Slashdot Mirror
Is Linux as Secure as We'd Like to Think?
man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
Personally I have all my end-users sign on as root. So far so good
I think website defacement and Linux security are 2 different issues all together. From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of of the operating system or the web server for that matter. It was only a security hole in one php script. This security hole was identified and patched rather quickly but I failed to apply the patch in a timely matter. But the rest of my websites were fine along with the rest of the services running on that box.
My opinion is that there are a lot of free / cheap web hosts out there running OSS and a lot of people publishing web pages and message boards using scripts that someone else wrote and not updating them.
I would like to see a comparison on the types web pages that were defaced and what was actually done, I bet most of them had nothing to do with operating system the website was running on.
"A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
I think we are correct in saying that Linux is more secure than Windows. When we are talking about just the operating system, then we can safely say that it is more secure.
Of course as we add applications to any system that system becomes more vunerable.
It's just that Windows starts off vunerable and gets worse as we add more apps (ie, Web server, ftp server, etc.).
Does this take into account the # of linux servers vs. windows servers? If there are significantly less windows servers, then this isn't all that significant. If there are less windows servers, but just as many break ins as linux, then windows is still more insecure despite the fact that they have the same number. they have more per machine. i hope that made sense =)
The only real way to secure a computer is to pull the power plug out of the wall. If you spent time mantaining your computer, keeping it up to date, and you know what you are doing their is little chance that you will have major problems. Anybody who puts a linux system on their network and doesn't update it is likly to have their system exploited.
Got Extra Money?
Species of Windows Programmer: Human
Species of Linux Programmer : Human
Chances of human error making it into the code: Equal
Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?
Absolutely not! These are not viruses that exploit bugs in code. These are socially engineered programs designed to get the user to run them.
You can't make the argument that the "average intelligence of the linux user" is higher than joe-sixpack's because if we are talking about linux-in-the-mainstream, then the "average linux user" will be joe-sixpack! Also, you probably can't talk about the fact that it isn't as mind-numbingly easy to run a scipt in linux as it is in windows, since those arguments contribute to why linux isn't mainstream in the first place!
But isn't the point that Microsoft IS the biggie out there, and Linux isn't, but we all (well, there is an assumption here) would like to see that reversed? If that's true, then your arguement is effectively null and void.
That's actually the point: there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames, and Linux take its place. Those people are more technically inclined. While I would never go so far as to say that Linux people purposely write virii to take down Microsoft, I certainly wouldn't say that Microsoft users are the guys writing virii to take down Windows Update. You don't bite the hand that feeds you, and I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.
What's your damage, Heather?
Or your admin makes it.
I used to run an old distro (RH 5.1) for the longest time (it had everything I needed) and it was full of security holes after doing the install. But disable some services, update some packages and presto - you're ok to go.
It's the same thing with Windows - check out the services turned on by default after installing Win 2k. Half of them will never be used by a home user.
So patch your box, remove unnecessary services and you should be alright. If you know what you're doing, you'll be ok.
I just install a vanilla Redhat on all my boxes. They get rooted within a few days, and the hax0rs take care of the security updates for me. Course, I can't log in as root anymore, but hey... that's a feature.
Linux is less vulnerable because there are fewer identically configured machines on the internet.
:)
One of the things about Windows is that there are so many copies out there that are all configured the exact same way, if a flaw is found in anything you have an instant worm possibility.
With Linux there are so many distributions, each with their own initial configurations and setup types that a worm would be hard pressed to find a common exploit.
Not that the internet hasn't been shut down by a UNIX worm in the past, that is...
Windows web defacements are the fault of a crappy, inherently insecure operating system from a criminal monopoly.
Linux defacements are the fault of stupid admins who can't be bothered to install the latest patches, or who are too incompetent to install the OS and configure it for security.
I thought everyone knew that.
Cheers
-b
I've seen people on Windows machines probed and hacked while they were online on IRC, in real time. Any passably competent cracker should be able to take control of a Windows box in short order. And Microsoft is well known for being slack on security matters. Always has been. And VB and the other tripe they've grafted on to their products multiplies the possibility for hacks by an order of magnitude.
Yes, there are Linux hacks, though far fewer than Windows hacks. And I see the buffer overflow vulnerabilities and such that come out weekly for Linux software. Many of those vulnerabilities are theoretical, found by a perusal of source code and never actually taken advantage of. And the Open Source community fixes these _far_ faster than Microsoft will ever fix theirs.
