Is Linux as Secure as We'd Like to Think?

man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

Psychology plays a role

[Brento]

First, the user base for Linux is inherently more systems-savvy and internet-knowledgable than the Windows user base: it comes back to the old Linux-on-the-desktop argument. As long as you've got less systems-savvy users on a particular operating system, it will be more vulnerable to attack. As a result, people with more tech knowledge tend to also run a more secure system - just like my lawyer friends know not to let the cops search your car.

Anti-establishment psychology also comes into play: for example, you don't see anti-business graffiti on your local coffee shop, you see it at Starbucks. When people want to make a statement about animal cruelty and food, they often picket at McDonald's - not the local Mom & Pop restaurant. Why? Because it's perceived as cool to go after the big business. Writing a Linux virus isn't nearly as cool as taking down Microsoft. The recent viruses attacked Windows Update for a reason: to make a statement. Calling Linux secure because people love DDOS'ing Microsoft is faulty logic.

Re:Psychology plays a role

Maybe skilled users make the difference, but not in and of itself. Otherwise we would expect to see heaps of security problems/viruses with Mac OSX boxes.

Re:Psychology plays a role

[Brento]

But isn't the point that Microsoft IS the biggie out there, and Linux isn't, but we all (well, there is an assumption here) would like to see that reversed? If that's true, then your arguement is effectively null and void.

That's actually the point: there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames, and Linux take its place. Those people are more technically inclined. While I would never go so far as to say that Linux people purposely write virii to take down Microsoft, I certainly wouldn't say that Microsoft users are the guys writing virii to take down Windows Update. You don't bite the hand that feeds you, and I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.

Re:Psychology plays a role

[511pf]

People don't go after big business because it's "cool." People go after big business because it's visible. It gets their message across to more people. Big business is also a target because any change in business practices has a wide effect. If McDonalds increases their food safety standards, the change has a real effect on national food safety because of McD's sheer mass. In addition, other fast food chains will follow suit to avoid bad publicity. Going after McDonalds isn't "cool." It's effective.

Re:Psychology plays a role

[Dog+and+Pony]

the user base for Linux is inherently more systems-savvy and internet-knowledgable than the Windows user base

Or so they would like to think...

I'm not so sure. There are lots of those savvy and knowledgable people on Windows, just as there are lots of "k3wl, I'm so 1337 d00d, because I run Linux and not M$ Winblows" amateurs out there.

I think you'll find the average Linux user to know a bit more about computers yes, but to make the assumption that Linux users are "inherently" more secure users is just begging for trouble.

And furthermore, lots and lots of Linux users are most likely too confident because they are so savvy and knowledgable. Hubris is dangerous on any platform.

Of course, since we all want to feel special and look down on some other group and be "better" than them, that is not what people want to hear around here.

Re:Psychology plays a role

[KrispyKringle]

You make a good point; one of the explanations I've seen for statistics similar to those the article posting cites (61% of defaced machines being Linux) is that when an amateur wants to set up a personal website on his cable modem, he doesn't usually install IIS. He installs Linux and Apache. When he wants a really basic comment board or CMS, he uses PHP-Nuke. For his e-mail server, he uses Sendmail.

Yes, I've ran into hobbyists running IIS for fun--by which I mean I discovered his CodeRed infected box on my network--but the cost of a Windows Server license is prohibitive of amateur use, even if plenty of people just pirate it. So in the end, the inexperienced users with no time to spend securing their boxes turn to RedHat with Apache and Sendmail. Which isn't necessarily a bad thing. If I had to choose between Linux or Windows for which to leave alone without regular maintanance, the choice is pretty clear.

Re:Psychology plays a role

[I_redwolf]

Ugh.. this is so inherently based on faulty logic itself that it's beyond the scope of a comment to explain but I will try.

Unix and Unix like systems are based on a simple and easy concept when it comes to security. That is, if you don't have what is known as "root" you don't get to do any damage to system resource files.

Windows operates on an everyone is root notion, allowing anyone to make changes to system resource files. Not only that but because of the way Windows is designed where everything is mashed together, when one card falls so does the whole deck.

Unix and Unix-like systems operate on one tool for one job and with inventions like the pipe and IPC ta whole host of new functionality becomes capable just by passing output of one program to the next.

That's as simple as I can possibly explain it. I'm not saying Linux is the most secure thing since sliced bread, I'm simply stating the facts, and the fact is that Unix and Unix-Like systems tend to be more secure because they were DESIGNED that way. Windows was not designed with security in mind and the fact is that it is less secure.

All the other linux virus writing is less because windows is so prevelant hippy bullshit I'll save for PHB's. If you really believe that I've got an SCO license to sell you too.

Re:Psychology plays a role

[Malc]

Rubbish. My employer bought a company that was deployed on RedHat 7.0. We are a MSFT only shop. Let me tell you, those RedHat servers were in worse condition than our Win2K boxes. The servers have been exploited as spam relays (very old formmail) amongst other things. It's pretty bad when a software engineer (me) has to come in and get a server running properly due to the incompetence of the IT staff. They had all kinds of stuff installed that should never have been there. They never cleaned things up. Based on that, I would say there are probably other Linux boxes out there administered by idiots.

Re:Psychology plays a role

[Zeinfeld]

True, at this point. But isn't the point that Microsoft IS the biggie out there, and Linux isn't, but we all (well, there is an assumption here) would like to see that reversed? If that's true, then your arguement is effectively null and void.

I can't say that replacing a Microsoft monoploy with a Linux monopoly looks like any advance to me. Linux development is still way behind Windows in terms of features, in particular security features. Security does not only come from lack of bugs, it is also a matter of support for security features and tight integration of those security features.

Microsoft has in the past done baddly on the bugs side of things, but in the area of support for security featurs it has no peer. Windows 2000 has PKI and Kerberos security embedded deep into the core of the O/S. Sure you can get add ons for Linux to provide features like an encrypting file system, but you don't get deep intgration so you end up having to choose between the encrypting file system and the journaling file system. Same goes for Kerberos, you can add a Kerberos package onto Unix but you don't get the same tight integration you get on Windows 2000.

The virus issue is also rather more complex than some make it out see Phill H-B's security blog. The basic point here is that to propagate a virus needs to infect an average of more than one new host each time it spreads. So it is much harder for viruses to spread on a platform that represents only 9% of the population than 90%.

The problem with all the Linux boosterism on the security issue is that many of the 'facts' being asserted are nothing of the sort. If you ignore toy O/S that do not use protected memory such as the Mac before OS-x and the Windows-95 flavors Unix has historically been no better than comparabloe platforms. OK so there are few security vulnerabilities reported in the UNIX core, but that is the same for Windows. Most security bugs turn up in server code running at application level. Sendmail has been considerably worse over its life than IIS.

