Windows vs Linux On Security

e8johan writes "NewsFactor is running an article asking whether Linux really is more secure that Windows. I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."

Security depends on many things.

[Anonymous+MadCoe]

Which is more secure is such a hard question. UN*X is structurally more secure in many people's opinions. Windows also has the disadvantage that it has many clueless admins (even the certified ones). I think that's a big part here, any OS is as secure as the admin, a well managed Windows box can be more secure than a badly run Linux box... A propper comparison will be much more complicatec than this article.

Re:Security depends on many things.

I know a couple MCSE guys that are "security experts". They think hackers use programs called "script kitties" to break into machines.

Meow!

Re:Security depends on many things.

[monadicIO]

In circumstances like these, I think the best metric would be to use averages. An average windows box is less likely to be well managed given the profile of an average windows user (not to say (s)he is less smart, just less of an OS/security geek). Add to this the bundling of dangerous products like VB-script enabled utilities, and the winbox (even corporate-admin managed) is a disaster waiting to happen. On the other hand, a *nix user is mostly a more sophisticated user with a little more understanding of security. I don't think it is possible to have a really completely fair and proper comparison of the two systems unless you only ask persons who use/admin both systems.

Re:Security depends on many things.

[monadicIO]

Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?

Re:Security depends on many things.

[tres]

With a properly designed and implemented system of groups, there's no need for ACLs.

Using SUDO beats giving ON or OFF Administrator privs to multiple people.

I'd say that gives UNIX a much finer granularity of control than NT.

NT 5 is catching-up with the "run as" command, but it's really only good for point-and-click administration.

more control == better security

Re:Security depends on many things.

[haruchai]

There are kernel patches for ACLs for Linux filesystems, http://acl.bestbits.at/ and other
Unixes also have it built-in. Solaris has had this for years.

Re:Security depends on many things.

[1010011010]

You're right. NT, like its VMS predecessor, is more secure by design. It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine. Unix apps are written with the understanding that there are any number of users, none of which are root.

Re:Security depends on many things.

If the old UNIX permissions bits are so much better than ACLs, why did Solaris and all the other commercial UNIXes switch to ACLs years ago?

The suggestion that the old UNIX method gives more finely-grained control than ACLs is perplexing. The ACLs on NT and Solaris, for example, can perfectly simulate old UNIX permissions bits for software that uses them (both are certified as UNIX by The Open Group), but old UNIX permissions bits couldn't possibly simulate the typical permutations of ACLs used on, for example, NT systems.

The big drawback of ACLs is they're so much more powerful and complex that they're often confusing and often overkill for simple systems (e.g. cases where Linux is commonly used).

Re:Security depends on many things.

[SerpentMage]

While that may be true, I think that is also what makes it more insecure. I have seen tons of documentation for programmers how to manage security. This means a programmer REALLY needs to know their stuff. In other words most programmers will not know their stuff. And as a result the apps are insecure. But the cause of the insecurity is not the app, but the OS because it is SO DAMM DIFFICULT.

While UNIX security may be simpler, it did not take me a huge effort to understand.

I use Windows and LINUX daily. My notebook is usually running XP and I have to say they screwed up security royally. The easy to use guides like "make available to shared users" actually opens your machine royally. The not shared locks everything done. But there is no middle. I had to go back to traditional NT security to twiddle how I wanted things.

Here is why I am gripping. I have a home network. And on this home network typically it is my wife and I. But sometimes I have friends come by with their notebooks. So they hook into my network. At that point I want per user security. Try to do that with the new "easy" to use XP security...

It all boils down to the same thing. NT has better security, but it is so DARN difficult that managing it effectivily is impossible.

Re:Security depends on many things.

[Asprin]

Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?

Amen, I wish I had a mod point to give. Along similar lines, didn't CDC claim that BackOrifice uses the same standard API calls as MS's own SMS to provide remote access? On second thought, maybe and maybe not.

Either way, it seems to me that most of MS's security problems have less to do with the OS not doing it's job and more to do with the fact that MS has designed every one of their products to encapsulate (arbitrary) code inside their data files so their developers have easier ways to hammer out apps.

The problem is that the same scripting engine that lets Word (usefully) puke out mailmerged documents generated from a VB/Access app also gives virus authors a platform to attack. The fact that it's useful to combine code with data just means the platform is now ubiquitous, and therefore not going away because this is a fundamental design issue, folks. MS did this on purpose to make it easier to get computers to run code, and it can't be fixed by patching holes.

To really fix this, MS would have to renounce this entire experiment and replace every copy of Win/Office/IE with new software that is less 'capable.' Those of you who are paying attention probably now understand Mr. Valentine's comments of a few weeks ago, as well as Microsoft's interest in shoving Palladium down everyone's throats.

Re:Security depends on many things.

[Ed+Avis]

The OS can compartmentalize resources so that if one app makes an illegal memory access, it doesn't crash the machine. The OS can limit access so that if one server is compromised, it can only screw up its own files and not the others on the box. NT does both these things (the latter with the ability to run a server as a particular user). However, no OS can do anything about deliberately stupid applications which choose to execute scripts stored in documents, for example.

Well, I suppose it would be possible to run Outlook under its own user account or with a reduced set of permissions, so that it could access only its own mail spool and not the rest of the user's files. But that would really get in the way of typical usage. Perhaps if there were some way to allow small extensions of permissions a la Java ('Outlook is trying to save a file c:\foo.doc. Do you wish to allow this?' and press Yes if it's something you asked for, No if it looks like a worm doing something nasty). But AFAIK no desktop OS has ever done anything like this; all desktop apps run with the uid of the current user and have full access to his files.

When developers make moronic decisions like auto-executing scripts in documents, it is not fair to blame the operating system. It is not so much Windows as the crap which festers around it (albeit coming from the same company). You don't hear about too many exploits in the Windows FTP server program (although surely there are some). Why not? Because FTP is a standard protocol and Microsoft haven't been able to set their monkeys loose on it and add insecure extensions.

Re:Security depends on many things.

[0x0d0a]

The problem is that there are a couple of issues:

** Out of box:
Linux: used to suck hard here. Traditionally, ran lots of services. You were supposed to know what you were doing and close what you didn't want. Now, unacceptable for new users. RH 5.2 shipped with tons of services, which people found holes in quickly. RH 8.0 ships with far less running.
Windows: Fewer services than old Linux, but too many things running as "root" like IIS. A ridiculous amount of holes in IIS compared to Apache. XP is supposed to have (finally) proper permissions out of box.

** Granularity:
Linux: normal UNIX stuff. Getting ACLs. Not very granular at all. You have the framework to hack up just about anything you want with sudo and scripts, but it isn't there out of box, and it isn't standardized.
Windows: Nice. You can say "sally and bob can read this file, and mary can only write to it but not read it." ACLs may not be fast or easy to examine for mistakes, but they're powerful and easy to use.

** Easy of screwing up:
Linux: UNIX is pretty easy to examine for irregularities, suid binaries, etc.
Windows: Just like VMS, it's a *bitch* to know if you have some series of permission errors that screw you over somewhere.

Re:Security depends on many things.

[Karellen]

Compared to ACLs, the UNIX model of a single administrator with r00t access, and `everyone else', is simple. Very simple. The `setuid on execute' (with root as owner) for small, auditable programs (such as `passwd' and `su') that do simple things to allow people to do things requiring root capabilities (write passwd file, change to another user (including root)) couldn't be made more simple and straightforward unless you tried _really_, _really_ hard.

And some competent sysadmins still get it wrong on occasion. It's rare, but they can.

Stopping determined attackers cracking your system is hard, even if you have all the latest patches. The more complex your system gets, the more chances are that you'll miss something.

The complexity of ACLs? I've seen the API docs(*) for them. That's just nasty. It's _too_ complex IMO for an admin (even a good one) be certain of getting it right all the time. I'll take the simplicity of the UNIX way. I'm more confident of getting it right.

K.

*(Well, I've seen the MS ACL API docs, but MS have a habit of creating really shitty APIs, so there may be a better way)

Re:Security depends on many things.

[electroniceric]

Well, I think you hit the nail on the head with this:

It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine.

