Slashdot Mirror
The World's Safest Operating System
fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."
Linux is secure... out of the box. However without a skilled administrator, it's very easy to open up LOTS of holes. I think that linux is a great operating system for power users, but lets face it, the average desktop user or the new sys admin, doesn't belong on a powerful distro right now. Perhaps lindows, but not Red Hat Enterprise. One thing I found interesting was this:
"For the first time, the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004," the analyst said.
I'm in the army in Europe and we're not allowed to run BSD or OS X. Only non-windows I'm authorized is AIX or um... (I'm really sorry to admit this) SCO. So I'm sure alot of other government agencies (besides DoD), don't allow BSD and OSX.
The first red flag I noticed was that they want you to pay for the results.
Thats not how it works. There are also many other reasons not to believe them. Boy, it must be nice to be able to make a living just making up statistics.
For god's sake, how many more times will Slashdot fall for crap from this bunch of cowboys? mi2g are the archetypal media whores, they have no clue, no idea what they're talking about but they have the uncanny ability to tune a press release for maximum meaningless security. These 'surveys' they put out every do often are utterly meaningless, based on nothing. They're nothing more than a bunch of bullshitters who should be ignored. Five minutes with Google will turn up all the proof you need, failing that go search www.ntk.net.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Although it has been pointed out that worms, viruses, and other type attacks were completely ignored, there were other significant pieces of information left out as well.
.1% of reported cases.
What percentage of servers over all use what operating system? If only.1% use Mac then actually it would show that Macs are MORE vulnerable because they account for more than
How did they get these statistics? For them to record a breach two things have to happen. You have to notice the breach and you have to report it. Is there a higher percentage of Windows users who don't notice the breach? Is there a higher percentage that don't report a breach? Linux users would tend to be more open to sharing the information imho since they are already users of open source which by nature is a choice to share information.
Although there are other things too the most relevant seems to be their sampling. What portion of their sample was running Linux? They definately did not use an equal sample size of each OS. Taking result numbers alone is not good enough to make a conclusion.
While I tend to agree that some statements made about Linux security are overblown the fact reamins that when a Linux box is properly configured it *is* more secure than a Windows box. Discounting "the recent wave of trojans, virues", etc. does seem to me to skew the data. I think most Linux advocates are basically trying to say that Linux is resistent to these tyes of attacks therefore making it slightly safer than Windows out of the box, but the ability to lock it down yourself and keep it up to date are the important part. I've hardened both Linux boxes and Windows boxes and felt pretty comfortable about their security. But I have to say that Linux made me feel a bit better because I really do beleive that if you have the knowledge, time and ability to "see what's under the hood" then you are in for a more secure environment. I just can't get that kind of warm fuzzy with Windows. As a final word; to me the various OS are like hammers and screw drivers. They all have advantages and disadvatages depending on the job you need it for.
A lot of software is shared between BSD and Linux installations. Stuff like sendmail (qmail, postfix, ...), apache, bind, etc... is exactly the same on both OSes. Most security breaches involve a buffer overrun in one of these server programs. So obviously, Linux and BSD systems should be equally vulnerable (or safe) w.r.t. remote exploits...
As many have pointed out in other threads, the ratio of competent/incompetent Linux admins is higher than the competent/incompetent BSD admins ratio. This is sad, but true. It is not because Linux is bad or hard to manage, it's simply because Linux is much more popular than BSD. Newbie admins will seldom start with BSD, so they make their mistakes on Linux boxes first. Some of them may grow up tried of all the different idiosyncraties of Linux distros, and try BSD. A few may even like it and stick to it. But the point here is that your average BSD admin is already experienced with Linux systems, whereas the bulk of Linux admins won't.
Linux or BSD are both great systems, but they can be really dangerous in the hands of the inexperienced.
DISCLAIMER: I'm a senior FreeBSD sysadmin since 2.0, but I'm also managing a farm of misc. Linux variants since kernel 0.99 in high risk secure environments. I like both systems very much, so I tend to dislike stupid over-generalizations a la BSD is more secure than Linux (even if it is true, for the reasons explained above).
cpghost at Cordula's Web.
Here I go burning Karma again... Since we can't know the full details of this report unless one of us actually buys it, it is probably pointless to speculate on their methods. However... if you assume they didn't try to stack and that the following is more or less true:
* that most of these 17,074 were web servers
* that all or most of these servers were production boxes (worthy of being investigated after a break-in)
* that at least 20% of these were running Winodws/IIS (Netcraft
then all things being equal, there SHOULD have been at least 3400 Windows break-ins. Since there were about 2005 successful Windows attacks, MS and Windows admins must be doing something right. Many Windows admin ensure their boxes are patched. They follow NTBugTraq. They run lockdown tools or subscribe to security monitoring services. They are aware of potential breaches and most importantly THEY ARE NOT AS AROGANT AND SMUG as some of their Linux counterparts.