The problem with the complacency in the Linux camp is that Microsoft shows every sign that it has the security religion now. The recent spate of Microsoft patches are mostly for bugs Microsoft themselves discovered during their code reviews. Windows 2003 now loads the way a secure O/S should - in installments starting from a minimal core functionality.

Sure Linux can keep up, but only if developers respond to the challenge rather than sitting arround congratulating themselves on how much better they are. That seems to have been classic behavior of previous would be Microsoft challengers who lost.

Re:Psychology plays a role

[Zeinfeld]

Yeah, potential buffer overruns sit in places no one would think about (hence all those bind/sendmail/iss/rpc holes...) Except that a buffer overrun in a well-configured unix system won't allow your normal cracker to do rm -rf /.

This is one of my pet peves when folk start blathering about how insecure Windows is. The buffer overrun is essentially an invention of the C programming language. Before C nobody thought of writing language compilers without bounds checking on arrays.

The answer to buffer overruns is not to try more care. The answer is to switch to programming styles and languages that prevent buffer overruns.

This is not too difficult even in standard C if you do all string handling through macros that are thin wrappers to the bounds checking code that Dennis Richie left out. A much better answer is to switch to C# or Java where the problem is caught by the managed code environment.

Re:Psychology plays a role

[xenoandroid]

I think your underestimating the inteligence of some Mac users, sure there are some dimwits out there (they exist on many OSes), but they were at least smart enough to not use Windows for something they can do easily on another OS. From what I've seen, there is a lot less common sense in the Windows community than there is for other less widely distributed OSes. Many will download and run anything in their email no matter how many times they hear "Don't download strange attachments and run them".

Re:Psychology plays a role

[Ro'que]

I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.

Looks like you need to get out more, then. That's a pretty broad and ignorant statement. Equally broad and ignorant statement: "I've never met someone who has been laid and simultaneously preferred using Linux as his/her desktop OS."

No, that's not how I feel. Yes, I do support Linux and the open source movement, but I don't believe in unreasonable and illogical statements against the opposing "camp" like claiming that not one of the millions of Windows-by-choice users are smart enough to write a good virus.

Re:Psychology plays a role

[Zeinfeld]

I feel you are either miseducated in the matter, or a very good troll - I'll assume the former.

Lets see, I have worked with eight Turing award winners, I have designed operating systems, databases and security systems. I am the editor of several current standards. I have no need to troll. Sounds like your definition of 'miseducated' is 'holds a different idea to me'.

The issue of whether or not things are 'integrated into the core' is a good example of the key design philosophy difference between UNIX-type OSs, and MS OSs, although I was given the impression that MS OSs were going more towards UNIX in this regard.

I am probably better informed about the state of MS security system design than any other person who does not work for them and is not a contractor. You are wrong in this assertion on two counts, first the extreme modular nature of Unix has historically been considered a security weakness, second Microsoft is not moving towards Unix. Windows NT has always been a micro-kernel design.

The problem with the bolt on approach is that there is no consistency of use in the Unix framework. You can add Kerberos but you have to separately Kerberize every application. Same for integration to a domain server or any other infrastructure.

The problem is that Unix is not really a modular architecture, it is a patchwork quilt. In a true modular architecture there is one interface to the security subsystem and a sysytem installed there will affect every application. Unix simply does not support that type of interaction. The fact that it is composed of separate modules is irrelevant, all O/S are written as independent modules. The issue is whether those modules interact in a coherent manner or an incoherent one.

Unix regretably flunks that test, although propagandists will try to deny it.

Re:Psychology plays a role

[Tony-A]

Unix is simply designed and developed much more with security and securability in mind.

From an old fart, I gotta take exception to that.
The design is from Multics, which is arguably secure, down to something that is doable on a departmental minicomputer. The design doesn't preclude some degree of security but all the emphasis is on getting something useful done. That said, Unix probably does manage to get the most useable security out of the fewest bits theoretically possible. I suspect that Unix is as simple as it can be and have any pretense to security.

NT does have security "features". It has lots of them, and they take lots of bits. They are stuck in strange places. If I have a lot of files to manage, I will not be using those features. I do a DIR. I see date and time and file size. No security information whatever. Must not be important.

Unix, if I do just an ls, just gives back the file names. If I do an ls -l to see dates and file sizes, back comes a mess of x's and hyphens. Must be important. Further, these are in my face every time I'm looking at files.

Multics was designed to be secure.
Unix wasn't.
Windows was designed to be able to claim the most "features"

Copy a directory from one place to another, where you don't have permission to read some of the files or write some of the targets.
Windows will give a pop-up and die when it runs into trouble.
Unix will copy what it can and give you the error messages with it dying breath.
Windows security. Even a little bit can be too much.
Unix security. I haven't seen it get in the way, and I haven't really got into groups yet. (Big gripe. I can't have NT users and groups with the same name. Stupid.)

Re:Psychology plays a role

[reallocate]

You're both equating intelligence with knowledge of a specific computer system. That's completely bogus and more than a little techno-elitist. It's a bit like arguing that backyard mechanics are more intelligent than Linux geeks because they fix their own cars.

What someone does or does not know is not a sign of intelligence. It is simply a sign of what they know.

One would expect Linux users to be more system savvy than Windows or Mac users because a Linux distribution typically takes some study to configure and to put on the Net.

If/when Linux becomes a significant part of the shrinkwrapped desktop market, the need for self-study to make it usable will diminish (otherwise no one but geeks will use it).

Short answer No, Long answer Maybe

Personally I have all my end-users sign on as root. So far so good

Re:Short answer No, Long answer Maybe

[deranged+unix+nut]

..sigh..

I wish this were so funny. The last two VARs that a business I know of has gotten accounting systems from have configured the systems so that all of the users did log in as root.

Re:Short answer No, Long answer Maybe

[johnlcallaway]

Wanna hear something sad?? I have Unix developers who want root access because when they type 'find / malloc.c', it returns too many 'permission denied' messages. I tried to explain that if they tack on '2>/dev/null' onto the end, the errors messages would go away and they would still find their file.

Their response?? That's too much work.

It doesn't make any difference how tech-savy someone is. Secure systems by their nature prevent access to features. If the perception is that it takes longer to get something done because of the security, people want security turned off.

That's part of the reason why M$ so insecure, Bill Gate$ has made it too easy to use. My fiancee runs her XP laptop without any login, just turn it on and there you are. So much for security. I gave up trying to explain to her why she needs to login to use it. The standard answer is it takes too much time.

