Slashdot Mirror
Is Your OS Tough Enough?
LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
If you build it, they will come.
Lorem ipsum dolor sit amet
This news isn't news. What's news is this news is in the news!
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I'm not that surprised, but Windows was the least secure. It should be noted that XP SP2 was installed and then the updates were applied "automatically" while none of the UNIX-ish systems had updates installed, just what came on the CDs. I know, competent admins can make any machine secure, but I wonder how MS can sleep at night knowing that their users are at such a high risk, even if they don't DO anything.
Look at all of the software and services running on a modern linux distro - FC3 for example. I have spent a great deal of time shutting off everything I really don't need and erasing piles of useless rpms installed by the distro (its 2005 - I don't need talk). Any software you don't use or services you do not need are just potential security holes.
Just because people can knock on every door doesn't mean that every door is as insecure as the next. You can knock on every door in a neighborhood, but some will be better constructed and have more secure locks. Still, none prevent one from knocking.
If they're only tracking ping/scan attempts, there is no reason to even include mac/linux in this.
These results mirror what I typically see on my workstation. I run a couple of websites on my workstation including our laboratory website, and my blog. Logs are monitored constantly with a nice tool called mkconsole that displays the logs transparently on my desktop. Several times a week, there is an attack. Most however are either scripted or fairly primitive, although last week there was a sophisticated attack that that bounced through a compromised Windows machine on campus. We tracked it back to an AOL user on the East coast and reported his IP address to the sysadmins. They sent an email back to me letting me know that they would follow it up. I've not heard anything else since, but in addition to using a more secure OS, one should also maintain a vigilance of your systems to help keep things under control and if you do use Windows, PLEASE keep it patched with recent security releases.
The truth is that if somebody really does want to get into your system, it can happen. In addition to using a secure OS and keeping the security updates current, securing physical access is your next line of defense.
Visit Jonesblog and say hello.
I don't think end users can be trusted to protect their computers. At a minimum, providers of Cable and DSL should make customers use modems with built-in NAT/firewall.
I got stuck in the self-checkout line at Walmart once, behind a lady who had this same problem.
"He who throws mud, loses ground." - proverb
TFA tells us that Windows XP SP2 is more secure than Windows XP SP1 (unbelievable!!) and that there are fewer attackers targeting Linux and MacOS than Windows (hmmm - I wonder why ?).
Very thought provoking and innovative information indeed.
" But in the end, none of the attacks were successful."
So... Let's see how many people don't read the article and begin ranking on windows. Startttttinnnng NOW
Unpatched Windows: Bad.
Patched Windows, Mac, Linux: Good.
Point? We already hear how much worse security Windows has multiple times a day. This doesn't even say it outright...
The real thing I gained from the article is the fact that there are still an immense number of infected computers out there, and this brings me to the question: where? How many people could there possibly be out there whose computers are being run by various exploits? We already know that they're all thanks to people that suck at patching their machines, and I find that to be a much larger problem than the security of a fully patched OS.
webpage
Turn. Off. Unused. Services.
The most hilarious thing to me when someone gets hacked is looking at their box and a simple nmap shows every port under gods lcd monitor open.
Is not life a hundred times too short for us to bore ourselves? -Friedrich Wilhelm Nietzsche
From what I remember in Tron, this visually looks very cool. Digital warriors fighting on a neon grid, etc.
I'm pretty stumped, though. I tried to get my box pwned eight times, just to see the digital battle. I thought at the least Norton Antivirus would sent a digital probe destroyer bot out to eradicate the trojans. But all that happened was my computer got really slow, and pop-ups kept showing up, advertising herbal virility pills for men.
Come to think of it, Hollywood movies never seem to match up with what my computer does. That's it, I'm going to stop believing them movies and start reading Wikipedia instead.
"SP 1 is not a current operating system," said Sundwall. "It doesn't surprise me that it only took 18 minutes to get infected."
Ah, but would it have surprised him when it was still current? ISTR that back then, the time was a far more robust 20 minutes.
