Linux Is Not As Safe As You Think (betanews.com)
BrianFagioli writes via BetaNews: Would you be surprised if I told you that threat methods for Linux increased an astonishing 300 percent in 2016, while Microsoft's operating systems saw a decrease? Well, according to a new report, that is true. Does this mean Linux is unsafe? No way, Jose! There are some important takeaways here. Microsoft's Windows operating systems are still the most targeted platforms despite the year over year decline -- far beyond Linux. Also, just because there is an increase in malware attack methods doesn't necessarily mean that more systems will be infected. Let us not forget that it is easier to find a vulnerability with open source too; Microsoft largely uses closed source code. "At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down. In October, the Mirai code appeared freely available on the Internet. Since then, the AV-TEST systems have been investigating an increasing number of samples with spikes at the end of October, November and beginning of December," says AV Test of the Mirai malware. "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices. The detection systems of AV-TEST first detected the Tsunami malicious code in the year 2003. Although, at that time, practically no IoT devices existed, the Linux backdoor already offered attack functions which even today would be suitable for virtually unprotected attacks on routers: In this manner, Tsunami can download additional malicious code onto infected devices and thus make devices remote controllable for criminals. But the old malware can also be used for DDoS attacks. The Darlloz worm, known since 2013, as well as many other Linux and Unix malware programs, have similar attack patterns which AV-TEST has been detecting and analyzing for years."
didn't take no guff
water ought to be clean and free
so he fought the fight and he set things right
with his openBSD
Of course is it really the fault of the operating system when the PUBLISHER'S WEBSITE is hacked and contaminated distros have to be downloaded for it to work?
Seven puppies were harmed during the making of this post.
Baby Timmy grew 300% but Uncle Bob shrunk 5%. Who is bigger?
This isn't a "Linux problem," it's a "proprietary vendors using Linux and not passing on patches in a timely manner because money problem."
Linux is exactly as safe as I think it is, though. That's why I'm careful to lock it down just as I would any other system.
Resistance is futile. Reactance buggers it up.
The DSL router issue was /that/ distro, not linux as a whole. That's like lumping Adobe Flash issues in with WinXP issues.
At least I can see the holes in swiss cheese. Unlike the MSFT "processed" cheese-like product.
Thank you IoT vendors who don't maintain their devices for creating a breeding ground of consumer-grade security holes. Let us all pray that these widgets aren't internet facing in some way and that the consumer grade routers are sufficient at keeping external attack vectors to a minimum. There isn't much we can do for consumers who like to click on internet candy to infect themselves.
I don't know how much swiss cheese Linux is, but I do know that as things like routers get more and more powerful, the desire to attack them will grow and grow.
Back before Win3.1+Winsock and Win95, there were almost weekly CERT advisories about unix-based exploits, but as Windows grew to dominate on the internet (at least by users) it switched to almost weekly CERT advisories about windows-based exploits.
It isn't that any of these things is secure. My money would be on OpenBSD being the most secure, but that's based on data collected in a world where hardly anybody would waste their time attacking BSD (even Apple's BSD derivative gets more attention.)
I hope there is a return to ROM rather than FLASH/EEPROM for devices like home routers... but... I also hope the Democrat party disappears the way the Whigs did. Hope doesn't always translate into reality, but on both these issues there might be a chance.
"His name was James Damore."
Stupidest story ever.
that a particular brand of car can be stolen easily if you leave them parked on the street with the door open and the keys in the ignition.
because that's what router and IoT etc manufacturers did with default passwords and backdoors and generally undermining security for the sake of convenience (mostly their own convenience, not their customers')
Nobody will ever hack CP/M
Nobody will ever hack MS-DOS
Nobody will ever hack Windows
Nobody will ever hack Macintosh OS (iOS)
Nobody will ever hack.
Security is not the same as obscurity.
-- Tigger warning: This post may contain tiggers! --
Linux, unlike Windows and Apple's iOS, *can* be made much more secure with a little bit of effort.
How? By not using monolithic kernels that support every device in creation, and stripping the kernel down to what is installed on the system -- especially with things like IOT devices. If it isn't installed, it doesn't need patched, it can't break, and it can't be exploited.
Ditto for added software and apps. Take a look at many of the Linux-based router firmwares out there, both sold by commercial vendors and FOSS projects, and you'll see attempts to compete with high-end Cisco feature sets for home or small business use.
Having that available is great! However, turning all of that on by default, and user thinking they should get something not because it suits their needs but because it supports 10,000 features, gets you a complex, insecure mess.
With Microsoft and Apple you can't remove many of those features. The company controls it and, Enterprise customer with a decade experience or not, you will damn well have Telemetry and like it! And dozens of other "features" that you'll never use, don't want, and just are waiting to get exploited.
