Is Linux as Secure as We'd Like to Think?
man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
First, the user base for Linux is inherently more systems-savvy and internet-knowledgeable than the Windows user base: it comes back to the old Linux-on-the-desktop argument. As long as you've got less systems-savvy users on a particular operating system, it will be more vulnerable to attack. As a result, people with more tech knowledge tend to also run a more secure system - just like my lawyer friends know not to let the cops search your car.
Anti-establishment psychology also comes into play: for example, you don't see anti-business graffiti on your local coffee shop, you see it at Starbucks. When people want to make a statement about animal cruelty and food, they often picket at McDonald's - not the local Mom & Pop restaurant. Why? Because it's perceived as cool to go after the big business. Writing a Linux virus isn't nearly as cool as taking down Microsoft. The recent viruses attacked Windows Update for a reason: to make a statement. Calling Linux secure because people love DDOS'ing Microsoft is faulty logic.
What's your damage, Heather?
I think website defacement and Linux security are 2 different issues altogether. From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of the operating system or the web server for that matter. It was only a security hole in one php script. This security hole was identified and patched rather quickly but I failed to apply the patch in a timely manner. But the rest of my websites were fine along with the rest of the services running on that box.
My opinion is that there are a lot of free / cheap web hosts out there running OSS and a lot of people publishing web pages and message boards using scripts that someone else wrote and not updating them.
I would like to see a comparison of the types of web pages that were defaced and what was actually done; I bet most of them had nothing to do with the operating system the website was running on.
"A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
A system is only as secure as its most insecure user / service.
I think we are correct in saying that Linux is more secure than Windows. When we are talking about just the operating system, then we can safely say that it is more secure.
Of course as we add applications to any system that system becomes more vulnerable.
It's just that Windows starts off vulnerable and gets worse as we add more apps (i.e., Web server, ftp server, etc.).
Does this take into account the # of Linux servers vs. Windows servers? If there are significantly fewer Windows servers, then this isn't all that significant. If there are fewer Windows servers, but just as many break-ins as Linux, then Windows is still more insecure despite the fact that they have the same number. They have more per machine. I hope that made sense =)
The only real way to secure a computer is to pull the power plug out of the wall. If you spend time maintaining your computer, keeping it up to date, and you know what you are doing, there is little chance that you will have major problems. Anybody who puts a Linux system on their network and doesn't update it is likely to have their system exploited.
Got Extra Money?
Email viruses like Sobig are aimed at desktop users. Since most of the desktop users run Windows, it makes sense that most of the viruses would be targeted at them and not Linux users.
Download my free songs!
Species of Windows Programmer: Human
Species of Linux Programmer : Human
Chances of human error making it into the code: Equal
Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?
Absolutely not! These are not viruses that exploit bugs in code. These are socially engineered programs designed to get the user to run them.
You can't make the argument that the "average intelligence of the linux user" is higher than joe-sixpack's because if we are talking about linux-in-the-mainstream, then the "average linux user" will be joe-sixpack! Also, you probably can't talk about the fact that it isn't as mind-numbingly easy to run a script in linux as it is in windows, since those arguments contribute to why linux isn't mainstream in the first place!
Or your admin makes it.
I used to run an old distro (RH 5.1) for the longest time (it had everything I needed) and it was full of security holes after doing the install. But disable some services, update some packages and presto - you're ok to go.
It's the same thing with Windows - check out the services turned on by default after installing Win 2k. Half of them will never be used by a home user.
So patch your box, remove unnecessary services and you should be alright. If you know what you're doing, you'll be ok.
When I say that Linux is more secure than Windows, I see it on many levels.
For an end user it's obvious since in Windows you are always the admin (even in WinXP where you can finally really change the power of the user, a lot of shit doesn't work right unless you are the admin). This basic security difference is HUGE.
Then there is the whole open source vs closed source security. I truly believe in that. It only makes sense that it is going to be more secure in the long term. This doesn't mean exploits don't exist - it's just I'm prone to believe that there is someone using an unknown Windows exploit as we speak to do something bad and it might be YEARS before that one is ever found (history backs me up on this one) but yet if there is something as blatant as the RPC exploit in OSS, we tend to see fixes rather quickly (again history backs me up here).
Don't confuse the idea of inherent security with stupid users and sysadmins or even part-time sysadmins that aren't paid enough / don't work enough hours to keep a handful of servers updated across town.
The ultimate network admin tool needs HELP!
Linux is less vulnerable because there are fewer identically configured machines on the internet.
:)
One of the things about Windows is that there are so many copies out there that are all configured the exact same way, if a flaw is found in anything you have an instant worm possibility.
With Linux there are so many distributions, each with their own initial configurations and setup types that a worm would be hard pressed to find a common exploit.
Not that the internet hasn't been shut down by a UNIX worm in the past, that is...
