Unofficial empeg BBS

#128260 - 27/11/2002 07:54 Windows is more secure than Linux?
robricc
carpal tunnel

Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Yesterday's news. I'm not sure what they're smoking.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=27428

Hey Bitt, is unsecure a word?
_________________________
-Rob Riccardelli
80GB 16MB MK2 090000736

#128261 - 27/11/2002 10:01 Re: Windows is more secure than Linux? [Re: robricc]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
Don't know what they're smoking, but I wouldn't be shocked if they bought it with M$ dollars.
_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.

#128262 - 27/11/2002 10:06 Re: Windows is more secure than Linux? [Re: robricc]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Looking at the tiny bit of information there, they did what so many other reports did in the past. They say that Linux = Microsoft Windows. That is an unfair comparison, as on the Linux side, that typically binds all the variants together for thousands of possible programs to have vulnerabilities. SuSE Linux alone has 7 CDs now to contain all the software it can install. Now if these reports grouped the Windows vulnerabilities with the IIS, SQL, Office, Exchange, IE, and other vulnerabilities, it would paint a different picture.

The key thing that tipped me off to this? This part of the article:
    First, the Aberdeen Group says that Windows-based Trojan horse attacks peaked in 2001, when CERT released six such advisories, then bottomed out this year, when CERT didn't issue any alerts. However, Trojan horse-based attacks on Linux, UNIX, and open-source projects jumped from one in 2001 to two in 2002.
I personally know of more than 0 Trojan attacks that came out this year for Windows and its associated programs.

And FYI, any trojan on a Unix based OS (including Mac OS X) will only be able to screw over your personal files without being easy to spot. In Mac OS X, if something requires root access, it pops up an authentication box identifying the program, and asks for your password, even if it's blank. Of course this is similar to the ActiveX warnings that so many Windows IE users ignore.

#128263 - 27/11/2002 10:50 Re: Windows is more secure than Linux? [Re: robricc]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
I've never been one of the people who bought the idea that Windows was less secure than Linux or vice versa.

Any networked operating system is going to have security holes that need to be patched. Windows was a big fat target with more hackers pounding at it. So it had a lot of published exploits. Microsoft has started to get their act together and is getting better about security holes. So it makes sense that Linux is getting more targeted now.

When you're asking the question "how secure is it?", the argument between open-source and proprietary security models is pointless.

The real questions are... How does one take care of the inevitable security problems which will crop up in both OSes? How much work must you do to harden the OS when you first install it? Does the OS come installed with a bunch of unsecure defaults? How easy is it to remove unsecure processes from the box? How easy is it to detect intrusion when it happens? How quickly can you patch the OS when a hole is discovered? How easy is it to track the hacker's damage and repair it?
_________________________
Tony Fabris

#128264 - 27/11/2002 11:06 Re: Windows is more secure than Linux? [Re: tfabris]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
    Any networked operating system is going to have security holes that need to be patched.

Agreed. No piece of code above a few thousand lines will ever be flawless.

    Windows was a big fat target with more hackers pounding at it. So it had a lot of published exploits. Microsoft has started to get their act together and is getting better about security holes. So it makes sense that Linux is getting more targeted now.

Agreed as well. Many people have the perception that market share is the main driving force, and that is a factor. However, exploitability is a bigger factor as MS has quite a few more problems on the Web Server front than Unix with security. MS has never had a majority market share on the web server front.

    When you're asking the question "how secure is it?", the argument between open-source and proprietary security models is pointless.

No it's not. With closed source software, you have to wait for the company that made the code to patch it. If they went under, and took their code to the grave, you then either have to live with the problem, or move to new software. Open source software can be, and routinely is, fixed by others. Plus Open source software is usually patched quicker, as there is no initial need to compile the program to get the fix out. Open source does have the problem that people can just look at the code to find vulnerabilities, but in general there are more people doing this and fixing the code than there are people releasing vulnerabilities.

    ... Does the OS come installed with a bunch of unsecure defaults? ...

The answer to most of these is that generally MS software is still in the mindset of enable everything at install, disable it later. Patches for problems take longer to obtain on the MS front, and some patches sneak in legal rights changes (IE the Media player security patch that prevented MP3s from running scripts added a note to the EULA granting MS the permission to delete your media at any time if it was deemed in violation of DRM crap). In general, the statement of "Microsoft's future is Unix's past". Most Linux distros that I have installed in the past two years default to the proper method of disabling everything, and letting the admin enable what is needed later. Other Unix variants have been doing that even longer. MS is now only thinking that this is a good idea with .Net server.

#128265 - 27/11/2002 11:16 Re: Windows is more secure than Linux? [Re: tfabris]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
    I've never been one of the people who bought the idea that Windows was less secure than Linux or vice versa.