AFAICT, in terms of usability there is a profound unsolved problem here, which is twofold.

One is that many (most?) end users just want to do stuff on their computer, and as such they _sometimes_ need to be the administrator, without really understanding permissions or security. Remember Steve Gibson's rant about how XP by default has raw socket access for all users (b/c they are root). Microsoft has opted to make them administrators all the time to avoid explanation to a million disinterested and disgruntled XP users why they can't install the educational software their kids brought home from school.

A second, deeper problem affects both *nix and windows. The most serious threat in a compromised system is the loss of data, most of which lives in userland. But at least as far as I understand there's no clear way to determine what code and data to accept. Convenience dictates that stuff from outside the machine will need to find a home on your machine, while security dictates that it should at best be data only, and no code. As we move into a more networked world, this balance needs to be reexamined and retooled over and over. But I don't see *nix making great strides in that area, frankly.

Article Summary

[Sabalon]

Security problems exists - it may or may not be worse in Linux than windows...keep your systems updated regardless.

C'mon...this was nothing but flamebait - nothing news worthy there at all.

About the only telling thing is the top line about MS turning towards spending $$$ towards security - perhaps that includes buying blurbs like this saying Linux ain't perfect either.

Seeing Bugtraq postings about Linux...

From the article:

Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

This is probably true, but only because for Linux, every security vulnerability gets posted multiple times, once for each vendor that has released updated packages, plus once by the vulnerability discoverer (so you get one by the discoverer, and one by redhat, debian, mandrake, suse, turbolinux, grandmasfavouritedistro, etc).

In contrast, with Windows, you only see a posting related to a single vulnerability twice - once by the discoverer and once by Microsoft.

It appears to me if you count each vulnerability only once, there have been more Windows-related than Linux-related.

Re:Seeing Bugtraq postings about Linux...

[jandrese]

And sometimes only once, when the discoverer posts and then nothing from Microsoft. Heck, by this logic, the most secure system is the one where the vendor never ever acknowledges security problems, much less fixes them.

Re:Seeing Bugtraq postings about Linux...

[Blkdeath]

And sometimes only once, when the discoverer posts and then nothing from Microsoft.

I seem to recall a big uproar about Microsoft deciding not to further their efforts to release e-mail vulnerability/patch announcements, opting instead to have users frequent their websites to view the contents of the announcements.

I'm subscribed to just about every Security Focus mailing list that has anything to do with security, viruses, bugs, incidents, events, etc. and I really haven't even seen many (any?) "Visit this URL for details" posts from Microsoft. I'd have to say that they've gone quite mum in recent months.

Of course, when you stop announcing your vulnerabilities in an open forum, then threaten legal action against anybody else who tries to do it for you, that open forum will slowly start to tilt towards the other guys. Sure, Linux/UNIX application vulnerabilities (don't forget that Apache, Sendmail, and BIND still run on FreeBSD et al!) are more popular on the list - but that's because people aren't ALLOWED to publicize Microsoft vulnerabilities!

I know that recent MS EULAs forbid people from disclosing benchmarks relating to the ".NET" suite of applications without Microsoft's prior consent - is it feasible that they've buried something in there about vulnerability disclosure as well?

Geez

[Hayzeus]

I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting

These aren't exactly a part of the operating system, though, are they? Any poorly set up system will be vulnerable. I'm no huge fan of MS's bloated products and crappy license arrangements, but I mean, really...

Re:Geez

[Hayzeus]

Very likely the security reports mentioned about Linux also included any that were present on the applications that came with Linux, so how can you exclude security problems with pre-installed Microsoft applications. You can't have it both ways.

I'm not trying to have it both ways. I would no more include past problems with Bind, Apache or WU-FTPD when evaluating Linux security than I would MS-Office when discussing Windows security. Nowhere have I said that I feel windows is particularly more or less secure than Linux -- In fact, using BugTraq reports as a basis for comparison is a fairly clueless means of comparing OSs for relative security. Not to put too fine a a point on it, but comparing "Linux" to "Windows" is itself a meaningless exercise, since the two are not equivalent in any sense.

The bottom line is that (as mentioned elsewhere) the weakest link in any system from a security standpoint is the operator of the system, period. If you want to make any kind of meaningful comparison, compare Windows against a particular distibution of Linux with an emphasis on securability. How easy is it to secure the system? How effective are the means provided? Then you might have a study worth reading.

weather Linux

[Nighttime]

Is this a new Linux distro I haven't heard about? Is it Debian-based like Storm Linux was?

There's three kinds of lies...

[Jack+Wagner]

Lies, damned lies and statistics.

Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

Actually this is yet more hardcore evidence that the FSF and open source proponents need to shift to a more modern Extreme Programming model of development and away from their legacy "hacker working alone in a basement" methodologies. I've done this using a modified P2P client for real-time distribution of code amongst a team of 3 other coders over high bandwidth connections and it works out very nicely-even though we were all in different states at the time. It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

This hits at the very heart of the Achilles heel of open source as it tends to be rather unprofessional and willy-nilly in it's approach to development and project management which was fine back in the early 90's but suffers from severe limitations in todays modern and complex software development paradigm. Sure they make more secure software becasue it's easy to make an Xterm secure and not so easy to make an giant enterprise ERP package secure. Lets see these "experts" comapare apples to apples sometime.

Re:There's three kinds of lies...

[dabadab]

Nice troll, modded highly.
I highly doubt your statements and evenso more that extreme programming would do any good to an open source project.
And don't even get me started on how complex projects were realized in the "early 90s" (and even earlier) that managed to be successfull without extreme programming.
Sure, XP does have its place and it may work under certain conditions - but for a project where the developers are far away, do not know each other personally and don't have the spare time to work on the project at the exactly same time - it would do much more harm than good.
(And finally I could cite Joel on extreme programming, but I don't because I suspect that you fully know that XP is not the holy grail of programming methodologies)

Re:There's three kinds of lies...

[rseuhs]

IIS runs less than 25% of webservers, Apache about 2/3.

But, IIS has the far, far worse security track record.

Re:Nice spin on the article

[N3WBI3]

Beyond this. The article refers to slapper, and the like. Many of which will not hinder a Linux system of your average user. How many people run apache with openssl on their system really? and of those people how many do not keep the revs up to date.

My home box has Apache, but no ssl I really dont need secure transactions that much, if I did I would keep it up to date just like everything esle I use. Now lets look at Nimda, what % of people on windows use outlook/outlook express, and of these how many would not keep their system up to date.

Point is one is a server deamon exploit (used by a very small % of linux servers (say 10-20% tops), and one is a mail client exploit used by a mojority of windows users (so there will be many oure out of date versions per capita)

Bug Counting Again...

[theBraindonor]

Yet again, we find an article that points to the significant number of Linux bugs going through BugTrack. The turn-around time for the patch in Linux is usually quite fast. Commercial software makers are starting to sue individuals for disclosing security vulnerabilities.

How many bugs for Windows have been swept under the rug? How many software vendors out there have patch security holes, and requested that their customers download the latest 'maintenance' patch?

Just ask some of the truly gifted individuals in security what they think of security through obfuscation.

Flaw in argument?

[ebuck]

It seems that Hemmendinger argues that the newer the software, the higher the likelyhood of bugs. While that argument sounds valid, it would only hold up under the following conditions.

1. Both platforms stem from an equal amount of design history.

2. Both platforms use technology of comparable complexity.

3. Both platforms refused to make concessions in software integrity to deliver their products.

4. Both platforms actively avoid known pitfalls in thier chosen architecture.

5. Both platforms remove flaws at approximately the same rate.

None of these conditions (and I'm sure there are more) exist in the comparison of Linux to Windows making the "age" argument a very weak one.

Re:I trust Linux's security implicitly

[Charlton+Heston]

I doubt the veracity of your story. The NSA has worked on a secure Linux distribution. The big laboratories were also pioneers on the Internet. They've had a lot of experience with that type of software development and your rubber stamp story doesn't fit in with that.

Depends on administrator

[hatchet]

I think that most of linux's security risks are there because of administrators. They should only run services and modules that are essential, but nothing else.
Administrators should have physical access to machine, so they can disable anykind of remote shell access. Do not run ftpd as root.. and so on. I think that would minimize security risks.

