Slashdot Mirror
Is Linux as Secure as We'd Like to Think?
man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
I think website defacement and Linux security are 2 different issues all together. From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of of the operating system or the web server for that matter. It was only a security hole in one php script. This security hole was identified and patched rather quickly but I failed to apply the patch in a timely matter. But the rest of my websites were fine along with the rest of the services running on that box.
My opinion is that there are a lot of free / cheap web hosts out there running OSS and a lot of people publishing web pages and message boards using scripts that someone else wrote and not updating them.
I would like to see a comparison on the types web pages that were defaced and what was actually done, I bet most of them had nothing to do with operating system the website was running on.
"A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
I think we are correct in saying that Linux is more secure than Windows. When we are talking about just the operating system, then we can safely say that it is more secure.
Of course as we add applications to any system that system becomes more vunerable.
It's just that Windows starts off vunerable and gets worse as we add more apps (ie, Web server, ftp server, etc.).
Does this take into account the # of linux servers vs. windows servers? If there are significantly less windows servers, then this isn't all that significant. If there are less windows servers, but just as many break ins as linux, then windows is still more insecure despite the fact that they have the same number. they have more per machine. i hope that made sense =)
The only real way to secure a computer is to pull the power plug out of the wall. If you spent time mantaining your computer, keeping it up to date, and you know what you are doing their is little chance that you will have major problems. Anybody who puts a linux system on their network and doesn't update it is likly to have their system exploited.
Got Extra Money?
Species of Windows Programmer: Human
Species of Linux Programmer : Human
Chances of human error making it into the code: Equal
Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?
Absolutely not! These are not viruses that exploit bugs in code. These are socially engineered programs designed to get the user to run them.
You can't make the argument that the "average intelligence of the linux user" is higher than joe-sixpack's because if we are talking about linux-in-the-mainstream, then the "average linux user" will be joe-sixpack! Also, you probably can't talk about the fact that it isn't as mind-numbingly easy to run a scipt in linux as it is in windows, since those arguments contribute to why linux isn't mainstream in the first place!
But isn't the point that Microsoft IS the biggie out there, and Linux isn't, but we all (well, there is an assumption here) would like to see that reversed? If that's true, then your arguement is effectively null and void.
That's actually the point: there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames, and Linux take its place. Those people are more technically inclined. While I would never go so far as to say that Linux people purposely write virii to take down Microsoft, I certainly wouldn't say that Microsoft users are the guys writing virii to take down Windows Update. You don't bite the hand that feeds you, and I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.
What's your damage, Heather?
Or your admin makes it.
I used to run an old distro (RH 5.1) for the longest time (it had everything I needed) and it was full of security holes after doing the install. But disable some services, update some packages and presto - you're ok to go.
It's the same thing with Windows - check out the services turned on by default after installing Win 2k. Half of them will never be used by a home user.
So patch your box, remove unnecessary services and you should be alright. If you know what you're doing, you'll be ok.
Linux is less vulnerable because there are fewer identically configured machines on the internet.
:)
One of the things about Windows is that there are so many copies out there that are all configured the exact same way, if a flaw is found in anything you have an instant worm possibility.
With Linux there are so many distributions, each with their own initial configurations and setup types that a worm would be hard pressed to find a common exploit.
Not that the internet hasn't been shut down by a UNIX worm in the past, that is...
People don't go after big business because it's "cool." People go after big business because it's visible. It gets their message across to more people. Big business is also a target because any change in business practices has a wide effect. If McDonalds increases their food safety standards, the change has a real effect on national food safety because of McD's sheer mass. In addition, other fast food chains will follow suit to avoid bad publicity. Going after McDonalds isn't "cool." It's effective.
the user base for Linux is inherently more systems-savvy and internet-knowledgable than the Windows user base
Or so they would like to think...
I'm not so sure. There are lots of those savvy and knowledgable people on Windows, just as there are lots of "k3wl, I'm so 1337 d00d, because I run Linux and not M$ Winblows" amateurs out there.
I think you'll find the average Linux user to know a bit more about computers yes, but to make the assumption that Linux users are "inherently" more secure users is just begging for trouble.
And furthermore, lots and lots of Linux users are most likely too confident because they are so savvy and knowledgable. Hubris is dangerous on any platform.
