Slashdot Mirror


Security FUD On Linux

bobmatnyc writes "InfoWorld reports that Microsoft is planning a "security assault on Linux" by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted through the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point. "

40 of 679 comments

  1. Reward Program? by BrynM · · Score: 4, Interesting
    From the article:
    Last week, the company announced a $5 million reward program aimed at bringing virus writers to justice. Although it is unlikely to reap any tangible results, the message was clear: Microsoft is taking security seriously.
    How seriously can they be taking it if all they did was start a $5Mil smoke and mirrors reward program? Tackling security problems with PR is not taking security seriously, it's being flippant with your solution. I wonder how much this program will eventually pay out. They didn't say that the reward was $5Mil, just that they allocated $5Mil to the program for creating rewards. Is that program in the marketing division or is it a real program?
    --
    US Democracy: The best person for the job (among These pre-selected choices...)
    1. Re:Reward Program? by Crimson+Midget · · Score: 2, Interesting

      Agreed. A realistic program might be something more like a reward for MS developers who take the time to dig through code and discover exploitable holes.

      But really, with things like this, MS can simply release some statement with a lot of bluster, shouting random dollar figures, and come out looking good. People will remember the original announcement and the high figure, but they'll never try and follow up on it, find out if it's worked, find out if anyone's been paid.

      I doubt there'll even be a /. follow-up on something like this. But even if there were, your average managerial unit wouldn't see it. They'd come away from all this with the thought, "Microsoft is taking security seriously." They'll believe it, they'll post it in memos, they'll repeat it at meetings with clients. Microsoft can say anything they want, put a dollar figure behind it and there will be people who believe it. And MS knows it.

      The real virus writers here? Microsoft's marketing department.

    2. Re:Reward Program? by kardar · · Score: 2, Interesting

      I just hope that they don't create FUD to the point that the situation becomes ripe for an "attack" - that is, insult Linux, stage a DDOS or something.

      This complete and utter nonsense is almost designed to piss people off, so it's only a logical step that it might become an attempt to further discredit Linux and other free / open source software by portraying Linux developers and enthusiasts as untrustworthy, irresponsible, disrespectful, malicious individuals. As long as we make it through this PR thing (if the rumor is true) without any kind of DDOS on Microsoft's servers, it'll be relatively inane.

      There's always a trade-off between being on the cutting edge and being totally stable and secure; people need to weigh the pros and cons before they make decisions about these kinds of things.

      If Microsoft were taking security seriously then they wouldn't be busy bashing other OSes about security; this kind of nonsense, provided that the article, or rumor, is correct, is just wasted breath, because Linux security is not that bad, and Linux in no way makes Microsoft products less secure - there's no correlation.

      Or maybe, just maybe... Microsoft is embracing Linux? Maybe they want to help make it more secure? One thing is for sure, Linux is NOT a waste of time. Microsoft certainly has the resources to contribute things to Linux, don't they? Instead of bashing it, why not help make it better? Thing is, it's pretty darn secure already.

      When I saw this headline I thought it was a joke, but I guess it isn't. Kind of hard to believe, though - it's just so wrong.

      The only fair comparison would be between software that is in development at Microsoft - beta Longhorn, for instance, or something like that. Linux is a very broad term that encompasses all kinds of levels of done-ness of software. Some stuff is in alpha, some in beta, some is in pre-alpha stages. Of course there are going to be bugs. If you want to use Linux, and you don't want bugs, you can't use alpha and beta software, and you need to go with the tried and true, not the cutting edge. I don't trust Microsoft to make those distinctions - it's not fair to compare development versions of one OS with stable versions of another. If you compare stable, non-cutting-edge versions of Linux with MS's current offerings, Linux wins hands down. Software that is under development is always going to have bugs - it's a fact of life.

  2. Talk about shooting yourself in the foot by coolmacdude · · Score: 5, Interesting

    A good rule of thumb in competition is to only start wars you know you can win. Something is not clicking here...

    --

    -You may license this sig for only $6.99.
  3. Another 'commissioned' report... by Chicane-UK · · Score: 4, Interesting

    What frustrates me about these is that people actually BELIEVE them. Though given the recent security blunders by Microsoft (such as that little problem called 'Blaster') people might finally realise that this stuff is a load of BS.. or very very twisted fiction.

    And I just wish that the comments & replies of key figures in the Open Source community made the headlines in the same way as these 'reports' do.

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
    1. Re:Another 'commissioned' report... by Anonymous Coward · · Score: 1, Interesting

      Yes but the open source community doesn't lie. Steve Ballmer recently cited CERT as proof that Linux had more vulnerabilities than Windows for 2003. Funny that all the named Linux applications on CERT's list could also run under Windows, except sendmail (hands up who in their right mind still runs sendmail?).

      So this makes all the supposed 'Linux' vulnerabilities that Ballmer referred to equally Windows specific; he's just too dumb to realise that.

  4. Spreading FUD in a submission about FUD by Quarters · · Score: 1, Interesting
    ...(such as root access for all users)

    That's not the case for NT, 2K, or XP. Heck, the XP install even asks you for an administrator password and then the names of user accounts to make. Those user accounts default to non-root.

    1. Re:Spreading FUD in a submission about FUD by EVuL_C · · Score: 2, Interesting

      Umm. No. New users in XP and XP SP1 all have administrative access to the system, just like ALL previous versions of Windows.

      Just because their name is not Administrator does not mean they don't have admin rights on the system.

  5. Reaching towards the goal by Ridgelift · · Score: 4, Interesting

    It's been said many times before, but it bears repeating:

    First, they ignore you,

    Then they laugh at you,

    Then they fight you,

    Then you win.

    - Mahatma Gandhi

    1. Re:Reaching towards the goal by NTmatter · · Score: 2, Interesting

      Actually, the Linux community didn't ignore SCO. The Linux community repeatedly asked for proof of the existence of alleged code. SCO of course ignored these requests repeatedly. They laughed as people sent in their $699 "don't sue me" slips. Then they started fighting IBM. And Redhat. And Hollywood. All that's left is for SCO to lose.

  6. Re:Remotely vs. locally exploitable by BrynM · · Score: 5, Interesting

    It's their report and their numbers. Do you think that they would highlight the areas in which they are weak? The report will probably focus on printer exploits or something just as inane. I think the original submitter was right in the idea that they will ignore Outlook/Script exploits and focus on the OS itself (I know - not a good track record there either, but it's better). Since they are presenting data on the time to a fix, I know that they are ignoring the time that the public doesn't know about an MS exploit and making it seem like they work coding miracles. They may have hit on a very subtle point with Linux security without addressing it directly: Linux exploits get reported sooner and OSS coders encourage others to report exploits quickly. MS obfuscates their exploit reports and would rather only know about them behind closed doors.

    --
    US Democracy: The best person for the job (among These pre-selected choices...)
  7. Agreed by ttyp0 · · Score: 4, Interesting

    Period ending June '03, Microsoft spent 1.336 billion in R&D. Five million isn't even half of one percent of research spending. Serious security? Doubtful.

    1. Re:Agreed by Anonymous Coward · · Score: 2, Interesting
      If you lost your dog and offered up a $100 reward yet you made a $100,000 salary, would you not be serious about getting your dog back?

      No. You wouldn't be.

      Whatever you may think, 5 million is still a lot of money.

      Sure. It is. But for the type of marketing work it did for MS it was a bargain... even if they had to actually pay it all out.

      I mean come on... X-Box marketing budget was something like $500mil! I'd say MS is 100 times more serious about selling X-Box than about Windows security.

  8. Ob "security through obscurity" post by Jetson · · Score: 3, Interesting
    It's not the number of holes in your software, it's whether or not the typical cracker knows how to exploit them.

    That's why Microsoft is so committed to solving security through obscurity -- they believe that keeping the flaws secret will keep crackers from developing exploits.

    The "study" will also no doubt find that Microsoft fixes their bugs much faster than open source programmers since the Windows bug and downloadable fix are often announced on the same day.

  9. ha ha... by cshark · · Score: 1, Interesting

    I think it's funny that Microsoft needs to pay people to say how great their products are. Maybe they should focus on building a better product rather than telling some analyst to write nice things about them. Come on. Anyone could do that.

    --

    This signature has Super Cow Powers

  10. Re:Root access? No. by foniksonik · · Score: 5, Interesting

    This is true... Windows gives just enough access to really mess things up and not enough access to do anything about it.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  11. Re:Easy Question to Ask by TheRealSlimShady · · Score: 2, Interesting
    How many Windows Security Threats have made me work over 24 hours straight? 1 every 2 months in 2003

    Why did you have to work over 24 hours straight? Don't you have an automated patch management strategy in place? Surely that's part of supporting an OS? Surely after the first time you would have figured out that there's a better way to do it?

  12. An evil play?? by markxsd · · Score: 4, Interesting
    Unless we're missing something... Who's to say that Microsoft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate? There are still bright people at Microsoft. There are certainly people bright enough to find bugs in software (maybe they won't find much wrong with the Linux kernel, but it's not going to be too difficult to find bugs in myriad GNU and other packages that come with a typical distro). They might view finding and making public security holes in the competition as a more valuable and profitable exercise than securing their own OS and software.

    If they, like many of us, see Linux as the biggest credible threat out there, they might resort to fighting dirty. Linux does have the potential to shift the paradigm of the whole IT industry in the same way that Microsoft themselves did through the 80s and 90s. Sun et al are already feeling the heat in the server market. I'm certain that Bill and co are getting twitchy about how things are developing.

    We all know Microsoft is pretty cold and calculated when it comes to competitors. If Linux is next in the firing line, the open source community needs to be ready for this battle and the wars that will follow...

  13. The Chinese know.... by i_want_you_to_throw_ · · Score: 4, Interesting

    First the Chinese get the Source Code for Windows then they decide to back Linux?

    Sounds more like our government had better look at who is more secure.

  14. Please respond to this post Microsoft by aws4y · · Score: 2, Interesting

    They may pull out all the stops, but they still have to explain why there is no memory protection built into the Windows kernel, why the default user has install privileges, and why they are now releasing patches on a monthly basis and not when the vulnerability is discovered.

    My first point is the one I want answered, why can't Microsoft build a kernel that polices the processes that it runs?

    --
    Did Glenn Beck rape and kill a girl in 1990? gb1990.com
  15. Uuuh by JawFunk · · Score: 2, Interesting
    "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

    Uuh... We're at 9 now, buddy.

    --
    [Please sign here]
  16. OpenFUD by iCoach · · Score: 2, Interesting

    Ok, so M$'s FUD machine is gearing up. What option do we have other than bitch on the /. forums? I know donate to the EFF, write open code, blah blah - bullshit.

    I want to know what I CAN DO. From writing a senator, to going postal at M$. What are our options as Open Source advocates to beat the M$ FUD machine? An OpenFUD project? Because despite flame wars on /., despite arguments in IRC, despite all our efforts sooner or later the M$ FUD will find something that sticks in the back of the minds of all our PHBs. At which point OS security will be M$'s triumph instead of ours.

    -Coach

    --
    "Never upset a goalie, getting hit with a blocker is an unpleasant experience - facemask or not." -Me
  17. Users are the security problem by rudy_wayne · · Score: 4, Interesting

    Today, I was talking to a friend of mine who bought his first computer about 4 years ago. He wanted to back up everything on his computer, so he dragged all the icons from the desktop over to his CD burning program. When I tried to explain to him that the only thing he burned onto the CD was a dozen shortcuts, and not the actual programs/data itself, he just looked at me with this totally blank stare and had absolutely no clue what I was talking about.

    The point is this: When it comes to programmer-related problems (buffer overflows, etc) Windows and Linux seem about equal. The big problem with Windows is that Microsoft's focus has been entirely on "ease of use" for people who know little or nothing about computers. That's how you sell lots of computers (and lots of copies of Windows). They created all sorts of nifty features (scripting, etc.) and turned them all on by default -- never giving a moment's thought to the harmful ways that these features could be used.

    Windows, in the hands of a knowledgeable person, can be just as secure as Linux.
    But, "right out of the box" it's a security nightmare -- a disaster waiting to happen.

    1. Re:Users are the security problem by the_mad_poster · · Score: 4, Interesting

      Windows, in the hands of a knowledgeable person, can be just as secure as Linux.

      In another dimension...

      Tell me - can I not install any vbScript? Can I not install IE or Outlook Express? Can I UNINSTALL IE once it's installed? Can I skip RPC? What about messenger? What about the GUI? What about any of those dozens of services that run by default on my XP box?

      Can I install JUST a linux kernel and the absolute bare bones minimum of tools for my box if I'm so inclined?

      It's possible to tweak Windows down to help shrink your liability, but never as far as you can go with Linux.

      Otherwise, I agree with most of what you said - especially about the users. It might be helpful to look at it the OTHER way: in the hands of an idiot, Linux is just as dangerous as Windows. In fact, probably more so, because it's faaaaarrrrr more powerful.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  18. What about the DMCA ? by Simon+Lyngshede · · Score: 2, Interesting

    Is this even legal in the USA, pointing out security holes I mean? I thought the DMCA made that illegal, or was it some other silly law?

    Anyway, strip down a GNU/Linux distribution to a minimum and you'll see that the base OS has not had any major security issues. Strip down Windows and you'll still have one buggy browser to deal with, a GUI in the kernel (pretty stupid when you think about it) and of course you've got the whole range of open ports, which of course doesn't really do much, but still manages to pose a security risk.

    Linux and Unix software isn't that much better than the Windows equivalent, but the basic operating system does have fewer security issues. This isn't because Linux developers are more skilled than Microsoft developers (it would be kind of weird if they were). Linux has the advantage of being just a kernel; everything else is an add-on. Windows is huge and complex, even in a minimal installation, if such a thing even exists.

    Microsoft can bash Linux all they want, I really don't care, it won't make me go back to Windows. I think Linux is a much better product in general, not just security wise and if Microsoft want me to think otherwise they will need to make some serious changes to Windows.

  19. Re:Why is this FUD? by Anonymous Coward · · Score: 1, Interesting

    That depends on what your definition of "Linux" is. It's pretty standard form for Microsoft to lump all the third-party packages that could conceivably come with any packaged Linux distribution and call them "Linux".

    Thus, to MS marketing, a WU-FTPD security hole is a Linux security hole. A ProFTPD security hole is ANOTHER Linux security hole. It doesn't matter that these services are not included in all distros, off by default in all the distros that ship them, not even installed by most users, and it's pretty much guaranteed that both services won't be running on the same system, and they AREN'T LINUX VULNERABILITIES. This is all irrelevant to MS marketing. It's two Linux security vulnerabilities to them.

    Four actually, if you add the two SuSE vulnerabilities to the two RedHat vulnerabilities. Make that six for Mandrake. Isn't this fun?

    Well, you could do the same for Windows. There's the RPC vulnerability in Windows Server 2003 and the one in Windows XP. That's two. Then there's some vulnerabilities in QuickTime and RealPlayer--if we count one apiece, that'd be four vulnerabilities, to cover both current operating systems. Oh, and Gator, that's a popular Windows app! Etc, etc. Wait, I almost forgot Windows Tablet Edition and PocketPCs! Multiply all bugs by four!

  20. Re:Root access for all users?? by LadyLucky · · Score: 2, Interesting
    Replying to my own post, but still..

    Windows has many levels of user access. The administrators group is closest to the concept of 'root' in the world of unix, but it isn't identical. Local System is the real 'root' user, which you cannot log in as.

    It's perfectly permissible to run Windows not as a root user. And like Linux, this causes problems, and will require you to escalate privileges to do certain operations (think: mounting a network share which requires elevated access in Linux, or binding to ports). I'm not claiming that it's got perfect security or that local escalation exploits don't exist, they do (Shatter attacks in particular!), but they also exist on all platforms. Time to take blinkers off, SlashBots.

    --
    dominionrd.blogspot.com - Restaurants on
  21. 99.9% of all viruses in wild - Microsoft only by Netlink · · Score: 3, Interesting

    More than 99.9% of all viruses in the wild will only work with Microsoft software.

    Sobig, Mimail, Sircam, Lovebug, Nimda, Code Red the list goes on.

    Microsoft will say that this is because most computers on the Internet run Windows, but a look at netcraft.com shows that more than two thirds of web servers run Apache, and only about 20% run IIS.

    Windows has more than 90% of desktops, but not more than 99.9%. I run Linux on my desktop, and don't even bother to run the Sophos antivirus client I have a license for, no point, no one could infect my desktop with any of the 80,000+ viruses Sophos detects.

    If Microsoft are going to try this one then they will have to tell lies and pay for carefully run studies.

    I bet they will not compare Windows and Linux viruses!!

  22. Re:Good Call! by ppanon · · Score: 5, Interesting

    This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains insecure.

    Well, I don't know about that, but I think it will change the makeup of the virus-writing community. If Microsoft had done this 10 years ago, it might have made a small effect. I have gotten the impression that, back then, virus writers mainly did it for exposure and bragging rights. If you could no longer brag about it because it increased the odds that someone you bragged to would turn you in for $$$, it might have dissuaded a fair number of virus writers.

    However now, a substantial number of virus/trojan/worm writers seem to write cyber-parasites to get zombie machines to play core wars-style turf games on the Internet (such as DDOSing the people they don't like) or to spam for money.

    The motivation is no longer the same and these bounties are likely to have much less of an effect. It's too little, way too late.

    --
    Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  23. Re:hypocrites by superchkn · · Score: 2, Interesting
    I see you subscribe to the MS FUD newsletter. ;-)

    Here's a little reality for you:
    1. RH6 !== Windows 2003 Server
    2. Applications !== OS
    3. Remote Root Exploit !== Every security patch

    Instead of reading the comments, you blindly replied with a canned response. I've listed the most common subject of the postings I've read so far so you'll know what to look for when reading the posts yourself.

    If you'd like to respond to these issues point-by-point and explain how this is an objective scientific study and not (at the very least) an ignorant and misleading article, I'd be happy to join in a discussion.
  24. The major security problem... by Kindaian · · Score: 3, Interesting

    Is that while everyone can audit every line of code of open source OSes, nobody (apart from Microsoft) can audit Windows... Who can say that Windows doesn't have backdoors to the FBI or worse?

  25. Re:Root access for all users?? by GoneGaryT · · Score: 2, Interesting

    Yes but...

    Windows exploits that '0wn' your machine go in at System privilege level. That's one above Administrator; you can be logged in as such while someone 'sploits your box and there's *nothing* you can do to defend it (apart from introducing sudden air-gap security). On a GNU/Linux box, you can at least try to defend it during an attack if you wish.

  26. What in Heck nowhere near as bad as 5 years by Anonymous Coward · · Score: 3, Interesting

    The Blaster worm defect is 5+ years in age. Now in most cases you have 2 years for a virus writer to find and use a bug, or 4 months for a data thief. Linux is staying inside the safe space; note I would like it better, but nothing is perfect. But the Blaster flaw was known for sure in 1995. I found it then on a data thief's howto site (know your enemy). The reason for not patching was users want network connections out of the box. OK, why in hell did it allow the port through dial-up connections, and why in hell could you not disable it on network cards?

    That is right, you have to install a third-party firewall. Here is Microsoft's biggest problem: no good default firewall. Most Linux faults can be blocked out by the default firewall. The next version will target programs if everything goes to plan, which will make Linux even harder to attack.

    Note the one in Windows XP is a poor firewall; a free one shipped with the OS would have been better.

    The other defence of Linux is in most cases we do not have one program to do just that task. I.e. multiple ftp servers, different versions of Apache and removable modules, multiple email servers.

    Basically Linux defence is patch or swap out of operation. Swap-out-of-operation stuff has patches that are slower because there is no need to rush the patch. I.e. if everyone has swapped out as directed there will be no problem. Basically a swap-out directive had better be called a full patch at the directive or Microsoft has stuffed up its report.

  27. Re:As if... by amcnabb · · Score: 2, Interesting

    Meanwhile, the rational, quiet people whose opinions aren't voiced in boisterous +5 posts all the time just watch from the sidelines, shake their heads, and use the right tool for the job, whatever that may be.

    Are you implying that Windows is the right tool for the job? For any job? Whoa.

    For non-techies, Apple is the way to go. For corporate and/or programming environments, Linux/UNIX is the way to go. Not much room for Microsoft in the middle.

  28. Difference in ways of responding to security holes by Kolinar · · Score: 2, Interesting

    There is a difference in the ways of responding to security holes.

    On discovery of a security hole, the Linux and other Open Source way is to announce publicly that there is a security hole that needs people's attention; ways to safeguard oneself against the security hole are discussed first. A patch is then quickly produced and distributed.

    On the other hand, on discovery of a security hole, Microsoft does *NOT* announce the security hole, fearing wide-spread exploitation would lead to catastrophe. A patch is produced in the meantime (when the general public has no awareness that a security hole even exists). At about the same time as the announcement of the security hole, a patch is released to the general public.

    Microsoft might take advantage of this difference in the patching process to tip the scale in their favor. The public perception of the "speed" of patching would be faster, because the patch is provided at around the same time as the announcement, when the actual time between discovery and completion of the patch may (or may not) be longer.
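The two methodology choices discussed in this comment and in comment 19 above (counting every distro's re-issued advisory as a separate hole, and measuring days-to-patch from the public announcement rather than from discovery), shown side by side as an added example that is not part of the thread or of any vendor study. All advisory records, platform names and bug ids below are constructed.

```python
"""Added example (not from the Slashdot thread or from any vendor study): how
two methodology choices change a "security study" score: counting each distro's
re-issued advisory as a separate hole, and timing a fix from public announcement
rather than from discovery. Every record here is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Advisory:
    family: str       # "open" (many distros re-issue one fix) or "closed" (single vendor)
    platform: str     # who published the advisory (constructed names)
    bug_id: str       # constructed upstream bug id, shared by every distro shipping the code
    discovered: date  # first known to the maintainer or vendor (not yet public)
    disclosed: date   # first public announcement of the hole
    patched: date     # fix available to the public from this platform


ADVISORIES = [
    # Constructed: one upstream ftpd bug, disclosed a day after discovery and
    # re-issued by three distros with their own patch dates.
    Advisory("open", "Distro-A", "BUG-0001", date(2003, 1, 5), date(2003, 1, 6), date(2003, 1, 8)),
    Advisory("open", "Distro-B", "BUG-0001", date(2003, 1, 5), date(2003, 1, 6), date(2003, 1, 9)),
    Advisory("open", "Distro-C", "BUG-0001", date(2003, 1, 5), date(2003, 1, 6), date(2003, 1, 12)),
    # Constructed: a second ftpd bug, disclosed the day it was found, two distros.
    Advisory("open", "Distro-A", "BUG-0002", date(2003, 3, 1), date(2003, 3, 1), date(2003, 3, 3)),
    Advisory("open", "Distro-B", "BUG-0002", date(2003, 3, 1), date(2003, 3, 1), date(2003, 3, 5)),
    # Constructed: a mail server bug shipped by only one distro.
    Advisory("open", "Distro-A", "BUG-0003", date(2003, 5, 10), date(2003, 5, 11), date(2003, 5, 13)),
    # Constructed: closed-vendor records, kept private until the patch is ready,
    # so announcement and patch land on the same day.
    Advisory("closed", "Vendor-W", "BUG-1001", date(2003, 2, 1), date(2003, 4, 10), date(2003, 4, 10)),
    Advisory("closed", "Vendor-W", "BUG-1002", date(2003, 3, 15), date(2003, 6, 20), date(2003, 6, 20)),
]


def by_family(advisories):
    """Group advisories by the 'open' / 'closed' family they belong to."""
    groups = defaultdict(list)
    for adv in advisories:
        groups[adv.family].append(adv)
    return groups


def advisory_count(advs):
    """The inflated count: every re-issued distro advisory is a separate 'hole'."""
    return len(advs)


def unique_bug_count(advs):
    """The deduplicated count: one upstream bug is one hole however many distros ship it."""
    return len({adv.bug_id for adv in advs})


def mean_days_to_patch(advs, start):
    """Mean days per advisory from `start` ('disclosed' or 'discovered') to the patch."""
    return mean([(adv.patched - getattr(adv, start)).days for adv in advs])


def mean_days_to_first_fix(advs):
    """Per unique bug: days from disclosure until the earliest platform shipped a fix."""
    first_fix = {}
    for adv in advs:
        prev = first_fix.get(adv.bug_id)
        if prev is None or adv.patched < prev.patched:
            first_fix[adv.bug_id] = adv
    return mean([(adv.patched - adv.disclosed).days for adv in first_fix.values()])


def scorecard(advisories=ADVISORIES):
    """Both ways of counting and both ways of timing, side by side per family."""
    card = {}
    for family, advs in by_family(advisories).items():
        card[family] = {
            "advisories": advisory_count(advs),
            "unique_bugs": unique_bug_count(advs),
            "days_from_disclosure": mean_days_to_patch(advs, "disclosed"),
            "days_from_discovery": mean_days_to_patch(advs, "discovered"),
            "days_to_first_fix": mean_days_to_first_fix(advs),
        }
    return card


if __name__ == "__main__":
    # The 'closed' family scores 0 days when timed from announcement but the
    # longest window of all when timed from discovery; the 'open' family's
    # hole count doubles when each distro re-issue is counted separately.
    for family, metrics in scorecard().items():
        print(family, {k: round(v, 2) for k, v in metrics.items()})
```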

  29. Re:As if... by Lodragandraoidh · · Score: 5, Interesting

    I started out as a Dos/Windows user from day 1 (actually I really started out as a TI 99a user - but that is another story). I have also managed and used all of the windows operating systems from Win 3.1 up to the present Win XP. When I didn't know any better, I used to think the DOS command line was the best thing since sliced bread, and batch files were my scripting nirvana.

    Then I started using *nix. I loaded Linux for the first time in 1992, and have been using it ever since. I was also a Unix system administrator during my career, and was using Sun systems in college before that. I learned the tool building paradigm of Unix, and absorbed awk, sed, perl, python, lisp, java, and a host of tools unheard of in the Microsoft world. Things that I spent hours accomplishing with Windows and DOS, I was accomplishing in minutes with Linux.

    From my vantage point, it is plain to see that the Microsoft products are not up to the task of being a general purpose workstation/server operating system. When compared to industrial strength Unix and Linux distributions, it is a toy - and should be advertised as such.

    I think the key distinction we need to understand is the ability of an end user to ameliorate security problems and other bugs when they manifest themselves. In *nix, usually the source code is available for modification, or a work around can be accomplished quickly with a scripting language because of the clear text interprocess communication mechanisms available. On the Microsoft side of the house, we are clearly dependent upon the good will and scheduling of Microsoft to get the fix implemented - and there is not much we can do to alter the outcome. So, the choices are independent ability to fix things, as needed - or Big Brother Knows Best; I know what I prefer.

    Given the above, Microsoft is never the 'right tool for the job', unless your job is a toy application that is expected to be obsolete within a few years. The simple measure of this is to look at all the DOS applications that are currently being used by end users, versus *nix applications (albeit in GNU form) - *nix wins hands down. Don't believe I haven't tried using various DOS and Windows tools - but they just don't have the overall flexibility and usefulness that can be plentifully found under *nix.

    What really boggles me about this whole issue is how people can be screwed by MS a thousand times over (non backwards compatible file formats, blecherous incomplete implementation of java, a malformed central configuration repository that causes complete system meltdowns when corrupted - that end users are not shown how to backup out of the box, etc...the list goes on and on), and yet come back smiling for more! What is really amusing (sad, really) is how I see some people rationalize that they were the ones at fault: "It was silly of me to build my spreadsheets in MS Works 1.4 back in '85 - what was I thinking! I should have copied all those entries across to Excel back in '95". To me this is a red flag that I am being taken for a ride. I woke up. I hope you do too.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  30. Re:Easy Question to Ask by Anonymous Coward · · Score: 2, Interesting

    There are numerous problems with your rant. First, Blaster has nothing to do with email. The user doesn't have to take any action at all to be infected - he or she simply has to have an unpatched and unfirewalled system on the internet.

    Second, Outlook doesn't play any role at all in the case of the two email viruses/worms you mentioned (Klez and SoBig). User stupidity and lack of proper antivirus protection are the only relevant factors.

    Security patches are also not relevant to these email worms, since they don't use security exploits.

    Finally, the patch for the RPC exploit was available well before Blaster appeared.

    These are all nit-picks, but they point to an overall problem of incorrectly assigning blame. Is MS at fault in any way for an email virus that exploits no security holes (in MS products or otherwise), and can only infest and spread if the user is foolish enough to run it? No. The user is 100% at fault for running an untrusted program. The speed with which MS issues patches has absolutely no bearing on this situation - they can't patch against user ignorance or stupidity.

    Likewise, is MS at fault in any way for a virus that exploits a security hole they've already fixed, but for which the user has not updated? No. They've done their part. The user has not.

    You can argue that the hole should not have existed in the first place, but in the real world it happens. The only reasonable expectation we can have is that such holes are fixed in a timely manner. You are free to have your own opinion about whether or not MS meets this expectation, but the fact remains that many (most?) worms that exploit security holes exploit old, already patched security holes.

  31. Re:Moving well on into stage 3... by geekee · · Score: 2, Interesting

    "First they ignore you, then they laugh at you, then they fight you, then you win." - Mohandas Gandhi

    This quote is meaningless, except in hindsight. For instance, if Gandhi had used the same tactics in Hussein-controlled Iraq, instead of British-controlled India, the quote would go:
    First they ignore you,
    Then they laugh at you,
    Then they fight you,
    Then you die.
    He would have ended up in a mass grave with the other 300k people.

    --
    Vote for Pedro
  32. Wait a moment... by Catiline · · Score: 2, Interesting

    Last time I checked, Jim Allchin (VP at MS) talked about "unfixable security flaws" on the stand at the antitrust trial. That alone has made me laugh any time Microsoft starts talking about their security measures. Therefore, I'll take any talk on security Microsoft makes seriously only after they announce a fix for their unfixable flaws -- things like shatter attacks.

  33. Duh? by hughk · · Score: 2, Interesting
    RH 9 locks down unrequested services and suggests a medium-level firewall out of the box. My biggest issue with RH security problems is turning things back on, or at least explaining that to people (no big deal).

    If you install a workstation, you must explicitly request servers. You must punch holes in your firewall to run some software.

    --
    See my journal, I write things there