Re:I trust Linux's security implicitly

[netphilter]

"Linux is not being considered until the development model is safe."
Translated this reads: "I only know Windows so stop threatening me, for job security reasons we can't use Linux." Anyone that claims that the development model is unsafe is showing their fundamental misunderstanding of said development model. That would be the same as saying that the pharmaceutic industrie's development model is unsafe. It's essentially the same model. OSS allows for peer review, which ALWAYS makes more secure software. Look at crypto algorithms for another example.

how does newer == less secure?

[kubla2000]

from the article:

Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.

um, I don't get it. How does newer == "less secure" in this scenario? Sure, the older and os the more time it's had for the kinks to be worked out of it. But doesn't method have something to do with it also? Linux is developed in an open and peer-reviewed environment. It's maturing much faster than windows. There's no reason to compare the two in the way the author's done. Faulty thinking on his part.

What's also got to be factored in is the severity of the bug. A buffer-overflow that lets a cracker rm / is serious. A buffer-overflow that lets code run with the perms of the user owning the service in a chrooted directory is also serious, but much less so.

The author also babbles about the volume of security-related issues on BugTraq... I'm not the first and I won't be the last to point out the rather obvious logical flaw here. If Bugs are getting reported and being quashed then they don't pose a threat any more. If the bugs aren't reported because a certain company based in Redmond Washington won't allow them to be reported... well, it's kinda obvious from there.

That said, it is indeed encouraging to see more and more people concerned about security. I think the message is slowly being driven home.

It's not the OS

[m00nun1t]

Just about every major worm, linux or windows, has used an exploit that's been patched for a few months or more. The admin is a far weaker link than the OS.

Stating the obvious, I know, but whoever posted this flamebait article didn't think so.

On another topic, the moves MS are making with their auto-update tools should put an interesting light on the security landscape. The previews of .NET server look pretty good in this area.

What timing!

[Pedrito]

Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers. The only security problem found was with the version of wu-ftpd that I'm running.

No problem, I thought, I'll just upgrade it. So, my first step was to download it from wu-ftp's ftp site, only to realize I was going to have to figure out how to build it (that was simple, except I kept getting two or three errors in the compilation. I'm assuming my gcc is out of date) and then how to install and replace all the existing stuff (I have no idea how, and I don't have time to learn it).

So, I figure I'll go to RedHat, download the RPM and just install that. Which I do. Ran RPM to install it, no messages, try to FTP in, still running the old version. Shut-down and re-start, same thing.

Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

There's nothing I'd like more than to see Linux replace Windows on every desktop. When Linux is ready. Frankly, I don't think it is, and I think it's still got a long way to go. Sorry.

Re: What timing!

[Black+Parrot]

> Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers.

That's nothing - complete strangers do security scans on all my boxes every night!

Re:What timing!

[smnolde]

You need FreeBSD to get you out of RPM hell. It takes far less effort to upgrade software on FreeBSD than it does with any RPM-based lunix distro.

Getting out of RPM hell was the main reason I chose FreeBSD over lunix.

Re:What timing!

[Cytlid]

Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

Ok, I was getting ready to flame you for this... but after reading all the other replies, I thought not. I think the biggest problem people have, either on the Windows or Linux side, is living in a paradigm. Like it or not, you're most likely living in a Windows paradigm. You like the way it works, it's "easy" for you, you program in it. You promote and spread the Windows paradigm. The Linux Paradigm doesn't fit you all to well... I'm probably the opposite. Yea, I've been using Windows for years, and I'm used to it, but I honestly think I fit better into the Linux paradigm. (Read: if I were adminning a Linux server, trust it better than if I were adminning a Windows server.) I *know* I should hone my skills in Windows administration, but without really good (free, available) documentation... it's not possible unless I spend all kinds of money. Only thing I can hope for is to pick up tips from people I know are Windows Admin gurus. I think this whole debate is a matter of realizing where you stand. The people who see clearly in both paradigms will be the ones ultimately winning.

Re:What timing!

[timster]

The problem here is that what you were doing was not "desktop use", but for some reason you extend your experience to desktop use. What you were doing was clearly server administration. I don't hear anybody telling me that Windows isn't a good desktop OS because the DHCP Manager isn't intuitive (which it's not, unless you understand DHCP). Server administration is always going to require skills, and whatever other skills you may have you have no skills in Linux server administration.

As for your experience, you made a number of mistakes that anyone who knew what they were doing (as a Linux sysadmin would) would never make. First problem was thinking you should go to the wu-ftpd website and try to compile the software yourself. Unless you have some tremendous reason to do this, you need to go to your distributor in all cases, since their installations are customized in numerous ways that you have probably come to expect. Second mistake was expecting an RPM to restart the service for you (RPM's don't really go for pre/post-install scripts, see Debian for that).

The third mistake was the worst, as it totally ignores the whole purpose of your distributor. Development groups (like the wu-ftpd group) generally attach security and bug fixes to new versions, since they usually prefer to work on one codebase. However, your distributor should never upgrade you to a new version that changes any functionality unless you change the version of the distribution, since a given version is supposed to be stable. So, as every Linux sysadmin in the world knows, Red Hat doesn't just toss the thing into an RPM and throw it out there. Rather, they take their existing codebase (which as I said, is usually patched in several ways) and apply the security fixes to _that_. And everyone knows this because it is _clearly_ _documented_. If you are running a server (ftpd is not a desktop app) then you need to follow the security updates for your distro, which will quite clearly explain what patch level fixes what holes.

My advice to you is to either: remove all the server programs from your system and use it as a desktop user; hire a competent sysadmin; or spend the time yourself to become a competent sysadmin. Don't play end-user-with-a-server or you'll get burned, no matter the OS.

It's the user

[photon317]

The user makes all the difference. What software you choose to run, and how you choose to configure and audit things. How much care you give to security issues and how much knowledge of basic security you have.

However, if you are competent and security-minded, it is quite easy to make a Linux box extremely secure against all but the most directed and knowledgeable attackers, which are quite rare. If you run Windows, no matter how hard you try you're still gonna be fairly hosed. Some things just can't be fixed reasonably on that platform.

Re:It's the user

[CavemanKiwi]

I can make my windows box VERY secure, just turn it off :)

Bugtraq

[qurob]

Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows. Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.

So many programs get lumped into 'linux' and this is forgotten.

Imagine if EVERY time there was a patch for a Windows app, it was checked off in the 'windows' category.

Then again, there are more Windows apps than Linux...

You're comparing apples and ....

[mustangdavis]

I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

* Gets out a kleenex, wipes off author's glasses*

IIS - enough said.

The actual number of posts may be greater, but how many people install X on their Linux servers? How many people have xmms on thier linux server?

Also, considering that Linux is open source, and thus, hackers can actually look at the code for the OS, it is AMAZING that it is more secure than Windows! Can you imagine how many exploits their would be for IIS if a good hacker could see the source code for it?

Nothing more to be said here ... move on!

Security?

[Noryungi]

This sentence from the article really drew my attention:

Mainframe operating systems, which have been perfected over decades, have very few security flaws. Security problems on mainframes tend to be caused by administrators' errors.

Obviously, this guy does not know what he is talking about.

My father used to be a mainframe security officer at a Fortune 500 company. He knew mainframes inside and out and was always pretty much on top of things -- and he started his career on old IBM with punch cards, if you see what I mean.

Anyway, his company would hire (once every three years) an external consultant to test the security of the systems my father took care of. This consultant could gain the mainframe equivalent of "root" access in 30 minutes or less.

A mainframe operating system is not secure -- it's very stable (uptime=99.9999%), though, but that's a different thing.

My advice? If you want security, get OpenBSD. If you want the latest gizmo, get Linux (a real Linux) and invest some time in securing your installation...

Re:Security?

[onion2k]

Most OSs can be made secure. Even windows. By a good sysadmin.

Unfortunately this doesn't say much for your dad.

