Slashdot Mirror
Is Linux as Secure as We'd Like to Think?
man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
First, the user base for Linux is inherently more systems-savvy and internet-knowledgable than the Windows user base: it comes back to the old Linux-on-the-desktop argument. As long as you've got less systems-savvy users on a particular operating system, it will be more vulnerable to attack. As a result, people with more tech knowledge tend to also run a more secure system - just like my lawyer friends know not to let the cops search your car.
Anti-establishment psychology also comes into play: for example, you don't see anti-business graffiti on your local coffee shop, you see it at Starbucks. When people want to make a statement about animal cruelty and food, they often picket at McDonald's - not the local Mom & Pop restaurant. Why? Because it's perceived as cool to go after the big business. Writing a Linux virus isn't nearly as cool as taking down Microsoft. The recent viruses attacked Windows Update for a reason: to make a statement. Calling Linux secure because people love DDOS'ing Microsoft is faulty logic.
What's your damage, Heather?
I think website defacement and Linux security are 2 different issues all together. From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of of the operating system or the web server for that matter. It was only a security hole in one php script. This security hole was identified and patched rather quickly but I failed to apply the patch in a timely matter. But the rest of my websites were fine along with the rest of the services running on that box.
My opinion is that there are a lot of free / cheap web hosts out there running OSS and a lot of people publishing web pages and message boards using scripts that someone else wrote and not updating them.
I would like to see a comparison on the types web pages that were defaced and what was actually done, I bet most of them had nothing to do with operating system the website was running on.
"A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
I think we are correct in saying that Linux is more secure than Windows. When we are talking about just the operating system, then we can safely say that it is more secure.
Of course as we add applications to any system that system becomes more vunerable.
It's just that Windows starts off vunerable and gets worse as we add more apps (ie, Web server, ftp server, etc.).
Does this take into account the # of linux servers vs. windows servers? If there are significantly less windows servers, then this isn't all that significant. If there are less windows servers, but just as many break ins as linux, then windows is still more insecure despite the fact that they have the same number. they have more per machine. i hope that made sense =)
The only real way to secure a computer is to pull the power plug out of the wall. If you spent time mantaining your computer, keeping it up to date, and you know what you are doing their is little chance that you will have major problems. Anybody who puts a linux system on their network and doesn't update it is likly to have their system exploited.
Got Extra Money?
Species of Windows Programmer: Human
Species of Linux Programmer : Human
Chances of human error making it into the code: Equal
Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?
Absolutely not! These are not viruses that exploit bugs in code. These are socially engineered programs designed to get the user to run them.
You can't make the argument that the "average intelligence of the linux user" is higher than joe-sixpack's because if we are talking about linux-in-the-mainstream, then the "average linux user" will be joe-sixpack! Also, you probably can't talk about the fact that it isn't as mind-numbingly easy to run a scipt in linux as it is in windows, since those arguments contribute to why linux isn't mainstream in the first place!
Or your admin makes it.
I used to run an old distro (RH 5.1) for the longest time (it had everything I needed) and it was full of security holes after doing the install. But disable some services, update some packages and presto - you're ok to go.
It's the same thing with Windows - check out the services turned on by default after installing Win 2k. Half of them will never be used by a home user.
So patch your box, remove unnecessary services and you should be alright. If you know what you're doing, you'll be ok.
Linux is less vulnerable because there are fewer identically configured machines on the internet.
:)
One of the things about Windows is that there are so many copies out there that are all configured the exact same way, if a flaw is found in anything you have an instant worm possibility.
With Linux there are so many distributions, each with their own initial configurations and setup types that a worm would be hard pressed to find a common exploit.
Not that the internet hasn't been shut down by a UNIX worm in the past, that is...
I do contract work. A HUGE bulk of it lately has been doing security audits on companys running old redhat, old plesk, or both that have been hacked by shit brazilian hacker groups like "Hidden Wrestle" and "Securinos". They hang out on irc.brasnet.org all day looking for webhosts using old plesk and old redhat. It's an awesome excuse to migrate people to FreeBSD and webmin. I've done quite a lot of that lately. They freak when they see the cost of the latest plesk and enterprise redhat. It makes selling them on FreeBSD and webmin/horde/squirrelmail/usermin/virtualmin/etc. very easy. So as long as people insist on installing 2 year old redhat and plesk 2.5 and never updating it, I'll have plenty of work removing eggdrop and psybnc from machines, and migrating people to FreeBSD. I'm starting to look at BMW's again.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
An unmaintained system is almost always more vulnerable than a maintained system, no matter what they are. Also, I don't know how secure you'd like to think GNU/Linux distributions are - they're made by humans who make mistakes.
