Windows vs Linux On Security

e8johan writes "NewsFactor is running an article asking whether Linux really is more secure that Windows. I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."

Security depends on many things.

[Anonymous+MadCoe]

Which is more secure is such a hard question. UN*X is structurally more secure in many people's opinions. Windows also has the disadvantage that it has many clueless admins (even the certified ones). I think that's a big part here, any OS is as secure as the admin, a well managed Windows box can be more secure than a badly run Linux box... A propper comparison will be much more complicatec than this article.

Re:Security depends on many things.

I know a couple MCSE guys that are "security experts". They think hackers use programs called "script kitties" to break into machines.

Meow!

Re:Security depends on many things.

[monadicIO]

In circumstances like these, I think the best metric would be to use averages. An average windows box is less likely to be well managed given the profile of an average windows user (not to say (s)he is less smart, just less of an OS/security geek). Add to this the bundling of dangerous products like VB-script enabled utilities, and the winbox (even corporate-admin managed) is a disaster waiting to happen. On the other hand, a *nix user is mostly a more sophisticated user with a little more understanding of security. I don't think it is possible to have a really completely fair and proper comparison of the two systems unless you only ask persons who use/admin both systems.

Re:Security depends on many things.

[Ed+Avis]

'Structurally more secure'? What, with a single root account and no ACLs or capabilities?

NT by *design* is much more secure than Unix, it's just the implementation and the apps (IIS, IE, Outlook, Office) which are royally screwed up.

Re:Security depends on many things.

[monadicIO]

Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?

Re:Security depends on many things.

[tres]

With a properly designed and implemented system of groups, there's no need for ACLs.

Using SUDO beats giving ON or OFF Administrator privs to multiple people.

I'd say that gives UNIX a much finer granularity of control than NT.

NT 5 is catching-up with the "run as" command, but it's really only good for point-and-click administration.

more control == better security

Re:Security depends on many things.

[haruchai]

There are kernel patches for ACLs for Linux filesystems, http://acl.bestbits.at/ and other
Unixes also have it built-in. Solaris has had this for years.

Re:Security depends on many things.

[1010011010]

You're right. NT, like its VMS predecessor, is more secure by design. It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine. Unix apps are written with the understanding that there are any number of users, none of which are root.

Re:Security depends on many things.

If the old UNIX permissions bits are so much better than ACLs, why did Solaris and all the other commercial UNIXes switch to ACLs years ago?

The suggestion that the old UNIX method gives more finely-grained control than ACLs is perplexing. The ACLs on NT and Solaris, for example, can perfectly simulate old UNIX permissions bits for software that uses them (both are certified as UNIX by The Open Group), but old UNIX permissions bits couldn't possibly simulate the typical permutations of ACLs used on, for example, NT systems.

The big drawback of ACLs is they're so much more powerful and complex that they're often confusing and often overkill for simple systems (e.g. cases where Linux is commonly used).

Re:Security depends on many things.

[SerpentMage]

While that may be true, I think that is also what makes it more insecure. I have seen tons of documentation for programmers how to manage security. This means a programmer REALLY needs to know their stuff. In other words most programmers will not know their stuff. And as a result the apps are insecure. But the cause of the insecurity is not the app, but the OS because it is SO DAMM DIFFICULT.

While UNIX security may be simpler, it did not take me a huge effort to understand.

I use Windows and LINUX daily. My notebook is usually running XP and I have to say they screwed up security royally. The easy to use guides like "make available to shared users" actually opens your machine royally. The not shared locks everything done. But there is no middle. I had to go back to traditional NT security to twiddle how I wanted things.

Here is why I am gripping. I have a home network. And on this home network typically it is my wife and I. But sometimes I have friends come by with their notebooks. So they hook into my network. At that point I want per user security. Try to do that with the new "easy" to use XP security...

It all boils down to the same thing. NT has better security, but it is so DARN difficult that managing it effectivily is impossible.

Re:Security depends on many things.

[kbielefe]

Once they gain control of a system, do they use it to launch a DOG attack?

Re:Security depends on many things.

[PurpleFloyd]

You're kidding, right? While SUDO may provide a finer granularity of control than granting admin privliges to a lot of people, ACLs are another way to increase the granularity of control.

Say you want Joe from accounting to be able to access only a certain few files owned by the Engineering working group, for whatever reason. With ACLs, you could select specific files, and say that Joe has access to them. Without, you would have to either deny Joe access, give him total access to all Engineering files, or make copies for him.

As you said, more control means better security. If you implement both ACLs and a SUDO-style "run as this user" system, you have more control than with either one. How is this not a good thing?

Re:Security depends on many things.

[secolactico]

Clueless admin are everywhere. With the advent of easy to install Linux distros (redhat, mandrake) there are people that simply do the default server install and that's it! Never mind shutting down insecure services or keeping up to date with security updates.

I've personally met a couple of these admins, who belive that locking down a box means simply install tcp wrappers for the telnet daemon. Makes me wonder if the even know about ssh.

Re:Security depends on many things.

[Asprin]

Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?

Amen, I wish I had a mod point to give. Along similar lines, didn't CDC claim that BackOrifice uses the same standard API calls as MS's own SMS to provide remote access? On second thought, maybe and maybe not.

Either way, it seems to me that most of MS's security problems have less to do with the OS not doing it's job and more to do with the fact that MS has designed every one of their products to encapsulate (arbitrary) code inside their data files so their developers have easier ways to hammer out apps.

The problem is that the same scripting engine that lets Word (usefully) puke out mailmerged documents generated from a VB/Access app also gives virus authors a platform to attack. The fact that it's useful to combine code with data just means the platform is now ubiquitous, and therefore not going away because this is a fundamental design issue, folks. MS did this on purpose to make it easier to get computers to run code, and it can't be fixed by patching holes.

To really fix this, MS would have to renounce this entire experiment and replace every copy of Win/Office/IE with new software that is less 'capable.' Those of you who are paying attention probably now understand Mr. Valentine's comments of a few weeks ago, as well as Microsoft's interest in shoving Palladium down everyone's throats.

Re:Security depends on many things.

[Ed+Avis]

The OS can compartmentalize resources so that if one app makes an illegal memory access, it doesn't crash the machine. The OS can limit access so that if one server is compromised, it can only screw up its own files and not the others on the box. NT does both these things (the latter with the ability to run a server as a particular user). However, no OS can do anything about deliberately stupid applications which choose to execute scripts stored in documents, for example.

Well, I suppose it would be possible to run Outlook under its own user account or with a reduced set of permissions, so that it could access only its own mail spool and not the rest of the user's files. But that would really get in the way of typical usage. Perhaps if there were some way to allow small extensions of permissions a la Java ('Outlook is trying to save a file c:\foo.doc. Do you wish to allow this?' and press Yes if it's something you asked for, No if it looks like a worm doing something nasty). But AFAIK no desktop OS has ever done anything like this; all desktop apps run with the uid of the current user and have full access to his files.

When developers make moronic decisions like auto-executing scripts in documents, it is not fair to blame the operating system. It is not so much Windows as the crap which festers around it (albeit coming from the same company). You don't hear about too many exploits in the Windows FTP server program (although surely there are some). Why not? Because FTP is a standard protocol and Microsoft haven't been able to set their monkeys loose on it and add insecure extensions.

Re:Security depends on many things.

[0x0d0a]

The problem is that there are a couple of issues:

** Out of box:
Linux: used to suck hard here. Traditionally, ran lots of services. You were supposed to know what you were doing and close what you didn't want. Now, unacceptable for new users. RH 5.2 shipped with tons of services, which people found holes in quickly. RH 8.0 ships with far less running.
Windows: Fewer services than old Linux, but too many things running as "root" like IIS. A ridiculous amount of holes in IIS compared to Apache. XP is supposed to have (finally) proper permissions out of box.

** Granularity:
Linux: normal UNIX stuff. Getting ACLs. Not very granular at all. You have the framework to hack up just about anything you want with sudo and scripts, but it isn't there out of box, and it isn't standardized.
Windows: Nice. You can say "sally and bob can read this file, and mary can only write to it but not read it." ACLs may not be fast or easy to examine for mistakes, but they're powerful and easy to use.

** Easy of screwing up:
Linux: UNIX is pretty easy to examine for irregularities, suid binaries, etc.
Windows: Just like VMS, it's a *bitch* to know if you have some series of permission errors that screw you over somewhere.

Re:Security depends on many things.

[PurpleFloyd]

My point is that ACLs can do the same thing more efficiently and flexibly than creating specialized users and groups. While it is possible to work the POSIX 4-octal-digit permission system into something workable for almost any situation, you will eventually be pounding a round peg into a hole that's looking more and more like a square.

While a full ACL system may not have been practical when the UNIX security model was first laid out, modern systems can handle ACLs with ease. For me, this is one major area where GNU/Linux really lags behind the competition (Solaris, WinNT). Quite simply, until the standard (unpatched!) Linux kernel comes with ACL support, and distributions include the userspace tools to manage them as standard, Linux won't be as modern an OS as many others.

Re:Security depends on many things.

[Karellen]

Compared to ACLs, the UNIX model of a single administrator with r00t access, and `everyone else', is simple. Very simple. The `setuid on execute' (with root as owner) for small, auditable programs (such as `passwd' and `su') that do simple things to allow people to do things requiring root capabilities (write passwd file, change to another user (including root)) couldn't be made more simple and straightforward unless you tried _really_, _really_ hard.

And some competent sysadmins still get it wrong on occasion. It's rare, but they can.

Stopping determined attackers cracking your system is hard, even if you have all the latest patches. The more complex your system gets, the more chances are that you'll miss something.

The complexity of ACLs? I've seen the API docs(*) for them. That's just nasty. It's _too_ complex IMO for an admin (even a good one) be certain of getting it right all the time. I'll take the simplicity of the UNIX way. I'm more confident of getting it right.

K.

*(Well, I've seen the MS ACL API docs, but MS have a habit of creating really shitty APIs, so there may be a better way)

Re:Security depends on many things.

[rutledjw]

I think MS VP What's-His-Name would disagree with you.

You remember that story, don't you? Or were you hibernating?

Re:Security depends on many things.

[rosie_bhjp]

I think the kind of functionality you may be looking for is obtainable with systrace
Or check out Niels Provos' page

Re:Security depends on many things.

[Ed+Avis]

Yup, I'm thinking of something a bit like systrace. But with a nicer interface.

Imagine a GUI library with 'save' and 'load' mechanisms. (Preferably, ones like those in ROX, which is the only intuitive and non-ugly way to load or save files; but I digress.) The loading and saving user interface is actually provided by a separate process, which will grant the application read or write access to the file chosen, and only that file.

In this way a lot of scripting holes could be avoided, and also nastiness with malware which sends data back to HQ or saves files in silly locations. But it's debatable whether this kind of setup is useful other than for paranoia value, since it's a much better answer to just not have executable code embedded in documents (or if it is, sandbox it in the application) and not run software for which you don't have source code.

Re:Security depends on many things.

[rutledjw]

Fair enough, execs as a group don't have a very good track record for honesty and ethics these days...

Re:Security depends on many things.

[electroniceric]

Well, I think you hit the nail on the head with this:

It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine.

AFAICT, in terms of usability there is a profound unsolved problem here, which is twofold.

One is that many (most?) end users just want to do stuff on their computer, and as such they _sometimes_ need to be the administrator, without really understanding permissions or security. Remember Steve Gibson's rant about how XP by default has raw socket access for all users (b/c they are root). Microsoft has opted to make them administrators all the time to avoid explanation to a million disinterested and disgruntled XP users why they can't install the educational software their kids brought home from school.

A second, deeper problem affects both *nix and windows. The most serious threat in a compromised system is the loss of data, most of which lives in userland. But at least as far as I understand there's no clear way to determine what code and data to accept. Convenience dictates that stuff from outside the machine will need to find a home on your machine, while security dictates that it should at best be data only, and no code. As we move into a more networked world, this balance needs to be reexamined and retooled over and over. But I don't see *nix making great strides in that area, frankly.

Re:Security depends on many things.

[_Sprocket_]

Do not -- ever -- bring up BackOrifice in a discussion about security. BackOrifice has nothing to do with system security, since it only works if it has the proper system privileges.

Hold your horses. If BO/BO2k is able to do something unexpected, then it does highlight problems with the system's design. Granted - BO was more about exposing security issues than BO2k. BO displayed just how insecure Win9x is. BO2k was more a remote control utility than security demonstration.

Article Summary

[Sabalon]

Security problems exists - it may or may not be worse in Linux than windows...keep your systems updated regardless.

C'mon...this was nothing but flamebait - nothing news worthy there at all.

About the only telling thing is the top line about MS turning towards spending $$$ towards security - perhaps that includes buying blurbs like this saying Linux ain't perfect either.

Seeing Bugtraq postings about Linux...

From the article:

Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

This is probably true, but only because for Linux, every security vulnerability gets posted multiple times, once for each vendor that has released updated packages, plus once by the vulnerability discoverer (so you get one by the discoverer, and one by redhat, debian, mandrake, suse, turbolinux, grandmasfavouritedistro, etc).

In contrast, with Windows, you only see a posting related to a single vulnerability twice - once by the discoverer and once by Microsoft.

It appears to me if you count each vulnerability only once, there have been more Windows-related than Linux-related.

Re:Seeing Bugtraq postings about Linux...

[jandrese]

And sometimes only once, when the discoverer posts and then nothing from Microsoft. Heck, by this logic, the most secure system is the one where the vendor never ever acknowledges security problems, much less fixes them.

Re:Seeing Bugtraq postings about Linux...

[GigsVT]

Also, for some reason a whole lot of "single site" or "very limited distribution" stuff gets on bugtraq.

There are about 6 million php blog/message board packages out there, and 5.99 million of them are coded with no security in mind. I probably get 5 messages a week that are just some stupid SQL injection attack to fooPHPblogger 0.59 alpha.

I'm sure that if you count all that stuff, Linux looks much worse off.

Re:Seeing Bugtraq postings about Linux...

[Blkdeath]

And sometimes only once, when the discoverer posts and then nothing from Microsoft.

I seem to recall a big uproar about Microsoft deciding not to further their efforts to release e-mail vulnerability/patch announcements, opting instead to have users frequent their websites to view the contents of the announcements.

I'm subscribed to just about every Security Focus mailing list that has anything to do with security, viruses, bugs, incidents, events, etc. and I really haven't even seen many (any?) "Visit this URL for details" posts from Microsoft. I'd have to say that they've gone quite mum in recent months.

Of course, when you stop announcing your vulnerabilities in an open forum, then threaten legal action against anybody else who tries to do it for you, that open forum will slowly start to tilt towards the other guys. Sure, Linux/UNIX application vulnerabilities (don't forget that Apache, Sendmail, and BIND still run on FreeBSD et al!) are more popular on the list - but that's because people aren't ALLOWED to publicize Microsoft vulnerabilities!

I know that recent MS EULAs forbid people from disclosing benchmarks relating to the ".NET" suite of applications without Microsoft's prior consent - is it feasible that they've buried something in there about vulnerability disclosure as well?

Geez

[Hayzeus]

I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting

These aren't exactly a part of the operating system, though, are they? Any poorly set up system will be vulnerable. I'm no huge fan of MS's bloated products and crappy license arrangements, but I mean, really...