A user's standpoint

[InodoroPereyra]

Even though I contribute code every once in a while, my background is not in CS and I am not an expert in Security by any means. What matters to me is not whether open source solutions are inherently a little more or less secure than open source solutions. What really matters to me is what can I do to secure my machine .

Security holes happen for any development model, shit happens. With open source, GNU/Linux in particular, I keep an eye on security updates to my distro and that's it. Almost no effort if you use a friendly distro. Well, that and I check not to run services I do not need, use a firewall, etc. I know that as fast as a hole is found a fix will appear and I'll download new packages in a couple days. If I am really concerned I can compile and install in the meantime. Here is where the freedom meaning of free software shines.

Oh, and the title should better be "Open source vs propietary security". Old same old ...

ActiveX is...

[Arker]

Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older systems, and I don't believe anyone has even worked out a way to properly disinfect it from XP to date (if I'm wrong give me a link, litepc.com is still working on it, it's a tough problem.) ActiveX is also the very exemplar of security hole from the ground up. Despite all the lip-service given recently to the concept of security by Microsoft, this particular policy, by far the biggest cause of security flaws, has been intensified over time, not backed off from. This makes Microsoft systems and security antonymical.

Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above. What does Microsoft gain by making their systems inherently insecure? A rationale for the 'necessity' of so-called security schemes (that really don't have anything to do with security, but rather with centralised control) such as DRM. Flood the net with insecure boxes and then cash in later by 'solving' the problem in a way that makes you the effective gatekeepers of the internet. Now there's a business model with some profit potential.

Re:ActiveX is...

[Arker]

s/pain/impossible

Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.) You can do the same thing with ME, the easy way is here. NT based systems are harder, but it's possible to achieve most of these improvements there as well, elsewhere on the same site you'll see he's still putting the finishing touches on a similar product for XP.

The APIs are moving to ActiveX (cf .NET),

Yes they are, an excellent reason to step up the pace on eliminating MS from any environment where security is important.

I don't know that you could remove it even on Win 3.1

Win 3.1 didn't include any of this, that's a very bad memory or some FUD, depending on your internal state when you wrote it. Some of the earliest versions could be run on 3.1, but that required installing Iexplore updates, it wasn't on the system by default.

Not really. All ActiveX is is a codification of C++ virtual tables and object instatiation into a language independent standard. That's it. It's all in how you use it.

Not quite, that's COM, ActiveX is how COM is made available to arbitrary code, as from a webpage or an email opened using MS tools, which as a rule don't just neglect to give the user proper warning before executing proper code, they typically give no warning at all. Click on a URL or just an email header in Outlook and you can run code without knowing you are doing so. This is a fundamental architectural flaw.

Re:ActiveX is...

[sqlrob]

Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.)

You removed ActiveX *CONTROLS* and ActiveX scripting of IE, which is completely different from removing ActiveX.

Look under your registry HKEY_CLASSES_ROOT/CLSID. If you have *ANY* entries under there, you are using ActiveX

Not quite, that's COM,

Yes, it is. The official definition of an ActiveX object is "implements IUnknown". Sound familiar? ActiveX is just the marketing name for COM.

Re:ActiveX is...

[Fizzlewhiff]

Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

Your reasoning for windows applications being less secure than OSS makes no sense.

Closed source software is no more complex than its open source counterpart. The fact that millions uses software package A over software package B does not make A less secure than B.

I've never worked on an open source project because the closed source world keeps me too busy. But I would imagine its very similar to working on a closed source project, the main difference being teams are not working at the same location. Still, everyone works on their assigned piece of the project and checks it in and hopefully the project leader and others on the team review the code and perform walkthroughs. In either world security holes (buffer overflows, etc.) should be spotted. So its not the open or closed source model that leads to more secure code, it is the project management methodology and the people on the projects who lead to more secure code.

The code most prone to errors in my opinion would be the code written by teams of one where virtually no review would be done. I believe you would find this type of development more often in an open source project but it could happen in either environment.

The thought that security problems in commercial software being a conspiracy to make way for DRM and DRM based operating systems is laughable. I remember back in the early 90's a similar theory that IBM was writing the more common DOS viruses as a method to promote the usage of OS/2 because at the time no one had ever heard of any OS/2 virii. The fact that there was little OS/2 file swapping because there was little OS/2 native software never came into people's minds.

pick(nit);

[Black+Parrot]

> I think that's a big part here, any OS is as secure as the admin...

I would have said "the admin sets an upper bound on system security". The OS could still undershoot that bound.

Re: pick(nit);

[Black+Parrot]

> Actually, the OS would set the upper bound on system security.

Actually-actually, they both set upper bounds on the system security. The effective security is the minimum of the two bounds. You can't get better than your OS offers, and you can't get better than your sysadmin offers.

Myths of Linux Malware...

[sheriff_p]

Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ... VB has a good article (written before Slapper came out, as it happens) on why this is largely untrue:

http://www.virusbtn.com/magazine/archives/200209/l inux_malware.xml

Clueless admins vs. byzantine systems and bad docs

[swb]

I wonder if Windows' security problems aren't as much the fault of the everything-but-the-sink integration and legacy support, and abysmal documentation as they are inexperienced and unknowledgable administrators.

A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists? And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.

Third party resources? You can't say "take a class" -- I've *taken* MS curricula before and its not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs. Books? Usually no better than the online docs and often *worse*, and that's if you can manage to wade through a sea of 'em to find one that's not just screenshots of the online docs!

My experience with Linux and (predominately) FreeBSD is that while the UI of these OS's is often less untuitive, the documentation, even man pages, while dense is far closer to complete than Windows and there's a lot less hidden "gotchas". One of the great things about textual config files is that most sample configs, especially with stuff like Apache, Squid, etc is that the configuration docs are integrated with the config. You just can't do that well with Windows, which is moot anyway, since MS *doesn't* do it with their default configs.

My point is that while its fun (and often fair) to blame clueless admins, they're also admining a system that seems to try very hard to defy people who want to learn -- Just Click Here And It'll All Be OK. If they could learn and understand the operation of the system(s) and their archtecture they'd get a lot smarter. MS makes it hard to do this so people don't.

Flamebait indeed

[kafka93]

In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

Similarly, the quoting of a few minor-but-exaggerated viruses etc., and to imply that these stack up to anything remotely comparable to the plethora of such issues that plague the Windows OS, is quite ridiculous.

Let's face it - this is FUD. "Microsoft has organized a huge security program" and (Linux is) "less disciplined but more timely" -- such soundbites have been carefully calculated.

Of *course* security comes to more than the Operating System alone; still, one can only gape at such inane comments as "the existence of security flaws -- and of hackers willing to exploit them -- does not necessarily add up to more risk for users".

This is FUD that is based on the vaguest understanding of security, upon one man's comments, upon old, tired misunderstandings about the merits of "single commercial entities" -- in short, it is the usual chest-pumping pro-Microsoft FUD from someone who knows very little about which he speaks.

Re:Flamebait indeed

[jedidiah]

He knows well enough to be aware of what has actually been exploited. The article is infact a "Fear mongering" piece. It presents only the information that the author wishes you to see. It is clear the author has an axe to grind against Linux in particular.

The author ignores the common pedigree that Linux shares with Unix. The author ignores the underlying design issues that distinguish Unix versus Windows in theory and practice. The author plays a naieve numbers game with the bugtrack figures while conveniently ignoring the fact that Linux is more transparent.

He also makes the absurd assertion that more vendors == less secure.

If anything, competition and diversity should allow for vendors of varying quality and priorities.

Re:Flamebait indeed

[Reziac]

Well, I would have thought it flamebait too, and then I picked up a copy of "Hacking Linux Exposed" (http://www.hackingexposed.com/) This companion volume to "Hacking Exposed" is almost as thick as the original, which covers all other OSs combined.

BTW, they're both very good reads; indeed, I would say *required* reading for sysadmins of ANY platform.

Re:Flamebait indeed

[user311]

Umm, yeah, but there is also Hacking Windows 2000 exposed - which is pretty much the same size as the other two. Hacking Linux exposed was more in depth than its predecessor, and the same with HEW2K. So your comment by no standards solves the question at hand, nor does it verify whether the the article is flamebait.

The question is not Who? but HOW?

