Slashdot Mirror


Is Linux as Secure as We'd Like to Think?

man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

24 of 1,091 comments

  1. Re:Psychology plays a role by Anonymous Coward · · Score: 4, Interesting

    Maybe skilled users make the difference, but not in and of itself. Otherwise we would expect to see heaps of security problems/viruses with Mac OSX boxes.

  2. Security through obscurity by defile · · Score: 4, Interesting

    Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

    Anyone can write a worm that leverages a security hole in a default service of a default Red Hat Linux install. Or Windows XP Home Edition.

    However, it takes considerably more skill to be able to write a worm that can target vulnerable services across multiple distributions of Linux, multiple versions of each distribution, etc.

    As long as Linux evilware continues to exploit C program unchecked boundaries, a single universal worm that can effectively exploit every potentially vulnerable Linux system remains highly unlikely.

  3. Just my 2c... by dark-br · · Score: 5, Interesting

    I've seen people on Windows machines probed and hacked while they were online on IRC, in real time. Any passably competent cracker should be able to take control of a Windows box in short order. And Microsoft is well known for being slack on security matters. Always has been. And VB and the other tripe they've grafted on to their products multiplies the possibility for hacks by an order of magnitude.

    Yes, there are Linux hacks, though far fewer than Windows hacks. And I see the buffer overflow vulnerabilities and such that come out weekly for Linux software. Many of those vulnerabilities are theoretical, found by a perusal of source code and never actually taken advantage of. And the Open Source community fixes these _far_ faster than Microsoft will ever fix theirs.

    Oddly, some of the foremost security guys (Bruce Schneier, for example) state very explicitly that Open Source software is far better security-wise than any closed source software (read Windows). And they explain the reasons in great detail. And there are several people on this list who deal with both OSes on security matters on a day to day basis, and I'm pretty sure they'll attest that Linux security is much stronger than Windows.

    If nothing else, a Linux user can determine and control open ports, running services, and create firewalling rules. Windows users think a port is something a ship pulls into, and a firewall is something in their cars.

  4. Social Engineering by Ieshan · · Score: 4, Interesting

    Modern viruses work by two major routes:

    A) Exploits
    B) Social Engineering

    Exploits are hard to stop without patches. Get enough unpatched systems, and your virus spreads. There are a lot of guilty linux users here, I'm sure: people download software all the time without checking its security. People run software daily without bothering to check for updates. It happens.

    Social engineering, however, is by far the most widely used virus tactic. It's easier to fool a user than to fool a well-secured computer, says this adage. The basic premise fails under linux: it's really, really hard to get someone to run malicious code that you want them to run. Most linux users are above-average on the computer-tech-savvy curve - I would say that the mean computing knowledge for an average linux-desktop user is above the 90% mark on a curve of all computer users.

    This means linux users don't do stupid things as readily. The subject line RE: DOWNLOAD MY NEW SCREENSAVER with the attached .tar.gz isn't likely to fool many people. I have a hard time believing that most SoBig victims are those who know what Bayesian filtering is; actually, I have a hard time believing that most SoBig victims know what Inbox means.

    Furthermore, it's tough to write code that will run without a hitch on everyone's system, as there are so few distro standards. Also, as email virii work, with linux being a small desktop percentage, it's tough to get emails into the boxes of most Linux users.

    Last but not least: There are few people who want to see Linux die. The rivalry doesn't work in both directions. There are thousands of anti-MS'ers, but a sad few anti-Linux'ers (SCO not included. =P). What would the protests be? "Hey, assholes! Keep your free operating systems off of our clean hardware! You're ruining good pentium chips by corrupting them with something non-proprietary!" etc.

    Just a few points. I'm sure there are better ones.

  5. Defacement != Hack by RT+Alec · · Score: 3, Interesting

    At least, not always

    IMHO, the single greatest threat to having a site defaced is the use of insecure protocols for publishing. Let me be more specific: FTP. Most web development tools use FTP for their "publish" feature (e.g. Dreamweaver, just to pick on them). Securing FTP is a nightmare, with all the ports randomly popping up and so forth. You have to dumb down a firewall quite a bit, and having it tunnel over SSH only partially secures it (and you still have to deal with the firewall woes).

    So, an employee goes home at night, and updates her company's web site over her cable modem connection, and the 12 year old down the block running a sniffer captures the user ID and password. She then passes this information on in a chat room, and voila! The site is defaced shortly thereafter. It does not matter what OS the site is on.

    Having said that, some systems are more prone to social engineering. If the server goes down due to numerous patches being applied (and the requisite reboots), a web developer might get used to the IS department resetting her password and thus be more susceptible to that phone call asking for the login info. But my point is, web site defacements do not necessarily indicate the security of the OS. It is a combination of protocols used (how about only allowing SFTP?), policies, and implementation by knowledgeable admins. Unix (Linux, BSD, etc.) admins tend to be better at implementation and policy development than their Windows brethren; perhaps that is the causal connection.

  6. Linux worms by ZorbaTHut · · Score: 3, Interesting

    I've actually gotten irritated enough with "Linux is more secure than anything!" zealots that I've considered writing a Linux worm. I seriously doubt it would be hard. Go find some old security advisories for Apache, SSL, and anything else you want. Hook together a Linux-killer worm that tries all of the exploits, installs a rootkit on the compromised system, and sets that one up to probe. If you wanted to be really evil, you could code it to start doing subtle damage after a week - wiping random passwords, deleting random files in users' directories, and so forth. After a few months it could start causing kernel panics if you wanted.

    Would it work? Of course it would work. For all the "Linux is secure!" talk going on, what they really mean is "Linux is secure if it's patched up to the most recent versions" (curiously enough, this is the same as Windows). I'll bet you cold hard cash that there are plenty of old unmodified Redhat 5.0 systems out there. How many root exploits have been found in the last few years? How many holes have there been in Apache, SSL, Samba, any other program that's installed by default?

    Nobody's done it yet - but that doesn't mean it's not possible.

    The only reason I haven't written the worm is because, in the end, I'd cause a whole lot of financial problems and headaches for a lot of people who didn't deserve it. I'd love to prove Linux doesn't have intrinsic perfect security, but I don't want to actually do damage to prove it.

    But just wait - someone's going to do this someday. In fact, for all you know, somebody already *has* - they've just programmed it to be unbelievably stealthy and only target systems that the admin hasn't logged onto in months.

    Go on - prove it's impossible. I dare you.

    --
    Breaking Into the Industry - A development log about starting a game studio.
  7. User level privileges by miketang16 · · Score: 3, Interesting

    Personally, I think Linux will always be more secure as long as Windows doesn't implement users and groups correctly. In XP, the default login is Administrator, which allows for access to EVERY single file on the system. The installation doesn't tell you this either, it just uses it if you setup only one account. With Linux, even if someone were to break your user password, or exploit their way into a user account, they can't do nearly as much damage as in Windows. Of course if they get the root password, you're just as screwed, but at least there's a barrier of protection between levels.

    --
    -------
    "In times of universal deceit, telling the truth becomes a revolutionary act."
    -- George Orwell
  8. Re:I think its the apps by commodoresloat · · Score: 4, Interesting

    From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of the operating system or the web server for that matter. It was only a security hole in one php script.

    I think one could say the same about Windows, no? It has nothing to do with the security of the OS if hackers find vulnerabilities in a commonly used application (e.g. Outlook).

  9. Re:Short answer No, Long answer Maybe by deranged+unix+nut · · Score: 4, Interesting

    ..sigh..

    I wish this were so funny. The last two VARs that a business I know of has gotten accounting systems from have configured the systems so that all of the users did log in as root.

  10. Hitting a moving target by The+Tyro · · Score: 4, Interesting

    That's an excellent first post.

    I think you are about half right about the first point... how many really clueless users do you know that run linux? To run linux, a person has to get over the "activation energy" of actually getting it installed. This goes beyond just having a pretty GUI installer rather than some text-based option... it's actually knowing how to answer the questions the installer asks: How many joe-sixpack guys even know what an IP address is? Or know their primary and secondary DNS server addresses? If some well-meaning geek has installed a linux system for their grandma, they probably set up IPtables and killed all the unnecessary services... that's a HUGE security advantage right from the start. It's amazing what a clueful install can do.

    But onto your second point. I think it has more to do with the variety of linux users/systems rather than their iconoclastic attitudes (though the latter probably breeds the former, so in a way, you could be right). As a medical professional, I'd compare it to a genetically heterogeneous population. In a MS-centric environment, there's only so many ways to skin a cat... Win2K, WinXP, et al. That lack of variability has administration advantages, but that sword cuts both ways. Common systems are easily administered, but just as easily cracked if they share a common vulnerability.

    In nature, genetic variability is your friend... keeps an entire population from being wiped out by a plague. The Cystic Fibrosis gene is a defect, but saved some people from death during the cholera epidemics of the middle ages, and the gene has stayed in the northern European population ever since.

    Variation on systems is FAR more prevalent in the linux world. Different kernel versions, different daemon versions, different firewalls, different configs (chroot, etc). Add that to a tech-savvy population, and a successful linux worm becomes a serious challenge.

    It's really apples and oranges to compare linux and MS environments.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
  11. Re:Psychology plays a role by I_redwolf · · Score: 4, Interesting

    Ugh.. this is so inherently based on faulty logic itself that it's beyond the scope of a comment to explain but I will try.

    Unix and Unix like systems are based on a simple and easy concept when it comes to security. That is, if you don't have what is known as "root" you don't get to do any damage to system resource files.

    Windows operates on an everyone is root notion, allowing anyone to make changes to system resource files. Not only that but because of the way Windows is designed where everything is mashed together, when one card falls so does the whole deck.

    Unix and Unix-like systems operate on one tool for one job, and with inventions like the pipe and IPC a whole host of new functionality becomes possible just by passing the output of one program to the next.

    That's as simple as I can possibly explain it. I'm not saying Linux is the most secure thing since sliced bread, I'm simply stating the facts, and the fact is that Unix and Unix-Like systems tend to be more secure because they were DESIGNED that way. Windows was not designed with security in mind and the fact is that it is less secure.

    All the other "linux virus writing is less because windows is so prevalent" hippy bullshit I'll save for PHB's. If you really believe that I've got an SCO license to sell you too.

  12. An analogy... by koa · · Score: 3, Interesting

    One of the reasons why Linux is not as vulnerable to virii and worms is because it is so configurable.. I would liken it to the immune system in humans, everyone has the same "type" of human immune system, however, some people are immune (to a potential virus or infection) due to a slightly different configuration in that system.

    On that logic, windows is like a million clones of one person.. So when one virus takes hold, there is no genetic diversity.

    Anyone have any similar ideas?

    --
    ....move along....nothing to see here....
  13. Operating System Transparency and the Application by Above · · Score: 4, Interesting

    There are really two different problems when it comes to securing against worms and the like, and for the moment I think Linux (and any Unix) has an advantage in both areas, although it's probably not as big as many people think.

    First you have to look at what a rogue program can do once in the system. For this the entry vector is unimportant. With most Unix like systems the default is for the user to not have full privileges (eg, not be root), and thus the rogue program cannot make full use of the system. That doesn't mean it can't complete its mission, but it does make several things much harder:

    • Hiding from the user / administrator. Almost all rogue programs try to hide. When a user only has disk permissions to their own area, and not to the entire machine there are fewer places to hide. Also due to differences in the system it's more routine for users and administrators to be presented with system data (eg, ps output) and it's easier for the administrator to collect data about programs running (ps, accounting, lsof, netstat). I know, you're going to say all that can be done on windows. The problem is windows goes to great pains to make the average user, and the average administrator not know that.
    • Automatic execution. To better hide rogue programs often don't want to run all the time. Again, by design most users can't edit startup files, or couldn't append a wrapper around a standard system program on a Unix like box. Indeed, many users have no programs installed in areas they can write to. Windows on the other hand allows users to add TSR's and edit all the applications, allowing a Rogue program to hide almost anywhere.
    • Built in defense mechanisms. Almost all Unix flavors come with some defense standard now. Mostly in the form of nightly scripts checking for SUID programs and the like. Some are more fancy, some less, but at least there is some attempt out of the box to notify the user / administrator of a problem.

    The main issue is, most of the operating system differences don't mean much, as it's the applications that are the holes. From the simple password in a URL, to a complex buffer overflow attack applications are very often the vector into the system. Here you have to separate the cultural differences from the application differences.

    Cultural: Many Unix users still used text based mail clients in xterms, and even when they don't the GUI's were designed to more closely mimic the behavior of those interfaces. Attachments are evil, when run are generally carefully handed to a program as data. In windows virtually all mail programs are graphical. Many users demand them to implement things like javascript that auto-execute, many of them will happily run a foreign attachment with little more coaxing than a mouse click. At the end of the day these differences require user education. That may be helped by a transparent OS, but it's still a user education difference.

    Application Differences: Windows (Microsoft) encourages developers to build tightly coupled applications. Look no further than OLE. That ability to embed excel in your word doc and have it just pop up over the UI requires a tightly coupled API for program to program interaction, generally exposing full interfaces. Rogue programs can exploit this, often not needing to know what application is in use, but rather just the API. Unix developers / environments generally encourage a loosely coupled behavior. Programs provide some command line / pipe oriented service and handle all their own details internally. You need only look as far as printing to see this quite well, as windows pushes driver bits into the application to change behavior, while unix makes it all happen with a "system()" command running a new program.

    At the end of the day, I believe the following statements are all true:

    • Windows is targeted because it is the dominant platform, and rogue programs generally want to have the highest chance of suc
  14. Re:How I see it... by mikolas · · Score: 4, Interesting

    "For an end user it's obvious since in windows you are always the admin (even in winxp where you can finally really change the power of the user, a lot of shit doesn't work right unless you are the admin). This basic security difference is HUGE."

    Well if you just for one second assume that a Windows user is as competent as a Linux user, this sentence just does not make any sense. I haven't been running as administrator on Windows since NT4. I know how to use "Run as a different user" just as well as I can write sudo in Linux, so there really is no need ever to log in with too many privileges on Windows. And as a technologically advanced user you also know your policies and such, so you can harden all the other accounts in the system just the same way you might do it using Unix-like operating systems. It's even easier to do fine grained security hardening on Windows given you know how to administer your box.

    And, when it comes to the RPC exploit, you just don't remember what happened with OpenSSH some time ago? A fix was available for quite some time and even then a huge amount of computers got cracked. If Linux was as popular as Windows, there might easily have been about the same number of "infections" as there were with Blaster.

    To assume one system is more secure than some other just because it's different is simply stupid. Security consists of many different aspects and the underlying OS is just one of them.

  15. did you fix it for yourself, or for everyone? by donutz · · Score: 5, Interesting

    When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing.

    So just out of curiosity, did you submit your changes to the PHPNuke folks? Or just fix it for yourself? Seems it would be a kind thing (good for your karma, and not just the /. kind) to submit security fixes, if you know they exist.

    Care to comment on where you made some of your fixes in the code, so that if you didn't report them yourself, then someone else can make those fixes public?

    Thanks!

  16. You *need* to get out and about more by leonbrooks · · Score: 3, Interesting

    I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.

    I can introduce you to at least four. One of them writes anti-trojan software for his living.

    --
    Got time? Spend some of it coding or testing
  17. MS users hate MS by solprovider · · Score: 4, Interesting

    there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames

    Because they are forced to use MS products. Most people do not have strong feelings about stuff they have not personally encountered.

    While I would never go so far as to say that Linux people purposely write virii to take down Microsoft, I certainly wouldn't say that Microsoft users are the guys writing virii to take down Windows Update.

    The script-kiddie viruses require MSWindows to write, or at least test, the virus. Linux users have already escaped; why would they worry about MS? It is the MS users that write viruses to hurt MS.

    I also like the theory that the MSBlast virus was written by MS. The primary purpose behind that virus was to annoy all the users enough to patch their systems.
    - It also required every unpatched MSWindows PC to report itself to MS. MS might be able to use that information.
    - The virus also seems to have been poorly written. MS may not have the monopoly on bad programmers, but they definitely have the largest concentration of them.

    Anybody who wanted to cause real damage would write a virus that spends 24 hours spreading itself, and then silently wipes the "drives" starting at Z: and working backwards to C:. That would cause a few heart attacks in the corporate world. It would also force the world to switch away from MS. The MSBlast virus was just a warning shot, and I doubt it was written by someone who actually wants to harm MS.

    I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.

    With scripting kits, brains are not a requirement for writing a virus. See the stories about the virus writers who have been caught; none were particularly smart. (OK, they were CAUGHT, so the sample assumes some incompetence.)

    Very few people prefer MSWindows; most people do not know there was a choice.

    ---
    The Linux community wants to succeed by demonstrating that the community development process develops better code and applications than hidden proprietary code can produce. MS's security holes are a demonstration that their development process has severe faults. Linux and OpenOffice should remove MS's revenues very soon, and then MS will fall. We want to win fair.

    --
    I spend my life entertaining my brain.
  18. Linux does not require technical ability by solprovider · · Score: 4, Interesting

    Linux does not require technical ability anymore.

    There are several distributions (Mandrake, Lindows, ...) that may be installed by the complete novice.

    That said, I am using RedHat (because I live in the US and it is still the most popular distribution here.) The RH9 installer does not even make suggestions for how to partition the hard drive. (A friend asked if he should make the root ext3 or a swap partition? The interface implies that this is acceptable.)

    Once Linux is installed, a typical user would never see the command line, and only needs to learn one GUI.

    Linux can also remove some of the fear of computers because you do not need to worry about the usual viruses. Your acquaintances that have trouble right-clicking and double-clicking may be better with Linux, since the menus are usually written before the context menus, so every option can be accessed with one button of the mouse. (My grandfather uses the ENTER key instead of double-clicking, since a couple of strokes have upset his timing for double-clicks.)

    You also assumed that the Linux users must have installed Linux. In the corporate world, computers are installed by IT, regardless of the OS. And today the home consumer can buy a computer with Linux already installed. That assumption is not safe.

    ---
    Good application designers assume the users are complete idiots. Applications designed that way are easier to use, require less documentation, and have more safeguards to prevent GarbageIn. And when the complete idiot does ask for support, invite them to be a primary tester. Even idiocy can be useful.

    For Linux to become the main personal computer operating system, it must be designed for use by idiots.
    - Why does it seem that most users are of below-average intelligence? Do smart people avoid computers?

    --
    I spend my life entertaining my brain.
  19. This is ironic by Darth+Daver · · Score: 3, Interesting

    I just went to Zone-H, and it said that 100% of the defacements were on Windows 2000.

  20. It's the user, not the OS. by Beardo+the+Bearded · · Score: 3, Interesting

    I run Windows 2000. It's up to date, and it has been since I installed it. I don't use a firewall, and only installed a virus scanner two days ago after my wife insisted. Despite that, I've never had a virus. My preferred method for dealing with people trying to get in is to pop up a message on their computer to stop. Either that, or I call their mom. (Which is usually a very funny conversation - give it a try sometime!)

    Anyway, I blame my College for my lack of infection. The only email program we could use was pine. I still use it to this day, and it's my favorite email program. Nothing to configure, nothing to install, works anywhere in the world, extremely lag-resistant. The most important feature - you can't click on anything.

    I digress: back to infection. No matter what program you're using, you can't just run whatever random garbage Undugu sends you. The majority of users will not understand that. My father, for example, can't understand the concept of Spyware, Adware, or Pr0nware. Eventually I had no choice but to physically destroy a CD he bought. It installed Spyware and Pr0nware, and he would not believe me, no matter how many times I explained.

    So, what does that have to do with Linux? It's simple. The majority of Linux users are smart enough to not click on any random thing that gets sent to you. That's the difference. It's like a gas station that offers free gas. The catch? It's 50 octane. A lot of people would go. Yes, they would. Those of us who know something about cars would know that that kind of rating would seriously mess up your car. Sure, you could install a refinery into your car and add anti-knocking agents, but you're better off not getting gas there.

    People who use Linux are, from my experience, very knowledgeable about computers and take care of them. Once the goal of "Linux for the Masses" is achieved, then - AND ONLY THEN - will you see the true devastation that rampant idiocy can wreak on an operating system.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  21. No Contest by gutbucket · · Score: 5, Interesting

    The only security parallel between Windows and Linux is the susceptibility to lazy users. If you don't patch... you're dead in the water and you deserve it. Linux, windows, whatever.

    That's where the similarities end. Linux is inherently more organic, configurable, stable and open. Windows has an upper limit on the config bashing you can do and the efficacy of doing so.

    If I, with my Linux box, have a vulnerability that the vendor, or code monkey who wrote the thing, doesn't have a patch for... not a problem. I can do any one of a thousand things to make my linux system either more secure or less susceptible, including looking for alternative programs that do the same thing. From the kernel to userland... I have control. It's more work, perhaps, but so is police work.

    Windows. Please. I'm at their mercy. Their patches. Their schedule. Their patches to their patches. Bah!

    Look at it this way: Windows is a prefab house. It comes in one flavor, one shape, and one color. It is architected (sic) in the hopes of being able to withstand a wide range of climates.

    Linux, or any of the unixen, can be a tent you use to climb Everest. Or a mansion in Palm Beach. Or a Hotel in Monaco. Or a skyscraper in NYC. Whatever you want. It's up to you and how hard you are willing to work.

    --
    Just do what you do best
    Arnold "Red" Auerbach.
  22. Re:More to the point by quantum+bit · · Score: 3, Interesting

    OpenBSD is a great secure server platform if you want to run... uh... OpenSSH...

    It's like all the people who want a Mac for gaming. I mean, there's tons of great games on the Mac. Like Warcraft 3. And... Warcraft 3. And the little apple puzzle thingy...... photoshop?

    So if you want to run a very secure SSH server, OpenBSD is the way to go! For anything else (i.e. anything not in OpenBSD's "secure by default" install, which is everything besides OpenSSH), it doesn't make a whole hell of a lot of difference what OS you run it on.

  23. Linux is not inherently more secure by kris · · Score: 3, Interesting

    If you want to discuss the success probability of a worm, there are three aspects here which need coverage: First is the actual quality of the implementation of the operating system. Second is the concepts behind that implementation. Third is the density of the system population.

    The quality of the implementation in Linux is highly variable, depending on what part of the system you are looking at. There are parts of Linux that are of an extremely high implementation quality such as the kernel, the Apache web server or other active and well researched projects. There are other parts of only medium quality such as for example the popular PHP language.

    And there is a lot of stuff that is of actually pretty low quality, badly researched and incredibly crappily written from a security point of view. Common PHP applications such as PHP Nuke, TikiWiki or other "CMS" style applications belong in that category. Getting web server privileges through one of these using a pathname exploit, badly written uploads or other commonly known classes of security problems is usually a piece of cake. From that you need to find a local root exploit to own the machine. That's a little harder to do than a simple web exploit, but also nowhere near impossible.

    Also, current PHP coding techniques do little to minimize the amount of such code being written and to encourage clean coding. That brings us directly to the concepts section: There is no equivalent of ASP.NET type infrastructure and tools in the PHP world. Windows may have bugs, but in this particular instance they may be in an area where PHP for example does not even have code to show...

    When you are discussing security concepts, Windows often is on par with or even surpasses common Linux systems. Windows' failure is too often in the area of implementation, or it fails to leverage and deploy the concepts it implements. That's why Windows passes US and European security evaluations, but does not feel "more secure" in day to day use. For example, Windows has had Access Control Lists as part of NTFS since the very first 3.0 days.

    Only with the advent of Windows 2000 did Microsoft start shipping Windows with halfway decent defaults, though. Also, getting to see and check the ACLs of a directory hierarchy with onboard tools is laughably complicated compared to what Unix presents (namely, a moderately complex security system with ugo/rwx and ACLs tacked on for those special cases, and "ls -l" to mass check an entire directory with a single command).

    Windows also has superior concepts regarding impersonation (instead of SUID), RAID as part of the default operating system way before the actual Unices had it, a PKI and a directory service as part of the default operating system shipment (and code that actually uses that, by default, unlike Unix, where you have to jump through hoops to get your mail server, samba server, your different logins and your client applications to use such a service if you had one by default) and several other things that look nice in the book.

    Unfortunately, all of this is of little use against worm style attacks. Here the conceptually bad parts of Windows reign: Treating data as code and in some cases even automatically executing data that has been recognized as code (HTML mail with Javascript, Office macros, HTML with Javascript that is being executed when entering directories) is the major attack vector. Also, badly designed and protected desktop IPC, allowing for the shatter attack and other legacy sins, make the Windows desktop a primary target for worms and viruses. None of the above security mechanisms help protect against this style of attack, which is why Windows looks good on paper, but not on your desktop.

    Also, unfortunately, the Windows population in your average company is dense enough and homogeneous enough to allow for wildfire type effects when the attack is spreading over the network.

    Linux has similar vulnerabilities as Windows has, but we do not see them at the moment, because even if there were a worm that could uti
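The PHP hole classes named in comments 15 and 23 (SQL injection, an "external file call" on a request-controlled path, and register_globals-style variable injection), as an added example that is not PHP-Nuke's code or any poster's: each vulnerable pattern sits beside its hardened rewrite. It assumes PHP 8 with the PDO SQLite driver; the table, module names and function names are made up for the demonstration.

```php
<?php
declare(strict_types=1);

// --- 1. SQL injection ----------------------------------------------------
// Vulnerable: the request parameter is spliced into the SQL text, so a quote
// character in the input rewrites the query itself.
function lookupUserVulnerable(PDO $db, string $name): array|false
{
    $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the value separately from the query,
// so it can only ever be compared as data.
function lookupUserSafe(PDO $db, string $name): array|false
{
    $stmt = $db->prepare('SELECT uid, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// --- 2. External file call on a request-controlled path -------------------
// Vulnerable: the module name comes straight from the request, so "../"
// sequences (or, with allow_url_include on, a URL) choose which file runs.
function loadModuleVulnerable(string $requested): void
{
    include 'modules/' . $requested . '.php';
}

// Hardened: the request selects a key in a fixed map (hypothetical modules);
// no path arithmetic is ever done on visitor-supplied text.
const MODULES = [
    'news'  => 'modules/news.php',
    'forum' => 'modules/forum.php',
];

function resolveModule(string $requested): ?string
{
    return MODULES[$requested] ?? null;
}

// --- 3. register_globals-style variable injection -------------------------
// Vulnerable: $isAdmin is assigned only on the success path. With
// register_globals (extract() of the request stands in for it here) the
// visitor can predefine the flag before the check runs.
function checkAdminVulnerable(array $request, array $session): bool
{
    extract($request);
    if (($session['role'] ?? '') === 'admin') {
        $isAdmin = true;
    }
    return isset($isAdmin) && (bool) $isAdmin;
}

// Hardened: every control variable is initialised up front and the decision
// reads only server-side session state, never the request.
function checkAdminSafe(array $session): bool
{
    $isAdmin = false;
    if (($session['role'] ?? '') === 'admin') {
        $isAdmin = true;
    }
    return $isAdmin;
}

// Constructed demonstration data: an in-memory SQLite table, no real site.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (uid INTEGER, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

$hostileName = "nobody' OR '1'='1";   // no account carries this literal name
var_dump(lookupUserVulnerable($db, $hostileName));  // spliced query matches rows anyway
var_dump(lookupUserSafe($db, $hostileName));        // bound value matches nothing

var_dump(resolveModule('news'));      // allowlisted key resolves
var_dump(resolveModule('../news'));   // not a key, so it is rejected

var_dump(checkAdminVulnerable(['isAdmin' => '1'], []));  // request-defined flag wins
var_dump(checkAdminSafe([]));                            // empty session is denied
```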

  24. UNIX virii/worms by hackerm · · Score: 4, Interesting

    One comment you often hear from Linux/UNIX people is that their systems can't get infected because all code executes in userspace and cannot do any harm to the system. You can just kill the process/delete the file and all is good again. And if people execute unknown code as root, they have themselves to blame.

    But many UNIX worms/virii don't rely on code being executed as root. They spread using security holes such as buffer overflows, and don't need anyone to click on an attachment or execute an unknown binary.

    I don't have the links to back it up, but wasn't the first worm ever a UNIX worm, written by a kid whose father was in the security business and told him about security holes in UNIX systems?

    I don't think that the OS decides whether a system is secure or not. Sure, it is a factor, but sloppy administrators and developers are to blame as well.