Registering accounts later than some other chrisb since 1997
According the article, no one was all that surprised Win XP SP 1 went down in 18 minutes. After all, it is not up to date... it is essentially an old OS, right? So this is expected, right? Old OSs should be broken into, right? And then we have OS X 10.2, aka, Jaguar. No successful attacks. Older OS, check. Not up to date with all the latest security features that are in Panther, check. And not one successful attack. One company makes on OS that still stands after two and a half years... one company makes an OS that only stands after a major major major patch and constant updates that sometimes break software. Now, which company's OS would I choose to build a secure network? Sure, it's a flawed argument, but still I think worth noting.
First of all, you should be behind a firewall that disallows incoming connections to almost everything. Even if you're not, FC3 has a kernel firewall enabled that blocks just about everything.
As for the packages, who cares if they're just sitting on your HD taking up space?
For a server machine "outside the wall" it's important to keep things as lean as possible. But for your desktop machine, who cares?
My other first post is car post.
OK, running P2P software is a slight hassle, but it isn't that hard to expose ports on a case-by-case basis. Certainly a lot simpler than fucking around with firewall softare.
Since a good firmware-based router costs less than a full suite of security software, this is a no-brainer.
Of course, it doesn't work with the "Spirit of the Internet" that says that every system on the net can provide services to or use services from any other system. But you know what? That "spirit" is long gone -- it only worked when the Internet was an academic toy.
Microsoft might have something with Windows Longhorn, since the entire API outside of the kernel will be written in C# completely sandboxed in a CLR, much like Java.
Combined with a monolithic auto-update system, Microsoft has no intentions of repeating the problems of Windows 2000/XP when they release Longhorn, much like they had no intention of repeating the problems of stability they had with Windows 95/98/ME when they designed Windows 2000/XP. For as much as they do, they mostly won with stability in 2000/XP, and they could win again, despite their market share, by sacrificing RAM (480MB commit charge, 1GB recommended) and processing power by implementing the .NET framework for their entire API.
I honestly hope open source has something to compete for their future desktop environments, or else desktop Linux could be relegated to processors too slow to deal with the overhead.
- - - - - Fear not the reaper, but my shiny white teeth.
From TFA: "Experts say spyware programs are also necessary for Windows users. Microsoft is offering a free beta version of its spyware program at www.microsoft.com/athome , and Webroot is offering its spyware program free to Colorado residents through April 15 at www.webroot.com Free spyware programs are available at www.download.com"
Of course Claria/Gator is also offering a free version of their spyware program, and it's not beta - it's an official, stable release, available to users from all over the world, and with no date limits!!
There are also other known spyware providers out there, all you have to do is to search the web for some pr0n and warez, and there you go.
Articulos para gente geek: Poleras, linux, libros y mas
If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place?
IIS vs. Apache seems to deny this conclusion.
Agreed, for instance, the default configs with FreeBSD 5.x are so secure, you can't even send mail from your own system. You can send between users, but that's it, no relays, no outbound of any kind. Of course, it would be nice if people who only need one element of sendmail (sending mail, not receiving it) would realize that a full-featured mailer daemon is overkill, and an invitation for problems. If all you need is something that can send alerts (like from your non-mail servers), use something like sSMTP, a sendmail workalike that can only send mail through your real mail server (even outside accounts, it can handle servers that require authentication). Don't blame sendmail for giving you a headache on 50 systems, when you should never have turned it on in the first place.
--That's the point of being root, you can do anything you want, even if it's stupid.
If you're gonna put your system on a direct connection to the internet, you should use a secure operating system. And implicitly, if you want that operating system to go more than 2 months between r007ings, you should lock it down.
Nothing us geeks don't already know. Anyway, I can belive 6 systems got attacked 40 thousand times in one week. I check my own system logs often enough, and there's usually some inbound packet on a disallowed port dropped every 10 to 40 minutes. Usually two or more attempts or blocks of attempts to login via ssh every day. Probably 10+ malformed GETs a day in the Apache logs. And this is my little residential gateway that gets about 4 legitimate hits to it's Apache server (which I'm not supposed to run) per day. That's about 250 attacks per week per server, or close to 1500 for 6. Take a website with non-trivial traffic, and it's easy to reach 40K/week. Since I'm pretty sure that DenverPost.com gets more than 25x my traffic, I'm suprised it was only 40K.
Other than saying that a lot of shit flies around the internet, the article was very skimpy on details. Not suprising, since an article that explains what a 'worm' and a 'virus' is is obviously not aimed at 1337 geeks. But it would have been nice to know what's installed on them.
