The World's Safest Operating System
fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."
This is not the best way to conduct research. When I was doing research at NIH we would say of this sort of thing, "After discarding all data to the contrary, the hypothesis was proven."
While this research may show that Linux servers are over-represented in overt acts of hacking, this does not statistically make the Linux OS the least secure. Attacking a particular system simply makes it popular for attack. In order to characterize Linux, or any other OS, as the least secure, there would need to be evidence that an equal amount of other OS's were unsuccessfully attacked or the success rate was lower. Other variables that would require controls would be the hacker, level of sophistication of attack, etc. etc.
To say that "...while Linux servers were the most vulnerable..." only means that they may have been the most targeted. I am not saying that the conclusions of this research are incorrect, I am saying that from what I have read, they cannot come to those conclusions.
Keep Smiling!
Erick
http://www.busyweather.com/
For all the servers out there, I wonder how many people actually run up2date or apt from time to time. I imagine more people run Windows Update than any Linux equivalent.
Let's face it. Linux isn't for just the uber-geek anymore. So logically, more systems are going to be hacked into when people with no security sense are managing systems.
Don't blame the operating system. Blame everyone who thinks they're a competent sysadmin, but really aren't.
Not to mention that this article doesn't weigh in percentages. There are a *LOT* more linux servers out there than there are BSD, Windows and Mac OS X servers. When one factors in percentages, Linux really isn't *that* bad.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Why would anyone want to crack a Windows box? It'd be completely useless to you.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
Different distributions vary greatly in how secure they are out of the box and in how easy it is to apply security updates once they are deployed. Also, talking about absolute numbers of breakins is completely uninformative without knowing the number of systems deployed for each.
MACWORLD says that MACS are the most secure. Hmm... Interesting.
So does that mean that Windows is hazardous???
To be news, they need to say what proportion of computers use each OS, and what apps were hacked. It even says third party software accounts for a lot of the Linux hacks.
Nothing to see here except some meaningless statistics. Yawn.
Somebody needs to take some basic statistics. The fact that Linux is most often the operating system involved in server compromises is not surprising since Linux is most often the operating system involved in servers in the first place. If you normalize out for server market share, you'll find things are more or less even.
When it comes to servers, selecting a bad choice of a password or forgetting to properly set file permissions is still the easiest way to get hacked, and that will always be operating system independent. And, that accounts for the majority of security weaknesses. Worms and viri are a client-side issue, servers don't often get hit with those.
So, good work OSX fans. You finally found a metric by which having the fewest number of servers in actual use makes you look good...
::puts on flame-proof suit::
Linux is made up of _many_ distributions, who hack together systems out of many disparate apps. Each is slightly different. This diversity means none can Q.A. their systems as well as a unified project like FreeBSD does. I've seen some unbelievable bugs in a very well-known Linux distro, there for no reason other than that their resources are stretched too thin.
Linux is also a Unix. People who put up *BSD servers are Unix hacks. People who put up Linux servers are oftentimes ordinary people who are trying to cut costs from not going with Windows. Unix is powerful, if you don't know how to handle that power, you put your systems at real risk.
Looks like mi2g doesn't have the best reputation:
"And yes, every time an mi2g story has come up, an ugly flamewar has started. The funny thing is, it's the security equivalent of an Adequacy troll.
Some links:
http://www.attrition.org/errata/charlatan/mi2g-history.html
http://www.theregister.co.uk/content/55/28233.html
http://www.nwfusion.com/news/2002/1107msfoul.html"
How many linux servers are there in the wild, how many bsd ones, and how many windows ones. I'd be tempted to guess that the geeks favourite OS is by far the most popular server OS...
In other words, it's the same story as Windows on the desktop - there are more attacks because there are more servers. Since they don't give us percentages of installed vs breached, the data is essentially useless. Rule #1: Normalise your data before comparison....
Simon.
Physicists get Hadrons!
Not only is BSD (apparently) the "safest", but you might be surprised to notice that the 50 highest uptimes on the net belong to BSD
And I run linux. You'd think I would learn...
Politics, Culture, Food?
Linux is secure... out of the box. However without a skilled administrator, it's very easy to open up LOTS of holes. I think that linux is a great operating system for power users, but let's face it, the average desktop user or the new sys admin, doesn't belong on a powerful distro right now. Perhaps lindows, but not Red Hat Enterprise. One thing I found interesting was this:
"For the first time, the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004," the analyst said.
I'm in the army in Europe and we're not allowed to run BSD or OS X. Only non-windows I'm authorized is AIX or um... (I'm really sorry to admit this) SCO. So I'm sure a lot of other government agencies (besides DoD), don't allow BSD and OSX.
The system admins usually don't know what they're doing, and the system gets broken into--it has nothing to do with the system itself. The admins should know how to configure the system - instead of leaving the defaults on. The defaults for other systems are most probably simply safer than the defaults in Linux.
Scorta futuere amo!
I don't understand why anyone would publish a study that is so loosely and poorly substantiated; that would be like looking at a Syrian prison and counting the number of Syrians imprisoned, and then on that basis surmise that "Syrians are more criminal than South Africans, since there are hundreds of Syrians and not a single South African." /Paven
Nope. This isn't going to fix all of the hacks this report is talking about. Simply pick a root password of "password". up2date won't scream about that... but you're sure to be hacked rather quickly.
Stupidity runs on any OS...
they forgot a very important piece of information: the percentage of total servers accounted for by these systems.
armed with this statistic and the age old mathematical operation of *division* one could make these results meaningful.
in other news, a new study finds that red heads are much less likely to commit violent crimes. Data for left-handed people is also encouraging.
-ashot
Mi2g
Second link leads to this page which shows what a crock this (company/report) is.
The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide.
"When we ignore most of the break-ins that windows had, it had less than linux!"
followed by BSD and Mac OS X with 555 breaches
This completely ignores the proportion of these OS's that got hacked. If there are only 556 of them deployed, then this is a terrible break-in rate. Obviously there are more than 556, but there are fewer BSD servers than linux servers.
<high-level position here>
<name of stupid small company here>
The first red flag I noticed was that they want you to pay for the results.
That's not how it works. There are also many other reasons not to believe them. Boy, it must be nice to be able to make a living just making up statistics.
I don't want to troll, but wasn't this the same thing with Windows? They have a larger share of the desktop, of course it gets more attacks. ... Unix(Linux) is very user friendly, it's just picky about who its friends are.
Same goes for linux and servers.
How should I put it
Dan
Microsoft announces acquition of the UK-based security firm mi2g.
:wq
Read Why is mi2g so unpopular?
Then read this complete debunking of the scam^Wfirm.
Slashdot is trolling us -- did I wake up in Soviet Russia??
-- @rjamestaylor on Ello
I am wondering if this test was performed on a system that has yet to be tweaked. After all, if you leave FTP and Telnet ports wide open, of course it's gonna get compromised! I spent some time turning off all my ports, setting up the iptables, etc and now she's definitely a lot safer. Exactly what are these 'holes' that are being exploited? Without that information, it's like a Windows v Linux experiment run by Msft on an unconfigured Samba connection.
as seen here last year
I don't read your sig, why do you read mine?
While I'll admit that I find these behaviors pretty annoying, you can bet that Linux would enjoy a somewhat better security record if it were that hard to forget updates. It's a shame more Linuxes don't ship with at least the option of turning this on for desktop and small server folks.
At SCO, we offer increased security by running our website with Linux and only connecting the SCO machines to McDonald's cash registers and machines too old and slow to run root toolkits.
So, I've said it before, and I'll say it again: Linux is horribly inconsistent, and can be much worse than Windows, at its worst.
Come on, give it up, that's
If mi2g is saying that BSD OS's and Mac OS-X's are the most secure, then why are they using Linux? Netcraft shows they're running Linux with Apache and have been for over 1.5 years. To me, this study is pointless.
"Happily lived Mankind in the peaceful Valley of Ignorance." -- Hendrik Willem Van Loon
Absolute numbers are fine, but what about normalizing it for the total number of BSD, Linux, and Windows servers in use in this study? That's the more meaningful number. Then, what constitutes a successful attack?
Also, a useful study would look at how machines are maintained, password policies, etc.
Now before I come off sounding like a Linux apologist, it is quite possible there are some serious weaknesses that need to be addressed. If so, I hope they give us full info on the attacks so we can fix the problems. But these numbers as they stand don't tell us a darn thing.
If a dedicated admin configures Selinux and heavy duty firewalls, and puts Klingon password policies in place, I'd personally still be confident to match that system against anything out there. Default Redhat installs, on the other hand, are something else again. So again we need more info. It's all in how things are set up and maintained. The question actually being asked here - which OS is strongest, all other things being equal - is a really really tough one to answer. There are many other issues that must be addressed first.
So, as far as any useful information is concerned, this article doesn't appear to have any. What if the Linux machines simply had the best intrusion detection in place? (I'm not saying they did, but it's a fair question.) Need More Information!
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
I think this paragraph says it all - it comes down to poor admins. If you have a bajillion-dollar lock made out of unobtainium, but leave the key under the doormat, you're less secure than if you have a 2-dollar master lock but aren't dumb about the key.
mi2g analysed 17,074 successful digital attacks against servers and networks. It states: "With Linux accounting for 13,654 breaches, Windows for 2,005 breaches followed by BSD and Mac OS X with 555 breaches worldwide in January 2004."
They say how many attacks they analyzed, but they didn't mention the pool of hosts that these attacks were taken from.
Were there 1000000 linux hosts, 200 Windows hosts, and 6 Mac OS hosts? If so, that would radically change the conclusion that is implied.
Also, it's interesting to note that they did NOT count automated attacks by viruses, etc.
I'm sure there are interesting conclusions in their study of attacks, but given the lack of data, this study doesn't provide enough data to conclude that one OS is safer than another.
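A worked example of the normalization several commenters ask for, added here and not part of any comment: it takes the three breach counts quoted from mi2g above, pairs them with a constructed, hypothetical install base (the 1,000,000 / 200 / 6 scenario from the comment, since the report gives none), and shows how per-host rates reorder the ranking; it also computes the install-base ratio at which two OSes would have equal rates and the proportional-share figure behind the "20% Windows/IIS" argument made in another comment.

```python
# Breach counts as quoted from the mi2g figures in the comments (January 2004).
BREACHES = {"Linux": 13654, "Windows": 2005, "BSD/Mac OS X": 555}

# Install bases are NOT in the report. These are constructed, hypothetical
# numbers taken from the "1000000 linux hosts, 200 Windows hosts, 6 Mac OS
# hosts" scenario in the comment above, used only to show the effect.
HYPOTHETICAL_HOSTS = {"Linux": 1_000_000, "Windows": 200, "BSD/Mac OS X": 6}

SURVEY_TOTAL = 17074  # total successful attacks analysed, per the summary


def breach_rate_per_1000(breaches: dict, hosts: dict) -> dict:
    """Breaches per 1,000 deployed hosts for every OS in `breaches`.

    A zero or negative host count makes the rate undefined (an OS that shows
    up in the survey but has no deployed hosts is a data error), so reject it.
    """
    rates = {}
    for os_name, n_breaches in breaches.items():
        n_hosts = hosts[os_name]
        if n_hosts <= 0:
            raise ValueError(f"host count for {os_name} must be positive")
        rates[os_name] = 1000.0 * n_breaches / n_hosts
    return rates


def ranking(values: dict) -> list:
    """OS names ordered from highest to lowest value (raw count or rate)."""
    return sorted(values, key=values.get, reverse=True)


def breakeven_host_ratio(breaches: dict, a: str, b: str) -> float:
    """Hosts of `a` per host of `b` at which the two breach rates are equal.

    rate_a == rate_b  <=>  breaches_a / hosts_a == breaches_b / hosts_b
                      <=>  hosts_a / hosts_b == breaches_a / breaches_b
    If `a` actually has more hosts per `b`-host than this, its rate is lower.
    """
    return breaches[a] / breaches[b]


def expected_breaches(total: int, share: float) -> float:
    """Breaches an OS would show if attacks fell in proportion to its host share."""
    if not 0.0 <= share <= 1.0:
        raise ValueError("share must be a fraction between 0 and 1")
    return total * share


if __name__ == "__main__":
    print("ranking by raw count:    ", ranking(BREACHES))
    rates = breach_rate_per_1000(BREACHES, HYPOTHETICAL_HOSTS)
    print("ranking by rate per 1000:", ranking(rates))
    for os_name in ranking(rates):
        print(f"  {os_name:13s} {rates[os_name]:10.3f} breaches per 1000 hosts")
    r = breakeven_host_ratio(BREACHES, "Linux", "Windows")
    print(f"Linux needs more than {r:.2f} hosts per Windows host for a lower rate")
    print("breaches expected at a 20% host share:",
          expected_breaches(SURVEY_TOTAL, 0.20))
```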
For god's sake, how many more times will Slashdot fall for crap from this bunch of cowboys? mi2g are the archetypal media whores, they have no clue, no idea what they're talking about but they have the uncanny ability to tune a press release for maximum meaningless security. These 'surveys' they put out every so often are utterly meaningless, based on nothing. They're nothing more than a bunch of bullshitters who should be ignored. Five minutes with Google will turn up all the proof you need, failing that go search www.ntk.net.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
We should not be concentrating on which operating system is more secure than another. This just promotes the myth that people can 'choose' the most secure operating system and then they are secure. No operating system is secure if you do not keep it up to date and patched.
Every time I see an article like this, I wonder how many users and administrators will get the false impression that if they just switch to another platform they will have done their job.
Security is a process. It is not all about the technology, and it requires educating users and managers to be effective.
Hmmm... spend time in London or fiery death on the runway? What kind of choice is that? Hell, guide the plane in with Sinclair BASIC and at least you'll have an interesting experiment.
Hey! How did you get my root password? I thought it was hashed pretty securely.
Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."
Well, let's see here.
1. Government. Stupid is as stupid does.
2. Inadequate training.
3. Inadequate knowledge.
Three strikes and you're out. The VAST majority of government workers are NOT highly educated people, and as a matter of fact, most of them are former welfare workers placed into government jobs to get them off the welfare log books.
When you factor in all these things you should expect the results they came up with.
But I say this, you put a GOOD, trained, educated, and skilled sys admin behind those same Linux systems and those numbers will flip.
Although it has been pointed out that worms, viruses, and other type attacks were completely ignored, there were other significant pieces of information left out as well.
What percentage of servers over all use what operating system? If only .1% use Mac then actually it would show that Macs are MORE vulnerable because they account for more than .1% of reported cases.
How did they get these statistics? For them to record a breach two things have to happen. You have to notice the breach and you have to report it. Is there a higher percentage of Windows users who don't notice the breach? Is there a higher percentage that don't report a breach? Linux users would tend to be more open to sharing the information imho since they are already users of open source which by nature is a choice to share information.
Although there are other things too the most relevant seems to be their sampling. What portion of their sample was running Linux? They definitely did not use an equal sample size of each OS. Taking result numbers alone is not good enough to make a conclusion.
I don't know about the results but this 'security company' has been in the news before and as far as I know it was labeled as bunch of charlatans by real security experts at security focus. Read more about mi2g at: http://www.attrition.org/errata/charlatan/mi2g-history.html
But it is instructive to read some prior comment on mi2g, such as "Iraq will destroy us by computer" the experts screamed, or a more general index of mi2g myths, or a search for mi2g at NTK or even their own reasonably barking mad press releases.
I'm not uncomfortable with a finding that Linux boxes leak like sieves whilst Windows boxes imitate Fort Knox; I'm by no means in security denial here. But I simply don't believe a word mi2g say.
With no reported vulnerabilities according to mi2g, these OSes are far more secure than that run-of-the-mill *BSD stuff.
Linux has been the latest fad (and this is in no way a criticism of Linux) amongst the pseudo-geeks who want to be cool by running Linux.
Most of these people don't know how or why they should lock down their boxes and keep their packages up to date.
Part of the problem is that many distros enable a lot of services by default, and over time, they become vulnerable to the latest buffer overflows and get rooted eventually by people who don't know about them.
The blame really doesn't go to Linux for its design. It just happens to be popular amongst people who don't know squat about security, though it would help if more distros would lock things down by default.
What about Netware? Linux and Windows have had hundreds of security related patches in the last few years. Netware has had, like 4.
Linux may have its problems. However, it is still more secure than WinDOS. A cabal of liars that masquerade as "researchers" does not alter the facts.
Claiming that FreeBSD is more secure than Linux is simply not news.
Claiming that Win32 is more secure than Linux is simply absurd.
A Pirate and a Puritan look the same on a balance sheet.
This probably isn't an issue for the vanilla BSDs, but OS X and Windows are both much more likely than Linux to simply be a workstation rather than a server, given the fact that the overwhelming number of Linux boxes are in use as servers.
It's generally not too bad to secure a workstation against remote attacks-- you can just rip out anything listening. On a server, you *have* to be running some sort of server software, and if that has holes, you are open to attack.
May we never see th
My Play Station 2 has never been hacked so it makes PS2 the most secure O/S.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
But really, inadequate training on newly-commissioned linux systems seems like the true cause.
A lot of software is shared between BSD and Linux installations. Stuff like sendmail (qmail, postfix, ...), apache, bind, etc... is exactly the same on both OSes. Most security breaches involve a buffer overrun in one of these server programs. So obviously, Linux and BSD systems should be equally vulnerable (or safe) w.r.t. remote exploits...
As many have pointed out in other threads, the ratio of competent/incompetent Linux admins is higher than the competent/incompetent BSD admins ratio. This is sad, but true. It is not because Linux is bad or hard to manage, it's simply because Linux is much more popular than BSD. Newbie admins will seldom start with BSD, so they make their mistakes on Linux boxes first. Some of them may grow up tired of all the different idiosyncrasies of Linux distros, and try BSD. A few may even like it and stick to it. But the point here is that your average BSD admin is already experienced with Linux systems, whereas the bulk of Linux admins won't be.
Linux or BSD are both great systems, but they can be really dangerous in the hands of the inexperienced.
DISCLAIMER: I'm a senior FreeBSD sysadmin since 2.0, but I'm also managing a farm of misc. Linux variants since kernel 0.99 in high risk secure environments. I like both systems very much, so I tend to dislike stupid over-generalizations a la BSD is more secure than Linux (even if it is true, for the reasons explained above).
cpghost at Cordula's Web.
Basically, they are deliberately sacrificing security for ease of use. Same as Microsoft.
There's no reason Linux can't be highly secure, except that it'll be a pain in the arse to add services like FTP, web etc. But after a default install, look, Apache is already running, FTP, telnet, rsh, etc etc is enabled, sendmail routes mail from anyone. All so that some numpty can drop a CD into a drive and it all just magically installs and works.
So instead of it taking effort to make Linux work, it takes effort to make Linux secure.
Government of the people, by corporate executives, for corporate profits.
Don't be ridiculous. All my boxes are patched; Linux, BSD and Windows. Now....I spend significantly more time keeping the Windows ones safe. And I have had many more security breaches on Windows (4) than on Linux (0) or FreeBSD (0). And most of my services are on Linux.
But the point here, that most folks do at least seem to recognize, is that the reason I have to worry about the Windows machines so much doesn't have anything to do with a "real" hacker actually "attacking" me. That's what I worry about on the Linux boxes, and just a bit on the BSD one (there are actually a really high concentration of FreeBSD boxes on the network that machine is in, so it is a bit more inviting a target than normal). On the Windows machine I just lose sleep all the time over script-kiddies and worms.
After all...why would anyone expend their 31337 h4X0r skills on some Windows box, when there are a dozen easy point-click-backdoor attacks available? No, anybody who wants to spend real energy taking over systems will point at something more impressive.
...not that this means you don't have to patch your box. But all major distros these days make that really painless. Or at least a lot less painful than Windows.
Given a choice between free speech and free beer, most people will take the beer.
We are 100% Macintosh on the desktop because I can then spend time on billable hour projects, not internal stuff. But generally speaking, I really just like how BSD, especially the ports system, is organized and managed. Linux has always been scatterbrained with more distros than you can count, whereas I like the core development teams in both Free & Open BSD.
When I used to run an online browser-based game system, we often had more people trying to beat the system than the game. Led to problems under Linux and since it was a hobby site that I maintained in my spare time, I didn't have time to mess with keeping everything 100% up to date. So I reset up the game on an OpenBSD platform. Sure it didn't scale as well, but had no successful breaches from the script kiddies.
Now that I work as a consultant with small and medium sized companies in this area, security has become a staple of my business. Most of my work is in Policy advising because we still see a lot of network breaches, a vast majority, having some kind of internal procedure issue. Aka, someone calls saying they are from branch y and forgot a password and someone gives it to them or a disgruntled employee sells information to a competitor. Or worse yet, employee fired/let go and no one removes access to the system until after they're gone if at all. I have seen some companies that still have user accounts for people that haven't worked there in over 3 years.
Still these are mainly small businesses with less than 10 people that are in real estate or some service business where they might have a website, POS, Email, MS Office, and Quickbooks more than larger companies that have an actual IT guy or department (even then...I am amazed at the total lack of intelligence of some of the people with MSCE at the end of their business cards)
Still, the biggest threats are coming not on the server side, but client side with viruses and trojans galore. It's the average joe blow that opens every attachment they are sent that causes the bulk of problems from my perspective.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
I'm guessing the hypocrite in you would have reared its ugly head.
And this is a good example of discarding all the data, coming to any conclusion you wish, and then putting the onus on others to debunk your unsupported premise, which, as it happens, has no logical bearing on the argument you are attacking.
A very popular methodology, but not a valid one.
For purposes of bias I will point out my posting history will show that I use Windows 98, Mac System 7, Mac OS8 and various flavors of Linux at the moment, but have a very strong preference for Linux for explicitly stated reasons, some of which relate directly to the deleted data in this study, some of which do not. You'll find that my position is at least unbiased enough that I have been accused of being both an MS lackey and a Linux zealot, although I don't recall that I've ever been accused of being a Mac head. I have never so much as sat at a BSD terminal or an OSX box, although I would have no particular objection to doing so, it would be fun, and I am inclined to believe that BSD is more secure than the majority of Linux distros at the moment.
If you wish to debunk this you will have to do your own homework in finding evidence to the contrary.
Ad hominem strawman arguments will be promptly and cheerfully ignored.
KFG
Another interesting fact about the survey (if you have good eyes, you can look it up here):
about 13,000 of the attacks analysed were conducted by Brasilian hacker groups. Makes me wonder how this correlates with the number of attacks on Linux systems (about 13,000)... and why the heck Brasilia is the source of more than 75% of the hacks surveyed.
Hmmm, how do I mod the original poster as 'troll'?
Security is a multi level process. No OS in the world will make your server secure if you are using weak passwords, haven't installed any updates, etc.
While it's the multi-user nature of Unix that makes locking things down a bit easier, it's also up to the admin of the machine to make sure things are set up securely, and stay that way.
Great, yet another brain-damaged research that considers Linux an OS, and talks as if all Linux distributions were identical in terms of out-of-the-box security and ease of applying security updates. Hell, if we ever asked those morons what Linux distro they used to compute their Linux results, I bet they would say "uh... Linux 9.0 ?"
Maybe this was an article that shouldn't have been posted here at /. Give the SCO and Microsoft people something to use against us Linux users.
---
IMHO, of course.
May the SOURCE be with you.
Sorry you can't just make up things and state them as fact. Since we're talking about desktop users let me make a point that is at least somewhat based on fact. Since Windows desktop users outnumber Linux users by at least a 25 to 1 factor I'd propose that because of the sheer number of Windows users even if a small percentage of them run web servers they dwarf the number of Linux desktop users who do such. The number of Windows users who really know Windows as opposed to the number of Linux users who really know Linux isn't even in the same ballpark. This isn't 1995 and Windows users aren't a bunch of computer neophytes anymore. As you stated linux users "are likely to know a few things about proper server security."
"Windows users are less likely to run a web server, simply because they're not as eager to play with their system as Linux users"
That's simply not true. Windows users are curious about their computers just like linux users. I assume you've never been an admin then? Because if you had you'd realize that Windows users are more than capable of totally screwing up their systems and often run software which acts as a server without even knowing it. Remember most Windows users run as administrator.
"What I want to know is the percentage of professionally installed and maintained servers that was actually vulnerable."
It should be close to equal. A properly secured Windows box is just as secure as a properly secured Linux box. Security is in the process not the OS.
If you wanna get rich, you know that payback is a bitch
What they didn't tell you is the decline in successful intrusions can be attributed to the fact that most of the servers were down because of the latest virii attacks.
Something intelligent here.
You are as safe as you make your server/system to be. If you don't patch you will get hacked and will not be safe. Same goes with windows, linux, Anything. Unless you have your own OS that doesn't have patches :P. Can't stress how stupid it is NOT to put up a firewall blocking ports you really don't need open. Anything out of the box and kept at that evil "default" setting Is bound to get h4x0r'd (hehe)
Here I go burning Karma again... Since we can't know the full details of this report unless one of us actually buys it, it is probably pointless to speculate on their methods. However... if you assume they didn't try to stack and that the following is more or less true:
* that most of these 17,074 were web servers
* that all or most of these servers were production boxes (worthy of being investigated after a break-in)
* that at least 20% of these were running Windows/IIS (Netcraft
then all things being equal, there SHOULD have been at least 3400 Windows break-ins. Since there were about 2005 successful Windows attacks, MS and Windows admins must be doing something right. Many Windows admins ensure their boxes are patched. They follow NTBugTraq. They run lockdown tools or subscribe to security monitoring services. They are aware of potential breaches and most importantly THEY ARE NOT AS ARROGANT AND SMUG as some of their Linux counterparts.
Mmmm -- nothing like the sweet smell of Karma burning on a cold February afternoon!
Is this sig nificant?
"In a statement, Mi2g said that the company is in touch with Microsoft at a senior level and that the two companies are working together to deal with the issue of vulnerability counting." And what do we hear? Windows vulnerabilities went down and Linux ones went up! right...
Oooooh...
cabal of liars that masquerade as "researchers" does not alter the facts.
I love that word. Cabal. You see it so rarely in everyday life. I'm going to start using it more.
Now that Linux is running with the big boys I hear a lot of throat clearing. What happened to being more secure? Worms were discounted because the study was based on one hacker, one server, not a script kiddie writing an automated bot designed to attack everyone's home machine. This was about servers, not workstations. Looks like Linux is in the same boat Microsoft was in with 2000/XP, namely everyone and their mother is setting up Linux servers. Linux was never more or less secure than Microsoft. Its "security" was based on its obscurity. Now that installations abound, however, the Linux community is having their work scrutinized and put to the test. Sorry boys, the easier you make it to use, the more people will try to hack it. Goes with the territory. Just ask Microsoft =]
End of Line.
You know why there's more overt hacking of Linux boxes than BSD boxes? Because there are far fewer BSD boxes out there to be hacked.
You know why there's far more Linux boxes that are being overtly hacked than windows? Because if you are a hacker, what the hell are you going to do with a Windows box? It's just not as interesting or powerful to remotely control a windows box.
I'm not a hacker, but if I was one, I would not waste my time on trying to 0wn windows boxes. I'd go after Linux boxes. Not because they are easier to breach, but because they are more fun to play with when you do.
This sig has been temporarily disconnected or is no longer in service
Uh...I haven't read all this other guy's posts. But they don't change the fact that his point here is incontrovertibly correct. Throwing out the most popular method for breaching security is a completely unacceptable way to conduct research that hopes to conclude relative security. That's pretty damn basic.
I mean, do you seriously disagree? You think this study actually shows that Linux is less secure than Windows? Even after you realize that they are ignoring SQL-slammer, Blaster, MyDoom, Nimda, Code Red... and on and on? This is one of the most bone-headed studies I think I've ever seen. Anybody duped by this has absolutely no concept of either computer security or basic logic.
Given a choice between free speech and free beer, most people will take the beer.
The truly funny thing here is that Mi2g is a security firm that runs Linux and sells services for Linux, but reports that Linux is the worst of the bunch. Hummmmmmm.
I suspect that shortly they will be reporting that Linux is more loaded with viruses than Windows, to be followed with their new anti-viral software.
I prefer the "u" in honour as it seems to be missing these days.
Posting the story here gets Slashdot added to the cluster of international stories that appear on Google News and provide a way for debunking to reach outside our little community of line noise detectors.
Still, it's annoying.
-- @rjamestaylor on Ello
Don't forget, they're also only counting overt attacks, i.e. verified ones... ones that leave a trace. It could very well be that all of those Windows or OSX boxes were at some point owned, but that the attack was so successful as to not leave a trace. It also requires "modification to any of its publicly visible components whilst executing...data attacks... [or] command and control attacks."
They also don't list their methodology, which I find disturbing. Out of 17k successful, caught, non-automatic hacks, x were against these systems. However, they don't say where those 17k come from, and don't put it in the perspective of the percentage of those systems in use. If you go to their homepage, they list something called a SIPS (Security Intelligence Products and Systems) System. This data comes from "Personal Relationships at CEO, CFO, CIO, CISO level within the banking, insurance, and reinsurance industry... monitoring hacker bulletin boards... and anonymous communication channels." That's a pretty unscientific pool to be pulling data from. Essentially, you're talking about hacks that were either reported by friends in high places, friends in low places, or bragged about by hackers on publicly accessible bbses.
So if you want to take the survey methodology seriously, then the survey proves beyond a shadow of a doubt that Linux has more non-automated attacks involving changing publicly accessible interfaces that were caught and reported by friends to mi2g.
The ______ Agenda
How exactly does a third party determine (a) that there has been an attack on a server, (b) that the attack was successful, and (c) the OS of the server that was attacked? The only way I could see getting this information is from people filing reports about their server when it is attacked. Likewise, in parts of the study this mi2g group quantifies exactly how many attacks certain 'hacker groups' made during the last month. I'm sure the cracker underground is just jumping at the opportunity to tell mi2g every time they compromise a server. I could see possibly establishing relationships with companies so they file reports whenever their server is compromised, but claiming they know how many attacks a given hacker group performs each month completely destroys any credibility they have in my mind.
Sure...we've got evidence. You can even (hopefully) find it in your own memory of the day when the whole Internet had major slowdowns and large service outages when SQL-slammer came out.
Or perhaps you just want to take a look at any number of statistics that compare breaches and don't ignore all worms. I'm not going to go link-hunting for you this second, but if you seriously look for any real studies on this subject and make sure they are taking all attacks into consideration, the numbers are tremendously different.
Seriously...just think about it for a second. Have you ever seen someone perform an attack on a Windows box that would be considered for this study? I've seen several hundred Windows breaches now (I've worked in computer repair shops, and now an ISP, for some time) and so far I think every last one of them involved some sort of worm, virus, scripted exploit or trojan. If you leave all this out, what do your numbers mean?
What a dumbass way to conduct a study.
Given a choice between free speech and free beer, most people will take the beer.
Has anyone noticed that 'servers running on MAC-OS' article is from MACWORLD.co.uk...
Time to face it and stop thinking Linux is the best thing since sliced bread in security. Linux has as many holes as everything else.
Oops, looks like another anonymous newbie showing his credulity, swallowing the sensational headline hook, line and sinker without so much as a passing nod to actually getting the facts.
Note the very common troll technique: create an absurd position out of thin air, a straw man ("linux is the best thing since sliced bread in security") which nobody has ever said, and then attempt to make oneself look like the voice of reason by attacking the absurd position.
Then, having established oneself as the voice of reason, chime in with an absurd non-sequitur which, once examined, lacks any basis whatsoever ("Linux has as many holes as everything else").
Seriously, look at the so-called report and find out what they are saying. Try to put it into your own words. Ask yourself if you understand everything clearly, or whether there is missing information. What could that missing information be, and why was it withheld: just sloppiness, or a clumsy attempt to deceive?
Clearly, if they begin by tossing out any reference to any of the major security issues of the past year (the relentless variety of microsoft worms and viruses) you have to be suspect. Naturally, you'd wonder what else they tossed out, and what sort of goofy methodologies they used, what they define as a successful attack, etc.
It turns out these guys have a pretty crappy reputation in general, google them for a heads-up!
1. They failed to mention that these are REPORTED breaches. Most organizations do not report breaches.
2. They did not normalize against the sample population for each OS, but simply reported raw numbers. Statistical crap.
3. No categorization of breach types. (root, user, etc.)
4. From what sources were their data derived?
In short, this "report" is bullshit and tells nothing of interest.
"Computers are useless. They can only give you answers."
-- Pablo Picasso
> Windows users are less likely to run a webserver,
> simply because they're not as eager to play with
> their system as Linux users. Therefore there
> will be less insecure Windows servers. The same
> goes for Mac-OS users.
The study was talking about servers. So your comment about Windows users being less likely to run a webserver makes no sense whatsoever. In terms of the study, they are every bit as likely to be running a webserver.
Linux users have to face the facts when addressing this matter and not bury their heads in the sand. There are any number of Linux users who don't even know what inetd and tcpwrappers are let alone bugtraq and cert or how to upgrade their systems and keep them secure or how to write PHP scripts with bounds checking.
Until that changes Linux boxes are going to continue to be broken into wholesale.
The reaction to this story on here reminds me of when Apache and IIS were put head to head in some study and there was wholesale denial that IIS could outperform Apache. The Apache team recognised there was a problem though and set about improving their software. This is what Linux users have to do now.
Whilst the study may be flawed and the company that did it may have an agenda, 13000+ Linux break-ins in a year should be serious cause for concern.
Folks, please face the facts even if they are unpleasant and improve the software and more importantly improve the education of the user base.
The Machine stops.
Did anyone bother to Netcraft www.mi2g.net?
Apache/1.3.28 (Unix) FrontPage/5.0.2.2510 on Linux
It is time to stop the religious flame wars about "my OS is more secure than your OS".
We all know Windows has bugs, because people revel in revealing Microsoft's weaknesses. Hackers love to attack Windows because it is ubiquitous and so it is also the most attacked.
What this report points out, with all its flaws, is that the Linux system has problems too. Linux supporters have turned a blind eye to this and have loudly trumpeted Linux as secure, while Windows is not. This simply wasn't true, but made Linux supporters feel good about themselves. And even if it is a bit better, that isn't the point.
There will be bugs in Linux and Windows and other OSes as long as new development continues. Further, as long as humans administer the boxes, admins will do silly things and create vulnerabilities.
AmigaDOS. There have been exactly 0 attacks on an Amiga-based server. Long live the world's safest server OS.
What does this study actually prove?
Nothing we didn't already know. Regardless of its conclusions, it's useless for anything but an excuse to argue and troll about the same points as always.
Just one bit that I'd say this is not quite on the mark in this closing statement: Windows makes it easy to patch a machine for the consumer, one box at a time; they make it easy for corporate customers with tools that can push updates onto boxes (although the required reboots are an issue unto themselves). Please correct me if I'm wrong, but I'd venture a guess that the issue is that you don't have these tools because they cost money that isn't easy to justify for the number of Windows servers you have.
The major problem as I see it is exactly what another poster stated -- that vulnerabilities may exist for months before a patch becomes available from Microsoft, and we may not be informed of them in a timely manner. The sheer number of ways that a Windows machine may be vulnerable for variable periods of time seems to me to be orders of magnitude greater than any Open Source package or the Linux kernel itself.
The ease of patching vs. the costs of doing so is a very valid reason (among many, obviously) for choosing one operating system over another. But to me it's far more important to know when a vulnerability exists and when a patch will be available. Windows loses in this regard, hands down.
Disclaimer: IANASBIPTBOOS
- Leo
You don't use science to show that you're right, you use science to become right.
Let's look a bit at the article. If you look at the FAQ link, after "Executive Summary" ( http://www.mi2g.net/cgi/mi2g/press/faq.pdf )
1. mi2g notes that hackers they anonymously interviewed preferred attacking Linux systems, NOT because they're inherently less secure - but because of configuration errors that run rampant from poor sysadmining.
1b. Unfortunately, this immediately invalidates any analysis of the security of the actual operating systems. Not to be redundant, but the system is only as good as the administrator.
2. I don't know where I saw someone ask this, but if you look at section two: "Multiple website attacks resulting from a single system breach" do actually count as many. For instance: if foo.com and bar.com are being hosted off the same server, and that server is breached, they count it as two attacks. Their reasoning is that from an insurance perspective, the industry is shelling out twice as many bucks they would've if it had only been a single page.
====
Okay. This article tells us one thing: Linux systems breached are simply victims of poor sysadmining. This should spur us on to do one thing. LEARN.
Shoot, if you're doing this informally, then get a good friend and learn to hack linux systems together; spend spare time hacking each other's systems. If you're doing this professionally, then *learn*. Readreadread. Patch. Patch. Read some more. Patch again. Retouch the basics; shut down unneeded services; configure permissions correctly. Go drop a hundred bucks at Barnes and Noble and buy a 12 pound book on Linux sysadmining. Or security. Above all, no matter how you do it, or even on what platform you do it...
Learn.
'If you're flammable and have legs, you are never blocking a fire exit.'
This study committed the worst type of selection error: selection on the dependent variable. In this study (or at least in the article's description) the dependent variable is successful penetration. The value of this variable is 1 (ie yes) in every case. Therefore, the dependent variable doesn't vary. Now the independent variable (type of OS on target system) does vary, but unless the dataset includes unsuccessful penetrations (or transforms the dependent variable into a comparative measure based on average penetrations per OS/server) absolutely nothing of value can be learned. This is research design 101, folks: variables need to vary.
Make cheese not war 8:)
"The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers."
Hackers don't do Windows: it's just too easy; BSDs are viewed more as trophies than anything useful; and Linux is the most popular of the alternative OS, and one very used by the common hacker, so it makes sense that they target it more frequently.
My point: it's not the OS fault for these statistics, it's the common hacker mentality; if they included viruses and worms, Windows would surely come first, because it is, technically at least, the less secure OS of them all.
(yes, yes, not all blackhats use Linux, and it isn't just blackhats that use Linux, but I'm talking about the hacking/cracking/defacing/whatever you want to call it community in general)
"You should never doubt what nobody is sure about." -- Willy Wonka
Linux is touted as being secure "out of the box."
So what do people do? They install it, throw it directly on the line and assume it's secure "out of the box." So they don't worry about it.
I know Windows isn't secure. There's no way in hell I'm putting ANY OS directly on the line. I run a hardware firewall between every computer and the outside. Very few ports are open and I know exactly what's running on each of those ports.
For my IcarusIndie.com server it's logged in as an Administrator 24/7 365 days a year. Guess how many times it's been hacked?
Once someone erased all the usernames and passwords out of MySQL. They did it through a PHP page that uses MySQL. Nothing was actually damaged because they couldn't get anywhere. There is no way to remotely connect to MySQL. It's pretty lame that a semicolon can allow arbitrary commands to be issued to MySQL. And yes I'm running the latest version.
Another time someone I know decided to demonstrate a nearly server crashing bug GuildFTPd has. I updated to the latest version that claimed to have fixed the problem (ignoring your settings for not allowing more than X connections from a single IP) and it wasn't actually fixed. I now run BulletProof FTP server and it isn't affected by that DoS bug and has no known remote exploits.
I also run WinVNC. Except it's modified to use a whitelist. Only when you connect with given IPs do you even get the password prompt. And there's no way to remotely change the IP list unless you already have a whitelisted IP. So when my Cox IP changes I have to go down to the ISP to get physical access to update the whitelist.
No one has ever managed to hack Windows. Even though I'm running as "root." Only some very flaky software handling the above mentioned hacked services. But they've never managed to cause any real damage.
My web-site has been running logged in as Admin for going on 4 years. That's a very stellar record. And not hard to achieve if you're not blinded by propaganda. I even ran my server on WinME to start with and never got hacked.
It's an attitude problem. Not a hardware or software problem if your systems are being hacked into.
Ben
Work Safe Porn
The usage patterns and target market/audience for these operating systems are very different.
There are huge variations in security between
- a Linux box set up by a novice student
- a Solaris system participating in a cluster serving a major consumer website
- a Mac OS X Server machine running stock network services for a graphic design firm
I'd like to hear more about how they accounted for these differences before I make up my mind.
org.slashdot.post.SignatureNotFoundException: ewg
Morons that have Outlook set up to automatically download and execute attachments
Outlook may be able to be tricked or taken advantage of to execute attachments. It may be bubble gummy and impossible to get to work and look the way you want. Overall, it may just suck like nothing has sucked before. However, I'm pretty sure there is no setting labeled, "Automatically download and run any executable I receive via e-mail."
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
And who wants to hack a Windows box? It's too easy, even a worm can do it
I love to see actual numbers, very helpful and often left out.
The problem here is we don't know what the underlying distribution of Linux, BSD and Windows boxes was. So, the fact that 13/17 of the cracked boxes were Linux and 2/17 were windows doesn't mean much if there were 100 Linux and only 3 Windows in the test population. Odds are my guesses are not correct however, it does present a problem with this article. Maybe not a half-truth but, perhaps an intentional omission.
L053R
Your comparison isn't really fair in itself, either though.
The BSDs have some things which make even that shared software safer. For example, consider that the BSDs have lstrcpy/lstrcat, whereas GNU won't add it to the GNU libc. When you run Sendmail on a GNU/Linux box, it's using a macro to simulate these calls instead of actually using the safer routines.
They're also not as open to remote exploits as one another because they use different kernels and tools, which have different types and amounts of exploits. This will hold true even between the BSDs. Even Free Vs. Darwin will have differences that would make them less open to shared exploits.
Of course, the fact of the matter is every system is vulnerable to some degree. We should see this as a reason to start moving ALL the free OSes to better tools that don't leave them so open to attack, not just to try and dismiss it as meaningless line noise.
Go for it. Post it here. I'll run it and tell you if my machine crashes. This is only half a joke, because I don't believe you.
Note that the results shown in the MacWorld article are not normalised. In other words, they are the total number of attacks, not the number of attacks relative to the presence of each OS. Naturally, operating systems that power millions of web servers are more likely to suffer attacks than operating systems that power only a few thousand (or even hundreds).
It sounds very impressive that "the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004", but then you look at the number of government servers actually running OS X, and it becomes pretty clear why they weren't attacked. There are simply very few government servers running OS X (less than 3%).
So this "study" is a joke. I only wonder who commissioned it, Apple or Microsoft...?
Of course we all know OS X servers aren't worth hacking. They're only used by cutting edge, heavily sponsored scientific institutions, sensitive government operations and advertising agencies.
:-)
Now why would a real hacker want to steal from those losers... where's the money, where's the challenge.
In the same vein it really surprised me that FreeBSD - an effort to make an extremely secure environment - is so secure.
I think, therefore I am...I think.
Look both ways before you cross the road.
Well, patch my systems and let the disk drives roll. Who'da thunk that being root on a system could present security risks?
Graham
Linux - Fast Pane Relief
Using GNU Octave http://www.octave.org,
decode.m:
function decode (b)
for i = 1:length(b)
printf("%s",char(bin2dec(num2str(b(i)))));
endfor
printf("\n");
endfunction
octave:1> decode ([01100111 01101111 01110100 00100000 01110011 01101001 01100111 00111111])
got sig?
octave:2> decode ([01101110 01101111 00101100 00100000 01101001 00100000 01100100 01101111 01101110 00100111 01110100 00100000 01101000 01100001 01110110 01100101 00100000 01100001 00100000 01110011 01101001 01100111])
no, i don't have a sig
flossie
Write now. Defend liberty
I've been using Slackware since version 1, so don't think this is just another anti-Linux comment.
"Total domination is bad. The Microsoft dominance already badly misled people about how to choose systems. Instead of 'what tool do I use for the job' it's 'well it was shipped with the box'. Linux is a tool, Windows is a tool and so are numerous other systems. It's really important people go back to looking for the right tool for the job. That will never always be Linux. No single tool can do everything well." Alan Cox
I really hate signatures, but go to my website.
It is quite well known M$ has been in bed with Apple for a long time. While it is absolutely no surprise *BSD wins, and for Mac World, Mac comes in second, one has to wonder what this is about?
Who doesn't know an unpublished exploit of Windows? Perhaps because it is so easy, script kiddies have turned their noses up to Windows? More likely Micro$oft just paid someone off and this is just another example of FUD? I've used all flavours of BSD for years and certainly won't switch. I've used (and still do) use Linux and certainly it can be more trusted than anything from M$.
Others have described the mayhem Microsoft does to the Internet, the worms and all that stuff. Perhaps Linux should review security a bit, but Linux is actually just the kernel and that has been top line for years. Just watch the added and unknown software you add. Same for Windows, but the fundamental basis of that kernel is flawed and without any true 'division of privileges' it's a piece of cake to exploit.
I like how the very first post discounts the point of this article right off by saying, sure, maybe linux got attacked successfully a lot, but what about all the other attacks that would've succeeded on Windows?
Come on, people. The fact is, the linux boxes got attacked successfully. That's a Bad Thing, regardless of what happened to Windows. It's an embarrassing thing for us linux people. Here's the real rub...
I've read studies over several years saying that linux boxes are nearly as secure as FreeBSD installations if the administrator sets up the environment properly. The results of the slashdotted study here is the result of the RTFM culture...hard to operate and administer, very little respect for the user in the design of the OS as a whole. I mean "respect" in the sense of "let's make this trivially easy to use because it's possible and respect the user's time" rather than "let's respect the user's intellect by reasoning they'll figure out how to work this thing no matter how ridiculously complicated we make it."
This study ought to convince all the people out there that don't worry about linux being too hard to use...it's affecting everyone, not just newbies. Not just dummies. Even admins can't set up a secure box. We have to keep working on usability folks. Fact is linux is more potentially secure than Windows--but not in practice because no one can figure out how to lock it down.
sev
but have you considered the following argument: shut up.
The reason OSX (workstations) are so secure is all services are turned off by default. Definitely a good security strategy. And it's hard to turn the stuff on (no prominent shiny, candy-like buttons to enable them)
But even if those potentially dangerous services are enabled (DNS, sendmail), they're less likely to be cracked because most cracks use buffer overruns that are intel specific code injections.
Intel has been around for 20 years, which means 20 years of people learning assembly, and mature, asswiping documentation on every detail of the processor. And also, long evolved cracking documents/tools.
Whereas OSX has only been around a few years. And at the time it came out, many tools (DNS, sendmail) had already become security aware. Viruses had already been running rampant, so Apple was able to start at a point where security issues could be worked into the design. Also, when OSX came out, few people cared about assembly anymore. In the 80's it was necessary, but now, it is less so.
At this particular point in time, if an OSX box and linux box are each running the same buggy version of DNS (the one that had the buffer overrun loophole), surely only the linux box will get rooted, because the rootkits are mostly intel specific. The initial rooting of a machine usually involves an assembly level attack with a buffer overrun.
So it's not even an open source issue; DNS is open source. It's the same code on both platforms. But because Mac's OSX platform hasn't been around for long, is one reason there aren't popular rootkits for it. But if there is one, then it's just a matter of time and desire on the part of crackers.
One thing Mac also has going for it is OSX (workstation) the day it was released, by default had all services disabled. So it's a pretty tough box to crack from day one; even if grandma turns on her new OSX box for the first time, it will likely be more secure than a linux box configured by a seasoned admin setting up linux for the first time. (weeks later: "What, sendmail and portmapper are running? I didn't turn those on!")
So there is less desire to even try to crack a platform that has no services to crack to begin with.
However, with OSX *server* being a bit more recent, eventually cracks may become more desirable because that will have attackable services. But someone will have to learn assembly for the Mac to implement the buffer overrun attacks. And it may take a few years before that becomes as popular as linux rootkits.
It would be good if the Linux distros made it harder for first time users setting up webservers to accidentally leave on useless services like NFS, portmapper, and all those daemons internet servers don't need (lpd, yp, linuxconf, auto-updaters).
Hmm, I wonder what services were enabled on the article's test machines. I guess it wouldn't matter, because an intel buffer overrun injection on a Mac just won't fly.
When talking about safety it is not very useful to count the number of OSes hacked and then just say "oh, this OS is safer", because this doesn't give any accurate data.
When the breach is caused by administrator fault, you can't always blame the OS.
In the past it has often been argued that the cause of many breaches is that Windows administrators were less experienced than Linux admins. This has nothing to do with the OS, more with culture.
Many breaches are caused by applications and not by the OS. When, for example, a machine is hacked through a bug in Apache, you can't always blame the OS.
Another example is publicly accessible web applications. Many of them are very badly written regarding safety! When such an application is hacked, does this also count as a breach in the research? This also has nothing to do with the OS.
There is much more to say about this, but from the above I can safely draw the conclusion that for producing any sensible data which can be used to draw conclusions you should separate the data into:
* Caused by admin fault
* Caused by bug/weakness in OS
* Caused by application
When I was a student they taught me how careful you should be when interpreting measurements. Often people don't take the circumstances or correctness into account and often they do the wrong math.
Regardless of the conclusion, this is just bad research.
I'm going to say this just because no one else will. Suppose Linux simply is less secure than Windows. I have been hearing the opposite from the slashdot crowd with no information to back themselves up. They simply state that because it's open source, it must be more secure.
Then when information proves otherwise, they say things like, they may have been the most targeted or Linux is over-represented as a target of hacking because there is so much low hanging fruit out there
Modding this as Flamebait only proves how Linux-centric Slashdot is.
A quick Google search pointed me to this site with statistic about web server software.
The below uses data available on the above link, so don't flame me if it's wrong, this is just for example's sake
In January 2004 there were 31,040,922 Apache web servers on the Internet (let's assume those are all Linux or Un*x boxes). There were 9,675,979 Windows servers on the Internet. Let's say that mi2g's results were correct and 13,654 of the Linux/Un*x boxes are hackable. That makes roughly 4.4 percent of Linux/Un*x boxes hackable. If 2,005 of those Windows boxes are hackable, that makes roughly 2.07 percent of those boxes hackable
While those results (which I wouldn't recommend using for any kind of scientific purpose) still favor Windows (*gag*), it sort of puts things back in perspective
Also, how many of those Linux boxes had root passwords of "root," "r00t," "toor," or "t00r?"
My lack of God, it's Trotsky!
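An added example, not from any poster in this thread, of the normalization the post above (and the earlier "they did not normalize against the sample population" comments) call for: it takes the mi2g breach counts and Netcraft server counts quoted above, assumes as the post does that every Apache host is a Linux/Unix box, and converts raw counts into breaches per 10,000 servers, refusing to rank any OS whose population is not on the page.

```python
"""Normalize raw breach counts against the installed base of each OS.

Added example. Figures are the ones quoted in the thread (mi2g breach
counts; Netcraft January 2004 server counts). BSD has no population
figure on the page, so it is carried as None and cannot be ranked.
"""
from typing import Dict, List, Optional

# Constructed from the numbers quoted above; None means "not given".
BREACHES: Dict[str, Optional[int]] = {"Linux": 13654, "Windows": 2005, "BSD": None}
# Assumption (same as the post): all Apache hosts counted as Linux/Unix.
SERVERS: Dict[str, Optional[int]] = {
    "Linux": 31_040_922,
    "Windows": 9_675_979,
    "BSD": None,
}


def rate_per_10k(breaches: Optional[int], population: Optional[int]) -> Optional[float]:
    """Breaches per 10,000 servers, or None when either figure is missing."""
    if breaches is None or population is None or population <= 0:
        return None
    return breaches / population * 10_000


def normalized_rates(
    breaches: Dict[str, Optional[int]], servers: Dict[str, Optional[int]]
) -> Dict[str, Optional[float]]:
    """Per-OS breach rate; an OS without a denominator stays None."""
    return {os: rate_per_10k(breaches.get(os), servers.get(os)) for os in breaches}


def rank(values: Dict[str, Optional[float]]) -> List[str]:
    """OS names ordered from highest to lowest, skipping unknown entries."""
    known = {k: v for k, v in values.items() if v is not None}
    return sorted(known, key=known.__getitem__, reverse=True)


def missing_denominators(
    breaches: Dict[str, Optional[int]], servers: Dict[str, Optional[int]]
) -> List[str]:
    """OSes that appear in the raw table but cannot be placed in a
    normalized comparison because no population figure exists for them."""
    return [os for os in breaches if servers.get(os) is None]


def gap(values: Dict[str, Optional[float]], a: str, b: str) -> float:
    """How many times larger a's figure is than b's (raw or normalized)."""
    return values[a] / values[b]


if __name__ == "__main__":
    rates = normalized_rates(BREACHES, SERVERS)
    print("raw ranking:       ", rank(BREACHES))
    print("normalized ranking:", rank(rates))
    for os, r in rates.items():
        print(f"  {os:8s} {'n/a' if r is None else f'{r:.2f} breaches per 10k servers'}")
    print("cannot be ranked:", missing_denominators(BREACHES, SERVERS))
    print(f"Linux/Windows gap: raw {gap(BREACHES, 'Linux', 'Windows'):.1f}x, "
          f"normalized {gap(rates, 'Linux', 'Windows'):.1f}x")
```

With these inputs the order does not change, but the Linux-to-Windows gap shrinks from about 6.8x in raw counts to about 2.1x per server, which is the difference between the headline and the post's "back in perspective" figure.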
When you say that Windows is so insecure because its users will execute anything, what do you think will happen if Windows users move to Linux? They will double click an email, see a popup window (assuming the program was written for the right desktop environment, which is an entirely different Linux problem) that says "Your system must be updated to run this program. Please enter your root password." and BAM! you have a rooted Linux box. The attacks tried in this article do not rely on bad users, but on insecure OSes.
As an OS X user, i'm afraid that some jackass is going to take the this as a challenge and find a way to hack into my little box. If Apple ever advertises that OS X is the safest operating system that's when it's going to hit the fan. The automatic software updates feature is the perfect distribution system for some buggy code, it seems. But in my opinion, OS X does run more secure than any other OS i've ever used. Best thing - it comes that way right out of the box. -ko
in general, any time you run something that a lot of other people are running, you'll have issues... out-of-box linux x86 installs I'm sure will have difficulty... if you want to run linux, pick a different platform (PPC, Sparc, MIPS) and avoid skript kiddies who use pre-written x86 exploits :-P
Okay, Linux advocates, hold on to your seats, and make sure you've got your heart medicine, but I predict that in the coming years, you're going to have to get used to hearing how much more secure Windows is than Linux. Why? Because Microsoft has no choice. Microsoft hasn't found a way of squashing Linux using anti-competitive business practices. They're facing the loss of a great deal of revenue and market share from Linux on the server side. And their cavalier attitude about trivial vulnerabilities from things like email attachments has finally caught up with them. So, reluctantly, and with a heavy heart, they have finally decided to take security seriously. After decades of neglect, they can't turn things around overnight. But Microsoft is a *very* focused company, and I predict they will, in time (maybe a long time), turn this issue to their advantage.
As I see it, MS has tens of billions of dollars and tens of thousands of very smart, full time programmers. Linux has a wild, wooly, totally decentralized, totally disorganized development model, with contributors of very varying talent and knowledge. Okay, we've all heard the arguments about "... many eyes ..." and "security through obscurity." Frankly, I don't think they hold water and I don't think Linux can compete long term. Even the exalted BSD might not be able to. (I used to work in a 100% FreeBSD environment. We got cracked at least 3 times in the space of a year or so.)
I'm sure many here find the prospect of Linux having its butt kicked off the planet in terms of security unfathomable. But after all, only a few years ago the big selling point of Linux was stability. Now MS has successfully migrated the Windows end user to XP. There's an XP box in this room a few feet from my Linux box. Over the past 15 months since we got it, XP has crashed 0 times, while my Linux box freezes up or has an X Window crash about once a week. Maybe I push my box harder. Maybe. But I'm not selling my wife and kids, or the average Windows user, on the stability thing. That's dead. What I'm saying is I see a few years down the road the security thing will be dead too.
So, I can't say whether this study is legitimate or not, or exactly what it proves. However, it's not surprising to me. What would surprise me is if the wild world of Linux, with its very dubious development model, were to produce a secure OS. And what would surprise me more is if I don't see a whole lot more studies coming to the same conclusion in the future.
Whereas I have strong doubts about the validity of this study, I also have strong doubts about the security of GNU/Linux. It may build on UNIX principles that have been tested through time, and Linus certainly emphasises code quality, but the system as a whole is pretty new and therefore untested, and not all contributors can reasonably be expected to be aware of all possible security issues. Also, the C library is full of unsafe functions (fgets, scanf, ...), and the privilege system is quite coarse, often requiring that processes have powers that far exceed what they need to have (e.g. to install a program in the /usr/local filesystem, virtually anyone runs it with root privileges - which also allows the process to overwrite files elsewhere in the system).
A lot of vulnerabilities are found in programs that are part of typical GNU/Linux installations. Although patches are typically made available swiftly, it's still the admins' responsibility to apply them. A system is only as secure as you keep it, and with all the wannabes running Linux c0z 1tz 1337, I don't have very high expectations. Also, keep in mind that Linux has been a small target, which makes it less popular with crackers, and that attacks against it don't affect J. Windows Luser's system, so the chances that you'll hear about them are significantly reduced.
I run Debian GNU/Linux myself and I am completely in love with it, because it provides a system that Just Works and that I can understand the workings of. Debian puts a lot of effort in quality and security, however, I won't make any claims about how secure it is until I have trustworthy data about it.
Please correct me if I got my facts wrong.
That's exactly the kind of information that I don't think matters. What matters to me is that Linux is better today than it was yesterday, and then better tomorrow than it is today. Who cares about Windows?
Now, there is good reason to debunk biased reports. However, the more important task is to identify what vulnerabilities do remain, and how to fix them. How much discussion of that are we seeing in this discussion?
The numbers are meaningless without the background. Even assuming that those numbers are CORRECT, what does that tell you about Linux?
Were those attacks successful because of a bad choice of passwords? ...or because of permissions set wrong on a script? ...or because of a hole in sendmail? ...or because of a buffer overflow? ...or because of ........?
Indeed. Doesn't it make you wonder? Doesn't it bother you that you don't know for sure that there is nothing that can be done?
There is no information presented in that "article" beyond some numbers given out of context. Because there is no information given, no actions are required.
How about actively working with the ones who reported the problem to see what can be done about it, rather than doing nothing? Nobody owes us precise and free information on how Linux or any other free software project can be improved.
No "probably" about it. One of the rules of security is TURN OFF ANYTHING YOU DO NOT ABSOLUTELY NEED.
I'm not talking about the settings on a particular machine. I'm talking about the choice of a distro to leave a service enabled or disabled by default.
Every time some evidence of any UNIX, and especially Linux, being insecure comes up there are people declaring that the evidence is faulty because UNIX is secure...
Though this will probably be moderated as flamebait I must say that if you take the same care to secure your Windows boxes as you do with your UNIX boxes you will be rewarded with, surprise, secure boxes all over. Windows isn't inherently insecure, nor is UNIX inherently secure.
Quite frankly I was shocked to see that OpenBSD was so secure. I was certain Linux was the most secure OS.
Once more when we see any survey of any sort which questions Linux security, people trounce on it unthinkingly.
:-)
Sure, this report leaves out worms. But that is completely irrelevant. I'm willing to bet that most of the successful attacks on Linux could be automated in a worm.
The point about worms is that they are most successful when you have large numbers of vulnerable hosts to propagate through. Windows wins simply by having sheer numbers of similarly installed machines, so worms are not an indication of how secure/insecure an OS is. Worms are mostly written for Windows, not because it's less secure, but because there is a better chance of success.
A better way to criticise this survey is that it counts total numbers of attacks, not attacks as a percentage of deployed machines. I suspect that this is because this just makes Linux look even worse.
One poster even complained that they had to patch their Windows servers more often than their Linux servers. Don't people see that this is a _good_ thing? Despite what people think, the number of Linux programmers is about the same order of magnitude as the number of Windows programmers. So bugs are likely to be at about the same rate. More patches simply means that more bugs are being discovered and fixed.
If you count vulnerabilities found, Linux and Windows have been consistently about the same order of magnitude (cf. CERT). This is about what you'd expect for similarly complex pieces of software. Being open source doesn't automatically mean that the software is more secure, you still have to have someone looking.
Instead of burying their heads in the sand and Windows bashing, Linux-o-philes should take a long hard look at how they can make Linux better.
Oh and BTW: I run FreeBSD
"Instead of "deny everything" try to explain why these numbers are wrong for Linux and not for the other OSes."
I did not say they were true for other OS's. From what is presented in the article, you cannot determine ANYTHING about ANY OS.
"Though this will probably be moderated as flamebait I must say that if you take the same care to secure your Windows boxes as you do with your UNIX boxes you will be rewarded with, surprise, secure boxes all over. Windows isn't inherently insecure, nor is UNIX inherently secure."
Actually, I can say that about Windows. Here's the evidence.
http://www.eeye.com/html/Research/Upcoming/index.html
Look how long KNOWN vulnerabilities have NOT been patched by Microsoft.
With Linux, they are usually patched within 72 hours.
"Every time some evidence of any UNIX, and especially Linux, being insecure comes up there are people declaring that the evidence is faulty because UNIX is secure..."
Try sticking to the article in question. There is no "evidence" presented. Just numbers presented without any information. If you believe otherwise, then tell me HOW those 17K Linux boxes were cracked. Go ahead.
Learn how to grok it.
/var/log contains a wealth of information that you should be looking at; how would you know where to look?
Also, there's WBEM (which are probes for SNMP) and the Performance Logging and Alerting stuff.
If your CPU usage spikes mysteriously, or some directory suddenly becomes shared, or a service dies, etc. etc. Windows comes with tools to let you know of this.
Not that I'm a big Windows fan or anything, but all the information is at your fingertips if you look around.
The same is true of Linux really... if you didn't know that
In my opinion, it's Solaris that sucks in the logging department. Not so much that it doesn't have the right capabilities, but that by default it logs close to nothing. This is very annoying.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
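As an added example of what "looking at /var/log" means in practice (this is not code from any poster in the thread), here is a small POSIX shell script that reads sshd lines in syslog format, counts failed password attempts per source address, and flags an accepted login from a source that had previously been failing. The log lines are constructed for the example, not taken from a real system, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of sshd log lines in syslog format (example data, not
# from a real host). Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 4444 ssh2
Mar  1 10:00:02 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 4445 ssh2
Mar  1 10:00:03 host sshd[1003]: Failed password for root from 192.0.2.10 port 4446 ssh2
Mar  1 10:00:04 host sshd[1004]: Accepted publickey for alice from 198.51.100.5 port 5000 ssh2
Mar  1 10:00:05 host sshd[1005]: Failed password for root from 203.0.113.7 port 6000 ssh2
Mar  1 10:00:06 host sshd[1006]: Accepted password for root from 192.0.2.10 port 4447 ssh2'

# failed_logins_by_source [THRESHOLD]: read log text on stdin and print
# "count ip" for every source with at least THRESHOLD (default 3) failed
# password attempts, most active first.
failed_logins_by_source() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the word following "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# success_after_failures: read log text on stdin and print one ALERT line
# for each accepted login whose source address had failed earlier in the
# same log. This is the pattern worth pulling out of /var/log by hand:
# a burst of failures followed by a success from the same place.
success_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1)
            if (fails[ip] > 0)
                print "ALERT: " user " from " ip " after " fails[ip] " failures"
        }
    '
}

# Stand-alone run over the constructed sample. On a real host you would
# feed it the sshd lines from /var/log/auth.log or /var/log/secure instead.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source 3
printf '%s\n' "$SAMPLE_LOG" | success_after_failures
```

The two functions are deliberately separate: the first is a summary you might run daily, the second is a rule that should page someone, because a success after repeated failures is the point at which "someone is probing" becomes "someone may be in".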
i) the BSDs are pretty obscure. The people who use them do so for a reason. To get into BSD you've initially got to be attracted by something they offer, and what they offer is security. I'd say the average BSD user knows more about Unix than the average Linux user. (No, I don't use BSD. Well, not much.)
ii) BSD is not a buzzword like Linux. No clueless middle manager ever asked his clueless admin to set up an OpenBSD server because he saw an item on TV about it. Again, if BSD is there, it's probably there for a reason.
iii) the average /. Linux weenie thinks knowing how to comment things out of inetd.conf makes him a security expert. He thinks his ultra-leet Gentoo boxen are watertight, and doesn't need to implement a security policy or look at his logs, then gets worked over by a script kiddie.
iv) the herd's reaction is "it says something negative about Linux, which is perfect, ergo it's FUD"
v) why do Linux vendors (and also Sun) feel bundling as much freely downloadable crap as possible adds value to the product, rather than just making it more of a PITA to manage properly?
That "gooey" python stuff only lives on the RedHat derived distros as far as I can tell, and it's never stopped me from using the tried and true methods either. I tend to ignore all of that stuff completely as it's superfluous. (I also tend to just not install any of it... the package selector is nice enough to keep them together)
::shrugs::
Also, some of the scripts are damn useful. For example, the redhat-printer-conf. And I've looked at that baby, and it is some _hardcore_ python. It can handle like seven different printing systems, and detects which ones you have installed. It even comes with "Print Test Page".
Mint!
Actually, the worst offender is SuSE. YaST will completely take over all your configuration files. And YaST is written in C. OTOH, YaST is pretty friggin complete, and it has a well documented plugin system so it's not as bad as it seems. Still, you just don't install it (or install it but don't use it). Problem solved.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
As Linux comes to be more and more ubiquitous I predict that we will see viruses and worms written for Linux that will actually spread. This is not to say that Linux is any more or less secure than Windows, but all operating systems have weaknesses that can be exploited. Windows' main weakness is clueless users in my opinion. Linux doesn't have that problem, but it may have the problem of having overconfident users.
I have the most secure system in the world sitting in my den. It is a windows 95 box with no modem and no network card. I will give anyone $1000 if they can even do a port scan on it. Oh and the power supply is bad. Ultimate security! Almost as obscure er..secure as OSX!
We set up two firewalls facing the Internet, a MS Proxy server and a redhat9.0 as a test server. The redhat was compromised using sendmail and samba exploits and it was used as a staging area for further attacks before we knew. Thank god the admin password was different on the servers, else we would have lost quite a bit of the company.
But I don't think Linux is at fault. I did not use iptables to block unneeded ports on the outside and I did not patch sendmail (I should've used qmail). I should've taken close care of suid files, used ssh instead of telnet, jailed most servers, never used root and generally kept checksums of the important binaries. That's what real security takes, that's what's easily possible on Linux, that's what Windows lacks and THAT'S what I didn't do.
Although our firewall now is a single OpenBSD (which does most of the above by default), I still recommend Linux, but with patches applied, services disabled, ports blocked and servers run in jails. If they compare default installs, Windows isn't running much, older redhats are running too much with no patching of daemons whose sources are available online, and the results are biased. Just give me a server to secure, give the same to a Microsoft representative, some time for us and then attack the two servers all you want.
Just as tomshardware maxes out their test PC's specs to compare video cards properly (radeon and geforcefx will both be about the same on a pentium2 with 64mb ram, 4gb hdd), OS security tests should rule out technician incompetence.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
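Two of the steps the poster above lists, taking care of suid files and keeping checksums of the important binaries, as an added example (this is my code, not the poster's and not part of any distribution): a POSIX shell script that inventories setuid files under a directory, records a SHA-256 baseline for every file, and reports what has changed since. It assumes GNU coreutils sha256sum; the tree it checks is a constructed scratch directory created for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example: setuid inventory plus a checksum baseline for a tree of
# binaries. Assumes GNU coreutils sha256sum and POSIX find/sed. Everything
# it touches is built in a temporary directory; nothing on the real host
# is read or modified.

# make_fixture DIR: construct a tree with two fake "binaries", one of them
# setuid, standing in for a real /usr/bin (constructed data).
make_fixture() {
    mkdir -p "$1/bin"
    printf 'fake login binary\n' > "$1/bin/login"
    printf 'fake ls binary\n' > "$1/bin/ls"
    chmod 0755 "$1/bin/login" "$1/bin/ls"
    chmod u+s "$1/bin/login"     # the one file that is supposed to be setuid
}

# list_suid DIR: every regular file under DIR with the setuid bit set.
# Keep the previous run's output; a new entry is something to explain.
list_suid() {
    find "$1" -type f -perm -4000 | sort
}

# make_baseline DIR BASELINE: record a SHA-256 for every regular file under
# DIR, with paths relative to DIR. BASELINE must be an absolute path outside
# DIR, and should be kept read-only or off the box: a baseline that an
# intruder can rewrite proves nothing.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2) > "$2"
}

# changed_files DIR BASELINE: print the relative path of each file whose
# current hash differs from BASELINE or that has gone missing. Empty output
# means the tree still matches. sha256sum's own warning goes to stderr and
# is dropped; only the "FAILED" lines are turned into paths.
changed_files() {
    (cd "$1" && sha256sum --quiet -c "$2" 2>/dev/null) | sed -n 's/: FAILED.*$//p'
}

# demo: run the whole cycle on a temporary tree, tamper with one file, and
# print what the check reports. Only runs when invoked with --demo, so the
# file can be sourced for its functions without side effects.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/root"
    echo "setuid files:"
    list_suid "$tmp/root"
    make_baseline "$tmp/root" "$tmp/baseline.sha256"
    printf 'tampered\n' > "$tmp/root/bin/ls"      # simulate a replaced binary
    echo "changed since baseline:"
    changed_files "$tmp/root" "$tmp/baseline.sha256"
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as `sh checksums.sh --demo`. The design choice that matters is where the baseline lives: generated on the same disk the intruder just rooted, it is only as trustworthy as the rest of that disk, which is why the comment says to keep it off-box or read-only.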
Windows isn't inherently insecure either. After all, it's possible to turn off all the services you don't need and to keep your open ports down to a minimum. Keeping your Windows machine patched and all the server products you use patched are also essential. Furthermore, you don't have to use programs that present security issues or, at least, you don't have to use features of those products that are insecure.
In short, those are the same precautions one has to take with Linux. There are some things that *can* make Linux more secure by default, but the same can be said of Windows.
So, as always, security ultimately comes down to the administrators of the servers.
People in the Windows world have been saying this for years. I'm not trolling, but I am glad to see this issue finally come home to roost in the Linux world. There's been far too much complacent smugness in this corner of the IT world and it will do everyone good to kiss, make up, and address the issues as a unified community.
Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
Every time somebody comes out with a statistic negative toward Windows, the less secure in their reasoning ability among this community always start with the "hurrahs" and "score one for Linux!" But whenever anyone tries to tell you you're just maybe wrong, and that, perhaps, Linux is not as secure as you think it is, then you get all bitchy and cry and make dumb excuses. Go ahead and mod me into the toilet, but before you do please consider all sides of the argument for once, jeeze. (Not necessarily saying that anyone is right or wrong on either side in this particular incident, but I hear a lot of flamebait come from a lot of people every time something like this comes up.)
Okay, this is the SECOND study posted to Slashdot that has shown that Linux is the most breached operating system on the Internet.
If it were shown to be Windows, nobody would be arguing, but because there is insane bias around here, we get lots of yimmer-yammer trying to run circles around the data.
How many studies have to come out before Slashdotters stop proclaiming Linux as the magic security solution? GNU was hacked twice last year, and GNOME, Debian, and Gentoo were all hacked. What gives?
Just my two cents. I'm compiling Gentoo right now...I love Linux. But I'm not so naive as to pretend it's the end-all solution. I haven't read all the comments, but I fully expect to read the same, typical, anecdotal bullshit--"Well, where *I* worked..." or "Well, *I* spend more time on Windows patching..." or "Well, if *I* were conducting the study, I would..."
What about statistics on unreported or covert attacks?
The SIPS database and EVEDA do not contain any specific information on attacks that are covert, not reported, validated or witnessed by any reliable source. We do, however, often receive notification on individual security breaches from our partners and clients across the globe, which are included.
In other words, the sample they are using is self-selecting: only the attacks that have been systematically reported and verified are included. The problems associated with a self-selecting sample are obvious.
What if Linux attacks far outweigh Windows attacks, because Linux administrators tend to report the attacks more often, whereas Windows and other OS administrators do not report attacks so often because it makes them look bad? I'm not trying to troll, I'm merely pointing out why the results of this study are absolutely meaningless.
Notice it's detected attacks? Perhaps it's because the Linux tools are better at detecting and defeating attacks than Windows? How many of those attacks were successful and only detected AFTER the damage was done? Not many, I bet...