[Nicolay77]

Who is better, bigger faster? That doesn't help any community very much either.

What is good is to ask how to make actual systems better, to catch up faster with patches an so on.

My try:

Besides disabling unneeded daemons, automatic updating should be a priority for almost all users, at least for every desktop (not hardcore) user. MS would have that right if they weren't pushing EULA changes with every update. And checksums of packages would start to be a serious thing, not something we saw but ignore in the same web page as the .rpms, .isos or .exes.

But this automatic updating should be entirely configurable, because hardcore users, admins and so on can't rely on third parts to check the compatibility of every patch with the endless configuration they have done. Auto-update could be enabled in any vanilla system, and disabled per package with dependencies with a CLI and GUI tool.

Ohhh, and making sure that this autoupdate doesn't have any bugs too! (as far as possible). May be SSH and server keys in the .isos to prevent man in the middle virus patch attacks.

Just a though.

Well, a lot of Linux developers are foreign

[typical+geek]

so your Big National Laboratory has a point about trusting an operating system that's been put together by people who aren't American. Many are Europeans, who because they live in a socialist, pacifistic paradise are insensitive to the security needs of a government agency entrusted with keeping the world safe under the Pax Americana. Many Open Source developers are from third world countries like India, Taiwan and LapLand. Their standard of living is so poor, and Open Source pays so poorly, that they can easily be bribed by a handful of rupees or drachmas or pounds into including assembly language Trojan Horses that would fatally compromise the security of Linux.

I think your IT director is right, rely on an American Operating System, coded 100% by Americans, yes, we're talking Microsoft Windows 2000. Deep in their heart of hearts, Bill Gates, Staver Ballmore and Jim Allchin know that America is the best country for them to live in (if they lived in England, half their personally generated wealth would be taken away to buy heroin for junkies), and they will work hard to make a safe OS that willl ensure the American hegemony.

Linux is fine for a hobby, but I wouldn't trust my country with it.

Re:Ramen, Slapper, Scalper and Mighty ?

[unixmaster]

apache bugs : Application problems, not OS problems, big difference.

openssh bugs : Application problems, not OS problems, big difference.

xchat & other programs bug : Application problems, not OS problems, big difference.

Linux kernel symlink dos vulnerabilty ( 1 vulnerabilty about kernel I have ever seen in 1 year ) : os bug

See if you think like that Linux has only 1 bug....

Re:Nice spin on the article

[frankmanowar]

I thought the article didn't really stack the deck at all, in fact, it was very favorable to windows - it actually legitamized it (you motherless whore). when a security flaw is discovered in linux, a community of people work together to release a patch while a company that issues a distro/release works on their own patches. MS sits on known security issues for years without addressing them, doing damage to their customers and user base. Linux users don't pretend that their is no problem running X servers (or ttdbserver.rpc for you solaris people, holla *^_^*), they come up with solutions. MS has finally gotten around to releasing patches as they come out - but what about inherent flaws in the OS that are unpatchable - like the Windows Messaging system?

No, Windows STILL sucks.

-Frank

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Clueless admins vs. byzantine systems and bad d

[GigsVT]

Playing devil's advocate here but....

MS could have documentation that is just as good, and contextual like a squid conf file.

The problem is that people stop clicking the question mark cursor (contextual help) after doing it about 10 times and getting "This is a text box, you enter text into it" or "click the check box to toggle this option on or off".

So, IMO, it's not so much that they can't, it's that they don't.

Re:I trust Linux's security implicitly

[blibbleblobble]

"I doubt the veracity of your story. The NSA has worked on a secure Linux distribution"

And the government told them not to do it again. It was 'harming american business by encouraging competition to microsoft'

Microsoft Office

[tmark]

I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen

That would be a good point if not for the fact that 1) Microsoft Office is not part of Windows, and 2) a lot more people would switch to Linux on their desktop if Microsoft Office (and not some pale imitation) were available on Linux. But it isn't, is it ?

Re:Nice spin on the article

[Blkdeath]

The thing is, cathedrals are inherently more secure than bazaars. This is in no small part due to the people that frequent each place.

Why, because they don't let anybody peek inside?

Because security through obscurity has worked out so well for Microsoft in recent years, hasn't it?

While there may be a significant number of vulnerabilities that have existed in Linux applications (a rare few in "Linux" itself, I might add), they're almost always fixed in a timely manner. More than can be said for our Cathedral competitor.

Moreover, the security model of even a relatively loosely secured Linux system helps prevent overall system damage and widespread deployment of such vulnerabilities. Consider the spread of CodeRed or Nimda compared to that of Slapper or Ramen. I'm no mathematician, but I do believe we're talking an order of magnitude in difference here. Before somebody reminds me for the umpteenth time that Microsoft is more widespread; let's concentrate on web server vulnerabilities. These guys disagree wholeheartedly.

Also to be considered is the sheer number of updates that appear on the WindowsUpdate site with no big uproar, and the potential number that are buried deep inside their service packs (104MB for XP, 106MB Win2k SP2 with a 17MB "security roll-up" and subsequent SP3, etc.). With atleast a quarter GB of updates to Win2k systems - that's a lot of fixes! The open source community is just a lot more ... open about the chinks in our armour, which gives statisticians a field day in coming up with reports and editorials about how bad off we are.

Of course, were I to deploy a mission-critical server installation running Linux, I still have the ability to audit the entire codebase (or hire somebody/a team of somebodies to do it for me). With Windows, that's apparently possible, in a small part, and at a very large price (I understand that enterprises can purchase large chunks of the Windows codebase for a few hundred thousand dollars, but don't quote me on it.) on top of the expense in hiring the programmers. This is not to mention the fleet of tens of thousands of eyes always staring at the code of larger projects day in, day out.

Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option? Of course not.`Microsoft's bread-and-butter is having that GUI shoved in your face at all times with the Internet Explorer icon emblazoned on the desktop and etched forever into the back of your retinas. The Windows Scripting Host and VBS support are all part and parcel with their Master Plan to have integrated desktops with unified interfaces (remember, Microsoft server administration is aimed at monkeys, not trained professionals. (Disclaimer: This isn't to say there aren't talented Microsoft administrators out there, only a comment on the target market of the Windows point-and-shoot interface for servers)).

Interesting to note, BTW, that Windows Professional and Server operating systems ship with RPC, Remote Registry Editing, Background Information Transfer Service (BITS), among other things enabled PER DEFAULT . Microsoft claims to be shifting their focus to security, but quite frankly, the default "Automatic" services list in Windows XP doesn't impress upon me a great feeling of security either.

Remember too that Windows (both the 9x and NT trees) were designed to be single user platforms (the NT tree coming from OS/2 - a single user platform) with multi-user support kludged into place. Only recently is there some form of organization as to where users store their individual documents and settings, but the de facto software installation course sees users installing things throughout the root of the filesystem still, because that's the way it's always been.

With a pretty basic set of hardening scripts (filesystem permissions, firewall rules, etc..) Linux can be made infinitely more secure than Windows, and I believe it will always be more secure if the administrator (behind both the Linux and Windows keyboards) are on the ball. Why? Because I believe OSS vulnerabilities will always be patched sooner, tested by a wider range of people, and applied sooner than the alternative closed-source Windows patches. Also, auditing a patch (diff) file is entirely do-able for one or two programmers in an afternoon - something that makes rapid mass-deployment of patches far more plausible, whereas in the Microsoft world the patch/update method is essentially "Test patch on several machines with similar configuration. If nothing breaks, apply it to the front-line servers."

Morality and security wise, I think I'll stick it out with Linux and let the statisticians throw around all the numbers they want. I'm comfortable right where I am, thankyouverymuch.

The OS you know best will be the most secure.

[doodleboy]

I've used UNIX and Linux for close to ten years, and by now I have a pretty good idea how to do things in a secure and functional way. I've only had to admin an NT box once, and I migrated services off of it as quickly as I could.

Why? Not because I had any direct evidence of insecurity (this was before the real flood of NT vulnerabilities began), but because I knew I could do a better job with the tools I knew best.

