Slashdot Mirror
Unpatched Linux Lives 3 Months on Internet
Allnighterking writes "The Honeypot project Honeynet.org has released their study on the expected lifetime of an unpatched default Linux install. If some of you remember AvanteGarde recently did a study of its own with several versions of Windows products and found that the average lifetime was about four minutes. Internet Week has an article on the study and the PDF with the full details of the study is available on Honeynet.org. Needless to say, from my viewpoint this is a good reason to limit Windows installations in IT that any PHB and/or Smiling Man can understand. Have them put into a spreadsheet and see what this kind of security means to their bottom line."
That value would depend on the distro and its age.
Note that the distros they used were basically just Red Hat variants (RH7.2, 5*RH7.3, RH8.0, 8*RH9, 2*FC1) and Suse (6.3 and 7.2). Suse is very similar to Red Hat, and Red Hat is what my friends call "Microsoft Linux" as it doesn't exactly excel in security.
It would be an interesting thing to see how the other dists would fare. I suspect Debian and Gentoo should survive quite a bit longer than those 3 months. After all, a default minimal Debian Woody installation is 34MB, compared to 0.5GB of Red Hat, and this means you simply don't have that many unnecessary services that can fail.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
From TFA:
Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.
Also:
The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows. "The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added
And finally and most importantly:
"No machine is immune," he counseled. "No human is safe from every virus, and it's the same for machines. That's why people have to have some personal responsibility about security. You have to be a good citizen on the network, so you're not only protecting yourself, but others who might be attacked from exploits originating on your machine."
I'd wager that any distro that enables an iptables firewall (that doesn't leave any inbound ports open) stays alive longer than the hardware lasts.
Game! - Where the stick is mightier than the sword!
Because Administrators can't patch their own shit? What makes you think they would patch Linux if they were to switch?
End of Line.
I assure you that i can run a box with any OS without any sort of internet attacks longer than you can.*
*it will not be connected to any outside network at all. your box will be. (Microsoft pulled this to give a high security rating to NT, i believe)
System.out.println(syynnapse.getSig());
This is one time when the argument about Windows being a bigger target really applies. The rate of infection is proportional to the number of vulnerable hosts.
In Soviet America the banks rob you!
SuSE 6.2 (release date: August 1999)
Comment removed based on user account deletion
Linux versus windows in the workplace will not be decided by showing them a spreadsheet of fiddled figures. This test is hardly a good way to test security, its an interesting sideshow, no more.
The message isn't Linux > Windows, it's that not keeping up to date with your patches is dangerous, and Linux is less of a target than Windows at the moment. By the submitters criterion, you would be recommending Apple to your PHB, not Linux, as an unpatched box wasn't even hit with any OS specific exploits!
Another desperately bad spin on an otherwise mildly interesting article.
Meine Schwester ist sehr, sehr reizvoll - Nietzsche
It takes me about 1 1/2 hours to setup a Windows ME install like the one I've been using for 4 years. It's been problem free for that long. Boots in about 23 seconds. Responsive GUI. And you can run programs--you're not just limited to poorly written open source stuff.
Although exploits of facilities implemented in standard linux kernels, such as arp requests or ICMP echo requests, are possible, they are far rarer than exploits of higher-level network services, such as HTTP or SSH. Consequently, a basic install of a distribution such as Gentoo, in which only those basic network services implemented in the kernel are active, would likely remain unexploited for years. Of course, this only shows that in the case of Linux, the `base install' does not provide for a very good test. (In practice, people are far more likely to use Microsoft Windows, or Linux distributions with a more expansive `base install' than Gentoo or Debian, in their base configurations.)
I'll get modded flamebait for this, but...
The Linux box wasn't compromised because it was being attacked as if it were a Windows box.
Therefore, in this case, the article is suggesting that Linux is secure because it is *obscure*. Linux can't be hacked because nobody would want to/nobody knows how to because it's so rare in comparison to Windows = Security through Obscurity.
Microsoft also uses this practice by threatening to sue anyone who exposes a vulnerability in their OS, and by hiding their source code. Hiding source code and vulnerabilities = Security through Obscurity.
