Is Linux as Secure as We'd Like to Think?
man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
First, the user base for Linux is inherently more systems-savvy and internet-knowledgeable than the Windows user base: it comes back to the old Linux-on-the-desktop argument. As long as you've got less systems-savvy users on a particular operating system, it will be more vulnerable to attack. As a result, people with more tech knowledge tend to also run a more secure system - just like my lawyer friends know not to let the cops search your car.
Anti-establishment psychology also comes into play: for example, you don't see anti-business graffiti on your local coffee shop, you see it at Starbucks. When people want to make a statement about animal cruelty and food, they often picket at McDonald's - not the local Mom & Pop restaurant. Why? Because it's perceived as cool to go after the big business. Writing a Linux virus isn't nearly as cool as taking down Microsoft. The recent viruses attacked Windows Update for a reason: to make a statement. Calling Linux secure because people love DDOS'ing Microsoft is faulty logic.
What's your damage, Heather?
Personally I have all my end-users sign on as root. So far so good
I think website defacement and Linux security are 2 different issues altogether. From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of the operating system or the web server for that matter. It was only a security hole in one php script. This security hole was identified and patched rather quickly but I failed to apply the patch in a timely manner. But the rest of my websites were fine along with the rest of the services running on that box.
My opinion is that there are a lot of free / cheap web hosts out there running OSS and a lot of people publishing web pages and message boards using scripts that someone else wrote and not updating them.
I would like to see a comparison of the types of web pages that were defaced and what was actually done; I bet most of them had nothing to do with the operating system the website was running on.
"A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
A system is only as secure as its most insecure user / service.
I think we are correct in saying that Linux is more secure than Windows. When we are talking about just the operating system, then we can safely say that it is more secure.
Of course as we add applications to any system that system becomes more vulnerable.
It's just that Windows starts off vulnerable and gets worse as we add more apps (ie, Web server, ftp server, etc.).
btw, if you want to secure your linux box against viruses, etc... you at least have the option to recompile the distro.
Make sure everyone's vote counts: Verified Voting
Does this take into account the # of linux servers vs. windows servers? If there are significantly less windows servers, then this isn't all that significant. If there are less windows servers, but just as many break ins as linux, then windows is still more insecure despite the fact that they have the same number. they have more per machine. i hope that made sense =)
The only real way to secure a computer is to pull the power plug out of the wall. If you spend time maintaining your computer, keeping it up to date, and you know what you are doing, there is little chance that you will have major problems. Anybody who puts a linux system on their network and doesn't update it is likely to have their system exploited.
Got Extra Money?
Email viruses like Sobig are aimed at desktop users. Since most of the desktop users run Windows, it makes sense that most of the viruses would be targeted at them and not Linux users.
Download my free songs!
Species of Windows Programmer: Human
Species of Linux Programmer : Human
Chances of human error making it into the code: Equal
Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?
Looks like some of that "defacement" is happening close to home.
view-source:http://www.zone-h.org/
DB connection failed ().
Absolutely not! These are not viruses that exploit bugs in code. These are socially engineered programs designed to get the user to run them.
You can't make the argument that the "average intelligence of the linux user" is higher than joe-sixpack's because if we are talking about linux-in-the-mainstream, then the "average linux user" will be joe-sixpack! Also, you probably can't talk about the fact that it isn't as mind-numbingly easy to run a script in linux as it is in windows, since those arguments contribute to why linux isn't mainstream in the first place!
Or your admin makes it.
I used to run an old distro (RH 5.1) for the longest time (it had everything I needed) and it was full of security holes after doing the install. But disable some services, update some packages and presto - you're ok to go.
It's the same thing with Windows - check out the services turned on by default after installing Win 2k. Half of them will never be used by a home user.
So patch your box, remove unnecessary services and you should be alright. If you know what you're doing, you'll be ok.
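An added example (not part of the original thread) of the check the comment above points at, finding services that are listening but not needed: it decodes `/proc/net/tcp`-style text and flags listeners that are neither loopback-only nor allowlisted. The sample table and the `ALLOWED` set are constructed, and the address decoding assumes a little-endian (x86) host.

```python
# Added example, not from the original thread.
# Lists TCP listeners from /proc/net/tcp-style text and flags the ones that
# are reachable from the network and not on an allowlist of expected ports.
import socket
import struct

LISTEN = "0A"      # TCP_LISTEN state code as printed in /proc/net/tcp
ALLOWED = {22}     # assumption: only SSH is meant to be exposed on this box

# Constructed sample in /proc/net/tcp layout (IPv4 only; /proc/net/tcp6 uses
# a different address width and is not handled here).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1320 1
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1105 1
   3: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1410 1
   4: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 02:000A0000 00000000     0        0 1502 1
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port).

    The kernel prints the IPv4 address as a host-order 32-bit word, so on a
    little-endian machine the bytes appear reversed (0100007F is 127.0.0.1).
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listeners(proc_net_tcp_text):
    """Return [(ip, port), ...] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != LISTEN:
            continue                                  # established, etc.
        found.append(decode_endpoint(cols[1]))
    return found


def unexpected(found, allowed_ports):
    """Listeners bound to a non-loopback address on a port nobody approved."""
    return sorted(
        (ip, port)
        for ip, port in found
        if not ip.startswith("127.") and port not in allowed_ports
    )


if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for ip, port in unexpected(listeners(SAMPLE), ALLOWED):
        print(f"unexpected listener: {ip}:{port}")
```

In the constructed sample the loopback-only listener on port 631 and the allowlisted port 22 pass, while the listeners on ports 21 and 111 are reported as candidates to disable.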
I just install a vanilla Redhat on all my boxes. They get rooted within a few days, and the hax0rs take care of the security updates for me. Course, I can't log in as root anymore, but hey... that's a feature.
When I say that Linux is more secure than windows, I see it on many levels.
For an end user it's obvious since in windows you are always the admin (even in winxp where you can finally really change the power of the user, a lot of shit doesn't work right unless you are the admin). This basic security difference is HUGE.
Then there is the whole open source vs closed source security. I truly believe in that. It only makes sense that it is going to be more secure in the long term. This doesn't mean exploits don't exist - it's just I'm prone to believe that there is someone using an unknown windows exploit as we speak to do something bad and it might be YEARS before that one is ever found (history backs me up on this one) but yet if there is something as blatant as the RPC exploit in OSS, we tend to see fixes for it rather quickly (again history backs me up here).
Don't confuse the idea of inherent security with stupid users and sysadmins or even part time sys admins that aren't paid enough / don't work enough hours to keep a handful of servers updated across town.
The ultimate network admin tool needs HELP!
Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
Anyone can write a worm that leverages a security hole in a default service of a default Red Hat Linux install. Or Windows XP Home Edition.
However, it takes considerably more skill to be able to write a worm that can target vulnerable services across multiple distributions of Linux, multiple versions of each distribution, etc.
As long as Linux evilware continues to exploit C program unchecked boundaries, a single universal worm that can effectively exploit every potentially vulnerable Linux system remains highly unlikely.
Linux is less vulnerable because there are fewer identically configured machines on the internet.
:)
One of the things about Windows is that there are so many copies out there that are all configured the exact same way, if a flaw is found in anything you have an instant worm possibility.
With Linux there are so many distributions, each with their own initial configurations and setup types that a worm would be hard pressed to find a common exploit.
Not that the internet hasn't been shut down by a UNIX worm in the past, that is...
Windows web defacements are the fault of a crappy, inherently insecure operating system from a criminal monopoly.
Linux defacements are the fault of stupid admins who can't be bothered to install the latest patches, or who are too incompetent to install the OS and configure it for security.
I thought everyone knew that.
Cheers
-b
I've seen people on Windows machines probed and hacked while they were online on IRC, in real time. Any passably competent cracker should be able to take control of a Windows box in short order. And Microsoft is well known for being slack on security matters. Always has been. And VB and the other tripe they've grafted on to their products multiplies the possibility for hacks by an order of magnitude.
Yes, there are Linux hacks, though far fewer than Windows hacks. And I see the buffer overflow vulnerabilities and such that come out weekly for Linux software. Many of those vulnerabilities are theoretical, found by a perusal of source code and never actually taken advantage of. And the Open Source community fixes these _far_ faster than Microsoft will ever fix theirs.
Oddly, some of the foremost security guys (Bruce Schneier, for example) state very explicitly that Open Source software is far better security-wise than any closed source software (read Windows). And they explain the reasons in great detail. And there are several people on this list who deal with both OSes on security matters on a day to day basis, and I'm pretty sure they'll attest that Linux security is much stronger than Windows.
If nothing else, a Linux user can determine and control open ports, running services, and create firewalling rules. Windows users think a port is something a ship pulls into, and a firewall is something in their cars.
Modern viruses work by two major routes:
A) Exploits
B) Social Engineering
Exploits are hard to stop without patches. Get enough unpatched systems, and your virus spreads. There are a lot of guilty linux users here, I'm sure: people download software all the time without checking its security. People run software daily without bothering to check for updates. It happens.
Social engineering, however, is by far the most widely used virus tactic. It's easier to fool a user than to fool a well-secured computer, says this adage. The basic premise fails under linux: it's really, really hard to get someone to run malicious code that you want them to run. Most linux users are above-average on the computer-tech-savvy curve - I would say that the mean computing knowledge for an average linux-desktop user is above the 90% mark on a curve of all computer users.
This means linux users don't do stupid things as readily. The subject line RE: DOWNLOAD MY NEW SCREENSAVER with the attached .tar.gz isn't likely to fool many people. I have a hard time believing that most SoBig victims are those who know what Bayesian filtering is; actually, I have a hard time believing that most SoBig victims know what Inbox means.
Furthermore, it's tough to write code that will run without a hitch on everyone's system, as there's so few distro standards. Also, as email virii work, with linux being a small desktop percentage, it's tough to get emails into the boxes of most Linux users.
Last but not least: There are few people who want to see Linux die. The rivalry doesn't work in both directions. There are thousands of anti-MS'ers, but a sad few anti-Linux'ers (SCO not included. =P). What would the protests be? "Hey, assholes! Keep your free operating systems off of our clean hardware! You're ruining good pentium chips by corrupting them with something non-proprietary!" etc.
Just a few points. I'm sure there are better ones.
I do contract work. A HUGE bulk of it lately has been doing security audits on companies running old redhat, old plesk, or both that have been hacked by shit Brazilian hacker groups like "Hidden Wrestle" and "Securinos". They hang out on irc.brasnet.org all day looking for webhosts using old plesk and old redhat. It's an awesome excuse to migrate people to FreeBSD and webmin. I've done quite a lot of that lately. They freak when they see the cost of the latest plesk and enterprise redhat. It makes selling them on FreeBSD and webmin/horde/squirrelmail/usermin/virtualmin/etc. very easy. So as long as people insist on installing 2 year old redhat and plesk 2.5 and never updating it, I'll have plenty of work removing eggdrop and psybnc from machines, and migrating people to FreeBSD. I'm starting to look at BMW's again.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
At least, not always
IMHO, the single greatest threat to having a site defaced is the use of insecure protocols for publishing. Let me be more specific: FTP. Most web development tools use FTP for their "publish" feature (e.g. Dreamweaver, just to pick on them). Securing FTP is a nightmare, with all the ports randomly popping up and so forth. You have to dumb down a firewall quite a bit, and having it tunnel over SSH only partially secures it (and you still have to deal with the firewall woes).
So, an employee goes home at night, and updates his company's web site over her cable modem connection, and the 12 year old down the block running a sniffer captures the user ID and password. She then passes this information on in a chat room, and voilà! The site is defaced shortly thereafter. It does not matter what OS the site is on.
Having said that, some systems are more prone to social engineering. If the server goes down due to numerous patches being applied (and the requisite reboots), a web developer might get used to the IS department resetting her password and thus more susceptible to that phone call asking for the login info. But my point is, web site defacements do not necessarily indicate the security of the OS. It is a combination of protocols used (how about only allowing SFTP?), policies, and implementation by knowledgeable admins. Unix (Linux, BSD, etc.) admins tend to be better at implementation and policy development than their Windows brethren, perhaps that is the causal connection.
The OS is only as secure as the user. If a lame Linux user does everything as root, he's going to be more vulnerable than someone using Windows 2000 with a firewall. If a lame Windows administrator doesn't have a decent firewall and keeps all kinds of ports open, he's going to get hit too. It's about users knowing what they are using. But I have to say that a default Windows installation does appear to be less secure than most default Linux installations.
An unmaintained system is almost always more vulnerable than a maintained system, no matter what they are. Also, I don't know how secure you'd like to think GNU/Linux distributions are - they're made by humans who make mistakes.
But the recent attacks certainly give evidence for the Linux crowd. XP comes with multiple open ports by default, by default doesn't enable a firewall, and its mail reader by default runs arbitrary programs sent by attackers when clicked. Typical Linux distributions have no open ports by default, use a firewall, and don't stupidly trust attackers to send them "nice" programs when clicked.
The notion that Linux systems are immune is fundamentally wrong. Linux systems do make design choices that make them rather resistant. But it's all more complicated than "X is always more secure".
- David A. Wheeler (see my Secure Programming HOWTO)
Hey, if I told you that one in every two Ferrari F-40's explode for no reason, but only 1 in every 1000 Honda Civics explode for no reason, which explosions are going to be more noticed? Obviously Honda, as there are more of them on the road... so...
Linux may or may not be as bad for security, but when Windows gets exploited, it's felt... and it's felt HUGE!
---
Programming is like sex... Make one mistake and support it the rest of your life.
It has come to our attention that not only are you wasting your time posting to slashdot when you should be looking for a job, but you are also a moron. The W32.Blaster worm goes by many names, something you as a geek should know.
Please move out of our basement and take all your Hentai DVDs with you.
Love,
Mum and Dad.
I've actually gotten irritated enough with "Linux is more secure than anything!" zealots that I've considered writing a Linux worm. I seriously doubt it would be hard. Go find some old security advisories for Apache, SSL, and anything else you want. Hook together a Linux-killer worm that tries all of the exploits, installs a rootkit on the compromised system, and sets that one up to probe. If you wanted to be really evil, you could code it to start doing subtle damage after a week - wiping random passwords, deleting random files in user's directories, and so forth. After a few months it could start causing kernel panics if you wanted.
Would it work? Of course it would work. For all the "Linux is secure!" talk going on, what they really mean is "Linux is secure if it's patched up to the most recent versions" (curiously enough, this is the same as Windows). I'll bet you cold hard cash that there are plenty of old unmodified Redhat 5.0 systems out there. How many root exploits have been found in the last few years? How many holes have there been in Apache, SSL, Samba, any other program that's installed by default?
Nobody's done it yet - but that doesn't mean it's not possible.
The only reason I haven't written the worm is because, in the end, I'd cause a whole lot of financial problems and headaches for a lot of people who didn't deserve it. I'd love to prove Linux doesn't have intrinsic perfect security, but I don't want to actually do damage to prove it.
But just wait - someone's going to do this someday. In fact, for all you know, somebody already *has* - they've just programmed it to be unbelievably stealthy and only target systems that the admin hasn't logged onto in months.
Go on - prove it's impossible. I dare you.
Breaking Into the Industry - A development log about starting a game studio.
Both Linux and Windows must first be properly patched and locked down; the differences between the two are:
1. Linux's security model, when properly used, makes it harder for an intruder to go from "foot in the door" to "root access."
2. In the case of Linux, you won't have a whole new set of remote root exploits that need patching 6 hours later.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
Personally, I think Linux will always be more secure as long as Windows doesn't implement users and groups correctly. In XP, the default login is Administrator, which allows for access to EVERY single file on the system. The installation doesn't tell you this either, it just uses it if you setup only one account. With Linux, even if someone were to break your user password, or exploit their way into a user account, they can't do nearly as much damage as in Windows. Of course if they get the root password, you're just as screwed, but at least there's a barrier of protection between levels.
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
Linux itself, and any OS can be very secure, in the hands of a competent admin. It's when you get a moron in command that the integrity of the system goes down the pooper. Even OpenBSD can get owned if a moron is running the show.
And remember: Website defacements are often a level above owning the actual server, PHP Nuke has an awful track record, with new holes found all the time, and other site management software is vulnerable as well. Cross-site scripting, CGI exploits may allow a level of access to a site, or even compromise a user level account, but in the hands of a skilled admin, this is nothing compared to a fully successful root exploit, and can be dealt with.
And of course, no matter how good you are, if you allow remote root ssh connections, and your password is "demiguru" for every account you have anywhere, well then, you're just a dumbass. Yeah Nick, I am talking about you.
--Nuintari
slashdot : where an opinion can be wrong.
Hmmm for today's defacements, I see there have been 16. I also see that they have all taken place on Win2000 servers. Also, while viewing these stats, I saw a banner-ad at the top of the page for Zone-H that says Windows is the most insecure OS and that 51% of defacements are performed on Windows servers.
I say Linux is *overall* more secure than Windows. Not because of the number of exploits, but the *attitude*.
Let's face it: nothing is 100% secure. As long as software is made by humans, there *will* be security vulnerabilities.
So, what matters is how you deal with bugs and vulnerability. The open source community is much better at this than Microsoft. Security patches are often released in a few days *and* peer reviewed. Those patches break a lot less things than MS patches because they're peer reviewed.
Also, no Linux email client supports automatic execution of executable code. This already eliminates most of the viruses today that are made by script kiddies. And you have to manually save the attachment to disk and add the execute bit. This is a lot of work for Joe Average.
Of course it's still possible to get a virus, but the point is that the overall chance is lower.
So yes, I'd say Linux and open source is overall more secure than Microsoft. Security is not measured by the number of exploits alone!
Kernel? Applications?
All operating systems are insecure by nature. Windows, Linux, Unix... ad nauseum. What makes Linux appear to be a more secure OS is that there are not nearly as many Linux hosts as Windows on the net and the technical abilities of Linux users are remarkably higher than your average Windows user and AOL subscriber.
Does anyone remember Redhat 6? How many people got rooted via SunRPC?
I really like linux... I run Debian unstable with:
hermes:~$ uname -a
Linux hermes 2.6.0-test4 #0 Mon Aug 25 15:25:10 CDT 2003 i686 GNU/Linux
File permissions don't mean a damn when you've got root.
But if Dell shipped 95% Red Hat boxen, you'd see a lot more Linux worms show up. Maybe not as many as Windows, but still...
Schnapple
The way I see it, the reason you see more Windows exploits is because:
a) There are more people working to find exploits in Windows.
b) There are more people to affect by finding a Windows exploit.
What would be the point of distributing a worm that used a Linux exploit? Relative to Windows, Linux has basically no userbase, so you wouldn't have the "strength in numbers" to cause any widespread damage. Bottom line - if you want to wreak havoc, you need to do it on Windows, just by the numbers alone.
It really is the COMBINATION of factors:
* number one reason is probably that most user desktops are windows;
* an average linux user is a lot more technically savvy than an average windows user, and is much more likely to understand the importance of applying patches [my non-technically oriented friends ALWAYS IGNORE those "updates are ready for installation" messages];
* as a lot of posters have mentioned, Linux systems can be made more secure (open source, security-minded design, ...) -- if you know how;
* I'd guess people who create these things might use MS hatred as an excuse;
* there is greater diversity among linux software, whereas most people use outlook/msie on windows; (maybe to a lesser extent,) same is true for OS versions; this makes it easier to target MS.
* (Probably more that can be added here.)
For instance, they don't think having to type in a password to run Setup.exe is even remotely reasonable. Their view of the computer is: "if I want to do something with my machine, I should be able to just do it. Don't put anything in my way." And if they were forced to take precautions, their password would end up being something like 'a'. And a regular schedule of changing passwords? Forget it.
Another example, a little more relevant to this case: people want their email for sending dirty pictures, HTML joke pages, funny Flash or Shockwave animations, Active X games, etc. They'd be bored to tears if they had secure email. And they'd be pissed off at anybody who was responsible for it. Have any of you guys ever taken heat for banning popular but incredibly insecure software at your site? Or spyware.
And it's astounding how many supposedly intelligent people (programmers) who have you in their address books end up sending you virii because they were stupid enough to continue clicking on emails about 'Hot pics' or those 'Snow White and the Seven Dwarves' emails. Sheesh.
All this is not to say that Microsoft doesn't have some basic architectural issues--they do. But the unreasonable demands and silly behavior of many users more or less prevents them from changing any of it. And when they do change it, people ignore it for the sake of convenience. It's been possible to run as an unprivileged user for a long time with Windows. And it's not difficult to do. But guess how many people actually do that.
There was a story on kuro5hin a few months ago about this, where a guy figured out a way to enter his own price for a product on an electronics website and was ordering hardware for less than what the page said it cost. And got away with it. This kind of hole is scarily prevalent I've found, as a lot of backend developers are very lazy and inexperienced people.
I think this is what's meant by 'applications' security. The box itself may be locked down well, but it's taking advantage of the open services in ways the developers never intended.
-
"I love you" and "soBig" both happened because too many people are using Windows, not because Windows in itself is insecure.
Any homogenous system will always be vulnerable to these kinds of attacks.
The problem with any homogenous system (ecological, social or digital) - even if it might be very effective and streamlined when it works - when one of the units fails: all fails.
The key to building resistant systems, is making them heterogenous. Nature has figured that out millions of years ago. The key to securing a species survival is variance.
The same goes for computer systems. When 90 % of the computers are running Windows, Office, Outlook, viruses like ILoveYou and soBig have disastrous effects. (The fact that there are several versions of Windows, with different SPs installed, is making it a lot harder to write effective viruses).
My biggest fear is that Microsoft will end up with a subscription system, and automatic updates. This could lead to a totally homogenous computer park... it is bound to be disastrous..
It's those communist dual-booters that we have to worry about.
You can't judge a book by the way it wears its hair.
The only way to know how many exploits and holes there are in Linux is to find them and fix them. (Fixing is important, as code changes at point X can impact the code at point Y. Thus, as one hole is closed, another could potentially be opened.)
To do this with every single hole in every component in a standard Linux install - in short, to produce an A1-compliant desktop OS, with all the capabilities you'd typically want - would be a financial and logistical nightmare. I did a quick back-of-the-envelope calculation on what you'd need in manpower, just to keep up with the rapid development of the software.
You're looking at a few million coders, and about the same number of Higher-Order Logic mathematicians. This translates to a cost of about a hundred billion dollars a year.
Now, you can argue that this is to get an exact evaluation of Linux, and to produce a completely secure implementation. To get a rough estimate only (no actual improvements, just the figures), you are still probably looking at ten to a hundred times the amount IBM spent on their certification.
Any estimates that anyone can reasonably afford are going to be impossibly inaccurate, and swayed by the mood of the day.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The above poster is absolutely right. For instance, when comparing applications on one system to apps on another, that's an entirely different discussion from the user model of Windows vs. Unix/Linux. The Windows user model is pretty retarded and very insecure, allowing all kinds of bad things to effectively run as "root", something that doesn't happen on Unix without some level of user intervention. Another major problem is the level of component integration within Windows. Why on earth does an instant messenger client need system level access, like it has (or possibly used to have, if they've changed things, although this isn't likely) with MSN?
If somebody discovers a buffer overrun error on Unix, as has happened from time to time (like the ftp buffer problem discovered many years ago), it takes a lot of machine and architecture-specific information to do anything invasive. But on just about any Windows machine, you need to know much less in order to successfully exploit a buffer overrun.
I don't consider the security of Windows to be anywhere near that of Unix, and I think anyone who seriously tries to argue that (or even question whether they're possibly equivalent) has a lot to learn about operating systems.
So the first step is to get used to that idea.
Beyond that, is an optimally configured Linux system more secure than an optimally secured Windows system?
Yes, I think so, that's one of the reasons I use Linux. But let me ask you this, how many optimally configured systems do you think there really are? For that matter how sure are you that your system is optimally configured? If you have to spend even a couple seconds thinking about that question, think about the average bloke.
There's a social flaw in the system as well, which thus affects all systems no matter what operating system they're running.
To secure your home you call in an expert. A locksmith, perhaps an alarm systems expert as well. Virtually everybody does this. It's so ingrained that it's considered a no brainer. You'd have to be an idiot not to have proper locks on your doors and windows, right? If your security is ever breached ( say someone steals your keys) you can't get to the phone fast enough to have the locksmith come over and change all the locks.
How often have you had a pro come over and check the "locks" on your OS? Do you even know anyone who can do this? Can you look one up in the Yellow Pages?
Why not?
If you are such an expert yourself how many systems have you, outside of your "job" bothered to secure for people? Are you too snippy and think that "lusers" just shouldn't be allowed to operate computers? Maybe you're a part of the problem. Help be the cure.
I've just given you an entrepreneurial niche on a silver platter. Why not take a nibble?
KFG
I personally would prefer to use an OS that has been refined over and over... and over.
It is very comforting to think that the OS I'm using has been improved by hundreds of thousands of people. Some of them have security in mind, some have performance in mind. I can hardly think that Microsoft has anything but the bottom line in mind. That's swell and all for the economy (kinda..?) but the bottom line doesn't help me sleep at night. The knowledge that I'm using an OS built by a generation, not a company helps me sleep.
As was stated in "Pirates of Silicon Valley" - it wasn't that Microsoft did it best, they just did it first. Any CEO that would say that... whose best interest did HE have in mind???
R-
Hard loop..... huh?
Dynamic Designs
That's an excellent first post.
I think you are about half right about the first point... how many really clueless users do you know that run linux? To run linux, a person has to get over the "activation energy" of actually getting it installed. This goes beyond just having a pretty GUI installer rather than some text-based option... it's actually knowing how to answer the questions the installer asks: How many joe-sixpack guys even know what an IP address is? Or know their primary and secondary DNS server addresses? If some well-meaning geek has installed a linux system for their grandma, they probably set up IPtables and killed all the unnecessary services... that's a HUGE security advantage right from the start. It's amazing what a clueful install can do.
But onto your second point. I think it has more to do with the variety of linux users/systems rather than their iconoclastic attitudes (though the latter probably breeds the former, so in a way, you could be right). As a medical professional, I'd compare it to a genetically heterogeneous population. In a MS-centric environment, there's only so many ways to skin a cat... Win2K, WinXP, et al. That lack of variability has administration advantages, but that sword cuts both ways. Common systems are easily administered, but just as easily cracked if they share a common vulnerability.
In nature, genetic variability is your friend... keeps an entire population from being wiped out by a plague. The Cystic Fibrosis gene is a defect, but saved some people from death during the cholera epidemics of the middle ages, and the gene has stayed in the northern european population ever since.
Variation on systems is FAR more prevalent in the linux world. Different kernel versions, different daemon versions, different firewalls, different configs (chroot, etc). Add that to a tech-savvy population, and a successful linux worm becomes a serious challenge.
It's really apples and oranges to compare linux and MS environments.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
If Linux was based on a system developed 15 years ago it would have problems too. Linux is based on UNIX which has 25 years of learning and growth experience. While my choice of os is a *Nix, you gotta admit M$ drove lots of features onto the forefront of consumer computing, sadly they did it with horrendous coding discipline. Anytime you introduce that many new features, a LOT of holes and bugs will crop up. The real 'CRIME' is their lackadaisical approach to fixing them. I really think if/as the Linux user base spreads out, as soon as you begin to acquire the general (L)User community you will see the incident rate shoot up.
errr....umm...*whooosh* *whoosh* Is this thing on ?
One of the reasons why Linux is not as vulnerable to virii and worms is because it is so configurable.. I would liken it to the immune system in humans, everyone has the same "type" of human immune system, however, some people are immune (to a potential virus or infection) due to a slightly different configuration in that system.
On that logic, windows is like a million clones of one person.. So when one virus takes hold, there is no genetic diversity.
Anyone have any similar ideas?
....move along....nothing to see here....
Sure the OSS community releases fixes faster, but how quickly do they penetrate the userbase? I think Windows Update is a far superior platform for distributing fixes than currently exists in the Linux world, if only because not every Linux distribution offers such a powerful tool.
Now I realise that you can also be the unwitting recipient of functionality and licence changing updates through Windows Update, but as a technology I think it's way better than what is available in the OSS world right now.
There are really two different problems when it comes to securing against worms and the like, and for the moment I think Linux (and any Unix) has an advantage in both areas, although it's probably not as big as many people think.
First you have to look at what a rogue program can do once in the system. For this the entry vector is unimportant. With most Unix like systems the default is for the user to not have full privileges (eg, not be root), and thus the rogue program cannot make full use of the system. That doesn't mean it can't complete its mission, but it does make several things much harder:
The main issue is, most of the operating system differences don't mean much, as it's the applications that are the holes. From the simple password in a URL, to a complex buffer overflow attack applications are very often the vector into the system. Here you have to separate the cultural differences from the application differences.
Cultural: Many Unix users still used text based mail clients in xterms, and even when they don't the GUIs were designed to more closely mimic the behavior of those interfaces. Attachments are evil, when run are generally carefully handed to a program as data. In windows virtually all mail programs are graphical. Many users demand them to implement things like javascript that auto-execute, many of them will happily run a foreign attachment with little more coaxing than a mouse click. At the end of the day these differences require user education. That may be helped by a transparent OS, but it's still a user education difference.
Application Differences: Windows (Microsoft) encourages developers to build tightly coupled applications. Look no further than OLE. That ability to embed excel in your word doc and have it just pop up over the UI requires a tightly coupled API for program to program interaction, generally exposing full interfaces. Rogue programs can exploit this, often not needing to know what application is in use, but rather just the API. Unix developers / environments generally encourage a loosely coupled behavior. Programs provide some command line / pipe oriented service and handle all their own details internally. You need only look as far as printing to see this quite well, as windows pushes driver bits into the application to change behavior, while unix makes it all happen with a "system()" command running a new program.
At the end of the day, I believe the following statements are all true:
Most people who can use Linux don't double-click first and look at the attachment later...
It has always struck me as disingenuous that Linux advocates claim Linux to be more secure than Windows. The common perception is that the entity "Linux" is inherently secure but the entity "Windows" constantly needs patching. This clearly isn't true, and it ignores the ongoing development cycle of *both* operating systems.
When a Linux advocate says "Linux is more secure than Windows" what they actually mean is: "When a flaw is discovered in Linux, someone fixes it quickly and a patch is released. It takes longer with Windows."
The quantity/severity of security flaws is not the issue. Both operating systems have security flaws and always will. The issue is the speed with which security flaws are fixed.
Don't fall into the trap of believing that Linux programmers are somehow "better" than Windows programmers, simply because the former are doing it for love and the latter work for Microsoft.
Similarly, don't forget that Linux is only secure because of it constantly being patched. This is exactly what people complain about with Windows!
I realize at this point no one will probably see this but let's look at this issue closer. Linux is a kernel, not a distro or a program. This is a main point. Windows also is a kernel. The amount of exploits on the Windows kernel vs the amount of exploits on the Linux kernel is where we can claim that linux is more secure. I use Linux everyday but I must say I have more faith in an experienced NT admin than I do on someone starting out with redhat or any other distro.
Rather than flame on about this that and everything it would be nice if we could all work towards a common good. Linux facilitates such an idea more than Windows which is why I use linux.
-- botsex is {grep;touch;strip;unzip;head;mount}
Take your most savvy Linux guru and your most savvy Windows mouse-clicker (can often be one and the same person). Let each set up a secure server and point each server to the Internet.
Now sit back and wait for shit to happen.
Eventually it will be proven that the best platform is freebsd.
The issue is that scads of IT shops consist of people who are skilled in applying some vendor's patches and security updates, but not in the underlying system(s) or network technologies. Whether that vendor is Microsoft or Red Hat, all the worker bees know how to do is install patches. And this patching and support is mainly what all the corps are paying for.
Think of it this way - using linux or bsd as an example, doesn't it make more sense to use a free one and employ admins and programmers who know how to build and support your network, and have *them* hire worker bees as needed? Why pay an external party for support when it might cost less to hire knowledgeable engineers in house and have them do the work? Or, if the admins are already savvy and are working hard even *though* you're paying for some vendor's support, then why pay for that support anyway? Just use a free opsys and do the same amount of work.
As long as IT shops are filled with patch-pushers, these issues will continue. With linux the chances of a massive worm or email virus outbreak would definitely be smaller, and bsd smaller still. But the opsys isn't the only problem. Corporate IT is its own problem.
Run your servers on openbsd - they'd love to be held accountable.
The heat from below can burn your eyes out
When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing.
So just out of curiosity, did you submit your changes to the PHPNuke folks? Or just fix it for yourself? Seems it would be a kind thing (good for your karma, and not just the /. kind) to submit security fixes, if you know they exist.
Care to comment on where you made some of your fixes in the code, so that if you didn't report them yourself, then someone else can make those fixes public?
Thanks!
Not to sound like RMS, but what exactly do we mean by is Linux more secure.
We really need to say is Linux, Samba, Apache, Mozilla.....more secure than windows core ( which would include things like the DCOM exploit ), or SMB, IIS, and IE.....
The real question here is, can one company be as secure as the open source community.
This is a really complicated question. In one way you could say yes, because of the huge testing advantage an OS project has. This could also be turned to no if no one gives a fly f*ck about the project except its core developers and it doesn't get tested. Microsoft has a disadvantage about testing, but a much more real obligation to provide secure systems. Linux users like to boast, but windows has a very real financial obligation ( they are public ).
MS is going to get hit more, because they have more users, and the users they have are not always up to date or as intelligent. They also have a lot of people who blindly hate them. This is actually going to be to their advantage in a few years.
There are two very real problems with MS and the way they go about patches that I see, two problems that Linux is on top of.
1) most require a reboot.
If this wasn't the case, it would be perfectly okay to automatically patch. My production database server couldn't be patched right away because it needed the uptime ( I had 225 days before the damn blaster thing ) and we can't afford a cluster to switch over to while we upgrade. I tried every work around, but ultimately I had to patch and restart the thing at midnight on a Saturday. I'm sure on a linux box I could have fixed the exploit without bothering my database box. Or maybe I'd have to disable a feature while it happened.
2) Patches not very available.
I remember MS's site went down the day I was patching for the dcom exploit, because of a DDOS, but this is retarded with the web. They should affiliate with trusted providers like download.com to make sure you can get to these.
MS puts out some good products, sometimes they make stupid mistakes in design ( but sometimes so does the linux kernel ). The real advantage here is that Linux patches itself ( the community ) while MS seems to always have a security firm find their crap. There was absolutely no reason to have a buffer overflow in DCOM, none, zilch, zero. If it had been some weird or interesting exploit I would have felt something for them, but a buffer overrun, get your crap together.
The same goes for C/C++ linux guys. I'm surprised there hasn't been a security library standardized. Java guys can rest easy, at least for the buffer overruns, but there are plenty of ways to write an insecure java app.
I think overall the response was good to blaster, but worms do have a real threat, but ultimately the immune system of our computers ( their programmers ) will figure a way around.
That is dangerous! There could be a hidden or obfuscated loophole. I, for one, never run any code that hasn't been written by myself while under polygraph examination. I keep my website running in a concrete block under the ocean and I keep all the clocks in my apartment running at different times, just in case my future self came back in time to try to sabotage my project. Everyone should do it.
:-)
When I introduce someone to coding I chop off their hands and then hide them to be sure they won't code anything. New users think I'm paranoid and arrogant but I don't want any one of the mindless rabble to come and get me in the middle of the night when the KGB hacks their site.
I personally use Mozilla for email on linux (redhat 9), and as a simple test I sent myself an email with the /bin/ls binary attached. When I click on the attachment, I get a save dialog box which gives me the option to "open using an application" or "save this file to disk". There is no option to execute the code, let alone having such a dangerous choice be the default!
Continuing the test, I saved the file to /tmp, and Mozilla set the permissions to -rw-------, so in order to actually execute the contents of that file, I would need to use "chmod" (or the equivalent in a gui-based file manager) before it could be executed.
I have not tested with Evolution or other popular email clients. But if they are anything like Mozilla, where the user CAN NOT EASILY EXECUTE ATTACHMENTS and all attachment files are SAVED WITHOUT EXECUTE PERMISSION, I think it's safe to say the linux-based systems are much more resilient to email-based virus code.
Of course, Microsoft Windows could have been made similarly secure if Microsoft (and others) had taken these simple measures. Well, at least not allowing executable code to be executed with a single click of the attachment. It's been many years since the first MS executable virus code and it's a continuing problem. When will email client software on the Windows platform finally reform to disallow easily executing attachments??
Even if that were the case, to equal the level of protection the Mozilla/linux has by default, windows would need to implement execute permission (does it have this feature, even if it's never used to disallow execution?). Then the software would need to save all attachments without permission to execute them.
This exists today on Linux with popular email clients. Until Microsoft and others take these extremely simple precautions to prevent casual users from easily executing attachments.... or creators of Linux-based email clients make these incredibly unwise design decisions to allow easy execution and turn on execution permission by default on saved files, I believe it's safe to say that Linux systems are much more secure than Microsoft windows based PCs, in terms of propagating email attachment virus code.
PJRC: Electronic Projects, 8051 Microcontroller Tools
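The behaviour described in the comment above (attachment written as -rw-------, with no path to execution short of a deliberate chmod), as an added Python example that is not from the thread or from Mozilla's code. The function names and the sample message are constructed for illustration, and a Linux host is assumed.

```python
import os
import stat
import subprocess
import tempfile
from email import message_from_bytes
from email.message import EmailMessage


def build_sample_message() -> bytes:
    """Constructed test mail: a small shell script sent as an attachment.

    The filename deliberately contains directory components, because the
    sender controls that header and a mail client must not trust it.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "me@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(
        b"#!/bin/sh\necho ran\n",
        maintype="application",
        subtype="octet-stream",
        filename="../../tmp/ls",
    )
    return msg.as_bytes()


def save_attachments(raw: bytes, dest_dir: str) -> list:
    """Save every attachment as plain data: mode 0600, never executable."""
    saved = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_disposition() != "attachment":
            continue
        # Keep only the last path component of the sender-supplied name.
        name = os.path.basename(part.get_filename() or "") or "attachment.bin"
        path = os.path.join(dest_dir, name)
        # O_EXCL refuses to overwrite an existing file; O_NOFOLLOW refuses
        # to write through a symlink planted at the destination.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        fd = os.open(path, flags, 0o600)
        with os.fdopen(fd, "wb") as fh:
            # Set the mode explicitly so the result does not depend on umask.
            os.fchmod(fh.fileno(), 0o600)
            fh.write(part.get_payload(decode=True))
        saved.append(path)
    return saved


def try_execute(path: str) -> str:
    """Report whether the kernel lets the saved file be run directly."""
    try:
        subprocess.run([path], check=True, capture_output=True)
        return "executed"
    except PermissionError:
        return "blocked"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in save_attachments(build_sample_message(), d):
            mode = stat.filemode(os.stat(p).st_mode)
            print(p, mode, try_execute(p))
```
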
It is clearly the duty of the users to serve the computers. Users exist only for the computers' benefit.
And if whatever I want to happen takes longer than I'd like, it better be a damn pleasant experience along the way!
Spoon not. Fork, or fork not. There is no spoon.
So, even though the standard Unix security model offers more protection than the Windows 3.x/9x lineage, you can still pull an XP Home (where by default every user is an Administrator) if you work at it.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
I'm not so sure. There are lots of those savvy and knowledgeable people on Windows, just as there are lots of "k3wl, I'm so 1337 d00d, because I run Linux and not M$ Winblows" amateurs out there.
These same users are the ones who end up configuring their webserver with passwords such as "god" or "admin." A secure O/S is fine and dandy, but it doesn't help all that much against the same general stupidity that afflicts windows and linux users alike. How many servers are defaced because they're either very behind on security, or simply easy to get into?
Not only that, but we have a lot of people who don't know as much about security as we would like. I personally don't know as much as I'd like. How many admins who know how to configure httpd.conf for apache are good at plugging with iptables?
At work, any sensitive online-based sites are restricted to a certain port, and allowed only from local addresses. Yes, by IP-spoofing they could avoid that, but at least it's an extra level of security. How many people bother with this? A lot can be done at the firewalling level, before any attack even gets near your daemons...
Here's the important point: given any organism there's a virus that'll defeat it. So the strategy is to ensure that your offspring have variety.
Unfortunately what we have in the computing world is something of a monoculture. Everyone (OK, I exaggerate, but only slightly) runs Windows and everyone is at risk from the same viruses. And when those viruses hit everyone is taken out.
If people valued security, and chose an OS with a smaller user base as a strategy to deal with security, we'd have that variety and we'd all be much better off.
It's funny. When A says "I use Linux and don't get any viruses" and B responds "that's because so few people use Linux" B is failing to see that that's actually a perfectly good reason to choose Linux.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
Is that 61% a stat-lie?
If there are significantly more Apache websites compared to MS-Win websites on the internet, and the numerical coefficients of the variables used in the equations were not weighted appropriately, then a condition (of at least) co-variation was not taken into account ... the interpretation of 61% is in error.
Also, novice websites (Apache, MS-Win, ...) are frequently defaceable. I believe, due to the obvious (cost for a Linux+Apache+Skill+Daring) already stated by others, means that the most easily defaced website are in fact probably "Linux+Apache", but also the best most secure website because of the open-community+collaboration+... implies (for me) "Linux+Apache" makes the best websites for business and government.
So, I suspect stat-lie. However, I ain't done any major data crunching with FORTRAN and arrays in almost as many years as serious code.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
was written for Unix. I hope people don't forget that, but I doubt they will. The difference is most Unix people care about reliability and most people from the Microsoft camp relish viruses because the truth of the matter is tech support revenue is much greater than the cost of Windows.
There are some stats (look for the pretty pie charts) which can help explain the percentage, along with a few key thoughts and speculations:
That's simple: In GNU/Linux most of things concerning security are done because they're needed. F.E. Some code can be possibly buggy, so a bunch of people/firms/institutions/whatever before they start using this given software, they make an audit of code, and any possible holes are fixed etc. Most of cracker attacks compromising Linux are related with simply people not installing patches or buggy not updated OS scripts running their websites etc. Windows also could be fixed but M$ won't fix it! Because they don't want to. Because this would break compatibility (which still tends to be more important to them than security issues) etc. I'm talking about those holes in MSOE, MSOffice that existed long time and still aren't fixed etc. these holes/dangers are still there!!! Next thing is about updates. Windows is harder to maintain. Still nobody wants to install tons of single, so called "patches" because they may make the system unusable (Yes! they may do that!) or this is just uncomfortable to install 100 patches. So people think "If it works - leave it as is... Till it works". Still M$ delays SP2 (so called "cumulative patch") for Windows XP due to "unknown reasons" etc. - this is ridiculous! Vendors WANT cumulative patches so they can sell a system patched OOTB. So do users - users WANT cumulative patches so they can patch their system easily etc. M$ is talking bullshit about their Trustworthy Computing bla bla but these are just words - security means that you must drop some compatibility issues and user friendly features due to have a more secure system. F.E. make Windows work nicely without running everything on an super-user "Administrator" account. PS. Sorry for my English - I'm not native English speaker.
I can introduce you to at least four. One of them writes anti-trojan software for his living.
Got time? Spend some of it coding or testing
there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames
Because they are forced to use MS products. Most people do not have strong feelings about stuff they have not personally encountered.
While I would never go so far as to say that Linux people purposely write virii to take down Microsoft, I certainly wouldn't say that Microsoft users are the guys writing virii to take down Windows Update.
The script-kiddie viruses require MSWindows to write, or at least test, the virus. Linux users have already escaped; why would they worry about MS? It is the MS users that write viruses to hurt MS.
I also like the theory that the MSBlast virus was written by MS. The primary purpose behind that virus was to annoy all the users enough to patch their systems.
- It also required every unpatched MSWindows PC to report itself to MS. MS might be able to use that information.
- The virus also seems to have been poorly written. MS may not have the monopoly on bad programmers, but they definitely have the largest concentration of them.
Anybody who wanted to cause real damage would write a virus that spends 24 hours spreading itself, and then silently wipes the "drives" starting at Z: and working backwards to C:. That would cause a few heart attacks in the corporate world. It would also force the world to switch away from MS. The MSBlast virus was just a warning shot, and I doubt it was written by someone who actually wants to harm MS.
I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.
With scripting kits, brains are not a requirement for writing a virus. See the stories about the virus writers who have been caught; none were particularly smart. (OK, they were CAUGHT, so the sample assumes some incompetence.)
Very few people prefer MSWindows; most people do not know there was a choice.
---
The Linux community wants to succeed by demonstrating that the community development process develops better code and applications than hidden proprietary code can produce. MS's security holes are a demonstration that their development process has severe faults. Linux and OpenOffice should remove MS's revenues very soon, and then MS will fall. We want to win fair.
I spend my life entertaining my brain.
There are twice as many Apache sites as IIS sites, so one would expect to see twice as many Apache defacements if they were attacked equally often and defended equally well.
IRL, the Apache machines will more often be doing multiple duties (e.g. Internet gateway, email server), further skewing the results against themselves because there are simply more services to break into on those machines.
If I was a selfish, destructive little cracker, I'd be breaking into Linux boxes simply because they're more useful than a corresponding MS-Windows box once you 0\/\/|\|3rZ them.. A lot more stuff will install off-the-shelf in scripted fashion, or already be installed.
Got time? Spend some of it coding or testing
I have a friend that runs linux, the only skill he needed was to burn a CD using Nero and reboot.
He doesn't know a kernel from a koffice
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
So... exit Microsoft Corp, stage left; enter Linux Corp, stage right? Have I got the picture?
But Linux isn't a corporation; and Linus would happily agree that Linux isn't a person. It has, in its enemies' words, "no centre of gravity", no central bastion to attack. It has no war-chest, no lawyers, no production facilities. If it is distributed from France or Germany, it isn't because of some strategic global plan, it's just where the distributors happened to live.
In short, while you can happily replace MS-Windows with Linux, there is nothing to replace Microsoft itself.
Yeehah! (-:
Got time? Spend some of it coding or testing
I prefer GNU/Linux distributions to the BSDs... I find the userland to be a lot more friendly and modern. But I absolutely loathe the fact that every time I do a default install of nearly any Linux distribution, I have to spend lots of time either (a) downloading security patches; or (b) disabling extra software I don't need.
For one thing, whoever believes it's a good idea to continue relying on sendmail and BIND deserves broken bones. There are secure, faster alternatives available, and while they're whining about backwards compatibility and the fact that DJB doesn't want them butchering his software, their users are getting rooted.
We also need to remember the distinction of what Linux really is. I'm not RMS, but we do have to remember that Linux is simply a kernel. It has indeed had security problems (the most recent that comes to mind is the ptrace exploit), and sometimes this is unescapable. But when I hit up for instance the slackware security advisory list, I notice that while there are a handful of system problems, they are also listing problems with software that has little to do with running the Linux system (BitchX, EPIC4, etc).
And then I remember that each time I go to Windows Update, I'm slammed with a list of critical security updates, some of which are even rollout packages containing many other security updates. And the volume of security updates on Windows Update still far surpasses that of my favorite distro.
Handing your average computer user your average linux distribution's default installation is like handing a baby a bunch of knives... the system usually works damn well and quite stable from the get-go, so they install it in a dark corner and forget about it.
As has been said many times, security is only as good as the admin responsible for it. Yes, there can, and will be a Linux blaster... There might some day be an email worm too... but not like sobig.
Let's examine the reasons why blaster and not sobig. Blaster exploits a buffer overflow, requires no user interaction. Find an overflow in Apache, you'll have a worm. Not a whole lot admins can do to prepare for this except application level filtering. It will happen. Those of us who are "in the know" will be patched long before.
SoBig: This is a user spread virus. It does not exploit any vulnerability. It merely requires the User to click on the attachment and hit open. It relies on badly designed software, that allows a user to execute code legally, easily. Windows lets you click Open.
Contrast that to most unix mailers: You have to deliberately save the file to disk, chmod +x it, and then run it with ./. Yeah, a bit harder eh? Nobody I know will be able to manage this.
:D
About the web site defacements. Linux is more complicated to administer, I don't think anybody can argue that. Lately, people have been given this sense of "if I replace Windows with RedHat i will be more secure". That is not true. Security is up to the ADMIN and the ADMIN alone. I would venture to say that a Linux box is MORE dangerous in the wrong hands than a Windows box. Hence your 60%.
Nothing about this changes anything at all. Those "in the know", generally Unix admins, will not be exploited, whether on Windows or Unix.
This doesn't mean Unix doesn't raise the bar of your security... you just need an admin that knows how to use it for it to be even close to its potential. With Windows you are always stuck at whatever MS deems "secure enough".... bar writing your own IIS filter or something.
What we need are more smart admins using Unix, not sucky admins that give us all a bad face.
My two cents.
Unix is designed under the assumption that there are supposed to be users who can do whatever they please as long as it doesn't interfere with the operation of the system as a whole.
Windows is designed under the assumption that if you're not giving someone full control of the machine, it's because you don't want them to be able to do certain things that have no bearing on the rest of the machine whatsoever.
The result is that a typical Linux installation will create a user account without root privileges that you are expected to use except when you absolutely need to be root. The windows installation will prompt you to create accounts other than Administrator, but they will still be Administrator-level accounts, because the registry and the windows installer are designed to make it difficult for anyone who is not an administrator to install software.
This is why I'm an administrator on my work machine, where I do tech support and thus need to be able to mess around with things to replicate problems, and I'm a non-root user (with sudo privileges) on my home machine. I can screw up the work machine a hell of a lot faster than I can the home machine if I open up the wicked screensaver.
If windows didn't require a completely separate login to do administrator-level stuff, this problem might go away. XP's user-switching is a far cry from this. If Joe User can't copy and paste from his non-admin web browser to some admin system tool, he'll just be admin all the time, and then when he breaks beyond all repair he'll call me along with the other hundred users I talked to today at work. AAAAAAAAAH!
WARNING: there is a trojan on your
Linux does not require technical ability anymore.
There are several distributions (Mandrake, Lindows, ...) that may be installed by the complete novice.
That said, I am using RedHat (because I live in the US and it is still the most popular distribution here.) The RH9 installer does not even make suggestions for how to partition the hard drive. (A friend asked if he should make the root ext3 or a swap partition? The interface implies that this is acceptable.)
Once Linux is installed, a typical user would never see the command line, and only needs to learn one GUI.
Linux can also remove some of the fear of computers because you do not need to worry about the usual viruses. Your acquaintances that have trouble right-clicking and double-clicking may be better with Linux, since the menus are usually written before the context menus, so every option can be accessed with one button of the mouse. (My grandfather uses the ENTER key instead of double-clicking, since a couple of strokes have upset his timing for double-clicks.)
You also assumed that the Linux users must have installed Linux. In the corporate world, computers are installed by IT, regardless of the OS. And today the home consumer can buy a computer with Linux already installed. That assumption is not safe.
---
Good application designers assume the users are complete idiots. Applications designed that way are easier to use, require less documentation, and have more safeguards to prevent GarbageIn. And when the complete idiot does ask for support, invite them to be a primary tester. Even idiocy can be useful.
For Linux to become the main personal computer operating system, it must be designed for use by idiots.
- Why does it seem that most users are of below-average intelligence? Do smart people avoid computers?
I spend my life entertaining my brain.
I wish this were so funny. The last two VARs that a business I know of has gotten accounting systems from have configured the systems so that all of the users did log in as root.
If you've ever installed systems (of any kind) for small businesses (~50 people), you'd know why this was such a temptation and often a functional necessity.
Many of them have no full-time technical staff. The typical scenario is an "operations manager" who spends most of their time dealing with production issues; a "back office" person (who's usually the consumer of the system, often the head financial person); and then whoever ends up being the technical liaison, which in my experience is whatever office flunky can get WebShots installed the best or who has the copier repair phone number.
It's sad, but I've done a ton of installs where basically everyone who uses the system is root/wheel/administrator and there are no permissions. If I'm lucky and can figure out there's no one to even reliably change tapes before the equipment is set up, I have it do alternate full backups on different physical disks; I figure it's better than a burned up tape.
It keeps you in business, but it kind of sucks, since it's apparent that nobody really gives a shit...
I think one of the problems is that, to have a secure machine, there's a hell of a lot to know.
I've been using Unix of one flavor or another for maybe twenty years. I've been doing administration on servers for maybe ten. I know something about Unix, although I wouldn't call myself an expert. My focus is on programming rather than admin (although to be a good programmer you need to know a lot about admin, and vice versa).
The fact is, even with a lot of experience, there is an enormous amount to know if you want to keep a machine secure. And while most of it is pretty straightforward, some of it is really complicated stuff.
Couple that with the differences between flavors or even Linux distros. While the basic concepts tend to be the same, the methodology is different (for example, compare removing specific network services on Debian, RedHat, OS X, and Solaris). Security is a full-time job.
Technical people often make the analogy that the level of technical computer understanding most people want to maintain is like their house or car or office. Bar the windows, lock the doors, set the alarm. Set up the cameras if you're paranoid, and monitor them. While the top-level concepts are the same for operating systems, the kinds of attacks are different. There are only so many ways to get in through a window -- but how many programs turn up exploitable? Once you secure your windows, you know the threat level (rocks, pry bars, glass cutters, etc). With software, you may have a general idea (buffer overflows, privilege escalation, out-of-band data, unexpected input, etc), but it's continuously evolving. In both cases, vigilance is critical. In both cases, if you're security-minded you can be more or less secure, even in a hostile environment.
The problem is, this model is wrong for most people. They want to interact with their computers like they do their DVD-players or TVs. They want to use them as simple, versatile tools: think swiss-army stereo system. They don't want to have to think about security. They don't want to know that there's an /etc directory with configuration files in it. They don't want to run Windows Update every time they turn on their computer.
That's where the problem lies; people who are concerned about security will be secure whether they run Windows, Linux, or whatever. The people who just want a device that can play music, edit spreadsheets, write documents, send and receive email, and surf the web will likely be insecure no matter what OS they run. How many times have you had people volunteer passwords, watched the guy pound out the alarm code "1234", or had a user tell you their password was their cat's name?
Sure, some systems make it easier to be secure than others. But security is more an attitude than a system.
(This leaves out the whole issue of the heterogeneity of the Windows world, the desire on the part of worm writers to hit the largest "audience," and the anti-M$ attitude among 'leet hackers.)
Eloi, Eloi, lema sabachtani?
www.fogbound.net
I just went to Zone-H, and it said that 100% of the defacements were on Windows 2000.
It's a daily list of verified defacements...
Yesterday was 61% Linux, today seems 100% win2000.
Worthless statistics.
Would be better to know what are the numbers in, let's say, a year.
Anyone know the url to this data? Or better a mirror, seems the site is under huge load.
I'm a chainsmokin' alcoholic sociopath, so-ci-o-path
69% of these comments are about how stupid the administrators are, and that they need to read their Linux-for-dummies again. These are comments from the general Linux zealots^Wusers, and are naturally ignored. We already know that admins are brain-dead.
7% talk about how safe their MacOS is, but 93% will skip those comments, as Apple is just another Microsoft OS (MS has a large portion of Apple's stock)
3% blame Apache, and promote the use of proprietary solutions as they are So Much More Secure(tm). Good for a laugh.
8% are the BSD-trolls. Only problem is that they still have to use lynx to post their remarks, nobody cares about them anymore. Especially not the general Linux zealot^Wuser reading their posts. BSD, pfff, something that free can't be good. I mean, Windows used their code...
6% are the trolls ranting against something called google, that makes all those script kiddies so-called blackhats after enough time. Yes, your kid brother has just grown up, and has exploited apache and your 2.4.20 kernel to gain root privileges on your box. Even worse, he's just told your mother about your secret pr0n stash in /root/.this/.is/.secret/. Life's a b*tch...
4% are the MS-trolls, those who have lived under a rock for the last decade. Or at least the last few weeks. Anyway, there would be more of these posts, but I'm afraid 98% of people using Windows(tm) were attacked by all em scary worms out there, and rebooted for the 50th time today. Whoopie! No Blue-Screens anymore!
2% are the ones commenting the BSD trolls, but nobody sees their remarks or could care less.
1% are the lame people that rant about how deceptive statistics are... this post is one:
lies, damned lies and statistics.
We now return to our regular programming...
This sig is intentionally left blank
The problem with most Windows users - whether they run 95/98/ME/NT/XP/2000 - is that they DON'T understand how to lock down the system or that alternatives exist to Microsoft software. They don't know jack s*** about a firewall or better alternatives to Microsoft software that is often more secure, not to mention actually VIRUS scanning email attachments and downloads.
If you have to do e-mail - a very good and secure e-mail client is Pegasus Mail which does NOT blindly open up email attachments and run code like Outlook does.
Get a decent firewall like Sygate PRO or if you must even ZoneAlarm PRO and make sure it's configured properly. Again some Windows users would have problems even with something so simple as this sadly.
Want to avoid the nasty crap in Internet Explorer or other browsers? Get a proxy like Proxomitron and JD5000 Filters for Proxomitron which then allows you to lock down all that nasty MS crap like VB/ActiveX/Flash/Forced Download scripts/ADS and more that cause problems.
But as everyone else has mentioned here - all it takes is a moron to run a Windows box - Linux box or hell even a MAC OS X box and not keep up to date with patches. If he/she doesn't know what they are doing any of the three will be insecure.
Also with Microsoft a lot of users I believe are afraid to get the patches - because you keep seeing more and more supposed "horror stories" of how a patch broke Windows or a "feature". Same crap could also apply to same user running a Linux box.
You must master your joystick like a fisherman masters bait! - Gimpy
... and why should I trust what they say? They can't even survive a little /.ing, so I'm not impressed.
Did you chuckle when you read my post? Or frown?
Are you a MS programmer that I insulted? Or did they not hire you, so you assume the ones they did hire must be better than you? Or you believe that a company that makes that much money must be doing something correctly?
(Sorry that sounds like a personal attack. I hope you answered "No" to all but the first question.)
Read the websites about the hiring practices for MS. They are looking for a good personality fit with their processes. Maybe the questionnaire asks, "Are you willing to release bad code because of deadlines?" and a positive answer gets the position.
I have no personal experience about the quality of programmers at MS. My personal belief is that there are very few good programmers anywhere. I do know that every time I need to fix a problem with MS software, I think about:
- how I would have written the code, then
- how a beginner programmer would have written the code, then
- how to write it worse than the beginner.
Then I assume the last case is true, and work around it. I have a reputation as a miracle worker for being able to see inside the code.
Best programmers do not rush. They know that code that works is much better than code that almost works. Taking the time to design something well is always worth it. By definition, well-designed programs take less time to write and test.
The problem with MS's code is not that it was not written well the first time, but that they have not done it correctly after hundreds of attempts, even after their customers report problems.
---
I am not a "Lunix zealot". I do not use Linux in the corporate world, and barely use it for personal stuff.
- I do recommend Linux to people and companies that cannot afford Apples (which I have not used in recent history.) And much of my recent work has been battling an incredibly poor multi-threading model in some of IBM's software.
- I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?
I spend my life entertaining my brain.
I run Windows 2000. It's up to date, and it has been since I installed it. I don't use a firewall, and only installed a virus scanner two days ago after my wife insisted. Despite that, I've never had a virus. My preferred method for dealing with people trying to get in is to pop up a message on their computer to stop. Either that, or I call their mom. (Which is usually a very funny conversation - give it a try sometime!)
Anyway, I blame my College for my lack of infection. The only email program we could use was pine. I still use it to this day, and it's my favorite email program. Nothing to configure, nothing to install, works anywhere in the world, extremely lag-resistant. The most important feature - you can't click on anything.
I digress: back to infection. No matter what program you're using, you can't just run whatever random garbage Undugu sends you. The majority of users will not understand that. My father, for example, can't understand the concept of Spyware, Adware, or Pr0nware. Eventually I had no choice but to physically destroy a CD he bought. It installed Spyware and Pr0nware, and he would not believe me, no matter how many times I explained.
So, what does that have to do with Linux? It's simple. The majority of Linux users are smart enough to not click on any random thing that gets sent to you. That's the difference. It's like a gas station that offers free gas. The catch? It's 50 octane. A lot of people would go. Yes, they would. Those of us who know something about cars would know that that kind of rating would seriously mess up your car. Sure, you could install a refinery into your car and add anti-knocking agents, but you're better off not getting gas there.
People who use Linux are, from my experience, very knowledgeable about computers and take care of them. Once the goal of "Linux for the Masses" is achieved, then - AND ONLY THEN - will you see the true devastation that rampant idiocy can wreak on an operating system.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
I think the biggest reason that something like Sobig is unlikely is that there are so few Linux machines on the Internet as compared to Windows machines, and since a majority of Linux installations are on servers an awful lot of them are behind firewalls. Worms like this spread by seeking out more systems to infect. If 95% of the systems are running Windows, a worm can spread a lot faster than if it is looking for a fraction of that other 5%. A similar worm on Linux would take a _lot_ longer to spread and would give us more time to react and put a stop to it.
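The density argument in the comment above, worked through as an added example that is not part of the original thread: a simple random-scanning epidemic (SI) model showing how the time a worm needs to saturate its targets grows as the targeted OS's share of hosts shrinks. The model choice, the constants (address space, live-host count, scan rate) and all function names are assumptions made for illustration.

```python
"""Random-scanning worm spread as a function of target-OS market share.

Simple SI (susceptible/infected) epidemic model. Every constant below is
constructed for illustration; none comes from the thread or from real data.
"""
import math

ADDRESS_SPACE = 2 ** 32      # addresses a random scanner can probe (IPv4)
LIVE_HOSTS = 100_000_000     # constructed: hosts actually online
SCAN_RATE = 0.1              # constructed: probes per infected host per second


def growth_rate(os_share):
    """Per-second growth rate: scan rate times the chance that one random
    probe lands on a host running the targeted OS."""
    return SCAN_RATE * os_share * LIVE_HOSTS / ADDRESS_SPACE


def closed_form_seconds(os_share, target=0.9, initial=1.0):
    """Time for the logistic curve dI/dt = r*I*(1 - I/N) to reach target*N.

    N is the number of vulnerable hosts, r the growth rate above.
    """
    n = os_share * LIVE_HOSTS
    odds = target * (n - initial) / ((1.0 - target) * initial)
    return math.log(odds) / growth_rate(os_share)


def simulated_seconds(os_share, target=0.9, initial=1.0, step=0.01):
    """Same model stepped numerically (forward Euler) as a cross-check.

    The time step is scaled to the growth rate so each step adds at most
    about 1% to the infected population.
    """
    n = os_share * LIVE_HOSTS
    rate = growth_rate(os_share)
    dt = step / rate
    infected, elapsed = initial, 0.0
    while infected < target * n:
        # New infections: probes that hit a vulnerable, still-clean host.
        infected += rate * infected * (1.0 - infected / n) * dt
        elapsed += dt
    return elapsed


def reaction_window_table(shares=(0.95, 0.05, 0.01)):
    """Hours until 90% of vulnerable hosts are infected, per OS share."""
    return [(share, closed_form_seconds(share) / 3600.0) for share in shares]


if __name__ == "__main__":
    for share, hours in reaction_window_table():
        print(f"OS share {share:>5.0%}: {hours:8.1f} hours to 90% saturation")
```

Under these constructed numbers the window for defenders to react grows from a few hours at a 95% share to about a week at 1%; the model ignores firewalls, patching and non-random targeting, all of which change the picture.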
How can you make a statement on Linux security based on Apache? If Apache is hacked it has nothing to do with Linux. It is just an application that is completely unrelated to Linux. Saying Linux is insecure because of the last Apache/OpenSSL hole would be the same as saying FreeBSD or OpenBSD are insecure because someone broke in through Apache. Apache is a whole lot more secure than IIS, though it still had some problems. While it may make sense to complain about MS security problems because IIS is one of their products, it is silly to say Linux is insecure because of Apache. I do think security under Linux needs to constantly be watched, it is very easy to get a big head, become lazy and sloppy and get all kinds of holes. Thanks to efforts like SE Linux by the NSA, Linux will keep getting more and more secure.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
The only security parallel between Windows and Linux is the susceptibility to lazy users. If you don't patch... you're dead in the water and you deserve it. Linux, Windows, whatever.
That's where the similarities end. Linux is inherently more organic, configurable, stable and open. Windows has an upper limit on the config bashing you can do and the efficacy of doing so.
If I, with my Linux box, have a vulnerability that the vendor, or code monkey who wrote the thing, doesn't have a patch for... not a problem. I can do any one of a thousand things to make my Linux system either more secure or less susceptible including looking for alternative programs that do the same thing. From the kernel to userland... I have control. It's more work, perhaps, but so is police work.
Windows. Please. I'm at their mercy. Their patches. Their schedule. Their patches to their patches. Bah!
Look at it this way: Windows is a prefab house. It comes in one flavor. One shape. And one color. It is architected (sic) in the hopes of being able to withstand a wide range of climates.
Linux, or any of the unixen, can be a tent you use to climb Everest. Or a mansion in Palm Beach. Or a Hotel in Monaco. Or a skyscraper in NYC. Whatever you want. It's up to you and how hard you are willing to work.
Just do what you do best
Arnold "Red" Auerbach.
According to Netcraft the percentage of sites running Apache is 63.72%.
If you consider that the Windows version of Apache is rather insignificant, I would assume that the total Linux web server installations are in line with this number.
Therefore, one must conclude that the predominant cause of web site defacements is negligence, not the operating system one chooses. After all, technically competent sites such as the one you are reading now almost never get hacked.
"I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?"
Hell, I'd be happy if their OS didn't crash, even if the applications did from time to time.
I've been using Linux at home for many years, and I've noticed that applications do crash. Mozilla crashes, ABIWord crashes, StarOffice crashes, but there are two important points to this. First, the applications that I've described are either free or inexpensive. So, I haven't shelled out $500 for a suite of applications that is faulty. Second, it's only the one application that goes down in flames. It isn't the OS, it usually isn't the GUI interface (though X is a hair weak for what I'd like to see), and the other programs remain running without issue.
I don't think that an application should have the ability to crash an OS. That is absolutely ridiculous.
Do not look into laser with remaining eye.
Yet another raging battle on which O/S is more secure. Hear me when I say this, "Security is an ILLUSION!". Even if humans could create a flawless bulletproof secure system, that system is going to have users and, as soon as you add users you can throw security out the window.
Look at all the companies that were taken down by Blaster and Nachi. Didn't all these companies have extremely powerful and sophisticated firewalls guarding their networks? Sure they did, but the VPN/dialup/laptop users were able to get in after becoming infected and circumvent all the elaborate and expensive security. Sometimes I think firewalls are a total waste of money.
I won't even get started on the topic of extremely weak user passwords, unsecured dialup modems, and firewalls with way too many open ports.
Luckily all the worms and virii to date have been "mostly harmless", but the day is coming when a hacker in China or Russia is going to get the urge to make a political statement and start wiping out data.
Argue and discuss this topic all you wish, but know that the dialog is meaningless. SECURITY IS AN ILLUSION!
It's not necessary to be all that "savvy" anymore. If you're running a stock box, you can have a SuSE or Mandrake system running on the 'net with a high speed link in less time than it takes to install WinXP.
Just leave it at the default workstation settings, and answer the questions -- same as you do for Windows.
Granted it's not set up the way I'd want it, but current releases are pretty damned good for mom & pop who just want to browse the net and read their email. It even helps protect them from the "social engineering" click-me trojans, as most of that junk is engineered for Win32.
What bothers me more is the mix and match of OS and webserver stats in the main slashdot article. Most desktop Win32 users aren't running IIS, so why would we include Apache breakins and such under Linux when comparing/discussing security?
I do not fail; I succeed at finding out what does not work.
To say otherwise would be a lie.
Windows has a great deal of exposure. Therefore more people hack it. Windows also was not designed to be secure. This is apparent in some of the things you see in it every single day, like how a single Windows box handles multiple users (not cleanly in my opinion).
GNU/Linux was designed to be secure, but doesn't have as much exposure although it is doubling pretty much every 12-18 months. If this Moore's-law-like trend, let's call it Greg's Law ;), keeps up then I predict we will see more security vulnerabilities showing up in GNU/Linux as time progresses.
The assertion that fewer worms implies more secure is a logical fallacy to begin with. If no one is writing worms for your OS (that is not to say no one is *using* it... lots of people are including myself) then any security issue you've got won't be apparent.
GJC
Gregory Casamento
Chief Maintainer for GNUstep
I'm not kidding about the install time. A SuSE 8.1 3-disk install was asking for the config details before WinXP was done identifying hardware (same box.)
Add in the time and hassle of temporarily swapping out NVidia GeForce series video cards to do the initial WinXP install, and the raw-hardware-to-internet time is less than an hour for Linux, and almost 1.5 for WinXP on the same hardware (CUSL2 PIII/933 512M/PC133/CAS2 60G/7200RPM GF2MX.)
I do not fail; I succeed at finding out what does not work.
A web site defacement on a Linux machine is probably not a problem with Linux, but a problem with Apache, ncFTP (or UWFTPD or any of the others), SAMBA, Sendmail, or any of the other projects that people tend to run on top of Linux.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
If you want to discuss the success probability of a worm, there are three aspects here which need coverage: First is the actual quality of the implementation of the operating system. Second is the concepts behind that implementation. Third is the density of the system population.
The quality of the implementation in Linux is highly variable, depending on what part of the system you are looking. There are parts of Linux that are of an extremely high implementation quality such as the kernel, the Apache web server or other active and well researched projects. There are other parts of only medium quality such as for example the popular PHP language.
And there is a lot of stuff that is of actually pretty low quality, badly researched and incredibly crappily written from a security point of view. Common PHP applications such as PHP Nuke, TikiWiki or other "CMS" style applications belong into that category. Getting web server privileges through one of these using a pathname exploit, badly written uploads or other commonly known classes of security problems is usually a piece of cake. From that you need to find a local root exploit to own the machine. That's a little harder to do than a simple web exploit, but also nowhere near impossible.
Also, current PHP coding techniques do little to minimize the amount of such code being written and to encourage clean coding. Brings us directly to the concepts section: There is no equivalent of ASP.NET type infrastructure and tools in the PHP world. Windows may have bugs, but in this particular instance they may be in an area where PHP for example has not even code to show...
When you are discussing security concepts, Windows often is on par or even surpasses common Linux systems. Windows' failure is too often in the area of implementation, or it fails to leverage and deploy the concepts it implements. That's why Windows passes US and European security evaluations, but does not feel "more secure" in day to day use. For example, Windows had Access Control Lists as part of NTFS since the very first 3.0 days.
Only with the advent of Windows 2000 Microsoft started shipping Windows with halfway decent defaults, though. Also, getting to see and check the ACLs of a directory hierarchy with onboard tools is laughably complicated compared to what Unix presents (namely, a moderately complex security system with ugo/rwx and ACLs tacked on for those special cases, and "ls -l" to mass check an entire directory with a single command).
Windows also has superior concepts regarding impersonation (instead of SUID), RAID as part of the default operating system way before the actual Unices had it, a PKI and a directory service as part of the default operating system shipment (and code that actually uses that, by default, unlike Unix, where you have to jump through hoops to get your mail server, samba server, your different logins and your client applications to use such a service if you had one by default) and several other things that look nice in the book.
Unfortunately, all of this is of little use against worm style attacks. Here the conceptually bad parts of Windows reign: Treating data as code and in some cases even automatically executing data that has been recognized as code (HTML mail with Javascript, Office macros, HTML with Javascript that is being executed when entering directories) is the major attack vector. Also, badly designed and protected desktop IPC, allowing for the shatter attack and other legacy sins make the Windows desktop a primary target for worms and viruses. None of the above security mechanisms help protect against this style of attacks, which is why Windows looks good on paper, but not on your desktop.
Also, unfortunately, the Windows population in your average company is dense enough and homogenous enough to allow for wildfire type effects when the attack is spreading over the network.
Linux has similar vulnerabilities as Windows has, but we do not see them at the moment, because even if there were a worm that could uti
Linux is more secure than Windows because we know it's not secure enough and never will be secure enough.
Windows, however, knows for a fact that it is secure enough; as a direct result it's not secure at all.
The latest claim that Windows is insecure by design is basically saying that Microsoft didn't even think about security when they first designed the operating system years ago and just followed the basic philosophies behind DOS.
At the time DOS was the only operating system to have viruses and people were crying foul over this. That Microsoft could do better and if they do make a new operating system they should.
(It wouldn't be until Apple adds multitasking that Macs would have any viruses)
To further the point, a number of products entered the market to make DOS more secure. Password protection to keep users from using the computer and the ability to write protect hard disks were just two security features available from third parties.
All commercial network packages I have had any experience with had quite a few security features to deal with the fact that they were missing from DOS. Yet people didn't use those features effectively and would leave systems open to virus infections passing over the LAN. This would foreshadow the Internet as it is today.
But in the end it's vigilance, not design, that keeps Linux secure.
Because for as many Windows worms we have seen lately and as many claims that BSD is the most secure Unix around....
The one and only BSD worm did the one thing no Windows worm could do. It took down the Internet. It flooded the network with billions of infections.
This could happen to Linux.
We can show Windows is insecure ground up. Viruses and e-mail worms need an insecure operating system to work.
Viruses need to be able to infect other binaries once run under the user account. This simply won't happen under a secure operating system.
Email worms need an e-mail client that will run programs attached to e-mail.
But normal non-email worms hack in from the outside. Look at that statistic again.. Even if only 1 Linux box is hacked that means a worm can do it. A worm can be made to hack into Linux systems just the same as a hacker could himself. Before you know it the worm has infected many systems. Millions of infected systems in the time it takes for one hacker to deface one Linux hosted website.
It could happen... IF...
If we sit on our butts. Worms take a while to write so it may be a month or so after 'discovery' that a worm is actually created.
If we sit on our butts and not make a patch,
Sit on our butts and not test the patch,
Sit on our butts and not apply the patch.
Then a worm could be released.
If we don't secure our systems.
Applying patches and bug fixes is only the start. There are countless procedural errors that could be made. Get something to test your system for all the known ways someone could hack your system and test for them. Know if you're safe.
I remember one Solaris zealot actually freaking out when she discovered an SGI system was being used to run a website. She pointed out that the machines were not designed to run websites.
In other words the operating system was "secure enough" for a stand alone workstation.
I don't actually exist.
Frankly, the fact that certain distros charge money for using their automatic update system shows that we've got a way to go! After all, when you put the stuff out there and continue to put it out there, you've got a responsibility of making sure your software is not endangering the integrity of the internet.
Here's a wishlist:
1. Automated updates by default - the likelihood of a break-in is greater than breakage because of updates.
2. Better firewall configuration tools. Maybe a standard interface for having servers request
3. Better monitoring systems - not just as emails to root, but something better.
And completely unrelated, making a secure-coding class mandatory wherever coding is taught.
Stop the brainwash
tired of rebooting?
*checks win2k uptime*
35 days, 20 hours, 6 minutes and 7 seconds
this is not a server, locked up in some dark room somewhere, with no gui to make it crash, with no techies too scared to touch it because typing 'startx' may take down the whole network. it is my work machine. i currently have 3 instances of visual studio 6 open, one which is running a service in debug mode, another which runs a test app to the service that's running in debug mode, and the third is for working on another project i'm assigned to - up until recently it was also running another service in debugmode, for over 3 weeks if i recall correctly. i run distributed.net, irc, msn messenger, sql server constantly as well. query analyser is constantly open, as is outlook, opera, internet explorer, terminal services, and many in-house applications. i've also got cisco IP softphone running continuously, because of some dumbo IT decision to have software phones instead of normal phones.
i'm not the greatest programmer by anyone's standards - heck, i'd guess i'm only slightly above average. this means that my code breaks (in all 3 instances of visual studio)... often (in all 3 instances of visual studio)... before it gets fixed. strange that my dodgy code, and my "crappy" OS is able to still remain running without any hassles?
so how have i managed to not reboot in over a month?
One comment you often hear from Linux/UNIX people is that their systems can't get infected because all code executes in userspace and cannot do any harm to the system. You can just kill the process/delete the file and all is good again. And if people execute unknown code as root, they have themselves to blame.
But many UNIX worms/virii don't rely on code being executed as root. They spread using security holes such as buffer overflows, and don't need anyone to click on an attachment or execute an unknown binary.
I don't have the links to back it up, but wasn't the first worm ever a UNIX worm, written by a kid whose father was in the security business and told him about security holes in UNIX systems?
I don't think that the OS decides whether a system is secure or not. Sure, it is a factor, but sloppy administrators and developers are to blame as well.
The simple thing is, and I have not seen this commented about, is that there is a difference between human attacks and virus attacks. With Windoze security, any stupid virus can destroy your system.
With Linux, however, the situation is different. Since privilege escalation is not trivial in Linux/Unix/BSD, viruses can generally only exploit userspace. Privilege escalation usually requires human intervention (or, at least, I have never read or heard of a virus that could escalate its privileges on a Linux/Unix/BSD system). This means that Linux/Unix/BSD systems that are compromised are cracked by deliberate attackers with the attacked system specifically in mind. This is as opposed to some dumb bot that tries to infect everything on the net. Why there are not terms for the differences in these classes of attacks I cannot say, but there is no doubt that they are different. I will call them direct (human) and indirect (virus/bot).
Viruses, with the exception of superviruses, are also generally written to take advantage of one or two security holes. They cannot be written to contain every historical exploit that may exist in the wild. So, human attackers have possibly thousands of methods at their disposal while a virus has a few. One of the most commonly known military defense tactics is to get your enemy to attack you from one defensible point. Any enemy with thousands of entrances will find a weak one. Direct attacks are much more powerful than indirect attacks.
The simple conclusion is this: If someone knows what they are doing and wants to get in, they are going to get in. However, it is doubtful that Linux will ever be afflicted to any damaging degree by these silly mass mail viruses that damage your email or even wipe your hard drive.
The weakness of Windoze security is that even indirect attacks work on it.
All data is speech. All speech is Free.
UNIX and lookalikes weren't designed for the would-be user. Still, most users just migrated from M$ will be happy with the out-of-the-box install of RedHat-latest and Apache. That is simply not the way to go. A UNIX takes a lot of time to configure and then administer, and if this isn't done, you might as well pronounce yourself a windows admin.
The key concept of UNIX is its building blocks: you build it from the ground up, not the other way around. A good server install should use the linuxfromscratch OS, with as little installed as absolutely needed. Then you hardify, using your KNOWLEDGE of the system. That's what most users think comes with linux by default. Wrong.
With M$, you get to do what M$ thinks you will do. With linux, you get to do what you want to. The downside is you must know what you want and how to get there.
-i
Morality is usually taught by the immoral.
Once Linux is installed, a typical user would never see the command line, and only needs to learn one GUI.
True, true. I frequent several Linux online communities on a constant basis. Lately (in the last year or so) I've seen an increasing number of complete Linux newbies asking "how do I open a terminal or a console?"
Think about it: they have never even seen the Linux command line. To most anyone who's been using Linux for more than two years (until now) this idea seems inconceivable.
Yet the people turning to Linux for the first time these days are reacting in the same point-and-click manner they would under Windows. Their user experience is limited to whatever they had the luck to get installed by default and whatever they see in the "Start" menu or on the desktop. That's what their Linux experience is born and dies with.
In many cases they don't even think that they could choose a better application than the defaults. They don't know (or care) that they have a choice, they don't know that on Linux you have more than the usual to choose from, sometimes they don't even know how to install new stuff or uninstall the old.
And even if they surpass all of the above, their install tools are limited to whatever the distro provides. Don't let me even start on the "qualities" of various graphical package managers out there in the popular distros right now.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
isn't these wormholes (get it?) but the default mail and web browser programs that come with the os, sure most of the nasty stuff has more or less been patched but getting a user on a dialup to install a number of patches going into the 50+MB range is not going to happen! if they got a notice onscreen saying that they should stop by their local electronics shop and pick up a free patch disk then we would be seeing more patched boxes out there.
then we can start nailing down stupid stuff like a web browser able to install software in the background without asking the user (those porn dialers are a familiar sight) and a mail client that supports in-mail scripts out of the box (big no-no!) and is able to run software without warning users that hello this is a program file or shortcut or something other nasty, not an IMAGE FILE (check yesterday's user friendly for an upbeat look at this :)
i'm damn glad i use mozilla as my default web environment, just need to get rid of that gaming addiction...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
40 single IP
17 mass defacements
Win 2000 (98.2)
Linux (1.8)
Tells a rather different story, doesn't it?
Every zealot in the world needs to get this: there is no *right* OS for everyone to run. Not Windows, not Linux, not BSD, not OSX, etc.
The *right* OS is the one that you feel comfortable with, and which meets your immediate needs. You might even do well by running several (at home I dual boot my game machine depending on what I want to play: EverQuest or BZFlag).
What's more: diversity is very important to resisting any kind of infection, viral or otherwise. If the net were an even mix of Linux, Windows, BSD and OSX, we would benefit from the competition, different security measures, etc.
That being said, Linux already has a great deal of diversity internally, so a virus or worm that wanted to infect Linux systems would have a hard time covering all of its bases. A Debian system would be hard to penetrate if your worm was written for Red Hat or vice versa. It's not impossible to write a cross-Linux worm, but hard. Then you have to deal with differing shells, various degrees of stack protection, radically different end-user software, major revisions being more common and thus software incompatibilities even between multiple hosts running the same vendor's OS, etc.
It's not necessarily a matter of Windows Vs. Linux. It's a matter of open-source mentality Vs. closed-source mentality. Open-source software evolves, naturally. Closed-source software only evolves when the keepers of the code are forced to improve it, and usually only if they stand to receive some money for their work.
It's very hard to beat mother nature. Try developing AI software that's smarter all-around than an average five-year-old child. It's similarly more difficult to harden your OS's security holes in a sterile lab, Vs. letting the planet full of open-source savages hammer away at your source code and then considering their suggestions for improvement.
For instance, RPC has been enabled for use from the internet since Windows NT, and it's been a problem since Windows NT. It remained a problem through NT, windows 2000, and windows XP. It was no secret that:
- c$ shares open to the internet were a problem
- many many boxes had username=Administrator, password=blank
- guest accounts were enabled by default
- psexec and psreboot were freely available
Was anything done by MS to fix this problem? No. Why not? Was it because they're evil and should be equated to the borg? No. It's because MS is profit-motivated, and their bottom line wasn't negatively affected by leaving these problems unaddressed. Their customers would surely have benefited by a fixed OS, but that's not the driving force for a company such as MS.
When the OpenSSH exploit was identified as a problem, it was immediately fixed. Practically ALL the linux distros made the patched version of OpenSSH available immediately, and all subsequent versions of their distros had the patched OpenSSH. Was it fixed because we Showed the Money to the owners of the OpenSSH sourcecode? No. It wasn't an issue. Mother nature dictated that it was time for OpenSSH to evolve, so it improved or it died.
Those that don't look at these issues as matters of principle deserve what they get. Those that continue to ignorantly use closed-source and proprietary-file-format OSs and software, placing all their sensitive accounting and other business data into closed-source developers' hands, have no one to blame but themselves.
I'm not saying that everyone should train themselves to be a ninja programmer and write their own software. Business owners need to hire intelligent IT staff, and treat that aspect of their business with the respect that it deserves.
The IT decisions (apache Vs. IIS, outlook Vs. ANYTHING_ELSE, exchange Vs. IMAP, Windows Vs. Linux, MS Office Vs. OpenOffice) should get the same attention as accounting decisions, legal decisions, and HR decisions. That's not usually the case though. If the business owners don't know the right answers, they should hire at least one or two seasoned IT veterans to advise. Many of these unpatched business computers are the result of sloppy hiring at the upper IT level. If competent people manned the upper IT positions, better firewalls would be established, PCs would be patched, and possibly there'd be a little bit less closed-source, closed-file-format, proprietary software and OSs in use.