The World's Safest Operating System
fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."
Looks like mi2g doesn't have the best reputation:
"And yes, every time an mi2g story has come up, an ugly flamewar has started. The funny thing is, it's the security equivalent of an Adequacy troll.
Some links:
http://www.attrition.org/errata/charlatan/mi2g-history.html
http://www.theregister.co.uk/content/55/28233.html
http://www.nwfusion.com/news/2002/1107msfoul.html"
Mi2g
Second link leads to this page which shows what a crock this (company/report) is.
Read Why is mi2g so unpopular?
Then read this complete debunking of the scam^Wfirm.
Slashdot is trolling us -- did I wake up in Soviet Russia??
-- @rjamestaylor on Ello
as seen here last year
I don't read your sig, why do you read mine?
I don't know about the results, but this 'security company' has been in the news before and as far as I know it was labeled as a bunch of charlatans by real security experts at SecurityFocus. Read more about mi2g at: http://www.attrition.org/errata/charlatan/mi2g-history.html
You're kidding, right? The main /problem/ with Windows is the number of (often hidden) servers that are running by default. UPnP, DCOM, Windows Messenger, etc, etc, etc.
It's always a long day... 86400 doesn't fit into a short.
Windows for home usage (95, 98, ME, 2k, XP) does not come with a pre-enabled HTTP/FTP server, and most people don't even know it's there. Windows Server apparently does (I have no experience with it whatsoever), but I'd like to assume that installs of Windows for the desktop outnumber the installs of the Windows Server family. Please correct me if I'm wrong.
No encryption can withstand the power of the Lucky Guess.
Not really true. AFAIK, lots offer C1 or C2, but few go up to the B ratings. I know DG/UX did, but that's sadly now discontinued. Trusted Solaris 2.5.1 was rated to B1, but Trusted Solaris 8 isn't. Bull did a secure version of AIX, and HP will sell you SEVMS, but if you're looking for a modern B2 Unix, then your options are limited (no Solaris, HP-UX, Tru64, IRIX or Linux, AFAIK).
Incidentally, that's not to say that those OSes couldn't be made to meet those requirements, just that they haven't been certified as such to date.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
No it doesn't. It reads as shades of grey. "Here, let's discount all the big problems/hacks that are affecting Windows. My, now it looks much more secure than Linux."
Furthermore, given how quickly a potential problem can be fixed in Linux, as opposed to the "wait, and wait, and wait some more" approach to the MS Service Packs, I'd have to say that the methodology used to reach at least some of the conclusions in the article is seriously flawed.
Kierthos
Mr. Hu is not a ninja.
We are 100% Macintosh on the desktop because I can then spend time on billable-hour projects, not internal stuff. But generally speaking, I really just like how BSD, especially the ports system, is organized and managed. Linux has always been scatterbrained with more distros than you can count, whereas I like the core development teams in both FreeBSD and OpenBSD.
When I used to run an online browser-based game system, we often had more people trying to beat the system than the game. That led to problems under Linux, and since it was a hobby site that I maintained in my spare time, I didn't have time to mess with keeping everything 100% up to date. So I set the game up again on an OpenBSD platform. Sure, it didn't scale as well, but it had no successful breaches from the script kiddies.
Now that I work as a consultant with small and medium-sized companies in this area, security has become a staple of my business. Most of my work is in policy advising, because we still see a lot of network breaches, the vast majority having some kind of internal procedure issue. Aka, someone calls saying they are from branch Y and forgot a password and someone gives it to them, or a disgruntled employee sells information to a competitor. Or worse yet, an employee is fired/let go and no one removes access to the system until after they're gone, if at all. I have seen some companies that still have user accounts for people that haven't worked there in over 3 years.
Still, these are mainly small businesses with fewer than 10 people that are in real estate or some service business, where they might have a website, POS, email, MS Office, and QuickBooks, more than larger companies that have an actual IT guy or department (even then... I am amazed at the total lack of intelligence of some of the people with MSCE at the end of their business cards).
Still, the biggest threats are coming not on the server side, but on the client side, with viruses and trojans galore. It's the average Joe Blow that opens every attachment they are sent that causes the bulk of problems from my perspective.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Not necessarily - the uptime clock on many operating systems, including Linux, Solaris and HP-UX, rolls over after 497 days.
As seen in the Netcraft FAQ: since the last server in the top 50 has an uptime of 1073 days, there's no way a Linux box could be in the list.
I meant hidden in the sense that they're not always in the usual place (the services MMC). The DCOM RPC mapper (think Welchia, etc) needed to be turned off in the DCOM manager, which is only accessible via an obscure command.
If there was a server on a Linux machine that was started in some obscure shellscript instead of the usual init.d (or whatever your system uses) scripts or inetd, I'd describe it as hidden too.
It's always a long day... 86400 doesn't fit into a short.
Considering the source of the study, I wouldn't give it a lot of credence.
I think now's a good place to post a link to eEye's upcoming advisories page.
The original post reminded us not to forget that Windows or OS X boxes could have undiscovered exploits. I'm reminding that Linux can also have undiscovered exploits. By definition, we cannot know how many undiscovered exploits there are in each OS, so we cannot quantify and compare them. Therefore, we must ignore them and talk about the known exploits. Flamebait?
If anything will destroy Linux, it's fanboy groupthink that the OS is invulnerable. Every choice has a downside. Deciding to leave a service off by default probably makes it more secure, though less convenient. When there are numbers like these presented, it's exactly the time to review such choices to see if they are the right choices to make for your users. Flamebait?
That's one thing that really bugs me about information available to monitor Windows (from log files to dynamic data).
What I can find in depth, by default, and easily on Linux is a real chore to locate or (in the case of the standard log files) typically useless.
It must take an excessive amount of effort and foresight for serious monitoring of a Windows system, and even then, is it trustworthy? The defaults just don't record/show enough.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
>>"When the breach is caused by administrator fault, you can't always blame the o.s."
The weakest link in any system is the human.
If a company wants experienced administrators, they hire Solaris or BSD administrators.
The truth that the Linux corporate interests don't want companies to know is that Linux administrators are inexperienced compared to Solaris and BSD administrators. A Linux user who has been using Linux since 1.0 was telling me about Kickstart and its benefits. He didn't know what I know, otherwise he wouldn't have bothered sharing the information as if it were some revelation. Solaris had Jumpstart ten years ago when this guy was cutting his teeth.
I have never understood why people don't see that companies that opt to use a free operating system will also cut costs by hiring less experienced administrators.
By the way, Apple's strategy is no accident. They deliberately approach Mac OS X with the knowledge that the weakest link in the system is the human. After all, when we talk about the Apple company today, we're really talking about the NeXT core developers who are running the company and who started formulating Mac OS X back in 1986.
>>The automatic software updates feature is the perfect distribution system for some buggy code, it seems.
Apple addressed a security vulnerability with Software Update back in 2002. It now connects on an encrypted channel and confirms encrypted signatures before accepting a download. This makes the application very difficult to crack. Let's just put it this way--if it were cracked then Apple wouldn't be the only company in trouble since most of the internet commerce and secure connections these days depend on the same technology.
"Wasn't the Linux kernel just patched for a number of serious bugs that existed since 2.2? Seems to me Linux is no different than Windows in this respect"
An honest concern -- we were all pretty shaken up with the rash of security patches to Linux software a couple months back. However, the good majority of these were local exploits, e.g. preventing one user from taking over the entire system. Windows hardly has a concept of local security; almost all of the problems you hear about for Windows are remote exploits, the really dangerous ones.
Secondly, taking a look at the exploits for Linux, most are much more involved than Windows. Often a Windows system can be cracked with an easy ordering of instructions or a basic buffer overflow. On the other hand, Linux security holes often involve very carefully crafted buffer overflows that go through more than one round of manipulation and usage before the crack happens.
Thirdly, when Linux folks know of a Linux bug, everyone tends to hear about it immediately. Microsoft has been known to sit on issues for months (or years!).
There are exceptions to every rule, and generally security depends on the Admin -- but with Windows, there is a limit to how secure you can make your box.
Cheers
~Dalcius
Rome wasn't burnt in a day.
Be sure to LART the person who installed it for you. telnetd is not part of Debian's base installation, so it had to have been manually added later.
Dewey, what part of this looks like authorities should be involved?
Debian default install puts in pretty much nothing, if I recall. To have all those things enabled, somebody had to install them. To be fair, that's pretty easy to do, since like I said, you get *nothing* to begin with, so the tendency is to start blindly installing things from dselect.
>>Be sure to LART the person who installed it for you. telnetd is not part of Debian's base installation, so it had to have been manually added later.
My point. The moron that screwed the initial configuration was me. Of course, it was my first Debian install. Maybe I screwed up in dselect. I don't know. What I do know is that Debian automagically put it in my startup scripts, and I didn't know that it would do that. Debian just gave a n00b more than enough rope to hang himself.
You see, THAT'S THE PROBLEM. The most popular Linux distros let you easily turn on all sorts of insecure things without so much as a warning.
A total n00b won't get rooted on OS X or (IIRC) the BSDs because turning on services is done post-install and takes an explicit administrator login. You have to really dig to find ways to expose yourself.
Sure it does... It's not enabled by default, and as far as I know, there's no GUI to enable it, but it certainly comes with telnetd preinstalled:
greyfox ~% uname -a
Darwin greyfox.azeotrope.org 6.8 Darwin Kernel Version 6.8: Wed Sep 10 15:20:55 PDT 2003; root:xnu/xnu-344.49.obj~2/RELEASE_PPC Power Macintosh powerpc
greyfox ~% ls -l /usr/libexec/telnetd
-r-xr-xr-x 1 root wheel 50012 Jan 18 02:05 /usr/libexec/telnetd*
greyfox ~% grep telnet /etc/inetd.conf
#telnet stream tcp nowait root /usr/libexec/tcpd telnetd
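As an added example (not from the thread or from the poster's machine), a small POSIX shell audit that reads an inetd.conf in the format shown in the transcript above and reports which entries are actually enabled, so a commented-out telnet line is recognised as present but inactive. The sample configuration below is constructed for the demonstration.

```sh
#!/bin/sh
# Audit an inetd.conf: which services are really switched on?
# A leading '#' (as on the telnet line in the transcript) means the
# binary may be installed but inetd will not start it.

# Constructed sample inetd.conf content, not a real system's file.
SAMPLE_INETD_CONF='# Internet server configuration database
#telnet  stream  tcp  nowait  root  /usr/libexec/tcpd  telnetd
ftp      stream  tcp  nowait  root  /usr/libexec/tcpd  ftpd -l
#shell   stream  tcp  nowait  root  /usr/libexec/tcpd  rshd
ssh      stream  tcp  nowait  root  /usr/sbin/sshd     sshd -i
'

# Print the service name (field 1) of every enabled entry, one per line.
# Usage: enabled_inetd_services < /etc/inetd.conf
enabled_inetd_services() {
    # Drop blank lines and lines whose first non-blank char is '#'.
    grep -Ev '^[[:space:]]*(#|$)' | awk '{ print $1 }'
}

# Exit 0 if the named service is enabled, 1 otherwise.
# Usage: service_enabled telnet < /etc/inetd.conf
service_enabled() {
    enabled_inetd_services | grep -qx "$1"
}

# Enabled services that carry passwords in cleartext (review these first).
cleartext_enabled() {
    enabled_inetd_services | grep -Ex 'telnet|ftp|shell|login|exec'
}

# Number of enabled entries, for a one-line summary.
count_enabled() {
    enabled_inetd_services | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s' "$SAMPLE_INETD_CONF" | enabled_inetd_services
printf '%s' "$SAMPLE_INETD_CONF" | cleartext_enabled
```

Point the functions at a real file with `service_enabled telnet < /etc/inetd.conf` to get the same answer the grep in the transcript gives, minus the eyeballing.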
Learn how to grok it.
Also, there's WBEM (which are probes for SNMP) and the Performance Logging and Alerting stuff.
If your CPU usage spikes mysteriously, or some directory suddenly becomes shared, or a service dies, etc. etc., Windows comes with tools to let you know of this.
Not that I'm a big Windows fan or anything, but all the information is at your fingertips if you look around.
The same is true of Linux really... if you didn't know that /var/log contains a wealth of information that you should be looking at, how would you know where to look?
In my opinion, it's Solaris that sucks in the logging department. Not so much that it doesn't have the right capabilities, but that by default it logs close to nothing. This is very annoying.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I'm not trying to dis your Windows knowledge, but if you don't know about "run as service", chances are you would never know if you got hacked either. If you really want to see how vulnerable you are, even after the Windows updates, I suggest you download the Microsoft Baseline Security Analyzer and see just how vulnerable you have been running your machine. I just learned about this program, and it's a real shame they don't advertise it at least. Seems like a real useful one, even if it only has a few tests and probably has a lot of holes it doesn't check. There were at least 4 critical-level downloads I needed to fix certain issues that DO NOT show up in Windows Update for some stupid ass reason. Expect to have to read some technical information about problems and search/find it yourself at microsoft.com for the updates. Something about MDAC, which I'm not too familiar with.
Disclaimer: I am not a MS shill, I just like to play games. (And this is not a sig, this is reference to MS and this security post.)