But also:

- the NT machine tended to bluescreen every month or so for no apparent reason. The MCSE on staff was not overly troubled ("Oh I see the problem, it just needs a reboot"), but its flakiness did not fill me with confidence.

- the MS tactic of bundling the kitchen sink with the OS is just asking for trouble. Linux's modularity means you don't have to have a graphics layer on the server, for example, or any other unnecessary frills that provide opportunities for crackers.

- I believe the full-disclosure bug reporting model is orders of magnitude more responsive than what you get from proprietary vendors. Afaik, lots of reported linux bugs == lots of bugs get fixed because lots of people have access to the code.

- really excellent security tools are freely available: iptables, xinetd, snort, tripwire, nessus, nmap, chroot, etc. An interested beginner could make a linux server very hard to break into. I know {NT,W2K,XP} has more wizards and stuff, but is it easier (or even possible) to really see and control what's happening with the OS?

Several problems

[mfos.org]

1) The author cited as fact that the age of the operating system is directly related to its security, without any kind of proof. This makes sense at first glance, but it ultimatly glosses over the fact that both OSes are in constant development. New features are added every day. This might make sense if, after developing the system, all the time after that was spent patching and debugging, but this isn't the case.

2) The author has no concept of service vs. system. Most vulnerabilites are in sevices, not at the kernel level. All Linux is just a kernel. Packages are added to make a usable Linux distro.

3) The author cites number of bugtraq entries as a way of gauging relative security, without considering the severity. Also, bugs, like those reported to Security Focus aren't the only vectors of compromise

4) Open source software, by virtue of being free, allows an administrator to install much more security software for his dollar. Firewalls, IDSes, advanced cryptographic file systems, HIDS, and virus scanners can all be downloaded for free.

Re:4 out of 10 americans support annexing canada

[avgjoe62]

Does Canada have a secure OS?

BugTraq...

[Squidgee]

Now that I've thoroughly chastised the author about his spelling..

The fact that there are less bugs on BugTraq pertaining to Windows than there are to Linux is beside the point: Most Windows users don't give a damn about posting on BugTraq. Most Linux users want to improve their OS, so they do post on BugTraq. And if Windows users did care...oh boy would BugTraq see some bugs...

Re:I trust Linux's security implicitly

[Billly+Gates]

Just because someone has a different opinion that yours does not mean he is wrong and you are right.

Sometimes I find slashdot highly biased. I think the karma of your comment of +4 is a little to overated since its biased.

Most highly secure military labs like the dod use VMS because they have a license to see and audit the source code? I remember reading a comment earlier this year mentioning this but I do not know if its true. I would not be supprised if the military uses their own operating sytems for critical systems that handle nukes and keep tract of military operations worldwide. You need alot of certification to run an approved os with approved hardware. I believe c3 certification is required.

1.) c2 certication is required.

Yes, Windows2k and NT are c2 certified while Linux is not. What we need to do is fund a lab to make it certified. People who do government purchasing will not buy a system that is not c2 certified. I believe this was probably one of the reasons linux was turned down. I am aware of the fact that Microsoft's c3 tests were not connected to a network but that is really part of the certifaction process. Any server that is connected or has a floppy drive is automatically disqualified so please don't rant on this.

2.) The second issue has to deal with the development model. The labs security department does has a valid concern that you may or may not agree with. I too would rather trust a proprietary OS with a special license to look at and audit the source code or a homebrew OS for such a situation.

They do not know who Linus is and yes it is possible that the government of China for example can add some worms or backdoors into it. Remember that China is standardizing on linux and maybe funding part of it and donating code!

Yes their is no security in the linux development environment and no having Linus decide which code gets patched in the kernel is not good enough for military use! The bsd crowd has been complaining about this for awhile. They would like cvs to prevent someone from adding something to the kernel. I do not agree with this analogy but if their was a cvs tree with at least minimal security on who gets to commit and write, then it would not bother the security freaks as much. From what I heard, Linus still does not use cvs and just patches code he receives from email. I remember several commits by him in which he says he will never use CVS.

The preference for Windows2000 however does not make any sense. Its all closed source and a few spies could actually work for Microsoft. You never know. If they can look at the code, then they can do an extensive audit. However like I mentioned above, win2k is c2 certifed so thats why they use it.

GNU is Not Linux!

[RAMMS+EIN]

``Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.''
What they're forgetting here, though, is that Linux is actually GNU/Linux. The Linux kernel is a relative newcomer, but the GNU utilities that it uses have been in existense for quite a while, and have a history of testing on various Unices, etc. etc. These days, what matters is mostly the security of programs that connect to the 'Net. Vulnerabilities exists on both sides, but tend to be more braindead with Windows programs. M$ Outlook Express executes .exe attachments disguised as audio/x-midi inserted in HTML mail...WTF? Linux users are more likely to patch or upgrade to more secure software. The programs used matter, but the human factor can't be ruled out, either.

---
Running as root is bad. I don't want to run as root. But now I can't modify my config files... Hmm, chmod -R o+w /etc/*
Good, now I feel a lot safer...

Windows vs. Linux security-wise

[fudgefactor7]

(Ok, so that subject isn't that great, sue me) ;)

I submitted this same story on the 11th and was amazed that it wasn't posted as it's an important debate, not to mention one that is extrememly volitile (which might be why it wasn't until now--get the Monday crowd, so to speak)..

At any rate, there have been tests done that disprove the OSS-is-more-secure model, basically stating that either style (OSS or Closed-Source) can be equally secure. We all know that. What I think is interesting is exactly how both camps go about the same thing (ie: security).

The OSS people find a bug, the author of the affected application is notified (probably by hundreds of affected people, or by bugtraq, or something like that, and he/she fixes the bug, releases a patch or new version and the world is more or less happy. (Some apps might not work, but then that's not the problem of the author.) Time from bug to "fix": about 2 weeks (at most).

Closed-Source people get a bug report, then they have to see where it is in the code, fix it (and here the similarities end) because there is (at least in the commercial business) a desire for backward compatibility and what MS likes to call "regression testing." Once that arduous process is done a patch is released. Time from bug to "fix": at least 2 weeks (unless your'e lucky.)

Really, the only thing I see different is the time involved, both bugs get fixed, but OSS doesn't have to test it with previous releases--the author only has to make sure it works on a "vanilla" install; whereas someone like MS has to make sure that it doesn't break anything going as far back as, say, Windows 98. (Which is pretty far back in computer time.)

I think the real way to describe it is that OSS is made secure faster than Closed-Source. Speed being the essence, that's the rub. If I want security I'd like it now, not later.

The history of bugs...

[rosewood]

Once again we have an article that forgets the history of bug tracking and CERT. There was a time where everyone thought it would be best to alert the company first and let them fix a patch. Then we saw time and time again a company sitting on a problem and not wanting to issue a fix until the next big release they could sell.

Then, the idea was to make a bug known publically so that the company couldnt hide. Unfortunatly, the company then denied that such an attack was possible. This lead to the requirement of posting source or an example program the exploited the program - which before was just sent to the company - into the wild.

This brings us to where we are now: Everyone (sysadmins, crackers, hackers, the media, and the company) knows about the problem and how it works at the same time. This means the company HAS to patch their software. This also gives your sys admin a better chance since he can know about an exploit and immediately begin watching it or take the effected program away until a patch is issued.

The down side of course is smbdie being posted on /. and everyone in the university using it to crash computers campus wide. However, these idiots, the idiot sys admins and the idiots that made smbdie possible all had equal amount of time to do what they needed to do.

What is this guy talking about?

[ellem]

Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

This makes no sense for several reasons:

1 -- "a lot" more; how much is "a lot"?
2 -- Linux the kernal or does he mean Red Hat?
3 -- Didn't MS make a big deal about NOT posting to BugTraq for (snicker) "Security Reasons"?

Hemmdinger sounds like a shill to me, and I don't even use Linux (Red Hat, et al) anymore.

Linux security...

[Junta]

First of all is hard to nail down what exactly that means. When most peoople utter those words, they refer to Apache/Linux/Linux Apps vs. IIS/Windows/Office.