For example, was it a full server install of Linux? (CUPS, httpd, ftpd, ntp, ssh, sendmail, etc?) Or just a minimal install with no server software installed a la home Windows? Quite a difference. How long would either of the Windows machines have lasted if they'd had Microsoft's server software installed too? Check secunia.com for Windows XP home, IIS 6, or SQL Server - It seems that ~1/4 of the known security holes in Microsoft's software are always unpatched. Contrast that with Apache, proftpd, Mysql 4, cups, OpenSSH, and Sendmail, which on Secunia currently share 10 vunerabilities between them all (9 of them 1/ or 2/5 for severity, and one 3). Of the 3 tested Linux OSes, Red Hat 9 has one not-critical vunerability listed.
It is certainly possible to make a Windows server or desktop reasonably secure, but compared to comparably securing a Linux server or desktop, would seem to require a monumental effort. And it's not just that Linux is more configurable - The FOSS community (judging by open holes) has done a far better job patching their software than MS.
Well, off to overdose on the Numa Numa Dance...
Don't forget that their idea of being "attacked" included regular-old port scans and pings. Looks like they they just plum configured the network badly...
Or it means that RH9 wasn't logging portscans and pings... which, AFIK, it didn't do with any of the default firewalls. It is only newer distros that log potentially malicious traffic.
I drink to make other people interesting!
You are anonymous, and most likely you are attempting to troll. I probably should not have bitten but what can I say, it gave me the chance to rant a bit.
Story about the firewall not blocking Windows shares. I think Slashdot carried this story a long time ago as well. Do not get me wrong, the firewall and steps in SP2 are a nice step, but they simply are not enough at this point. Unless the user is actively involved, no default Windows setup will be enough.
Ok, I'm responding to an ac, but oh well -
Which OS is propagating the viruses/trojans/malware?
Windows.
Which OS does it infect?
Windows.
Yes, other oses were attacked - [by windows zombies] - but not compromised, in fact there are very limited examples of exploits propagating through other oses aside from windows [I can find 7 linux viruses, all of which do not propagate nor are effective to any measurable extent].
It is likely in the future that one may find a way to compromise a linux/mac in the same way, but that day has yet to come.
And that is why we question findings that windows is more secure than linux. It is GLARINGLY obvious that this is untrue to anyone sane.
ymmv
The article makes great mention of "attacks" but fails to mention what an "attack" actually consists of.
For example: they say Windows XP SP2 got attacked 16 times.
Does that mean it got port scanned 16 times? It can't as i'm sure it got port scanned many more times than that.
or
Does that mean it got infected 16 times? It can't because they said it survived all attacks.
So what on earth were these attacks?
The data collected was interesting, in that it did show that admins were way too lazy and complacent. However, the resolution of the information presented was too low to actually do anything useful.
This is much the same. It is interesting, it does show the perils of negligence, but there are way too many variables and unknowns for this to be actually useful in preventing attacks.
Did attacks vary with time? Did attackers fingerprint the OS' and then target Windows (explaining why there were fewer attacks on other systems) or did they target all machines equally but with attacks assuming a Windows OS?
How were attacks counted? By what measure was something deemed an attack, as opposed to something accidental or incidental? (Broadcasts happen, guys, especially on something like cable where you've a shared line.)
For that matter, was this using a shared line or something dedicated? What was the bandwidth used? Would the stats have differed, if there had been a greater capacity to handle the traffic?
Although we're told this just dealt with machines "connected to the Internet" and not going to websites, that is not strictly the case. The Windows boxes did auto-updates, which means that they had transmitted data. If it was a shared line, or if there was a hacked machine en-route, the Windows boxes would have been visible and identifiable as Windows machines. The Linux boxes, transmitting nothing, would be much stealthier and therefore only prone to genuinely random scans.
In consequence, what can we really conclude from this test? I would say nothing, unless it was re-run with Linux simulating calls to the Windows update system at Microsoft.
If we saw an explosion of attacks, as a result, then we can argue that it is not Windows that attracts the assaults but the patching mechanism.