But the recent attacks certainly give evidence for th e Linux crowd. XP comes with multiple open ports by default, by default doesn't enable a firewall, and its mail reader by default runs arbitrary programs sent by attackers when clicked. Typical Linux distributions have no open ports by default, use a firewall, and don't stupidly trust attackers to send them "nice" programs when clicked.
The notion that Linux systems are immune is fundamentally wrong. Linux systems do make design choices that make them rather resistant. But it's all more complicated than "X is always more secure".
- David A. Wheeler (see my Secure Programming HOWTO)
Both Linux and Windows must first be properly patched and locked down; the differences between the two are:
1. Linux's security model, when properly used, makes it harder for an intruder to go from "foot in the door" to "root access."
2. In the case of Linux, you won't have a whole new set of remote root exploits that need patching 6 hours later.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
Linux itself, and any OS can be very secure, in the hands of a competant admin. Its when you get a moron in command that the integrity of the system goes down the pooper. Even OpenBSD can get owned if a moron is running the show.
And remember: Website defacements are often a level above owning the actual server, PHP Nuke has an awful track record, with new holes found all the time, and other site management software is vulnerable as well. Crois site scriptingm, cgi exploits may allow a level fo access to a site, or even compromise a user level account, but in the hands of a skilled admin, this is nothing compared to a fully suvccessful root exploit, and can eb dealt with.
And fo course, no matter how good you arem, if you allow remote root ssh conenctions, and your password is "demiguru" for every account you have anywhere, well then, your just a dumbass. Yeah Nick, I am talking about you.
--Nuintari
slashdot : where an opinion can be wrong.
But if Dell shipped 95% Red Hat boxen, you'd see a lot more Linux worms show up. Maybe not as many as Windows, but still...
Schnapple
It really is the COMBINATION of factors: ...) -- if you know how;
* number one reason is probably that most user desktops are windows;
* an average linux user is a lot more technically savvy than an average windows user, and is much more likely to understand the importance of applying patches [my non-technically oriented friends ALWAYS IGNORE those "updates are ready for installation" messages];
* as a lot of posters have mentioned, Linux systems can be made more secure (open source, security-minded design,
* I'd guess people who create these things might use MS hatred as an excuse;
* there is greater diversity among linux software, whereas most people use outlook/msie on windows; (maybe to a lesser extent,) same is true for OS versions; this makes it easier to target MS.
* (Probably more that can be added here.)
US Democracy:The best person for the job (among These pre-selected choices...)
For instance, they don't think having to type in a password to run Setup.exe is even remotely reasonable. Their view of the computer is: "if I want to do something with my machine, I should be able to just do it. Don't put anything in my way." And if they were forced to take precautions, their password would end up being something like 'a'. And a regular schedule of changing passwords? Forget it.
Another example, a little more relevant to this case: people want their email for sending dirty pictures, HTML joke pages, funny Flash or Shockwave animations, Active X games, etc. They'd be bored to tears if they had secure email. And they'd be pissed off at anybody who was responsible for it. Have any of you guys ever taken heat for banning popular but incredibly insecure software at your site? Or spyware.
And it's astounding how many supposedly intelligent people (programmers) who have you in their address books end up sending you virii because they were stupid enough to continue clicking on emails about 'Hot pics' or those 'Snow White and the Seven Dwarves' emails. Sheesh.
All this is not to say that Microsoft doesn't have some basic architectural issues--they do. But the unreasonable demands and silly behavior of many users more or less prevents them from changing any of it. And when they do change it, people ignore it for the sake of convenience. It's been possible to run as an unpriveliged user for a long time with Windows. And it's not difficult to do. But guess how many people actually do that.
"I love you" and "soBig" both happened because too many people are using Windows, not because Windows in itself are insecure.
Any homogenous system will always be voulnerable to these kind of attacks.
The problem with any homogenous system (ecological, social or digital) - even if it might be very effective and streamlined when it works - when one of the units fails: all fails.
The key to building resistant systems, is making them heterogenous. Nature has figured that out millions of years ago. The key to securing a species survival is variance.
The same goes for computer systems. When 90 % of the computers are running Windows, Office, Outlook, viruses like ILoveYou and soBig have disastrous effects. (The fact that there are several versions of Windows, with different SPs installed, is making it a lot harder to write effective viruses).
My biggest fear is that Microsoft will end up with a susbscription system, and automatical updates. This could lead to a totally homogenous computer park... it is bound to be disastrous..
