Slashdot Mirror


Windows vs Linux On Security

e8johan writes "NewsFactor is running an article asking whether Linux really is more secure than Windows. I'd say that they fail to point out that Microsoft's Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."

73 of 447 comments

  1. Security depends on many things. by Anonymous+MadCoe · · Score: 5, Insightful

    Which is more secure is such a hard question. UN*X is structurally more secure in many people's opinions. Windows also has the disadvantage that it has many clueless admins (even the certified ones). I think that's a big part here, any OS is as secure as the admin, a well managed Windows box can be more secure than a badly run Linux box... A proper comparison will be much more complicated than this article.

    1. Re:Security depends on many things. by monadicIO · · Score: 5, Insightful

      Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?

      --

      The law of excluded middle : Either I'm foo or I'm foobar

    2. Re:Security depends on many things. by tres · · Score: 5, Insightful

      With a properly designed and implemented system of groups, there's no need for ACLs.

      Using SUDO beats giving ON or OFF Administrator privs to multiple people.

      I'd say that gives UNIX a much finer granularity of control than NT.

      NT 5 is catching-up with the "run as" command, but it's really only good for point-and-click administration.

      more control == better security

      --
      Notes From Under *nix: blas.phemo.us
    3. Re:Security depends on many things. by SerpentMage · · Score: 3, Insightful

      While that may be true, I think that is also what makes it more insecure. I have seen tons of documentation for programmers how to manage security. This means a programmer REALLY needs to know their stuff. In other words most programmers will not know their stuff. And as a result the apps are insecure. But the cause of the insecurity is not the app, but the OS because it is SO DAMM DIFFICULT.

      While UNIX security may be simpler, it did not take me a huge effort to understand.

      I use Windows and LINUX daily. My notebook is usually running XP and I have to say they screwed up security royally. The easy to use guides like "make available to shared users" actually opens your machine royally. The not shared locks everything down. But there is no middle. I had to go back to traditional NT security to twiddle how I wanted things.

      Here is why I am griping. I have a home network. And on this home network typically it is my wife and I. But sometimes I have friends come by with their notebooks. So they hook into my network. At that point I want per user security. Try to do that with the new "easy" to use XP security...

      It all boils down to the same thing. NT has better security, but it is so DARN difficult that managing it effectively is impossible.

      --

      "You can't make a race horse of a pig"
      "No," said Samuel, "but you can make very fast pig"
    4. Re:Security depends on many things. by PurpleFloyd · · Score: 2, Insightful
      You're kidding, right? While SUDO may provide a finer granularity of control than granting admin privileges to a lot of people, ACLs are another way to increase the granularity of control.

      Say you want Joe from accounting to be able to access only a certain few files owned by the Engineering working group, for whatever reason. With ACLs, you could select specific files, and say that Joe has access to them. Without, you would have to either deny Joe access, give him total access to all Engineering files, or make copies for him.

      As you said, more control means better security. If you implement both ACLs and a SUDO-style "run as this user" system, you have more control than with either one. How is this not a good thing?

      --

      That's it. I'm no longer part of Team Sanity.
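
The three options in the comment above (deny Joe, put him in the Engineering group, or give him a per-file ACL entry), as an added example that is not part of the original thread: a simplified Python model of the access check algorithm documented in Linux's acl(5). The user, group and file names are constructed for illustration.

```python
"""Simplified model of the POSIX.1e access check described in acl(5).
Added illustration; users, groups and file names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

R, W, X = 4, 2, 1  # permission bits, as in chmod octal digits


@dataclass
class FileACL:
    owner: str
    group: str
    owner_perms: int                      # ACL_USER_OBJ
    group_perms: int                      # ACL_GROUP_OBJ
    other_perms: int                      # ACL_OTHER
    named_users: Dict[str, int] = field(default_factory=dict)   # ACL_USER
    named_groups: Dict[str, int] = field(default_factory=dict)  # ACL_GROUP
    mask: Optional[int] = None            # ACL_MASK

    def __post_init__(self):
        # An ACL that carries named entries must also carry a mask entry.
        if (self.named_users or self.named_groups) and self.mask is None:
            raise ValueError("named entries require a mask entry")


def allowed(acl, user, groups, want):
    """True if `user`, a member of `groups`, is granted every bit in `want`."""
    def has(perms):
        return (perms & want) == want

    def masked(perms):
        # The mask caps named-user, named-group and owning-group entries.
        return perms if acl.mask is None else perms & acl.mask

    if user == acl.owner:
        return has(acl.owner_perms)       # the owner entry is never masked
    if user in acl.named_users:
        return has(masked(acl.named_users[user]))
    matching = []
    if acl.group in groups:
        matching.append(acl.group_perms)
    matching += [p for g, p in acl.named_groups.items() if g in groups]
    if matching:
        # Any one matching group entry that grants the request is enough.
        return any(has(masked(p)) for p in matching)
    return has(acl.other_perms)


def scenario():
    """Joe (accounting) needs to read one Engineering file, not all of them."""
    def plain():
        return FileACL("alice", "engineering", R | W, R | W, 0)

    files = {"budget-request.xls": plain(), "prototype-design.doc": plain()}
    out = {}

    # Option 1: groups only, Joe stays in accounting: no access at all.
    out["groups_only_outside"] = {
        n: allowed(a, "joe", {"accounting"}, R) for n, a in files.items()}

    # Option 2: groups only, Joe added to engineering: access to everything.
    out["groups_only_member"] = {
        n: allowed(a, "joe", {"accounting", "engineering"}, R)
        for n, a in files.items()}

    # Option 3: a named-user ACL entry on the one file Joe needs.
    shared = FileACL("alice", "engineering", R | W, R | W, 0,
                     named_users={"joe": R}, mask=R | W)
    with_acl = dict(files, **{"budget-request.xls": shared})
    out["acl_entry"] = {
        n: allowed(a, "joe", {"accounting"}, R) for n, a in with_acl.items()}
    out["joe_can_write_budget"] = allowed(shared, "joe", {"accounting"}, W)

    # Edge case: a mask of 0 silently removes Joe's and the group's access,
    # while the owner keeps hers. Always check the effective rights.
    zeroed = FileACL("alice", "engineering", R | W, R | W, 0,
                     named_users={"joe": R}, mask=0)
    out["mask_zero"] = {
        "joe": allowed(zeroed, "joe", {"accounting"}, R),
        "bob": allowed(zeroed, "bob", {"engineering"}, R),
        "alice": allowed(zeroed, "alice", {"engineering"}, R),
    }
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(case, result)
```
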
    5. Re:Security depends on many things. by secolactico · · Score: 2, Insightful

      Clueless admins are everywhere. With the advent of easy to install Linux distros (redhat, mandrake) there are people that simply do the default server install and that's it! Never mind shutting down insecure services or keeping up to date with security updates.

      I've personally met a couple of these admins, who believe that locking down a box means simply install tcp wrappers for the telnet daemon. Makes me wonder if they even know about ssh.

      --
      No sig
    6. Re:Security depends on many things. by Asprin · · Score: 5, Insightful


      > Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?

      Amen, I wish I had a mod point to give. Along similar lines, didn't CDC claim that BackOrifice uses the same standard API calls as MS's own SMS to provide remote access? On second thought, maybe and maybe not.

      Either way, it seems to me that most of MS's security problems have less to do with the OS not doing its job and more to do with the fact that MS has designed every one of their products to encapsulate (arbitrary) code inside their data files so their developers have easier ways to hammer out apps.

      The problem is that the same scripting engine that lets Word (usefully) puke out mailmerged documents generated from a VB/Access app also gives virus authors a platform to attack. The fact that it's useful to combine code with data just means the platform is now ubiquitous, and therefore not going away because this is a fundamental design issue, folks. MS did this on purpose to make it easier to get computers to run code, and it can't be fixed by patching holes.

      To really fix this, MS would have to renounce this entire experiment and replace every copy of Win/Office/IE with new software that is less 'capable.' Those of you who are paying attention probably now understand Mr. Valentine's comments of a few weeks ago, as well as Microsoft's interest in shoving Palladium down everyone's throats.

      --
      "Lawyers are for sucks."
      - Doug McKenzie
    7. Re:Security depends on many things. by Ed+Avis · · Score: 4, Insightful

      The OS can compartmentalize resources so that if one app makes an illegal memory access, it doesn't crash the machine. The OS can limit access so that if one server is compromised, it can only screw up its own files and not the others on the box. NT does both these things (the latter with the ability to run a server as a particular user). However, no OS can do anything about deliberately stupid applications which choose to execute scripts stored in documents, for example.

      Well, I suppose it would be possible to run Outlook under its own user account or with a reduced set of permissions, so that it could access only its own mail spool and not the rest of the user's files. But that would really get in the way of typical usage. Perhaps if there were some way to allow small extensions of permissions a la Java ('Outlook is trying to save a file c:\foo.doc. Do you wish to allow this?' and press Yes if it's something you asked for, No if it looks like a worm doing something nasty). But AFAIK no desktop OS has ever done anything like this; all desktop apps run with the uid of the current user and have full access to his files.

      When developers make moronic decisions like auto-executing scripts in documents, it is not fair to blame the operating system. It is not so much Windows as the crap which festers around it (albeit coming from the same company). You don't hear about too many exploits in the Windows FTP server program (although surely there are some). Why not? Because FTP is a standard protocol and Microsoft haven't been able to set their monkeys loose on it and add insecure extensions.

      --
      -- Ed Avis ed@membled.com
    8. Re:Security depends on many things. by Karellen · · Score: 3, Insightful

      Compared to ACLs, the UNIX model of a single administrator with r00t access, and `everyone else', is simple. Very simple. The `setuid on execute' (with root as owner) for small, auditable programs (such as `passwd' and `su') that do simple things to allow people to do things requiring root capabilities (write passwd file, change to another user (including root)) couldn't be made more simple and straightforward unless you tried _really_, _really_ hard.

      And some competent sysadmins still get it wrong on occasion. It's rare, but they can.

      Stopping determined attackers cracking your system is hard, even if you have all the latest patches. The more complex your system gets, the more chances are that you'll miss something.

      The complexity of ACLs? I've seen the API docs(*) for them. That's just nasty. It's _too_ complex IMO for an admin (even a good one) to be certain of getting it right all the time. I'll take the simplicity of the UNIX way. I'm more confident of getting it right.

      K.

      *(Well, I've seen the MS ACL API docs, but MS have a habit of creating really shitty APIs, so there may be a better way)

      --
      Why doesn't the gene pool have a life guard?
    9. Re:Security depends on many things. by electroniceric · · Score: 3, Insightful
      Well, I think you hit the nail on the head with this:

      > It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine.

      AFAICT, in terms of usability there is a profound unsolved problem here, which is twofold.

      One is that many (most?) end users just want to do stuff on their computer, and as such they _sometimes_ need to be the administrator, without really understanding permissions or security. Remember Steve Gibson's rant about how XP by default has raw socket access for all users (b/c they are root). Microsoft has opted to make them administrators all the time to avoid explanation to a million disinterested and disgruntled XP users why they can't install the educational software their kids brought home from school.

      A second, deeper problem affects both *nix and windows. The most serious threat in a compromised system is the loss of data, most of which lives in userland. But at least as far as I understand there's no clear way to determine what code and data to accept. Convenience dictates that stuff from outside the machine will need to find a home on your machine, while security dictates that it should at best be data only, and no code. As we move into a more networked world, this balance needs to be reexamined and retooled over and over. But I don't see *nix making great strides in that area, frankly.
    10. Re:Security depends on many things. by Anonymous Coward · · Score: 1, Insightful

      Do not -- ever -- bring up BackOrifice in a discussion about security. BackOrifice has nothing to do with system security, since it only works if it has the proper system privileges. BackOrifice only uses NT as it is designed. BackOrifice is not an example of a security problem with NT, as the same functionality is available on any OS.

  2. Article Summary by Sabalon · · Score: 5, Insightful

    Security problems exist - it may or may not be worse in Linux than windows...keep your systems updated regardless.

    C'mon...this was nothing but flamebait - nothing newsworthy there at all.

    About the only telling thing is the top line about MS turning towards spending $$$ towards security - perhaps that includes buying blurbs like this saying Linux ain't perfect either.

  3. There's three kinds of lies... by Jack+Wagner · · Score: 3, Insightful

    Lies, damned lies and statistics.

    Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

    Actually this is yet more hardcore evidence that the FSF and open source proponents need to shift to a more modern Extreme Programming model of development and away from their legacy "hacker working alone in a basement" methodologies. I've done this using a modified P2P client for real-time distribution of code amongst a team of 3 other coders over high bandwidth connections and it works out very nicely-even though we were all in different states at the time. It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

    This hits at the very heart of the Achilles heel of open source as it tends to be rather unprofessional and willy-nilly in its approach to development and project management which was fine back in the early 90's but suffers from severe limitations in today's modern and complex software development paradigm. Sure they make more secure software because it's easy to make an Xterm secure and not so easy to make a giant enterprise ERP package secure. Let's see these "experts" compare apples to apples sometime.

    --


    Wagner LLC Consulting Co. - Getting it right the first time
    1. Re:There's three kinds of lies... by bLanark · · Score: 2, Insightful

      > It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

      How interesting. Got anything to back it up?

      --
      Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
    2. Re:There's three kinds of lies... by rseuhs · · Score: 4, Insightful
      IIS runs less than 25% of webservers, Apache about 2/3.

      But, IIS has the far, far worse security track record.

  4. Re:Nice spin on the article by N3WBI3 · · Score: 5, Insightful
    Beyond this. The article refers to slapper, and the like. Many of which will not hinder a Linux system of your average user. How many people run apache with openssl on their system really? and of those people how many do not keep the revs up to date.

    My home box has Apache, but no ssl I really don't need secure transactions that much, if I did I would keep it up to date just like everything else I use. Now let's look at Nimda, what % of people on windows use outlook/outlook express, and of these how many would not keep their system up to date.

    Point is one is a server daemon exploit (used by a very small % of linux servers (say 10-20% tops)), and one is a mail client exploit used by a majority of windows users (so there will be many more out of date versions per capita)

    --
  5. Bug Counting Again... by theBraindonor · · Score: 5, Insightful

    Yet again, we find an article that points to the significant number of Linux bugs going through Bugtraq. The turn-around time for the patch in Linux is usually quite fast. Commercial software makers are starting to sue individuals for disclosing security vulnerabilities.

    How many bugs for Windows have been swept under the rug? How many software vendors out there have patched security holes, and requested that their customers download the latest 'maintenance' patch?

    Just ask some of the truly gifted individuals in security what they think of security through obfuscation.

  6. Re:I trust Linux's security implicitly by Charlton+Heston · · Score: 4, Insightful

    I doubt the veracity of your story. The NSA has worked on a secure Linux distribution. The big laboratories were also pioneers on the Internet. They've had a lot of experience with that type of software development and your rubber stamp story doesn't fit in with that.

    --
    Get your stinking paws off me you damn dirty ape
  7. Depends on administrator by hatchet · · Score: 3, Insightful

    I think that most of linux's security risks are there because of administrators. They should only run services and modules that are essential, but nothing else.
    Administrators should have physical access to machine, so they can disable any kind of remote shell access. Do not run ftpd as root.. and so on. I think that would minimize security risks.

  8. Re:I trust Linux's security implicitly by netphilter · · Score: 5, Insightful

    "Linux is not being considered until the development model is safe."
    Translated this reads: "I only know Windows so stop threatening me, for job security reasons we can't use Linux." Anyone that claims that the development model is unsafe is showing their fundamental misunderstanding of said development model. That would be the same as saying that the pharmaceutical industry's development model is unsafe. It's essentially the same model. OSS allows for peer review, which ALWAYS makes more secure software. Look at crypto algorithms for another example.

    --
    "Herbivores eat well cause their food never, ever runs."
  9. What timing! by Pedrito · · Score: 5, Insightful

    Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers. The only security problem found was with the version of wu-ftpd that I'm running.

    No problem, I thought, I'll just upgrade it. So, my first step was to download it from wu-ftp's ftp site, only to realize I was going to have to figure out how to build it (that was simple, except I kept getting two or three errors in the compilation. I'm assuming my gcc is out of date) and then how to install and replace all the existing stuff (I have no idea how, and I don't have time to learn it).

    So, I figure I'll go to RedHat, download the RPM and just install that. Which I do. Ran RPM to install it, no messages, try to FTP in, still running the old version. Shut-down and re-start, same thing.

    Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

    There's nothing I'd like more than to see Linux replace Windows on every desktop. When Linux is ready. Frankly, I don't think it is, and I think it's still got a long way to go. Sorry.

    1. Re:What timing! by smnolde · · Score: 5, Insightful

      You need FreeBSD to get you out of RPM hell. It takes far less effort to upgrade software on FreeBSD than it does with any RPM-based lunix distro.

      Getting out of RPM hell was the main reason I chose FreeBSD over lunix.

    2. Re:What timing! by Cytlid · · Score: 4, Insightful

      > Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

      Ok, I was getting ready to flame you for this... but after reading all the other replies, I thought not. I think the biggest problem people have, either on the Windows or Linux side, is living in a paradigm. Like it or not, you're most likely living in a Windows paradigm. You like the way it works, it's "easy" for you, you program in it. You promote and spread the Windows paradigm. The Linux Paradigm doesn't fit you all too well... I'm probably the opposite. Yea, I've been using Windows for years, and I'm used to it, but I honestly think I fit better into the Linux paradigm. (Read: if I were adminning a Linux server, trust it better than if I were adminning a Windows server.) I *know* I should hone my skills in Windows administration, but without really good (free, available) documentation... it's not possible unless I spend all kinds of money. Only thing I can hope for is to pick up tips from people I know are Windows Admin gurus. I think this whole debate is a matter of realizing where you stand. The people who see clearly in both paradigms will be the ones ultimately winning.

      --
      FLR
    3. Re:What timing! by timster · · Score: 5, Insightful

      The problem here is that what you were doing was not "desktop use", but for some reason you extend your experience to desktop use. What you were doing was clearly server administration. I don't hear anybody telling me that Windows isn't a good desktop OS because the DHCP Manager isn't intuitive (which it's not, unless you understand DHCP). Server administration is always going to require skills, and whatever other skills you may have you have no skills in Linux server administration.

      As for your experience, you made a number of mistakes that anyone who knew what they were doing (as a Linux sysadmin would) would never make. First problem was thinking you should go to the wu-ftpd website and try to compile the software yourself. Unless you have some tremendous reason to do this, you need to go to your distributor in all cases, since their installations are customized in numerous ways that you have probably come to expect. Second mistake was expecting an RPM to restart the service for you (RPM's don't really go for pre/post-install scripts, see Debian for that).

      The third mistake was the worst, as it totally ignores the whole purpose of your distributor. Development groups (like the wu-ftpd group) generally attach security and bug fixes to new versions, since they usually prefer to work on one codebase. However, your distributor should never upgrade you to a new version that changes any functionality unless you change the version of the distribution, since a given version is supposed to be stable. So, as every Linux sysadmin in the world knows, Red Hat doesn't just toss the thing into an RPM and throw it out there. Rather, they take their existing codebase (which as I said, is usually patched in several ways) and apply the security fixes to _that_. And everyone knows this because it is _clearly_ _documented_. If you are running a server (ftpd is not a desktop app) then you need to follow the security updates for your distro, which will quite clearly explain what patch level fixes what holes.

      My advice to you is to either: remove all the server programs from your system and use it as a desktop user; hire a competent sysadmin; or spend the time yourself to become a competent sysadmin. Don't play end-user-with-a-server or you'll get burned, no matter the OS.

      --
      I have seen the future, and it is inconvenient.
  10. From what I've seen by Apreche · · Score: 2, Insightful

    is that pretty much all operating systems are equally secure. The insecurities in the operating systems are not the same, but neither one is bulletproof. Windows seems more insecure, but that is because more people try to hack it, because more people use it. Linux seems more secure because it is hacked less, which is because less people use it. However UNIX is very old and very open and has just as many ways to get in as windows does.

    From what I've experienced operating system choice is not a major factor in security. The biggest factor in security is how well the operating system in question has been configured. You could run the newest linux with all the shiniest intrusion detection stuff, but if you let the guest account rm -f *.* you're in a bit of trouble. Nothing is more key for security than proper configuration. And of course, not downloading e-mail attachments in outlook.

    --
    The GeekNights podcast is going strong. Listen!
  11. It's the user by photon317 · · Score: 5, Insightful


    The user makes all the difference. What software you choose to run, and how you choose to configure and audit things. How much care you give to security issues and how much knowledge of basic security you have.

    However, if you are competent and security-minded, it is quite easy to make a Linux box extremely secure against all but the most directed and knowledgeable attackers, which are quite rare. If you run Windows, no matter how hard you try you're still gonna be fairly hosed. Some things just can't be fixed reasonably on that platform.

    --
    11*43+456^2
  12. A user's standpoint by InodoroPereyra · · Score: 3, Insightful
    Even though I contribute code every once in a while, my background is not in CS and I am not an expert in Security by any means. What matters to me is not whether open source solutions are inherently a little more or less secure than open source solutions. What really matters to me is what can I do to secure my machine.

    Security holes happen for any development model, shit happens. With open source, GNU/Linux in particular, I keep an eye on security updates to my distro and that's it. Almost no effort if you use a friendly distro. Well, that and I check not to run services I do not need, use a firewall, etc. I know that as fast as a hole is found a fix will appear and I'll download new packages in a couple days. If I am really concerned I can compile and install in the meantime. Here is where the freedom meaning of free software shines.

    Oh, and the title should better be "Open source vs proprietary security". Old same old ...

  13. I want to choose my security settings by magwm · · Score: 2, Insightful

    Well, at least linux (the newer distro's I tried like RH, Mdk, SuSe, Deb) lets you CHOOSE your security settings. None of all windows installations I performed asked me which level of security I wanted..

  14. ActiveX is... by Arker · · Score: 5, Insightful

    Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older systems, and I don't believe anyone has even worked out a way to properly disinfect it from XP to date (if I'm wrong give me a link, litepc.com is still working on it, it's a tough problem.) ActiveX is also the very exemplar of security hole from the ground up. Despite all the lip-service given recently to the concept of security by Microsoft, this particular policy, by far the biggest cause of security flaws, has been intensified over time, not backed off from. This makes Microsoft systems and security antonymical.

    Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above. What does Microsoft gain by making their systems inherently insecure? A rationale for the 'necessity' of so-called security schemes (that really don't have anything to do with security, but rather with centralised control) such as DRM. Flood the net with insecure boxes and then cash in later by 'solving' the problem in a way that makes you the effective gatekeepers of the internet. Now there's a business model with some profit potential.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  15. pick(nit); by Black+Parrot · · Score: 5, Insightful


    > I think that's a big part here, any OS is as secure as the admin...

    I would have said "the admin sets an upper bound on system security". The OS could still undershoot that bound.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:pick(nit); by Anonymous Coward · · Score: 2, Insightful

      Actually, the OS would set the upper bound on system security. The admin would be responsible to ensure that the usage policies and deployment environment are using the security capabilities of the platform to the fullest. In that sense, the actual security of a system would be the product of the various factors, in this case: Security = OS_Security * Admin_Knowledge

    2. Re: pick(nit); by Black+Parrot · · Score: 5, Insightful


      > Actually, the OS would set the upper bound on system security.

      Actually-actually, they both set upper bounds on the system security. The effective security is the minimum of the two bounds. You can't get better than your OS offers, and you can't get better than your sysadmin offers.

      --
      Sheesh, evil *and* a jerk. -- Jade
  16. Re:Geez by Anonymous Coward · · Score: 1, Insightful

    Quibble:
    For many large Windows shops they are part of the base rebuild kit ... when your machine falls over, then most of the ghosted resets will include Office and VBA. So, they are de-facto part of the OS.

    Agree:
    You don't have to put all this in if you are looking to lock down a server box.

    The real issue is the ratio of how fast you add functionality to how fast you add security issues. At one extreme the box is running at runlevel 0 ... really secure. At the other extreme there is no security anywhere on the system -- think root w/ no passwd. Obviously we need to live somewhere in the middle. "Where" is the question.

  17. The question is not Who? but HOW? by Nicolay77 · · Score: 3, Insightful

    Who is better, bigger faster? That doesn't help any community very much either.

    What is good is to ask how to make actual systems better, to catch up faster with patches and so on.

    My try:

    Besides disabling unneeded daemons, automatic updating should be a priority for almost all users, at least for every desktop (not hardcore) user. MS would have that right if they weren't pushing EULA changes with every update. And checksums of packages would start to be a serious thing, not something we saw but ignore in the same web page as the .rpms, .isos or .exes.

    But this automatic updating should be entirely configurable, because hardcore users, admins and so on can't rely on third parties to check the compatibility of every patch with the endless configuration they have done. Auto-update could be enabled in any vanilla system, and disabled per package with dependencies with a CLI and GUI tool.

    Ohhh, and making sure that this autoupdate doesn't have any bugs too! (as far as possible). Maybe SSH and server keys in the .isos to prevent man in the middle virus patch attacks.

    Just a thought.

    --
    We are Turing O-Machines. The Oracle is out there.
  18. Re:Ramen, Slapper, Scalper and Mighty ? by Ummagumma · · Score: 2, Insightful

    >1- Mighty Netbios ( Most secure protocol invented since '95! )

    Any sysadmin who doesn't disable this on publicly accessible machines isn't a good sysadmin.

    >2- Unicode File Traversal Vulnerability. Appeared like 1-1.5 year ago. Still some servers vulnerable

    Again, sysadmin problem. It's been patched.

    >3- Melisa & IloveYou & others countlessly many Ms Word worms

    Application problems, not OS problems, big difference.

    >4- Nimda & CodeRed variants. Millions of computers got intruded in one day.

    Application problems, not OS problems, big difference.

    >5- Internet Explorer got 20 unfixed vulnerabilites today according to http://www.pivx.com/larholm/unpatched [pivx.com]

    Application problems, not OS problems, big difference.

    >6- Windows XP UPnP Vulnerability got public after the week XP was released....

    I'll give you this one :)

    I'm not saying windows is the greatest and all, but get your facts straight, please. 3 of the 5 issues above are application issues, not OS issues.

    --
    "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
  19. Re: how does newer == less secure? by Black+Parrot · · Score: 2, Insightful

    > Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.
    > um, I don't get it. How does newer == "less secure" in this scenario?

    Also, in what sense is Linux "newer" than any currently supported manifestation of Windows?

    --
    Sheesh, evil *and* a jerk. -- Jade
  20. Re:Geez by javahacker · · Score: 2, Insightful

    Really, I think you miss the point. Most computers sold with Windows are also distributed with Office, and Outlook or Outlook Express. These are the biggest security risks on a Windows system. Sure, those things don't normally come on servers (although IIS does, big trouble), but most Windows installs are desktops, and are very vulnerable to email attacks. Most Windows systems are poorly set up, because they default to poor settings, which is part of the problem.

    Very likely the security reports mentioned about Linux also included any that were present on the applications that came with Linux, so how can you exclude security problems with pre-installed Microsoft applications. You can't have it both ways.

  21. Re:Ramen, Slapper, Scalper and Mighty ? by unixmaster · · Score: 3, Insightful

    apache bugs : Application problems, not OS problems, big difference.

    openssh bugs : Application problems, not OS problems, big difference.

    xchat & other programs bug : Application problems, not OS problems, big difference.

    Linux kernel symlink dos vulnerability ( 1 vulnerability about kernel I have ever seen in 1 year ) : os bug

    See, if you think like that, Linux has only 1 bug....

    --
    Never learn by your mistakes, if you do you may never dare to try again
  22. Re:Nice spin on the article by Penguinoflight · · Score: 2, Insightful

    No man.. OpenOffice is a network application, so it could be a security risk, but KOffice is a single user application, and not at all dangerous. And unlike Win32, there's nothing wrong with XWindows that is consistent. It's so old, and written well enough, there's very few bugs. Remember, us "mindless Linux zealots" are the ones who really care about stuff, you don't. Everyone has their "Reason" why linux won't go mainstream, but they're usually fake, like this one. You're just not ready to learn another platform, so you curse it instead. Get a life.

    --
    "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
    1 John 4:14
  23. Re:Nice spin on the article by frankmanowar · · Score: 3, Insightful

    I thought the article didn't really stack the deck at all, in fact, it was very favorable to windows - it actually legitimized it (you motherless whore). When a security flaw is discovered in linux, a community of people work together to release a patch while a company that issues a distro/release works on their own patches. MS sits on known security issues for years without addressing them, doing damage to their customers and user base. Linux users don't pretend that there is no problem running X servers (or ttdbserver.rpc for you solaris people, holla *^_^*), they come up with solutions. MS has finally gotten around to releasing patches as they come out - but what about inherent flaws in the OS that are unpatchable - like the Windows Messaging system?

    No, Windows STILL sucks.

    -Frank

    --

    "Other bands play, but Manowar KILLS"
  24. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  25. Re:Clueless admins vs. byzantine systems and bad d by GigsVT · · Score: 5, Insightful

    Playing devil's advocate here but....

    MS could have documentation that is just as good, and contextual like a squid conf file.

    The problem is that people stop clicking the question mark cursor (contextual help) after doing it about 10 times and getting "This is a text box, you enter text into it" or "click the check box to toggle this option on or off".

    So, IMO, it's not so much that they can't, it's that they don't.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  26. Re:Geez by Hayzeus · · Score: 4, Insightful
    > Very likely the security reports mentioned about Linux also included any that were present on the applications that came with Linux, so how can you exclude security problems with pre-installed Microsoft applications. You can't have it both ways.

    I'm not trying to have it both ways. I would no more include past problems with Bind, Apache or WU-FTPD when evaluating Linux security than I would MS-Office when discussing Windows security. Nowhere have I said that I feel windows is particularly more or less secure than Linux -- In fact, using BugTraq reports as a basis for comparison is a fairly clueless means of comparing OSs for relative security. Not to put too fine a point on it, but comparing "Linux" to "Windows" is itself a meaningless exercise, since the two are not equivalent in any sense.

    The bottom line is that (as mentioned elsewhere) the weakest link in any system from a security standpoint is the operator of the system, period. If you want to make any kind of meaningful comparison, compare Windows against a particular distribution of Linux with an emphasis on securability. How easy is it to secure the system? How effective are the means provided? Then you might have a study worth reading.

  27. Microsoft Office by tmark · · Score: 3, Insightful

    > I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen

    That would be a good point if not for the fact that 1) Microsoft Office is not part of Windows, and 2) a lot more people would switch to Linux on their desktop if Microsoft Office (and not some pale imitation) were available on Linux. But it isn't, is it?

  28. Re:Nice spin on the article by Blkdeath · · Score: 5, Insightful
    > The thing is, cathedrals are inherently more secure than bazaars. This is in no small part due to the people that frequent each place.

    Why, because they don't let anybody peek inside?

    Because security through obscurity has worked out so well for Microsoft in recent years, hasn't it?

    While there may be a significant number of vulnerabilities that have existed in Linux applications (a rare few in "Linux" itself, I might add), they're almost always fixed in a timely manner. More than can be said for our Cathedral competitor.

    Moreover, the security model of even a relatively loosely secured Linux system helps prevent overall system damage and widespread deployment of such vulnerabilities. Consider the spread of CodeRed or Nimda compared to that of Slapper or Ramen. I'm no mathematician, but I do believe we're talking an order of magnitude in difference here. Before somebody reminds me for the umpteenth time that Microsoft is more widespread; let's concentrate on web server vulnerabilities. These guys disagree wholeheartedly.

    Also to be considered is the sheer number of updates that appear on the WindowsUpdate site with no big uproar, and the potential number that are buried deep inside their service packs (104MB for XP, 106MB Win2k SP2 with a 17MB "security roll-up" and subsequent SP3, etc.). With at least a quarter GB of updates to Win2k systems - that's a lot of fixes! The open source community is just a lot more ... open about the chinks in our armour, which gives statisticians a field day in coming up with reports and editorials about how bad off we are.

    Of course, were I to deploy a mission-critical server installation running Linux, I still have the ability to audit the entire codebase (or hire somebody/a team of somebodies to do it for me). With Windows, that's apparently possible, in a small part, and at a very large price (I understand that enterprises can purchase large chunks of the Windows codebase for a few hundred thousand dollars, but don't quote me on it.) on top of the expense in hiring the programmers. This is not to mention the fleet of tens of thousands of eyes always staring at the code of larger projects day in, day out.

    Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option? Of course not. Microsoft's bread-and-butter is having that GUI shoved in your face at all times with the Internet Explorer icon emblazoned on the desktop and etched forever into the back of your retinas. The Windows Scripting Host and VBS support are all part and parcel with their Master Plan to have integrated desktops with unified interfaces (remember, Microsoft server administration is aimed at monkeys, not trained professionals. (Disclaimer: This isn't to say there aren't talented Microsoft administrators out there, only a comment on the target market of the Windows point-and-shoot interface for servers)).

    Interesting to note, BTW, that Windows Professional and Server operating systems ship with RPC, Remote Registry Editing, Background Information Transfer Service (BITS), among other things enabled PER DEFAULT. Microsoft claims to be shifting their focus to security, but quite frankly, the default "Automatic" services list in Windows XP doesn't impress upon me a great feeling of security either.

    Remember too that Windows (both the 9x and NT trees) were designed to be single user platforms (the NT tree coming from OS/2 - a single user platform) with multi-user support kludged into place. Only recently is there some form of organization as to where users store their individual documents and settings, but the de facto software installation course sees users installing things throughout the root of the filesystem still, because that's the way it's always been.

    With a pretty basic set of hardening scripts (filesystem permissions, firewall rules, etc..) Linux can be made infinitely more secure than Windows, and I believe it will always be more secure if the administrators (behind both the Linux and Windows keyboards) are on the ball. Why? Because I believe OSS vulnerabilities will always be patched sooner, tested by a wider range of people, and applied sooner than the alternative closed-source Windows patches. Also, auditing a patch (diff) file is entirely do-able for one or two programmers in an afternoon - something that makes rapid mass-deployment of patches far more plausible, whereas in the Microsoft world the patch/update method is essentially "Test patch on several machines with similar configuration. If nothing breaks, apply it to the front-line servers."

    Morality and security wise, I think I'll stick it out with Linux and let the statisticians throw around all the numbers they want. I'm comfortable right where I am, thankyouverymuch.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  29. Trust no one! by Anonymous Coward · · Score: 1, Insightful

    Perhaps the question is not how many exploits are found in "my" or "your" os but what occurs after they are found. ie. turnaround time, transparency, propaganda et al... I would not trade the OS model for the most "angelic" vendor on earth 'cause they'd still be a vendor with their own interests ahead of mine.

    And to address the "ease of patching" debate, yes, MS make it easy to apply more closed source code or patches that the end user has no idea about apart from what MS tells them. Remember Windows Media Player... OTOH RH provides the CL utility autorpm that allows checksum verification and auto-follow-deps... Point it at your local FTP mirror sometime....!

  30. Damn spelling! by Anonymous Coward · · Score: 2, Insightful

    Look, some grammatically inclined Slashdot readers can be really picky about spelling and grammar in articles. Maybe it gets on your nerves or maybe you laugh it off.

    But "weather" instead of "whether" being posted? That is the kind of mistake an elementary school student would make. Okay, I'll be extra forgiving and say a junior high school student might make that mistake. That is really fucking pathetic nonetheless.

    You could change it now, but you won't. That is the *most* confusing part.

    I just can't pay for Slashdot when I can't feel like it is a professional product (meaning that you took the extra 4.5 minutes per day to actually look over the spelling of single-paragraph articles). You may think that's ridiculous, but I think the grammar here is ridiculous, so I guess we both have our opinions. I don't want your money though.

  31. Re:Seeing Bugtraq postings about Linux... by jandrese · · Score: 5, Insightful

    And sometimes only once, when the discoverer posts and then nothing from Microsoft. Heck, by this logic, the most secure system is the one where the vendor never ever acknowledges security problems, much less fixes them.

    --

    I read the internet for the articles.
  32. biased opinion. by Anonymous Coward · · Score: 1, Insightful

    "Linux, which is even newer than Windows and is not controlled by a single
    commercial entity, can be expected to have even more vulnerabilities than
    Windows. Hemmendinger commented, "I see a lot more stuff coming across
    BugTraq [about Linux] than any flavor of Unix or any Microsoft operating
    system."

    The guy who wrote this obviously didn't think that maybe more stuff goes through bugtraq for Linux because there are people actually working to resolve the issues immediately...instead of leaving the problem for 6 months or more to then release 1 big fix.
    I think the fact that it is not controlled by a single entity is much better because then no one is relying on that 1 single entity to resolve issues...which also strengthens the theory behind Open Source software. The software is open to find the bugs and vulnerabilities, and it's open to be resolved. People are grateful when someone points out a vulnerability or bug in linux or its software because teams can begin working on it immediately, whereas Microsoft would most likely see you in court for letting everyone know of any vulnerabilities or bugs.

  33. Re:Seeing Bugtraq postings about Linux... by GigsVT · · Score: 2, Insightful

    Also, for some reason a whole lot of "single site" or "very limited distribution" stuff gets on bugtraq.

    There are about 6 million php blog/message board packages out there, and 5.99 million of them are coded with no security in mind. I probably get 5 messages a week that are just some stupid SQL injection attack to fooPHPblogger 0.59 alpha.

    I'm sure that if you count all that stuff, Linux looks much worse off.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  34. Re:Security? by onion2k · · Score: 3, Insightful

    Most OSs can be made secure. Even windows. By a good sysadmin.

    Unfortunately this doesn't say much for your dad.

  35. The OS you know best will be the most secure. by doodleboy · · Score: 5, Insightful

    I've used UNIX and Linux for close to ten years, and by now I have a pretty good idea how to do things in a secure and functional way. I've only had to admin an NT box once, and I migrated services off of it as quickly as I could.

    Why? Not because I had any direct evidence of insecurity (this was before the real flood of NT vulnerabilities began), but because I knew I could do a better job with the tools I knew best.

    But also:

    - the NT machine tended to bluescreen every month or so for no apparent reason. The MCSE on staff was not overly troubled ("Oh I see the problem, it just needs a reboot"), but its flakiness did not fill me with confidence.

    - the MS tactic of bundling the kitchen sink with the OS is just asking for trouble. Linux's modularity means you don't have to have a graphics layer on the server, for example, or any other unnecessary frills that provide opportunities for crackers.

    - I believe the full-disclosure bug reporting model is orders of magnitude more responsive than what you get from proprietary vendors. Afaik, lots of reported linux bugs == lots of bugs get fixed because lots of people have access to the code.

    - really excellent security tools are freely available: iptables, xinetd, snort, tripwire, nessus, nmap, chroot, etc. An interested beginner could make a linux server very hard to break into. I know {NT,W2K,XP} has more wizards and stuff, but is it easier (or even possible) to really see and control what's happening with the OS?

  36. Several problems by mfos.org · · Score: 5, Insightful

    1) The author cited as fact that the age of the operating system is directly related to its security, without any kind of proof. This makes sense at first glance, but it ultimately glosses over the fact that both OSes are in constant development. New features are added every day. This might make sense if, after developing the system, all the time after that was spent patching and debugging, but this isn't the case.

    2) The author has no concept of service vs. system. Most vulnerabilities are in services, not at the kernel level. All Linux is just a kernel. Packages are added to make a usable Linux distro.

    3) The author cites number of bugtraq entries as a way of gauging relative security, without considering the severity. Also, bugs, like those reported to Security Focus, aren't the only vectors of compromise.

    4) Open source software, by virtue of being free, allows an administrator to install much more security software for his dollar. Firewalls, IDSes, advanced cryptographic file systems, HIDS, and virus scanners can all be downloaded for free.

  37. Re:Seeing Bugtraq postings about Linux... by Blkdeath · · Score: 3, Insightful
    > And sometimes only once, when the discoverer posts and then nothing from Microsoft.

    I seem to recall a big uproar about Microsoft deciding not to further their efforts to release e-mail vulnerability/patch announcements, opting instead to have users frequent their websites to view the contents of the announcements.

    I'm subscribed to just about every Security Focus mailing list that has anything to do with security, viruses, bugs, incidents, events, etc. and I really haven't even seen many (any?) "Visit this URL for details" posts from Microsoft. I'd have to say that they've gone quite mum in recent months.

    Of course, when you stop announcing your vulnerabilities in an open forum, then threaten legal action against anybody else who tries to do it for you, that open forum will slowly start to tilt towards the other guys. Sure, Linux/UNIX application vulnerabilities (don't forget that Apache, Sendmail, and BIND still run on FreeBSD et al!) are more popular on the list - but that's because people aren't ALLOWED to publicize Microsoft vulnerabilities!

    I know that recent MS EULAs forbid people from disclosing benchmarks relating to the ".NET" suite of applications without Microsoft's prior consent - is it feasible that they've buried something in there about vulnerability disclosure as well?

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  38. Windows vs. Linux security-wise by fudgefactor7 · · Score: 4, Insightful

    (Ok, so that subject isn't that great, sue me) ;)

    I submitted this same story on the 11th and was amazed that it wasn't posted as it's an important debate, not to mention one that is extremely volatile (which might be why it wasn't until now--get the Monday crowd, so to speak).

    At any rate, there have been tests done that disprove the OSS-is-more-secure model, basically stating that either style (OSS or Closed-Source) can be equally secure. We all know that. What I think is interesting is exactly how both camps go about the same thing (ie: security).

    The OSS people find a bug, the author of the affected application is notified (probably by hundreds of affected people, or by bugtraq, or something like that), and he/she fixes the bug, releases a patch or new version and the world is more or less happy. (Some apps might not work, but then that's not the problem of the author.) Time from bug to "fix": about 2 weeks (at most).

    Closed-Source people get a bug report, then they have to see where it is in the code, fix it (and here the similarities end) because there is (at least in the commercial business) a desire for backward compatibility and what MS likes to call "regression testing." Once that arduous process is done a patch is released. Time from bug to "fix": at least 2 weeks (unless you're lucky).

    Really, the only thing I see different is the time involved, both bugs get fixed, but OSS doesn't have to test it with previous releases--the author only has to make sure it works on a "vanilla" install; whereas someone like MS has to make sure that it doesn't break anything going as far back as, say, Windows 98. (Which is pretty far back in computer time.)

    I think the real way to describe it is that OSS is made secure faster than Closed-Source. Speed being the essence, that's the rub. If I want security I'd like it now, not later.

  39. With the exception of OpenBSD by flinxmeister · · Score: 5, Insightful

    Almost nothing is routinely secure "out of the box". And even OpenBSD has had its share of black eyes.

    It's not a question of "How secure is it"...it's a question of how securABLE it is. IIS is securable, so is Apache. The problem with IIS is that it's usable by the low end of the technical spectrum who don't know or don't take the time to secure it. People who use *nix/*nux and Apache are almost techies by definition. They generally have the attitude to secure their boxes.
    The irony is that with a flurry of points and clicks, IIS is easier to secure than Apache. However, nobody does it.

  40. Re:Flamebait indeed by jedidiah · · Score: 5, Insightful

    He knows well enough to be aware of what has actually been exploited. The article is in fact a "Fear mongering" piece. It presents only the information that the author wishes you to see. It is clear the author has an axe to grind against Linux in particular.

    The author ignores the common pedigree that Linux shares with Unix. The author ignores the underlying design issues that distinguish Unix versus Windows in theory and practice. The author plays a naive numbers game with the Bugtraq figures while conveniently ignoring the fact that Linux is more transparent.

    He also makes the absurd assertion that more vendors == less secure.

    If anything, competition and diversity should allow for vendors of varying quality and priorities.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  41. The real vulnerability by SatanicPuppy · · Score: 4, Insightful

    What everyone seems to be missing is the difference in scale between a windows exploit, and a linux exploit.

    Linux, if you hack a mail client you can send spam to people on YOUR mailing lists.

    Windows, if you hack a mail client you can send mail to people on THEIR mailing lists.

    Most times linux exploits get you the very lowest level of security access. Yea, you got in, but you hardly got root privileges out of it.

    Windows on the other hand, has several known and documented exploits that not only get you in, but get you admin privileges to go along with it.

    Linux is very protective of its hardware access (As anyone who's ever tried to run games will tell you. =P). Windows, on the other hand, goes out of its way to make hardware access easy and painless, both to the user and the abuser.

    Exploits exist for both systems. But which ones would you rather have to deal with?

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  42. Re:Nice spin on the article by archen · · Score: 3, Insightful

    > Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option?

    Simply put windows just doesn't have much functionality without a GUI, and many MS tools absolutely depend on it. Aside from that, strategically MS must focus on their GUI. Why? Look at the functionality of cmd.exe vs bash. When you take things to a CLI level, UNIX is far superior. And let's face it, many in the MS world are just afraid of the command prompt.

  43. The Admin is as good as the Documentation... by vrypan · · Score: 5, Insightful

    he has access to.

    My experience is that it is really hard to find *good* documentation for advanced topics in the Microsoft world. (especially when you need it). I guess that there are good books out there, but when I needed information I was not at the bookstore.

    On the other hand, Linux/Unix is very well documented. And when you hit the wall, you can always look around in the source code.

    Panayotis.

  44. a more secure windows by blurpy · · Score: 2, Insightful

    everybody has heard (and many agree) that any codebase will have x number of bugs (including vulnerabilities) per n lines of code. the more mature the codebase, the fewer bugs may remain, but they are still there. solaris has 'em, linux has 'em, even openbsd has 'em.

    no one should doubt the capability of microsoft's core programmers to create solid, robust and secure code. anyone who does, is not being serious.

    the problem arises because those same programmers must pack many things into a base os install. for example, to install windows and have it work means i must have the entire windowing system installed and operational. it also means that ie must be there. i have heard from a microsoft employee that if i remove the media player dll from a win2k box that the entire box will cease to function, though i have not confirmed this. i imagine there are others that could be added to this list.

    in the unix/linux world i have the option (though imperfect) of leaving out everything except the kernel, core libs, core services and the service / services i want the box to provide. all other code is not only turned off, it just isn't there. which means fewer lines of code, which means fewer vulnerabilities.

    last i checked, the majority of vulnerabilities for both win2k and linux came from various 'non-essential' programs, programs like the browser that i don't really need on a webserver. granted, there were quite a few for iis, but even its vulnerabilities come largely from additional, non-essential code that is automatically installed and required to be there, but for non-technical reasons.

    therefore, to make a more secure windows, that would conclusively compete with *nix in this arena, microsoft should release a version of windows that can be cut to the bare bones, something i could run headless, without a browser installed, without outlook express installed, etc.

    would microsoft business allow such a thing to happen? perhaps not, which means microsoft programmers will forever have the deck stacked steeply against them.

    it's too bad.

  45. I beg to differ by Jeppe+Salvesen · · Score: 3, Insightful

    In fact, pushing all the responsibility down on the user is a very bad way of securing anything. Most people care more about functionality than security. We as developers need to pay more attention to finding ways of implementing non-intrusive security. It may include more lines of code, but it will certainly pay off in how many of your users end up screwed by an exploit in YOUR app.

    I'm just waiting and hoping for automated code audit for security. That would possibly be the greatest contribution to computer security since encryption!

    --

    Stop the brainwash

  46. Quick Comments... by tqbf · · Score: 4, Insightful

    • The article lacks credibility. Security is a complex issue. There are very few organizations qualified to present it authoritatively. Who is NewsFactor? Who is Masha Zager? What is the "Informations Systems Security Association"?
    • Ignores the worm gene pool. Several of the Linux worms cited use the same (uncommon) vulnerabilities to gain access to computers. Putting a different payload on the same attack doesn't make the "different worms" uniquely different threats.
    • Newer != Insecure. SunOS is old, and insecure. djbdns is brand new, and very secure. Secure programming, and (more importantly) secure design, are new disciplines.
    • Linux != New. Linux is new in implementation, but evidences the classic Unix security model. The Unix model is flawed, but not impossible. Win32 has a "better" design, but does nothing to make that apparent (in the same sense as Darwin doesn't make apparent its microkernel design).
    • Bug Counting? Most Linux bugs are in packages. There are thousands of available packages, virtually all with published source code. Third-party QA teams at ISS and Network Associates can go make a list of 100 CGI programs, read bad source code for a week, and generate 15-20 new advisories. Very, very few of them will affect real, deployed systems.
    • Still More Bug Counting! Linux sees more bug reports. Linux has published source code. An independent QA person can spend a month looking for a remote attack on Win32, come up with one, and coast on it for a year --- that remote hole will probably affect 80% of all deployed systems. To get the same cred, you need to find tens of holes in popular Linux packages. It is both significantly easier and more useful (to the reporter) to find numerous Linux-related holes.
  47. Specious arguments by tuxlove · · Score: 2, Insightful

    I love it when people argue, as in this article, that Linux is less secure because more security holes are posted than Windows. There are two reasons why this is a specious argument. First, there is little doubt that the holes are there in Windows too. It's just that they don't get found as easily because of the closed-source nature of Windows. That doesn't mean the hackers don't know about them. I prefer *everybody* knowing, which is what tends to happen with open-source code. And, when Windows bugs are found, you certainly aren't going to see the bad sections of code posted to Bugtraq...

    Second, the holes in Linux are generally less problematic than the plethora of VB script and other bugs in Windows. When a bug is found in fetchmail, for example, it's a lot harder to exploit than VB script execution in Outlook. Also, a small percentage of Linux users actually run fetchmail, but LOTS of people run Outlook (not to mention all MS Office apps). So, on Linux, unless a bug is found in the OS itself or in some program that's intrinsic to Linux's operation, it's going to be hard for hackers to exploit. Since everyone on Windows uses IE, Office, and so on, there is a much higher payoff for hackers.

    It's sad how many so-called security experts are really just apologist shills for Micro$oft.

  48. Scripting by Anonymous Coward · · Score: 1, Insightful

    > VBA scripting makes Windows more insecure than anything I've ever seen

    Yes, and computers that can run programs written by users are also insecure.

    You can malign powerful features like scripting of MSOffice applications but not having that kind of easy application programmability available in *nix environments is not in my opinion a better thing.

    Truth is, unless your machine can only execute programs from ROM, your machine can be coerced to run something nasty. Why focus venom on scripting features just because they exist?

    Integrated Application scripting is a feature all application suites are marching toward (for good reason) so figure out how to secure them not how to remove them.

  49. Security in a box by huckamania · · Score: 2, Insightful

    Security comparisons of this box versus that box are a bit ridiculous. No box can handle all aspects of security on their own. DoS attacks can not be stopped at the box. Port probes if conducted over a long enough time frame are nearly undetectable. One compromised box can be used to compromise all boxes on a subnet.

    That's not to say that security is impossible, it's just that it is amorphous. It's as complex a problem as determining the weather or fighting multinational terrorists, simply because they change from day to day. To make matters worse, from the beginning of the internet any machine that is connected to the internet is a target for every hacker on the internet. Those are lousy odds.

    The most secure systems these days are protected in multiple layers and the number of companies that are producing multi-tiered security solutions are growing. Still, without redesigning the internet as a whole I don't see security getting better, just more complex, costly and necessary.

  50. It doesn't matter which one is more secure... by kakos · · Score: 3, Insightful

    ...because they are both insecure enough to be a hazard in a real world situation. If I want to run a secure box, I'll run a BSD (probably OpenBSD). One remote exploit in six years is a bit better than a new one every month (a trend both Linux and Windows seem to share). The only way to keep a Linux or Windows box secure is to patch it almost constantly. To be honest, that is a task that sysadmins don't want to be doing all the time. There are much more important things to be doing.

  51. Re:Clueless admins vs. byzantine systems and bad d by alexjohns · · Score: 2, Insightful
    This is the sig that doesn't end, it goes on and on my friend, some people started typing it, not knowing what it was...

    Malda's Law: All sigs end at 120 characters.

  52. Just hacked by Ektanoor · · Score: 2, Insightful

    Well, while people were discussing security here, at one of my jobs a Linux box was just hacked. Frankly, I am an anti-Windows. And please note that I have been more than 15 years in touch with this OS (since the first beta). So my anti-Windows feelings are deeply rooted inside my experience. It will be hard to change someone who dug into several Windows, looked at tons of code and worked in more than 15 jobs... Besides, I have a relative who managed to see who's BG from inside, so I have no sympathy for that guy.

    However, I had and have no doubts about the security of Linux. Because I know its level of security, I know it is much better than Windows, and I know that if an admin takes care of its boxes, then Linux is much more secure. But not impenetrable. People do hack it (I hacked it very frequently btw) and hack it deadly. And the worst is that a hacked Linux box can be 10 times deadlier to your network than a silly Windows machine. That's a trouble Linux has - it is too powerful for both sides. Besides, it is even more powerful when you go into combat. Fighting someone installing rootkits and changing every piece of soft in your machine is something. It is a spectacle that no Hollywood director would be able to describe. It also can be time-consuming, depressing and boring, like the hack I'm fighting now.

    To work on Linux one should take care of a few things: Absolutisms and maxima are dangerous here. If you came to see the gun then learn to shoot or someone shoots you. Forget all those books and "Hackers", enter the Matrix religion and learn from your experience. And most: If you can't stand up maybe you should choose something else, but don't go flaming because you feel not smart enough. It makes you look like a jerk.

  53. The only flaw in your procedure by ebuck · · Score: 2, Insightful

    Although I sympathize with you, I did notice a flaw in your installation procedure.

    At no time did you ever mention that you read the README file or attempted to get any installation documentation.

    I agree that many can replace their car's AC compressor without reading the instructions, especially if they have had some experience in auto mechanics, but many of these replacements will not have the lines bled or dried properly, and even fewer will include the 1/4 cup of oil needed on some compressors to prevent them from going bad next year.

    Experience can be a great asset, but it cannot generate knowledge on the fly.

  54. Programmer of 23 years vs administrator of 2 years by Skapare · · Score: 4, Insightful

    This is why we should not allow programmers to moonlight as system administrators. As a programmer, of course I expect you to never, ever, code up a buffer overflow exploit. But please leave system administration to professionals who know how to do the job. A system administrator of 2 years' experience or less (usually way less) could do this with ease and correctly.

    --
    now we need to go OSS in diesel cars

  55. A Recent Microsoft Bug - swept under the carpet? by Anonymous Coward · · Score: 2, Insightful


    How many bugs for Windows have been swept under the rug?

    It amazes me. Really. Authors bandy about Slapper and its variants as a new kind of Linux bogeyman (despite the existence of previous Unix and Linux worms) - proof that the argument for Linux, and perhaps even Unix, security is falling apart. Yet there is no talk of actual numbers in the wild. No talk about how long the actual window of vulnerability from discovery to patch existed.

    Meanwhile... my organization's main VPN service (running a Microsoft PPTP server... unfortunately) has been vulnerable to a DoS, and possibly a remote compromise, since at LEAST Sep 26. Exploit code that demonstrates this vulnerability was released shortly after (I believe Oct 1). Yet there has yet to be any word from Microsoft acknowledging the issue, much less any forthcoming fix/patch.

    Microsoft PPTP servers - Win2k, WinXP, AND WinNT 4.0 sp6a (I have personally tested Win2K and WinNT variants) are all susceptible to this exploit as demonstrated by this code - and have been for over 2 weeks.

    Sure. Sticking a Sun box, or Linux, or even OpenBSD in your server room doesn't give you instant security. Unix is not a fire-and-forget solution. But these folks have been in the trenches, successfully dealing with the technical issues of security for the last couple decades.

    Microsoft still seems to see security as a marketing problem.

  56. Re:Nice spin on the article by Blkdeath · · Score: 3, Insightful
    Um... so they total up to it, but I thought every service pack contained all the fixes in the previous ones, so it doesn't really make sense to add them up.
    Assuming a business has existing Win2k installations, they would have had to apply each of them as they were released in order to be up-to-date. The only people who don't have to worry about all of them are new installations, in which case they would only need to apply SP3 (if it works for them - I've heard a number of horror stories).
    Not to mention it's a service pack for several Windows 2000 versions (though similar, I'm pretty sure a Win 2k Pro only would be smaller).
    Regardless, the codebases are doubtless very similar (just different branches for the additional functionality offered in each version). Enterprises would still download the entire service pack to apply it to each of their machines rather than performing the "express install", which is only "express" for one or two Win2k machines. When you have a dozen servers and three hundred workstations, one 100MB download is preferable.
    Anyone have any numbers on how much a No-SP Win2k install really needs to be up to date (express download)?
    I remember when I installed a vanilla Win2k Pro not too long ago, it took (using the express download from windowsupdate.microsoft.com) somewhere to the tune of 150MB or thereabouts to get the OS up to date (including IE 6, Windows Media Player 7.1, all service packs, security roll-ups, and security/component updates released after the roll-up).
    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.