I do contract work. A HUGE bulk of it lately has been doing security audits on companies running old redhat, old plesk, or both that have been hacked by shit Brazilian hacker groups like "Hidden Wrestle" and "Securinos". They hang out on irc.brasnet.org all day looking for webhosts using old plesk and old redhat. It's an awesome excuse to migrate people to FreeBSD and webmin. I've done quite a lot of that lately. They freak when they see the cost of the latest plesk and enterprise redhat. It makes selling them on FreeBSD and webmin/horde/squirrelmail/usermin/virtualmin/etc. very easy. So as long as people insist on installing 2 year old redhat and plesk 2.5 and never updating it, I'll have plenty of work removing eggdrop and psybnc from machines, and migrating people to FreeBSD. I'm starting to look at BMW's again.
For every annoying gentoo user, there are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
A careless admin running Linux is just as insecure as a careless admin running windows. I've seen the practices put in place by many hosting companies running Linux, and if they could be doing one thing better, it's security. For a careless admin, the only real advantage of using Linux and other OSS is price, and the fact that the openness gives them an edge over closed source software in bug hunting/vuln finding. Also, the Linux defacement number could be inflated, as a higher percentage of hosting companies may be running Linux, and attackers may target Linux over windows.
The OS is only as secure as the user. If a lame Linux user does everything as root, he's going to be more vulnerable than someone using Windows 2000 with a firewall. If a lame Windows administrator doesn't have a decent firewall and keeps all kinds of ports open, he's going to get hit too. It's about users knowing what they are using. But I have to say that a default Windows installation does appear to be less secure than most default Linux installations.
An unmaintained system is almost always more vulnerable than a maintained system, no matter what they are. Also, I don't know how secure you'd like to think GNU/Linux distributions are - they're made by humans who make mistakes.
But the recent attacks certainly give evidence for the Linux crowd. XP comes with multiple open ports by default, by default doesn't enable a firewall, and its mail reader by default runs arbitrary programs sent by attackers when clicked. Typical Linux distributions have no open ports by default, use a firewall, and don't stupidly trust attackers to send them "nice" programs when clicked.
The notion that Linux systems are immune is fundamentally wrong. Linux systems do make design choices that make them rather resistant. But it's all more complicated than "X is always more secure".
- David A. Wheeler (see my Secure Programming HOWTO)
Hey, if I told you that one in every two Ferrari F-40's explode for no reason, but only 1 in every 1000 Honda Civics explode for no reason, which explosions are going to be more noticed? Obviously Honda, as there are more of them on the road... so...
Linux may or may not be as bad for security, but when Windows gets exploited, it's felt... and it's felt HUGE!
---
Programming is like sex... Make one mistake and support it the rest of your life.
BTW, if your system is compromised, compiling may not help.
Reflections on Trusting Trust, Ken Thompson
Both Linux and Windows must first be properly patched and locked down; the differences between the two are:
1. Linux's security model, when properly used, makes it harder for an intruder to go from "foot in the door" to "root access."
2. In the case of Linux, you won't have a whole new set of remote root exploits that need patching 6 hours later.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
Linux itself, and any OS can be very secure, in the hands of a competent admin. It's when you get a moron in command that the integrity of the system goes down the pooper. Even OpenBSD can get owned if a moron is running the show.
And remember: Website defacements are often a level above owning the actual server, PHP Nuke has an awful track record, with new holes found all the time, and other site management software is vulnerable as well. Cross-site scripting, CGI exploits may allow a level of access to a site, or even compromise a user-level account, but in the hands of a skilled admin, this is nothing compared to a fully successful root exploit, and can be dealt with.
And of course, no matter how good you are, if you allow remote root ssh connections, and your password is "demiguru" for every account you have anywhere, well then, you're just a dumbass. Yeah Nick, I am talking about you.
--Nuintari
slashdot : where an opinion can be wrong.
Hmmm for today's defacements, I see there have been 16. I also see that they have all taken place on Win2000 servers. Also, while viewing these stats, I saw a banner-ad at the top of the page for Zone-H that says Windows is the most insecure OS and that 51% of defacements are performed on Windows servers.
I say Linux is *overall* more secure than Windows. Not because of the number of exploits, but the *attitude*.
Let's face it: nothing is 100% secure. As long as software is made by humans, there *will* be security vulnerabilities.
So, what matters is how you deal with bugs and vulnerability. The open source community is much better at this than Microsoft. Security patches are often released in a few days *and* peer reviewed. Those patches break a lot less things than MS patches because they're peer reviewed.
Also, no Linux email client supports automatic execution of executable code. This already eliminates most of the viruses today that are made by script kiddies. And you have to manually save the attachment to disk and add the execute bit. This is a lot of work for Joe Average.
Of course it's still possible to get a virus, but the point is that the overall chance is lower.
So yes, I'd say Linux and open source is overall more secure than Microsoft. Security is not measured by the number of exploits alone!
Kernel? Applications?
All operating systems are insecure by nature. Windows, Linux, Unix... ad nauseum. What makes Linux appear to be a more secure OS is that there are not nearly as many Linux hosts as Windows on the net and the technical abilities of Linux users are remarkably higher than your average Windows user and AOL subscriber.
Does anyone remember Redhat 6? How many people got rooted via SunRPC?