I find it morally offensive that Linux hacks are trying to pass of Linux as secure on exactly the same grounds that Microsoft uses to try and keep their own leaky OS as private and secure as they can. Thankfully the author is sensible enough to write a few disclaimers, but as usual, the Slashdot submitter decided to omit that for the sake of sensationalism (and for a quick boot into Microsoft because we all like that).
I bet I could put an unpatched Windows 3.11 box on the internet, too. I bet no-one would hack that. I'd suggest more people are out trying to exploit even Linux or Mac than old Win3.11/DOS. Or how about an OS/2 box? I bet that would last even longer than Linux. Perhaps we should all switch to OS/2?
I am government man, come from the government. The government has sent me. -- G.I.R.
but it seems that no other free unix was used in the test? I would have loved to see how freebsd (or any bsd) would compare.
I left linux for bsd since I consider it more secure. linux is great, but it is a popular attack for kiddies. so far [knock disk] bsd has been spared such, uhm, 'popularity'.
I would bet a similarly configured bsd box would last longer than any of them.
--
"It is now safe to switch off your computer."
you have NAT. that's goodness #1.
/usr/ports and portupgrade-a and I'm done. no worries, and I know its the best set of code for that day, as agreed upon by 'the community' of bsd.
if your cable modem has a firewall, turn that on also.
the less public you make your home box, the less up-to-date it has to be, in terms of security patches.
I still prefer to keep my internal boxes up to date. and it all boils down to how much you trust your vendor and the patch/pkg process (and the reviewers of all the code and patches).
after spending about 5 yrs in the linux world of things, chasing this and that distro, fixing pkgs mostly by hand, tracking things mostly myself - it got old, real fast. then I saw the wonder of the bsd's (freebsd, since I'm still all x86 based). ONE disto. ONE pkg system. ALL eyes are spent on bsd code (ie, all the ones who care about freebsd, review THE freebsd.) that kind of singularity seemed like the best model - especially if you are worried about security.
compare to the linux world where pkg owners update things on their own and vendors are a level between them and you (the user). in bsd, that middle layer (the vendor) is kind of a pass-thru. and when a check-in breaks, its quickly noticed and cvs'd out or fixed in very short order. again, the 'one set of eyes' principle here.
you can fix and secure almost any o/s. but for my money, I daily do a cvsup on my bsd systems, rebuild kernel and world and then updates
quite a diff model than linux. worth looking into.
--
"It is now safe to switch off your computer."
Why do they use unpatched boxes in these types of tests? It just doesn't make a good security test, IMO. Why don't they setup a Linux box and a Windows box, and patch them both. Set up automatic updates in Windows, and a cron job on Linux to download updates nightly. Maybe install a few server processes just for fun (mail, web, ftp, and file shares / samba services for instance). Open the ports for those services, and block everything else with the vendor's firewall. I bet both boxes would stay un-hacked for years.
Unpatched, no virus protection, no firewall, and it just keeps going. Ninnle Linux, the Energizer Bunny of the Internet!
Imagine the nutritional value of Internet2 !
You are being MICROattacked, from various angles, in a SOFT manner.
Last time I moved I set up my laptop running Win2K on my new DSL connection without a firewall. It was just for 5-10 minutes or so, to set up the connection. Within those few minutes, I managed to pick up a worm. This was even with most of the latest patches already installed.
Firewalls/NAT greatly cuts down on your risk. Running firefox pretty much gets rid of the rest. But if you put Windows on the internet without a firewall and you're not a security expert who has done a thorough audit of your machine, you're asking for trouble.
Why doesn't someone put a fully patched windows box on the internet. Because it would last as long as a Linux box, that's why.
This is nice, but the implication that this is evidence that a default install of linux fares better than a default install of Windows is silly. While I'm sure that is the case, this isn't supporting evidence. I hate to continue the broken record of the if-linux-were-as-popular-as-windows-there-would-be -more-$attack-out-there mantra we're all sick of hearing, but in this case it directly applies.