    <snip>

    When you're asking the question "how secure is it?", the argument between open-source and proprietary security models is pointless.
But the security implications surrounding Linux have little to do with open-source software development. They have to do with the basic security model of Unix. For example, many of the security issues that have come out about Linux have also come out about Solaris, HPUX, Tru64, etc., all of which are not much more open-source than Windows.

Regardless, I think that you're wrong in your statement. There have been any number of closed-source products that have had back doors in them intentionally placed there by the developers. Years later, someone stumbled onto them and reported it. No one knows how long disreputable people sat on it and used it. If such a thing existed in an open-source program, it would be discovered very quickly.

In addition, are you going to trust some cryptographic process for which you don't know the algorithm or implementation? If you are, you're a sucker.

There are a number of other similar issues. The problem being that there may well be and probably are as many security issues in closed-source software as in open-source, but the only way to find them in closed-source software is to stumble on them, possibly by taking educated guesses about where something might go wrong. Not knowing about security problems in a product does not make those problems nonexistent.
_________________________
Bitt Faulk

#128266 - 27/11/2002 11:17 Re: Windows is more secure than Linux? [Re: drakino]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
    No piece of code above a few thousand lines will ever be flawless.
I submit TeX as the exception that proves the rule.
_________________________
Bitt Faulk

#128267 - 27/11/2002 11:18 Re: Windows is more secure than Linux? [Re: drakino]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
    With closed source software, you have to wait for the company that made the code to patch it.

Right, which is what I consider to be the more critical question (as I implied in the remainder of the message). And which I consider to be a different question than "is open or closed source inherently more secure?"
_________________________
Tony Fabris

#128268 - 27/11/2002 11:51 Re: Windows is more secure than Linux? [Re: drakino]
Tim
veteran

Registered: 25/04/2000
Posts: 1525
Loc: Arizona
    Most linux distros that I have installed in the past two years default to the proper method of disabling everything

This must be a real recent development. A couple of years ago my brother installed Red Hat (which was rapidly gaining popularity at the time - might've been 6 or 7). He called me up to have me walk through locking it down for him. I was appalled at how many services were running by default. Every single one of them (it was the first experience I had with Red Hat since not getting RH4 to install and giving up on it).

The 'more secure by default' argument has always been a sore point with me. Some (most?) Linux zealots (not necessarily advocates, but definitely the zealots) would argue until the end of the world that Linux was more secure by default, even though every service was turned on (I never could figure out what use the single workstation had for Bind anyway).

How secure a system is depends a great amount on the sysadmin of that system. You can have OBSD installed, and with a bad admin, it could be more vulnerable than a stock install of W98. That's just scary. The only way to really, truly have a secure system is to unplug it from the network, turn it off, lock it in a safe, and bury it in a concrete vault 20 feet under the earth. Of course, that just shoots the usability of the system straight to hell.

#128269 - 27/11/2002 12:37 Re: Windows is more secure than Linux? [Re: Tim]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
My ISP codes his wireless routers using Debian, he says it's the most secure distro. I don't know anything about that myself...
_________________________
Tony Fabris

#128270 - 27/11/2002 12:53 Re: Windows is more secure than Linux? [Re: tfabris]
Tim
veteran

Registered: 25/04/2000
Posts: 1525
Loc: Arizona
Debian is also maintained by a bazillion people who contribute individual packages. These people who contribute the packages could have their own agendas, and deliberately create backdoors. Does that happen? I don't know, but the possibility is there. I'd submit that based on their development model, Debian isn't the most secure.

#128271 - 27/11/2002 13:12 Re: Windows is more secure than Linux? [Re: Tim]
Daria
carpal tunnel

Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
You assume that no one else is overseeing anyone else's packages.

I'm not currently using Debian, but that's not at all why.

#128272 - 27/11/2002 13:14 Re: Windows is more secure than Linux? [Re: Tim]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Well, since he's using a stripped down version of Debian to run from flash (much like another product we know), perhaps he's just referring to the base kernel and a few packages he's approved himself. Like I said, I dunno exactly what he's doing with it.
_________________________
Tony Fabris

#128273 - 27/11/2002 13:15 Re: Windows is more secure than Linux? [Re: Daria]
Tim
veteran

Registered: 25/04/2000
Posts: 1525
Loc: Arizona
You are probably right, but the possibility exists. That is why I used to swear by Slackware though, all the packages were looked at by a single person (who had the biggest/best reason for wanting the best possible distro - it was his own).

#128274 - 27/11/2002 15:25 Re: Windows is more secure than Linux? [Re: Daria]
SuperQ
addict

Registered: 13/06/2000
Posts: 429
Loc: Berlin, DE
I've been running Debian as a server, and on my desktops for years now.. I have never heard of a case of a backdoor being put in a Debian package.. the Debian security team is very thorough, and the structure of the group provides a great way for things to get checked out before they hit release.