Wanna hear something sad?? I have Unix developers who want root access because when they type 'find / malloc.c', it returns too many 'permission denied' messages. I tried to explain that if they tack on '2>/dev/null' onto the end, the errors messages would go away and they would still find their file.
Their response?? That's too much work.
It doesn't make any difference how tech-savy someone is. Secure systems by their nature prevent access to features. If the perception is that it takes longer to get something done because of the security, people want security turned off.
That's part of the reason why M$ so insecure, Bill Gate$ has made it too easy to use. My fiancee runs her XP laptop without any login, just turn it on and there you are. So much for security. I gave up trying to explain to her why she needs to login to use it. The standard answer is it takes too much time.
I guess getting to email and solitare quickly are more important than making sure all the personal data she has on it is safe.
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
Is that 61% a stat-lie?
... the interpretation of 61% is in error. ...) are frequently defaceable. I believe, due to the obvious (cost for a Linux+Apache+Skill+Daring) already stated by others, means that the most easily defaced website are in fact probably "Linux+Apache", but also the best most secure website because of the open-community+collaboration+... implies (for me) "Linux+Apache" makes the best websites for business and government.
If there are significant more Apache websites compared to MS-Win websites on the internet, and the numerical coefficients of the variables used in the equations were not weighted appropriately, then a condition (of at least) co-variation was not taken into account
Also, novice websites (Apache, MS-Win,
So, I suspect stat-lie. However, I ain't done any major data crunching with FORTRAN and arrays in almost as many years as serious code.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
There are twice as many Apache sites as IIS sites, so one would expect to see twice as many Apache defacements if they were attacked equally often and defended equally well.
IRL, the Apache machines will more often be doing multiple duties (e.g. Internet gateway, email server), further skewing the results against themselves because there are simply more services to break into on those machines.
If I was a selfish, destructive little cracker, I'd be breaking into Linux boxes simply because they're more useful than a corresponding MS-Windows box once you 0\/\/|\|3rZ them.. A lot more stuff will install off-the-shelf in scripted fashion, or already be installed.
Got time? Spend some of it coding or testing
So... exit Microsoft Corp, stage left; enter Linux Corp, stage right? Have I got the picture?
But Linux isn't a corporation; and Linus would happily agree that Linux isn't a person. It has, in its enemies' words, "no centre of gravity", no central bastion to attack. It has no war-chest, no lawyers, no production facilities. If it is distributed from France or Germany, it isn't because of some strategic global plan, it's just where the distributors happened to live.
In short, while you can happily replace MS-Windows with Linux, there is nothing to replace Microsoft itself.
Yeehah! (-:
Got time? Spend some of it coding or testing
This is one of the most ridiculous statements I have ever read. Do you have any idea how difficult and competitive it is to get a programming position at Microsoft? Whether you like to believe it or not, Microsoft has some of the best programmers in the world - it also has some of the most rushed programmers in the world, and some not so great QA. Even the very best programmers don't often get their code perfect the first time around, and if a problem with some MS code is not picked up by MS's testers and QA people, it doesn't get fixed.
Idiot Lunix zealots.
- It also required every unpatched MSWindows PC to report itself to MS. MS might be able to use that information.
; en-us;823980
I don't think so, since you can download the patch without going on WindowsUpdate, it's available at http://support.microsoft.com/default.aspx?scid=kb
Montreal - Best city to live in!
How can you make a statement on Linux security based on Apace? If Apache is hacked it has nothing to do with Linux. It is just an application that is completely unrelated to Linux. Saying Linux is insecure because of the last Apaceh/OpenSSL hole would be the same as saying FreeBSD or OpenBSD are insecure because someone broke in through Apache. Apache is a whole lot more secure then IIS, though it still had some problems. While it may make sense to complain about MS security problems because IIS is one of their products, it is silly to say Linux is insecure because of Apache. I do think security under Linux needs to constantly be watched, it is very easy to get a big head, become lazy and sloppy and get all kinds of holes. Thanks to efforts like SE Linux by the NSA, Linux will keep getting more and more secure.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
"I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?"
Hell, I'd be happy if their OS didn't crash, even if the applications did from time to time.
I've been using Linux at home for many years, and I've noticed that applications do crash. Mozilla crashes, ABIWord crashes, StarOffice crashes, but there are two important points to this. First, the applications that I've described are either free or inexpensive. So, I haven't shelled out $500 for a suite of applications that is faulty. Second, it's only the one application that goes down in flames. It isn't the OS, it usually isn't the GUI interface (though X is a hair weak for what I'd like to see), and the other programs remain running without issue.
I don't think that an application should have the ability to crash an OS. That is absolutely ridiculous.
Do not look into laser with remaining eye.