I guess getting to email and solitare quickly are more important than making sure all the personal data she has on it is safe.

I think its the apps

[tlacicer]

I think website defacement and Linux security are 2 different issues all together. From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of of the operating system or the web server for that matter. It was only a security hole in one php script. This security hole was identified and patched rather quickly but I failed to apply the patch in a timely matter. But the rest of my websites were fine along with the rest of the services running on that box.

My opinion is that there are a lot of free / cheap web hosts out there running OSS and a lot of people publishing web pages and message boards using scripts that someone else wrote and not updating them.

I would like to see a comparison on the types web pages that were defaced and what was actually done, I bet most of them had nothing to do with operating system the website was running on.

Re:I think its the apps

[sphealey]

First, arrogance preceeds a fall, and that is as true of system security as anything else. So Linux users/admins should not become complancent/arrogant

IE and Outlook are not the OS,
no matter how much MS winges
about IE being intergrated into the
OS :)

Still, I have to disagree with you a bit here. Internet Explorer is very deeply embedded into the core OS. And other technologies are quite deep as well (ever try fully removing Windows Media Player from a W2K Server build and keeping it removed across service packs? Not a trivial task - but what the heck is WMP doing in a server build to begin with?).

This intertwing of core functions with much less secure access and presentation functions does IMHO make Microsoft products less secure by design. There is also the issue of Bill Gates deliberately creating a corporate culture where everything has to be reinvented from scratch. Well, sometimes the work done by other people was good work, or done for a resaon. People inside Microsoft seem to miss that thought a lot.

sPh

Re:I think its the apps

[BrynM]

I think website defacement and Linux security are 2 different issues all together.

Exactly! People tend to trust website "packages", like PHP-Nuke or site building applications a little too much. They tend to assume that someone has already fixed whatever security holes may be in it. When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing. Since these sites usually end up being run on Linux and Apache, Linux and Apache get blamed when the site is defaced, when the actual weakness that led to the defacement was in the PHP/HTML pages themselves.

I don't expect everyone to know how to clean up security for a PHP site, but if they decide to use what they don't understand bad things will happen. If you know a novice that wants a site, start them out with some static HTML rather than let them use whatever code strikes their whim as "neat", "shiny" or "cool". Explain to them that they are learning how to eventually do the "shiny" stuff, but they need to learn how to use it safely first.

Re:I think its the apps

[commodoresloat]

From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of of the operating system or the web server for that matter. It was only a security hole in one php script.

I think one could say the same about Windows, no? It has nothing to do with the security of the OS if hackers find vulnerabilities in a commonly used application (e.g. Outlook).

Re:I think its the apps

[PetWolverine]

Similarly, though, most MS worms and viruses exploit not holes in the operating system, but holes in various common programs that are Windows-specific. Blaster is an exception, but SoBig and Slammer are excellent examples--one exploits Outlook and the stupidity of many users, while the other exploits a small hole in Microsoft's SQL server. Neither, strictly speaking, exploit flaws in Windows itself. Even Blaster exploits a flaw in a network service that at least shouldn't be part of the OS, at least by the *nix OS-design paradigm.

When determining how secure an operating system is, it is essential to take into account the security of all the various programs people will run on it. Linux itself is very secure, but mostly because it doesn't do anything; all the potentially dangerous work is left to other programs, which often screw it up. Take a look at sendmail, for instance, and try to tell me it's more secure than a Microsoft product. Looking at security from this perspective, Linux isn't really an operating system, but rather the whole *nix category should be considered (in many ways) one OS.

When determining the security of a particular system, not only does the specific implementation of *nix become relevant, but the programs you run remain relevant--only now it really is the programs you run, not the programs that are available. Obviously the next root exploit in sendmail won't affect me if I'm running postfix. If I instead write my own mail server (just to keep the same example), it might be very secure through obscurity, but (since I'm a sysadmin, not a programmer) it won't be very fundamentally secure.

Basically, security is a lot more complicated than simply "Windows sux0r5." Bad programming and bad configuration can make any operating system insecure, and assessing the security of a particular system is quite a different thing from assessing the security of an OS in general.

But are we talking about the same thing?...

[mrdlcastle]

I think we are correct in saying that Linux is more secure than Windows. When we are talking about just the operating system, then we can safely say that it is more secure.
Of course as we add applications to any system that system becomes more vunerable.

It's just that Windows starts off vunerable and gets worse as we add more apps (ie, Web server, ftp server, etc.).

scewed results?

[iamkrinkle]

Does this take into account the # of linux servers vs. windows servers? If there are significantly less windows servers, then this isn't all that significant. If there are less windows servers, but just as many break ins as linux, then windows is still more insecure despite the fact that they have the same number. they have more per machine. i hope that made sense =)

The Only...

[strateego]

The only real way to secure a computer is to pull the power plug out of the wall. If you spent time mantaining your computer, keeping it up to date, and you know what you are doing their is little chance that you will have major problems. Anybody who puts a linux system on their network and doesn't update it is likly to have their system exploited.

Something to think about:

[Anonvmous+Coward]

Species of Windows Programmer: Human
Species of Linux Programmer : Human

Chances of human error making it into the code: Equal

Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?

Re:Something to think about:

[Anonvmous+Coward]

I wish people would understand what I'm saying instead of feeling like Linux needs to be defended.

Linux may have a better foundation to work from in a security point of view, that does not in any way negate what I said. I had a Windows NT webserver that was up for 2 years without being exploited. I replaced it with a Redhat/Apache box thinking I'd be even more secure and within 2 weeks it was rooted.

This is not Linux's fault, it is entirely my own. I felt a false sense of security and didn't stay up to date with the machine. With Windows, since it was always under attack, I constantly checked it to make sure it was hardened. If I had been vigilant, like I recommended in my original post, I would not have been rooted.

Instead of cooking up an argument, think about what I just said. You're not secure. It is as simple as that.

Ha - Ha! (Nelson voice)

[Outland+Traveller]

Looks like some of that "defacement" is happening close to home.

view-source:http://www.zone-h.org/

DB connection failed ().

Social-engineering != Virus

[RealityProphet]

Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would [be] lower for Linux than Windows?

Absolutely not! These are not viruses that exploit bugs in code. These are socially engineered programs designed to get the user to run them.

You can't make the argument that the "average intelligence of the linux user" is higher than joe-sixpack's because if we are talking about linux-in-the-mainstream, then the "average linux user" will be joe-sixpack! Also, you probably can't talk about the fact that it isn't as mind-numbingly easy to run a scipt in linux as it is in windows, since those arguments contribute to why linux isn't mainstream in the first place!

