Security FUD On Linux
bobmatnyc writes "InfoWorld reports that Microsoft is planning a 'security assault on Linux' by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted through the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point."
As somebody pointed out to me not too long ago, as long as MS talks about security holes that are remotely exploitable, I don't think Linux has anything to worry about.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
First they ignore you
Then they laugh at you
Then they fight you
Then you win
Mohandas Gandhi
Physicists get Hadrons!
The number of major-collateral-damage internet worms that have struck because of unpatched or unfixed problems in Microsoft OSes in the last two to four years.
And then I point at the number of similar-scale Linux worms that have occurred in the same time period.
And then note that despite the fact nothing but Windows worms so much as *register* on the scale, Windows is not a majority in the server space.
>> InfoWorld reports that Microsoft is planning
>> an "security assault on Linux"
Microsoft prefers marketing...
Linux prefers a solid product...
Perhaps Microsoft should spend some more money on fixing their own products instead of trying to bring down others; it's turned into a political campaign for them.
Linux isn't perfect. By design, the implementation, or the way people admin their machines.
There is an understanding that MS is also not perfect. People expect security holes, and bugs and crashes.
I think it is good that this might result in a nice list of where linux has gone wrong in the past, and what hurdles to overcome in the future.
If the competition wants to make you the "Build a better OS HOWTO" I think they should be as free as anyone to add to the LDP.
Since there is no such thing as bad publicity this has to be considered a good thing.
Think about it, the article mentions Red Hat and lets them discuss what think of the whole matter.
Given that Microsoft got caught lying to a Federal judge (during the antitrust case), why is anyone surprised that they'll lie to their customers?
Isn't that a given?
Anybody looking to a vendor to provide accurate data about its products or the products of its competitors deserves the crap they get.
DG
Want to learn about race cars? Read my Book
such as root access for all users
On Windows, even the Administrator account (which is the level that lots of people log in to) is not really root access. The Local System account is comparable to root. The Administrator has control over all user-controllable parts of the OS but there are parts that are not user-controllable.
Any sufficiently simple magic can be passed off as mere advanced technology.
That's no help at all if arbitrary users can elevate themselves to administrator privileges. NT-XP is fundamentally broken. Maybe the next version of Windows will solve this design problem, but I doubt it.
This hole exists and actually has working exploits.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Ummm, because we can look at it before we install it instead of just 'trusting' someone that it is good?
And just how much code comes out of China anyway!?
"Some things have to be believed to be seen." - Ralph Hodgson
They're taking the appearance of security seriously: whether or not the security is real is effectively irrelevant to those who can't tell the difference. (It's a matter of who they listen to, and whether that 'who' is Micro$oft.)
John_Chalisque
It's called Job Security.
Job security like a janitor who runs around throwing dirt and trash on the floor?
Hey guys, for the first time after a decade on the net I was scared to connect to the net. Do you know why? I just moved to a new house and I had to transfer my SBC/Yahoo DSL account there. They gave me 10 days to complete the move, so I am without a DSL connection at my house... I had to use dial-up (I forgot how slow it was), but the only machine I had available with a modem was a station with Windows 2K Professional that my wife uses... To be sincere, I was too lazy to install a modem on the Linux desktop that I use as a firewall for my home too. So, I looked at the Windows desktop connected by dial-up and I started thinking... Jesus, I am connected to the internet using Windows and without a firewall or anti-virus (I don't like any anti-virus... I don't think I need one till I see my M$ Windows connected to the net)!!!! As soon as I connected I got that SPAM using the message service! Windows is hell! Microsoft is hell!
You have to admit that the entire fiasco of Microsoft, a multi-billion-dollar-a-year company, being so shaken by a community of rogue hobbyists is really quite amusing. Microsoft should have a superior product. After all, they've been doing this for over a decade, pretty much have access to unlimited resources, and in the face of all that there are rival products out there that cost next to nothing to use. I think that in the next few years we are going to see some major economic shifting in the IT world. I think that the market is going to move towards supporting various services, and not charging for the actual software itself. That's the glory of the internet: it gives power and recognition to those who earn it and not to those who buy it.
As I can see it, this logically suggests one of two conclusions:
1. Microsoft knew about the bug beforehand and waited until they had a solution to tell us.
or
2. Microsoft believes that quality code for security bug-fixes can be written, tested and released within the span of a day.
Gee... both of those sound like winning ideas to me! ;)
They'd probably be better off if they just shut up about the issue and hope it goes away. Drawing attention like this could easily backfire.
Ancient Chinese Proverb:
"We are fastest to attack others for the weaknesses we most fear in ourselves".
OK, I just made it up, but it's true anyhow.
Ceci n'est pas une signature
This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains unsecure.
[Please sign here]
You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse than what the worm/virus/hole will do. Anyone who lets Windows Update run fully automated on production servers is a fool.
Point #1 says that if there's an equal number of exploits, and each exploit takes a constant amount of time per machine to fix, then since around 90% of machines are Windows boxes, your total time spent fixing them is obviously going to be a lot higher.
Point #2 says that the less mainstream nature of Linux tends to self-select a userbase that knows what they're doing, security-wise. On the other hand, many Windows users just have it so they can write up their reports and check their email, and have no idea what a security update is or how to install it. The recent infamous RPC exploit, for example, had a patch out for a couple of months before exploits for it appeared in the wild, but was ignored by most Windows users. A hypothetical similar Linux root exploit would have been quickly adopted by most computer geeks, while our sysadmin was complaining that even a month after Blaster made the rounds, there were still people bringing laptops into lab that were unpatched and quickly hacked. Add to this that many of the same people were unhappy about anyone else having access to their machine, but didn't care enough to secure it, and patching security exploits was one big headache.
I've heard many good reasons why the Microsoft article about Linux security is pretty slanted in their favor, but hours of work to fix isn't a fair one. A better metric might be hours of work per Windows box versus Linux box.
The Steve Ballmer quote shows their erroneous way of thinking: "...And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. 'In the first 150 days after the release of Windows 2000,' he said, 'there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher.'" Where's the RH9 comparison? He's comparing an operating system (Windows 2000 Server) to an OS *AND* applications (Linux). If he were to simply compare Windows 2000 Server to the Linux kernel in RH 6, there were no Linux vulnerabilities. Instead he compares simple Windows 2000 Server to Linux which includes Sendmail, Apache, BIND, Netscape, MySQL, etc. If we apply the same rules to his test and compare RH6 to Windows 2000 Server with IE, Exchange, MSSQL, Windows Media Player, etc., the results will be much different.
Microsoft's apparent idea of security is to sue people who expose vulnerabilities and to put out bounties so that others who might be encouraged to exploit those vulnerabilities would be afraid to do something. This doesn't suggest that Microsoft is taking security seriously, it suggests that they're pissed that people are exposing how Microsoft ISN'T taking security seriously. Microsoft can create as many initiatives as they want, but so long as they continue to live in the world where providing dancing paperclips on the screen in a single click is more important than making sure that users have to actually understand their machines before letting programs change system files - they aren't doing the world or themselves any favors.
Anyone who runs windows on a production server is a fool
They also have the cash to pursue security problems, their problem appears to be design flaws that can only be 'corrected around'.
An obvious example is integrating their Web Browser into their OS to screw Netscape, a political decision taken by his Billship. Bugs in IE lead to the equivalent of root exploits, bugs in Mozilla mean that one user account can be compromised.
Another political decision has been to install software to offer all kinds of services, basically to keep third party vendors out. This software defaults to being active. What was that database port vulnerability again? Another consequence of this is that a virus/worm writer has reliable idea as to what components will be running/active.
They have the cash for PR *and* fixes, but political decisions have led to a situation where this does not help. Having said that, if as many computers ran Linux as the various Win versions, we would also be seeing more problems that at present - they just would not be as serious.
Mielipiteet omiani - Opinions personal, facts suspect.
The best thing you could do is to write your own rebuttal to the MS commissioned study and debunk their findings point by point. Then publish this paper somewhere prominent on the net, such as slashdot, or even host the paper on your own personal web site. Then submit the site to the engines and voila! You have contributed to the fight against FUD.
This way whenever someone searches for stuff like Microsoft and security, or other keywords, they will hopefully get your paper instead of Microsoft's commissioned study. Better still, they will get both and make their own conclusions.
Either way, I think this is the best thing any SINGLE person can do to fight stuff like this.
Please note I haven't read the MS commissioned study, so it may or may not be FUD. No clue. It is probably biased, but this alone does not make every claim untrue. Only Slashdot can do that.
But what about all the other possibilities ? What else can happen ?
1) First they ignore you
2) Then you screw up and fail!
1) First they ignore you
2) Then they laugh at you
3) Then others laugh at you, and you fail!
1) first they ignore you
2) then they laugh at you
3) then they fight you
4) and they win !
Where are all those people ? I'd reckon they're still running OS/2.
In Soviet America the banks rob you!
It's a delaying tactic, and a very effective one.
The biggest score Microsoft has had is convincing it's users that all of the rebooting and crashing and poorly-designed security features are to be expected in powerful software, and to expect to not only pay for such software, but buy extra software and pay consultants to work around these misfeatures.
I don't know if making "Redhat" a synonym of "Linux" is all MS's fault though.
MS can release "news" as a press release, and the newspapers eat it up. The public believes it. The hardware manufacturers "sell" this crap because they sell MS to consumers for Microsoft at a profit. Wall Street helps the process. Analysts hype the latest "features" for the latest vapor product from MS, due in 2012.
MS sells themselves to the public by issuing press releases. They can say whatever they want, as long as they make a claim that they're doing something. There is no accountability. No one holds them responsible. Consumers keep throwing money at MS. Occasionally, someone points a finger, but MS then releases more press releases about vaporware due in 200x.
Politicians do the same thing, "We need to spend more money on _____. We've been spending money on _____ for ___ years, and we've not solved the problem. We are renewing our effort."
In other words, "We're going to light some money on fire, pose for a few photos with the underprivileged, and then waste a lot of money on cigars, dinner, and entertainment."
Microsoft has excellent people playing the press release game. Everyone sells Microsoft products for MS.
How many people have actually met a Microsoft employee? Yet 1/2 of the planet owns or uses something with Microsoft products in it.
-- No sig for you!
No. It makes it better for YOU. 0.5% of people who use a computer. How is that BETTER?
Nuts. It makes it better for everyone. Look at it this way: would you rather take a drug that has been tested by hundreds or thousands of independent testing labs around the world, who published their results for all to see, or one that was produced by some big company who assured you that theirs was safe and effective, but wouldn't tell anyone what was in it?
You don't have to be an independent testing lab to benefit from the existence of independent testing labs. Likewise, you don't have to be a coder to benefit from open source software.
-- MarkusQ
It's been said many times before, but it bears repeating:
The truthfulness of a statement is independent of the number of times it is repeated. (Is not! Is too! Is not! Is too! Is not times infinity!)
First, they ignore you,
Then they laugh at you,
Then they fight you,
Then you win.
SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?
Exigo spamos et dona ferentes
So can I. But two people can't.
If you are saying, nudge nudge wink wink, that Microsoft has programmers looking through FLOSS source for vulnerabilities, well, it wouldn't stay secret for long. They would be overheard bragging to each other, or misdirect a memo or email, or have second thoughts.
In addition, if these Microsofties are as good and hard working as the propaganda mills claim, then good that someone is finding more bugs for us.
Plus, these Microsofties won't be doing anything evil for the evil empire, but instead doing good for the rebels. This is like the FBI undercover agents in peace marches, great!
Infuriate left and right
Any modern OS can be both secure or insecure, it really depends on the user. Linux has had numerous security holes since I have been in IT, but the average admin is alert enough to patch them, not always true with Windows.
In fact I remember once a lower-level admin was working on deploying a Linux server for a customer. At 5pm when he was done, he had it set up with RH 7.3 and put it on the network, leaving me with a note with the IP, root password, and what the customer wanted. Unfortunately that admin accidentally hooked that machine onto our non-firewalled network (that company charged more for placing on the firewalled network); well, by the time I came in at 8pm that machine had been hacked and was DoSing some server.
Note: default install of Linux, and non-firewalled network. In a honeypot book I read, the guy's first honeypot Linux server was hacked in 24 minutes flat (default install of Red Hat).
Being both a Linux and Windows consultant, I use both, but I make sure that both are deployed intelligently with patching systems and firewalls and gateways along with them if needed.
From the time that they acknowledge a bug until it's patched is VERY FAST.
The problem is that they won't acknowledge a bug until they already have a fix for it. Often bugs are known about by the world for months, and MS says there's no such bug. When they do acknowledge it, then yeah, there's a fix out within hours or a day or two at most.
So, apples and oranges. If Linux takes 4 days to patch a bug as soon as it's known, and Windows takes 4 months to acknowledge a bug's existence, then 2 days to patch, which is better?
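The "apples and oranges" point above is a question of which clock you start. The following is an added example (not code from any poster or from the study under discussion) that computes both clocks over a constructed set of vulnerability records: the vendor-friendly "acknowledged to patched" interval, and the exposure-based "publicly known to patched" interval (often called days of risk). The product names, dates and record ids are all made up for illustration; the numbers mirror the 4-days versus 4-months-plus-2-days scenario in the comment.

```python
"""Compare two patch-speed metrics over constructed vulnerability records.

Added illustration; all records below are invented sample data, not
figures from any vendor, study or advisory.
"""
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample records. "acknowledged" may be None when a vendor
# never publicly confirmed the issue before shipping a fix.
SAMPLE_RECORDS = [
    {"product": "linux-sample", "id": "SAMPLE-L-1",
     "public": date(2003, 3, 1), "acknowledged": date(2003, 3, 1), "patched": date(2003, 3, 5)},
    {"product": "linux-sample", "id": "SAMPLE-L-2",
     "public": date(2003, 6, 1), "acknowledged": date(2003, 6, 2), "patched": date(2003, 6, 7)},
    {"product": "windows-sample", "id": "SAMPLE-W-1",
     "public": date(2003, 3, 1), "acknowledged": date(2003, 7, 1), "patched": date(2003, 7, 3)},
    {"product": "windows-sample", "id": "SAMPLE-W-2",
     "public": date(2003, 6, 1), "acknowledged": date(2003, 9, 1), "patched": date(2003, 9, 2)},
]


def days_of_risk(record: dict) -> int:
    """Days from public knowledge to patch: the window an attacker actually has."""
    if record["patched"] < record["public"]:
        raise ValueError(f"{record['id']}: patched before publicly known")
    return (record["patched"] - record["public"]).days


def ack_to_patch(record: dict) -> Optional[int]:
    """Days from vendor acknowledgement to patch; None if never acknowledged."""
    ack = record.get("acknowledged")
    if ack is None:
        return None
    return (record["patched"] - ack).days


def summarize(records: List[dict]) -> Dict[str, Dict[str, float]]:
    """Per-product mean of both metrics plus the record count."""
    by_product: Dict[str, List[dict]] = {}
    for rec in records:
        by_product.setdefault(rec["product"], []).append(rec)
    summary = {}
    for product, recs in by_product.items():
        acks = [d for d in (ack_to_patch(r) for r in recs) if d is not None]
        summary[product] = {
            "count": len(recs),
            "days_of_risk": mean(days_of_risk(r) for r in recs),
            # If nothing was ever acknowledged, the vendor metric is undefined.
            "ack_to_patch": mean(acks) if acks else float("nan"),
        }
    return summary


def ranking(records: List[dict], metric: str) -> List[str]:
    """Products ordered best-first (lowest mean) on the chosen metric."""
    summary = summarize(records)
    return sorted(summary, key=lambda p: summary[p][metric])


if __name__ == "__main__":
    for product, stats in summarize(SAMPLE_RECORDS).items():
        print(product, stats)
    print("by ack_to_patch :", ranking(SAMPLE_RECORDS, "ack_to_patch"))
    print("by days_of_risk :", ranking(SAMPLE_RECORDS, "days_of_risk"))
```

On the sample data the two rankings are reversed: the vendor that acknowledges late looks fastest on acknowledged-to-patch and slowest on days of risk, which is the whole objection to quoting only the first number.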
Wake up, folks. It's more than FUD. Microsoft has had security problems in the past for the same reason that most software companies do. They didn't have a business interest in fixing them. Now that they do, watch out.
Just a few fun facts.
-MS is porting a huge amount of their code to managed code, this is the real solution to buffer overflows. I think it will be a long, long time before we see a move toward using safe languages in the open source community on any significant scale.
-MS has done a huge amount of education and culture/process transformation in the last year. As all good security types know, building secure software is about process, and MS is clearly poised to smoke most open source stuff in this area.
-MS research has produced some pretty cutting edge stuff such as SLAM to help keep bugs out of code via. static analysis, again, count on MS to keep pushing on the tools front.
-MS patch management solutions seem to be quite solidly ahead of what is out there in open source.
-Testing...nuff' said
The open source community has the ability to produce a huge amount of stuff that mostly works. However, it's not at all clear that most projects out there can match the level of quality, or even clue about security, that we are seeing inside Microsoft.
Keep in mind that the Linux kernel, Apache etc. are the exception, not the rule.
If the open source community hopes to keep pace with MS in tightening down their code, some major technological and cultural changes are going to need to take place.
There is a whole lot of backslapping and smack talking right now about how secure linux is, but really not a whole lot in the way of process, technology, etc. to back it up.
I love the biased nature of the summary.
As if Linux people don't "hype" things against Windows, either.
Meanwhile, the rational, quiet people whose opinions aren't voiced in boisterous +5 posts all the time just watch from the sidelines, shake their heads, and use the right tool for the job, whatever that may be.
"Sufferin' succotash."
Unless we're missing something... Who's to say that Microsoft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate?
[...]
If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty.
The thing is, most OSS developers I know (myself included) welcome public review and full disclosure. If I get advance notice of a security problem, I look at that as a luxury, and have no problem with finding out along with the public. Once problems are pointed out, it's usually easy enough to fix them quickly. Having Microsoft auditing open source code for free would actually be quite beneficial.
The reason full disclosure is so important is that without it, these holes still exist, circulating among the black-hats. Unlike Microsoft who'd rather sweep problems under the rug. Disclosing problems isn't "playing dirty"; it's step one in getting them fixed.
This has been a long time coming, from the looks of it--Many of you are probably familiar with the Halloween documents, "an internal strategy memorandum on Microsoft's possible responses to the Linux/Open Source phenomenon." This was back in 1998. MS verified the documents as authentic but claimed it was "a mere engineering study that does not define Microsoft policy."
They've probably been building up a case for a long time. But as Linux is systematically sound, they've apparently been forced to find specific, technical problems since their Ominously Vague Murmurs don't seem to be taking. The problem for them is whatever they pick is, by definition, fixable and not an element that defines Linux as Linux. Additionally, if you find 50 holes in Linux and 25 in, say, Windows Server 2003, that's not nearly as relevant as the average lifespan of the hole. With all the Linux distros, there may be dozens of holes at any given time, but there is only one Windows Server 2003. I challenge them to focus on one major distro.
Lastly, MS has been coming off increasingly hostile and banging the "Linux BAD!" drum so obsessively that they run the risk of sounding like they're accusing corporate Linux licensees of incompetence, rather than trying to merely educate them.
So, even if Linux was the most bug-ridden operating system with massive security holes, it wouldn't even matter. It certainly doesn't excuse one of the largest and most powerful software companies on the planet, i.e., one that can marshal a massive amount of resources and money to produce respectable software, from the ridiculous numbers of security issues and bugs that arise in almost every product they release.
Politicians love tu quoque, by the way.
--Rick "If it isn't broken, take it apart and find out why."
The people at MS truly don't get it with respect to Open Source. All that the strategy of highlighting problems with Linux will do is:
1) Make developers aware of bugs.
2) Encourage developers to fix said bugs
3) Ultimately, Linux will get more reliable and secure.
MS should learn from their attempt to beat Apache - Open Source is a force of nature.
-- $G
SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?
I think it's worthwhile clarifying Gandhi's statement. He intends to say that when the opponent chooses to fight, you have already won. The "then" in the last line is deceptive. The message is that when the enemy attacks unfairly (fights), it is an admission of failure. At that very moment, you have won.
In this regard, it is unfair to say SCO has been "fought" against. With the exception of the unfortunate DOS attack a while ago, the attacks on SCO are justified, reasoned arguments. Thus Gandhi's aphorism doesn't apply.
Pointing out that some other, "free", product has flaws is hardly a good defense for flaws in an expensive one.
A customer who takes this advice and removes Linux simply makes any Linux problems irrelevant - it doesn't make the past, present, and future Windows security problems magically go away.
I suspect that you're probably correct to a degree. However, I think that MS will probably dump all security problems, whether they're actually part of the Linux OS or not into the hopper and use that as their basis of comparison. For instance, problems with OpenOffice will be counted, but problems with MS Office won't because "MS Office is a separate product, while OO is distributed as part of the Linux system." This approach of counting Linux app problems against Linux, but not counting similar MS app problems against MS has been used before.
I'm not going to lose any sleep over a new MS offensive as the truth of the situation is obvious to anyone who looks at the situation with an unprejudiced eye. Yes, Linux has problems; yes, sometimes it takes a while to get patches out; yes, the Open Source process doesn't necessarily have a single point of contact when it comes to fixing a problem. The fact remains that, by any honest count, Linux has fewer problems, the problems get fixed faster, and the lack of a central contact means that a potential fix can come from anywhere. MS FUD notwithstanding, I don't recall that Linux servers and workstations had problems with SOBIG, Blaster, etc. Let's approach this issue carefully and not fire until we see the whites of Microsoft's eyes.
Just my $.02,
Ron
Impeach Barack Obama for violating the Constitutional requirement to be a "natural born" citizen to hold the office of P
Default install of RedHat 9 compromise time: 10 days.
/.'rs seem to claim it is? No.
:)
Default install of Windows 98 compromise time: 4 years and counting...
I'm going to get modded down for this, but if I click the default crap on any Linux distro I'm more than likely going to install some god-forsaken client (in the case above, an ftp service) that will sit on an open port and eventually be scanned and compromised.
How is this any better than the RPC exploits?
I'd feel a lot safer if installations of *nix had easy to understand installation options.
Sure, someone can brag that you can get infected by Nachi in 6 seconds with an XP machine, but how often do you get rooted? How quickly do you notice? Is Linux as "fire-and-forget" as
Stick with Apache on *dows.
_IF_ MS were actually doing that, it would simply point to insecurity and quality-assurance problems of Open Source software. I.e., if some random (malicious) jackass can insert buggy/trojan code into the Linux codebase and get it through (non-existent) quality assurance measures, to me that speaks to an inherent flaw in the Open Source concept as a platform for serious applications. As it stands now, at least. Please bear in mind that I'm not anti-OS, but you have to realize that QA standards have to be applied fairly to both sides...
Are you stating these as times since you did an install until you got compromised?
Because if you have a Windows 98 default install and give it an unfirewalled connection to the Internet with a real IP address you've got 5, maybe 10 minutes before you're compromised.
I'm assuming you meant ftp server and not client, as for your box to get 0wn3d through a client requires your participation to some level.
The Nachi virus *does* root you. That's what's amazing about Windows. Many Linux vulnerabilities allow some types of access, but full remote root vulns in Linux itself are rare. Windows just doesn't seem as infected because most virus writers aren't out to wreck your machine and delete your data. Nachi, or any of the other ones, could have easily deleted your files, or read them and mailed the goods to the bad guys.
I'd stake money that one day in the next couple of years some malicious virus writer will strike, and all Windows users will realize that every virus since Melissa has had full control of their computers. Unfortunately, until it happens, nobody will think that viruses are more than minor nuisances.
My Linux Command of the Day site : LCOD
One very telling fact, IMHO, is that currently Apache holds over 3x the market share for web servers compared to MS's IIS. (Source November Web Server Survey - 67% vs 21%.) Yet look at the number and type of security alerts for each over the past year or two.
What's funny is that Linux zealots spread Windows FUD in the same manner, except for free.
"FUD" is typically reserved for unjustified fear, uncertainty, and doubt. The truth is generally not called "FUD"...
;-)
Naive.
FUD tactics _DO_ work... how do you think Microsoft got their current market share, and held onto it in the face of superior competition (Mac, OS/2, BeOS)?
It certainly wasn't by having a superior product; it is well accepted that given versions of OS/2, BeOS or MacOS have always been superior to the versions of Windows available at the same time. OS/2 had the best chance, since at the time not only was it compatible and capable of running Windows/DOS programs, it was also considerably faster and more stable than Windows. How did Microsoft beat them? They held them back with FUD and then changed their API for intentional incompatibility.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I think a good portion of the problem is a mentality difference. Windows users are more set it and forget it, used to a certain level of separation from the workings of the OS whereas Unix folk are more traditionally involved in every aspect of the configuration of their system. Only recently has the abstraction come to Linux with the install-everything-in-one-go abilities of so many distributions, but still admins and older unix junkies still are aware they have to configure things and secure them. Unix people in general pay attention to security news and install patches right away. Windows people tend to click on "remind me in 2 weeks" if they even have the auto update feature installed. I know people that are years out of date on updates.
One concession about Windows, though, is there are so many things you can't turn off or uninstall. At least with Linux you can have no open ports if you so desire.
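"No open ports if you so desire" is only true if you actually check. The following is an added example, not code from any poster, of the kind of check a Linux admin can run to find what is listening and whether it is reachable beyond loopback. It reads the kernel's `/proc/net/tcp` and `/proc/net/tcp6` tables directly (hex local address, hex port, state `0A` = LISTEN, uid column), so it needs no extra tools; the embedded table below is a constructed sample, not captured from a real host, and the allow-list of expected ports is an assumption for the demonstration.

```python
"""List listening TCP sockets from /proc/net/tcp{,6} and flag unexpected ones.

Added example; the sample table is constructed, not captured from a real host.
"""
import ipaddress
import struct
from typing import Iterable, List, NamedTuple, Set

# Constructed sample in the real /proc/net/tcp layout: sshd on 0.0.0.0:22,
# a mailer bound to loopback only on 127.0.0.1:25, an ftp daemon on 0.0.0.0:21,
# and one ESTABLISHED client connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8F1A 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 20 4 30 10 -1
"""

LISTEN_STATE = "0A"


class ListeningSocket(NamedTuple):
    proto: str
    addr: str
    port: int
    uid: int


def _decode_addr(hex_ip: str) -> str:
    """Decode the kernel's hex address: IPv4 is one little-endian 32-bit word,
    IPv6 is four little-endian 32-bit words."""
    words = [int(hex_ip[i:i + 8], 16) for i in range(0, len(hex_ip), 8)]
    packed = b"".join(struct.pack("<I", w) for w in words)
    if len(packed) == 4:
        return str(ipaddress.IPv4Address(packed))
    if len(packed) == 16:
        return str(ipaddress.IPv6Address(packed))
    raise ValueError(f"unexpected address length: {hex_ip}")


def listening_sockets(table: str, proto: str = "tcp") -> List[ListeningSocket]:
    """Parse one /proc/net/tcp-style table and return the LISTEN entries."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN_STATE:
            continue
        hex_ip, hex_port = fields[1].split(":")
        found.append(ListeningSocket(proto, _decode_addr(hex_ip), int(hex_port, 16), int(fields[7])))
    return found


def audit(tables: Iterable[str], allowed_ports: Set[int]) -> List[ListeningSocket]:
    """Return listeners reachable from off-host (not bound to loopback) whose
    port is not on the expected list; loopback-only services are left alone."""
    unexpected = []
    for proto, table in tables:
        for sock in listening_sockets(table, proto):
            if ipaddress.ip_address(sock.addr).is_loopback:
                continue
            if sock.port not in allowed_ports:
                unexpected.append(sock)
    return unexpected


def audit_sample(allowed_ports: Set[int]) -> List[ListeningSocket]:
    """Run the audit over the constructed sample table."""
    return audit([("tcp", SAMPLE_PROC_NET_TCP)], allowed_ports)


if __name__ == "__main__":
    # On a live Linux host, swap the sample for the real tables:
    #   tables = [(p, open(f"/proc/net/{p}").read()) for p in ("tcp", "tcp6")]
    for sock in audit_sample(allowed_ports={22}):
        print(f"unexpected listener: {sock.proto} {sock.addr}:{sock.port} uid={sock.uid}")
```

Running it against the sample flags only the ftp daemon on 0.0.0.0:21, which is exactly the "default crap" service the earlier comment complained about; sshd is on the allow-list and the loopback-only mailer is not reachable from the network, so neither is reported.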