Debian is very well known for its security and stability. The only thing people complain about is the old-style text installer.. and its slow release cycle (stability is favored over bleeding edge software)

To become a Debian maintainer, you must prove yourself by building your packages to some fairly high standards, submitting them for review, and then waiting for them to be approved. This isn't an easy process.. I know several Debian developers, and they are very talented people.

As far as the previously commented Red Hat security, the security in Red Hat 7.x and newer comes from a set of good default firewall rules.. the services are running, but unless you explicitly turn off the firewall, the only inbound connections allowed is DHCP.. even ssh is defaulted to not allow from outside.

And with current Red Hat 7.2 and later, you get Red Hat update, which is very similar to Windows Update, and provides an icon that shows you the status of the security patches.. a nice little red exclamation point is shown when things need updating.
_________________________
80gig red mk2 -- 080000125
(No, I don't actually hate Alan Cox)

#128275 - 27/11/2002 15:33 Re: Windows is more secure than Linux? [Re: tfabris]
SuperQ
addict

Registered: 13/06/2000
Posts: 429
Loc: Berlin, DE
From my point of view, open source is more secure. Here's my reasoning.. Bug fixing requires exposure, and the best exposure is to do source code reviews. Most commercial development is done with just enough code review to make the program usable. Open source has the possibility to be reviewed by many times more people. Especially true for popular projects.

I also find the number of back-doors, and other intentional flaws in open source to be fewer. My observation only. Tho the source-tainting problem with several pieces of open source code have worried me lately. Sometimes it is found quickly, sometimes it takes a while. But at least the problems are out in the open, and not hidden away by the PR department of some company.
_________________________
80gig red mk2 -- 080000125
(No, I don't actually hate Alan Cox)

#128276 - 28/11/2002 05:02 Re: Windows is more secure than Linux? [Re: SuperQ]
frog51
pooh-bah

Registered: 09/08/2000
Posts: 2091
Loc: Edinburgh, Scotland
I would also like to add that by numbers, in my experience, Microsoft type networks/machines are the hardest to secure for many reasons. Certainly, a well configured Windows2000-only network can be pretty secure, but for the same amount of effort a Solaris, Linux, HPUX . . . . network can be hardened so much more.

From the IT Security Audit point of view it is also a lot easier to grab the specifics which need fixing - with a MS environment there can be so many hidden flaws that a little "ethical hacking" is often the only way to get a good feel for the vulnerable areas.

As far as disclosure of holes/vulns goes - open source wins hands down. The fights I have had with vendors like MS to get increased notification, faster patch cycles etc are so tedious. With open source products, the contributors seem to fight to be the first to fix any issue - which makes for a speedy fix.
_________________________
Rory
MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi
MkII, 240Gb in Mark Lord dock
MkII, 80Gb SSD in dock

#128277 - 28/11/2002 14:11 Re: Windows is more secure than Linux? [Re: wfaulk]
fvgestel
old hand

Registered: 12/08/2000
Posts: 702
Loc: Netherlands
    In addition, are you going to trust some cryptographic process for which you don't know the algorithm or implementation? If you are, you're a sucker.
I agree if you mean it is used to secure confidential account information; i.e. passwords, which are used over a network. I don't mind if an application is password protected and stores its password garbled with its own algorithm.
When I started using Linux, there wasn't a shadow file. Encrypted password hashes were clearly visible in the password file. The machine was connected to a corporate network. When more people started using the machine (+/- 50 accounts) I started worrying. I knew some people liked the challenge to beat the security of this thing, so I thought I should beat them at their own game. I modified the crypt function to subtract one from the salt and modified the password file. It took about 3 months before one of my colleagues noticed. He found out by encrypting his own password, which resulted, as expected, in different results. I think it is still in use for .htaccess files on one of my friend's webservers. This shows just one advantage of using open source software.

I think that the security of the system also relies on the implementation taken. I know that there are probably very few people who could break into a mainframe running MVS, which results in only the few most obvious security holes found. This can be evaluated in 2 contexts:
1 - The system is very secure. There are probably about 100 men who have the knowledge to get to the system that far.
2 - The system is very insecure. The biggest security holes are still unexplored. Any major hacker could get in.
Personally I'm not sure which one of the above is true. It's a fact that there has been an explosive growth in security reports lately, but I can also remember the security exploits for Novell 3/Solaris/. . Back then it was information that was only available to a small group of people, but now everyone's informed there's a major problem coming our way if you don't patch your system regularly.

BTW the guy sitting behind me at work is the IT-security officer. We've had some good fun snooping wireless keyboards.
_________________________
Frank van Gestel