Oddly, some of the foremost security guys (Bruce Schneier, for example) state very explicitly that Open Source software is far better security-wise than any closed source software (read Windows). And they explain the reasons in great detail. And there are several people on this list who deal with both OSes on security matters on a day to day basis, and I'm pretty sure they'll attest that Linux security is much stronger than Windows.
If nothing else, a Linux user can determine and control open ports, running services, and create firewalling rules. Windows users think a port is something a ship pulls into, and a firewall is something in their cars.
People don't go after big business because it's "cool." People go after big business because it's visible. It gets their message across to more people. Big business is also a target because any change in business practices has a wide effect. If McDonalds increases their food safety standards, the change has a real effect on national food safety because of McD's sheer mass. In addition, other fast food chains will follow suit to avoid bad publicity. Going after McDonalds isn't "cool." It's effective.
Hey, if I told you that one in every two Ferrari F-40's explode for no reason, but only 1 in every 1000 Honda Civics explode for no reason, which explosions are going to be more noticed?
The Ferraris, because nobody important drives a Civic.
Knock off balding middle-aged, filthy rich tycoon, and that'll get more press than offing a bunch of morons who put rear spoilers on front-wheel-drive cars.
But I digress...
What's your damage, Heather?
the user base for Linux is inherently more systems-savvy and internet-knowledgable than the Windows user base
Or so they would like to think...
I'm not so sure. There are lots of those savvy and knowledgable people on Windows, just as there are lots of "k3wl, I'm so 1337 d00d, because I run Linux and not M$ Winblows" amateurs out there.
I think you'll find the average Linux user to know a bit more about computers yes, but to make the assumption that Linux users are "inherently" more secure users is just begging for trouble.
And furthermore, lots and lots of Linux users are most likely too confident because they are so savvy and knowledgable. Hubris is dangerous on any platform.
Of course, since we all want to feel special and look down on some other group and be "better" than them, that is not what people want to hear around here.
"I love you" and "soBig" both happened because too many people are using Windows, not because Windows in itself are insecure.
Any homogenous system will always be voulnerable to these kind of attacks.
The problem with any homogenous system (ecological, social or digital) - even if it might be very effective and streamlined when it works - when one of the units fails: all fails.
The key to building resistant systems, is making them heterogenous. Nature has figured that out millions of years ago. The key to securing a species survival is variance.
The same goes for computer systems. When 90 % of the computers are running Windows, Office, Outlook, viruses like ILoveYou and soBig have disastrous effects. (The fact that there are several versions of Windows, with different SPs installed, is making it a lot harder to write effective viruses).
My biggest fear is that Microsoft will end up with a susbscription system, and automatical updates. This could lead to a totally homogenous computer park... it is bound to be disastrous..
Yes, I've ran into hobbyists running IIS for fun--by which I mean I discovered his CodeRed infected box on my network--but the cost of a Windows Server license is prohibitive of amateur use, even if plenty of people just pirate it. So in the end, the inexperienced users with no time to spend securing their boxes turn to RedHat with Apache and Sendmail. Which isn't necessarily a bad thing. If I had to choose between Linux or Windows for which to leave alone without regular maintanance, the choice is pretty clear.
Take your most savy Linux guru and your most savy Windows mouse-clicker (can often be one and the same person). Let each setup a secure server and point each server to the Internet.
Now sit back and wait for shit to happen.
Eventually it will be proven that the best platform is freebsd.
When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing.
/. kind) to submit security fixes, if you know they exist.
So just out of curiosity, did you submit your changes to the PHPNuke folks? Or just fix it for yourself? Seems it would be a kind thing (good for your karma, and not just the
Care to comment on where you made some of your fixes in the code, so that if you didn't report them yourself, then someone else can make those fixes public?
Thanks!
There are twice as many Apache sites as IIS sites, so one would expect to see twice as many Apache defacements if they were attacked equally often and defended equally well.
IRL, the Apache machines will more often be doing multiple duties (e.g. Internet gateway, email server), further skewing the results against themselves because there are simply more services to break into on those machines.
If I was a selfish, destructive little cracker, I'd be breaking into Linux boxes simply because they're more useful than a corresponding MS-Windows box once you 0\/\/|\|3rZ them.. A lot more stuff will install off-the-shelf in scripted fashion, or already be installed.