I really like linux... I run Debian unstable with:
hermes:~$ uname -a
Linux hermes 2.6.0-test4 #0 Mon Aug 25 15:25:10 CDT 2003 i686 GNU/Linux
File permissions don't mean a damn when you've got root.
But if Dell shipped 95% Red Hat boxen, you'd see a lot more Linux worms show up. Maybe not as many as Windows, but still...
Schnapple
It really is the COMBINATION of factors:
* number one reason is probably that most user desktops are windows;
* an average linux user is a lot more technically savvy than an average windows user, and is much more likely to understand the importance of applying patches [my non-technically oriented friends ALWAYS IGNORE those "updates are ready for installation" messages];
* as a lot of posters have mentioned, Linux systems can be made more secure (open source, security-minded design, ...) -- if you know how;
* I'd guess people who create these things might use MS hatred as an excuse;
* there is greater diversity among linux software, whereas most people use outlook/msie on windows; (maybe to a lesser extent,) same is true for OS versions; this makes it easier to target MS.
* (Probably more that can be added here.)
US Democracy:The best person for the job (among These pre-selected choices...)
For instance, they don't think having to type in a password to run Setup.exe is even remotely reasonable. Their view of the computer is: "if I want to do something with my machine, I should be able to just do it. Don't put anything in my way." And if they were forced to take precautions, their password would end up being something like 'a'. And a regular schedule of changing passwords? Forget it.
Another example, a little more relevant to this case: people want their email for sending dirty pictures, HTML joke pages, funny Flash or Shockwave animations, Active X games, etc. They'd be bored to tears if they had secure email. And they'd be pissed off at anybody who was responsible for it. Have any of you guys ever taken heat for banning popular but incredibly insecure software at your site? Or spyware.
And it's astounding how many supposedly intelligent people (programmers) who have you in their address books end up sending you virii because they were stupid enough to continue clicking on emails about 'Hot pics' or those 'Snow White and the Seven Dwarves' emails. Sheesh.
All this is not to say that Microsoft doesn't have some basic architectural issues--they do. But the unreasonable demands and silly behavior of many users more or less prevents them from changing any of it. And when they do change it, people ignore it for the sake of convenience. It's been possible to run as an unprivileged user for a long time with Windows. And it's not difficult to do. But guess how many people actually do that.
There was a story on kuro5hin a few months ago about this, where a guy figured out a way to enter his own price for a product on an electronics website and was ordering hardware for less than what the page said it cost. And got away with it. This kind of hole is scarily prevalent I've found, as a lot of backend developers are very lazy and inexperienced people.
I think this is what's meant by 'applications' security. The box itself may be locked down well, but it's taking advantage of the open services in ways the developers never intended.
-
"I love you" and "soBig" both happened because too many people are using Windows, not because Windows in itself is insecure.
Any homogenous system will always be vulnerable to these kinds of attacks.
The problem with any homogenous system (ecological, social or digital) - even if it might be very effective and streamlined when it works - when one of the units fails: all fails.
The key to building resistant systems, is making them heterogenous. Nature has figured that out millions of years ago. The key to securing a species survival is variance.
The same goes for computer systems. When 90 % of the computers are running Windows, Office, Outlook, viruses like ILoveYou and soBig have disastrous effects. (The fact that there are several versions of Windows, with different SPs installed, is making it a lot harder to write effective viruses).
My biggest fear is that Microsoft will end up with a subscription system, and automatic updates. This could lead to a totally homogenous computer park... it is bound to be disastrous.
The only way to know how many exploits and holes there are in Linux is to find them and fix them. (Fixing is important, as code changes at point X can impact the code at point Y. Thus, as one hole is closed, another could potentially be opened.)
To do this with every single hole in every component in a standard Linux install - in short, to produce an A1-compliant desktop OS, with all the capabilities you'd typically want - would be a financial and logistical nightmare. I did a quick back-of-the-envelope calculation on what you'd need in manpower, just to keep up with the rapid development of the software.
You're looking at a few million coders, and about the same number of Higher-Order Logic mathematicians. This translates to a cost of about a hundred billion dollars a year.
Now, you can argue that this is to get an exact evaluation of Linux, and to produce a completely secure implementation. To get a rough estimate only (no actual improvements, just the figures), you are still probably looking at ten to a hundred times the amount IBM spent on their certification.
Any estimates that anyone can reasonably afford are going to be impossibly inaccurate, and swayed by the mood of the day.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
So the first step is to get used to that idea.
Beyond that is an optimally configured Linux system more secure than an optimally secured Windows system?
Yes, I think so, that's one of the reasons I use Linux. But let me ask you this, how many optimally configured systems do you think there really are? For that matter how sure are you that your system is optimally configured? If you have to spend even a couple seconds thinking about that question think about the average bloke.
There's a social flaw in the system as well, which thus affects all systems no matter what operating system they're running.
