Is Linux as Secure as We'd Like to Think?
man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
First, the user base for Linux is inherently more systems-savvy and internet-knowledgeable than the Windows user base: it comes back to the old Linux-on-the-desktop argument. As long as you've got less systems-savvy users on a particular operating system, it will be more vulnerable to attack. As a result, people with more tech knowledge tend to also run a more secure system - just like my lawyer friends know not to let the cops search your car.
Anti-establishment psychology also comes into play: for example, you don't see anti-business graffiti on your local coffee shop, you see it at Starbucks. When people want to make a statement about animal cruelty and food, they often picket at McDonald's - not the local Mom & Pop restaurant. Why? Because it's perceived as cool to go after the big business. Writing a Linux virus isn't nearly as cool as taking down Microsoft. The recent viruses attacked Windows Update for a reason: to make a statement. Calling Linux secure because people love DDOS'ing Microsoft is faulty logic.
What's your damage, Heather?
understand the reason and you'll answer your question.
Personally I have all my end-users sign on as root. So far so good
I think website defacement and Linux security are 2 different issues all together. From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of the operating system or the web server for that matter. It was only a security hole in one php script. This security hole was identified and patched rather quickly but I failed to apply the patch in a timely manner. But the rest of my websites were fine along with the rest of the services running on that box.
My opinion is that there are a lot of free / cheap web hosts out there running OSS and a lot of people publishing web pages and message boards using scripts that someone else wrote and not updating them.
I would like to see a comparison on the types of web pages that were defaced and what was actually done, I bet most of them had nothing to do with the operating system the website was running on.
"A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
A system is only as secure as its most insecure user / service.
Better go ahead and migrate to OpenBSD.
I think we are correct in saying that Linux is more secure than Windows. When we are talking about just the operating system, then we can safely say that it is more secure.
Of course as we add applications to any system that system becomes more vulnerable.
It's just that Windows starts off vulnerable and gets worse as we add more apps (ie, Web server, ftp server, etc.).
Linux is far from secure; just look at all the updates that are on bugtraq or redhat/debian's history. the fact is, all the script kiddies and l33t haxors run linux, and prefer to target microsoft.
linux is ONLY secure because it is free, and the bad guys attack the company that wants their money.
btw, if you want to secure your linux box against viruses, etc... you at least have the option to recompile the distro.
Does this take into account the # of linux servers vs. windows servers? If there are significantly less windows servers, then this isn't all that significant. If there are less windows servers, but just as many break ins as linux, then windows is still more insecure despite the fact that they have the same number. they have more per machine. i hope that made sense =)
The only real way to secure a computer is to pull the power plug out of the wall. If you spent time maintaining your computer, keeping it up to date, and you know what you are doing there is little chance that you will have major problems. Anybody who puts a linux system on their network and doesn't update it is likely to have their system exploited.
Email viruses like Sobig are aimed at desktop users. Since most of the desktop users run Windows, it makes sense that most of the viruses would be targeted at them and not Linux users.
SLASHDOT has various personalities, and I hope to be the first to document them all:
,rsm jpe jstf od yjsy"
Project Manager - dude was an ex-coder (visual basic 3.0) and now is a low-level bottom-feeder working through slashdot so he has some vague idea of the issues with technology.
Anonymous - dude is angry. Angry about something but not sure what. Against everything: hates all religions, colors, air.
Modder - points Nazi. God's irony incarnate. Why are those who have the least leadership skills always given a clipboard? Like getting a bathroom pass from the farting-kid.
Grandpa - dude is old. Waaaaayyy old. Like grandpa old. Runs a plain-text website. Talks about the early days of Usenet and punch cards. Senile.
The kid - 13 year old. Thinks coding full-time sounds like a wonderful career. Masturbates at Guiness Record Book pace.
The ranchero - Indian or Pakistani. Got his full-service corporate Internet access in Bombay or Kurachi and his call-center job. Has his PhD in math or science, feels he somehow part of the global village.
The survivalist - bro feels like if you discuss something over and over somehow it will all be okay -- like Microsoft disappearing. Can't understand the cat is already out the bag and has humped everything in sight.
Her - d00d is a chick. A chick! Runs her blog, thinks she's a programmer.
The speller - d00d is seriously into grammer and spelling. On a site where the debate is around ideas, brother-man likes to make sure the semicolon is in the right place.
The Oz - australian d00d. "I come from the land down under, where women go and make thunder"
The napster - d00d is seriously into alternative-rock and the stealing thereof. Talks intelligently about music like one might discuss a Winslow Homer or the Illiad.
Lost in Translation - d00d cannot for the freaking life of anything find the home-row keys. o
The scientist - d00d is seriously into fractals, 3-d Math, fluid dynamics, cutting-edge chaos theory -- albeit from afar because basic physics and calculus escape him.
The microsoft - d00d is seriously against MS. Can't stand the cursor, the fonts, the windows, the design, the icons, the sounds. Uses it extensively to play games.
The thinker - writes long missives. Attempts at humor, sarcasm, wit, and pun are laudable; posts two-stories ago.
Ben Franklin - d00d loves chaos. Every judicial ruling is "another nail in the coffin of freedom". Has third-grade perspective of common law.
The formater - d00d loves to use *HTML* *TAGS* to *CREATE* posting that are *REALLY* *GHAY*
"This isn't a study in computer science, its a study in human behavior"
How DARE you criticize Linux? Don't you know that Linux allows me to live a life of smug superiority? If I weighed more and had a wife or girlfriend cheering me on, I'd kick your ass for posting such drivel.
Species of Windows Programmer: Human
Species of Linux Programmer : Human
Chances of human error making it into the code: Equal
Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?
Wait until more people are using linux on the desktop, then you'll find out exactly how secure your system is.
Also, since Linux is open source, I would imagine that a coder looking for an exploit will have an easier go at it that they would on the windows system, where you are pretty much relying on decompiled binaries and assembly analysis.
stuff
Most of these Windows problems are from people not patching their systems. Same thing would happen just as easily on any OS. More Linux users know how to patch, sure, but imagine if it had the desktops that MS had.
Looks like some of that "defacement" is happening close to home.
view-source:http://www.zone-h.org/
DB connection failed ().
Absolutely not! These are not viruses that exploit bugs in code. These are socially engineered programs designed to get the user to run them.
You can't make the argument that the "average intelligence of the linux user" is higher than joe-sixpack's because if we are talking about linux-in-the-mainstream, then the "average linux user" will be joe-sixpack! Also, you probably can't talk about the fact that it isn't as mind-numbingly easy to run a script in linux as it is in windows, since those arguments contribute to why linux isn't mainstream in the first place!
Or your admin makes it.
I used to run an old distro (RH 5.1) for the longest time (it had everything I needed) and it was full of security holes after doing the install. But disable some services, update some packages and presto - you're ok to go.
It's the same thing with Windows - check out the services turned on by default after installing Win 2k. Half of them will never be used by a home user.
So patch your box, remove unnecessary services and you should be alright. If you know what you're doing, you'll be ok.
is SoBig
I just install a vanilla Redhat on all my boxes. They get rooted within a few days, and the hax0rs take care of the security updates for me. Course, I can't log in as root anymore, but hey... that's a feature.
When I say that Linux is more secure than windows, I see it on many levels.
For an end user its obvious since in windows you are always the admin (even in winxp where you can finally really change the power of the user, a lot of shit doesn't work right unless you are the admin). This basic security difference is HUGE.
Then there is the whole open source vs closed source security. I truly believe in that. It only makes sense that it is going to be more secure in the long term. This doesn't mean exploits don't exist - it's just I'm prone to believe that there is someone using an unknown windows exploit as we speak to do something bad and it might be YEARS before that one is ever found (history backs me up on this one) but yet if there is something as blatant as the RPC exploit in OSS, we tend to see fixes for rather quickly (again history backs me up here).
Don't confuse the idea of inherent security with stupid users and sysadmins or even part time sys admins that aren't paid enough / don't work enough hours to keep a handful of servers updated across town.
Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
Anyone can write a worm that leverages a security hole in a default service of a default Red Hat Linux install. Or Windows XP Home Edition.
However, it takes considerably more skill to be able to write a worm that can target vulnerable services across multiple distributions of Linux, multiple versions of each distribution, etc.
As long as Linux evilware continues to exploit C program unchecked boundaries, a single universal worm that can effectively exploit every potentially vulnerable Linux system remains highly unlikely.
60 something percent is running Linux (and I assume Apache). Who the hell is still going to be running Windows with IIS???
Somehow I'm willing to bet the poster is Carl McBride, trying to throw more Linux FUD around.
man_of_mr_e - Carl McBride.
Coincidence? I think not...
If you want a free, open source Unix like operating system that focuses on security, you can't get much better than OpenBSD (http://www.openbsd.org).
If you really want to stick with Linux, distros such as OWL (www.openwall.com) and Trusteddebian (which uses GRSEC and PaX) are OK too.
Popular distros have only very recently turned their attentions to security - just like M$; and as such they have a long ways to go. Projects like OpenBSD really serve as a model of what can be accomplished over a longer period of time with such a focus, yielding a thoroughly audited code base, many default security settings, and they're still usable from the get go (e.g. not all services are turned off, making it a completely useless piece, though perhaps still more constrained than some are used to).
Outside of some of OpenBSD & security conscious linux distros and OSS security minded projects - I think that the open source community as a whole has a lot of room to grow wrt to security, and really isn't all that different from everyone else be they MS or Oracle.
...one can rely on two truisms: 1. *nix was inherently designed better from a security model perspective 2. most users heads are not
Linux is less vulnerable because there are fewer identically configured machines on the internet.
:)
One of the things about Windows is that there are so many copies out there that are all configured the exact same way, if a flaw is found in anything you have an instant worm possibility.
With Linux there are so many distributions, each with their own initial configurations and setup types that a worm would be hard pressed to find a common exploit.
Not that the internet hasn't been shut down by a UNIX worm in the past, that is...
Windows web defacements are the fault of a crappy, inherently insecure operating system from a criminal monopoly.
Linux defacements are the fault of stupid admins who can't be bothered to install the latest patches, or who are too incompetent to install the OS and configure it for security.
I thought everyone knew that.
Cheers
-b
The real reason why windows gets so many attacks is because most of them comes from
1. wanna-be script kiddies running in windows and practicing some new skills to show off
2. Hardcore hackers/programmers running linux that do it only for the heck of finding, yet, a new hole in windows.
Even if I'm running windows, I find it amusing to see just how much the linux "society" is determined to prove itself right against the $oftware giant.
Was there ever a virus exclusively for linux ? Like the article says, I believe linux users just like to believe they're safe, when in reality, no matter its quality, linux is a product made by human, thus flawed, thus opened to attacks.
If you look like your passport photo, you're too ill to travel. - Will Kommen
I've seen people on Windows machines probed and hacked while they were online on IRC, in real time. Any passably competent cracker should be able to take control of a Windows box in short order. And Microsoft is well known for being slack on security matters. Always has been. And VB and the other tripe they've grafted on to their products multiplies the possibility for hacks by an order of magnitude.
Yes, there are Linux hacks, though far fewer than Windows hacks. And I see the buffer overflow vulnerabilities and such that come out weekly for Linux software. Many of those vulnerabilities are theoretical, found by a perusal of source code and never actually taken advantage of. And the Open Source community fixes these _far_ faster than Microsoft will ever fix theirs.
Oddly, some of the foremost security guys (Bruce Schneier, for example) state very explicitly that Open Source software is far better security-wise than any closed source software (read Windows). And they explain the reasons in great detail. And there are several people on this list who deal with both OSes on security matters on a day to day basis, and I'm pretty sure they'll attest that Linux security is much stronger than Windows.
If nothing else, a Linux user can determine and control open ports, running services, and create firewalling rules. Windows users think a port is something a ship pulls into, and a firewall is something in their cars.
"While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough."
With Windows, you can get your foot in the door and shut down the system by doing something stupid. You already see what MSBLASTER and SOBIG can do without Administrator access.
You can't do those things on Linux with "foot in the door" attacks. You can't fck up services like BLASTER did or restart the computer. (Remember that the MS kbase article said that BLASTER could cause system shutdown because a RPC failure is configured to automatically restart the system in an attempt to get the service back up again. I know this is true; it happened on my sister's machine.)
Getting your foot in the door is certainly NOT enough to take down services or even the system on Linux.
I'm almost certain that (even as I'm loath to say it), Windows Server 2003 is more secure than most versions of Linux, but of course it isn't free :)
I have over 70 freaks, do you?
Even if it turns out only old copies of Linux or Apache are being exploited, we still face the exact same problem as Windows does: how do we make sure that sysadmins update their systems when security patches are released?
Modern viruses work by two major routes:
A) Exploits
B) Social Engineering
Exploits are hard to stop without patches. Get enough unpatched systems, and your virus spreads. There are a lot of guilty linux users here, I'm sure: people download software all the time without checking its security. People run software daily without bothering to check for updates. It happens.
Social engineering, however, is by far the most widely used virus tactic. It's easier to fool a user than to fool a well-secured computer, says this adage. The basic premise fails under linux: it's really, really hard to get someone to run malicious code that you want them to run. Most linux users are above-average on the computer-tech-savvy curve - I would say that the mean computing knowledge for an average linux-desktop user is above the 90% mark on a curve of all computer users.
This means linux users don't do stupid things as readily. The subject line RE: DOWNLOAD MY NEW SCREENSAVER with the attached .tar.gz isn't likely to fool many people. I have a hard time believing that most SoBig victims are those who know what Bayesian filtering is; actually, I have a hard time believing that most SoBig victims know what Inbox means.
Furthermore, it's tough to write code that will run without a hitch on everyone's system, as there's so few distro standards. Also, as email virii work, with linux being a small desktop percentage, it's tough to get emails into the boxes of most Linux users.
Last but not least: There are few people who want to see Linux die. The rivalry doesn't work in both directions. There are thousands of anti-MS'ers, but a sad few anti-Linux'ers (SCO not included. =P). What would the protests be? "Hey, assholes! Keep your free operating systems off of our clean hardware! You're ruining good pentium chips by corrupting them with something non-proprietary!" etc.
Just a few points. I'm sure there are better ones.
I do contract work. A HUGE bulk of it lately has been doing security audits on companies running old redhat, old plesk, or both that have been hacked by shit brazilian hacker groups like "Hidden Wrestle" and "Securinos". They hang out on irc.brasnet.org all day looking for webhosts using old plesk and old redhat. It's an awesome excuse to migrate people to FreeBSD and webmin. I've done quite a lot of that lately. They freak when they see the cost of the latest plesk and enterprise redhat. It makes selling them on FreeBSD and webmin/horde/squirrelmail/usermin/virtualmin/etc. very easy. So as long as people insist on installing 2 year old redhat and plesk 2.5 and never updating it, I'll have plenty of work removing eggdrop and psybnc from machines, and migrating people to FreeBSD. I'm starting to look at BMW's again.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
Not sure if they're running linux, but it looks like their defacement archive just got defaced.
DB connection failed ().
Questions.Question->Answer
A careless admin running Linux is just as insecure as a careless admin running windows. I've seen the practices put in place by many hosting companies running Linux, and if they could be doing one thing better, it's security. For a careless admin, the only real advantage of using Linux and other OSS is price, and the fact that the openness gives them an edge over closed source software in bug hunting/vuln finding. Also, the Linux defacement number could be inflated, as a higher percentage of hosting companies may be running Linux, and attackers may target Linux over windows.
At least, not always
IMHO, the single greatest threat to having a site defaced is the use of insecure protocols for publishing. Let me be more specific: FTP. Most web development tools use FTP for their "publish" feature (e.g. Dreamweaver, just to pick on them). Securing FTP is a nightmare, with all the ports randomly popping up and so forth. You have to dumb down a firewall quite a bit, and having it tunnel over SSH only partially secures it (and you still have to deal with the firewall woes).
So, an employee goes home at night, and updates his company's web site over her cable modem connection, and the 12 year old down the block running a sniffer captures the user ID and password. She then passes this information on in a chat room, and voilà! The site is defaced shortly thereafter. It does not matter what OS the site is on.
Having said that, some systems are more prone to social engineering. If the server goes down due to numerous patches being applied (and the requisite reboots), a web developer might get used to the IS department resetting her password and thus more susceptible to that phone call asking for the login info. But my point is, web site defacements do not necessarily indicate the security of the OS. It is a combination of protocols used (how about only allowing SFTP?), policies, and implementation by knowledgeable admins. Unix (Linux, BSD, etc.) admins tend to be better at implementation and policy development than their Windows brethren, perhaps that is the causal connection.
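A defender-side check for the point in the comment above about cleartext publishing protocols, as an added example that is not part of the original thread: it reads `ss -Hltn` output (iproute2) and flags FTP, telnet and similar cleartext login services that listen on non-loopback addresses. The function names and the sample listing are constructed for illustration, and the port list assumes services run on their standard ports.

```shell
#!/bin/sh
# Added example (not from the thread): flag cleartext login/publishing
# services reachable from the network, given `ss -Hltn` style output.

# Map a port to the cleartext protocol normally found there.
# Assumption: standard port assignments; a service moved to another
# port is not detected by this check.
cleartext_name() {
  case "$1" in
    21)  echo ftp ;;
    23)  echo telnet ;;
    110) echo pop3 ;;
    143) echo imap ;;
    512) echo rexec ;;
    513) echo rlogin ;;
    514) echo rsh ;;
    *)   return 1 ;;
  esac
}

# Read listener lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port).
# Prints one line per exposed cleartext service.
# Returns 0 when nothing is exposed, 1 otherwise.
audit_listeners() {
  findings=0
  while read -r state recvq sendq local_ep rest; do
    [ "$state" = "LISTEN" ] || continue
    port=${local_ep##*:}      # text after the last colon
    addr=${local_ep%:*}       # text before the last colon
    case "$addr" in
      127.*|"[::1]") continue ;;   # loopback only: not sniffable on the wire
    esac
    if name=$(cleartext_name "$port"); then
      echo "EXPOSED cleartext $name on $local_ep"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample of `ss -Hltn` output for a web host that still
# publishes over FTP; not captured from a real system.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 100 127.0.0.1:143 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
LISTEN 0 511 *:80 *:*
EOF
}

# On a live host: ss -Hltn | audit_listeners
sample_ss_output | audit_listeners ||
  echo "cleartext services exposed: publish over SFTP (sshd) instead"
```

On the sample, the FTP and telnet listeners are reported, while the IMAP listener bound to 127.0.0.1 and the SSH listener are not.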
The OS is only as secure as the user. If a lame Linux user does everything as root, he's going to be more vulnerable than someone using Windows 2000 with a firewall. If a lame Windows administrator doesn't have a decent firewall and keeps all kinds of ports open, he's going to get hit too. It's about users knowing what they are using. But I have to say that a default Windows installation does appear to be less secure than most default Linux installations.
An unmaintained system is almost always more vulnerable than a maintained system, no matter what they are. Also, I don't know how secure you'd like to think GNU/Linux distributions are - they're made by humans who make mistakes.
But the recent attacks certainly give evidence for the Linux crowd. XP comes with multiple open ports by default, by default doesn't enable a firewall, and its mail reader by default runs arbitrary programs sent by attackers when clicked. Typical Linux distributions have no open ports by default, use a firewall, and don't stupidly trust attackers to send them "nice" programs when clicked.
The notion that Linux systems are immune is fundamentally wrong. Linux systems do make design choices that make them rather resistant. But it's all more complicated than "X is always more secure".
- David A. Wheeler (see my Secure Programming HOWTO)
The rest of us are OSS fans, and had a hard time convincing him that while he could use gobs of 3rd party software and his own knowledge to secure a Windows box as well as any of us could secure our machines, Windows was not "just as safe" because it has security holes you have to patch when you buy it. There are at least 5 processes that leave ports open in the background on any XP box when you install it. You don't get that with something like Linux.
He did make a good point that it's easy for typical users to secure Windows by buying a firewall, shutting off Messenger and running virus scans, but in order to make something really secure, you need a good, secure OS. It's hard to do anything that harmful in *nix without root access, and that requires things like password sniffers and keyloggers... things an educated computer user should be able to avoid.
It goes back to the fact that *nix is more secure for mainly two reasons -- design and the knowledge of its typical user.
IAALS.
I'd say the majority of those defacements are because of mistakes or bad design by the website's developer. I've made a few of those mistakes myself, but caught them before anyone else did.
If it was a vulnerability caused by Apache or the Linux kernel, you'd soon hear about it!
That's because there are twice as many Linux (apache) servers as Microsoft. How long did it take you to come up with this anti-linux angle?
Hey, if I told you that one in every two Ferrari F-40's explode for no reason, but only 1 in every 1000 Honda Civics explode for no reason, which explosions are going to be more noticed? Obviously Honda, as there are more of them on the road... so...
Linux may or may not be as bad for security, but when Windows gets exploited, it's felt... and it's felt HUGE!
---
Programming is like sex... Make one mistake and support it the rest of your life.
I think that the important thing here is the suitability of the application: If you set up a web server and want it to be secure [and are a savvy user] people would often go for secure/stable distros [e.g. Debian] because they are usually stabler to start with and the level of exploits from nothingness-level is very low. However, most people use the standard distro which is quicker for them: remember, [most] ISPs care about making $$$ first, and their security second unless they need security to keep the first [$$$].
However, the OS is often not the case: If you have the most stable OS ever , and you are running something as setuid or a stray *inetd service is running loose with root access, you have every right to be screwed: a stable system with stable software but a big gaping hole is going nowhere other than getting penetrated unless it is patched in time before somebody comes along and kills it.
So why does this happen with the M-company more? Well, this is because of the design [the code is just layered and layered and layered from old buggy versions: it gets less stable unless you add more code to stabilize it and of course, gets less secure and more prone to buffer overflows and the likes]. However, the user is also to blame: Users often install innocent software [which is designed by developers who write for an 'innocent' operating system...]... And the loop goes on. And when one thing falls out, the rest do. Like that stacking and pull a thing out game, whatever it's called.
I would like to think that linux is as secure.... the difference between Microsoft and Linux is the peer review of code in Linux. Microsoft can continually ship beta code and wait for their customers to test it for them. Linux has a more robust peer review of code that has many programmers with different takes on coding look at the code to see if it can be cleaned up/more secure. Microsoft is unwilling to stand up to such a review. Simple as that.
Most service vulnerabilities can be worked around... if anything, by replacing the software that provides the service. Not so with kernel holes. I for one run a couple of firewalls that I'd love to 'freeze' and switch over to CD booting and RAM disks. Unfortunately, I'm not confident enough in the invulnerability of the stable kernel. So I just upgraded both to 2.4.22 this morning, and will have to keep doing so until someone convinces me otherwise, even though I don't need any new features.
Comparing Linux server defacements and Window's viruses is like comparing apples and oranges. In one case we are talking about exploiting applications that run on top of Linux ie. a web server, in the other faults within the actual operating system that can potentially be devastating to the end user. Either way no piece of software is secure as long as someone decides to use it.
I think that the most popular OS, whatever it may be, will always have the most visible and damaging virii, worms, cracks... Not only will the media be more interested in problems that affect many people, but those who cause the problems are also more interested in affecting the most systems/people as possible. That doesn't mean that the other OSes are better or more secure, just less interesting to the troublemakers.
It's up to the sysadmin to make sure his server is secure. If his Windows or Linux or BSD server is defaced he can't blame anyone but himself because he is the one who made the choice to use Windows or Linux or BSD and he is the one who made the configuration.
Some links to learn how to increase the security on your linux box:
Linux Security HOWTO
Security Quick-Start HOWTO for Linux
Security Quick-Start HOWTO for Red Hat Linux
Computers > Software > Operating Systems > Linux > Security
Linux is a kernel, upon which you can run a number of applications. To say that Linux is insecure because somebody runs a buggy web application is ridiculous. If the defacement happens because of a exploit against the OS itself, fine, but that number doesn't reflect that.
A better measure would be to calculate the approximate economic damage created by a given security breach, and then adjust the figure to accommodate for the installed base. That is, if a Linux hack costs $1,000,000 and there are 20 times as many Windows boxes, then it's equivalent to a $20,000,000 hit in Windows terms.
This sig has been temporarily disconnected or is no longer in service
...BSD^H^H^HLinux is dying!
Show me on the doll where his noodly appendage touched you.
No good will come from comparing Linux security to Windows. We should be comparing it to OpenBSD. That gives us something to strive for, and will lead to improved Linux security. We will always be able to just sit smugly on our laurels if we make comparisons to Windows -- it just isn't much of a standard.
I think the answer lies in the number of installed systems running linux at home. Most viruses/worms today seem to recruit zombie machines to carry out larger attacks. The easiest machines to compromise are those installed at the home without firewalls. Nearly all of those machines are Windows based. That being the case, those who are taking advantage of security holes to carry out attacks focus on creating windows based worms/viruses since machines running windows are more numerous and accessible.
I also believe that if the majority of unfirewalled machines were Linux based, we would see more linux security holes exploited via worm/virus. I believe there is evidence to backup this claim in that there is a higher percentage of viruses/worms per security hole on average, written to exploit windows.
It has come to our attention that not only are you wasting your time posting to slashdot when you should be looking for a job, but you are also a moron. The W32.Blaster worm goes by many names, something you as a geek should know.
Please move out of our basement and take all your Hentai DVDs with you.
Love,
Mum and Dad.
I've actually gotten irritated enough with "Linux is more secure than anything!" zealots that I've considered writing a Linux worm. I seriously doubt it would be hard. Go find some old security advisories for Apache, SSL, and anything else you want. Hook together a Linux-killer worm that tries all of the exploits, installs a rootkit on the compromised system, and sets that one up to probe. If you wanted to be really evil, you could code it to start doing subtle damage after a week - wiping random passwords, deleting random files in users' directories, and so forth. After a few months it could start causing kernel panics if you wanted.
Would it work? Of course it would work. For all the "Linux is secure!" talk going on, what they really mean is "Linux is secure if it's patched up to the most recent versions" (curiously enough, this is the same as Windows). I'll bet you cold hard cash that there are plenty of old unmodified Redhat 5.0 systems out there. How many root exploits have been found in the last few years? How many holes have there been in Apache, SSL, Samba, any other program that's installed by default?
Nobody's done it yet - but that doesn't mean it's not possible.
The only reason I haven't written the worm is because, in the end, I'd cause a whole lot of financial problems and headaches for a lot of people who didn't deserve it. I'd love to prove Linux doesn't have intrinsic perfect security, but I don't want to actually do damage to prove it.
But just wait - someone's going to do this someday. In fact, for all you know, somebody already *has* - they've just programmed it to be unbelievably stealthy and only target systems that the admin hasn't logged onto in months.
Go on - prove it's impossible. I dare you.
Breaking Into the Industry - A development log about starting a game studio.
Both Linux and Windows must first be properly patched and locked down; the differences between the two are:
1. Linux's security model, when properly used, makes it harder for an intruder to go from "foot in the door" to "root access."
2. In the case of Linux, you won't have a whole new set of remote root exploits that need patching 6 hours later.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
OTOH, IIS servers are insecure by design, as a quick glance at your logs will tell you. Where else would all those requests for /c/windows/cmd.exe? come from?
Let's face it. The web is always going to be the Wild Wild West.
Help stamp out iliturcy.
Email virii usually rely on stupid, sleepy, or _____ people to click on the attachment. Since most of these people are usually on desktops, which means Windows, they get propagated out quickly.
Of course, security-wise, there will always be buffer overflows as long as coders are allowed to decide what kind of data to put in their own buckets. Right now, Windows is the OS that people love to hate and has most of the desktop share, and a good chunk of server, so naturally there is more attention paid to it than with Linux. I imagine as Linux becomes ever more popular, there will be more exploits out for it and its applications. (See: current Sendmail exploit.)
Just because you don't see many exploits out for CP/M doesn't mean it's the most securely coded OS.
-- MrMud
The Linux distributors are the ones that should address security in Linux. Developers also have a big part, but for the user it is more important that the dist he is using is secure out of the box. No unwarranted ports or services should run from scratch. If nothing vulnerable is running, not much can be broken into, right?
Developers need to make it easier to secure the systems. Often people tend to open up every port and set things too loose when they try to get things working. Better documentation and better configuration systems should help a great deal in those cases. Many times it's not Linux that is insecure but the admins don't know how to secure their systems. With more and more MCSE's using Linux it needs to be simpler to secure.
HTTP/1.1 400
Personally, I think Linux will always be more secure as long as Windows doesn't implement users and groups correctly. In XP, the default login is Administrator, which allows for access to EVERY single file on the system. The installation doesn't tell you this either, it just uses it if you set up only one account. With Linux, even if someone were to break your user password, or exploit their way into a user account, they can't do nearly as much damage as in Windows. Of course if they get the root password, you're just as screwed, but at least there's a barrier of protection between levels.
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
I always find this a laughable subject.
1. NT and its descendants are SUPPOSED to have a granular security model. However, it does no good at all to have a granular security model if you don't use it. Most every application I see either runs as Administrator OR must be installed as Administrator.
2. Linux may not have a granular security model, but in many ways this has been not as big an exposure since most admins have finally wised up and stopped running applications as root. As soon as a granular security model is globally available, I imagine pushback will quickly occur on application vendors to vanquish root access requirements (or at least they SHOULD stop requiring ROOT access).
Frankly, if end users and administrators had been demanding this early on, the exposures today would have been reduced many times. The easy road is not necessarily the best road.
There are coming POSIX standards and other security measures that will make Linux a very ROBUST solution and the easy equal of NT's security model. If vendors will just support those models, then we will all be better off.
One example would be MAC (Mandatory Access Controls).
I would just be happy once the ability to assign privileged operations to specific users/groups is widely available. I should never require a "root" account with all access abilities. More so, I should be able to have an account called "root" that by default has all access, and remove or re-assign them as needed.
Linux itself, and any OS can be very secure, in the hands of a competent admin. It's when you get a moron in command that the integrity of the system goes down the pooper. Even OpenBSD can get owned if a moron is running the show.
And remember: Website defacements are often a level above owning the actual server, PHP Nuke has an awful track record, with new holes found all the time, and other site management software is vulnerable as well. Cross-site scripting, CGI exploits may allow a level of access to a site, or even compromise a user-level account, but in the hands of a skilled admin, this is nothing compared to a fully successful root exploit, and can be dealt with.
And of course, no matter how good you are, if you allow remote root ssh connections, and your password is "demiguru" for every account you have anywhere, well then, you're just a dumbass. Yeah Nick, I am talking about you.
--Nuintari
slashdot : where an opinion can be wrong.
I don't want to be able to have VBscript code running when I get an email, and I don't want the script to have access to my address book or to my whole harddrive. I don't want my default OS install to have every possible internet service enabled; even if I'm gonna use it as a dedicated server.
Regarding website defacements, it's got nothing to do with the OS that the server is running. It doesn't matter how secure your OS is or how savvy the techie running the site is, if someone's using an insecure password or uses it insecurely (saying it out loud to someone only to be overheard or writing or whatever), the site could be breached. Also, many services (ftp, htaccess, not ssh or telnet) don't protect against brute force attacks on the passwords, so there's a security problem, there.
Another problem is that some ISPs have a habit of dispensing cookie cutter passwords (initial of first name followed by street address for instance) to new users, who generally won't change the password to something they can call their own, which could lead to further break-ins.
I agree with what one poster said earlier though, the more people who are running a given platform who don't know anything, the more likely a break-in will happen.
That's all I've got to say.
...spike
Ewwwwww, coconut...
Hmmm for today's defacements, I see there have been 16. I also see that they have all taken place on Win2000 servers. Also, while viewing these stats, I saw a banner-ad at the top of the page for Zone-H that says Windows is the most insecure OS and that 51% of defacements are performed on Windows servers.
While the problem may reside in software, i.e. not patching, updating, plain insecure code, I think many times it is also as a result of the users not choosing secure passwords. Just thought I would toss that out there.
I say Linux is *overall* more secure than Windows. Not because of the number of exploits, but the *attitude*.
Let's face it: nothing is 100% secure. As long as software is made by humans, there *will* be security vulnerabilities.
So, what matters is how you deal with bugs and vulnerability. The open source community is much better at this than Microsoft. Security patches are often released in a few days *and* peer reviewed. Those patches break a lot less things than MS patches because they're peer reviewed.
Also, no Linux email client supports automatic execution of executable code. This already eliminates most of the viruses today that are made by script kiddies. And you have to manually save the attachment to disk and add the execute bit. This is a lot of work for Joe Average.
Of course it's still possible to get a virus, but the point is that the overall chance is lower.
So yes, I'd say Linux and open source is overall more secure than Microsoft. Security is not measured by the number of exploits alone!
I think that the biggest difference is that there are a lot of people installing default redhat boxen for webservers. they don't have the knowledge to secure them.
of course, that happens in the windows world too, but the problem with windows is that it has so many hooks to allow apps to talk to the core OS with standard user permissions that it is that much more exploitable.
it's easier to take advantages of windows flaws so most people do.
The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
maybe that's because 60% of websites run apache/linux?
not to mention that i would think most defaces to be because of poor security thinking in scripting and other user made holes (or not properly being prepared for such, or using some poorly written apps with them) rather than holes and poor security thinking in the actual operating system the application runs on. obviously people don't write better php or whatever just because they're serving it from a computer running linux, nor do the blogs 'made with features only in mind with security as second' magically turn into secure applications, you shouldn't run any crap on your server you know no matter what the base system is. while the attacks on iis are rather generic and scanned in fashion and targeted at the serving system itself (as anyone who runs a webserver will know from their logs).
and sobig&others largely rely on user ignorance combined with poor security isolation(and far too easy execution of code you shouldn't run, and yes it shouldn't be that easy, if you can't be bothered to do it little harder you probably don't bother thinking if it's worth it), msblaster relied just on one hole that was on a service that wouldn't need to be on most of the time(or not even recommended to be on hostile environments yet is enabled).
anyways, what would be more interesting would be seeing numbers on defaces because of some very common php & other language mistakes (or some commonly used web apps that are full of holes) so that avoiding them would be easier.
world was created 5 seconds before this post as it is.
Linux is usually more secure than Windows mainly in the fact that most services don't run as root or administrator like Windows does. Also most Linux distros have pretty good security defaults compared to Windows. But it is really easy to find and configure a Linux distro to be a security nightmare which is far worse than any Windows distribution can ever be. It is actually a lot easier to make a Linux distro very insecure compared to a Windows system. Just because you are using Linux or OpenBSD or whatever else you cannot assume that you are invulnerable to security issues. To protect yourself from these security issues you need proper planning and knowledge on how to continue this plan. Although I know how much many Slashdot people hate consultants, if you feel that there might be something that may be a security issue or you have already had one I would strongly suggest that you swallow your pride and hire an independent consultant who can run a security audit on your network and help make and help implement a plan to help secure your network properly.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Kernel? Applications?
All operating systems are insecure by nature. Windows, Linux, Unix... ad nauseam. What makes Linux appear to be a more secure OS is that there are not nearly as many Linux hosts as Windows on the net and the technical abilities of Linux users are remarkably higher than your average Windows user and AOL subscriber.
Does anyone remember Redhat 6? How many people got rooted via SunRPC?
I really like linux... I run Debian unstable with:
hermes:~$ uname -a
Linux hermes 2.6.0-test4 #0 Mon Aug 25 15:25:10 CDT 2003 i686 GNU/Linux
File permissions don't mean a damn when you've got root.
But if Dell shipped 95% Red Hat boxen, you'd see a lot more Linux worms show up. Maybe not as many as Windows, but still...
Schnapple
Since Linux is Open Source, it is MORE secure. I think that it's pretty much like writing an English paper... more people proof-reading means more errors will be detected.
Many people would like to see Microsoft's code more secure, more stable... unfortunately, Microsucks is too short-sighted to release their code.
linux is predominately not on the desktop .. if it .. however, were rife with all the easy-use functions that win users have (executable attachments, etc) i expect it would be even more insecure, as coding for linux is a lot easier than writing for windows
because linux systems tend to differ widely (in contrast to windows systems, which are almost all alike in the way they do things) i don't think a single bit of code would be as widely successful
The way I see it, the reason you see more Windows exploits is because:
a) There are more people working to find exploits in Windows.
b) There are more people to affect by finding a Windows exploit.
What would be the point of distributing a worm that used a Linux exploit? Relative to Windows, Linux has basically no userbase, so you wouldn't have the "strength in numbers" to cause any widespread damage. Bottom line - if you want to wreak havoc, you need to do it on Windows, just by the numbers alone.
It really is the COMBINATION of factors:
* number one reason is probably that most user desktops are windows;
* an average linux user is a lot more technically savvy than an average windows user, and is much more likely to understand the importance of applying patches [my non-technically oriented friends ALWAYS IGNORE those "updates are ready for installation" messages];
* as a lot of posters have mentioned, Linux systems can be made more secure (open source, security-minded design, ...) -- if you know how;
* I'd guess people who create these things might use MS hatred as an excuse;
* there is greater diversity among linux software, whereas most people use outlook/msie on windows; (maybe to a lesser extent,) same is true for OS versions; this makes it easier to target MS.
* (Probably more that can be added here.)
So we have N sites hosted on Linux defaced. How many of these were because of people who ran an old sendmail on their webserver? How many of these were because of someone logging in via FTP or Telnet without encryption? How many of these were because of people with username "web" password "web"? How many of these were because Joe User set up some blog software without reading the documentation? (I suspect that this last segment, incorrectly configured web generator software, would count for a lot.)
The fact is, a default configuration (of most major distributions of) Linux box is more secure than a default configuration windows box. The Windows box will have the RPC port publicly available and exploitable whether it's a home system or a server. The Linux box typically has inetd with chargen, discard, daytime, time, and echo (and most current distributions disable most of these).
Then you throw the server on: Apache on Linux, Apache on Windows. I'd use IIS except that everyone uses Apache on Windows. Here, it's a draw.
Then you put up your webpage: Buggy PHP code on Linux, Buggy PHP code on Windows. Again, a draw.
So, we can see that everything else being equal and all parties equally incompetent and/or lazy, doing the absolute minimum work, Linux comes out ahead due to the remote exploits inherent in Windows. Joe Linux runs apt-get upgrade or up2date or whatever, and gets the latest fixes made available by their distribution. Joe Windows runs Windows Update and might get that critical patch, if Windows realizes that it hasn't gotten it yet. Or Joe Windows may have disabled windows update after getting the same patch 5 reboots in a row. Linux stays ahead.
So, where did it go wrong? Probably from Joe User deciding that it was too hard to use an encrypted ftp service or ssh2's sftp to transfer his website, and logging in over ftp over a cable modem. Or from Joe User thinking "I'm a badass admin and all because I've got every server available installed and open to the world, and what the hell is this snmpd? oh well I'll run it anyway!"
Remember this one thing about security: Your security on your boxes is proportional to your sysadmin's intelligence/paranoia levels. Ok... now, if we factor out human error... The question that remains is: Which OS is more securable: from my experience it is BSD... (pain in the ass.. but worth it in the end if you are super paranoid).. but not all apps will run in BSD... so for most people, Linux is their best bet.. yes.. people will be stupid and not patch their systems.. but that is the admin's fault (same w/ MS admins) but at least you know what's going on with your system, what services are running, and you can patch without restarting (big plus) .. while on MS systems you are at the mercy of your system... especially when things start going awry.. most of the time the solution for MS server admins (as far as I've seen) when their server is bombing... is to reimage the server :P ... so too bad if it's a production server
I'm concerned that your assertion that the average Linux user is more "systems-savvy" than the average Windows user doesn't fully address the situation. While the statement itself is more than likely true at this point (given the wide disparity between adoption of Linux vs Windows on the vast majority of consumer desktop systems), it doesn't necessarily follow that Linux systems are more secure due to the higher skill level of their users. Indeed, there may be reasons to believe that a Linux machine operated by a relatively unskilled user may be less secure than a Windows machine operated by another user with comparable familiarity with the Windows operating system.
Consider that the actual technical skill level between a Linux user and a Windows user is not necessarily that disparate. Easy-to-use installation assistants have lowered the bar, so to speak, for use of Linux. This is obviously a good thing if one is interested in propagation of Linux as a desktop operating system, but it can be dangerous if installation programs rely on [possibly uneducated] user choices for configuration of, say, sendmail. I have seen enough misconfigured Linux systems to know that many users, especially when first introduced to the OS, are unprepared to deal with the complexity of setting up and maintaining a [what may seem to be] dizzying array of network services & applications. While it is fairly easy for a person with little or no preexisting expertise or experience to run Linux on their home system, there is no guarantee that that person is running it well.
Combining inexperience with the open invitation to play around with the operating system's most intimate details is a recipe for headaches in any case, as most beginner Linux users no doubt discover. However, when misconfigured systems are connected to the Internet the potential for real problems rises dramatically. As adoption of Linux as a desktop alternative increases, you can be *sure* that the user bases are going to resemble each other more and more, and when your grandmother is asked whether she wants to run such-and-such service, can we rely on her (or the installation wizard) to make the right choice?
I see 100% windows 2000 defacements on the page. Does that mean we are no longer using Linux - and nobody told me!
...and I decided that it's really only a matter of time. Okay, so it's unlikely that a Linux user will run a strange attachment from an email, but we routinely download and install strange software from the net without thinking twice--after all, freely distributable software is the cornerstone of our culture. Besides, what kind of virus is going to ./configure, make, make install itself ;)?
For instance, they don't think having to type in a password to run Setup.exe is even remotely reasonable. Their view of the computer is: "if I want to do something with my machine, I should be able to just do it. Don't put anything in my way." And if they were forced to take precautions, their password would end up being something like 'a'. And a regular schedule of changing passwords? Forget it.
Another example, a little more relevant to this case: people want their email for sending dirty pictures, HTML joke pages, funny Flash or Shockwave animations, Active X games, etc. They'd be bored to tears if they had secure email. And they'd be pissed off at anybody who was responsible for it. Have any of you guys ever taken heat for banning popular but incredibly insecure software at your site? Or spyware.
And it's astounding how many supposedly intelligent people (programmers) who have you in their address books end up sending you virii because they were stupid enough to continue clicking on emails about 'Hot pics' or those 'Snow White and the Seven Dwarves' emails. Sheesh.
All this is not to say that Microsoft doesn't have some basic architectural issues--they do. But the unreasonable demands and silly behavior of many users more or less prevents them from changing any of it. And when they do change it, people ignore it for the sake of convenience. It's been possible to run as an unprivileged user for a long time with Windows. And it's not difficult to do. But guess how many people actually do that.
Do any of you stop to think about what % of those webservers are running linux vs some other operating system? The ratio of defaced web servers running linux is probably proportional to the number of web servers running linux, if not lower in proportion (just a guess).
"61% of the defaced servers run linux" as a stat by itself means precisely jack. You need some context.
Yet everybody is quick to start a massive argument about the security of Windows vs Linux, when really, this isn't even about platform security, it's about web site defacement, which doesn't even directly correlate to platform security.
heh....
There was a story on kuro5hin a few months ago about this, where a guy figured out a way to enter his own price for a product on an electronics website and was ordering hardware for less than what the page said it cost. And got away with it. This kind of hole is scarily prevalent I've found, as a lot of backend developers are very lazy and inexperienced people.
I think this is what's meant by 'applications' security. The box itself may be locked down well, but it's taking advantage of the open services in ways the developers never intended.
I can't seem to access the data noted in the Slashdot article. But other sources of data don't support this claim. See http://www.dwheeler.com/oss_fs_why.html#security - Attrition.org and alldas.de data suggests that, in the time they collected data, Windows was less secure.
- David A. Wheeler (see my Secure Programming HOWTO)
"I love you" and "soBig" both happened because too many people are using Windows, not because Windows in itself is insecure.
Any homogenous system will always be vulnerable to these kinds of attacks.
The problem with any homogenous system (ecological, social or digital) - even if it might be very effective and streamlined when it works - when one of the units fails: all fails.
The key to building resistant systems, is making them heterogenous. Nature has figured that out millions of years ago. The key to securing a species survival is variance.
The same goes for computer systems. When 90 % of the computers are running Windows, Office, Outlook, viruses like ILoveYou and soBig have disastrous effects. (The fact that there are several versions of Windows, with different SPs installed, is making it a lot harder to write effective viruses).
My biggest fear is that Microsoft will end up with a subscription system, and automatic updates. This could lead to a totally homogenous computer park... it is bound to be disastrous..
(note, this figure changes, so it might be different when you view it)
:)
If you don't agree with the data, make sure the data doesn't exist.
You say 61% of defaced sites run linux? Well, 64% of web sites are running Apache, according to netcraft. I will now wave my hands wildly and assert that those are all running on linux. Well, maybe not, but I suspect that a big chunk of that 15% "other" is linux. So, from stats (and hand-waving) alone, one should deduce that Linux is more secure than Windows.
...thus more media attention for a wormy. Pretty easy concept, innit?
If a train station is a place where a train stops, what's a workstation?
According to the given link, 17 out of 17 defacements are Win2K.
How does this reflect badly on Linux?
Lacking <sarcasm> tags,
Linux is only as secure as you make it. You can install Linux, with Apache, don't install the patches, don't update PHP, don't bother with shutting down unused ports, and your system will get defaced or cracked.
Also, defacing a website can depend on the applications running on that server...it won't matter what the server runs, if the cgi is insecure, it can lead to cracks. If you had 60% of servers running linux, 40% running windows, and all were running insecure cgi apps, you'd have a 60% linux defacement count, and a 40% windows defacement count - even though it's got nothing to do with windows or linux.
It's those communist dual-booters that we have to worry about.
You can't judge a book by the way it wears its hair.
The only way to know how many exploits and holes there are in Linux is to find them and fix them. (Fixing is important, as code changes at point X can impact the code at point Y. Thus, as one hole is closed, another could potentially be opened.)
To do this with every single hole in every component in a standard Linux install - in short, to produce an A1-compliant desktop OS, with all the capabilities you'd typically want - would be a financial and logistical nightmare. I did a quick back-of-the-envelope calculation on what you'd need in manpower, just to keep up with the rapid development of the software.
You're looking at a few million coders, and about the same number of Higher-Order Logic mathematicians. This translates to a cost of about a hundred billion dollars a year.
Now, you can argue that this is to get an exact evaluation of Linux, and to produce a completely secure implementation. To get a rough estimate only (no actual improvements, just the figures), you are still probably looking at ten to a hundred times the amount IBM spent on their certification.
Any estimates that anyone can reasonably afford are going to be impossibly inaccurate, and swayed by the mood of the day.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The above poster is absolutely right. For instance, when comparing applications on one system to apps on another, that's an entirely different discussion from the user model of Windows vs. Unix/Linux. The Windows user model is pretty retarded and very insecure, allowing all kinds of bad things to effectively run as "root", something that doesn't happen on Unix without some level of user intervention. Another major problem is the level of component integration within Windows. Why on earth does an instant messenger client need system level access, like it has (or possibly used to have, if they've changed things, although this isn't likely) with MSN?
If somebody discovers a buffer overrun error on Unix, as has happened from time to time (like the ftp buffer problem discovered many years ago), it takes a lot of machine and architecture-specific information to do anything invasive. But on just about any Windows machine, you need to know much less in order to successfully exploit a buffer overrun.
I don't consider the security of Windows to be anywhere near that of Unix, and I think anyone who seriously tries to argue that (or even question whether they're possibly equivalent) has a lot to learn about operating systems.
Well, what percentage of all websites are run on Linux? Do people who run webservers on Linux tend to put up more attractive targets for some reason? Maybe it's just more fun to break into a Linux system than a Windows one.
It's easy to see "61%" and jump to conclusions, but statistics can be manipulated so easily, you can't really trust them.
So the first step is to get used to that idea.
Beyond that is an optimally configured Linux system more secure than an optimally secured Windows system?
Yes, I think so, that's one of the reasons I use Linux. But let me ask you this, how many optimally configured systems do you think there really are? For that matter how sure are you that your system is optimally configured? If you have to spend even a couple seconds thinking about that question think about the average bloke.
There's a social flaw in the system as well, which thus affects all systems no matter what operating system they're running.
To secure your home you call in an expert. A locksmith, perhaps an alarm systems expert as well. Virtually everybody does this. It's so ingrained that it's considered a no brainer. You'd have to be an idiot not to have proper locks on your doors and windows, right? If your security is ever breached ( say someone steals your keys) you can't get to the phone fast enough to have the locksmith come over and change all the locks.
How often have you had a pro come over and check the "locks" on your OS? Do you even know anyone who can do this? Can you look one up in the Yellow Pages?
Why not?
If you are such an expert yourself how many systems have you, outside of your "job" bothered to secure for people? Are you too snippy and think that "lusers" just shouldn't be allowed to operate computers? Maybe you're a part of the problem. Help be the cure.
I've just given you an entrepreneurial niche on a silver platter. Why not take a nibble?
KFG
I personally would prefer to use an OS that has been refined over and over... and over.
It is very comforting to think that the OS I'm using has been improved by hundreds of thousands of people. Some of them have security in mind, some have performance in mind. I can hardly think that Microsoft has anything but the bottom line in mind. That's swell and all for the economy (kinda..?) but the bottom line doesn't help me sleep at night. The knowledge that I'm using an OS built by a generation, not a company helps me sleep.
As was stated in "Pirates of Silicon Valley" - it wasn't that Microsoft did it best, they just did it first. Any CEO that would say that... whose best interest did HE have in mind???
R-
Hard loop..... huh?
Dynamic Designs
Is Linux as Secure as We'd Like to Think?
That depends on how secure we'd like to think Linux is. It's fast becoming my pet peeve of the internet that after ripping someone up on premise, faulty logic, and everything else someone should base an argument on they turn around and say "yeah but you're not perfect".
While I clearly admit to not being perfect, the discussion is really not ever about my level of perfection. This story is about the same thing. While previously the security of Windows was discussed very well in the article "Windows insecure by design", this posting amounts to be a simple "yeah but Linux isn't perfect" as if to deflect the majority of technical problems people have with Windows?
So if you think Linux is perfect, then perhaps this article is for you. But if your main concern is whether or not Linux is inherently more secure than Windows this article (although pretending to answer that question) does not do a very good job of discussing that point.
On the web site you'll see an ad stating that over 50% of the web defacements they've categorized have been Windows, while closer to 25% of web defacements are Linux. That's in spite of the fact that the last 24 hours figure puts Linux at 61%. But no matter which is out front, the answer can only be that they are both not perfect and has no merits in discussing which is more or less secure.
And to me it's the "more secure" and why that is important.
As a personal note, this is my 1000th post. I've been around since Rob Malda was known for WindowMaker themes and was just starting out programming a blog. I suppose that means I'm not a very active poster, I'm sure that there have been people who've posted more in less time. But it's still rather a milestone...
That's an excellent first post.
I think you are about half right about the first point... how many really clueless users do you know that run linux? To run linux, a person has to get over the "activation energy" of actually getting it installed. This goes beyond just having a pretty GUI installer rather than some text-based option... it's actually knowing how to answer the questions the installer asks: How many joe-sixpack guys even know what an IP address is? Or know their primary and secondary DNS server addresses? If some well-meaning geek has installed a linux system for their grandma, they probably set up IPtables and killed all the unnecessary services... that's a HUGE security advantage right from the start. It's amazing what a clueful install can do.
But onto your second point. I think it has more to do with the variety of linux users/systems rather than their iconoclastic attitudes (though the latter probably breeds the former, so in a way, you could be right). As a medical professional, I'd compare it to a genetically heterogeneous population. In a MS-centric environment, there's only so many ways to skin a cat... Win2K, WinXP, et al. That lack of variability has administration advantages, but that sword cuts both ways. Common systems are easily administered, but just as easily cracked if they share a common vulnerability.
In nature, genetic variability is your friend... keeps an entire population from being wiped out by a plague. The Cystic Fibrosis gene is a defect, but saved some people from death during the cholera epidemics of the middle ages, and the gene has stayed in the northern european population ever since.
Variation on systems is FAR more prevalent in the linux world. Different kernel versions, different daemon versions, different firewalls, different configs (chroot, etc). Add that to a tech-savvy population, and a successful linux worm becomes a serious challenge.
It's really apples and oranges to compare linux and MS environments.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
The question asked "Is Linux as secure as We'd Like to Think?" (emphasis mine) reveals a lot about the mentality of Slashdot. Not all of us are zealots who ignore the shortcomings of Linux while blasting away at any slightest problem with Windows. Some of us realize that there are insecurities in all pieces of software and that proper administration of our systems is required for security, not just a simple choice between OS's or web servers.
Please stop acting like everyone here is part of the Slashdot groupthink.
Forget the whales - save the babies.
If Linux was based on a system developed 15 years ago it would have problems too. Linux is based on UNIX which has 25 years of learning and growth experience. While my choice of os is a *Nix, you gotta admit M$ drove lots of features onto the forefront of consumer computing, sadly they did it with horrendous coding discipline. Anytime you introduce that many new features, a LOT of holes and bugs will crop up. The real 'CRIME' is their lackadaisical approach to fixing them. I really think if/as the Linux user base spreads out, as soon as you begin to acquire the general (L)User community you will see the incident rate shoot up.
errr....umm...*whooosh* *whoosh* Is this thing on ?
I have yet to see a single Linux user who actually doesn't bash anything non-Linux to date.
One of the reasons why Linux is not as vulnerable to virii and worms is because it is so configurable.. I would liken it to the immune system in humans, everyone has the same "type" of human immune system, however, some people are immune (to a potential virus or infection) due to a slightly different configuration in that system.
On that logic, windows is like a million clones of one person.. So when one virus takes hold, there is no genetic diversity.
Anyone have any similar ideas?
....move along....nothing to see here....
Is man_of_mr_e trying to tilt the numbers in favor of Linux? Posting this story on /. is like waving a red rag in front of a raging bull. Here come the 1337 script-kiddies!!!
All bow to his Noodliness!! His Noodle Appendage has touched me!
The entire system is only as strong as the weakest link. What is really needed is a virus that searches out PCs unprotected by firewall/anti-virus programs and deletes all of the addresses in their address books. Only then will these things stop proliferating.
In the meantime, I suggest that everyone forward all of the Blaster and Sobig messages they get to Bill Gates with the subject line: I think this was meant for you! Maybe then we can all get back to work.
Sure the OSS community releases fixes faster, but how quickly do they penetrate the userbase? I think Windows Update is a far superior platform for distributing fixes than currently exists in the Linux world, if only because not every Linux distribution offers such a powerful tool.
Now I realise that you can also be the unwitting recipient of functionality and licence changing updates through Windows Update, but as a technology I think it's way better than what is available in the OSS world right now.
"Linux accounts for 61% of the defacements in the last 24 hours"
Does Linux hold a 61% share of webservers overall? If not, is it more or less than 61%? By how much?
Yes. Windows machines all have Outlook Express and IE and comprise 99% of the desktop market. Dumb answer for a journalistically 'dumb' question. Got me to answer, so it worked!
Someone more insightful than I can do the math. Exacerbating the problem is that while you can firewall vulnerable Windows machines, unless you also know about mail filters then the trojan horses will roll right through.
Wah!
I'm not entirely sure of the numbers, and I'm currently too busy (read lazy) to do the research, but I recall that linux/apache accounts for a large percentage of web servers. I would like to see a comparison between all the different web server platforms v. the defacement statistics. I would be willing to bet that there would be no statistically significant difference between any of the OS/web server program combos.
End of Line.
I suspect the bug rate of Windows is similar to that of Linux (at production release) If Linux had the popularity of Windows, we would likely see even more viruses. Why? because the vulnerabilities are well documented - the source code is readily available. Linux systems patch no quicker than Windows.
someone asked about the true nature of how secure linux is.
looking at the kernel and some drivers code is absolutely disgraceful.
how can such flawed, unclean code get checked in?
it inevitably makes you wonder how secure such a system is.
and whether it's getting as much attention from the hackers as a windows box.
On the /. Windows security bashing session based on the Washington post article, many claimed that it was a myth that Windows was more often attacked because it was more often used. They then cited Apache vs IIS as an example of how Linux was as widely used, but not attacked. Apparently, they were wrong to assume that Linux wasn't getting attacked on the web front. So maybe the correlation between use and probability of attack does hold some water.
There are really two different problems when it comes to securing against worms and the like, and for the moment I think Linux (and any Unix) has an advantage in both areas, although it's probably not as big as many people think.
First you have to look at what a rogue program can do once in the system. For this the entry vector is unimportant. With most Unix like systems the default is for the user to not have full privileges (eg, not be root), and thus the rogue program cannot make full use of the system. That doesn't mean it can't complete its mission, but it does make several things much harder:
The main issue is, most of the operating system differences don't mean much, as it's the applications that are the holes. From the simple password in a URL, to a complex buffer overflow attack applications are very often the vector into the system. Here you have to separate the cultural differences from the application differences.
Cultural: Many Unix users still used text based mail clients in xterms, and even when they don't the GUI's were designed to more closely mimic the behavior of those interfaces. Attachments are evil, when run are generally carefully handed to a program as data. In windows virtually all mail programs are graphical. Many users demand them to implement things like javascript that auto-execute, many of them will happily run a foreign attachment with little more coaxing than a mouse click. At the end of the day these differences require user education. That may be helped by a transparent OS, but it's still a user education difference.
Application Differences: Windows (Microsoft) encourages developers to build tightly coupled applications. Look no further than OLE. That ability to embed excel in your word doc and have it just pop up over the UI requires a tightly coupled API for program to program interaction, generally exposing full interfaces. Rogue programs can exploit this, often not needing to know what application is in use, but rather just the API. Unix developers / environments generally encourage a loosely coupled behavior. Programs provide some command line / pipe oriented service and handle all their own details internally. You need only look as far as printing to see this quite well, as windows pushes driver bits into the application to change behavior, while unix makes it all happen with a "system()" command running a new program.
At the end of the day, I believe the following statements are all true:
and MAC by default in linux.
BUT!
That does you little good in some situations as there still are local root exploits. At the very least one should take measures against executable stack exploits (why haven't you used GRSEC yet?)
Also, we need better auditing and unified log formats for PAM and syslog (ala Apache, or Sun's BSM). SNARE is getting there, but it still needs work.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Stuff a clothespin is made of: steel
Stuff the Empire State Building is made of: steel
So the Empire State Building is as flimsy as a clothespin? I think The Moderator Has Been Trolled...
There are some differences in the design philosophy of the two systems. Linux is built by and for techies. It emphasizes transparency and modularity, and ships with a model that no port should be left open by default, i.e. services should be explicitly turned on by a presumably non-naive user. Windows is built with the philosophy that the end user is an idiot, with an emphasis on all apps sharing data. Windows traditionally ships with every port M$ apps may eventually want to use wide open. Yes, I'm sure this model is changing. But go to their knowledge base, and they'll still tell you that you should just buy a firewall rather than disabling the Microsoft Message service that allows anybody on the Internet to broadcast pop-up messages to your box!
"Freedom means freedom for everybody" -- Dick Cheney
Most people who can use Linux don't double-click first and look at the attachment later...
I'd hate to be regarded as one of the thousands of people in denial posting on this article (I actually thought it was a very good topic), but I wouldn't place too much value on those statistics..
Suppose we have 10 linux servers, and 2 windows. 3 servers get defaced: 2 linux and 1 windows. So we have 66% linux and 33% windows.. but we also have that 20% of the 10 linux servers got hacked, while 50% of the 2 windows machines got hacked. Again, I'm not trying to add to the denial, I'm just pointing out that statistics need to be handled with care (or not at all).
--
Stay tuned for some shock and awe coming right up after these messages!
It has always struck me as disingenuous that Linux advocates claim Linux to be more secure than Windows. The common perception is that the entity "Linux" is inherently secure but the entity "Windows" constantly needs patching. This clearly isn't true, and it ignores the ongoing development cycle of *both* operating systems.
When a Linux advocate says "Linux is more secure than Windows" what they actually mean is: "When a flaw is discovered in Linux, someone fixes it quickly and a patch is released. It takes longer with Windows."
The quantity/severity of security flaws is not the issue. Both operating systems have security flaws and always will. The issue is the speed with which security flaws are fixed.
Don't fall into the trap of believing that Linux programmers are somehow "better" than Windows programmers, simply because the former are doing it for love and the latter work for Microsoft.
Similarly, don't forget that Linux is only secure because of it constantly being patched. This is exactly what people complain about with Windows!
Email viruses are Windows specific for two reasons.
1: Windows does a piss poor job of providing isolation for non-admin user accounts. In practical terms, you're forced to run your desktop as an admin because it's too hard to switch to an admin account to do mundane things like install printers, and some software will just not run right in a restricted account.
2: MS likes to provide all sorts of neat 'features' in their apps, like scriptability and 'run the attachment' stuff.
Put those two together, along with a few bugs (which ALL systems have) and a gullible user base, and you have a great virus propagation system at your disposal.
Linux (or any system with true multi-user support) is not very vulnerable to email viruses because programs run fine in 'mere mortal' accounts, so that even if a virus does get executed, it can't do ONE BIT of system-level damage. It CAN destroy the user's data, but the system continues to boot and run and other users are unaffected.
Service exploits are a completely different animal. They rely on bugs in the service software. ALL systems have bugs. As a programmer, it's annoying to keep hearing about the infamous 'buffer overflow', but they exist all over the place in all sorts of software. Until server software is either written in languages that provide better buffer support (I.E. not C), or programmers stop writing crap network code, the problem will continue.
Linux probably has a greater share of the webserver market than anyone else, seeing as Apache is known to have the biggest share and Linux is probably the most-used platform for Apache. To say that 61% of defacements are Linux without stating what percentage of total websites are Linux is misleading.
All operating systems, XP and Linux included, have a variable amount of security, which varies with how persistent and knowledgeable the sysadmins involved are. Linux isn't universally more secure than XP, because there are so many variables involved, mostly at the sysadmin or user level rather than the code level. However, I think it's a fair and rational statement to say that given the same level of security expertise and dedication to security, a person can be considerably more secure in a Linux environment than a Windows one.
11*43+456^2
I realize at this point no one will probably see this but let's look at this issue closer. Linux is a kernel, not a distro or a program. This is a main point. Windows also is a kernel. The amount of exploits on the Windows kernel vs the amount of exploits on the Linux kernel is where we can claim that linux is more secure. I use Linux everyday but I must say I have more faith in an experienced NT admin than I do in someone starting out with redhat or any other distro.
Rather than flame on about this that and everything it would be nice if we could all work towards a common good. Linux facilitates such an idea more than Windows which is why I use linux.
-- botsex is {grep;touch;strip;unzip;head;mount}
Go here
Check out Apache's numbers. That would be about the same percentage as servers compromised, assuming the vast majority of Apache sites are running on Linux servers.
Now let's look at which web server runs most virtual hosting environments.
That would be apache again.
So, considering that compromising a single apache host could count for defacements of *thousands* of sites, is anyone still surprised about the numbers?
The community of crackers that commits website defacements considers it "uncool" to deface windows servers (because it's "too easy"). Their targets aren't chosen at random, from all the webservers out there, but with a deliberate intent to prefer Linux targets to Windows targets.
L
Any virus, worm, etc. is designed to exploit weaknesses in a *specific* piece of software. Homogeneity is the enemy because it allows a virus to roam far and wide across identically configured systems. Thus, Microsoft suffers the downside of monopoly.
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
What they don't tell you is that probably 95% of the systems had Microsoft's Frontpage extensions installed...
Not if Bill has his way. Legions of MS evil code monkeys are studying the source code of LINUX to write anything to discredit the perception of security.
</sarcasm>
Seriously though, Patching is the key to every OS. I was shut down by my ISP because they had received complaints that I was hacking other users. I had fallen behind on my firewall distro patches and the LINUX box was the culprit, not my windows box. So, I wiped the trusty p200 clean, installed a new firewall package, and cleared things up with my ISP and life goes on.
As others have said, any lazy admin can fuck up a perfectly secure system. And nowadays it really doesn't even take that much effort. In the network I'm on I have multiple Linux servers which I consider to be quite secure, but there is the one server I DON'T admin that's so bad that I consider it a total write off - all other servers actually drop all packets from it. And the guys who run the server refuse to fix it (redhat 7.0) because "something might break". Well whatever, I'm sure when the shit hits the fan, I'll get blamed - but it made me realize that Linux isn't by itself secure.
Is it more secure than windows? Yes. Download a virus and double click on it in windows, chances are you just got the virus. Do the same thing on Linux. Now you have to assume that A) you're running as root, or that the virus can exploit something to gain root. B) it would have to be marked as executable in the first place to run.
The difference comes in the tools that are available to increase security. Mounting partitions as noexec, chroot, etc. Better yet, when you go to the BSD side there are even more security tools to mess with. One thing that Microsoft will probably never understand is that it isn't always that "x" is cheaper than "y" or that "x" is faster than "y" - sometimes it's the tools, mindset, power and flexibility that count the most - and in this area, Linux will probably always be ahead.
Hi there, Hunny-Bunny.
I got this soooo kewl little shellscript, which is sooo sweet and good and all. You just have to do a little 'chmod u+x' on it and then it will dance just for *you*. PLEASE try it! Really, you've got to check this out!!!!
Attachment:
SayByeByeToYourData.sh
We suffer more in our imagination than in reality. - Seneca
Vulnerabilities come in many flavours. Linux's and Windows' relative vulnerability depends on what you look at.
Are Linux desktops in general more or less vulnerable to email viruses? Probably less, because (1) most Linux mail clients are smart enough to not execute code sent as an attachment; and (2) most Linux processes run as an unprivileged user rather than as root/administrator.
Are Linux servers more or less vulnerable to service exploits and service worms? Probably more, because (1) Linux comes with a lot more services, and a lot more services tend to be installed; and (2) most Linux variants make it more difficult to patch a Linux system and don't provide patches as long.
Are Linux systems more or less vulnerable to trojan horses? That's out of scope -- trojan horses are a human issue. Both Linux variants and Windows have/plan to have a notion of a signed package, but the system doesn't require it, so a determined human can install a trojan horse.
Are Linux systems more or less vulnerable to privilege elevation exploits? Probably more -- Windows systems don't privilege elevate as much as Linux.
Are Linux systems more or less vulnerable to physical attacks? That's out of OS scope -- with physical access, any OS can be preempted. [Cryptography in the FS can guard the data and/or OS install, but isn't usually used, and is impractical for the OS as a whole in most scenarios.]
The statistic that started this was website defacements. Note that apache has an unusually high percentage of websites per www.netcraft.com (63.98% for August 2003), so it's not surprising that Linux has an unusually high percentage of defacements.
That's interesting, but have you heard the news about JAP having a back door? Now that's news. Run a fucking story about it already, slashdot!
A good portion of Windows-based virii spread through e-mail. Address books are read and copies of the virus are sent to all of the victim's friends and associates.
Because this form of attack almost always hits Outlook, it just isn't a problem for Linux. I've received CHECK OUT MY C00L SCREENSAVER and I LOVE YOU viruses, but amazingly they don't seem to bother my mail client. A linux virus that could deal with multiple distros and multiple email clients (elm, pine, mutt, etc) could potentially propagate itself as well as a Windows virus, but who would want to go to all that trouble when hitting MS products is so much easier?
It seems to me that all of those results deal with how to go from 6.0 back to 5. Not very helpful for someone who wants to eliminate the program completely.
The biggest holes were probably in the FTP servers, and one reason the Windows machine was safe was that it wasn't running any Microsoft servers, only clients and a freeware web server that nobody had apparently cracked. I first discovered the problems when I saw (from the tcpdump that runs any time there's nothing better to do) that my machine was pinging a machine at a university in Sweden a lot - I contacted the admin there, who told me it was the Stacheldraht DDOS zombie program, and pointed me to a site with info on cleaning it up. (I'd already killed the process - the crakk0r's rootkit modified ls and ps so that it wouldn't show up, but didn't bother with /proc and some other tools....) The next week it was pinging WashU in St. Louis, which seems fair since I was running wuftpd, and the following week it was responding to pings from a machine that looked like it was at MIT (after getting ZERO usable contact information from MIT's web site or student help desk, I contacted one of their security honchos that I know from other channels - he said that it was actually a machine in Japan that had an IP address that was byte-swapped from MIT's, but somehow managed to be running DDoSware anyway). After I cleaned it up that time, the (*^%*(!&%#ers got annoyed and reformatted my disk drive....
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
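The cross-check that comment relied on (a replaced ps hiding a process that /proc still lists) can be automated. The following is an added example, not part of the original thread; the function names and the sample PIDs are constructed for illustration.

```python
"""Cross-view check: PIDs the kernel lists in /proc versus PIDs `ps` reports."""
import os
import subprocess


def parse_ps_pids(ps_output):
    """Return the set of PIDs in `ps -e -o pid=` output (header words are ignored)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def list_proc_pids(proc_root="/proc"):
    """Return the PIDs that have a numeric directory under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def run_ps():
    """Ask the installed ps binary for every PID it is willing to show."""
    result = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True)
    return parse_ps_pids(result.stdout)


def hidden_from_ps(proc_before, ps_seen, proc_after):
    """PIDs in /proc both before and after the ps run, yet absent from ps.

    Requiring presence in both /proc snapshots filters out processes that
    merely started or exited while ps was running.
    """
    stable = proc_before & proc_after
    return sorted(stable - ps_seen)


def describe(pid, proc_root="/proc"):
    """Best-effort command line for a PID, read straight from /proc."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:
        return "<exited or unreadable>"
    text = raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()
    return text or "<kernel thread or empty cmdline>"


def scan():
    """Run the live check on this host; returns [(pid, cmdline), ...]."""
    before = list_proc_pids()
    seen = run_ps()
    after = list_proc_pids()
    return [(pid, describe(pid)) for pid in hidden_from_ps(before, seen, after)]


# Constructed sample data: PID 666 is listed in /proc but missing from ps,
# 9001 exited and 9002 started during the check (both are ignored).
SAMPLE_PS_OUTPUT = "    1\n  412\n  977\n 9001\n"
SAMPLE_PROC_BEFORE = {1, 412, 666, 977, 9001}
SAMPLE_PROC_AFTER = {1, 412, 666, 977, 9002}


def demo():
    """Apply the comparison to the constructed sample above."""
    return hidden_from_ps(SAMPLE_PROC_BEFORE,
                          parse_ps_pids(SAMPLE_PS_OUTPUT),
                          SAMPLE_PROC_AFTER)


if __name__ == "__main__":
    print("constructed sample, hidden PIDs:", demo())
    if os.path.isdir("/proc"):
        for pid, cmd in scan():
            print(f"in /proc but not in ps: {pid} {cmd}")
```

On Linux the stock ps reads /proc itself, so a mismatch points at a replaced or wrapped ps binary rather than at the kernel; code that filters /proc inside the kernel would pass this check. PID namespaces and the `hidepid` mount option can also produce differences, so run it as root on the host.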
People do things for reasons. Remove the reasons and they won't do something based on a reason that doesn't exist (there are exceptions to all the rules and mindless people wandering around to ensure this).
Often the defacement of a site is like a graffiti (sp?) paint spray can artist. They are just tagging a spot saying they were there. Meaning the results are more often than not just pointing out a weakness in the site that needs to be fixed.
As to security issues of OSs, again, give someone reason to break in and they will. Now don't we all know that there is plenty of reason to give MS grief and that MS have actually earned the receipt of such grief?
Consider the DoS attack on SCO. Would it have ever happened had not SCO earned it?
You want security from internet invasion? The only sure way is to not be connected to the internet. For what we make we can break and locks are only for honest people.
There is the question of GPL source files having been accessible to someone who cracked into the FSF system and over a period of months before being detected. But it appears there was no damage done, via pre-existing check-sums of the files.
The point is - if you could crack a site, would you really want to? And if so, what sites would you want to crack and why?
Take your most savvy Linux guru and your most savvy Windows mouse-clicker (can often be one and the same person). Let each set up a secure server and point each server to the Internet.
Now sit back and wait for shit to happen.
Eventually it will be proven that the best platform is freebsd.
The issue is that scads of IT shops consist of people who are skilled in applying some vendor's patches and security updates, but not in the underlying system(s) or network technologies. Whether that vendor is Microsoft or Red Hat, all the worker bees know how to do is install patches. And this patching and support is mainly what all the corps are paying for.
Think of it this way - using linux or bsd as an example, doesn't it make more sense to use a free one and employ admins and programmers who know how to build and support your network, and have *them* hire worker bees as needed? Why pay an external party for support when it might cost less to hire knowledgeable engineers in house and have them do the work? Or, if the admins are already savvy and are working hard even *though* you're paying for some vendor's support, then why pay for that support anyway? Just use a free opsys and do the same amount of work.
As long as IT shops are filled with patch-pushers, these issues will continue. With linux the chances of a massive worm or email virus outbreak would definitely be smaller, and bsd smaller still. But the opsys isn't the only problem. Corporate IT is its own problem.
Run your servers on openbsd - they'd love to be held accountable.
The heat from below can burn your eyes out
It probably isn't. A secure network is a network with all devices unplugged from the network. A secure server/workstation is a server/workstation that is powered down, in a vault with the key thrown away.
What's the most secure option?
- Constantly update all software/firmware/antivirus.
- ALL employees should frequently change passwords (consider forcing changes on a regular basis (1 week where I work)).
- Monitor your networks.
- Create restrictive firewall rules (boo hoo...the workers can't IM their buddies...GET BACK TO WORK!!!).
- Antivirus should be installed on all machines (servers/workstations).
- E-mail virus filtering solutions must be implemented.
- Keep up to date with security publications, lectures, software, concepts, etc..
That's all the preventative requirements. Now on to the most important part of security, realizing that you still have a good chance of being compromised.
- Intrusion detection software wherever possible.
- Have a plan ready to implement in the case of an intrusion.
- Use the 5Ws and an H (Who, what, where, when, why and how.).
- Make sure you have contacts for any help handy and available to any personnel who might be involved in post-intrusion procedures.
All of this is a pretty big job. Something that should perhaps be handed to a person or group of persons (depending on the size of the company you represent) who can work this on a full-time basis.
Security is as strong as your weakest link. You are the weakest link. Get some stacker 2 and beef up!
When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing.
So just out of curiosity, did you submit your changes to the PHPNuke folks? Or just fix it for yourself? Seems it would be a kind thing (good for your karma, and not just the /. kind) to submit security fixes, if you know they exist.
Care to comment on where you made some of your fixes in the code, so that if you didn't report them yourself, then someone else can make those fixes public?
Thanks!
The 'Unknown' category probably contains all of the listed systems in much the same ratio as known systems. I don't see how that would change Linux percentage.
Whenever a virus or worm creeps its way around the internet, my daily routines are pretty much unchanged. I don't worry about .exe files showing up that I don't know about, I don't worry about getting viruses in my email, and I often don't even worry about lots of pop-up ads. My girlfriend asks me about these viruses too, as she wants to know if her computer will be safe, and I always tell her the same thing: don't worry about it.
We both have Macs.
Traditionally, the Mac has had its share of viruses and trojan horses and everything else, but "its share" is way less than the Windows world. Market share alone tells us that only about 4% of computers out there are Macs. Simple math tells me (an English major, so correct me if I'm wrong) that there are 24 times as many people who code viruses for Windows than those who code them for Macs.
So, when these things go around, it's almost always for Windows. I do check up on the latest viruses and worms to make sure, but so far there has been no major attacks for the Mac.
What all this means is not that the Mac is any more or less secure than Windows, but that it is simply less popular. As is Linux. If Linux were on 96% of computers, there would be just as many, if not more, of these things going around than there currently are for Windows. The only reason my Mac is secure is because there aren't many of us out there compared to our Windows counterparts.
It is frustrating when Linux users (and Mac users too, though they aren't as militant about it) blather on about how insecure Windows is. To me it's almost a form of sour grapes. Microsoft has Linux outnumbered any way you slice it, so Linux users respond by pointing the finger when Windows users are bothered by these worms and such. I'd like to see what would happen if the positions were reversed.
http://www.walkingtaco.com
All the security precautions you take are rendered useless if the weakest link is broken. For example, if a script kiddie gets a root password via packet sniffing, dictionary password cracking, grabbing a password off a sticky note on your computer, etc., all your security is compromised because one link has failed. Notice that some of these weak links are not even dependent on operating system; it's human error.
Script kiddies also have a lot of sources of information these days for hacking the gibson. For example, all script kiddies would know that the most common passwords are god, sex, and love if they have seen the movie Hackers. These great reference materials are turning script kiddies into hardcore black hats. Hollywood has captured the nature of hacking with surprising accuracy which can be used against us. I.e. wearing flashy clothes with rollerblades to hack while being highly mobile and trendy, using GUIs that simulate a computer system as a digital city, visualizing how a worm actually works. Scary. j/k
"There is no spoon." - The Matrix
It's not about what system is most secure. It's about which sys admin is most competent to set up their servers. It's pure stupidity how this starts becoming a red team, blue team situation.
Not to sound like RMS, but what exactly do we mean by "is Linux more secure"?
We really need to say: is Linux, Samba, Apache, Mozilla... more secure than the Windows core ( which would include things like the DCOM exploit ), or SMB, IIS, and IE...
The real question here is, can one company be as secure as the open source community.
This is a really complicated question. In one way you could say yes, because of the huge testing advantage an OS project has. This could also be turned to no if no one gives a fly f*ck about the project except its core developers and it doesn't get tested. Microsoft has a disadvantage about testing, but a much more real obligation to provide secure systems. Linux users like to boast, but windows has a very real financial obligation ( they are public ).
MS is going to get hit more, because they have more users, and the users they have are not always up to date or as intelligent. They also have a lot of people who blindly hate them. This is actually going to be to their advantage in a few years.
There are two very real problems with MS and the way they go about patches that I see, two problems that Linux is on top of.
1) most require a reboot.
If this wasn't the case, it would be perfectly okay to automatically patch. My production database server couldn't be patched right away because it needed the uptime ( I had 225 days before the damn blaster thing ) and we can't afford a cluster to switch over to while we upgrade. I tried every workaround, but ultimately I had to patch and restart the thing at midnight on a Saturday. I'm sure on a Linux box I could have fixed the exploit without bothering my database box. Or maybe I'd have to disable a feature while it happened.
2) Patches not very available.
I remember MS's site went down the day I was patching for the dcom exploit, because of a DDOS, but this is retarded with the web. They should affiliate with trusted providers like download.com to make sure you can get to these.
MS puts out some good products, sometimes they make stupid mistakes in design ( but sometimes so does the Linux kernel ). The real advantage here is that Linux patches itself ( the community ) while MS seems to always have a security firm find their crap. There was absolutely no reason to have a buffer overflow in DCOM, none, zilch, zero. If it had been some weird or interesting exploit I would have felt something for them, but a buffer overrun, get your crap together.
The same goes for C/C++ Linux guys. I'm surprised there hasn't been a security library standardized. Java guys can rest easy, at least for the buffer overruns, but there are plenty of ways to write an insecure Java app.
I think overall the response was good to blaster, but worms do have a real threat, but ultimately the immune system of our computers ( their programmers ) will figure a way around.
Windows is just bad code for the most part, (not that we could see it, but you can always tell..) Linux is, for the most part, just better code, especially underneath where it counts. It's true, most Linux users (and admins, hopefully) are more security savvy, but there is also the fact that it's much more difficult to run arbitrary code as root on a unix system. Getting root the dirty way in Windows is much easier. If people are dumb and allow access to WU-FTP or something, of course they are going to get hacked.
TallGreen CMS hosting
If you look at the Netcraft survey of web servers, you'll find that about 66% are running Apache or Zeus.
Within the margin of error of the statistics, it's pretty much an even distribution of defacements across various OS's.
bp
> Species of Windows Programmer: Human
> Species of Linux Programmer : Human
> Chances of human error making it into the code: Equal
Ratio of Windows versus Linux Internet platforms: About 5:4
Ratio of IIS versus Apache Internet servers: About 2:5
Ratio of Windows/IIS versus Linux/Apache major real-life exploits: Over 10:1
Number of current unpatched IE security holes: 21
Possibility for the user to patch IE himself: 0
Conclusion: The biggest problem-causing factor is Microsoft.
That is dangerous! There could be a hidden or obfuscated loophole. I, for one, never run any code that hasn't been written by myself while under polygraph examination. I keep my website running in a concrete block under the ocean and I keep all the clocks in my apartment running at different times, just in case my future self came back in time to try to sabotage my project. Everyone should do it.
:-)
When I introduce someone to coding I chop off their hands and then hide them to be sure they won't code anything. New users think I'm paranoid and arrogant but I don't want any one of the mindless rabble to come and get me in the middle of the night when the KGB hacks their site.
Most of those I know run Windows, but they are also rather tech-savvy and run it
a) patched
b) firewalled
c) with anti-virus scanner
And they're not bothered with any problems. Then we have this one guy I know. He'd open and run anything and everything, gator, backorifice, subseven, irc worms, the works. No firewall, no anti-virus, not updating the OS.
Linux would do no better if people ran around as root all the time and would launch whatever was sent their way (because people would *want* it so that they can easily launch it).
Though I suppose Linux would score much higher on one group - those with one tech-savvy guy (read: the geek) and a bunch of non-tech users (read: mom, dad, imaginary gf, younger (or elder...) brothers and sisters etc.) At least unless they got tired of it and all want root access, that is.
Kjella
Live today, because you never know what tomorrow brings
I personally use Mozilla for email on linux (redhat 9), and as a simple test I sent myself an email with the /bin/ls binary attached. When I click on the attachment, I get a save dialog box which gives me the option to "open using an application" or "save this file to disk". There is no option to execute the code, let alone having such a dangerous choice be the default!
Continuing the test, I saved the file to /tmp, and Mozilla set the permissions to -rw-------, so in order to actually execute the contents of that file, I would need to use "chmod" (or the equivalent in a GUI-based file manager) before it could be executed.
I have not tested with Evolution or other popular email clients. But if they are anything like Mozilla, where the user CAN NOT EASILY EXECUTE ATTACHMENTS and all attachment files are SAVED WITHOUT EXECUTE PERMISSION, I think it's safe to say the Linux-based systems are much more resilient to email-based virus code.
Of course, Microsoft Windows could have been made similarly secure if Microsoft (and others) had taken these simple measures. Well, at least not allowing executable code to be executed with a single click of the attachment. It's been many years since the first MS executable virus code and it's a continuing problem. When will email client software on the Windows platform finally reform to disallow easily executing attachments?
Even if that were the case, to equal the level of protection that Mozilla/Linux has by default, Windows would need to implement execute permission (does it have this feature, even if it's never used to disallow execution?). Then the software would need to save all attachments without permission to execute them.
This exists today on Linux with popular email clients. Until Microsoft and others take these extremely simple precautions to prevent casual users from easily executing attachments.... or creators of Linux-based email clients make these incredibly unwise design decisions to allow easy execution and turn on execution permission by default on saved files, I believe it's safe to say that Linux systems are much more secure than Microsoft Windows based PCs, in terms of propagating email attachment virus code.
PJRC: Electronic Projects, 8051 Microcontroller Tools
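The save behaviour the comment above observed (attachment written as -rw-------, so running it takes a deliberate chmod), sketched as an added example that is not part of the original post and is not Mozilla's code. The sample message, addresses and all function names are constructed for illustration; the file-name sanitising goes slightly beyond what the comment tested.

```python
import os
import stat
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
import tempfile

SAFE_MODE = 0o600  # rw------- : the mode the comment saw on the saved file


def build_sample_message() -> bytes:
    """Constructed sample: a mail carrying a fake 'binary' attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "reader@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    # The sender controls the file name, so it may contain path components.
    msg.add_attachment(b"\x7fELF constructed, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="../../bin/ls")
    return msg.as_bytes()


def safe_name(raw) -> str:
    """Reduce a sender-supplied name to a plain, non-hidden file name."""
    name = os.path.basename((raw or "").replace("\\", "/")).lstrip(".")
    return name or "attachment.bin"


def save_attachments(raw_message: bytes, dest_dir: str) -> list:
    """Write every attachment into dest_dir with no execute bit set."""
    msg = message_from_bytes(raw_message, policy=default)
    saved = []
    for part in msg.iter_attachments():
        path = os.path.join(dest_dir, safe_name(part.get_filename()))
        # O_EXCL refuses to overwrite an existing file or follow a symlink
        # planted at that path; the mode is applied when the file is created.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, SAFE_MODE)
        with os.fdopen(fd, "wb") as fh:
            os.fchmod(fh.fileno(), SAFE_MODE)  # explicit, independent of umask
            fh.write(part.get_payload(decode=True))
        saved.append(path)
    return saved


def is_executable(path: str) -> bool:
    """True if any of the user/group/other execute bits is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def demo() -> dict:
    """Save the sample attachment, then perform the manual chmod step."""
    with tempfile.TemporaryDirectory() as dest:
        path = save_attachments(build_sample_message(), dest)[0]
        mode = stat.S_IMODE(os.stat(path).st_mode)
        before = is_executable(path)
        os.chmod(path, mode | stat.S_IXUSR)  # the deliberate step a user must take
        return {
            "name": os.path.basename(path),
            "mode": oct(mode),
            "exec_before": before,
            "exec_after_chmod": is_executable(path),
        }


if __name__ == "__main__":
    print(demo())
```
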
Comment removed based on user account deletion
It is clearly the duty of the users to serve the computers. Users exist only for the computers' benefit.
And if whatever I want to happen takes longer than I'd like, it better be a damn pleasant experience along the way!
Spoon not. Fork, or fork not. There is no spoon.
So, even though the standard Unix security model offers more protection than the Windows 3.x/9x lineage, you can still pull an XP Home (where by default every user is an Administrator) if you work at it.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
I'm not so sure. There are lots of those savvy and knowledgeable people on Windows, just as there are lots of "k3wl, I'm so 1337 d00d, because I run Linux and not M$ Winblows" amateurs out there.
These same users are the ones who end up configuring their webserver with passwords such as "god" or "admin." A secure O/S is fine and dandy, but it doesn't help all that much against the same general stupidity that afflicts windows and linux users alike. How many servers are defaced because they're either very behind on security, or simply easy to get into?
Not only that, but we have a lot of people who don't know as much about security as we would like. I personally don't know as much as I'd like. How many admins who know how to configure httpd.conf for apache are good at plugging with iptables?
At work, any sensitive online-based sites are restricted to a certain port, and allowed only from local addresses. Yes, by IP-spoofing they could avoid that, but at least it's an extra level of security. How many people bother with this? A lot can be done at the firewalling level, before any attack even gets near your daemons...
Here's the important point: given any organism there's a virus that'll defeat it. So the strategy is to ensure that your offspring have variety.
Unfortunately what we have in the computing world is something of a monoculture. Everyone (OK, I exaggerate, but only slightly) runs Windows and everyone is at risk from the same viruses. And when those viruses hit everyone is taken out.
If people valued security, and chose an OS with a smaller user base as a strategy to deal with security, we'd have that variety and we'd all be much better off.
It's funny. When A says "I use Linux and don't get any viruses" and B responds "that's because so few people use Linux" B is failing to see that that's actually a perfectly good reason to choose Linux.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
Is that 61% a stat-lie?
If there are significantly more Apache websites compared to MS-Win websites on the internet, and the numerical coefficients of the variables used in the equations were not weighted appropriately, then a condition (of at least) co-variation was not taken into account ... the interpretation of 61% is in error.
Also, novice websites (Apache, MS-Win, ...) are frequently defaceable. I believe, due to the obvious (cost for a Linux+Apache+Skill+Daring) already stated by others, means that the most easily defaced websites are in fact probably "Linux+Apache", but also the best most secure websites because of the open-community+collaboration+... implies (for me) "Linux+Apache" makes the best websites for business and government.
So, I suspect stat-lie. However, I ain't done any major data crunching with FORTRAN and arrays in almost as many years as serious code.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
There is one more aspect to this problem which I think doesn't get mentioned as often as it should be - Windows is a lock-in (or lock-out, depending on your perspective) platform, and Microsoft's own apps for it are also designed to tie you to that platform. So yes, it may be that in 2010, 65% of the great unwashed will be running their shiny new LindowsOS 2010 as root and get the same amount of viruses as today... but I won't have to give a sh*t about it, because I will be able to run FreeBSD, or the Hurd, or OpenBeOS or whatever the heck I want. Without pressure. Without people telling me "Sorry, we only support this OS / browser / office file format, because 95% of the world uses it anyway. Why don't you just run [insert expletive here] like everybody else?"
Once an open-standards platform gets into the mainstream, anybody who runs the exact same software as Joe Blow will have only themselves to blame. Anybody who actually cares about security or any other IT-related issue will be able to avoid the mainstream if they wish to do so.
Sorry for the rant. I just had to get this off my chest.
was written for Unix. I hope people don't forget that, but I doubt they will. The difference is most Unix people care about reliability and most people from the Microsoft camp relish viruses because the truth of the matter is tech support revenue is much greater than the cost of Windows.
There are some stats (look for the pretty pie charts) which can help explain the percentage, along with a few key thoughts and speculations:
People just don't take the age old adage of "An ounce of prevention is worth a pound of cure"
Most people are just too busy to apply the patches. I admit that I got hit with Blaster, but only because I had other priorities.
Windows XP has automatic updates, if you don't like to use it, then MS provides a nice little link to the Windows update site on the Start Menu.
If you're a Debian flavored Linux fan, "sudo apt-get update" works easily and well and runs nicely in the background. If you want it to be automatic, stay with stable and put it in the cron.
Of course I saved the best for last. For the Mac lovers out there, System Preferences > Software Update is two clicks away, and for most people it is already automatically set for a weekly update.
That's just my $0.02. Now if I could only get away from /. and go patch my 'puter.
That's simple: In GNU/Linux most of the things concerning security are done because they're needed. F.E. some code can be possibly buggy, so a bunch of people/firms/institutions/whatever, before they start using this given software, make an audit of the code, and any possible holes are fixed etc. Most of the cracker attacks compromising Linux are related to people simply not installing patches, or buggy, not updated OS scripts running their websites etc. Windows also could be fixed but M$ won't fix it! Because they don't want to. Because this would break compatibility (which still tends to be more important to them than security issues) etc. I am talking about those holes in MSOE, MSOffice that existed a long time and still aren't fixed etc. These holes/dangers are still there!!! Next thing is about updates. Windows is harder to maintain. Still nobody wants to install tons of single, so called "patches" because they may make the system unusable (Yes! they may do that!) or it is just uncomfortable to install 100 patches. So people think "If it works - leave it as is... Till it works". Still M$ delays SP2 (so called "cumulative patch") for Windows XP due to "unknown reasons" etc. - this is ridiculous! Vendors WANT cumulative patches so they can sell a system patched OOTB. So do users - users WANT cumulative patches so they can patch their system easily etc. M$ is talking bullshit about their Trustworthy Computing bla bla but these are just words - security means that you must drop some compatibility issues and user friendly features to have a more secure system. F.E. make Windows work nicely without running everything on a super-user "Administrator" account. PS. Sorry for my English - I am not a native English speaker.
I can introduce you to at least four. One of them writes anti-trojan software for his living.
Got time? Spend some of it coding or testing
That Zone-h place is reporting 404% linux break in rate!!!... oh, wait...
... a few years ago. Based on a writeup I found on the SANS site, I think they came in through an un-updated lprng. I lucked out in several ways and was able to stop it and get rid of it.
It was basically no different from the Windows worms making their way around that scan the net for victim machines.
I now run behind two firewalls (a hardware firewall and the built-in Linux firewall).
Linux can slow the bad guys down and can block some kinds of attacks, but it is just as vulnerable as anything else to sophisticated attacks.
The idea of having a userid (root) which is exempt from all security checks is a clear indication that UNIX was not designed with security in mind. Secondly, it is not so long ago when all UNIX administrators wanted to make us believe the r-commands ARE secure. So why would we use ssh then in the first place?
there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames
Because they are forced to use MS products. Most people do not have strong feelings about stuff they have not personally encountered.
While I would never go so far as to say that Linux people purposely write virii to take down Microsoft, I certainly wouldn't say that Microsoft users are the guys writing virii to take down Windows Update.
The script-kiddie viruses require MSWindows to write, or at least test, the virus. Linux users have already escaped; why would they worry about MS? It is the MS users that write viruses to hurt MS.
I also like the theory that the MSBlast virus was written by MS. The primary purpose behind that virus was to annoy all the users enough to patch their systems.
- It also required every unpatched MSWindows PC to report itself to MS. MS might be able to use that information.
- The virus also seems to have been poorly written. MS may not have the monopoly on bad programmers, but they definitely have the largest concentration of them.
Anybody who wanted to cause real damage would write a virus that spends 24 hours spreading itself, and then silently wipes the "drives" starting at Z: and working backwards to C:. That would cause a few heart attacks in the corporate world. It would also force the world to switch away from MS. The MSBlast virus was just a warning shot, and I doubt it was written by someone who actually wants to harm MS.
I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.
With scripting kits, brains are not a requirement for writing a virus. See the stories about the virus writers who have been caught; none were particularly smart. (OK, they were CAUGHT, so the sample assumes some incompetence.)
Very few people prefer MSWindows; most people do not know there was a choice.
---
The Linux community wants to succeed by demonstrating that the community development process develops better code and applications than hidden proprietary code can produce. MS's security holes are a demonstration that their development process has severe faults. Linux and OpenOffice should remove MS's revenues very soon, and then MS will fall. We want to win fair.
I spend my life entertaining my brain.
Doesn't matter, according to this guy Linux is a fake OS anyway: http://www.df-21.net/ubb/Forum1/HTML/002527.html
Astroturfing weenie. Go back to Redmond.
There are twice as many Apache sites as IIS sites, so one would expect to see twice as many Apache defacements if they were attacked equally often and defended equally well.
IRL, the Apache machines will more often be doing multiple duties (e.g. Internet gateway, email server), further skewing the results against themselves because there are simply more services to break into on those machines.
If I was a selfish, destructive little cracker, I'd be breaking into Linux boxes simply because they're more useful than a corresponding MS-Windows box once you 0\/\/|\|3rZ them.. A lot more stuff will install off-the-shelf in scripted fashion, or already be installed.
Got time? Spend some of it coding or testing
You can screw up security on any system, Windows, Linux, Solaris, whatever.
The difference between Windows and Linux is that on Linux, you actually have a chance of getting it right if you know what you are doing. In part, that is because you can really get rid of pretty much every network service and piece of software on a Linux system except for what you actually want to run. In part, that is because you can actually look at the source to figure out how something works.
Using the number of web-site defacements probably isn't a very good metric of how secure an OS is. Windows runs more desktops where Linux runs more servers (as a vast generalization). Also, compromising a server running virtual hosting for 200 clients may count as 200 sites defaced due to one insecure server. You get the idea.
The reason Windows gets so much scorn about security is that it has this whole class of security issues that are much less an issue under Linux. Linux people don't tend to send around binaries for people to execute. In Windows it's very common to send executable attachments, but they implemented that while shunning safe ways of doing it.
For example, if Microsoft hadn't scorned Java, in favor of their in-house technology which has huge security issues, they could have been using sandboxes to limit the access this arbitrary code has to your system.
All systems have problems if you don't regularly update the software. There are things that can help that, but in general I think it's safe to assume that all systems need to be regularly updated to be secure.
There is a whole different class of problems that Windows seems to suffer from, which Microsoft hasn't really addressed. Obviously, they need to.
Sean
There is this common problem with so many people's thought pattern that goes something like this...
:)
Most Windows users are clueless and that's the main reason Windows virii and worms are so prevalent.
Or perhaps something like...
If people that use computers would simply learn just a little bit about their systems, they could avoid most problems.
The problem here, and this is a problem in general that the Linux community, and the open-source community as a whole to some extent, suffer from, is that they have a problem with how easy Microsoft has made computer use (relatively speaking).
Think about how difficult, relatively speaking, it used to be to drive a car. There was a time when automatic transmissions didn't exist. Even before then there were how many different controls that you had to manipulate?
No one complains that cars have gotten easier to use, and more accessible to the masses. And no one seems to complain that it's now easier to run someone over because you aren't going to stall the car by slipping off the clutch.
Computers are becoming a commoditized appliance largely because of Microsoft. I hate this as much as the next guy, and I can readily admit why: for most of my life working with computers, I've frankly been flat out superior to most of the people around me in my knowledge and expertise. I was special.
That isn't the case any more, and for all but a very select few in the world, isn't true for very many at all.
But, the number of AVERAGE users has risen dramatically. Is this a good thing?
Depends on which day you ask me
But it IS a fact, and it's also a fact that the majority of people in the world WANT THAT TREND TO CONTINUE. Part of the cost of that trend is security because security by its very nature demands a certain level of expertise.
If you pick a fight with an accomplished martial artist, you only stand a chance by either (a) having a big gun and using it before you get hammered, or (b) having a similar skillset to combat him with. Same with security. You can't expect mom & pop to have that level of expertise required to do security right.
But, mom & pop want to use a computer. They don't WANT to develop that skillset. THEY ARE THE MAJORITY.
Microsoft realizes this, and they cater to that desire, and they obviously do so more successfully than anyone else does. The Linux community by contrast may know better when it comes to security, among other things, but the majority simply do not care.
So, the minority position continues to fight the good fight, but in the end, as is the case with most minority groups, the will of the majority will win out; whether the human race is bettered because of it or not is irrelevant. This is a sad observation of our world, but it also happens to be accurate.
What is my point after the rambling, pointless post? Very simple:
The world is the way it is because most people want it to be that way (or are weak and allow it to become that way, the effect is the same so the result hardly matters). Microsoft is a success despite the problems they unleash on the world because most people view the benefits of their products as outweighing the negatives. Simple as that.
The sooner the Linux community comes to that realization and stops trying to convince the world they are right (which they probably are, but that doesn't matter), the sooner they stand a chance. Understand, the progress we've seen Linux make against Windows isn't really important, because in the end, the majority does not WANT Linux to win.
They are happy with the status quo, and that's that.
Sorry to hit you with a realism bomb, but there it is.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
I bet we could run into the same problems with Linux today if it was as widely deployed as Windows. But that's not even a possibility.
The question is not if Linux is as secure as we think it is, but if the people developing the technology would be willing to step up and make it secure if faults were found. Or would they sit on severe security warnings and attempt to brush them under the table, avoid bad PR and include the patches in the next service pack.
I think with the NSA's security patches being included in the 2.6 kernel along with our collective efforts to build a reputation of security, stability and compatibility with Linux there's nothing really left to worry about.
Could there be a Linux 'Blaster' just waiting to happen?
Yes, there could be... But in case you forgot, WE CAN FIX IT!! (without having to wait for some lazy, rich programmers to make a patch). That's the point of open-source... If there is an exploit, WE WILL ALL KNOW WHY, and WE can find a way to fix it. The Linux community as a whole is far superior to those guys working for MS and half as lazy (provided we have our caffeine)... Though we all wish we had their money ;)
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
it might be relevant to bring up the lack of virus and exploits for netware.
Ok, first of all, when I go to the site, I see 17 attacked machines, all of which are Win2000. It doesn't show any linux defacements. Did the writer of the article just make this up? or has the site just been massively updated?
I have a friend that runs linux, the only skill he needed was to burn a CD using Nero and reboot.
He doesn't know a kernel from a koffice
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
So... exit Microsoft Corp, stage left; enter Linux Corp, stage right? Have I got the picture?
But Linux isn't a corporation; and Linus would happily agree that Linux isn't a person. It has, in its enemies' words, "no centre of gravity", no central bastion to attack. It has no war-chest, no lawyers, no production facilities. If it is distributed from France or Germany, it isn't because of some strategic global plan, it's just where the distributors happened to live.
In short, while you can happily replace MS-Windows with Linux, there is nothing to replace Microsoft itself.
Yeehah! (-:
Got time? Spend some of it coding or testing
Why is the parent post currently marked as "+4 Insightful" when it is ignorant of the facts???
The 1000-to-1 Honda to Ferrari analogy is meaningless in this instance.
The actual ratio of Windows to Linux Internet server platforms is 5:3 (see Netcraft).
There are also more Apache servers than IIS.
And there are more Unix e-mail routing servers than there are Outlook servers.
In other words, there should be just as many exploits occurring for Linux/Apache/Unix-mail as there are for Windows/IIS/Outlook.
But instead, the exploits of Microsoft's software are more numerous, more destructive, and longer living -- by far!!!
Why? Because Microsoft has never cared about security (they put cool features like e-mail scripting ahead of security), and their software quality is extremely poor.
At a previous company, the demo systems were set up for everyone to log in as root. We get a call from a photo shoot that nobody can log into the systems and set up the pretty picture for the shoot (some screen displayed on a 2x2 grid of flatpanel monitors).
We drive out there and they go on about the problem. It makes no sense, so I ask them to show me what they are doing. The guy sits down and at the username prompt types "route"
That's not even the saddest story I have.
PHP and other frameworks are notoriously insecure.
This could account for the large number of Linux-powered site defacements.
I prefer GNU/Linux distributions to the BSDs... I find the userland to be a lot more friendly and modern. But I absolutely loathe the fact that every time I do a default install of nearly any Linux distribution, I have to spend lots of time either (a) downloading security patches; or (b) disabling extra software I don't need.
For one thing, whoever believes it's a good idea to continue relying on sendmail and BIND deserves broken bones. There are secure, faster alternatives available, and while they're whining about backwards compatibility and the fact that DJB doesn't want them butchering his software, their users are getting rooted.
We also need to remember the distinction of what Linux really is. I'm not RMS, but we do have to remember that Linux is simply a kernel. It has indeed had security problems (the most recent that comes to mind is the ptrace exploit), and sometimes this is unescapable. But when I hit up for instance the slackware security advisory list, I notice that while there are a handful of system problems, they are also listing problems with software that has little to do with running the Linux system (BitchX, EPIC4, etc).
And then I remember that each time I go to Windows Update, I'm slammed with a list of critical security updates, some of which are even rollout packages containing many other security updates. And the volume of security updates on Windows Update still far surpasses that of my favorite distro.
Handing your average computer user your average linux distribution's default installation is like handing a baby a bunch of knives... the system usually works damn well and quite stable from the get-go, so they install it in a dark corner and forget about it.
It's about design philosophy. Windows tries to tie everything together. Email clients aren't just email clients. They include html browsers, which include script interpreters, which are allowed to make system calls. Under Linux and Unix in general, generally, tools are only large enough to work. Email clients are email clients. Browsers are browsers, and generally the scripting in them isn't allowed to run too far unchecked. That being said, let us remember that the Morris Worm primarily exploited unix...
====
Crudely Drawn Games
As has been said many times, security is only as good as the admin responsible for it. Yes, there can, and will be a Linux blaster... There might some day be an email worm too... but not like sobig.
Let's examine the reasons why blaster and not sobig. Blaster exploits a buffer overflow, requires no user interaction. Find an overflow in Apache, you'll have a worm. Not a whole lot admins can do to prepare for this except application level filtering. It will happen. Those of us who are "in the know" will be patched long before.
SoBig: This is a user spread virus. It does not exploit any vulnerability. It merely requires the User to click on the attachment and hit open. It relies on badly designed software, that allows a user to execute code legally, easily. Windows lets you click Open.
Contrast that to most unix mailers: You have to deliberately save the file to disk, chmod +x it, and then run it with ./. Yeah, a bit harder eh? Nobody I know will be able to manage this.
:D
About the web site defacements. Linux is more complicated to administer, I don't think anybody can argue that. Lately, people have been given this sense of "if I replace Windows with RedHat I will be more secure". That is not true. Security is up to the ADMIN and the ADMIN alone. I would venture to say that a Linux box is MORE dangerous in the wrong hands than a Windows box. Hence your 60%.
Nothing about this changes anything at all. Those "in the know", generally Unix admins, will not be exploited, whether on Windows or Unix.
This doesn't mean Unix doesn't raise the bar of your security... you just need an admin that knows how to use it for it to be even close to its potential. With Windows you are always stuck at whatever MS deems "secure enough".... bar writing your own IIS filter or something.
What we need are more smart admins using Unix, not sucky admins that give us all a bad face.
My two cents.
This doesn't increase the percentage, in all likelihood. The "unknown" category will contain a variety of systems, probably distributed much as they are in the known categories unless some system-specific feature lends itself to remaining unknown. The percentage stays the same.
still running inetd?
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
Unix is designed under the assumption that there are supposed to be users who can do whatever they please as long as it doesn't interfere with the operation of the system as a whole.
Windows is designed under the assumption that if you're not giving someone full control of the machine, it's because you don't want them to be able to do certain things that have no bearing on the rest of the machine whatsoever.
The result is that a typical Linux installation will create a user account without root privileges that you are expected to use except when you absolutely need to be root. The windows installation will prompt you to create accounts other than Administrator, but they will still be Administrator-level accounts, because the registry and the windows installer are designed to make it difficult for anyone who is not an administrator to install software.
This is why I'm an administrator on my work machine, where I do tech support and thus need to be able to mess around with things to replicate problems, and I'm a non-root user (with sudo privileges) on my home machine. I can screw up the work machine a hell of a lot faster than I can the home machine if I open up the wicked screensaver.
If windows didn't require a completely separate login to do administrator-level stuff, this problem might go away. XP's user-switching is a far cry from this. If Joe User can't copy and paste from his non-admin web browser to some admin system tool, he'll just be admin all the time, and then when he breaks beyond all repair he'll call me along with the other hundred users I talked to today at work. AAAAAAAAAH!
WARNING: there is a trojan on your
This question almost seems moot to me. There is no question in my mind that a worm targeted at linux systems will some day (sooner rather than later) spread as fast as the last few windows worms did.
People seem to forget that in this case the time between the security bulletin(+patch) and the release of the worm was barely 1 *friggin* month!
Worm makers are getting "smarter" all the time, the last 2 blaster variants demonstrated new strategies of infection like scanning both for public ip's and private ip's. And there was the nice feature of renewing your payload to stay active. There's no doubt that in a few years worms will become more modular and be able to alter their payload and their scanning algorithms just to make your life a bit more miserable.
The only thing that can save you is updating your system once a day, and just pray to $fav_deity that some blackhat evildoer isn't gonna find some big ugly gaping hole in some generic app.
If a worm can't survive more than 24Hrs by default I would think all the fun is over for the worm writers.
Microsoft tackles the problem like this:
"There's a problem. How much money will it cost us to correct the problem if it gets out, PR wise? If that's greater than the cost of fixing the problem if it's exploited, then we'll fix the problem."
Linux does it a different way
"There's a problem in MY software? MY SOFTWARE??? WHAT!!! BLASPHEMY!!! KILL KILL KILL!!!"
Just by this principle alone linux should, over the years and years of work, be more secure than windows. The only time that bugs are not fixed is if the designer is too lazy to fix them.
But even if it wasn't. Let's say tomorrow a major virus, say uberblaster, that exploited a bug in both the linux kernel, mac, and the windows kernel (affecting all windows platforms) came out, all requiring a decent amount of work to fix.
The linux community would be aghast, and pissed off and take it personally. I'd even bet Linus himself would be up, 24 hours a day with caffeine in hand to get it fixed. The patch would be released within a few hours to maybe a day. If linux couldn't get a patch out, other people could as, remember, it's all open source.
MS on the other hand would say "Fsck, we've got to work on this, kick the PR department into full kick on this issue and get the programmers working on a fix posthaste". And in a week a patch would come out.
Linux is, by principle, more secure than windows. We'll only know for sure that it is more secure once it hits the average joe market. With desktops like kde sporting kewler features than the rehashed windows desktop (which, face it, hasn't changed since win95) running on a solid linux background, you'd hope that people would be happy with it. Until then, distribute antivirus and firewall packages to everyone who has a windows machine and advise them to run windows update until microsoft pulls another "root your machine" ploy.
Candy-Coated Knowledge
that system security has more to do with the systems administrator than the underlying software? Of course you can break into all sorts of vulnerable systems. Tons of people run tons of vulnerable applications for various reasons (one of the biggest being compatibility). Others are just smitten with idiot administrators. One can make a Windows system just as secure as any other, required time and effort notwithstanding. So before we go blabbing about who runs the most secure OS, let's talk about system administrators first. Kthx.
www.sitetronics.com/wordpress
Yes it is!
Linux does not require technical ability anymore.
There are several distributions (Mandrake, Lindows, ...) that may be installed by the complete novice.
That said, I am using RedHat (because I live in the US and it is still the most popular distribution here.) The RH9 installer does not even make suggestions for how to partition the hard drive. (A friend asked if he should make the root ext3 or a swap partition? The interface implies that this is acceptable.)
Once Linux is installed, a typical user would never see the command line, and only needs to learn one GUI.
Linux can also remove some of the fear of computers because you do not need to worry about the usual viruses. Your acquaintances that have trouble right-clicking and double-clicking may be better with Linux, since the menus are usually written before the context menus, so every option can be accessed with one button of the mouse. (My grandfather uses the ENTER key instead of double-clicking, since a couple of strokes have upset his timing for double-clicks.)
You also assumed that the Linux users must have installed Linux. In the corporate world, computers are installed by IT, regardless of the OS. And today the home consumer can buy a computer with Linux already installed. That assumption is not safe.
---
Good application designers assume the users are complete idiots. Applications designed that way are easier to use, require less documentation, and have more safeguards to prevent GarbageIn. And when the complete idiot does ask for support, invite them to be a primary tester. Even idiocy can be useful.
For Linux to become the main personal computer operating system, it must be designed for use by idiots.
- Why does it seem that most users are of below-average intelligence? Do smart people avoid computers?
I spend my life entertaining my brain.
I wish this were so funny. The last two VARs that a business I know of has gotten accounting systems from have configured the systems so that all of the users did log in as root.
If you've ever installed systems (of any kind) for small businesses (~50 people), you'd know why this was such a temptation and often a functional necessity.
Many of them have no full-time technical staff. The typical scenario is an "operations manager" who spends most of their time dealing with production issues; a "back office" person (who's usually the consumer of the system, often the head financial person); and then whoever ends up being the technical liaison, which in my experience is whatever office flunky can get WebShots installed the best or who has the copier repair phone number.
It's sad, but I've done a ton of installs where basically everyone who uses the system is root/wheel/administrator and there are no permissions. If I'm lucky and can figure out there's no one to even reliably change tapes before the equipment is set up, I have it do alternate full backups on different physical disks; I figure it's better than a burned up tape.
It keeps you in business, but it kind of sucks, since it's apparent that nobody really gives a shit...
The percentage is high because a lot of domain speculators park the domains on cheap out-of-the-box red hat systems. When the box is breached, so are all hundred of the domains on it. NT boxes are much more likely to be corporate web servers with only one domain on them.
This also tends to weight linux higher in the overall web server percentages.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Reading the discussion on this thread, there's no consensus. There seem to be two extremes, though:
One hand: Windows is simply a bigger target, if Linux were this big a target, it would be in just as much trouble.
Other hand: Windows is not designed for security, so it's an easy target.
Gripping hand: (my opinion) Both are true.
Security needs (at least) architecture, implementation, and culture. It's easy to argue that Win9X-based OS's fail on all three counts. It's possible to argue that WinNT-based OS's may even be superior to Linux, having stuff like ACLs from the get-go.
As for implementation, I'm not sure. It seems to me that most (not all) of the Windows exploits are really architectural, not implementation. It seems like the exploits take advantage of the tight integration Windows offers rather than buffer overflows and off-by-one, Code Red obviously excepted. Linux exploits are generally in the implementation area. One might wonder how many implementation flaws are in Windows, once architectural flaws are closed.
IMHO where Windows falls flattest is in the culture. So what if the OS can separate users from admin, when a lion's share of software requires admin to run? As others have said, Windows users expect things to be insecurely easy.
But what really scares me is Lindows.
Running ordinary users as root throws away the single simplest, strongest chunk of security we've got.
It also brings out one other aspect of Linux - I suspect/fear once a box is r00ted, it's a much more powerful base for further mischief than Windows.
I just wish Lindows could come up with some other ease-of-use scheme than running as root all the time.
The living have better things to do than to continue hating the dead.
Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
The only reason I can think of is that no two Linux installations are even remotely close to identical. Linux comes in so many forms, different distributions, with different libraries, software, and packages installed, that to write a virus or worm that would take down 90% of the world's Linux systems at once would be impossible. There's just too much diversity.
In the Windows world, nearly all versions of 32-bit (and now 64-bit) Windows have the same libraries, services, and thus the same vulnerabilities. Far less diversity, so far more vulnerable.
On the one hand, consistency is good for end-users. They need it so they don't have to relearn the computer every time they sit down at a different one. But on the other hand, if all systems are identical, then a virus writer must only find one vulnerability to bring down the entire world. It reminds me of one of the big arguments against cloning for agricultural purposes: if all cows are clones, and a virus evolves that is totally fatal to that one particular genetic makeup, then all cows are dead.
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
I think one of the problems is that, to have a secure machine, there's a hell of a lot to know.
I've been using Unix of one flavor or another for maybe twenty years. I've been doing administration on servers for maybe ten. I know something about Unix, although I wouldn't call myself an expert. My focus is on programming rather than admin (although to be a good programmer you need to know a lot about admin, and vice versa).
The fact is, even with a lot of experience, there is an enormous amount to know if you want to keep a machine secure. And while most of it is pretty straightforward, some of it is really complicated stuff.
Couple that with the differences between flavors or even Linux distros. While the basic concepts tend to be the same, the methodology is different (for example, compare removing specific network services on Debian, RedHat, OS X, and Solaris). Security is a full-time job.
Technical people often make the analogy that the level of technical computer understanding most people want to maintain is like their house or car or office. Bar the windows, lock the doors, set the alarm. Set up the cameras if you're paranoid, and monitor them. While the top-level concepts are the same for operating systems, the kinds of attacks are different. There are only so many ways to get in through a window -- but how many programs turn up exploitable? Once you secure your windows, you know the threat level (rocks, pry bars, glass cutters, etc). With software, you may have a general idea (buffer overflows, privilege escalation, out-of-band data, unexpected input, etc), but it's continuously evolving. In both cases, vigilance is critical. In both cases, if you're security-minded you can be more or less secure, even in a hostile environment.
The problem is, this model is wrong for most people. They want to interact with their computers like they do their DVD-players or TVs. They want to use them as simple, versatile tools: think swiss-army stereo system. They don't want to have to think about security. They don't want to know that there's an /etc directory with configuration files in it. They don't want to run Windows Update every time they turn on their computer.
That's where the problem lies; people who are concerned about security will be secure whether they run Windows, Linux, or whatever. The people who just want a device that can play music, edit spreadsheets, write documents, send and receive email, and surf the web will likely be insecure no matter what OS they run. How many times have you had people volunteer passwords, watched the guy pound out the alarm code "1234", or had a user tell you their password was their cat's name?
Sure, some systems make it easier to be secure than others. But security is more an attitude than a system.
(This leaves out the whole issue of the heterogeneity of the Windows world, the desire on the part of worm writers to hit the largest "audience," and the anti-M$ attitude among 'leet hackers.)
Eloi, Eloi, lema sabachtani?
www.fogbound.net
While it is true that a linux system is less vulnerable than other systems, because the user base is more informed, and because one must have root permissions to get to many vital components, it is a big mistake to assume that linux is totally secure. New vulnerabilities are constantly found. I can't even begin to count the number of security vulnerabilities my RedHat 9 system has discovered and patched with updates. Missing these updates is just as bad as missing the patches for Windows. Folks, these vulnerabilities which the various worms and viruses have exploited in Windows were documented, and often protected by installing the newest patches, which is exactly what is happening with Linux. As an example, I know someone who installed linux a while ago, and was hit with a sendmail exploit. Suddenly, he was getting protests from other users and his ISP for sending spam. Sure, he fixed the problem and the exploit, but crackers are like cockroaches; once they find a way into your system, they're hard to get rid of. In this case, the spammer was irate that his victim had patched the hole, so this spammer proceeded to send a DOS attack against this man's machine. One can be arrogant and coy that this man could have taken steps to prevent this attack, but the point is, this is a learning experience for everyone. Everyone out there starts as a novice, and he was no exception. The point is this--exploits exist in linux, just as in Windows. One must constantly keep up with the latest updates and patches, as well as practice some safe computing habits, in order to avoid these attacks.
I just went to Zone-H, and it said that 100% of the defacements were on Windows 2000.
Well, it seems no one is willing to stand up for Linux as a more secure OS.
Let's make a few points, feel free to flame:
- Firstly, say what you might, but Linux does make it harder to operate as root all the time.
- Linux points you toward creating user accounts and tries to make you stay there, in a gentle way. Windows just runs you as root, by and large.
- Under windows, even as a basic user on a default install, almost full access to the file system is granted, including reading all files and program installation to anywhere on the system, including altering key system files. Hence an exploited user account can be easily escalated. Linux makes this harder. Not utterly impossible, but a lot harder.
- There may be more windows boxes in the world, but the majority of permanently net-connected, fixed IP machines are Linux and BSD, *BY FAR*. These are especially servers, firewalls, gateways and systems with big bandwidth and access to interesting data and corporate networks. These are also embedded systems and appliances, which are not routinely updated. If there was an easy way to exploit a Linux box, anywhere near as easily as it is to exploit a Windows box, most crackers would leap at it.
- There are slightly more warnings issued for Linux in total than windows, but they are also pre-emptive in almost all cases, so that systems are secure, rather than MS releasing patches after exploits exist in the wild. Also, Linux exploits don't tend to break other patches and open up new vulnerabilities.
- Linux boxes are a diverse environment, proving much harder to attack than the uniform windows environment.
I'm sure there are more points I could make, and I'm sure people can and will respond about the quality of administrators, etc., but the fact is that a windows box in the wild is about ten times as likely to be broken into for defacement than a Linux box.
Moreover, to put it simply, look at the results. If there are more Linux and BSD connected machines, then why is it that we don't hear about a Linux Slammer worm taking down all of Korea's internet access? (Remember that Slammer attacked database servers, and there are far more of those on Linux than windows.) When was the last time that universities were brought to their knees by their networks being crippled by Linux worms? When was the last time that a nuclear power plant lost safety systems due to a Linux worm? When was the last time that a train network was crippled by a Linux worm?
Does anyone see a pattern here yet?
It is easy to say that Linux can be just as insecure as windows, and that Windows, if completely patched up can be secure, with a good admin. At the end of the day, however, the situations above illustrate what is happening in the real world, right now. Running a windows server clearly correlates with serious security issues, where Linux systems don't. That's the absolute bottom line.
I can appreciate that people want to give a different answer to saying that Linux is more secure. I can appreciate that they want to find an alternative angle, but what happens if the obvious answer is, in fact the right one?
If security is our main concern our community should then form a culture around it and get everyone involved. Look at what OpenBSD community has achieved by creating a culture around security with minimal effort of the user.
Perhaps a culture around security with high availability and operability could be a win win for the community as a whole.
Let's not rest on our laurels. This community has gained so much in a short amount of time. Let's move forward once again and gain more ground.
"They say travel broadens the mind, so I went over the falls in a barrel." -Thomas Dolby
"Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?" ... Linux doesn't let you double click and run things (yet) ... you would have to download it, deliberately execute it, and then it would probably crash because it's on the wrong distro and can't find the libraries it needs. It would also have a heck of a time taking advantage of the cache and address books because these things are not in as predictable a place as they are with windows.
Many distros may not. Any distro that is running telnet by default or any of the clear text authentication based services are never a good idea. Installing for example an old version of Redhat or Mandrake would not be very secure. The same could be said for Solaris or Irix. Now, I believe that neither of them enable telnet and provide SSH as an alternative. The other things are simple like do not allow remote root logins may be disabled.
69% of these comments are about how stupid the administrators are, and that they need to read their Linux-for-dummies again. These are comments from the general Linux zealots^Wusers, and are naturally ignored. We already know that admins are brain-dead.
7% talk about how safe their MacOS is, but 93% will skip those comments, as Apple is just another Microsoft OS (MS has a large portion of Apple's stock).
3% blame Apache, and promote the use of proprietary solutions as they are So Much More Secure(tm). Good for a laugh.
8% are the BSD-trolls. Only problem is that they still have to use lynx to post their remarks, nobody cares about them anymore. Especially not the general Linux zealot^Wuser reading their posts. BSD, pfff, something that free can't be good. I mean, Windows used their code...
6% are the trolls ranting against something called google, that makes all those script kiddies so-called blackhats after enough time. Yes, your kid brother has just grown up, and has exploited apache and your 2.4.20 kernel to gain root privileges on your box. Even worse, he's just told your mother about your secret pr0n stash in /root/.this/.is/.secret/. Life's a b*tch...
4% are the MS-trolls, those who have lived under a rock for the last decade. Or at least the last few weeks. Anyway, there would be more of these posts, but I'm afraid 98% of people using Windows(tm) were attacked by all em scary worms out there, and rebooted for the 50th time today. Whoopie! No Blue-Screens anymore!
2% are the ones commenting the BSD trolls, but nobody sees their remarks or could care less.
1% are the lame people that rant about how deceptive statistics are... this post is one:
lies, damned lies and statistics.
We now return to our regular programming...
This sig is intentionally left blank
Actually, one or two of us are security geeks. My title is "Webmaster" at the moment, but I've spent much of my time convincing our administrators to move from a buggy, incredibly insecure proprietary linux (NetMAX), to a more secure, normal linux installation. It's now RedHat (8), but at least it's well patched.
No, the real people you need to worry about are those that have been doing web design "for years", but never manage to make it out of Dreamweaver or Frontpage. I consider myself a programmer before a web designer (I also wrote our company's setup CD software, for instance); for me, HTML is like a vacation.
BTW, the vast majority of the "/c/windows/cmd.exe?" queries are from the Code Red virus, not hackers.
Interesting... This is the same claim as some organic farmers make against large-scale farms replacing all of certain crops with identical strains. A specific bug can cause much more damage.
I don't know, but you just gave me a great idea...thanks!
The problem with most Windows users - whether they run 95/98/ME/NT/XP/2000 - is that they DON'T understand how to lock down the system or that alternatives exist to Microsoft software. They don't know jack s*** about a firewall or better alternatives to Microsoft software that is often more secure, not to mention actually VIRUS scanning email attachments and downloads.
If you have to do e-mail - a very good and secure e-mail client is Pegasus Mail which does NOT blindly open up email attachments and run code like Outlook does.
Get a decent firewall like Sygate PRO or if you must even ZoneAlarm PRO and make sure it's configured properly. Again some windows users would have problems even with something so simple as this sadly.
Want to avoid the nasty crap in Internet Explorer or other browsers? Get a proxy like Proxomitron and JD5000 Filters for Proxomitron which then allows you lock down all that nasty MS crap like VB/ActiveX/Flash/Forced Download scripts/ADS and more that cause problems.
But as everyone else has mentioned here - all it takes is a moron to run a windows box - linux box or hell even a MAC OS X box and not keep up to date with patches. If he/she doesn't know what they are doing any of the three will be insecure.
Also with Microsoft a lot of users I believe are afraid to get the patches - because you keep seeing more and more supposed "horror stories" of how a patch broke Windows or a "feature". Same crap could also apply to same user running a Linux box.
You must master your joystick like a fisherman masters bait! - Gimpy
... and why should I trust what they say? They can't even survive a little /.ing, so I'm not impressed.
Did you chuckle when you read my post? Or frown?
Are you a MS programmer that I insulted? Or did they not hire you, so you assume the ones they did hire must be better than you? Or you believe that a company that makes that much money must be doing something correctly?
(Sorry that sounds like a personal attack. I hope you answered "No" to all but the first question.)
Read the websites about the hiring practices for MS. They are looking for a good personality fit with their processes. Maybe the questionnaire asks, "Are you willing to release bad code because of deadlines?" and a positive answer gets the position.
I have no personal experience about the quality of programmers at MS. My personal belief is that there are very few good programmers anywhere. I do know that every time I need to fix a problem with MS software, I think about:
- how I would have written the code, then
- how a beginner programmer would have written the code, then
- how to write it worse than the beginner.
Then I assume the last case is true, and work around it. I have a reputation as a miracle worker for being able to see inside the code.
Best programmers do not rush. They know that code that works is much better than code that almost works. Taking the time to design something well is always worth it. By definition, well-designed programs take less time to write and test.
The problem with MS's code is not that it was not written well the first time, but that they have not done it correctly after hundreds of attempts, even after their customers report problems.
---
I am not a "Lunix zealot". I do not use Linux in the corporate world, and barely use it for personal stuff.
- I do recommend Linux to people and companies that cannot afford Apples (which I have not used in recent history.) And much of my recent work has been battling an incredibly poor multi-threading model in some of IBM's software.
- I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?
I spend my life entertaining my brain.
I have a theory.
If you take a look at SourceForge and Freshmeat, you'll see thousands of projects that a) aren't anything new and/or b) don't work and/or c) were abandoned after release 0.000001. I suspect that a lot of the people who started those projects would, were they Windows users, be writing viruses and worms instead.
Getting industrial-strength development tools for Windows is hard. They're expensive, the documentation is bad, the APIs are horribly complicated and the beginner-oriented tools (e.g. Visual Basic) hide the underlying workings from you. With Linux, though, you get everything for free. The APIs are small and well-documented and there are dozens of industry-standard programming languages just there for you to use.
For a geeky fifteen-year-old, the coolest thing he can do under a typical Windows installation is to write a Word macro virus. Under Linux, he could, if he wanted to, reimplement his entire operating system piece by piece. And that's a lot cooler than writing a worm.
Then, there's the open-source culture. Linus managed to become rich and famous by writing free software, all while sticking it to a giant evil corporation. I think a lot of open-source coders secretly dream of becoming as famous as Linus someday.
So my theory is that, because of the wide availability of development tools and the geek culture surrounding OSS, lots of potential virus writers get diverted into less harmful things.
(Obviously, there are other factors as well but I thought I'd bring this up.)
I chuckled when I read "Best programmers do not rush" - that's 100% totally correct - unless management says, "You know that deadline we set for the end of February? It's now the end of September." I'd laugh - except I have to live with it (for real).
I do NOT have the luxury of simply saying, "no" and having the problem go away because I've said it and explained it's not a situation of being unwilling to do it but one of being physically incapable of doing it in that time. I can't get more resources, I can't get more time. Therefore I WILL rush knowing full well the end result will fail.
Flame wars aside, some applications we run require IIS.. There are no opensource equivalents. Some apps run on Irix because there are no Linux equivalents and the list goes on.. I have two examples:
1. PDF web server w/ Photoshop Engine.. The PDF server uses PDFLib w/ proprietary windows license fonts.. There is no way it will run the fonts on linux w/out licensing problems. PDFlib w/ php won't cut it.
We have the IIS also use Photoshop because there is a COM object for Visual C or Visual B.. You can script Photoshop with a IIS webserver. The com object allows us to run scripts, manipulate channels, layers,etc.
We tried ImageMagick, GIMP but they don't support our 1-2 gigabyte files regardless of how fast or fully loaded the servers were.. Photoshop has a nice virtual filesystem management that actually allows us to handle 4 gigabyte files. Moreover, files are from macintosh clients which requires resource forks, On NTFS, you can manipulate resources and data forks in streams.. We have a server object that reads resource info from quark or indesign files and processed them as blob data to SQL server.
You can't do this with linux/GNU equivalents. (no real tools for resource and netatalk has issues)
if you think you can handle a 1 gig CMYK layered Photoshop file with opensource, post your contact info and I'll get back to you.
Trust me, a 600 meg file will make a P4 Xeon linux machine w/ 2 gigs of ram process the file for over 40 minutes running imagemagick while a 1 gig P3 using W2K and Photoshop/IIS will do it in 10 minutes.
2. We also have SGI servers to handle ripping of proprietary pre-press files which have no OSS equivalent.. E.G. pantone color matching, quark, etc.
They work with certain workflows.
People need to get off their OSS frenzy.
point is.. each platform will have their specific tools unavailable to other environments.
I run Linux and I have not suffered from any hack, worm, or virus. If you know system administration you can build a tight box.
Any box can be hacked.
I run Windows 2000. It's up to date, and it has been since I installed it. I don't use a firewall, and only installed a virus scanner two days ago after my wife insisted. Despite that, I've never had a virus. My preferred method for dealing with people trying to get in is pop up a message on their computer to stop. Either that, or I call their mom. (Which is usually a very funny conversation - give it a try sometime!)
Anyway, I blame my College for my lack of infection. The only email program we could use was pine. I still use it to this day, and it's my favorite email program. Nothing to configure, nothing to install, works anywhere in the world, extremely lag-resistant. The most important feature - you can't click on anything.
I digress: back to infection. No matter what program you're using, you can't just run whatever random garbage Undugu sends you. The majority of users will not understand that. My father, for example, can't understand the concept of Spyware, Adware, or Pr0nware. Eventually I had no choice but to physically destroy a CD he bought. It installed Spyware and Pr0nware, and he would not believe me, no matter how many times I explained.
So, what does that have to do with Linux? It's simple. The majority of Linux users are smart enough to not click on any random thing that gets sent to you. That's the difference. It's like a gas station that offers free gas. The catch? It's 50 octane. A lot of people would go. Yes, they would. Those of us who know something about cars would know that that kind of rating would seriously mess up your car. Sure, you could install a refinery into your car and add anti-knocking agents, but you're better off not getting gas there.
People who use Linux are, from my experience, very knowledgeable about computers and take care of them. Once the goal of "Linux for the Masses" is achieved, then - AND ONLY THEN - will you see the true devastation that rampant idiocy can wreak on an operating system.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
yall be haytuz yo.
Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
I think the biggest reason that something like Sobig is unlikely is that there are so few Linux machines on the Internet as compared to Windows machines, and since a majority of Linux installations are on servers an awful lot of them are behind firewalls. Worms like this spread by seeking out more systems to infect. If 95% of the systems are running Windows, a worm can spread a lot faster than if it is looking for a fraction of that other 5%. A similar worm on Linux would take a _lot_ longer to spread and would give us more time to react and put a stop to it.
I think right now the reason why Linux security breaches are rare is the fact it's not yet really considered "cool" to hack Linux servers.
If I were an al-Qaeda terrorist with lots of computer knowledge, I would find a way to show that hacking into a Linux machine and causing serious damage isn't so hard after all--especially now with more and more large-scale computers running Linux.
About 1/3 of all windows XP machines crash 3 or more times daily DUE TO THE OS NOT APPS. And that is just the ones that actually click "send report".
1/3 is 1/3 regardless of how many there are. 80+% of the web runs on apache last time I looked. So to be on even keel the other 20% would have to all be IIS (which they aren't) and 80% of defacements would have to be on apache sites, and 20% on IIS. This would make it 50/50, IIS+ windows is no more or less exploitable than linux+apache.
Remember boys and girls... microsoft may have a monopoly on the desktop. But in the web sphere they are WAY out of their league.
Now what we have is 60%, not 80%, and then we start chopping... how many of those defacements are due to insecure cgi scripting (my guess would be damn near all of em), php scripting, etc.? How many are due to servers which have not been properly secured? How many of them are due to applications rather than the OS itself (we'll be fair, only microsoft made apps continue to count against windows, 3rd party don't, and only projects maintained by Linus Torvalds count against linux)?
Actually if you think about it, as depressing as 60% sounds... These numbers show linux to be MORE secure than windows, not less.
I worked for a company last year whose Red Hat systems had been invaded by a root kit that listened on an IRC channel and launched DoS attacks on command.
Which is probably how the current/recent DoS on SCO's site is being managed - - from compromised corporate and family Red Hat systems.
I'm afraid to tell you, but there is a Linux virus, or shall I say virii (plural virus). Many Linux virii are known but seldom publicised. Many like the PLEASE_DELETE_ME.sh and the AWWW_COME_ON_DELETE_ME.pl are prime examples of the plethora of known virii that exploit the unwary and gullible Linux user.
Like all things Linux, Linux virii are open source (you can see the code) and are for the most part, free for you to download. These virii come with the GPL license attached and are subject to those license stipulations. That is to say, if you make modifications to the virus code, you are obligated to provide your source code for the rest of the world to benefit. Of course, you must make an attempt at running the said virus which, well, I'll answer that next.
I mentioned the PLEASE_DELETE_ME.sh virus earlier. This virus shares a common trait with all Linux virii: The intended victim is honor-bound to run the virus himself, which will in turn delete everything from the user's hard drive without question rendering the computer a doorstop. completes its designated task.
man_of_mr_e, I hope this little chat we've had has been helpful in understanding the differences between the proprietary virii (such as the ILUVYOU virus, the SoBig.F virus, or even the WindowsXP virus) and the open source virii. Don't be afraid to use open source virii in any of your daily tasks. Open source is here to stay and so are its virii.
Take care.
woman_of_ms_terry
I may be an anonymous coward, but I am certainly smart enough to write a good virus and also prefer using MS Windows as my desktop OS. I know a lot of people who are smart enough to write virii and have no problem using Windows as their primary OS. You made some good points but this "Linux users are smarter" thing is foolish.
It will be beyond question that Linux is more secure when (if?) Security Enhanced Linux is adopted and used sensibly. SE Linux could even prevent process A from damaging process B's data when they belong to the same user. Say I download a new program and it turns out to be malicious or overly inquisitive, Mandatory Access Controls could prevent the program from accessing data outside its own little box like a very fancy chroot environment. I may have been asleep, but I don't think that has even been considered for Windows.
The fact that the average person using one system or the other is more or less competent isn't a very useful piece of information. If you are interested in comparing Linux to Windows you need to do so on the merits of the systems themselves, not on those of their users. What if the user base changes? Then we know nothing. What if we want to give a Linux system to someone used to Windows?
I've also got to respond to the usual arguments about security - that by not running as root you are somehow safer than if you run as root. I'll grant that you are safer from your own mistakes, but to believe that any computer user will be happy because, though all their personal files are wiped out, the system is still humming along smoothly. What possible use is a functioning system that has been wiped of all your personal data? It's no more useful to me than a system sitting on the showroom floor at Fry's Electronics.
While 61% of the defacements may have been on linux boxes, the percent of linux webservers that get defaced is less than the percent of windows webservers that get defaced because linux/unix webservers make up about 70% or more of all webservers. Also, while there may have been similar linux worms if the majority of people had run linux it would be easier to get a patch. Because MS is closed source there was only one place to patch your computer and when that system went down everyone was screwed. With linux, however, there are many more people working with the O/S so the problem would be fixed faster and more efficiently.
Linux is as secure as we want it to be without being hampered by bad programmers, because we have the power to fix what they broke, bad strategies, because we have the power to plan what they didn't, and bad default settings, because we have the power to install it how we wish. Linux isn't better because it is magically more secure... it is better because we can make it more secure without relying on someone else to be the vendor.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
As soon as we find areas where Linux security is lacking, we can change it. Lots of people can make changes, and we can use "survival of the fittest" -- In general, the best changes will survive.
Just to say the obvious!
Actually, according to McConnell's "Code Complete" (which is MS Press, but is still an excellent book on coding practice), it is true that the best programmers do not rush. Instead they clearly and methodically lay out their design before proceeding into what then is a trivial coding task.
However, solprovider, you must be incredibly arrogant to just assume you could do a better job. If so, why don't you go down to MS and give it a shot? They pay very well, and the benefits are great. I use my XP systems all the time and can't remember the last time I had to reboot. Maybe the reason that their applications aren't bullet-proof is that writing a solid application is a lot harder than complaining about it. I can't help but think you are one of those coders that asks developers to send you a half a million line program so that you can add feature X in a week. But I forgot, you are a miracle worker. Next week, why don't you just code up Longhorn and sell it to microsoft. I'm sure they would be glad to avoid two or three years of work, you would be doing the world a great favor by writing the first program with no bugs, and you could probably make several million dollars in the process. Or are you one of those programmers that don't believe in getting paid either?
In my opinion, you can build a comparably secure system using either Linux or Windows. I have run both, and have never had an intrusion, a virus, or any other malicious nasty.
Based on my anecdotal evidence, if you are aware and stay patched, you are very unlikely to have a problem. If you do not stay on top of things, you are very likely to find yourself in trouble.
Neither OS is the pinnacle of security.
BRENT ROCKWOOD, EST'd 1975
How can you make a statement on Linux security based on Apache? If Apache is hacked it has nothing to do with Linux. It is just an application that is completely unrelated to Linux. Saying Linux is insecure because of the last Apache/OpenSSL hole would be the same as saying FreeBSD or OpenBSD are insecure because someone broke in through Apache. Apache is a whole lot more secure than IIS, though it still had some problems. While it may make sense to complain about MS security problems because IIS is one of their products, it is silly to say Linux is insecure because of Apache. I do think security under Linux needs to constantly be watched, it is very easy to get a big head, become lazy and sloppy and get all kinds of holes. Thanks to efforts like SE Linux by the NSA, Linux will keep getting more and more secure.
If Tyranny and Oppression come to this land, it will be in the guise of fighting a foreign enemy. -James Madison
I only use windows for playing games that don't work on linux. I don't keep it patched and really don't care how many virii get passed through it because the bad press for M$ makes me smile.
just quote the variables...
mysql_query("SELECT * FROM users WHERE userid='$USERID'");
That would expand (with your malicious value) to
... userid='5 or 1=1' and so would be harmless. In the worst case, I believe all strings are c-quoted too, by MySQL, so quotes couldn't be escaped either... you'd just end up with userid='5\' or 1' which again would just return nothing.
Much easier in my book, and one less function to execute :)
Outlook doesn't come with Windows. Outlook Express does. And does your same logic apply to other operating systems? As in, since these 1200 apps came with the distribution cds, any vulnerability in them would be the OS makers responsibility? After all, they were all made by the same "company" (the open source community).
Linux is more secure than Windows out of the box by default, but what makes Linux less susceptible to worms and things like ILUVYOU is that no 2 linux systems are alike (Well, almost). If you look at a Windows package, you'll notice that Outlook Express is the default mail program, Internet Explorer is the default Web Browser, plus a whole host of other "Default" tools, utils, programs, etc. The average Joe user just installs this stuff and uses default everything complete with errata. A Linux user doesn't really have a default anything... Each user will have their own flavor of a web browser... An E-Mail Program... etc... Since these worms rely on a common piece of software for the exploit to work, making a worm to exploit Linux is difficult at best.
- Slew -
so by the submitter stating that it is 61% for Linux defacement really does make me think that the submitter BSed or that zone-h had been hacked.
I would love to see the real stats, but the submitter did not give the archival link, but he gave the current link which looked hacked, not
BTW, 2 years ago, Windows accounted for 49% of all web sites and Linux counted for 29 % according to Netcraft. So the question is, has Linux gone up or down and the same question about Windows. Somehow, I doubt that Linux has gone down, and I seriously doubt that Windows has gone up.
I wonder when netcraft will give that info again.
I prefer the "u" in honour as it seems to be missing these days.
You can bet there'll be a blaster worm for Linux soon. Why do you think Microsoft recently started a Linux lab?
Seriously, though, I can imagine Microsoft doing this (albeit very secretively). After all, who knows how to crash a computer better than Microsoft?
This side up.
My uptime is about a week before I "try something new" ie format/reinstall or change my os to the "new" one, of course I am the same under Windows, but Windows does not have as many choices in distributions. The plus side is, I get to practice disaster recovery/backups. If there was an exploit I might be "owned" for a week or so (before I hosed it ...again).
I am the unwilling control for my Origin.
The only security parallel between Windows and Linux is the susceptibility to lazy users. If you don't patch... you're dead in the water and you deserve it. Linux, windows, whatever.
That's where the similarities end. Linux is inherently more organic, configurable, stable and open. Windows has an upper limit on the config bashing you can do and the efficacy of doing so.
If I, with my Linux box have a vulnerability that the vendor, or code monkey who wrote the thing, doesn't have a patch for... not a problem. I can do any one of a thousand things to make my linux system either more secure or less susceptible including looking for alternative programs that do the same thing. From the kernel to userland... I have control. It's more work, perhaps, but so is police work.
Windows. Please. I'm at their mercy. Their patches. Their schedule. Their patches to their patches. Bah!
Look at it this way: Windows is a prefab house. It comes in one flavor. One shape. And one color. It is architected (sic) in the hopes of being able to withstand a wide range of climates.
Linux, or any of the unixen, can be a tent you use to climb Everest. Or a mansion in Palm Beach. Or a Hotel in Monaco. Or a skyscraper in NYC. Whatever you want. It's up to you and how hard you are willing to work.
Just do what you do best
Arnold "Red" Auerbach.
Web-site defacements are completely different than a worm. When a cracker defaces a site, he must actively sit there and exploit vulnerabilities/holes, whereas a worm preys on insecurity so severe that it can spread without any human interaction.
Like many have said, the human factor is biggest. Bad unix admin = vulnerable unix system. Nothing, really, is inherently secure.
Imagine this-
Windows- expensive, fairly secure safe. However, many users don't or don't know how to close the door and work the lock.
Linux- free, very secure safe. Users are generally more knowledgeable about how to close the door. However, it is less colorful and user-friendly.
In both cases, if the safe-keeper leaves the door open, your money is f*cked. Get it?
According to netcraft the percentage of sites running Apache is 63.72%.
If you consider that the windows version of apache is rather insignificant, I would assume that the total linux web server installations are in line with this number.
Therefore, one must conclude that the predominate cause of web site defacements is negligence, not the operating system one chooses. After all, technically competent sites such as the one you are reading now almost never get hacked.
Just because more defaced sites run linux, it doesn't mean Linux is less secure.
1) Linux security holes are often due to configuration, ie something that a clooful admin could have fixed.
2) Windows security holes are due to the operating system, ie something a clooful admin can't fix (except by installing Linux :) See 1) for considerations of that
first, let me state the obvious: there are idiot linux users out there. there are even idiot linux users who are zealously anti-microsoft and pro-linux.
now let me say something that tends to get lost in all this anti-microsoft bashing: the average microsoft programmer probably has a higher IQ than the average joe-shmoe who likes to write "M$" and "microshit". even less obvious (or blindly ignored) is the fact that a lot of if not most microsoft people are actually linux geeks! microsoft runs a bunch of linux servers. go figure...
Actually, if you just delete data, it gets restored from backups (hopefully).
:-) (what, me worry?)
If one *really* wanted to play havoc, you just periodically corrupt something at random. BUT PLEASE DON'T!
I think most of these really are just the work of vandal script kiddies. Except for a few nasty industrial espionage level things that destroy all evidence that they were ever there
Yow! I'm supposed to have a plan?
True. The point of security is not to make your system un-crackable, it's to make cracking your box more trouble than it's worth.
I realize that 90% of what you said was over-the-top sarcasm, however I use Windows XP too (in a dual-boot setup with Gentoo). I admit I rarely use Windows except when my uni requires me to write code for it.
Having said that, I do still check for Windows updates every now and then. Last time I checked (about three days ago) I had two updates. I had to reboot. I don't think I have ever had to reboot Gentoo for an update, be it for security or features. That's why I have also deployed it as a server on numerous occasions.
Recent events have shown all too well what happens when you don't do your updates. Do you mean that you didn't update your box?
It's GNU/Linux dammit!
YHBT.
YHL.
HAND.
Bang on! The problem is the C platform is not what the engineering profession calls 'intrinsically safe'. Less flexible platforms (Pascal, Java, etc) are designed with things like strong typing or a sandbox model in order to prevent silly things like buffer overflows and underruns. These are safer ways to build programs.
Would you want to work in a mine I design if I didn't put 'end of range' detectors on the skip that runs up and down the shaft?
-Alex Doll, P.Eng (Alberta)
When I first installed Linux, it had all kinds of daemons on by default. I had no idea what they were and I had no idea how to turn them off. Because I did not know what they did, I did not want to shut them off.
This was a very insecure installation. Lucky I was behind a NAT.
Religion is the main cause of atheism.
"I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?"
Hell, I'd be happy if their OS didn't crash, even if the applications did from time to time.
I've been using Linux at home for many years, and I've noticed that applications do crash. Mozilla crashes, ABIWord crashes, StarOffice crashes, but there are two important points to this. First, the applications that I've described are either free or inexpensive. So, I haven't shelled out $500 for a suite of applications that is faulty. Second, it's only the one application that goes down in flames. It isn't the OS, it usually isn't the GUI interface (though X is a hair weak for what I'd like to see), and the other programs remain running without issue.
I don't think that an application should have the ability to crash an OS. That is absolutely ridiculous.
Do not look into laser with remaining eye.
"Linux is Secure" is thrown around like it's gospel so much it's easy for people to say "my site's running linux so it's secure" while completely oblivious to the fact it's not simply because they blindly believe the "gospel" and never realized you have to do things to MAKE Linux secure.
I don't trust Windows with security. I don't expect Windows to be secure or care that it isn't. I have a router that blocks every port I'm not using. And every program that runs on the open ports (25,21,110,80) are checked for security hazards. That keeps out remote exploits. Then I also run antiVirus software which takes care of local exploits that may happen to get on through FTP or whatever.
I can say "My server is secure" because *I* made it secure. It's not some mindless gospel chant that magically protects my server. It's actual research and dedication to making it secure.
I also log my server in as an admin because I don't care that Windows is insecure. It's irrelevant.
Linux would get hacked a lot less if the "gospel" got replaced with the "truth" that it takes work (and third party hardware like a router) to properly secure any network regardless of the OS handling the server programs.
Ben
Work Safe Porn
They would all be really bad passwords that were too easy to break. Or really insecure software that shouldn't have been put on the system anyway. But if you have to guess - it was the password.
Paul Seamons
people think that "linux is already secure, so I can just run it!" so they do, and don't bother securing it any, and get hacked, not to mention most admins have no clue what they're doing, or read up on how to properly secure a box. to properly secure a box, you must think like a hacker. simple as that. these people need to read up on iptables and keep updates on the latest security issues. most people don't. so yeah. it's not linux' fault, it's the person behind the wheel, it's like accusing a well secured car with a good chassis that won't crush you when you crash of driving you off a cliff. you're the one driving, not the car. same goes for linux. the system only does what you tell it to do, unlike windows.. which controls what a user does. Linux is your system, and it's up to you to make it secure. What people mean by linux being secure is that most bugs and security holes within gnu apps and the kernel are flattened out most of the time and when discovered, fixed immediately. and the fact it allows you to secure yourself. and the fact its security tools are some of the best. that's what they mean by linux being secure. it also depends on what OS you run as well, and how you set it up, so don't blame a perfectly fine system for the problems lazy/dumb administrators do. sadly, it's those with brains that must do the dirty work to keep the stupids from hurting themselves.
First off the reason so many posters think Linux is "more secure" is purely arrogance. The primary reason Linux isn't more notoriously hacked is because more people Hate Microsoft. Someday, if Linux succeeds as well as it has the potential to do - Linux will be the hated guy on the block and some new young OS will be the flavor du jour. Bad linux press will abound and the new OS will be touted as the greatest thing ever..
Not to sound like a troll, but what is wrong with that? People weigh the results of decisions every day: do I drive to work (unsafe, fast, comfy) or take the bus (safe, slow, smells funny). Do I vote for the party that offers free this, free that, and offers to tax the rich to pay for it; or do I vote for the party that offers minimal government services and tax cuts.
She's a grown-up. She's capable of living with the results of her decision, so lay off.
-AD
But I wanna know is that did one of our crafty readers take it upon themselves to , ahem, indulge in a little bit of average shifting? ;-)
..........FULL STOP.
or at least if I get the gist of the article, to say Linux isn't as secure as everyone would like to think. Come on if it's out there then someone can hack it. Period.
But defacements? It's one thing to say someone took a piss in your front yard. It's another thing entirely to say someone pissed in your living room carpet.
I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?
Right.
That's all fine and good until you realize that a typical application is FAR too complicated for a single person to design, even for such a gifted miracle-worker as yourself. So you wind up working with a team of people that hate you because you're so arrogant and a pain in the ass to work with, thus delaying the project.
MS would have written a worm to trash any Linux desktops out there ;-)
The reason defacements are so frequent, is that insecure PHP code (in particular PHP Nuke) and then they can read/write what the web server can, which often (for some reason) includes the web pages. (Even though usually you don't want your web servers to have write access to your web pages, people set it up this way for some unknown reason).
I've had a server exploited before because some user ran phpnuke. Sigh. It didn't appear they got root, but we had to reinstall everything anyway. Grr, from then on, new sites had to be approved by me.
As one of the security precautions that I ended up adding, was firewalling outgoing network connections from the apache user. Apache needs to connect to port 25 on the SMTP server (since we have some apps that send mail) and port 53 on your DNS server (for various reasons). Also incoming connections to non-port 80/443 are REJECT'd. This mitigates the damage a user can do once they have compromised a system especially as most "exploits" seem to want to try and download the rest of the exploit usually via HTTP, without network access they can't. This is now a standard item on any web server I install. If you're interested in this, look up iptables for --uid-owner.
You can repeat this trick for other services (such as DNS, SMTP etc) that you have to run.
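The outbound half of the setup described in the comment above, as an added example that is not part of the original post: a script that prints (and optionally loads) iptables rules using the owner match with `--uid-owner`. The user name `apache`, the addresses 192.0.2.25 and 192.0.2.53 and the chain name `WEB_EGRESS` are constructed assumptions, and the ESTABLISHED rule is added here so that replies on connections the server has already accepted are not caught by the final REJECT.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed assumptions: web user
# "apache", SMTP relay 192.0.2.25, resolver 192.0.2.53, chain name WEB_EGRESS.

# Refuse values that could smuggle extra shell or iptables syntax into a rule.
valid_name() { case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }
valid_ipv4() { case "$1" in ''|*[!0-9.]*) return 1 ;; esac; }

# Print the iptables commands for the policy. Nothing is applied here.
# Rule order, top to bottom:
#   1-2  create the chain and send every packet owned by the web user to it
#   3    loopback stays open (local database or cache, an assumption)
#   4    packets of already-tracked connections pass, e.g. HTTP responses
#   5    new connections: SMTP to the relay only
#   6-7  new connections: DNS to the resolver only (UDP and TCP)
#   8-9  anything else is logged, then rejected
web_egress_rules() {
    web_user=$1; smtp_ip=$2; dns_ip=$3; chain=WEB_EGRESS
    valid_name "$web_user" && valid_ipv4 "$smtp_ip" && valid_ipv4 "$dns_ip" || {
        echo "usage: web_egress_rules USER SMTP_IPV4 DNS_IPV4" >&2
        return 2
    }
    cat <<EOF
iptables -N $chain
iptables -A OUTPUT -m owner --uid-owner $web_user -j $chain
iptables -A $chain -o lo -j ACCEPT
iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $chain -p tcp -d $smtp_ip --dport 25 -j ACCEPT
iptables -A $chain -p udp -d $dns_ip --dport 53 -j ACCEPT
iptables -A $chain -p tcp -d $dns_ip --dport 53 -j ACCEPT
iptables -A $chain -j LOG --log-prefix "web-egress-reject: "
iptables -A $chain -j REJECT
EOF
}

# Stand-alone use:
#   ./web-egress.sh apache 192.0.2.25 192.0.2.53           prints the rules
#   APPLY=1 ./web-egress.sh apache 192.0.2.25 192.0.2.53   loads them (root)
if [ "$#" -eq 3 ]; then
    rules=$(web_egress_rules "$@") || exit 2
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
fi
```

The LOG rule leaves a kernel log line for every rejected attempt, so an unexpected outbound connection from the web user shows up as an alertable event rather than only failing silently.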
Having learned how to use ipchains or iptables doesn't say very much about how intelligent you are.
Having learned how to write scripts for sh or bash doesn't say very much about how intelligent you are.
Having learned the syntax for sendmail configuration doesn't say very much about how intelligent you are.
Configuring, patching, and building Linux (kernel) doesn't say very much about how intelligent you are.
If it is not your job to know these things, and if were you to put in the time and effort you could learn these things, then your not knowing how to do these things says practically nothing about how intelligent you are. These syntaxes and semantics are very ugly, temporal, technical things.
Will we even think of these things in ten years? Is a programmer who knows COBOL like the back of his hand and yet couldn't if his life depended upon it learn to follow good OO programming practices or how to use Scheme or Common LISP, very intelligent so far as this field goes? No, no I do not think we would consider such a programmer to be very intelligent at all.
If doing your job requires that you write VBscript and use a GUI to configure ACLs and various servers, and you have successfully learned to do this, you are in virtue of this alone no more or less intelligent than any GNU/Linux or *BSD admin using shell scripts and text-based configuration files.
Knowledge of these passing things is not the measure of a (wo)man.
From WordNet: intelligent, 1: "having the capacity for thought and reason especially to a high degree."
That said... Screw you, Microsoft.
.sig Realistic fines for copyright in
My copies of Linux are more secure. They are not out of the box secure installs however with stuff running I don't need. No OS is secure by default. Generally you have to make it that way and keep it that way. By the way the only time any of my hosted sites were ever cacked it was on a BSD machine.
As you can see I don't care about my karma.
Yet another raging battle on which O/S is more secure. Hear me when I say this, "Security is an ILLUSION!". Even if humans could create a flawless bulletproof secure system, that system is going to have users and, as soon as you add users you can throw security out the window.
Look at all the companies that were taken down by Blaster and Nachi. Didn't all these companies have extremely powerful and sophisticated firewalls guarding their networks? Sure they did, but the VPN/dialup/laptop users were able to get in after becoming infected and circumvent all the elaborate and expensive security. Sometimes I think firewalls are a total waste of money.
I won't even get started on the topic of extremely weak user passwords, unsecured dialup modems, and firewalls with way too many open ports.
Luckily all the worms and virii to date have been "mostly harmless", but the day is coming when a hacker in China or Russia is going to get the urge to make a political statement and start wiping out data.
Argue and discuss this topic all you wish, but know that the dialog is meaningless. SECURITY IS AN ILLUSION!
Another example, a little more relevant to this case: people want their email for sending dirty pictures, HTML joke pages, funny Flash or Shockwave animations, Active X games, etc.
Other than active-X, none of those things even NEED to be left out of a secure email system. Assuming that the Flash and JS interpreters were bug-free. In fact, if windows was done 'right' you could even run active X (but it would still be a bad idea)
autopr0n is like, down and stuff.
I was just thinking the same thing this afternoon. You're totally right. But, who do we have to blame for this? It wasn't the users' idea. They were perfectly happy with plain text email until some idiots came along and developed an email client that supported HTML and scripts.
Have you never heard of Robert Morris???
Moron
According to this reasoning, companies that have a good IT department with knowledgeable system administrators shouldn't have been hit by these latest two bugs. And I'm sure that nobody will argue that the DoD doesn't do everything in their power to make sure that the only spyware on their machines is the spyware they put there to monitor their minions. Yet, I recall reading that the Navy/Marines' network was also brought to its knees (although no intrusions were reported for "really" secure systems).
I guess there's nothing any of us can do to be totally secure beyond unplugging that network cable.
Since a vanilla Red Hat install leaves one port open by default - a DHCP client.
No one reinvents (it) without using older models as a guide (those that don't usually get torn apart for being shallow).
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
n/t
will not protect her data if the laptop is stolen. It can help prevent remote attackers from accessing it (or you DID help her activate the built in firewall and disable the Windows Server service, right?) :-)
Is Linux as secure as we'd like to think it is? No. I'd like to think that my Linux box is completely secure, thank you very much.
But that said, in my finest Lewis Carrollian tradition and practice, I not only *think* it's inherently secure, but for five minutes per day I outright completely believe it's inherently secure. If you remember, Lewis Carroll was a famous British mathematician, and quotes of his are incredibly important within the computer security industry.
It's just that I already wasted my five minutes today, and don't have more time to spend on it, while I made this posting. Catch me again next week with Taco's Weekly Topic Rerun, and you'll see me post a proof of why Linux must be 100% secure, and an insecure Linux box does not exist.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
There are of course many possible reasons why particular platforms are more susceptible to or are more frequently targeted by malicious activities. I contend that application diversity on a platform is key to its susceptibility.
For example, virtually all Microsoft Windows systems have very similar web browsers, scripting engines, pop/imap clients, and CIFS services. This makes a widespread exploit very likely.
UNIX and Linux systems, however, exhibit a much greater variety of applications. A typical GNU/Linux user might use PINE for e-mail, Mozilla Firebird for browsing with a Blackdown JVM, postfix for an MTA, etc., while a no-less-typical user of even possibly the very same system might choose to use elm, Konqueror with a genuine Sun JVM, and sendmail, while yet another might choose Evolution, lynx and fastmail. Get the picture?
UNIX systems are extremely diverse, much more diverse than in days of old when there was only one MTA. Just about the only ubiquitous daemon out there anymore is Apache httpd, but even it has good alternatives for certain applications. It is very difficult to write a worm to take out the vast majority of UNIX and Linux systems because they are all so different.
Windows systems, on the other hand, are about as diverse as the shoots of asparagus in a tin can. There is only one packager. There are only about five major default configurations out there, and there is only one default TCP/IP application suite. The installer has no options for activating or even making system administrators aware of security measures such as state-tracking firewalling. This bland array of distributions of Windows makes for a class of systems ripe for the picking.
Perhaps Microsoft would be better off offering an array of products (a nice web browser, a good proprietary scripting engine, etc.) but letting other folks distribute them as best-of-breed packages; I'm not saying that they should make their software free but that they should make their software the best and rely on the merits of their software to support their business model instead of monopolistic shenanigans and vendor-lock. Perhaps if MS let others package their software in other-than-Microsoft's-default-way, then the differences in configurations might just be enough to dissuade a little of the viral heat. Also, this would lead to the distributors having a vested interest in the integrity of MS's software and would place the burden of creating good security-conscious configurations on third parties. Apache httpd can be just as bad as IIS if you set your DocumentRoot to /, let anyone run scripts anywhere, or had PHP set up with a super-high http post file upload limit.
Just a few rantings and ravings.
Teach your guys how to use Bash. Then have them write their own little Bash shortcuts, which take only 2 characters plus a target name, assign them executable status, and put them in their personal bin folders.
Have them tell you about them, and post useful shortcut names + Bash command, each week, near the coffee machine. That will help standardize their commands within the company.
Problem solved.
It's not necessary to be all that "savvy" anymore. If you're running a stock box, you can have a SuSE or Mandrake system running on the 'net with a high speed link in less time than it takes to install WinXP.
Just leave it at the default workstation settings, and answer the questions -- same as you do for Windows.
Granted it's not set up the way I'd want it, but current releases are pretty damned good for mom & pop who just want to browse the net and read their email. It even helps protect them from the "social engineering" click-me trojans, as most of that junk is engineered for Win32.
What bothers me more is the mix and match of OS and webserver stats in the main slashdot article. Most desktop Win32 users aren't running IIS, so why would we include Apache breakins and such under Linux when comparing/discussing security?
I do not fail; I succeed at finding out what does not work.
To say otherwise would be a lie.
Windows has a great deal of exposure. Therefore more people hack it. Windows also was not designed to be secure. This is apparent in some of the things you see in it every single day, like how a single Windows box handles multiple users (not cleanly in my opinion).
GNU/Linux was designed to be secure, but doesn't have as much exposure although it is doubling pretty much every 12-18 months. If this Moore's Law-like trend, let's call it Greg's Law ;), keeps up then I predict we will see more security vulnerabilities showing up in GNU/Linux as time progresses.
The assertion that less worms implies more secure is a logical fallacy to begin with. If no one is writing worms for your OS (that is not to say no one is *using* it... lots of people are including myself) then any security issue you've got won't be apparent.
GJC
Gregory Casamento
Chief Maintainer for GNUstep
I'm not kidding about the install time. A SuSE 8.1 3-disk install was asking for the config details before WinXP was done identifying hardware (same box.)
Add in the time and hassle of temporarily swapping out NVidia GeForce series video cards to do the initial WinXP install, and the raw-hardware-to-internet time is less than an hour for Linux, and almost 1.5 for WinXP on the same hardware (CUSL2 PIII/933 512M/PC133/CAS2 60G/7200RPM GF2MX.)
Just yesterday there was this story on Slashdot about a new version of OSSTMM (Open Source Security Testing Methodology Manual) being released. I noticed, only 6 replies to that.
And as soon as there is some story even vaguely hinting the words Windows, Linux and security - there are 100+ replies.
When will we stop comparing Linux with windows and start doing our own thing?
Nandz
It is a myth that automated login is unsecure.
Anyone with some physical access to a machine and a boot disc/CD can hijack the said machine.
And this with EVERY OS out there.
The only REAL protection is an encrypted filesystem, but very few people use it. After all, their PC is worth more than the data on it. So when the PC is stolen, they don't worry about someone reading their archived email, but about the money they need to replace the PC.
Therefore automated login FOR A PHYSICALLY PRESENT USER isn't bad. Some Linux Distris offer this as well and as long as you don't have kids/a girlfriend that you don't want to run into your hidden porn folder, automated login does no harm.
Requiring a password from the person sitting in front of the computer is really just like putting the cookies on the highest shelf. Anyone tall enough can get it, but you imagine your 3-year-old won't ;-).
So the automated part of the login of a physically present user does no harm. However, I suspect that your girlfriend automatically logs in with administrator rights and this IS a problem.
But it is a problem even if she would type a password.
It's a server OS that comes bundled with every service imaginable. I can almost picture the parent's IT department. "Yeah we're running redhat behind a firewall so it's cool." Actually no, you still need to patch and be just as vigilant, if not more so, than using a windows server.
What these "keeping the net healthy with secure computers" arguments come down to isn't really security design or user knowledge as much as it is the number of exploitable services running by default per machine. Imagine if Windows didn't allow file, print, RPC, etc on the WAN connection by default. Or if IIS was a separate download that when installed also installed autoupdater to patch the machine every so often with .asp off.
Same with any OS. I'll take the "controversial" stand that the net is better off with Windows machines than Linux machines. I've seen the default installs on both and the Linux vendors and distro makers really need to learn what "install only what I need" means.
Most people, even power users, don't need DNS, Samba, telnet, ssh, ftp, etc running by default. Yeah, I know some distros are cracking down on this, but if every windows machine was replaced with a popular linux distro from last year we would probably be in a worse situation than we are in now.
The only saving grace I can think of is that Linux is usually bundled with a firewall, but a lot of good that will do you when the "click-through easy setup" opens all the exploitable ports anyway.
It seems to me that when I wanted to set up my sound system, I didn't actually have to start logging in as root. Rather, I set up a "sound" group, gave it specific privileges, and then added my user name to "sound".
Now, it seems to me that that is role-based privilege. That is distinctly opposed to the Windows system, where you assign a program "trusted status", and then everything it does is considered okay.
I suppose there is a possibility for a third model of security, perhaps something you'd call database security. Every program and subprogram has the subprograms/GUI routines that it calls, and when you set up the program, you specifically give it access to those routines and no others. Then users' shells are just another one of those programs, and each shell has its own database reference list. If you need mail privileges, you have to ask the admin.
But that kind of a security setup is going to take a ton of time to check as a program runs, and even that is going to be "broken" for a lot of business models.
As a result, there's a different kind of security I favor: it's the broken network security method. You have your internal computer network, with whatever security it has. And you have your webserver/email server. And those two computers are not on the same network. Rather, it takes physical access to get data from one to the other. Either that access is through manually installing a network cable for a short period of time, or transferring a CD-R, or some other similar method. But 99.4% of the time, there is just no access whatsoever. Such a system is mostly secure against net-based attacks, 99.4% of the time. I say mostly, because someone with insider knowledge could conceivably root your net box, and then have it wait until someone connected in the other network, and immediately launch a predefined attack... but that's probably less likely than J03 51XPAcK owning your 100%-internet-available company network.
Zone-H mostly posts defacements, and the reason this is easy is because of all the wannabe linux people out there. It isn't all that hard to download a RedHat ISO, slap an exploitable phpnuke on it (or some other php based web tool with a hole) and bam they go down. Maybe it takes a month or two for an exploit in their version of to surface, but when it does, they aren't paying attention as much as the people doing the exploitation.
Keeping a box up to date is important no matter what the OS. Windows makes it easy with WindowsUpdate. RedHat and many other Linux distros make it more difficult with pay-to-update or oops we-broke-your-config updates.
Linux can be more secure, but only when you know what you are doing.
I'm late to posting, so this is probably redundant by now.
I had sworn off responding to ACs, but you agreed with me so I'll answer you. I am currently reading "Code Complete". (Well, I am in Ch.11 and haven't touched it in a month because there is too much work and summer fun.) I learned from people who had read the book, and much of it is common sense, so I am not learning from it, but I would highly recommend it to any new programmers or PMs.
First, I am not an OS developer. I do not pretend to be one. I am a consultant that builds applications for very large corporations, and yes, I believe in getting paid.
I could help with the DESIGN of MS products.
- Start with removing tabs from almost everything. They are a very poor interface. Computer data is meant to be viewed vertically. Sections (twisties that hide vertical data when closed) can keep things organized. That interface has been proven easy-to-use. MSWindowsExplorer, AcrobatReader, and Mozilla use them for menus on the left. They are also very useful for content. Having your important network settings scattered on 3 of 7 tabs (with only one prioritized since it opens first) is painful.
- Properties boxes that allow context sensitive settings are great. OpenOffice and Adobe and Lotus products use them. Why doesn't MSWord?
- Pet peeve: MSExcel. Try programming it. If you make one mistake, it pops up an error. You cannot see the code while seeing the error. And if you click/type one thing wrong, it deletes the code with no warning. Nobody can call this user-friendly. Lotus 1-2-3 did it better in the 80s.
I have probably worked on a half a million line program so that you can add feature X in a week. I never asked how many lines of code there were. I do not need to read an entire program to find where code needs to be inserted to add a feature or remove a bug. I was able to locate and fix 200 bugs in a large application in 6 hours. The PM was upset because I was not testing the fixes (he was very paperwork oriented), but the 6 developers were doing the testing as I worked and were happy that the bugs were disappearing.
I do not want to work for MS:
1. I do not like their ethics. If I treated my customers like they do, I would not have any customers.
2. I believe MS is about to go down in flames. Why join a sinking ship?
3. They may pay very well, but I probably make more as a freelance than they would pay for any technical position. I would also lose control of my time.
4. I live on the wrong coast. I travel frequently for work, but a "job" with MS would probably require relocating to Washington.
I almost took a job with IBM; I like their software, and would like it to be more usable. But I doubt I could survive working in an office.
I am unable to work 9 to 5 for more than 2 weeks without going crazy. I am too comfortable having a few months off each year. I like results; I do not consider office politics to be fun. I am a consultant because I have to be, not because the money is fantastic (but it doesn't hurt.)
I spend my life entertaining my brain.
A web site defacement on a Linux machine is probably not a problem with Linux, but a problem with Apache, ncFTP (or UWFTPD or any of the others), SAMBA, Sendmail, or any of the other projects that people tend to run on top of Linux.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Here is another response to an AC.
;)
I covered some of this in a post above that is currently modded Off-Topic. How can I be off-topic when I am responding to a response to my own post?
Yes, most projects involve many people. Even if there is just a single point of contact, that is one other person with whom the developer needs to be able to work.
I have several advantages when working with teams:
1. My great personality
2. I am usually added to a team because they have a problem they could not resolve. Everybody knows I am there because I have abilities that were not already present. I must be very careful not to rub their nose in that fact, or I will not be invited back. (I actually had a PM doubt my abilities because, while I let my confidence border on arrogance during the interviews, I was "too nice" when I met with the team.)
3. People who work for companies rarely have the opportunity to learn from people outside their corporations. Almost every one of my assignments involves some "knowledge-transfer" to the regular employees. The teams WANT to get along with me so they can learn from someone new.
I know that many "gurus" have the reputation as arrogant and a pain in the ass, but the reality is that if you want to be a successful consultant, you cannot be either.
The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours
that's funny. Netcraft says that apache accounts for 63% of www servers. I can't be sure, but there may be some reason for this correlation.
Security experts have said for years, here and elsewhere, that security is a process, and a function of administration, not some tangible goal that can be reached. Ultimately, it is up to whoever has a secret to make sure their secret is safe.
Linux is one of SEVERAL fine operating systems that give the independent system administrator the ability to examine the security flaws in their system, and to correct the problem on their own, given they have the know-how. The paranoid often do. Closed-source operating systems simply cannot offer this level of security.
This comment is fully compliant with RFC 527.
I'm SO looking forward to scrolling down and reading about how those defacements were results of irresponsible administration or loose apps... But it's going to be hard for me to remember that I'm reading about Linux and not Windows.
Jeez... What the hell happened to the /. I know and love? Another article like this and the "News for Nerds. Stuff that matters" might have to change to "Fair and Balanced".
*grin*
Defacement really has nothing to do with a widespread virus... In the case of a defacement, a hacker is specifically working on ONE system. Next time, the exploit used to get in could be completely different.
Since there are so many different flavours of Linux, the chances of having one virus capable of attacking millions of computers at once is lowered substantially. Whereas Windows systems are pretty much identical.
Unless there is something really really wrong in the Linux kernel, not every Linux installation is going to be vulnerable to one virus, methinks.
Now, this could of course change if Linux gets mainstream, because end users are going to want some kind of standard build... that's when Linux virii will become a problem.
Linux has nothing to do with site defacement. Buggy Apache modules do...
I have used off the shelf exploits on my brother's IIS web server that got me into his web server's file system. I don't know who is to blame - Windows or IIS... But when you see a defaced Linux web server the answer is nearly always "php"...
realkiwi
If you want to discuss the success probability of a worm, there are three aspects here which need coverage: First is the actual quality of the implementation of the operating system. Second is the concepts behind that implementation. Third is the density of the system population.
The quality of the implementation in Linux is highly variable, depending on what part of the system you are looking at. There are parts of Linux that are of an extremely high implementation quality such as the kernel, the Apache web server or other active and well researched projects. There are other parts of only medium quality such as for example the popular PHP language.
And there is a lot of stuff that is of actually pretty low quality, badly researched and incredibly crappily written from a security point of view. Common PHP applications such as PHP Nuke, TikiWiki or other "CMS" style applications belong into that category. Getting web server privileges through one of these using a pathname exploit, badly written uploads or other commonly known classes of security problems is usually a piece of cake. From that you need to find a local root exploit to own the machine. That's a little harder to do than a simple web exploit, but also nowhere near impossible.
Also, current PHP coding techniques do little to minimize the amount of such code being written and to encourage clean coding. Brings us directly to the concepts section: There is no equivalent of ASP.NET type infrastructure and tools in the PHP world. Windows may have bugs, but in this particular instance they may be in an area where PHP for example has not even code to show...
When you are discussing security concepts, Windows often is on par or even surpasses common Linux systems. Windows' failure is too often in the area of implementation, or it fails to leverage and deploy the concepts it implements. That's why Windows passes US and European security evaluations, but does not feel "more secure" in day to day use. For example, Windows had Access Control Lists as part of NTFS since the very first 3.0 days.
Only with the advent of Windows 2000 Microsoft started shipping Windows with halfway decent defaults, though. Also, getting to see and check the ACLs of a directory hierarchy with onboard tools is laughably complicated compared to what Unix presents (namely, a moderately complex security system with ugo/rwx and ACLs tacked on for those special cases, and "ls -l" to mass check an entire directory with a single command).
Windows also has superior concepts regarding impersonation (instead of SUID), RAID as part of the default operating system way before the actual Unices had it, a PKI and a directory service as part of the default operating system shipment (and code that actually uses that, by default, unlike Unix, where you have to jump through hoops to get your mail server, samba server, your different logins and your client applications to use such a service if you had one by default) and several other things that look nice in the book.
Unfortunately, all of this is of little use against worm style attacks. Here the conceptually bad parts of Windows reign: Treating data as code and in some cases even automatically execute data that has been recognized as code (HTML mail with Javascript, Office macros, HTML with Javascript that is being executed when entering directories) is the major attack vector. Also, badly designed and protected desktop IPC, allowing for the shatter attack and other legacy sins make the Windows desktop a primary target for worms and viruses. None of the above security mechanisms help protecting against this style of attacks, which is why Windows looks good on paper, but not on your desktop.
Also, unfortunately, the Windows population in your average company is dense enough and homogenous enough to allow for wildfire type effects when the attack is spreading over the network.
Linux has similar vulnerabilities as Windows has, but we do not see them at the moment, because even if there were a worm that could uti
I may be missing something, but this quotation seems kind of misleading. According to Web Host News, over 62.5% of all web servers are running Apache. I'm presuming that most of those Apache servers are Linux servers (does anyone have the numbers?), and if that's at all close to true... it seems like highest number of Linux site defacements is proportionally less-than-equal to the number of Linux servers.
Also, I've never seen any high-visibility sites stay on MS/IIS for very long (MS hasn't even run MS on some of its high profile sites at times, because the platform simply couldn't handle the load). If it's even true that a disproportionate number of high-volume sites run under Linux (and I certainly know some of my customers do); well, wouldn't those sites be the most likely to be targets for defacement?
And, if either one of those mitigating factors is close to true: that's a pretty good track record. If neither is true, it's still a good thought experiment which demonstrates that taking these numbers at shock value doesn't really further understanding of how the different OSs are performing security-wise.
I don't think anyone should be so bold as to say that there will never be a security problem with a system, but throwing evidence like this out seems as scientifically responsible as trolling or grandstanding. The data just doesn't seem to mean anything.
Jake
There *will* be new Worms with Linux or more exactly Services running on Linux as a target. There will eventually be (more) Viruses (than the proof of concept viruses we have today). But to be fair, you have to make a difference between the types there are. Sobig is a completely different beast compared to the blaster thing. Blaster like outbreaks are definitely possible with Linux. Eventually there will be another easy to use root exploit (think wuftp as an example) and then there will be worms exploiting it. It just has to be in a service that is default for most distributions. OpenSSH and Apache would probably be some of the most dangerous targets because of their installed base. Worms like blaster exploit programming errors. Since programming errors will always happen, there's always the chance of them happening in highly relevant places in regard to security.
The Sobig stuff is a completely different matter. Those are enduser worms. They need help of an enduser clicking on something. To be exact, those worms are outlook worms. Microsoft could stop or slow down those worms by making it harder for endusers to execute the malicious code. Linux is only (much) more secure here since people would have to save the attachment (seeing the full name, not just the xxx.txt part of xxx.txt.exe), make it executable and actually run it. As long as Linux mailers will not offer click and run for mail attachments, worms like that have the threat level of those sigs you sometimes see, saying hey, I'm a sig virus, please copy me to your sig. I'm sure though that an Outlook version that shows the full filename and doesn't allow executing attachments, maybe even marking them red will drastically reduce dangers of emailworms. And no, the recent methods to tackle the problem are not the right way. Blocking executable attachments completely will just make people disable the measure since it reduces people's ability to use the software.
Zeinfeld's post is not a fragging troll.
He doesn't write like a bullshit artist, and although I REALLY have a problem with his WinSHIT defense, he's got some good points. Linux is a patchwork system, although it's quite good at it when stuff actually interacts. Linux has quite a bit of room to improve.
--- Grow a pair, liberals... stop letting the Republicans bully you!
How secure do you think Linux is?
There are many different ways to twist statistics...if there is one thing I learned being an Operations Research major, it is that statistics tell the story you *want* them to tell...
There are many elements to this analysis:
1) What percentage of servers run Linux vs. Windows? This is key to understanding the percentages of exploited servers.
2) Define security. I'm not so sure defacement==security, and certainly it might be shown that while Windows and Linux are both exploitable, the nature of the majority of the exploits present on each system differs greatly.
3) The security of an OS may be best represented by *fully updated* versions of that OS. I doubt many of the defacements on Linux systems were using the most recent patches, but I believe SoBig took advantage even of the most updated Windows machines. MS released another patch AFTER the virus was out there, to my knowledge. If I'm mistaken, great, but the point stands that it is not fair to rate the security of an OS based on old versions that are known to have exploits. It's always important to keep systems updated no matter what you choose to run. Security is not a scale of where the software is, as much as it's an attribute that is determined by the deployment of the OS, and how well the authors of the software, and the administrators of the servers keep up with the scene. There will always be new exploits.
We certainly have shown that proprietary software has one serious weakness: when an exploit is found, the patch is coming primarily from one source, and worms are learning to exploit that weakness. While SoBig didn't do it well, there will come one that will. The idea is certainly out there.
In other words, they're what you install if your intrusion succeeds, so they don't tell you very much about the number of ways to crack stuff.
They also suck, since many of them are built statically against old and broken libraries, which results in even the overt parts of them not working properly (and in some cases killing your system completely).
Got time? Spend some of it coding or testing
Linux is more secure than Windows because we know it's not secure enough and never will be secure enough.
Windows, however, knows for a fact that it is secure enough; as a direct result it's not secure at all.
The latest claim that Windows is insecure by design is basically saying that Microsoft didn't even think about security when they first designed the operating system years ago and just followed the basic philosophies behind DOS.
At the time DOS was the only operating system to have viruses and people were crying foul over this. That Microsoft could do better and if they do make a new operating system they should.
(It wouldn't be until Apple adds multitasking that Macs would have any viruses)
To further the point, a number of products entered the market to make DOS more secure. Password protection to keep users from using the computer and the ability to write-protect hard disks were just two security features available from third parties.
All commercial network packages I have had any experience with had quite a few security features to deal with the fact that they were missing from DOS. Yet people didn't use those features effectively and would leave systems open to virus infections passing over the LAN. This would foreshadow the Internet as it is today.
But in the end it's vigilance, not design, that keeps Linux secure.
Because for as many Windows worms we have seen lately and as many claims that BSD is the most secure Unix around....
The one and only BSD worm did the one thing no Windows worm could do. It took down the Internet. It flooded the network with billions of infections.
This could happen to Linux.
We can show Windows is insecure ground up. Viruses and e-mail worms need an insecure operating system to work.
Viruses need to be able to infect other binaries once run under the user account. This simply won't happen under a secure operating system.
Email worms need an e-mail client that will run programs attached to e-mail.
But normal non-email worms hack in from the outside. Look at that statistic again.. Even if only 1 Linux box is hacked that means a worm can do it. A worm can be made to hack into Linux systems just the same as a hacker could himself. Before you know it the worm has infected many systems. Millions of infected systems in the time it takes for one hacker to deface one Linux hosted website.
It could happen... IF...
If we sit on our butts. Worms take a while to write so it may be a month or so after 'discovery' that a worm is actually created.
If we sit on our butts and not make a patch,
Sit on our butts and not test the patch,
Sit on our butts and not apply the patch.
Then a worm could be released.
If we don't secure our systems.
Applying patches and bug fixes is only the start. There are countless procedural errors that could be made. Get something to test your system for all the known ways someone could hack your system and test for them. Know if you're safe.
I remember one Solaris zealot actually freaking out when she discovered an SGI system was being used to run a website. She pointed out that the machines were not designed to run websites.
In other words the operating system was "secure enough" for a stand alone workstation.
I don't actually exist.
I think we should compare apples to apples here. Windows is suffering from a larger installed base plus virus plus worms. I bet most defacements exploit misconfigurations in Linux. When you configure a box just right, it will very seldom get compromised. You have a guy doing some "work" to deface you. With a worm you just release and sit down. The installed base will do the dirty work for you. There are far fewer Linux worms than Windows worms, reasons twofold:
- linux people are more security conscious.
- linux has a smaller installed base.
No need to evaluate these OSes' technical excellence. You can do that when you get the same percent of the market.
There are 2 major points here: in reality the security of the system is a mix of the software and the people working with it. If the people don't have security in mind, no software will help them. The more important thing though, the difference between Win and Lin isn't that one of them is more secure per se. It's just that I find it MUCH easier to secure a Linux machine than to secure a Windows machine. With Windows, one never knows WTF the beast is doing, and one is used not to care. MfG shurdeek
Frankly, the fact that certain distros charge money for using their automatic update system shows that we've got a way to go! After all, when you put the stuff out there and continue to put it out there, you've got a responsibility of making sure your software is not endangering the integrity of the internet.
Here's a wishlist:
1. Automated updates by default - the likelihood of a break-in is greater than breakage because of updates.
2. Better firewall configuration tools. Maybe a standard interface for having servers request
3. Better monitoring systems - not just as emails to root, but something better.
And completely unrelated, making a secure-coding class mandatory wherever coding is taught.
Stop the brainwash
tired of rebooting?
*checks win2k uptime*
35 days, 20 hours, 6 minutes and 7 seconds
this is not a server, locked up in some dark room somewhere, with no gui to make it crash, with no techies too scared to touch it because typing 'startx' may take down the whole network. it is my work machine. i currently have 3 instances of visual studio 6 open, one which is running a service in debug mode, another which runs a test app to the service that's running in debug mode, and the third is for working on another project i'm assigned to - up until recently it was also running another service in debug mode, for over 3 weeks if i recall correctly. i run distributed.net, irc, msn messenger, sql server constantly as well. query analyser is constantly open, as is outlook, opera, internet explorer, terminal services, and many in-house applications. i've also got cisco IP softphone running continuously, because of some dumbo IT decision to have software phones instead of normal phones.
i'm not the greatest programmer by anyone's standards - heck, i'd guess i'm only slightly above average. this means that my code breaks (in all 3 instances of visual studio)... often (in all 3 instances of visual studio)... before it gets fixed. strange that my dodgy code, and my "crappy" OS is able to still remain running without any hassles?
so how have i managed to not reboot in over a month?
1. Linux's security model, when properly used, makes it harder for an intruder to go from "foot in the door" to "root access."
That is a popular myth, but it is not true. The UNIX security model was developed for an environment where users, including the root user, are friendly and can be trusted.
This is something completely different from the environment we find on the Internet today, where you are better off trusting no one.
There is sufficient evidence to support this, such as: http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it
2. In the case of Linux, you won't have a whole new set of remote root exploits that need patching 6 hours later.
Right, it will take less than 6 hours.
The fact that Microsoft has been doing a terrible job at security for years does not mean that most Linux distributions are really that much better. The advice to shut down services is a sign that you cannot trust Linux. Otherwise it wouldn't matter if someone broke in on a service, he couldn't do anything harmful if he did.
All this pointing by Linux users at Microsoft Windows is like Dumb pointing at Dumber after doing something stupid. But fortunately, there are projects like Adamantix and Gentoo-hardened which are actually doing something about it.
These distributions offer the following things that are important for increasing the level of security (even though they are not perfect):
1. Protection of process memory, to keep executable code and data separate. Buffer overflows often try to execute data as code. Bad thing.
2. Compiler extensions which try to intercept buffer overflows.
3. Mandatory Access Control (MAC), where the kernel enforces a system-wide security policy. Normal *NIX systems have a Discretionary Access Control (DAC) model, where the user decides about the security of his files. (E.g. you can decide to chmod 700 $HOME or chmod 777 $HOME, not the system).
Ok, it might sound a bit strange, but isn't the best way to test a security system to have a group of people trying to compromise it? And since we are an OSS community and want to learn from each other, it should obviously be an open-source virus, so distro vendors could make sure that their system is safe from it...
umm let me think about that one a second ...
.. and that's what people do every five seconds.
answer = NO.
The simple fact is that Linux has Less of a market share and is mostly run by proficient administrators who by no choice of their own *have* to know what they are doing to use linux.
so, Less market share, and more proficient users = Linux seemingly more secure.
also, where's the fun in saying "Linux was hacked! - OMG I Got a Segfault (linux's version of the Blue Screen)!" umm there is no fun in that, because Linux is a geek os, and geeks know what a segfault means.
They also know how to use the damned thing properly because it's "cool" to use it.
in a nutshell? Linux *seems* to be more secure because there's no fun in reporting every single incident of Linux being hacked as people do with windows.. because windows is the dominant OS in the market.
Windows has more market share, thus it seems less secure because it's attacked more. and because it's made by microsoft, and microsoft is the number one technology company in the world... it's fun to poke microsoft in the eye
so, the answer is quite clearly NO. Linux Isn't more secure - it's just less fun to poke it in the eye, because of the nature of the project.
Less market share = Less interest, = Less "news" about linux being hacked, and It's as simple as that.
and there are hacks for linux .. (just as many as windows) ... just, NO-ONE cares cos they mostly know how to fix it when something goes wrong.
One comment you often hear from Linux/UNIX people is that their systems can't get infected because all code executes in userspace and cannot do any harm to the system. You can just kill the process/delete the file and all is good again. And if people execute unknown code as root, they have themselves to blame.
But many UNIX worms/virii don't rely on code being executed as root. They spread using security holes such as buffer overflows, and don't need anyone to click on an attachment or execute an unknown binary.
I don't have the links to back it up, but wasn't the first worm ever a UNIX worm, written by a kid whose father was in the security business and told him about security holes in UNIX systems?
I don't think that the OS decides whether a system is secure or not. Sure, it is a factor, but sloppy administrators and developers are to blame as well.
The simple thing is, and I have not seen this commented about, is that there is a difference between human attacks and virus attacks. With Windoze security, any stupid virus can destroy your system.
With Linux, however, the situation is different. Since privilege escalation is not trivial in Linux/Unix/BSD, viruses can generally only exploit userspace. Privilege escalation usually requires human intervention (or, at least, I have never read or heard of a virus that could escalate its privileges on a Linux/Unix/BSD system). This means that Linux/Unix/BSD systems that are compromised are cracked by deliberate attackers with the attacked system specifically in mind. This is as opposed to some dumb bot that tries to infect everything on the net. Why there are not terms for the differences in these classes of attacks I cannot say, but there is no doubt that they are different. I will call them direct (human) and indirect (virus/bot).
Viruses, with the exception of superviruses, are also generally written to take advantage of one or two security holes. They cannot be written to contain every historical exploit that may exist in the wild. So, human attackers have possibly thousands of methods at their disposal while a virus has a few. One of the most commonly known military defense tactics is to get your enemy to attack you from one defensible point. Any enemy with thousands of entrances will find a weak one. Direct attacks are much more powerful than indirect attacks.
The simple conclusion is this: If someone knows what they are doing and wants to get in, they are going to get in. However, it is doubtful that Linux will ever be afflicted to any damaging degree by these silly mass mail viruses that damage your email or even wipe your hard drive.
The weakness of Windoze security is that even indirect attacks work on it.
All data is speech. All speech is Free.
enlightenment: straight to path, or a GUI jacket?
(sorry. punning is its own re-word)
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
UNIX and lookalikes weren't designed for the would-be user. Still, most users just migrated from M$ will be happy with the out-of-the-box install of RedHat-latest and Apache. That is simply not the way to go. A UNIX takes a lot of time to configure and then administer, and if this isn't done, you might as well pronounce yourself a windows admin.
The key concept of UNIX is its building blocks: you build it from the ground up, not the other way around. A good server install should use the linuxfromscratch OS, with as little installed as absolutely needed. Then you hardify, using your KNOWLEDGE of the system. That's what most users think comes with linux by default. Wrong.
With M$, you get to do what M$ thinks you will do. With linux, you get to do what you want to. The downside is you must know what you want and how to get there.
-i
Hello,
I think this question is very misleading. The truth is, regardless of what kind of system you run, more often than not your system is only as secure as you make it.
Some systems are designed to be "secure" out of the box, but it is the responsibility of the administrator to make it so.
I'm sure that other people have posted similar remarks, but I haven't taken the time to see so for myself.
"It was hell!" recalls former child.
Linux might be as holy as M$ windows, but it doesn't stay that way for long. It's an open source community that has more incentive to fix problems quickly. Any holes are patched, and published (hopefully in that order). If you maintain and update your system, then I wouldn't worry.
In a big corporation one brilliant programmer doesn't make a difference. In fact I bet that even if 10% of their programmers were brilliant they could easily disappear in the machinery of a big corporation like Microsoft.
I don't know what the problem is at Microsoft, but considering the amount of holes in their software (And more importantly the amount of stupid default settings.) something is.
Weird.
:)
I have a Win2K machine at home and it crashes like a maniac.
It freezes on me a lot of times.
I usually use Photoshop, nothing more.
3 days ago Internet Explorer didn't even run.
When I shut down, it says "Saving your settings" for like 10 minutes.
I should mention that it's a pretty clean install, it's not full of junk or something (and even if it was full of junk, that's not a reason for it to crash).
What is your trick? Share with us!
"I have a reputation as a miracle worker for being able to see inside the code."
;P
:/
Wow, and modest too
"I am anti-MS because I am tired of rebooting"
I use Windows all day every-day at home and at work and I never have a problem with it. MS-Word on the other hand is a pile of crap, I don't think I've ever heard anyone defend it. But that's one app, not the whole corporation.
"If they have some of the best programmers in the world, why are their applications so bad?"
Years of trying to maintain backwards compatibility and simultaneously change the underlying data format several times over due to decisions made by PR guys with no clue what that actually means. Etc, etc.
I've worked on Windows apps myself and I'm not bitter.. not bitter AT ALL!
Morality is usually taught by the immoral.
Once Linux is installed, a typical user would never see the command line, and only needs to learn one GUI.
True, true. I frequent several Linux online communities on a constant basis. Lately (in the last year or so) I've seen an increasing number of complete Linux newbies asking "how do I open a terminal or a console?"
Think about it: they have never even seen the Linux command line. To most anyone who's been using Linux for more than two years (until now) this idea seems inconceivable.
Yet the people turning to Linux for the first time these days are reacting in the same point-and-click manner they would under Windows. Their user experience is limited to whatever they had the luck to get installed by default and whatever they see in the "Start" menu or on the desktop. That's what their Linux experience is born and dies with.
In many cases they don't even think that they could choose a better application than the defaults. They don't know (or care) that they have a choice, they don't know that on Linux you have more than the usual to choose from, sometimes they don't even know how to install new stuff or uninstall the old.
And even if they surpass all of the above, their install tools are limited to whatever the distro provides. Don't let me even start on the "qualities" of various graphical package managers out there in the popular distros right now.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
Good versions of drivers (check forums for people saying version X of your driver causes crashes)
Test all your components for hardware compatibility issues. (I've had RAM that's good in one machine, bad in another. I've had NForce sound hardware that caused crashes. I've had video cards which really didn't want to work with my motherboard)
I think that almost all of the problems I've ever had with windows can be put down to hardware or driver problems. I.e. not Microsoft's fault. So long as you run a good firewall, an AV program and check windows update regularly your system should be as stable and secure as most linux or BSD boxes.
Flame me if you like but I really like windows XP/2000.
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
"An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage." This is true *if* the _proportion_ of Linux servers in the Unknown category to the entire population is significantly greater than the _proportion_ of Linux servers in the 'known' category. The statement as posted seems to indicate that a greater number of Linux servers in the unknown category directly results in an increase in the proportion of Linux servers hacked, which is untrue.
The number of security fixes released in the last week for DirectX should have anyone thinking the platform is inherently secure quaking in their boots. Imagine if there was an openGL vulnerability in Linux, or if an X server which wasn't listening on any ports had a major remote security flaw. DirectX has had so many recently i've lost count, and it's neither a security nor a network system.
It may not be the coders' fault, the problem is simply that the windows internals are screwed up. It may look like it's all shiny and clean on the surface, but underneath it's just kludge on kludge.
I checked.
/not/ ideal in my eyes (and yes, everything is hack-ish, in my eyes), and I use windows a lot for graphics (I adore Adobe Photoshop) etc.
It's a Dell optiplex, the only PCI card I added is an Intel ethernet card.
I downloaded all the drivers from Dell, for this specific model.
Linux runs PERFECTLY on it.
I also update it, and run an AV (not that I trust these programs...).
Windows XP runs so slowly, I have no idea what they shoved to the kernel...
Anyway, Linux is
But right now I prefer using Linux for most things.
Our Linux servers were attacked three times. In two cases they used stolen passwords. In one case the problem was in a faulty PHP script (input data not checked).
Of course it's possible. There's been at least 3 "linux" worms that I can remember: ramen, slapper and lion. AFAIK, slapper was the one that had the worst spread, with something like 20000 systems infected, if i remember right.
It's highly unlikely, however, that you would be able to write a worm today that would be able to infect "workstation" linux systems, since modern linux distros tend to have firewalling turned on out of the box, few services running as root, and no server services running by default. If you're fast, and a new remote-root hole is discovered in apache/SSL, that would be your best bet for making a worm with any spread at all, but I very much doubt you'll be able to get even as wide a spread as Slapper again.
If you want to try for a linux equivalent to something like Blaster, which could infect essentially ANY NT-based windows system connected to the net and not behind a firewall, you're SOL, however.
It really doesn't take a lot to secure a box reasonably well, but a lot of people don't take the time to do it.
Put it this way, I work for a Fortune 500 company that I will leave unnamed. The IT group uses a "default install" for the servers... we still have servers running Win2K SP2, with a ton of security patches. Our Sun boxes have Telnet and FTP open, no TCP Wrappers, no SSH, and a ton of ports open like finger, rexec, rsh, etc. Nobody ever bothered to lock them down. The Linux (RedHat AS) boxes are a little better, but it's a default install... our web servers come loaded with Squid, and well.. pretty much everything. Stupid, Stupid, Stupid.
I'm trying to change it, but I'm also working against a corporate mentality that says that even though *I'm* in charge of production boxes, I can't patch them... there is another "team" for that. So, I could have them all fixed up in a week, but can't touch them.. I need to define what I want and request it from the team at the data center.
isn't these wormholes (get it?) but the default mail and web browser programs that come with the os, sure most of the nasty stuff have more or less been patched but getting a user on a dialup to install a number of patches going into the 50+MB range is not going to happen! if they got a notice onscreen saying that they should stop by their local electronics shop and pick up a free patch disk then we would be seeing more patched boxes out there.
then we can start nailing down stupid stuff like a web browser able to install software in the background without asking the user (those porn dialers are a familiar sight) and a mail client that supports in-mail scripts out of the box (big no-no!) and able to run software without warning users that hello this is a program file or shortcut or something other nasty, not an IMAGE FILE (check yesterday's user friendly for an upbeat look at this:)
i'm damn glad i use mozilla as my default web environment, just need to get rid of that gaming addiction...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
but what do i know, i'm just a model.
Dear Kringle,
... EU, US, I, me, we... whoever. There are a few (very few) honorable and ethical statisticians at state/public universities. ... I trust none to be honorable and ethical, but maybe there are a couple. I have read some significant business and government reports on surveys, samples, reports, .... I finish (9 of 10 times) reports with the feeling that the findings frequently reflected the recommended outcome of the company, agency, ... that paid for the report/paper/BS/smoke (no fire). ...
Important point we agree reality is a bit more complex than that frequently implied by media, religion, politics, and sometimes
In business, politics,
I used the abbreviation a hyphen and the present participle of lying [Stat-Lie]. It is short for the BS/smoke (from questionable authoritative sources) that is presented (as fact/truth) to place a positive top-spin on the self/special-interest of business, market-media/news, politics, religion,
BPM Disraeli said, "There are three kinds of lies: lies, damned lies, and statistics."
How to Lie with Statistics; 1954, Darrell Huff
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
40 single IP
17 mass defacements
Win 2000 (98.2)
Linux (1.8)
Only one remote hole in the default install, in more than 7 years!
If all OSes were like this, sysadmins would lose their job...
Very few people prefer MSWindows
Wrong, very few SLASHDOTTERS (and the poor users who are stuck with them as their admins) prefer Windows. *I* prefer Windows to Linux, FreeBSD, or OSX. *I* can secure a Windows system, because I've taken the time to learn how to. *I* was not in any way affected by sobig, blaster, code red, nimda, or fuck, even Melissa! Why? 'Cause I know what I'm doing. *nix users are always talking about how technically savvy they are, yet when you put them in charge of a Windows box, they bitch and whine so much that they don't take the time to learn what's actually going on under the hood (and you CAN do that without having the fucking source code, we're all tired of that whine. Real men don't need source.). They bitch and whine that you have to be a moron to use Windows, but they couldn't lock down a Windows box if I put a fucking button on the screen that said "Lock Down". Hell, I could PRESS THAT BUTTON FOR THEM, and they still couldn't do that.
Backpedalling: the voice of the new Linux generation.
Letting users log in as root is okay as long as you disable the password. Otherwise, they'll be calling you saying they forgot their password and it'll make your job that much tougher.
...how else do we define good but by contrast. If, by some wonderful chance, linux does become more widely used than windows on the desktop, and M$ is eliminated, who will we rant against? With the exception of SCO recently, we haven't really had a "villain" other than Microsoft.
Now say for the sake of argument, that Redhat becomes the big distributor of linux, and M$ is reduced to rubble. Power corrupts, and absolute power corrupts absolutely. I hold no organisation or group infallible and although i trust Redhat right now, there is no way to make sure they would not abuse their power. Argue that the GPL protects us... that is true, but it is also true that there are always loopholes and "some rules can be bent... others can be broken." The desire to accumulate capital is what drives capitalism... Make no mistake, Redhat is not a charity (arguable), they want to make money, gain market share. Even though it serves their purposes to support the oss community right now, just wait until they don't need us anymore. People will stick to the name "Redhat" and use "their" OS because they know nothing else. Redhat has always been one to include "bonus cds" with commercial/binary only software. What happens when they start integrating that software into the system more and more? They would create an addiction to its product, as M$ has with word, office, etc... It is important to remember always that Linux is the kernel, and the kernel _only_.
I can see a demand right now to add support for hardware in linux that only have decent drivers in binary form (eg. nvidia). For now redhat has refused to include them for that reason. Eventually they might bend (as some other distributors have done) and include nvidia.o with their kernel module package. If you give an inch to corporate America, they will take a mile... and then some.
I realise that this may seem off-topic but it really is quite relevant to the discussion at hand. Binary only software means less reliability. Linux works well right now because if a bug is found, it can be fixed by anybody. If there is a bug in a binary only package, the best you can do is e-mail the company and complain.
Right now, linux is "hard" for users to learn because it is different. If one can learn to open his/her mind to new ways of doing things, linux is fantastic. It's the only OS i use right now and for everything i use it for, it's perfect for me. Linux blows windows away in terms of speed, linux is more secure. The last time i rebooted my desktop was when i last recompiled the kernel in june. As far as apps go, I've rarely seen an application marked "stable" that crashed.
Well, that's my two cents.
Start your journey into the mysterious and complex world of Windows NT security here.
As a 10 year tester/QA person, let me say that even if a bug is found by the QA/Test team, it may not get fixed. Project Managers rule, and have been known on occasion to ship software with known bugs in it. I can't imagine Microsoft is any different. I'll bet there are some QA people at Microsoft who get to say "I told you so" on a daily basis. :-)
My beliefs do not require that you agree with them.
It's a matter of numbers. Many of the WIN worms, etc. are aimed at exploiting user machines to perform some sort of attack elsewhere. Linux may have a good portion of the server market, but until Linux is as popular as Windows on the desktop, and as long as Joe User is capable of ignoring patches, updates, and security best practices, Linux will be as vulnerable. There will always be something.
Eg: Linux is good, M$ is bad. thus attacking M$ will bring people to linux... which is good. It sounds like faulty logic but it does work. No i don't support it but it has made people desire a more secure OS.
One thing I hated about windows is that all programs connect to the internet to "contact the homepage and do something". ALL OF THEM.
If you run a scanner to see which programs are sending packets to the net, you'll see most of them and some others with strange names like zxwdll.exe, msblaster.exe, foozap.exe, etc. Call me paranoid but how do I know they don't send my private data to CIA? Huh? How do I know that?
Hell.
In linux, the only program that sends packets to the net, is mozilla. And only if I tell it to.
Secondly, in windows you're always executing programs you download. Virtual girls that strip on the desktop, pirated versions of partition magic, upgraders, javascripts, asps, NET, auto updates, trojans, etc. And all this as root (yourself in your single-user home system).
In linux, you seldom do. Because there is no piracy, because there is the source, and definitely even if you do, you won't do so as root.
So it's a completely different mentality when working in linux.
Linux is multiple magnitudes more spyware-safe than windows.
Tells a rather different story, doesn't it?
Comparing Linux security to Windows security is like comparing the Detroit Lions and Cincinnati Bengals football teams.
Not that I really like Microsoft all that much but I have to say I agree. I have one PII running Windows 2000 and the only time it reboots is when I tell it to (oops... can't forget the reboot for the weekly Microsoft security patch). It's not a super machine by any means but it's set up mostly for my wife who installs god-knows-what and for myself when I break my Linux box (being still quite a newb, that's pretty often).
Prozac makes the voices in my head say nice things to me.
Every zealot in the world needs to get this: there is no *right* OS for everyone to run. Not Windows, not Linux, not BSD, not OSX, etc.
The *right* OS is the one that you feel comfortable with, and which meets your immediate needs. You might even do well by running several (at home I dual boot my game machine depending on what I want to play: EverQuest or BZFlag).
What's more: diversity is very important to resisting any kind of infection, viral or otherwise. If the net were an even mix of Linux, Windows, BSD and OSX, we would benefit from the competition, different security measures, etc.
That being said, Linux already has a great deal of diversity internally, so a virus or worm that wanted to infect Linux systems would have a hard time covering all of its bases. A Debian system would be hard to penetrate if your worm was written for Red Hat or vice versa. It's not impossible to write a cross-Linux worm, but hard. Then you have to deal with differing shells, various degrees of stack protection, radically different end-user software, major revisions being more common and thus software incompatibilities even between multiple hosts running the same vendor's OS, etc.
When will you people understand?
BSD is dying!
And it has been for a long time. So stop y'r yapping, you fan boys.
Stupid necrofiles...
Ok, you're either lying or you're the typical winders user. I run a wintendo at home because I still like playing Broodwar with a friend after work. I update my system since I'm on a wireless Univ system. I have to reboot every time I update which is usually once a week.
Now, at work I use linux. When I update, I may have to restart a service. I only have to reboot when I upgrade my kernel and even then I can do it at my convenience.
Don't mean to sound like an arse, but people that like linux have used windows. Windows users rag on linux because they once saw dos running and think that linux is just dos with a GUI.
When I call you the "typical winders user", I simply mean that you're not security conscious and never update. Even the holier-than-thou linux zealots will admit (maybe) that there's as many if not more patches for RH/Mandrake/Deb/etc than windows. The diff is that we pay attention and install them (this is probably because patches very very rarely break things or cause your system to become unstable/slow).
After re-reading my post maybe "lying" was too harsh...then again, maybe not.
---
--- Just say no to negativity.
As to your last point, there is one reason viruses like those mentioned won't work on Linux: Microsoft software doesn't run on Linux. ;-)
I'm no Linux fan (I use OS X), but this number could be a bit misleading. Just because a web site is cracked does not mean the computer is less secure. It also is not comparing apples to apples, because cracking a web site could be as easy as finding the dumb-ass password ... some people actually set it to things like "password" or "12345", etc. That's not insecurity based on the OS, that's user error.
They are comparing cracked sites with the theory that the system itself is insecure and vulnerable... to WHAT exactly? Viruses? Well, again, given a proper password and basic security precautions, Linux rarely (if ever) will use the built in software to take over not only YOUR system, but OTHER PEOPLE'S systems. In the Wintel world, this is the norm. Why on Earth do people use Windows? Aside from it running some proprietary app you have in house I can't see a single reason...
"Politicians find new names for institutions which under old names have become odious to the people."
That's silly, Pinky. The KGB doesn't exist anymore.
Sounds like waffle. As he says elsewhere all big systems are built from modules. Reliance on more interconnected components has never made systems more reliable than those with less dependencies. It isn't impossible to make big complex systems reliable, just very difficult, ask Boeing.
Reliability is usually top of the list of desirable security attributes.
I think there is a case to be made for saying that NT based systems can more easily be deployed with more advanced security features than Linux. However that difference is quite small (check boxes and wizards versus some pretty fiddly configuration files - whether the Microsoft checkboxes actually do what they say, and what happens when they don't is another issue), and doesn't apply to Internet connected systems.
The main reason I suspect is market forces, people who demand serious security in their systems rightly or wrongly usually buy certified systems and until recently Linux lacked suitable certification.
This led to the bizarre situation where certain military customers could buy Windows 98 because it was certified to the lowest possible security classification ("We know it is junk"), but couldn't run a Linux or other "free" Unix distribution, even if it had all sorts of fancy stack protection and other features compiled in, because the companies who built these hardened systems couldn't come up with the money to pay for certification. Even though the boxes were regularly proving themselves superior to market leading security products on the Internet day in, day out.
Free software allowed more security to be done, but the market structures prevented it being deployed. Now we see the commercial entities behind Linux getting bigger, and richer, these problems are disappearing.
Most "out of the box" Linux distros include no significant structural advantages over NT on the security front, other than less services installed by default. Linux also typically ships without features like ACL enabled, and less tools for manipulating them. But heck how many times have you seen Windows Administrators choose "Everyone, all rights, recursively....". You can drive any car badly.
I'm out of touch with the security products in Linux, but I think distros like Trustix, and some BSD derived OSes include some basic security enhancements that will actually make a difference to security. Most of these enhancements aren't rocket science, and cost in performance, but 99% of computer buyers don't need to buy based on performance any more, reliability is a bigger issue.
Next time you choose an OS, make security more of an issue.
35 days? What did I do with that copy of the dcom exploit code ...
Sun Microsystems? :)
... they at the very least issued a press release, and may well have contented themselves with that).
No. They bought it very quietly, and kept the fact that they did so very close to their chest for quite some time.
Microsoft, in contrast, held a news conference. (slightly tongue in cheek)
Sun Microsystems and Microsoft are the two backers of the SCO FUD and Fraud, but Sun was considerably quieter about the fact than Microsoft was. Not quiet enough, probably, as that little stunt may well push their business further into the toilet as well, whereas Microsoft will likely come out of it relatively unscathed, at least until we have an administration in Washington interested in upholding the law again.
The Future of Human Evolution: Autonomy
it doesn't take a team of programmers over a year to clean up simple documented security holes in their program logic; let's try to anywhere from 1 hour to 3 weeks. the problem is at the project tasking level. those that task determine what is most important. programmers and q.a. types are TOLD what to do; and to their credit, they do.
I have no idea why you linux fanatics all say that windows crashes constantly. I'm sorry but that is a flat out lie. Yes, Windows 95/98/ME is not that stable. However, W2K+, with its multiple layers, is at least as stable as a solid Linux install. To listen to Linux freaks, you would think W2K bluescreens if you breathe on it the wrong way.
If an application crashes on W2K/XP, the OS does not go down. The process ends and no harm done. A hardware failure/device driver problem will crash the system, but that is true for linux as well. We have over 200 xSeries servers here. All running W2K S or AS. There are hundreds of applications running across these servers, and I can count the number of times I've seen a bluescreen, not caused by a hardware failure, on one hand.
A lot of you really need to get a grip on reality. Sure Windows isn't perfect but Linux is not any better imo. The only reason there isn't large scale Linux virii incidents is that nobody would bother writing a virus that would only hurt such a tiny percentage of end users.
To the funniest clip ever!
http://www.wiredvideo.com/clips/av/applegamer.w
Remember when slashdot posted a few links to sites selling the famous swingline stapler?
Well, it turned out that in the spot where you entered how much you wanted of each color, you could type in negative numbers as well - I got all the way to the page that asked me to enter my credit card number for 100 red swinglines and -100 black ones for the cost of shipping. I didn't actually go ahead and place the order, but I wonder if it wouldn't have gone through...
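The negative-quantity flaw described in the comment above comes from pricing whatever the order form submits. The following is an added example, not part of the original thread and not the store's code, that puts that behaviour beside server-side validation; the catalogue, prices and `MAX_QTY` are constructed for illustration.

```python
from decimal import Decimal

# Constructed catalogue for this example; names and prices are assumptions.
PRICES = {"red": Decimal("19.99"), "black": Decimal("19.99")}
SHIPPING = Decimal("7.50")
MAX_QTY = 500  # hypothetical per-line ceiling


def naive_total(form):
    """The flaw described above: any integer in the quantity box is priced."""
    return sum(PRICES[item] * int(qty) for item, qty in form.items()) + SHIPPING


def price_order(form):
    """Validate every line on the server; return (total, errors).

    `form` maps item name -> raw quantity string as submitted by the browser.
    All problems are collected so they can be reported in a single pass.
    """
    errors = []
    subtotal = Decimal("0")
    lines = 0
    for item, raw in form.items():
        if item not in PRICES:
            errors.append(f"{item}: unknown item")
            continue
        raw = raw.strip()
        # ASCII digits only, bounded length: rejects "-100", "+5", "1e3", "".
        if not (raw.isascii() and raw.isdigit() and len(raw) <= 6):
            errors.append(f"{item}: quantity must be a whole number, got {raw!r}")
            continue
        qty = int(raw)
        if qty == 0:
            continue  # an untouched box is not an order line
        if qty > MAX_QTY:
            errors.append(f"{item}: quantity {qty} exceeds limit {MAX_QTY}")
            continue
        subtotal += PRICES[item] * qty
        lines += 1
    if not errors and lines == 0:
        errors.append("order is empty")
    if errors:
        return None, errors
    return subtotal + SHIPPING, []


if __name__ == "__main__":
    submitted = {"red": "100", "black": "-100"}  # constructed form input
    print("naive total:    ", naive_total(submitted))
    print("validated order:", price_order(submitted))
```
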
There is no real reason to believe that the Linux loving script kiddie community is any more or less 'systems-savvy' than a competent Windows admin. Just more malicious in how they choose to apply their skills.
Windows is attacked because it is what's there. Linux isn't there. Linux has not reached critical mass, certainly not the way that Windows has. Imagine the world that most /.ers dream of. Windows is dead and Linux rules the desktop and server. What do you think will be happening then? What if Linux actually were to become the 900lbs gorilla of the IT world? I'll tell you. You can expect Anti-Linux zealots to dedicate themselves and their resources to attacking it, and all the security shortcomings that are not heavily publicized now (because right now no one knows or cares other than the zealots that are trying to promote Linux, do you think they'll be forthright?) will creep to the surface. And Linux will be exposed for what it is, just another OS choice. No different than Windows, Netware, OS/2, or BeOS. People are delusional if they honestly believe that Linux is somehow inherently immune to malicious attacks. Changing the OS of choice will never be a substitute for the single largest rarity in the IT world, quality system administration.
Another possibility as to why so many Linux systems are exploited is due to the quickly increasing user base migrating from windows without the knowledge base required to secure a Linux system connected to the web. I work with a bunch of windows guys who have recently made a visit to the "darkside" (their description not mine...) and after installing redhat and clicking through the menus they are content to forget it's there connected via ATM network and let it sit unpatched and with a default config. On a network with no security I might add!!! Second... If you wanted to do the most damage with a virus my guess would be you would write the virus for a platform that had the widest user base as well as the largest unskilled user base. Enter MS Windows (Fill in the version).
Most of the culprits out there are earlier Windows machines pre W2K. If you think about it, none of those OS's were designed to be hooked up to the internet or even a lan for that matter. It's all money driven.
Remember when Gates thought the internet wasn't going to be anything and then suddenly IE came out. A trend was set and MS adapted to it and put its iron fist down. Now they realize in order to sell more licenses of their latest version of 0's and 1's, they need to make it more secure especially for businesses which are looking at alternatives.
They are taking a step in the right direction by putting a firewall in their new OS and turning off unneeded services. I just wish they weren't 3 Years behind the *NIX community when it comes to security features installed by default.
If I'm going to put a box out in the open, there is no way I am going to put a Windows box out there for the taking, I simply don't have the time to take care of the damn thing 24/7.
Dude, you have to be smoking crack. 61%? My ass...I even went thru the archives. I can only find a handful of Linux machines. Go back to jerkin' off
Let's set the record straight.
Microsoft became the dominant desktop OS because they provided choice to the consumer. First, the consumer could choose what hardware to buy (motherboard, memory, chassis, soundcard, video, etc). Second, the consumer could choose where to buy their hardware (HP, Compaq, Dell, Joe's PC shack, etc). Third, the consumer could choose from a wide range of applications provided by third parties (games, development tools, office suites, etc). Finally, the consumer could choose to upgrade their OS when MS came out with a new one.
Contrast this with Apple, MS's original competition. Apple made the consumer buy a fixed set of hardware from only them. Apple also used to be the #1 provider of software for their users (now it's MS). Apple has a long history of making their OS upgrades incompatible with the systems they sold in the past. Finally, Apple marks their systems up by an astonishing amount (the original Mac was marked up 100%, 50% pure profit).
All of these things are still true today. Sure, if you want to buy a PC from Dell (HP, Gateway, Joe's PC Shack) they may charge you for an MS OS, but isn't that more Dell's (HP's, Gateway's, Joe's PC Shack's) fault? Is it not also your fault for not just buying the parts and putting together your own machine? People talking about how superior they are technically and then bitching about some preconfigured machine they bought is pretty funny when you think about it. Almost as funny as some Mac ho talking smack about the MS Tax.
P.S. OS2 failed because IBM did not support it. I owned a copy of OS2 and was supposed to get a free upgrade. An IBM support center burnt down and then they burnt all of the consumers who had shelled out for their beta release. I went from hardcore OS2 zealot to hardcore OS2 and IBM hater.
P.P.S. Want free software? There is just as much free software written for MS OSes as there is for Linux. Probably more, considering how long Windows and DOS have been around.
The parent is correct; what's worse is ms engineers gloat about the shit they shove in their kernel
http://insight.zdnet.co.uk/software/windows/0,39020478,2133899,00.htm
You pushed some of the IIS into the kernel, didn't you?
We have what we call a listener, an HTTP handler that we pushed into the kernel. We were looking at how to improve performance. Requests come in and go all the way through the networking and back into user mode where they're handed off. There is a huge amount of the web traffic that you can respond to very quickly without having to have a user mode. So there's HTTP.SYS, a driver that runs in kernel mode and responds in ways that are very well understood, with some parsing and quite a bit of caching, and it handles sessions and it's a huge performance win.
It's not necessarily a matter of Windows Vs. Linux. It's a matter of open-source mentality Vs. closed-source mentality. Open-source software evolves, naturally. Closed-source software only evolves when the keepers of the code are forced to improve it, and usually only if they stand to receive some money for their work.
It's very hard to beat mother nature. Try developing AI software that's smarter all-around than an average five year-old child. It's similarly more difficult to harden your OS's security holes in a sterile lab, Vs. letting the planet full of open-source savages hammer away at your sourcecode and then considering their suggestions for improvement.
For instance, RPC has been enabled for use from the internet since Windows NT, and it's been a problem since Windows NT. It remained a problem through NT, windows 2000, and windows XP. It was no secret that:
- c$ shares open to the internet were a problem
- many many boxes had username=Administrator, password=blank
- guest accounts were enabled by default
- psexec and psreboot were freely available
Was anything done by MS to fix this problem? No. Why not? Was it because they're evil and should be equated to the borg? No. It's because MS is profit-motivated, and their bottom line wasn't negatively affected by leaving these problems unaddressed. Their customers would surely have benefited by a fixed OS, but that's not the driving force for a company such as MS.
When the OpenSSH exploit was identified as a problem, it was immediately fixed. Practically ALL the linux distros made the patched version of OpenSSH available immediately, and all subsequent versions of their distros had the patched OpenSSH. Was it fixed because we Showed the Money to the owners of the OpenSSH sourcecode? No. It wasn't an issue. Mother nature dictated that it was time for OpenSSH to evolve, so it improved or it died.
Those that don't look at these issues as matters of principle deserve what they get. Those that continue to ignorantly use closed-source and proprietary-file-format OSs and software, placing all their sensitive accounting and other business data into closed-source developer's hands, have no one to blame but themselves.
I'm not saying that everyone should train themselves to be a ninja programmer and write their own software. Business owners need to hire intelligent IT staff, and treat that aspect of their business with the respect that it deserves.
The IT decisions (apache Vs. IIS, outlook Vs. ANYTHING_ELSE, exchange Vs. IMAP, Windows Vs. Linux, MS OFFice Vs. OpenOffice) should get the same attention as accounting decisions, legal decisions, and HR decisions. That's not usually the case though. If the business owners don't know the right answers, they should hire at least one or two seasoned IT veterans to advise. Many of these unpatched business computers are the result of sloppy hiring at the upper IT level. If competent people manned the upper IT positions, better firewalls would be established, PCs would be patched, and possibly there'd be a little bit less closed-source, closed-file-format, proprietary software and OSs in use.
OK, I ALWAYS choose the "allow customization" option, and usually recommend my friends do the same. In this case, my friend was setting up dual-boot with Windows, and did not want RH to remove the Windows partition. I believe that requires DiskDruid (please correct me if I am wrong).
The DiskDruid interface has SWAP under type of partition AFTER you have picked which partition you are setting up. Then when you click OK, it complains that SWAP is not valid for /boot. Why doesn't the interface make it clear that SWAP needs to be its own partition? And if you try to continue without making a SWAP, it complains, even though SWAP is not on the list of partitions that need to be created. [I understand all this, but the interface is confusing.]
The current pull-down selection system, with options that do not match, and dialog boxes warning what is wrong, is awful. It does not help that every other line is "Free Space 1K". And that the dialog box to add new partitions hides the list of current partitions, so you have to remember if you already specified /boot.
The interface I would design would:
- list all the partitions, current and all possible.
- with a checkbox next to the ones that are optional (including all current partitions)
- with a text box for the size to be created (with default recommendations),
- with the minimum size displayed,
- with the recommended size displayed (based on current free space minus mandatory free space). Yes, this is repeating what is in the text box, but it is better than using a RESET button when you realize you made a mistake. (A "SET ALL TO RECOMMENDED" button would not hurt, but the info is more important than the button.)
- option to make recommendation while leaving specified amount of free space.
An alternate would be to allow removal of existing partitions before the create partition screen. Then the create partition screen knows exactly how much space can be allocated.
To make it easier for newbies, place a definition of each partition under its name:
\boot REQUIRED [100MB] Minimum 100MB Recommended 100MB
(The Linux kernel files required to boot the computer.)
Can someone send this to RH and the DiskDruid maintainers?
---
Personal philosophy:
Pop-up dialog boxes usually imply a poor UI. Write everything so it will work in a web browser. Pop-ups can be used for alerts where the current action must be stopped, but even that can usually be accomplished by reloading the same page with all of the errors/required actions at the top. [Note the ALL in the last statement. Having a form suggest filling in one required field per submit attempt is just annoying.]
I spend my life entertaining my brain.
The same issue was brought up several months ago because Linux had a higher number of security postings last year than Windows... But the same argument still rang true then: It's not the number of vulnerabilities that really matter, but the net effect (value) of them. The design of Linux is another differentiator, having been built with security in as well as the openness. The speed and relative breakage when "fixed" is also a key where Linux tends to shine.
No, we are not invincible. Security is still a process for us just as anyone else.
- I am anti-MS because I am tired of rebooting
I've had my XP Home box for about two years and I have never crashed.
I've got zero downtime, assuming thunderstorm-induced power outages don't count.
Granted, it's not your run-of-the-mill Dell/Gateway machine, but it IS pretty standard hardware on WindowsXP.
No crashes, no bluescreens (does that still exist?), no problems at all.
I'm not an MS fan, but with XP, they finally got things stable enough that I don't curse them daily. Or even monthly. It's become a dependable utility instead of an annoying novelty.
The point is for new users installing on stock, default hardware. Where exactly did you buy a system less than 5 years old with a 1.6GB HDD?
I do not fail; I succeed at finding out what does not work.
You're talking as if there is some actual bug that allows this (which obviously you do). So what is that bug? Of course, if you know about it, it's been patched by now. Note that "guessing that password" is not considered an exploit for the purposes of this post.
Seriously, though, the point is that bugs can be fixed once they're discovered. NT does not have any such bugs that cannot be fixed once they're known. The problem with Unix is that SUID is not a bug that can be fixed -- it's a "feature".
In the NT security model, there is no method for gaining access to another account's privileges without their authority. Even an administrative account can't run a program as a regular user without the user's password/token/ticket. In the Unix model, SUID is required in order to run necessary parts of the system, such as login and su (even mkdir, once).
aQazaQa
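The comment above treats SUID as a design feature of Unix rather than a patchable bug; administrators typically handle it by keeping the set of set-id files small and reviewed. The following is an added example, not part of the original thread, of such an inventory check; the baseline and the sample records are constructed, and `BASELINE` is a hypothetical reviewed list.

```python
import os
import stat

# Hypothetical baseline: set-id files an administrator has already reviewed.
BASELINE = {"/usr/bin/su", "/usr/bin/passwd", "/bin/login"}

# Constructed sample records (path, st_mode, st_uid) so the audit runs offline.
SAMPLE = [
    ("/usr/bin/su", 0o104755, 0),                   # reviewed, sane mode
    ("/usr/local/bin/backup-helper", 0o104755, 0),  # SUID root, never reviewed
    ("/usr/bin/passwd", 0o104757, 0),               # reviewed but world-writable
    ("/usr/bin/wall", 0o102755, 0),                 # SGID, never reviewed
    ("/usr/bin/ls", 0o100755, 0),                   # no set-id bit: ignored
]


def setid_kind(mode):
    """Return 'suid', 'sgid', 'suid+sgid', or None for anything else."""
    if not stat.S_ISREG(mode):
        return None
    bits = []
    if mode & stat.S_ISUID:
        bits.append("suid")
    if mode & stat.S_ISGID:
        bits.append("sgid")
    return "+".join(bits) or None


def scan(root):
    """Walk `root` without following symlinks; yield set-id file records."""
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            if setid_kind(st.st_mode):
                yield path, st.st_mode, st.st_uid


def audit(records, baseline):
    """Return (path, kind, runs_as_root, reasons) for records needing review."""
    findings = []
    for path, mode, uid in records:
        kind = setid_kind(mode)
        if kind is None:
            continue
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((path, kind, uid == 0, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, BASELINE):
        print(finding)
    # On a real host: audit(scan("/usr"), BASELINE)
```
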
i could post a screenshot of my network connection status dialog if you like... i hope you don't think i'd waste time doctoring that - this really doesn't mean enough to me to go to all that effort. if you still think me a liar... well, that's your opinion
regarding security... i do install patches whenever the little icon thing in the system tray tells me to... now that you mention it, i haven't seen that thing in a while... i guess i'll manually check for updates tomorrow when i get back to work. the IT dept at work is highly jacked up when it comes to isolating our internal network from the outside world, so i have some protection from them. i know that's no reason not to update my own machine, and, like i said before, i always do whenever i see the icon... it seems that the icon's on vacation at the moment, so i'll call it up manually tomorrow.
Why don't you check the servers that were hacked on that site first, their report sux!
headers say it's UNIX not Linux!
So where's the patch?
Most servers were in .de etc what's up with that?
Any teenager seeking self-approvement in Linux world can do something more useful than virus - fix, or at least report bug in some popular package and receive kind response from developer, start kewl project on sf.net which can either grow into something useful when our teenager grows into adult, or just be forgotten few weeks later, etc, etc.
In commercial software world, it is much harder to prove oneself in constructive way. So people try to prove themselves in destructive way.
Anon,
Thanks for observing the obvious, I think?
Vivid hallucinations that would induce an altered-state of consciousness allowing a perception of reality different from my own or yours, there would be no inconsistencies for the observer of the reality, and no room for skepticism of their/our belief of the reality.
Therefore, for us all including me and you, "Reality is a self-induced hallucination." PLEASE (as I do), always consider that the other perspective/perception is not a threat and may have validity for our own reality.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
...that's why they take the criminal route instead of working to earn what they want. Oddly enough, I've seen crims do more work to steal things than it would take to earn them, and that's not counting the risk. Maybe they're just nuts? (-:
Got time? Spend some of it coding or testing
If you call what The SCO Group and Microsoft do "competing", then be sure that someone will stand you against a wall when the revolution comes - any revolution. Loonies are dangerous.
Got time? Spend some of it coding or testing
Being a switch-hitter on administration and C/C++ programming - give me the respective compiler and enough time, and I can code for Un*x AND the NT line - I feel qualified to add my $0.02.
I once did technical support for a clientele in which most, if not all, of the callers possessed bachelors' degrees. I once suggested a client "whip out an XTerm and PING us" when our software seemed to misfire on the WABI emulator. I believed that a user had to apply more thought to the matter of using any given Un*x than to the versions of Windows then (1996) floating around.
More often than not, however, I found myself in situations where the caller showed a lack of general computer knowledge. Sometimes it was a question of training: in a botched attempt at self-preservation, someone presented computer use as more difficult than it actually is. This, naturally, cut into the users' ability to do their jobs, and therefore damaged the client firms' bottom lines.
In other cases, it was a question of the individual user's cognitive ability. Sometimes, I got lucky, and dealt with someone who was open to learning how their machinery worked. Other times - hooboy! - the caller barely had any concept of an operating system/shell, a modem, or their ISP. Then there's the failure to "check for reasonableness" regarding strange email (subject line sounds nothing like the alleged sender, has no context, attachment easily recognized as an executable) - which still plagues the computing world to this day.
To the above, add cheesy equipment, such as dial-up Internet connections in firms with the resources for a dedicated high-capacity line, sneakernet file transfers, and network administrators who know little more than TCP port 80. The result, to an old-school mind like mine, is one or more IT disaster areas.
Such can be the case in any computing environment. It ultimately boils down to the human factor. If you've got a bunch of PHBs-in-training, you're eventually going down like RMS Titanic. If your people have IQs in the triple digits, you'll at least stay afloat, and possibly torpedo your marketplace opponent(s).