Slashdot Mirror


Windows vs. Linux Security, Once More

TAGmclaren writes "The Register is running a very interesting article about Microsoft and Linux security. From the article: 'until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.' The full report is available here in HTML form, and here in PDF. Although the article does make mention of OS X, it would have been nice if the 'other' OS had been included in the detailed analysis for comparison."

112 of 489 comments

  1. HTML and PDF? by WIAKywbfatw · · Score: 5, Funny

    What, no macro virus-infected Word file?

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
    1. Re:HTML and PDF? by niittyniemi · · Score: 5, Funny


      > What, no macro virus-infected Word file?

      Yeah, I don't know why the Register is using that dangerous HTML stuff!!

      From the article (MS description of Windows Server 2003):

      "Security level for the Internet zone is set to High. This setting
      disables scripts, ActiveX controls, Microsoft Java Virtual Machine
      (MSJVM), HTML content, and file downloads."

      There are a lot of cynics and sneerers on Slashdot who say that
      Microsoft and their "Trustworthy Computing Initiative"®
      is a lot of hot air and BS. But how many of you with your Linux boxes are
      running a browser that renders that dangerous HTML stuff, eh?!

      Hats off to MS for shipping a system that can't render HTML is what I say!

      If they carry on in the same vein, we can extrapolate that Longhorn
      will in fact ship without a TCP/IP stack. Watch the script
      kiddies try and break into that!

      Microsoft is showing the world how to innovate and move forward as
      ever...by....going backwards......errr, wait a minute....

      Anyway, I just hope that the "Microsoft Crippled Software and
      Environment"
      ® (MCSE) initiative makes more headway and shows you
      filthy hippies/commies how things are done in the Real World!

      --
      The Machine stops.
  2. Re:Geez.. by WIAKywbfatw · · Score: 2, Informative

    Is this a critique of Slashdot's failure to cooperate with third party sites and/or provide basic mirroring, of the editors' failure to properly check story submissions, or of both?

    I think the "mysterious future" feature available to subscribers allowing them to see upcoming stories ahead of the rest of us is meant to be an ironic joke: you've got to read the stories whilst they are still there, because whether or not the links will be accessible in the future is a mystery...

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  3. Misleading article by Anonymous Coward · · Score: 5, Insightful

    Nicholas Petreley is a Linux advocate... there is a basic problem with a partisan person presenting a "fair and balanced" argument. Kinda like doing research with fixed goals.

    1. Re:Misleading article by RangerRick98 · · Score: 2, Insightful

      Funny; doesn't Microsoft fund most/all of the "Get the Facts" surveys?

      --
      "You're older than you've ever been, and now you're even older."
    2. Re:Misleading article by savagedome · · Score: 3, Funny

      They funded this too. But this time they forgot to check the "Study in favor of Windows" checkbox.

      *evil grin*

    3. Re:Misleading article by slipstick · · Score: 2, Interesting

      First off this was not a "you should switch article".

      Secondly if you read the article at all you would see that Petreley bends over backwards to state that his methodology is one way of doing things and others may be used.

      Thirdly, since the point of the comparison was to determine the truth of a broad statement such as "X is more/less vulnerable than Y" it is reasonable to look at the data the way he described.

      Lastly, an unstated goal of the paper was to determine if Microsoft's statements regarding Windows being more secure than Linux are true or not. In that respect it is imperative that the researcher use a broad description rather than rely on a specific application or set of circumstances.

      The most important point of the article was that security can't just come down to which system has the most vulnerabilities reported but must take into account at LEAST 3 factors: "potential damage", "technical feasibility of the attack", and the attacker's ability to execute the attack (e.g. internet connection only required or local login necessary).

      Microsoft never does such a good job of setting up a comparison and then actually reporting the results reasonably fairly. Certainly their current marketing drive isn't presenting the facts fairly.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
  4. Re:Geez.. by RangerRick98 · · Score: 3, Informative

    The latter two links appear to be broken, but match the links provided in TFA. Perhaps the Register forgot to upload the actual reports?

    --
    "You're older than you've ever been, and now you're even older."
  5. I'd rather see by bucketoftruth · · Score: 5, Insightful

    I'd rather see OSX security compared to Windows. I only have one user adventurous enough to use Linux on their desktop. The rest are about 70/30 Win/Mac.

    1. Re:I'd rather see by Lumpy · · Score: 3, Insightful

      who cares about desktop...

      I know of no one brave enough to put a Windows server DIRECTLY on the internet; Microsoft even strongly suggests that a firewall exist between the server and the net.

      Yet with the right configuration a linux or BSD box is as safe as that admin can make it.

      --
      Do not look at laser with remaining good eye.
    2. Re:I'd rather see by caluml · · Score: 4, Insightful

      Come on, stop spreading the FUD. Of course it is possible to keep a Windows machine naked on the net without it getting cracked.

      It's the amount of work needed to keep it updated that means I'd never want to do it.

    3. Re:I'd rather see by Greyfox · · Score: 5, Funny

      Really? I can go through my log files and find automated probes from LOTS of people who were "brave" enough to put a Windows server DIRECTLY on the Internet.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    4. Re:I'd rather see by nine-times · · Score: 4, Informative
      the scary part is that at bootup, the microsoft firewall or ANY software firewall is inactive and disabled for a long time after the ethernet and networking comes up and alive.

      I think (correct me if I'm wrong) they fixed this in Windows XP SP2. The software firewall comes up first, then the network interfaces. If the firewall tries to start and fails, the network interfaces won't start either.

  6. Re:Make Sure That You Only Present... by Wudbaer · · Score: 5, Funny
    Good grief ! Hereby I donate to you a couple of line breaks:
    <br>
    <br>
    <br>
    <br>
    You are welcome.
  7. What I Would Like to See by RAMMS+EIN · · Score: 3, Interesting

    What I would like to see is some security comparison of Microsoft software and FOSS, corrected for target size.

    FOSS advocates often whine about MS insecurity, whereas MS advocates often claim MS only gets more break-ins because it's used more. The MS folks are probably not right in the Apache vs IIS case, but what about other cases? Is FOSS really more secure?

    Unfortunately, I cannot think of any good way to measure this. Perhaps a little brainstorm on /. can come up with a good test, and some people can carry it out?

    --
    Please correct me if I got my facts wrong.
    1. Re:What I Would Like to See by RealAlaskan · · Score: 4, Informative
      Well, he did address your question in the article.

      He did use the Apache case as a counter-example, because that's one of the few cases where MS and Libre software compete, and Libre is the larger target. In that case, the smaller target comes out looking more vulnerable. Is there something special about Apache which makes you think that it wouldn't work that way for other Libre projects? If you know something we don't, by all means share it.

      ... I cannot think of any good way to measure this.

      Oddly enough, Petreley covered that question, too.

  8. Re:Linux is more secure. Once more. by RangerRick98 · · Score: 2, Informative

    From TFA: Attacks are of course aimed at Windows because of the numbers of users, but its design makes it a much easier target, and much easier for an attack to wreak havoc. Windows' widespread (and often unnecessary) use of features such as RPC meanwhile adds vulnerabilities that really need not be there. Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.

    --
    "You're older than you've ever been, and now you're even older."
  9. biased? by Cat_Byte · · Score: 2, Interesting

    Windows Design
    Windows has only recently evolved from a single-user design to a multi-user model
    Windows is Monolithic by Design, not Modular
    Windows Depends Too Heavily on the RPC model
    Windows focuses on its familiar graphical desktop interface
    Linux Design
    Linux is based on a long history of well fleshed-out multi-user design
    Linux is Modular by Design, not Monolithic
    Linux is Not Constrained by an RPC Model
    Linux servers are ideal for headless non-local administration

    Oh yeah, that's unbiased.

    --
    Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
    1. Re:biased? by Anonymous Coward · · Score: 2, Funny

      Did you have a point?

      Mars Aspects
      Mars is reddish
      Mars is smallish
      Mars may or may not have had water on it

      Earth Aspects
      Earth is blue-greenish
      Earth is Earth-sized
      Earth has lots of water

      BIAS! What the fuck, dude?

    2. Re:biased? by d_jedi · · Score: 4, Interesting

      OK:
      1) Windows is not monolithic. If you or the authors of this report knew anything about OS design, you'd know this to be true.

      2) They completely forget (or choose to ignore) that Windows was multiuser starting with NT. 2000 was multiuser as well. To say that XP is the first real multiuser Windows is completely false. And they use fast user switching to imply that Windows still isn't a true multi-user OS, which is complete nonsense.

      3) From a design perspective, it makes more sense to use the same functionality to communicate with a remote or local machine (i.e. it doesn't matter where the other program is).
      And Windows is not "constrained" by an RPC model (as they seem to imply by saying that Linux is not).. application programmers can CHOOSE to use RPC, or they can use other methods.

      4) This point makes no sense whatsoever:
      "By advocating this type of usage, Microsoft invites administrators to work with Windows Server 2003 at
      the server itself, logged in with Administrator privileges. This makes the Windows administrator most vulnerable to
      security flaws, because using vulnerable programs such as Internet Explorer expose the server to security risks."

      That is a complete load of bull $hit.

      --
      I am the maverick of Slashdot
    3. Re:biased? by NoOneInParticular · · Score: 4, Interesting

      On point 4. It's spot on, not bullshit. I gather you're a Windows user, but in Unix land you never ever run the GUI as root. Never. What you do is log in as a normal user, browse the internet as a normal user and when you've located whatever it is you need to do as root, you go to a console, su and do the root thing there. Why? This makes sure that if you as user catch something on the big bad internet, it doesn't hose your entire system right away. If you run this piece of shit IE as Administrator, any flaw in IE can take over your system; when run as user, it can only take over with user privileges and might give you time to take countermeasures.
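      The practice described above (run the exposed program as a normal user, keep root for the one task that needs it), as an added example that is not part of the original post. The code is mine, not the commenter's; the target uid/gid and the command line are assumptions, and the drop itself only succeeds when the launcher starts as root:

```python
"""Launch an untrusted, network-facing program (a browser, a mail client) as an
unprivileged account even when the launcher itself starts as root.
Added example; uid/gid values and the command are assumptions."""
import os
import subprocess
from typing import Sequence


def is_root() -> bool:
    return os.geteuid() == 0


def drop_privileges(uid: int, gid: int) -> None:
    """Permanently give up root.  Order matters: supplementary groups and the
    primary gid must be dropped while still root, because once the uid is no
    longer 0 the process may not change them any more."""
    if not is_root():
        raise RuntimeError("not running as root; nothing to drop")
    os.setgroups([])        # clear supplementary groups (wheel, disk, ...)
    os.setgid(gid)          # sets real, effective and saved gid
    os.setuid(uid)          # sets real, effective and saved uid: irreversible
    os.umask(0o077)         # new files are private to the unprivileged user


def can_regain_root() -> bool:
    """True if the process could become root again.  After a correct drop the
    saved set-user-ID is no longer 0, so setuid(0) fails with EPERM."""
    if is_root():
        return True
    try:
        os.setuid(0)
        return True
    except PermissionError:
        return False


def run_unprivileged(argv: Sequence[str], uid: int, gid: int) -> int:
    """Run argv as uid:gid and return its exit status.  The drop happens in the
    child, so the launcher keeps its privileges for the one task that needs
    them (the 'su and do the root thing' step) while the browser never has them."""
    def _drop() -> None:
        drop_privileges(uid, gid)
        if can_regain_root():
            raise SystemExit("privilege drop did not stick; refusing to run")
    return subprocess.run(list(argv), preexec_fn=_drop).returncode


if __name__ == "__main__":
    # Assumed values: 'nobody' on many systems is 65534:65534.
    print("root:", is_root(), "can regain root:", can_regain_root())
    if is_root():
        print("exit status:", run_unprivileged(["id"], 65534, 65534))
```

      On Python 3.9 and later subprocess.run() also accepts user=, group= and extra_groups= arguments that perform the same drop in the child; the explicit version above shows the order of calls that makes the drop irreversible, which is the property that limits a browser exploit to the user's own files.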

    4. Re:biased? by NoOneInParticular · · Score: 2, Insightful
      I think you misunderstand what most people mean by multi-user. In computing land this means that the operating system supports multiple users doing stuff on the machine at the same time, not that you have different logins/passwords for an essentially single-user environment. Although the NT kernel indeed has true multi-user support at its core (*), you need to get the 'Terminal Server' edition of the OS, not the 'Home', 'Professional', or even the 'Server' editions. These are crippled to single user systems. IIRC, the TS was introduced with w2k, not before.

      (*) Citrix made use of this by offering a true multi-user windows before Microsoft did.

    5. Re:biased? by Spoing · · Score: 3, Insightful
      I don't think you understand just how limited Windows is.

      1. 1) Windows is not monolithic. If you or the authors of this report knew anything about OS design, you'd know this to be true.

      OK. Remove IE. Boot without a GUI. Change libraries that are currently in use while the system is running.

      1. 2) They completely forget (or choose to ignore) that Windows was multiuser starting with NT. 2000 was multiuser as well. To say that XP is the first real multiuser Windows is completely false. And they use fast user switching to imply that Windows still isn't a true multi-user OS, which is complete nonsense.

      So, given any hardware you wish, how many different and unique users can use 1 NT 3.x or 4.x system at the same time? What restrictions do you encounter, if any? Are there differences between desktop and 'server' versions of NT in this respect?

      [rpc] -- I'll let someone else address that.

      1. 4) This point makes no sense whatsoever: "By advocating this type of usage, Microsoft invites administrators to work with Windows Server 2003 at the server itself, logged in with Administrator privileges. This makes the Windows administrator most vulnerable to security flaws, because using vulnerable programs such as Internet Explorer expose the server to security risks."

      This has been addressed by NoOneInParticular, so I won't rehash it.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    6. Re:biased? by baggins2002 · · Score: 2, Interesting

      I have yet to have two users logged into a Windows Machine NT, 2000 or XP at the same time using a GUI interface.
      Whereas 4 years ago, when I first started using linux I was able to have multiple users logged into a machine using a GUI interface independently.
      These are multiple users logged into the same machine at the same time.
      As far as NT being called a multi user system, yes multiple people can log onto the system, but not at the same time
      #4 The reason that most of these points don't make sense to you is that you have never truly used a multi user system. (that's the only way I can make sense of your statement)

      Another thing: try applying a patch to a MS system remotely. Hopefully someone's there with Administrative privileges to input the CD or mount the partition with the CD. (This is with apps mainly.)

      #3 The use of RPC has been encouraged by MS. (See how simple it is to program remote apps with MS)

      #1 Okay, maybe it is modular, but it is presented to everyone else as a monolithic, totally integrated design. If I can't work with the modules or separate them out, then as far as I am concerned it is a monolith.

    7. Re:biased? by dbIII · · Score: 2, Informative
      They completely forget (or choose to ignore) that Windows was multiuser starting with NT
      Being able to log in as a different user at another time does not make it a multiuser system. The NT series is NOW multiuser, since we now have full file permissions and can run different processes safely as different users - but it took many years to get to that point.
    8. Re:biased? by Spoing · · Score: 2, Insightful
      Thanks for the feedback. I had used Recovery Console before, though being reminded of it is a good thing.

      There is a qualitative difference between Unix-like systems and Windows on the issues I mentioned. Details are below...

        1. Boot without a GUI.

        That's too easy. Ever heard of the Recovery Console?

      Not counting GUI intensive applications, Windows does not work completely when the Recovery Console is enabled. Except for limited functions, Windows is crippled without a GUI and most programs (utility, server, and applications) require a GUI for proper functioning or for configuration at a minimum.

      Unix/Linux/BSD/... don't need a local display or graphics at all. If you want to run without a graphics card, you can and either skip graphics or export the display buffer to another computer. Most server apps can be monitored remotely and can use either a shell or web page for control.

        1. Change libraries that are currently in use while the system is running.

        That is impossible. Even to the extent that it is possible on Windows (you can do it if you try hard enough), it's a very bad idea. If a process doesn't load all of its libraries at startup, you can end up with mismatched binaries. That's a great recipe for data loss and other really bad things.

      Windows locks files on use. Unix/Linux/BSD/... use inodes to allow different processes to see the file system in a different way. (Search for inodes if this sounds interesting to you.)

      For example, if I'm editing file 'index.html' in one program I can delete it in another program. The editor neither cares nor knows that the file has been deleted...because to the editor index.html has not been deleted! You can even download files in one program and while the file is being transferred move it to another directory.

      I regularly replace system libraries, application libraries, whole applications, the GUI and system tools and the kernel while using the system. Rarely is it an issue, though with the kernel, if the whole thing has been replaced, a reboot is required to enable any new program to use it. If only a module is added or removed, no reboot is usually required.

      For example, if I update the desktop (KDE or Gnome) or the graphics subsystem (X), I usually don't bother shutting anything down or logging off right away. After a few hours *if* I encounter any oddities (say, when opening up a new application) I might be annoyed enough to log out and log back in to correct the problem...though it's such a trivial thing that I usually don't bother till I notice a few graphical glitches. The same can be done with a running server process...because the upgrades understand how to handle a running process safely and they do the right thing such as restarting the service after the files have been updated.

        1. So, given any hardware you wish, how many different and unique users can use 1 NT 3.x or 4.x system at the same time?

        I believe only one GUI session can be active at a time, but processes from any number of users can be running. (in fact, you can have processes running as different users on the same GUI session, but I would assume that's the same "physical user") You can play solitaire on a web server. Presumably not as the same user. I'm not the OP, and I don't really know much about this, so I'm not really gonna try to defend it properly.

      No problem.

      Unix/... supports as many users at the same time as both system resources and the configuration allow. By default, pressing Ctrl-Alt-F1/F2/... switches virtual terminals on Linux. Each one can allow a different user to log in. Running nested X allows you to log in as another user in another X session. Logging in remotely to a Unix system allows you to view the system as if it were your local one. It is all built in and depends only on whether it is enabled or disabled in the configuration -- no special server software like terminal services is required.

      Take a look here for one example of this.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  10. Re:So... by savagedome · · Score: 4, Funny

    Amazing that it took a report to tell us what we already know

    We already knew this. This report is for them.

  11. Yet another Pro-Linux, Anti-Windows 'report' by MMaestro · · Score: 4, Insightful
    Nicholas Petreley's former lives include editorial director of LinuxWorld, executive editor of InfoWorld Test Center, and columns in InfoWorld and ComputerWorld. He is the author of the Official Fedora Companion and is co-writing Linux Desktop Hacks for O'Reilly. He is also a part-time Evans Data Analyst and a freelance writer.

    Sorry, but as long as something like 90% of all the 'reports' about Linux being more secure and 'mythbusting' reports are written by Linux supporters or people who have some business in seeing Linux succeed, I'm going to take this with a grain of salt. I'm not trying to say Windows is safe, but you can't expect me to believe this when a 'report' like this comes out every other week. If this guy was an ex-Windows programmer I'd be more understanding, but "former lives include editorial director of LinuxWorld"? Somehow I doubt they ran Windows on their machines.

  12. PHB Mode - (*)On ( )Off by NardofDoom · · Score: 5, Funny
    There are lots of long words and numbers in that article. And it's really long. It makes my brain hurt. Linux must be complicated if it takes that long to explain its security benefits. And if they have to hide them in a long article like that

    And besides, last night while I was watching $stupid_cable_news_show I saw an ad for Microsoft. It said they were secure. Then I saw that same ad in $idiot_management_magazine. They can't advertise it if it's not true, so we should go with Windows Server 2003 for our new application.

    And, besides, I just got Microsoft to sell Windows Server 2003 for $50 per copy by saying we'd switch to Linux. Here's the box, now go install it.

    --
    You have two hands and one brain, so always code twice as much as you think!
    1. Re:PHB Mode - (*)On ( )Off by Lumpy · · Score: 2, Insightful

      You want to know the funniest part.

      I work in the advertising division of a large communications company as their IT manager.

      These people know that advertising is lies, lies, a huge stretch of the truth and then a tad more lies.

      Yet they are suckered in hard by advertising as much as the dolt that believes everything they see in an ad.

      If the people that make the ads are suckered by them, then the common manager and CEO has absolutely no hope but to believe every advertisement completely as truth.

      And yes, this fact makes me really sad and want to give up and say .... Bahhhhhh with the rest of the sheep.

      --
      Do not look at laser with remaining good eye.
  13. SELinux by Coryoth · · Score: 4, Interesting

    I look forward to the Fedora SELinux project getting a good workable set of policies so that SELinux can default to being on for Fedora installs. Once that happens the "Linux is more Secure" claim will actually have some serious hard evidence behind it. SELinux and other Mandatory Access Control systems (anything hooking into the Linux Security Module in the kernel really) really are a serious step up in security, and there really is nothing comparable in the windows world.

    A good way to think of MAC or SELinux is as a firewall between processes on your machine and the files and devices etc. on your machine. At the kernel level there is a set of rules, at pretty much as fine-grained a level as you care to write, as to what can access what. It's well worth reading the FAQ to get a fuller idea of what we're talking about here.

    Jedidiah.

    1. Re:SELinux by skiman1979 · · Score: 2, Interesting

      I've noticed SELinux options in the kernel configuration under Gentoo (kernel 2.6.5), as well as other security features. I've never used it though. Are these features only available in certain distros, or are they in the main kernel?

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    2. Re:SELinux by Pros_n_Cons · · Score: 2, Informative

      SELinux is already integrated into Fedora Core 3; it has a "targeted" policy and protects certain daemons like apache, nfs, etc. It's not right now being used as a complete solution. Still quite good though.

      --

      -- "of course thats just my opinion, I could be wrong." --Dennis Miller
    3. Re:SELinux by jd · · Score: 2, Insightful
      SELinux uses the LSM, and the LSM is now included in the standard Linux kernel. I believe that that means that most/all of the kernel side of SELinux is also in the standard kernel.


      The tricky part is that there are a lot of affected user applications. These are not part of the standard Linux kernel (well, duh! :) and I'm unaware of any of the application writers including the SELinux code into their standard projects. For the most part, you need to go to the SELinux website for the user-space stuff.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  14. Articles like this... by TrollBridge · · Score: 2, Insightful

    ...are usually dismissed as "astroturfing" when Microsoft comes out on top.

    --
    There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
  15. Re:So... by JPriest · · Score: 5, Interesting

    Ask some people that admin a mixed environment. Our Linux boxes get owned just the same as our Windows boxes do. When comparing older versions of Windows there is no doubt Linux owns Windows, but 2003 Server is a pretty big improvement in security over NT 4.0 or 02. SP2 (with firewall) is also a huge improvement; just too bad it took MS this long to get it.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  16. meh... by The_reformant · · Score: 5, Insightful

    meh..any system is only as secure as its users anyway..which i suspect is why linux has practically no problems.

    Basically anyone who knows what a terminal window is isn't likely to run suspect attachments or not configure a firewall

    --
    I have discovered a truly remarkable sig which this post is too small to contain.
  17. enterprise 03 by man_ls · · Score: 3, Insightful

    The author bashes Enterprise Server 2003 as being unstable, quoting MS's average uptime of around 59 days as evidence of this.

    What people forget to mention is that MS security patches seem to like reboots, due to the way file locking works on Windows. Thus, whenever a "critical" flaw is released, they have to either patch it with a workaround (firewall rules, etc.) or they need to reboot the server.

    When I was running an internal-only Enterprise 2003 server (behind several firewalls, no public IP) the only reboots I ever experienced were those related to environmental factors: the power went out for longer than the UPS could keep the server online for; etc.

    After I started maintaining an externally-accessible 2003 server, I configured autopatching on it from Windows Update, and it reboots itself about once a month.

    According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide, on enterprise-grade hardware (and what I am running on is decidedly not enterprise-grade, unless eMachines has recently broken into the enterprise market and I forgot to read the press release.) Reboots take about 4 minutes to shut down, restart, wait for the services to resolve themselves, and try again. If I was so inclined, I could tweak this to be lower (1 whole minute of that is because the web server loads before the network module does, can't find an IP to bind to because IP isn't enabled yet, and fails to load, then waits to retry.)

    It's a different design philosophy. My systems don't get "crufty" and crash, but they do have to be rebooted to apply security fixes. However, 4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant, fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.

    1. Re:enterprise 03 by hehman · · Score: 4, Insightful

      After I started maintaining an externally-accessible 2003 server, I configured autopatching on it from Windows Update, and it reboots itself about once a month.

      According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide


      Better revisit those calculations. Six 9s of reliability means that you're down for no more than 30 seconds a year. Unless your reboots take less than 3 seconds, you're already not meeting that metric.

      Besides which, five 9s (5 minutes a year) is considered carrier-grade. There isn't as firm a standard for enterprise-grade, but it usually permits occasional scheduled downtime outside business hours, and is usually in the two to four 9s range.

      BTW, I couldn't find anywhere that MS claims six nines of reliability; do you have a source?

    2. Re:enterprise 03 by RealProgrammer · · Score: 4, Interesting
      What people forget to mention is that MS security patches seem to like reboots, [due to] the way filelocking works on Windows. Thus, whenever a "critical" flaw is released, they have to either patch it with a workaround (firewall rules, etc.) or they need to reboot the server.

      That's sort of the point. You have to reboot a Windows server more often. If rebooting once a month or so is acceptable (see Murphy's Law for schedule), then that's fine.

      If you want it to stay up, doing its job, then don't run Windows on it.

      --
      sigs, as if you care.
    3. Re:enterprise 03 by man_ls · · Score: 2, Informative

      My calc was flawed (the # of 9s in my head didn't match what I typed.)

      I'm citing your comment as a "reasonable standard" for enterprise grade equipment in another comment I'm writing, walking through the author's paper and clarifying important points.

    4. Re:enterprise 03 by ergo98 · · Score: 2, Insightful

      That's sort of the point. You have to reboot a Windows server more often. If rebooting once a month or so is acceptable (see Murphy's Law for schedule), then that's fine.

      But that's not the point - there is an implication that it is instability, i.e. uncontrolled downtime, when in reality it is controlled downtime (well accommodating the fact that sometimes security patches need to be installed relatively quickly). A controlled reboot of your server at 3 in the morning when all of your employees are at home is absolutely nothing like having your server crash at 10:00am. It is rhetorical hyperbole comparing them.

      Of course for web applications this should be an entirely moot point - web apps with any requirement for reliability should be running in a cluster or network load balance arrangement (fully supported by .NET for shared session), both of which Windows 2003 fully supports out of the box. In that case, with multiple balanced servers, you can freely patch any of them (or deal with failed hardware) with minimal or no customer impact -- maybe slightly slower responses with a smaller cluster.
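      The mechanism behind both Spoing's inode discussion (the reply under comment 9: replacing libraries in use, deleting or moving an open file) and the file-locking remark in this thread (patches that need a reboot), as an added example that is not part of the original posts. The code is mine, not any commenter's; the file names are constructed stand-ins for a shared library and an in-progress download, and the behaviour shown is the POSIX one:

```python
"""POSIX name/inode separation: what lets a package manager swap a shared
library, or a user delete or move a file, while another process still has it
open.  Added example; the file names are constructed stand-ins."""
import os
import shutil
import tempfile


def replace_atomically(path: str, new_data: bytes) -> None:
    """Write the new content to a temporary file in the same directory, fsync
    it, then rename it over the old name.  rename() only swaps the directory
    entry, so a process that already opened (or mmap'ed) the old file keeps its
    old inode and never sees a half-written mix of two versions."""
    dir_name = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dir_name, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_data)
            f.flush()
            os.fsync(f.fileno())
        # Atomic on POSIX.  On Windows this step fails with PermissionError
        # while another handle has the file open without FILE_SHARE_DELETE:
        # that is the locking that makes a patch wait for a reboot.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo() -> dict:
    """Exercise both cases from the thread and report what each side saw."""
    workdir = tempfile.mkdtemp(prefix="inode-demo-")
    try:
        # Case 1: a 'library' is replaced while a 'process' has it open.
        lib = os.path.join(workdir, "libfoo.so")
        with open(lib, "wb") as f:
            f.write(b"version 1")
        running = open(lib, "rb")          # stands in for a process using the library
        old_ino = os.fstat(running.fileno()).st_ino

        replace_atomically(lib, b"version 2")   # what the package manager does
        new_ino = os.stat(lib).st_ino            # a fresh inode under the old name
        with open(lib, "rb") as f:
            new_seen = f.read()                  # new openers get the new version
        os.unlink(lib)                           # even removing the name is harmless
        old_seen = running.read()                # the old process still reads its inode
        links_left = os.fstat(running.fileno()).st_nlink   # 0: no name, data intact
        running.close()                          # last reference: now the space is freed

        # Case 2: a file is moved while it is still being written.
        part = os.path.join(workdir, "file.part")
        done_dir = os.path.join(workdir, "done")
        os.mkdir(done_dir)
        writer = open(part, "wb")                # stands in for the downloader
        writer.write(b"first half,")
        writer.flush()
        os.rename(part, os.path.join(done_dir, "file.iso"))  # moved from under it
        writer.write(b"second half")             # writer neither knows nor cares
        writer.close()
        with open(os.path.join(done_dir, "file.iso"), "rb") as f:
            moved_content = f.read()

        return {
            "same_inode": old_ino == new_ino,
            "old_seen": old_seen,
            "new_seen": new_seen,
            "links_left": links_left,
            "moved_content": moved_content,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

      The security-relevant consequence is the one the thread circles around: on POSIX a fixed library can be installed and the affected service restarted immediately, while a process that is never restarted keeps running the vulnerable inode indefinitely, so "the package was updated" is not the same as "the fix is in use". Tools such as lsof or checkrestart exist precisely to find processes still mapping deleted files.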

  18. Trite Political Joke by Mad+Martigan · · Score: 4, Funny

    Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.

    Microsoft, official platform of the 2004 presidential campaign.

    1. Re:Trite Political Joke by jeffasselin · · Score: 2, Interesting
      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
  19. Re:Linux is more secure. Once more. by RangerRick98 · · Score: 3, Insightful

    I'm not taking that statement as true simply because someone said it. If I did that, I'd believe all of Microsoft's claims in the other direction, too. I believe it's true because it's a logical argument and can be backed up with evidence, whereas the claim that if Linux were more popular it would be just as vulnerable is pure conjecture.

    Holes are holes, no doubt about that. Linux just has fewer of them because of good design principles.

    --
    "You're older than you've ever been, and now you're even older."
  20. Window vs OS X by linuxpyro · · Score: 5, Insightful

    Though this was interesting, it would be nice to see something comparing OS X security to Windows security. When you think about it, they're both relatively proprietary OSes. Sure, Microsoft has their "Shared Source" stuff, and OS X is based on Open Darwin, but really the two would be a better match because of their commercial status.

    Sure, there are enterprise Linux distros from companies like Red Hat, but you can still get a lot of use out of a non-commercial distro. There are so many ways that you can change Linux to make it more secure that comparing it to a rigid commercial OS is a bit inappropriate. I'm not saying that I think the article was pointless, just that we should give equal attention to systems like OS X or even some of the other commercial UNIX distros for that matter.

    --
    Saying "I'll probably get modded down for this" in a post is the best way to get it modded up.
    1. Re:Window vs OS X by prototypical · · Score: 2, Informative
      I'm sorry, but what? You're saying that OS X is a "relatively proprietary operating system?"

      I suppose that's why the kernel is Open Source and compiled on a GNU platform (GCC is the default compiler for the BSD subsystem), hmmm? Maybe that explains why just about everything aside from the graphics layer and a handful of other code can be - and often is - contributed back upstream to the FOSS community. Safari is an enhanced front-end for Konqueror, and Apple sends many of their bugfixes back up the pipe. There are other examples, but that's one that just about anyone will have heard of.

      Standards that are part of OS X include LDAP, Kerberos, OpenSSL, OpenSSH, 3DES (Triple Digital Encryption Standard), TLS (Transport Layer Security), S/MIME, X.509 Certificate Handling, L2TP (Layer 2 Tunneling Protocol), PPTP (Point to Point Tunneling Protocol), EAP (Extensible Access Protection), LEAP (Lightweight Extensible Access Protection), PEAP (Protected Extensible Access Protection), TTLS (Tunneled Transport Layer Security), VPN support for Microsoft and Cisco RSA secureID, and IPFW (the BSD firewall).

      Read it for yourself!

      Apple even has this to say:
      All of the standard UNIX utilities and scripting languages are included in Mac OS X: editors such as emacs, vim and pico; file management tools such as cp, mv, ls and gnutar; shell scripts including bash (the default shell), tcsh (csh) and zsh; and scripting languages such as Perl, PHP, tcl, Ruby and Python. Python users can also script the powerful Quartz compositing engine.

      Here, you can find a complete list of Apple's ties to Open Source.

      So, while Apple may not be entirely free and open with everything they do, I think it's more than slightly hasty to write them off as just another corporate closed-source shop. There are some deep ties between OS X and its roots, especially with the BSDs. Perhaps you might want to read up on Apple's dabbling with Linux in the past before making such claims. More, and less of Apple's marketing, can be found here, if you're interested in how Mach and OS X came to be. This article is a subsection of a much larger history of Apple's operating systems and the influences thereupon. The short version is that Steve Jobs went off to found NeXT, where he and his teams created an operating system from the Mach 2.5 kernel. Just as Mach had been intended, it was a framework to create your own system around and not a whole OS in and of itself. Later, when he returned to Apple, it's fairly obvious that Jobs brought along his Mach love and, well... The rest is history.

      Despite what some would have you believe, it's possible to patch whatever version of a given utility or program you're using through the terminal. I maintain a number of applications that aren't Apple's distributed choice - or distributed with their products at all! - because I decided I wanted them. It's pretty simple, since I have access to dselect, apt-get, and fink to maintain my OSS library.

      Between the power and stability of OS X and the design brilliance of Johnathan Ive, Apple's been reversing their death spiral rather handily. If one considers that they've been making consistent, year over year leaps since his return, the future looks pretty bright for the habitually "beleaguered" and "proprietary" inhabitant of Cupertino, California.

      The place that OS X is now is where Linux needs to be - fast, stable, pretty, and usable. So far, the Linux community can manage three out of the four, but there are serious problems with the usability and appearance aspects. Until the day I can have my sister or grandmother be able to pop in a CD or DVD and just click through and have it work when they're done, the job just isn't over. Keep trying, though! I see Apple and the FOSS community as allies and not enemies, so I'd like to see what can be done on both fronts.
      --
      Any sufficiently advanced technology is indistinguishable from magic. -Arthur C. Clarke
  21. Re:Make Sure That You Only Present... by pdxaaron · · Score: 5, Interesting

    Nice fuzzy logic there. How many of those 40 Microsoft vulnerabilities were related to Internet Explorer? Yes, it's Microsoft's fault for integrating it in the OS, but if you are using Server 2003 O/S to cruise the web with an admin rights role, you are the security problem, not the OS.

    Why don't we look instead at security vulnerabilities in a Server OS that are relative to functions a server should be performing. How many vulnerabilities has IIS 6.0 had versus Apache in the year and a half Server 2003 has been out?

    Hmmm one of those has had zero, and it sure the hell ain't Apache.

  22. Not designed for security by QuietLagoon · · Score: 5, Interesting
    "I'm not proud," [Brian] Valentine [senior vice president in charge of Microsoft's Windows development] said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. "We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security."

    http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.html

  23. Re:Make Sure That You Only Present... by AKAImBatman · · Score: 2, Informative

    Let's try that again, shall we?

    ...the Executive summary to your PHB. There's a reason that they're written!

    While the Reg likely won't be ./'ed, it's below:

    Much ado has been made about whether or not Linux is truly more secure than Windows. We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3:

    1. The severity of security vulnerabilities, derived from the following metrics:
       1. damage potential (how much damage is possible?)
       2. exploitation potential (how easy is it to exploit?)
       3. exposure potential (what kind of access is necessary to exploit the vulnerability?)
    2. The number of critically severe vulnerabilities

    The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.

    We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold.

    Consider also that both the Red Hat and Linux lists include flaws in software that runs on Windows, which means these flaws apply to both Linux and Windows. None of the alerts associated with Windows affect software that runs on Linux.

    So why have there been so many credible-sounding claims to the contrary, that Linux is actually less secure than Windows? There are glaring logical holes in the reasoning behind the conclusion that Linux is less secure. It takes only a little scrutiny to debunk the myths and logical errors behind the following oft-repeated axioms:

    1. Windows only suffers so many attacks because there are more Windows installations than Linux, therefore Linux would be just as vulnerable if it had as many installations
    2. Open source is inherently less secure because malicious hackers can find flaws more easily
    3. There are more security alerts for Linux than for Windows, therefore Linux is less secure than Windows
    4. There is a longer time between the discovery of a flaw and a patch for the flaw with Linux than with Windows

    The error behind axioms 3 and 4 is that they ignore the most important metrics for measuring the relative security of one operating system vs. another. As you will see in our section on Realistic Security and Severity Metrics, measuring security by a single metric (such as how long it takes between the discovery of a flaw and a patch release) produces meaningless results.

    Finally, we also include a brief overview of relevant conceptual differences between Windows and Linux, to offer an insight into why Windows tends to be more vulnerable to attacks at both server and desktop, and why Linux is inherently more secure.

  24. Re:Linux is more secure. Once more. by Theatetus · · Score: 5, Informative
    Crackers are an ingenious lot, and security holes are security holes are security holes. They WILL be exploited in linux sooner or later.

    Will be exploited? Download the metasploit framework sometime; there are more exploits for Linux than for Solaris or Windows. But this is where the guy's point becomes important: because of how Windows deals with security tokens (here is a good place to start if you're curious), any exploit that gains access can probably execute code in the SYSTEM context.

    So, of the Linux exploits that are trivially available to exploit, none can reliably execute arbitrary system code, while all of the Windows exploits can. That's not this one guy's opinion, that's just how the operating systems work.

    --
    All's true that is mistrusted
  25. Or a better alternative by Anonymous Coward · · Score: 5, Informative

    RSBAC should perhaps be considered. It is far more modular, has been in production use a lot longer, and has none of the disadvantages of SELinux (e.g. it works with any filesystem, needs no patches to filesystems, and doesn't break other kernels on the same machine). It has a list of protections, has official PaX and virus (malware) scanner support, and the developer is always willing to take ideas from people and quickly fix issues. I would be interested in a detailed comparison of the two between slashdotters, thoughts and experiences etc.. But from everything I can see, RSBAC seems far superior. RSBAC.org

    1. Re:Or a better alternative by jd · · Score: 2, Interesting
      Since SELinux, these days, uses the LSM system, I think it's safe to assume that SELinux' impact outside of the LSM is going to be limited. I suspect it also means that SELinux would work fine with any filesystem that gets screened by the LSM.


      Looking at the list of stuff implemented, I don't really see a vast amount that's different. Both have a great deal on their wish-list, but have stuck almost exclusively to file access. Files are important, but they're not everything.


      I'll be impressed by the first security system that provides at least two of the following:


      • Per-thread MAC (control which threads can send what to which other threads, based on security model - this would only make sense if you did the same thing to shared memory)
      • Per-network connection MAC
      • Routing/Packet Mangling by Role
      • Strong Role-Based Compartmentalizing (ie: you can't fragment some file/data with a security model of X through some file/data with a security model of Y, where X and Y just don't mix, in memory, swapspace, the filesystem etc.)
      • CPU/Node Security Label Affinity (ie: you can designate some CPU and/or some node on a cluster as being permitted to run tasks with a given security label).


      I'm not completely sure the "Common Criteria" affect the higher-levels of the Orange Book. Last time I looked, I didn't see anything that matched the requirements of a B1 or A1 system, but I could just have missed that part.


      Personally, I'd love it if someone could produce a patch - even if it never got certified by the NSA - that provided a complete B1 security model. I'm not sure how I'd react if Linux (or some other FOSS OS) reached the giddy heights of A1. Remember, while there are a tiny handful of companies that have released B1 or B2 certified systems, these aren't exactly buy-in-Walmarts off-the-shelf. Not many are made. Or tested. Or sold. Absolutely no commercial company, to the very best of my knowledge, produces an A1 system, except maybe as a one-off specifically to the Government.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  26. Re:Message to the moderators... by Anonymous Coward · · Score: 5, Funny

    Tut, tut, Mr. Mytzlplk:
    In /.land, it is bad form to accept the null hypothesis that moderators have RTFA, and clue #1 about irony.

  27. No by Anonymous Coward · · Score: 5, Insightful

    The article is not misleading because the author is a linux advocate.

    Now you are right if you want to remind readers to keep that in mind, but dismissing an article not on the base of its merits, but because the author is supposedly biased (mind, you didn't show or prove in any way that he was actually biased, you just wanted us to take it for granted) is a logical fallacy.

    If you don't like the findings of the article, please tell us why, simply accusing the author of bias won't change the facts, sorry.

    Argumentum ad Hominem
    "Circumstantial: A Circumstantial Ad Hominem is one in which some irrelevant personal circumstance surrounding the opponent is offered as evidence against the opponent's position. This fallacy is often introduced by phrases such as: "Of course, that's what you'd expect him to say." The fallacy claims that the only reason why he argues as he does is because of personal circumstances, such as standing to gain from the argument's acceptance."
    http://www.fallacyfiles.org/adhomine.html

    1. Re:No by slipstick · · Score: 4, Insightful

      His point is irrespective of the version of Apache.

      His point is that Apache is the "most popular"(which it is), and is less likely to be attacked. This argument was in response to the idea that Windows is not more vulnerable simply the most prevalent. His counter example of Apache was used to point out that popularity does not directly lead to more attacks.

      Thus it does not follow that as Linux grows in popularity that the number of successful attacks will increase disproportionally.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
  28. IE messages, security features and windows updates by herve_masson · · Score: 2, Informative

    When I open some page on IE6, it asks me "do you want to allow software such as ActiveX controls and plugins to run"... What am I supposed to think?? And how should I respond? Yes? No? (s/me/my parents/). Why on earth does it not tell me that this page contains something that requires "Macromedia Flash" to render? At least then I could somewhat distinguish between spyware and things that I need to see. And if they were even a little smarter, it could remember this choice for later instead of bugging me every time.

    This type of implementation of security-related features is precisely why nobody uses them and gets their machine bloated with spyware, malware, viruses and such.

    The inability to update a machine via a 56k modem is probably another reason why I know so many friends running unpatched OSes (any offline installable M$ update, anyone?). Grrrrrrr....

  29. The MS take on it by RealProgrammer · · Score: 4, Interesting

    I used to wonder at the blinders-on group think of the hidden source folks. The elaborate unreality of their arguments was a puzzle, until I figured it out. Now I understand; it's all about the dream.

    While some might dismiss the article because he is a Linux advocate, that's missing the point. His piece is geared toward Linux advocacy, but avoids the usual rhetoric. I kept looking for the usual Gates bashing, but didn't find any.

    What I found instead were hard facts, distilled from public data. He didn't say, "I performed some tests which prove Linux is better." He took the publicly available information, analyzed it, and reported the results.

    The response by the Microsoft marketing droids and vassal fudmeisters will be instructive to anyone who really thinks about it. Don't take away their dreams of a gold mine, at least not until they've got a Ferrari just like the guy in the next cube.

    --
    sigs, as if you care.
  30. Microsoft - Standard Oil by jxs2151 · · Score: 4, Insightful
    Read a book or two about coal, railroads, oil, computers and you'll find the verbiage and scare tactics used by the leaders of these industries are pretty similar to what Microsoft is saying now.

    "Open Source Software is inherently dangerous"

    Weasel words like "inherent" are convincing to dumbed-down folks. ./ ain't buying it though. God bless individualism.

    "Statistics 'prove'..."

    Ahhhh, the old "who can argue with scientific fact" line.

    Provide us with "science" to back up this claim. Properly vetted, peer-reviewed science from an unbiased source, unfunded by those with a vested interest in the outcome please.

    The psychological use of fear and "scientific" studies to convince the average American is not new. Read carefully the language of Microsoft and you'll hear JD Rockefeller, Andrew Carnegie, JP Morgan, etc. What you have to read carefully to find is their own fear that they are losing monopoly control. Big Oil was able to buy corrupt officials and maintain their decidedly un-capitalist ways. Will Microsoft?

    1. Re:Microsoft - Standard Oil by vsprintf · · Score: 2, Insightful

      Big Oil was able to buy corrupt officials and maintain their decidedly un-capitalist ways. Will Microsoft?

      Was that a rhetorical question, or did you miss the DoJ's dance with Microsoft?

  31. Windows Uses Spheres by Ironsides · · Score: 4, Funny

    I don't know what this guy is talking about. Windows uses spheres for permissions to run stuff. On the inside, you have all Microsoft Programs and on the outside you have all Non-Microsoft programs. See? They use spheres just like Linux.

    --
    Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
  32. Argumentum ad Hominem by Anonymous Coward · · Score: 5, Insightful

    "Circumstantial: A Circumstantial Ad Hominem is one in which some irrelevant personal circumstance surrounding the opponent is offered as evidence against the opponent's position. This fallacy is often introduced by phrases such as: "Of course, that's what you'd expect him to say." The fallacy claims that the only reason why he argues as he does is because of personal circumstances, such as standing to gain from the argument's acceptance."
    http://www.fallacyfiles.org/adhomine.html

  33. Re:Why the article is FUD by RangerRick98 · · Score: 2, Insightful

    They addressed the Forrester survey's problem with patch speed very clearly, I thought. And your comment about the paper's professionalism is irrelevant to the points it makes.

    --
    "You're older than you've ever been, and now you're even older."
  34. This isn't about "hardship". It's about numbers. by khasim · · Score: 5, Informative

    According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide, on enterprise-grade hardware (and what I am running on is decidedly not enterprise-grade, unless eMachines has recently broken into the enterprise market and I forgot to read the press release.)

    Nope.

    Reboots take about 4 minutes to shut down, restart, wait for the services to resolve themselves, and try again.

    4 minutes/month == 48 minutes/year.

    99.999% availability means 5.26 minutes of downtime per year.

    At best, you've got around 99.99% availability.

    However, 4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant, fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.

    It isn't about "hardship". It's about reliability. Getting that last .009% is very difficult and really doesn't give you much in terms of real world reliability for MOST business needs.

    But for those that require it, it is available. And because it is available to those, it is available to everyone. Even those who do not need it.

    Sure, my print server probably doesn't need 99.999% reliability. But because it has it, I don't have to worry about it.

    In my experience, it's the reboot that causes the hardware failures. The fewer reboots, the fewer chances for hardware failure.

  35. Re:Why the article is FUD by dgatwood · · Score: 2, Interesting
    Well, the article's author is right. I tried to obtain similar results for Mac OS X just out of curiosity. The search system allows you to search for bugs by substring (with no way to just limit it to the vulnerable OSes---if the OS appears, it gets listed), and provides no severity information even after you look at the vulnerability. The only way to see the severity metric is to look at a list of every bug ever published ranked by severity and then go through page after page searching for the bug you're looking for.

    Basically, as bad as the CERT search system is, it's a wonder anybody can figure anything out at all about the security of computer systems. It may be better than nothing, but not by much. The security of the internet as a whole and of individual systems depends on CERT. For CERT's search to suck this badly hurts us all, so while I laud the author for mentioning it, that subject is worthy of an article on its own, IMHO.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  36. Re:So... by Anonymous Coward · · Score: 5, Insightful

    Our Linux boxes get owned just the same as our Windows boxes do.

    Then your Linux admins don't know what they're doing.

  37. Same old arguments.. by d_jedi · · Score: 2, Interesting

    Just as the authors of this report claim "it takes only a little scrutiny to debunk the myths and logical errors behind the oft-repeated axioms (that suggest Windows is more secure)" their myth busting arguments also do not stand up to scrutiny.

    For one, they speak at length about the uptime of web servers. While some downtime is related to security flaws, there is not a direct correspondence between security flaws and uptime. I find this metric completely unreliable as a method of assessing web server security.

    This is essentially their only argument for the first two myths.

    For the third, they mention that flaws Microsoft will NEVER fix. They don't bother to mention that these flaws only occur in older, "obsolete" operating systems. Does Red Hat issue patches for version 1.0 anymore? The rest of their argument makes much more sense, however.

    (Haven't read the rest yet.. but this thus far makes me skeptical that this is an unbiased report.. )

    --
    I am the maverick of Slashdot
  38. Re:Linux is Modular by Design, not Monolithic ??? by klingens · · Score: 2, Interesting

    You are right in your assessment: the Linux kernel is monolithic and the Windows one modular, but that's totally irrelevant.
    When have you seen the last vulnerability in either kernel? NTOSKRNL (or vmlinuz) isn't really the problem, it's all the crappy rest which is. Sure there have been some, but the vast majority of flaws are in various userland software. And Windows certainly is monolithic and Linux very modular, we aren't comparing kernels, but systems as a whole.

  39. A few clarifications... by man_ls · · Score: 4, Insightful

    I read through the article, and was honestly shocked at some of the claims the author made when describing Windows in relation to Linux.

    Note that the purpose of this post is not to say "omg windows >>>> linux all you penguin lovers rot in hell" like a lot of this story will be. I am merely trying to clarify some of the author's points.

    "Myth: Safety in Small Numbers"

    "Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.

    Yet this is precisely the opposite of what we find, historically."

    Running through 3GB of archived log files, from Apache running on 2003 Enterprise Server, I have concluded the following:

    54% of attacks against IIS (Unicode traversal, buffer overflow, cgi, alternate data streams, etc.)

    46% of attacks against Apache (htpasswd.exe, httpd.conf, .htaccess, some odd batchfile script attacks with args to copy httpd.conf into htdocs, etc.)

    "Precisely the opposite" is hardly the right phrase to use in this situation. Sampling error among different web sites (due to different audiences, traffic rates, etc.) could easily account for the fact that IIS out-edged Apache here.

    As for the *successful* part of the author's claim, there was a 0% success rate across all queries directed at servers I either have access to logs on, or directly control. I have also experienced Apache servers being compromised (more often due to user-induced security holes than design flaws), but in the end, the user leaving a filedrop which allows php scripts to execute, and such, is as dangerous as a buffer overflow. They are each different but functionally equivalent ways to circumvent the security of the system it is running on.

    "But it does not explain why Windows is nowhere to be found in the top 50 list. Windows does not reset its uptime counter. Obviously, no Windows-based web site has been able to run long enough without rebooting to rank among the top 50 for uptime."

    Part of the Windows operating system's underlying design involves its file locking semantics. Files in-use by the operating system, providing needed functionality, can't be easily replaced while the system is running. Windows solution? The in-use-file replacement tool is able to change the bits on disk, but not the memory addresses they map to. So, the copy in memory doesn't match the copy on disk -- and the copy in memory is the old (flawed) copy. This is rectified by...you guessed it...refreshing the copy in memory. And what's the easiest way to do this? Reboot the server and reload it from the disk, if the module you're talking about happens to be, say, the Local Security Authority or the Windows Kernel.

    I mentioned (with some flawed math) (http://slashdot.org/comments.pl?sid=126724&cid=10600161) in more detail the reasons Windows servers are often down there on the patches. I did miscalculate availability. My servers average in the 99.9952% range. Which means they're down for a few hours a year. Sure, not carrier grade, but not too shabby either. Well within the reasonable expectations of most businesses. (Source: http://slashdot.org/comments.pl?sid=126724&cid=10600658 by hehman) Note that the situations where Windows is likely to be used probably aren't nuclear power plants, airplane control software, etc. Thus, the additional powers of 9 aren't really a factor.

    "Myth: Open Source is Inherently Dangerous"

    I agree with the author here. Having the source code doesn't really have an impact as to whether or not a hacker can find an exploit -- there are enough tools to automate exploit finding in streamed data, especially web connections.

    "Myth: Conclusions Based on Single Metrics"

    Another valid point. One can spin statistics any way you want to, and have the math be perfectly valid, to reach a meaningless conclusion. Anyone who's taken statis

    1. Re:A few clarifications... by mihalis · · Score: 4, Insightful
      "Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.

      Yet this is precisely the opposite of what we find, historically."

      Running through 3GB of archived log files, from Apache running on 2003 Enterprise Server, I have concluded the following:

      54% of attacks against IIS (Unicode traversal, buffer overflow, cgi, alternate data streams, etc.)

      46% of attacks against Apache (htpasswd.exe, httpd.conf, .htaccess, some odd batchfile script attacks with args to copy httpd.conf into htdocs, etc.)

      "Precisely the opposite" is hardly the right phrase to use in this situation. Sampling error among different web sites (due to different audiences, traffic rates, etc.) could easily account for the fact that IIS out-edged Apache here.

      As for the *successful* part of the author's claim, there was a 0% success rate across all queries directed at servers I either have access to logs on, or directly control.

      Sorry, your statistical sample is not comparable. You quote Petreley discussing successful attacks, then you provide some figures about attacks on your machines, and then point out that none of them were successful. So, you aren't actually telling us anything about successful attacks, since you haven't seen any.
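    The attack-count breakdown man_ls describes above (IIS-style probes such as Unicode traversal, .ida overflows and alternate data streams versus Apache-style probes for .htaccess, httpd.conf and htpasswd.exe) is the kind of thing worth scripting rather than eyeballing in 3GB of logs. The following is an added example, not code from either poster or from the Register article: it parses Apache combined-format log lines, tags each request against a small illustrative signature list (not an exhaustive ruleset), and, picking up mihalis's point, separates the count of attempts from the much smaller set of probes that actually got a 2xx response and deserve a manual look. The log lines are constructed for the example, not captured traffic.

```python
"""Classify web-server probes in an access log by the server they target.

Added example. Signatures are illustrative; the sample log is constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2004:03:14:07 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
10.0.0.5 - - [22/Oct/2004:03:14:08 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 294 "-" "-"
10.0.0.9 - - [22/Oct/2004:03:15:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.7 - - [22/Oct/2004:03:16:22 -0500] "GET /.htaccess HTTP/1.0" 403 202 "-" "-"
10.0.0.7 - - [22/Oct/2004:03:16:23 -0500] "GET /conf/httpd.conf HTTP/1.0" 200 4096 "-" "-"
10.0.0.7 - - [22/Oct/2004:03:16:24 -0500] "GET /cgi-bin/htpasswd.exe HTTP/1.0" 404 201 "-" "-"
10.0.0.5 - - [22/Oct/2004:03:17:40 -0500] "GET /default.asp::$DATA HTTP/1.0" 404 201 "-" "-"
10.0.0.9 - - [22/Oct/2004:03:18:05 -0500] "POST /cgi-bin/form.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# (target, pattern). Each pattern is tried against the raw request path and
# against its percent-decoded form, because some probes only show up in one.
SIGNATURES = [
    ("IIS", re.compile(r"%c0%af|%c1%9c|%255c", re.I)),          # Unicode / double-decode traversal
    ("IIS", re.compile(r"/default\.ida\?", re.I)),              # .ida overflow probe (Code Red style)
    ("IIS", re.compile(r"::\$DATA", re.I)),                     # NTFS alternate data stream
    ("IIS", re.compile(r"cmd\.exe|root\.exe|/msadc/|/_vti_bin/", re.I)),
    ("Apache", re.compile(r"/\.htaccess|/\.htpasswd", re.I)),
    ("Apache", re.compile(r"httpd\.conf", re.I)),
    ("Apache", re.compile(r"htpasswd\.exe", re.I)),
]


def classify(path):
    """Return 'IIS', 'Apache', or None for a request path."""
    candidates = (path, unquote(path))
    for target, rx in SIGNATURES:
        if any(rx.search(c) for c in candidates):
            return target
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text):
    """Count probes per target; list probes answered with 2xx (attempts != successes)."""
    counts = Counter()
    needs_review = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = classify(rec["path"])
        if target is None:
            continue
        counts[target] += 1
        if 200 <= rec["status"] < 300:
            needs_review.append((rec["ip"], rec["path"], rec["status"]))
    return counts, needs_review


def share(counts):
    """Percentage split of probes by target, rounded to one decimal."""
    total = sum(counts.values())
    return {t: round(100.0 * n / total, 1) for t, n in counts.items()} if total else {}


if __name__ == "__main__":
    counts, review = summarize(SAMPLE_LOG)
    print("probe counts:", dict(counts), "split:", share(counts))
    for ip, path, status in review:
        print(f"2xx on probe from {ip}: {path} -> {status} (check this one by hand)")
```

    On the constructed sample this gives an even 50/50 split with one probe (the httpd.conf fetch) answered 200, which is a misconfiguration worth checking, not yet a confirmed compromise. Percentages like the 54/46 above say what the scanners were hunting for on a given host, not how often they succeeded; the status-code list is the part that speaks to success.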

  40. Don't expect your tools to do you job... by Spoing · · Score: 5, Insightful
    Windows or Linux won't make you secure. As a friend pointed out, he's got the most secure computer around; it's in a box, unplugged. I told him I'd be glad to make it super secure for the cost of some consulting time and a full cement mixer. (I'd, ofcourse, keep the system in the box and unplugged.)

    What this report does is focus on the default potential for abuse by looking at recent publicly known issues.

    That's handy, though if you only go with that and expect that your systems are secure you'd be better off doing what my friend did.

    General rules:

    If it's visible over a network, it's potentially abusable. (http://www.nessus.org, http://www.insecure.org/nmap)

    If it's running locally, it's also abusable. If you don't absolutely positively require it, remove it -- even if it runs by some proxy process (inetd/xinetd or a similar daemon under Windows).

    Wrappers, permissions, isolation at the router level...all should be configured.

    Monitor log files and check systems. Automate what you can.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  41. Re:Windows just might be ahead of *NIX here... by Greyfox · · Score: 2, Interesting

    The kernel patch has been around for ages. Some distributions (FC2 and Mandrake, I think) apply the patch in their kernel. It breaks some legacy apps, like Wine, though.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  42. Re:Make Sure That You Only Present... by agallagh42 · · Score: 5, Insightful

    "And how do you download the latest service packs?"

    Certainly not by downloading them directly to the server via IE, that's for sure.

    In small shops, you would download the patches with your workstation, and then copy them to the server over the network or using a CD-R, and install them manually.

    In larger shops, you would set up a Software Update Services (SUS) server or SMS server to deploy the patches to the servers exactly when you're ready to do so (after testing in your lab first, of course).

    You should never be using IE on a critical production server. End of story.

    --
    Carpe Cerevisi - Seize the Beer
  43. Re:Windows just might be ahead of *NIX here... by hackstraw · · Score: 2, Interesting

    When will this buffer enforcement be available for gcc!?!?

    As soon as you do a search for StackGuard http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ or ProPolice http://www.trl.ibm.com/projects/security/ssp/.

  44. RPC is good for security by Animats · · Score: 2, Interesting
    What you want for security are little processes communicating through narrow interfaces. That's RPC. The problem is that Microsoft's approach to RPC is insecure, because it comes from the old OLE system under Windows 3.1. Authorization and authentication across RPC connections is weak.

    Not that Linux is any better. The RPC systems for Linux/UNIX are clunky afterthoughts built on top of sockets.

  45. Up times.... by kmeister62 · · Score: 3, Insightful

    I found the discussion of server uptime interesting. I know that for just about every Windows Security Patch the server must be rebooted. Given the release of critical security patches about once a month, the servers with 56 day uptimes haven't had the required patches applied and are vulnerable. The expense of redundant equipment necessary to keep windows applications running with no down time is far greater than other OS's.

  46. But Bill Gates says it's safe by Foofoobar · · Score: 2, Funny

    I, Bill Gates, can prove that Windows is more secure than Linux. Watch as I write it down on this piece of paper. SEE? See what it says? It says 'Windows is more safe'. Don't believe me? Watch me pay someone else to say it. Believe it yet? Well how about if I buy an expensive report and tell them to say Windows is safer. Now do you believe it? NO!!

    Damn, who do I have to buy off to make you people believe that Windows is safer?

    --
    This is my sig. There are many like it but this one is mine.
  47. Re:Windows just might be ahead of *NIX here... by upsidedown_duck · · Score: 2, Interesting

    Windows just might be ahead of *NIX here...

    Nope. What Windows recently added, OpenBSD had been doing for quite a while. OpenBSD uses GCC, so, yes, there is a way to get GCC to provide the stack protection. Also, both OpenBSD and Solaris can provide execute protections for RAM, at least on SPARC. I'm sure other systems have this too, but I just don't know at the moment.

    Again, look to OpenBSD for the cutting edge (OpenSSH, stack protection, good firewall, audited code, clean install, etc.) and see it get implemented in Windows a few years down the road.

    --
    -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
  48. Beating the dead horse much? by ksc · · Score: 2

    Anyone else tired of this stuff?

  49. Great another one of these. by paulevans · · Score: 3, Insightful

    I'm sorry, I love linux (I use slack at home) but this "report" seems to be nothing more than another "yea linux!" cheerleader piece. I couldn't help but notice the author's obliviousness to the other side of the argument (I'm not saying Windows is better, far from it, BUT there are points that need to be addressed.) I was hoping that this would be a calm, well thought out piece on something that I believe in: Linux is more secure and stable than Windows. How I was wrong. What the linux community needs is a comprehensive BELIEVABLE and intelligent paper on this subject. I need something that I can take to my boss and say, "Look! See, linux is better." If I gave him this paper, he'd laugh and say, "This is why we don't use linux, you people are nuts."

    --
    "When I want your opinion, I'll give it to you." --leonstryker
    1. Re:Great another one of these. by argent · · Score: 2, Interesting

      The author needed to provide some evidence that he/she did everything possible to make the argument for Windows to be stable and secure.

      OK, I'll have to agree that there's a bias there. The language could be better, and there's a few areas that could be broadened: for one example... there are features of the Windows domain model that are neglected in this analysis... but the problem is they're not really given proper credit in pro-Windows white papers either, and the security problems of the single-sign-on environment need to be considered. From a trust point of view a group of Windows computers in a strongly configured domain can be compared to a single timeshared computer. They have the advantage of very strong hardware protection boundaries (separate machines), but a relatively weak multi-user protection model, and poor confidentiality.

      Anyway, your approach (hack the crap out of both) isn't the only way to address the question. Taking the published data and re-analysing it to a common baseline, which is the approach this paper takes, is also useful. If you tone down the language you end up with a pretty honest comparison... I didn't see a lot missing from the discussion that could strengthen the security case for Windows.

  50. Re:Make Sure That You Only Present... by gabebear · · Score: 4, Interesting

    No matter how you cut the vulnerabilities in Win2K3 some of the vulnerabilities are definitely part of IIS 6.0. However I don't believe for a second that Microsoft is reporting all security problems, such as this problem that M$ still hasn't acknowledged.

    The Apache group is much more forthcoming about security problems and I don't trust Windows as a server platform.

  51. Re:Make Sure That You Only Present... by 'nother+poster · · Score: 3, Informative

    Umm. Actually you don't need tags. Right there next to the Submit and Preview buttons is a drop down menu that allows you to select three other formatting options.

    They work well.

  52. What you would need: by jd · · Score: 5, Interesting
    Take one recent Microsoft Windows box, with all official patches from Microsoft and relevant vendors applied and all standard security procedures adhered to.

    Now, take a recent Linux box (the distro doesn't matter) and apply all official patches and upgrades, as released by the distro and the various package maintainers.

    Each machine must have directly comparable software installed. Where possible, this should actually be the same software. You don't want to have too many variables in this. You're going to have some, but by keeping things uniform, you should be able to keep things sane. The other thing is that you want SOME closed-source software on Linux and SOME open-source software on Windows.

    Before we do the tests, we need some diagnostics software on the machines. Memory bounds checkers, system load monitors, host intrusion detection software, etc. This will tell us what impacts we are having, beyond simply seeing if the servers and/or OS fall over or not.

    At this point, we get to the tests themselves. Throw absolutely everything you can at the computers. Use every vulnerability scanner on the planet, every worm or trojan you can locate, use stress-testers, etc. Find DoS and DDoS packages, if any have been openly released.

    Now we have some actual data, based on comparable usage and comparable attacks. The data will show that the different OS' respond differently to different attacks. (Surprise there, Sherlock!) We now need to determine which of the remaining variables are important.

    The remaining variables are "underlying flaws within the OS", "inherent flaws, due to errors in the design methodology itself" and "unequal reporting of equal errors".

    What you want to do then is a four-way analysis of variance. The first of the three components is the different vulnerabilities found within the different applications. The second way is looking at the variation between the different vulnerabilities within the OS' themselves. The third way is the variation of bugs reported for any given application, OS or combination, vs. what actually gets reported by groups such as CERT. The fourth way would be the difference in licensing policy.

    The NULL Hypothesis for the applications is that all applications will have roughly the same number of vulnerabilities, regardless of what they do, what they're written for, the philosophy of the programmer, and the company producing the software.

    It's doubtful you'd find enough applications, and enough vulnerabilities in each, to split the study in sufficient ways to cover all these points. However, it should be possible to collect enough to do a statistically meaningful study on a few of them.

    The problem with AOVs is that you've got to have a lot of data, and that the amount of data you need increases very rapidly. You do get plenty of idiots out there who ignore the confidence level and even the methods of the study, looking for any slight comment that proves whatever they're wanting to say. Other times, even nominally sane people will do this, because they want/need the results too fast or too cheaply to do the work properly.

    Let's say, for example, that the number of vulnerabilities found within the applications, when studying the variance between them, is pretty random. There's no discernible pattern. Let's also say that there's no significant variance found between FOSS and Closed Source. Then, let's say that we're in the 1% confidence level for both of these, which means that this will likely hold true 99% of the time.

    We could then conclude that Closed Source vs. Open Source is purely a matter of personal choice. The net difference simply isn't significant to warrant going for one and ignoring the other.

    Continuing with this fictional scenario, let's say that Linux and Windows show a VERY significant level of variance. We know, at this point, that it's not the Closed vs. Open nature,

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  53. Unpatched Windows Vs Linux by Bruha · · Score: 2, Informative

    Clear Winner here is Linux. You could throw RH 9 onto the net with no firewall or anything and there it would sit until someone hacked it.

    Do the same with XP or W2k and within 20 minutes or less it would become infected and begin zombie operations.

    Let's go to a patched server; in both cases they're still vulnerable. However there is a clear difference in vulnerabilities with the majority of Linux ones being in the realm of local hacks where in Windows you're still dealing with remote hacks and buffer overflows.

    Yes in many cases both problems can be blamed on 3rd party apps but even in kernel to kernel comparisons Windows still is high on the list of being vulnerable.

  54. Firewalls by Anonymous Coward · · Score: 3, Funny
    The only thing you have to ask yourself is this: Is anybody using a Windows machine as a Firewall for a bunch of Linux boxes?

    Check back here for the answer at 3am...

  55. Re:IE messages, security features and windows upda by VitaminB52 · · Score: 2, Informative
    The inability to update a machine via a 56k modem is probably another reason why I know so many friends running unpatched OSes (any offline installable M$ update anyone ?). Grrrrrrr....

    You can (and maybe should) order an XP SP2 CD from Microsoft - it's free, all expenses paid by M$. Not patching your machine will only make the hackers and spammers happy.
    I'm on ISDN, so downloading XP SP2 isn't an option. I ordered the patch CD, and now my XP machines are patched & secure - so I hope .... at least I'm secured against known vulnerabilities.

  56. Does security really matter? by grumbel · · Score: 2, Insightful

    Does security really matter? I mean neither Windows nor Linux are secure, we see new ways to exploit them every few weeks or even days, be it some obscure attacks via manipulated pdf files or some remote root exploits via ssh or whatever. If people don't patch their system regularly they are lost no matter which one they use. So I see little point in comparing them on a my system "has more remote holes than yours" basis, especially when the breakins are more the result of popularity of the OS/app than anything else.

    The real question should not be which system is more secure, since neither are, the question should more focus on which system is easier to maintain and make upgrades and patches easy to install. If a system fails at that, no matter how few exploits it has, one unpatched is enough to get you into a hell of a lot of trouble.

    Another question would be, what are the real alternatives and what will the future bring? I mean just patching C buffer overflows into all eternity is really not something on which I would build 'security', neither is the OpenBSD way of 'no features, no bugs' a real solution, since people will end up using 'features' and thus get bugs.

    1. Re:Does security really matter? by argent · · Score: 4, Informative

      Does security really matter?

      YES

      I mean neither Windows nor Linux are secure, we see new ways to exploit them every few weeks or even days

      Um, no, there is a huge difference. UNIX applications are usually designed in an inherently secure manner, UNIX file permissions really do make a difference, and UNIX contains mechanisms that can be used to lock the system down to the point where you can give a user "root" access and they still can't modify anything outside the sandbox you set them up in.

      Windows does not, in practice, provide some of these kinds of security at all... and others are purely nominal protections at the same level of asking people "are you going to rob the bank" and letting them into the vault if they say "no".

      So where on Linux an error that lets someone break out of a CHROOT environment is listed as an "exploit", Windows doesn't even provide that kind of environment so you don't need an exploit to compromise it. When a Windows exploit is listed, it far more often means there's a way of completely compromising your computer and taking it over, rather than just letting the attacker from one locked room to another.

      That is, if I was running an "anonymous FTP server", and the server application has a buffer overflow in it, on Windows that exploit would let them inject a backdoor and take over my machine at will, and modify the boot sequence to restart the backdoor if the computer is rebooted. On Linux, they would be able to run the backdoor as an unprivileged user, they wouldn't be able to even see any executable files that could be used to restart the backdoor, and in some configurations they wouldn't even have network access. They would need to find and run two more exploits... one to break out of the CHROOT environment and one to get root privileges... before they could do anything.

      This is called "defense in depth". UNIX systems and applications, developed in an environment where you had to give mutually untrusting users access to the same computer at the same time in a timesharing environment, don't break down and give up with one attack.

      SO...

      Linux, like all UNIX systems, is built around inherent security and defense in depth, which means that it's MUCH harder to get in and MUCH harder to do anything once you are in.

      AND...

      It's not just a matter of relative popularity... for one example: back when 2/3 of the domains out there were running Apache on Linux, the less than 1/3 remaining IIS servers still represented 2/3 of the domains on the "defaced sites" list.
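      The sandboxed service argent describes above (the daemon confined to a chroot and running as an unprivileged user, so that a single bug does not hand over the machine) is shown below in C as an added example; it is not code from the thread or from any project mentioned in it. The jail path /var/empty and the uid/gid 65534 are assumptions.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to JAIL and drop to UID/GID, in the order
 * that matters: chroot while still root, then shed the supplementary
 * groups, then the primary group, and only then the user id (setuid
 * first would leave us unable to do the rest).  Returns 0 on success,
 * -1 with errno set otherwise.  Must be called as root. */
int sandbox_service(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) != 0) return -1;          /* start inside the jail ...    */
    if (chroot(jail) != 0) return -1;         /* ... so "/" now means the jail */
    if (chdir("/") != 0) return -1;           /* never keep a cwd outside it   */
    if (setgroups(0, NULL) != 0) return -1;   /* shed supplementary groups     */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;          /* irreversible for a non-root uid */
    return 0;
}

/* Defence-in-depth check after the drop: a chroot alone does not confine
 * a process that is still root, so verify that root cannot be regained.
 * Returns 1 when privileges are really gone, 0 when the process is still
 * (or again) root. */
int privileges_dropped(void)
{
    if (geteuid() == 0) return 0;
    if (setuid(0) == 0) return 0;             /* only succeeds for root        */
    return errno == EPERM;
}

/* Can the process still reach PATH?  Used to show that a file outside the
 * jail (here /etc/passwd) becomes unreachable once confined. */
int can_read(const char *path)
{
    return access(path, R_OK) == 0;
}

int main(void)
{
    const char *jail = "/var/empty";          /* assumed to exist and be empty */
    uid_t nobody_uid = 65534;                 /* assumed id of "nobody"        */
    gid_t nobody_gid = 65534;                 /* assumed id of "nogroup"       */

    if (geteuid() != 0) {
        fprintf(stderr, "run as root to demonstrate the drop\n");
        return 1;
    }
    int before = can_read("/etc/passwd");
    if (sandbox_service(jail, nobody_uid, nobody_gid) != 0) {
        perror("sandbox_service");
        return 1;
    }
    printf("/etc/passwd readable: before=%d after=%d; privileges dropped=%d\n",
           before, can_read("/etc/passwd"), privileges_dropped());
    return privileges_dropped() ? 0 : 1;
}
```

      Run as root it prints before=1 after=0 and dropped=1: the same code that handled the request can no longer see the host filesystem or become root, which is exactly the "two more exploits" argent says an attacker would then need.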

  57. Re:Make Sure That You Only Present... by Foolhardy · · Score: 2, Interesting
    1. So why is IE integrated into the kernel that the server is running on top of?
    Internet Explorer has never been, isn't now and never will be integrated into the kernel. It does not run in kernel mode. The only thing that IE is integrated in is the shell environment and what Microsoft calls the "Windows Experience". This integration with the 'experience' is the excuse they used to say that it had to be a part of Windows; it's a marketing reason, not a technical one.

    The Windows shell environment is like what KDE is on Linux, and IE is integrated into it like Konqueror is integrated into KDE. The kernel has nothing to do with it.
  58. Re:Windows just might be ahead of *NIX here... by ratboy666 · · Score: 2, Interesting

    Ok, it's a troll... but I'll bite. First, run libsafe on linux. That will offer buffer checking for the "common" cases -- at very little cost. No "recompile" needed.

    And, you can go more paranoid from there...

    Ratboy.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  59. Then again, Lindows / Linspire by dpilot · · Score: 2, Insightful

    From everything I've read, NT has a good security model, under the covers - even better than most Unix variants. (like Linux) It's just that they don't use it effectively. Even further, the Windows culture is pretty much contrary to their making effective use of their own security.

    Perhaps Unices haven't had as much security capability, but we've had the culture to at least understand separation between root and users. We've also had the open exchange that gets bugs reported and fixed, another cultural aspect.

    But then again, now we have run-as-root Lindows / Linspire. This distribution REALLY SCARES ME, especially when they sell it into the novice market - the ones least likely to do proper maintenance and most likely to click on silly attachments. (as root, no less)

    I understand Lindows / Linspire is trying to make something simple for the novice. But IMHO, they've done it in entirely the wrong way. Far better than running the user as root would be to have standard setup of "user" and make the new user that. Then make a comprehensive set of sudo scripts, with extensive error checking, to administer the system.

    BTW, the Linux security model isn't standing still, either.

    --
    The living have better things to do than to continue hating the dead.
    1. Re:Then again, Lindows / Linspire by advocate_one · · Score: 2, Informative

      fer heck's sake... Linspire hasn't run as root for years now... it was only the beta that ran as root and they quickly fixed that after all the flak they got then...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  60. Re:IE messages, security features and windows upda by herve_masson · · Score: 2, Informative

    Well, my Win2k box is fully patched and behind a FreeBSD firewall, etc etc. I've not seen any virus, from the beginning.

    But, how about those numerous friends/relatives who still run win98 and can't update to something else without changing their hardware? I find it rather embarrassing that none of those update packs can be downloaded and installed *later* on other machines, it's pure nonsense to me.

  61. Re:Reverse FUD... by DannyO152 · · Score: 2, Insightful
    It is an analysis. So then the following questions apply:
    • Are sources cited?
    • Are sources credible?
    • Did you check the sources and find the citation was accurate and not out of context or abridged to remove inconvenient parts?
    • Was the analysis presented in such a way that alternative interpretations of the facts were noted and discussed fairly?
    • Can you follow the logic or do you find there are assumed facts not in evidence?
    • Is the author's past history of any advocacy well-disclosed so the reader can be forewarned as to any potential bias?
    • Were the experiments/benchmarks single-blind or double-blind or no-blind?
    • Is the experiment/benchmark methodology well-explained and the results reproducible?
    • Where people were surveyed, were the subjects selected randomly (and is the selection method disclosed)?
    I haven't looked closely so I will not answer the question about reverse FUD. In any case, I have, at best, a mild interest in Windows TCO or Linux Security studies. I am not a PHB and I do not serve under one, so when I check slashdot comments about these studies, it's to see if someone criticizes the study in terms of the bases I set forth above. Because if a study is dubious, no matter what it advocates, a commenter will point flaws out in a specific manner. I believe there's some signal amidst the noise -- I must be an optimist.
  62. Re:Make Sure That You Only Present... by flossie · · Score: 4, Insightful
    Internet Explorer has never been, isn't now and never will be integrated into the kernel. It does not run in kernel mode. The only thing that IE is integrated in is the shell environment

    Fair enough - I'll modify my question then. If IE should never be used on production servers, why is IE so heavily integrated into the shell environment in which the server runs?

    BTW, to say that the integration of IE in Windows is somehow equivalent to the integration of Konqueror in KDE is rather ridiculous. It is trivial to entirely replace one browser with another on a GNU/Linux system. Eradicating all traces of IE on MS Windows machines is nowhere near as simple.

  63. Re:IE messages, security features and windows upda by VitaminB52 · · Score: 2, Interesting
    With extremely limited exceptions, there are no sites out there that need to be fscking around with ActiveX. Any sites that require it are the result of unprofessional design and should be considered highly suspect.

    So windowsupdate.microsoft.com is an example of unprofessional design - update functionality doesn't require ActiveX in a webbrowser, as dozens of automatic update packages prove. I use automatic updates for many software products, and only windowsupdate.microsoft.com does 'require' ActiveX in a webbrowser.
    The reason MS uses ActiveX at windowsupdate.microsoft.com is simple - you have to update Windows, and if you want to update Windows in a convenient way, then you have to use ActiveX and therefore Internet Explorer. It's just a part of the browser war, there is no technological necessity to use ActiveX for this purpose.

  64. Re:Make Sure That You Only Present... by Anonymous Coward · · Score: 2, Informative

    That's ridiculous... Change your windows login shell to something like cmd.exe or even better something like far.exe (www.farmanager.com) and look - you won't ever see MS IE for your admin tasks. Unregister mshtml.dll & co if you want. Look, not even hard. You just need to know how. If you don't - you shouldn't admin a win2k3 box in the first place.

  65. Thank you very much by RAMMS+EIN · · Score: 2, Interesting

    Thank you for that post. Posts of that quality are a rarity on Slashdot...

    I still have some concerns, though.

    ``At this point, we get to the tests themselves. Throw absolutely everything you can at the computers. Use every vulnerability scanner on the planet, every worm or trojan you can locate, use stress-testers, etc. Find DoS and DDoS packages, if any have been openly released.''

    See, that, right there, leads to the problem I cannot see how to circumvent. You throw everything _you_ can find at the machines - but what if you can more easily find exploits for certain software than for others? Conversely, if you don't use available tools, but have a bunch of people try to break systems from scratch, there might be a bias in their skills that favors certain software.

    ``The third way is the variation of bugs reported for any given application, OS or combination, vs. what actually gets reported by groups such as CERT.''

    I assume this corrects the problem mentioned above somewhat. You could try to exploit your test systems by hand, then compare your stats with CERT's, and conclude that either there is no apparent bias in either set of figures, or one of them is biased - but you wouldn't know which one. Or is there a thinko on my part?

    I am an OS enthusiast, and I have a decent number of OSes here to test with. If I can really get convinced that such a test can be conducted in a meaningful way, I would like to actually do it.

    --
    Please correct me if I got my facts wrong.
  66. Re:Make Sure That You Only Present... by Anonymous Coward · · Score: 3, Informative

    really ? what's this then? :

    D:\ResKit>su.exe
    UserName required!

    above available from nt4.

    or "run as" available from win2k?

    Look, you'd better educate yourself before posting.

  67. Re:Make Sure That You Only Present... by Foolhardy · · Score: 2, Interesting
    If IE should never be used on production servers, why is IE so heavily integrated into the shell environment in which the server runs?
    There really isn't a good reason, but there is an explanation. It goes back to the very first version of NT: 3.1. Since then and up to Win2k, the server and workstation versions of Windows use exactly the same binaries, with a few extras for server and a flag in the registry. This meant that the same exact patches could be applied to both. It was convenient because the server would provide the exact same environment that the workstations provided. Windows makes its money by being compatible. MS says it plans to fork the server and workstation codebases in the future: ws2k3 does not use the same binaries as XP does, it's not even the same version of NT (XP is 5.1 and 2k3 is 5.2). The shell is there on server in case the user runs some kind of app that depends on it. It provides a unified Windows environment.

    OH and last time I checked, many Linux distros install a shell environment, with a web browser, on a generic server install.
    BTW, to say that the integration of IE in Windows is somehow equivalent to the integration of Konqueror in KDE is rather ridiculous.
    You can remove all traces of Konqueror, not just the launcher but all the HTML rendering and stuff, without breaking KDE? Can you have KDE without any web browser components?
    It is trivial to entirely replace one browser with another on a GNU/Linux system. Eradicating all traces of IE on MS Windows machines is nowhere near as simple.
    You can replace the shell with an entirely different one if you want on Windows. No, it isn't as easy since MS doesn't provide an uninstaller: you have a good point. It is possible; see nLite or LitePC. If you remove all traces of IE, it will break the shell, though. And breaking the shell will break any apps that depend on the shell, just like removing KDE would break KDE apps that depend on it.
  68. Re:Make Sure That You Only Present... by flossie · · Score: 4, Insightful
    You can remove all traces of Konqueror, not just the launcher but all the HTML rendering and stuff, without breaking KDE? Can you have KDE without any web browser components?

    I don't use KDE so I can't answer that for certain, but I would be very surprised if you couldn't. It is certainly possible to remove all traces of a web browser from the alternative desktop environment: GNOME.

    Then again, why would you even want to run KDE or GNOME on a server? You can have a fully functional, graphical GNU/Linux machine without running those extra desktop applications.

    Of course, for a server, there is probably no need to run any graphical stuff at all. It is perfectly possible (and common) to have a GNU/Linux server without installing X11 - all configuration can be performed via the command line, or remotely if you prefer a graphical configuration interface.

  69. Re:Make Sure That You Only Present... by swillden · · Score: 5, Funny

    Slashdot doesn't serve XHTML.

    Technically, Slashdot doesn't serve HTML, either. Slashdot serves some markup language that is sufficiently similar to HTML that most browsers can find a reasonable way to render it if they squint at it hard enough.

    Of course, the same is true of 99% of the web. Still, you'd think this bastion of geekdom would dare to be different.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  70. What I Would Like to See by druxton · · Score: 2, Interesting

    I think it would be interesting to create a 3D plot of the threat space using the metrics from the article as axes. Comparing the shape and size might be enlightening.

    PS Note I said "it would be interesting", not "I would be willing" - it would be a daunting task.

  71. Re:Make Sure That You Only Present... by agrippa_cash · · Score: 3, Insightful

    In my experience sometimes (about 60% of the time) RUNAS just doesn't work. Not that this excuses running as Admin, but if 'ease of use' counts in Windows' favor then it is entirely fair to point out this flaw.

  72. Re:Make Sure That You Only Present... by Arker · · Score: 3, Interesting

    Nice fuzzy logic there. How many of those 40 Microsoft vulnerabilities were related to Internet Explorer? Yes, it's Microsoft's fault for integrating it in the OS, but if you are using Server 2003 O/S to cruise the web with an admin rights role, you are the security problem, not the OS.

    There are so many things wrong with that statement in the real world. Perhaps the most important one conceptually, and one that none of the other replies have touched on, is that you don't actually have to intentionally run IE in order for it to get invoked! I hear all the time how if people run Mozilla instead, all the worries with IE are gone, but that's not entirely true. It's a security risk just sitting on the disk, never intentionally used by anyone.

    Second, as has already been mentioned, patches and updates? Sure, on a server you probably shouldn't be running a web browser, but you shouldn't have a videocard and monitor on a server either. In the windows world, however, both are required. There is no apt-get, there is no console-only mode.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  73. Re:Linux is more secure. Once more. by avgjoe62 · · Score: 3, Insightful
    If the exploit is in a component that runs as a limited user, you'll need an additional local root exploit to get System rights - same as in any other OS.

    But the problem is (if you read the article...) that there are far more processes in Windows that run with privilege than those that are restricted.

    To quote TFA:

    RPCs are potential security risks because they are designed to let other computers somewhere on a network to tell your computer what to do. Whenever someone discovers a flaw in an RPC-enabled program, there is the potential for someone with a network-connected computer to exploit the flaw in order to tell your computer what to do. Unfortunately, Windows users cannot disable RPC because Windows depends upon it, even if your computer is not connected to a network. Many Windows services are simply designed that way. In some cases, you can block an RPC port at your firewall, but Windows often depends so heavily on RPC mechanisms for basic functions that this is not always possible. Ironically, some of the most serious vulnerabilities in Windows Server 2003 (see table in section below) are due to flaws in the Windows RPC functions themselves, rather than the applications that use them. The most common way to exploit an RPC-related vulnerability is to attack the service that uses RPC, not RPC itself.

    It is important to note that RPCs are not always necessary, which makes it all the more mysterious as to why Microsoft indiscriminately relies on them.

    THAT is what makes Windows different from any other OS and thus more vulnerable.
    --
    How come Slashdot never gets Slashdotted?
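    The quoted passage says RPC cannot be disabled because Windows depends on it, and that blocking an RPC port at the firewall is only sometimes possible. The script below is an added example (not from the article or this thread) that makes both points concrete: it lists the services that declare a dependency on the RPC service, which is why stopping RpcSs is not an option, and then scopes the endpoint mapper port to a management subnet instead of disabling anything. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and a hypothetical management subnet of 10.0.5.0/24.

```powershell
# Added example, not from the thread. Assumes the NetSecurity module (Windows 8/2012+)
# and a hypothetical management subnet 10.0.5.0/24. Run in an elevated PowerShell.

# 1. Why "just disable RPC" is not an option: everything that depends on RpcSs.
$rpc = Get-Service -Name RpcSs
"RpcSs is '$($rpc.Status)', startup type '$($rpc.StartType)'"
$rpc.DependentServices |
    Sort-Object Name |
    Select-Object Name, Status,
        @{ Name = 'RunsAs'; Expression = {
            (Get-CimInstance Win32_Service -Filter "Name='$($_.Name)'").StartName } } |
    Format-Table -AutoSize

# 2. What can be done instead: the endpoint mapper (TCP 135) is needed locally and by
#    domain members, but rarely by arbitrary hosts. Windows Firewall evaluates Block
#    rules before Allow rules, so do NOT add an explicit block for 135; rely on the
#    profile's default inbound Block and leave only a scoped Allow in place.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable the built-in inbound rules that open the endpoint mapper to any source.
# Built-in rules use the keyword 'RPC-EPMap' rather than the literal port number.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -in @('135', 'RPC-EPMap') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# Re-open it only from the management subnet.
New-NetFirewallRule -DisplayName 'RPC endpoint mapper: management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress '10.0.5.0/24' -Action Allow -Profile Domain, Private

# Caveat: services that use dynamic RPC ports (rule keyword 'RPC') need the same
# treatment rule by rule; the script above only handles the endpoint mapper.
```

    The dependency listing is the practical test of the article's claim on a given box: if services you need appear in it, disabling RpcSs is off the table and the firewall scoping is the remaining control.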

  74. Re:Make Sure That You Only Present... by cayenne8 · · Score: 2, Informative
    "The problem is on Windows, you can't just su into root when you need to do something important. The only way to switch back and forth between admin and regular user is to completely log off. What a pain."

    Yup.....and it makes it a pain in the ass if you have to do any Oracle DBA work on a win.box. We used to have at least the oracle acct. that had local admin..or enough special privs. when we needed it. Now, they've got new rules...and we have to bug the SA to come fucking sit with us, to log us in to run/build things, etc.

    On the Sun boxes we work on...everything we need is there...and for special things...we get sudo for them. I cringe whenever they throw a windows box for us to install and maintain Oracle on...we as a group always push for a Unix platform. So much easier to care for and automate with scripts.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
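    Comments 71 and 74 both say switching between admin and a regular user on Windows means logging off, and that RUNAS is unreliable. The script below is an added example (not from either poster) showing the two ways to get an elevated process in the current session without logging off, plus the one precondition that makes runas fail silently in practice: it depends on the Secondary Logon (seclogon) service. It assumes PowerShell 5.1 or later and a hypothetical local administrator account named OraAdmin.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1+ and a hypothetical
# local admin account 'OraAdmin'. Run from an ordinary (non-admin) session.

function Test-IsElevated {
    # True when the current token is a member of the Administrators group
    # (with UAC, only an elevated token reports this as true).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# runas.exe is implemented on top of the Secondary Logon service. If seclogon is
# stopped or disabled (a common hardening step), runas fails every time.
$seclogon = Get-Service -Name seclogon
if ($seclogon.Status -ne 'Running') {
    Write-Warning "Secondary Logon (seclogon) is $($seclogon.Status); runas will not work until it is started."
}

# Pre-UAC style (2000/XP/2003 and still available today): start a shell as another
# user inside the current desktop session. The password is always prompted for;
# runas has no switch to pass it on the command line.
runas.exe /user:OraAdmin "cmd.exe"

# UAC style (Vista and later): re-launch this script with an elevated token.
# A standard user gets a credential prompt; an admin gets the consent prompt.
# $PSCommandPath is only set when this runs as a saved .ps1 file.
if (-not (Test-IsElevated)) {
    Start-Process -FilePath 'powershell.exe' `
        -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $PSCommandPath `
        -Verb RunAs
    exit
}
"Now elevated: $(Test-IsElevated)"
```

    Neither path changes the user of the existing shell the way `su` does; each starts a new process with the other token, which is the closest Windows equivalent of `sudo`.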
  75. Re:So... by Anonymous Coward · · Score: 2, Interesting

    Easy.

    Solid Unix admins will fight tooth and nail before any application is run as root. The only applications that should be run as root are those that directly affect the kernel or system tools (that require it) directly. Anything else, and it's the Unix admin being stupid for allowing it. If it's a business decision and the Unix admin has no choice, then they need to make those people making the decision aware it's not their fault when the box is ultimately owned.

    Otherwise, for unsafe apps, there's chroots you can use, there's ways now you can run an entire instance of Linux within Linux (I forget the name of this right now). So even if that instance is toasted, remove the file, copy a backup in, wash, rinse, repeat. (and you can just recompile it with the fix when you find it).

    You can firewall things off, at ports, users, groups, any mix you want. There's even APL's available you can use to lock down various things, or tie down resource usage per process, or anything else as well.

    Basically, if a unix box gets owned, there's got to be some very serious questions on why it did.

    Most likely it was something dumb like outdated software that should have been patched or upgraded long ago that was... shall we say... neglected.

  76. Re:Ah, but the lack of factual data is the problem by mikefe · · Score: 2, Informative

    Actually you are right. NT's kernel is very competitive with unix, and can provide what is available in the unix kernels.

    The problem is everything else added on top of the kernel, and the fact that graphics drivers have been integrated with the kernel instead of separated out. Though XP has made progress by moving sound drivers out of the kernel -- in contrast to Linux which has sound drivers in the kernel, and graphics drivers in userland (with two notable exceptions -- Nvidia and Ati's 3d drivers).

    Even with the RPCs, if they were each separated into separate user accounts with access rights to only allow what is needed for each service, security would be vastly improved.

    And while NT may have a more feature rich access rights model, it hasn't been exercised very well.

    Also you would be more convincing if "Don't run as Administrator" was as popular a phrase in the windows world as "Don't run as root" is in the Unix world.

    --
    There: Something at a specific location.
    Their: Owned by someone.
    Please make sure your english compiles.
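    The comment above argues that services should each run under their own restricted account with only the rights they need. The script below is an added example (not from the poster) of doing exactly that on a modern Windows box: it inventories which services run as LocalSystem, then moves one of them to a per-service virtual account and grants that account access only to its own data directory. It assumes Windows 7 / Server 2008 R2 or later (virtual accounts) and a hypothetical third-party service named AcmeUpdater with a data directory under C:\ProgramData\Acme.

```powershell
# Added example, not from the thread. Assumes Windows 7/2008 R2+ (virtual accounts),
# a hypothetical service 'AcmeUpdater' and its hypothetical data dir C:\ProgramData\Acme.
# Run in an elevated PowerShell.

function Get-LocalSystemServices {
    # Services whose logon account is LocalSystem: full privilege on the host.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, StartMode, PathName
}
$all = Get-LocalSystemServices
"$($all.Count) services run as LocalSystem"
$all | Format-Table -AutoSize

$svc     = 'AcmeUpdater'
$dataDir = 'C:\ProgramData\Acme'

# Before: show the current logon account (SERVICE_START_NAME in the output).
sc.exe qc $svc

# Switch the service to its own virtual account "NT SERVICE\<name>". It has no
# password and a SID unique to this service, so an exploit in AcmeUpdater gets
# that SID's rights and nothing more. (The space after 'obj=' is required by sc.exe.)
sc.exe config $svc obj= "NT SERVICE\$svc"

# Grant the virtual account only what the service needs: Modify on its data dir.
$acl  = Get-Acl -Path $dataDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT SERVICE\$svc", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dataDir -AclObject $acl

# Restart and confirm. If the service now fails to start, check that the account
# holds the "Log on as a service" right and can read its own binary path.
Restart-Service -Name $svc
sc.exe qc $svc
Get-CimInstance Win32_Service -Filter "Name='$svc'" | Select-Object Name, StartName, State
```

    For built-in components, "NT AUTHORITY\LocalService" or "NT AUTHORITY\NetworkService" in place of the virtual account gives the same reduction in privilege with a shared rather than per-service identity.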
  77. Re:Make Sure That You Only Present... by agallagh42 · · Score: 2, Insightful

    "Confusing server room setup.
    20 server boxes, 20 monitors, 20 keyboards, 20 mice. Or using expensive and error prone KVM setups which may only reduce the clutter by a third or so practically.
    More cable clutter, more power requirements, reduced efficiency."


    Geez. How long has it been since you've touched a windows server? Every one of the benefits you listed for Linux is not only possible on windows, it's common practice. It's very easy to run a windows server totally headless. The GUI will be there if you need it, but 99% of the time, you don't.

    Even my personal server at home, running W2K3, hasn't had a monitor connected to it for over a year. Everything you would ever want to do can be done remotely. You even have the choice of using Remote Desktop for the nice warm fuzzy GUI, or you can go totally command line if that's what turns your crank.

    Yes, every single function that you can perform in the GUI can also be performed from the command line. Remote access security can be had any number of ways, with or without spending money on software. Windows supports IPSec natively, as well as several flavours of VPN, or there are even several free (as in beer and/or speech) SSH products available for it.

    Basically, quit knocking MS for the shortcomings of NT4. That's ancient history and they've made giant leaps forward in quality and reliability. If you want to knock them for their business practices, or just general evilness, go right ahead, but the argument that windows is crap just doesn't cut it anymore.

    --
    Carpe Cerevisi - Seize the Beer
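    The comment above says a Windows server can be run headless and administered entirely from the command line, with remote access secured in several ways. The script below is an added example (not from the poster) of that setup on a current server: it turns on PowerShell remoting over HTTPS only, enables Remote Desktop with Network Level Authentication required, and then runs commands against the box from an admin workstation with no GUI involved. It assumes Windows Server 2012 or later, a hypothetical server named srv01, a hypothetical admin account CORP\svradmin, and a server-authentication certificate for srv01 already present in the machine certificate store.

```powershell
# Added example, not from the thread. Assumes Server 2012+, hypothetical host 'srv01',
# hypothetical account 'CORP\svradmin', and a server-auth certificate for srv01 in
# Cert:\LocalMachine\My. Run the first part elevated on the server, the second on a workstation.

# ---------- on the server, once ----------
Enable-PSRemoting -Force          # WinRM service, HTTP listener (5985) and its firewall rule

# Add an HTTPS listener bound to the server certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*srv01*' -and $_.HasPrivateKey } |
    Select-Object -First 1
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow

# Do not expose the plain-HTTP listener: disable the built-in rule that opens 5985.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Disable-NetFirewallRule

# Remote Desktop for the "warm fuzzy GUI" case, with NLA required so the logon is
# authenticated before a session is created.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# ---------- from the admin workstation ----------
$cred = Get-Credential -UserName 'CORP\svradmin' -Message 'Server admin credentials'

# One-shot command: services set to start automatically that are not running.
Invoke-Command -ComputerName srv01 -UseSSL -Credential $cred -ScriptBlock {
    Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }
}

# Interactive shell on the server, no monitor or RDP session involved.
Enter-PSSession -ComputerName srv01 -UseSSL -Credential $cred
```

    The certificate check on the client side is what makes `-UseSSL` worth having: the server's certificate must chain to a CA the workstation trusts, otherwise the session fails rather than silently falling back to HTTP.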
  78. Re:So... by isorox · · Score: 3, Insightful

    And neither do their windows admins. PHB's think that Windows servers must be easy to admin as they look like Windows desktops. Of course in reality they aren't.