Linux and Windows Security Neck and Neck
Linurati writes "According to vnunet.com, Linux and Windows are neck and neck when it comes to security, but 'misleading figures and surveys are muddying the waters.' The article lays blame on both sides for the misleading information." From the article: "...Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
"Nothing to see here ... move along"
Now THAT'S security for you!
It's no longer better, it's now just as good.
Funny, last month people told me it was better. The only quote in the article talks about linux' advantages. Erm. Something's missing.
My little site.
The Pinto dealer down the block said that they have added a couple of air bags on the passenger side doors to get it at par with a Volvo. Coincidence?
Free XBox, PS2
I think there are two main factions here, and the answer for what constitutes better security has slightly different context with significantly different results.
For all of these people their machines are ticking time bombs, and I'm usually the one who gets the call when their world of computer technology explodes. This by itself is reason enough to consider other technologies where by default they are secure. For example, Apple does a good job (not perfect) of making their machines secure... I won't go into great depth -- I'm not a heavy Mac user.
Also, linux by default comes out of the box with decent security. Even if users do try to just use, e.g., KDE as root only, they (as I recall) have to fight off the big red screen background, kind of like the enunciator lights and bells in cars when you don't fasten your seat belts.
So, in the lay community, though Windows carries the popular vote, I think linux out of the box is by far the more secure and safe way to go.
Security in Windows itself had definitely improved over the last few years. But almost all of the current and recent vulnerabilities have somehow been related to IE.
Not using IE and using Firefox instead almost completely secures an up-to-date Windows box. Get rid of IE, get rid of 90% of Windows' security problems.
Maybe for servers, but not home users. When was the last time you saw a home Linux machine 0wn3d?
(Granted, most people who use Linux at home are knowledgeable enough to keep even a Windows machine safe.)
"the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
I'd say this is precisely the other way around. More users equals bigger target and more potential fuck-ups.
Natalie Portman and Kathy Bates neck and neck when it comes to hotness.
May or may not be true, but it would be nice if I could run as LUA under Windows without having to jump through a bunch of hoops. I'm not talking about 3rd party apps, I'm talking about explorer.exe. There are a lot of little quirks and workarounds you have to deal with, although it's not impossible. It's clear that even XP was not designed with this in mind. Longhorn should do a better job of it. How good remains to be seen. That said, as a semi-experienced Linux user, I still have no idea if I am really safe under Linux. Maybe that's because I have not put much effort into it.
When are we going to see independently funded research studies that will, without bias, give us realistic statistics that will benefit intelligent buying decisions for the general public when debating over classic "windows v linux" implementation?
They are taking security vuln's for redhat EL 3, or suse 9.1, and comparing them to MS Windows. That is not fair. Now if they compared them to Windows, Office, sharepoint, IIS, Office, Project, all Microsoft games, SQL server, etc.. then it would probably be a little more fair. Linux DISTRIBUTIONS are a little more than an OPERATING SYSTEM.
What are we going to do tonight Brain?
This is just gonna generate one or two flame threads, and a multitude of threads of people agreeing with one another about why Linux > OMGMICRO$UX0R!!!!
The sad part is that this very message is probably going to get repeated several times.
yawn...
Generally, bash is superior to python in those environments where python is not installed.
When you say "out of the box," do you mean if you buy a retail copy and install it, or if you buy a new system with it preinstalled? Most end-users don't upgrade except when buying a new system.
Are the major PC sellers shipping unpatched XP systems? If so, aren't they liable?
Sex with someone with horrible burning VD is just as safe as sex with someone who doesn't have VD... as long as you apply a symantec branded condom and use critical update cream liberally.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
Look out! All the slashdotters will have a heart attack reading this one, and miss the point which was: (from the article)
"My hunch would be that Linux still has the edge but it's difficult to tell with all this misleading information being pumped out."
FUD is FUD, and it's being given by both sides. It happened in the C64 vs Mac, Mac vs PC, Nintendo VS Sega, XBOX vs PS2 wars, and will continue to happen in everything where nerds are involved.
Those wars are the nerd's answer to the woman-staffed clothes store. (If you don't get that one, go spend 1 hour in there while your girlfriend shops, and listen to the salesladies dispute who got the sale. Sounds like a Linux vs Windoze Slashdot thread.)
They have a herd of poorly paid but diligent slaves (a.k.a. graduate students studying for a Ph.D.). They do excellent work in voluminous quantities and would surely produce an accurate analysis of Linux versus Windows.
Didn't I read about Windows and 12 min of safe time before trouble hits.. Beyond that.. I could have sworn the problem with Windows becoming a secure OS was the fact that it was not Open.. thus nobody can tell if it is secure or not. Correct me if I'm wrong but the advantage to open source is the barrage of people out there who can see errors and report and patch... Windows is more of a trial and error process for security... which by definition is just not secure...
Losers whine about their best, Winners go home to fuck the prom queen
when my windows box guys gets owned 20 minutes after an install and when ie installs spyware on my parents computer, and my redhat fedora box has been on for 1 year with no problems, i don't think there is a comparison. this article is from someone who doesn't use linux so it's fine he is ignorant but the fact it made it on slashdot is flamebait
Where are the proactive security systems for Windows? Sure, Windows by default has a fairly rigorous ACL system by default (at least in comparison to classical Linux ACL's), but trying to measure the security of a system solely on how many exploitable bugs it has is just a poor measurement method. With projects like SELinux, GRSecurity, Pax, different implementations of active bounds checkers as well as stack smashers, and good implementations like Hardened Gentoo (Debian has a hardened project but I haven't tried it) I don't particularly see how Windows has a chance in hell.
I don't know of any person with a Windows box who will hand out an admin account, but there are Gentoo Hardened devs who hand out root on their SELinux test rigs. Why? Because the system is secure enough to hand out root.
Clicky for printer-friendly version. It will probably try to print the page as well.
PS The 'perma-link' option does not appear to work yet.
I want to drag this out as long as possible. Bring me my protractor.
"...Microsoft had made real progress on security in the past two years..."
Yeah, that's real believable considering Microsoft is holding hands with Claria...
--
Check out the Uncyclopedia.org
The only wiki source for politically incorrect non-information about things like Kitten Huffing and Pong! the Movie !
Please allow me to hate the creator of the 120-character limit: *HATES*. Thank you.
I hate these studies. Saying Linux isn't secure is like saying that fruit isn't red... it depends on what you're looking at. Are we talking about kernels? GNU tools? Common server software?
More importantly, which distribution? Windows comes with f*cking notepad and Solitaire. Linux distributions typically come with an order of magnitude more applications.
I'm on the Gentoo Security Mailing List. I get a few messages each day about vulnerabilities in software. Is each of these a ding on Linux? No, certainly not... it's a piece of software that happens to be available via portage.
If they want to be fair, then every ding on every Windows application counts against Windows.
More importantly, why the hell does every one of these boneheaded articles make it on the front page of Slashdot? Just helps spread the FUD.
Right. Whatever you say. Windows is JUST as secure as Linux.
I don't think it's that far from the truth, really. It's like painting.. it's the artist, not the brush. A competent system administrator can secure Windows and keep it secure, just as with Linux. An incompetent sysadmin will fail with both.
Of course, it could be said Windows makes it easier to be incompetent.
Girlfriend? Have you wandered onto slashdot by mistake? This site isn't for you, trust me ...
The figures mentioned by the hosting company seem to indicate that the discussion is focused on Windows security on the server side, where it is fairly true that Windows can be about as secure as Linux when both are competently managed. In both cases, there will be someone who knows about the systems taking care of them and ensuring that they're properly patched, firewalled, etc. I personally find managing Linux boxes easier, but Windows can be kept secure as a server.
Where Windows still falls down security-wise is on the desktop, where the combination of a vulnerable browser/Office Suite along with the fact that the de facto standard way for desktop users to set up their accounts is with administrator privileges. That turns what would be a non-existent threat on the server (you shouldn't be doing general surfing or office work on a server) into a major issue. Microsoft has made feeble attempts to encourage users and developers to use limited accounts, but the fact remains that reconfiguring poorly written software to work in a limited account is a major headache that the average desktop user is not willing to put up with.
Microsoft also falls behind [most] Linux systems in that the majority of the software on a Linux box can typically be updated from a single tool (apt-get, yast, urpmi et al) while Windows Update only covers the core OS. Microsoft does have a better system in the works, but that will still only cover MS software.
the guy says "Engates added that his company manages 13,000 servers, roughly half of which are open source and half Microsoft. He claims to see little difference between the security on either platform."
Ya so windows servers are about as secure as linux servers, which is about right if you have an experienced admin that knows what he/she is doing
windows is not secure by default for a typical end user that doesn't know much about security there is no argument
WinXP is still a sitting duck out of the box.
I'm not sure what Microsoft is shipping in its Windows XP boxes anymore, not having ever purchased a retail version of it. However, if you're buying a PC preloaded with Windows, you are almost certain to find SP2 already installed. SP2 fixes a raft of security holes, turns on automatic updates, and, as a bonus, turns on the firewall that was (by default) off on XP RTM and XP SP1.
I'd wager that the vast, overwhelming majority of (legal) Windows XP installations came on machines preloaded with Windows. Given that, your fears of "unpatched" boxes being loaded today seems a bit of an exaggeration.
The biggest security threat these days is users opening worm-laden attachments, despite mountains of FAQ's, instructions, README.TXT, co-worker horror stories, and other forms of documentation, all warning of the dire implications of opening up that oh-so-inviting attachment claiming to have pictures of Paris Hilton's hoo-ha.
The biggest threat to security these days isn't in the OS anymore, it's mounted between the keyboard and the chair. In this respect, Linux (or any *nix for that matter) can be considered more secure than Windows, but only until a competent administrator restricts local users to non-admin-equivalent accounts. Then things rapidly return to something amazingly close to equality.
The corollary would be to give root-level privileges to common users and see how long the vaunted *nix security model holds up. Hint: it isn't nearly as long as we'd like. You're just one shell-script attachment away from disaster when a user gets an email instructing them to save the attachment off, chmod +x it, and execute it, not knowing it contains the ever-useful "rm -rf" command inside. You don't believe that a user would actually do something so stupid as to execute commands outlined in an email body? What have you been smoking lately...of course they would. If *nix ever became as ubiquitous as Windows is now, it would assuredly happen, I'll set my watch and warrant on it.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
ROFLMAOCOPTER!
The whole "windows gets infected more because more people are targeting it" argument doesn't hold up - otherwise, apache would have more security problems than IIS.
feh. stuff.
If you spend any time at Secunia, you will find all of the leading Operating Systems listed.
One of the things you will notice, is that not all Operating Systems are created equally.
Windows XP is here
http://secunia.com/product/22/
and Redhat 9 is here
http://secunia.com/product/1343/
With the biggest difference being in HOW CRITICAL THE SECURITY DEFECTS ARE and HOW MANY ARE STILL UNPATCHED
Funny, that...
Windows and Linux neck and neck? Not according to these numbers.
--E--
I use Linux on a daily basis for Desktop and server use, and since I'm not a security expert.. I often wonder how the entire process of awareness of exploits and the patching of packages happens. Could someone explain this to me?
Who is the trusted authority?
I'm not the type of guy to bash Microsoft, but I must say I was quite surprised when spyware of some sort infected IE on a fresh and updated install of WinXP. www.google.com was redirected to another site offering spyware removal (What a joke)
you should also remember to evaluate the strength to viruses, not only the number of local/remote root exploits!
Wondering why i am doing so strange posts? I am trying to get a "+5,Flamebait" or "-1,Insightful" rating.
http://science.slashdot.org/article.pl?sid=05/07/13/2255243
Studies show that there is a one in three chance this is BS, and a 100% chance we'll see this article written over and over again in the favor of one or the other. The difference is, the Microsoft are usually the only ones to write articles in which they look better than linux. Perhaps things really are changing.
Go ahead and call me unreliable; reliable is just a synonym for predictable.
A friend's machine is full of spyware. Common users have no knowledge of ad-aware, so what's the point of having your windows "updated" automatically, when you haven't cleaned up the spyware in the first place?
OH, and with the new SP2, you _HAVE_ to connect to the internet to activate your product, so that makes windows CD's either crippled (you can't connect w/o activating, and you can't activate w/o connecting first) or insecure by default. And I bet most of the people haven't gone to the stores to replace their WinXP SP1 CD with SP2.
The *current* build of XP might be more secure, but in general, the whole policies stuff is making that security COMPLETELY USELESS.
A good measure of windows security I'd suggest:
* Percentage of Linux machines in the world infected with spyware? 0.
* Percentage of Windows machines in the world infected with spyware? 80, maybe more.
So which OS is more secure, huh?
I'm not sure what Microsoft is shipping in its Windows XP boxes anymore, not having ever purchased a retail version of it.
Having just purchased an OEM copy for a custom built machine, I can answer this question. XP Professional tends to ship with SP2 preinstalled. XP Home, however, only comes with SP1 installed to provide for better compatibility for "home" programs. (read: Programs that didn't behave themselves in the first place.)
Javascript + Nintendo DSi = DSiCade
I'm not sure how this is really different than linux. Once you've loaded it up, there are often a number of patches to apply. You can either connect the box to the internet to get them or download them elsewhere. Do most linux users think to do this?
Neck and neck, but one guy is a midget :|
"If we hit that bullseye, the rest of the dominos will fall like a house of cards. Checkmate." -Zapp Brannigan
I'll start paying attention to the Linux vs. Windows security debate the next time I get a virus on my Linux box. Nuff said.
Let me just preface this by saying that I generally take articles by research firms with a healthy grain of salt. With that said, I wouldn't be surprised if the report is correct. Mod me down if you like but a properly administered Windows box can be as secure as Linux. I think too often we simply rely on the vendor and distributor to come out with a secure product and then never worry about it once it's installed. A key factor in security is the administrator who must maintain these boxes. An out-dated Linux or Windows box is not going to be secure. An experienced administrator should be where security starts, not necessarily the product.
Finally, statistics about Linux are too generalized. I would much prefer a breakdown of Linux distributions since I'm sure some are more secure than others. A lot of exploits are found in non-kernel executables and the distribution is responsible for that. It's not all that useful to say Linux is secure or insecure since there is no one Linux distribution.
EvilCON - Made Famous by
Ovum has also said: "Microsoft's .NET technology is at least six months ahead of its rivals" ... "It's more complete, more ready and more widely deployed than any of its web services framework competitors". http://www.aspstreet.com/pr/a.taf/idpr,61991
And: "The Common Object Request Broker Architecture (CORBA) is a "doomed" technology that has no hope of matching Microsoft Corp.'s Distributed Common Object Model (DCOM), according to a new report on middleware." http://www.computerworld.com/news/1997/story/0,11280,21627,00.html
I'll set my watch and warrant on it
There's a dark tower fan!
sig?
No.
Most users with DSL or cable service have firewalls. People that still use dial-up connections can have problems, but this is becoming less important every day.
SP2 has a firewall that's on by default. Everyone that buys Windows XP today gets SP2 in the box. Every new PC that comes with Windows XP has SP2.
The BSDs (and to a slightly lesser extent, Linux) don't compare well against Windows, because the designs they emulate were never desktop operating systems.
You're very trig, my little cully. Long days, pleasant nights to you.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
It's just like a treasure hunt, except you win back the time it would take you to read the article.
The winner is the first to find the word in the following URL that suggests the value of the article it links to:
http://www.vnunet.com/vnunet/news/2139790/surveys
I have been running a mixture of Windows and Linux boxes at home for more than 10 years. I am conscientious about anti-virus and anti-spyware on the Windows boxes. On the Linux (and an occasional BSD) boxen I just take the normal security of the distro install and update packages regularly. I also, of course, do not log in as root. The bottom line is over the years I have had to battle various vermin on the Windows boxes. I have yet to have a virus or anything like it on the Linux/BSD machines. EVER! I use Linux as my normal OS on my laptop. I am surfing everywhere, constantly checking email. I download lots of programs, install things, etc. NEVER a virus, etc. Give me a break!
Some settling may occur during posting.
It will continue to be impossible to secure any version of Microsoft Windows until that company changes their design philosophy of mingling various unrelated tasks directly into the operating system.
The latest example is their plan to integrate RSS feeds into Littlebighorn (due out next year, whether it's ready or not). Lookie, boys and girls, a whole new way to infest Windows with viruses and malware. We haven't got the old holes plugged yet, but here we are planning to make new ones! You gotta love innovation at work.
Until they stop this "I'm OK, you're ok, so let's share" design philosophy, and get a little more paranoid, Windows will always be the easier target for the Internet's criminals and malcontents.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
With 95% of the world's desktop market, they would also have 95% of the available funds for security R&D. With that much funding, no one should even be able to come close to their security. Of course, we all know this is not so.
Average user is too dumb to add execute permission to something. If all they do is use the software that is installed on the machine (or nice user interfaces to install more), then they rely on that software to do it for them. If someone gets a message that tells them save this, type this command, type this command... the odds they actually take the time to do it are tremendously low unless it comes from a friend, and with good explanation. The reason viruses and worms are so deadly on Windows is because the extension assigns something execute permission... all the user must do is click (which they are trained to do) as a result of their curiosity as to the nature of an attachment (which they are born with).
Since you are so obviously willing to denounce this author's article, and claim that you know meaningful data when you see it, could you please write us a more informative article? Rather than launch an "ad hominem"-style attack on the article, write us an article using all your glorious expertise.
Cyric Zndovzny at your service.
A competent system administrator can secure Windows and keep it secure, just as with Linux. An incompetent sysadmin will fail with both.
I'm not sure that is true. I mean sure anything can be secure if you unplug it, but can a Windows machine be as secure while still as functional as a Linux machine? The first suggestions you hear for securing windows are install updates and put it behind a firewall. That's good advice for any system, but a firewall should be an extra layer of security, not a necessary one. If your only solution for securing Windows is put it behind a firewall that is running a different OS, well then that is a pretty big argument against its security.
P.S. an expert can kill you with a fountain pen from 10 yards, that does not mean the army should not issue guns.
or mostly BS.
1. Compare WinXP operation system to the whole distribution is stupid.
2. Where from the heck those viruses spread ?
3. Look the secunia lists (www.secunia.com)
WinXP Pro (only OS):
Unpatched 21 of 84 total
Extremely or Highly Critical 30 of 84 total
Remotely exploited 52 of 84 total
Debian Sarge (OS and many, MANY, applications!):
Unpatched 10 of 26 total
Extremely or Highly Critical 4 of 26 total
Remotely exploited 18 of 26 total
Yes, but the reason these studies are absolute horseshit is because they call it 'LINUX' and fail to mention any of the choices. I could run apache, or I could run publicfile. You could choose apache or IIS for Windows.
Windows Server is a solution ENDORSED by Microsoft - they recommend IIS, SQL Server, and Exchange for your enterprise needs.
Apache isn't ENDORSED by Linus Torvalds, or lkml. It's ENDORSED by Red Hat Linux. So if you're going to make the comparison, compare a Linux server distribution (and specify WHICH ONE) to the Microsoft server product.
So yes I would readily say that 80% of new out of box PCs are infected.... If I did all this and I knew what I was doing and still got infected in 30 minutes, could you imagine someone who didn't.
"Slashdot, where telling the truth is overrated but lying is insightful."
Well that's exactly the point isn't it?
Give a novice admin access and you have no security! ( Thus the outrage over Lindows default admin only setup by people who know better.)
Linux cloned the Unix environment which early on was a multi user networked environment, used by many universities where students could wreak havoc. Many design decisions were made to improve security early on.
Microsoft? Hey let's give our browser, email and applications the ability to install any software at any time from anywhere on the net without the user even knowing about it. That would be cool huh?
Overall it boils down to a corporate culture problem at Microsoft:
What percentage of programmers who "get" linux/unix would ever want to work there?
What percentage of engineering decisions are made by "Pointy Haired Bosses" instead of programmers with real experience?
Sure, now that linux is giving MS heartburn in the security pocketbook, they are changing, but that's what they do well, and why they succeed. Remember how fast Bill Gates switched from "The Internet is for losers" to "We Invented the Internet" ?
At least with competition MS are forced to start cleaning up the massive mess they have made of network computing.
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
I don't know if it's still available, but you could get XP Service Pack 2 on a CD. Earlier, Microsoft experimented with putting updates for 98, ME, NT, 2000, and XP on a single CD (and sent it out for free). This kind of CD is great to have in the old kit bag, since you can stay disconnected from the internet until you've applied most of the important patches.
I don't know why Microsoft abandoned the idea of periodic OS updates on CD. Maybe too many people asked for them. I don't think you could buy the resulting good PR that cheaply. Alternately, they could post quarterly the ISO images, and encourage people to spread them around.
Anyway, that's my 1.99856714 cents worth.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
Or rather, Windows is easier to use, so may include more incompetents.
I have never *once* had a security issue with Linux. But then again, I've been trying to use various versions of it for 10 years, and I've never gotten a working box. The last Ubuntu install I did, I ended up at a command prompt at the end of the install. Now, *that's* security!
Also, my bicycle has never caught fire, while my car did once. My bicycle is *much* more fireproof than my car is!
I don't respond to AC's.
Theo de Raadt on Linux quality :
re: point 3, why not?
ox -> oxen, why not box-> boxen?
It's not like the "rules" of English are any more consistent elsewhere.
Though I think that boci would be equally appropriate (latin, "vox" -> "voci").
Just thinking, is it really that the Linux OS is more secure or is it that the % of knowledgeable users using windows is lower than the % of knowledgeable users using Linux?
IMO Most of "Windows" issues are users: downloading this screen saver, installing that searchbar - running that "Funny" email attachment - Linux users tend to not do stupid stuff like clicking on the "Click here to scan your system!" links....
Bottom line - windows is for the Masses - MS tries to make it user friendly and idiot proof, but I guess they keep coming up with better idiots.
The article reads like this:
Well, I think that Windows security has improved.
There are so many opinions out there, that it's hard to tell what the truth is.
I think that Linux still offers slightly more security.
Microsoft's patches are better...
I think.
It sounds to me like somebody just expressing an opinion that they have. This really isn't news at all, and doesn't even offer any insightful information.
Linux/Open Source/Anti Microsoft News
No, I haven't RTFA, and I don't need to. The claim that Windows and Linux are equal with regards to security doesn't even deserve laughter. A person only needs to use Windows XP online for a few hours, and then compare it with virtually any other Linux distribution available in order to see how this claim is a complete lie.
It's a testament to the complete amorality of many analytical companies that they would even attempt to make a claim like this. Vnunet are obviously completely devoid of any kind of professional integrity, and as such, their analysis can only be considered utterly worthless. Unfortunately however, vnunet are not the only company willing to make such claims. These companies believe that they need to rely on Microsoft's monopoly for their livelihood, and so are willing to go to truly amazing lengths to try to maintain the perception that Microsoft are still on top, despite enormous evidence to the contrary.
"What percentage of engineering decisions are made by "Pointy Haired Bosses" instead of programmers with real experience?"
As we discussed recently here, Microsoft doesn't hire programmers with "real experience". They hire clever greedy problem-solvers who are good at word puzzles.
Like Bill, security is the last thing on their minds.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
" It's funny how people think. Since neither product is 100% secure, they both think they're equally insecure. This logic is as stupid as saying "reading slashdot is just as dangerous as motorcycle racing, because I could get hit by meteor and die either way". Clearly one of the products has more serious exploits than the other and has caused more loss to businesses, but some people just don't want to admint that."
How do you conclude Windows has more serious flaws than Linux? I've seen no evidence to support that claim. In fact a major security flaw in Kerberos was just announced (that isn't in the MS version). Your post is just anti-MS FUD
Vote for Pedro
You can't have an unbiased non-profit organization perform a TCO on Windows vs. Linux. Why? Because every company is different.
They provide different services, products, etc. So the TCO is different for every single company because they are going to use Windows or Linux differently. They have different entrenched processes, they have different skill sets for their employees, it's just all different.
"I'm not sure that is true. I mean sure anything can be secure if you unplug it, but can a Windows machine be as secure while still as functional as a Linux machine? "
Linux isn't secure. Check your assumptions.
Vote for Pedro
I'd agree that a fully patched and protected Windows server is about as secure as a default install of a Slackware server
The difference is the Slackware machine won't become a security problem when a user sits down and starts surfing the web.
As many point out, novice users with IE/Outlook are the main entry point for windows viruses.
Hey, perhaps someone could set up a public test:
Set up an internet cafe with say 10 XP machines, fully loaded for virus bear and 10 Linux Machines,
Then keep a live scorecard for how long all 20 machines keep clean and functioning. Let Vegas in on this, and place your bets!
Or hey, do it as a docu-tainment independent video similar to "supersize me"...
Hey Cringely, there's an idea for your new downloadable TV show!
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
Am I missing something? I would not attempt to dispute what he says, but what criteria does he use for that statement? Number of crashes, Technician time to re-boot/reload after an incident. Number of Viruses that get through? How many times the box is hacked?
For an article titled "Linux and Windows Security Neck and Neck", I expect to see more than just "servers....no difference..."
Apparently I am not the only one that thinks security is not just the server level. Nearly all the (on topic) comments talk about win boxes that start up with admin privileges. The real security problem seems to be at the user level, not the server level. A good admin (or group of admins for 13000 servers) can set up and take either box to maximum security. The home user (not lazy, not ignorant as one post calls them) is not an IT person. If the box comes with a setup that makes it less secure, that is probably the only thing that will ever get set up.
My opinion is that security is not just MS or LINUX. It is based on the person that installs and sets up the OS. I would bet that any good admin can set-up and make either OS very secure or very in-secure. If a secure box is delivered to the home user, it will probably remain secure. Otherwise, it will probably end up helping send SPAM.
I got pissed-off-at-98-enough to get the XP retail upgrade box. And this was back in the winter.
Both upgrade and full install, Home and Professional, had SP2 built right in. The store might have had some old pre-SP2 copies left lying around, but they were advising SP2 for anything connected to the 'net.
And it wasn't install and patch, when the system completed base install, it was already at SP2.
Look at what's actually happening, from http://www.us-cert.gov/cas/bulletins/SB05-194.html#trends;
Top Ten Virus Threats
All Win32 Worms. Pick any security site, and look at the top 10 threats. Then tell me which OS is the most secure. We can argue all day about the reasons, the facts speak for themselves.
I work in a world where I am responsible for about 100 servers, most of which run Windows 2000/2003, but a handful of which run CentOS 4 (RHEL4).
I have to say that either operating system is secure in the hands of a knowledgeable administrator. The key difference is simply that Linux can be made more secure by someone with ample experience, whereas Windows can be made moderately secure much more easily.
Let me explain. In the Linux world, because everything is open source, a very knowledgeable person can strip away `features` from the operating system, leaving fewer areas which could possibly contain security holes. It doesn't matter whether the NFS server has a security hole, if the NFS server isn't running, or even installed. To be more specific, a very knowledgeable person could even recompile their kernel, etc, such that the only things that will run on the box are those which are intended. A box configured for single use is easy to secure because then there are only a handful of areas which can be exploited. Because of this limited number, there are then only a handful of lists/newsgroups that need to be monitored for security updates.
Windows on the other hand possesses the advantage that Microsoft stands behind their product, and says apply these patches, and you're secure. Therefore, to make a `relatively` secure machine is very easy. Just run auto-update regularly, and you're secure. On the other hand, taking security to the next level, the level described above, is almost impossible. You can't eliminate features from the Windows kernel by recompiling. Nor is it easy to pick and choose which DLL's get installed with the operating system. The result is a bigger window of opportunity for an exploit to be discovered which can then be used on your system. Now it is still possible to disable services, etc, but that is a more difficult task in Windows because of the interconnectivity. In the Linux world, because most components are developed by different people, they have few dependencies. This isn't true in the Windows world, and that makes it more difficult to lock down.
My point is that if there are three security levels, secure, very secure, and air tight, it is easier to get to the first level with Windows, but easier to get past the first level, to the second and third levels, with Linux. Granted large corporations can afford to modify Windows to get the other levels of security, but it's more difficult because Windows is such a closed environment.
I've rambled enough. A good article on locking down a Linux box can be found here
http://www.puschitz.com/SecuringLinux.shtml
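The comment's point that an NFS server which is not running cannot be exploited can be checked mechanically by comparing a box's listening sockets with the ports it is meant to serve. The script below is an added example, not part of the original comment; the function names and the sample `ss -H -tln` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets that are not on an allow-list.

# Constructed sample in the shape of `ss -H -tln` output. Columns are:
# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
# 22 = sshd, 111 = rpcbind, 2049 = NFS, 631 = CUPS bound to loopback.
sample_listeners() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      64           0.0.0.0:2049      0.0.0.0:*
LISTEN 0      128          0.0.0.0:111       0.0.0.0:*
LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      128             [::]:111          [::]:*
EOF
}

# Reads ss-style lines on stdin; arguments are the TCP ports the box is
# supposed to serve. Prints "port address" for every network-reachable
# listener that is not on that list, sorted by port.
# Live use on a real host: ss -H -tln | unexpected_listeners 22 443
unexpected_listeners() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            # The port is whatever follows the last colon, which also
            # works for bracketed IPv6 addresses such as [::]:22.
            port = substr($4, RSTART + 1)
            addr = substr($4, 1, RSTART - 1)
            # Loopback-only listeners are not reachable from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (index(allowed, " " port " ") == 0) print port, addr
        }
    ' | LC_ALL=C sort -k1,1n -k2,2 | uniq
}

# A single-purpose box that should only offer SSH:
sample_listeners | unexpected_listeners 22
```

Each line of output names a service to stop, uninstall, or add to the allow-list on purpose.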
"Most users with DSL or cable service have firewalls."
Bullshit.
"People that still use dial-up connections can have problems, but this is becoming less important every day."
Yeah, right, in the time it takes them to connect via dialup, they get infected over that 28.8Kbps connection.
Your crack is sub-optimal. Get a better dealer, Windows troll.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
100% of the vulnerabilities on my linux box that I know about are Unreal Tournament. I think a reasonable rough-and-ready approximation is count the bugs per megabyte.
I am trolling
"...designs they emulate..." = http://web.cortland.edu/lacomb79/minipro3/confused.jpg
/. is good for you.
Average user is too dumb to add execute permission to something.
Oh really? Is the average user too dumb to follow this simple email below?
----------------
"Hello there. We have attempted to process your payment but there appears to be a problem with your account. We've attached a brief presentation to this email explaining how to rectify these problems with your account so payment can proceed in a timely manner.
Please save the file to your hard drive and execute it from the command line. If you have problems executing it, please type "chmod +x filename.sh" and then execute it.
Thank you for your time and attention in this matter, and we appreciate your business."
Attached file: filename.sh
This file has been certified virus free by McAffee Anti-Virus Scanner.
--------------------
Now, if you think the above scenario wouldn't happen by the millions, you're smoking some particularly good weed there, bub. This is how phishers get into things and they're very successful at it. What you're failing to grasp here is that the user doesn't need to know how to perform the operation. They only need to be gullible enough to follow instructions. Unfortunately, the more gullible they are, the less likely they are to recognize the threat such an email would pose to their system.
Gullibility is not something restricted to Windows users.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
The email came from someone they trusted. They'd *never* send them anything dangerous. ARRRGHHH!
Monetary dependence is not the only thing that screws research. Often times the problem lies with the reader, who wants a hard and fast answer to every scientific question. Try subscribing to a journal some time and reading the abstracts of some papers. After a while, you can find a paper that supports whatever you want. Is it because the researchers were bribed? Not necessarily. Often it's because the issue being tested is more complex than it seems.
Not every health treatment works for every person, not every engine works in every car. In those cases, we know the reasons and the differences that cause incompatibilities. But when we don't know the "why"... why Study A says Blah Software sucks and Study B says Blah Software rocks, for example, we should not jump to the conclusion that THEY WERE JUST BRIBED. Such short-sightedness can be accurate (bribery certainly exists), but it risks blinding one from looking into real issues. It pushes supporters into looking for another scapegoat for every study they don't like, and when the real problems emerge, they blow them off as "FUD." And it leads people to believe, as long as a study is "independently funded," its reasoning and conclusions are sound.
God forbid I try to have an open mind about these things. Go ahead, mod me as a troll because I said "fuck."
So yes I would readily say that 80% of new out of box PCs are infected....
That's an absurd number to be flinging around based upon your single buying experience. We've purchased hundreds of Dell's and all came with SP2 pre-loaded. Some of the companies we've consulted for have ordered hundreds or thousands of HP's and they came pre-loaded with SP2. IBM does the same. I don't know any companies that buy Gateway but I'm betting they do the same.
Also, if you knew what you were doing, why didn't you enable the default firewall that came with Windows XP RTM before attaching to the 'net to install SP2? It's not as good of a firewall as the one in SP2, but it's much better than a wide-open machine. It would seem you're a victim of your own ignorance or laziness far more than Microsoft is at fault.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Remember how fast Bill Gates switched from "The Internet is for losers" to "We Invented the Internet"?
My God! Microsoft invented the Internet? Has someone notified Al Gore? He's sure to be outraged that someone is claiming credit for his invention.
P.S. yes, I know Al Gore's claim is apocryphal. It's a joke. Laugh.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
"In this respect, UNIX/Linux can be considered more secure than Windows, but only until a competent administrator restricts local users to non-admin-equivalent accounts. Then things rapidly return to something amazingly close to equality."
But a competent Windows administrator can't and won't restrict local users to non-admin-equivalent accounts. While this setup may be amazingly more secure than the Windows default, it is also amazingly less functional. Many Windows programs, including some from Microsoft, require administrative privileges to operate. One of the truly important differences in the UNIX/Linux world is that programs are written to operate with limited privilege. If Microsoft (very hypothetically) were to crack down somehow and insist Windows apps do the same, then the foundation would be in place for real Windows security improvement.
Yeah, Windows fell flat on its face, and Linux toppled backwards laughing hysterically.
neck and neck, just like they say.
cyn, free software and *nix operating systems enthusiast.
----------------
Please save the file to your hard drive and execute it from the command line. If you have problems executing it, please type "chmod +x filename.sh" and then execute it.
----------------
You're saying that this hypothetical gullible dingbat is going to be educated enough to bring up a terminal and execute it on the command line? Especially considering that running something on the command line involves adding ./ unless you're braindead enough to have . in $PATH?
Linux isn't secure. Check your assumptions.
Of course it isn't, but it is "secure enough" to operate without a firewall regularly without getting taken over by a random worm. Most people do not need to be too concerned about direct cracking since most people do not run high-profile targets or anything of interest to a cracker. Obviously you can get a locked down NetBSD box and run a virtual server and redirect to a honeypot or two and spend all your time parsing logs. The point is can Windows run as securely as the average Linux box without disabling the functionality you want to use it for in the first place?
If you go to Secunia and check their ratings of, for example, Microsoft Windows Server 2003 Enterprise Edition with, for example, SUSE Linux Enterprise Server 9, and RedHat Enterprise Linux ES 4, it looks like:
Microsoft: 7 less critical unpatched vulnerabilities
SUSE: 0 unpatched vulnerabilities
Redhat: 1 not critical unpatched vulnerabilities
My question is: Why didn't the article's author spend the 10 minutes of research I did? Granted, there's more to it than just grabbing summaries from Secunia. But, if the author couldn't even do that, how useful is quoting 'experts'? At least Secunia can make a believable claim to be unbiased.
As for 'neck and neck', 7-0-1 doesn't look 'neck and neck' to me. Unless, of course, it's Bill's FUD noose around my neck.
"We are all geniuses when we dream"
- E.M. Cioran
How do you conclude Windows has more serious flaws than Linux? I've seen no evidence to support that claim. In fact a major security flaw in Kerberos was just announced (that isn't in the MS version). Your post is just anti-MS FUD.
And just how many people are going to be infected tomorrow by this shocking Kerberos flaw on a Unix or Linux platform (Microsoft uses Kerberos you know ;))? The point is that the flaws within Windows and Microsoft software have simply affected too many people and businesses, and there are simply too many easy ways into Windows.
Microsoft's reaction with Windows 2003 has been to panic create several hundred permissions and group policy applications, most now off by default, to cover all the holes like sealing wax. Result? Nothing works and people simply don't have the time to deal with everything they might need, so they have to turn it all back on again. What's worse is that it simply isn't structured. People can have no real idea what is or isn't turning something off. If I start a service (and am stupid enough not to think about it) on a Unix or Linux system I know what I'm getting. If I start something on Windows 2003 it might sort of run, but it probably won't work for certain users except administrators and there'll be some setting somewhere (not in a universal place) stopping it. It makes testing an absolute nightmare. Quite how they think this makes them more secure, I don't know.
Microsoft have simply taken this 'off by default' thing they've heard about Linux and Unix and completely misunderstood it, or they've had to kludge things because their existing technology and software isn't up to it. That, I'm afraid, is simply not anti-MS FUD. It's just plain and simple reality.
Uh, the parent poster never concluded Windows has more serious flaws.
I can understand *YOU* could jump to the conclusion that people think Windows is less secure than Linux (because a lot of people have that personal experience)
But for all we can tell the parent posting that you flamed may have been suggesting that Linux had more serious flaws than Windows (as laughable as that sounds; considering most online brokerages are linux/apache according to netcraft; and most all the Department of Homeland Security sites are either Linux/Apache or Unix/Apache).
More likely he was just making an observation that often journalists falsely jump to conclusions that when two things have some risk, that they have equal risk.
Which, Microsoft insists, is an integral and inseparable part of the OS.
Microsoft can't say on the one hand that IE is part of Windows, and then on the other hand claim that IE vulnerabilities don't count as Windows vulnerabilities.
There, I have said it the last time this week!!!!! You cannot buy security in a box.
they are taking into account everything comes with linux i.e apache and the 16,000 other packages. Where when you buy windows you don't get very much.
I was going to say "with your mom" but I was afraid that people would think I thought I was on a kiddy site
Then again, seeing some post in that thread...
Not using IE and using Firefox instead almost completely secures an up-to-date Windows box.
Dumping IE is a good step to take in improving the security of your Windows PC, but to say that one action "almost completely secures an up-to-date Windows box" is a dangerous oversimplification of the problem.
Firstly, despite the legal disputes surrounding the strategy, Microsoft has deliberately engineered IE into its OS. Windows 95 and NT4 and previous versions had no dependency on IE at all. On an "up-to-date Windows box" it is LITERALLY IMPOSSIBLE to completely "get rid of IE" on your system. You can remove the icon, make Firefox your default browser and so on, but IE remains in place. You cannot remove the IE rendering engine or any other "meat" of IE contained in system DLLs or you break a multitude of applications and important parts of Windows itself. No matter how hard you try to avoid it, you still need IE to do something as basic as keeping your system up-to-date and run your basic applications properly.
All that needs to happen is for an ambitious group of cyber-terrorists to commandeer and taint one single system of servers--the Windows Update site--and the world's IT infrastructure can be brought to its knees. I know saying "all that needs to happen" understates the difficulty of pulling such a thing off, but it IS possible--and the point is that Windows Update is a very serious potential single point-of-failure. Even though Windows Update is a huge site run by many many computers, it is still accessible through a single network address and maintained by a single company and operates the same way for everyone. The fundamental concepts behind Microsoft's Windows Update are seriously flawed and without constant vigilance on the part of Microsoft it could be the most serious vector of attack in the history of computer security.
Another fundamental design flaw of Windows from a security standpoint is OLE/COM/DCOM/Microsoft's RPC implementation. Microsoft themselves have acknowledged this with its efforts in Longhorn to create a new service-oriented programming framework for distributed applications (Indigo). Even in post-blaster 2005 there are still reported flaws around DCOM. Ever since OLE was introduced with Windows 3.1 it has been more convoluted than required to do its task, and even with this added complexity it was not designed with the highly connected world of today in mind. Eventually COM would come out with the still klunky OLE2 interface built on top of that, and distributed application functionality would be tacked on with DCOM. Holding onto a foundation that had quickly become rickety for this long was a grave mistake. MS should've started pushing everything and everyone away from this whole kludgy mess ten years ago when it started becoming clear that the network would be central to computing.
Thankfully, there are limiting factors to the whole DCOM disaster in that home users don't really need the "D" part of it at all, so you can disable it in the registry and/or block its ports with a firewall. Unfortunately, that doesn't fly in the corporate world as there are a lot of client/server products that rely on it to function (think ERP, industrial automation, custom integration systems and so on). This is why corporate adoption of XP sp2 and 2k3 Server sp1 was not at all rapid (so much for the "up-to-date" part of your argument). Those service packs close up much of DCOM and break corporate apps. Thus, those updates are not rolled out until procedures are available to make updated PCs work with existing systems. Guess what? Those procedures generally involve UNDOING some of the changes made in those SPs to secure systems!
I'm sorry, the headline of this article putting Windows at par with ANYTHING in terms of security is unconvincing to me. While it is true that there are some Windows systems out there that are better secured than some Linux or BSD and it might even be true that overall the implemented systems out there are equally secur
Does anyone have experience in using Linux desktop with everything running as root? Doesn't Lindows do this as default? I wonder how secure such a Linux is, when compared to fully patched Windows XP with a "normal" setup, in which the user is also an administrator. I think this boils down to: How safe is IE in non-administrator mode today?
so was Linux standing on its head when they lined them up to compare?
The fact is that these machines should NOT be getting infected out of the box, yet they are even while updating, and that's a major issue and it's one Microsoft took years to even ADMIT was an issue and start fixing. And I'm sorry but the slashdot world needs to start getting it through their brain that the dumb are who we need to be shooting for IT wise, and not the people who know what they are doing, because they are who's going to be using these products. Stop thinking like you're uber l337 'cause your abilities won't mean shit to the dullard who through his ignorance installed a virus that will launch a DDOS attack on your network's systems.
"Slashdot, where telling the truth is overrated but lying is insightful."
Hey, Linux bugs are free! Their Microsoft cousins have to appease Red China.
http://www.webpronews.com/news/ebusinessnews/wpn-45-20050613MicrosoftBlocksWordsToAppeaseRedChina.html
Get real, get VMS! http://www.openvmshobbyist.com/
I read the entire article, and it appears to be 100% fluff. There is not one statistic, or even any made up data that is used to support the premise of the article. To paraphrase, the two experts that were interviewed are essentially saying: "Well, I think that maybe just possibly Linux has a security edge, but Microsoft has probably done some catching up with all of the security stuff they've been talking about, so I think that realistically I don't have any idea at this point what is better".
Wow. Thanks for that, guys.
\/\/oobie
When was the last time you saw a home Linux machine 0wn3d?
Home Linux machines are exactly the sort which get "owned." That's because amateur Linux lusers think that Linux is so secure that they can run superuser accounts with too many privileges, leave dipshit services like Telnet running, and leave root shells open, just waiting to be 'sploited.
How do you think University networks get r00ted? Amateur Linux lusers who configured their box wrong.
I've never put much stock in their TCO arguments (consider the source), but the other night it really hit me: I needed to install a web server that had a scripting language and database connectivity. The usual solution on the Linux side is Apache, PHP, MySQL. Windows is IIS with ASP/ASP.NET and either Access, MSDE, SQL Server or even MySQL if I wanted to get really weird.
Databases aside, what really drove my decision to go with IIS/MSDE was that the prospect of having to deal with all the quirks and lengthy install times of Apache, MySQL, PHP and then getting them all to work together wasn't very appetizing to me. I didn't want to spend the entire night just to get to the point where I can see phpinfo() working.
Frankly, I'm tired of hearing stuff like this. M$ took an ass-backwards approach to security and it bites them repeatedly. My old Netware servers gave you NOTHING by default. UNIX gives you NOTHING by default. Linux gives you NOTHING by default. "Tell me more about this John Smith, otherwise he can't do shit!" Windows has always been about, "Hi John, welcome to the farm. Feel free to take our women and horses." And people wonder why it's insecure? W2k3 has don't alot to mitigate this. But *IX will always have a better security model as long as M$ panders to idiocy. Windows is an app server. It should have stayed an app server. It sucks as a file server and in many other areas. But every marketing-addicted suit wanted to consolidate everything into one environment. We build this city on "My Document" folders on the desktop of every server and wonder why we get bubble-gum service. Frankly, I hope they keep this attitude.
Correction: I meant W2k3 does a lot to mitigate this. They made SOME improvements in W2k3.
Obviously you aren't l33t.
:-)
The thrill is in getting the infrastructure in place and working... Not the drudgery of actually working on solving the problem.
Sounds like someone wants all the reward and none of the work.
Many Windows programs, including some from Microsoft, require administrative privileges to operate.
Then those programs are broken, and should not be used.
I've worked in secure environments (as in, government-type secure). You do not get local admin rights on your machines, yet somehow, you still manage to get your work done...
It's official. Most of you are morons.
You're just one shell-script attachment away from disaster when a user gets an email instructing them to save the attachment off, chmod +x it, and execute it, not knowing it contains the ever-useful "rm -rf" command inside.
Not even that; just create an rpm and tell people to rpm -i it.
If *nix ever became as ubiquitous as Windows is now, it would assuredly happen, I'll set my watch and warrant on it.
I agree with you 100% there. The best security model in the world can't save a machine from a rogue (or hopelessly naive) user with the administrative password.
It's official. Most of you are morons.
"Linux has a slight advantage in that computer science students are learning it, but Microsoft has made life easier for non-techies, particularly with its improved patches."
This paragraph says it all.
First off, a system is only going to be as secure as the person who's using the system knows how to secure it. I've seen tons of Linux and BSD boxes with services running for no reason. Just check out Redhat's default installation and you'll see ports open all over the place that are not being used. At least that's the way Redhat did things.
Secondly, Linux has 3 advantages over Windows.
1. The obvious. Linux should be more secure because it's a much simpler system than Windows! I don't think anyone can deny that. Wouldn't make sense if Linux was less secure than Windows, especially since lots of its functionality was taken from more time proven Unix systems.
2. The people who use Linux are more likely to be experienced computer users than their Windows counterparts. Linux doesn't have to appeal to a bunch of mouse clickers who expect things to work all the time. Us geeks are willing to bend over backwards to make things work.
3. Windows operates over 90% of the world's computers, so hackers and virus writers have a much bigger target. Besides, it wouldn't make much sense for anyone to write viagra adware for Linux when most of its users aren't even getting laid!
What the hell were you doing to the machine to get it infected out of the box?
Ita erat quando hic adveni!
I would recommend that you give him separate accounts of each person. With KDM you can put a cute picture of the user to click on and it will log you on automatically. If he sets his account with a password the kid can't delete his files.
The first dozen or so comments will be crying "FUD!"
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
Connecting them to the web to get updates.
You (and parents) are somewhat right about idiot users... You can't hand them a car they can't crash unless you take away their driving privileges. But if you put on skid control, good windshield, ABS, etc, you lower the odds they'll fuck up.
Likewise, someone is always a handful of clicks and keystrokes from fucking themselves - all someone has to say is "start the terminal and run rm -rf /" in a convincing manner.
My point, however, is that UNIX mechanisms should not be discarded as useless defenses in the hands of clueless users.
My grandmother is one of the world's most clueless computer users - she even calls all the different programs 'My Microsoft'. But she knows better than to follow strangely complicated instructions in some e-mail she receives. That only helps so much in Windows because Windows will happily execute anything, and has no way other than extensions (which mailers honor) to know any better.
In any case, where my contribution began on comments regarding this subject, the parent post was retarded. Newsflash, people are gullible, and kids can be convinced to kill themselves by telling them to play with knives. Let's see how well the theory of PUTTING THE KNIVES AWAY AND NOT LEAVING THEM ON THE FLOOR holds up, and you're smoking weed if you think it's a worthwhile defense. (?)
emulate: 1. strive to equal or match, especially by imitating;
Linux and the BSDs emulate Unix. Sometimes even in a binary sense (iBCS).
Unix was designed for and by programmers. Which means that Linux and the BSDs won't be designed for users unless and until the design philosophy changes drastically.
Apple's OS X does this:
* it does not use X-Windows (need I say more?)
* it has what appears to the user as a single, unified set of user interface elements
* its applications generally have fewer (if any) dependencies than real Unix/Linux/*BSD applications do
* Apple hid directories like /usr and /bin, and then provided properly named replacements!
Even configuration files on Unix/Linux/*BSD are screwed, with separate, proprietary (to each individual program) formats (Apple fixed this to a certain extent in OS X).
Obviously, things won't get better in this respect. The philosophical change required is way too high; it's nearly one of those "boil the ocean" problems.
Linux users are switching to OS X (and sometimes to Windows), because they realize that rolling your own PC and OS (or being able to) is just a giant waste of time.
If you're like me, and you don't want any Unix crap, use Windows.
An elitist group known as The Living has long believed that they were inherently superior to their rivals The Dead, but statistics are showing a shift and some clear advantages for The Dead.
The Dead use no gasoline, an advantage increasing over time as prices rise and supplies dwindle.
The Dead never argue.
The Dead are more loyal. While there are rumors of switchers, there are only proven cases of switching from The Living to The Dead, not the reverse.
Some evidence of future switchers has been seen in political office where The Brain Dead have a significant presence.
The Dead have a well established installed base.
Some of The Dead give their all for recycling.
The Living are still generally more highly regarded for dating even though some are only vaguely familiar with the activity.
I've always maintained that an OS is secure as the people that run it and the programmers that write the code which runs on it.
Linux seems more secure because the people that run it generally know a hell of a lot more about programming it and administering it, than an MCSE who passed his exams, but doesn't really know that much about real world computing.
I know an MCSE, who after passing his exam (and had the requisite ego inflation that inevitably occurs) queried me with "how do I ftp a file?"
Let's just say there are a few knowledge holes there if that guy is running the network.
Contrast that against someone who builds linux boxes. You aren't going to get that webserver to serve web pages, without a how-to, unless you know what you are doing, period. Anyone that's been around the block enough to build a linux web server from source, and can do it without cracking "the book" is going to have a great deal of knowledge about dns, SSL, firewalls, and hopefully networking.
I'm sorry but the point and click crowd isn't going to build a more secure network than someone who can build his own firewalls using IPTABLES.
I am not saying that all MCSE's are clueless, a good deal of them aren't, but the barrier to entrance to run ms products is significantly lower, which leads to more inexperienced people administering boxes. Knowing your OS isn't enough, and most of them think it is.
This is what makes some ms networks dangerously vulnerable. This won't happen in a fortune 500 network, but in mom and pops all over the country, I bet I could get into more, than less, of them within 15 minutes of the first cracking attempt, and most will be ms servers set up by people that should really be studying computers, not setting them up.
l8,
AC
If you could get only one of these to validate the systems in their own field, you'd have some valuable data. If you could actually get several - or even most - to do so, you'd have a comprehensive analysis of both systems, by people who are focussing on their specialist areas, with minimal risk of outside influence.
Furthermore, with such a comprehensive study, both Linux and Windows developers would be armed with valuable data for eliminating those flaws that do exist, which would be in everyone's interest.
The problem would be getting the kind of funding needed to conduct such studies - these places don't come cheap, and we're looking at REAL work, not just skimming CERT and running a word-count. I doubt Microsoft would be willing to fund the Linux side, even if they were willing to fund their own. (And if they were THAT willing to fund their own, they would have done so by now.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
don't you think the main reason why there's so many worms for Windows and so few for Linux is that there are a hell of a lot more victims for Windows worms?
No.
The main reason is that the Microsoft HTML control is inherently insecure and unfixable without modifying every application that uses it to use a new API that puts that application in charge of determining what capabilities documents displayed via the control have, regardless of what 'security zone' they are in.
That is absolutely critical. There must be no mechanism in the browser itself for a script to request "unsandboxed" control, or for the document to request an ActiveX control that is not already installed and explicitly registered as a sandbox component. Not even if the user "approves" it through a security dialog. It must not be possible to initiate this from the document rather than from the application, no matter where the document is, no matter whether it's "trusted" or not.
Every time Microsoft comes out with a new service pack or hotfix I predict that a new way will be found to fake the system out. SP2 was supposed to be it, but no, they've just had to release a new hotfix because someone found an unsafe embeddable component that wasn't ever intended to be used from the browser. There will be more.
Back before 1997 "there's more Windows boxes" was a real point. But when Active Desktop was released that all changed. I managed to get IE and Outlook banned at work. A little while later the flood of viruses and worms started, almost all based on tricks that fooled the HTML control used by Outlook into embedding and running them. And that's continued to be the main engine driving the rich viral ecosystem on Windows ever since. Oh, there's unrelated exploits, and social engineering, but a virus writer can always go back and look in the HTML control when all else fails.
I personally believe it is not the security holes themselves but a.) how severe they are, and b.) how they are handled. The difference between Linux and Windows on these points is very stark, with little to "muddy the water." 'Critical' Microsoft updates are much more common than you will find on the linux platform. But even that is not nearly as important as how the issue of security is taken. My problem with Microsoft is that security for them still means bad press and politics. Microsoft does not want to announce security holes to the public, they don't want to give details, and they won't be pressured into issuing a patch until they are damn good and ready. The linux community is quite different. Security holes are discovered and readily broadcasted. This communication leads to an immediate concerted effort to fix the problem, and it's done. Time to patch through the open source model is quite superior. An open security policy as far as communication is concerned is absolutely vital for everyone. Microsoft has the notion that they own the software despite the fact that I buy it. Linux has no such delusions. Linux is yours, or collectively all of ours. Windows is owned by Microsoft, and you get to "rent it" or "license it." But as a home user or system administrator I want to know what is happening with my operating system -- I want to know what it is doing, what might happen, etc. With Linux I have that luxury... with Microsoft, I don't.
No, both Professional and Home retail versions of XP come with SP2.
http://www.compusa.com/products/products.asp?N=0&Ntt=windows%20xp&Ntk=All&Nty=1&D=windows%20xp&Dx=mode%20matchall
-- "I never gave these stories much credence." - HAL 9000
Oh yeah, they're equals in terms of security.. Minus the tons of malware and viruses available for Windows! Buhzing!
Debian: 38% unpatched 69% remotely exploited
WinXP pro: 25% unpatched only 61% remotely exploited
Pay no attention to the totals...
Can you be Even More Awesome?!
All the articles people have written on which system has the most vulnerabilities seem largely irrelevant in the real world. There are hundreds of thousands of servers of both platforms out there doing real work.
What percentage of them have been cracked? That is the important fact, rather than theoretical lists of improbable attacks. Are there any accurate statistics for this?
I don't know about you, but I hear all kinds of interesting things when hiding in the clothes rack while stalki^H^H^H^H^H^Hgoing shopping with my girlfriend.
...but sometimes I get a feeling that Linux is used by some people to feel like a smug elitist nerd. You know, install it and then you can sit back and laugh at the poor windows fools who probably know just as little about security as the person who is feeling all 1337 by using linux. I'm not saying all Linux users are like this, but I'm sure there is a good percentage. I mean any OS can have gaping security holes, depending on the implementation. When I was at uni a friend of mine managed to get pwd logging software on a person's account because it was easy for a non-savvy user to think they had logged out when they hadn't. Being the joker that he was, he thought it would be incredibly funny if that logging software would mail the pwd to my account, off to the sysadmins office I went for an account suspension. I got my revenge though, by sending nulls to a file that stored his login info (I don't remember the details, it was a LONG time ago) to forcibly log him out while he was working. Pretty lame-brained idea considering they were watching my account, back to the sysadmins office I went. Let's not also forget the first internet worm I can recall was the one that would use a gaping sendmail exploit to send spoofed mail messages from server to server. It really was as easy as telnetting to port 21 on a unix mail server and writing the email header in a text editor. So you can laugh all you like about the chequered history of Windows, but unless you recognise that Unix had just as shaky beginnings, you are only looking at half the story.
Blessed are the 1337, for they shall pwn the earth.
Congratulations, Windows! We're happy to have you up here with us.
PS: 'bout damn time.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
I call bullshit.
There is no worm out there that will infect a default XP SP2 machine. The only way for you to infect an XP SP2 machine is through user action (ie, running an infected program).
If you need web hosting, you could do worse than here
Dell does ship with SP2 by default. Dell will load SP1 if your company requests it, but this is not the default configuration.
If you need web hosting, you could do worse than here
The biggest threat to security these days isn't in the OS anymore,
Uh, huh.
Let's see. Windows *has* made some improvements.
Windows 9x got patched, so that it didn't trust the remote end as to the length of the password on a share (and only check that many digits). I remember watching Wargames and thinking "Hollywood sure is unrealistic. Nobody is stupid enough to build a system where a password can be extracted in linear time by scanning each digit." A couple of years later, after polishing up an exploit I wrote that did exactly that, remotely, over the Internet to 9x boxes, I had to amend that statement with "unless it's Microsoft".
What else has been improved in Windows security? Hmm...oh, yes. There's no longer a default account of "Administrator" with a blank password. Couple that with automatically, by-default enabled (but "invisible" to any users of Microsoft SMB clients) administrative shares and just to spice things up, re-enable any administrative shares that the security-seeking user has disabled on his last boot, and you had a quite depressing situation, with a huge horde of Windows NT users enthralled with new Internet connection to their computer providing full Administrator rights to every file on their hard drive. To every user on the Internet. Yeah. Microsoft got rid of the default blank password, and then (after claiming that "system administrators were the problem for not putting the Windows machines behind firewalls") added a firewall that could block, by default, any connections to SMB from Internet-routable IP addresses. Instead of securing the thing or disabling it, they slapped a lid over it, so that an intruder has to wait until he penetrates a corporate network to start running hog-wild within. I guess it takes him another five minutes -- he has to shotgun the domain's email addresses with a trojan that opens an http connection to the outbound world and wait for a user inside to run the thing. There might be a cracker somewhere who was stopped by this, I admit.
I *do* notice that Microsoft still grants users "bypass traverse checking" by default. Real intuitive, you know? Jim the Administrator, who is a poor, naive Unix admin, who hasn't yet been ass-reamed by Windows' security architecture, who is used to computers being really simple and logical to securely administer, creates a "private" directory that only he has access to, and sticks documents that people shouldn't get at in said directory. Of course, he doesn't know that if there are any files in there that have DACLs that fail to prevent users from accessing them, Microsoft has cleverly allowed any user to bypass the directory permissions. That's right -- if you know the pathname of an unprotected file somewhere in a protected directory, on a vanilla, out-of-box Windows system, you can cruise right past the restrictions on the directory, ignoring them. Hope you've never, ever accidentally granted someone rights on a file when you didn't intend to, because on Windows, being in your private home directory isn't enough to secure that file. Keeps Windows users on their toes, makes things exciting, and makes sure that people don't start expecting intuitive behavior from Microsoft.
Oh, let's see. What else...has been fixed? Well, there was Microsoft's twin Outlook innovations of (a) ramming any email that came in right into a complicated, almost-impossible-to-insecure full-blown HTML renderer with programming language support, and (b) allowing a single click to execute any attachment, and making the UI for "execute" be the same as "open file". Now, the first made cross-site scripting attacks, which were previously kind of limited and boring, turn into massive worm-vulnerable holes that could take down networks every time MSIE has a bug, and made the "Good Times" hoax a reality. The second made sure that, given the infinite supply of people who reasonably expect the OS to prevent a single click in a program regularly used from wiping out their computer, there
Any program relying on (nontrivial) preemptive multithreading will be buggy.
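The share-password flaw described in the comment above, sketched as an added example (not code from the thread or from Windows; the function names and the sample password are constructed). It puts a verifier that compares only as many bytes as the client claims next to one that ignores the claimed length, and counts how many verifier calls it takes before the first one accepts a full-length password.

```python
import hmac
import string

# Constructed sample values, not taken from the page.
STORED_PASSWORD = b"SESAME"
ALPHABET = string.ascii_uppercase.encode()  # 26 candidate bytes per position


def verify_trusting_client_length(stored: bytes, supplied: bytes, claimed_len: int) -> bool:
    """Flawed check: compare only as many bytes as the remote end says the
    password has. A claimed length of 1 turns this into a first-byte test,
    and a claimed length of 0 accepts anything."""
    return stored[:claimed_len] == supplied[:claimed_len]


def verify_hardened(stored: bytes, supplied: bytes, claimed_len: int) -> bool:
    """Corrected check: the client-supplied length is ignored and the whole
    value is compared in constant time. (A real service would also store a
    salted hash rather than the password; that is out of scope here.)"""
    return hmac.compare_digest(stored, supplied)


def calls_until_accepted(check, stored: bytes, alphabet: bytes):
    """Work-factor measurement for a verifier: how many calls does a client
    need when it is free to choose claimed_len itself?

    Returns (calls, value); value is None when no one-byte extension of the
    known prefix is ever accepted, i.e. the verifier leaks nothing per byte."""
    known = b""
    calls = 0
    for _ in range(len(stored)):
        for candidate in alphabet:
            calls += 1
            guess = known + bytes([candidate])
            if check(stored, guess, len(guess)):
                known = guess
                break
        else:
            return calls, None
    return calls, known


def exhaustive_search_space(length: int, alphabet: bytes) -> int:
    """Upper bound on guesses when the verifier only answers for whole passwords."""
    return len(alphabet) ** length


if __name__ == "__main__":
    print(calls_until_accepted(verify_trusting_client_length, STORED_PASSWORD, ALPHABET))
    print(calls_until_accepted(verify_hardened, STORED_PASSWORD, ALPHABET))
    print(exhaustive_search_space(len(STORED_PASSWORD), ALPHABET))
```

With the flawed check the cost grows with the sum of the per-position guesses; with the hardened check the only option left is the full search space, which is why the fix is to stop trusting the remote length.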
Wrong. Name one of these programs, and I'll show you how you can run it without being an administrator.
Just because it takes more work to do so doesn't mean you can't do it. Most administrators are just too lazy to use the readily available tools to determine what resources a user needs to access.
If you need web hosting, you could do worse than here
Linux cloned the Unix environment which early on was a multi user networked environment, used by many universities where students could wreak havoc. Many design decisions were made to improve security early on.
And God bless each and every one of 'em for giving me a secure OS today.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
The email came from someone they trusted. They'd *never* send them anything dangerous. ARRRGHHH!
Note that there is precisely one OS vendor who controls a vast number of email clients and a less-dominant-but-still-important chunk of email clients, and has the ability to bundle PGP and autogenerate keys at installation and has chosen not to do so for years.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Angry! And sad. Very sad.
and it's constantly hanging around its neck.
Join the Slashcott! Feb 10 thru Feb 17!
This problem keeps coming up.
Windows should be compared to KDE/Gnome, Kernel, Base tools, the c-library, authentication to log in to the system. Period.
A windows server component should be compared to samba.
IIS/ASP should be compared to Apache/PHP/Perl/etc.
MSN should be compared to GAIM (or equivalent)
(in fairness) IE should be compared to Firefox/Konqueror/etc.
This isn't rocket science. But people put the kitchen sink in Linux (which is good) but then whine when it requires some serious updates every week.
Most vulnerabilities in OpenSSL affect rare cases and in almost all of them it is when running it as a server (and the effect is usually misvalidation). zlib buffer overflow is mostly server stuff (and being at a console for the kernel) that is affected.
People- let's compare the components separately. If windows doesn't do it out of the box, you can't compare them fairly on security. Linux does more in more complex ways, and is open source.
-M
when you see the word 'Linux', drink!
Viruses aren't just magically floating around the Internet waiting for a new machine to connect. The user has to do something to allow the virus onto the system. He must've stopped to browse some pr0n or a Russian warez site along the way to update the machine.
Ita erat quando hic adveni!
Perhaps you failed to grasp the concept that my example was a quick and dirty one. A competent phisher would've constructed the instructions such that your most common distribution (RH? FC? Debian? SuSE?) is covered in the instructions.
It's not so hard, and if you'd just get out of your stubborn "not MY OS!" streak you'd see that. Haven't you ever had to walk someone through a relatively simple procedure over the phone or via email? How hard is it to write a foolproof way to delete all files on your system in less than five bullet points? It's not that hard at all, which means it could be easily put in an email and mass-mailed everywhere. And people by the thousands, perhaps millions, would do it. And there'd be no security on God's Green Earth that could stop them from doing it if they're so stupid as to be running as a root equivalent.
So much for the vaunted Unix security model, but the fault is not with Unix, it's with the human. The best designed tool in the world cannot prevent a stupid human from abusing it, not unless you're prepared to inhumanly limit what the tool can do, thus limiting its utility. Ergo, poor Windows security is not the fault of Windows any more than poor Linux security is the fault of Linux. Microsoft may be putting poor defaults on their out-of-box configs, but that doesn't mean Windows is impossible to secure. Indeed, if you're willing to spend the time and have the knowledge, you can make any Windows system as secure as any Linux system.
If you don't believe me, just try hacking www.microsoft.com. Let me know when you succeed in breaching servers so secure that they weather thousands of attacks per day by some of the most competent hackers on the planet. If Microsoft can secure their systems against all the Microsoft-haters out there itching to put a notch in their belt, what's stopping you from doing the same? Laziness? Ignorance? It certainly isn't the OS, that's for sure.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Working in an IT department and buying from Dell all the time I will tell you right now you're lying out of your ass about it coming with SP2 unless they changed their policies within the last week.
Managing an IT department that purchases a few hundred Dell boxes a year, I can say without equivocation that Dell has been preloading SP2 since at least January 2005. If you want to be so amazingly stupid as to call me a liar, I can happily arrange for a purchase order summary, complete with dates and OS load specifications, to be faxed to the number of your choice. Care to shut up now, or do you plan on swallowing your knee so soon after chowing down on your foot?
And no firewall wasn't enabled as it was on a LAN with 4 other machines that had firewall already on.
Then it's your own fucking stupid fault for not enabling it before attaching any network cabling, and it's your own fucking stupid fault for having compromised machines behind your goddamned firewall. That's the only explanation for having machines infected when you're behind a hardware firewall unless you've got (a) public IPs with unfiltered forwarding through your firewall or (b) NAT with forwarding to your specific IP.
In fact, your entire story seems so fantastical that it's clear you're either grossly incompetent or you're just making shit up to make Windows sound bad. I've been around some pretty shitty IT departments in my 20+ year career, but I've never yet heard of anyone so colossally stupid as what you describe yourself doing. Thanks for proving my point: the fault lies with the equipment between the keyboard and the chair. This means you. Go get a fucking clue and quit blaming Microsoft for your fucking stupidity. Ass.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
The subject says it all...
-=Linsys=-
http://www.intrusionsec.com
If I start a service (and am stupid enough not to think about it) on a Unix or Linux system I know what I'm getting.
Just to be fair, you have to remember that by default, a lot of distros launch a hell of a lot of unneeded services (Fedora does this), so you don't need to "start" a service, it's already mischievously running. You have to positively act out to stop those useless services.
I believe OpenBSD is the best in this area since I think it has a "not running by default" policy. Even though I'm an Ubuntu/Debian person myself.
Windows has many distros. 95,98,2000,XP,Server 2003. Several of these distros don't have IIS at all. Some of these distros have versions. XP has regular, SP1, SP1a and SP2 versions.
You seem relatively smart, yet you can make a mistake of not differentiating the versions/distros of an OS, instead using a generic term. Yet you say others who make murky assertions about Linux are full of horseshit. Why not be understanding and see that others can easily make the same mistakes you do?
http://lkml.org/lkml/2005/8/20/95
However, if you're buying a PC preloaded with Windows, you are almost certain to find SP2 already installed. SP2 fixes a raft of security holes, turns on automatic updates, and, as a bonus, turns on the firewall that was (by default) off on XP RTM and XP SP1.
SP2 is still vulnerable, and surely is not enough. The firewall is not enough either.
Given that, your fears of "unpatched" boxes being loaded today seems a bit of an exaggeration.
It's not. Having Windows XP SP2 does not mean you are fully patched.
The biggest security threat these days is users opening worm-laden attachments, despite mountains of FAQ's, instructions, README.TXT, co-worker horror stories, and other forms of documentation, all warning of the dire implications of opening up that oh-so-inviting attachment claiming to have pictures of Paris Hilton's hoo-ha.
This is just not true. These emails on other OSes do not have any security impact, so you are wrong on this.
The biggest threat to security these days isn't in the OS anymore, it's mounted between the keyboard and the chair.
Still the same disrespect for the user. And you are totally wrong on the matter. The culprit is still the OS.
In an OS that is well designed, opening any attachments does not pose any security threat, even if they are executable binaries, as no email reader on these OSes can execute anything in an email.
You are one MS shill to put the blame on innocent users, when the OS is at fault. I'm sure you are of those that then assure that Windows is easy to use with a straight face.
In this respect, Linux (or any *nix for that matter) can be considered more secure than Windows, but only until a competent administrator restricts local users to non-admin-equivalent accounts.
BS, it won't make any difference. IIRC Outlook or OE will still work in privileged mode.
Then things rapidly return to something amazingly close to equality.
To this day, it is still wishful thinking.
The corollary would be to give root-level privileges to common users and see how long the vaunted *nix security model holds up. Hint: it isn't nearly as long as we'd like. You're just one shell-script attachment away from disaster when a user gets an email instructing them to save the attachment off, chmod +x it, and execute it, not knowing it contains the ever-useful "rm -rf" command inside.
This is one very stupid example. So you compare a mail like this, where there is NO incentive to do anything, to a mail where the attachment claims to be pictures of Paris Hilton's hoo-ha?
You compare one click to a message that actually gives you work to do?
And you say people will be as eager to do all this work?
Here in the real world, the fact is that the social engineering trick is far from being effective on anything but Windows, which is really badly designed, allowing a thing as stupid as INFECTING THE SYSTEM WITH ONE CLICK, FROM AN UNTRUSTED SOURCE.
When on Linux for example, everything is one click away too, EXCEPT executing things.
So contrary to your flawed example, you are not just one shell script away from disaster, you are at least 3 tedious actions away from disaster.
Worse, your example is even more flawed, when no virus writer has any incentive to do these things.
Because what you describe is not a virus nor a worm, as the first people to receive it will not spread anything, just destroy its data. It makes no sense really. Let's say it spread anyway, if such things were the norm, most Windows boxes would be wiped out right now.
You don't believe that a user would actually do something so stupid as to execute commands outlined in an email body? What have you been smoking lately...of course they would.
Of course they won't. Stupid people like that won't even find how to launch the terminal, what have you been smoking lately?
If *nix ever became as ubiquitous as Windows is now, it would assuredly happen, I'll set my watch and warrant on it.
And I already explained why it won't happen. You didn't explain anything, and just try to scare people, with BS fortunately. True MS shill.
You're crossing into entirely new territory with this one.
1. As I stated in my last post, I'm fully aware of user stupidity. That does NOT invalidate the value of having good security systems.
2. I accept that you don't blame UNIX, but you go on to say that Windows is not responsible for its poor security. That's asinine. Windows, given that they cater to a particularly retarded genre of computer user, should not have its users dancing over razor blades and hot coals.
I could draft an e-mail to thousands that would tell them that switching from 110v to 220v on their power supply would result in a speed boost. I'm sure there would be plenty of gullible people who would flip that switch, but does that mean that it's just fine to make that switch a huge toggle switch, rather than a small switch behind a steel plate that requires utility and intention to move it?
I never asserted that Windows is impossible to secure, but if you want to start getting into this debate, might I remind you that the OSS model has a demonstrated advantage over closed source solutions. The reasons are vast and numerous, and I don't feel compelled to repeat the lecture here.
Microsoft sells a car that has cheap windows and shitty locks. If you're willing to spend the time (and often in their world, the money), you can upgrade the shitty locks and weld steel over the windows. Me, I'd feel better off with my free tank.
The only thing I hate more than Microsoft's mediocrity is its apologists who believe not only that it is in our nature as computer scientists to be imperfect, but that given our nature as humans we might as well not care at all.
1. As I stated in my last post, I'm fully aware of user stupidity. That does NOT invalidate the value of having good security systems.
We are not in disagreement here. However, you're assuming that having good security systems equals having good security. That is a non sequitur. You can have wonderful security tools, but without good knowledge of how to use those tools, they are essentially useless. Is the default firewall with FC4 good? Absolutely, but it's fantastically easy to screw it up if you don't know what you're doing. The default firewall for XP SP2 is very good as well, but it's also easy to screw up if you don't know what you're doing. For its part, however, Windows does at least attempt to warn you if you're doing something stupid, whereas iptables will remain quite mute if you do something that will make your box a hacker paradise. It's usability that matters here, not ultimate capability. Having a 2000hp engine is rather useless if the driver can't figure out how to start the car.
2. I accept that you don't blame UNIX, but you go on to say that Windows is not responsible for its poor security. That's asinine. Windows, given that they cater to a particularly retarded genre of computer user, should not have its users dancing over razor blades and hot coals.
As opposed to *nix, which only caters to a specific uber-breed of user that understands awk, sed, and grep. Sure, there are advantages to restricting your user base, and if *nix wants to stay in the
I could draft an e-mail to thousands that would tell them that switching from 110v to 220v on their power supply would result in a speed boost. I'm sure there would be plenty of gullible people who would flip that switch, but does that mean that it's just fine to make that switch a huge toggle switch, rather than a small switch behind a steel plate that requires utility and intention to move it?
Depends on your ability to handle support calls. Putting steel plate over said switch will undoubtedly increase your support calls by an order or two of magnitude, all from "a particularly retarded genre of computer user" that expects you to have put such a switch in plain view. Couple your idea of hiding the switch with some obtuse, cryptic documentation (or none at all) as is often the case on *nix systems and you have a recipe for total user frustration. They will give up and go to someone else that doesn't make their lives so miserable when trying to do the most elementary things. If you want to run people away, go right ahead. Just give up on your whole "OSS will take over the world!" mantra while you're doing it.
I never asserted that Windows is impossible to secure, but if you want to start getting into this debate, might I remind you that the OSS model has a demonstrated advantage over closed source solutions. The reasons are vast and numerous, and I don't feel compelled to repeat the lecture here.
Ah, yes...that "million eyeballs" rationale. Now, remind me again why we're still seeing kernel-level security holes found in pieces of Linux code that haven't been touched or modified since kernel 2.0? Oh, yes, I forgot...it's because millions of eyeballs have been staring at the code for years and all of them have consistently been missing this stuff right in front of them.
Sorry to burst your bubble, bub, but your theory remains just that: theory. It is far from provable fact as you assert. In fact, there's ample evidence to show that OSS is not demonstrably better than closed models when it comes to the number of bugs and exploits found over time. The one -- and only one -- advantage most OSS has over closed source is time to patch. Most OSS packages are patched almost immediately after a vuln is found, whereas closed source usually takes days or weeks -- sometimes months or never. Of course, the OSS guys are missing something rather huge, namely regression testing. Closed source commercial software, on the other han
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
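On the point in the comment above that iptables stays silent about a ruleset that leaves the box open: an added example (not from the thread, and not part of iptables) of a small check an administrator could run over `iptables-save` output. The rulesets are constructed samples, and the function name and finding labels are hypothetical.

```python
import shlex

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: an accept-everything rule sits above the rules that
# were meant to restrict access, so the final DROP is never reached.
SHADOWED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

# Constructed sample: one allow rule, but the chain policy still lets
# everything else through.
DEFAULT_ACCEPT_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: default deny with explicit allows.
DEFAULT_DENY_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def lint_filter_chain(ruleset: str, chain: str = "INPUT"):
    """Return (finding, rule_number) pairs for one chain of the filter table.

    accept-all        an unconditional ACCEPT rule
    unreachable-after rules below an unconditional terminal rule never match
    default-accept    no catch-all rule and the chain policy is ACCEPT
    """
    table, policy, rules = None, None, []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        if table != "filter":
            continue
        if line.startswith(":"):          # chain policy, e.g. :INPUT ACCEPT [0:0]
            name, chain_policy = line[1:].split()[:2]
            if name == chain:
                policy = chain_policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            if tokens[1] == chain:
                rules.append(tokens[2:])

    findings = []
    for number, args in enumerate(rules, start=1):
        # iptables-save writes match options before -j, so a rule whose
        # arguments start with -j matches every packet.
        if len(args) > 1 and args[0] == "-j" and args[1] in TERMINAL_TARGETS:
            if args[1] == "ACCEPT":
                findings.append(("accept-all", number))
            if number < len(rules):
                findings.append(("unreachable-after", number))
            return findings
    if policy == "ACCEPT":
        findings.append(("default-accept", 0))
    return findings


if __name__ == "__main__":
    for name in ("SHADOWED_RULESET", "DEFAULT_ACCEPT_RULESET", "DEFAULT_DENY_RULESET"):
        print(name, lint_filter_chain(globals()[name]))
```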