Re:Social-engineering != Virus

[Gherald]

> These are socially engineered programs designed to get the user to run them.

Re: Approved

Please log in as root to accept this offer...

Re:Social-engineering != Virus

[IntlHarvester]

A unprivileged Unix user can parse an address book, delete MP3 files, and send mail. In most cases they can also run a proxy server on a high port. So, "root" isn't much protection against these viruses.

In fact, I'd argue that the whole timesharing SuperUser vs Peon security distinction is a fundamentally broken design for how most people use Personal Computers. It's a relic of minicomputing. On a modern PC, virtually every user needs some administrative rights, and almost everyone wants to run "untrusted" programs such as file sharing and so on.

It would be great if we could chuck the whole user-based system in favor of some sort of role or program-based model where programs have privileges based on what they are rather than who is running them. But since both Unix and Windows are heavily based on the user-centric model, that's going to be very difficult.

It's only as secure as you make it.

[bartyboy]

Or your admin makes it.

I used to run an old distro (RH 5.1) for the longest time (it had everything I needed) and it was full of security holes after doing the install. But disable some services, update some packages and presto - you're ok to go.

It's the same thing with Windows - check out the services turned on by default after installing Win 2k. Half of them will never be used by a home user.

So patch your box, remove unnecessary services and you should be alright. If you know what you're doing, you'll be ok.

Updates on Linux

[rantenki]

I just install a vanilla Redhat on all my boxes. They get rooted within a few days, and the hax0rs take care of the security updates for me. Course, I can't log in as root anymore, but hey... that's a feature.

Security through obscurity

[defile]

Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would lower for Linux than Windows?

Anyone can write a worm that leverages a security hole in a default service of a default Red Hat Linux install. Or Windows XP Home Edition.

However, it takes considerably more skill to be able to write a worm that can target vulnerable services across multiple distributions of Linux, multiple versions of each distribution, etc.

As long as Linux evilware continues to exploit C program unchecked boundaries, a single universal worm that can effective exploit every potentially vulnerable Linux system remains highly unlikely.

How about this?

[wadeb]

Linux is less vulnerable because there are fewer identically configured machines on the internet.

One of the things about Windows is that there are so many copies out there that are all configured the exact same way, if a flaw is found in anything you have an instant worm possibility.

With Linux there are so many distributions, each with their own initial configurations and setup types that a worm would be hard pressed to find a common exploit.

Not that the internet hasn't been shut down by a UNIX worm in the past, that is... :)

It's easy

[brooks_talley]

Windows web defacements are the fault of a crappy, inherently insecure operating system from a criminal monopoly.

Linux defacements are the fault of stupid admins who can't be bothered to install the latest patches, or who are too incompetent to install the OS and configure it for security.

I thought everyone knew that.

Cheers
-b

Just my 2c...

[dark-br]

I've seen people on Windows machines probed and hacked while they were online on IRC, in real time. Any passably competent cracker should be able to take control of a Windows box in short order. And Microsoft is well known for being slack on security matters. Always has been. And VB and the other tripe they've grafted on to their products multiplies the possibility for hacks by an order of magnitude.

Yes, there are Linux hacks, though far fewer than Windows hacks. And I see the buffer overflow vulnerabilities and such that come out weekly for Linux software. Many of those vulnerabilities are theoretical, found by a perusal of source code and never actually taken advantage of. And the Open Source community fixes these _far_ faster than Microsoft will ever fix theirs.

Oddly, some of the foremost security guys (Bruce Schneier, for example) state very explicitly that Open Source software is far better security-wise than any closed source software (read Windows). And they explain the reasons in great detail. And there are several people on this list who deal with both OSes on security matters on a day to day basis, and I'm pretty sure they'll attest that Linux security is much stronger than Windows.

If nothing else, a Linux user can determine and control open ports, running services, and create firewalling rules. Windows users think a port is something a ship pulls into, and a firewall is something in their cars.

Re:Just my 2c...

[BrynM]

.And I see the buffer overflow vulnerabilities and such that come out weekly for Linux software. Many of those vulnerabilities are theoretical, found by a perusal of source code and never actually taken advantage of.

You bring up an interesting point. I bet we'll never see Microsoft patch a theoretical exploit. They seem to see patching as a reactionary process rather than as bug tracking. "If it aint bad PR, then don't fix it." - Too bad that attitude still leaves it "broke".

Social Engineering

[Ieshan]

Modern viruses work by two major routes:

A) Exploits
B) Social Engineering

Exploits are hard to stop without patches. Get enough unpatched systems, and your virus spreads. There are a lot of guilty linux users here, I'm sure: people download software all the time without checking it's security. People run software daily without bothering to check for updates. It happens.

Social engineering, however, is by far the most widely used virus tactic. It's easier to fool a user than to fool a well-secured computer, says this adage. The basic premise fails under linux: it's really, really hard to get someone to run malicious code that you want them to run. Most linux users are above-average on the computer-tech-savvy curve - I would say that the mean computing knowledge for an average linux-desktop user is above the 90% mark on a curve of all computer users.

This means linux users don't do stupid things as readily. The subject line RE: DOWNLOAD MY NEW SCREENSAVER with the attached .tar.gz isn't likely to fool many people. I have a hard time believing that most SoBig victims are those who know what Bayesian filtering is; actually, I have a hard time believing that most SoBig victims know what Inbox means.

Furthermore, it's tough to write code that will run without a hitch on everyone's system, as there's so few distro standards. Also, as email virii work, with linux being a small desktop percentage, it's tough to get emails into the boxes of most Linux users.

Last but not least: There are few people who want to see Linux die. The rivalry doesn't work in both directions. There are thousands of anti-MS'ers, but a sad few anti-Linux'ers (SCO not included. =P). What would the protests be? "Hey, assholes! Keep your free operating systems off of our clean hardware! You're ruining good pentium chips by corrupting them with something non-proprietary!" etc.

Just a few points. I'm sure there are better ones.

From considerable experience lately,

[Sevn]

I do contract work. A HUGE bulk of it lately has been doing security audits on companys running old redhat, old plesk, or both that have been hacked by shit brazilian hacker groups like "Hidden Wrestle" and "Securinos". They hang out on irc.brasnet.org all day looking for webhosts using old plesk and old redhat. It's an awesome excuse to migrate people to FreeBSD and webmin. I've done quite a lot of that lately. They freak when they see the cost of the latest plesk and enterprise redhat. It makes selling them on FreeBSD and webmin/horde/squirrelmail/usermin/virtualmin/etc. very easy. So as long as people insist on installing 2 year old redhat and plesk 2.5 and never updating it, I'll have plenty of work removing eggdrop and psybnc from machines, and migrating people to FreeBSD. I'm starting to look at BMW's again.