Mmmm -- nothing like the sweet smell of Karma burning on a cold February afternoon!
Is this sig nificant?
" ,,, Mac OS X has a dumb little icon that leaps and jumps and bounces and begs for attention any time an update is ready. ..."
... When the update applies itself and wants a reboot, your only options are "shutdown" and "restart." There's no "cancel" option. ..."
Doesn't do that on mine. Turn off automatic updating.
"
There's no "cancel" option because it's unnecessary. Just keep working. You can "re" boot tomorrow, like I do. (most updates dont' require a reboot at all, by the way. But if they do, fuggetaboutit. Get some work done).
I suppose you could sit there and watch the update progress. I don't; I launch all my apps first thing; one of them is software update. If one is available, I click to install, enter my password, and then do something else (there's one installing right now. Or maybe it's done. Who knows? Who cares? Use the damn computer, SW Update doesn't need any attention from you).
A check for security-relevant update should probably be part of a Linux admin's daily routine. Kernel updates can be ignored; there's no need to update a perfectly good Linux install just because you can. Rookie error.
As for Windows update, I did a clean install of Win98SE about 2 weeks ago. 61 updates required, though mercifully only about 24 were "critical". And yes, you do need to stop everything and reboot every time with that OS.
I use Linux, Windows 98 & XP and OSX every day. It gives you a little perspective.
It sounds like you are missing the point or trolling. What this study shows is that Linux can often be cracked if somebody takes the time to target it. As opposed to Microsoft Windows, where a single person can take over millions of systems at once with a worm or virus.
The truely funny thing here is that Mi2g is a security firm that runs Linux and sells services for Linux, but reports that Linux is the worse of the bunch. Hummmmmmm.
I suspect that shortly they will be reporting that Linux is more loaded with Viruses that Windows, to be followed with their new anti-viral software.
I prefer the "u" in honour as it seems to be missing these days.
1. They failed to mention that these are >REPORTED breaches. Most organizations do not report breaches.
2. They did not normalize against the sample population for each OS, but simply reported raw numbers. Statistical crap.
3. No categorization of breach types. (root, user, etc.)
4. From what sources were their data derived?
In short, this "report" is bullshit and tells nothing of interest.
"Computers are useless. They can only give you answers."
-- Pablo Picasso
A good quote from the MacWorld article
"Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."
As others have said, poor configurations caused the most problems for the linux machines.
> Windows users are less likely to run a webserver,
> simply because they're not as eager to play with
> their system as Linux users. Therefore there
> will be less insecure Windows servers. The same
> goes for Mac-OS users.
The study was talking about servers. So your comment about Windows users being less likely to run a webserver makes no sense whatsoever. In terms of the study, they are every bit as likely to be running a webserver.
Linux users have to face the facts when addressing this matter and not bury their heads in the sand. There are any number of Linux users who don't even know what inetd and tcpwrappers are let alone bugtraq and cert or how to upgrade their systems and keep them secure or how to write PHP scripts with bounds checking.
Until that changes Linux boxes are going to continue to be broken into wholesale.
The reaction to this story on here reminds me of when Apache and IIS were put head to head in some study and there was wholesale denial that IIS could outperform Apache. The Apache team recognised there was a problem though and set about improving their software. This is what Linux users have to do now.
Whilst the study may be flawed and the company that did it may have an agenda, 13000+ Linux break-ins in a year should be serious cause for concern.
Folks, please face the facts even if they are unpleasant and improve the software and more importantly improve the education of the user base.
The Machine stops.
This study committed the worst type of selection error: selection on the dependent variable. In this study (or at least in the article's description) the dependent variable is successful penetration. The value of this variable is 1 (ie yes) in every case. Therefore, the dependent variable doesn't vary. Now the independent variable (type of OS on target system) does vary, but unless the dataset includes unsuccessful penetrations (or transforms the dependent variable into a comparative measure based on average penetrations per OS/server) absolutely nothing of value can be learned. This is research design 101, folks: variables need to vary.
Make cheese not war 8:)
Linux is touted as being secure "out of the box."
So what do people do? They install it, throw it directly on the line and assume it's secure "out of the box." So they don't worry about it.
I know Windows isn't secure. There's no way in hell I'm putting ANY OS directly on the line. I run a hardware firewall between every computer and the outside. Very few ports are open and I know exactly what's running on each of those ports.
