Linux Most Attacked Server?
Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."
Linux is favourite hacker target: Study
By JACK KAPICA
Globe and Mail Update
Linux, not Microsoft Windows, remains the most-attacked operating system, a British security company reports.
During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers, according to the report.
Just 360 -- less than 2 per cent -- of BSD Unix servers were successfully breached in August.
The data comes from the London-based mi2g Intelligence Unit, which has been collecting data on overt digital attacks since 1995 and verifying them. Its database has tracked more than 280,000 overt digital attacks and 7,900 hacker groups.
Linux remained the most attacked operating system on-line during the past year, with 51 per cent of all successful overt digital attacks.
Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.
The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.).
The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion, about as much as Cmdr Taco makes per year as a male prostitute.
The Sobig and MSBlast malware that afflict Microsoft platforms contributed significantly to the record estimate.
"The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi2g chairman D.K. Matai said.
"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
Funding provided by Microsoft....
Wherever you go, there you are.
But think of how many more linux servers are out there than windows servers.......
We're number one! We're number one! Woo! Party!
Er... wait, what? Is this a good thing?
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Good god sir, do you know where you are posting this? ;]
On the surface, this statistic serves both as a testament to linux's growing popularity as a server OS and ammo for those windows admins who have long taken abuses about the insecure nature of their OS. These ideas, particularly the latter, however, may prove misguided; breaches against servers are rooted not only in the security of their running OS, but also in the effectiveness of the security implementation of the system admin him/herself.
Linux is favourite hacker target: Study
By JACK KAPICA
Globe and Mail Update
Linux, not Microsoft Windows, remains the most-attacked operating system, a British security company reports.
During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers, according to the report.
Just 360 -- less than 2 per cent -- of BSD Unix servers were successfully breached in August.
The data comes from the London-based mi2g Intelligence Unit, which has been collecting data on overt digital attacks since 1995 and verifying them. Its database has tracked more than 280,000 overt digital attacks and 7,900 hacker groups.
Linux remained the most attacked operating system on-line during the past year, with 51 per cent of all successful overt digital attacks.
Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.
The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.).
The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion.
The Sobig and MSBlast malware that afflict Microsoft platforms contributed significantly to the record estimate.
"The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi2g chairman D.K. Matai said.
"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
Make even shorter URLs - 8LN.org
In all fairness, if the Windows icon is broken, shouldn't tux be bruised or crying or something?
What are the other 9.8 percent running......and why!?
But since we all know that *BSD is dying, we soon will all get 0wN3d!
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
with all the worms around... this sounds like bullshit
Maybe it's just because people put their important stuff on Linux machines. Who wants to hack Windows machines when all you are going to get into is someone's Outlook mailbox full of spam and Sobig.F?
Okay... do the editors read the links anymore?
This clearly came from Canada's Globe and Mail newspaper, which clearly has nothing in common with the British Broadcasting Company.
Does this count the number of Windows machines that were 'compromised' by BLASTER and its children? If someone gets a binary on my server and controls what my server does ( in this case, replicating the worm ), then I'd call that hacked. Just because a worm did it vs. a human doesn't mean anything. More direct hacks on Linux machines might just mean that there was much more human effort expended.
I want to delete my account but Slashdot doesn't allow it.
How do these numbers relate to the number of servers which are 'attackable' by hackers? ...even assuming (as they do) that home desktop machines on DSL/cable modems which are compromised (by worms or hackers) are not considered 'server attacks'.
Well, they don't say that, but if you include the number of infected Windows desktops this year, I have a pretty good feeling it would be a LOT more than 12,000, even if you only include infections designed to give control to an outside party (as opposed to simply spreading).
It only costs you 30 pounds to read the whole report here, so if you want to know the methodology, it will cost you. I guess that's better than Microsoft paying for the report...
Don't forget that Friday is Hawaiian shirt day.
It's ironic that Microsoft provides that service for free, whereas Linux requires paying money. But it's good because at least here there's a clear way to make money off Free Software and keep programmers like me from going hungry.
John.
Anyway, whoever posted it didn't check the archives because I did and found that all months, I could only find a handful of Linux machines 'sploited. And all of these were 5.2 to 6.2 Redhat machines.
This is a test. This is a test of the emergency sig system. This has been only a test.
Being the best at something is good...
What level of attacks is this mentioning, and on what scale though?
Some random kid playing with rh8 sets up a quick and dirty server and it gets hacked, there ya go...
Well if the majority of web servers on the Net run Apache + Linux, then sure, because my web server continues to absorb Code Red hits looking for an exploitable Microsoft IIS server.
So, I wonder....the interesting statistic to me would be what percentage of attacks against each platform are successful? This statistic is not explicitly stated. Also did they include OS X as part of the study?
Visit Jonesblog and say hello.
Those statistics were missing anything resembling meaning. The report was basically a fluff piece supported by funny numbers in order to put a tag line in for Microsoft security.
Why did this make slashdot?
I live in a giant bucket.
More systems == more attacks. And consider that most servers are pre-configured with lame settings & passwords, and MOST newfi admins NEVER change the password... and if they do, it's a simple one that they use on ALL the systems they admin.
Geesh, it's not like we're talking broken protocols here...
These figures correspond almost directly to netcraft. Seems to me, more linux/apache boxes out on the net means more targets. IIS holds about 24% and apache is about 64%. DUH. It's not hard to see that there will be more attacks if there are more machines. I bet they didn't factor how many OS/2 boxes got attacked.
Statistics are dumb.
Wouldn't this lend itself more to Linux servers being so dominant in the market? If I have a thousand Palm Pilots, and X number of them are defective, wouldn't X increase proportionately as I looked at more and more?
Later,
Patrick
Blood flowing like red ink on paper, writing on the wall, etc, etc. You get the picture.
I suppose it's easy to miss that one though...
The world is a comedy to those who think and a tragedy to those who feel.
This is obvious. I expect that the number of morons actually running Windows as a server is around 4,626.
This assumes that Windows admins are smart enough to realize that their servers are wide open. Remember children, script kiddies aren't the only h4x0rs in the world.
The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion.
So while these "attacks" on servers totalling about the same damage amounts as usual there was quite a new record high obtained by the RPC vulnerability...
So they are attacking an OS that is known to be running on more servers around the world and the "damage" from these attacks is holding steady, yet we don't mention in the article title that because Windows is MAJORLY vulnerable, there was nearly 30 BILLION dollars in damage done!
Interesting spin.
They count hacker attacks, although without knowing the relative numbers of servers we don't know which O/S is better.
But what about vendor attacks, like patches that crash the server, or the DoS attacks that happen when a server is taken off-line for patching? And surely a precautionary disconnect when there is a MS virus storm has to count as a successful DoS attack.
-- Pot is safer than Beer
During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent.
/me turns off logging and closes eyes, going back to my happy place.
Of course, that really depends on how you 'verify' a breach, doesn't it?
*sigh*
"During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers, according to the report.
Just 360 -- less than 2 per cent -- of BSD Unix servers were successfully breached in August."
I'm upset that they didn't mention the ratio of machines hacked... i.e. just because more linux machines that were hacked than microsoft doesn't mean that the ratio tells a different story. There might be more linux servers out there.
What is slashdot?
But how many of these were attacks successful on machines without the correct patches? How many were because of scripting problems on webpages? How many were configured incorrectly? Behind poor firewalls? This doesn't break down what kind of attacks they were. You can't make generalizations without complete information.
Also, it has gained something of a reputation as a secure system, at least compared to IIS, and this may be undeserved in installations where best security practices are not followed (most of them). This is perhaps a wakeup call that it's important to patch, only set up services that are necessary, and use a firewall and intrusion detection system, but most people know that already.
I never vote for anyone. I always vote against.
-- W.C. Fields
I am just wondering how many of those owned boxes are run by MCSEs who now are telling everyone they know "Linux." Anyone running Unix would have known to check, check, and recheck as well as patch, patch, patch. Even with all that extra sounding work it's still cheaper to deploy and run Linux boxes.
As you can see I don't care about my karma.
"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
The only way they've reduced the _proportion_ of attacks on their servers is by losing market share. The total number of attacks against Windows servers is still increasing, so it's a little premature to give them any compliments.
If voting changed anything, they'd make it illegal -- Jello Biafra
They claim a database of 280,000 attacks since 1995. They claim there were at least 18,000 attacks in August alone, or 6.5% of the total of 1% of their sample. Also, these numbers are meaningless without knowing the total population of each type of server. Oy!
I think it's time to break the statistics down application by application at that point. Show me some Apache vs. IIS numbers or MySQL vs. SQL Server numbers or exclude third party applications altogether please. For the record, I run both Windows and Linux for clients and servers and am pretty neutral in the whole OS wars thing. Each has their merits and uses, both need regular security maintenance and I am pretty much happy with both for very different reasons. I'm not a Linux zealot, but I know bad numbers when I smell them. And then...
So MS is shoring up third party applications then? They even go on to cite Sobig and MSBlast as the reasons for the high MS numbers. This is shifting over to a very FUD-like smell now.
US Democracy: The best person for the job (among These pre-selected choices...)
Anonymous guy who can't remember his login
That would be WilliamGates.
ok, attacked, maybe.
However, how many of those windows servers took part in massive worms? Those aren't attacked, those are automated attacks, and not considered.
How many of those got partial entry (I.E. not superuser).
Remember kids, when you #4x0r Windows, you get root.
I'm reminded of a quote: "There are three kinds of lies: lies, damned lies, and statistics."
a system has to be up to be attacked. given the excessive downtime and frequent reboots inherent in all MS OSes, they would be subject to fewer attacks.
During August. What, have they been doing the survey every month for 10 years, and finally one month Linux comes out on top?
Sure, we all know that Linux is on more Web Servers than MS.
But consider this: Do people attack the server because it's running Linux, or because it's hosting the SCO website?
I think the CONTENT drives far more hacks than the OS it's on...
The longer I'm a member of the Human Race, the more I believe Apocalypse is a valid solution.
I would think someone would like to prove they are l33t by hacking a linux box rather than a windows box. All those vulnerabilities in Windows makes it too easy to do.
- there are more publicly accessible servers running Linux (e.g. linux/apache webservers)?
- you do need to have basic understanding of security and linux skills to make a secure server. There are fewer shrink-wrapped security-enhancing products for Linux, and a lot of people in charge of those Linux servers are the "point and click" kind.
Jobs? Which jobs?
I seem to recall some 500,000 servers being compromised by a worm last month. Do they only count attacks by people?
Well, that's sensible if you ignore the half million or so infections by Blaster - which clearly this article does.
I think that any analysis of digital attacks that filters out malware is missing a huge part of reality. Certainly you'd have to be nuts to call August a good month for Microsoft servers.
jim frost
jimf@frostbytes.com
I find this hard to believe, especially considering the amount of traffic I'm seeing from infected Windows servers trying to break into my machines.
:)
Of course, that number may be so low since all of the other Windows servers are down all the time. An attacker doesn't have a chance to break in.
mi2g disclaims all warranties as to the accuracy, completeness or adequacy of the information. mi2g shall have no liability for errors, omissions or inadequacies in the information intelligence offered or for interpretations thereof. mi2g disclaims itself of any sales lost or damages incurred to other parties as a result of this information.
Doesn't seem like this company is too confident in any of the claims made in these reports..
Their monthly intelligence has a quote that makes their "research methods" look shady:
The Monthly Intelligence analyses and collects data from over 7,000 hacker groups worldwide and provides detailed monthly and year-to-date information on:
Seems a little far fetched to me, I doubt many "hacker groups" are open to research companies doing data collection.
of all Linux ecommerce servers were compromised versus their Windows counterparts?
I think a much more meaningful statistic would be how many fully patched Windows and Linux servers are successfully hacked. With Windows, you are always vulnerable, because the rate at which vulnerabilities are discovered far surpasses the rate at which patches are issued. With OSS, OTOH, a patch is usually issued a few hours or days after the vulnerability is discovered. Hence, the amount of time a successful Linux exploit is usable is usually much lower than an exploit for Windows.
I would guess that most Linux machines that get hacked are due to unpatched/deliberately insecure configurations - like using a dictionary word for a root password.
The society for a thought-free internet welcomes you.
It's a little bit vague, are they talking about "number of domains defaced" or "number of physical machines compromised"? Browse a little at Zone H to get an idea about how this could be misleading.
If this report was paired with a statistic of penetration of Windows Servers vs Linux Servers, etc., it would be a lot better. Anyone have a recent study with such information?
This would be very interesting if Windows had more penetration. It would be less interesting if Linux had a 65% share of the server market.
Payload (Hex):
4745 5420 2F73 6372 6970 7473 2F6E 7369 6973 6C6F
672E 646C 6C0D 0A0D 0A
Payload (ASCII):
GET /scripts/nsiislog.dll....
I think most security professionals would agree that a worm infection attempt constitutes an attack on a system. Therefore, I have more than a little skepticism about these results, given recent events.
I'm guessing they're only counting intrusion attempts that involved humans on the other end of the wire. That's pretty misleading.
-Lux
and I was wondering why people were doing a minute of silence today...
... ...
Linux Flamebait
nVidia vs ATI Flamebait
Outlook Flamebait
H1-B Flamebait
RIAA Flamebait
SCO Flamebait
Liberal Flamebait
ATI vs nVidia Flamebait
The story on the frontpage started out with "Anonymous guy who can't remember his login sent in a story from the BBC that says..." then after clicking the Read More link it read "Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says..."
The polls are acting weird too.
Something's up with the caching at planet slash methinks.
Studies have determined that 89% of all muggings are perpetrated against rich looking people, with only 11% being perpetrated against the poorer looking population.
Brought to us by our friends at mi2g. I'd take this with a grain of salt.
Out of 1,000,000 apples, 10,000 were hacked
Out of 10,000 oranges, 1,000 were hacked
Looks like a typical Microsoft "we're scared of Linux and need some positive press" post to me, and almost on the *very* day they announce they screwed up the DCOM patch and another worm is likely too. What a coincidence!
UNIX? They're not even circumcised! Savages!
The article doesn't specify what counts as a "successful breach." Moreover, that's a record of servers. What, pray tell, do we do with the tens, or was it hundreds, of thousands of SQL-Slam'ed Window$ boxes. They were not all web-servers, but they sure as heck weren't Linux boxes. Is it just me, or did anyone else notice that none of those "successful" breaches of Linux servers compromised the whole stinking Internet?
Troll baiting *is* my life.
Number (or percentage) of successful attacks against servers maintained by professionals, sorted by operating system.
Of course there are a lot of non-secure Linux systems on the net. Lots of amateurs use Linux. After all, it's free! Notice how much the statistics in the article changed when they leveled the playing field and looked only at servers in one industry: government? Keeping to one industry caused them to look at systems maintained by sysadmins with much more equal skill levels.
From the article: Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.
They fail to mention if the 'successful and verifiable digital attacks' were caused by a flaw in the software or by poor system administration.
Without more information, we don't learn much. Has anyone run across the original report?
A while back while working on our web site, we put up the default IIS page for an hour or so as a prank. Next thing I know, we're up on attrition.org as a defacement! We tried to get them to stop saying that since we had defaced our own site, but got no response. So, for weeks we had to answer questions from people wondering how the break-in had occurred, and if they were vulnerable too.
I'll tell you, it was the last time I screwed around with the site like that (though the patent protest page did cause one similar inquiry).
Linux the most attacked server? Of course it is!
;-p
It -singlehandedly- has the ability to ruin a large number of major players in the industry. Sun, Microsoft... SCO? They have a vested interest in undermining its success. Hence, the continual FUD attacks, sponsored reports, alleged IP infringements. The question is: how often do these attacks succeed. Answer: never!
"Canadan Newspaper != The BBC"
Canadan != Canadian
Okay... do you know how to spell.
GET A FUCKING CLUE BEFORE CRITICISING.
And now it's the other way around?
-------
Warning: Slashdot may contain traces of nuts.
So?
They keep on knocking but they can't come in!
Sometimes I doubt your commitment to Sparkle Motion.
Shut up, you idiots.
Clearly this is a testament to the prevalence of insecure Linux servers. Probably, the users didn't spend the requisite lifetime to learn the ins and outs of their system -- too much flexibility led to confusion and error.
Not to mention, the Open Source model makes it easy to find holes.
...report breakins to anyone. How many drug dealers report to the cops if their stash gets stolen?
Also, Windows' event logging capabilities aren't really up to snuff in being able to capture the important cyberforensic data like a Linux kernel and syslog can do.
Netcraft's September web survey reports that 67.28% of websites run Apache, while 24.44% run a MS server. (Keep in mind that some of those Apache servers are not running Linux.)
The article cites hacking rates of 67% to 23.2%. It does look like MS is coming out ahead here, but not by too much.
It seems to me that the researcher's own experience is considerably different.
the growth in cynicism and rebellion has not been without cause
Windows hacked = windoze is ghey!
Linux hacked = security is the responsibility of the admin!
Just look at all the backpedalling and but.. but... but..
Linux is not the super-secure platform you think it is. Not only because it's practically impossible to "not have holes in the code", but because it's a convoluted mess to try and configure.
Is my linux based router/gateway secure? I think so, but there are so many goddamn .conf files and convoluted iptables rules (4 of them to forward a port?!) that I can't really be certain.
I don't need no instructions to know how to rock!!!!
65% of successful attacks came against SCO, which MUST be running Linux since they developed it.
Since I am running a linux server on my dsl line at home, I am prompted to ask here - Am I really safe behind a linksys router blocking all incoming ports except for 80 ( apache 2.0.40 ) and 25 ( postfix ). Both the software are current with up2date.
Last 6 hours on snort timeframe...
WEB-IIS ISAPI .ida attempt #20
MS-SQL Worm propagation attempt #30
WEB-IIS cmd.exe access #4
WEB-IIS nsiislog.dll access #12
Oh come'on, i must be an exemption uh?
Considering everyone I know that runs Linux are people that don't know a thing about *nix, let alone a secure operating system - and the last time I installed Redhat every service known to man was left open. Sorry, just my .02 from a *BSD guy.
...and if I leave the door to my safe open, people can get inside of it as well. It's not the system that is broken, it's the operators. Though I'm sure this far into the conversation that this point is redundant.
Gotta consider the source of this study: mi2g. They haven't been totally reliable in the past, and mi2g seems to be more interested in generating press rather than doing anything.
Of course, nobody in The Media will consider the source: the sound bite is just too good.
Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
Folks who have traditionally been Microsoft users, who have recently installed Linux on an old machine at home or maybe as dual-boot, who have little to no real experience or training with Unix-like systems or with particular open source servers, are going into the business IT environment and installing Linux-based systems on the hype.
Sure they can get Apache webserver serving pages, they can get Tomcat doing "something", and they can certainly run XMMS quite well on their workstation, but they really have no clue how to properly use these technologies in a production environment.
They see switching to Linux-based systems as being a simple fix.
They aren't willing to extensively review their configuration or product documentation. They aren't willing to put in the significant amount of time that is in fact required to become experts with the technologies.
Yes, they certainly do get a kick out of telling their friends that they have "Linux boxes running their shop", but security suffers due to their naive incompetence.
These techs should be fired.
Open source development may be a "we'll get that feature done when we feel like it" affair, but deploying Linux-based systems in a production environment must not be.
If anything, effectively and securely deploying Linux-based solutions requires more training and knowledge than does deploying Microsoft.
Let's stop pretending otherwise.
.sig Realistic fines for copyright in
All the windows machines are too busy rebooting every 60 seconds due to RPC failures.
You can't hax0r something if it doesn't stay up!
do() || do_not();
This goes against everything that I've known /. to be! Now I know how computers feel when we try to divide by zero.
If they know how many servers are running BSD/*nix/MS/OS2 why don't they report on the percentage of linux servers that were cracked? That would seem to be more useful in evaluating the security of different server OS's.
It's nothing but crumpled porno and Ayn Rand.
Damn it, I'm actually interested in their numbers, but I wish they'd straighten out what they're measuring:
> During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers, according to the report.
> Just 360 -- less than 2 per cent -- of BSD Unix servers were successfully breached in August.
Clearly that 2 per cent is not measuring the same thing.
What about
percent of linux attacks that were successful
vs. same things for Windows and BSD
?
And also give attack counts with the percents of successful attacks.
I did a search for mi2g in google. I've found the results to be... enlightening.
Is the sincerest form of flattery. I think Linux geeks should be proud. Really, no sarcasm.
:
Offtopic, redundant, flamebait, obligatory troll
"Just 360 -- less than 2 per cent -- of BSD Unix servers were successfully breached in August"
You can't attack something that's dead.
Trolls don't like to be Flamebait, because they burn so well. Protect our Troll heritage!
As previously mentioned, the more popular a server gets the more attacks it will get. These numbers are somewhat redundant. There seems to be one of these released every other week!
I think the Linux community should concentrate on / worry about is how to design a system that can defend itself better against attacks compared to other OS's.
and here's why:
I think that the staggering high cost and unreliability of their software coupled with the dot com crash made a bunch of CIO's rush out and adopt Linux without hiring enough qualified people to support the environment. Net result: poor security in the form of bad apache configurations and no firewalls to protect them.
because what hunting rifle has a bayonet lug
A system is only as secure as the sysadmin who runs it lets it be.
Both Linux and Windows NT/2K/XP are rather insecure out of the box. A default RedHat install has security holes you could drive a truck through. The big difference is Windows is more vulnerable to macro viruses. It's also worth noting that when something does go massively wrong with Windows, there is lots of press over it. Linux's biggest weakness is that people assume it is secure because it isn't Windows, when there are security holes.
Conversely, a well patched, well configured system (Linux or Windows) is quite secure. I don't know how many Win2k security holes I hear about first from Windows Update, then from Slashdot. Likewise, Linux has similar tools to keep the system properly secure.
http://lists.insecure.org/lists/isn/2002/Nov/0101.html
Word Up!
However, the biggest net crippling worm/virus fiascos that have undoubtedly caused the lion's share of actual monetary damage have all been the result of Windows exploits. So Linux may get attacked more, but the vast majority of the identifiable/billable damage is due to the ease of hacking Windows machines.
A prime example of using misleading statistics to prove a meaningless point.
We just had a bad infection of Nachi that hit about 500 of our Win2k computers, granted that doesn't add much to the already possibly skewed numbers, but it shows that they couldn't have counted every single successful attack against MS products.
Heck with just blaster and friends' numbers added to that, I'm sure that the linux number would be at least half of the MS number.
There were several hundred thousand computers compromised by blaster last month. Did they forget this statistic, or are they having steaks on uncle Billy tonight?
Another question (along with the many other desires for more information) is:
What is the relative security level per unit effort.
I imagine that most people using MS servers know that they need to be on the ball, or else. Linux server admins may be a bit less cautious, because they assume they are more secure. Old versions of any server software will bite you eventually...
So are they really comparing the same thing?
The firm quoted in the article has been accused of giving overblown statistics and buzzword-laden, scare-tactic press releases.
This post expresses my opinion, not that of my employer. And yes, IAAL.
The report implies that 67 percent of servers are LINUX boxes, and 23 percent are win boxes. What about Solaris, AIX, HP-UX boxes? Either they are not attacked at all or they don't exist. Just another laughable petty report (probably) financed by micros~1.
Since this is servers, of course this leaves out the 100 million or so Windows desktops that were compromised.....many on what seems to be a monthly basis.
:-)
also would be nice to get the count of windows desktops still trying to proliferate viruses and worm exploits that were patched 2 and 3 years ago.
of course I pulled the 100 mil number out of thin air, better to swag low.
NM ;0
If you mod this as trollbait i'll kill you
Just an opinion and not trolling!
The Globe and Mail summary seems to be missing a lot of details. Access to the full report would be required in order to determine what the study found. Now that most people have firewalls, the attacks have moved higher up the OSI model. If most Apache setups are as solid as most firewalls are, then the attacker moves up to the application level to perform their attacks, e.g. bad Perl/PHP code. Given the whole Linux vs. Windows mania and given the short, inadequate, and confusing summary, I would suspect the post was designed to arouse enough curiosity to get people to buy the full report. Someone said the full report was 30 pounds. Did anyone actually read the article or was it just submitted because the convoluted and confusing summary said the two phrases that fire up slashdotters, "linux bad", "windows better"?
Um, I haven't researched it yet but how many Linux to Windows servers were on the internet? Do we get any percentage of servers hacked stats?
-Tim Louden
20% of the time people call in sick, it's on a Friday.
Anybody can get into Windows, but it takes a real hacker to get into Linux.
Seriously, I suspect that difference comes into play when you look at where the servers are used. You'll find that Linux is used in more servers that are much more worthwhile targets (ie credit card transaction processing) than Windows. So going back to the original comment, not only is it less of a challenge to break into Windows, but I suspect that there is also less reason to want to attempt to break into Windows servers.
myke
Mimetics Inc. Twitter
Any information that comes out of mi2g is suspect. They have been heavily criticized by Rob Rosenberger of Vmyths, a computer security hysteria site.
statistics can be very misleading. for example:
Common sense can cloud statistical results. For instance, a technology firm discovered that 40% of all sick days were taken on a Friday or a Monday. They immediately clamped down on sick leave before they realised their mistake. Forty per cent represents two days out of a five day working week and therefore is a normal spread, rather than a reflection of swathes of feckless opportunists trying to extend their weekends.
(preceding was taken from an ars technica article)
If 90% of servers are Linux servers, then it makes sense that 90% of attacks should be against Linux servers, right? I'm pretty sure Linux is more than 67% of servers right now, so 67% is actually very low!
...who can't remember his login" my ass! More like "anonymous guy who was afraid of the lynching he'd get for posting this to /. under his real username".
do not read this line twice.
As I have stated numerous times on this forum, comparing Linux security & Windows security is like comparing the Cincinnati Bengals and Arizona Cardinals football teams (actually, this is the first time I used the Cardinals in my analogy, as I used to use the Detroit Lions).
It is foolish to expose either OS to the Internet. That is the job of *BSD.
Maybe Billy Gates is behind it trying to get stupid people to think that Windows is more secure and better for a server than Linux, so that he'll get more business.
I love NetHack.
280,000 attacks total
(# of which were successful = x)
67% of successful attacks were against linux
(# is .67x)
23.2% of successful attacks were against windows
(.232x)
I was going to write the rest of the equations that I can deduce, but,
then this confused me:
> During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux,
> Linux remained the most attacked operating system on-line during the past year, with 51 per cent of all successful overt digital attacks.
I'm confused -- how to reconcile these two sentences ?
If over 12000 Servers were linux and were being successfully cracked compared to 4000 of windows boxes. Now representing this as 67% is to skew the results. What we don't actually know is how many were in the data set ?
Did they sample 20000 Servers ? 20,000 servers or 200,000 servers ?
Linux 67 Breached Linux Servers 12892 73.59%
Windows 23 Breached Windows Servers 4626 26.41%
90 Total Cracked ? 17518
Well the percentile is only 90% of the figures. Which servers were in the missing 10%.
Did the survey compare windows to linux boxes alike e.g.
1 Linux Server examined to 1 windows box. for 20,000 boxes ?
I don't see any figures here for accuracy or qualification of the figures.
What I do see is a suggestion that Linux is very popular. If this is the case and we suggest that 80% of the net is unix to 20% microsoft, then 67% of 80% of the network being interrupted seems very unusual and rather high as a figure.
So I keep coming back to wondering where the figures have actually originated and been compiled.
I'm fairly sure Microsoft can be secure, but unlike Unix it tends towards insecurity. I've often compared running Microsoft boxes to herding sheep. You spend all your time keeping them alive and free of viruses. Unix on the other hand is the sheep dog, consistent, loyal and dependent.
They can bandy these figures all they like but unless they can flatten the survey and show a clear scope of investigation and comparison then I don't think we should be worrying about the quote.
And that's why Firecrackers and kittens don't mix.
Wow. Mi2G sucks, if you believe the reg. it's not like they even got paid by Microsoft. It just looks like they make up cool news to get hits. And probably this paper picked up the story to get...more hits.
I'm not gonna worry about it...I haven't had any of my systems get hit...*shrug*.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by...
All the Windows boxes that are 0wnZ3r3d are not verifiable!
MjM
Groovy. Gear. Mod.
XKCD:Xeric Knowledge Comically Dispen
Any time a virus gets on your system, I consider that a "crack"; therefore, since Windows viruses far outnumber Unix viruses, I'd say Windows is far more insecure.
If there are 100,000 Linux servers and 5,000 windows servers, Linux servers look pretty good.
This being Slashdot where Linux is infallible, I'm sure there are going to be an abundance of excuses as to why Linux is the most hacked server. I'm sure someone will point out that it's the SysAdmins because they don't keep their boxes secure. Or, it's because there are a lot more Linux servers than Windows servers. If Microsoft servers were found to be more hacked none of these excuses would have flown and it would have been attributed to how evil Microsoft is and how much of a piece of crap operating system Windows is.
Just felt like playing Devil's Advocate...
Microsoft should hire me. I can write code that doesn't work faster than the guys they have doing it now.
In the end, website hacking all comes down to who has skills, and who doesn't. Statistically, you will always have a certain percentage of sysadmins who have lower skills than some of the hackers. It's just what happens in such a large system which we call the web.
Oh wait, that isn't right.
I've been using the same install for 4 years now and my patching is as automatic as it gets. My cron job runs once a day with a major update every Sunday. It doesn't require paying money, just a small (less than one Windows update) amount of time on my part.
At least the war on the environment is going well
the 1 million successful "invasions" of the blaster virus.
how long until
How does this matter? A client running Windows can distribute a worm by email just as well as a server can. Could the notion that most servers run Linux account for the notion that most servers that were hacked... ran Linux?
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
One more crippling bombshell hit the already beleaguered IIS community when IDC confirmed that IIS market share has dropped yet again, now down to less than 24 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that IIS has lost more market share, this news serves to reinforce what we've known all along. IIS is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict IIS' future. The hand writing is on the wall: IIS faces a bleak future. In fact there won't be any future at all for IIS because IIS is dying. Things are looking very bad for IIS. As many of us are already aware, IIS continues to lose market share. Red ink flows like a river of blood.
IIS is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time IIS developers Bteve Stallmer and Gill Bates only serve to underscore the point more clearly. There can no longer be any doubt: IIS is dying.
Let's keep to the facts and look at the numbers.
SCO leader Darl McBride states that there are only 10156289 users of IIS. "The numbers are staggering, that's a change of -0.21 percent from last month," McBride said in an interview Monday, "Don't worry Bill, we have your back covered. We'll be suing the Apache Software Foundation next month due to stolen code found in the base of Apache, that we wrote. We can't disclose that code as we don't want it removed."
All major surveys show that IIS has steadily declined in market share. IIS is very sick and its long term survival prospects are very dim. If IIS is to survive at all it will be among OS dilettante dabblers. IIS continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, IIS is dead.
Fact: IIS is dying
First of all, these same guys got into it with microsoft over another report around last november that said Microsoft OS's were more vulnerable:
o sd ata/
http://maccentral.macworld.com/news/2002/11/08/
So now it seems that after talking with Microsoft "at the senior level", and a few months have gone by for those talks to take place they now put out a report with a different spin to it? I dunno. Even if it is bogus it doesn't matter. 99% of statistics they say... The only thing that means anything is that it made for a poor news headline.
This only proves that linux is dying!
argh!
The power and the loss of the Linux as a platform. It is very flexible and configurable. Nothing mandates you for something. That's why for instance Debian set of cds include perhaps over 200 different text editors.
It is quite ridiculous since there are a lot of security improvements (patches, applications, workarounds, alternative programs, ..) available but they are not mandated on. For instance Grsecurity. If it was forced to all the distributions to be by default on, there would be a noticeable drop in the amount of break-ins.
... ? ... and there would be virtually no break-ins anymore. Really. It's not THAT hard. Microsoft is doing it and seems that the "Linux community" is unable because the idea of forcing the boxes to be secure is against the main philosophies behind Linux.
Microsoft and Windows? Well, the security features are crap but even more and more of that crap is turned default ON. That's what is making the difference. Only Redhat seems to turn at least some (though not many enough) things default on and include some features.
Furthermore, Linux has been earlier sprouted "as the secure platform". The converts from the Windows world have taken it for granted and dangerously let most of the settings stand as default. The amount of education and easy to use admin tools and howtos have not been up to par.
To make the Linux a lot more secure platform there should be a base that all the distributions would conform to. All of them. To all the features. They might not be actually forced to be used but they should be there with just one click. Not perfectly, yes, but still.
What would be needed instantly, my first thoughts:
- Better logging facilities and better default configs
- Most of the features from Grsecurity (that don't break X which uses a perverted non-standard stack smashing methods for internal use)
- Only SSH2 with tight settings allowed
- Automatic updates on by default (there are a LOT of non-patched apache 1.3.26's out there. I noticed even VA Linux running some, lol)
- Automatic system on updating the kernel (stables only, with grsecurity patches naturally)
- Normal user should be almost forced to be used with sudo to administer the boxes, not logging in as a root
- An automatic reaction and notification of important events to the administrator
- Telnet and other legacy things killed
- Iptables on by default, with a large set of preconfigured rules and easy tools for clicking services on and off
-
How many attacks were launched, against which OS's...
Folks have cottoned on to %age distribution of OS's, which seems to correspond to the %age distribution of successful attacks. However, if MS servers received 10 x more attacks, then they are doing well, if Linux did, then it's doing well.
Winton
...because it's the only reason I can see for coming to the conclusions that the report appears to. Let's look at those numbers again...
$707 million USD: Amount spent recovering from hacker attacks.
$28.2 BILLION USD: Amount spent recovering from hacker attacks plus worms/viruses.
After doing some simple math it appears that basically, over 95% of the economic damage being done is coming from worms and viruses, which are almost exclusively a Windows thing... and the article mentions explicitly, "The Sobig and MSBlast malware that afflict Microsoft platforms contributed significantly to the record estimate."
Then the man goes on to imply that there's a higher proportion of Linux servers compromised, and then says "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
That is the part that really blows my mind. Did they just write off each and every dcom exploit incident as if it were a worm and not a "real" hack or something? What kind of credit do you give them for that? "Hey, good going Microsoft, there were a few Win2k servers still in boxes in the warehouse that didn't get compromised..."
Microsoft deserves credit where credit is due, so let's say it outright.... Their products were responsible for over 95% of the economic damage from unauthorized computer activity.
damned stinking dirty biased reports!
wonder how much dinero ms slipped into their pocket..
"The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.
I must confess that the first linux server that I set up was hacked for the very reason mentioned: my ambition exceeded my knowledge.
Imagine my chagrin when I got email from a couple of companies stating that an attack had been launched on their servers from my system! Let me tell you, I fixed that right quick!
I find it interesting to note the low number of Unix boxes that the article mentions as attack victims. Based on the experience of my own personal ignorance, I figure Unix operators are probably more savvy, ergo tighter security and fewer successful attacks. Personally, I haven't been able to figure out how to configure a Unix server in a usable manner (having tried FreeBSD and failed miserably). I find Linux easier to work with, which, perhaps, invites disaster when someone with limited savvy (such as I, once upon a time) decides to roll out a server and expose it to the wild west Internet.
[For those who wonder, the incident involved someone setting up an IRC server app on my system, which then attempted to install itself, apparently, on other systems that were better-secured than my own. Thereafter, I put everything behind a linux firewall that was locked down tighter than a nun's dainty underthings. I hope this humble and frank admission of ignorance will learn y'all to lock those ports down TIGHT!]
Mmmmmm... Bold, yet refreshing!
Vmyths appears to summarise the anti-mi2g camp's position. Searches for mi2g on NTK and The Register (when its search engine is working) are as enlightening as they are amusing.
You read articles like this all the time... and people will counter the article's stats with other stats. The only thing that remains constant is that 72% of all statistics are made up. -Over half the world's population is below average
http://www.theregister.co.uk/content/55/28233.html
They suck.
12,892 Linux
4,626 Microsoft
360 BSD
------
15,878 Total attacks
43,144,374 sites (netcraft)
~64% run Apache - assume all are Linux
~23% run Microsoft
64% * 43,144,374 = 27,612,399 sites running linux
23% * 43,144,374 = 9,923,206 sites running MS
0.0466% Linux sites hacked
0.0466% MS sites hacked
So, they were each hacked equally. Now the real measure would be whether the OS was hacked or software running on the OS was hacked. In particular, compare Windows vs Linux hacks, and then Apache vs IIS hacks, and then compare all remaining. Those would be interesting.
"Time is long and life is short, so begin to live while you still can." -EV
First these stats are important in demonstrating that it is important, no, imperative that admins of all flavors keep their servers up-to-date and know how to secure them effectively.
But, the stats also suggest that Linux is somehow less secure because it is attacked more often. The facts are a bit different though. Firstly, the statistics are drawn from a database of reported defacements not total defacements and definitely not total compromises. If this report were to be done in a more accurate fashion it would have to include the hundreds of thousands of machines that are regularly rooted by worms. Most recently, MS Blaster took over thousands of machines and reported for duty on an IRC bot channel. This report fails to account for these and many others like them.
I will concede that Linux is defaced more than any other OS at this time but, I would also point out that this does not make it less secure. More people may report compromising a Linux box to change the Apache index page but, none of the Code Red, Blaster or many others bothered to register with the defacement database and I guarantee that these compromises outnumber Linux defacements by the millions.
I would say there is an important difference between server hacks and viri in that respect. Most people making a virus specifically target windows, while most people hacking a server don't target an OS, but an organization, therefore it is relevant that there are more Linux servers, while the number of MS boxes is not relevant in cases involving virus. The attack focus is different.
are properly configured and how many are simply running the default installation settings? There are a lot of Windoze people setting up Linux boxes that don't even know how to secure it. Me thinks this analysis may not be comparing apples with apples...
I'm not surprised at all. I've always maintained that the OS installation's security is dependent on its administrator. Obviously Linux doesn't magically impart motivation or know-how on administrators. Neither does Windows. It's going to get worse for a while, as tech workers are asked to do more so that their employers don't have to take on new hires in this shaky economy. There will be less time to audit internally, and less people to do it.
By the way, how does one audit another private company's security record? Witness testimony? Crackers' boasting? Or did this firm actually send an expert out to look over every potential security issue the moment it happened? How did they know? Did the client know this information was being collected for a report?
Fred
"A fool and his freedom are soon parted"
-RMS
I don't care what everyone else does with their boxes. I know mine are locked up tight. I also know that there is no mystery about how tight they are and how someone would have to get in. I KNOW what's going on. With IIS, you've got to clicky-click-click until you hit the default page and it shows up. After that, it's a big clicky-click-mystery.
These stats don't mean diddly to me, I know my boxes are tight, but all IIS admins can say is, "Well, I've applied all the patches."
Now, back to reading/posting on Slashdot, instead of downloading crap from windowsupdate.
Toddlers are the stormtroopers of the Lord of Entropy.
Windows servers were most attacked last year. And they said this as to why Linux servers were getting hacked:
"The sudden rise in attacks on systems running Linux earlier this year was due to several easily exploitable vulnerabilities being uncovered in open source third party applications such as PHP scripts and bulletin boards. Bad or default configuration of Linux and the applications running on it were also determining factors for the success of the overt attacks."
So it looks like it isn't the Linux kernel thats exploited. Its those poorly written PHP scripts running on Apache.
There are many small ISP-ish companies out there operating off business-level broadband all over the world. I'm one of them. We've got five Linux servers doing various tasks in the third bedroom of our all-bills paid apartment. We make enough money to pay bills and have some lifestyle afterwards. Of course, that's not everything we do...but I know there are many companies like mine around the world. Some people, some boxes, some bandwidth.
Maybe we DID take the blue pill. You wouldn't remember anyway.
/. staff meeting: "Traffic on the site is down, what can we do?"
/. as Anonymous Coward
1. Find some ambiguous test that claims BLANK on Linux is not as good as BLANK on MS
2. Editor posts story on
3. ???
4. Profit!!!
Live web cams
Anything published in that rag should be highly suspect and taken with a grain of salt. The only thing worse than the G&M is perhaps the enquirer.
btw, I hear that the next edition of the enquirer features Darl Mcbride on the front page and something about his addiction to crack!
From excellent karma to terrible karma with a single +5 funny post...
-3Suns
~~~~
The Revolution will be Slashdotted
I do a Survey of Houses that get broken into.
I survey 100 Houses.
Of those houses 80 have windows.
the rest 20 have no windows.
Now. in my survey 30% of those houses with windows are broken into. but 60% of those houses without windows are also broken into.
This means I can say that only 30% of houses with windows are broken into compared to 60% of those without!
But let's look at those figures again.
30% of 80 is 24 Houses.
60% of 20 is 12 Houses.
So now in 100 Houses
24 with windows are broken into and
12 without are also broken into
Now when we look at those figures twice as many houses with windows are broken into as those without.
So now I've gone from 60% insecure, to 50% more secure and the figures and the details have not actually changed !
And that's the simple maths.
And that's why Firecrackers and kittens don't mix.
which OS has taken out more nuclear power plants, airlines, rail lines, and East Coast power grids?
This statement clearly states that less than 2 percent of the BSD servers on the net were attacked. Yet that is not what the numbers show. The numbers state that less than 2 percent of the attacks were against BSD servers. That is a very different thing indeed.
As such, there are a number of pieces of information that are needed to make this article useful:
The net will not be what we demand, but what we make it. Build it well.
This is another case of so much missing data that we can conclude nothing. Others have asked about the relative % deployment (i.e., is Linux attacked more often because it is more common). But this is only the first of 3 missing pieces of data.
1. The percentages of types of servers in deployment (the general market share of Linux vs. Windows)
2. The percentages of types of servers in the sample studied by the security firm. (the degree that the security firm has a representative sample of Linux vs. Windows)
3. The cooperativeness/probability of server admins admitting break-ins to the security firm (are Linux vs. Windows admins more likely to verify a break-in?)
Without these three numbers, and a wee bit'o Bayes Theorem, we can conclude nothing from this statistic. And if you want to get really persnickety, you would want to understand the temporal variations in the system to rule out over-weighting by old dat
Two wrongs don't make a right, but three lefts do.
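The per-deployment normalisation worked through in the Netcraft comment above, combined with the reporting-probability factor from the "three missing pieces of data" comment, as an added example that is not part of any poster's comment. The breach counts, site count and market shares are the figures quoted in this thread; the binomial model, the `report_prob` parameter and all function names are assumptions made for illustration.

```python
"""Base-rate normalisation of the breach counts quoted in this thread (added example)."""
from math import sqrt

# Figures quoted on this page.
BREACHED = {"linux": 12_892, "windows": 4_626}   # August counts from the article
TOTAL_SITES = 43_144_374                          # Netcraft site count quoted in the thread
SHARE = {"linux": 0.64, "windows": 0.23}          # commenter's assumption: all Apache == Linux


def wilson_interval(hits, n, z=1.96):
    """Wilson score interval (95% for z=1.96) for the proportion hits/n."""
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def breach_rate(os_name, share=None, report_prob=1.0):
    """Estimate the fraction of deployed servers breached for one OS.

    share       -- assumed market share (missing number 1 in the comment)
    report_prob -- assumed probability that a breach on this OS ends up
                   verified in the dataset (missing number 3); 1.0 means
                   every breach is counted.
    """
    share = SHARE[os_name] if share is None else share
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    if not 0 < report_prob <= 1:
        raise ValueError("report_prob must be in (0, 1]")
    deployed = round(TOTAL_SITES * share)
    observed = BREACHED[os_name]
    low, high = wilson_interval(observed, deployed)
    # Dividing by report_prob scales observed breaches up to estimated true breaches.
    return {
        "deployed": deployed,
        "rate": observed / deployed / report_prob,
        "ci": (low / report_prob, high / report_prob),
    }


def intervals_overlap(a, b):
    """True when two (low, high) intervals share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]


def relative_risk(linux_share=None, windows_share=None,
                  linux_report=1.0, windows_report=1.0):
    """Linux breach rate divided by Windows breach rate under the given assumptions."""
    linux = breach_rate("linux", linux_share, linux_report)["rate"]
    windows = breach_rate("windows", windows_share, windows_report)["rate"]
    return linux / windows


if __name__ == "__main__":
    # Sensitivity sweep: how far the conclusion moves when the unknowns move.
    scenarios = [
        ("thread's assumptions", {}),
        ("only half of Apache sites are Linux", {"linux_share": 0.32}),
        ("Windows breaches verified half as often", {"windows_report": 0.5}),
    ]
    for label, kwargs in scenarios:
        print(f"{label:42s} Linux/Windows risk ratio = {relative_risk(**kwargs):.2f}")
    for name in BREACHED:
        r = breach_rate(name)
        print(f"{name:8s} rate={r['rate']:.4%}  95% CI=({r['ci'][0]:.4%}, {r['ci'][1]:.4%})")
```

Under the thread's own assumptions the two intervals overlap, so the raw 67% versus 23.2% split says nothing about relative risk; changing either unknown by a factor of two moves the ratio by the same factor.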
That there are more Linux servers out there. Percentagewise -- attacks per box, and successes per attack -- Linux wins. Statistics can be made to prove anything. You just have to pick which ones you're using.
Then that makes Microsoft (a big and brown) number two? Woo! Potty!
Back to the point, which is that I was passively hacked. By examining the log files you can tell that a hack program was the one that gained access to my system. I got hacked by one person with the nick slimshady (damn you eminem!) and someone with a Romanian address (I reported him to his Romanian ISP, who probably laughed at the dumb American).
Honk if you're horny.
It rhymes I think.
How strange it is that the numbers match up with the ones in this article.
Let's look at this, hackers blow up on windows and claim that Bill Gates made them do it by having leaky software. Hackers hit more Linux servers (granted that there might be more Linux servers) than windows.
Now, I'm going to generalize here. That these hackers who like to claim that they're striking a blow against windows and that they have some sort of moral objective to rid the world of Bill Gates and his corporate greed. But they hit the Linux servers.
To my knowledge there are a great number of linux platforms that one could choose from. And that these companies that provide these operating systems do not rake in cash hand over fist and try to exploit the consumer to a great degree (or so their proponents claim). So why are there hackers hacking Linux, if "Billy Gates made them do it"? The answer is because they're a bunch of little jerks, pure and simple. Sure you can point to some people and say, but they try to help people fix their security, it's still hacking and they are in the clear minority. These people serve no other purpose than to set back businesses a few million dollars and make everyone incredibly frustrated. Seriously guys, you might think it's fun, but it's essentially incredibly damaging vandalism, it's a juvenile activity and I think that it's time that we moved beyond it.
Normally this is the kind of story that would bring out the Troll in me to laugh or bitch at the oodles of /. posters that have given their first son the name Linus.....
But in my own experience, and maybe it's just cause i'm not as popular as say Google.com or Msn.com, but one of the sites I maintain (www.reptiliansystems.com) off of IIS gives me a lot of headaches, where as my personal site (www.galthor.com) running off of a redhat system has been nothing but porn-butt smooth from day 1.
Ave Molech Setting
I wish they'd split up the damage figures to clearly show the distribution. Just saying that 12,000 linux servers were bridged and 5000 windows servers totalling to 28 billions in damage including the damage done by the viruses kinda implies huge share of fault on linux. Worthless article.
Notice how they use percentages to describe which OS is hacked, but use raw numbers to obfuscate the percentage of MS vs percentage of Linux servers that were successfully hacked.
Why not keep consistent, such as saying "67% of systems attacked were Linux servers, but only 5% of linux servers that were attacked were successfully compromised"? Because that would lead to a conclusion they're trying not to make - that Linux is more secure than MS....
Netcraft September 2003 survey says otherwise...
I am become Troll, destroyer of threads
One quick question this brings to mind is whether the company that purports to have researched this number tracks a bug in a Linux kernel multiple times for the multiple distributions out there.
IOW, is a kernel bug that is patched by Red Hat, Debian, Mandrake, and Gentoo counted as one bug or four?
Rule #1 -- Politics always trumps technology.
That's probably one of the worst articles I've read from Slashdot lately. The "report" in question appears to be from British security company "mi29". First of all, that name is wrong; their name is mi2g. Oh wait, THAT mi2g?
Sorry people, but I don't think they're reliable or trustworthy. They're nothing but fearmongering vultures from what I've seen of them. And as for the report? Well, it's not free, it costs 30 pounds.
So we're presented with declarations from a report of which we cannot check the methodology, by a firm who likes to regularly make pronouncements of doom that never happen. Should we believe it? Certainly not. We should simply suspend judgment for the simple reason that we lack critical information to judge its value.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
what percentage of Windows Breaches are detected.....
But I'd settle for what percentage of NT Administrators know how to detect a breach.
-D
A. Let it run for a week, it'll crash by itself
Q. How do you do a root exploit on a windows box? A. Log in, everyone sets all the accounts to have admin privileges anyway.
Successful: Or perhaps the Windows people just haven't noticed yet since the majority of Windows server admins probably think that Windows Just Works(tm) and don't even review the security log.
Verifiable: So Linux just has better ways to verify that you have actually been attacked. There could have been twice as many attacks vs. Windows servers, only the admins didn't notice or couldn't "verify" the attack.
The Sobig and MSBlast malware that afflict Microsoft platforms contributed significantly to the record estimate.
;)
Score:-1, typical knee-jerk excuses for Linux shortcomings.
You gotta love the responsible journalistic media who base a story on an unreferenced "report" from a commercial operation who is in the business of providing server security consultation.
Needless to say the "report" is nowhere to be found. Like it really matters anyway. Yea, this is objective.
Without both OSes' attacks being equally confirmable, and the statistic being based on how many there are to begin with. That study is .. junk.
And they've been doing this for 9 years?
That's a long time to waste time.
(If at first you don't succeed, do it different next time!)
I must say this is one of the most insightful comments I've ever seen on /.
Wish I had mod points.
How many unknowing entry level sys admin types will build a linux server, and then completely ignore it because everyone talks about how "secure" linux is?
This *is* marketing, to a degree -- a group like mi2g probably needs a spin in a world of increasing Linux servers. The paragraph description on the mi2g site does discriminate between "overt" attacks and those perpetrated by "malware" -- viruses, worms, etc. So, they can make a press release that initially seems as though they've found that Linux/UNIX/BSD is as vulnerable as Windows -- if they discount SoBig, Blaster, ILoveYou, etc. And this is very important to them, not merely because they want to sell reports, but because they want to sell their business. If people start switching to Linux with the idea that it's safer--if they no longer have to worry nearly as much about the obscene level of damage that can be done by worms and viruses--then mi2g's business suffers. It's worth their while to make companies feel as unsafe and needful of their services with Linux as with Windows. The report is interesting in that it indicates that Linux may be as hackable as Windows on a 1:1 ratio, particularly if people aren't careful--but it's still market-speak.
The quality of advertised British intelligence has been somewhat lacking of late. The Blair government has shown itself more than willing to whore itself off to both corporations and the Bush administration.
I sincerely doubt the veracity of these claims given the dubious source. Microsoft has proven its willingness to distort evidence and undermine Linux adoption by any means necessary. I would suggest that this report may be the result of well placed transactions rather than real intelligence.
At the very least we have never seen the type of whole-scale security flaws as in Windows. At the very least, brute force attacks like Denial of Service says nothing to the quality of any product besides IPv4.
In such case, all the attacks could be credited to "mobile weapons labs" producing not only weather balloons but internet attacks as well.
balanced and rational dialog.... "Damn it Sparky, point that flame thrower at the other OS!"
Makers of the GEO Metro deserve credit for having reduced the proportion of successful car thefts perpetrated against GEO Metro owners. Makers of sports cars have a lot of catching up to do in this area.
When looking at statistics of this nature you should first consider that Apache accounts for 64.2% of all web servers on the internet, which could be followed to say that about 60% of all web servers use some form of Linux/UNIX. Only 23.54% of all web servers use Microsoft IIS. (statistics from netcraft).
This being said, it is only logical that more Linux based servers will be attacked than Windows based servers. In my opinion the main reason for the successful attacks against these two OSes is simple. Linux servers have the potential to be extremely secure, but it's not easy for most people to make them secure. Therefore, the software itself is secure and most of the problems are from user error. In the case of Windows, the server is very easy to configure, meaning the security features aren't hard to use, but the software itself has a ridiculous amount of flaws.
The real issue here is that the people setting up most of these Linux servers probably don't know much about what they're doing, and thus configure things wrong. Until better trained people are used to set up these servers (or Linux is made easier to use) and Microsoft updates its coding practices, these are the sorts of statistics we can expect. Yes, more Linux servers were compromised than Windows servers, but if you look at the percentages that were compromised they are exactly the correct proportion when compared to the numbers of each which are deployed.
Guys, look, do you really think sysadmins report successful & unsuccessful breaches to this little one man and his dog company in London?
Of course not.
Or do you imagine that this guy has a magic crystal ball that can count attacks both successful and not?
Of course not.
Then do you think he has any way of assessing the cost that the breach does for systems he can't possibly verify as breached for companies he doesn't know?
Of course not.
It's just a scam, this guy wants publicity, if he says Linux is less secure than Windows he's hoping it will be used as a counterpoint the next time another Windows worm appears and he gets his company mentioned.
user:bill_gates
pass:LiNux_costs_me_$$$
It's unfair to say that x percent of all successful attacks were against Linux servers unless you compare that to the percentage of all servers that run Linux.
A more meaningful statistic would be the percentage of all *nix servers that were successfully attacked, compared to the percentage of all Windows servers that were successfully attacked during the same time period.
formally announce the findings of our organization's latest report, which states that, based on our research, 67 percent of those who do not deposit at least US$100 into my Paypal account will develop a nasty case of head lice over the next six month period. 17% of those surveyed in this report noticed an observed improvement in my attitude when confronted with third parties who deposited in excess of US$200 into my Paypal account. Approximately 3.4% of those who negatively mod this post are also known to spontaneously combust, leaving an olive green globule.
Complete figures are available from the Advanced Cootie Research Online Consortium (ACROC) for a small fee.
I was hoping the article would provide the reader with sufficient information to make an informed decision. The percentages are based on successful attacks but fail to inform the reader what percentage of all servers in use for each OS were attacked.
According to Netcraft, the percentage of servers running Apache is about 62% in May (old but that's the fastest article I could find, Google for newer http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=percentage+of+apache+web+servers ) and the percentage of servers running IIS is 27%.
So naturally there will be more attacks on Apache than IIS, but also the percentages are in proportion the number of total servers, so it does not appear to be unbalanced.
Lastly if you take desktop OS as an example you have the same problem. There are tens of thousands more viruses and worms for Windows than for Linux, because Windows has the greater share of market for desktop OS.
Can anyone confirm who funded this report from mi2g Intelligence Unit?
"You're having a bad day when the voices in your head put you on hold"
technically, if attacks (hacks) are not targeting the OS there should be a one-to-one ratio of attacks to server OS. If there isn't that would be interesting, I'll look it up later.
stop the energy dept from warning nuke plants about ms desktops then!
Don't Tread on OpenSource
Actually, I think it's not just "shared hosts" but also the fact all da pornz is hosted on linux. And even tho many sites are kept very secure, many more of those sites (numerically, probably the vast majority of them) can easily be "hacked" by something as simple as a referer spoof. And every one of those spoofed intrusions counts - ergo it's not just the lack of security, but the utter ubiquity of hacks that certain webmasters seem to want to remain exploitable. Pretty sad when your business is so bad you have to try to give your stuff away.
I read that most windows servers just crash after being hacked! So we must take into account small number of hacked (and operating) windows servers AND the large chunk of hacked (and crashed) servers. My windows machine just wouldn't start up after my mbr got overwritten by something (which realtime norton av also couldn't figure out)! So like all those un-counted votes, we have to count the defunct win servers too! Now what's the ratio?
PS: I keep reinstalling windows every 1 month, my linux (RH) partition is there for the last 1.5 years! Somehow windows knows that there is something else on the system, and tries to crash the entire system - anyone thinks my analysis is correct?
Question: does Linux get the blame?
Is this another way of saying that more non-expert web developers work on Linux/Apache than on IIS and have written more buggy applications, even if those bugs have no bearing whatsoever on the host platform? Would the numbers shift if Windows/Apache/MySQL/PHP servers were more common, and those same buggy applications were available on more than one platform?
Dewey, what part of this looks like authorities should be involved?
When a new Microsoft attack comes out, everyone jumps all over how insecure the OS is. When something negative about Linux comes out, all I hear are excuses (market share, uneducated admins, all MS attacks are not reported), or "I need more statistics"...why aren't you saying that about MS articles? Because we are biased, I know. So instead of the excuses that just make us look bad and unobjective, why don't we address this issue seriously. Let's assume the report is correct (like we would with Windows) and talk about how to make it better. It would certainly be a lot easier if all Linux distros had a program that would detect when there is a serious patch out there and notify the user (I know, it sounds like windows update, but it's a good idea). Also, the program would automatically detect non-essential things that can be patched and give you that option. In any case, as Linux gains marketshare and serves important information, don't be surprised that it is attacked more (even successfully). When a flaw is discovered, do you think it is the good guys who find out about it first? We have given Linux administrators a false sense of security by saying our OS is secure, Windows is not. An OS is only as secure as how up to date it is patched vs. known vulnerabilities (and a good security plan). So it looks like we have work to do, both in improving how we install and distribute patches, and how we educate Linux administrators. If we don't, pretty soon Linux could have the larger market share, and Windows admins can point to all these reports and say how insecure OUR OS is.
Support a great indie game: http://www.abaddon360.com
Netcraft Web Server Survey: Apache 63.98%, Microsoft 23.7
Sites running on Apache are most probably GNU/Linux or *nix servers and sites running IIS are M$ Windows boxes. So what they found is only the normal distribution of Web servers running in production on the Web.
But I do not really buy that GNU/Linux servers are as equal being cracked as M$ boxes as I'm working in a data center and mostly see the opposite of this.
The blurb about this article on their web site states:
"Overt digital attacks are perpetrated by hackers as opposed to malware."
Let's see what the numbers look like when we add in the "malware" attacks....
Per the initial write-up: "...all successful and verifiable digital attacks against on-line servers targeted Linux..." (my emphasis)
The key word here is 'verifiable'. It is much easier to detect and validate that someone has hacked a Linux box, than a Windows box. We don't know the following that would lend more credence to any claims:
1. What is the ratio of M$ to Linux boxes that were attacked that we don't know about? (undetected and still infected - I would argue this number is much larger on the M$ side)
2. How were the percentages arrived at? If there are more Linux servers on the network than Windows servers, then we can not quantify 'percentage of total servers' and have it mean anything useful in terms of total numbers of attacks because, statistically, Linux attacks will outnumber Windows attacks given a standard distribution; since most script kiddie tools run on, and target Winblows machines, a 21% of total attacks on a few windows machines is more significant than a 67% of total attacks on a much larger group of Linux machines.
Social science numbers have no intrinsic value, except to the uninformed.
"Figures never lie, but liars tend to figure." - Longfellow
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Not surprising, attacks are roughly proportional to number of hosts running an OS. Also, this only cites known, detected, verifiable hacks. This means if compromises of your OS are harder to detect [Cough]Windows[Cough], then you get lower numbers. Also, the survey would appear to rely on volunteered information; if the sample set is self-selecting, then it is meaningless from the standpoint of statistics. Still, if thousands of Linux sites are getting hacked, it means we either need more secure software, or more clueful Linux admins...
"Freedom means freedom for everybody" -- Dick Cheney
I mean, the numbers aren't from Bruce Perens or ESR or RMS, so I don't trust them. Besides, how do we REALLY know this article was put on that web server, by the owners, and it's not just another hacked W2K/IIS box. And besides, the article didn't even mention anything about standard deviations, so the statistics are 100% wrong. Besides, I read the article with IE, so I'm sure that IE manipulated the numbers that I saw. Besides... oh fucking give it up, zealots. Linux isn't as rock solid 100% secure as everybody claims it to be. It's just as hackable as W2K. Crawl back under your rocks, now.
Those numbers are not really meaningful.
There are a few things they are doing wrong. Without giving relative populations it is like saying that in August, more Americans died in America than they did in Iraq.
Also they are being deceptive by picking a specific type of breach. It's like comparing the number of deaths due to cancer of countries with average life expectancies of 22 and 122. Sure, maybe more people in the country with the life expectancy of 122 die of cancer, but really I'm sure that they don't mind that much.
I am not a guru but it seems to me that hacking into websites is more of a compromised password issue than a host OS issue. Cracking and not hacking. Am I seeing here that the root is being compromised and hundreds of sites are compromised due to an OS vulnerability or is this a case of sloppy admin by hosts / website admins? Please don't flame me ... I don't understand the intricacies of all this.
The Globe and Mail is the older and generally more respected newspaper. The National Post is a recent upstart. It is generally considered much more right-wing and a bit downscale.
Free Software: Like love, it grows best when given away.
Fourth-from-last paragraph:
Moderators, please read the comments before giving them points. (I know, I know... ;-)
Microsoft actually deserves credit for producing such shoddy software that a cottage industry in anti-virus and firewall software for Windows systems has grown. See, they're helping the economy! </sarcasm>
And from the article:
I feel fantastic, and I'm still alive.
I know we don't consider the primary purpose of the blaster worms as being to take down networks. Regardless, there were many networks disabled, taken down purposely to stem the flow, or just slowed to a crawl. Seems to me that Windows vulnerabilities are far more powerful and prolific than those of linux.
Let's also not forget that Windows NT marked the advent of the ignorant sysadmin. MS made it so that any yahoo willing to purchase a pc and their server software could put up their own server in very little time with very little knowledge. They literally blazed the trail for security education to those that really didn't care. Linux distros have learned from that and tightened their base security a great deal from the very early Slackware distributions that required the enthusiast to configure everything. (where I broke my teeth)
I'd say linux has come a long way. It's broken into a new area- the ignorant sysadmin (that wants to lower the bottom line). Truth is: you can't enter this arena without doing some work and without being conscientious of your environment.
Welcome to the mainstream!
What folks really want to know is how does OS choice affect security for their organization. This study doesn't give them that information.
1) You need to get a sense of reporting bias.
2) You need to make sure you are comparing servers in similar situations (i.e. Linux servers at major, unpopular corporations vs. Windows servers at major, unpopular corporations)--and make sure they are equally interesting targets. I can believe that ISPs that service certain neighborhoods are especially vulnerable to attack--and that ISPs don't use Windows.
3) I would compare how setting affects this. I could believe for example that Linux/BSD are much more secure in the hands of a professional and Linux is less secure in the hands of a novice.
I remember something that that survey back then counted "personal web servers" that win98 or 98se had... AOL people with modems and their own webpage? I'm not sure it's a couple of years ago.
Of those to whom much is given, much is required.
Do you suppose that if 1 DOS attack was made on a website running a cluster of 1000 linux servers, they counted that as 1000 attacks?
---
Lousy rotten karmic retribution.
Since SCO put all of the important stuff in Linux, it seems like we should sue them for creating such a vulnerable OS.
If that doesn't make sense, put on your SCO colored glasses and it will all become clear.
It's like saying that red cars are the most stolen cars in the world, so insurance on a red car is higher. But what they fail to realize is that there are more red cars made and therefore more red cars out there than any other color, and therefore an average selection of stolen cars will have more red cars than any other color. So more Linux servers get attacked because there are more Linux servers to get attacked. Now the question that should be posed is: out of 100 Windows and 100 Linux servers, which have more successful attacks? And why?
The Linux culture wants bugs identified, in this case successful crack attempts, so that they can be fixed. Generally all open source is this way.
The MS culture does not want them identified. It seems that they would rather hide them than be embarrassed by them.
Could this be a reason for Linux having more successes than Windows? More people willing to report a successful Linux attempt?
Also, wouldn't your desktop PC classify as a server if it's on the internet with ports open?
If it's not a server, why are any ports open?
Linux by default is a server, once you have ftpd or telnetd or even sendmail, they are open for use, hence they "serve" stuff out.
Vip
Come on, where do they get these figures? In August alone:
From Network World Fusion
The Blaster worm - also known as MSBlast or LoveSAN - has spread rapidly since it was first noticed on Monday. It has infected an estimated 188,000 systems running Microsoft operating systems, including Windows XP, Windows 2000, Windows 2003 and NT, that are unpatched for the so-called RPC vulnerability discovered last month, according to a security firm tracking the worm.
They didn't count them. Why? Most of them aren't servers, right? Well how did they differentiate Linux servers then? I bet they didn't -- did they check and only record RH Advanced Server and disregard all the RH Workstation. I doubt it. This is pure FUD by a place that has trouble with math.
"During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent."
I read this as: While Linux admins can usually determine when they've been hacked, Windows admins usually cannot. And there appears to be nothing in this study to contradict this interpretation of the facts presented.
Lies, Damned Lies, and Studies Funded by Microsoft.
If the conclusion of the study had been that Windows was the one more breached, I doubt you'd be quibbling. In fact, we'd see the mandatory hundreds of posts all talking about how Microsoft should be held liable, how bad Windows security is, how great Linux is, etc.
:)
I dare anyone to challenge that assumption.
Yes, kids, Linux is no more secure than any other OS, except maybe OpenBSD.
"Sufferin' succotash."
Another thing that's not clear here is what is classified as a successful breach? Does that mean defacing a web page? Does that mean getting full access to the box? I've had a web page on my server get defaced because I forgot to upgrade PHP, but I didn't really care that much. On the other hand getting my box rooted by somebody is a serious problem.
This sig has been temporarily disconnected or is no longer in service
Out of the checked and known attacks (actually defacements) for today, there are 13. 12 are Linux, and 1 is Windows. But the humour here is you check the IP on the Linux boxes. All of the "Arab VieruZ" defacements are on the same box using an alias to point to the same location. So they count the same attack 7 x rather than just once. IOW, there is 1 windows and 6 Linux. I suspect that much of their stats are just as skewed.
I prefer the "u" in honour as it seems to be missing these days.
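The double counting described in the defacement comment above, together with the base-rate argument made earlier in the thread, as an added example (not code from any commenter or from mi2g). The records, hostnames and function names are constructed for illustration; the deployment shares are the Netcraft Apache/IIS figures quoted in the thread, used as a proxy for OS share the way the commenters use them.

```python
"""Recount a defacement feed per compromised host, then weigh it by deployment share."""
from collections import Counter, defaultdict

# Constructed sample shaped like the day described in the thread: 13 mirror
# entries, 12 tagged Linux and 1 Windows, with 7 of the Linux entries being
# aliases that resolve to one address. Hostnames use .example and addresses
# use the RFC 5737 documentation ranges.
SHARED_BOX = "192.0.2.10"
RECORDS = (
    [(f"vhost{i}.example", SHARED_BOX, "linux") for i in range(1, 8)]
    + [(f"site{i}.example", f"198.51.100.{i}", "linux") for i in range(1, 6)]
    + [("shop.example", "203.0.113.5", "windows")]
)

# Figures quoted on the page (percent). Assumption carried over from the
# commenters: Apache share stands in for Linux/Unix, IIS share for Windows.
ATTACK_SHARE = {"linux": 67.0, "windows": 23.2}
DEPLOYED_SHARE = {"linux": 64.2, "windows": 23.54}


def count_by_entry(records):
    """Naive tally: every mirror entry is counted as one attack."""
    return Counter(os_name for _, _, os_name in records)


def count_by_host(records):
    """Tally each IP address once, however many names on it were defaced.

    Returns (per-OS counter, {ip: [names]}). An address whose entries
    disagree about the OS is counted as 'unknown' rather than guessed.
    Caveat: this undercounts if one box was broken into several times.
    """
    os_by_ip = {}
    names_by_ip = defaultdict(list)
    for name, ip, os_name in records:
        names_by_ip[ip].append(name)
        if os_by_ip.setdefault(ip, os_name) != os_name:
            os_by_ip[ip] = "unknown"
    return Counter(os_by_ip.values()), dict(names_by_ip)


def shares(counter):
    """Convert a tally into percentages rounded to one decimal place."""
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 1) for k, v in counter.items()}


def relative_rate(attack_share, deployed_share):
    """Attack share divided by deployment share for each platform.

    1.0 means a platform is breached exactly in proportion to how widely it
    is deployed; above 1.0 means over-represented, below 1.0 under-represented.
    """
    return {
        k: round(attack_share[k] / deployed_share[k], 2)
        for k in attack_share
        if deployed_share.get(k)
    }


if __name__ == "__main__":
    raw = count_by_entry(RECORDS)
    per_host, names = count_by_host(RECORDS)
    print("per entry:", dict(raw), shares(raw))
    print("per host: ", dict(per_host), shares(per_host))
    for ip, hosted in names.items():
        if len(hosted) > 1:
            print(f"{ip} carries {len(hosted)} defaced names")
    print("attack share / deployed share:",
          relative_rate(ATTACK_SHARE, DEPLOYED_SHARE))
```

With the quoted figures both ratios land close to 1.0, which is the point several commenters make: the headline percentages mostly restate how many servers of each kind are deployed.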
"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
:-)
Clever, those Microsoft folks...reducing the number of attacks against their servers by the unconventional method of not having as many servers out there!
(somewhere I read that Apache has the largest server market share)
There's a windows version of tripwire.
I'll probably get modded down for this, but oh well.
I post often about how Linux is no less insecure than Windows or any other OS. And constantly, I get bashed, downmodded, told that there are more Linux servers but are less hacked, etc.
And yet here is a study that shows otherwise. Now look at all those people try to dismiss it. Try to dance around it, making excuses, and so on. If this study had shown that Windows was the most breached, people would take it at face value and we'd have the requisite hundreds of "I told you so" posts, hearsay, anecdotes from idiots who don't patch their servers, and so on.
I'm sorry, but I just wanted to say, I told you so. All operating systems are as secure as their admins. Microsoft has millions of dollars and some of the top programmers in the world. They're damn secure. So is Linux. So are all the others, reasonably speaking. Linux is not the end-all of secure systems, and this just makes people who act that way look like idiots (especially when they're making ridiculous excuses to try to defuse the study).
"Sufferin' succotash."
Of course, being subscribed to a security service doesn't mean you should unsubscribe from all the various security lists out there. Especially not if you're a system administrator (Hint: If you're a home user on a cable modem, you're a system administrator.)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
This data is not being shown in a way that one could say 'windows is more secure' or 'linux is more secure'. You would need a random sampling of an equal number of distributions, windows, linux, bsd, others.. What is not disclosed here (in the article at least) is the ratio of linux servers to windows servers running apps on the internet. I would bet that the majority of e-business systems out there are Java or C++ code running on linux or a proprietary unix distro. So the numbers here are not surprising, nor do they mean anything significant. The responsibility for understanding and enforcing security on a Linux server is up to the administrator, and the level of knowledge in users out there might be falling behind. Microsoft security is a matter of running around to every windows machine on your network installing patches and cleaning viruses. (or at least that's how it seems to a linux user observing a windows network admin). Microsoft also does a good job of warning admins of security flaws when they are uncovered. There are plenty of security flaws in server applications for linux, but there are also many more of them than are available for windows. You have more of a choice, some of the choices are not so good... Maybe the reason that there are more successful attacks on linux servers is the fact that many admins just let them run, assuming that Linux is Secure, and they don't have to worry much about it.
TallGreen CMS hosting
so of course it has holes in it
The Unix family is insecure by design.
That is why it is better to start again than try and paper over the cracks.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
That number matches the percentages of each type of server running. *nix runs about 65-67% of the internet, that would conclude that equal percentages would be hacked. You have the most servers, you suffer the most attacks, simple number logic. Total FUD, trying to scare people who don't know any better.
If Kerry was the answer, it must have been a stupid question.
The UN - The largest "political" cause of death.
...When there are very few people still stupid enough to put one up on the internet without a Linux/BSD/Cisco firewall protecting it?
Of course most of the attacks are going to be on exposed servers.
That's like saying "most people that were hit by trains were standing on the tracks"
Though I think the stats from the article are probably imaginary.
"Verifiable and successful attacks" indeed.. what about the number of unsuccessful attacks?
They have no figure on that.
This means that their conclusions rely entirely on the assumption that their data has no OS bias.
There is no reason whatsoever to assume this.
For instance, for all we know linux users might be more open about admitting attacks than windows users. Perhaps more of the windows admins were out patching their machines and didn't have time to reply. Maybe they didn't even survey the same amount of linux sites as windows sites. We know nothing.
Unless their source data is unbiased their numbers mean nothing.
This should include the worms and every other attack that hits Windows boxes.
Why it would NOT consider a worm a compromise, I'll never know.
The only difference between the Windows worms and a script kiddie compromise is that the worm is working autonomously on its own. Come to think of it, a lot of the script kiddie tools do too..
-- I'm the root of all that's evil, but you can call me cookie..
The crackers' ethos can be summed up thus:
Why did you exploit that security hole?
Because it was there.
Windows is just plain super-exploitable. This is due, of course, to its legacy of rush-to-market-driven design which has left its underpinnings looking like the sub-basement of a centuries-old office building.
Other types of servers certainly do get hacked, but generally these are exploits of weaknesses in older versions of Apache or sendmail. But the last place I worked the Windows servers got hacked constantly. Worms got in through IIS holes and crashed one box a lot. The guy taking care of the box would just reboot and look for memory leaks. The IS girl identified the worms and patched IIS. Two weeks later the server was infected again by a new variant.
Every news story I hear stresses "All computers are vulnerable to viruses and you need to have virus scanning software installed." Then they go on to explain for the unwashed masses how to dial 1-800-symantec. The American media simply asks no questions about the reasons for these holes. They don't ask the simple question you're asking.
Today I heard a quote from the MS executive before Congress, in which he states as a matter of fact "There is no such thing as a 100% secure networked computer." Where's that innovative spirit, Microsoft? These are *designed machines* for chrissake. We know a lot about security now. We've learned a lot from the mistakes of Microsoft. Strip it down again and again, and you will have systems secure from exploitability.
Well-administered Mac, BSD, and Linux systems excel in security, and generally speaking the script kiddies and cyberterrorists don't target these systems because they're too obscure.
-- thinkyhead software and media
Must be because for Linux servers you often do not have a firewall since you do not want to spend the money for that.
Lars
Couldn't they give her a better face for the picture O_o
My web host won't give me SSH for SFTP or provide secure POP. Nothing like handing your passwords out all day long. So if you can snort me and deface my web page, am I now a cracked server statistic?
I think anyone reading ./ is a qualified expert in this department.
"It's a very tangled subsystem." --Windows kernel guru
Duh! That's because when you root a Linux server, you've got a real system to play with -- a hacked box and a few perl scripts, and you're on your way! When you hack a Windows box, you've just got any data on it, maybe some websites you can deface, or you need to start writing hardcore C/C++/etc. code to really get something out of it.
Just thinking about it, I do find these numbers more skewed than most realize. This shows simple defacements, not real attacks. A real attack is when somebody breaks in and takes info from you.
MS IIS systems break-ins are not published unless large amounts of CC is stolen. Only then do companies actually allow it to be known that they were broken into.
For the last 3 years, I have been checking all the sites that were broken into that had CC's stolen. All were IIS except for www.playboy.com which ran Solaris (bad admin, bad boy). Which is worse? credit cards being stolen or simple defacements.
- Me: Windows is attacked because it has more boxes out there.
- Zealot: no becuase teh windoze is teh sux
- Me: See? Linux is also attacked. It is *not* completely secure.
- Zealot: no, becuase it has more boxen out there, duh.
Duh.
And yet where is that argument from you people when you talk about the insecurity of Windows? People like me have been saying all along that something more widely used will be more attacked and exploited, and Windows is no exception. All of you blasted back with the higher Apache statistics, but it looks like this report just supports what I was saying in the first place.
Also, are people still going to keep claiming Windows servers are inherently less secure? This report directly contradicts that. Looks like the only thing you can argue is that Apache is used more, but at the same time it's getting more breached. Tough.
"Sufferin' succotash."
"Hackers" want a challenge, windows does not provide that opportunity.
If at first you don't succeed, try and try again.. :)
"The data comes from the London-based mi2g Intelligence Unit, which has been collecting data on overt digital attacks since 1995 and verifying them. Its database has tracked more than 280,000 overt digital attacks and 7,900 hacker groups."
So, it's like, here we have an organisation that manages to track 7900 hacker groups?
Riighht...
That should make echelon pretty jealous. The numbers are spewed out with no explanation whatsoever, which makes someone as paranoid as me very suspicious. I have a hard time imagining a hacker giving numbers that easily. Smart hackers tend to shut their mouth. We only see the stupid script kiddies who brag on IRC. I hope they haven't used IRC logs as a measurement even if it wouldn't surprise me at all.
"Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August."
Why aren't the numbers for this accounted for? I interpret this sentence as if Windows servers were in fact more attacked at govts. Why aren't those numbers revealed? Was there like, 100 000 Windows attacks or 10? The difference is also quite amusing between the number of successfully attacked systems. It seems like the govts are better at securing their servers than commercial online shops are.
And again Riiighht...
"The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.)."
"The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion"
If I'm right here, server attacks from hackers cost 707 million. Attacks from viruses/worms (Windows, since how many have even seen a Linux worm, let alone experienced one?) cost about 27 billion.
In that respect it's kind of annoying if mi2g pats Microsoft on the shoulder, since they account for almost all lost productivity and loss of income. Since the Microsoft attacks cost so much more or are so much more expensive, I find it very hard to come to any other conclusion than that the Linux attacks are no more than superficial breaches easily recovered from. Either that or the numbers just don't add up.
As a side note, yes, I think Linux needs better security, but to gain real security on cheap Intel/AMD there needs to be some better memory protection and more belts and straps. If one security measure fails there should always be a backup system to catch what slips through the first line of defense. This is my strong belief, drawn from my view that no system can be without faults. We should try to mimic the way airplanes are built and used.
HTTP/1.1 400
Linux has gained enough acceptance in the server field to be deployed in large numbers and at high-visibility targets. Additionally, the level of competence of the people deploying Linux is probably dropping somewhat, as it's moving from something that is just installed by those who love it and are willing to take the time to monitor all of the security flaws to something that is installed by people who just want something that works.
Funny. Replace every instance of "Linux" with "Windows NT," and you have the mid-90s.
Kinda changes your perspective when you're on the other side of things, doesn't it?
"Sufferin' succotash."
The site www.globetechnology.com is running Apache/1.3.19 (Unix) Resin/2.1.0 on Linux.
The OS is really not as important as the security habits of the sysadmin, particularly related to password strength. I've known a lot of platform bigots (you know the ones, Linux is God you Microserf, bow before me for I am root and can write perl scripts) who used really lame passwords. Compromising a machine, regardless of platform, is easier when the machine is not patched (see bugtraq) and when strong authentication is not used.
Again, I repeat myself here, but it has to be said...EVERY OS is vulnerable. If anything, this article doesn't surprise me because of the difficulty in protecting a Linux system, an inherent problem with *nix flavors. You can build them to be beautiful, screaming machines, but you have to have in-depth knowledge about what to do, how to do it and why you should set them up a certain way. If you don't know what to protect yourself against, you won't do it...
Using 3L337 as a password won't protect your system from script kiddies, sorry.
man rtfm
After all, it's critical of Linux.
If it were critical of Windows, I doubt you'd have even posted that.
"Sufferin' succotash."
I think it's more that anything Linux-critical is suspect around here. Well, gee, Rob Rosenburger criticized them, that means their stats are wrong.
But if it were a study by mi2g showing Windows had the most breaches, you wouldn't have even posted that. You would have joined the chorus of zealots in saying "I told you so."
"Sufferin' succotash."
Yeah, and the Windows stats would have been even lower if SCO ran real OS's on their Web Servers...
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
I'm curious, was Slashdot afraid to put "Linux Most Breached Server?" in the headline? The stats were about most breached. The point wasn't who was most attacked. I guess that one word needed to be changed to soften the blow...
"Sufferin' succotash."
What about all of the worms running around MS systems? Do they count? I think that Blaster, Sobig, and some older ones definitely raise Microsoft's score...
here
Just a thought.
Given all the flaws in the 2.4 series (the kernel from hell) and the over 200 Linux forks, it is no surprise the unwashed masses who don't patch their systems would be attacked.
Since the stats for percentage hacks of linux vs. windows boxes seems to correlate very strongly with the percentage of linux servers vs windows servers (around 65% vs. 25%), it is likely that the OS being run isn't the main cause of the security problems. My theory is that the breakins are due to poor configuration and maintenance of the software. I doubt anyone would disagree that unpatched servers that aren't properly configured are vulnerable, regardless of the OS running.
Vote for Pedro
If you are a real admin, you have scripts that monitor log files for you and notify you of any issues that require your personal attention. That is unless your OS is from M$.
I laughed out loud.
SE Linux is integrated into 2.6 and a patch to 2.4. It GREATLY improves the security of a Linux box. If someone gets root (or some other uid shell) through a buffer overflow they can no longer take over the whole system. Odds are they cannot do anything. How is this possible? By running every process in a security context carefully restricted to least privilege through a system of mandatory access controls. If you want to see how effective this is for yourself please telnet to:
selinux.copilotconsulting.com
user: root
pass: root
Someone wanna tell the guy that a worm which drops a backdoor counts as an automated attack. Can you say "Welchia"?
He's gonna have to take his shoes off so he can count that high!
if they'd been running Linux.
;-)
Oh....
Never mind..
GENERAL PUBLIC SIGNATURE (GPS) Any replies (derivatives) of this post must also use the GPS
...I think it's safe to say that this is only because Linux has some 80% market penetration for serving web sites (Linux + Apache/Apollo/thttpd/etc), whereas Microsoft's IIS has dropped to about 17%.
Of course, you can also make the case that Linux is more easily hacked - and let's face it, because Linux offers more services and is being installed by less competent sysadmins in many cases, it is full of holes. IIS by default is fairly secure, but doesn't offer a lot of services. What is needed is a decent GUI front-end for managing and configuring Apache. I haven't seen any I'm happy with.
I'm too lazy to run the numbers, but I think you'll find that all things being equal, Linux is way more secure than Windows for any application when both are installed by competent sysadmins.
Interestingly, they interpret those numbers to mean that Linux gets used by hosting companies and ISPs, and /windows/ is used by the hobbyist and self-hosting groups - which is pretty much the exact opposite of the 'received wisdom' here on /.
I think those numbers and Netcraft's interpretation of them nicely backs up the claim I've seen elsewhere in this discussion that the methodology of the mi2g study is b0rken. After all, their sources seem to be executives in companies, and black hats with an interest in breaking into those kinds of companies - those sources would lead to a vast underreporting of the hobbyist and self-hosting windows users. At the same time, the fact that they report /sites/ rather than individual machines compromised means that they would vastly /overreport/ the number of Linux compromises.
The best we could do with the mi2g data would be tentative conclusions about one particular class of enterprise, and to get reasonable conclusions for /that/ we'd need to know how many individual machines were compromised, not how many sites. After all, just look at how different Netcraft's numbers were when they reported physical machines rather than hostnames/IPs . . .
himi
My very own DeCSS mirror.
If you want to know how to build a web server I suggest you go to devside.net and read up. Then come post again, and if you are rooted, you have no one to blame but yourself.
... he said gently.
I don't know what their methodology was, but from looking at the results from ethereal, it's clear that there were more than 20 Windows boxes that were successfully attacked on my broadband provider's local NAT domain alone. I doubt the proportion of clueless Windows users in this subnet is unusually high (if anything, it's likely low) so it seems very probable that many tens of thousands of Windows boxes were attacked by SoBig alone.
It seems therefore extremely unlikely that only 4000-odd Windows boxes were hacked total in their study. This makes me suspect that they are playing fast and loose with their counting methods.
Seriously, after you've hacked a Windows box, where do you go? It's hard to do anything remotely as we all bitch about so it's not very interesting. Once you get root on a Linux box you can play with all kinds of fun stuff, start sniffers easily, etc.
Obvious, when you think about it.
0. Profit!
1. Cause trouble for your enemies (in Microsoft's case, "everyone else")
2. Study the troubles at arms' length
3. Publish the most damaging set of results from those studies
4. Destroy "them" (see note for point 1)
5. Be the only competitor left standing
6. More profit!
7. Consequences, schmonsequences, as long as I'm rich!
Got time? Spend some of it coding or testing
More importantly, what are the percentages? If there were 20 times as many Linux servers attacked, then based on the numbers provided, a lower PERCENTAGE would have been successful.
Let's make sure we have a clear picture here.
It probably got 4,000 servers in my town alone!
Go ahead patch your damn penguin till it shits out easter eggs. Go pick your Windows cardiac cases off the floor.
Be a damn hero.
Or run with the BSD Devil. Forged in Hell, bulletproof.
I'm interested in seeing the percentage of Linux installs that are successfully breached as opposed to the percentage of Windows installs that are successfully breached; that stat would actually have more weight because it takes into account that the number of Linux-run sites as opposed to Windows-run sites is much greater. Anyone want to try the math?
The Unix family is insecure by design
Only the bits that Darl McBride is laying claim to. Now he is one insecure operating system.
~
~
~
-- INSERT --
I had a linux/apache server when the code red worm was going around and created a 17 Mb file for it to suck up. But then I wasn't paying for bandwidth. On the other hand by keeping some infected machine busy maybe I was helping some other machine escape for a few minutes more.
On my servers, I also un-setuid as many programs as I can, leaving only those that will be used regularly.
Useful resources:
tinydns: A VERY secure DNS server to replace BIND.
The Ultimate Guide to FreeBSD: This book includes information about how to set up Jails in FreeBSD.
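The un-setuid practice mentioned in the comment above, as an added example that is not part of the original post: a POSIX shell audit that lists set-user-ID and set-group-ID files under a directory, reports the ones missing from an allowlist, and clears the bits on files you name. The function names and the allowlist format (one absolute path per line, `#` for comments) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit set-id files against an allowlist before stripping any.
# Assumption: the allowlist holds one absolute path per line; blank lines and
# lines starting with '#' are ignored. Paths containing newlines are not handled.

# list_setid ROOT
# Print every regular file under ROOT that has the setuid (4000) or setgid
# (2000) bit, sorted. -xdev keeps find on ROOT's filesystem; unreadable
# directories are skipped silently, so run it with enough privilege to see all.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# unexpected_setid ROOT ALLOWLIST
# Print the set-id files under ROOT that are NOT named in ALLOWLIST.
# Report only: nothing on disk is changed.
unexpected_setid() {
    audit_root=$1
    audit_allow=$2
    audit_tmp=$(mktemp) || return 1
    # Normalise the allowlist: drop comments and blanks, sort for comm(1).
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$audit_allow" |
        LC_ALL=C sort -u > "$audit_tmp"
    # comm -23 keeps lines that appear only in the first input (the scan).
    list_setid "$audit_root" | LC_ALL=C comm -23 - "$audit_tmp"
    rm -f "$audit_tmp"
}

# strip_setid FILE...
# Clear both the setuid and setgid bits on each named file; other mode bits
# are left alone. Review the unexpected_setid report before calling this.
strip_setid() {
    for audit_file in "$@"; do
        chmod u-s,g-s -- "$audit_file" || return 1
    done
}

# Stand-alone use: sh audit_setid.sh ROOT ALLOWLIST   (prints the report)
if [ "$#" -eq 2 ]; then
    unexpected_setid "$1" "$2"
fi
```

Package upgrades can restore the bits, so the report is worth re-running after each update.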
Reminds me of the old times.. How is your system? Who reports what? I just can't resist this. How many attacked your CICS, IMS, (Tandem) Pathway systems - how? ( inside jobs don't count - there is nothing you can do as long as the stupid management system is in place ) I'm still amazed that anybody would allow the world to attack their systems. But then, I'm fighting the management to open all the access to our servers - go ask ?? have a nice day.
Just cos it's Linux doesn't make it secure, it's possible to leave any Unix system horribly exposed with bad practices. The main difference is that in Unix you can close the hole; in Windows you don't even know it's there, until MS releases a patch.
Its one damn thing before another. (Dick Bird 1999)
I mean, certainly part of it could be attributed to the fact that there really aren't that many windows servers. And it's pretty obvious that he's not counting viri as hacks. Could be they're counting web site compromises as "Hacks", which would explain the numbers, but which is completely misleading. It's hard as hell to totally secure a website, but a properly configured webserver should default you to "Nobody" even if it gets hacked, which would allow a theoretical intruder little leeway.
Even so, I don't know about their numbers. I mean, hypothetically speaking, if I were to go after a server, would I try a linux box, which is at least middlin secure right out of the box, or would I go after an NT box, usually hopelessly insecure, admin'd by some silly MCSE who's probably not going to notice, and not going to be able to catch me, using any one of a number of common script tools to exploit any one of a number of massive windows security flaws?
I do security for at least part of my living, and I've always found windows to be laughably insecure. I broke the security on this one box 20 TIMES in 2 weeks, and every time it was a new flaw. (And a new check for me. Mmmmmmm. Windows money.) I've never managed to do that to a linux box.
I'd really want to see their data. I mean, sure you can crack a linux box, but the easiest ways are 1) Social engineering and 2) physical access.
I've had MS guys give me their admin passwords OVER the fricking phone.
Bah. Anyway. This sounds like FUD to me.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
against Linux servers. They were SCO press releases...
How come Slashdot never gets Slashdotted?
Hell must have frozen over for Slashdot to run a story like this. I'm not going to bother reading all of the comments of people suggesting a flawed study, misleading statistics, or whatever else they can come up with.
Any Unix variant is historically, and notoriously, insecure. Get over it.
The majority of these machines still run on dial up modems, and they get hacked too! At the small retail computer store I work at, we get about 10 systems a day broken like this. Many others are owned but we can't prove it with a quick virus scan.
That's a very high number. There are about 500,000 people in my town. If we extrapolate that to all 250,000,000 million US people we get:
10( broken users/day)/500,000(home town people) * 250,000,000 (US) = 500 broken users a day in US. Or 15,500 last month.
Note that my shop is not the only one in town or the busiest. I imagine that figure is off by one or two orders of magnitude.
Anyone working for any large company that has again been shut down by another Microsoft transmitted disease, knows the score here. Whoever says free software is less secure than Microsoft shit is either paid to say it or woefully ignorant.
Friends don't help friends install M$ junk.
Perhaps you haven't noticed, but our measurements here on Slashdot are Volkswagen Beetle-based, not 'servers' or 'sites'.
Straight-up, please explain how many VWs were hacked, and I don't want vague terms like 'a beowulf cluster of 'em', just straight up RIAA-approved numbers (new beetles count as 10 'classic' ones).
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
My company works with 4 Linux boxes and 1 Windows, Windows got Blaster, but 2 of my Linux boxes were hacked last month (Debian woody, both updated)! The guy changed init and gave me serious headaches. I removed glftpd and reinstalled everything, but I fear industrial secrets were stolen :(((
btw, I am a Linux heavy user and my company manufactures embedded Linux devices.
Well - as a good friend of mine used to tell me all of the time - 63% of statistics are made up on the spot.
The possessive form of "it" is "its", not "it's".
Well, I've always liked to say it thus:
The possessive of it isn't its, it's its.
Our biggest problem in this country (US) right now:
1) We are raising and building infrastructure with admins that do not understand the technology they are using.
2) We are educating people to be administrators that can only push OK or CANCEL. If they can't they complain "Oh if I can't do that then platform isn't mature, so we don't use it."
I give analogous representations of most hapless Windows administrators to being equivalent to people who choose not to learn calculus because it is "too hard" and therefore "too expensive" to use.
If I do use calculus I will lose productivity!
Fact is, Microsoft is trying to dumb down computing to the point every possible problem you could ever have is in a wizard or dialog box.
It will never happen, and the more decisions the software makes, without approval or human intervention beyond OK or CANCEL the easier Windows is going to be to crack.
No software is ever made more secure by adding more software to fix security leaks.
The only way you reduce software vulnerabilities, is by removing software.
As we all know, every release of Windows gets bigger, and of course so does Linux.
But with Linux I have a choice on what software I install. Windows, you have only two choices.
OK and CANCEL of course.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Their data isn't normalized.
What is the ratio of Linux to Windows servers in the study? What was the ratio of breaches vs. attempts?
By attempting to normalize the numbers we can see the following.
67% + 23.2% = 90.2 % total listed.
12892 + 4626 = 17518 combined successful attacks. = 90.2% so
100% of attacks would be 19421 breaches total.
So linux out of 13012 attacks 12892 breaches
Windows 4505 attack with 4626 Breaches
Giving linux 99.07% breach rate VS.
Microsoft at 102.67% Breach rate , Per successful attack.
If they computed their numbers correctly I should have seen 100%, since there are percentages and actual numbers of successful attempts.
Then again maybe there are 2% that breach MS security without a successful attack?
Anyhow it's stuff like this that keeps me using FreeBSD.
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
This means that too many people are putting blind faith in php.
It is php which is getting hacked not Linux.
More people should read this
realkiwi
Anyone know if CERT has some statistics to refute these?
Actually, can you specify the application you speak of?
--- Journals are boring; Go to my web page instead
Oh... stupid me for believing all those Code Red, Nimda, Blaster, Slammer, Sobig.F, Klez, ... (should I keep going?) ... that filled up my logs and my mailbox originated from compromised Windows hosts when they so obviously came from hosts running that sucky Linux shit. //fatal
How is the attack defined? I'm getting knockings on port 135 every minute on my Linux server ... none of them have so far been successful (to my knowledge)
"The possessive of it isn't its, it's its."
You mean "The possessive of it isn't it's, it's its."
By any chance was this survey sponsored by Billy?
...just like the "Macintosh is easier to use than Windows" reports of old were sponsored by Apple. Seems to me that M$ are getting increasingly up the creek without a paddle, anything that deters CIOs from investigating the Linux/Unix options is good news.
"If it's lost, it'll turn up. Things always do" "I love it when a plan comes together"
How? Easy!
67% of the attacks were against Linux servers and 12,892 sites were successfully breached.
23.2% of the attacks were against Windows servers and 4,626 sites were successfully breached.
Let's say there were 100,000 attacks, this means that the success rate for Linux is 12,892/67,000 = 19,24%, while the success rate for Windows is 4,626/23,200 = 19,94%
Linux is better than Windows. But we knew that already, didn't we...
because Linux is free and Windows is not.
and the fact that xp is at least as stable as Linux now
If they are doing this analysis based on log files, there's the first weak point in the analysis. How did mi2g get these logs? Are they from sites where they have been called in *after a breakin*?
The report can be found Here but it looks like it costs around 29.38
What a brilliant way to get rid of criticism ..
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
In the case of the "lazy" admin, I've watched how overworked MS-only shops become - patches often break things, fail to fix what they claim to, or (re-)introduce additional exploits and therefore must be tested very thoroughly before going onto a production system. Some shops try to save money and have only one server, thus they pay big time for mistakes...
In those cases, breaches are due to the patches themselves breaking things or not working. Can you say NT sp2?
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
The title states 'Attacked', but the article talks about successful compromises (Hacked).
Linux is the most hacked system?
Hmm...
Seems like a bit of reader manipulation there Slashdot!
Compared to the 67%:23%-numbers of the article, does this place Apache and Microsoft at roughly the same percentile in successful attacks per install?
a self-respecting "survey" would at *least* put the numbers found against a total server population to form a RATIO comparison.
mathematically, 6/200 linux servers breached is NOT >= 4/5 MS servers breached.
We'd have even more people giving up on computers than we do already, because they are not intuitive enough. We would have just as many worms etc spreading around the world as we do with Windows, because people wouldn't be knowledgeable enough to do things like turn off unneeded services or update software. Not to mention, the majority of users would probably do everything as a root user with a blank password all the time :) Windows has its problems, but they continually make efforts to make things easier for the end user, sometimes, to the detriment of security. They could have made things more secure and harder to use and lost a lot of customers in the process.
With no information on the total servers, this is completely useless.
Whatever happened to JonKatz?
Another stealth M$ paid survey? It is called communication war...
http://www.mi2g.com/cgi/mi2g/press/faq.pdf
...are among the least trustworthy collection of media whores pretending to be security professionals it has ever been my profound lack of pleasure to deal with.
:p And no, I don't work for their competition.
Anyone who calls their PR bulk mailing list "Inner Sanctum" deserves to be ridiculed, IMNAAHO. And their research is usually over-hyped, of dubious context or just plain ridiculous. This one is no different.
Not that I'm biased
So has anyone written a good "Secure your Server" howto? I can keep security.debian.org in my updates folder, but that doesn't teach me a whole lot about avoiding getting rooted.
When I've been making plans for our server, I just was assuming "we'll get rooted every so often. Don't have anything valuable on the server, just use it for short-term file transfer, and delete the files regularly. Keep a boot disk handy, with chkroot on it, and run it every so often. Be ready with a CD-ROM set of boot disks to wipe/reinstall, when necessary." But that doesn't seem like a great option, just a case of facing the reality of crackers.
Note: I use linux. I'm interested in a Linux how-to.
Okay, first, before I take you to task, I have to agree with you on one thing: Security is more about the admin and the user than about the box.
I'm not comfortable with my level of security, and I've never been rooted. I think that if I got comfortable, I'd only need one fast case of getting owned to make me uncomfortable again.
That said, I 100% disagree that (1) Microsoft is secure. [I only 10% disagree that Linux is secure]. (2) we should immediately believe this article.
(1) When Microsoft's out-of-the-box default configuration allows it to run things sent to it, or [as bad] allows evil websites to root your box -- and note: there is no patch for this exploit available -- then you can't say that Microsoft is secure. I should say that this exploit came to my attention because I started getting bombed by 10 identical spams, same minute, different routes. I started investigating, and found that the most recent IE patches left a previously patched hole wide open, and this is being exploited to install the wthunk32.dll worm on people's computers.
(2) Yes, I think it is possible that this article is true and accurate. But I don't think it is likely, based upon another issue. Recently, Microsoft has been funding FUD "studies" as a way of attacking Linux' marketshare. FUD studies can be made to prove anything; since it isn't a big company being targeted, it is unlikely that the organizations that do this will be held accountable. So I take this kind of thing with a huge grain of salt.
So...in summation...
Its possessive isn't it's, it's its.
The Moore-Murphy Law: The number of things that will go wrong will double every 2 years.
0% of all servers running on the VIC-20 platform have been breached in the last ten years. Eat that!
If you don't believe me, go check the dictionary. There is no word virii, in computerese, or in medicine.
..........FULL STOP.
This is only natural. Unix gets about 2% successful attacks because it is the most mature of the operating systems in general use; Microsoft gets 26% because it is maturing, but has a ways to go; Linux has more than maturity problems that'll keep it at the top of the 'hit list' for a while to come. It is the least mature so there will be more holes, sorry to pop the 'geek' bubble on this. Also, because it is considered so secure by the open source community, there is less effort to plug the holes. This is the 'see no evil, fix no evil' effect at work. Then again the whole concept of open-source might be working against fixing it, after all, the people working on it can't even agree on common abbreviations, how do they go about coordinating the effort to plug security holes?
It has been said, the more popular an op-sys gets, the more its vulnerabilities will be shown. No amount of wishing will make them go away. People wrote it, it has flaws!
Oh the irony, nurds attacking nurds! Say it ain't so Joe!
Keeper of the terrible karma ---
for those of us who are slow, not too clever, dirt-bag, scum-of-the-earth types.
I beg you sir, please show us the test data.
Here's what I'm considering:
In the OSS world, when we're breached we typically ask our compatriots for help in preventing the next breach. Since we have direct access to the source code we're able to immediately patch things ourselves (if we're that good... frankly, I'm not. I rely on you experts out there). Calling for help, by definition, means letting people know I've been breached.
In Microsoft's proprietary world, the last thing I want to do if I've been breached is announce it to anyone else, since the only thing I can do for a fix is wait for MS to put out a patch (if they haven't already). Therefore most MS breaches are kept quiet.
Simple?
Allegedly real newspaper headline from 1998:
Man Struck by Lightning Faces Battery Charge
A sad day for Slashdot. Feeding trolls with misinformation ? The figures are obviously blatantly deceptive. So what, Slashdot. Don't you double-check or even just use common sense ??
I have my distro and moreover my OS, I'd just like good tools that could assist in making it more secure.
Arguments of: Switch to OS/Distro X aren't going to affect most people, unless it's somebody without a working box. Showing them tools/docs on making their boxen more secure might though...
Bingo! 99.999% of all of the problems with both Linux and Windows being insecure have stemmed not from late patches, but from administrators not keeping on top of security for their machines.
Keeping up with security patches is not enough, as this example clearly demonstrates.
The problem is that *NIX was not designed to be a secure system. And therefore it will never be a secure system.
Hush up. The truth is not well appreciated around these parts. You're supposed to just carry the /. Linux/BSD banner. All posts must include M$, MicroSucks or WinBLOWZ somewhere in them if they are to be taken seriously by this community.