It's more complicated than all that.

[dwheeler]

The arguments are all far more complicated.

An unmaintained system is almost always more vulnerable than a maintained system, no matter what they are. Also, I don't know how secure you'd like to think GNU/Linux distributions are - they're made by humans who make mistakes.

But the recent attacks certainly give evidence for th e Linux crowd. XP comes with multiple open ports by default, by default doesn't enable a firewall, and its mail reader by default runs arbitrary programs sent by attackers when clicked. Typical Linux distributions have no open ports by default, use a firewall, and don't stupidly trust attackers to send them "nice" programs when clicked.

The notion that Linux systems are immune is fundamentally wrong. Linux systems do make design choices that make them rather resistant. But it's all more complicated than "X is always more secure".

Linux Security

[FsG]

Linux isn't secure; it's securable, and if you simply throw a default RedHat install onto the web, then you're missing the whole point and effectively negating all of the security potential that Linux has to offer.

Both Linux and Windows must first be properly patched and locked down; the differences between the two are:
1. Linux's security model, when properly used, makes it harder for an intruder to go from "foot in the door" to "root access."
2. In the case of Linux, you won't have a whole new set of remote root exploits that need patching 6 hours later.

Re:Numbers!

[Brento]

Hey, if I told you that one in every two Ferrari F-40's explode for no reason, but only 1 in every 1000 Honda Civics explode for no reason, which explosions are going to be more noticed?

The Ferraris, because nobody important drives a Civic.

Knock off balding middle-aged, filthy rich tycoon, and that'll get more press than offing a bunch of morons who put rear spoilers on front-wheel-drive cars.

But I digress...

Only As Secure As The Person Running It

[nuintari]

Linux itself, and any OS can be very secure, in the hands of a competant admin. Its when you get a moron in command that the integrity of the system goes down the pooper. Even OpenBSD can get owned if a moron is running the show.

And remember: Website defacements are often a level above owning the actual server, PHP Nuke has an awful track record, with new holes found all the time, and other site management software is vulnerable as well. Crois site scriptingm, cgi exploits may allow a level fo access to a site, or even compromise a user level account, but in the hands of a skilled admin, this is nothing compared to a fully suvccessful root exploit, and can eb dealt with.

And fo course, no matter how good you arem, if you allow remote root ssh conenctions, and your password is "demiguru" for every account you have anywhere, well then, your just a dumbass. Yeah Nick, I am talking about you.

Law of averages

[Schnapple]

Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

Because there's fewer of you (not myself a Linux user) and as a result the law of averages says it's less likely that it will happen. And let's be honest - smarter people run Linux. They're not smart because of Linux per se, but people who run Linux know what they're doing, usually. Lots of Windows users don't know what they're doing (think parents and grandparent types).

But if Dell shipped 95% Red Hat boxen, you'd see a lot more Linux worms show up. Maybe not as many as Windows, but still...

it's a lot of factors...

[pavel_pod]

It really is the COMBINATION of factors:
* number one reason is probably that most user desktops are windows;
* an average linux user is a lot more technically savvy than an average windows user, and is much more likely to understand the importance of applying patches [my non-technically oriented friends ALWAYS IGNORE those "updates are ready for installation" messages];
* as a lot of posters have mentioned, Linux systems can be made more secure (open source, security-minded design, ...) -- if you know how;
* I'd guess people who create these things might use MS hatred as an excuse;
* there is greater diversity among linux software, whereas most people use outlook/msie on windows; (maybe to a lesser extent,) same is true for OS versions; this makes it easier to target MS.
* (Probably more that can be added here.)

Here's my rant on human stupidity...

[Art+Tatum]

I think it's a little more than just being savvy. One problem is that an awful lot of Windows users have very screwed up ideas of how their computers are supposed to function.

For instance, they don't think having to type in a password to run Setup.exe is even remotely reasonable. Their view of the computer is: "if I want to do something with my machine, I should be able to just do it. Don't put anything in my way." And if they were forced to take precautions, their password would end up being something like 'a'. And a regular schedule of changing passwords? Forget it.

Another example, a little more relevant to this case: people want their email for sending dirty pictures, HTML joke pages, funny Flash or Shockwave animations, Active X games, etc. They'd be bored to tears if they had secure email. And they'd be pissed off at anybody who was responsible for it. Have any of you guys ever taken heat for banning popular but incredibly insecure software at your site? Or spyware.

And it's astounding how many supposedly intelligent people (programmers) who have you in their address books end up sending you virii because they were stupid enough to continue clicking on emails about 'Hot pics' or those 'Snow White and the Seven Dwarves' emails. Sheesh.

All this is not to say that Microsoft doesn't have some basic architectural issues--they do. But the unreasonable demands and silly behavior of many users more or less prevents them from changing any of it. And when they do change it, people ignore it for the sake of convenience. It's been possible to run as an unpriveliged user for a long time with Windows. And it's not difficult to do. But guess how many people actually do that.

Re:Here's my rant on human stupidity...

[Politburo]

Oh blah blah blah. This is the same old tired shit of "Windows user = stupid, Linux user = smrt". The reason Windows users have these misperceptions (yes, that's what they are) is because that is simply what they are used to. In Win9x, 3.1, and DOS, there were pretty much no passwords. To suddenly think that millions of people will overnight realize that passwords need to be commonplace for security is asking way too much. We are currently in a growing period in computers, and the worms around now are the growing pains. If people that are knowledgeable about computers acted nicer towards Joe User and explained the rationale behind passwords, and not running as root/admin, instead of being l33t and condescending, you might see a little more positive response.

Re:Here's my rant on human stupidity...

[Lemmy+Caution]

As a technical person who communicates well with non-technical people, I have to say that the failure of communication is almost always with the technical person.

Being more concerned with being seen as smart and informed than actually providing coherent information, spending too much time on irrelevant details instead of providing step-by-step instructions on what has to be done, geek inferiority complexes leading to arch, grating deliveries, a failure to listen and understand the end-users needs - I've seen it all. And I've almost never met an end-user type whose technical behaviour I wasn't able to amend for the better.

Too homogenous systems are dangerous

[pere]

"I love you" and "soBig" both happened because too many people are using Windows, not because Windows in itself are insecure.

Any homogenous system will always be voulnerable to these kind of attacks.

The problem with any homogenous system (ecological, social or digital) - even if it might be very effective and streamlined when it works - when one of the units fails: all fails.