For my IcarusIndie.com server it's logged in as an Administrator 24/7 365 days a year. Guess how many times it's been hacked?
Once someone erased all the usernames and passwords out of MySQL. They did it through a PHP page that uses MySQL. Nothing was actually damaged because they couldn't get anywhere. There is no way to remotely connect to MySQL. It's pretty lame that a semicolon can allow arbitrary commands to be issued to MySQL. And yes I'm running the latest version.
Another time someone I know decided to demonstrate a nearly server crashing bug GuildFTPd has. I updated to the latest version that claimed to have fixed the problem (ignoring your settings for not allowing more than X connections from a single IP) and it wasn't actually fixed. I now run BulletProof FTP server and it isn't affected by that DoS bug and has no known remote exploits.
I also run WinVNC. Except it's modified to use a whitelist. Only when you connect with given IPs do you even get the password prompt. And there's no way to remotely change the IP list unless you already have a whitelisted IP. So when my Cox IP changes I have to go down to the ISP to get physical access to update the whitelist.
No one has ever managed to hack Windows. Even though I'm running as "root." Only some very flaky software handling the above mentioned hacked services. But they've never managed to cause any real damage.
My web-site has been running logged in as Admin for going on 4 years. That's a very stellar record. And not hard to achieve if you're not blinded by propoganda. I even ran my server on WinME to start with and never got hacked.
It's an attitude problem. Not a hardware or software problem if your systems are being hacked into.
Ben
Work Safe Porn
"last year" is pretty irrelevant, as mi2g came up with exactly
/ 10 /21/021021hnvulnerable.xml
the same report in 2002.
http://archive.infoworld.com/articles/hn/xml/02
DK Matai is simply trying to spin the same propaganda that he did in 2002 with the pretense that it contains pertinant information. On the whole it doesn't - looking at the bottom line -- the dollar -- it's the MS exploits alone which are having any real effect in the real world.
Sure, to pretend that Linux systems are magically impenetrable is equally not in the real world, but I think things need to be put in perspective.
Also - do sysadmin misconfigurations (e.g. setting anonymous ftp with access to all areas) count as an exploit? It's not the OS's fault if a human has selected a brain-dead configuration.
YAW.
Your head of state is a corrupt weasel, I hope you're happy.
Note that the results shown in the MacWorld article are not normalised. In other words, they are the total number of attacks, not the number of attacks relative to the presence of each OS. Naturally, operating systems that power millions of web servers are more liklely to suffer attacks than operating systems that power only a few thousand (or even hundreds).
It sounds very impressive that "the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004", but then you look at the number of government servers actually running OS X, and it becomes pretty clear why they weren't attacked. There are simply very few government servers running OS X (less than 3%).
So this "study" is a joke. I only wonder who comissioned it, Apple or Microsoft...?
..not that this means you don't have to patch your box. But all major distros these days make that really painless. Or at least a lot less painful than Windows.
/usr/share/rhn/RPM-GPG-KEY
/usr/share/rhn/RPM-GPG-KEY
/usr/share/rhn/RPM-GPG-KEY
I disagree with that from personal experience. On Windows - Control Panel, automatic updates - enable. That's it.
Fedora from GUI:
Run up2date
Be told you are not registered. Click ok.
Choose what updates you want. Select all, start the process.
Process freezes either before it starts, during, or near the end, OR you are told a package has been tampered with (when really it's just corrupt). Solution: patch one package at a time (which is a $@ing PAIN in the arse). I have Fedora boxen unpatched simply because the patch system is fsck'd.
Fedora from command line:
[root@dredd root]# up2date
Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.
Your Update Agent options specify that you want to use GPG.
To install the key, run the following as root:
rpm --import
[root@dredd root]# rpm --import
[root@dredd root]#
[root@dredd root]# up2date
Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.
Your Update Agent options specify that you want to use GPG.
To install the key, run the following as root:
rpm --import
[root@dredd root]#
Yeah - MUCH easier than Windows. Not.
The reason OSX (workstations) are so secure is all services are turned off by default. Definitely a good security strategy. And it's hard to turn the stuff on (no prominent shiny, candy-like buttons to enable them)
But even if those potentially dangerous services are enabled (DNS, sendmail), they're less likely to be cracked because most cracks use buffer overruns that are intel specific code injections.
Intel has been around for 20 years, which means 20 years of people learning assembly, and mature, asswiping documentation on every detail of the processor. And also, long evolved cracking documents/tools.