To secure your home you call in an expert. A locksmith, perhaps an alarm systems expert as well. Virtually everybody does this. It's so ingrained that it's considered a no brainer. You'd have to be an idiot not to have proper locks on your doors and windows, right? If your security is ever breached (say someone steals your keys) you can't get to the phone fast enough to have the locksmith come over and change all the locks.
How often have you had a pro come over and check the "locks" on your OS? Do you even know anyone who can do this? Can you look one up in the Yellow Pages?
Why not?
If you are such an expert yourself how many systems have you, outside of your "job" bothered to secure for people? Are you too snippy and think that "lusers" just shouldn't be allowed to operate computers? Maybe you're a part of the problem. Help be the cure.
I've just given you an entrepreneurial niche on a silver platter. Why not take a nibble?
KFG
If Linux was based on a system developed 15 years ago it would have problems too. Linux is based on UNIX which has 25 years of learning and growth experience. While my choice of os is a *Nix, you gotta admit M$ drove lots of features onto the forefront of consumer computing, sadly they did it with horrendous coding discipline. Anytime you introduce that many new features, a LOT of holes and bugs will crop up. The real 'CRIME' is their lackadaisical approach to fixing them. I really think if/as the Linux user base spreads out, as soon as you begin to acquire the general (L)User community you will see the incident rate shoot up.
errr....umm...*whooosh* *whoosh* Is this thing on ?
Sure the OSS community releases fixes faster, but how quickly do they penetrate the userbase? I think Windows Update is a far superior platform for distributing fixes than currently exists in the Linux world, if only because not every Linux distribution offers such a powerful tool.
Now I realise that you can also be the unwitting recipient of functionality and licence changing updates through Windows Update, but as a technology I think it's way better than what is available in the OSS world right now.
Most people who can use Linux don't double-click first and look at the attachment later...
It has always struck me as disingenuous that Linux advocates claim Linux to be more secure than Windows. The common perception is that the entity "Linux" is inherently secure but the entity "Windows" constantly needs patching. This clearly isn't true, and it ignores the ongoing development cycle of *both* operating systems.
When a Linux advocate says "Linux is more secure than Windows" what they actually mean is: "When a flaw is discovered in Linux, someone fixes it quickly and a patch is released. It takes longer with Windows."
The quantity/severity of security flaws is not the issue. Both operating systems have security flaws and always will. The issue is the speed with which security flaws are fixed.
Don't fall into the trap of believing that Linux programmers are somehow "better" than Windows programmers, simply because the former are doing it for love and the latter work for Microsoft.
Similarly, don't forget that Linux is only secure because of it constantly being patched. This is exactly what people complain about with Windows!
Wanna hear something sad?? I have Unix developers who want root access because when they type 'find / malloc.c', it returns too many 'permission denied' messages. I tried to explain that if they tack '2>/dev/null' onto the end, the error messages would go away and they would still find their file.
Their response?? That's too much work.
It doesn't make any difference how tech-savvy someone is. Secure systems by their nature prevent access to features. If the perception is that it takes longer to get something done because of the security, people want security turned off.
That's part of the reason why M$ is so insecure, Bill Gate$ has made it too easy to use. My fiancee runs her XP laptop without any login, just turn it on and there you are. So much for security. I gave up trying to explain to her why she needs to login to use it. The standard answer is it takes too much time.
I guess getting to email and solitaire quickly are more important than making sure all the personal data she has on it is safe.
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
I realize at this point no one will probably see this but let's look at this issue closer. Linux is a kernel, not a distro or a program. This is a main point. Windows also is a kernel. The amount of exploits on the Windows kernel vs the amount of exploits on the Linux kernel is where we can claim that Linux is more secure. I use Linux every day but I must say I have more faith in an experienced NT admin than I do in someone starting out with redhat or any other distro.
Rather than flame on about this, that and everything, it would be nice if we could all work towards a common good. Linux facilitates such an idea more than Windows, which is why I use Linux.
-- botsex is {grep;touch;strip;unzip;head;mount}
The issue is that scads of IT shops consist of people who are skilled in applying some vendor's patches and security updates, but not in the underlying system(s) or network technologies. Whether that vendor is Microsoft or Red Hat, all the worker bees know how to do is install patches. And this patching and support is mainly what all the corps are paying for.
Think of it this way - using linux or bsd as an example, doesn't it make more sense to use a free one and employ admins and programmers who know how to build and support your network, and have *them* hire worker bees as needed? Why pay an external party for support when it might cost less to hire knowledgeable engineers in house and have them do the work? Or, if the admins are already savvy and are working hard even *though* you're paying for some vendor's support, then why pay for that support anyway? Just use a free opsys and do the same amount of work.
As long as IT shops are filled with patch-pushers, these issues will continue. With linux the chances of a massive worm or email virus outbreak would definitely be smaller, and bsd smaller still. But the opsys isn't the only problem. Corporate IT is its own problem.
Run your servers on openbsd - they'd love to be held accountable.
The heat from below can burn your eyes out
It is clearly the duty of the users to serve the computers. Users exist only for the computers' benefit.
And if whatever I want to happen takes longer than I'd like, it better be a damn pleasant experience along the way!