There is a lot that COULD be learned, through rigorous controlled tests, but as this was neither rigorous nor controlled, I don't see that we learn anything other than the world isn't 100% safe. If the researchers didn't know that beforehand, I pity the researchers.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
While I agree that it might have been instructive to include, say, RedHat 7 in the lineup, security of original XP is still an important consideration. First, to hear MS at the time, XP-SP1 should have been more solid then and should be more solid now. But far more importantly, we see how vital it is to fully patch your XP system before connecting it to the internet. And where do I get those patches from? Oops...
The catch-22 is that time-to-infection is much shorter than time-to-patch for Windows XP, even with a contemporary internet connection. If you don't have SP2 media, and don't have some other means of (manually) acquiring the latest patches, you're dead in the water. Yes, there are workarounds; you can install some ice of your own before you connect, for that matter, but that obviates all the really neat security features of SP2 with a 3rd-party solution. "Not the solution he had in mind..."
Admittedly, part of this is due to the fact that Windows is "productized", i.e. you have a box containing Windows and you can add patches. With Linux operating systems I think there's a lot more sensitivity to versioning and awareness of granularity; you aren't working on this monolithic thing in need of repair but on a collection of components which can be individually upgraded. Partly psychological, yes, but you also have the advantage of simply leaving out "risky" components until you can get everything up to date. You can run a Linux OS with no services, nothing particularly visible except the interface you're downloading updates through. That's not an option with Windows.
"There are hundreds of game theorists at the gates, sir, and they want to hold an election!"
I have no firewall, or router. I'm running XP SP1. And I've never had a single problem (my virus scanner hasn't even had to do any work . . . and I have open shares, including an upload folder!).
By conventional logic, my box should be dead by now. Especially since I keep it on nearly 24/7, connected up to teh intarweb. Go ahead and say I'm just lucky, but I think that if you just have a computer reasonably configured, the over-the-top security that most people think is necessary . . . well, it isn't. I do update with security patches often, and that's about as far along as I go with conventional means of protection.
So what's the secret, then? I don't entirely know, I think it must be alot of little things combining. Partially, I think things aren't quite as horribly insecure as people think; just that when they are, and they often are by default, things go so horribly wrong that it colours one's perspective on the issue. The other thing is, I don't use any Microsoft products other than Windows itself, really. Third-party chat, Eudora for e-mail, Firefox and Opera for browsing, WordPerfect and OpenOffice for all the office-style needs, etc etc. True, that isn't at all what the original article is talking about, but I'm hardly the first to deviate from topic here.
I remember sigs. Oh, a simpler time!
I agree that this is a secure thing. The problem is, nowhere does it tell a novice user that you should enable the firewall, connect to the net then, download patches, then you're secure
The problem with the security is not that the machine can never be made secure, but that it starts out as a terribly insecure product. This is a problem. Most users are out of the box users. They have no understanding, so they don't know about the firewal etc.. They're told by MS that for security they need to patch using windows update. The point above is that this isn't actually that secure, and while this is happening a compromise can take place.
The main issue here is the slack standards Microsoft use to get their products out the door, and their trade off of complexity to security. They are scared of treating their customers with intelligence, and educating them correctly about the actual process of securing and methods of attack (not necessarily at too technical a level) so good practices are used. For fear of confusing the users the XP SP1 firewall is off, and it's not the only software that has all the security off by default.
If normal users understood that direct connections to the net were bad, they'd all buy routers, they'd consider firewalls, probably ones configured to block all but MSN, E-mail and web access, and we'd live in a considerably more worm free world.
The OS may be securable, but it is not secure by default!. That is the problem, because most users don't do anything but the default (hence Explorer's 90% market share)
If normal users understood that direct connections to the net were bad, they'd all buy routers, they'd consider firewalls, probably ones configured to block all but MSN, E-mail and web access, and we'd live in a considerably more worm free world.
I think you are giving many users far too much credit. 90% of the cases where I have to deal with customers who have misconfigured their mail server as a spam relay, I get a response similar to "Yeah, I know that's really insecure and lets spammers use it, but it was [easier to set up]/[only going to be like that for a few weeks]/[not as if I was telling the spammers the open relay was there]" (delete as appropriate).
The point is that these people *knew* that what they were doing was really stupid, but were doing it anyway because they couldn't be bothered to be secure. Of course it always comes back to bite them in the ass when their server falls over with several million spams in the mail relay queue and a completely saturated ADSL connection.
http://blog.nexusuk.org