Where as OSX has only been around a few years. And at the time it came out, many tools (DNS, sendmail) had already become security aware. Viruses had already been running rampant, so Apple was able to start at a point where security issues could be worked into the design. Also, when OSX came out, few people cared about assembly anymore. In the 80's it was necessary, but now, it is less so.
At this particular point in time, if an OSX box and linux box are each running the same buggy version of DNS (the one that had the buffer overrun loophole), surely only the linux box will get rooted, because the rootkits are mostly intel specific. The initial rooting of a machine usually involves an assembly level attack with a buffer overrun.
So it's not even an open source issue; DNS is open source. It's the same code on both platforms. But because Mac's OSX platform hasn't been around for long, is one reason there aren't popular rootkits for it. But if there is one, then it's just a matter of time and desire on the part of crackers.
One thing Mac also has going for it is OSX (workstation) the day it was released, by default had all services disabled. So it's a pretty tough box to crack from day one; even if grandma turns on her new OSX box for the first time, it will likely be more secure than a linux box configured by a seasoned admin setting up linux for the first time. (weeks later: "What, sendmail and portmapper are running? I didn't turn those on!")
So there is less desire to even try to crack a platform that has no services to crack to begin with.
However, with OSX *server* being a bit more recent, eventually cracks may become more desirable because that will have attackable services. But someone will have to learn assembly for the Mac to implement the buffer overrun attacks. And it may take a few years before that becomes as popular as linux rootkits.
It would be good if the Linux distros made it harder for first time users setting up webservers to accidentally leave on useless services like NFS, portmapper, and all those daemons internet servers don't need (lpd, yp, linuxconf, auto-updaters).
Hmm, I wonder what services were enabled on the article's test machines. I guess it wouldn't matter, because an intel buffer overrun injection on a Mac just won't fly.
I'm going to say this just be cause no one else will. Suppose Linux simply is less secure than Windows. I have been hearing the opposite from the slashdot crowd with no information to back themselves up. They simply state that because it's open source, it must be more secure.
Then when information proves otherwise, they say things like, I'm going to say this just be cause no one else will. Suppose Linux simply is less secure than windows. I have been hearing the opposite from the slashdot crowd with no information to back themselves up. They simply state that because it's open source, it must be more secure.
Then when information proves otherwise, they say things like, they may have been the most targeted or Linux is over-represented as a target of hacking because there is so much low hanging fruit out there
Modding this as Flamebait only proves how Linux-centric Slashdot is.
Totally agreed. Linux's worst enemy is the Linux boosters who think it's perfect. I'm exhausted, but I'll try and share an anecdote.
I was up all night last night securing a Debian webserver. Maybe I pushed the wrong buttons, but when that box first booted up a port scan lit it up like a christmas tree. SSH was open, but so was RPC, Finger, FTP, time, LPD, SMTP, and Telnet. Frickin' TELNET! OS X doesn't even come with a telnet server!
This was my first Debian box, so it took quite a while to learn the ropes so that I could hunt down and properly squash all of these open ports and set up some firewall rules. Sure, a knowledgeable Linux guy could have done this a lot faster. I came from the OS X world, though, so I had a lot of catching up to do.
The BSDs don't let newbies make those kind of mistakes. Set up a Mac with all of the defaults, and it's secure. OpenBSD and FreeBSD don't have squat enabled by default. Linux is great, but it still contains a LOT of pitfalls for new admins and users. These security issues are going to get worse as Linux becomes more popular.
This
Every time some evidence of any UNIX, and especially Linux, being unsecure comes up there are people declaring that the evidence is faulty because UNIX is secure...
Though this will propably be moderated as flamebait I must say that if you take the same care to secure your windowsboxes as you do with your UNIXboxes you will be rewarded with, surprise, secure boxes all over. Windows isn't inherently insecure as well as UNIX secure.
Speaking as someone who has installed a lot of linux systems for other people: "Oooh! Shiny thing" syndrom is a major problem.
Lots of people will see services such as FTP, MAIL, NFS, SSH, WEB and think "That might be useful," or "That might be fun." They enable a small shitload of services, then never bother to update or use them.
By forcing a person to pay special attention before making a service available to the world (For instance, sendmail will only listen on 127.0.0.1 by default on RedHat) you force them to learn a little somthing about that service. You also make it undesireable for them to enable a lot of things that they have no hope of using.
IMO, "Install Everything" is far too tempting for many people, and far too insecure. The number of linux breakins would go down considerably if distributers would simply force people to enable a service after they install it.
I personally think that the Linux distrobutions avoid it to make things easier, and to improve people's linux experience. "Hey! I have a webserver running after 5 minutes! Neat! This linux stuff is easy." (I sure was that way when I got into Linux.) : \