The key to building resistant systems, is making them heterogenous. Nature has figured that out millions of years ago. The key to securing a species survival is variance.

The same goes for computer systems. When 90 % of the computers are running Windows, Office, Outlook, viruses like ILoveYou and soBig have disastrous effects. (The fact that there are several versions of Windows, with different SPs installed, is making it a lot harder to write effective viruses).

My biggest fear is that Microsoft will end up with a susbscription system, and automatical updates. This could lead to a totally homogenous computer park... it is bound to be disastrous..

full-time Linux users are more savvy

[SHEENmaster]

It's those communist dual-booters that we have to worry about.

Hitting a moving target

[The+Tyro]

That's an excellent first post.

I think you are about half right about the first point... how many really clueless users do you know that run linux? To run linux, a person has to get over the "activation energy" of actually getting it installed. This goes beyond just having a pretty GUI installer rather than some text-based option... it's actually knowing how to answer the questions the installer asks: How many joe-sixpack guys even know what an IP address is? Or know their primary and secondary DNS server addresses? If some well-meaning geek has installed a linux system for their grandma, they probably set up IPtables and killed all the unnecessary services... that's a HUGE security advantage right from the start. It's amazing what a clueful install can do.

But onto your second point. I think it has more to do with the variety of linux users/systems rather than their iconoclastic attitudes (though the latter probably breeds the former, so in a way, you could be right). As a medical professional, I'd compare it to a genetically heterogeneous population. In a MS-centric environment, there's only so many ways to skin a cat... Win2K, WinXP, et al. That lack of variability has administration advantages, but that sword cuts both ways. Common systems are easily administered, but just as easily cracked if they share a common vulnerability.

In nature, genetic variability is your friend... keeps an entire population from being wiped out by a plague. The Cystic Fibrosis gene is a defect, but saved some people from death during the cholera epidemics of the middle ages, and the gene has stayed in the northern european population ever since.

Variation on systems is FAR more prevelant in the linux world. Different kernel versions, different daemon versions, different firewalls, different configs (chroot, etc). Add that to a tech-savvy population, and a successful linux worm becomes a serious challenge.

It's really apples and oranges to compare linux and MS environments.

Operating System Transparency and the Application

[Above]

There are really two different problems when it comes to securing against worms and the like, and for the moment I think Linux (and any Unix) has an advantage in both areas, although it's probably not as big as many people think.

First you have to look at what a rogue program can do once in the system. For this the entry vector is unimportant. With most Unix like systems the default is for the user to not have full privilages (eg, not be root), and thus the rogue program cannot make full use of the system. That doesn't mean it can't complete it's mission, but it does make several things much harder:

• Hiding from the user / administrator. Almost all rogue programs try to hide. When a user only has disk permissions to their own area, and not to the entire machine there are fewer places to hide. Also due to differences in the system it's more routine for users and administrators to be presented with system data (eg, ps output) and it's easier for the administrator to collect data about programs running (ps, accounting, lsof, netstat). I know, you're going to say all that can be done on windows. The problem is windows goes to great pains to make the average user, and the average administrator not know that.
• Automatic execution. To better hide rogue programs often don't want to run all the time. Again, by design most users can't edit startup files, or couldn't append a wrapper around a standard system program on a Unix like box. Indeed, many users have no programs installed in areas they can write to. Windows on the other hand allows users to add TSR's and edit all the applications, allowing a Rogue program to hide almost anywhere.
• Built in defense mechanisms. Almost all Unix flavors come with some defense standard now. Mostly in the form of nightly scripts checking for SUID programs and the like. Some are more fancy, some less, but at least there is some attempt out of the box to notify the user / administrator of a problem.

The main issue is, most of the operating system differences don't mean much, as it's the applications that are the holes. From the simple password in a URL, to a complex buffer overflow attack applications are very often the vector into the system. Here you have to separate the cultural differences from the application differences.

Cultural: Many Unix users still used text based mail clients in xterms, and even when they don't the GUI's were designed to more closely mimic the behavior of those interfaces. Attachments are evil, when run are generally carefully handed to a program as data. In windows virtually all mail programs are graphical. Many users demand them to implement things like javascript that auto-execute, many of them will happily run a foreign attachment with little more coaxing than a mouse click. At the end of the day these differences require user education. That may be helped by a transparent OS, but it's still a user education difference.

Application Differences: Windows (Microsoft) encourages developers to build tightly coupled applications. Look no further than OLE. That ability to embed excel in your word doc and have it just pop up over the UI requires a tightly coupled API for program to program interaction, generally exposing full interfaces. Rogue programs can exploit this, often not needing to know what application is in use, but rather just the API. Unix developers / enviornments generally encourage a loosely coupled behavior. Programs provide some command line / pipe oriented service and handle all their own details internally. You need only look as far as printing to see this quite well, as windows pushes driver bits into the application to change behavior, while unix makes it all happen with a "system()" command running a new program.

At the end of the day, I believe the following statements are all true:

• Windows is targeted because it is the dominate platform, and rogue programs generally want to have the highest chance of suc

Re:How I see it...

[mikolas]

"For an end user its obvious since in windows you are always the admin (even in winxp where you can finally really change the power of the user, a lot of shit doesnt work right unless you are the admin). This basic security difference is HUGE."

Well if you just for one second assume that a Windows user is as competent as a Linux user, this sentence just does not make any sense. I haven't been running as administrator on Windows since NT4. I know how to use "Run as a different user" just as well that I can write sudo in Linux so there really is no need ever to log in with too much privileges on Windows. And as a technologically advanced user you also know your policies and such so you can harden all the other accounts in the system just the same way you might do it using Unix-like operating systems. It's even easier to do fine grained security hardening on Windows given you know how to administer your box.

And, when it comes to the RPC exploit, you just don't remember what happened with OpenSSH some time ago? A fix was available for quite some time and even then a huge amount of computers got cracked. If Linux was as popular as Windows, there might easily have been about the same number of "infections" as there were with Blaster.

To assume one system is more secure than some other just because it's different is simply stupid. Security consists of many different aspects and the underlying OS is just one of them.

More to the point

[soloport]

Take your most savy Linux guru and your most savy Windows mouse-clicker (can often be one and the same person). Let each setup a secure server and point each server to the Internet.

Now sit back and wait for shit to happen.

Eventually it will be proven that the best platform is freebsd.

did you fix it for yourself, or for everyone?

[donutz]

When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing.

So just out of curiosity, did you submit your changes to the PHPNuke folks? Or just fix it for yourself? Seems it would be a kind thing (good for your karma, and not just the /. kind) to submit security fixes, if you know they exist.