Re:Geez

[javahacker]

Really, I think you miss the point. Most computers sold with Windows are also distributed with Office, and Outlook or Outlook Express. These are the biggest security risks on a Windows system. Sure, those things don't normally come on servers (although IIS does, big trouble), but most Windows installs are desktops, and are very vulnerable to email attacks. Most Windows systems are poorly set up, because they default to poor settings, which is part of the problem.

Very likely the security reports mentioned about Linux also included any that were present on the applications that came with Linux, so how can you exclude security problems with pre-installed Microsoft applications. You can't have it both ways.

Re:Geez

[Hayzeus]

Very likely the security reports mentioned about Linux also included any that were present on the applications that came with Linux, so how can you exclude security problems with pre-installed Microsoft applications. You can't have it both ways.

I'm not trying to have it both ways. I would no more include past problems with Bind, Apache or WU-FTPD when evaluating Linux security than I would MS-Office when discussing Windows security. Nowhere have I said that I feel windows is particularly more or less secure than Linux -- In fact, using BugTraq reports as a basis for comparison is a fairly clueless means of comparing OSs for relative security. Not to put too fine a a point on it, but comparing "Linux" to "Windows" is itself a meaningless exercise, since the two are not equivalent in any sense.

The bottom line is that (as mentioned elsewhere) the weakest link in any system from a security standpoint is the operator of the system, period. If you want to make any kind of meaningful comparison, compare Windows against a particular distibution of Linux with an emphasis on securability. How easy is it to secure the system? How effective are the means provided? Then you might have a study worth reading.

Re:Geez

[jedidiah]

They are bundled with the OS to make it effectively so. This is further enhanced by the fact that any competitors have been run out of the market for the most part. For a client installation, the comment is perfectly reasonable.

You're the one that needs to get back in touch with reality.

Re:Geez

[jedidiah]

What part of KDE or GNOME is in the habit of executing untrusted binaries from random sources on other networks?

Re:Geez

[jedidiah]

This notion of blaming the user is simply bullsh*t. An OS should act with a modicum of sense as it is configured out of the box. The default configuration SHOULD be sensible. If you expect idiots and hackers to use your box, you should architect accordingly.

Unix makes these assumptions and works within them, Windows does not. Windows works under notions of "least effort required" and "sacrifice everything for convenience".

Design matters. Construction of the default distribution matters. Both matter much more than the end user.

And end user should need to work at making a default OS distribution insecure. It should not be the other way around.

Re:Geez

[Lussarn]

No one in their right mind would install a fully featured webbrowser on a server either.

Re:Geez

[jedidiah]

Such comments are trivially true of any system and as such are completely meaningless.

The elements of WinDOS that you bring up aren't the really problematic ones.

A suitable exploit should not be difficult for someone that is motivated (by malice or community interest) to construct.

However, I tend to use my personal experiences with other "marginal" operating systems as a guide. If there are exploits, they will be taken advantage of. Marketshare is meaningless. Such exploits will occur and expose the security problems in question.

The "disinterest" argument is an absurd fallacy.

Re:Geez

[jedidiah]

>>Okay.. but as far as operating systems with the
>> browser built in, KDE and Gnome are just as
>> bad as Windows

"just as bad as Windows" == automatically executes random untrusted binaries

Re:Geez

[jedidiah]

Also, an apache hole is also potentially a WinDOS hole, HP/UX hole or Solaris hole. Many of the applications associated with Linux aren't merely run on Linux. Some even get run under Windows.

Re:Geez

[jedidiah]

Your still WRONG.

There are platforms that have had less marketshare than Evolution that had plenty of virii and such. Also, Evolution is likely installed in many places that it is not even used(much like Outhouse). If an application like Evolution is "reputed" to be is even installed, it's a security issue.

Either your memory is growing dim, or you've just not been around long enough to know better.

weather Linux

[Nighttime]

Is this a new Linux distro I haven't heard about? Is it Debian-based like Storm Linux was?

There's three kinds of lies...

[Jack+Wagner]

Lies, damned lies and statistics.

Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

Actually this is yet more hardcore evidence that the FSF and open source proponents need to shift to a more modern Extreme Programming model of development and away from their legacy "hacker working alone in a basement" methodologies. I've done this using a modified P2P client for real-time distribution of code amongst a team of 3 other coders over high bandwidth connections and it works out very nicely-even though we were all in different states at the time. It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

This hits at the very heart of the Achilles heel of open source as it tends to be rather unprofessional and willy-nilly in it's approach to development and project management which was fine back in the early 90's but suffers from severe limitations in todays modern and complex software development paradigm. Sure they make more secure software becasue it's easy to make an Xterm secure and not so easy to make an giant enterprise ERP package secure. Lets see these "experts" comapare apples to apples sometime.

Re:There's three kinds of lies...

[dabadab]

Nice troll, modded highly.
I highly doubt your statements and evenso more that extreme programming would do any good to an open source project.
And don't even get me started on how complex projects were realized in the "early 90s" (and even earlier) that managed to be successfull without extreme programming.
Sure, XP does have its place and it may work under certain conditions - but for a project where the developers are far away, do not know each other personally and don't have the spare time to work on the project at the exactly same time - it would do much more harm than good.
(And finally I could cite Joel on extreme programming, but I don't because I suspect that you fully know that XP is not the holy grail of programming methodologies)

Re:There's three kinds of lies...

[bLanark]

It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

How interesting. Got anything to back it up?

Re:There's three kinds of lies...

[MuValas]

Jack Wagner writes:
It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

Really? Have any links to real studies to point this out? Did you get the information from a friend of a friend, too?

Sorry, my experience does not agree with you. A great team of four can *maybe* be faster than four on their own, but certainly not 10x the speed.

Extreme Programming has some interesting points, some of which I have taken to heart, but in general its just a way to sell books and consulting services. I was consulting for Chrysler while Kent Beck (the "father" of extreme programming) was working on the C3 project (the foundational project for extreme programming), and the project was not exactly the success story its made to be.

Like I said, some good ideas, but it isn't worth the religious status people have given it.

Re:There's three kinds of lies...

[rseuhs]

IIS runs less than 25% of webservers, Apache about 2/3.

But, IIS has the far, far worse security track record.

Re:Nice spin on the article

[N3WBI3]

Beyond this. The article refers to slapper, and the like. Many of which will not hinder a Linux system of your average user. How many people run apache with openssl on their system really? and of those people how many do not keep the revs up to date.

My home box has Apache, but no ssl I really dont need secure transactions that much, if I did I would keep it up to date just like everything esle I use. Now lets look at Nimda, what % of people on windows use outlook/outlook express, and of these how many would not keep their system up to date.

Point is one is a server deamon exploit (used by a very small % of linux servers (say 10-20% tops), and one is a mail client exploit used by a mojority of windows users (so there will be many oure out of date versions per capita)

Bug Counting Again...

[theBraindonor]

Yet again, we find an article that points to the significant number of Linux bugs going through BugTrack. The turn-around time for the patch in Linux is usually quite fast. Commercial software makers are starting to sue individuals for disclosing security vulnerabilities.

How many bugs for Windows have been swept under the rug? How many software vendors out there have patch security holes, and requested that their customers download the latest 'maintenance' patch?

Just ask some of the truly gifted individuals in security what they think of security through obfuscation.

Flaw in argument?

[ebuck]

It seems that Hemmendinger argues that the newer the software, the higher the likelyhood of bugs. While that argument sounds valid, it would only hold up under the following conditions.

1. Both platforms stem from an equal amount of design history.

2. Both platforms use technology of comparable complexity.

3. Both platforms refused to make concessions in software integrity to deliver their products.

4. Both platforms actively avoid known pitfalls in thier chosen architecture.

5. Both platforms remove flaws at approximately the same rate.

None of these conditions (and I'm sure there are more) exist in the comparison of Linux to Windows making the "age" argument a very weak one.

Re:I trust Linux's security implicitly

[Charlton+Heston]

I doubt the veracity of your story. The NSA has worked on a secure Linux distribution. The big laboratories were also pioneers on the Internet. They've had a lot of experience with that type of software development and your rubber stamp story doesn't fit in with that.

Depends on administrator

[hatchet]

I think that most of linux's security risks are there because of administrators. They should only run services and modules that are essential, but nothing else.
Administrators should have physical access to machine, so they can disable anykind of remote shell access. Do not run ftpd as root.. and so on. I think that would minimize security risks.

Re:I trust Linux's security implicitly

[netphilter]

"Linux is not being considered until the development model is safe."
Translated this reads: "I only know Windows so stop threatening me, for job security reasons we can't use Linux." Anyone that claims that the development model is unsafe is showing their fundamental misunderstanding of said development model. That would be the same as saying that the pharmaceutic industrie's development model is unsafe. It's essentially the same model. OSS allows for peer review, which ALWAYS makes more secure software. Look at crypto algorithms for another example.

how does newer == less secure?

[kubla2000]

from the article:

Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.

um, I don't get it. How does newer == "less secure" in this scenario? Sure, the older and os the more time it's had for the kinks to be worked out of it. But doesn't method have something to do with it also? Linux is developed in an open and peer-reviewed environment. It's maturing much faster than windows. There's no reason to compare the two in the way the author's done. Faulty thinking on his part.

What's also got to be factored in is the severity of the bug. A buffer-overflow that lets a cracker rm / is serious. A buffer-overflow that lets code run with the perms of the user owning the service in a chrooted directory is also serious, but much less so.

The author also babbles about the volume of security-related issues on BugTraq... I'm not the first and I won't be the last to point out the rather obvious logical flaw here. If Bugs are getting reported and being quashed then they don't pose a threat any more. If the bugs aren't reported because a certain company based in Redmond Washington won't allow them to be reported... well, it's kinda obvious from there.

That said, it is indeed encouraging to see more and more people concerned about security. I think the message is slowly being driven home.

Re: how does newer == less secure?

[Black+Parrot]

> Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.

> um, I don't get it. How does newer == "less secure" in this scenario?

Also, in what sense is Linux "newer" than any currently supported manifestation of Windows?

It's not the OS

[m00nun1t]

Just about every major worm, linux or windows, has used an exploit that's been patched for a few months or more. The admin is a far weaker link than the OS.

Stating the obvious, I know, but whoever posted this flamebait article didn't think so.

On another topic, the moves MS are making with their auto-update tools should put an interesting light on the security landscape. The previews of .NET server look pretty good in this area.

Re:It's not the OS

[rosewood]

The problem with auto update is when they roll some EULA or a "feature" you dont want -- but too bad, it was auto installed.

apt get and up2date and Red Carpet all do a very good job of keeping Linux boxen bug free

What timing!

[Pedrito]

Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers. The only security problem found was with the version of wu-ftpd that I'm running.

No problem, I thought, I'll just upgrade it. So, my first step was to download it from wu-ftp's ftp site, only to realize I was going to have to figure out how to build it (that was simple, except I kept getting two or three errors in the compilation. I'm assuming my gcc is out of date) and then how to install and replace all the existing stuff (I have no idea how, and I don't have time to learn it).

So, I figure I'll go to RedHat, download the RPM and just install that. Which I do. Ran RPM to install it, no messages, try to FTP in, still running the old version. Shut-down and re-start, same thing.

Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

There's nothing I'd like more than to see Linux replace Windows on every desktop. When Linux is ready. Frankly, I don't think it is, and I think it's still got a long way to go. Sorry.

Re:What timing!

[tom.allender]

up2date?

Re: What timing!

[Black+Parrot]

> Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers.

That's nothing - complete strangers do security scans on all my boxes every night!

Re:What timing!

[smnolde]

You need FreeBSD to get you out of RPM hell. It takes far less effort to upgrade software on FreeBSD than it does with any RPM-based lunix distro.

Getting out of RPM hell was the main reason I chose FreeBSD over lunix.

Re:What timing!

[CrosseyedPainless]

Regardless of how many years of programming experience you have, some of the things you say indicate that you're just not ready to be a server admin.

(I have no idea how, and I don't have time to learn it).
Shut-down and re-start, same thing.

If I had to guess, I'd say you have a lot of Windows experience, and you just assumed your skills would transfer.

Bottom line: if you can't set up an FTP server, you probably shouldn't be running an FTP server. I know, Windows would let you set up anything you want, quickly and easily, whether you understood what you were doing or not, but that's part of the problem.

Re:What timing!

[Pedrito]

Look, plenty of you have chastised me with your excellent experience in how to do something that I'm sure, for someone who uses Linux all the time, it's simple. The fact is, I don't use Linux every day. I set it up as my gateway not because it was easy but because I trust it more than I trust Windows as a gateway.

To the person that commented that I shouldn't be a system admin, you're right, I shouldn't be and I don't want to be. I'm a programmer.

I managed to get the machine set up, get it configured to run Squid, SSH, and wu-ftpd. I even got IPTABLES up and running (somehow, God, I can barely figure out how to do anything with IPTABLES).

You're absolutely right, I don't want to be a system admin. I don't want to be an FTP server admin. But to be able to update a piece of software should be simple and straight forward. I can upgrade almost any piece of Windows software easier than I can in Linux. That's just a fact. You run the setup or install program, and poof, it's there.

My point is, until Linux can do that, Mom and Pop aren't going to be using it. I don't care how secure it is.

I don't have time to learn how to be a Linux system admin, and frankly, I shouldn't have to to upgrade a single software package. I have a full-time+ job as a Windows developer that pays my bills.

Re:What timing!

[Cytlid]

Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

Ok, I was getting ready to flame you for this... but after reading all the other replies, I thought not. I think the biggest problem people have, either on the Windows or Linux side, is living in a paradigm. Like it or not, you're most likely living in a Windows paradigm. You like the way it works, it's "easy" for you, you program in it. You promote and spread the Windows paradigm. The Linux Paradigm doesn't fit you all to well... I'm probably the opposite. Yea, I've been using Windows for years, and I'm used to it, but I honestly think I fit better into the Linux paradigm. (Read: if I were adminning a Linux server, trust it better than if I were adminning a Windows server.) I *know* I should hone my skills in Windows administration, but without really good (free, available) documentation... it's not possible unless I spend all kinds of money. Only thing I can hope for is to pick up tips from people I know are Windows Admin gurus. I think this whole debate is a matter of realizing where you stand. The people who see clearly in both paradigms will be the ones ultimately winning.

Re:What timing!

[Deagol]

Ditch wu-ftpd. For minimal setups, use proftpd, and for more comlex needs, use pureftpd. Search freshmeat for both packages. Use iptables and wrappers accordingly, too. And if you're industrious, throw in a chroot config and use the grsecurity pacthes to thwart the majority of buffer/stack/overrun/etc. attacks.

Security is like an ogre -- it has layers! And updating your RPM/package is only the first, most minimal, layer.

I still wouldn't use wu-ftpd if my paycheck depended on it. :) Just my opinion, of course.

Re:What timing!

[messiertom]

Dude, you're getting Mandrake!

RedHat is the real RPM hell. Mandrake is RPM heaven. I don't know about any of the other RPM distros, though.

With Mandrake, it's easy:

urpmi wuftpd

It will ask me if it's ok to download all of the other dependencies, so I enter "Y", and voila.. it downloads and installs them (assuming that your urpmi source lists are synched properly - it's not a bad idea to have a cron job to do 'urpmi.update -a' at 3 AM or so)

Debian's apt is very nice as well, but Debian's not right for everyone (in actuality, no distro or even OS is right for everyone, despite what FUD-flinging says). If you use Mandrake though, you can still fall back to the old rpm -ivh and install non-official packages (there are a lot of rpms out there, especially on SF)

Re:What timing!