Linux gives you the ability to shape much of your own system, including making it much more secure than a run-of-the-mill device. Whether or not you take the time and effort to do that is up to you.
I've seen way too many Linux-based routers and gadgets that are exposed to a network and still have default admin passwords to blame "Linux" for security headaches.
Learning HOW to think is more important than learning WHAT to think.
They have no idea what I think.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
He said "like the whigs did". The Democratic-Republicans opposed the Whigs. If the Democrats fell apart like that, the two parties would be one based on the more popular parts of Republicans and Democrats combined, and another based on the core of the Republicans.
Nothing about that makes a one party system. Our election system guarantees two parties, by game theory. Not one, not three.
Almost all the major infections, back-doors and security problems are the result of the userland, improper implementation of the kernel, bad firmwares, lack of security knowledge, improper development, sloppy implementation and etc... etc... etc..
To say Linux is more insecure than Windows, means that the kernel, as released by Linus, and nothing else, is insecure. Well some security issues are discovered residing in the kernel, almost all other attacks and vectors have nothing to do with the base release kernel.
Please compare apples to apples...
>"At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were "
How many routers run MS-Windows?
> "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices."
How many IOT devices run MS-Windows?
Routers and IOT devices are notorious about having crappy firmware with Linuxes that are hacked up and rarely (or sometimes never) updated. Comparing those to desktops and servers is much less a function of the security of Linux and more about the lack of maintenance and updates with the unusual role of the devices.
Sure, *ALL* operating systems have security risks and vulnerabilities. Anyone that thinks Linux (or any OS) is impervious to malware and safe needs to have their head examined. But the sensationalistic article title isn't really comparing machines of the same class, so it doesn't do the topic much justice.
"...unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down."
Linux. You keep using that word. I do not think it means what you think it means.
It's an absolute joke to lump in devices that most people who actually use Linux would define as one fucking step above the Internet of Shitty Things from a security perspective.
SystemD?
So rise up, all ye lost ones, as one, we'll claw the clouds.
Going from 1 threat to 3 is a 300% increase. Going from 1000 to 999 is a decrease. (Numbers arbitrary)
Guess which one I'd prefer?
-- Alastair
The "increases in security issues" are not related to Linux. They are related to third-party systems which run on top of Linux. This is in stark contrast to the never ending array of vulnerabilities that are essential parts of the Windows operating system.
Apples and Oranges.
This is a silly write up. There are three times more malware programs targeting Linux systems. That tells us nothing about the number of Linux vulnerabilities, or the number of vulnerable systems, or the general security of the system.
I prefer this story to the political or climate stories that he posts. Had some good moments in the Intel IoT thread earlier, but of late, too many /. stories are about politics or climate (which in itself is a route towards bashing Republicans)
Linux[Redhat[1,537]/Debian[1,120]...2,657 total]
You can't just add them up. Many, if not most, will be the same vulnerabilities.
Red Hat gets a few more because of their long life cycles: 10 years, plus a few years more if paying for extended life cycle support, compared to Debian LTS being five years plus however many months to match the next LTS release.
That means more risk of old software bugs being discovered and patched in Red Hat. Which is not a bad thing.
Some ought to try to exploit the system.
In itself, that is a good reason to start using it.
e retards.
So, first indicator for incompetence already present: Author does not even know basic terminology. Second thing is that Linux is not inherently more secure than, say, Windows, but the mind-set of application developers is better and it is far easier to secure. It is also easy to make completely insecure, but a competent person will find it far easier to have a secure Linux installation than with the competition, because Linux gives you access and allows you to do things, while with, say Windows or OSX you are pretty much at the mercy of the OS vendor.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
A router running an OS that probably hasn't been patched in years, thus containing multiple vulnerabilities long ago patched, is hardly the same thing as an OS full of holes. That's like condemning Windows because of unpatched vulnerabilities in Windows XP and Vista.
Here's a tip. Don't buy shitty routers running years-old firmware, and expect that somehow the magic update faerie is going to make the vulnerabilities go away.
The world's burning. Moped Jesus spotted on I50. Details at 11.
"I never turn it off 30 July 2014 12:21:54 AM"
Ever heard of a command called 'uptime' ?
Not to mention many of the holes are in vendor add-on software, not in Linux itself.
There's something to be said about years-old firmware, however. For a device like a router, turning off all unnecessary services, closing everything off and then opening things as needed, and only patching security vulnerabilities... never upgrading anything unless you have to to get the security fix... is actually a good strategy. On commercial routers what you do is stay current on an old release chain.
