Slashdot Mirror


The World's Safest Operating System

fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."

57 of 1,014 comments

  1. Not Linux's problem. by Anonymous Coward · · Score: 1, Informative
    Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."

    That's not even the OS's fault. It's stupid users and bad apps.
  2. From Greg over @ OS-News by }InFuZeD{ · · Score: 5, Informative

    Looks like mi2g doesn't have the best reputation:

    "And yes, every time an mi2g story has come up, an ugly flamewar has started. The funny thing is, it's the security equivalent of an Adequacy troll.

    Some links:

    http://www.attrition.org/errata/charlatan/mi2g-history.html

    http://www.theregister.co.uk/content/55/28233.html

    http://www.nwfusion.com/news/2002/1107msfoul.html"

    1. Re:From Greg over @ OS-News by Anonymous Coward · · Score: 3, Informative

      How hard is it to link the links! For the lazy:

      first, second, third.

  3. Do you google? by PerpetualMotion · · Score: 5, Informative

    Mi2g
    Second link leads to this page which shows what a crock this (company/report) is.

  4. Why is MI2G given air to breathe? by rjamestaylor · · Score: 5, Informative
    Suffocate this crock of a "security company" once and for all!

    Read Why is mi2g so unpopular?

    Then read this complete debunking of the scam^Wfirm.

    Slashdot is trolling us -- did I wake up in Soviet Russia??

    --
    -- @rjamestaylor on Ello
  5. mi2g love to FUD by dan+dan+the+dna+man · · Score: 4, Informative
    --
    I don't read your sig, why do you read mine?
  6. mi2g security company = charlatans by rxed · · Score: 5, Informative

    I don't know about the results but this 'security company' has been in the news before and as far as I know it was labeled as a bunch of charlatans by real security experts at Security Focus. Read more about mi2g at: http://www.attrition.org/errata/charlatan/mi2g-history.html

    1. Re:mi2g security company = charlatans by khallow · · Score: 2, Informative

      In an effort to pick up some of that informative karma, here's the link mentioned above. Summary, company claims to collect data from 1995, but didn't actually enter the security business until around 1999 when it slid into its current business of "security intelligence provider". Further it has a history of citing numbers of attacks and cost of damages without basis. Looks like a quality operation, if you ask me.

  7. Re:Overexaggerated by BlackHawk-666 · · Score: 2, Informative
    What could be easier than typing:

    up2date -u

    --
    All those moments will be lost in time, like tears in rain.
  8. Re:Fun and games with statistics by Curien · · Score: 5, Informative

    You're kidding, right? The main /problem/ with Windows is the number of (often hidden) servers that are running by default. UPnP, DCOM, Windows Messenger, etc, etc, etc.

    --
    It's always a long day... 86400 doesn't fit into a short.
  9. Gift-horse halitosis by tagishsimon · · Score: 2, Informative
    None of us, I guess, has paid the 24 quid or whatever mi2g are asking for their report and can only speculate on its place on the credible to bogus scale.

    But it is instructive to read some prior comment on mi2g, such as "Iraq will destroy us by computer" the experts screamed, or a more general index of mi2g myths, or a search for mi2g at NTK or even their own reasonably barking mad press releases.

    I'm not uncomfortable with a finding that Linus boxes leak like sieves whilst windows boxes immitate Fort Knox; I'm by no means in security denial here. But I simply don't believe a word mi2g say.

  10. Re:Fun and games with statistics by Frambooz · · Score: 4, Informative

    Windows for home usage (95,98,me,2k,xp) does not come with a pre-enabled HTTP/FTP server, and most people don't even know it's there. Windows Server appearantly does (have no experience with it whatsoever), but i'd like to assume that installed Windows' for desktop outnumber the installs of the Windows Server family. Please correct me if I'm wrong.

    --
    No encryption can withstand the power of the Lucky Guess.
  11. Re:Fun and games with statistics by Anonymous Coward · · Score: 1, Informative

    If the average Linux user runs everything as root or SUID-root, he's no better off than the average Windows user.

  12. more information by ignavusincognitus · · Score: 2, Informative
    There is some more information in this writeup. The few extra numbers should help clarify the "share of attacked servers" vs. "share of successfully attacked servers" issue.

    But really, inadequate training on newly-commissioned linux systems seems like the true cause.

  13. Re:Fun and games with statistics by Tet · · Score: 3, Informative
    Every major vendor has a military-grade ("B2" or "Trusted") OS

    Not really true. AFAIK, lots offer C1 or C2, but few go up to the B ratings. I know DG/UX did, but that's sadly now discontinued. Trusted Solaris 2.5.1 was rated to B1, but Trusted Solaris 8 isn't. Bull did a secure version of AIX, and HP will sell you SEVMS, but if you're looking for a modern B2 Unix, then your options are limited (no Solaris, HP-UX, Tru64, IRIX or Linux, AFAIK).

    Incidentally, that's not to say that those OSes couldn't be made to meet those requirements, just that they haven't been certified as such to date.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  14. Re:Fun and games with statistics by Kierthos · · Score: 5, Informative

    No it doesn't. It reads as shades of grey. "Here, let's discount all the big problems/hacks that are affecting Windows. My, now it looks much more secure then Linux."

    Furthermore, given how quickly a potential problem can be fixed in Linux, as opposed to the "wait, and wait, and wait some more" approach to the MS Service Packs, I'd have to say that the methodology used to reach at least some of the conclusions in the article is seriously flawed.

    Kierthos

    --
    Mr. Hu is not a ninja.
  15. I say this by ducomputergeek · · Score: 4, Informative
    As I finish setting up our newest FreeBSD server, retiring our last Linux box from operations, we now run 100% off some kind of BSD in our company. Some are OpenBSD servers, others FreeBSD, and we have one NetBSD running on an old 486DX with no real purpose other than we wanted to play with NetBSD.

    We are 100% Macintosh on the desktop because I can then spend time on billable hour projects, not internal stuff. But generally speaking, I really just like how BSD, especially the ports system, is organized and managed. Linux has always been scatterbrained with more distros than you can count, whereas I like the core development teams in both Free & OpenBSD.

    When I used to run an online browser-based game system, we often had more people trying to beat the system than the game. This led to problems under Linux and since it was a hobby site that I maintained in my spare time, I didn't have time to mess with keeping everything 100% up to date. So I set the game up again on an OpenBSD platform. Sure it didn't scale as well, but I had no successful breaches from the script kiddies.

    Now that I work as a consultant with small and medium sized companies in this area, security has become a staple of my business. Most of my work is in policy advising because we still see a lot of network breaches, the vast majority having some kind of internal procedure issue. E.g., someone calls saying they are from branch Y and forgot a password and someone gives it to them, or a disgruntled employee sells information to a competitor. Or worse yet, an employee is fired/let go and no one removes access to the system until after they're gone, if at all. I have seen some companies that still have user accounts for people that haven't worked there in over 3 years.

    Still, these are mainly small businesses with less than 10 people that are in real estate or some service business where they might have a website, POS, Email, MS Office, and Quickbooks, more than larger companies that have an actual IT guy or department (even then... I am amazed at the total lack of intelligence of some of the people with MCSE at the end of their business cards).

    Still, the biggest threats are coming not on the server side, but client side with viruses and trojans galore. It's the average Joe Blow that opens every attachment they are sent that causes the bulk of problems from my perspective.

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  16. Re:Longest uptimes, too by One+Louder · · Score: 3, Informative

    Not necessarily - the uptime clock on many operating systems, including Linux, Solaris and HP-UX, roll over after 497 days.

  17. Some details from the study by DarknessInBlindingLi · · Score: 2, Informative

    Another interesting fact about the survey (if you have good eyes, you can look it up here ):
    about 13,000 of the attacks analysed were conducted by Brazilian hacker groups. Makes me wonder how this correlates with the number of attacks on Linux systems (about 13,000)... and why the heck Brazil is the source of more than 75% of the hacks surveyed.

  18. Re:Longest uptimes, too by Dobob · · Score: 5, Informative
    Sorry, but :

    As seen in the netcraft FAQ :
    Additionally HP-UX, Linux, NetApp NetCache, Solaris and recent releases of FreeBSD cycle back to zero after 497 days, exactly as if the machine had been rebooted at that precise point. Thus it is not possible to see a HP-UX, Linux or Solaris system with an uptime measurement above 497 days.
    Since the last server of the top 50 have an uptime of 1073 days, there's no way a Linux box could be in the list.
  19. Re:Fun and games with statistics by KarmaMB84 · · Score: 2, Informative

    Why would Outlook based e-mail trojans be included in a server centric study anyway?

  20. mi2g's links with Microsoft seem to have worked. by elfguy00 · · Score: 2, Informative

    "In a statement, Mi2g said that the company is in touch with Microsoft at a senior level and that the two companies are working together to deal with the issue of vulnerability counting." And what do we hear? Windows vulnerabilities went down and Linux ones went up! right...

  21. Re:Fun and games with statistics by Obyron · · Score: 2, Informative

    What's funny about this? This post needs to be modded informative. I think the mods are confusing the Windows Messenger service-- which, on its face, allows system administrators to send messages to every box on the network-- with MSN Messenger the IM tool. Windows Messenger is a known hole to allow spammers to send you a flood of advertisements. Pretty much anyone that's ever sat at a Windows box without this service disabled knows exactly what I mean.

    I agree that the out-of-the-box insecurity of Windows is so sad that it's funny, but I don't think comedy was the point of the parent's post.

    --
    --Obyron
  22. Re:Blame the distributions. by Anonymous Coward · · Score: 1, Informative

    But after a default install, look, Apache is already running, FTP, telnet, rsh, etc etc is enabled, sendmail routes mail from anyone.

    Have you actually used Linux in the past four years or so? None of the major distributions install Apache et al by default any more, they haven't for years.

  23. Re:Greaaat... You've given the only reason by rjamestaylor · · Score: 2, Informative
    The only reason Slashdot should have posted this crock of line noise is that other media (read: Forbes) accept this stuff lock, stock and festering barrel of line noise. CowboyNeal is smart enough (which isn't a compliment :) to know who Y2K-Is-Going-To-Kill-Us-All mi2g is.

    Posting the story here gets Slashdot added to the cluster of international stories that appear on Google News and provide a way for debunking to reach outside our little community of line noise detectors.

    Still, it's annoying.

    --
    -- @rjamestaylor on Ello
  24. Re:Fun and games with statistics by Afrosheen · · Score: 1, Informative

    IIRC, Windows XP shipped with the tftp server wide open and ready for a locomotive to be driven through it. SP1 or some other security patches finally locked this port down. I'm no windows expert but I casually follow the holes being reported on it, so what I say may not be 100% accurate, but it's close.

    All in all, Windows XP, by default, is vulnerable to virii and worms. You have no idea how many people's machines I've had to fix because they are constantly getting redirects in their browser (a fake google result page even) or popups that won't go away. Spyware and worms run rampant on XP like you wouldn't believe. It's gotten to the point where I won't even fix it for friends anymore. I just tell them stop using Internet Explorer and Outlook/OE.

  25. Re:Lies, damn lies, and statistics... by Anonymous Coward · · Score: 1, Informative

    Because it is a nonsensical copout. The reason this study is invalid is because they deliberately removed two entire classes of breaches that are *major* problems for Microsoft Windows (viruses and worms).

  26. Re:Longest uptimes, too by menscher · · Score: 2, Informative

    Except it's not. That's just netcraft, which stumbled across some machines. But there are others out there, that netcraft doesn't know about. See The Uptimes Project for an OpenVMS machine which beats all your BSD boxes.

  27. Re:Blame the distributions. by Afrosheen · · Score: 2, Informative

    Please enlighten me. What distro comes with all this stuff pre-installed and running on first boot?

    I don't know about the other distros, but Mandrake has discouraged telnet installs for years. If you choose to install Apache and/or FTP + mail services, you'll get warned by the installer *before you even install them*. There are no default internet services installed hands-free on Mandrake.

    Maybe Redhat or others do this, but not my favorite distro. :)

  28. Re:Fun and games with statistics by Curien · · Score: 4, Informative

    I meant hidden in the sense that they're not always in the usual place (the services MMC). The DCOM RPC mapper (think Welchia, etc) needed to be turned off in the DCOM manager, which is only accessible via an obscure command.

    If there was a server on a Linux machine that was started in some obscure shellscript instead of the usual init.d (or whatever your system uses) scripts or inetd, I'd describe it as hidden too.

    --
    It's always a long day... 86400 doesn't fit into a short.
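
    The kernel keeps the ground truth on listening sockets regardless of which init script, inetd entry or "obscure shellscript" started them, so one way to find the hidden servers Curien describes on a Linux box is to read /proc/net/tcp directly and compare it against what you expect to be running. The Python below is an added example, not code from the thread or from any distribution; the /proc/net/tcp sample, the allowed-port list and the little-endian host assumption are all for illustration.

```python
import socket

# Constructed sample in /proc/net/tcp layout (not a real capture): a header row
# and five sockets. Column "st" is the TCP state (0A = LISTEN); local_address is
# the IPv4 address as the kernel's 32-bit word in hex, a colon, and the port in hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0500000A:0016 0700000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"


def decode_addr(hexaddr):
    """'0100007F:0019' -> ('127.0.0.1', 25).

    The kernel prints the address as a host-order 32-bit word, so on a
    little-endian host (x86, assumed here) the bytes come out reversed and
    must be flipped back before inet_ntoa."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return every socket in LISTEN state as {'ip', 'port', 'uid', 'inode'}."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append({"ip": ip, "port": port, "uid": int(fields[7]), "inode": fields[9]})
    return found


def unexpected_listeners(sockets, allowed_ports):
    """Listeners reachable from the network (not bound to loopback) whose port
    is not on the allow-list. The allow-list is the admin's record of what the
    init scripts are supposed to start; anything else is the 'hidden server'
    that needs explaining."""
    return [s for s in sockets
            if s["port"] not in allowed_ports and not s["ip"].startswith("127.")]


if __name__ == "__main__":
    listeners = listening_sockets(SAMPLE_PROC_NET_TCP)
    for s in listeners:
        print(f"LISTEN {s['ip']}:{s['port']} uid={s['uid']} inode={s['inode']}")
    for s in unexpected_listeners(listeners, allowed_ports={22}):
        print(f"UNEXPECTED {s['ip']}:{s['port']} (uid {s['uid']}); "
              f"map inode {s['inode']} to a pid via /proc/*/fd")
```

    On a live host, feed it open("/proc/net/tcp").read(); the inode column is what ties a listener back to a process (the same number shows up as a socket:[inode] link under /proc/PID/fd). /proc/net/tcp6 uses a different address encoding and is not handled here.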
  29. Re:Exactly what I was thinking by mrbuttle · · Score: 4, Informative

    considering the source of the study, I wouldn't give it a lot of credence.

  30. Re:Fun and games with statistics by cubic6 · · Score: 2, Informative

    The Windows Messenger service has nothing to do with either the horribly named Windows Messenger client in WinXP or MSN Messenger. They're all quite badly named, so it's pretty easy to mix/fuse their capabilities. Used properly, the Windows Messenger service can be useful, but it should've been designed to only work on subnets or it should *always* be blocked at your border router. See if your Cisco PIX or broadband router cares about penis enlargement pills. That said, anybody who leaves any kind of PC outside a NAT or restrictive firewall deserves what they get.

    --
    Karma: Contrapositive
  31. Re:This is not news, it's a troll by FrostedWheat · · Score: 2, Informative

    You seem to be confused. A hack is a very different thing from a crash.

    An application should never be able to crash the OS. If it does, then the OS is indeed unstable. Linux will hold up to a lot more punishment than Windows can at the moment. It's not perfect, but what is. And yes, a lot of programs that I run on my Linux box crash. But I don't blame Linux. When my computer completely locks up then I might blame the OS. I get a LOT more complete crashes on Windows. (Or worse, random reboots!)

    A hack (or crack) has little to do with the OS. However the OS does determine what level of control a cracker could gain. For example, crack into a program running on Windows and you could easily bring down the machine. But crack into a program running on SE Linux and you'd be lucky to do anything beyond mess with that one program.

  32. Re:Fun and games with statistics by krappie · · Score: 3, Informative
    Furthermore, given how quickly a potential problem can be fixed in Linux, as opposed to the "wait, and wait, and wait some more" approach to the MS Service Packs


    I think nows a good place to post a link to eeye's upcoming advisories page

  33. You're on by Crazy+Eight · · Score: 2, Informative
    I could easily write a shell script that would crash any Linux system

    Go for it. Post it here. I'll run it and tell you if my machine crashes. This is only half a joke, because I don't believe you.

  34. The Truth about mi2g by Anonymous Coward · · Score: 1, Informative
  35. Re:Fun and games with statistics by J.+T.+MacLeod · · Score: 2, Informative

    Yes, indeed, that is correct if you were using a poorly configured distribution several years ago.

    When is the last time someone had a default install of any decent distribution with any service but SSH running by default, without specifically enabling it?

  36. Re:Overt vs Covert by GlassHeart · · Score: 5, Informative
    Wow, "flamebait" and "overrated" within minutes.

    The original post reminded us not to forget that Windows or OS X boxes could have undiscovered exploits. I'm reminding that Linux can also have undiscovered exploits. By definition, we cannot know how many undiscovered exploits there are in each OS, so we cannot quantify and compare them. Therefore, we must ignore them and talk about the known exploits. Flamebait?

    If anything will destroy Linux, it's fanboy groupthink that the OS is invulnerable. Every choice has a downside. Deciding to leave a service off by default probably makes it more secure, though less convenient. When there are numbers like these presented, it's exactly the time to review such choices to see if they are the right choices to make for your users. Flamebait?

  37. Re:Haha...even Microsoft knows Macs are secure! by violagal · · Score: 2, Informative
    Or an even better picture here

    --
    Look both ways before you cross the road.
  38. Where is the surprise? by Old_UNIX_Dude · · Score: 2, Informative
    BSD has always been more secure than Linux, so where is the surprise???

    I've been using Slackware since version 1, so don't think this is just another anti-Linux comment.

    "Total domination is bad. The Microsoft dominance already badly misled people about how to choose systems. Instead of 'what tool do I use for the job' it's 'well it was shipped with the box'. Linux is a tool, Windows is a tool and so are numerous other systems. It's really important people go back to looking for the right tool for the job. That will never always be Linux. No single tool can do everything well." Alan Cox

  39. Re:Fun and games with statistics by void* · · Score: 2, Informative

    As far as I can tell, they are not discriminating to that level.

    They're just throwing out *all* worms that hit MS operating systems, regardless. That doesn't make for a valid study, and it does not support your statement that it's 'More like "Let's discount all the stuff that rely on TOTAL DIPSHITS to execute on their own computer.'. Sure, those get thrown out - but so do attacks that should not be thrown out. Are they similarly throwing out automated attack scripts that break into a box, install a root kit, then start up a scanner to break into other machines? There's not enough info there to tell, but the info that is there points to the conclusion that they are not.

    --


    Code or be coded.
  40. Patching Fedora by quartertone · · Score: 2, Informative
    I have Fedora boxen unpatched simply because the patch system is fsck'd.
    These might be useful:
  41. Re:Overt vs Covert by Spoing · · Score: 4, Informative
    1. Don't forget, they're also only counting Overt attacks, I.E. Verified ones... ones that leave a trace. It could very well be that all of those windows or OSX boxes were at some point Owned, but that the attack was so successful as to not leave a trace.

    That's one thing that really bugs me about information available to monitor Windows (from log files to dynamic data).

    What I can find in depth, by default, and easily on Linux is a real chore to locate or (in the case of the standard log files) typically useless.

    It must take an excessive amount of effort and forsight for serious monitoring of a Windows system and even then is it trustworthy? The defaults just don't record/show enough.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  42. Was this FUD? by cb8100 · · Score: 2, Informative

    A quick Google search pointed me to this site with statistic about web server software.

    The below uses data available on the above link, so don't flame me if it's wrong, this is just for example's sake

    In January 2004 there were 31,040,922 Apache web servers on the Internet (let's assume those are all Linux or Un*x boxes). There were 9,675,979 Windows servers on the Internet. Let's say that mi2g's results were correct and 13,654 of the Linux/Un*x boxes are hackable. That makes roughly 4.4 percent of Linux/Un*x boxes hackable. If 2,005 of those Windows boxes are hackable, that makes roughly 2.07 percent of those boxes hackable

    While those results (which I wouldn't recommend using for any kind of scientific purpose) still favor Windows (*gag*), it sort of puts things back in perspective

    .

    Also, how many of those Linux boxes had root passwords of "root," "r00t," "toor," or "t00r?"

    --
    My lack of God, it's Trotsky!
  43. Re:Bad research by perfectly-broken-in · · Score: 3, Informative

    >>"When the breach is caused by administrator fault, you can't allways blame the o.s."

    The weakest link in any system is the human.

    If a company wants experienced administrators, they hire Solaris or BSD administrators.

    The truth that the Linux corporate interests don't want companies to know is that Linux administrators are inexperienced compared to Solaris and BSD administrators. A Linux user who has been using Linux since 1.0 was telling me about Kickstart and its benefits. He didn't know what I know, otherwise he wouldn't have bothered sharing the information as if it were some revelation. Solaris had Jumpstart ten years ago when this guy was cutting his teeth.

    I have never understood why people don't see that companies that opt to use a free operating system will also cut costs by hiring less experienced administrators.

    By the way, Apple's strategy is no accident. They deliberately approach Mac OS X with the knowledge that the weakest link in the system is the human. After all, when we talk about the Apple company today, we're really talking about the NeXT core developers who are running the company and who started formulating Mac OS X back in 1986.

  44. Re:Fun and games with statistics by Anonymous Coward · · Score: 1, Informative

    A problem I've found is that Windows hyperplexes so many services to run over port 139. If you open ports 137, 138, and 139, you are allowing a whole lot more in than you're expecting!

  45. Re:OS X is secure right now, but for how long? by perfectly-broken-in · · Score: 4, Informative

    >>The automatic software updates feature is the perfect distribution system for some buggy code, it seems.

    Apple addressed a security vulnerability with Software Update back in 2002. It now connects on an encrypted channel and confirms encrypted signatures before accepting a download. This makes the application very difficult to crack. Let's just put it this way--if it were cracked then Apple wouldn't be the only company in trouble since most of the internet commerce and secure connections these days depend on the same technology.

  46. Re:One nit on this... by Dalcius · · Score: 4, Informative

    "Wasn't the Linux kernel just patched for a number of serious bugs that existed since 2.2? Seems to me Linux is no different than Windows in this respect"

    An honest concern -- we were all pretty shaken up with the rash of security patches to Linux software a couple months back. However, the good majority of these were local exploits, e.g. preventing one user from taking over the entire system. Windows hardly has a concept of local security; almost all of the problems you hear about for Windows are remote exploits, the really dangerous ones.

    Secondly, taking a look at the exploits for Linux, most are much more involved than Windows. Often a Windows system can be cracked with an easy ordering of instructions or a basic buffer overflow. On the other hand, Linux security holes often involve very carefully crafted buffer overflows that go through more than one round of manipulation and usage before the crack happens.

    Thirdly, when Linux folks know of a Linux bug, everyone tends to hear about it immediately. Microsoft has been known to sit on issues for months (or years!).

    There are exceptions to every rule, and generally security depends on the Admin -- but with Windows, there is a limit to how secure you can make your box.

    Cheers

    --
    ~Dalcius
    Rome wasn't burnt in a day.
  47. What is an "overt digital attack"? by Anonymous Coward · · Score: 1, Informative

    From their (mi2g) Methodology FAQ:

    What is an "overt digital attack"?
    Successful hacker attacks on digital systems, such as computers and digitally controlled machines, can be either covert or overt, as opposed to scans or attempts. Covert attacks are not validated by a reliable third party source, whereas overt attacks are either public knowledge or known to an entity other than the attacker(s) and the victim(s).
    There are two types of overt digital attacks: Data attacks and Command and Control attacks.
    mi2g defines an overt digital attack as being an incident when a hacker group has gained unauthorized access to a computer network and has made modifications to any of its publicly visible components (such as a broadcast, service routine, payment / data collection or print out) whilst executing:
    1. Data Attacks: The confidentiality, integrity, authentication or non-repudiation of transactions based on the underlying databases is violated. Such attacked databases may include confidential credit card numbers, identity information, customer and supplier profiles and transaction histories;
    2. Command and Control Attacks: SNMP (Simple Network Management Protocol) controlled computers, routers and switches, networks of ATMs (Automated Teller Machines), DCS (Distributed Control Systems), SCADA (Supervisory Control And Data Acquisition) systems or PLCs (Programmable Logic Controllers) have been compromised.
    (C) 1995 - 2004 mi2g Ltd. All rights reserved worldwide.

  48. Re:Overt vs Covert by Just+Some+Guy · · Score: 5, Informative

    Be sure to LART the person who installed it for you. telnetd is not part of Debian's base installation, so it had to have been manually added later.

    --
    Dewey, what part of this looks like authorities should be involved?
  49. Re:Overt vs Covert by ImpTech · · Score: 4, Informative

    Debian default install puts in pretty much nothing, if I recall. To have all those things enabled, somebody had to install them. To be fair, that's pretty easy to do, since like I said, you get *nothing* to begin with, so the tendency is to start blindly installing things from dselect.

  50. Re:Overt vs Covert by megaduck · · Score: 3, Informative

    Be sure to LART the person who installed it for you. telnetd is not part of Debian's base installation, so it had to have been manually added later.

    My point. The moron that screwed the initial configuration was me. Of course, it was my first Debian install. Maybe I screwed up in dselect. I don't know. What I do know is that Debian automagically put it in my startup scripts, and I didn't know that it would do that. Debian just gave a n00b more than enough rope to hang himself.

    You see, THAT'S THE PROBLEM. The most popular Linux distros let you easily turn on all sorts of insecure things without so much as a warning.

    A total n00b won't get rooted on OS X or (IIRC) the BSDs because turning on services is done post-install and takes an explicit administrator login. You have to really dig to find ways to expose yourself.

    --
    This .sig for rent.
  51. Re:Overt vs Covert by Dahan · · Score: 5, Informative
    Frickin' TELNET! OS X doesn't even come with a telnet server!

    Sure it does... It's not enabled by default, and as far as I know, there's no GUI to enable it, but it certainly comes with telnetd preinstalled:

    greyfox ~% uname -a
    Darwin greyfox.azeotrope.org 6.8 Darwin Kernel Version 6.8: Wed Sep 10 15:20:55PDT 2003; root:xnu/xnu-344.49.obj~2/RELEASE_PPC Power Macintosh powerpc
    greyfox ~% ls -l /usr/libexec/telnetd
    -r-xr-xr-x 1 root wheel 50012 Jan 18 02:05 /usr/libexec/telnetd*
    greyfox ~% grep telnet /etc/inetd.conf
    #telnet stream tcp nowait root /usr/libexec/tcpd telnetd
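
    Dahan's grep above is the classic check: a leading "#" on the inetd.conf line is the only thing keeping telnetd off. The script below is an added example, not code from the thread, Apple or Debian: it parses an inetd.conf in that layout, lists what is actually enabled, records whether each entry is routed through tcpd (and so honours hosts.allow/hosts.deny), and flags cleartext or trust-based services and root-owned entries that are not wrapped. The sample inetd.conf is constructed.

```python
# Constructed inetd.conf fragment (not taken from any real host). An enabled line is:
#   service socket_type protocol wait|nowait user server_program [arguments...]
SAMPLE_INETD_CONF = """\
# Internet services. Lines beginning with '#' are disabled.
#telnet stream  tcp     nowait  root    /usr/libexec/tcpd   telnetd
ftp     stream  tcp     nowait  root    /usr/libexec/tcpd   ftpd -l
finger  stream  tcp     nowait  nobody  /usr/libexec/tcpd   fingerd -s
shell   stream  tcp     nowait  root    /usr/libexec/rshd   rshd
#comsat dgram   udp     wait    root    /usr/libexec/comsat comsat
"""

# Services that send credentials in the clear or trust the client's hostname;
# worth flagging whenever they are enabled at all, wrapped or not.
LEGACY_CLEARTEXT = {"telnet", "ftp", "shell", "login", "exec"}


def enabled_services(conf_text):
    """Parse inetd.conf and return the entries that would actually be started."""
    services = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or commented out: disabled
            continue
        fields = line.split()
        if len(fields) < 6:                        # malformed line, inetd would reject it
            continue
        service, socktype, proto, wait, user, server = fields[:6]
        services.append({
            "service": service,
            "proto": proto,
            "user": user.split(":")[0],            # BSD allows user:group here
            "server": server,
            "args": fields[6:],
            "wrapped": server.endswith("/tcpd"),   # goes through TCP wrappers
        })
    return services


def flagged(services):
    """Entries an admin should justify: legacy cleartext protocols, and anything
    running as root without the tcpd access-control layer in front of it."""
    return [s for s in services
            if s["service"] in LEGACY_CLEARTEXT
            or (s["user"] == "root" and not s["wrapped"])]


if __name__ == "__main__":
    svcs = enabled_services(SAMPLE_INETD_CONF)
    for s in svcs:
        wrap = "tcpd" if s["wrapped"] else "UNWRAPPED"
        print(f"{s['service']:8} {s['proto']:4} user={s['user']:8} {wrap:10} {s['server']} {' '.join(s['args'])}")
    print("flagged:", [s["service"] for s in flagged(svcs)])
```

    Point it at the real file with enabled_services(open("/etc/inetd.conf").read()). Note that the parse only tells you what inetd would start; a daemon launched from rc scripts or by hand never appears here, which is why a listening-socket check is the complement to this one.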

  52. It's called the Event Log. by Ayanami+Rei · · Score: 3, Informative

    Learn how to grok it.
    Also, there's WBEM (which are probes for SNMP) and the Performance Logging and Alerting stuff.

    If your CPU usage spikes mysteriously, or some directory suddenly becomes shared, or a service dies, etc. etc. Windows comes with tools to let you know of this.

    Not that I'm a big Windows fans or anything, but all the information is at your fingertips if you look around.

    The same is true of Linux really... if you didn't know that /var/log contains a wealth of information that you should be looking at, how would you know where to look?

    In my opinion, it's Solaris that sucks in the logging department. Not so much that it doesn't have the right capabilities, but that by default it logs close to nothing. This is very annoying.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  53. Re:Overt vs Covert by f0rt0r · · Score: 2, Informative

    >You see, THAT'S THE PROBLEM. The most popular
    > Linux distros let you easily turn on all sorts >of insecure things without so much as a warning.

    Interesting. I have installed RedHat 7.2, 9.0, Fedora Core, Mandrake 8.0 - 9.2, and each one asked what security level I wanted ( High, Normal, Minimal, None ), then it asked if I had any services I wanted to open the firewall for, and finally ( near the end of the installation ) it listed the network services I had installed, and asked me if I was sure I wanted them to start automatically as they may have vulnerabilities.

    Now, I can't speak for any other distros, but Mandrake, Redhat, and Fedora Core are very popular, and my experience with them definitely does not jive with your statement ( quoted above ).

    Do note that I usually select none as I have a centralized firewall that filters traffic coming and going, and that you usually have to secure services ( such as web server, ssh ) that you make publicly available in addition to the standard firewall rules. For example, I have ssh open, but I use hosts.allow/hosts.deny, and the firewall to limit who can connect to try and login, and I get email notification for both failed and successful attempts.

    --
    I can't afford a sig!
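
    f0rt0r's setup (ssh exposed, but limited by hosts.allow/hosts.deny and the firewall, with mail on both failed and successful attempts) is straightforward to script. The Python below is an added example rather than the poster's own script: it parses sshd lines in syslog format, tallies failures and successes per source address, produces hosts.deny entries for sources over a threshold, and assembles the notification as an email message without sending it. The log lines, threshold, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sshd log lines in syslog format (not from a real host). Two
# guesses from 203.0.113.5, one from 203.0.113.9, a key login from
# 198.51.100.7, and then a successful password login from 203.0.113.5.
SAMPLE_AUTH_LOG = """\
Feb  1 10:00:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Feb  1 10:00:03 web1 sshd[1235]: Failed password for root from 203.0.113.5 port 40123 ssh2
Feb  1 10:00:10 web1 sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Feb  1 10:00:12 web1 sshd[1241]: Failed password for root from 203.0.113.9 port 40130 ssh2
Feb  1 10:00:15 web1 sshd[1242]: Accepted password for bob from 203.0.113.5 port 40140 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_log(text):
    """Return one dict per authentication event; non-auth sshd lines are ignored."""
    return [m.groupdict() for m in (SSHD_RE.search(l) for l in text.splitlines()) if m]


def summarize(events):
    """Per source address: failure count, users tried, and accepted logins."""
    summary = defaultdict(lambda: {"failed": 0, "users_tried": set(), "accepted": []})
    for e in events:
        entry = summary[e["src"]]
        if e["result"] == "Failed":
            entry["failed"] += 1
            entry["users_tried"].add(e["user"])
        else:
            entry["accepted"].append(e["user"])
    return dict(summary)


def hosts_deny_lines(summary, threshold):
    """hosts.deny uses 'daemon_list : client_list'; one line per source over threshold."""
    return [f"sshd: {src}" for src, s in sorted(summary.items()) if s["failed"] >= threshold]


def build_notification(summary, threshold, sender="root@web1.example", recipient="admin@example.invalid"):
    """Build the mail the cron job would send. A successful login from an address
    that was just guessing passwords is the line a human most needs to read."""
    lines = []
    for src, s in sorted(summary.items()):
        note = ""
        if s["accepted"] and s["failed"]:
            note = "  <-- success after failures, verify this login"
        elif s["failed"] >= threshold:
            note = "  <-- over threshold, add to hosts.deny"
        lines.append(f"{src}: failed={s['failed']} tried={sorted(s['users_tried'])} accepted={s['accepted']}{note}")
    msg = EmailMessage()
    msg["Subject"] = "sshd login report"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(lines) + "\n")
    return msg


if __name__ == "__main__":
    summary = summarize(parse_sshd_log(SAMPLE_AUTH_LOG))
    print("\n".join(hosts_deny_lines(summary, threshold=2)))
    print(build_notification(summary, threshold=2))
```

    To deliver it, hand the message to smtplib.SMTP("localhost").send_message(msg) from the same cron job that tails the log; the hosts.deny lines only take effect for sshd if it was built with TCP wrappers or runs behind tcpd, otherwise put the same addresses into the firewall rules instead.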
  54. Re:Ohmygawd, Root is a Security Flaw in Linux! by 24-bit+Voxel · · Score: 4, Informative
    In windows terms, its bad because the person can Read, Write, Edit, and Delete any file on your computer. I think this is bad. If you do not log in as Administrator, you can still run things as admin without having to log out and without compromising as much of your machine. To do this, you need to make sure the "Run As Service" is enabled in your Administrative Settings/Services control panel. (While you are at it, disable telnet if you aren't using it and also disable Remote Registry Service no matter what.) Once RAS is enabled, you can hold down the shift key and right click on anything in windows (a cmd shortcut even if you like the command line) and click Run As... then run it as Admin. Instead of running your WHOLE machine as admin, it will just run that one program (Maya, Half Life come to mind) as admin, and the things it uses. In my honest (and openly admitted unprofessional) opinion, this is better than running as root the whole time. I am not a security specialist, but I read a lot. I guess it's possible if you are already owned to lose control through Run as Service if they already have your password. I'm sure there are other problems with the service, but my understanding is that it is much better than rooting all the time, especially if you use a software firewall and have DSL or cable. (Spammers)

    I'm not trying to dis your windows knowledge, but if you don't know about run as service, chances are you would never know if you got hacked either. If you really want to see how vulnerable you are, even after the windows updates, I suggest you download the Microsoft Baseline Security Analyzer and see just how vulnerable you have been running your machine. I just learned about this program, and it's a real shame they don't advertise it at least. Seems like a real useful one, even if it only has a few tests and probably has a lot of holes it doesn't check. There were at least 4 critical level downloads I needed to fix certain issues that DO NOT show up in windowsupdate for some stupid ass reason. Expect to have to read some technical information about problems and search/find it yourself at microsoft.com for the updates. Something about MDAC, which I'm not too familiar with.

    Disclaimer: I am not a MS shill, I just like to play games. (And this is not a sig, this is reference to MS and this security post.)

  55. Mac 2% market share by Anonymous Coward · · Score: 1, Informative

    [from TFA]:
    - Linux 13,654 breaches
    - Windows 2,005 breaches
    - BSD and Mac OS X 555

    If we normalize the Mac/BSD result to 2% market share, it is 27,750 (assuming that Windows has 100% market share, which is close enough). Yet another flaw in TFA.

    Still, if companies are organisms battling for survival Darwinianly, then this is what you would expect.