[Random+Walk]

Have installed FreeBSD. Downloaded the ports tree. Tried to install the first port. Error message: out of free inodes. (Fixed it by deleting major parts of the ports tree).
FreeBSDs ports system takes a huge amount of disk space, and takes away countless inodes which apparently are a scarce resource in FreeBSDs filesystem.

On the other hand, my Debian installation is rock-solid, was the only Linux distro that figured out the X server configuration properly, and software upgrades are as simple as 'apt-get install xyz' ...

Re:What timing!

[Shelled]

So? In contrast, from an xterm in Gentoo I typed 'emerge pure-ftpd' and had a stock ftp server up in five minutes with no other intervention. Your experience is an example of failure of one implementation of a third party app in one distribution using one type of package manager. It's a RedHat failure, not a Linux failure. My Windows TV card software won't play full screen, something XAWTV does handily in Linux. Is this a Windows failure?

Incidentally, it sounds like wu-ftp installed twice and your start script/command is still pointed to the old version. Running rpm with the query switch will tell you where the new version was installed.

Re:What timing!

[ibennetch]

Show me an out of the box windows OS with an ftp server in it

windows 2000 advanced server. I've got it running because I'm doing some development work on the side and they want me to have the same OS as the servers have. I'm not a windows admin by nature but know my way around a server pretty well. the windows FTP service starts by default; as well as http, nntp, smtp, and probably many others I don't know about - the point being that yes, windows does start BY DEFAULT with all these services running. Granted, it is a server OS but still; not the most secure way of doing things...

Re:What timing!

[Pedrito]

My argument was never towards the stability or security of Windows. In fact, I used Linux because it is more stable and secure, as a gateway to the internet. My argument was for ease of use.

In a similar vain to your Windows experience, I wanted to enable my kernel to act as a gateway. What did I have to do? Recompile the kernel, of course. Granted, this is not something Mom or Pop would do. In Windows XP, I would simply check a checkbox under networking. After 10 or so reconfigs and recompiles, I finally got a bootable kernel. That ain't ease of use. I had an unbootable machine until I got it right.

Re:What timing!

[Some+Dumbass...]

Look, plenty of you have chastised me with your excellent experience in how to do something that I'm sure, for someone who uses Linux all the time, it's simple. The fact is, I don't use Linux every day. I set it up as my gateway not because it was easy but because I trust it more than I trust Windows as a gateway.

What happened to those "23 years of computer programming experience"?

Saying stuff like that is why you're getting so thoroughly flamed. Lots of people within the Linux community support simpler ways to configure programs and dislike RPM. But here you are running a server and claiming to be highly knowledgeable because of your years of programming experience, yet you're having trouble with fairly simple tasks (upgrading an RPM package, stopping and restarting a program).

Basically, you shouldn't claim to be an expert when you're not. You did exacly that, and now you're being flamed for it. In reality, you're a Linux newbie trying to do something moderately hard (admin web/proxy servers). Okay, so there's nothing wrong with being a newbie. Everybody has to start somewhere. But instead of admitting it, you've pretended that you're so knowledgeable that any problems you have are Linux's fault. You don't know Linux, and you apparently refuse to learn it, so you're going to have problems. Tough. If I tried to admin a Windows 2000 FTP server and refused to learn Windows 2000 I'm sure I'd have the same problems. To use a new OS, or even a new application as complex as a proxy server, _you have to do some learning_.

I don't have time to learn how to be a Linux system admin, and frankly, I shouldn't have to to upgrade a single software package.

As a side note, if you don't know why you sometimes have to upgrade packages (i.e. to fix security bugs!), and you don't want to learn to be a Linux system admin, then please don't be one. FTP servers are particularly likely to get broken into, both because the protocol is entirely plain-text, and because some of them (like WU-FTP) have lousy security records. If you're going to put a server on the internet, but you don't have this knowledge, then please don't do it. Your server will soon be yet another cracked box being used to attack my system. If you don't want to be a system admin, or an FTP admin, then I'm certain that your FTP server will get cracked.

Let me give you a little perspective. My brother has had a Windows 98 system since 1998, and I still have to explain some pretty basic stuff to him. He couldn't find a way to install separate e-mail programs for himself and my mother, for example. Changing the installation directory is apparently beyond him. And he knows _way_ more about computers than my mother. She can't even install programs. With that in mind, I'd like to point out that running servers isn't a "Mom and Pop" sort of thing by any stretch of the imagination. It is an advanced skill, if only because of the need for security. Trust me, running an FTP server/SSH server/Squid proxy is way beyond that.

Given your problems with Linux, and your unwillingness to learn Linux, my first response would be "use the OS you know - use Windows." But frankly, I'm not sure that will help. You want to run servers on your gateway system. Why not run them behind your gateway? If you want one for remote administration, why not just run ssh (and not WU-FTP)? Do you understand that you'll need to install patches (aka "upgrading programs") when security bugs are found? (OpenSSH has had a lousy security record as of late). Frankly, you sound like you know nothing about security. Even if you used an OS you're more familiar with, I bet your gateway would get cracked. There's no such thing as a "set it up and leave it" server, not on any OS.

My advice: Learn about security first, then run your servers on whatever OS works best for you. Please, please take my advice. After hearing so many disparaging things from so many Linux users, it's easy to say "Another case of the hostile, newbie-unfriendly Linux community" and just ignore this advice. But it's good advice, and it's coming from someone who obviously knows more about this topic than you do. So please, take it!

Re:What timing!

[gmhowell]

This must be some new version of RH I don't know about. Every stock kernel I used from 5.0 up through 7.3 had the ability to do NAT and firewalling builtin. Ditto the reply about scroll wheels. Nothing to do with kernel compiling. Unless you count my Gentoo install (and I don't:) I don't know when I last recompiled a kernel. Oh, wait, I did have to compile the NVidia modules.

Re:What timing!

[gmhowell]

I haven't used Mandrake since it was basically a 'search and replace 'Redhat' with 'Mandrake' and compile for i586', but 'up2date -u' would automagically update all of his packages on red hat. Similarly, 'up2date wu-ftpd' would have updated just that program.

Trust me, he couldn't have figured out Mandrake either. He would have had to do the same thing he didn't do with RH: RTFM.

Re:What timing!

[timster]

The problem here is that what you were doing was not "desktop use", but for some reason you extend your experience to desktop use. What you were doing was clearly server administration. I don't hear anybody telling me that Windows isn't a good desktop OS because the DHCP Manager isn't intuitive (which it's not, unless you understand DHCP). Server administration is always going to require skills, and whatever other skills you may have you have no skills in Linux server administration.

As for your experience, you made a number of mistakes that anyone who knew what they were doing (as a Linux sysadmin would) would never make. First problem was thinking you should go to the wu-ftpd website and try to compile the software yourself. Unless you have some tremendous reason to do this, you need to go to your distributor in all cases, since their installations are customized in numerous ways that you have probably come to expect. Second mistake was expecting an RPM to restart the service for you (RPM's don't really go for pre/post-install scripts, see Debian for that).

The third mistake was the worst, as it totally ignores the whole purpose of your distributor. Development groups (like the wu-ftpd group) generally attach security and bug fixes to new versions, since they usually prefer to work on one codebase. However, your distributor should never upgrade you to a new version that changes any functionality unless you change the version of the distribution, since a given version is supposed to be stable. So, as every Linux sysadmin in the world knows, Red Hat doesn't just toss the thing into an RPM and throw it out there. Rather, they take their existing codebase (which as I said, is usually patched in several ways) and apply the security fixes to _that_. And everyone knows this because it is _clearly_ _documented_. If you are running a server (ftpd is not a desktop app) then you need to follow the security updates for your distro, which will quite clearly explain what patch level fixes what holes.

My advice to you is to either: remove all the server programs from your system and use it as a desktop user; hire a competent sysadmin; or spend the time yourself to become a competent sysadmin. Don't play end-user-with-a-server or you'll get burned, no matter the OS.

Re:What timing!

[gmhowell]

Did you read everything I wrote, or merely home in on the assessment of the original version of Mandrake? I thought it was rather clear that this was the last time I had tried it. What was unsaid, but clearly implied, is that it is far different these days.

Re:What timing!

[horza]

I love Gentoo, and the way I can just "emerge update world" to update every package on my system automatically. No dependency hell. It's definately desktop only at the moment, but hopefully in the future there will be different levels of update. Eg "emerge update STABLE apache" and "emerge update BETA evolution", etc.

Phillip.

Re:What timing!

[Random+Walk]

Separate filesystems are bad if you have only little diskspace (this one out of five OSes on my laptop). Putting everything in / at least guarantees that no space is wasted. And the installation manual did not point out the inodes problem, neither how to solve it ...

Re:What timing!

[gmhowell]

I should have smilied the original post.

No, you don't need modules for the wheelmouse. I don't know 'bout GPM, as I don't use it, but for X, I think it's only one extra line indicating which buttons for the Z axis.

And insmod is for real men. Us wimps use modprobe:)

A good number of HOWTO's say something along the lines of "RedHat stock kernels already have ability FOO compiled in". One thing that might be helpful is a command that let's you see if there is a module named FOO already (probably a modprobe option, but I don't know). That way, the various HOWTOs could say 'lookformod FOO'. If you get something, you are good. If not, THEN you might have to recompile your kernel.

Is there any use for anything other than anonymous ftp? I use scp for everything that matters. Then SMB to get the stuff on a Windows box (does PuTTY have scp? I'm pretty sure cygwin does) Last time I looked, there were a few ftp daemons that ONLY did anonymous ftp. That's the way to go.

From what I've seen

[Apreche]

is that pretty much all operating systems are equally secure. The insecurities in the operating systems are not the same, but neither one is bulletproof. Windows seems more insecure, but that is because more people try to hack it, because more people use it. Linux seems more secure because it is hacked less, which is because less people use it. However UNIX is very old and very open and has just as many ways to get in as windows does.

From what I've experience operating system choice is not a major factor in security. The biggest factor in security is how well the operating system in question has been configured. You could run the newest linux with all the shiniest intrusion detection stuff, but if you let the guest account rm -f *.* you're in a bit of trouble. Nothing is more key for security than proper configuration. And of course, not downloading e-mail attachments in outlook.

Re:From what I've seen

[davebooth]

...The insecurities in the operating systems are not the same, but neither one is bulletproof...

Quite correct. The only secure system is the one in your basement with no power cord.

...The biggest factor in security is how well the operating system in question has been configured...

Also correct. The biggest factor in "how secure" an OS may be comes from the ease with which it can be made as secure as possible given its architectural limitations and from the steps that can be taken in advance to limit the damage of a successful compromise. I've been running unix and linux machines for more years than I care to count, I have been a windows user since its earliest days and based on my experiences as my knowledge of each increased I turned more and more towards unix and its analogues for the critical stuff I have to keep secure and stable. Dont get me wrong, I'm not (for a change) advocating that everyone should dump windows. As a gaming platform, as a platform for basic office functionality or day to day workstation use its hard to argue against. Sure, intelligent choices need to be made regarding which tools you install - I wouldnt use outlook for email, for example - but its generally a pretty decent workstation OS. Unix workstations, on the other hand are best at specialist roles. Once you move into the server room, however, the situation reverses.

In my opinion - which is as biased as everybody elses, being based solely on my own experience - unix and its close cousins are easier to secure than windows but with a different professional background, whos to say I might not have a different opinion. YMMV.

oh, and by the way - "if you let the guest account rm -f *.* you're in a bit of trouble" - assuming I let anyone who wanted to remove any file with a dot in its name from the root dir of any of my servers I think they'd all keep working just fine ;) Let them do it recursively and theres a couple of directories that would go away but I really wouldnt miss them. To really annoy me a cracker would have to step outside the 8.3 mindset and just get rid of *

It's the user

[photon317]

The user makes all the difference. What software you choose to run, and how you choose to configure and audit things. How much care you give to security issues and how much knowledge of basic security you have.

However, if you are competent and security-minded, it is quite easy to make a Linux box extremely secure against all but the most directed and knowledgeable attackers, which are quite rare. If you run Windows, no matter how hard you try you're still gonna be fairly hosed. Some things just can't be fixed reasonably on that platform.

Re:It's the user

[CavemanKiwi]

I can make my windows box VERY secure, just turn it off :)

Bugtraq

[qurob]

Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows. Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.

So many programs get lumped into 'linux' and this is forgotten.

Imagine if EVERY time there was a patch for a Windows app, it was checked off in the 'windows' category.

Then again, there are more Windows apps than Linux...

Re:Bugtraq

[blancolioni]

Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.

If only there was some simple prefix we could insert before the word Linux that distinguished the complete GNU + Linux system from the bit that's just the kernel.

Like that would ever happen.

You're comparing apples and ....

[mustangdavis]

I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

* Gets out a kleenex, wipes off author's glasses*

IIS - enough said.

The actual number of posts may be greater, but how many people install X on their Linux servers? How many people have xmms on thier linux server?

Also, considering that Linux is open source, and thus, hackers can actually look at the code for the OS, it is AMAZING that it is more secure than Windows! Can you imagine how many exploits their would be for IIS if a good hacker could see the source code for it?

Nothing more to be said here ... move on!

Windows vs Linux Programmers

[l33t+j03]

Lets compare the people who actually write the code:

Windows Programmers
Well paid. Medium sized grayish cubicles with few restrictions on decorations. Laid back workplace.

Open Source Programmers
Live in basement of parents' home, browbeaten daily by overbearing mother, relentlessly degraded by father.

Windows Programmers
Married to a member of the opposite sex or enjoying a healthy dating life.

Open Source Programmers
Proposition other men in subway restrooms. Frequent 'glory holes'. Masturbate to Hentai porn.

WIndows Programmers
Nice cars.

Open Source Programmers
Bicycles.

Windows Programmers
Enjoy reading books, watching movies, and listening to music that all cover a wide variety of intellectually challenging subjects.

Open Source Programmers
Can't understand anything unless it deals with elves, or dwarves, or space creatures.

Windows Programmers
Secure in the knowledge that their work is contributing to increasing the productivity and happiness of workplaces and homes all over the counrty. Singularly responsible for ushering in the widespread use of personal computers for the masses.

Open Source Programmers
Waste their entire lives fighting in vain to bring down an imagined enemy by creating products that 99% of the computing public will pay to avoid having to use.

There you have it folks, a comprehensive comparison of the two camps.

If you don't report the bugs, they don't exist

Sorry, but M$ sells security-through-obscurity.

Thus, any bug-counting stats are meaningless.

And for all you folks who think M$'s ways are best: Do you really think Gates and Ballmer have your best interest in mind when they spout off about keeping bugs secret?

Security?

[Noryungi]

This sentence from the article really drew my attention:

Mainframe operating systems, which have been perfected over decades, have very few security flaws. Security problems on mainframes tend to be caused by administrators' errors.

Obviously, this guy does not know what he is talking about.

My father used to be a mainframe security officer at a Fortune 500 company. He knew mainframes inside and out and was always pretty much on top of things -- and he started his career on old IBM with punch cards, if you see what I mean.

Anyway, his company would hire (once every three years) an external consultant to test the security of the systems my father took care of. This consultant could gain the mainframe equivalent of "root" access in 30 minutes or less.

A mainframe operating system is not secure -- it's very stable (uptime=99.9999%), though, but that's a different thing.

My advice? If you want security, get OpenBSD. If you want the latest gizmo, get Linux (a real Linux) and invest some time in securing your installation...

Re:Security?

[onion2k]

Most OSs can be made secure. Even windows. By a good sysadmin.

Unfortunately this doesn't say much for your dad.

Re:Security?