This is because a very large proportion of bugs are introduced with new features, and you'll never be exposed to them if you never install that feature... meanwhile security on average do increase your security, believe it or not. So the most secure systems end up being the older codebases with up to date security backport patches.
Lately Linux has been dinged a lot for privilege escalation bugs. These are mostly secondary vectors that rely on another vulnerability in a service or client to get on the system in the first place. As transit devices, routers have very low surface area in these categories, if you take care to turn off the crap.
Someone had to do it.
The term "monolithic kernel" doesn't mean modules are statically linked. It means that the kernel contains the full interface to hardware in kernel space. In a microkernel architecture kernel space is used for less, device drivers, file systems etc. operate in user space.
The Linux kernel is modular and monolithic. The modular nature makes it possible to remove parts that aren't needed, but those parts still run in kernel space.
You mean like this?
ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
https://www.itwire.com/open-sa...
Linux has been attacked for years, there have been rootkits and exploits out there since the early days of slackware... Linux has had a significant presence on servers almost since its inception, and is now starting to make inroads in many other markets.
On the other hand, what people think of as "linux" in this context is a multitude of different versions of the linux kernel with various modifications and all manner of different userlands running on top. Literally anyone can build a linux-based system and pile whatever garbage software they like on top of an ancient version of the kernel.
Windows on the other hand comes from one place, in a small set of versions, and all of the vulnerabilities attributed to windows are present in this version and usually in a default configuration.
Microsoft fully control the versions of windows being released, and if a third party produces a device that bundles a windows install but has some additional vulnerable software running on top of it or a stupid default configuration (eg default passwords) that vulnerability is blamed on the device vendor and not on windows.
There is no shortage of such devices, and they routinely get compromised not only due to their own poor configuration but also because of vulnerabilities in windows itself (eg eternalblue).
When it comes to embedded devices, Linux is massively more widespread than windows, most people are likely to have more linux devices than windows and usually don't even realise it, only a subset of these devices are getting compromised because the manufacturers of those devices make stupid mistakes when building them and then fail to either provide updates, or provide a user-friendly way to apply them.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Could we please stop referring to it as an operating system? Of course all the Linux/GNU/etc distributions that shove every beta/alpha software into their distributions are unsafe. There is no way to secure millions of lines of new code. Look at a seasoned distro (who does not use avahi/wayland/systemd/other crap code.) and you will see a much securer OS which has actually had a DECREASE in vulnerabilities.
Technically speaking, the data is skewed by malware numbers for IoT devices. Actual Linux boxes may be quite secure if you don't strip them down to a few libraries like the OS versions that ship with IOT crap.
So you'd like a potentially exploitable version of the router software burned into an unpatchable ROM.
I'd agree with you if you wanted to go for user replaceable ROM. Still doesn't stop RAM resident malware. Sure, a restart would work, but that's usually only done when the wifi drops out.
If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
Is it Microsoft's fault for making such a good product, people still want to use it 15 years after release and 2 years after support has ended? It's rare to see something so beloved come from Redmond. It's probably second only to 7 with Hotmail trailing in 3rd
If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
"such a good product"? In usability terms yes, it was great and still is. As a measure of "good", however, usability is not the only one I pay my money for. I tend to include security alongside it with the same weighting. Oh, Linux is winning now by my scoring. Surprise.
Couple this with the fact that the only reason the world is using it in such volume is good marketing and grotesque hog-tie deals with manufacturers leaving the consumer no other choice.
Let's be careful with "good" and not devalue it, please.
There are two kinds of company: those who know their servers have been compromised, and those who don't know.
(We used to say this in the security group at a big company in New York that almost certainly has better security than your company.)
It's not that XP is a good product, it's that it was followed by Vista, and having learned from that fiasco, people avoided Windows 7 until it was proven that it wasn't simply another Vista.
Unfortunately, just as people were starting to plan the switch to Windows 7, Microsoft started promising that Windows 9 would be much better, and people decided to wait.
Then when people saw that Windows 10 was another fiasco, and started considering Windows 7 once more, Microsoft started forcing Windows 10 upon Windows 7 users, and decided that XP was the safer choice.
Is Windows XP really less secure than any of its successors, if you consider all the people who came home to find Windows 10 installed without their consent as malware attacks, along with all the spyware in Windows 10?
Anyone can easily reduce the attack surface of the linux instances you choose to deploy by simply
a) only compiling in the drivers/kernel features required
b) only installing just enough in userspace to do the job, and
c) running shit with least privilege
Not so easy with windows...
The fact so much cheap crap out there was pushed out by manufacturers that give zero fucks towards basically securing their provided OS is not a reflection on the kernel/OS as a whole.
I can disprove that.