Care to comment on where you made some of your fixes in the code, so that if you didn't report them yourself, then someone else can make those fixes public?

Thanks!

Re:did you fix it for yourself, or for everyone?

[BrynM]

I'm working submitting the fixes I've created actually. I've only recently (in the last two months) started the site, so it's still in-process - code submissions and all.

It all came about because I am building a module for Nuke. I started looking at the code and decided to do some house cleaning. Most of the fixes I implemented are already in the public (look around at Nuke Forums or search for "php nuke exploit"), so I'm betting that Francisco Burzi (the creator of Nuke) is working on implementing them for the next version if they aren't already in. He's been good about including fixes as problems are found.

Most of the exploits are simple SQL injection exploits, which affect all PHP/SQL code and not just Nuke. Let's say you want to query user data from a MySQL table named USERS with the USERID as the criteria:

?php mysql_query("select * from USERS where USERID=5"); ?

This will work great for one user, but to make the code portable, you'll need to use a variable for the USERID, so it becomes:

?php mysql_query("select * from USERS where USERID=$USERVAR"); ?

When the variable is passed by an online form it will look like this:

http://foo.yoursite.com/file.php?USERVAR=5

Because PHP doesn't keep strict varaible types, $USERID could contain the number 5 just as easily as it can contain the string "foo". Since the variable is at the end of the SQL query, we can append SQL to the end of our URL like:

http://foo.yoursite.com/file.php?USERVAR=5%20or% 201=1

As a result, PHP will hand MySQL a query that says "select * from users where USERID=5 or 1=1" (remember that %20 is an URL encoded space). Since 1 will always equal 1, MySQL will dump every record in the table instead of just the one with a USERID of 5. The way to fix this is simple. Before your line of PHP with the query, just do a simple

?php $USERVAR=intval($USERVAR); ?

Since our exploit relies on $USERVAR being interpreted as a string, it will fail as PHP intval() will discard everything in the variable from the first encountered non-integer onward. Thus malicious value of "5 or 1=1" becomes the number 5 again. There are a lot of places where this needs to be fixed and I haven't found them all yet. I'm working on a list that I plan to give to Francisco rather than have him try to keep track of me telling him about many individual ones and lose something along the way. Many nuke users have already fixed these themselves as well. There are other checks that need to be done for string variables, but I've already veered way too far offtopic.

I would be quite the selfish bastard to only fix the security holes for my use and no one else's. I'm glad you asked though. It never hurts to remind OSS users of their responsibilities should they touch the code. ;)

Re:I think its the apes

[Pinky]

That is dangerous! There could be a hidden or obfuscated loophole. I, for one, never run any code that hasen't been written by myself while under polygraph examination. I keep my website running in a concrete block under the ocean and I keep all the clocks in my appartment running at different times, just in case my future self came back in time to try to sabotage my project. Every one should do it.

When I introduce someone to coding I chop off their hands and then hide them to be sure they won't code anything. New users think I'm paranoid and arrogent but I don't want any one of the mindless rabble to come and get me in middle of the night when the KGB hacks their site. :-)

Reply: Maybe Stat-Lie ...?

[OldHawk777]

Is that 61% a stat-lie?

If there are significant more Apache websites compared to MS-Win websites on the internet, and the numerical coefficients of the variables used in the equations were not weighted appropriately, then a condition (of at least) co-variation was not taken into account ... the interpretation of 61% is in error.
Also, novice websites (Apache, MS-Win, ...) are frequently defaceable. I believe, due to the obvious (cost for a Linux+Apache+Skill+Daring) already stated by others, means that the most easily defaced website are in fact probably "Linux+Apache", but also the best most secure website because of the open-community+collaboration+... implies (for me) "Linux+Apache" makes the best websites for business and government.

So, I suspect stat-lie. However, I ain't done any major data crunching with FORTRAN and arrays in almost as many years as serious code.

OldHawk777

Reality is a self-induced hallucination.

Simple probability

[noda132]

There are some stats (look for the pretty pie charts) which can help explain the percentage, along with a few key thoughts and speculations:

• Most web sites run Linux.
• Linux boxes cause so little fuss it's easy to forget they're there (for better or for worse, most distributions, especially older ones, are very content to leave you alone). I've never run across a Windows server that didn't ask for personal attention at least once every hundred days.
• Website defacement is often a direct act, not a simple script which happens to take down a site. All operating systems being equal, a cracker would pick sites at random and crack them; Linux would get cracked more than any operating system, assuming the cracker is great.
• In any operating system, the security is only as tight as the administrator makes it. Well-secured servers are VERY hard to come by.
• A website defacement is not a remote root. It could be a simple cross-site scripting bug in some CGI/PHP/Perl code, which is not the fault of the operating system.

MS users hate MS

[solprovider]

there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames

Because they are forced to use MS products. Most people do not have strong feelings about stuff they have not personally encountered.

While I would never go so far as to say that Linux people purposely write virii to take down Microsoft, I certainly wouldn't say that Microsoft users are the guys writing virii to take down Windows Update.

The script-kiddie viruses require MSWindows to write, or at least test, the virus. Linux users have already escaped; why would they worry about MS? It is the MS users that write viruses to hurt MS.

I also like the theory that the MSBlast virus was written by MS. The primary purpose behind that virus was to annoy all the users enough to patch their systems.
- It also required every unpatched MSWindows PC to report itself to MS. MS might be able to use that information.
- The virus also seems to have been poorly written. MS may not have the monopoly on bad programmers, but they definitely have the largest concentration of them.

Anybody who wanted to cause real damage would write a virus that spends 24 hours spreading itself, and then silently wipes the "drives" starting at Z: and working backwords to C:. That would cause a few heart attacks in the corporate world. It would also force the world to switch away from MS. The MSBlast virus was just a warning shot, and I doubt it was written by someone who actually wants to harm MS.

I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.

With scripting kits, brains are not a requirement for writing a virus. See the stories about the virus writers who have been caught; none were particularly smart. (OK, they were CAUGHT, so the sample assumes some incompetence.)

Very few people prefer MSWindows; most people do not know there was a choice.

---
The Linux community wants to succeed by demonstrating that the community development process develops better code and applications than hidden proprietary code can produce. MS's security holes are a demonstration that their development process has severe faults. Linux and OpenOffice should remove MS's revenues very soon, and then MS will fall. We want to win fair.