Spoon not. Fork, or fork not. There is no spoon.
I'm not so sure. There are lots of those savvy and knowledgeable people on Windows, just as there are lots of "k3wl, I'm so 1337 d00d, because I run Linux and not M$ Winblows" amateurs out there.
These same users are the ones who end up configuring their webserver with passwords such as "god" or "admin." A secure O/S is fine and dandy, but it doesn't help all that much against the same general stupidity that afflicts windows and linux users alike. How many servers are defaced because they're either very behind on security, or simply easy to get into?
Not only that, but we have a lot of people who don't know as much about security as we would like. I personally don't know as much as I'd like. How many admins who know how to configure httpd.conf for apache are good at plugging with iptables?
At work, any sensitive online-based sites are restricted to a certain port, and allowed only from local addresses. Yes, by IP-spoofing they could avoid that, but at least it's an extra level of security. How many people bother with this? A lot can be done at the firewalling level, before any attack even gets near your daemons...
Here's the important point: given any organism there's a virus that'll defeat it. So the strategy is to ensure that your offspring have variety.
Unfortunately what we have in the computing world is something of a monoculture. Everyone (OK, I exaggerate, but only slightly) runs Windows and everyone is at risk from the same viruses. And when those viruses hit everyone is taken out.
If people valued security, and chose an OS with a smaller user base as a strategy to deal with security, we'd have that variety and we'd all be much better off.
It's funny. When A says "I use Linux and don't get any viruses" and B responds "that's because so few people use Linux" B is failing to see that that's actually a perfectly good reason to choose Linux.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
Is that 61% a stat-lie?
If there are significantly more Apache websites compared to MS-Win websites on the internet, and the numerical coefficients of the variables used in the equations were not weighted appropriately, then a condition (of at least) co-variation was not taken into account ... the interpretation of 61% is in error.
Also, novice websites (Apache, MS-Win, ...) are frequently defaceable. I believe, due to the obvious (cost for a Linux+Apache+Skill+Daring) already stated by others, means that the most easily defaced website are in fact probably "Linux+Apache", but also the best most secure website because of the open-community+collaboration+... implies (for me) "Linux+Apache" makes the best websites for business and government.
So, I suspect stat-lie. However, I ain't done any major data crunching with FORTRAN and arrays in almost as many years as serious code.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
was written for Unix. I hope people don't forget that, but I doubt they will. The difference is most Unix people care about reliability and most people from the Microsoft camp relish viruses because the truth of the matter is tech support revenue is much greater than the cost of Windows.
That's simple: in GNU/Linux most of the things concerning security are done because they're needed. For example, some code can possibly be buggy, so a bunch of people/firms/institutions/whatever, before they start using this given software, make an audit of the code, and any possible holes are fixed etc. Most cracker attacks compromising Linux are related simply to people not installing patches, or to buggy, not-updated OS scripts running their websites etc. Windows also could be fixed but M$ won't fix it! Because they don't want to. Because this would break compatibility (which still tends to be more important to them than security issues) etc. I'm talking about those holes in MSOE, MSOffice that existed a long time and still aren't fixed etc. These holes/dangers are still there!!! The next thing is about updates. Windows is harder to maintain. Still nobody wants to install tons of single, so-called "patches" because they may make the system unusable (Yes! they may do that!) or it is just uncomfortable to install 100 patches. So people think "If it works - leave it as is... Till it works". Still M$ delays SP2 (so-called "cumulative patch") for Windows XP due to "unknown reasons" etc. - this is ridiculous! Vendors WANT cumulative patches so they can sell a system patched OOTB. So do users - users WANT cumulative patches so they can patch their system easily etc. M$ is talking bullshit about their Trustworthy Computing bla bla but these are just words - security means that you must drop some compatibility issues and user-friendly features in order to have a more secure system. For example, make Windows work nicely without running everything on a super-user "Administrator" account. PS. Sorry for my English - I'm not a native English speaker.
There are twice as many Apache sites as IIS sites, so one would expect to see twice as many Apache defacements if they were attacked equally often and defended equally well.
IRL, the Apache machines will more often be doing multiple duties (e.g. Internet gateway, email server), further skewing the results against themselves because there are simply more services to break into on those machines.
If I was a selfish, destructive little cracker, I'd be breaking into Linux boxes simply because they're more useful than a corresponding MS-Windows box once you 0\/\/|\|3rZ them. A lot more stuff will install off-the-shelf in scripted fashion, or already be installed.
Got time? Spend some of it coding or testing
So... exit Microsoft Corp, stage left; enter Linux Corp, stage right? Have I got the picture?
But Linux isn't a corporation; and Linus would happily agree that Linux isn't a person. It has, in its enemies' words, "no centre of gravity", no central bastion to attack. It has no war-chest, no lawyers, no production facilities. If it is distributed from France or Germany, it isn't because of some strategic global plan, it's just where the distributors happened to live.
In short, while you can happily replace MS-Windows with Linux, there is nothing to replace Microsoft itself.