Very few security issues in the recent past have really had much to do with Windows itself, mostly IIS and some Office/IE vulnerabilities. Even with those, frequently the problem is that the administrators of targeted systems are not sufficiently security minded. Also, MS products draw a lot of attacks, simply because the systems are such a large target.

The enhanced security of Linux, at least in part, is a self-fulfilling prophecy. When administrators are highly security concious, they will often go to Linux to drastically reduce the sheer number of attacks they receive and are influenced by reputation. Sure Linux boxes with Apache have had a number of problems and worms, but those administrators are far more likely to update Apache than IIS administrators.

One thing that really does make me think it would be difficult to update Windows as easily as Linux systems is the model for updating busy files. Under linux, the in-use inodes are kept open for the processes that need them, but the filesystem is updated for future processes. Under windows, the file updates are scheduled for reboot. Since so many of the updates for Windows touch so many files, updating IIS will likely require a reboot, huge no-no for mission critical apps..... Aside from that, I'm not so sure that Windows is that much less secure. However, I prefer linux because it *is* more flexible..

With the exception of OpenBSD

[flinxmeister]

Almost nothing is routinely secure "out of the box". And even OpenBSD has had its share of black eyes.

It's not a question of "How secure is it"...it's a question of how securABLE it is. IIS is securable, so is Apache. The problem with IIS is that it's usable by the low end of the technical spectrum who don't know or don't take the time to secure it. People who use *nix/*nux and Apache are almost techies by definition. They generally have the attitude to secure their boxes.
The irony is that with a flurry of points and clicks, IIS is easier to secure than Apache. However, nobody does it.

The real vulnerability

[SatanicPuppy]

What everyone seems to be missing is the difference in scale between a windows exploit, and a linux exploit.

Linux, if you hack a mail client you can send spam to people on YOUR mailing lists.

Windows, if you hack a mail client you can send mail to people on THEIR mailing lists.

Most times linux exploits get you the very lowest level of security access. Yea, you got in, but you hardly got root priviledges out of it.

Windows on the other hand, has several known and documented exploits that not only get you in, but get you admin priviledges to go along with it.

Linux is very protective of it's hardware access (As anyone who's ever tried to run games will tell you. =P). Windows, on the other hand, goes out of its way to make hardware access easy and painless, both to the user and the abuser.

Exploits exist for both systems. But which ones would you rather have to deal with?

Re:Nice spin on the article

[archen]

Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option?

Simply put windows just doesn't have much functionality without a GUI, and many MS tools absolutely depend on it. Aside from that, strategically MS must to focus on their GUI. Why? Look at the functionality of cmd.exe vs bash . When you take things to a CLI level, UNIX is far superior. And lets face it, many in the MS world are just afraid of the command prompt.

The Admin is as good as the Documentation...

[vrypan]

he has access to.

My experience is that it is really hard to find *good* documentation for advanced topics in the Microsoft world. (especially when you need it). I guess that there are good books out there, but when I needed information I was not at the bookstore.

On the other hand, Linux/Unix is very well documented. And when you hit the wall, you can always look around in the source code.

Panayotis.

Re:Really?

[blibbleblobble]

How odd, no one must have told them that the project ended, according to your comment.

What am I, a journalist that I must check my sources rather than just commenting from memory?

A google-search, as usual, turns up varieties of information. I discovered the following article on
ZDNet news with a 2002 date at the bottom.

[Of course, this might be an auto-generated copyright statement using the current year, but I dread to think the legal implications of them doing that on something written before they claim]

Quoted text follows:

SE Linux may be the NSA's last direct contribution to open-source
security, however. Because of the loud criticism, the NSA will have a far
less direct role in the creation of more secure versions of open-source
software.

"We didn't fully understand the consequences of releasing software under
the GPL (General Public Licence)," said Dick Schafer, deputy director of
the NSA. "We received a lot of loud complaints regarding our efforts with
SE Linux."

Many complaints criticized the agency for providing the fruits of
research to everyone, not just US companies and thus hurting American
business.

While stressing that the agency received a loud chorus of support as
well, the chagrined Schafer said that the issue was contentious enough
that "we won't be doing anything like that again."

Sources familiar with events said that aggressive Microsoft lobbying
efforts have contributed to a halt on any further work. "Microsoft was
worried that the NSA releasing open-source software would compete with
American proprietary software," said a source familiar with the
complaints against the NSA who asked not to be identified.

Microsoft would not comment directly on its lobbying efforts, but did
stress that it wanted to ensure the government continued to fund
commercial ventures. "The federal government plays an important role in
funding basic software research," said a Microsoft representative. "Our
interest is in helping to ensure that the government licenses its
research in ways that take into account a stated goal of the US
government: to promote commercialization of public research."

Re:Nice spin on the article

[shish]

> That's because a service pack is basically the entire winnt directory's binary files all zipped up. It's almost the whole OS.

What, *every* binary in the winnt directory has bugs?

I beg to differ

[Jeppe+Salvesen]

In fact, pushing all the responsibility down on the user is a very bad way of securing anything. Most poeple care more about functionality than security. We as developers need to pay more attention to finding ways of implementing non-intrusive security. It may include more lines of code, but it will certainly pay off in how many of your users end up screwed by an exploit in YOUR app.

I'm just waiting and hoping for automated code audit for security. That would possibly be the greatest contribution to computer security since encryption!

Quick Comments...

[tqbf]

• The article lacks credibility. Security is a complex issue. There are very few organizations qualified to present it authoritatively. Who is NewsFactor? Who is Masha Zager? What is the "Informations Systems Security Association"?
• Ignores the worm gene pool. Several of the Linux worms cited use the same (uncommon) vulnerabilities to gain access to computers. Putting a different payload on the same attack doesn't make the "different worms" uniquely different threats.
• Newer != Insecure. SunOS is old, and insecure. djbdns is brand new, and very secure. Secure programming, and (more importantly) secure design, are new disciplines.
• Linux != New. Linux is new in implementation, but evidences the classic Unix security model. The Unix model is flawed, but not impossible. Win32 has a "better" design, but does nothing to make that apparent (in the same sense as Darwin doesn't make apparent its microkernel design).
• Bug Counting? Most Linux bugs are in packages. There are thousands of available packages, virtually all with published source code. Third-party QA teams at ISS and Network Associates can go make a list of 100 CGI programs, read bad source code for a week, and generate 15-20 new advisories. Very, very few of them will affect real, deployed systems.
• Still More Bug Counting! Linux sees more bug reports. Linux has published source code. An independant QA person can spend a month looking for a remote attack on Win32, come up with one, and coast on it for a year --- that remote hole will probably affect 80% of all deployed systems. To get the same cred, you need to find tens of holes in popular Linux packages. It is both significantly easier and more useful (to the reporter) to find numerous Linux-related holes.

Difference

[AftanGustur]

I've *taken* MS curricula before and its not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs.

My thoughts exactly when I took the NT server/admin/whatever course. I realy felt like I had been had (or that the company I worked for had been had).

Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

Re:Difference

[swb]

Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

I've always wondered why people don't offer more in-depth courses that cover more than just remedial networking-101 and basic dialog box entry, since the "official" curricula is so empty. The answer is probably twofold:

Most people are taking the classes for bad reasons: to pass the MS cert tests, to get out of work for a few days or because of work requirement. They're not actually interested in how it works.

-or-

Even scarier, it's because nobody (outside of 500 or so developers, MS employees and other who aren't telling) REALLY knows how it works! 15 years of weird coding, new features, parallel development paths, diverse coding groups, ad nauseum have rendered an OS and system that simply is too byzantine to be understandable by anyone. It's like a fractal design -- the closer you get, the more detail is revealed, which brings you closer, to more detail...

It doesn't matter which one is more secure...

[kakos]

...because they are both insecure enough to be a hazard in a real world situation. If I want to run a secure box, I'll run a BSD (probably OpenBSD). One remote exploit in six years is a bit better than a new one every month (a trend both Linux and Windows seem to share). The only way to keep a Linux or Windows box secure is to patch it almost constantly. To be honest, that is a task that sysadmins don't want to be doing all the time. There are much more important things to be doing.

Re:different kinds of security problems

[the+eric+conspiracy]

for instance, slapper requires that you install gcc on your server. if anyone installs a compiler on a production server, the response should be "WTF!!!"