Re:MS users hate MS

[YellowElectricRat]

The virus also seems to have been poorly written. MS may not have the monopoly on bad programmers, but they definitely have the largest concentration of them

This is one of the most ridiculous statements I have ever read. Do you have any idea how difficult and competitive it is to get a programming position at Microsoft? Whether you like to believe it or not, Microsoft has some of the best programmers in the world - it also has some of the most rushed programmers in the world, and some not so great QA. Even the very best programmers don't often get their code perfect the first time around, and if a problem with some MS code is not picked up by MS's testers and QA people, it doesn't get fixed.

Idiot Lunix zealots.

Re:MS users hate MS

[PeteQC]

- It also required every unpatched MSWindows PC to report itself to MS. MS might be able to use that information.

I don't think so, since you can download the patch without going on WindowsUpdate, it's available at http://support.microsoft.com/default.aspx?scid=kb; en-us;823980

In webserver-land, it *is* reversed

[leonbrooks]

Microsoft IS the biggie out there, and Linux isn't, but we all [...] would like to see that reversed?

There are twice as many Apache sites as IIS sites, so one would expect to see twice as many Apache defacements if they were attacked equally often and defended equally well.

IRL, the Apache machines will more often be doing multiple duties (e.g. Internet gateway, email server), further skewing the results against themselves because there are simply more services to break into on those machines.

If I was a selfish, destructive little cracker, I'd be breaking into Linux boxes simply because they're more useful than a corresponding MS-Windows box once you 0\/\/|\|3rZ them.. A lot more stuff will install off-the-shelf in scripted fashion, or already be installed.

Also, what is this "Linux" of which you speak?

[leonbrooks]

there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames, and Linux take its place.

So... exit Microsoft Corp, stage left; enter Linux Corp, stage right? Have I got the picture?

But Linux isn't a corporation; and Linus would happily agree that Linux isn't a person. It has, in its enemies' words, "no centre of gravity", no central bastion to attack. It has no war-chest, no lawyers, no production facilities. If it is distributed from France or Germany, it isn't because of some strategic global plan, it's just where the distributors happened to live.

In short, while you can happily replace MS-Windows with Linux, there is nothing to replace Microsoft itself.

Yeehah! (-:

Linux does not require technical ability

[solprovider]

Linux does not require technical ability anymore.

There are several distributions (Mandrake, Lindows, ...) that may be installed by the complete novice.

That said, I am using RedHat (because I live in the US and it is still the most popular distribution here.) The RH9 installer does not even make suggestions for how to partition the hard drive. (A friend asked if he should make the root ext3 or a swap partition? The interface implies that this is acceptable.)

Once Linux is installed, a typical user would never see the command line, and only needs to learn one GUI.

Linux can also remove some of the fear of computers because you do not need to worry about the usual viruses. Your aquaintances that have trouble right-clicking and double-clicking may be better with Linux, since the menus are usually written before the context menus, so every option can be accessed with one button of the mouse. (My grandfather uses the ENTER key instead of double-clicking, since a couple of strokes have upset his timing for double-clicks.)

You also assumed that the Linux users must have installed Linux. In the corporate world, computers are installed by IT, regardless of the OS. And today the home consumer can buy a computer with Linux already installed. That assumption is not safe.

---
Good application designers assume the users are complete idiots. Applications designed that way are easier to use, require less documentation, and have more safeguards to prevent GarbageIn. And when the complete idiot does ask for support, invite them to be a primary tester. Even idiocy can be useful.

For Linux to become the main personal computer operating system, it must be designed for use by idiots.
- Why does it seem that most users are of below-average intelligence? Do smart people avoid computers?

Linux or Apache?

[AstroDrabb]

How can you make a statement on Linux security based on Apace? If Apache is hacked it has nothing to do with Linux. It is just an application that is completely unrelated to Linux. Saying Linux is insecure because of the last Apaceh/OpenSSL hole would be the same as saying FreeBSD or OpenBSD are insecure because someone broke in through Apache. Apache is a whole lot more secure then IIS, though it still had some problems. While it may make sense to complain about MS security problems because IIS is one of their products, it is silly to say Linux is insecure because of Apache. I do think security under Linux needs to constantly be watched, it is very easy to get a big head, become lazy and sloppy and get all kinds of holes. Thanks to efforts like SE Linux by the NSA, Linux will keep getting more and more secure.

No Contest

[gutbucket]

The only security parrallels between Windows and Linux is the susceptibility to lazy users. If you don't patch... you're dead in the water and you deserve it. Linux, windows, whatever.

That's where the similarities end. Linux is inherently more organic, configurable, stable and open. Windows has an upper limit on the config bashing you can do and the efficacy of doing so.

If I, with my Linux box have a vulnerabiltiy that that vendor, or code monkey who wrote the thing, doesn't have a patch for... not a problem. I can do any one of a thousand things to make my linux system either more secure or less susceptible including looking for alternative programs that do the same thing. From the kernel to userland... I have control. It's more work, perhaps, but so is police work.

Windows. Please. I'm at their mercy. Their patches. Their schedule. Their patches to their patches. Bah!

Look at it this way: Windows is a prefab house. It comes in one flavor. Once shape. and one color. It is architected (sic) in the hopes of being able to withstand a wide range of climates.

Linux, or any of the unixen, can be a tent you use to climb Everest. Or a mansion in Palm Beach. Or a Hotel in Monaco. Or a skyscraper in NYC. Whatever you want. It's up to you and how hard you are willing to work.

OS versus applications

[TWX]

"I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?"

Hell, I'd be happy if their OS didn't crash, even if the applications did from time to time.

I've been using Linux at home for many years, and I've noticed that applications do crash. Mozilla crashes, ABIWord crashes, StarOffice crashes, but there are two important points to this. First, the applications that I've described are either free or inexpensive. So, I haven't shelled out $500 for a suite of applications that is faulty. Second, it's only the one application that goes down in flames. It isn't the OS, it usually isn't the GUI interface (though X is a hair weak for what I'd like to see), and the other programs remain running without issue.

I don't think that an application should have the ability to crash an OS. That is absolutely ridiculous.

UNIX virii/worms

[hackerm]

One comment you often hear from Linux/UNIX people is that their systems can't get infected because all code executes in userspace and cannot do any harm to the system. You can just kill the process/delete the file and all is good again. And if people execute unknown code as root, they have themselves to blame.

But many UNIX worms/virii don't rely on code being executed as root. They spread using security holes such as buffer overflows, and doesn't need anyone to click on an attachment or execute an unknown binary.

I don't have the links to back it up, but wasn't the first worm ever a UNIX worm, written by a kid whose father was in the security business and told him about security holes in UNIX systems?

I don't think that the OS decides whether a system is secure or not. Sure, it is a factor, but sloppy administrators and developers are to blame as well.