[Noryungi]

Most OSs can be made secure. Even windows. By a good sysadmin.

No, sorry.

My point is this one: a secure OS does not exist. Even a top-notch sysadmin will only give you "reasonable" security.

For instance, reasonable security means patching up all known security holes, as they apply to your machine/OS combination, making sure all users have good passwords and that not every user of your machine has the "root" password, not allowing everyone physical access to your machine, backing up critical data and making sure you have some IDS installed, etc.

Reasonable security is not saying: "This machine is 100% secure", it is being able to say: "AFAIK, this machine should be able to resist hostile attacks for X minutes". (Bruce Schneier had a very interesting discussion on this last one -- take a look at the Cryptogram archives).

As far as my dad is concerned, he was still a security officer for this big Fortune 500 company when he retired, so he must have been doing something right... Like offering reasonable security to his mainframe users... ;)

Re:Security?

[Pengo]

This is the first time in months I have read an post on slashdot that mentions that (they/ someone/ their friend/whoever) works at a Fortune 500 company and I felt they are not a troll or blatenly full o chit.

congradulations

A user's standpoint

[InodoroPereyra]

Even though I contribute code every once in a while, my background is not in CS and I am not an expert in Security by any means. What matters to me is not whether open source solutions are inherently a little more or less secure than open source solutions. What really matters to me is what can I do to secure my machine .

Security holes happen for any development model, shit happens. With open source, GNU/Linux in particular, I keep an eye on security updates to my distro and that's it. Almost no effort if you use a friendly distro. Well, that and I check not to run services I do not need, use a firewall, etc. I know that as fast as a hole is found a fix will appear and I'll download new packages in a couple days. If I am really concerned I can compile and install in the meantime. Here is where the freedom meaning of free software shines.

Oh, and the title should better be "Open source vs propietary security". Old same old ...

I want to choose my security settings

[magwm]

Well, at least linux (the newer distro's i tried like RH, Mdk, SuSe, Deb) lets you CHOOSE your security settings. None of all windows installations i performed asked me which level of security i wanted..

ActiveX is...

[Arker]

Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older systems, and I don't believe anyone has even worked out a way to properly disinfect it from XP to date (if I'm wrong give me a link, litepc.com is still working on it, it's a tough problem.) ActiveX is also the very exemplar of security hole from the ground up. Despite all the lip-service given recently to the concept of security by Microsoft, this particular policy, by far the biggest cause of security flaws, has been intensified over time, not backed off from. This makes Microsoft systems and security antonymical.

Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above. What does Microsoft gain by making their systems inherently insecure? A rationale for the 'necessity' of so-called security schemes (that really don't have anything to do with security, but rather with centralised control) such as DRM. Flood the net with insecure boxes and then cash in later by 'solving' the problem in a way that makes you the effective gatekeepers of the internet. Now there's a business model with some profit potential.

Re:ActiveX is...

[sqlrob]

Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older system

s/pain/impossible/

The APIs are moving to ActiveX (cf .NET), and the UI shell is all ActiveX. I don't know that you could remove it even on Win 3.1

ActiveX is also the very exemplar of security hole from the ground up.

Not really. All ActiveX is is a codification of C++ virtual tables and object instatiation into a language independent standard. That's it. It's all in how you use it.

Re:ActiveX is...

[michael_cain]

Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above.

Personally, I'm more inclined to regard this as a situation analogous to American automakers at the beginning of the 70's. At that time they built large, unreliable, poor-milage vehicles and their strengths were styling and marketing. Then a shock to the system (oil crisis) caused buyers to value other attributes, and the Japanese firms were able to make inroads into the market that continue to this day.

There is no question that ActiveX made certain kinds of Windows development faster and easier, created a whole subindustry for people writing and selling ActiveX components, and made it possible to do neat things within the IE framework. It remains unclear whether or not you can ever make ActiveX really secure on a machine connected to the Internet. Think of the plague of badly-behaved ActiveX components as the "shock to the system". If people begin to value security more than they do the flood of features or the ease of development, something else will make inroads into the market...

Re:ActiveX is...

[Arker]

s/pain/impossible

Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.) You can do the same thing with ME, the easy way is here. NT based systems are harder, but it's possible to achieve most of these improvements there as well, elsewhere on the same site you'll see he's still putting the finishing touches on a similar product for XP.

The APIs are moving to ActiveX (cf .NET),

Yes they are, an excellent reason to step up the pace on eliminating MS from any environment where security is important.

I don't know that you could remove it even on Win 3.1

Win 3.1 didn't include any of this, that's a very bad memory or some FUD, depending on your internal state when you wrote it. Some of the earliest versions could be run on 3.1, but that required installing Iexplore updates, it wasn't on the system by default.

Not really. All ActiveX is is a codification of C++ virtual tables and object instatiation into a language independent standard. That's it. It's all in how you use it.

Not quite, that's COM, ActiveX is how COM is made available to arbitrary code, as from a webpage or an email opened using MS tools, which as a rule don't just neglect to give the user proper warning before executing proper code, they typically give no warning at all. Click on a URL or just an email header in Outlook and you can run code without knowing you are doing so. This is a fundamental architectural flaw.

Re:ActiveX is...

[sqlrob]

Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.)

You removed ActiveX *CONTROLS* and ActiveX scripting of IE, which is completely different from removing ActiveX.

Look under your registry HKEY_CLASSES_ROOT/CLSID. If you have *ANY* entries under there, you are using ActiveX

Not quite, that's COM,

Yes, it is. The official definition of an ActiveX object is "implements IUnknown". Sound familiar? ActiveX is just the marketing name for COM.

Re:ActiveX is...

[Fizzlewhiff]

Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

Your reasoning for windows applications being less secure than OSS makes no sense.

Closed source software is no more complex than its open source counterpart. The fact that millions uses software package A over software package B does not make A less secure than B.

I've never worked on an open source project because the closed source world keeps me too busy. But I would imagine its very similar to working on a closed source project, the main difference being teams are not working at the same location. Still, everyone works on their assigned piece of the project and checks it in and hopefully the project leader and others on the team review the code and perform walkthroughs. In either world security holes (buffer overflows, etc.) should be spotted. So its not the open or closed source model that leads to more secure code, it is the project management methodology and the people on the projects who lead to more secure code.

The code most prone to errors in my opinion would be the code written by teams of one where virtually no review would be done. I believe you would find this type of development more often in an open source project but it could happen in either environment.

The thought that security problems in commercial software being a conspiracy to make way for DRM and DRM based operating systems is laughable. I remember back in the early 90's a similar theory that IBM was writing the more common DOS viruses as a method to promote the usage of OS/2 because at the time no one had ever heard of any OS/2 virii. The fact that there was little OS/2 file swapping because there was little OS/2 native software never came into people's minds.

Re:ActiveX is...

[Arker]

Agreed that it's a marketing name, but if you look at the way it's used you'll see it's clearly referring to the controls and scripting capabilities. That's the point. Those are the focus of the marketing, and the locus of security problems. Getting rid of those is, from a security point of view, job one. And making that impossible is, from Microsofts point of view, job one as well. See my point yet?

pick(nit);

[Black+Parrot]

> I think that's a big part here, any OS is as secure as the admin...

I would have said "the admin sets an upper bound on system security". The OS could still undershoot that bound.

Re:pick(nit);

Actually, the OS would set the upper bound on system security. The admin would be responsible to ensure that the usage policies and deployment environment areusing the security capabilities of the platform to the fullest. In that sense, the actual security of a system would be the product of the various factors, in this case: Security = OS_Security * Admin_Knowledge

Re: pick(nit);

[Black+Parrot]

> Actually, the OS would set the upper bound on system security.

Actually-actually, they both set upper bounds on the system security. The effective security is the minimum of the two bounds. You can't get better than your OS offers, and you can't get better than your sysadmin offers.

Re: pick(nit);

[Amazing+Quantum+Man]

Security(System) = MIN(Security(OS),Security(Admin))

Myths of Linux Malware...

[sheriff_p]

Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ... VB has a good article (written before Slapper came out, as it happens) on why this is largely untrue:

http://www.virusbtn.com/magazine/archives/200209/l inux_malware.xml

Is Linux More Secure?

[fishlet]

Can this be sufficiently answered until alot more people are using Linux? I mean over 90% of people use Windows still... so probably a equally great percentage of hackers spend their time trying to break it. Since security problems are usually pretty obscure until someone very dedicated finds it, who's to know what's lurking in Linux. I personally don't feel linux has really gone through the 'trial by fire' needed to prove it's secureness.

Now in theory it can be very secure, it is based on Unix which has a good record. However Linux has surpassed traditional Unix's in features- and with more features comes more complexity and more breaking points. The old assumptions about it being a unix shouldn't be highly regarded.

Linux can really be more secure than windows, but lets not go touting it as fact until it's survived mainstream use.

Clueless admins vs. byzantine systems and bad docs

[swb]

I wonder if Windows' security problems aren't as much the fault of the everything-but-the-sink integration and legacy support, and abysmal documentation as they are inexperienced and unknowledgable administrators.

A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists? And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.

Third party resources? You can't say "take a class" -- I've *taken* MS curricula before and its not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs. Books? Usually no better than the online docs and often *worse*, and that's if you can manage to wade through a sea of 'em to find one that's not just screenshots of the online docs!

My experience with Linux and (predominately) FreeBSD is that while the UI of these OS's is often less untuitive, the documentation, even man pages, while dense is far closer to complete than Windows and there's a lot less hidden "gotchas". One of the great things about textual config files is that most sample configs, especially with stuff like Apache, Squid, etc is that the configuration docs are integrated with the config. You just can't do that well with Windows, which is moot anyway, since MS *doesn't* do it with their default configs.

My point is that while its fun (and often fair) to blame clueless admins, they're also admining a system that seems to try very hard to defy people who want to learn -- Just Click Here And It'll All Be OK. If they could learn and understand the operation of the system(s) and their archtecture they'd get a lot smarter. MS makes it hard to do this so people don't.

Flamebait indeed

[kafka93]

In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

Similarly, the quoting of a few minor-but-exaggerated viruses etc., and to imply that these stack up to anything remotely comparable to the plethora of such issues that plague the Windows OS, is quite ridiculous.

Let's face it - this is FUD. "Microsoft has organized a huge security program" and (Linux is) "less disciplined but more timely" -- such soundbites have been carefully calculated.

Of *course* security comes to more than the Operating System alone; still, one can only gape at such inane comments as "the existence of security flaws -- and of hackers willing to exploit them -- does not necessarily add up to more risk for users".

This is FUD that is based on the vaguest understanding of security, upon one man's comments, upon old, tired misunderstandings about the merits of "single commercial entities" -- in short, it is the usual chest-pumping pro-Microsoft FUD from someone who knows very little about which he speaks.

Re:Flamebait indeed

[jedidiah]

He knows well enough to be aware of what has actually been exploited. The article is infact a "Fear mongering" piece. It presents only the information that the author wishes you to see. It is clear the author has an axe to grind against Linux in particular.

The author ignores the common pedigree that Linux shares with Unix. The author ignores the underlying design issues that distinguish Unix versus Windows in theory and practice. The author plays a naieve numbers game with the bugtrack figures while conveniently ignoring the fact that Linux is more transparent.

He also makes the absurd assertion that more vendors == less secure.

If anything, competition and diversity should allow for vendors of varying quality and priorities.

Re:Flamebait indeed

[Reziac]

Well, I would have thought it flamebait too, and then I picked up a copy of "Hacking Linux Exposed" (http://www.hackingexposed.com/) This companion volume to "Hacking Exposed" is almost as thick as the original, which covers all other OSs combined.

BTW, they're both very good reads; indeed, I would say *required* reading for sysadmins of ANY platform.

Re:Flamebait indeed

[N3WBI3]

an NT ows much of its development to VMS which is also very very old..

Re:Flamebait indeed

[N3WBI3]

Security through Obscurity is **ALWAYS** bad. If I pay you for a system I damn well better know the minute you know of a hole in that system. And while MS is not telling its current customers about vulnerabilities in their system, they are selling more as being 'secure'. Its deceptive, period.

Re:Flamebait indeed

[N3WBI3]

Here is your answer..

Linux is closer to UNIS than NT is to VMS, but not much, and not very much at all in the lower levels of the OS..

Re:Flamebait indeed

[user311]

Umm, yeah, but there is also Hacking Windows 2000 exposed - which is pretty much the same size as the other two. Hacking Linux exposed was more in depth than its predecessor, and the same with HEW2K. So your comment by no standards solves the question at hand, nor does it verify whether the the article is flamebait.

Re:Flamebait indeed

[Reziac]

Yeah, I saw the new book .. one more to pick up for my library :) But the real point is, if you're going to admin, you need to be aware that you can't just throw linux at your server and assume it's automagically secure. There are plenty of pitfalls even if one isn't afflicted with IE and Outlook.

Re:Flamebait indeed

[N3WBI3]

No but I will give you the crypt, I dont use abc123 or my name because I am relying on a piss poor password and just hoping because nobody knows it im safe, kid of like relying on a piss poor application or hoping nobody violates your system because you have not published a vulnerability..

Re:Flamebait indeed

[N3WBI3]

Black hats know about vulnerabilities
1) Before they are fixed
2) Before the vendors inform owners of their software of the vulnerability

This is inexcuseable, maybe if I know about an unfixed vulnerability I may move some critical data off of a vulnerable system, or take a network segment off the internet, or block a certain port, or one of a thousand things that can protect me against people who know about the problem.

Slapper is a good example, assume that slapper was out before the patch, if you know what it is and how it works you can just do a touch on the file it tries to compile to and set the rwx to 000.

Re:Flamebait indeed

[N3WBI3]

Why the hell does the application base mean anything when talking about the structural security of the operating system.

Re:Flamebait indeed

[N3WBI3]

You gotta be kidding the number of stack overflows alone in the NT core OS is more than all linux based issues..

The question is not Who? but HOW?

[Nicolay77]

Who is better, bigger faster? That doesn't help any community very much either.

What is good is to ask how to make actual systems better, to catch up faster with patches an so on.

My try:

Besides disabling unneeded daemons, automatic updating should be a priority for almost all users, at least for every desktop (not hardcore) user. MS would have that right if they weren't pushing EULA changes with every update. And checksums of packages would start to be a serious thing, not something we saw but ignore in the same web page as the .rpms, .isos or .exes.

But this automatic updating should be entirely configurable, because hardcore users, admins and so on can't rely on third parts to check the compatibility of every patch with the endless configuration they have done. Auto-update could be enabled in any vanilla system, and disabled per package with dependencies with a CLI and GUI tool.

Ohhh, and making sure that this autoupdate doesn't have any bugs too! (as far as possible). May be SSH and server keys in the .isos to prevent man in the middle virus patch attacks.

Just a though.

Re:security

[mustangdavis]

Steps to make a system secure:

1. Unplug all cables (Ethernet, keyboard, mouse, usb, serial, parallel, and power)
2. Place system in lead crate, seal crate
3. Encase lead crate in cement
4. When dry, place crate at the botton of the Pacific Ocean
5. Loose coordinates of system location

The moral of the story: As long as the machine is plugged into the Internet (useful and user friendly), it is not secure!

Re:Ramen, Slapper, Scalper and Mighty ?

[Ummagumma]

>1- Mighty Netbios ( Most secure protocol >invented since '95! )

Any sysadmin who doesnt diable this on publicly accessable machines isn't a good sysadmin.