Of course, since we all want to feel special and look down on some other group and be "better" than them, that is not what people want to hear around here.
"I love you" and "soBig" both happened because too many people are using Windows, not because Windows in itself are insecure.
Any homogenous system will always be voulnerable to these kind of attacks.
The problem with any homogenous system (ecological, social or digital) - even if it might be very effective and streamlined when it works - when one of the units fails: all fails.
The key to building resistant systems, is making them heterogenous. Nature has figured that out millions of years ago. The key to securing a species survival is variance.
The same goes for computer systems. When 90 % of the computers are running Windows, Office, Outlook, viruses like ILoveYou and soBig have disastrous effects. (The fact that there are several versions of Windows, with different SPs installed, is making it a lot harder to write effective viruses).
My biggest fear is that Microsoft will end up with a susbscription system, and automatical updates. This could lead to a totally homogenous computer park... it is bound to be disastrous..
Wanna hear something sad?? I have Unix developers who want root access because when they type 'find / malloc.c', it returns too many 'permission denied' messages. I tried to explain that if they tack on '2>/dev/null' onto the end, the errors messages would go away and they would still find their file.
Their response?? That's too much work.
It doesn't make any difference how tech-savy someone is. Secure systems by their nature prevent access to features. If the perception is that it takes longer to get something done because of the security, people want security turned off.
That's part of the reason why M$ so insecure, Bill Gate$ has made it too easy to use. My fiancee runs her XP laptop without any login, just turn it on and there you are. So much for security. I gave up trying to explain to her why she needs to login to use it. The standard answer is it takes too much time.
I guess getting to email and solitare quickly are more important than making sure all the personal data she has on it is safe.
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
There are twice as many Apache sites as IIS sites, so one would expect to see twice as many Apache defacements if they were attacked equally often and defended equally well.
IRL, the Apache machines will more often be doing multiple duties (e.g. Internet gateway, email server), further skewing the results against themselves because there are simply more services to break into on those machines.
If I was a selfish, destructive little cracker, I'd be breaking into Linux boxes simply because they're more useful than a corresponding MS-Windows box once you 0\/\/|\|3rZ them.. A lot more stuff will install off-the-shelf in scripted fashion, or already be installed.
Got time? Spend some of it coding or testing
This is one of the most ridiculous statements I have ever read. Do you have any idea how difficult and competitive it is to get a programming position at Microsoft? Whether you like to believe it or not, Microsoft has some of the best programmers in the world - it also has some of the most rushed programmers in the world, and some not so great QA. Even the very best programmers don't often get their code perfect the first time around, and if a problem with some MS code is not picked up by MS's testers and QA people, it doesn't get fixed.
Idiot Lunix zealots.
As a technical person who communicates well with non-technical people, I have to say that the failure of communication is almost always with the technical person.
Being more concerned with being seen as smart and informed than actually providing coherent information, spending too much time on irrelevant details instead of providing step-by-step instructions on what has to be done, geek inferiority complexes leading to arch, grating deliveries, a failure to listen and understand the end-users needs - I've seen it all. And I've almost never met an end-user type whose technical behaviour I wasn't able to amend for the better.
I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.
Looks like you need to get out more, then. That's a pretty broad and ignorant statement. Equally broad and ignorant statement: "I've never met someone who has been laid and simultaneously preferred using Linux as his/her desktop OS."
No, that's not how I feel. Yes, I do support Linux and the open source movement, but I don't believe in unreasonable and illogical statements against the opposing "camp" like claiming that not one of the millions of Windows-by-choice users are smart enough to write a good virus.
"I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?"
Hell, I'd be happy if their OS didn't crash, even if the applications did from time to time.
I've been using Linux at home for many years, and I've noticed that applications do crash. Mozilla crashes, ABIWord crashes, StarOffice crashes, but there are two important points to this. First, the applications that I've described are either free or inexpensive. So, I haven't shelled out $500 for a suite of applications that is faulty. Second, it's only the one application that goes down in flames. It isn't the OS, it usually isn't the GUI interface (though X is a hair weak for what I'd like to see), and the other programs remain running without issue.
I don't think that an application should have the ability to crash an OS. That is absolutely ridiculous.
Do not look into laser with remaining eye.