Got time? Spend some of it coding or testing
This is one of the most ridiculous statements I have ever read. Do you have any idea how difficult and competitive it is to get a programming position at Microsoft? Whether you like to believe it or not, Microsoft has some of the best programmers in the world - it also has some of the most rushed programmers in the world, and some not so great QA. Even the very best programmers don't often get their code perfect the first time around, and if a problem with some MS code is not picked up by MS's testers and QA people, it doesn't get fixed.
Idiot Lunix zealots.
As a technical person who communicates well with non-technical people, I have to say that the failure of communication is almost always with the technical person.
Being more concerned with being seen as smart and informed than actually providing coherent information, spending too much time on irrelevant details instead of providing step-by-step instructions on what has to be done, geek inferiority complexes leading to arch, grating deliveries, a failure to listen and understand the end-users needs - I've seen it all. And I've almost never met an end-user type whose technical behaviour I wasn't able to amend for the better.
I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.
Looks like you need to get out more, then. That's a pretty broad and ignorant statement. Equally broad and ignorant statement: "I've never met someone who has been laid and simultaneously preferred using Linux as his/her desktop OS."
No, that's not how I feel. Yes, I do support Linux and the open source movement, but I don't believe in unreasonable and illogical statements against the opposing "camp" like claiming that not one of the millions of Windows-by-choice users are smart enough to write a good virus.
Unix is simply designed and developed much more with security and securability in mind.
From an old fart, I gotta take exception to that.
The design is from Multics, which is arguably secure, down to something that is doable on a departmental minicomputer. The design doesn't preclude some degree of security but all the emphasis is on getting something useful done. That said, Unix probably does manage to get the most useable security out of the fewest bits theoretically possible. I suspect that Unix is as simple as it can be and have any pretense to security.
NT does have security "features". It has lots of them, and they take lots of bits. They are stuck in strange places. If I have a lot of files to manage, I will not be using those features. I do a DIR. I see date and time and file size. No security information whatever. Must not be important.
Unix, if I do just an ls, just gives back the file names. If I do an ls -l to see dates and file sizes, back comes a mess of x's and hyphens. Must be important. Further, these are in my face every time I'm looking at files.
Multics was designed to be secure.
Unix wasn't.
Windows was designed to be able to claim the most "features"
Copy a directory from one place to another, where you don't have permission to read some of the files or write some of the targets.
Windows will give a pop-up and die when it runs into trouble.
Unix will copy what it can and give you the error messages with it dying breath.
Windows security. Even a little bit can be too much.
Unix security. I haven't seen it get in the way, and I haven't really got into groups yet. (Big gripe. I can't have NT users and groups with the same name. Stupid.)
The only security parrallels between Windows and Linux is the susceptibility to lazy users. If you don't patch... you're dead in the water and you deserve it. Linux, windows, whatever.
That's where the similarities end. Linux is inherently more organic, configurable, stable and open. Windows has an upper limit on the config bashing you can do and the efficacy of doing so.
If I, with my Linux box have a vulnerabiltiy that that vendor, or code monkey who wrote the thing, doesn't have a patch for... not a problem. I can do any one of a thousand things to make my linux system either more secure or less susceptible including looking for alternative programs that do the same thing. From the kernel to userland... I have control. It's more work, perhaps, but so is police work.
Windows. Please. I'm at their mercy. Their patches. Their schedule. Their patches to their patches. Bah!
Look at it this way: Windows is a prefab house. It comes in one flavor. Once shape. and one color. It is architected (sic) in the hopes of being able to withstand a wide range of climates.
Linux, or any of the unixen, can be a tent you use to climb Everest. Or a mansion in Palm Beach. Or a Hotel in Monaco. Or a skyscraper in NYC. Whatever you want. It's up to you and how hard you are willing to work.
Just do what you do best
Arnold "Red" Auerbach.
"I am anti-MS because I am tired of rebooting, and know that I could design their apps much better than they ever will. If they have some of the best programmers in the world, why are their applications so bad?"
Hell, I'd be happy if their OS didn't crash, even if the applications did from time to time.
I've been using Linux at home for many years, and I've noticed that applications do crash. Mozilla crashes, ABIWord crashes, StarOffice crashes, but there are two important points to this. First, the applications that I've described are either free or inexpensive. So, I haven't shelled out $500 for a suite of applications that is faulty. Second, it's only the one application that goes down in flames. It isn't the OS, it usually isn't the GUI interface (though X is a hair weak for what I'd like to see), and the other programs remain running without issue.
I don't think that an application should have the ability to crash an OS. That is absolutely ridiculous.
Do not look into laser with remaining eye.