>2- Unicode File Traversal Vulnerability. Appeared like 1-1.5 year ago. Still some servers vulnerable

Again, sysadmin problem. Its been patched.

>3- Melisa & IloveYou & others countlessly many Ms Word worms

Application problems, not OS problems, big difference.

>4- Nimda & CodeRed variants. Millions of computers got intruded in one day.

Application problems, not OS problems, big difference.

>5- Internet Explorer got 20 unfixed vulnerabilites today according to http://www.pivx.com/larholm/unpatched [pivx.com]

Application problems, not OS problems, big difference.

6- Windows XP UPnP Vulnerability got public after the week XP was released....

I'll give you this one :)

Im not saying windows is the greatest and all, but get your facts straight, please. 3 of the 5 issues above are application issues, not OS issues.

Well, a lot of Linux developers are foreign

[typical+geek]

so your Big National Laboratory has a point about trusting an operating system that's been put together by people who aren't American. Many are Europeans, who because they live in a socialist, pacifistic paradise are insensitive to the security needs of a government agency entrusted with keeping the world safe under the Pax Americana. Many Open Source developers are from third world countries like India, Taiwan and LapLand. Their standard of living is so poor, and Open Source pays so poorly, that they can easily be bribed by a handful of rupees or drachmas or pounds into including assembly language Trojan Horses that would fatally compromise the security of Linux.

I think your IT director is right, rely on an American Operating System, coded 100% by Americans, yes, we're talking Microsoft Windows 2000. Deep in their heart of hearts, Bill Gates, Staver Ballmore and Jim Allchin know that America is the best country for them to live in (if they lived in England, half their personally generated wealth would be taken away to buy heroin for junkies), and they will work hard to make a safe OS that willl ensure the American hegemony.

Linux is fine for a hobby, but I wouldn't trust my country with it.

Re:Ramen, Slapper, Scalper and Mighty ?

[unixmaster]

apache bugs : Application problems, not OS problems, big difference.

openssh bugs : Application problems, not OS problems, big difference.

xchat & other programs bug : Application problems, not OS problems, big difference.

Linux kernel symlink dos vulnerabilty ( 1 vulnerabilty about kernel I have ever seen in 1 year ) : os bug

See if you think like that Linux has only 1 bug....

Re:Nice spin on the article

[Penguinoflight]

No man.. OpenOffice is a network application, so it could be a security risk, but KOffice is a single user application, and not at all dangerous. And unlike Win32, there's nothing wrong with XWindows that is consistant. It's so old, and written well enough, theres very few bugs. Remember, us "mindless Linux zealots" are the ones who really care about stuff, you don't. Everyone has their "Reason" why linux wont go mainstream, but they're usually fake, like this one. You're just not ready to learn another platform, so you curse it instead. get a life.

Re:Nice spin on the article

[frankmanowar]

I thought the article didn't really stack the deck at all, in fact, it was very favorable to windows - it actually legitamized it (you motherless whore). when a security flaw is discovered in linux, a community of people work together to release a patch while a company that issues a distro/release works on their own patches. MS sits on known security issues for years without addressing them, doing damage to their customers and user base. Linux users don't pretend that their is no problem running X servers (or ttdbserver.rpc for you solaris people, holla *^_^*), they come up with solutions. MS has finally gotten around to releasing patches as they come out - but what about inherent flaws in the OS that are unpatchable - like the Windows Messaging system?

No, Windows STILL sucks.

-Frank

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Clueless admins vs. byzantine systems and bad d

[GigsVT]

Playing devil's advocate here but....

MS could have documentation that is just as good, and contextual like a squid conf file.

The problem is that people stop clicking the question mark cursor (contextual help) after doing it about 10 times and getting "This is a text box, you enter text into it" or "click the check box to toggle this option on or off".

So, IMO, it's not so much that they can't, it's that they don't.

Re:Ramen, Slapper, Scalper and Mighty ?

[Tack]

> 5- Internet Explorer got 20 unfixed vulnerabilites today according to http://www.pivx.com/larholm/unpatched [pivx.com]

Application problems, not OS problems, big difference.

Isn't Microsoft desperately trying to convince us that IE is part of the operating system? They can't have it both ways.

Jason.

Re:I trust Linux's security implicitly

[blibbleblobble]

"I doubt the veracity of your story. The NSA has worked on a secure Linux distribution"

And the government told them not to do it again. It was 'harming american business by encouraging competition to microsoft'

Microsoft Office

[tmark]

I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen

That would be a good point if not for the fact that 1) Microsoft Office is not part of Windows, and 2) a lot more people would switch to Linux on their desktop if Microsoft Office (and not some pale imitation) were available on Linux. But it isn't, is it ?

Re:Microsoft Office

[jedidiah]

Your statement contradicts itself.

If people are unable or unwilling to run Linux because msoffice is not available for it, then msoffice is for all practical purposes a part of Windows.

Otherwise, they could just run PerfectOffice ro SmartSuite and perhaps avoid the permissiveness of MS applications.

Re:Microsoft Office

[Black+Copter+Control]

It's a lucky thing that I'm not metamoderating. I could let someone get away with calling it 'interesting', but to moderate such a convoluted and almost self-conflicting argument as 'insightful' makes my logic circuits curl.

The vast majority of people who don't run Wintendos for server applications have Office Suite running on it. I wouldn't be surprised if there are some server applications that also require users to load Office.

In any event, with such a high percentage or Windows users also having Office loaded, the security issues caused by Office are effectively a Windows problem. -- and it's a really nasty security problem.

Windows' fuzzy delineation between the user and the system doesn't help things much, either.

Re:Nice spin on the article

[Blkdeath]

The thing is, cathedrals are inherently more secure than bazaars. This is in no small part due to the people that frequent each place.

Why, because they don't let anybody peek inside?

Because security through obscurity has worked out so well for Microsoft in recent years, hasn't it?

While there may be a significant number of vulnerabilities that have existed in Linux applications (a rare few in "Linux" itself, I might add), they're almost always fixed in a timely manner. More than can be said for our Cathedral competitor.

Moreover, the security model of even a relatively loosely secured Linux system helps prevent overall system damage and widespread deployment of such vulnerabilities. Consider the spread of CodeRed or Nimda compared to that of Slapper or Ramen. I'm no mathematician, but I do believe we're talking an order of magnitude in difference here. Before somebody reminds me for the umpteenth time that Microsoft is more widespread; let's concentrate on web server vulnerabilities. These guys disagree wholeheartedly.

Also to be considered is the sheer number of updates that appear on the WindowsUpdate site with no big uproar, and the potential number that are buried deep inside their service packs (104MB for XP, 106MB Win2k SP2 with a 17MB "security roll-up" and subsequent SP3, etc.). With atleast a quarter GB of updates to Win2k systems - that's a lot of fixes! The open source community is just a lot more ... open about the chinks in our armour, which gives statisticians a field day in coming up with reports and editorials about how bad off we are.

Of course, were I to deploy a mission-critical server installation running Linux, I still have the ability to audit the entire codebase (or hire somebody/a team of somebodies to do it for me). With Windows, that's apparently possible, in a small part, and at a very large price (I understand that enterprises can purchase large chunks of the Windows codebase for a few hundred thousand dollars, but don't quote me on it.) on top of the expense in hiring the programmers. This is not to mention the fleet of tens of thousands of eyes always staring at the code of larger projects day in, day out.

Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option? Of course not.`Microsoft's bread-and-butter is having that GUI shoved in your face at all times with the Internet Explorer icon emblazoned on the desktop and etched forever into the back of your retinas. The Windows Scripting Host and VBS support are all part and parcel with their Master Plan to have integrated desktops with unified interfaces (remember, Microsoft server administration is aimed at monkeys, not trained professionals. (Disclaimer: This isn't to say there aren't talented Microsoft administrators out there, only a comment on the target market of the Windows point-and-shoot interface for servers)).

Interesting to note, BTW, that Windows Professional and Server operating systems ship with RPC, Remote Registry Editing, Background Information Transfer Service (BITS), among other things enabled PER DEFAULT . Microsoft claims to be shifting their focus to security, but quite frankly, the default "Automatic" services list in Windows XP doesn't impress upon me a great feeling of security either.

Remember too that Windows (both the 9x and NT trees) were designed to be single user platforms (the NT tree coming from OS/2 - a single user platform) with multi-user support kludged into place. Only recently is there some form of organization as to where users store their individual documents and settings, but the de facto software installation course sees users installing things throughout the root of the filesystem still, because that's the way it's always been.

With a pretty basic set of hardening scripts (filesystem permissions, firewall rules, etc..) Linux can be made infinitely more secure than Windows, and I believe it will always be more secure if the administrator (behind both the Linux and Windows keyboards) are on the ball. Why? Because I believe OSS vulnerabilities will always be patched sooner, tested by a wider range of people, and applied sooner than the alternative closed-source Windows patches. Also, auditing a patch (diff) file is entirely do-able for one or two programmers in an afternoon - something that makes rapid mass-deployment of patches far more plausible, whereas in the Microsoft world the patch/update method is essentially "Test patch on several machines with similar configuration. If nothing breaks, apply it to the front-line servers."

Morality and security wise, I think I'll stick it out with Linux and let the statisticians throw around all the numbers they want. I'm comfortable right where I am, thankyouverymuch.

Damn spelling!

Look, some grammatically inclined Slashdot readers can be really picky about spelling and grammar in articles. Maybe it gets on your nerves or maybe you laugh it off.

But "weather" instead of "whether" being posted? That is the kind of mistake an elementary school student would make. Okay, I'll be extra forgiving and say a junior high school student might make that mistake. That is really fucking pathetic nonetheless.

You could change it now, but you won't. That is the *most* confusing part.

I just can't pay for Slashdot when I can't feel like it is a professional product (meaning that you took the extra 4.5 minutes per day to actually look over the spelling of single-paragraph articles). You may think that's ridiculous, but I think the grammar here is ridiculous, so I guess we both have our opinions. I don't want your money though.

Re:Ramen, Slapper, Scalper and Mighty ?

[WebMasterJoe]

>5- Internet Explorer got 20 unfixed vulnerabilites today according to http://www.pivx.com/larholm/unpatched [pivx.com]

Application problems, not OS problems, big difference.

Unfortunately, it's irrelevant that IE is an app and not an OS because Windows won't let you remove the app. Same with Windows Media Player. As a result, any flaw with those applications must be patched, even if you have no desire to even have the applications on your system.

The OS you know best will be the most secure.

[doodleboy]

I've used UNIX and Linux for close to ten years, and by now I have a pretty good idea how to do things in a secure and functional way. I've only had to admin an NT box once, and I migrated services off of it as quickly as I could.

Why? Not because I had any direct evidence of insecurity (this was before the real flood of NT vulnerabilities began), but because I knew I could do a better job with the tools I knew best.

But also:

- the NT machine tended to bluescreen every month or so for no apparent reason. The MCSE on staff was not overly troubled ("Oh I see the problem, it just needs a reboot"), but its flakiness did not fill me with confidence.

- the MS tactic of bundling the kitchen sink with the OS is just asking for trouble. Linux's modularity means you don't have to have a graphics layer on the server, for example, or any other unnecessary frills that provide opportunities for crackers.

- I believe the full-disclosure bug reporting model is orders of magnitude more responsive than what you get from proprietary vendors. Afaik, lots of reported linux bugs == lots of bugs get fixed because lots of people have access to the code.

- really excellent security tools are freely available: iptables, xinetd, snort, tripwire, nessus, nmap, chroot, etc. An interested beginner could make a linux server very hard to break into. I know {NT,W2K,XP} has more wizards and stuff, but is it easier (or even possible) to really see and control what's happening with the OS?

Several problems

[mfos.org]

1) The author cited as fact that the age of the operating system is directly related to its security, without any kind of proof. This makes sense at first glance, but it ultimatly glosses over the fact that both OSes are in constant development. New features are added every day. This might make sense if, after developing the system, all the time after that was spent patching and debugging, but this isn't the case.

2) The author has no concept of service vs. system. Most vulnerabilites are in sevices, not at the kernel level. All Linux is just a kernel. Packages are added to make a usable Linux distro.

3) The author cites number of bugtraq entries as a way of gauging relative security, without considering the severity. Also, bugs, like those reported to Security Focus aren't the only vectors of compromise

4) Open source software, by virtue of being free, allows an administrator to install much more security software for his dollar. Firewalls, IDSes, advanced cryptographic file systems, HIDS, and virus scanners can all be downloaded for free.

Re:4 out of 10 americans support annexing canada

[avgjoe62]

Does Canada have a secure OS?

BugTraq...

[Squidgee]

Now that I've thoroughly chastised the author about his spelling..

The fact that there are less bugs on BugTraq pertaining to Windows than there are to Linux is beside the point: Most Windows users don't give a damn about posting on BugTraq. Most Linux users want to improve their OS, so they do post on BugTraq. And if Windows users did care...oh boy would BugTraq see some bugs...

Re:I trust Linux's security implicitly

[Billly+Gates]

Just because someone has a different opinion that yours does not mean he is wrong and you are right.

Sometimes I find slashdot highly biased. I think the karma of your comment of +4 is a little to overated since its biased.

Most highly secure military labs like the dod use VMS because they have a license to see and audit the source code? I remember reading a comment earlier this year mentioning this but I do not know if its true. I would not be supprised if the military uses their own operating sytems for critical systems that handle nukes and keep tract of military operations worldwide. You need alot of certification to run an approved os with approved hardware. I believe c3 certification is required.

1.) c2 certication is required.

Yes, Windows2k and NT are c2 certified while Linux is not. What we need to do is fund a lab to make it certified. People who do government purchasing will not buy a system that is not c2 certified. I believe this was probably one of the reasons linux was turned down. I am aware of the fact that Microsoft's c3 tests were not connected to a network but that is really part of the certifaction process. Any server that is connected or has a floppy drive is automatically disqualified so please don't rant on this.

2.) The second issue has to deal with the development model. The labs security department does has a valid concern that you may or may not agree with. I too would rather trust a proprietary OS with a special license to look at and audit the source code or a homebrew OS for such a situation.

They do not know who Linus is and yes it is possible that the government of China for example can add some worms or backdoors into it. Remember that China is standardizing on linux and maybe funding part of it and donating code!

Yes their is no security in the linux development environment and no having Linus decide which code gets patched in the kernel is not good enough for military use! The bsd crowd has been complaining about this for awhile. They would like cvs to prevent someone from adding something to the kernel. I do not agree with this analogy but if their was a cvs tree with at least minimal security on who gets to commit and write, then it would not bother the security freaks as much. From what I heard, Linus still does not use cvs and just patches code he receives from email. I remember several commits by him in which he says he will never use CVS.

The preference for Windows2000 however does not make any sense. Its all closed source and a few spies could actually work for Microsoft. You never know. If they can look at the code, then they can do an extensive audit. However like I mentioned above, win2k is c2 certifed so thats why they use it.

GNU is Not Linux!

[RAMMS+EIN]

``Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.''
What they're forgetting here, though, is that Linux is actually GNU/Linux. The Linux kernel is a relative newcomer, but the GNU utilities that it uses have been in existense for quite a while, and have a history of testing on various Unices, etc. etc. These days, what matters is mostly the security of programs that connect to the 'Net. Vulnerabilities exists on both sides, but tend to be more braindead with Windows programs. M$ Outlook Express executes .exe attachments disguised as audio/x-midi inserted in HTML mail...WTF? Linux users are more likely to patch or upgrade to more secure software. The programs used matter, but the human factor can't be ruled out, either.

