Slashdot Mirror


Security FUD On Linux

bobmatnyc writes "InfoWorld reports that Microsoft is planning a "security assault on Linux" by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted through the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point."


  1. Easy Question to Ask by toupsie · · Score: 5, Informative
    How many Linux Security Threats have made me work over 24 hours straight? 0 in 2003

    How many Windows Security Threats have made me work over 24 hours straight? 1 every 2 months in 2003

    Guess which OS I like to support?

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Easy Question to Ask by TheRealSlimShady · · Score: 2, Informative
      You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse than what the worm/virus/hole will do. Anyone who lets Windows update run fully automated on production servers is a fool.

      Eight years and counting, and most of that time in Windows environments. I didn't say that you didn't need to test, testing is a given. If you're not testing, you're a fool. However, the fact is that between the time the update comes out and the time an exploit is released there is generally a window available for testing. Blaster is a case in point - the update was out for weeks. A good admin would have reviewed the update, seen that it was a remotely exploitable hole and started testing it. Then with the automated deployment tools it's a matter of releasing the update. For what it's worth, I don't recommend Windows Update on servers at all - I prefer to patch them in a more controlled fashion. Of course, in some environments the volume of servers means you have to automate it in some way.

    2. Re:Easy Question to Ask by pompousjerk · · Score: 2, Informative

      Damn straight.

      Although, one thing needs to stay clear: Linux is only secure if you know what the hell you're doing. 51% of all known successful root compromises occur under Linux. (Linux has more than 51% of the market share, IIRC, so it's not a very fair comparison. If anybody has market share data, please provide it so we can look at ratios.)

      I prefer running Linux, of course. At least I know I can secure it.

    3. Re:Easy Question to Ask by MadMirko · · Score: 2, Informative

      Well, I admin about 150 Windows servers since the days of the late NT 4 (SP 5 and upwards), and I can't remember a MS patch that actually broke anything.

      Besides, of course you do not run Windows Update on servers at all, because they generally shouldn't have someone using a browser on them.

      Try SMS for automated deployment of tested patches to any number of servers, anywhere on your network. When you want, how you want.

    4. Re:Easy Question to Ask by TheRealSlimShady · · Score: 2, Informative
      Hmmm... so what do you do when you have a good 2-3k client machines to handle as well? If it were just servers that would be one thing - but when you have client applications all over the place and you have to go around installing and patching that's something entirely different.

      When you're running that many client machines you can either use a distributed SUS architecture, or for most businesses of that size they have management software in place (be it Altiris, SMS, Unicenter, or even HFNetCheckPro) that can be used to deploy updates in a sensible fashion. Sure, as soon as you get over about 100 machines you start getting to the point where the interdependencies start to get complicated, but if you can get say 95% of your machines with no manual intervention then you're winning. If you've got good test procedures, you should be able to get even more.

    5. Re:Easy Question to Ask by Qrlx · · Score: 2, Informative

      You should put antivirus on your mail server. Or if you don't have a mail server, and users are using Outlook or OE for POP/IMAP access, put antivirus on your internet gateway.

      Get fancy and put the laptop users on a separate segment with antivirus running on the gateway to the rest of the LAN.

      Or you could add the Level1Add key to the registry at HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security and put .exe, .vbs, and .scr in the string value.

      There's many better options than trying to educate the (largely uneducable) users.

  2. Re:Spreading FUD in a submission about FUD by tomstdenis · · Score: 5, Informative

    Actually no. Those users are part of the Administrators [re: root] group. Check yer users settings sometime :-)

    Tom

    --
    Someday, I'll have a real sig.
  3. Re:Spreading FUD in a submission about FUD by Coward+the+Anonymous · · Score: 2, Informative

    "Heck the XP install even asks you for an administrator password and then the names of user accounts to make. Those user accounts default to non-root" Maybe in the Warez copy of XP you have, but the OEM XP Dell Disc that came with my laptop creates all users as Administrators.

    --
    -- Jason
  4. Easy Answer by missing000 · · Score: 3, Informative

    MS can win a PR battle, because they have an endless amount of cash to pursue the cause.

    On the other hand, OS can win the desktop domination war by creating better systems that are less vulnerable in real world situations if we focus on grass roots marketing.

  5. Lets have a go at this, then... by angst7 · · Score: 2, Informative

    Unfortunately the article does little more than play the part of OS-War Meteorologist, but there was one quote we can sink our teeth into, according to Steve Ballmer:

    "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

    Now I'm going to figure that he's saying there were somewhere between 20-40 'critical' vulnerabilities in Redhat 6 in the first 150 days post release.

    I assume that the reason he's picked Redhat Linux 6 for this comparison is that it was the release which moved to glibc 2.1, and migrated to the 2.0 kernel. So he's picked a big move for Redhat, instead of a point release. This isn't entirely fair (in fact it's hard to draw a close comparison on security issues) due to the fact that Redhat 6.0 was released in April of 1999, whereas Windows 2000 wasn't released until February of the following year. Furthermore Microsoft (wisely) relied heavily on a certain "Break into Windows 2000" campaign to test the hell out of that OS. (remember the guestbook on that server? what a riot)

    Finally, comparing Redhat 6 to Windows 2003 is outright foolish. We may as well compare a freshly patched Redhat 7.3 to NT Service Pack 2 (though even this is an unfair analogy, 7.3 is far more stable than Win3k server).

    In sum: Bah.

    --
    StrategyTalk.com, PC Game Forums
  6. Re:Root access? No. by gbjbaanb · · Score: 2, Informative

    well, changing boot.ini is easy - press F8 while booting, choose the 'command line' option (in XP at least). edit and fix. reboot.

    Or.. for other versions (NT or W2k), boot from the OS CD you installed from, choose R for repair, then C for Recovery Console. correct boot.ini.

    If you change the drive letter from C: to X: the OS will still load (you mean, you thought you had to load Windows on primary partition called C:? shame). Some apps won't run properly though (fair enough really, they were coded to read absolute paths). Go back to Disk Management and change it back to C:. And that's a genuine answer.

    Isn't that procedure quite like what you'd do with Linux?
    See, windows isn't as bad as people think (no, really!), though I should say that that statement is qualified by a) windows being the NT-based kernels (not 95/98/ME), b) 'people' being Linux enthusiasts who aren't really that knowledgeable about Windows.

  7. Re:As if... by Afrosheen · · Score: 2, Informative

    In the same vein as the Visa adverts..

    'For industrial strength linux applications, there's Linux. For everything else, there's VMWare.' Vmware, bridging the gap between you and your company's proprietary apps.

    Ok now VMWare, pay up.