I don't think I have ever seen a Linux server being run in a production environment that didn't have gcc installed. Most of us don't have the luxury of homogeneous server installations where gcc-free installations are practical.

Now, of course there are other measures that could stop slapper that are a lot more practical - chrooting, tripwire, etc. are some of them.

Re:Flamebait indeed (Linux is older than Windows)

[gosand]

In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long- established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

To get even more picky, Windows is used as a generic term. Most GNU/Linux distros are older than Windows XP or 2000. Some Linux and BSD distros are older than Windows NT. The core security model of all *nix systems is much older than any Windows security model.

I didn't think much of this article, basically because it didn't really say anything.

You can't compare Linux and windows

[Junks+Jerzey]

In these type of discussions, Linux is equated with the Linux kernel, some device drivers, and maybe a handful of utilities like sendmail and so on. After that you get into debates about scripting languages and window managers and desktop environments and all that--none of which could be considered part of "standard" Linux.

Standard Windows, however, includes graphics libraries and scripting systems and a GUI, and even tools like file browsers and Internet Explorer are considered part of Windows. Not surprisingly, most of the security problems are in those high-level tools, not the kernel itself. Now it could be argued that the kernel shouldn't allow tools to cause problems, but that's wishful thinking. Microsoft introduced a scripting language into Word, and that's been the cause of so-called "document viruses," for example.

To do a fair comparison, you need to put together a Linux machine running KDE, Star Office, a graphical email client, and so on. And then you have to consider all security exploits in KDE and all applications that come with it. But of course that's never how comparisons like this are done. If a KDE application is at fault, then we're quick to dismiss it as a KDE problem, not a Linux problem. And so we run in circles with this kind of meaningless argument.

Why Debian is easy to secure

[steveha]

I am not an experienced sysadmin, but I have found sysadmin tasks to be pretty easy with Debian. Here is how to run a server with Debian:

0) install using the Debian "stable" branch. (Use the pgi to install; it's easy.)

1) once a week or so, run the commands:

apt-get update; apt-get upgrade

These will go out and get all the latest updates to your packages.

If you update your packages, worms like Slapper will not be able to get into your system.

Debian also provides a really excellent howto. Any Debian server admins should study it:

http://www.debian.org/doc/manuals/securing-debian- howto/

P.S. I'm sure Windows systems can be made secure, but it has to be more work than securing a Debian system. There is nothing as cool as "apt-get upgrade" on Windows.

steveha

Comparing OS securtiy

[octogen]

When Microsoft compares Windows Security with Linux/Unix security, they commonly show you all the cute security features of Windows 2000 and then compare it with a freshly installed Red Hat 7 box (or something like that, debian, SuSE, whatever you want).

What about comparing the most secure setup of Windows with the most secure setup of Linux or Unix?

Now you end up comparing Windows 2000 with HP SecureLinux or with Trusted Solaris, Trusted Irix, and so on.

The most secure setup of Windows 2000 has C2 level security (discretionary access controls capable of defining access to the granularity of a single user, audit trail), while the most secure Versions of Linux have things like domain based access controls (however they are not certified at any TCSEC security level, not even C2) and the most secure Unix environments have B3 level security (structured protection, zero design flaws and minimum implementation flaws).

Just take a look at how security mechanisms work, maybe compare Linux+Pitbull/LX (domain based access control) with the most secure Version of Windows 2000 - and try to imagine, how DBAC keeps your computer secure, even when somebody hacks your sendmail daemon.

Now go and look for a Version of Windows with zero design flaws, or maybe just a B1 secure Version of Windows, good luck.

regards,
octogen

Some further information:
Trusted Solaris, Sun Microsystems; ITSEC EAL4 (exceeding B1 security);
Pitbull, Pitbull/LX, Argus Systems; ITSEC EAL4 security for AIX and Solaris; Domain Based Access Control for Linux (Pitbull/LX);
XTS/300, Getronics; TCSEC B3;
Firewall Server, BorderWare; (Unix based Firewall), ITSEC EAL4 with EAL5 vulnerability analysis;
Windows XP, Microsoft; TCSEC C2;

Re:Nice spin on the article

[Kjella]

With atleast a quarter GB of updates to Win2k systems - that's a lot of fixes!

Um... so they total up to it, but I thought every service pack contained all the fixes in the previous ones, so it doesn't really make sense to add them up. Not to mention it's a service pack for several Windows 2000 versions (though similar, I'm pretty sure a Win 2k Pro only would be smaller).

Anyone have any numbers on how much a No-SP Win2k install really need to be up to date? (express download)?

Kjella

Programmer of 23 years vs administrator of 2 years

[Skapare]

This is why we should not allow programmers to moonlight as system administrators. As a programmer, of course I expect you to never, ever, code up a buffer overflow exploit. But please leave system administration to professionals who know how to do the job. A system administrator of 2 years experience or less (usually way less) could do this with ease and correctly.

Re:Nice spin on the article

[Blkdeath]

Um... so they total up to it, but I thought every service pack contained all the fixes in the previous ones, so it doesn't really make sense to add them up.

Assuming a business has existing Win2k installations, they would have had to apply each of them as they were released in order to be up-to-date. The only people who don't have to worry about all of them are new installations, in which case they would only need to apply SP3 (if it works for them - I've heard a number of horror stories).

Not to mention it's a service pack for several Windows 2000 versions (though similar, I'm pretty sure a Win 2k Pro only would be smaller).

Regardless, the codebases are doubtless very similar (just different branches for the additional functionality offered in each version). Enterprises would still download the entire service pack to apply it to each of their machines rather than performing the "express install", which is only "express" for one or two Win2k machines. When you have a dozen servers and three hundred workstations, one 100MB download is preferable.

Anyone have any numbers on how much a No-SP Win2k install really need to be up to date? (express download)?

I remember when I installed a vanilla Win2k Pro not too long ago, it took (using the express download from windowsupdate.microsoft.com) somewhere to the tune of 150MB or thereabouts to get the OS up to date (including IE 6, Windows Media Player 7.1, all service packs, security roll-ups, and security/component updates released after the roll-up).

Re:Nice spin on the article

[Black+Copter+Control]

Well, what I'm asking is what's inherently wrong with a GUI? *Should* server administration necessarily be difficult?

GUI administration is not necessarily more or less difficult than CLI administration.

Knowing which menus you have to wind your way through to bring up the ipconfig utility is not any easier than just remembering the ipconfig command name. I, for one, have sometimes spent half an hour or more trying to remember what magical sequence of menus and options are required to get to the 'friendly' GUI display that I know is there, but I forgot to click on some obscure option 4 menus back. Navigating those menu options is like running a rat's maze. Anybody ever run into a user who never knew that you had to click on a folder to get the 'find file' menu in Win/95? Is this really easier than typing ' find -name "purple*" -size +50 '? s.

Besides having to remember where to find the GUI commands, one also has to take into account that GUI interfaces inherently take way more resources than a CLI interface. If I'm in Atlanta for a conference and I find out that there's something wrong with my Linux server in Seattle, I can call in using my laptop's modem and fix the system from anywhere (even in flight). Trying to do the same with a Windows box pretty much requires me to have an ADSL connection. One also has to take into account the resources demanded on the Server end of things. If my server is already within an inch of crashing, the last thing you want to do is load it down further with a 50MB GUI that eats 15% of the machine's CPU. -- and if I want a 'user friendly' interface without the load of X, CLI interfaces can include menu-drivern utilities that are about as easy to use as GUI interfaces, but cause 1% of the CPU load.

There's also the question of scripting. If I have something that I'm going to be doing more than a few dozen times, I'll often write a shell script that does most of the work for me. Preferrably, the script can just run entirely automated, then I can just run it as needed with cron or triggered by some other program. That's something that's a lot harder to do with a GUI -- and a lot less portable.

Unix doesn't require one to use CLI solutions -- They're available as an optional tool. The availability of those tools is, I think, part of the reason why your average Unix admin can handle way more machines than your average Windows admin. GUI tools are also available to a UNIX admin, but I only use them when they're appropriate to what I'm doing.