---
Running as root is bad. I don't want to run as root. But now I can't modify my config files... Hmm, chmod -R o+w /etc/*
Good, now I feel a lot safer...

Windows vs. Linux security-wise

[fudgefactor7]

(Ok, so that subject isn't that great, sue me) ;)

I submitted this same story on the 11th and was amazed that it wasn't posted as it's an important debate, not to mention one that is extrememly volitile (which might be why it wasn't until now--get the Monday crowd, so to speak)..

At any rate, there have been tests done that disprove the OSS-is-more-secure model, basically stating that either style (OSS or Closed-Source) can be equally secure. We all know that. What I think is interesting is exactly how both camps go about the same thing (ie: security).

The OSS people find a bug, the author of the affected application is notified (probably by hundreds of affected people, or by bugtraq, or something like that, and he/she fixes the bug, releases a patch or new version and the world is more or less happy. (Some apps might not work, but then that's not the problem of the author.) Time from bug to "fix": about 2 weeks (at most).

Closed-Source people get a bug report, then they have to see where it is in the code, fix it (and here the similarities end) because there is (at least in the commercial business) a desire for backward compatibility and what MS likes to call "regression testing." Once that arduous process is done a patch is released. Time from bug to "fix": at least 2 weeks (unless your'e lucky.)

Really, the only thing I see different is the time involved, both bugs get fixed, but OSS doesn't have to test it with previous releases--the author only has to make sure it works on a "vanilla" install; whereas someone like MS has to make sure that it doesn't break anything going as far back as, say, Windows 98. (Which is pretty far back in computer time.)

I think the real way to describe it is that OSS is made secure faster than Closed-Source. Speed being the essence, that's the rub. If I want security I'd like it now, not later.

The history of bugs...

[rosewood]

Once again we have an article that forgets the history of bug tracking and CERT. There was a time where everyone thought it would be best to alert the company first and let them fix a patch. Then we saw time and time again a company sitting on a problem and not wanting to issue a fix until the next big release they could sell.

Then, the idea was to make a bug known publically so that the company couldnt hide. Unfortunatly, the company then denied that such an attack was possible. This lead to the requirement of posting source or an example program the exploited the program - which before was just sent to the company - into the wild.

This brings us to where we are now: Everyone (sysadmins, crackers, hackers, the media, and the company) knows about the problem and how it works at the same time. This means the company HAS to patch their software. This also gives your sys admin a better chance since he can know about an exploit and immediately begin watching it or take the effected program away until a patch is issued.

The down side of course is smbdie being posted on /. and everyone in the university using it to crash computers campus wide. However, these idiots, the idiot sys admins and the idiots that made smbdie possible all had equal amount of time to do what they needed to do.

What is this guy talking about?

[ellem]

Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

This makes no sense for several reasons:

1 -- "a lot" more; how much is "a lot"?
2 -- Linux the kernal or does he mean Red Hat?
3 -- Didn't MS make a big deal about NOT posting to BugTraq for (snicker) "Security Reasons"?

Hemmdinger sounds like a shill to me, and I don't even use Linux (Red Hat, et al) anymore.

Linux security...

[Junta]

First of all is hard to nail down what exactly that means. When most peoople utter those words, they refer to Apache/Linux/Linux Apps vs. IIS/Windows/Office.

Very few security issues in the recent past have really had much to do with Windows itself, mostly IIS and some Office/IE vulnerabilities. Even with those, frequently the problem is that the administrators of targeted systems are not sufficiently security minded. Also, MS products draw a lot of attacks, simply because the systems are such a large target.

The enhanced security of Linux, at least in part, is a self-fulfilling prophecy. When administrators are highly security concious, they will often go to Linux to drastically reduce the sheer number of attacks they receive and are influenced by reputation. Sure Linux boxes with Apache have had a number of problems and worms, but those administrators are far more likely to update Apache than IIS administrators.

One thing that really does make me think it would be difficult to update Windows as easily as Linux systems is the model for updating busy files. Under linux, the in-use inodes are kept open for the processes that need them, but the filesystem is updated for future processes. Under windows, the file updates are scheduled for reboot. Since so many of the updates for Windows touch so many files, updating IIS will likely require a reboot, huge no-no for mission critical apps..... Aside from that, I'm not so sure that Windows is that much less secure. However, I prefer linux because it *is* more flexible..

With the exception of OpenBSD

[flinxmeister]

Almost nothing is routinely secure "out of the box". And even OpenBSD has had its share of black eyes.

It's not a question of "How secure is it"...it's a question of how securABLE it is. IIS is securable, so is Apache. The problem with IIS is that it's usable by the low end of the technical spectrum who don't know or don't take the time to secure it. People who use *nix/*nux and Apache are almost techies by definition. They generally have the attitude to secure their boxes.
The irony is that with a flurry of points and clicks, IIS is easier to secure than Apache. However, nobody does it.

The real vulnerability

[SatanicPuppy]

What everyone seems to be missing is the difference in scale between a windows exploit, and a linux exploit.

Linux, if you hack a mail client you can send spam to people on YOUR mailing lists.

Windows, if you hack a mail client you can send mail to people on THEIR mailing lists.

Most times linux exploits get you the very lowest level of security access. Yea, you got in, but you hardly got root priviledges out of it.

Windows on the other hand, has several known and documented exploits that not only get you in, but get you admin priviledges to go along with it.

Linux is very protective of it's hardware access (As anyone who's ever tried to run games will tell you. =P). Windows, on the other hand, goes out of its way to make hardware access easy and painless, both to the user and the abuser.

Exploits exist for both systems. But which ones would you rather have to deal with?

Re:Nice spin on the article

[archen]

Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option?

Simply put windows just doesn't have much functionality without a GUI, and many MS tools absolutely depend on it. Aside from that, strategically MS must to focus on their GUI. Why? Look at the functionality of cmd.exe vs bash . When you take things to a CLI level, UNIX is far superior. And lets face it, many in the MS world are just afraid of the command prompt.

The Admin is as good as the Documentation...

[vrypan]

he has access to.

My experience is that it is really hard to find *good* documentation for advanced topics in the Microsoft world. (especially when you need it). I guess that there are good books out there, but when I needed information I was not at the bookstore.

On the other hand, Linux/Unix is very well documented. And when you hit the wall, you can always look around in the source code.

Panayotis.

a more secure windows

[blurpy]

everybody has heard (and many agree) that any codebase will have x number of bugs (including vulnerabilities) per n lines of code. the more mature the codebase, the fewer bugs may remain, but they are still there. solaris has 'em, linux has 'em, even openbsd has 'em.

no one should doubt the capability of microsoft's core programmers to create solid, robust and secure code. anyone who does, is not being serious.

the problem arises because those same programmers must pack many things into a base os install. for example, to install windows and have it work means i must have the entire windowing system installed and operational. it also means that ie must be there. i have heard from a microsoft employee that if i remove the media player dll from a win2k box that the entire box will cease to function, though i have not confirmed this. i imagine there are others that could be added to this list.

in the unix/linux world i have the option (though imperfect) of leaving out everything except the kernel, core libs, core services and the service / services i want the box to provide. all other code is not only turned off, it just isn't there. which means fewer lines of code, which means fewer vulnerabilities.

last i checked, the majority of vulnerabilities for both win2k and linux came from various 'non-essential' programs, programs like the browser that i don't really need on a webserver. granted, there were quite a few for iis, but even its vulnerabilities come largely from additional, non-essential code that is automatically installed and required to be there, but for non-technical reasons.

therefore, to make a more secure windows, that would conclusively compete with *nix in this arena, microsoft should release a version of windows that can be cut to the bare bones, something i could run headless, without a browser installed, without outlook express installed, etc.

would microsoft business allow such a thing to happen? perhaps not, which means microsoft programmers will forever have the deck stacked steeply against them.

its too bad.

nothing news worthy there at all

[budgenator]

In fact the only real hard statement, Linux, which is even newer than Windows is wrong if I remember correctly Linux was arround when windows386 was out, and I know I was using Linux before Windows95 was released because I remeber waiting to send in the free upgrade certificate on my first pentium machine. windows 3.10 was not an operating system by any means it was a windowing enviroment built on top of DOS. Are they realy saying that Windows XP has anything to do with 16 bit windows 3.10? I might buy an argument that Windows NT - Windows 2000 - Windows XP represent a line of evolution, but Windows 3.10 doesn't belong in there
.

Re" Microsoft and C2

[brokeninside]

Per Microsoft SQL Server 2000, Windows NT 3.5, and Windows NT 4.0 have had successful C2 (4.0 by ITSEC at a "roughly C2 level) security evaluations. (Notice W2K is missing from that list.) Bear in mind that C2 evaluations are done on specific hardware.

Re:Really?

[blibbleblobble]

How odd, no one must have told them that the project ended, according to your comment.

What am I, a journalist that I must check my sources rather than just commenting from memory?

A google-search, as usual, turns up varieties of information. I discovered the following article on
ZDNet news with a 2002 date at the bottom.

[Of course, this might be an auto-generated copyright statement using the current year, but I dread to think the legal implications of them doing that on something written before they claim]

Quoted text follows:

SE Linux may be the NSA's last direct contribution to open-source
security, however. Because of the loud criticism, the NSA will have a far
less direct role in the creation of more secure versions of open-source
software.

"We didn't fully understand the consequences of releasing software under
the GPL (General Public Licence)," said Dick Schafer, deputy director of
the NSA. "We received a lot of loud complaints regarding our efforts with
SE Linux."

Many complaints criticized the agency for providing the fruits of
research to everyone, not just US companies and thus hurting American
business.

While stressing that the agency received a loud chorus of support as
well, the chagrined Schafer said that the issue was contentious enough
that "we won't be doing anything like that again."

Sources familiar with events said that aggressive Microsoft lobbying
efforts have contributed to a halt on any further work. "Microsoft was
worried that the NSA releasing open-source software would compete with
American proprietary software," said a source familiar with the
complaints against the NSA who asked not to be identified.

Microsoft would not comment directly on its lobbying efforts, but did
stress that it wanted to ensure the government continued to fund
commercial ventures. "The federal government plays an important role in
funding basic software research," said a Microsoft representative. "Our
interest is in helping to ensure that the government licenses its
research in ways that take into account a stated goal of the US
government: to promote commercialization of public research."

Perhaps...

[Arker]

Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

Perhaps you hit the wrong button? I didn't write that, I didn't even quote it. I think your response is pretty much on the right track, though, as a response to the other poster. Except for the last bit which does seem to be a response to me, rather than the other poster...

The thought that security problems in commercial software being a conspiracy to make way for DRM and DRM based operating systems is laughable. I remember back in the early 90's a similar theory that IBM was writing the more common DOS viruses as a method to promote the usage of OS/2 because at the time no one had ever heard of any OS/2 virii. The fact that there was little OS/2 file swapping because there was little OS/2 native software never came into people's minds.

Ahh, but these are totally different circumstances, IBM didn't develop and market a technology that made it easier than before to write and propogate viruses, now did it? Microsoft has without a doubt done that in the case of ActiveX, going so far as to put an enourmous amount of effort into trying to make it impossible to remove the security hole thus created, the only question is why... now it would be laughable I suppose if I suggested that this was the sole reason for ActiveX, there are clearly other reasons, but I think one would be seriously underestimating the collective intelligence level at Microsoft to suggest that they aren't at least aware of the effect this has had, and actively planning to market their DRM as a solution to the problem they've thus created.

Re:Nice spin on the article

[shish]

> That's because a service pack is basically the entire winnt directory's binary files all zipped up. It's almost the whole OS.

What, *every* binary in the winnt directory has bugs?

Re:Nice spin on the article

[N3WBI3]

To get nimda all you have to do is be on a nt4 (maybe nt5 im not sure) domain with a shared storage resource with an infected computer, outlook express is not even needed..

Repost of an excellent comment on the article...

[Codifex+Maximus]

In a comment on an article at www.newsfactor.com,
mmontagne wrote:

Not to belabor a point, but here's a real-world example of Microsoft "security." Here's some ACTUAL source code from a KLEZ virus -- which "technically" is an ActiveX object:
--E3524f8Qw3mbOk6Ma4g8333eS45V
Content-T ype: audio/x-wav;
name=Ymhx.pif
Content-Transfer-Enco ding: base64
Content-ID:
Engineers will recognize the extension indicates the attachment is a program information file -- which by Microsoft "security" measures is EXECUTED. Even neophytes will note the attachment claims to be an audio/x-wav file.
Is there ANY means of determining the file is truly of the claimed type?
No.
Is there any system structure which will ONLY open the file with an audio player -- so it won't ruin our system?
Of course not. This is MICROSOFT "security."
There are thousands and thousands of VARIETIES of such exploits which can only attack Windows systems BECAUSE Microsoft "security" is nothing but a facade.
In light of this, the concluding statement is particularly offensive. How this Hemmendinger is any kind of expert is beyond me:
"You're still not immune," Hemmendinger said, "but you can be reasonably sure that [a vulnerability] that was publicized a year ago won't bite you."
NOT SO AT ALL. EVERY KLEZ and every other ActiveX exploit before it CAN STILL get you, and WILL still get you, because there isn't the slightest HINT Microsoft will close the door to ActiveX.
To further evaluate the security of Microsoft, consider this:
Windows users SHOULD be familiar with the "security" option, "Script ActiveX controls marked safe for scripting."
What Microsoft doesn't dare tell you after spending so many millions "training" engineers to write "safe" code is, what DOES mark an ActiveX control "safe" for scripting?
The AUTHOR of the code does!
Every virus writer in the world can simply indicate his script is "safe", AND THERE IS NO MECHANISM WHATSOEVER TO DETERMINE OTHERWISE!
Safe? Security? You have to be kidding! What could get us a year ago can't get us now? No way in the world, partner.
I'll "finish" with this however:
Now, IF you were to trust a company to TRULY write secure software, WOULD you pick the company which for approximately A DECADE hasn't been able to write a "work offline" routine that won't immediately RE-DIAL the modem as soon as you work offline?
Hah.
"Security." Give us a break.
Virus writers are usually NOT expert developers, and the only reason they so readily exploit Windows systems is the door is wide open to the most basic, crude "skills."

I beg to differ

[Jeppe+Salvesen]

In fact, pushing all the responsibility down on the user is a very bad way of securing anything. Most poeple care more about functionality than security. We as developers need to pay more attention to finding ways of implementing non-intrusive security. It may include more lines of code, but it will certainly pay off in how many of your users end up screwed by an exploit in YOUR app.

I'm just waiting and hoping for automated code audit for security. That would possibly be the greatest contribution to computer security since encryption!

Re:I beg to differ

[jpmorgan]

Full automated security auditing is reducable to the halting problem, so don't expect a tool to do this any time soon (i.e., ever).

Re:I beg to differ

[photon317]

If you think you can do it, by all means do us the favor of proving it - make it your life's work and write the tool. I'm only being half sarcastic, it would be wonderful if someone actually accomplished it and we'd all be in your debt.

However, on a realistic level, I don't think it's really possible to write a generic code audit engine that fixes the problem, or even makes it go away. I think it more likely that the tool would just cause coders to care less about security because it's supposedly handled by the tool - they'll forget about or never learn about good security practices - and their lack of care will more than make up for the obvious holes plugged by the automaton.

To go out on a controversial simile here - this seems very much like the promise of OO languages and methodologies to cure the software of the world of crappy coding pratices. What it has brought us is 10 times the programmers, writing 10 times as much code 10 times sloppier. It's still riddled with bugs, and it's 10 times more bloated. The really good coders that did it "right" were doing it right before OO became popular and still code circles around your average corporate java or c++ coder. In my eyes and opinion, the OO revolution has decreased rather than increased the overall quality and design of the world's source code taken as a whole.