It's much safer than Windows. 'Nuff said.
We'll stop lumping userland issues with Linux when everyone else stops lumping idiot users executing ransomware and then clicking the yes box in the UAC prompt in with Windows.
When you click on mail links, they do not run.
That by itself is why Linux avoids the main entry point that Microsoft refuses to close.
Life is not as safe as you think!! News at 11...
I personally would love to see the Tea party split off, and then the moderate centrist Republicans and Democrats create a new party, and the liberal left fold into its own party. With 2 or 3 centrist parties, we might finally get to a point where we have reasonable politics again, and a big error like Trump would not happen again.
The cesspool just got a check and balance.
It's a turd and I keep finding bugs in it and relatively obvious ways to break it. Apparently no one writing systemd actually tests their code before checking it in.
For a device like a router, turning off all unnecessary services, closing everything off and then opening things as needed, and only patching security vulnerabilities...
Is actually the correct answer for any device. Services that you don't need, like about 80% of those on a windows box, are just additional vectors begging for an incursion. Even XP can be locked down pretty tight to about 8 services. In that mode, and not running any MS applications, you're actually relatively secure for a windows system. But MS is about everything and the kitchen sink, now enforced in Win10, along with a forced new feature acceptance schedule. That's the opposite of being able to secure your system.
The cesspool just got a check and balance.
This is not a news article, it is a propaganda piece. It is written with the angle of getting certain sequences of word to be read by the largest number of people possible.
The summary starts out using a term that I have never heard before and I work in that specific industry. In specific, what is the term "threat methods"? Each word is sensible and combined they are also deceptively sensible. They are measuring "threat methods" but do not give a definition for what they are measuring so we can determine the accuracy of the statement. They then go on to say that a Microsoft based operating system has seen a decline in these "threat methods" while Linux has seen an increase of them.
The article writer has not even defined what is being measured here. How can such claims of "seeing an increase" or "seeing a decrease" be validated if there is no definition of what "threat methods" are?
Why are most "news" articles of the same nature? They seem like they are saying something but when investigation occurs, it all disappears like fog on a Sunday morning; however, some incredible claims are made based on this "fog".
TL;DR This is a puff piece designed to make you fearful of using Linux and supporting your decision to use a Microsoft product instead. Nothing more.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
MS targets declined by 13%, yet total threats still went up.
Implications are that MS targets did, in fact, go up, too, yet, not as much.
10% of 20,000,000 is a much larger number than 10% of 200,000!
Does anyone get a sense of the real effect of targeted percentages?
I know my android phone suddenly gets very sluggish lately. And I do not use it for secure personal stuff.
Self-importance and self-indulgence is the root of ALL evil.
There may not be a question mark at the end, but it's an obviously implied question. "I don't get it, would someone please explain it to me?"
There is no application, OS, interface, etc that is immune to tampering.
This is why we have defense in depth strategies on the enterprise side. You put layers between a potential attacker and the data he may want, and you pray that one of those layers is something he can't crack yet.
If modern Linux distros have greater known vulnerability, it only means one thing: Microsoft is finally delivering on their promise to make Windows more secure. It's certainly taken long enough.
The increase in attacks on Linux is partly the result of its adoption as the platform-of-choice for IoT devices, which makes Linux exploits more valuable due to the increased number of devices and the longevity of those devices.
Worms and botnets target mismanaged devices because they intend to use them as resources. Well-managed and audited devices will get wiped, or else the malware will be turned over to security experts and AV companies---both cases are bad for the malware operator.
Now that Linux is running on this "unmanaged" hardware, it is low-hanging fruit too---and therefore a valuable target.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Please, just fucking stop. "See subject". Jesus fucking Christ. WE know how to read and write, you don't. "P.S=>" again, WE know how to read and write, you don't. Stop, stop, stop fucking spamming us with your nonsensical drivel. Learn what the rest of us learned in grade 2 about basic writing. I pity any of your family members. I wouldn't be able to deal with your issues.
Meh... With some work, you can secure XP well enough. Depending on your security needs, there are a variety of products, methods, and services. I've been using Linux exclusively, for years, and I still have some fond memories of XP.
"So long and thanks for all the fish."
> one terrible outlook, to the next.
See? You should use Thunderbird.
"So long and thanks for all the fish."
No, you're flat out wrong. Just because you misunderstand something, doesn't mean it has dual meaning, it just means you're wrong. But go ahead and argue with Linus Torvalds, who has made this distinction specific to kernel, not OS.
Microsoft sells PCs and laptops without bloatware (Signature line) and have these images available to OEMs. It's HP who bundles the trial software in that case. Other Linux distributions have default browsers and search pages, not sure your point.