Yeehah! (-:
Got time? Spend some of it coding or testing
Darn you for pointing that out before I got to reading this thread. I agree exactly - the heterogeneity of the systems is beyond doubt an important factor in limiting the number of virii/worms/exploits against linux. As linux gains more acceptance on the desktop there's sure to be a move to limit these differences, but the open source community will doubtless keep reinventing the wheel, hence assuring that we won't all be running the same thing.
Unix is designed under the assumption that there are supposed to be users who can do whatever they please as long as it doesn't interfere with the operation of the system as a whole.
Windows is designed under the assumption that if you're not giving someone full control of the machine, it's because you don't want them to be able to do certain things that have no bearing on the rest of the machine whatsoever.
The result is that a typical Linux installation will create a user account without root privileges that you are expected to use except when you absolutely need to be root. The windows installation will prompt you to create accounts other than Administrator, but they will still be Administrator-level accounts, because the registry and the windows installer are designed to make it difficult for anyone who is not an administrator to install software.
This is why I'm an administrator on my work machine, where I do tech support and thus need to be able to mess around with things to replicate problems, and I'm a non-root user (with sudo privileges) on my home machine. I can screw up the work machine a hell of a lot faster than I can the home machine if I open up the wicked screensaver.
If windows didn't require a completely separate login to do administrator-level stuff, this problem might go away. XP's user-switching is a far cry from this. If Joe User can't copy and paste from his non-admin web browser to some admin system tool, he'll just be admin all the time, and then when he breaks beyond all repair he'll call me along with the other hundred users I talked to today at work. AAAAAAAAAH!
WARNING: there is a trojan on your
The trump OS: OpenBSD.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
This is one of the most ridiculous statements I have ever read. Do you have any idea how difficult and competitive it is to get a programming position at Microsoft? Whether you like to believe it or not, Microsoft has some of the best programmers in the world - it also has some of the most rushed programmers in the world, and some not so great QA. Even the very best programmers don't often get their code perfect the first time around, and if a problem with some MS code is not picked up by MS's testers and QA people, it doesn't get fixed.
Idiot Lunix zealots.
I think one of the problems is that, to have a secure machine, there's a hell of a lot to know.
I've been using Unix of one flavor or another for maybe twenty years. I've been doing administration on servers for maybe ten. I know something about Unix, although I wouldn't call myself an expert. My focus is on programming rather than admin (although to be a good programmer you need to know a lot about admin, and vice versa).
The fact is, even with a lot of experience, there is an enormous amount to know if you want to keep a machine secure. And while most of it is pretty straightforward, some of it is really complicated stuff.
Couple that with the differences between flavors or even Linux distros. While the basic concepts tend to be the same, the methodology is different (for example, compare removing specific network services on Debian, RedHat, OS X, and Solaris). Security is a full-time job.
Technical people often make the analogy that the level of technical computer understanding most people want to maintain is like their house or car or office. Bar the windows, lock the doors, set the alarm. Set up the cameras if you're paranoid, and monitor them. While the top-level concepts are the same for operating systems, the kinds of attacks are different. There are only so many ways to get in through a window -- but how many programs turn up exploitable? Once you secure your windows, you know the threat level (rocks, pry bars, glass cutters, etc). With software, you may have a general idea (buffer overflows, privilege escalation, out-of-band data, unexpected input, etc), but it's continuously evolving. In both cases, vigilance is critical. In both cases, if you're security-minded you can be more or less secure, even in a hostile environment.
The problem is, this model is wrong for most people. They want to interact with their computers like they do their DVD-players or TVs. They want to use them as simple, versatile tools: think swiss-army stereo system. They don't want to have to think about security. They don't want to know that there's an /etc directory with configuration files in it. They don't want to run Windows Update every time they turn on their computer.
That's where the problem lies; people who are concerned about security will be secure whether they run Windows, Linux, or whatever. The people who just want a device that can play music, edit spreadsheets, write documents, send and receive email, and surf the web will likely be insecure no matter what OS they run. How many times have you had people volunteer passwords, watched the guy pound out the alarm code "1234", or had a user tell you their password was their cat's name?
Sure, some systems make it easier to be secure than others. But security is more an attitude than a system.
(This leaves out the whole issue of the heterogeneity of the Windows world, the desire on the part of worm writers to hit the largest "audience," and the anti-M$ attitude among 'leet hackers.)
Eloi, Eloi, lema sabachtani?
www.fogbound.net
It's a daily list of verified defacements...
Yesterday was 61% linux, today seems 100% win2000.
Worthless statistics.
Would be better to know what the numbers are in, let's say, a year.
Anyone know the url to this data? Or better a mirror, seems the site is under huge load.
I'm a chainsmokin' alcoholic sociopath, so-ci-o-path
Whether you like to believe it or not, Microsoft has some of the best programmers in the world...
I believe the point was that the MS OS has a large concentration of bad programmers, not MS the company.
incontinent MS apologists.
- It also required every unpatched MSWindows PC to report itself to MS. MS might be able to use that information.
