Slashdot Mirror


The World's Safest Operating System

fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."

62 of 1,014 comments

  1. Longest uptimes, too by null_session · · Score: 3, Interesting

    Not only is BSD (apparently) the "safest", but you might be surprised to notice that the 50 highest uptimes on the net belong to BSD.

    And I run linux. You'd think I would learn...

  2. Not too surprising by Mork29 · · Score: 5, Interesting

    Linux is secure... out of the box. However without a skilled administrator, it's very easy to open up LOTS of holes. I think that linux is a great operating system for power users, but let's face it, the average desktop user or the new sys admin, doesn't belong on a powerful distro right now. Perhaps lindows, but not Red Hat Enterprise. One thing I found interesting was this:

    "For the first time, the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004," the analyst said.

    I'm in the army in Europe and we're not allowed to run BSD or OS X. Only non-windows I'm authorized is AIX or um... (I'm really sorry to admit this) SCO. So I'm sure a lot of other government agencies (besides DoD), don't allow BSD and OSX.

  3. Can you say "liars"... by The+Irish+Jew · · Score: 5, Interesting

    The first red flag I noticed was that they want you to pay for the results.
    That's not how it works. There are also many other reasons not to believe them. Boy, it must be nice to be able to make a living just making up statistics.

  4. Re:Overexaggerated by BoomerSooner · · Score: 2, Interesting

    It's not exaggerated, that is exactly what they said. Linux requires updating the same as any other system, the problem is undereducated staff administering the boxes.

    So Linux wasn't the problem, administering Linux was. This is a valid concern. I admin my systems and it is a chore. I run OS X, Linux and Windows based servers and agree OS X is by far the easiest to keep secure. Windows is next (that is applying available patches, assuming MS has released a patch for stated exploits), then Linux.

  5. Re:Overexaggerated by jeffcm · · Score: 3, Interesting
    There are a *LOT* more linux servers out there than there are BSD, Windows and Mac OS X servers. When one factors in percentages, Linux really isn't *that* bad.

    More Linux servers out there? Okay it depends what you're considering a "server". We're not just talking web servers, we're talking database servers, file servers, Active directory servers, Exchange servers (for virtually every office in North America). I don't think you can say there are a lot more Linux servers than others.

  6. What's Wrong With This Picture? by still-a-geek · · Score: 3, Interesting

    If mi2g is saying that BSD OS's and Mac OS-X's are the most secure, then why are they using Linux? Netcraft shows they're running Linux with Apache and have been for over 1.5 years. To me, this study is pointless.

    --

    "Happily lived Mankind in the peaceful Valley of Ignorance." -- Hendrik Willem Van Loon
  7. Oh, not again by Cally · · Score: 4, Interesting

    For god's sake, how many more times will Slashdot fall for crap from this bunch of cowboys? mi2g are the archetypal media whores, they have no clue, no idea what they're talking about but they have the uncanny ability to tune a press release for maximum meaningless security. These 'surveys' they put out every so often are utterly meaningless, based on nothing. They're nothing more than a bunch of bullshitters who should be ignored. Five minutes with Google will turn up all the proof you need, failing that go search www.ntk.net.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  8. Re:Fun and games with statistics by davecb · · Score: 2, Interesting
    It's also actively misleading to only look at successful attacks and use that to predict unsuccessful attacks.

    Where are the numbers for the high security OSs? Every major vendor has a military-grade ("B2" or "Trusted") OS, and there are both SEL Linux and Trusted BSD in this high-security group.

    I ran Trusted Solaris on my test box at home for a while, until I needed the disk, and it shrugged off the ordinary attacks...

    I'd like to know the successful-attack rates on Trusted BSD and SEL Linux. And they would be statistically interesting, too.

    --dave c-b

    --
    davecb@spamcop.net
  9. Re:Fun and games with statistics by Anonymous Coward · · Score: 2, Interesting

    I have read the article. It does say more successful attacks were made on Linux. However, it does not say how many total attacks were made on each system, nor does it say how many types of each system were in place.

    I can show you that more people die in accidents in Fords than they do in Ferraris. Does that prove that Ferraris are safer than Fords?

  10. Re:Of course by Nimloth · · Score: 2, Interesting

    To use it as a decoy to crack another Linux box...

  11. Missing by Aneirin · · Score: 4, Interesting

    Although it has been pointed out that worms, viruses, and other type attacks were completely ignored, there were other significant pieces of information left out as well.

    What percentage of servers overall use what operating system? If only .1% use Mac then actually it would show that Macs are MORE vulnerable because they account for more than .1% of reported cases.

    How did they get these statistics? For them to record a breach two things have to happen. You have to notice the breach and you have to report it. Is there a higher percentage of Windows users who don't notice the breach? Is there a higher percentage that don't report a breach? Linux users would tend to be more open to sharing the information imho since they are already users of open source which by nature is a choice to share information.

    Although there are other things too, the most relevant seems to be their sampling. What portion of their sample was running Linux? They definitely did not use an equal sample size of each OS. Taking result numbers alone is not good enough to make a conclusion.

  12. Re:Overexaggerated by Anonymous Coward · · Score: 5, Interesting

    While I tend to agree that some statements made about Linux security are overblown the fact remains that when a Linux box is properly configured it *is* more secure than a Windows box. Discounting "the recent wave of trojans, viruses", etc. does seem to me to skew the data. I think most Linux advocates are basically trying to say that Linux is resistant to these types of attacks therefore making it slightly safer than Windows out of the box, but the ability to lock it down yourself and keep it up to date are the important part. I've hardened both Linux boxes and Windows boxes and felt pretty comfortable about their security. But I have to say that Linux made me feel a bit better because I really do believe that if you have the knowledge, time and ability to "see what's under the hood" then you are in for a more secure environment. I just can't get that kind of warm fuzzy with Windows. As a final word; to me the various OS are like hammers and screw drivers. They all have advantages and disadvantages depending on the job you need it for.

  13. Re:Fun and games with statistics by Curien · · Score: 2, Interesting

    No, not really. But there is something to be said about separation of privileges and what-have-you.

    --
    It's always a long day... 86400 doesn't fit into a short.
  14. Re:Fun and games with statistics by jusdisgi · · Score: 2, Interesting

    We all know the average Linux user is more likely to tamper with his setup...

    I hope not, for the Windows admins' sakes. If you don't "tamper with your setup" some (or put the box behind some other firewall) by turning off all the services Windows runs by default, you are asking for it on Windows. But then, I'm not "discounting" all the recent attacks on Windows.

    That's the problem I see with this article; to focus entirely on these direct hacking attacks just doesn't make sense....or at least doesn't support their conclusion. To say that one OS is "safer" than the others you must evaluate all the dangers. It's like you have two cars, one of which is somewhat easier to break into than the other...but the other one has an extremely high rate of bursting into flame when the owner leaves it parked. These guys would say the flaming car is "safer to leave your expensive stuff in" after they "discounted" the "latest round of car-sitting-still fires."

    --
    Given a choice between free speech and free beer, most people will take the beer.
  15. The problem by boobsea · · Score: 2, Interesting

    Linux has been the latest fad (and this is in no way a criticism of Linux) amongst the pseudo-geeks who want to be cool by running Linux.

    Most of these people don't know how or why they should lock down their boxes and keep their packages up to date.

    Part of the problem is that many distros enable a lot of services by default, and over time, they become vulnerable to the latest buffer overflows and get rooted eventually by people who don't know about them.

    The blame really doesn't go to Linux for its design. It just happens to be popular amongst people who don't know squat about security, though it would help if more distros would lock things down by default.

  16. Re:Overexaggerated by BoomerSooner · · Score: 2, Interesting

    I disagree. (English gentleman drives off quickly a la Family Guy.)

    Every OS doesn't need to be idiot friendly, they do need ease of use. I don't think administering a system should be done by anyone without any background/training. However, that is the world we live in. I'd say only 1 in 10 of admins I've worked with actually have any formal training or a college education. In the end it comes back to bite them and the company they work for.

  17. what about Netware by loric_rasper · · Score: 2, Interesting

    What about Netware? Linux and Windows have had hundreds of security related patches in the last few years. Netware has had, like 4.

  18. What's in an OS? by cpghost · · Score: 5, Interesting

    A lot of software is shared between BSD and Linux installations. Stuff like sendmail (qmail, postfix, ...), apache, bind, etc... is exactly the same on both OSes. Most security breaches involve a buffer overrun in one of these server programs. So obviously, Linux and BSD systems should be equally vulnerable (or safe) w.r.t. remote exploits...

    As many have pointed out in other threads, the ratio of competent/incompetent Linux admins is higher than the competent/incompetent BSD admins ratio. This is sad, but true. It is not because Linux is bad or hard to manage, it's simply because Linux is much more popular than BSD. Newbie admins will seldom start with BSD, so they make their mistakes on Linux boxes first. Some of them may grow up tired of all the different idiosyncrasies of Linux distros, and try BSD. A few may even like it and stick to it. But the point here is that your average BSD admin is already experienced with Linux systems, whereas the bulk of Linux admins won't.

    Linux or BSD are both great systems, but they can be really dangerous in the hands of the inexperienced.

    DISCLAIMER: I'm a senior FreeBSD sysadmin since 2.0, but I'm also managing a farm of misc. Linux variants since kernel 0.99 in high risk secure environments. I like both systems very much, so I tend to dislike stupid over-generalizations a la BSD is more secure than Linux (even if it is true, for the reasons explained above).

    --
    cpghost at Cordula's Web.
  19. Blame the distributions. by Moderation+abuser · · Score: 2, Interesting

    Basically, they are deliberately sacrificing security for ease of use. Same as Microsoft.

    There's no reason Linux can't be highly secure, except that it'll be a pain in the arse to add services like FTP, web etc. But after a default install, look, Apache is already running, FTP, telnet, rsh, etc etc is enabled, sendmail routes mail from anyone. All so that some numpty can drop a CD into a drive and it all just magically installs and works.

    So instead of it taking effort to make Linux work, it takes effort to make Linux secure.

    --
    Government of the people, by corporate executives, for corporate profits.
  20. Results of *my* survey... by jusdisgi · · Score: 3, Interesting

    Don't be ridiculous. All my boxes are patched; Linux, BSD and Windows. Now....I spend significantly more time keeping the Windows ones safe. And I have had many more security breaches on Windows (4) than on Linux (0) or FreeBSD (0). And most of my services are on Linux.

    But the point here, that most folks do at least seem to recognize, is that the reason I have to worry about the Windows machines so much doesn't have anything to do with a "real" hacker actually "attacking" me. That's what I worry about on the Linux boxes, and just a bit on the BSD one (there are actually a really high concentration of FreeBSD boxes on the network that machine is in, so it is a bit more inviting a target than normal). On the Windows machine I just lose sleep all the time over script-kiddies and worms.

    After all...why would anyone expend their 31337 h4X0r skills on some Windows box, when there are a dozen easy point-click-backdoor attacks available? No, anybody who wants to spend real energy taking over systems will point at something more impressive.

    ...not that this means you don't have to patch your box. But all major distros these days make that really painless. Or at least a lot less painful than Windows.

    --
    Given a choice between free speech and free beer, most people will take the beer.
    1. Re:Results of *my* survey... by skinfitz · · Score: 5, Interesting

      ..not that this means you don't have to patch your box. But all major distros these days make that really painless. Or at least a lot less painful than Windows.

      I disagree with that from personal experience. On Windows - Control Panel, automatic updates - enable. That's it.

      Fedora from GUI:
      Run up2date
      Be told you are not registered. Click ok.
      Choose what updates you want. Select all, start the process.
      Process freezes either before it starts, during, or near the end, OR you are told a package has been tampered with (when really it's just corrupt). Solution: patch one package at a time (which is a $@ing PAIN in the arse). I have Fedora boxen unpatched simply because the patch system is fsck'd.

      Fedora from command line:
      [root@dredd root]# up2date
      Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.

      Your Update Agent options specify that you want to use GPG.

      To install the key, run the following as root:

      rpm --import /usr/share/rhn/RPM-GPG-KEY

      [root@dredd root]# rpm --import /usr/share/rhn/RPM-GPG-KEY
      [root@dredd root]#
      [root@dredd root]# up2date
      Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.

      Your Update Agent options specify that you want to use GPG.

      To install the key, run the following as root:

      rpm --import /usr/share/rhn/RPM-GPG-KEY

      [root@dredd root]#


      Yeah - MUCH easier than Windows. Not.

    2. Re:Results of *my* survey... by Paracelcus · · Score: 2, Interesting

      Makes ya wonder who paid for this study don't it?

      --
      I killed da wabbit -Elmer Fudd
  21. Re:Overexaggerated by LordKazan · · Score: 1, Interesting

    There is one flaw in your attempted reversal - typically there actually is a security patch for linux, typically there is not one for windows.

    Add on to that the fact that windows [security] flaws are systemic and linux flaws tend to be in individual daemons which may or may not have system level security (See apache running in its own user/group, same with mysql, etc).

    --
    If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
  22. Numbers, Numbers, Numbers... by rmpotter · · Score: 4, Interesting

    Here I go burning Karma again... Since we can't know the full details of this report unless one of us actually buys it, it is probably pointless to speculate on their methods. However... if you assume they didn't try to stack and that the following is more or less true:

    * that most of these 17,074 were web servers
    * that all or most of these servers were production boxes (worthy of being investigated after a break-in)
    * that at least 20% of these were running Windows/IIS (Netcraft

    then all things being equal, there SHOULD have been at least 3400 Windows break-ins. Since there were about 2005 successful Windows attacks, MS and Windows admins must be doing something right. Many Windows admins ensure their boxes are patched. They follow NTBugTraq. They run lockdown tools or subscribe to security monitoring services. They are aware of potential breaches and most importantly THEY ARE NOT AS ARROGANT AND SMUG as some of their Linux counterparts.

    Mmmm -- nothing like the sweet smell of Karma burning on a cold February afternoon!

    --
    Is this sig nificant?
  23. Re:Automatic Update by gordguide · · Score: 4, Interesting

    " ... Mac OS X has a dumb little icon that leaps and jumps and bounces and begs for attention any time an update is ready. ..."

    Doesn't do that on mine. Turn off automatic updating.

    " ... When the update applies itself and wants a reboot, your only options are "shutdown" and "restart." There's no "cancel" option. ..."

    There's no "cancel" option because it's unnecessary. Just keep working. You can "re" boot tomorrow, like I do. (most updates don't require a reboot at all, by the way. But if they do, fuggetaboutit. Get some work done).

    I suppose you could sit there and watch the update progress. I don't; I launch all my apps first thing; one of them is software update. If one is available, I click to install, enter my password, and then do something else (there's one installing right now. Or maybe it's done. Who knows? Who cares? Use the damn computer, SW Update doesn't need any attention from you).

    A check for security-relevant updates should probably be part of a Linux admin's daily routine. Kernel updates can be ignored; there's no need to update a perfectly good Linux install just because you can. Rookie error.

    As for Windows update, I did a clean install of Win98SE about 2 weeks ago. 61 updates required, though mercifully only about 24 were "critical". And yes, you do need to stop everything and reboot every time with that OS.

    I use Linux, Windows 98 & XP and OSX every day. It gives you a little perspective.

  24. Re:Fun and games with statistics by Anonymous Coward · · Score: 5, Interesting

    It sounds like you are missing the point or trolling. What this study shows is that Linux can often be cracked if somebody takes the time to target it. As opposed to Microsoft Windows, where a single person can take over millions of systems at once with a worm or virus.

  25. Mi2g by WindBourne · · Score: 4, Interesting

    The truly funny thing here is that Mi2g is a security firm that runs Linux and sells services for Linux, but reports that Linux is the worst of the bunch. Hummmmmmm.

    I suspect that shortly they will be reporting that Linux is more loaded with Viruses than Windows, to be followed with their new anti-viral software.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  26. Re:From Greg over @ OS-News by neillewis · · Score: 3, Interesting

    MI2G has an established history of releasing publicity seeking press releases that security researchers find to be questionable. I'd have to see a third party review of their methodology before I would trust their analysis. I don't doubt there are security concerns about linux as much as any other OS, and I'd be interested to see some hard actionable evidence.

  27. Re:Face it... by sloanster · · Score: 2, Interesting

    Time to face it and stop thinking Linux is the best thing since sliced bread in security. Linux has as many holes as everything else.

    Oops, looks like another anonymous newbie showing his credulity, swallowing the sensational headline hook, line and sinker without so much as a passing nod to actually getting the facts.

    Note the very common troll technique: create an absurd position out of thin air, a straw man ("linux is the best thing since sliced bread in security") which nobody has ever said, and then attempt to make oneself look like the voice of reason by attacking the absurd position.

    Then, having established oneself as the voice of reason, chime in with an absurd non-sequitur which, once examined, lacks any basis whatsoever ("Linux has as many holes as everything else").

    Seriously, look at the so-called report and find out what they are saying. Try to put it into your own words. Ask yourself if you understand everything clearly, or whether there is missing information. What could that missing information be, and why was it withheld, just sloppiness, or a clumsy attempt to deceive?

    Clearly, if they begin by tossing out any reference to any of the major security issues of the past year (the relentless variety of microsoft worms and viruses) you have to be suspect. Naturally, you'd wonder what else they tossed out, and what sort of goofy methodologies they used, what they define as a successful attack, etc.

    It turns out these guys have a pretty crappy reputation in general, google them for a heads-up!

  28. Lies, Damned Lies and Mi2g's "Report" by BobandMax · · Score: 5, Interesting

    1. They failed to mention that these are REPORTED breaches. Most organizations do not report breaches.
    2. They did not normalize against the sample population for each OS, but simply reported raw numbers. Statistical crap.
    3. No categorization of breach types. (root, user, etc.)
    4. From what sources were their data derived?

    In short, this "report" is bullshit and tells nothing of interest.

    --

    "Computers are useless. They can only give you answers."
    -- Pablo Picasso
  29. Re:Fun and games with statistics by Anonymous Coward · · Score: 4, Interesting

    A good quote from the MacWorld article

    "Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."

    As others have said, poor configurations caused the most problems for the linux machines.

  30. Re:What if Windows were found most vulnerable? by Anonymous Coward · · Score: 1, Interesting

    Slammer was an exploit against SQL Server, not Windows. Would a similar worm targeting PostgreSQL be counted as an exploit against Linux or BSD?

  31. Wake up call by niittyniemi · · Score: 5, Interesting


    > Windows users are less likely to run a webserver,
    > simply because they're not as eager to play with
    > their system as Linux users. Therefore there
    > will be less insecure Windows servers. The same
    > goes for Mac-OS users.


    The study was talking about servers. So your comment about Windows users being less likely to run a webserver makes no sense whatsoever. In terms of the study, they are every bit as likely to be running a webserver.

    Linux users have to face the facts when addressing this matter and not bury their heads in the sand. There are any number of Linux users who don't even know what inetd and tcpwrappers are let alone bugtraq and cert or how to upgrade their systems and keep them secure or how to write PHP scripts with bounds checking.

    Until that changes Linux boxes are going to continue to be broken into wholesale.

    The reaction to this story on here reminds me of when Apache and IIS were put head to head in some study and there was wholesale denial that IIS could outperform Apache. The Apache team recognised there was a problem though and set about improving their software. This is what Linux users have to do now.

    Whilst the study may be flawed and the company that did it may have an agenda, 13000+ Linux break-ins in a year should be serious cause for concern.

    Folks, please face the facts even if they are unpleasant and improve the software and more importantly improve the education of the user base.

    --
    The Machine stops.
  32. Downfall? by Anonymous Coward · · Score: 1, Interesting

    Unless something is done to increase the reliability of all Linux distros out of the box, and improve updating technologies for the future stoopud human Linux user... the ultimate downfall of Linux, will be Linux!

    Microsoft isn't stupid, they recognized this same situation for Windows and are doing something about it.

  33. THE STATISTICIAN SAYS: by Anonymous Coward · · Score: 1, Interesting

    I have had 10 years of statistics. It is not scientific to dump such a conclusion when they've set their 'research' up in the way they did.

    It's really a nasty one. By the way - who FUNDED the research? Billy may once again be reverting to FUDling around... naughty boy...

  34. Research design = worthless results by abbamouse · · Score: 4, Interesting

    This study committed the worst type of selection error: selection on the dependent variable. In this study (or at least in the article's description) the dependent variable is successful penetration. The value of this variable is 1 (ie yes) in every case. Therefore, the dependent variable doesn't vary. Now the independent variable (type of OS on target system) does vary, but unless the dataset includes unsuccessful penetrations (or transforms the dependent variable into a comparative measure based on average penetrations per OS/server) absolutely nothing of value can be learned. This is research design 101, folks: variables need to vary.

    --
    Make cheese not war 8:)
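
The selection problem described in the comment above, worked through as an added example (not part of the original thread). The installed-base sizes and breach probabilities are constructed for illustration and do not come from the mi2g report; the point is that a breach-only dataset ranks Linux first in both worlds, whatever its real per-server risk.

```python
import random
from collections import Counter

# Constructed worlds: OS -> (installed servers, per-server breach probability).
# None of these figures come from the mi2g report or from this thread.
WORLDS = {
    # Every OS is equally risky; only popularity differs.
    "equal_risk": {
        "linux": (60000, 0.05),
        "windows": (30000, 0.05),
        "bsd": (10000, 0.05),
    },
    # Linux is the safest per server, but by far the most widely deployed.
    "linux_safest": {
        "linux": (80000, 0.01),
        "windows": (15000, 0.03),
        "bsd": (10000, 0.02),
    },
}


def simulate(world, seed=1):
    """Return one (os_name, breached) row per installed server."""
    rng = random.Random(seed)
    servers = []
    for os_name, (installed, p_breach) in world.items():
        for _ in range(installed):
            servers.append((os_name, rng.random() < p_breach))
    return servers


def breaches_only(servers):
    """The dataset a breach survey sees: rows where breached is True."""
    return [row for row in servers if row[1]]


def dependent_variable_varies(rows):
    """True if the outcome column takes more than one value."""
    return len({breached for _, breached in rows}) > 1


def share_of_breaches(breach_rows):
    """Raw 'percent of all breaches' per OS, the figure the survey reports."""
    counts = Counter(os_name for os_name, _ in breach_rows)
    total = sum(counts.values())
    return {os_name: n / total for os_name, n in counts.items()}


def rate_per_server(servers):
    """Breaches divided by installed base; needs the un-breached rows too."""
    installed = Counter(os_name for os_name, _ in servers)
    breached = Counter(os_name for os_name, hit in servers if hit)
    return {os_name: breached[os_name] / installed[os_name]
            for os_name in installed}


if __name__ == "__main__":
    for name, world in WORLDS.items():
        servers = simulate(world)
        seen = breaches_only(servers)
        print(name)
        print("  outcome varies in breach-only data:",
              dependent_variable_varies(seen))
        for os_name, share in sorted(share_of_breaches(seen).items()):
            rate = rate_per_server(servers)[os_name]
            print(f"  {os_name:8s} share of breaches {share:6.1%}"
                  f"   rate per server {rate:6.2%}")
```
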
  35. The reason is simple. by Jack+Zombie · · Score: 2, Interesting

    "The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers."

    Hackers don't do Windows: it's just too easy; BSDs are viewed more as trophies than anything useful; and Linux is the most popular of the alternative OS, and one very used by the common hacker, so it makes sense that they target it more frequently.

    My point: it's not the OS's fault for these statistics, it's the common hacker mentality; if they included viruses and worms, Windows would surely come first, because it is, technically at least, the least secure OS of them all.

    (yes, yes, not all blackhats use Linux, and it isn't just blackhats that use Linux, but I'm talking about the hacking/cracking/defacing/whatever you want to call it community in general)

    --
    "You should never doubt what nobody is sure about." -- Willy Wonka
  36. Re:Fun and games with statistics by black+mariah · · Score: 2, Interesting

    Well, poor configurations and inadequate training cause most Windows worms and viruses too. Morons that have Outlook set up to automatically download and execute attachments, and morons that download and execute attachments their damn selves. If people weren't so fucking stupid, these problems wouldn't exist.

    --
    'Standards' in computing only impress those who are impressed by things like 'standards'.
  37. Not surprising by KalvinB · · Score: 4, Interesting

    Linux is touted as being secure "out of the box."

    So what do people do? They install it, throw it directly on the line and assume it's secure "out of the box." So they don't worry about it.

    I know Windows isn't secure. There's no way in hell I'm putting ANY OS directly on the line. I run a hardware firewall between every computer and the outside. Very few ports are open and I know exactly what's running on each of those ports.

    For my IcarusIndie.com server it's logged in as an Administrator 24/7 365 days a year. Guess how many times it's been hacked?

    Once someone erased all the usernames and passwords out of MySQL. They did it through a PHP page that uses MySQL. Nothing was actually damaged because they couldn't get anywhere. There is no way to remotely connect to MySQL. It's pretty lame that a semicolon can allow arbitrary commands to be issued to MySQL. And yes I'm running the latest version.

    Another time someone I know decided to demonstrate a nearly server crashing bug GuildFTPd has. I updated to the latest version that claimed to have fixed the problem (ignoring your settings for not allowing more than X connections from a single IP) and it wasn't actually fixed. I now run BulletProof FTP server and it isn't affected by that DoS bug and has no known remote exploits.

    I also run WinVNC. Except it's modified to use a whitelist. Only when you connect with given IPs do you even get the password prompt. And there's no way to remotely change the IP list unless you already have a whitelisted IP. So when my Cox IP changes I have to go down to the ISP to get physical access to update the whitelist.

    No one has ever managed to hack Windows. Even though I'm running as "root." Only some very flaky software handling the above mentioned hacked services. But they've never managed to cause any real damage.

    My web-site has been running logged in as Admin for going on 4 years. That's a very stellar record. And not hard to achieve if you're not blinded by propaganda. I even ran my server on WinME to start with and never got hacked.

    It's an attitude problem. Not a hardware or software problem if your systems are being hacked into.

    Ben

  38. Re:Fun and games with statistics by You're+All+Wrong · · Score: 5, Interesting

    "last year" is pretty irrelevant, as mi2g came up with exactly the same report in 2002.

    http://archive.infoworld.com/articles/hn/xml/02/10/21/021021hnvulnerable.xml

    DK Matai is simply trying to spin the same propaganda that he did in 2002 with the pretense that it contains pertinent information. On the whole it doesn't - looking at the bottom line -- the dollar -- it's the MS exploits alone which are having any real effect in the real world.

    Sure, to pretend that Linux systems are magically impenetrable is equally not in the real world, but I think things need to be put in perspective.

    Also - do sysadmin misconfigurations (e.g. setting anonymous ftp with access to all areas) count as an exploit? It's not the OS's fault if a human has selected a brain-dead configuration.

    YAW.

    --
    Your head of state is a corrupt weasel, I hope you're happy.
  39. Re:I say this by ryanw · · Score: 3, Interesting

    We are 100% Macintosh on the desktop because I can then spend time on billable hour projects, not internal stuff. But generally speaking, I really just like how BSD, especially the ports system, is organized and managed. Linux has always been scattered brained with more distros than you can count, whereas I like the core development teams in both Free & Open BSD.

    I completely agree! I have been complaining about the whole Linux vs BSD thing for years. I have talked to several people about "Why did Linux become more MAINSTREAM than *BSD?" The answer I've concluded is that you could buy Linux in a little redbox at your local computer store with a semi-helpful manual. NON UNIX PEOPLE could try out UNIX.

    So it comes down to NON-UNIX people have made Linux popular because that was their FIRST exposure to UNIX.

    Is there ANYONE here that was HEAVILY into BSD and switched to a Redhat or any other Linux distro? I would imagine those numbers be few to none. I've known Solaris admins switching to Linux on x86 based servers for cost savings, but none of them really ever played with BSD before choosing Linux ... I would imagine had they been exposed to BSD first, they would have chosen BSD over Linux.

  40. Study is a joke, results are not normalised by Rui+del-Negro · · Score: 4, Interesting

    Note that the results shown in the MacWorld article are not normalised. In other words, they are the total number of attacks, not the number of attacks relative to the presence of each OS. Naturally, operating systems that power millions of web servers are more likely to suffer attacks than operating systems that power only a few thousand (or even hundreds).

    It sounds very impressive that "the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004", but then you look at the number of government servers actually running OS X, and it becomes pretty clear why they weren't attacked. There are simply very few government servers running OS X (less than 3%).

    So this "study" is a joke. I only wonder who commissioned it, Apple or Microsoft...?

  41. Haha...even Microsoft knows Macs are secure! by violagal · · Score: 2, Interesting
    Perhaps that's why Microsoft is using PowerBooks to teach about security! See the picture on their website

    --
    Look both ways before you cross the road.
  42. Re:You're on by TheBadger · · Score: 2, Interesting

    I brought a SunOS5.6 box to its knees with the following script called "ps"

    #!/bin/bash
    ps&

    Unfortunately this was a config problem. The number of processes allowed per user was the same as the number of processes for the machine (or there was no limit)

    I had to phone people up to get them to logout to free up processes so I could kill the chain.

  43. Re:Fun and games with GNU Octave by flossie · · Score: 2, Interesting

    Using GNU Octave http://www.octave.org,

    decode.m:
    function decode (b)
      for i = 1:length(b)
        printf("%s",char(bin2dec(num2str(b(i)))));
      endfor
      printf("\n");
    endfunction

    octave:1> decode ([01100111 01101111 01110100 00100000 01110011 01101001 01100111 00111111])
    got sig?

    octave:2> decode ([01101110 01101111 00101100 00100000 01101001 00100000 01100100 01101111 01101110 00100111 01110100 00100000 01101000 01100001 01110110 01100101 00100000 01100001 00100000 01110011 01101001 01100111])
    no, i don't have a sig

  44. Take with 30mG salt by billsf · · Score: 2, Interesting

    It is quite well known M$ has been in bed with Apple for a long time. While it is absolutely no surprise *BSD wins, and for Mac World, Mac comes in second, one has to wonder what this is about?

    Who doesn't know an unpublished exploit of Windows? Perhaps because it is so easy, script kiddies have turned their noses up to Windows? More likely Micro$oft just paid someone off and this is just another example of FUD? I've used all flavours of BSD for years and certainly won't switch. I've used (and still do) use Linux and certainly it can be more trusted than anything from M$.

    Others have described the mayhem Microsoft does to the Internet, the worms and all that stuff. Perhaps Linux should review security a bit, but Linux is actually just the kernel and that has been top line for years. Just watch the added and unknown software you add. Same for Windows, but the fundamental basis of that kernel is flawed and without any true 'division of privileges' it's a piece of cake to exploit.

  45. OSX most secure? No, most *obscure* by usrerco · · Score: 5, Interesting

    The reason OSX (workstations) are so secure is all services are turned off by default. Definitely a good security strategy. And it's hard to turn the stuff on (no prominent shiny, candy-like buttons to enable them)

    But even if those potentially dangerous services are enabled (DNS, sendmail), they're less likely to be cracked because most cracks use buffer overruns that are intel specific code injections.

    Intel has been around for 20 years, which means 20 years of people learning assembly, and mature, asswiping documentation on every detail of the processor. And also, long evolved cracking documents/tools.

    Whereas OSX has only been around a few years. And at the time it came out, many tools (DNS, sendmail) had already become security aware. Viruses had already been running rampant, so Apple was able to start at a point where security issues could be worked into the design. Also, when OSX came out, few people cared about assembly anymore. In the 80's it was necessary, but now, it is less so.

    At this particular point in time, if an OSX box and linux box are each running the same buggy version of DNS (the one that had the buffer overrun loophole), surely only the linux box will get rooted, because the rootkits are mostly intel specific. The initial rooting of a machine usually involves an assembly level attack with a buffer overrun.

    So it's not even an open source issue; DNS is open source. It's the same code on both platforms. But because Mac's OSX platform hasn't been around for long, is one reason there aren't popular rootkits for it. But if there is one, then it's just a matter of time and desire on the part of crackers.

    One thing Mac also has going for it is OSX (workstation) the day it was released, by default had all services disabled. So it's a pretty tough box to crack from day one; even if grandma turns on her new OSX box for the first time, it will likely be more secure than a linux box configured by a seasoned admin setting up linux for the first time. (weeks later: "What, sendmail and portmapper are running? I didn't turn those on!")

    So there is less desire to even try to crack a platform that has no services to crack to begin with.

    However, with OSX *server* being a bit more recent, eventually cracks may become more desirable because that will have attackable services. But someone will have to learn assembly for the Mac to implement the buffer overrun attacks. And it may take a few years before that becomes as popular as linux rootkits.

    It would be good if the Linux distros made it harder for first time users setting up webservers to accidentally leave on useless services like NFS, portmapper, and all those daemons internet servers don't need (lpd, yp, linuxconf, auto-updaters).

    Hmm, I wonder what services were enabled on the article's test machines. I guess it wouldn't matter, because an intel buffer overrun injection on a Mac just won't fly.

  46. Re:Fun and games with statistics by gnu-generation-one · · Score: 3, Interesting

    "Morons that have Outlook set up to automatically download and execute attachments"

    Set up? I didn't set it up at all, it just came like this. Look! I can click this button, and it downloads my email.

    Setup? You mean those 7 tabs (2-3 of which are hidden?), with about 3-4 buttons on each tab that bring up an "advanced options" window with lists and tabs, some of which have little buttons to bring up "advanced advanced options"? I can't quite work those out, as all the options seem to be in illogical places. Is it in general->email options, or in email options->general?

  47. Failed Paradigm? by aaron_ds · · Score: 5, Interesting

    I'm going to say this just because no one else will. Suppose Linux simply is less secure than Windows. I have been hearing the opposite from the slashdot crowd with no information to back themselves up. They simply state that because it's open source, it must be more secure.

    Then when information proves otherwise, they say things like, they may have been the most targeted or Linux is over-represented as a target of hacking because there is so much low hanging fruit out there

    Modding this as Flamebait only proves how Linux-centric Slashdot is.

  48. Re:Fun and games with statistics by jc42 · · Score: 2, Interesting

    Depends on how you define "better".

    If your primary requirement is a cheap, fast way to get a lot of machines up and running, and security isn't at the top of your list, then a "distribution" is the way to go. You still have to decide which one, and that depends on how your people will be using it.

    If your primary requirement is a way to get a few machines (e.g., a server farm) up and running so that it is secure and reliable, then what you want to do is download all the source and build your own systems one piece at a time. You make sure you understand each package's configuration and security needs before you let it go live.

    There is no best way for everyone.

    Historically, linux has mostly been the favorite of people who want distributions. It tends to come with everything that compiles and passes the "make test" suite. It's no surprise that linux distributions should contain packages that are insecure. That's what happens when you let everyone throw their favorite apps into the bin.

    Historically, the BSDs have been the favorite of people who have serious security concerns. It's no surprise that they should lack the full bag of bells and whistles of linux, and it's no surprise that they should have few security issues.

    It does seem that, if you take the build-it-yourself approach with linux, you can get a well-tailored machine that's also fairly secure. But you will have to do the work and spend the time learning about the issues.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  49. The things you seem to not understand. by khasim · · Score: 1, Interesting

    "If anything will destroy Linux, it's fanboy groupthink that the OS is invulnerable."

    No one thinks Linux is invulnerable. Linux is just MUCH BETTER than Windows. Check out SELinux for information about making Linux even MORE secure.

    "When there are numbers like these presented, it's exactly the time to review such choices to see if they are the right choices to make for your users."

    The numbers are meaningless without the background. Even assuming that those numbers are CORRECT, what does that tell you about Linux?

    Were those attacks successful because of a bad choice of passwords? ...or because of permissions set wrong on a script? ...or because of a hole in sendmail? ...or because of a buffer overflow? ...or because of ........?

    There is no information presented in that "article" beyond some numbers given out of context. Because there is no information given, no actions are required.

    "Deciding to leave a service off by default probably makes it more secure, though less convenient."

    No "probably" about it. One of the rules of security is TURN OFF ANYTHING YOU DO NOT ABSOLUTELY NEED.

    I wouldn't say "flamebait". But your post does betray a lack of knowledge about security.

    1. Re:The things you seem to not understand. by aulendil · · Score: 5, Interesting
      The same thing you just said could be said about any OS! Instead of "deny everything" try to explain why these numbers are wrong for Linux and not for the other OSes.
      Every time some evidence of any UNIX, and especially Linux, being unsecure comes up there are people declaring that the evidence is faulty because UNIX is secure...

      Though this will probably be moderated as flamebait I must say that if you take the same care to secure your windowsboxes as you do with your UNIXboxes you will be rewarded with, surprise, secure boxes all over. Windows isn't inherently insecure as well as UNIX secure.

  50. Re:Overt vs Covert by megaduck · · Score: 5, Interesting

    Totally agreed. Linux's worst enemy is the Linux boosters who think it's perfect. I'm exhausted, but I'll try and share an anecdote.

    I was up all night last night securing a Debian webserver. Maybe I pushed the wrong buttons, but when that box first booted up a port scan lit it up like a christmas tree. SSH was open, but so was RPC, Finger, FTP, time, LPD, SMTP, and Telnet. Frickin' TELNET! OS X doesn't even come with a telnet server!

    This was my first Debian box, so it took quite a while to learn the ropes so that I could hunt down and properly squash all of these open ports and set up some firewall rules. Sure, a knowledgeable Linux guy could have done this a lot faster. I came from the OS X world, though, so I had a lot of catching up to do.

    The BSDs don't let newbies make those kind of mistakes. Set up a Mac with all of the defaults, and it's secure. OpenBSD and FreeBSD don't have squat enabled by default. Linux is great, but it still contains a LOT of pitfalls for new admins and users. These security issues are going to get worse as Linux becomes more popular.

    --
    This .sig for rent.
  51. Linux users better get used to this by Anonymous Coward · · Score: 2, Interesting

    Okay, Linux advocates, hold on to your seats,
    and make sure you've got your heart medicine,
    but ...

    I predict that in the coming years, you're
    going to have to get used to hearing how much
    more secure Windows is than Linux. Why?
    Because Microsoft has no choice.

    Microsoft hasn't found a way of squashing Linux
    using anti-competitive business practices.
    They're facing the loss of a great deal of revenue
    and market share from Linux on the server side.
    And their cavalier attitude about trivial
    vulnerabilities from things like email
    attachments has finally caught up with them.
    So, reluctantly, and with a heavy heart, they
    have finally decided to take security seriously.
    After decades of neglect, they can't turn things
    around overnight. But Microsoft is a *very*
    focused company, and I predict they will, in
    time (maybe a long time), turn this issue to
    their advantage.

    As I see it, MS has tens of billions of dollars
    and tens of thousands of very smart, full time
    programmers. Linux has a wild, wooly, totally
    decentralized, totally disorganized development
    model, with contributors of very varying talent
    and knowledge. Okay, we've all heard the
    arguments about "... many eyes ... " and "security
    through obscurity." Frankly, I don't think
    they hold water and I don't think Linux can
    compete long term. Even the exalted BSD might
    not be able to. (I used to work in a 100%
    FreeBSD environment. We got cracked at least
    3 times in the space of a year or so.)

    I'm sure many here find the prospect of Linux
    having its butt kicked off the planet in terms
    of security unfathomable. But after all, only
    a few years ago the big selling point of Linux
    was stability. Now MS has successfully migrated
    the Windows end user to XP. There's an
    XP box in this room a few feet from my Linux
    box. Over the past 15 months since we got it,
    XP has crashed 0 times, while my Linux box
    freezes up or has an X Window crash about once
    a week. Maybe I push my box harder. Maybe.
    But I'm not selling my wife and kids, or the
    average Windows user, on the stability thing.
    That's dead. What I'm saying is I see a few
    years down the road the security thing will be
    dead too.

    So, I can't say whether this study is legitimate
    or not, or exactly what it proves. However,
    it's not surprising to me. What would surprise me
    is if the wild world of Linux, with its very
    dubious development model, were to produce a
    secure OS. And what would surprise me more is
    if I don't see a whole lot more studies coming
    to the same conclusion in the future.

  52. Troll: Windows about as secure as Linux by povey · · Score: 2, Interesting

    Once more when we see any survey of any sort which questions Linux security, people trounce on it unthinkingly.

    Sure, this report leaves out worms. But that is completely irrelevant. I'm willing to bet that most of the successful attacks on Linux could be automated in a worm.

    The point about worms is that they are most successful when you have large numbers of vulnerable hosts to propagate. Windows wins simply by having sheer numbers of similarly installed machines, so worms are not an indication of how secure/insecure an OS is. Worms are mostly written for Windows, not because it's less secure, but because there is a better chance of success.

    A better way to criticise this survey is that it counts total numbers of attacks, not attacks as a percentage of deployed machines. I suspect that this is because this just makes Linux look even worse.

    One poster even complained that they had to patch their Windows servers more often than their Linux servers. Don't people see that this is a _good_ thing. Despite what people think, Linux programmers are about equal to the same order of magnitude as Windows programmers. So bugs are likely to be at about the same rate. More patches simply means that more bugs are being discovered and fixed.

    If you count vulnerabilities found, Linux and Windows have been consistently about the same order of magnitude (cf. CERT). This is about what you'd expect for similarly complex pieces of software. Being open source doesn't automatically mean that the software is more secure, you still have to have someone looking.

    Instead of burying their heads in the sand and Windows bashing, Linux-o-philes should take a long hard look at how they can make Linux better.

    Oh and BTW: I run FreeBSD :-)

  53. Re:Overt vs Covert by Alsee · · Score: 2, Interesting

    Exactly how would you discover an attack that was so successful as to not leave a trace? By definition such an attack cannot or has not yet been discovered or traced.

    Not true.

    You passively log traffic in/out of those machines using internet-invisible hardware. It gives a full record of every attack attempt, a full record of the attack method (even if it was a previously unknown attack method), a full record of everything the attacker does before and after gaining access, and the attacker cannot detect that he's being watched.

    On the other hand it's not a very practical undertaking to watch tens of thousands of random and busy commercial servers in such a manner.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  54. Re:Overt vs Covert by Burning1 · · Score: 5, Interesting

    Speaking as someone who has installed a lot of linux systems for other people: "Oooh! Shiny thing" syndrome is a major problem.

    Lots of people will see services such as FTP, MAIL, NFS, SSH, WEB and think "That might be useful," or "That might be fun." They enable a small shitload of services, then never bother to update or use them.

    By forcing a person to pay special attention before making a service available to the world (For instance, sendmail will only listen on 127.0.0.1 by default on RedHat) you force them to learn a little something about that service. You also make it undesirable for them to enable a lot of things that they have no hope of using.

    IMO, "Install Everything" is far too tempting for many people, and far too insecure. The number of linux breakins would go down considerably if distributors would simply force people to enable a service after they install it.

    I personally think that the Linux distributions avoid it to make things easier, and to improve people's linux experience. "Hey! I have a webserver running after 5 minutes! Neat! This linux stuff is easy." (I sure was that way when I got into Linux.) : \
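
Added example, not part of the thread or any poster's code: several comments above turn on which services end up listening on which addresses after an install (sendmail bound to 127.0.0.1 versus telnet, finger, portmapper and lpd open to the network). This Python script classifies listeners from `ss -H -tln`-style output as loopback-only or network-reachable and reports the ones outside an allowlist; the sample listing, the address 192.0.2.10 and the allowed ports (22 and 80) are constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from typing import NamedTuple

# Constructed sample in the column layout of `ss -H -tln`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 10 127.0.0.1:25 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 5 0.0.0.0:79 0.0.0.0:*
LISTEN 0 64 0.0.0.0:111 0.0.0.0:*
LISTEN 0 5 0.0.0.0:515 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 5 [::1]:631 [::]:*
LISTEN 0 128 192.0.2.10:21 0.0.0.0:*
"""

# Well-known ports of the services named in the thread.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 37: "time",
                 79: "finger", 80: "http", 111: "portmapper", 515: "lpd",
                 2049: "nfs"}

# Assumption: this host is meant to offer only SSH and HTTP to the network.
ALLOWED_PORTS = frozenset({22, 80})


class Listener(NamedTuple):
    address: str
    port: int
    scope: str  # "loopback", "all-interfaces", "one-interface" or "unknown"
    service: str


def classify_scope(host: str) -> str:
    """Say how widely a bind address is reachable."""
    # Drop an interface suffix first ("127.0.0.53%lo"), then IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    if host == "*":  # ss can print "*" for a wildcard bind
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"  # reported as exposed rather than silently dropped
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "one-interface"


def parse_listeners(ss_output: str) -> list[Listener]:
    """Turn each LISTEN line into a Listener record."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header, blank line, or a socket that is not listening
        host, _, port_text = fields[3].rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        listeners.append(Listener(host, port, classify_scope(host),
                                  SERVICE_NAMES.get(port, "unknown")))
    return listeners


def unexpected_exposure(listeners, allowed_ports=ALLOWED_PORTS):
    """Listeners reachable from outside the host that are not on the allowlist."""
    exposed = [item for item in listeners
               if item.scope != "loopback" and item.port not in allowed_ports]
    return sorted(exposed, key=lambda item: item.port)


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    for item in found:
        print(f"{item.port:>5} {item.service:<11} {item.scope:<15} {item.address}")
    print("Disable, or rebind to loopback:")
    for item in unexpected_exposure(found):
        print(f"  {item.service} on {item.address}:{item.port}")
```

On a live Linux host the same functions can be fed the real output of `ss -H -tln` in place of the constructed sample.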

  55. Re:Linux Security by Anonymous Coward · · Score: 1, Interesting
    I am confident that any high number of linux-related break-ins are the result of older distros either misconfigured or merely unattended.

    Newer linux distributions tend to be packaged in a secure form with most services like Telnetd and FTPd disabled, but I have encountered many linux boxes (and other Un*xes) in the field that are years old with a telnetd running, capable of accepting a root login (and an easily guessable password to boot).

    Un*x has a pedigree that was designed to be open and accessible; there was once a day when logging into a server as root over the Internet was acceptably safe, and there are many dust-covered servers out there still configured that way. More than you think, partially thanks to the IT crunch which, along with sending lots of knowledgeable IT staff packing, also left lots of Un*x servers in various back-office roles completely unattended, reliably doing what they were set up to do but w/o staff left who know to take care of them. Knowledgeable hackers look for them.

    In defense of linux v. Windows, I point out that those who actively take care of their Un*x boxes, turning off telnetd, replacing it with SSH and requiring secure passwords and securing holes with patches wind up with some darn safe servers. Windows, on the contrary, is what it is. The best you can do is apply hotfixes when the company makes them available, often long after the vulnerability has been discovered compared to the quick turnaround in the open-source community.

    Until Microsoft releases the Windows source code for public scrutiny, Security will not be in the admin's hands. Windows can barely log an intrusion; how's one to truly tell how many times a Windows PC has been hacked?

  56. This "study" is bullshit. by pclminion · · Score: 2, Interesting
    From the actual report itself (the FAQ section):

    What about statistics on unreported or covert attacks?

    The SIPS database and EVEDA do not contain any specific information on attacks that are covert, not reported, validated or witnessed by any reliable source. We do, however, often receive notification on individual security breaches from our partners and clients across the globe, which are included.

    In other words, the sample they are using is self-selecting: only the attacks that have been systematically reported and verified are included. The problems associated with a self-selecting sample are obvious.

    What if Linux attacks far outweigh Windows attacks, because Linux administrators tend to report the attacks more often, whereas Windows and other OS administrators do not report attacks so often because it makes them look bad? I'm not trying to troll, I'm merely pointing out why the results of this study are absolutely meaningless.

  57. Re:Ohmygawd, Root is a Security Flaw in Linux! by innosent · · Score: 2, Interesting

    Running as root (or Administrator) is not a security problem for people who visit trusted sites only, do not execute email attachments, don't run 'rm -rf *' or deltree from the root directory, and keep their systems patched.

    For the average windows user (like your grandparents), who don't know how to update their systems, will open any email, and browse to random sites, it's not very safe. Running on a non-superuser account means that only your user files may be compromised by a malicious or buggy program, not the entire system (unless there is a bug in code that runs in kernel mode, like system calls, or much of Windows code that runs under the SYSTEM account).

    Look at web servers, for instance. IIS runs from the LOCALSYSTEM account by default, while apache runs as nobody by default. Which is more secure? If IIS never had a flaw, it wouldn't matter, but when it does, any exploit that allows remote execution of code (most of them) runs with full privileges, while the same vulnerability grants only read access privileges to certain (already public) files under apache. It's the same thing with users. If you can trust them never to make a mistake or execute malicious code, they can run with full privileges, but if you can't (most of the time), maybe you shouldn't give them the ability to destroy files or add/remove hardware.

    --
    --That's the point of being root, you can do anything you want, even if it's stupid.
  58. Re:Overt vs Covert by pajeromanco · · Score: 2, Interesting

    Debian didn't do anything, you did it yourself.
    You installed telnetd, and debconf probably told you that was a bad idea. Obviously, if you didn't configure debconf to be "non-interactive". I bet you did this too.

    By the way, Debian has a package, called debootstrap, which installs all the default packages during the install process, and then boots itself into it. Then, the "base-config" package asks you things like your root password. And then, yes, only then, you install packages with dselect or tasksel (which can be done during this base-config process too).
    You installed the system, you rebooted it, it asked you for the root password, and you still complain about a lack of administrator login. For what, put the password you just set?
    It is OK if you were learning, but come on, you can't blame Debian. You made at least 10 mistakes on your own...

    --
    Now I am sad.
  59. Re:Ohmygawd, Root is a Security Flaw in Linux! by Ironica · · Score: 3, Interesting

    I suggest you download the Microsoft Baseline Security Analyzer and see just how vulnerable you have been running your machine.

    Thanks for the reminder. I ran it on my mom's XP box last time I was there, but forgot to run it here until now.

    It was kind of funny. First, it wouldn't work because the Server service wasn't started. Well, it's not running because I don't need it, and it's stupid to run it if you don't need it. ;-) But I was able to turn it on and run the analyzer (and then turn it off as soon as it was done).

    It found three security updates I needed (including the MDAC one, which did show up on Windows Update for me, for some reason). So I was a bit out of date. But the other stuff it found was all "Yeah, I know, I set it up that way on purpose." Stuff like:

    - One of the accounts has a blank or short password. (That's the Guest account, which is disabled.)

    - None of the passwords are set to auto expire.

    - Auto-logon is configured for at least one account. (This is my home machine. If my hubby needs to get into my computer account, I don't want to have to give him one of my passwords. If someone breaks into our apartment, I have bigger worries than whether they can get into my Windows box.)

    - Automatic Updates is not configured properly. (I'm philosophically opposed to having my computer download things without me telling it to, and I know that in some cases this makes me more vulnerable... it's a risk I chose to take.)

    - Not all hard drives are using the NTFS file system. (No, my 8GB 5400 RPM drive that I keep around for backups when I reinstall the OS is still FAT32. I'm lazy. One of these days, I'll get a new SATA hard drive, and my current main drive will become backup. Everything will be all better then. For one thing, I'll probably switch to Linux at that point, unless another cool MMOG comes out.)

    - Restrict Anonymous. This is the ONLY surprise that showed up on here. I'd never heard of this before, and have since changed the registry setting.

    - Telnet service is installed. But it's disabled, so no worries there.

    So, I feel fairly good about how secure my box is. The MBSA served to reassure me in this case. I'll still feel safer when I switch away from Windows, if only because I'll be less of a target.

    --
    Don't you wish your girlfriend was a geek like me?