The World's Safest Operating System
fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."
This is not the best way to conduct research. When I was doing research at NIH we would say of this sort of thing, "After discarding all data to the contrary, the hypothesis was proven."
While this research may show that Linux servers are over-represented in overt acts of hacking, this does not statistically make the Linux OS the least secure. Attacking a particular system simply makes it popular for attack. In order to characterize Linux, or any other OS, as the least secure, there would need to be evidence that an equal amount of other OS's were unsuccessfully attacked or the success rate was lower. Other variables that would require controls would be the hacker, level of sophistication of attack, etc. etc.
To say that "...while Linux servers were the most vulnerable..." only means that they may have been the most targeted. I am not saying that the conclusions of this research are incorrect, I am saying that from what I have read, they cannot come to those conclusions.
Keep Smiling!
Erick
http://www.busyweather.com/
For all the servers out there, I wonder how many people actually run up2date or apt from time to time. I imagine more people who run windows run windows update than any linux equivalent.
Let's face it. Linux isn't for just the uber-geek anymore. So logically, more systems are going to be hacked into when people with no security sense are managing systems.
Don't blame the operating system. Blame everyone who thinks they're a competent sysadmin, but really aren't.
Not to mention that this article doesn't weigh in percentages. There are a *LOT* more linux servers out there than there are BSD, Windows and Mac OS X servers. When one factors in percentages, Linux really isn't *that* bad.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Why would anyone want to crack a Windows box? It'd be completely useless to you.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
Different distributions vary greatly in how secure they are out of the box and in how easy it is to apply security updates once they are deployed. Also, talking about absolute numbers of breakins is completely uninformative without knowing the number of systems deployed for each.
There was a paper by Brian Kernighan in the August 1979 Bell Labs Journal that predicted that this would be the case....wonder why everyone is so surprised
MACWORLD says that MACS are the most secure. Hmm... Interesting.
So does that mean that Windows is hazardous???
It's not because Linux is somehow inferior or less secure, but the result of how popular Linux has become in the server world and all these ex-Windows admins who know jack shit about Linux trying to admin Linux servers.
God, people, read the fucking quote by DK Matai (mi2g chairman):
"The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers."
In other words, it's the administrators, stupid -- BSD is no more secure than Linux!
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
To be news, they need to say what proportion of computers use each OS, and what apps were hacked. It even says third party software accounts for a lot of the Linux hacks.
Nothing to see here except some meaningless statistics. Yawn.
I think they forgot to include the fine print... Here's what it should say:
This research project was partially funded by Microsoft and the BSD foundation.
Somebody needs to take some basic statistics. The fact that Linux is most often the operating system involved in server compromises is not surprising since Linux is most often the operating system involved in servers in the first place. If you normalize out for server market share, you'll find things are more or less even.
When it comes to servers, selecting a bad choice of a password or forgetting to properly set file permissions is still the easiest way to get hacked, and that will always be operating system independent. And, that accounts for the majority of security weaknesses. Worms and viri are a client-side issue, servers don't often get hit with those.
So, good work OSX fans. You finally found a metric by which having the fewest number of servers in actual use makes you look good...
Linux, being a free OS, ends up with newbie admins all over the place. The defaults aren't too safe. How many of these servers surveyed were admined with something like cpanel?
Since poor Linux administration often results in mass website-defacements, I'm wondering if a single box hosting 150 websites counts as one "successful attack" or 150 "successful attacks". Details on the methodology used are a little sketchy and I can't see anything on the little thumbnails provided by mi2g.
That's not even the OS's fault. It's stupid users and bad apps.
LIES! Linux is INVINCIBLE!
crontab -e
0 0 * * * up2date --channel=redhat -u
or
0 0 * * * yum -y update
problem solved (for redhat linux users anyway, which probably compromises 50% of linux hack attempts)
Does the name Pavlov ring a bell?
Would you be cautioning people to understand correct statistical analysis as you just did above, or would you be gloating and laughing at yet another of Gates' follies?
I'm guessing the hypocrite in you would have reared its ugly head. Your pet OS is found to be lacking, and now you want to advocate "reason". Now show me some previous posts where you don't jump all over non-Linux OSes like a cheap coat, and I might take you seriously.
The BSD variants have long been at the top of the security heap. The windows move up is not a surprise to those of us running windows 2003 (heck, I'm running it as a desktop). I love Linux, and will continue to implement it and recommend it, but Microsoft did a really good job with their latest server OS. They were so bad, they could only get better. But they did get better, and that's all that matters.
::puts on flame-proof suit::
Linux is made up of _many_ distributions, who hack together systems out of many disparate apps. Each is slightly different. This diversity means none can Q.A. their systems as well as a unified project like FreeBSD does. I've seen some unbelievable bugs in a very well-known Linux distro, there for no reason other than their resources are stretched too thin.
Linux is also a Unix. People who put up *BSD servers are Unix hacks. People who put up Linux servers are oftentimes ordinary people who are trying to cut costs from not going with Windows. Unix is powerful, if you don't know how to handle that power, you put your systems at real risk.
Looks like mi2g doesn't have the best reputation:
"And yes, every time an mi2g story has come up, an ugly flamewar has started. The funny thing is, it's the security equivalent of an Adequacy troll.
Some links:
http://www.attrition.org/errata/charlatan/mi2g-
http://www.theregister.co.uk/content/55/28233.h
http://www.nwfusion.com/news/2002/1107msfoul.ht
How many linux servers are there in the wild, how many bsd ones, and how many windows ones. I'd be tempted to guess that the geeks favourite OS is by far the most popular server OS...
In other words, it's the same story as Windows on the desktop - there are more attacks because there are more servers. Since they don't give us percentages of installed vs breached, the data is essentially useless. Rule #1: Normalise your data before comparison....
Simon.
Physicists get Hadrons!
Not only is BSD (apparently) the "safest", but you might be surprised to notice that the 50 highest uptimes on the net belong to BSD
And I run linux. You'd think I would learn...
Politics, Culture, Food?
Time to face it and stop thinking Linux is the best thing since sliced bread in security. Linux has as many holes as everything else.
Time to start taking a hard look at Linux source and other Open Source like MySQL and make sure they are as secure as they can be!~
Linux is secure... out of the box. However without a skilled administrator, it's very easy to open up LOTS of holes. I think that linux is a great operating system for power users, but let's face it, the average desktop user or the new sys admin doesn't belong on a powerful distro right now. Perhaps lindows, but not Red Hat Enterprise. One thing I found interesting was this:
"For the first time, the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004," the analyst said.
I'm in the army in Europe and we're not allowed to run BSD or OS X. Only non-windows I'm authorized is AIX or um... (I'm really sorry to admit this) SCO. So I'm sure a lot of other government agencies (besides DoD), don't allow BSD and OSX.
The system admins usually don't know what they're doing, and the system gets broken into--it has nothing to do with the system itself. The admins should know how to configure the system - instead of leaving the defaults on. The defaults for other systems are most probably simply safer than the defaults in Linux.
Scorta futuere amo!
I don't understand why anyone would publish a study that is so loosely and poorly substantiated; that would be like looking at a Syrian prison and counting the number of Syrians imprisoned, and then on that basis surmising that "Syrians are more criminal than South Africans, since there are hundreds of Syrians and not a single South African." /Paven
The numbers quoted probably reflect the popularity of Linux as a web server platform. As with any net-connected machine, the administrators must be diligent when it comes to applying the security patches. Most aren't; they seem to feel that once the thing is set up, they can just forget the OS and concentrate on content.
--
read: Connection reset by beer
they forgot a very important piece of information: the percentage of total servers accounted for by these systems.
armed with this statistic and the age old mathematical operation of *division* one could make these results meaningful.
in other news, a new study finds that red heads are much less likely to commit violent crimes. Data for left-handed people is also encouraging.
-ashot
Mi2g
Second link leads to this page which shows what a crock this (company/report) is.
The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide.
"When we ignore most of the break-ins that windows had, it had less than linux!"
followed by BSD and Mac OS X with 555 breaches
This completely ignores the proportion of these OS's that got hacked. If there are only 556 of them deployed, then this is a terrible break-in rate. Obviously there are more than 556, but there are fewer BSD servers than linux servers.
<high-level position here>
<name of stupid small company here>
The first red flag I noticed was that they want you to pay for the results.
That's not how it works. There are also many other reasons not to believe them. Boy, it must be nice to be able to make a living just making up statistics.
I don't want to troll, but wasn't this the same thing with windows? They have a larger share of the desktop, of course it gets more attacks. ... Unix(Linux) is very user friendly, it's just picky about who its friends are.
Same goes for linux and servers.
How should I put it
Dan
Who in the world is surprised by these results? Everyone knows BSD systems tend to be more secure relative to Windows and Linux.
*yawn*
Microsoft announces acquisition of the UK-based security firm mi2g.
:wq
Then you'd think these statistics weren't meaningless, eh Mr. Penguin?
Perhaps Linux needs an auto-update feature to install security patches as well (like the Win2K product line).
Read Why is mi2g so unpopular?
Then read this complete debunking of the scam^Wfirm.
Slashdot is trolling us -- did I wake up in Soviet Russia??
-- @rjamestaylor on Ello
I am wondering if this test was performed on a system that has yet to be tweaked. After all, if you leave FTP and Telnet ports wide open, of course it's gonna get compromised! I spent some time turning off all my ports, setting up the iptables, etc and now she's definitely a lot safer. Exactly what are these 'holes' that are being exploited? Without that information, it's like a Windows v Linux experiment run by Msft on an unconfigured Samba connection.
Define "Safest".
It is 4 AM and you're flying into Heathrow in zero visibility.
Which OS/hardware combo would you want controlling your descent and landing? And since this is slashdot, also assume that technicians, and not you, would install the system.
I'm sure there is more to 'Safety' than just not getting hacked. This seems a bit simplistic. Also, where are the results for Solaris, AIX, Tru-64 etc? In fact any of the commercial UNIXes? This isn't just simplistic; there's an entire quarter or so of server systems missing from the data. Well done to BSD, if this data is worth anything, but in my opinion it's just about worthless. And that's from a BSD user...
"This is crazy, you realise we could all go to jail for this?" - my manager, somewhere I used to work.
BSD is open, too. It's not about open, it's about a shitty article.
bash: rtfm: command not found
as seen here last year
I don't read your sig, why do you read mine?
While I'll admit that I find these behaviors pretty annoying, you can bet that Linux would enjoy a somewhat better security record if it were that hard to forget updates. It's a shame more Linuxes don't ship with at least the option of turning this on for desktop and small server folks.
At SCO, we offer increased security by running our website with Linux and only connecting the SCO machines to McDonald's cash registers and machines too old and slow to run root toolkits.
So, I've said it before, and I'll say it again: Linux is horribly inconsistent, and can be much worse than Windows, at its worst.
Come on, give it up, that's
If mi2g is saying that BSD OS's and Mac OS-X's are the most secure, then why are they using Linux? Netcraft shows they're running Linux with Apache and have been for over 1.5 years. To me, this study is pointless.
"Happily lived Mankind in the peaceful Valley of Ignorance." -- Hendrik Willem Van Loon
Absolute numbers are fine, but what about normalizing it for the total number of BSD, Linux, and Windows servers in use in this study? That's the more meaningful number. Then, what constitutes a successful attack?
Also, a useful study would look at how machines are maintained, password policies, etc.
Now before I come off sounding like a Linux apologist, it is quite possible there are some serious weaknesses that need to be addressed. If so, I hope they give us full info on the attacks so we can fix the problems. But these numbers as they stand don't tell us a darn thing.
If a dedicated admin configures Selinux and heavy duty firewalls, and puts Klingon password policies in place, I'd personally still be confident to match that system against anything out there. Default Redhat installs, on the other hand, are something else again. So again we need more info. It's all in how things are set up and maintained. The question actually being asked here - which OS is strongest, all other things being equal - is a really really tough one to answer. There are many other issues that must be addressed first.
So, as far as any useful information is concerned, this article doesn't appear to have any. What if the Linux machines simply had the best intrusion detection in place? (I'm not saying they did, but it's a fair question.) Need More Information!
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
We really have to admit that FreeBSD is in decline. In all likelihood, there may be only one more (or possibly two) releases before FreeBSD goes away forever.
I know it is now almost a mantra set in stone that "FreeBSD is dying". Unfortunately, the abuse of that fact by trolls has obscured the truth, that truth being that FreeBSD really is dying.
My main reason for moving away from FreeBSD has been twofold. First, to avoid the constant political infighting and bickering. And secondly, to investigate more promising and viable entries in the operating systems sweepstakes. FreeBSD is no longer a legitimate player, I'm sorry to say.
Yeah, right after MS made the switch from ASP to PHP :-p
I think this paragraph says it all - it comes down to poor admins. If you have a bajillion-dollar lock made out of unobtainuim, but leave the key under the doormat, you're less secure than if you have a 2-dollar master lock but aren't dumb about the key.
mi2g analysed 17.074 successful digital attacks against servers and networks. It states: "With Linux accounting for 13,654 breaches, Windows for 2,005 breaches followed by BSD and Mac OS X with 555 breaches worldwide in January 2004."
They say how many attacks they analyzed, but they didn't mention the pool of hosts that these attacks were taken from.
Were there 1000000 linux hosts, 200 Windows hosts, and 6 Mac OS hosts? If so, that would radically change the conclusion that is implied.
Also, it's interesting to note that they did NOT count automated attacks by viruses, etc.
I'm sure there are interesting conclusions in their study of attacks, but given the lack of data, this study doesn't provide enough data to conclude that one OS is safer than other.
For god's sake, how many more times will Slashdot fall for crap from this bunch of cowboys? mi2g are the archetypal media whores, they have no clue, no idea what they're talking about but they have the uncanny ability to tune a press release for maximum meaningless security. These 'surveys' they put out every so often are utterly meaningless, based on nothing. They're nothing more than a bunch of bullshitters who should be ignored. Five minutes with Google will turn up all the proof you need, failing that go search www.ntk.net.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
s/Linux server/Windows desktops/ and vice versa and the same applies to John Doe Windows user.
So why is everyone complaining about Windows but eager to defend such a similar situation in Linux server land?
Wasn't it the OS we blamed on the Windows side? Maybe some answers lie in the interface with which Linux kernels have to be updated on a system, next to just pressing 'install' at windows update?
We should not be concentrating on which operating system is more secure than another. This just promotes the myth that people can 'choose' the most secure operating system and then they are secure. No operating system is secure, if you do not keep it up to date and patched.
Every time I see an article like this, I wonder how many users and administrators will get the false impression that if they just switch to another platform they will have done their job.
Security is a process. It is not all about the technology, and it requires educating users and managers to be effective.
when they THREW OUT Windows Third Party apps (Outlook, etc) because they only wanted to target direct attacks.
I mean, c'mon what are we talking about here? Sendmail? SSH?
Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."
Well, let's see here.
1. Government. Stupid is as stupid does.
2. Inadequate training.
3. Inadequate knowledge.
Three strikes and you're out. The VAST majority of government workers are NOT highly educated people, and as a matter of fact, most of them are former welfare workers placed into government jobs to get them off the welfare log books.
When you factor in all these things you should expect the results they came up with.
But I say this, you put a GOOD, trained, educated, and skilled sys admin behind those same Linux systems and those numbers will flip.
Although it has been pointed out that worms, viruses, and other type attacks were completely ignored, there were other significant pieces of information left out as well.
What percentage of servers over all use what operating system? If only .1% use Mac then actually it would show that Macs are MORE vulnerable because they account for more than .1% of reported cases.
How did they get these statistics? For them to record a breach two things have to happen. You have to notice the breach and you have to report it. Is there a higher percentage of Windows users who don't notice the breach? Is there a higher percentage that don't report a breach? Linux users would tend to be more open to sharing the information imho since they are already users of open source which by nature is a choice to share information.
Although there are other things too the most relevant seems to be their sampling. What portion of their sample was running Linux? They definitely did not use an equal sample size of each OS. Taking result numbers alone is not good enough to make a conclusion.
I don't know about the results but this 'security company' has been in the news before and as far as I know it was labeled as a bunch of charlatans by real security experts at security focus. Read more about mi2g at: http://www.attrition.org/errata/charlatan/mi2g-history.html
bsd systems are more secure than *most* linux systems by having most services turned off at install. a box is only as secure as its admin makes it. but this comes with more ease on a bsd system.
FreeBSD Addicts
I think it's safest to say nothing is safe. Nothing will ever be completely secure, period. The most common OS will always be the most targeted (Microsoft) and the competitor that is considered to be the biggest threat (Linux) will be second most targeted. The rarer the OS the rarer the odds of getting infiltrated are. The less public and heard of you are the more underneath the radar you are.
They didn't take into account all the popular windows viruses out there, this is not quite objective.
If you expose a Linux machine to the internet, it is unlikely that it will get cracked, and this can be better if you keep up to date all important software and don't run stupid things as ROOT or have running unnecessary services.
Now if you put a Windows Machine on the internet, it is likely that it will get a virus or will crash. Though if you keep your machine updated it can be safe for a while, until the new exploit gets out, or M$ locks your machine for ever.
The problem for the masses is not hackers (I don't think there are enough hackers to crack all the servers out there one by one), but viruses and other exploits out there, this is where windows is very vulnerable, anyone remember the RPC problem? it will shutdown your windows box and you don't even need to touch it.
C-x C-c
That company was probably started a year ago by some white dude who couldn't find a programming job.
I haven't RTFA yet, but just with the little information in the post, it sounds biased. I bet the Windows Servers were hardened while the Linux ones were not. I believe the BSD/OSX results. There's a *ton* of stuff inherently enabled on a default Windows install as well as Linux that makes it very exploitable.
FLR
But it is instructive to read some prior comment on mi2g, such as "Iraq will destroy us by computer" the experts screamed, or a more general index of mi2g myths, or a search for mi2g at NTK or even their own reasonably barking mad press releases.
I'm not uncomfortable with a finding that Linus boxes leak like sieves whilst windows boxes imitate Fort Knox; I'm by no means in security denial here. But I simply don't believe a word mi2g say.
With no reported vulnerabilities according to mi2g, these OSes are far more secure than that run of mill *BSD stuff.
The number of successful break-ins to plan9 systems was zero
beat that MacOS !
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Linux has been the latest fad (and this is in no way a criticism of Linux) amongst the pseudo-geeks who want to be cool by running Linux.
Most of these people don't know how or why they should lock down their boxes and keep their packages up to date.
Part of the problem is that many distros enable a lot of services by default, and over time, they become vulnerable to the latest buffer overflows and get rooted eventually by people who don't know about them.
The blame really doesn't go to Linux for its design. It just happens to be popular amongst people who don't know squat about security, though it would help if more distros would lock things down by default.
More uber-leet (0.9-BETA) features, more security problems. I'd guess that FreeBSD users are generally sticking with 4.x for now, Apple is putting out mostly bugfix releases, and Linux users are disproportionately chasing after the cutting edge to put them in parity with Windows users. Is there a breakdown of Linux attacks by kernel version/distro/distro version?
fact is that there are so many different states you could call secure.. that any study done in this general of a manner is complete BS, nothing is secure, nothing will ever be secure. bottom line. so stop with the MY OS is better than yours crap, if someone doesn't use what you use get over it. congrats for being more (or less) educated than them...
I'm ready to be modded flamebait by the zealots now...
..then "the most secure"
in this "security analysis" i could easily make any distro "the most secure in the world" by just disabling any services/daemons which allow for remote access.
any words about how many services each of the analyzed operating systems enables in its default install? is there any automatic update of packages? how easily can an average user/admin configure the whole box safely? nah? all of these points strongly influence the score in a test setting such as the one used here. they don't tell anything about the operating system's security however. they aren't even part of the operating system.
this isn't the only mistake this study suffers from (see other posts)
-h2o
What about Netware? Linux and Windows have had hundreds of security related patches in the last few years. Netware has had, like 4.
always felt bsd was safer than linux.
This probably isn't an issue for the vanilla BSDs, but OS X and Windows are both much more likely than Linux to simply be a workstation rather than a server, given the fact that the overwhelming number of Linux boxes are in use as servers.
It's generally not too bad to secure a workstation against remote attacks-- you can just rip out anything listening. On a server, you *have* to be running some sort of server software, and if that has holes, you are open to attack.
May we never see th
My Play Station 2 has never been hacked so it makes PS2 the most secure O/S.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Now if only this discussion were populated with people like you who know wtf they're talking about, instead of all these people making wild and unsubstantiated comments. Sigh.
Liberty.
But really, inadequate training on newly-commissioned linux systems seems like the true cause.
Ah, love that spin. Did you work for the Clinton administration?
MacWorld is sponsoring this study, makes you wonder what kind of bias is being shown here.
...whenever they have to defend against attacks on their OS from the Linux guys. How does it feel to be White?
Not unlike Black people in the USA complaining about "wetbacks", "towelheads" and "chinks" whining about them stealing "their" jobs..
is that many cracks are not being reported. We do not really know the real stats as so many companies are trying hard to hide that they were cracked. Apparently, even MS discourages sites from reporting except to the FBI who no longer releases that info.
I prefer the "u" in honour as it seems to be missing these days.
How many linux servers are out there?
How many Windows servers are out there?
I honestly don't know
but a statistic of this sort should go by percentages as these numbers mean nothing if there are 1,000,000 linux servers and 100,000 microsoft servers (very unlikely - i must add)
Don't discard the security of choosing an OS that's under the hacking radar. Microsoft systems are targeted more than Macs because Macs don't have the market share to make an attack easy or worthwhile. But isn't that a legitimate feature to take into consideration when choosing an OS?
No OS is absolutely more secure than others. there are risks and those risks have to be weighed.
Aren't there many more unix and linux servers out there than windows servers? So what would be the results per capita. If 'they' were to get 'their' data from a specific number of professionally maintained Linux and Windows servers and then calculated the percentage of Linux servers cracked and the percentage of windows servers cracked, that would be some real data to look at. The survey at is for the most part useless.
If I wanted easy I wouldn't be an engineer or a patriot.
Home Office security testing. I mean let's assume the person installing linux is smart enough just not to install the server portion of the distro or maybe they have one that doesn't have one like Xandros. They do a default install of that. and they do a default install of windows. Which one's more insecure? The answer would be clear. Windows would get trashed easily with all sorts of malware (my friend contracted 400 pieces of malware over a period of two months after he plugged his new compaq from best buy into his high speed internet) Now contrast that with linux and nothing would happen. In fact, the only way theoretically he would have to worry is if he pissed off some hacker, since there's no way he could just contract malware automatically.
This study was rigged. They discounted all the recent trojans, viruses, other windows exploits . . . then failed to normalise their data on the number of machines using the OS. I might be the only one running OS-X Server for all I know . . . of course it's going to be a lower number of attacks.
--Tsiangkun
A lot of software is shared between BSD and Linux installations. Stuff like sendmail (qmail, postfix, ...), apache, bind, etc... is exactly the same on both OSes. Most security breaches involve a buffer overrun in one of these server programs. So obviously, Linux and BSD systems should be equally vulnerable (or safe) w.r.t. remote exploits...
As many have pointed out in other threads, the ratio of competent/incompetent Linux admins is higher than the competent/incompetent BSD admins ratio. This is sad, but true. It is not because Linux is bad or hard to manage, it's simply because Linux is much more popular than BSD. Newbie admins will seldom start with BSD, so they make their mistakes on Linux boxes first. Some of them may grow up tired of all the different idiosyncrasies of Linux distros, and try BSD. A few may even like it and stick to it. But the point here is that your average BSD admin is already experienced with Linux systems, whereas the bulk of Linux admins won't.
Linux or BSD are both great systems, but they can be really dangerous in the hands of the inexperienced.
DISCLAIMER: I'm a senior FreeBSD sysadmin since 2.0, but I'm also managing a farm of misc. Linux variants since kernel 0.99 in high risk secure environments. I like both systems very much, so I tend to dislike stupid over-generalizations a la BSD is more secure than Linux (even if it is true, for the reasons explained above).
cpghost at Cordula's Web.
Basically, they are deliberately sacrificing security for ease of use. Same as Microsoft.
There's no reason Linux can't be highly secure, except that it'll be a pain in the arse to add services like FTP, web etc. But after a default install, look, Apache is already running, FTP, telnet, rsh, etc etc is enabled, sendmail routes mail from anyone. All so that some numpty can drop a CD into a drive and it all just magically installs and works.
So instead of it taking effort to make Linux work, it takes effort to make Linux secure.
Government of the people, by corporate executives, for corporate profits.
After reading what these people have posted in the past, I don't think I'm going to pay too much attention to the report. Throwing out terms like "5th dimension defense" and "counter-attack fore" and suggesting the ENTIRE Internet be shut down in preparation for an attack that never materialized on 9/11/02 really cast doubts on the group's intelligence. One has to wonder what kind of credentials these people hold. If they're like most tech consultant groups, probably degrees in the liberal arts. I mean, did a single person in the group point out to these people that shutting down the Internet would be very close to impossible and even if they did the damage would probably be higher than anything hackers can do themselves? Do these guys even understand the Internet? Or are they just a bunch of managers who can only attach big marketing buzz words to it? Do they not understand that the Internet is NOT homogenous? To them, the Internet is like an appliance. The Internet needs to stay UP if an attack occurs so people can communicate and coordinate a response. Can you imagine if the Internet was down while a new worm is spreading? How else are we going to get updates? Where will we go to get answers? That was just the dumbest thing any consultant group has ever said. It would have been obvious to anyone who has some kind of understanding of the Internet that it was a dumb suggestion. Therefore, I really doubt the experience and credentials of the group.
EvilCON - Made Famous by
Don't be ridiculous. All my boxes are patched; Linux, BSD and Windows. Now....I spend significantly more time keeping the Windows ones safe. And I have had many more security breaches on Windows (4) than on Linux (0) or FreeBSD (0). And most of my services are on Linux.
But the point here, that most folks do at least seem to recognize, is that the reason I have to worry about the Windows machines so much doesn't have anything to do with a "real" hacker actually "attacking" me. That's what I worry about on the Linux boxes, and just a bit on the BSD one (there are actually a really high concentration of FreeBSD boxes on the network that machine is in, so it is a bit more inviting a target than normal). On the Windows machine I just lose sleep all the time over script-kiddies and worms.
After all...why would anyone expend their 31337 h4X0r skills on some Windows box, when there are a dozen easy point-click-backdoor attacks available? No, anybody who wants to spend real energy taking over systems will point at something more impressive.
...not that this means you don't have to patch your box. But all major distros these days make that really painless. Or at least a lot less painful than Windows.
Given a choice between free speech and free beer, most people will take the beer.
internet explorer
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
We are 100% Macintosh on the desktop because I can then spend time on billable hour projects, not internal stuff. But generally speaking, I really just like how BSD, especially the ports system, is organized and managed. Linux has always been scatterbrained with more distros than you can count, whereas I like the core development teams in both Free & Open BSD.
When I used to run an online browser-based game system, we often had more people trying to beat the system than the game. Led to problems under Linux and since it was a hobby site that I maintained on my spare time, I didn't have time to mess with keeping everything 100% up to date. So I set the game up again on an OpenBSD platform. Sure it didn't scale as well, but had no successful breaches from the script kiddies.
Now that I work as a consultant with small and medium sized companies in this area, security has become a staple of my business. Most of my work is in Policy advising because we still see a lot of network breaches, a vast majority, having some kind of internal procedure issue. Aka, someone calls saying they are from branch y and forgot a password and someone gives it to them or a disgruntled employee sells information to a competitor. Or worse yet, employee fired/let go and no one removes access to the system until after they're gone if at all. I have seen some companies that still have user accounts for people that haven't worked there in over 3 years.
Still these are mainly small businesses with less than 10 people that are in real estate or some service business where they might have a website, POS, Email, MS Office, and Quickbooks more than larger companies that have an actual IT guy or department (even then...I am amazed at the total lack of intelligence of some of the people with MSCE at the end of their business cards)
Still, the biggest threats are coming not on the server side, but client side with viruses and trojans galore. It's the average joe blow that opens every attachment they are sent that causes the bulk of problems from my perspective.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Another interesting fact about the survey (if you have good eyes, you can look it up here):
about 13.000 of the attacks analysed were conducted by Brazilian hacker groups. Makes me wonder how this correlates with the number of attacks on Linux systems (about 13.000)... and why the heck Brazil is the source of more than 75% of the hacks surveyed.
What about EROS? Or KeyKOS? Were they excluded from the study for some reason? Using only a few other possibilities to compare with, I could be the world's prettiest and smartest man as well...
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Hmmm, how do I mod the original poster as 'troll'?
-Howard Dean
Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's like YELLING.
After throwing out 98% of all Windows attacks, Windows was proven safer than Linux, with 1/8 the number of breaches.
...good one, Guys.
Given a choice between free speech and free beer, most people will take the beer.
Security is a multi level process. No OS in the world will make your server secure if you are using weak passwords, haven't installed any updates, etc.
While the multi-user nature of Unix makes locking things down a bit easier, it's also up to the admin of the machine to make sure things are set up securely, and stay that way.
Great, yet another brain-damaged research that considers Linux an OS, and talks as if all Linux distributions were identical in terms of out-of-the-box security and ease of applying security updates. Hell, if we ever asked those morons what Linux distro they used to compute their Linux results, I bet they would say "uh... Linux 9.0 ?"
Give the SCO and Microsoft people something to use against us Linux users.
Maybe this was an article that shouldn't have been posted here at /.
---
IMHO, of course.
May the SOURCE be with you.
Sorry you can't just make up things and state them as fact. Since we're talking about desktop users let me make a point that is at least somewhat based on fact. Since Windows desktop users outnumber Linux users by at least 25 to 1 factor I'd propose that because of the sheer number of Windows users even if a small percentage of them run web servers they dwarf the number of Linux desktop users who do such. The number of Windows users who really know Windows as opposed to the number of Linux users who really know Linux isn't even in the same ballpark. This isn't 1995 and Windows users aren't a bunch of computer neophytes anymore. As you stated linux users "are likely to know a few things about proper server security."
"Windows users are less likely to run a web server, simply because they're not as eager to play with their system as Linux users"
That's simply not true. Windows users are curious about their computers just like linux users. I assume you've never been an admin then? Because if you had you'd realize that Windows users are more than capable of totally screwing up their systems and often run software which acts as a server without even knowing it. Remember most Windows users run as administrator.
"What I want to know is the percentage of professionally installed and maintained servers that was actually vulnerable."
It should be close to equal. A properly secured Windows box is just as secure as a properly secured Linux box. Security is in the process not the OS.
If you wanna get rich, you know that payback is a bitch
What they didn't tell you is the decline in successful intrusions can be attributed to the fact that most of the servers were down because of the latest virii attacks.
Something intelligent here.
You are as safe as you make your server/system to be. If you don't patch you will get hacked and will not be safe. Same goes with windows, linux, Anything. Unless you have your own OS that doesn't have patches :P. Can't stress how stupid it is NOT to put up a firewall blocking ports you really don't need open. Anything out of the box and kept at that evil "default" setting is bound to get h4x0r'd (hehe)
Here I go burning Karma again... Since we can't know the full details of this report unless one of us actually buys it, it is probably pointless to speculate on their methods. However... if you assume they didn't try to stack and that the following is more or less true:
* that most of these 17,074 were web servers
* that all or most of these servers were production boxes (worthy of being investigated after a break-in)
* that at least 20% of these were running Windows/IIS (Netcraft
then all things being equal, there SHOULD have been at least 3400 Windows break-ins. Since there were about 2005 successful Windows attacks, MS and Windows admins must be doing something right. Many Windows admins ensure their boxes are patched. They follow NTBugTraq. They run lockdown tools or subscribe to security monitoring services. They are aware of potential breaches and most importantly THEY ARE NOT AS ARROGANT AND SMUG as some of their Linux counterparts.
Mmmm -- nothing like the sweet smell of Karma burning on a cold February afternoon!
Is this sig nificant?
"In a statement, Mi2g said that the company is in touch with Microsoft at a senior level and that the two companies are working together to deal with the issue of vulnerability counting." And what do we hear? Windows vulnerabilities went down and Linux ones went up! right...
Now that Linux is running with the big boys I hear a lot of throat clearing. What happened to being more secure? Worms were discounted because the study was based on one hacker, one server, not a script kiddie writing an automated bot designed to attack everyone's home machine. This was about servers, not workstations. Looks like Linux is in the same boat Microsoft was in with 2000/XP, namely everyone and their mother is setting up Linux servers. Linux was never more or less secure than Microsoft. Its "security" was based on its obscurity. Now that installations abound, however, the Linux community is having their work scrutinized and put to the test. Sorry boys, the easier you make it to use, the more people will try to hack it. Goes with the territory. Just ask Microsoft =]
End of Line.
The developers of the 2.6.x line and the folks managing the various distros need to start auditing and hardening (and while you're at it, standardizing). Simple (ha!). Just a question of priorities.
You know why there's more overt hacking of Linux boxes than BSD boxes. Because there are far less BSD boxes out there to be hacked.
You know why there's far more Linux boxes that are being overtly hacked than windows? Because if you are a hacker, what the hell are you going to do with a Windows box? It's just not as interesting or powerful to remotely control a windows box.
I'm not a hacker, but if I was one, I would not waste my time on trying to 0wn windows boxes. I'd go after Linux boxes. Not because they are easier to breach, but because they are more fun to play with when you do.
This sig has been temporarily disconnected or is no longer in service
The truly funny thing here is that Mi2g is a security firm that runs Linux and sells services for Linux, but reports that Linux is the worst of the bunch. Hummmmmmm.
I suspect that shortly they will be reporting that Linux is more loaded with Viruses than Windows, to be followed with their new anti-viral software.
I prefer the "u" in honour as it seems to be missing these days.
Posting the story here gets Slashdot added to the cluster of international stories that appear on Google News and provide a way for debunking to reach outside our little community of line noise detectors.
Still, it's annoying.
-- @rjamestaylor on Ello
Don't forget, they're also only counting Overt attacks, I.E. Verified ones... ones that leave a trace. It could very well be that all of those windows or OSX boxes were at some point Owned, but that the attack was so successful as to not leave a trace. It also requires "modification to any of its publicly visible components whilst executing...data attacks... [or] command and control attacks."
They also don't list their methodology, which I find disturbing. Out of 17k successful, caught, non-automatic hacks, x were against these systems. However, they don't say where those 17k come from, and don't put it in the perspective of the percentage of those systems in use. If you go to their homepage, they list something called a SIPS (Security Intelligence Products and Systems) System. This data comes from "Personal Relationships at CEO, CFO, CIO, CISO level within the banking, insurance, and reinsurance industry... monitoring hacker bulletin boards... and anonymous communication channels." That's a pretty unscientific pool to be pulling data from. Essentially, you're talking about hacks that were either reported by friends in high places, friends in low places, or bragged about by hackers on publicly accessible bbses.
So if you want to take the survey methodology seriously, then the survey proves beyond a shadow of a doubt that Linux has more non-automated attacks involving changing publicly accessible interfaces that were caught and reported by friends to mi2g.
The ______ Agenda
More Californians got cancer this year than Rhode Islanders.
How exactly does a third party determine (a) that there has been an attack on a server, (b) that the attack was successful, and (c) the OS of the server that was attacked? The only way I could see getting this information is from people filing reports about their server when it is attacked. Likewise, in parts of the study this mi2g group quantizes exactly how many attacks certain 'hacker groups' made during the last month. I'm sure the cracker underground is just jumping at the opportunity to tell mi2g every time they compromise a server. I could see possibly establishing relationships with companies so they file reports whenever their server is compromised, but claiming they know how many attacks a given hacker group performs each month completely destroys any credibility they have in my mind.
Welcome to OpenBSD: The proactively secure Unix-like operating system.
- The only reason Slashdot should have posted this story is that this crock of line noise is that other media...
Wow. Brain rot has set in from reading mi2g press releases this morning.--
I would like to see the numbers regarding how many of each OS was tested. Also Linux CAN BE more secure than Winblows and the other OS's mentioned. If you put a Monkey behind a Linux box as a sysadmin, it can be the most dangerous situation since leaving your child with Michael Jackson. Windows was designed to be used by monkeys. A Linux box is only as secure as the geek behind it. Eric www.linuxstolescocode.com
Has anyone noticed that 'servers running on MAC-OS' article is from MACWORLD.co.uk...
I'm probably already redundant but mi2g is a con shop. How many facts in that story?
1. They failed to mention that these are REPORTED breaches. Most organizations do not report breaches.
2. They did not normalize against the sample population for each OS, but simply reported raw numbers. Statistical crap.
3. No categorization of breach types. (root, user, etc.)
4. From what sources were their data derived?
In short, this "report" is bullshit and tells nothing of interest.
"Computers are useless. They can only give you answers."
-- Pablo Picasso
So, do they just want to throw stones, or are they interested in helping fix the problems? Are they willing to give detailed hack info to kernel maintainers, and appropriate service program developers?
For myself, I would rather see them help the underlying problems than deal with flame wars dealing with subtleties in the statistics.
In the survey, not a single breach of security occurred in mission-critical systems running Microsoft's Windows Longhorn Server.
Does anyone find it strange that you can't view the specifications of the ''test''? You have to buy it.
2005...That's like the number of windows servers on the net?
I take the bullshit option for 200, mike.
Yet another sickening blow has struck what's left of the *BSD community, as a soon-to-be-released report by an independent commission doing a year-long study concludes: *BSD is dead and mummified. Here are some of the commission's findings:
Fact: the *BSDs have balkanized yet again. There are now no less than twelve separate, competing *BSD projects, each of which has introduced fundamental incompatibilities with the other *BSDs, and frequently with Unix standards. Average number of developers in each project: fewer than five. Average number of users per project: there are no definitive numbers, but reports show that all projects are on the decline.
Fact: *BSD has no support from the media. Number of Linux magazines available at bookstores: 5 (Linux Journal, Linux World, Linux Developer, Linux Format, Linux User). Number of available *BSD magazines: 0. Current count of Linux-oriented technical books: 1071. Current count of *BSD books: 6.
Fact: XFree86 is dropping support for *BSD. The remaining core group believes that the *BSDs have strayed too far from Unix standards and have become too difficult to support along with Linux and Solaris x86. "It's too much trouble," said one anonymous developer. "If they want to make their own standards, let them do the porting for us."
Fact: Many user-level applications will no longer work under *BSD, and no one is working to change this. The GIMP, a Photoshop-like application, has not worked at all under *BSD since version 1.1 (sorry, too much trouble for such a small base, developers have said). OpenOffice, a Microsoft Office clone, has never worked under *BSD and never will. ("Why would we bother?" said developer Steven Andrews, an OpenOffice team lead.)
Fact: servers running OpenBSD, which claims to focus on security, are frequently compromised. According to Jim Markham, editor of the online security forum SecurityWatch, the few OpenBSD servers that exist on the internet have become a joke among the hacker community. "They make a game out of it," he says. "(OpenBSD leader) Theo [de Raadt] will scramble to make a new patch to fix one problem, and they've already compromised a bunch of boxes with a different exploit."
Fact: NetBSD, which claims to focus on portability (whatever that is supposed to mean), is slow, and cannot take advantage of multiple CPUs. "That about drove the last nail in the coffin for BSD use here," said Michael Curry, CTO of Amazon.com. "We took our NetBSD boxes out to the backyard and shot them in the head. We're much happier running Linux."
Fact: There are almost no FreeBSD developers left, and its use, according to Netcraft, is down to a sadly crippled
Fact: DragonflyBSD, yet another offshoot of the beleaguered FreeBSD "project", is already collapsing under the weight of internal power struggles and in-fighting. "They haven't done a single decent release," notes Mark Baron, an industry watcher and columnist. "Their mailing lists read like an online version of a Jerry Springer episode, complete with food fights, swearing, name-calling, and chair-throwing." Netcraft reports that DragonflyBSD is run on exactly 0% of internet servers.
With these incontrovertible facts staring (what's left of) the *BSD community in the face, they can only draw one conclusion: *BSD is dead and mummified.
This article does nothing to differentiate between vulnerabilities of the OS and vulnerabilities of applications.
OpenBSD is secure by default, you have to open ports for services. Windows requires you to run around closing all of the vulnerabilities in the default install and pray you got all of them.
> Windows users are less likely to run a webserver,
> simply because they're not as eager to play with
> their system as Linux users. Therefore there
> will be less insecure Windows servers. The same
> goes for Mac-OS users.
The study was talking about servers. So your comment about Windows users being less likely to run a webserver makes no sense whatsoever. In terms of the study, they are every bit as likely to be running a webserver.
Linux users have to face the facts when addressing this matter and not bury their heads in the sand. There are any number of Linux users who don't even know what inetd and tcpwrappers are let alone bugtraq and cert or how to upgrade their systems and keep them secure or how to write PHP scripts with bounds checking.
Until that changes Linux boxes are going to continue to be broken into wholesale.
The reaction to this story on here reminds me of when Apache and IIS were put head to head in some study and there was wholesale denial that IIS could outperform Apache. The Apache team recognised there was a problem though and set about improving their software. This is what Linux users have to do now.
Whilst the study may be flawed and the company that did it may have an agenda, 13000+ Linux break-ins in a year should be serious cause for concern.
Folks, please face the facts even if they are unpleasant and improve the software and more importantly improve the education of the user base.
The Machine stops.
I was surprised to see CowboyNeal as the poster. If it were Taco or Timothy, I would assume that this is a dupe. This is more Michael's style. Post a troll article. Comment in the discussion. Mod dissent down. Lather. Rinse. Repeat.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
Really now, unless you found a bug in Linux in the last year or two why not shut your pie hole? You have no opinion that counts. You cannot write exploit code, you borrow it.
Oh yeah, well I admin this and that. So fucking what? You don't hack. Plain and simple. You don't know how except for what others publish.
Slashdot, meaning 99% of you, shut the fuck up.
Security is so meaningless nowadays when people like you spout such nonsense about it.
Unless something is done to increase the reliability of all Linux distros out of the box, and improve updating technologies for the future stoopud human Linux user... the ultimate downfall of Linux, will be Linux!
Microsoft isn't stupid, they recognized this same situation for Windows and are doing something about it.
Did anyone bother to Netcraft www.mi2g.net?
Apache/1.3.28 (Unix) FrontPage/5.0.2.2510 on Linux
This story doesn't bother me, whether it's fair or not.
My current home computer environment consists primarily of a soft Linux and Windows "core" contained within a tough BSD shell.
The exterior shell currently consists of an OpenBSD firewall/NAT router/DHCP server, with the internal network containing a couple of Red Hat and Debian boxes, plus a Windows 98SE laptop. That means I have lots of flexibility and choice with user applications, along with some peace of mind when it comes to network security. I get the best of both worlds. I've been pairing BSD and Linux systems since day one. I think it's a fantastic combination. So much so that, in the interests of learning more about *NIX (just a casual hobby), I'm slowly switching to an even more diverse environment. I'm going to remove the simple OpenBSD firewall/router and replace it with an OpenBSD firewall/bridge, with a second BSD system acting as a dedicated NAT router/DHCP server. At some point in the future I'll add a Macintosh system, a Windows XP media-oriented system, and if I'm feeling extra keen to learn (and possibly paranoid), a honeypot. None of this is a big deal for me space-wise because I invested in a single, 4 post rack that keeps most of the computers out of the way, in one location. None of this is a big deal for me cash-wise because it'll all run on used or otherwise obsolete hardware (even the Mac will be a used one - no way I could afford one new). And none of this is a big deal for me time-wise because I just toy with this stuff slowly, usually taking months to complete a goal because I just string together the occasional couple of hours of free time.
Anyway, I'm really going off on a tangent. Here's my conclusion: BSD and Linux are both fantastic OSes, no matter what some cash-oriented research group says. But blended together with each fulfilling a role they happen to be good at, they are truly awesome. How many times has it been said here on Slashdot that homogeneity is not a good thing?
Whoever designed level 61 in Frozen Bubble is a sadistic bastard.
Has anybody paid for the full results? I'm curious to know exactly how much information the study really includes.
I run 1 Windows box and 2 Linux boxes at home after finally getting frustrated with FreeBSD myself. I want to believe that my primary Linux box is secure (since I know how insecure my Windows box and second Linux box are.) I used to use FreeBSD but became frustrated trying to get software that wasn't ported to work.
I'm no security guru though I make the attempt to make sure my own box is not too terribly tempting. What worries me is that potentially sophisticated attacks could make mincemeat of my machine and I wouldn't know enough to prevent it.
Numbers are valuable, context is invaluable. I have numbers, give me context.
B) Eliminate all the stupid users. This is frowned upon by society.
I have had 10 years of statistics. It is not scientific to dump such a conclusion when they've set their 'research' up in the way they did.
It's really a nasty one. By the way - who FUNDED the research? Billy may once again be reverting to FUDling around... naughty boy...
It is time to stop the religious flame wars about "my OS is more secure than your OS".
We all know Windows has bugs, because people revel in revealing Microsoft's weaknesses. Hackers love to attack Windows because it is ubiquitous and so it is also the most attacked.
What this report points out, with all its flaws, is that the Linux system has problems too. Linux supporters have turned a blind eye to this and have loudly trumpeted Linux as secure, while Windows is not. This simply wasn't true, but made Linux supporters feel good about themselves. And even if it is a bit better, that isn't the point.
There will be bugs in Linux and Windows and other OS'es as long as new development continues. Further, as long as humans administer the boxes, admins will do silly things and create vulnerabilities.
AmigaDOS. There have been exactly 0 attacks on an Amiga-based server. Long live the world's safest server OS.
What does this study actually prove?
Nothing we didn't already know. Regardless of its conclusions, it's useless for anything but an excuse to argue and troll about the same points as always.
This "report" is useless on the surface, but it is good information on how the enemy is working to attack us. This report explicitly excludes viruses and worms. That and taking into account the dearth of quality *NIX SysAdmins running the Linux boxes it would be ridiculous to think that these numbers weren't correct. You can make any numbers look any way you want within any arbitrary parms you like to use. We, the community, need to understand how they are juggling the numbers in order to properly and effectively combat it.
--
If I actually could spell I'd have spelled it right in the first place.
Just one bit that I'd say this is not quite on the mark in this closing statement: Windows makes it easy to patch a machine for the consumer, one box at a time; they make it easy for corporate customers with tools that can push updates onto boxes (although the required reboots are an issue unto themselves). Please correct me if I'm wrong, but I'd venture a guess that the issue is that you don't have these tools because they cost money that isn't easy to justify for the number of Windows servers you have.
The major problem as I see it is exactly what another poster stated -- that vulnerabilities may exist for months before a patch becomes available from Microsoft, and we may not be informed of them in a timely manner. The sheer number of ways that a Windows machine may be vulnerable for variable periods of time seems to me to be orders of magnitude greater than any Open Source package or the Linux kernel itself.
The ease of patching vs. the costs of doing so is a very valid reason (among many, obviously) for choosing one operating system over another. But to me it's far more important to know when a vulnerability exists and when a patch will be available. Windows loses in this regard, hands down.
Disclaimer: IANASBIPTBOOS
- Leo
You don't use science to show that you're right, you use science to become right.
Let's look a bit at the article. If you look at the FAQ link, after "Executive Summary" ( http://www.mi2g.net/cgi/mi2g/press/faq.pdf )
1. mi2g notes that hackers they anonymously interviewed preferred attacking Linux systems, NOT because they're inherently less secure - but because of configuration errors that run rampant from poor sysadmining.
1b. Unfortunately, this immediately invalidates any analysis of the security of the actual operating systems. Not to be redundant, but the system is only as good as the administrator.
2. I don't know where I saw someone ask this, but if you look at section two: "Multiple website attacks resulting from a single system breach" do actually count as many. For instance: if foo.com and bar.com are being hosted off the same server, and that server is breached, they count it as two attacks. Their reasoning is that from an insurance perspective, the industry is shelling out twice as many bucks they would've if it had only been a single page.
====
Okay. This article tells us one thing: Linux systems breached are simply victims of poor sysadmining. This should spur us on to do one thing. LEARN.
Shoot, if you're doing this informally, then get a good friend and learn to hack linux systems together; spend spare time hacking each other's systems. If you're doing this professionally, then *learn*. Readreadread. Patch. Patch. Read some more. Patch again. Retouch the basics; shut down unneeded services; configure permissions correctly. Go drop a hundred bucks at Barnes and Noble and buy a 12 pound book on Linux sysadmining. Or security. Above all, no matter how you do it, or even on what platform you do it...
Learn.
'If you're flammable and have legs, you are never blocking a fire exit.'
Why would anyone want to crack a Windows box? It'd be completely useless to you.
Except to send spam...
Holds zealous connotations as well, but I think it's slightly more neutral than your new favorite :).
668.5
This study committed the worst type of selection error: selection on the dependent variable. In this study (or at least in the article's description) the dependent variable is successful penetration. The value of this variable is 1 (ie yes) in every case. Therefore, the dependent variable doesn't vary. Now the independent variable (type of OS on target system) does vary, but unless the dataset includes unsuccessful penetrations (or transforms the dependent variable into a comparative measure based on average penetrations per OS/server) absolutely nothing of value can be learned. This is research design 101, folks: variables need to vary.
Make cheese not war 8:)
The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers.
Let's assume for a moment that these figures are not generated in the usual mi2g fashion - extracted from dark smelly places - and are indeed true. The conclusion is not - "Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Windows-based servers have fallen for the last ten months."
IN THE LAST TEN MONTHS, if these figures are to be believed, 13,654 Linux servers were compromised by a maximum of 13,654 crackers. But, does that make Linux "the most breached online server OS..."? Hardly. Unless one wants to slant the real world to favor Microsoft as the most secure OS during the last 10 months one has to ask "By any method during that same 10 month period, how many online Windows servers were breached?" The answer rises into the millions. So, in terms of security it's 13,000 versus, what?, 13 MILLION, using mi2g's methodsfigure extraction. During that 10 month period please list below the number of successful virus attacks against Linux servers.... What was that? Zero you say? Right!
Knowing that the only way to successfully break into a Linux box is by human intervention, one also has to ask why a cracker would waste time cracking Windows boxes one-on-one when a simple virus could multiply their efforts a millionfold...
Running with Linux for over 20 years!
"The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers."
Hackers don't do Windows: it's just too easy; BSDs are viewed more as trophies than anything useful; and Linux is the most popular of the alternative OS, and one very used by the common hacker, so it makes sense that they target it more frequently.
My point: it's not the OS fault for these statistics, it's the common hacker mentality; if they included viruses and worms, Windows would surely come first, because it is, technically at least, the less secure OS of them all.
(yes, yes, not all blackhats use Linux, and it isn't just blackhats that use Linux, but I'm talking about the hacking/cracking/defacing/whatever you want to call it community in general)
"You should never doubt what nobody is sure about." -- Willy Wonka
I'm really curious as to where OpenVMS was on that list, especially given the statistical method used.
:)
The main flaw with the method in this test - that they measured total attacks, not proportional attacks - should not be forgotten. Saying that there were zero successful attacks against FreeBSD means nothing if you have zero FreeBSD machines in your network.
Now, by that logic, I have a) never seen an OpenVMS machine successfully cracked in the last ten years and b) I doubt there are many there. I'd love to see the statistics...
Oh, and VMS and BSD are badass OSes.
...but it's being eaten...by some...Linux or something...
They should post percentages, because if I make an operating system "ALIOS" and it is only run on 10 computers and all 10 are cracked, the survey would still put me as one of the safest because only 10 servers were cracked. In other words this is bullspit.
For The Best Jazz/Hip-hop fusion > COlD DUCK
Linux is touted as being secure "out of the box."
So what do people do? They install it, throw it directly on the line and assume it's secure "out of the box." So they don't worry about it.
I know Windows isn't secure. There's no way in hell I'm putting ANY OS directly on the line. I run a hardware firewall between every computer and the outside. Very few ports are open and I know exactly what's running on each of those ports.
For my IcarusIndie.com server it's logged in as an Administrator 24/7 365 days a year. Guess how many times it's been hacked?
Once someone erased all the usernames and passwords out of MySQL. They did it through a PHP page that uses MySQL. Nothing was actually damaged because they couldn't get anywhere. There is no way to remotely connect to MySQL. It's pretty lame that a semicolon can allow arbitrary commands to be issued to MySQL. And yes I'm running the latest version.
Another time someone I know decided to demonstrate a nearly server crashing bug GuildFTPd has. I updated to the latest version that claimed to have fixed the problem (ignoring your settings for not allowing more than X connections from a single IP) and it wasn't actually fixed. I now run BulletProof FTP server and it isn't affected by that DoS bug and has no known remote exploits.
I also run WinVNC. Except it's modified to use a whitelist. Only when you connect with given IPs do you even get the password prompt. And there's no way to remotely change the IP list unless you already have a whitelisted IP. So when my Cox IP changes I have to go down to the ISP to get physical access to update the whitelist.
No one has ever managed to hack Windows. Even though I'm running as "root." Only some very flaky software handling the above mentioned hacked services. But they've never managed to cause any real damage.
My web-site has been running logged in as Admin for going on 4 years. That's a very stellar record. And not hard to achieve if you're not blinded by propaganda. I even ran my server on WinME to start with and never got hacked.
It's an attitude problem. Not a hardware or software problem if your systems are being hacked into.
Ben
Work Safe Porn
Don't worry, they're not any more. Last years' accounts showed a 90% drop in turnover and a 99% drop in profit.
Of course, their turnover went 400, 7000, 9000, 600 ('000s) in the last four years (the only reporting years). ouch, their highest paid director got 400K last year.
bb
I look at it like this.
If someone readily admits they know squat about computers (and, at the same time, doesn't want to know squat), then they're going to run Windows.
If someone genuinely is a h4X0r g0d, they'll probably pick Linux or BSD.
If someone THINKS they're a h4X0r g0d they will also choose Linux or BSD.
Even if we grant the assumption that 90% of the truly talented computer people run Linux - I'll bet that there are ten times more wanna-be High School kids who have no real clue what they're doing who just run Linux because they're wanna-bes.
Which is not to say that this is a bad thing - everyone has to start somewhere - but an incompetent sysadmin who doesn't recognize that he's incompetent will have the most insecure system - regardless of the OS. I strongly suspect this accounts for most, if not all, of the BSD and Linux hacks.
...Also, I didn't know Buggalo could fly.
just look at all you linux losers, bemoaning your tarnished nerdiness. these "results" are not surprising. your kernel is bloated, your code the result of inferior hackers. "bsd is dead, bsd is dead," said the mayonnaised-faced linux nerd.
haha, hehe
funny seeing this kind of article...
as I recall, windows has been slammed with more junk and exploited in the past few months, how accurate is this survey?
are they counting from day one or the past year?
honestly to me, seeing this coming from a mac site, where most mac fanboys are heavily biased, and biased against whatever is going to be their next rival, it wouldnt surprise me if this article was a lie, though I bet the linux stats arent far off because there are so many n00bs that go over to linux, run a box, dont secure it because linux zealots tell them it's secure, giving them an impression that they dont have to do shit to secure it, or they run everything as root, and say "well, no one will hack me." it's the matter of the windows users who didnt secure windows, not securing linux, and running all the "cool" server stuff.
however, I question the merit of that study.
noting how linux recently topped apple's marketshare on the desktop front, now linux is a threat, and since it has muscle, why not make it look really bad compared to windows and "befriend" windows a bit in this study?
I'm theorizing, but I think more distros need to add firewalling security policies (ones a normal user can understand) and asked what kind of system they'll be running on the install (desktop and entertainment or server or both) on the more newbie friendly systems, not to mention they didnt name a specific distro, another classic case of someone not understanding linux. they assume it's just an operating system like windows or mac.
which distros did they look at or test? redhat? mandrake? systems that dont put good security up for a public server in the first place? (which most new users like using?)
gimme a damn break.
I wonder where SCO fits in all this, whether they counted it in the "Linux" category, or otherwise.
On a more serious note, these whole tests all suffer the same problem, widespread use does make all the craze about new exploits and such. Having less than 2% of servers running on OS X does kind of limit the amount of time one wants to try and crack it, since the person can't use the knowledge as much.
Mod me down, I've basically repeated what 10 other guys said.
Macs are only the most secure because nobody cares enough about breaking into them to find vulnerabilities.
"Yay, now I can, uhh, remotely run photoshop Blazingly Fast"
earlier this week. Explain that. I think a lot of info like this is either outdated or just plain wrong.
It's like saying...
"We ignored the recent crime wave, in which thousands of people were killed in AnyCity to conclude that AnyCity is in fact safer than the suburbs surrounding it, as those crimes were limited to breaking and entering."
Complete horseshit. How can you discount the use of worms? What this data says to me is that Windows machines are more vulnerable, period. Linux ranks second and BSD third. Linux might be more vulnerable to direct hacking attacks, but at the end of the day, who cares how your system got compromised, rather, that it was compromised at all.
A spokesperson for mi2g: "It is at our big surprise to find expensive cars having lost attractivity with thieves and smuggling rings. We are surprised about the huge number and therefore the high attractivity of middle-class cars on thieves. Why would a Porsche be the last car to be removed illegally from a parking lot ? We can only assume that the superior technical quality of contemporary cars made by Ford and GM surpasses that of a Porsche by a factor of almost 10. Or is it rather the value on the black market that is about 10 times higher for a car of the trusted local manufacturers compared to a - at times even smaller - vehicles of dubious origin ? We do hope to answer this question in our next publication; available in Q3 this year for 29.38 (including taxes)."
The usage patterns and target market/audience for these operating systems are very different.
There are huge variations in security between
- a Linux box set up by a novice student
- a Solaris system participating in a cluster serving a major consumer website
- a Mac OS X Server machine running stock network services for a graphic design firm
I'd like to hear more about how they accounted for these differences before I make up my mind.
org.slashdot.post.SignatureNotFoundException: ewg
Morons that have Outlook set up to automatically download and execute attachments
Outlook may be able to be tricked or taken advantage of to execute attachments. It may be bubble gummy and impossible to get to work and look the way you want. Overall, it may just suck like nothing has sucked before. However, I'm pretty sure there is no setting labeled, "Automatically download and run any executable I receive via e-mail."
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
And who wants to hack a Windows box? It's too easy, even a worm can do it
Not only that, if what they're watching is mostly Linux... I wonder which OS they'll see the most break-ins on?
I hereby place the above post in the public domain.
Whether the numbers were manipulated or not I find it interesting to hear all the posts down-playing Linux vulnerabilities. Sounds quite a bit like MS playing down their problems. Hopefully Linux developers take these numbers seriously because if I were in business it would tell me not to use Linux if I care about security and switch to BSD.
I love to see actual numbers, very helpful and often left out.
The problem here is we don't know what the underlying distribution of Linux, BSD and Windows boxes was. So, the fact that 13/17 of the cracked boxes were Linux and 2/17 were windows doesn't mean much if there were 100 Linux and only 3 Windows in the test population. Odds are my guesses are not correct however, it does present a problem with this article. Maybe not a half-truth but, perhaps an intentional omission.
L053R
FWIW the last time they published these numbers they used www.zone-h.org as the basis. That site tracks web site defacements only. I'm not totally sure of their methodology for counting virtual hosts (ie is a single box hacked counted as 1 or many site hacks) but I'm sure it's mentioned somewhere. Further zone-h is reliant on defacing groups to report their achievements.
So yeah.... It's a very selective subset of what the article attempts to purport that the data represents.
Your comparison isn't really fair in itself, either though.
The BSDs have some things which make even that shared software safer. For example, consider that the BSDs have lstrcpy/lstrcat, whereas GNU won't add it to the GNU libc. When you run Sendmail on a GNU/Linux box, it's using a macro to simulate these calls instead of actually using the safer routines.
They're also not as open to remote exploits as one another because they use different kernels and tools, which have different types and amounts of exploits. This will hold true even between the BSDs. Even Free Vs. Darwin will have differences that would make them less open to shared exploits.
Of course, the fact of the matter is every system is vulnerable to some degree. We should see this as a reason to start moving ALL the free OSes to better tools that don't leave them so open to attack, not just to try and dismiss it as meaningless line noise.
Go for it. Post it here. I'll run it and tell you if my machine crashes. This is only half a joke, because I don't believe you.
Note that the results shown in the MacWorld article are not normalised. In other words, they are the total number of attacks, not the number of attacks relative to the presence of each OS. Naturally, operating systems that power millions of web servers are more likely to suffer attacks than operating systems that power only a few thousand (or even hundreds).
It sounds very impressive that "the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004", but then you look at the number of government servers actually running OS X, and it becomes pretty clear why they weren't attacked. There are simply very few government servers running OS X (less than 3%).
So this "study" is a joke. I only wonder who commissioned it, Apple or Microsoft...?
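The objection raised in this comment and in several earlier ones (breach counts need a denominator, zero breaches on zero machines proves nothing, and one breached box hosting several sites is counted once per site), worked through as an added Python example that is not part of any poster's comment or of mi2g's study. Only the 13,654 and 2,005 counts come from the story summary; the install-base figures and the sample reports are constructed, so the output shows how the ranking depends on the denominator, not what the real rates were.

```python
from collections import defaultdict
from math import sqrt

# Successful-attack counts quoted in the story summary.
REPORTED_BREACHES = {"linux": 13654, "windows": 2005}

# CONSTRUCTED install base: servers of each OS that were exposed to attack.
# The page gives no such figures; these exist only to exercise the code.
ASSUMED_INSTALL_BASE = {"linux": 600_000, "windows": 80_000, "bsd": 0}

# CONSTRUCTED defacement reports: (server address, defaced site, OS).
SAMPLE_REPORTS = [
    ("192.0.2.10", "foo.com", "linux"),
    ("192.0.2.10", "bar.com", "linux"),      # same box as foo.com
    ("192.0.2.20", "example.org", "windows"),
]


def count_by_site(reports):
    """Count one attack per defaced site (the insurance-style counting)."""
    counts = defaultdict(int)
    for _server, _site, os_name in reports:
        counts[os_name] += 1
    return dict(counts)


def count_by_server(reports):
    """Count one attack per distinct breached server."""
    servers = defaultdict(set)
    for server, _site, os_name in reports:
        servers[os_name].add(server)
    return {os_name: len(found) for os_name, found in servers.items()}


def wilson_interval(breached, exposed, z=1.96):
    """95% Wilson score interval for the true breach rate."""
    if exposed <= 0:
        raise ValueError("no exposed machines: a rate cannot be estimated")
    if not 0 <= breached <= exposed:
        raise ValueError("breached must be between 0 and exposed")
    p = breached / exposed
    denom = 1 + z * z / exposed
    centre = (p + z * z / (2 * exposed)) / denom
    half = z * sqrt(p * (1 - p) / exposed + z * z / (4 * exposed ** 2)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def breach_rates(breaches, install_base):
    """Return {os: (rate, low, high)}; None where no rate can be computed."""
    rates = {}
    for os_name in sorted(set(breaches) | set(install_base)):
        exposed = install_base.get(os_name, 0)
        breached = breaches.get(os_name, 0)
        if exposed <= 0 or breached > exposed:
            rates[os_name] = None  # zero machines or inconsistent data
            continue
        low, high = wilson_interval(breached, exposed)
        rates[os_name] = (breached / exposed, low, high)
    return rates


def rank_by_count(breaches):
    """Most-breached first, using raw counts only."""
    return sorted(breaches, key=breaches.get, reverse=True)


def rank_by_rate(rates):
    """Most-breached first, using breaches per exposed server."""
    known = {name: value[0] for name, value in rates.items() if value}
    return sorted(known, key=known.get, reverse=True)


if __name__ == "__main__":
    print("per site:  ", count_by_site(SAMPLE_REPORTS))
    print("per server:", count_by_server(SAMPLE_REPORTS))
    rates = breach_rates(REPORTED_BREACHES, ASSUMED_INSTALL_BASE)
    for os_name, value in rates.items():
        if value is None:
            print(f"{os_name}: no denominator, rate unknown")
        else:
            rate, low, high = value
            print(f"{os_name}: {rate:.4%} (95% CI {low:.4%} to {high:.4%})")
    print("rank by count:", rank_by_count(REPORTED_BREACHES))
    print("rank by rate: ", rank_by_rate(rates))
    # Ten machines, none breached: the data still allow a high true rate.
    print("0 of 10 breached:", wilson_interval(0, 10))
```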
Of course we all know OS X servers aren't worth hacking. They're only used by cutting edge, heavily sponsored scientific institutions, sensitive government operations and advertising agencies.
:-)
Now why would a real hacker want to steal from those losers... where's the money, where's the challenge.
In the same vein it really surprised me that FreeBSD - an effort to make an extremely secure environment - is so secure.
I think, therefore I am...I think.
Look both ways before you cross the road.
Unqualified Liars
A lot of this might be due to many Linux distributions trying to be user-friendly with the default configuration leaving too many services running.
Some more reading (doesn't look like it was posted here yet)
http://www.attrition.org/errata/sec-co/mi2g-01.ht
Could it be that there are more Linux servers out there (as opposed to BSD or Windows)?
You can setup your daily cron jobs to automatically 'apt-get update && apt-get -y upgrade' in case of a debian system, that will update and upgrade (if there is a need to) your os and all your apps every single day.. no update utility can beat that!
Well, patch my systems and let the disk drives roll. Who'da thunk that being root on a system could present security risks?
Graham
Linux - Fast Pane Relief
Like hitting a wasp nest with a broom, listen to that angry buzz!
And right away a hundred attempts to defend linux with reasons that are just as pathetic as the reasons their enemies, the windows fanboys, would use had they been the worst in the survey.
The emperor has no clothes!
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
(Somebody has very likely already pointed this out but just in case) I don't believe linux is the most insecure. It's just that if the server-owner doesn't know what he/she's doing it's not exactly unlikely that a determined cracker can get in. Say what you want about Windows but it's easy to fill in the holes when a vulnerability is discovered, and people running linux without being an active community member probably don't hear of all vulnerabilities either. It would be interesting to see some statistics over how "insecure" different distros are too. For example Gentoo that almost has the ability to patch itself is probably not very high ranked on that list.
Obviously they weren't counting all the fucking automated attacks out there. I mean, a lot of those worms left machines as open proxies for spammers. If that's not an attack, I don't know what is.
autopr0n is like, down and stuff.
I run Apache under Win 95 - It's so easy to crack it's no fun so no one bothers.
Seriously though I'm glad the gist of the comments around here are "fun with statistics" and the like; that is certainly correct.
I haven't posted in so long, my sig is out of date.
This really doesn't surprise me. BSD's tend to be very secure by default, when the most popular Linux distro (RedHat) seems to strive for insecure defaults, and some other distros aren't much better. The problem isn't in Linux, it's the insecure packages that the distributors bundle up and turn on by default.
Really. If Linux distributions would turn services off by default, and leave it up to the user to turn them on, I honestly believe that the successful attacks against Linux would be cut by at least 50%. And if they'd get away from the "classically insecure" daemons, I believe you'd cut the rate much, much farther.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
1. the tests are biased/flawed/unfair... yeah bush probably had it fixed..
2. I would hate for this to get out, it's been easy to pretend that it is a non-issue. There are no security concerns for linux. Har har.
3. This will always be an issue as long as WE don't work together to fix it, and that requires a little bit of a better attitude. There are issues.
4. I am sure some GNurus don't want the word out, it is much easier to fiddle with others' computers when they don't know you're doing it.
Jeoin
Using GNU Octave http://www.octave.org,
decode.m:
function decode (b)
for i = 1:length(b)
printf("%s",char(bin2dec(num2str(b(i)))));
endfor
printf("\n");
endfunction
octave:1> decode ([01100111 01101111 01110100 00100000 01110011 01101001 01100111 00111111])
got sig?
octave:2> decode ([01101110 01101111 00101100 00100000 01101001 00100000 01100100 01101111 01101110 00100111 01110100 00100000 01101000 01100001 01110110 01100101 00100000 01100001 00100000 01110011 01101001 01100111])
no, i don't have a sig
flossie
Write now. Defend liberty
"UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising."
Note that the press release is not the "results" -- they only released a teaser in the hope that someone will purchase their research. Unless you pay for the study, there is almost nothing to be said about it. However, if you must speculate, please don't lump the millions of consumers running unpatched Windows desktops with professionals running patched, firewalled, locked-down Windows servers. I presume the breaches they analyzed were actual cases of information theft, defacement, etc -- not unwitting nodes in the distributed Win98/XP SPAM cluster.
Is this sig nificant?
I've been using Slackware since version 1, so don't think this is just another anti-Linux comment.
"Total domination is bad. The Microsoft dominance already badly misled people about how to choose systems. Instead of 'what tool do I use for the job' it's 'well it was shipped with the box'. Linux is a tool, Windows is a tool and so are numerous other systems. It's really important people go back to looking for the right tool for the job. That will never always be Linux. No single tool can do everything well." Alan Cox
Having once been a Linux user and now a convert to BSD, why exactly is this surprising to anyone but the Linux zealots? As someone who is security conscious, it's a no brainer that BSD is the place to be for security, reliability, and stability. BSD is designed, engineered, and tightly managed, whereas Linux is grown. clue_bat.apply(linux_users)
-- Sean Chittenden
Surely something like sobig or mydoom counts as a successful attack, right? Do these attacks have to be performed by an actual person sitting at a desk with a hex editor, or can somebody write a program that attacks a computer, and then uses that computer to attack other computers?
Judging by the low numbers for Windows, I'd say the study was looking for the kind of attack they show in the movies - you know, big red letters that say "ACCESS DENIED to FEDERAL BANK ACCOUNTS" or "ACCESS GRANTED - HERE IS THE PRESIDENT'S BANK ACCOUNT" and the server room is protected with swiveling lasers.
So I guess what I'm saying is, the study's view of an attack seems to have missed out a crucial segment, namely the worms that are now successful enough to combine the forces of infected machines to attack multinational corporations.
I really hate signatures, but go to my website.
It's even easier on Fedora: Just type "chkconfig yum on," (and "service yum start" to start it right away) and the machine will update automatically every night. It avoids kernel updates, as far as I know, but that's it.
:)
Ok, it's not much easier, but it's easier.
that the weak point those worm authors were attacking was as much between the keyboard and chair as anything else.
I'll tell you this. Whenever I was looking for vulnerabilities in a network the first thing I'd do was look for Linux boxes. They were always the best exploit in gaining access to more secure OSs.
It is quite well known M$ has been in bed with Apple for a long time. While it is absolutely no surprise *BSD wins, and for Mac World, Mac comes in second, one has to wonder what this is about?
Who doesn't know an unpublished exploit of Windows? Perhaps because it is so easy, script kiddies have turned their noses up to Windows? More likely Micro$oft just paid someone off and this is just another example of FUD? I've used all flavours of BSD for years and certainly won't switch. I've used (and still do) use Linux and certainly it can be more trusted than anything from M$.
Others have described the mayhem Microsoft does to the Internet, the worms and all that stuff. Perhaps Linux should review security a bit, but Linux is actually just the kernel and that has been top line for years. Just watch the added and unknown software you add. Same for Windows, but the fundamental basis of that kernel is flawed and without any true 'division of privileges' it's a piece of cake to exploit.
I just went and picked up a KVM switch and some other junk so I could install Mandrake (Linux noob) on a box I just put together with old stuff. I pop over here in the middle of the install and see this... I was planning on turning it into a web server too.
I like how the very first post discounts the point of this article right off by saying, sure, maybe linux got attacked successfully a lot, but what about all the other attacks that would've succeeded on Windows?
Come on, people. The fact is, the linux boxes got attacked successfully. That's a Bad Thing, regardless of what happened to Windows. It's an embarrassing thing for us linux people. Here's the real rub...
I've read studies over several years saying that linux boxes are nearly as secure as FreeBSD installations if the administrator sets up the environment properly. The results of the slashdotted study here is the result of the RTFM culture...hard to operate and administer, very little respect for the user in the design of the OS as a whole. I mean "respect" in the sense of "let's make this trivially easy to use because it's possible and respect the user's time" rather than "let's respect the user's intellect by reasoning they'll figure out how to work this thing no matter how ridiculously complicated we make it."
This study ought to convince all the people out there that don't worry about linux being too hard to use...it's affecting everyone, not just newbies. Not just dummies. Even admins can't set up a secure box. We have to keep working on usability folks. Fact is linux is more potentially secure than Windows--but not in practice because no one can figure out how to lock it down.
sev
but have you considered the following argument: shut up.
Try SCO instead.
The guy is saying the right thing.
Ya go on, have a go at my server 216.250.128.21 .
The reason OSX (workstations) are so secure is all services are turned off by default. Definitely a good security strategy. And it's hard to turn the stuff on (no prominent shiny, candy-like buttons to enable them)
But even if those potentially dangerous services are enabled (DNS, sendmail), they're less likely to be cracked because most cracks use buffer overruns that are intel specific code injections.
Intel has been around for 20 years, which means 20 years of people learning assembly, and mature, asswiping documentation on every detail of the processor. And also, long evolved cracking documents/tools.
Where as OSX has only been around a few years. And at the time it came out, many tools (DNS, sendmail) had already become security aware. Viruses had already been running rampant, so Apple was able to start at a point where security issues could be worked into the design. Also, when OSX came out, few people cared about assembly anymore. In the 80's it was necessary, but now, it is less so.
At this particular point in time, if an OSX box and linux box are each running the same buggy version of DNS (the one that had the buffer overrun loophole), surely only the linux box will get rooted, because the rootkits are mostly intel specific. The initial rooting of a machine usually involves an assembly level attack with a buffer overrun.
So it's not even an open source issue; DNS is open source. It's the same code on both platforms. But because Mac's OSX platform hasn't been around for long, is one reason there aren't popular rootkits for it. But if there is one, then it's just a matter of time and desire on the part of crackers.
One thing Mac also has going for it is OSX (workstation) the day it was released, by default had all services disabled. So it's a pretty tough box to crack from day one; even if grandma turns on her new OSX box for the first time, it will likely be more secure than a linux box configured by a seasoned admin setting up linux for the first time. (weeks later: "What, sendmail and portmapper are running? I didn't turn those on!")
So there is less desire to even try to crack a platform that has no services to crack to begin with.
However, with OSX *server* being a bit more recent, eventually cracks may become more desirable because that will have attackable services. But someone will have to learn assembly for the Mac to implement the buffer overrun attacks. And it may take a few years before that becomes as popular as linux rootkits.
It would be good if the Linux distros made it harder for first time users setting up webservers to accidentally leave on useless services like NFS, portmapper, and all those daemons internet servers don't need (lpd, yp, linuxconf, auto-updaters).
Hmm, I wonder what services were enabled on the article's test machines. I guess it wouldn't matter, because an intel buffer overrun injection on a Mac just won't fly.
I wouldn't think that it'd be too hard to write an automated package that would lock down a base installation for any given Linux dist. Query the user to ask what kind of configuration they're running (Desktop, web server, etc) and then disable services they don't need and iptables out all non-essential ports. Close off external logins, put DNS and Mail in chroot jails and ask if they want auto-updates and you should end up with a fairly secure system.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
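A sketch of the lockdown helper proposed in the comment above, as an added Python example that is not the poster's code or any distribution's tool. It covers only the service and firewall steps, it builds a plan as text and changes nothing on the system, and the profile names, the init-script names for the services mentioned in this thread, and the port lists are assumptions.

```python
# Services this thread names as commonly left running by default.
# The init-script names are ASSUMPTIONS and differ between distributions.
RISKY_SERVICES = ("nfs", "portmap", "lpd", "ypbind", "linuxconf")

# HYPOTHETICAL profiles: inbound TCP ports each role must expose, and the
# services from RISKY_SERVICES that the role genuinely needs to keep.
# No profile opens port 22, matching "close off external logins".
PROFILES = {
    "desktop": {"tcp_ports": (), "keep": ()},
    "web": {"tcp_ports": (80, 443), "keep": ()},
    "print": {"tcp_ports": (515,), "keep": ("lpd",)},
}


def _profile(name):
    """Look up a profile, rejecting anything the operator did not define."""
    try:
        return PROFILES[name]
    except KeyError:
        raise ValueError(f"unknown profile: {name!r}") from None


def services_to_disable(name):
    """Every risky service the chosen profile does not explicitly keep."""
    keep = set(_profile(name)["keep"])
    return [svc for svc in RISKY_SERVICES if svc not in keep]


def firewall_rules(name):
    """Default-deny inbound ruleset in iptables-restore format."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",        # anything not allowed below is dropped
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",  # local loopback traffic
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in _profile(name)["tcp_ports"]:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP port: {port}")
        lines.append(f"-A INPUT -p tcp --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def lockdown_plan(name):
    """Commands and ruleset for an administrator to review before applying."""
    return {
        "commands": [f"chkconfig {svc} off" for svc in services_to_disable(name)],
        "iptables_restore": firewall_rules(name),
    }


if __name__ == "__main__":
    plan = lockdown_plan("web")
    print("\n".join(plan["commands"]))
    print(plan["iptables_restore"], end="")
```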
When talking about safety it is not very useful to count the number of o.s. hacked and then just say "oh this o.s. is safer", because this doesn't give any accurate data.
When the breach is caused by administrator fault, you can't always blame the o.s.
In the past it was often argued that the cause of many breaches was that windows administrators were less experienced than linux admins. This has nothing to do with o.s., more with culture.
Many breaches are caused by applications and not by the o.s. When for example a machine is hacked through a bug in Apache, you can't always blame the o.s.
Another example is publicly accessible web applications. Many of them are very badly written regarding safety! When such an application is hacked, does this also count as a breach in the research? This also has nothing to do with the OS.
There is much more to say about this, but from the above I can safely draw the conclusion that to produce any sensible data which can be used to draw conclusions you should separate the data into:
* Caused by admin fault
* Caused by bug/weakness in o.s.
* Caused by application
When I was a student they taught me how careful you should be when interpreting measurements. Often people don't take the circumstances or correctness into account and often they do the wrong math.
Regardless of the conclusion, this is just bad research.
I'm going to say this just because no one else will. Suppose Linux simply is less secure than Windows. I have been hearing the opposite from the slashdot crowd with no information to back themselves up. They simply state that because it's open source, it must be more secure.
Then when information proves otherwise, they say things like, they may have been the most targeted or Linux is over-represented as a target of hacking because there is so much low hanging fruit out there
Modding this as Flamebait only proves how Linux-centric Slashdot is.
Funny... had this been a story that showed Microsoft OSes were the most vulnerable then you'd all have been jumping up and down proclaiming the glory of Linux. Your two-faced, double-standard nature makes you all a laughing stock and is one of the chief reasons Linux will never be taken seriously... childish zealots for cheerleaders.
However, I tend to forget most places don't have the software engineers doing the DBA, Sysadmin, etc, tasks in addition to their programming. It is true that a formal education doesn't teach you (necessarily) how to be a good admin. The thing I've noticed about formally educated (not TechSkills/Phoenix) co-workers is they tend to understand more in-depth reasoning behind why things are set up as they are. Where you are correct some moron who simply gets an MCSE may not have a clue about the global aspect of being a good admin and the "why" some things should be done a certain way.
That being said, I only hire people who have degrees in a related field to do work in that area. What other industry would you choose someone to work for you without any real education? I would prefer an actual Architect designs my house than some guy who read AutoCAD 2004 and thinks he can design a house.
The numbers are probably due to the lack of knowledge or experience on the part of the sysadmins. Just like how the number of damaged ferraris would be high if non-certified mechanics were the only mechanics left due to some disease. And just like that, you can't blame the machine (or OS) for the incompetence of the operator or the repair guy.
In the same note, it can probably also be said that since the number of ppl who use BSD and OS X as servers are few (compared to the Linux and Windows), they tend to know more (primarily 'cuz they can't ask a buddy and have to learn it themselves). I guess it's a double-edged sword for Apple....on one hand, it's good that their users (and their OS) gets looked at with high praise but on the other hand, the numbers are small.
o well, as more ppl who set up linux servers learn wtf they are doing, these numbers will return to normal (with windows/iis being the majority).
In this case, the article would most likely be modded as "-1, Troll".
What makes an OS secure? The OS itself? I don't think so, computers are just machines that run some code. If you give them wrong code, in most cases they run it, in some cases they complain they can't run it. But basically computers aren't super (?) intelligent.
You say, they listen: if a user says 'format c:' or 'rm -rf /', the OS will ask are you sure? If you say yes, they do the action without thinking about it.
:)
Security comes down to the person in control of the OS. If the person in control screws up, the machine will probably be screwed up by someone/something else.
No OS can be made dummy proof, so security breaches will always be a problem, now and in the future. We try to work to this ideal image, but will we ever get there? Only time will tell, but I think I (24 years old) will be probably dead by then
"If anything will destroy Linux, it's fanboy groupthink that the OS is invulnerable."
No one thinks Linux is invulnerable. Linux is just MUCH BETTER than Windows. Check out SELinux for information about making Linux even MORE secure.
"When there are numbers like these presented, it's exactly the time to review such choices to see if they are the right choices to make for your users."
The numbers are meaningless without the background. Even assuming that those numbers are CORRECT, what does that tell you about Linux?
Were those attacks successful because of a bad choice of passwords?
...or because of permissions set wrong on a script? ...or because of a hole in sendmail? ...or because of a buffer overflow? ...or because of ........?
There is no information presented in that "article" beyond some numbers given out of context. Because there is no information given, no actions are required.
"Deciding to leave a service off by default probably makes it more secure, though less convenient."
No "probably" about it. One of the rules of security is TURN OFF ANYTHING YOU DO NOT ABSOLUTELY NEED.
I wouldn't say "flamebait". But your post does betray a lack of knowledge about security.
A quick Google search pointed me to this site with statistics about web server software.
The below uses data available on the above link, so don't flame me if it's wrong, this is just for example's sake
In January 2004 there were 31,040,922 Apache web servers on the Internet (let's assume those are all Linux or Un*x boxes). There were 9,675,979 Windows servers on the Internet. Let's say that mi2g's results were correct and 13,654 of the Linux/Un*x boxes are hackable. That makes roughly 4.4 percent of Linux/Un*x boxes hackable. If 2,005 of those Windows boxes are hackable, that makes roughly 2.07 percent of those boxes hackable
While those results (which I wouldn't recommend using for any kind of scientific purpose) still favor Windows (*gag*), it sort of puts things back in perspective.
Also, how many of those Linux boxes had root passwords of "root," "r00t," "toor," or "t00r?"
My lack of God, it's Trotsky!
First of all, the right way to do the test was to take the proportion between failed attempts and good attempts to break in. Second, they should see if the break-in gave a high level of control on the machine. Third, they should see if the broken-into machine was actually meant as a server or if this was accidental, to be considered a desktop PC. If they don't do this they can't exclude Windows backdoors/worms/viruses from their count, and this would radically change things.
I wonder if Microsoft really didn't "help" in this research.
I received a trojan horse message the other day. Having nothing better to do, and to figure out what schmuck was passing out SubSeven, I decided to hunt him down. I was able to determine the computer it came from, the user name of the person, and the service provider. Nothing special for someone with even remotely adequate skill. The interesting thing was the guy's mail server was running Linux AND he had everything open from SSH, telnet, finger, HTTP, samba, SWAT, et al. I was amazed that this guy actually had every imaginable service running. But then again, the guy was passing out SubSeven trojans, so it is not too surprising.
The point that I am making is that with the popularity of Linux there are probably people out there that install everything under the moon, and then they don't realize unless they're running certain services they shouldn't. This may be a situation where vendors need to take steps to secure Linux off the CD, so to speak, to help increase the security well-being of Linux. Using a port scanner I found out that I had over ten services running on my Windows machine -- when I didn't have zone alarm running.
Now, I am a FreeBSD guru. I love the system, and at first it was nice to see that my system of choice was doing really well. But before I celebrate, I would like to see a test that is a little more scientific. Besides, I have to question the Windows being less than Linux. It sounds like more Linux FUD to me.
The views expressed are mine own and do not express the views of my employer.
When you say that windows is so insecure because its users will execute anything, what do you think will happen if windows users move to linux? They will double click an email, see a popup window (assuming the program was written for the right desktop environment, which is an entirely different linux problem) that says "Your system must be updated to run this program. Please enter your root password." and BAM! you have a rooted linux box. The attacks tried in this article do not rely on bad users, but on insecure OSes.
As an OS X user, I'm afraid that some jackass is going to take this as a challenge and find a way to hack into my little box. If Apple ever advertises that OS X is the safest operating system that's when it's going to hit the fan. The automatic software updates feature is the perfect distribution system for some buggy code, it seems. But in my opinion, OS X does run more secure than any other OS I've ever used. Best thing - it comes that way right out of the box. -ko
in general, any time you run something that a lot of other people are running, you'll have issues... out-of-box linux x86 installs I'm sure will have difficulty... if you want to run linux, pick a different platform (PPC, Sparc, MIPS) and avoid skript kiddies who use pre-written x86 exploits :-P
Okay, Linux advocates, hold on to your seats, ...
and make sure you've got your heart medicine,
but
I predict that in the coming years, you're
going to have to get used to hearing how much
more secure Windows is than Linux. Why?
Because Microsoft has no choice.
Microsoft hasn't found a way of squashing Linux
using anti-competitive business practices.
They're facing the loss of a great deal of revenue
and market share from Linux on the server side.
And their cavalier attitude about trivial
vulnerabilities from things like email
attachments has finally caught up with them.
So, reluctantly, and with a heavy heart, they
have finally decided to take security seriously.
After decades of neglect, they can't turn things
around overnight. But Microsoft is a *very*
focused company, and I predict they will, in
time (maybe a long time), turn this issue to
their advantage.
As I see it, MS has tens of billions of dollars
and tens of thousands of very smart, full time
programmers. Linux has a wild, wooly, totally
decentralized, totally disorganized development
model, with contributors of very varying talent
and knowledge. Okay, we've all heard the
arguments about "... many eyes ... " and "security
through obscurity." Frankly, I don't think
they hold water and I don't think Linux can
compete long term. Even the exalted BSD might
not be able to. (I used to work in a 100%
FreeBSD environment. We got cracked at least
3 times in the space of a year or so.)
I'm sure many here find the prospect of Linux
having its butt kicked off the planet in terms
of security unfathomable. But after all, only
a few years ago the big selling point of Linux
was stability. Now MS has successfully migrated
the Windows end user to XP. There's an
XP box in this room a few feet from my Linux
box. Over the past 15 months since we got it,
XP has crashed 0 times, while my Linux box
freezes up or has an X Window crash about once
a week. Maybe I push my box harder. Maybe.
But I'm not selling my wife and kids, or the
average Windows user, on the stability thing.
That's dead. What I'm saying is I see a few
years down the road the security thing will be
dead too.
So, I can't say whether this study is legitimate
or not, or exactly what it proves. However,
it's not surprising to me. What would surprise me
is if the wild world of Linux, with its very
dubious development model, were to produce a
secure OS. And what would surprise me more is
if I don't see a whole lot more studies coming
to the same conclusion in the future.
Whereas I have strong doubts about the validity of this study, I also have strong doubts about the security of GNU/Linux. It may build on UNIX principles that have been tested through time, and Linus certainly emphasises code quality, but the system as a whole is pretty new and therefore untested, and not all contributors can reasonably be expected to be aware of all possible security issues. Also, the C library is full of unsafe functions (fgets, scanf, ...), and the privilege system is quite coarse, often requiring that processes have powers that far exceed what they need to have (e.g. to install a program in the /usr/local filesystem, virtually anyone runs it with root privileges - which also allows the process to overwrite files elsewhere in the system).
A lot of vulnerabilities are found in programs that are part of typical GNU/Linux installations. Although patches are typically made available swiftly, it's still the admins' responsibility to apply them. A system is only as secure as you keep it, and with all the wannabes running Linux c0z 1tz 1337, I don't have very high expectations. Also, keep in mind that Linux has been a small target, which makes it less popular with crackers, and that attacks against it don't affect J. Windows Luser's system, so the chances that you'll hear about them are significantly reduced.
I run Debian GNU/Linux myself and I am completely in love with it, because it provides a system that Just Works and that I can understand the workings of. Debian puts a lot of effort in quality and security, however, I won't make any claims about how secure it is until I have trustworthy data about it.
Please correct me if I got my facts wrong.
If I had a nickel for every study that told me it had proven something unpleasant that was going to rock my world any day now, and then two months later heard about another, even more reliable study that proved the exact opposite, I would have one hell of a lot of nickels.
There are lies, damn lies, and statistics.
And yeah, computers are hard. Big news.
Now try posting on some Christian Coalition blog: "Satan not so bad after all, says new study"
Whatever.
A hen is only an egg's way of making another egg. -- Samuel Butler
A helpful post on the Full Disclosure list regarding mi2g's "analysis" provides this link. Attrition has a history tracking who/what these guys are.
http://www.attrition.org/errata/charlatan/mi2g-history.html
I've been saying this for a long time here, and it only gets me modded down. Let's ignore the fact that I do computer security for a living, and there are tons and tons of documentation detailing that fact.
Sure, there are certain distros which are more secure than others, and programs (like Bastille) which you can run after install to get the OS more secure, but the fact remains that, by default, the average Linux install has more holes than Swiss cheese.
So, while MS has been steadily improving their product, the Linux community has been modding down people on slashdot, and pretending nothing is wrong. THIS is why organizations with crucial data need to go with an OS backed by a major company (I did not say closed source per se, although most companies which fit that bill generally deal in closed source software).
From the article: "The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers."
They tested it correctly. They were testing for how vulnerable the OS was to hackers, not to viruses and worms. You don't do a scientific survey by testing for everything- you would never get finished. You isolate the thing you want to test, and measure the results.
Also, the whole virus/worm thing is kind of a security red herring anyway. Why? Because there are steps an organization can take to eliminate the majority of these attacks, making them very improbable. And, it's not very difficult or expensive to do.
Just because the majority of viruses and worms are written targeting Windows does not mean Linux computers are invulnerable to viruses and worms. In fact, a very well-written virus could tear thru Linux computers like tissue paper, since there are absolutely no protections against them.
Attacking a particular system simply makes it popular for attack. In order to characterize Linux, or any other OS, as the least secure, there would need to be evidence that an equal amount of other OS's were unsuccessfully attacked or the success rate was lower
It's impossible to prove a negative. There is no way for me to prove that your anti-lock brakes prevented you from getting in 20 accidents, because we don't have access to some alternate reality in which anti-lock brakes don't exist. You can only prove what you can quantify, and you can't quantify something which didn't happen.
To say that "...while Linux servers were the most vulnerable,,," only means that they may have been the most targeted
No, it means they have been *successfully* targeted the most. And saying that Windows servers aren't a target is laughable. Every script kiddie with an internet connection tries to break into Windows. Also, something like 80% of security breaches take place from INSIDE the organization, meaning that firewalls, etc, facing the internet aren't going to help in the majority of cases. People are putting too much time and effort into beefing up the security on their internet connection, and not enough on beefing up the servers.
Manipulate the moderator system! Mod someone as "overrated" today.
From their (mi2g) Methodology FAQ:
What is an "overt digital attack"?
Successful hacker attacks on digital systems, such as computers and digitally controlled machines, can
be either covert or overt - as opposed to scans or attempts.
Covert attacks are not validated by a reliable third party source, whereas overt attacks are either public
knowledge or known to an entity other than the attacker(s) and the victim(s).
There are two types of overt digital attacks: Data attacks and Command and Control attacks.
mi2g defines an overt digital attack as being an incident when a hacker group has gained unauthorized
access to a computer network and has made modifications to any of its publicly visible components
(such as a broadcast, service routine, payment / data collection or print out) whilst executing:
1. Data Attacks: The confidentiality, integrity, authentication or non-repudiation of transactions
based on the underlying databases is violated. Such attacked databases may include
confidential credit card numbers, identity information, customer and supplier profiles and
transaction histories;
2. Command and Control Attacks: SNMP (Simple Network Management Protocol) controlled
computers, routers and switches, networks of ATMs (Automated Teller Machines), DCS
(Distributed Control Systems), SCADA (Supervisory Control And Data Acquisition) systems or
PLCs (Programmable Logic Controllers) have been compromised.
Considering my webserver still logs %5c..%5c attacks from codered, I believe there are many Windows boxes out there that are hacked and people still don't even know about it.
I would have to say this is definitely not accurate. Although it does show that the people who are running the linux boxes (and probably BSD boxes) know when their system had been compromised.
For you security conscious techies, here's the scoop
For security reasons.....
Tried linux but too hard to learn 'Unix'
then try Microsoft.
An easy step by step guide for Linux to MS
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/migration/linux/mvc/win2kcd.asp
But oh, too insecure, move to BSD!
Microsoft to BSD
http://zdnet.com.com/2100-1107-863169.html
Quite frankly I was shocked to see that OpenBSD was so secure. I was certain Linux was the most secure OS.
With the '-y' flag, apt-get will obediently install without prompting:
-y Assume Yes to all queries and do not prompt
You are correct about kernel updates, however.
LLP
Once more when we see any survey of any sort which questions Linux security, people trounce on it unthinkingly.
:-)
Sure, this report leaves out worms. But that is completely irrelevant. I'm willing to bet that most of the successful attacks on Linux could be automated in a worm.
The point about worms is that they are most successful when you have large numbers of vulnerable hosts to propagate. Windows wins simply by having sheer numbers of similarly installed machines, so worms are not an indication of how secure/insecure an OS is. Worms are mostly written for Windows, not because it's less secure, but because there is a better chance of success.
A better way to criticise this survey is that it counts total numbers of attacks, not attacks as a percentage of deployed machines. I suspect that this is because this just makes Linux look even worse.
One poster even complained that they had to patch their Windows servers more often than their Linux servers. Don't people see that this is a _good_ thing? Despite what people think, Linux programmers are about equal to the same order of magnitude as Windows programmers. So bugs are likely to be at about the same rate. More patches simply means that more bugs are being discovered and fixed.
If you count vulnerabilities found, Linux and Windows have been consistently about the same order of magnitude (cf. CERT). This is about what you'd expect for similarly complex pieces of software. Being open source doesn't automatically mean that the software is more secure, you still have to have someone looking.
Instead of burying their heads in the sand and Windows bashing, Linux-o-philes should take a long hard look at how they can make Linux better.
Oh and BTW: I run FreeBSD
$ man linux --flame
Yes...
BUGS
It's _extremely difficult_ to do anything with files named '--help' or '--version' at the command line, because ALL THE FUCKING UTILITIES have those braindead options. The whole point of fucking 'man' was to tell users how to use the command. Remember, gnu developers, that 'man' is NOT deprecated!!
You need to approach these files with a path: 'command ./--help'
FILES
/bin/* /sbin/* /usr/bin/* /usr/sbin/* /usr/X11R6/bin/* /home/sco/mcbride/linux/contrib/*
"The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers."
So they are not talking simply about "Your OS got 0wned more than mine." They are only talking about the number of times systems got 0wned BY A USER. I suspect that this survey would look very different if you included all the viruses, worms, and trojans that attack Windows.
And if you want to own and control a remote computer personally, you will want to attack Linux: It can be administered (or 0wned) completely by remote on a CLI, or graphically with X, and offers comprehensive remote control utilities that Windows usually lacks. What's the point of r00ting a generic Windows box, when all you can do is PING, TRACERT, and WINIPCFG without taking the time to install other software, when you can find a Linux box that's been badly mis-administered, and immediately have all the command-line utilities you'll ever need?
Linux makes up the bulk of web servers and Internet servers out there. Of course it is going to get more attacks as there are more Linux servers than Windows or OSX or *BSD servers. In fact I am shocked that Plan9 or some other Misc OS was not called the safest OS. :) They must have thrown out the results for those Misc OSes as well.
Think about it, divide the number of attacks by the systems that are actually out there to get a fair number of how often the OS is attacked.
How much can you guess that certain OSes will have a higher percent attack rate than others? If Microsoft Windows has 20% of the market and Linux has 60% of the market and MacOSX has 5% of the market, how are those numbers going to change?
I'd like to see some other company do the results and divide the number of machines that run that OS by the attacks and see what percentages they find.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
All that happens when you make things "idiot-friendly" is that you sell a lot of copies to idiots.
... in particular the very great disparity of capabilities among wetware. The hardware and software are in pretty good shape ... however, the PEBKAC.
Ask Microsoft. They wrote the book on the subject.
And what will the newbies DO with all that ACL / IDS stuff? If they don't understand how it works, they'll just make a beeline for the door. There are simply too many variables for any 'one size fits all' hardening scheme to succeed
I see Microsoft software as being for people who aren't competent to run Linux. I hope that others see it that way, too, so that people migrating to Linux will arrive mentally prepared to pay attention.
(My home system)
18:10:13 up 47 days, 22:23, 7 users, load average: 0.00, 0.00, 0.00
"Instead of "deny everything" try to explain why these numbers are wrong for Linux and not for the other OSes."
I did not say they were true for other OS's. From what is presented in the article, you cannot determine ANYTHING about ANY OS.
"Though this will propably be moderated as flamebait I must say that if you take the same care to secure your windowsboxes as you do with your UNIXboxes you will be rewarded with, surprise, secure boxes all over. Windows isn't inherently insecure as well as UNIX secure."
Actually, I can say that about Windows. Here's the evidence.
http://www.eeye.com/html/Research/Upcoming/index.html
Look how long KNOWN vulnerabilities have NOT been patched by Microsoft.
With Linux, they are usually patched within 72 hours.
"Every time some evidence of any UNIX, and especially Linux, being unsecure comes up there are people declaring that the evidence is faulty because UNIX is secure..."
Try sticking to the article in question. There is no "evidence" presented. Just numbers presented without any information. If you believe otherwise, then tell me HOW those 17K Linux boxes were cracked. Go ahead.
After a number of recent articles at theregister.co.uk which are completely senseless I have personally lost faith in the Register. Who knows which advertising vendor is paying them to discredit mi2g?
"That's exactly the kind of information that I don't think matters. What matters to me is that Linux is better today than it was yesterday, and then better tomorrow than it is today. Who cares about Windows?"
Because in the article it was said that Linux is cracked much more often than Windows is. If you aren't going to discuss the article then you're offtopic.
"Indeed. Doesn't it make you wonder? Doesn't it bother you that you don't know for sure that nothing that can be done?"
No. Because I look at that article and I see a company trying to drum up business for itself. That's why there isn't any information given. Now, someone like you doesn't see it that way. But then, I understand security a bit better than you do.
"How about actively working with the ones who reported the problem to see what can be done about it, rather than doing nothing?"
And who would those "ones" be? Again, NO INFORMATION is provided. Go ahead, tell me ONE company that was cracked and who I should talk to.
"Nobody owes us precise and free information on how Linux or anything other free software project can be improved."
I never said anyone owed anyone that. But if you do NOT provide it, then there MUST be a REASON why you are REFUSING to do so.
"I'm not talking about the settings on a particular machine. I'm talking about the choice of a distro to leave a service enabled or disabled by default."
That rule applies to single machines, networks, distributions, EVERYTHING. If you don't absolutely need it TURN IT OFF.
Linux has too many zealots out there who don't know how to handle honest criticism. Learn to program so that you can debug the code you're so fond of using.
What kinds of attacks have they been checking? OSes don't mean shit when the lazy coders have written the login-app for the admin page like this (pseudo code):
function login(string user, string pass) returns bool {
# fix later, let us log in during development
return true;
}
I have seen admin-pages for web shops looking like this. I have also seen user verification done in JavaScript on the client!
"Civis Europaeus sum!"
by default... it's not so eager to proffer up these vulnerable services to the outside world in a default install because Apple _knows_ people who don't know any better want none of this!
Microsoft can't say the same, they have to turn on more remote access stuff to appease those corporate customers who hire a monkey to install it on a bunch of new equipment, and then they remotely tie them in and administer them.
Fortunately its (MacOSX's) user-space is not targeted so much by online nogoodnicks, because it's no more secure than other Unixes by default... so clicking on a script you downloaded can still hose your home directory, etc.
Nothing can "fix" user stupidity. At least a platform gap separates Apple users from stupid PC pwn4ge tricks.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
HOW DO YOU DO? MY NAME IS SUE. NOW YOU GONNA DIE!!!
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
"I Am Not A Sysadmin But I Pretend To Be One On Slashdot".
Of course, he could've used IANASBIPOOS...
Learn how to grok it.
Also, there's WBEM (which are probes for SNMP) and the Performance Logging and Alerting stuff.
If your CPU usage spikes mysteriously, or some directory suddenly becomes shared, or a service dies, etc. etc. Windows comes with tools to let you know of this.
Not that I'm a big Windows fan or anything, but all the information is at your fingertips if you look around.
The same is true of Linux really... if you didn't know that /var/log contains a wealth of information that you should be looking at, how would you know where to look?
In my opinion, it's Solaris that sucks in the logging department. Not so much that it doesn't have the right capabilities, but that by default it logs close to nothing. This is very annoying.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I don't want to sound like a troll but that company reeks of what I like to call "Digital Crap". Taking a look at their front page they have a "Queen's Award for Enterprise and Innovation" which means about as jack as a MCSE, and I think this passage sums up what they are about:
Digital Risk Management resolves the complexity associated with implementing digital solutions and measuring their performance through Service Level Management. It includes selecting the optimum technology set, managing external partners and alliances, linking payments to targets, defining rigorous quality control procedures, managing system availability, achieving the expected return on investment, and bringing about changes in corporate culture required for successful business.
I'm not saying they took figures out of the air, I'm just speculating on the sort of marketing-speak company they are.
This comment does not represent the views or opinions of the user.
CIFS, NFS, these all have the same issues. Lots of RPC going on channeled through a single port... lots of security issues historically.
Only do it behind a firewall, that's for sure.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
have mi2g been regarded as a credible security firm? They're a bunch of marketeers and FUD-spreaders pretending to be security experts.
i) the BSDs are pretty obscure. The people who use them do so for a reason. To get into BSD you've initially got to be attracted by something they offer, and what they offer is security. I'd say the average BSD user knows more about Unix than the average linux user. (No, I don't use BSD. Well, not much.)
ii) BSD is not a buzzword like linux. No clueless middle manager ever asked his clueless admin to set up an OpenBSD server because he saw an item on TV about it. Again, if BSD is there, it's probably there for a reason.
iii) the average /. linux weenie thinks knowing how to comment things out of inetd.conf makes him a security expert. He thinks his ultra-leet gentoo boxen are watertight, and doesn't need to implement a security policy or look at his logs, then gets worked over by a script kiddie.
iv) the herd's reaction is "it says something negative about linux, which is perfect, ergo it's FUD"
v) why do linux vendors (and also Sun) feel bundling as much freely downloadable crap as possible adds value to the product, rather than just making more of a PITA to manage properly?
That "gooey" python stuff only lives on the RedHat derived distros as far as I can tell, and it's never stopped me from using the tried and true methods either. I tend to ignore all of that stuff completely as it's superfluous. (I also tend to just not install any of it... the package selector is nice enough to keep them together)
::shrugs::
Also, some of the scripts are damn useful. For example, the redhat-printer-conf. And I've looked at that baby, and it is some _hardcore_ python. It can handle like seven different printing systems, and detects which ones you have installed. It even comes with "Print Test Page".
Mint!
Actually, the worst offender is SuSE. YaST will completely take over all your configuration files. And YaST is written in C. OTOH, YaST is pretty friggin complete, and it has a well documented plugin system so it's not as bad as it seems. Still, you just don't install it (or install it but don't use it). Problem solved.
NDIS is like iptables one step removed. It's a meta-networking stack. You can install filters into it, and they run with kernel privileges (IIRC).
ZoneAlarm, Personal Firewall, etc. are such filters. Windows ICF and the ICS product are such filters. Keep in mind that the "interface" you see is NOT the firewall itself, but like a configuration tool. The firewall itself is probably encapsulated as a service or driver.
BTW, the Microsoft built-in firewall for XP is just fine. It does exactly what most *nix users do with their firewalls, anyway. It doesn't let you classify packets by operating system type or anything (ala OpenBSD), but it fits the bill.
I tell people not to bother with ZoneAlarm, because although it can tell you when programs are trying to connect out, it doesn't PREVENT you from getting spyware or the like on your computer. It can tell you if you've got it, but by then it's too late.
And the really good viruses and spyware insert themselves directly into the NDIS stack to circumvent all of this.. predicated on a user running something dumb with Administrative rights.
Sigh.
True.. and any admin would know when a stable kernel gets updated so he can do that manually.
echo 2i1010110P1100101P1110010P1111001 P0100000P1100011P 1101100P1100101P1110110P 1100101P1110010P0101110P|dc;echo
http://uptime.netcraft.com/up/graph/?host=mi2g.net
salesca@aceonsource.com They really want to sell you computers
salesusa@aceonsource.com Even if you live in the United States and have bad credit
support@aceonsource.com So get in touch with the Support Hotline
hosting@aceonsource.com Free Webhosting
design@aceonsource.com Website Design for cheap
e-commerce@aceonsource.com and E-Commerce, shopping carts, merchant accounts
Oops, I forgot the spam armor. Ah well.
slashdotcomment8349878@nervalhi.net
This is reinforced by you telling me that I now have to PAY to get a reliable easy to use patch system (Windows updates always have been free).
Windows updates are INCLUDED. I can update my Fedora, Red Hat, and SuSE machines, running OSes I legally obtained and installed for free, for free. Updating my WinXP Pro box is included in the price of the OS. You're either naive or intentionally misrepresenting the issue here.
If I do want to pay to get faster & always available access to updates from Red Hat or SuSE, they'll gladly let me pay to do it - but that's no different from Microsoft including it in their OS price. If anything it's better, because I can choose to do it in non-peak times for free if I want.
Hm, this just proves a lot of things, in my opinion. First, there are a bunch of stupid users, and stupid users will do stupid things. Second, it proves that the OS can be secure as hell, but only secure to those who know how to handle it. This counts for any system that is supposed to be usable by "stupid" people.
These things about Linux do not alarm me. I do not rely on lazy, stupid and non-updating admins, I rely on myself. And I know I'm doing my job.
I love Linux, for its stability, security and scalability. As an average, these three beat any other operating system that I've played with, including BSDs. Kernel-wise and server-wise, I think it's unbeatable. That's why I'll keep using it.
I'm not trying to show off, but even though many servers might have gaping holes that lazy folks don't cover up, mine does not. At least, they're outside of my knowledge and are not gaping.
Red has just published a study on their website that shows red is the best colour on the planet!!!
Shocking!!!
Why aren't they including operating systems that no one uses or hackers care about? Wouldn't this technically be a safe and secure operating system?
Dolemite
____________________
Save the World! Use a Quote!
"I'll only fly Quantus."
-- Rainman
Any connection between your reality and mine is purely coincidental.
Now I don't blame him,
He said he did not know the login or domain.
He left ma and me
nothing but a windows machine
and shitty website domain.
Now I knew I would search for that dirty dog
cause he embarrassed me in front of pimple peggy,
and I knew I would never get her login.
Cause all I wanted to do was make an OS call.
But the system call was protected.
Cause it was windows.
Now if I had linux
I could have pleasured and woo'ed the crowd
And showed all the boys her panties in the bathroom
Cause my digital camera works with linux.
FUCK I AM TOO DRUNK TO FINISH.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
As Linux comes to be more and more ubiquitous I predict that we will see viruses and worms written for linux that will actually spread. This is not to say that linux is any more or less secure than windows, but all operating systems have weaknesses that can be exploited. Windows' main weakness is clueless users in my opinion. Linux doesn't have that problem, but it may have the problem of having overconfident users.
I have the most secure system in the world sitting in my den. It is a windows 95 box with no modem and no network card. I will give anyone $1000 if they can even do a port scan on it. Oh and the power supply is bad. Ultimate security! Almost as obscure er..secure as OSX!
decode () {
  # 2i switches dc to binary input; each P prints the value before it as a character
  printf '2i\n%sP\n' "$*" | sed -e 's/ /\nP\n/g' | dc; echo
}
don't call it with parens, just like
decode 01100111 01101111 01110100 00100000 01110011 01101001 01100111 00111111
65 windows servers 99.9 % uptime?
Not a single breakin?
Linux admin is easy properly without any experience?
And your friends at your old job kept you updated with all those stats?
I think you forgot the part where you say you're a single white female with double d's looking for a nice geek who lets the woman take charge in the network. You probably got fired for talking alotta S#17.
I remember they said the same thing before, but for every successful exploit done by hackers intentionally and maliciously, there are ten thousand self-spreading viruses that hack machines every day.
:P
I love how these studies forget that little fact.
It's been a long time.
We set up two firewalls facing the Internet, a MS Proxy server and a redhat9.0 as a test server. The redhat was compromised using sendmail and samba exploits and it was used as a staging area for further attacks before we knew. Thank god the admin password was different on the servers else we would have lost quite a bit of the company.
But I don't think Linux is at fault. I did not use iptables to block unneeded ports on the outside and I did not patch sendmail (I should've used qmail). I should've taken close care of suid files, used ssh instead of telnet, jailed most servers, never used root and generally kept checksums of the important binaries. That's what real security takes, that's what's easily possible on Linux, that's what Windows lacks and THAT'S what I didn't do.
Although our firewall now is a single openbsd (which does most of the above by default), I still recommend Linux, but with patches applied, services disabled, ports blocked and servers run in jails. If they compare default installs, Windows isn't running much, older redhats are running too much with no patching of daemons whose sources are available online, and the results are biased. Just give me a server to secure, give the same to a Microsoft representative, some time for us and then attack the two servers all you want.
Just as tomshardware maxes out their test PC's specs to compare video cards properly (radeon and geforcefx will both be about the same on a pentium2 with 64mb ram, 4gb hdd), OS security tests should rule out technician incompetency.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
...they'd realize the article kind of made this point already. The article didn't really make any real claim about which was safest, it just presented the results of their study and suggested that it was probably because of admins who didn't know what they were doing.
This slash summary indicates glaring statistical faults.
-- Exposing the hype of Gentoo zealots. Modded into the ground to suppress opinion.
Windows isn't inherently insecure either. After all, it's possible to turn off all the services you don't need and to keep your open ports down to a minimum. Keeping your Windows machine patched and all the server products you use patched are also essential. Furthermore, you don't have to use programs that present security issues or, at least, you don't have to use features of those products that are insecure.
In short, those are the same precautions one has to take with Linux. There are some things that *can* make Linux more secure by default, but the same can be said of Windows.
So, as always, security ultimately comes down to the administrators of the servers.
People in the Windows world have been saying this for years. I'm not trolling, but I am glad to see this issue finally come home to roost in the Linux world. There's been far too much complacent smugness in this corner of the IT world and it will do everyone good to kiss, make up, and address the issues as a unified community.
Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
Every time somebody comes out with a statistic negative toward windows, the less secure in their reasoning ability among this community always start with the "hurrahs" and "score one for linux!" But whenever anyone tries to tell you you're just maybe wrong, and that, perhaps, linux is not as secure as you think it is, then you get all bitchy and cry and make dumb excuses. Go ahead and mod me into the toilet, but before you do please consider all sides of the argument for once, jeez. (not necessarily saying that anyone is right or wrong on either side in this particular incident, but I hear a lot of flamebait come from a lot of people every time something like this comes up)
Mandrake from GUI:
Run rpmdrake.
Click ok.
Red Hat != Linux. You probably know that, but my point is look at other distros. From the few I've tried it doesn't seem to get any easier than Mandrake. The GUI for updating packages launches with "Get security updates" checked, so just press OK and it takes care of itself. It can also be set to run automatically. It's easier and quicker than Windows and never requires a reboot (kernel updates must be done in a special way and with a reboot, but are extremely rare).
Developers: We can use your help.
Okay, this is the SECOND study posted to Slashdot that has shown that Linux is the most breached operating system on the Internet.
If it were shown to be Windows, nobody would be arguing, but because there is insane bias around here, we get lots of yimmer-yammer trying to run circles around the data.
How many studies have to come out before Slashdotters stop proclaiming Linux as the magic security solution? GNU was hacked twice last year, and GNOME, Debian, and Gentoo were all hacked. What gives?
Just my two cents. I'm compiling Gentoo right now...I love Linux. But I'm not so naive as to pretend it's the end-all solution. I haven't read all the comments, but I fully expect to read the same, typical, anecdotal bullshit--"Well, where *I* worked..." or "Well, *I* spend more time on Windows patching..." or "Well, if *I* were conducting the study, I would..."
Those millions of systems must not have had Automatic Updates turned on--or their users must have run an executable attachment via Outlook. For instance, the RPC hole was patched a good two months before. I didn't even know Blaster was going around until I heard from people who didn't patch that their machines were rebooting...
Reading the discussion threads here is the equivalent of watching monkeys stick their fingers in their ears and chant, "Lalalalalala...give us a new 'Microsoft Violates Human Rights in China' article!"
Step 1. Get a Mac running *NIX. ;)
Step 2. Get 3 computers of the same hardware.
Step 3. Do default installs of Darwin, Windows 2003 Server, OpenBSD 3.4, and Redhat 9. I mean default.
Step 4. Get another *NIX box, doesn't matter what it's running.
Step 5. Install Nessus on the box from step 4. If you've never used Nessus, then you're not really doing all of your job.
Step 6. Run full Nessus scans against all 4 computers.
Step 7. Publish results, hardware config, OS Config, and Nessus config.
Leave the operating systems as default installs, this test will not tell you anything other than which OS is more secure by default according to Nessus.
Intelligence is a matter of opinion.
Oops, yet another armchair critic shows his credulity by swallowing a sensational headline and jumping to a conclusion.
You're another one of these armchair data information crunchers who believes studies that are pro for your mindset and discredits those against.
"Linux was never more or less secure than Microsoft. Its "security" was based on its obscurity."
While that may be the typical joe sixpack understanding of the matter, it's completely wrong.
See? I am NOT surprised this drivel was modded up.
It's absolutely, 100% true. Linux was never more secure than Microsoft. It ALL boils down to the admin doing the operating system installation and always has. You've bought into the mindless Slashdot mindset that is slowly crumbling as Linux becomes more widely-used and adopted.
The fact is, unix was a multiuser, networked OS decades ago, and many of the baby steps that microsoft is now beginning to take represent steps towards the type of sophistication unix has enjoyed since the early 80s.
I fully expect you to not provide examples of anything you're talking about. NT was always multiuser and networked as well. So? Linux 2.6.3 just recently patched a vulnerability that affected ALL kernels up to that point. It got barely a secondary blurb at the bottom of an article summary, a few days after the fact.
Linux, as a modern unixlike OS, inherited a rather sophisticated security model which is in stark contrast to the microsoft culture of "personal computer", where things like networking, security, multiple users etc were afterthoughts.
Again, no specific examples. Just endless rhetoric. "Linux is secure because it's UNIX-like, unlike Microsoft which puts out operating systems for personal computers!" Wow, you really proved something there. Meanwhile, the data shows otherwise.
As to the so-called surver, do yourself a favor and see if you can actually find out the data behind this mileading headline - and I must caution you that you are most likley in for a rude awakening if you expect to have your beliefs bolstered.
Calm down (your typos reflect your heart-pounding reaction to this news that your precious girlfriend Linux is not the flawless supermodel you thought she was) and recognize that SECURITY BOILS DOWN TO THE ADMIN DOING THE JOB.
The rational readers of Slashdot have known that fact for years. We just aren't as vocal as you new Linux users who have joined us in the past five years who have bought into the yearly "Linux will overtake the desktop; M$ is inherently insecure" BS.
The reason it is fair to discount all the worm/trojan/virus attacks IS because it would be unfair to Windows. See, this test was to defend against attackers who might want the data. Frankly, the type of attacker who this was to test with was someone who cared more about getting into a system... not necessarily a windows system... but whatever system it happens to be. The unfairness is that more people write viruses and such to attack Windows because they have a grudge. Many are Linux gurus out to prove how insecure their system is. No other OS gets so much attention from these kinds of virus/worm writers. And every time one attacks you Linux disciples yell "look at how insecure Windows is!" It's not that it is more or less secure, but that these virus/worm writers spend numerous more man-hours coding their "product" for Windows systems.
And yet, when there's an IBM-sponsored study showing Linux as the next greatest thing, all of Slashdot welcomes it with open arms!
Look--unlike most of you here, my ego is not at all affected simply because an operating system I use was revealed not to be the magic security skeleton key. Relax.
This article will be dismissed by all you biased Linux users who joined up in the past five years and who still think "M$" means something, and Slashdot will try desperately to follow up with something anti-Microsoft in the vein of "Microsoft Violates Human Rights in China" (never mind that the article didn't even dream of mentioning that China has its very own custom Linux distribution...no "OSS Violates Human Rights in China" article ever appeared).
CPM
C64 BASIC
TRS 80 BASIC
MSDOS 3.3
Would you want them counting user-ran executable attachments as inherent security flaws of an operating system? OF COURSE they're going to ignore them in a study like this. How ridiculous.
...what I usually hear.
:D
Slashdotters will tell me to no end that Linux is PROVEN more secure because there are more Linux server and yet they get less hacked.
Now, their wide usage is suddenly an excuse for being MORE hacked. Interesting, is all I'm saying. I'm compiling Gentoo as I type this using Links
But I love all the reasons people are giving to desperately make this data go away. "Normalize your data!" you say, haha.
Interesting--not being "secure by default" was always a criticism levelled against Windows.
Now it's being used to justify Linux breaches.
What about statistics on unreported or covert attacks?
The SIPS database and EVEDA do not contain any specific information on attacks that are covert, not reported, validated or witnessed by any reliable source. We do, however, often receive notification on individual security breaches from our partners and clients across the globe, which are included.
In other words, the sample they are using is self-selecting: only the attacks that have been systematically reported and verified are included. The problems associated with a self-selecting sample are obvious.
What if Linux attacks far outweigh Windows attacks, because Linux administrators tend to report the attacks more often, whereas Windows and other OS administrators do not report attacks so often because it makes them look bad? I'm not trying to troll, I'm merely pointing out why the results of this study are absolutely meaningless.
* It's a troll! It's from Mi2g! Let's ignore the breaches!
* Linux is more widely used, so that's the reason (even though this was the very reason given for Linux being so secure--its wide usage and its apparently low hack-rate).
* Distros aren't usually "secure by default" (even though that's a criticism that's been levelled at Windows for years...now it's used to justify Linux hacks)
* *I* spend more time patching Windows on *my* network, so my anecdotal experience must mean this study is completely wrong!
* "M$" is no doubt behind this. If not, then just look at the fact that Mi2g sells Linux security solutions. It's bias...meanwhile, let's rally around the next IBM-sponsored Linux study that gives us positive results!
Let's repeat it--ADMINS MAKE OR BREAK THE SYSTEM. The OS is irrelevant. Many of the more rational Slashdotters here have known this for years. But in the past five years, it seems a lot of new people have joined in the fray and taken on the Slashdot mindset of "M$ is evil, Linux is always good." Real UNIX veterans know this is idiotic--the best OS for the job is what counts, and the best admin is what gets you a secure network.
The discussion threads here amount to a bunch of Linux guys putting their fingers in their ears and chanting "La-la-la-la-la..." It's yet another nail in the coffin. The BSD people are just sitting back, laughing and laughing...
"When we ignore most of the break-ins that windows had, it had less than linux!"
Yes, in a study like this, believe it or not, they're going to disregard user-ran executable attachments, which is what they were referring to. Therefore, that criticism is baseless.
The study measured overt hacks. User-ran trojans-of-the-month don't count. They have nothing to do with Windows, but dumb users--this was a study of servers anyway, so of course those worms still don't count even if you think they should (unless you are running Outlook on Win2k3 for some reason...).
This completely ignores the proportion of these OS's that got hacked. If there are only 556 of them deployed, then this is a terrible break-in rate. Obviously there are more than 556, but there are fewer BSD servers than linux servers.
You're right, it's a terrible break-in rate. A terrible break-in rate is a good thing.
It's interesting that something that was always used to "prove" Linux's security--its wide usage in the face of apparently low breach rates--is suddenly being used now to JUSTIFY those breaches, which have turned out to be a very high number.
Besides, you're SEVERELY underestimating the amount of BSD servers in use.
In other words, you've decided to arbitrarily disregard the data. Now you're claiming they're "just making up statistics."
Can you prove it? Or are you just going to post your baseless opinion randomly to Slashdot so other clueless moderators can mod it up as "Interesting?"
As others have pointed out--let's face facts here.
Meanwhile, let's rally around the next IBM/FSF-sponsored Linux study that--surprise, surprise--paints Linux in a really good light! No bias there, right...
Is that most people use linux. Followed by Windows users, then FreeBSD, then MacOSX.
I'm not interested in these kinds of statistics. I want ratios.
After discarding all the posts of the Microsoft and Windows haters, I have to come to the conclusion that the data show Slashdotters love Microsoft and Windows.
Applying the same logic to SCO posts, well... I gotta come to the conclusion that there is no Slashdot.
The greatest AC in the world (ignoring all the posts that say otherwise)
Notice it's detected attacks? Perhaps it's because the Linux tools are better at detecting and defeating attacks than Windows? How many of those attacks were successful and only detected AFTER the damage was done? Not many, I bet...
How can you set up a firewall using Red Hat Linux 9 and NOT use iptables? Was it or was it not set up as a firewall?
If you had set the RH9 box as a firewall did you leave all the ports open? Did you close ANY of them? You would have to deliberately open the ports for SMTP and Samba when setting up the firewall. Were you intending to do Windows file sharing over the internet? Were you intending to use the RH9 box as an email server for incoming email?
For telnet you would have had to deliberately install that service. It is not installed by default in any of the setup configurations for RH9.
All of the mistakes you made with the RH9 box (however you managed to make them) could have been made with a Windows, *BSD, or Mac OS X box.
-DU-...etc...
"Don't sweat the technique."
look at the bright side...
I think this means we have total market dominance in the area of hacks!
tho this is one market I would have rather not 0wn3d...
but then, what do I know... don't be surprised if we get sued by microsoft for infringing on their market of 'most hacked'
and don't even get me started on whether the boxen were cracked or hacked...
"...and I am _not_ intoxicated... YET!" --John Wayne
[from TFA]:
- Linux 13,654 breaches
- Windows 2,005 breaches
- BSD and Mac OS X 555
If we normalize the Mac/BSD result to 2% market share, it is 27,750 (assuming that Windows has 100% market share, which is close enough). Yet another flaw in TFA.
Still, if companies are organisms battling for survival Darwinianly, then this is what you would expect.
the study is BS, of course there are fewer successful OSX hacks than Windows or Linux - barely anyone tries to hack OSX! Linux is gaining popularity so more hackers are turning their eyes to it. The way they ran that study, whichever is the most popular OS will be the 'least secure', cuz that is the one all the hackers are focusing their attentions on.
If you have tried out Yum, it's pretty much the same as Windows Update except for Linux. I've used it on RedHat and Fedora Core 1, and it is completely painless. You can either use external or internal upgrade repositories (internal lets you ensure only approved updates get pushed, plus saves bandwidth), and run it as a cron job to update apps in the background.
Anyhow, I am mightily impressed by it. What it does is look at your installed applications, check the update repository for a newer version, and then if it needs to update the software, it uses the RPM file to resolve dependencies and it will download and install the update plus any dependency apps you are missing.
I am not sure as to whether it will work well with other distros, but I would think any distro that supports RPMs should work with Yum.
I can't afford a sig!
God, I want to cry. I thought slashdot was supposed to be for people who were at least interested in science. Silly me.
Linux servers are cracked most often because they are the most common type, you slack jawed drooling morons.
Next let's add percentages together, won't that be fun?
Fact: Out of a sample of N attacks on servers, chosen by some (presumably) fair technique, only a tiny fraction were on MacOS.
Moron Conclusion: That must be because MacOS is very secure.
Smart Conclusion: Wait, how does that compare against the number of servers actually running MacOS in the first place? If MacOS is less commonly installed as a server, those numbers might not mean anything.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
that ran on the Amiga in the mid-eighties? I remember my friend telling me that most of it was modeled on the sun os back then
Any preoccupation with ideas of what is right or wrong in conduct shows an arrested intellectual development. (Wilde)
he is so damn true...
The smaller the marketshare the less exploited the O/S.
I use FreeBSD but I don't see the *BSDs being inherently significantly safer than Linux (they are more likely to be safer if you use various features, unless you use SELinux). Once someone has managed to get local user, it takes a pretty locked down system for them not to get root (given the various kernel issues), sure there's jail and OpenBSD has their system trace thingy, but the Unix architecture in general doesn't really have security as highest priority.
It's a matter of how many services you run, what services you run and how up to date your systems are.
If you run crap like PHP and PHPNuke (which seems popular amongst the Linux hordes), and tons of other services it's statistically more probable you get exploited.
BSD systems and their derivatives outnumber Linux systems on the internet and power more mission critical sites than does Linux.
AHAHAHA!!!
To have been a really effective propaganda weapon the entire report would have to have been free, instead of just the summary that formed the basis of the minuscule press coverage it has gotten so far. No one is going to trust a study they can't read for themselves, and even fewer people will be willing to shell out dough for one that's as obviously limited in scope as this one. Apart from serving as a nice slogan for Apple, I don't see this one getting much traction -- not even from a rabid "FreeBSD on the desktop" advocate like myself.
To the best of my knowledge, z/OS (and its ancestors) has never been hacked. And, again to the best of my knowledge, it has more critical data and more installed MIPS than any other. This study is worthless IMHO.
I've wasted a lot of money in my life, the rest I spent on motorcycles and women.
It's sad, yet fascinating in the same way a spectacular and bloody car wreck is. Almost every poster in this thread is bending over backwards to come up with the most convoluted reasoning that insists that Linux cannot possibly be at fault.
So much for the belief that the great strength of the open source community is its willingness and ability to consider and repair vulnerabilities and problems. That portion that is represented on Slashdot is far more interested in bias, zealotry, willful ignorance and comforting head-in-the-sand groupthink.
I haven't read the article, but quoting numbers is a spectacularly pointless exercise. I don't care if only one FaultyOS server got cracked if there are only two deployed anywhere. Unless these numbers are related to the total number of deployed systems they are meaningless.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
The most obvious thing that comes to my mind about this survey: BS. The results are not a bit surprising, once there was a contest for hacking as many sites as you can and you got 1 point for win machine, 2pts for linux and 5 points for *BSD/MacOS. On the other hand the numbers for the BSDs and OSX are lower simply because there are many more systems running linux than macosx so the numbers are absolute not relative. Also many inexperienced enthusiasts choose to run linux coz it's free and windows is usually run by 'professionals'. Moreover the bigger number of intrusions still doesn't say that the system is less secure, it's just that the security holes are better known. In fact they are fixed quickly while windows remains vulnerable and users don't even know.
That is the straightest shooting I have read on this site in years. Congrats and more please.
Great ... throw out the biggest and most expensive security problems and concentrate on the rest. I see no mention of correcting the results for the installed base of each OS. In true epidemiology, you correct your reports to a standard number of persons and report as "X incidents per XX Thousand", which gives you an idea of the relative risk of something compared to another.
If Linux had 80% of the installed base and 80% of the successful attacks, it's as secure as one with 20% of the installed base and 20% of the attacks. Windows servers had a sharp decline in successful attacks? What was happening to their installed base? Unless they report the number of potential victims using each OS, they are just reporting something as useless as "fatal automobile accidents kill more 20 year olds than 105 year olds" ... and then trying to convince me that 105 year olds are safer drivers.
Why would anyone NEED to send HTML for everyday e-mail? The "scriptable" nature of Outlook simply caters to email marketing. All it does is make it possible to fill your email in-basket with same kind of day-glo tripe that cascades through the s-mail box every day.
------ The only greater hazard to your liberty than n politicians is n+1 politicians.