I don't think so, since you can download the patch without going on WindowsUpdate, it's available at http://support.microsoft.com/default.aspx?scid=kb;en-us;823980
Montreal - Best city to live in!
How can you make a statement on Linux security based on Apache? If Apache is hacked it has nothing to do with Linux. It is just an application that is completely unrelated to Linux. Saying Linux is insecure because of the last Apache/OpenSSL hole would be the same as saying FreeBSD or OpenBSD are insecure because someone broke in through Apache. Apache is a whole lot more secure than IIS, though it still had some problems. While it may make sense to complain about MS security problems because IIS is one of their products, it is silly to say Linux is insecure because of Apache. I do think security under Linux needs to constantly be watched, it is very easy to get a big head, become lazy and sloppy and get all kinds of holes. Thanks to efforts like SE Linux by the NSA, Linux will keep getting more and more secure.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
According to netcraft the percentage of sites running Apache is 63.72%.
If you consider that the windows version of apache is rather insignificant, I would assume that the total linux web server installations are in line with this number.
Therefore, one must conclude that the predominant cause of web site defacements is negligence, not the operating system one chooses. After all, technically competent sites such as the one you are reading now almost never get hacked.
"I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?"
Hell, I'd be happy if their OS didn't crash, even if the applications did from time to time.
I've been using Linux at home for many years, and I've noticed that applications do crash. Mozilla crashes, ABIWord crashes, StarOffice crashes, but there are two important points to this. First, the applications that I've described are either free or inexpensive. So, I haven't shelled out $500 for a suite of applications that is faulty. Second, it's only the one application that goes down in flames. It isn't the OS, it usually isn't the GUI interface (though X is a hair weak for what I'd like to see), and the other programs remain running without issue.
I don't think that an application should have the ability to crash an OS. That is absolutely ridiculous.
Do not look into laser with remaining eye.
You, sir, madam, or genderless being, are amazingly incorrect and misinformed.
A default install of OpenBSD includes:
Now, admittedly, in the default install, only sshd and sendmail are turned on. Big fuckin' deal. With five seconds of work, it's all on and ready. And most of those are hardened software. You should diff the source trees against the original packages someday...
OpenBSD has always been all about giving the end user a complete server-in-a-box, so to speak. In fact, most of this stuff is off by default in FreeBSD and NetBSD.
It's not necessary to be all that "savvy" anymore. If you're running a stock box, you can have a SuSE or Mandrake system running on the 'net with a high speed link in less time than it takes to install WinXP.
Just leave it at the default workstation settings, and answer the questions -- same as you do for Windows.
Granted it's not set up the way I'd want it, but current releases are pretty damned good for mom & pop who just want to browse the net and read their email. It even helps protect them from the "social engineering" click-me trojans, as most of that junk is engineered for Win32.
What bothers me more is the mix and match of OS and webserver stats in the main slashdot article. Most desktop Win32 users aren't running IIS, so why would we include Apache breakins and such under Linux when comparing/discussing security?
I do not fail; I succeed at finding out what does not work.
To say otherwise would be a lie.
Windows has a great deal of exposure. Therefore more people hack it. Windows also was not designed to be secure. This is apparent in some of the things you see in it every single day, like how a single Windows box handles multiple users (not cleanly in my opinion).
GNU/Linux was designed to be secure, but doesn't have as much exposure although it is doubling pretty much every 12-18 months. If this Moore's-law-like trend, let's call it Greg's Law ;), keeps up then I predict we will see more security vulnerabilities showing up in GNU/Linux as time progresses.
The assertion that less worms implies more secure is a logical fallacy to begin with. If no one is writing worms for your OS (that is not to say no one is *using* it... lots of people are including myself) then any security issue you've got won't be apparent.
GJC
Gregory Casamento
## Chief Maintainer for GNUstep
I had sworn off responding to ACs, but you agreed with me so I'll answer you. I am currently reading "Code Complete". (Well, I am in Ch.11 and haven't touched it in a month because there is too much work and summer fun.) I learned from people who had read the book, and much of it is common sense, so I am not learning from it, but I would highly recommend it to any new programmers or PMs.
First, I am not an OS developer. I do not pretend to be one. I am a consultant that builds applications for very large corporations, and yes, I believe in getting paid.
I could help with the DESIGN of MS products.
- Start with removing tabs from almost everything. They are a very poor interface. Computer data is meant to be viewed vertically. Sections (twisties that hide vertical data when closed) can keep things organized. That interface has been proven easy-to-use. MSWindowsExplorer, AcrobatReader, and Mozilla use them for menus on the left. They are also very useful for content. Having your important network settings scattered on 3 of 7 tabs (with only one prioritized since it opens first) is painful.
- Properties boxes that allow context sensitive settings are great. OpenOffice and Adobe and Lotus products use them. Why doesn't MSWord?
- Pet peeve: MSExcel. Try programming it. If you make one mistake, it pops up an error. You cannot see the code while seeing the error. And if you click/type one thing wrong, it deletes the code with no warning. Nobody can call this user-friendly. Lotus 1-2-3 did it better in the 80s.
