Comparing OS security by octogen · · Score: 3, Informative

    When Microsoft compares Windows Security with Linux/Unix security, they commonly show you all the cute security features of Windows 2000 and then compare it with a freshly installed Red Hat 7 box (or something like that, debian, SuSE, whatever you want).

    What about comparing the most secure setup of Windows with the most secure setup of Linux or Unix?

    Now you end up comparing Windows 2000 with HP SecureLinux or with Trusted Solaris, Trusted Irix, and so on.

    The most secure setup of Windows 2000 has C2 level security (discretionary access controls capable of defining access to the granularity of a single user, audit trail), while the most secure Versions of Linux have things like domain based access controls (however they are not certified at any TCSEC security level, not even C2) and the most secure Unix environments have B3 level security (structured protection, zero design flaws and minimum implementation flaws).

    Just take a look at how security mechanisms work, maybe compare Linux+Pitbull/LX (domain based access control) with the most secure Version of Windows 2000 - and try to imagine, how DBAC keeps your computer secure, even when somebody hacks your sendmail daemon.

    Now go and look for a Version of Windows with zero design flaws, or maybe just a B1 secure Version of Windows, good luck.

    regards,
    octogen

    Some further information:
    Trusted Solaris, Sun Microsystems; ITSEC EAL4 (exceeding B1 security);
    Pitbull, Pitbull/LX, Argus Systems; ITSEC EAL4 security for AIX and Solaris; Domain Based Access Control for Linux (Pitbull/LX);
    XTS/300, Getronics; TCSEC B3;
    Firewall Server, BorderWare; (Unix based Firewall), ITSEC EAL4 with EAL5 vulnerability analysis;
    Windows XP, Microsoft; TCSEC C2;

  17. Re:Security depends on many things. by rosie_bhjp · · Score: 2, Informative

    I think the kind of functionality you may be looking for is obtainable with systrace
    Or check out Niels Provos' page

    --
    A radio maverick jumps to internet only. The Future of Rock n Roll
  18. Re:Nice spin on the article by Kjella · · Score: 3, Informative

    With at least a quarter GB of updates to Win2k systems - that's a lot of fixes!

    Um... so they total up to it, but I thought every service pack contained all the fixes in the previous ones, so it doesn't really make sense to add them up. Not to mention it's a service pack for several Windows 2000 versions (though similar, I'm pretty sure a Win 2k Pro only would be smaller).

    Anyone have any numbers on how much a No-SP Win2k install really needs to be up to date? (express download)?

    Kjella

    --
    Live today, because you never know what tomorrow brings