In both cases, I feel the right answer is that coders need to be taught better, and companies need to be more choosy about the coders they employ and the work they consider acceptable from these people.

Quick Comments...

[tqbf]

• The article lacks credibility. Security is a complex issue. There are very few organizations qualified to present it authoritatively. Who is NewsFactor? Who is Masha Zager? What is the "Informations Systems Security Association"?
• Ignores the worm gene pool. Several of the Linux worms cited use the same (uncommon) vulnerabilities to gain access to computers. Putting a different payload on the same attack doesn't make the "different worms" uniquely different threats.
• Newer != Insecure. SunOS is old, and insecure. djbdns is brand new, and very secure. Secure programming, and (more importantly) secure design, are new disciplines.
• Linux != New. Linux is new in implementation, but evidences the classic Unix security model. The Unix model is flawed, but not impossible. Win32 has a "better" design, but does nothing to make that apparent (in the same sense as Darwin doesn't make apparent its microkernel design).
• Bug Counting? Most Linux bugs are in packages. There are thousands of available packages, virtually all with published source code. Third-party QA teams at ISS and Network Associates can go make a list of 100 CGI programs, read bad source code for a week, and generate 15-20 new advisories. Very, very few of them will affect real, deployed systems.
• Still More Bug Counting! Linux sees more bug reports. Linux has published source code. An independant QA person can spend a month looking for a remote attack on Win32, come up with one, and coast on it for a year --- that remote hole will probably affect 80% of all deployed systems. To get the same cred, you need to find tens of holes in popular Linux packages. It is both significantly easier and more useful (to the reporter) to find numerous Linux-related holes.

Re:Quick Comments...

[PigleT]

"Newer != Insecure."

Agreed. Both on the macro scale you cite, and on the micro; to some extent, I've come to the conclusion that in this day and age, the best you can hope for is not "secure" (because that's impossible and illogical), and obviously not "insecure" (as that is undesirable), but maybe "unknown until there's a better version around".
E.g., apache-1.3.9 had its hey-day until a small series of fixes including one or two vulnerabilities pushed it up to 1.3.27 today. At all stages, if you were tracking the latest version, you were fine until the next.

"that remote hole will probably affect 80% of all deployed systems"

Agreed; you are correct to say that a given bug's severity should include both seriousness (depth of potential break into the system - remote or local, root or user) and impact on the entire user-base.

Re:Quick Comments...

[tqbf]

What the hell are you talking about?

Difference

[AftanGustur]

I've *taken* MS curricula before and its not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs.

My thoughts exactly when I took the NT server/admin/whatever course. I realy felt like I had been had (or that the company I worked for had been had).

Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

Re:Difference

[swb]

Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

I've always wondered why people don't offer more in-depth courses that cover more than just remedial networking-101 and basic dialog box entry, since the "official" curricula is so empty. The answer is probably twofold:

Most people are taking the classes for bad reasons: to pass the MS cert tests, to get out of work for a few days or because of work requirement. They're not actually interested in how it works.

-or-

Even scarier, it's because nobody (outside of 500 or so developers, MS employees and other who aren't telling) REALLY knows how it works! 15 years of weird coding, new features, parallel development paths, diverse coding groups, ad nauseum have rendered an OS and system that simply is too byzantine to be understandable by anyone. It's like a fractal design -- the closer you get, the more detail is revealed, which brings you closer, to more detail...

Specious arguments

[tuxlove]

I love it when people argue, as in this article, that Linux is less secure because more security holes are posted than Windows. There are two reasons why this is a specious argument. First, there is little doubt that the holes are there in Windows too. It's just that they don't get found as easily because of the closed-source nature of Windows. That doesn't mean the hackers don't know about them. I prefer *everybody* knowing, which is what tends to happen with open-source code. And, when Windows bugs are found, you certainly aren't going to see the bad sections of code posted to Bugtraq...

Second, the holes in Linux are generally less problematic than the plethora of VB script and other bugs in Windows. When a bug is found in fetchmail, for example, it's a lot harder to exploit than VB script execution in Outlook. Also, a small percentage of Linux users actually run fetchmail, but LOTS of people run Outlook (not to mention all MS Office apps). So, on Linux, unless a bug is found in the OS itself or in some program that's intrinsic to Linux's operation, it's going to be hard for hackers to exploit. Since everyone on Windows uses IE, Office, and so on, there is a much higher payoff for hackers.

It's sad how many so-called security experts are really just apologist shills for Micro$oft.

Security in a box

[huckamania]

Security comparisons of this box versus that box is a bit rediculous. No box can handle all aspects of security on their own. DoS attacks can not be stopped at the box. Port probes if conducted over a long enough time frame are nearly undetectable. One compromised box can be used to compromise all boxes on a subnet.

That's not to say that security is impossible, it's just that it is amorphous. It's as complex a problem as determining the weather or fighting multinational terrorists, simply because they change from day to day. To make matters worse, from the beginning of the internet any machine that is connected to the internet is a target for every hacker on the internet. Those are lousy odds.

The most secure systems these days are protected in multiple layers and the number of companies that are producing multi-tiered security solutions are growing. Still, without redesigning the internet as a whole I don't see security getting better, just more complex, costly and necessary.

It doesn't matter which one is more secure...

[kakos]

...because they are both insecure enough to be a hazard in a real world situation. If I want to run a secure box, I'll run a BSD (probably OpenBSD). One remote exploit in six years is a bit better than a new one every month (a trend both Linux and Windows seem to share). The only way to keep a Linux or Windows box secure is to patch it almost constantly. To be honest, that is a task that sysadmins don't want to be doing all the time. There are much more important things to be doing.

Re:I trust Linux's security implicitly

[netphilter]

Ummm...you misunderstand. I'm the Conservative Christian...freaks are people who don't like me. Foes would be people that I don't like. You should probably read the FAQ.

Re:different kinds of security problems

[the+eric+conspiracy]

for instance, slapper requires that you install gcc on your server. if anyone installs a compiler on a production server, the response should be "WTF!!!"

I don't think I have ever seen a Linux server being run in a production environment that didn't have gcc installed. Most of us don't have the luxury of homogeneous server installations where gcc-free installations are practical.

Now, of course there are other measures that could stop slapper that are a lot more practical - chrooting, tripwire, etc. are some of them.

Re:Flamebait indeed (Linux is older than Windows)

[gosand]

In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long- established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

To get even more picky, Windows is used as a generic term. Most GNU/Linux distros are older than Windows XP or 2000. Some Linux and BSD distros are older than Windows NT. The core security model of all *nix systems is much older than any Windows security model.

I didn't think much of this article, basically because it didn't really say anything.

Re:Clueless admins vs. byzantine systems and bad d

[alexjohns]

This is the sig that doesn't end, it goes on and on my friend, some people started typing it, not knowing what it was...

Malda's Law: All sigs end at 120 characters.

FACT: Security = 1 / Convenience

[md17]

I love it every time this argument comes up. It always has very few facts, and lots of emotions. It's fun to see all us nerds get so defensive about an OS. (I admit I do it too.) However, one FACT that we should focus on is this:
Security is the inverse of Convenience!
The more convenient something is, the less secure it will be. Windows, Linux, Solaris, etc. can all be very secure depending on what runs on them, and the pain, time, and messyness invloved in locking them down. Linux distros have many tools to aid in configuration. Use them, and your box will probably be less secure. Use a default Windows install and you will probably get hacked. So as some comments have pointed out. And now for my guide on how to secure any OS:
Use the Sans (I think) guides on hardening systems.
Have a good sysAdmin that knows more than clicking through wizards to set stuff up.
Keep everything patched and up to date.
Restrict user access as much as possible.
Turn off services that are not used.
Review the log files.
Use packet filters on your router.
Unplug the box for total security.

Law offices

[sharkey]

Ramen, Slapper, Scalper and Mighty may sound like Santa's new team of reindeer...

Not really. They sound more like the kind of law firm that Microsoft would hire.

You can't compare Linux and windows

[Junks+Jerzey]

In these type of discussions, Linux is equated with the Linux kernel, some device drivers, and maybe a handful of utilities like sendmail and so on. After that you get into debates about scripting languages and window managers and desktop environments and all that--none of which could be considered part of "standard" Linux.

Standard Windows, however, includes graphics libraries and scripting systems and a GUI, and even tools like file browsers and Internet Explorer are considered part of Windows. Not surprisingly, most of the security problems are in those high-level tools, not the kernel itself. Now it could be argued that the kernel shouldn't allow tools to cause problems, but that's wishful thinking. Microsoft introduced a scripting language into Word, and that's been the cause of so-called "document viruses," for example.

To do a fair comparison, you need to put together a Linux machine running KDE, Star Office, a graphical email client, and so on. And then you have to consider all security exploits in KDE and all applications that come with it. But of course that's never how comparisons like this are done. If a KDE application is at fault, then we're quick to dismiss it as a KDE problem, not a Linux problem. And so we run in circles with this kind of meaningless argument.

Re:You can't compare Linux and windows

[jedidiah]

How easily can you replace a random Unix component, including some KDE component?

How easily can you do that with WinDOS?

Structural differences between Linux and Windows

[ites]

Windows is remarkable because it consists of many fat vertical applications running on a relatively thin OS.
Security has to be implemented in each application at many levels.
Linux (and Unix) have a much more robust underlying OS and applications are relatively thinner.
So Unix applications are vulnerable when they (e.g.) chroot to access system resources.
But Windows applications remain vulnerable all the time.
There is really no argument about which approach will work better in the long run.

Lets define operating system...

[PetiePooo]

GNU/Linux O/S:

Linux kernel

GNU binutils

glibc

Microsoft Windows 2000:

Windows 2000 kernel and DLLS

Internet Explorer

Outlook Express

NetMeeting

Pinball

The Kitchen Sink

etc.

The choices of what you don't want to install in Windows is very limited. I do custom installs whenever I install any operating system. Windows comes with all the bells and whistles, free of charge (yeah, right!) and installed whether you want them or not.

Ever try removing the pinball executable in Windows 2000? "System Protection Services" pops it right back in place! Since when can a pinball game be considered part of the operating system?!?

At least Linux allows you to install just the pieces and parts you want. Especially on servers, a minimal system is inherently more secure. Its simple guys and gals: if it ain't installed, you can't exploit it!

Note for the purists: Yes, I've left out some packages that are required for a functional Linux install. Stop nit picking and get my point.

Re:Lets define operating system...

[SuiteSisterMary]

How is it nitpicking to point out that when comparing number of packages required, you're leaving out required packages?

Any OS, ANY one at all, is only as secure as the admin makes it. Period.

Re:Nice spin on the article

[NineNine]

My home box has Apache, but no ssl I really dont need secure transactions that much, if I did I would keep it up to date just like everything esle I use. Now lets look at Nimda, what % of people on windows use outlook/outlook express, and of these how many would not keep their system up to date.

Let's talk about servers, where security is REALLY important. I've never seen an NT/W2K Server with Outlook or Outlook Express installed. Nimda isn't a problem.

Slapper is a hole designed for SECURE SERVERS.
I'd say that Slapper is much more of a security problem than NIMDA ever was.

Re:I trust Linux's security implicitly

[ncc74656]

I'm disturbed you have a list of Conservative Christians on your freaks list and are so quick to share it.

Umm...if I'm not mistaken, you don't put anybody on your freaks list. The freaks list is a list of everybody who's marked you as a foe. The poster is calling himself a religious conservative and is calling out those who disagree with him. (Personally, I'd prefer the label "charter member of the vast right-wing conspiracy." :-) )

Re:Paranoid

[ncc74656]

There are no hacker-made Linux anymore: everybody use well-supported distros like Red Hat, Mandrake, Conectiva.

I guess that makes me nobody, then. I suppose there are more nobodies out there as well.

How can anyone put worms in *open source* files?

[aquarian]

I don't understand- the whole point of Linux is that it's *open source,* meaning that anyone can read the source files. So how could anyone put a worm into them, without someone else seeing it?

I'm sure all kinds of crap could find its way into a Linux distribution, but if you download one from a trusted source like Debian (which is very well reviewed and tested), I don't see what the problem is.

Re:Nice spin on the article

[N3WBI3]

Really nimbda was not a problem for servers? it used IIS to propigate across the network dimwit. Servers which had neither Outlook, or Express but were running IIS (ding ding ding A FRIGGEN SERVER TOOL) spread nimda to any network share it had open!

now MS is responsable for this becuase they produce IIS, apache has nothing to do with linux other than it runs on the OS.

You want to talk about which is a bigger risk? Nimda would give administrator permissions to guest accounts and share all drives RWX (even on the IIS servers without outlook/express). The number of infected webservers using IIS were more than 100 times the number of Linux with slapper.

Slapper otoh is uesd for dos attacks and does not change permissions on any important data elsewhere in the system, it also does not augment user permissions on the server.

If you wanna talk with the grownups get a clue

LOL at the books

[Scooter]

That is so true...

Day 1 - a new Windows OS appears..
Day 2 - Large book with 1000 pages of screenshots entitled - "Windows xxx - the bleedin obvious" is published :)

Day 7 - "Instant Experts" return from MS certified class where they were taught 30 hours of "The Bleedin Obvious Admin 101" - how to fill out properties forms and click buttons. "Don't try to peek behind the curtain now - just click the buttons. To make the OS secure, for example, click the button marked "make my computer secure". No actual networks/computing/API etc knowledge required!, and certainly none imparted on this course!"

Why Debian is easy to secure

[steveha]

I am not an experienced sysadmin, but I have found sysadmin tasks to be pretty easy with Debian. Here is how to run a server with Debian:

0) install using the Debian "stable" branch. (Use the pgi to install; it's easy.)

1) once a week or so, run the commands:

apt-get update; apt-get upgrade

These will go out and get all the latest updates to your packages.

If you update your packages, worms like Slapper will not be able to get into your system.

Debian also provides a really excellent howto. Any Debian server admins should study it:

http://www.debian.org/doc/manuals/securing-debian- howto/

P.S. I'm sure Windows systems can be made secure, but it has to be more work than securing a Debian system. There is nothing as cool as "apt-get upgrade" on Windows.

steveha

Re:Why Debian is easy to secure

[steveha]

That howto I linked to has those suggestions, and many more.

Maybe you think once a week is not often enough to update packages, but a Debian server admin who updates once per week will be way ahead of 99% of amateur server admins, and some of the professionals. The Slapper worm was in the news recently because it was causing problems... but the security holes it uses had been fixed months ago. There were a whole bunch of servers with really out of date software. Probably few of those servers were running Debian.

P.S. Yes, backups! Run backups!

steveha

Re:Nice spin on the article

[NineNine]

Well, what I'm asking is what's inherently wrong with a GUI? *Should* server administration necessarily be difficult? Beign difficult for the sake of being difficult is just stupid. On top of that, virtually everything in W2K can be automated now with WSH. I use a GUI with MS Terminal Services over dialup and it works great for me.

Just hacked

[Ektanoor]

Well, while people were discussing here about security, in one of my works a Linux box was just hacked. Frankly, I am an anti-Windows. And please note that I been more than 15 years in touch with this OS (since the first beta). So my anti-Windows feelings are deeply rooted in inside my experience. It will be hard to change someone who dig up in several Windows, looked to tons of code and worked in more than 15 jobs... Besides I have a relative who managed to see who's BG from inside, so I have no sympathy for that guy.

