Is Your OS Tough Enough?
LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
Tell me I'm dreaming. Are these people really testing the old Mac OS X 10.2 (Jaguar)? And it withstood all attacks. Nice kitty.
Unpatched Windows: Bad.
Patched Windows, Mac, Linux: Good.
Point? We already hear how much worse security Windows has multiple times a day. This doesn't even say it outright...
The real thing I gained from the article is the fact that there are still an immense number of infected computers out there, and this brings me to the question: where? How many people could there possibly be out there whose computers are being run by various exploits? We already know that they're all thanks to people that suck at patching their machines, and I find that to be a much larger problem than the security of a fully patched OS.
So any resolution of this issue has to be implemented on the OS side.
On that note, Windows is largely responsible for attacks on other operating systems--easily hacked Windows machines are what provides the cover for most blackhats, including those who are attacking Linux/BSD servers.
When things get complex, multiply by the complex conjugate.
Agreed, for instance, the default configs with FreeBSD 5.x are so secure, you can't even send mail from your own system. You can send between users, but that's it, no relays, no outbound of any kind. Of course, it would be nice if people who only need one element of sendmail (sending mail, not receiving it) would realize that a full-featured mailer daemon is overkill, and an invitation for problems. If all you need is something that can send alerts (like from your non-mail servers), use something like sSMTP, a sendmail workalike that can only send mail through your real mail server (even outside accounts, it can handle servers that require authentication). Don't blame sendmail for giving you a headache on 50 systems, when you should never have turned it on in the first place.
--That's the point of being root, you can do anything you want, even if it's stupid.
one thing they did not touch on.. if SP1 is taken over in 18 min.. when is there time to install SP2? and they did say that Linux and Mac OS X were unpatched.. the "we have a bigger market share" is not a true statement.. it's an excuse.. With Microsoft's new test in ActiveX (yes the same thing we have to turn off in all DoD systems) to see if you have a legit copy of Windows, it will just open more holes to get your updates.. what would be interesting is, since MS did not release the same patches for Server 2003 saying it's already locked down (you have to break most of the "lockdowns" to make it work correctly).... how quickly is it going to be attacked? and since there is no SP2 for it.. is it a good choice to use?
I wouldn't say they get a "pass", but let's just be thankful that Microsoft finally got it right by turning the damn firewall on by default with SP2.
Excuse my ignorance about Macs, but does OSX 10.2 come with a firewall turned on by default?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
You are anonymous, and most likely you are attempting to troll. I probably should not have bitten but what can I say, it gave me the chance to rant a bit.
Check for open ports on your pc. https://www.grc.com/
I have had 2 or 3 bots trying to brute-force my main box's password for months on end. The attacks all come from (likely compromised) server farms. I used to run without a firewall, but now I block every IP that tries to run an attack.
They won't succeed as long as I patch, because root logins through SSH are disallowed, and I don't have any of the usernames they guess.
Keep trying, d00dz!
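As an added illustration of what the poster describes (not code from the post), here is a small Python detector run over constructed sshd log lines: it counts failed password attempts per source IP to build a block list, and separates guessed non-existent usernames from failures against real accounts. The log lines and the local user list are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth-log lines (not real traffic).
SAMPLE_LOG = """\
Mar 20 03:14:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 44111 ssh2
Mar 20 03:14:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 44112 ssh2
Mar 20 03:14:05 host sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 44113 ssh2
Mar 20 03:14:07 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 44114 ssh2
Mar 20 03:14:09 host sshd[2209]: Failed password for root from 203.0.113.7 port 44115 ssh2
Mar 20 03:20:11 host sshd[2230]: Failed password for invalid user guest from 198.51.100.9 port 50100 ssh2
Mar 20 03:20:30 host sshd[2231]: Failed password for alice from 198.51.100.9 port 50101 ssh2
Mar 20 03:25:00 host sshd[2240]: Accepted publickey for alice from 192.0.2.15 port 52000 ssh2
Mar 20 03:26:00 host sshd[2241]: Failed password for alice from 192.0.2.15 port 52001 ssh2
"""

# Matches the two sshd failure formats: known user, and "invalid user" (no such account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (user, ip) tuples, one per failed password attempt."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits


def block_list(log_text, threshold=5):
    """Source IPs with at least `threshold` failed logins, most active first."""
    counts = Counter(ip for _, ip in parse_failures(log_text))
    return [ip for ip, n in counts.most_common() if n >= threshold]


def guessed_usernames(log_text, local_users):
    """Per-IP set of attempted usernames that do not exist on this host.

    An IP that only tries names from a dictionary (root, admin, test, ...)
    is a bot, not a legitimate user who mistyped a password.
    """
    attempts = defaultdict(set)
    for user, ip in parse_failures(log_text):
        if user not in local_users:
            attempts[ip].add(user)
    return dict(attempts)


if __name__ == "__main__":
    print("block:", block_list(SAMPLE_LOG))
    print("bogus names per IP:", guessed_usernames(SAMPLE_LOG, {"alice"}))
```

The IP that failed once against a real account (192.0.2.15) is neither blocked nor listed as a dictionary bot, which is the distinction a firewall rule should respect.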
To get a bigger slice of a smaller pie. Worm authors aren't just writing the things as a form of random vandalism; they're writing them to set up botnets that they can use for other nefarious purposes. The huge volume of Windows malware means that there's serious competition for infectable hosts. A successful Linux or OSX worm would have the whole field to itself, which would make up for the smaller number of infectable hosts.
There's no point in questioning authority if you aren't going to listen to the answers.
Story about the firewall not blocking Windows shares. I think Slashdot carried this story a long time ago as well. Do not get me wrong, the firewall and steps in SP2 are a nice step, but they simply are not enough at this point. Unless the user is actively involved, no default Windows setup will be enough.
Except, as the article says, WinXP SP1 is still quite common. Hell, I still use Win2k SP4. I wish they'd run the test with that.
Better question: does ANYONE put a box on the internet these days without a router between them and the connection?
(actually, now that I think about it, I can name several. Methinks I need to go have a talk with some friends and family.)
I wonder why the big hosting providers don't use IIS; would it be the prohibitive hardware and software costs, or the known lax security procedures at MSFT?
09f911029d74e35bd84156c5635688c0
The article makes great mention of "attacks" but fails to mention what an "attack" actually consists of.
For example: they say Windows XP SP2 got attacked 16 times.
Does that mean it got port scanned 16 times? It can't, as I'm sure it got port scanned many more times than that.
or
Does that mean it got infected 16 times? It can't because they said it survived all attacks.
So what on earth were these attacks?
Congratulations on your narrow-minded, immature, emotional "M$ is the Devil" reaction. The reverse FUD is working....really. In the meantime, I'll just continue running a Windows network the way it should be run and not lose any sleep over it. So will most other business networks. And so will the workers who want to use the same thing at home that they use at work. All the talk about Windows being insecure out of the box for the home user is now past tense as of SP2. Soon enough, it'll be another outdated argument right up there with "Windows is unstable" and "What about backward compatibility with DOS apps? They can't force users to upgrade!"
If the developers of other OSes want to battle with MS for market share, they should focus on developing the product and deliver all the new features that people feel are worth paying for in the latest version of Windows. While they stand around shouting about a particular advantage, Microsoft is moving to take that away while creating many more advantages of their own.
-Lucas
The Blaster and Sasser worms, for example, make no attempt at reconnaissance. They simply blast TCP connections to IP addresses chosen at random. In theory, they have exactly as many chances of attacking the XP/SP1 box as the XP/SP2 box, or for that matter the Mac or any of the Linux boxes. The attack is much more likely to be successful on the SP1 box, but that does not mean the other computers were not attacked.
So, what did they actually count? What do those numbers mean?
Putting up a box with an almost 4-year-old unpatched OS is stupid and should not have been included in the test. To include the original XP and not, let's say, RedHat 7 for example shows a bit of a skewed result.
I guarantee you there are millions of Windows XP SP1 machines on the 'net right now. How many RedHat 7s are out there? Not so many. First off, Linux is much less common in general, and second, Linux is much more likely to be administered by professionals, and thus properly patched.
So sorry, to NOT include Windows XP SP1 would have been the stupid thing to do.
It would have been interesting to see what would happen to an older Linux distro, but it would have been trivia compared to what happens to SP1. I'm actually surprised they included any non-Windows OSs at all, though.
-- Hello_World.c: 17 Errors, 31 Warnings
Last time I did it it was 43:8 SP2:XP.
However, let's just say you give default installs of XP SP2 and your choice of recent Linux distro to two equally "non-technical-unable-to-think-run-every-exe-attachment" users to do with them their usual stuff. Guess which machine will be compromised (virus, spyware, worm, root, whatever) first. I'll call any bet you put down. You?
Which big hosting providers would that be? Are they unable to lock down their own PCs? If you're a hosting provider, you lock yourself out of IIS for one of two reasons: price too high, or your customers don't need it. There are many solutions that need IIS to run on, and from what I've seen, the hosting prices for Windows web solutions (IIS, ASP.NET, ASP, SQL Server etc.) are much higher, sometimes even double the price of the Unix equivalents.
did you forget to take your meds?
I have no firewall, or router. I'm running XP SP1. And I've never had a single problem (my virus scanner hasn't even had to do any work . . . and I have open shares, including an upload folder!).
By conventional logic, my box should be dead by now. Especially since I keep it on nearly 24/7, connected up to teh intarweb. Go ahead and say I'm just lucky, but I think that if you just have a computer reasonably configured, the over-the-top security that most people think is necessary . . . well, it isn't. I do update with security patches often, and that's about as far along as I go with conventional means of protection.
So what's the secret, then? I don't entirely know; I think it must be a lot of little things combining. Partially, I think things aren't quite as horribly insecure as people think; just that when they are, and they often are by default, things go so horribly wrong that it colours one's perspective on the issue. The other thing is, I don't use any Microsoft products other than Windows itself, really. Third-party chat, Eudora for e-mail, Firefox and Opera for browsing, WordPerfect and OpenOffice for all the office-style needs, etc etc. True, that isn't at all what the original article is talking about, but I'm hardly the first to deviate from topic here.
I remember sigs. Oh, a simpler time!
I'm absolutely not surprised that up-to-date systems survive current attacks. I'd even expect that from the vendor/distributor.
My personal experience is that it is virtually impossible to install Windows XP today on a system that is connected to the internet. You don't even have the chance to install SP2 fast enough. The article confirms this with its SP1 experiment (it survived 18 minutes).
In contrast, I'd expect any of the Linux distributions to survive way longer unpatched than Windows does. The distros I've seen (SuSE, Gentoo) have turned any useless service off on a default install for years (I wonder about /. readers that tell something different for Fedora). And I think you can safely do a default install on these systems and then pull your patches from the internet.
The behavior of a not exactly up-to-date system would give much more insight into the overall security of an operating system. The authors tested Windows XP SP1. But what about outdated Linux distributions?
A few, say, one or two year old Linux distros would have been a very interesting contrast to the authors' SP1 experience.
Lucas,
That's great that you keep your Windows ship running rightly. I work in IT and we have a 1200 Workstation/30+ server/5 site Windows network with a few *nix boxes here and there. We do SUS, AV, deploy apps via group policy - the whole nine yards - a model windows shop if you ask me, but that doesn't take away from the fact that most Windows admins don't know a *damn* thing about computer/network security.
Let me ask you a question...do you run your computer as a local admin at work? A domain admin? Don't lie! I bet 90% of Windows admins happily run their boxes as domain admins at work. It's just too much trouble for them to shift-click and do a "run as" (or worse, they don't even *know about* "run as") when they want to open up ADUC.
Four years ago, our Exchange 5.5 server suddenly stopped responding. I went in to take a look and it was throwing all kinds of crazy error messages that I had never seen before. I did a virus scan on it and discovered that it was infected with the Klez virus.
Every executable on the machine (thousands of them) was infected. This was our f******g first in site Exchange server for Christ's sake! After hours of researching the virus, and scanning over and over again, I managed to clean the entire server. After getting it clean, tons of executables on the system that had been 'cleaned' were corrupted. I had to reinstall exchange 5.5. It was a nightmare.
Wanna guess how our first in-site Exchange 5.5 server got infected with the Klez virus? Our f******g Exchange admin installed Outlook 97 on it and was using it to test out new email accounts while logged on as a domain admin account! Unf*****gbelievable!!!! He had like 20 drives mapped while he was doing it, and he ended up infecting 3 other servers in the process.
After that I went to our boss, and told her what happened. I demanded that she make everyone who had privileged accounts create new accounts for themselves and start logging onto their machines as regular domain user accounts. After that I felt like the geeky hall monitor everyone hated, walking around asking my coworkers - you're not logged on as an admin, are you? They ALL resisted this, but finally I got them to start practicing sane computing.
I've met MANY other Windows admins that are the same way. They just don't understand security. We can thank the MCSE boot camps from the 90's for this. They turned out millions of monkeys, who now run many of our nation's Windows networks.
The only way Microsoft can fix this is by putting the smack down on their users, and locking things up tight by default. They also need to make things EASIER to do for the home user. As far as ease of use goes, they need MUCH more separation between their home/pro products.
As far as locking things down, they are starting to do the right thing with XP SP2 and Server 2003. Another thing they have done that is excellent is revise ALL of their official curriculum to where lab exercises are done while logged on as a regular user with the "Run as" command. Hopefully the MCSE monkeys from the 90's will slowly be weeded out, and things will get better on the corporate front. I am sent to Microsoft training from time to time, and the overall security awareness of the people I train with has *slowly* gotten better over the last couple of years.
Anyhow, just because your network is clean doesn't take away from the fact that many corporate networks aren't and even more home Windows boxes aren't.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
While that wasn't a serious post (or at least I hope not), I'll try and offer a true argument in this vein:
Hula. You know it. You love it. It's installed on your PC right now. Did you audit the code? No. Did you install it as someone other than root? No.
You have it sitting there, since it's not packaged yet, as a daemon, which is running as root, in /usr.
Totally safe!
(Before we go further, this is true of any software package. Hula's just been popular lately and thus helps to underline the point more clearly. I do not believe Hula is evil spyware, nor that anyone involved with it is now, nor has been, a member of the communist party.)
Except if it were spyware it could have written over who-knows-what and now is sending each shell command and bit of network activity to whomever. And it's root. So we've now a root server running on port 80 which has not been audited. Thank God sendmail taught us all our lesson, right?
Linux is no safer than any other OS at the moment. Hell, if we look at the fact that strlcat/cpy have been turned down for inclusion multiple times to the GNU libc because it would be "slower" when preventing a buffer vuln, if anything it's getting worse, and will continue down that slope.
It's as if we've forgotten all we know, and we're ignoring those who try to remind us.
If normal users understood that direct connections to the net were bad, they'd all buy routers, they'd consider firewalls, probably ones configured to block all but MSN, E-mail and web access, and we'd live in a considerably more worm free world.
I think you are giving many users far too much credit. 90% of the cases where I have to deal with customers who have misconfigured their mail server as a spam relay, I get a response similar to "Yeah, I know that's really insecure and lets spammers use it, but it was [easier to set up]/[only going to be like that for a few weeks]/[not as if I was telling the spammers the open relay was there]" (delete as appropriate).
The point is that these people *knew* that what they were doing was really stupid, but were doing it anyway because they couldn't be bothered to be secure. Of course it always comes back to bite them in the ass when their server falls over with several million spams in the mail relay queue and a completely saturated ADSL connection.
http://blog.nexusuk.org
Of course reading is very difficult and all.. but still..
The fact is that they were testing what people are using TODAY, not what shops should be selling and people might be using in the future.
With regards to SP1, the following quote from the article seems somewhat relevant:
So, while you are right that people should be running SP2 if they use Windows at all, many people are not doing so, and are extremely unlikely to start doing so in a reasonable amount of time. Hence looking at what a substantial part of the users is running is a very good idea. With regards to this, Win2k SP4 should have been tested as well.
Yeah, I would say that the comments from MS themselves are pretty damning there - that they would expect an OS they were selling 2 months ago to be completely riddled with holes to the point that it's cracked within 18 minutes of being connected.
The ability to exploit it within 18 minutes isn't a function of how many vulnerabilities Windows XP has. It's a function of a huge number of systems continually trying to exploit two known vulnerabilities. If Linux had the same number of systems trying to exploit two of its known vulnerabilities it would probably have a similar infection time.
I think you're missing the point
I think it is you who are missing the point.
if I don't apply updates to a machine for 2 months I don't expect it to suddenly be *that* vulnerable to attack,
It's not *that* vulnerable. If you've applied all the latest patches except those from the past two months pre-SP2 versions of XP would not have succumbed to the two worms mentioned in the article.
Blaster was first discovered 8/11/2003. The patch for the vulnerability that Blaster exploits was released on 7/16/2003.
Sasser was first discovered 4/30/2004. The patch for the vulnerability that Sasser exploits was released on 4/13/2004.
Now I don't know about how they calculate time in your world but in this world both of those are easily more than two months old.
In addition XP SP1 became out of date the moment that XP SP2 was released. The fact that pre-SP2 versions were still being sold up until a couple of months ago doesn't mean that SP1 was out of date. Thus SP1 has been out of date since August 2004...over six months ago. People need to accept that Windows XP SP2 is the current version of Windows. If you're going to discuss the current state of Windows' security you'll have to use it as the reference point. Anything else is being disingenuous.
I still say, you buy an OS, you pull down the latest updates
Yeah, doesn't help when you get cracked whilst pulling down the updates though, does it? (Yes, yes, I know you can ask MS for an SP2 CD but really, shouldn't that be bundled with the OS, even if it's just a CD taped to the outside of the box?)
I thought XP tried to during install anyway?
Doesn't help if you're on a pay-per-minute dialup connection.
http://blog.nexusuk.org