I have probably worked on a half a million line program so that you can add feature X in a week. I never asked how many lines of code there were. I do not need to read an entire program to find where code needs to be inserted to add a feature or remove a bug. I was able to locate and fix 200 bugs in a large application in 6 hours. The PM was upset because I was not testing the fixes (he was very paperwork oriented), but the 6 developers were doing the testing as I worked and were happy that the bugs were disappearing.
I do not want to work for MS:
1. I do not like their ethics. If I treated my customers like they do, I would not have any customers.
2. I believe MS is about to go down in flames. Why join a sinking ship?
3. They may pay very well, but I probably make more as a freelance than they would pay for any technical position. I would also lose control of my time.
4. I live on the wrong coast. I travel frequently for work, but a "job" with MS would probably require relocating to Washington.
I almost took a job with IBM; I like their software, and would like it to be more usable. But I doubt I could survive working in an office.
I am unable to work 9 to 5 for more than 2 weeks without going crazy. I am too comfortable having a few months off each year. I like results; I do not consider office politics to be fun. I am a consultant because I have to be, not because the money is fantastic (but it doesn't hurt.)
I spend my life entertaining my brain.
A web site defacement on a Linux machine is probably not a problem with Linux, but a problem with Apache, ncFTP (or UWFTPD or any of the others), SAMBA, Sendmail, or any of the other projects that people tend to run on top of Linux.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Frankly, the fact that certain distros charge money for using their automatic update system shows that we've got a way to go! After all, when you put the stuff out there and continue to put it out there, you've got a responsibility of making sure your software is not endangering the integrity of the internet.
Here's a wishlist:
1. Automated updates by default - the likelihood of a break-in is greater than breakage because of updates.
2. Better firewall configuration tools. Maybe a standard interface for having servers request
3. Better monitoring systems - not just as emails to root, but something better.
And completely unrelated, making a secure-coding class mandatory wherever coding is taught.
Stop the brainwash
Morality is usually taught by the immoral.
Once Linux is installed, a typical user would never see the command line, and only needs to learn one GUI.
True, true. I frequent several Linux online communities on a constant basis. Lately (in the last year or so) I've seen an increasing number of complete Linux newbies asking "how do I open a terminal or a console?"
Think about it: they have never even seen the Linux command line. To most anyone who's been using Linux for more than two years (until now) this idea seems inconceivable.
Yet the people turning to Linux for the first time these days are reacting in the same point-and-click manner they would under Windows. Their user experience is limited to whatever they had the luck to get installed by default and whatever they see in the "Start" menu or on the desktop. That's what their Linux experience is born and dies with.
In many cases they don't even think that they could choose a better application than the defaults. They don't know (or care) that they have a choice, they don't know that on Linux you have more than the usual to choose from, sometimes they don't even know how to install new stuff or uninstall the old.
And even if they surpass all of the above, their install tools are limited to whatever the distro provides. Don't let me even start on the "qualities" of various graphical package managers out there in the popular distros right now.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
isn't these wormholes (get it?) but the default mail and web browser programs that come with the os, sure most of the nasty stuff has more or less been patched but getting a user on a dialup to install a number of patches going into the 50+MB range is not going to happen! if they got a notice onscreen saying that they should stop by their local electronics shop and pick up a free patch disk then we would be seeing more patched boxes out there.
then we can start nailing down stupid stuff like a web browser able to install software in the background without asking the user (those porn dialers are a familiar sight) and a mail client that supports in-mail scripts out of the box (big no-no!) and is able to run software without warning users that hello this is a program file or shortcut or something other nasty, not an IMAGE FILE (check yesterday's user friendly for an upbeat look at this:)
i'm damn glad i use mozilla as my default web environment, just need to get rid of that gaming addiction...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
Modern Linux distros don't REQUIRE much technical ability, but the very fact that you CHOOSE Linux puts you ahead of Joe Winpack who just grabs whatever is at Best Buy. Until you can walk into Best Buy and get a RedHat computer as easily as an XP box, the "average" Linux user will be more knowledgeable than the "average" Windows user.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Tells a rather different story, doesn't it?
Every zealot in the world needs to get this: there is no *right* OS for everyone to run. Not Windows, not Linux, not BSD, not OSX, etc.
The *right* OS is the one that you feel comfortable with, and which meets your immediate needs. You might even do well by running several (at home I dual boot my game machine depending on what I want to play: EverQuest or BZFlag).
What's more: diversity is very important to resisting any kind of infection, viral or otherwise. If the net were an even mix of Linux, Windows, BSD and OSX, we would benefit from the competition, different security measures, etc.
That being said, Linux already has a great deal of diversity internally, so a virus or worm that wanted to infect Linux systems would have a hard time covering all of its bases. A Debian system would be hard to penetrate if your worm was written for Red Hat or vice versa. It's not impossible to write a cross-Linux worm, but hard. Then you have to deal with differing shells, various degrees of stack protection, radically different end-user software, major revisions being more common and thus software incompatibilities even between multiple hosts running the same vendor's OS, etc.