However I had and have no doubts about the security of Linux. Because I know its level of security, I know it is much better than Windows and I know that if an admin takes care of its boxes, then Linux is much more secure. But not inpenetrable. People do hack it (I hacked it very frequently btw) and hack it deadly. And the worst is that a hacked Linux box can be 10 times deadlier to your network than a silly Windows machine. That's a trouble Linux has - it is too powerful for both sides. Besides it is even more powerful when you go into combat. Fighting someone installing rootkits and changing every piece of soft in your machine is something. It is spectacle that no Holywood director can be able to describe. It also can be timeconsuming, depressive and boredom like the hack I'm fighting now.

To work on Linux one should take care of a few things: Absolutisms and maxima are dangerous here. If you came to see the gun then learn to shoot or someone shoots you. Forget all those books and "Hackers", enter the Matrix religion and learn from your experience. And most: If you can't stand up maybe you should choose something else, but don't go flaming because you feel not smart enough. It makes you look like a jerk.

Programmer? Use Debian

[thelexx]

Not only is it the distro most geared toward programmers, a simple 'apt-get upgrade' would have done what you wanted.

aberdeen.clueless

[twitter]

Security problems exists - it may or may not be worse in Linux than windows...keep your systems updated regardless.

If M$ security patches delivered security, M$ would not have a bad reputation for security. I'm tired of hearing this old saw because it is not true. M$ security "updates" are usually huge, hudreds of megabytes, and contain far more than security updates. It might even be argued that M$ patches create more exploits than they fix becuase M$ is so bussy trying to screw everyone out of playlists and other silly marketing data.

Aberdeen, extensively quoted, is obviously a paid whore and clueless. Anyone who would compare the security of the "not designed for security" M$ world to the peer reviewed world of multi user Linux and not see one as clearly superior to the other has loose screws. Their website states, "Unauthorized use or reproduction is forbidden." I'd say there were many things they don't get.

The only flaw in your procedure

[ebuck]

Although I sympathize with you, I did notice a flaw in your installation procedure.

At no time did you ever mention that your read the README file or attempted to get any installation documentation.

I agree that many can replace their car's AC compressor without reading the instructions, especially if they have had some experience in auto mechanics, but many of these replacements will not have the lines bled or dried properly, and even fewer will include the 1/4 cup of oil needed on some compressors to prevent them from going bad next year.

Experience can be a great asset, but it cannot generate knowledge on the fly.

Re:you can safely ignore this article

[octogen]

An Operating System should of course not be affected by a worm which exploits a bug in a webserver daemon.

However, an Operating System can not prevent a worm from exploiting a bug in an application, but it should be able to prevent an application (and even a hacked application) from taking over the operating system or other applications on the same computer.

Comparing OS securtiy

[octogen]

When Microsoft compares Windows Security with Linux/Unix security, they commonly show you all the cute security features of Windows 2000 and then compare it with a freshly installed Red Hat 7 box (or something like that, debian, SuSE, whatever you want).

What about comparing the most secure setup of Windows with the most secure setup of Linux or Unix?

Now you end up comparing Windows 2000 with HP SecureLinux or with Trusted Solaris, Trusted Irix, and so on.

The most secure setup of Windows 2000 has C2 level security (discretionary access controls capable of defining access to the granularity of a single user, audit trail), while the most secure Versions of Linux have things like domain based access controls (however they are not certified at any TCSEC security level, not even C2) and the most secure Unix environments have B3 level security (structured protection, zero design flaws and minimum implementation flaws).

Just take a look at how security mechanisms work, maybe compare Linux+Pitbull/LX (domain based access control) with the most secure Version of Windows 2000 - and try to imagine, how DBAC keeps your computer secure, even when somebody hacks your sendmail daemon.

Now go and look for a Version of Windows with zero design flaws, or maybe just a B1 secure Version of Windows, good luck.

regards,
octogen

Some further information:
Trusted Solaris, Sun Microsystems; ITSEC EAL4 (exceeding B1 security);
Pitbull, Pitbull/LX, Argus Systems; ITSEC EAL4 security for AIX and Solaris; Domain Based Access Control for Linux (Pitbull/LX);
XTS/300, Getronics; TCSEC B3;
Firewall Server, BorderWare; (Unix based Firewall), ITSEC EAL4 with EAL5 vulnerability analysis;
Windows XP, Microsoft; TCSEC C2;

Re:Nice spin on the article

[Kjella]

With atleast a quarter GB of updates to Win2k systems - that's a lot of fixes!

Um... so they total up to it, but I thought every service pack contained all the fixes in the previous ones, so it doesn't really make sense to add them up. Not to mention it's a service pack for several Windows 2000 versions (though similar, I'm pretty sure a Win 2k Pro only would be smaller).

Anyone have any numbers on how much a No-SP Win2k install really need to be up to date? (express download)?

Kjella

usual apples-vs.-oranges

[g4dget]

The BugTraq reports on Linux and Windows cover very different amounts and kinds of software, so comparing systems by their number is not meaningful.

In any case, the issue is not how many bugs there are in either system, but how easy it is to secure and audit either system. For example, it's much easier to stript down a Linux system to a tiny set of well-understood processes and services because it's all open. With Windows, much less of that is documented, and I can't figure it out from sources; it also changes with every release.

Programmer of 23 years vs administrator of 2 years

[Skapare]

This is why we should not allow programmers to moonlight as system administrators. As a programmer, of course I expect you to never, ever, code up a buffer overflow exploit. But please leave system administration to professionals who know how to do the job. A system administrator of 2 years experience or less (usually way less) could do this with ease and correctly.

Re:Scripting

[jedidiah]

The sad fact of the matter is that most Microsoft end users have ZERO use for an office suite that can be used to spam all of their friends and delete all of their data. Scripting in msoffice is a power user feature searching for a real purpose.

This makes it highly questionable even without getting into how robust the feature is.

At least in a Unix environment, you are much more likely to find the sort of power user that would find scripting useful. Nevermind if it's harmful.

WinDOS office suites already have more features now than most users can cope with.

A Recent Microsoft Bug - swept under the carpet?

How many bugs for Windows have been swept under the rug?

It amazes me. Really. Authors bandy about Slapper and its varients as a new kind of Linux boogyman (despite the existance of previous Unix and Linux worms) - proof that the argument for Linux, and perhapse even Unix, security is falling apart. Yet there is no talk of actual numbers in the wild. No talk about how long the actual window of vulnerability from discovery to patch existed.

Meanwhile... my organization's main VPN service (running a Microsoft PPTP server... unfortunately) has been vulnerable to a DoS, and possibly a remote compromise since at LEAST Sep 26. Exploit code that demonstrates this vulnerability was released shortly after (I believe Oct 1). Yet there has yet to be any word from Microsoft acknowleging the issue, much less any forthcoming fix/patch.

Microsoft PPTP servers - Win2k, WinXP, AND WinNT 4.0 sp6a (I have personally tested Win2K and WinNT varients) are all susceptible to this exploit as demonstrated by this code - and have been for over 2 weeks.

Sure. Sticking a Sun box, or Linux, or even OpenBSD in your server room doesn't give you instant security. Unix is not a fire-and-forget solution. But these folks have been in the trenches, successfully dealing with the technical issues of security for the last couple decades.

Microsoft still seems to see security as a marketing problem.

Re:Nice spin on the article

[Blkdeath]

Um... so they total up to it, but I thought every service pack contained all the fixes in the previous ones, so it doesn't really make sense to add them up.

Assuming a business has existing Win2k installations, they would have had to apply each of them as they were released in order to be up-to-date. The only people who don't have to worry about all of them are new installations, in which case they would only need to apply SP3 (if it works for them - I've heard a number of horror stories).

Not to mention it's a service pack for several Windows 2000 versions (though similar, I'm pretty sure a Win 2k Pro only would be smaller).

Regardless, the codebases are doubtless very similar (just different branches for the additional functionality offered in each version). Enterprises would still download the entire service pack to apply it to each of their machines rather than performing the "express install", which is only "express" for one or two Win2k machines. When you have a dozen servers and three hundred workstations, one 100MB download is preferable.

Anyone have any numbers on how much a No-SP Win2k install really need to be up to date? (express download)?

I remember when I installed a vanilla Win2k Pro not too long ago, it took (using the express download from windowsupdate.microsoft.com) somewhere to the tune of 150MB or thereabouts to get the OS up to date (including IE 6, Windows Media Player 7.1, all service packs, security roll-ups, and security/component updates released after the roll-up).

Slapper Myth

[_Sprocket_]

Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ...

Who? Just who thought Linux was a magic bullet against malware? Point them out. And I'll show you an idiot who has not read RECENT history.

Sure - there are some basic architectural decissions that make Linux more resiliant than its Windows bretheren. But the history of Linux (and other flavors of Unix) worms alone show that it is not impenetrable - a history that produces plenty of examples from now until late 1999, a span of less than 3 years.

It amazes me how often zealots - both Linux and Windows - seem to view Slapper as some major new event. Its not. It is not the first Unix worm. It is not the first Linux worm. It didn't infect systems in any particularly unique or novel way. Nor did really generate the kinds of numbers that put it on a pedistal amoung worm-kind.

Slapper is only news to zealots and authors who are both new to information security and generally uninformed.

Re:Nice spin on the article

[Blkdeath]

correct. If you don't know how something works. Then you will have a harder time breaking it.

Logical fallacy; not having the source code is in no way conducive to not knowing how that application works.

Proof: the sheer number of exploits to all closed-source software.

Here's to hoping you're being sarcastic!

QED

Boy, is that ever over-used. ;)

Re:Nice spin on the article

[Black+Copter+Control]

Well, what I'm asking is what's inherently wrong with a GUI? *Should* server administration necessarily be difficult?

GUI administration is not necessarily more or less difficult than CLI administration.

Knowing which menus you have to wind your way through to bring up the ipconfig utility is not any easier than just remembering the ipconfig command name. I, for one, have sometimes spent half an hour or more trying to remember what magical sequence of menus and options are required to get to the 'friendly' GUI display that I know is there, but I forgot to click on some obscure option 4 menus back. Navigating those menu options is like running a rat's maze. Anybody ever run into a user who never knew that you had to click on a folder to get the 'find file' menu in Win/95? Is this really easier than typing ' find -name "purple*" -size +50 '? s.

Besides having to remember where to find the GUI commands, one also has to take into account that GUI interfaces inherently take way more resources than a CLI interface. If I'm in Atlanta for a conference and I find out that there's something wrong with my Linux server in Seattle, I can call in using my laptop's modem and fix the system from anywhere (even in flight). Trying to do the same with a Windows box pretty much requires me to have an ADSL connection. One also has to take into account the resources demanded on the Server end of things. If my server is already within an inch of crashing, the last thing you want to do is load it down further with a 50MB GUI that eats 15% of the machine's CPU. -- and if I want a 'user friendly' interface without the load of X, CLI interfaces can include menu-drivern utilities that are about as easy to use as GUI interfaces, but cause 1% of the CPU load.

There's also the question of scripting. If I have something that I'm going to be doing more than a few dozen times, I'll often write a shell script that does most of the work for me. Preferrably, the script can just run entirely automated, then I can just run it as needed with cron or triggered by some other program. That's something that's a lot harder to do with a GUI -- and a lot less portable.

Unix doesn't require one to use CLI solutions -- They're available as an optional tool. The availability of those tools is, I think, part of the reason why your average Unix admin can handle way more machines than your average Windows admin. GUI tools are also available to a UNIX admin, but I only use them when they're appropriate to what I'm doing.

Re:Nice spin on the article

[Black+Copter+Control]

Perhaps you could elaborate on the alleged unapatchable holes in Windows Messages?

I would, but Microsoft threatened to sue me for violating their EULA if I did that.

Re:Feature request: "max security" install option

[steveha]

I would prefer if there was a single install option that allowed me to automatically disable all the potentially insecure services.

Dude, read that howto that I linked to; one of the things it tells you about is the "harden" packages under Debian. When you install "harden-servers" or whatever it disables insecure services, among other things.

Debian rocks. But then, you knew that already.

steveha

Re:Clueless admins vs. byzantine systems and bad d

[mpe]

A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists?

Some of them appear to be so obscure that their major use may well be the propergation of malware. "Intergration" can translate into write very bad, even "sphagetti", code.

And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.

It's quite possible that there are "black hats" who know about these...

Re:Nice spin on the article

[N3WBI3]

The reason *nix admins make more $$ is because we can maintain more servers than a windows admin. If I have to set up a network with 20 servers I can find one unix admin to take care of them (imho 20 is reaching your upper limit for an average admin). For 20 windows servers your talking 2 **maybe** 3 adming, your not that much cheaper.

I also like the 80%/10%->80% other bs stat, I would really like to see a source on the number of servers active, I was under the opinion that in the server market Linux had about 20% market (I could be wrong), when you add SUN, AIX, HPUNIX, and now OSX, im sure there are others I dont know about that have a decent share windows has much less than 80% of the server market.

now you are right that Windows has gotten a ton better, but for every two steps forward they take in software (I would use 2000 as a desktop and **maybe** for some server apps on a small (200 Clients) network, they take two steps back, imho, in terms of their EULA's. That being said I hope MS does fix its problems, 2000 was a decent server os.

Re:Ramen, Slapper, Scalper and Mighty ?

[schon]

>2- Unicode File Traversal Vulnerability. Appeared like 1-1.5 year ago. Still some servers vulnerable

Again, sysadmin problem. Its been patched.

But it's still a problem with the OS. It doesn't matter if it's been patched or not.

>3- Melisa & IloveYou & others countlessly many Ms Word worms

Application problems, not OS problems, big difference.

But the application (IE) is (according to MS) part of the OS. The problem is that it's integrated with the OS so much that it becomes an OS problem.

3 of the 5 issues above are application issues, not OS issues.

No, one of the 5 issues about is an application issue. If MS says that IE is part of the OS, then it's part of the OS, and there's nothing you can do to refute that.

Re:Nice spin on the article

[Blkdeath]

Well, what I'm asking is what's inherently wrong with a GUI? *Should* server administration necessarily be difficult?

A GUI does not automatically equate to an easier task of administering a server, but instead to a more mindless task. Administering a server via CLI is dead simple. For example, I needed to update my DHCP server's configuration to pass two domains instead of one to the client machines. So I SSH'd over to the server from my laptop, ran `vim /etc/dhcp/dhcpd.conf`, added the domain, and ran `killall -HUP dhcpd`.

To perform the same procedure under Windows, I would have had to either walk over to the server and connect a monitor to it, or run something like VNC (or Terminal Services, which I won't run on principle), open the start menu, the sub-menu for the DHCP server, open the configuration utility, find then alter the setting, apply changes, close the applet, open Start - Settings - Control Panel - Administrative Tools - Services, find the DHCP server, open the properties, and re-start it.

I would have had to think less, but do more and utilize about 98% more network and system resources to accomplish the same end.

All of my installed daemons can be configured from within /etc, and most an re-initialize their configs on the fly with a quich hangup signal. I can easily distribute configuration changes and software updates across a large network of Linux/UNIX boxes with any number of available tools; or even run many servers via read-only NFS with only local /etc directories, which can make updating 1000 servers happen within hours, not days.

The only supposed downside to administering a CLI system is that you have to actually know how it works before you can function. There are countless Windows administrators out there who feel that their experience with Win'98 makes them amply qualified to administer Win2k because the interfaces are similar enough.