The World's Safest Operating System
Posted by
CowboyNeal
on Sat Feb 21, 2004 12:21 PM
from the torturing-the-data-until-it-confesses dept.
from the torturing-the-data-until-it-confesses dept.
fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."
This discussion has been archived.
No new comments can be posted.
The World's Safest Operating System
|
Log In/Create an Account
| Top
| 1014 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Fun and games with statistics (Score:5, Insightful)
This is not the best way to conduct research. When I was doing research at NIH we would say of this sort of thing, "After discarding all data to the contrary, the hypothesis was proven."
While this research may show that Linux servers are over-represented in overt acts of hacking, this does not statistically make the Linux OS the least secure. Attacking a particular system simply makes it popular for attack. In order to characterize Linux, or any other OS, as the least secure, there would need to be evidence that an equal amount of other OS's were unsuccessfully attacked or the success rate was lower. Other variables that would required controls would be the hacker, level of sophistication of attack, etc. etc.
To say that "...while Linux servers were the most vulnerable,,," only means that they may have been the most targeted. I am not saying that the conclusions of this research are incorrect, I am saying that from what I have read, they cannot come to those conclusions.
Keep Smiling!
Erick
Re:Fun and games with statistics (Score:5, Insightful)
Overt vs Covert (Score:5, Insightful)
(http://www.chriscanfield.net/)
They also don't list their methodology, which I find disturbing. Out of 17k successful, caught, non-automatic hacks, x were against these systems. However, they don't say where those 17k come from, and don't put it in the perspective of the percentage of those systems in use. If you go to their homepage, they list something called a SIPS (Security Intelligence Products and Systems) System. This data comes from "Personal Relationships at CEO, CFO, CIO, CISO level within the banking, insurance, and reinsurance industry... monitoring hacker bulletin boards... and anonymous communication channels." That's a pretty unscientific pool to be pulling data from. Essentially, you're talking about hacks that were either reported by friends in high places, friends in low places, or bragged about by hackers on publicly accessible bbses.
So if you want to take the survey methodology seriously, then the survey proves beyond a shadow of a doubt that Linux has more non-automated attacks involving changing publicly accessible interfaces that were caught and reported by friends to mi2g.
Re:Overt vs Covert (Score:5, Funny)
Hmmm, lets do some in-depth research of our own, then: Slashdot poll!
The last thing I hacked was:
I'm sure it would be at least as accurate ;)
Re:Overt vs Covert (Score:5, Funny)
Re:Overt vs Covert (Score:5, Funny)
(http://freestateproject.org/ | Last Journal: Tuesday December 27 2005, @02:08AM)
Re:Overt vs Covert (Score:5, Insightful)
(Last Journal: Friday February 21 2003, @08:57PM)
Exactly how would you discover an attack that was so successful as to not leave a trace? By definition such an attack cannot or has not yet been discovered or traced. Leaving them out is both inevitable and fair, because there are attacks against Linux that are similarly undiscovered.
So if you want to take the survey methodology seriously, then the survey proves beyond a shadow of a doubt that Linux has more non-automated attacks involving changing publicly accessible interfaces that were caught and reported by friends to mi2g.
I understand that anytime somebody publishes a Top N List the urge to compete externally is great, but why not ignore the others and simply use this as a data point to improve oneself?
Re:Overt vs Covert (Score:5, Informative)
(Last Journal: Friday February 21 2003, @08:57PM)
The original post reminded us not to forget that Windows or OS X boxes could have undiscovered exploits. I'm reminding that Linux can also have undiscovered exploits. By definition, we cannot know how many undiscovered exploits there are in each OS, so we cannot quantify and compare them. Therefore, we must ignore them and talk about the known exploits. Flamebait?
If anything will destroy Linux, it's fanboy groupthink that the OS is invulnerable. Every choice has a downside. Deciding to leave a service off by default probably makes it more secure, though less convenient. When there are numbers like these presented, it's exactly the time to review such choices to see if they are the right choices to make for your users. Flamebait?
Re:The things you seem to not understand. (Score:5, Interesting)
Every time some evidence of any UNIX, and especially Linux, being unsecure comes up there are people declaring that the evidence is faulty because UNIX is secure...
Though this will propably be moderated as flamebait I must say that if you take the same care to secure your windowsboxes as you do with your UNIXboxes you will be rewarded with, surprise, secure boxes all over. Windows isn't inherently insecure as well as UNIX secure.
Re:Overt vs Covert (Score:5, Interesting)
(Last Journal: Thursday October 17 2002, @08:24PM)
Totally agreed. Linux's worst enemy is the Linux boosters who think it's perfect. I'm exhausted, but I'll try and share an anecdote.
I was up all night last night securing a Debian webserver. Maybe I pushed the wrong buttons, but when that box first booted up a port scan lit it up like a christmas tree. SSH was open, but so was RPC, Finger, FTP, time, LPD, SMTP, and Telnet. Frickin' TELNET! OS X doesn't even come with a telnet server!
This was my first Debian box, so it took quite a while to learn the ropes so that I could hunt down and properly squash all of these open ports and set up some firewall rules. Sure, a knowledgeable Linux guy could have done this a lot faster. I came from the OS X world, though, so I had a lot of catching up to do.
The BSDs don't let newbies make those kind of mistakes. Set up a Mac with all of the defaults, and it's secure. OpenBSD and FreeBSD don't have squat enabled by default. Linux is great, but it still contains a LOT of pitfalls for new admins and users. These security issues are going to get worse as Linux becomes more popular.
Re:Overt vs Covert (Score:5, Informative)
(http://honeypot.net/ | Last Journal: Thursday November 15, @11:49AM)
Re:Overt vs Covert (Score:5, Informative)
Re:Overt vs Covert (Score:5, Informative)
Sure it does... It's not enabled by default, and as far as I know, there's no GUI to enable it, but it certainly comes with telnetd preinstalled:
greyfox ~% uname -a /usr/libexec/telnetd /usr/libexec/telnetd* /etc/inetd.conf /usr/libexec/tcpd telnetd
Darwin greyfox.azeotrope.org 6.8 Darwin Kernel Version 6.8: Wed Sep 10 15:20:55PDT 2003; root:xnu/xnu-344.49.obj~2/RELEASE_PPC Power Macintosh powerpc
greyfox ~% ls -l
-r-xr-xr-x 1 root wheel 50012 Jan 18 02:05
greyfox ~% grep telnet
#telnet stream tcp nowait root
Re:Overt vs Covert (Score:5, Interesting)
(http://www.nodachi.net/)
Lots of people will see services such as FTP, MAIL, NFS, SSH, WEB and think "That might be useful," or "That might be fun." They enable a small shitload of services, then never bother to update or use them.
By forcing a person to pay special attention before making a service available to the world (For instance, sendmail will only listen on 127.0.0.1 by default on RedHat) you force them to learn a little somthing about that service. You also make it undesireable for them to enable a lot of things that they have no hope of using.
IMO, "Install Everything" is far too tempting for many people, and far too insecure. The number of linux breakins would go down considerably if distributers would simply force people to enable a service after they install it.
I personally think that the Linux distrobutions avoid it to make things easier, and to improve people's linux experience. "Hey! I have a webserver running after 5 minutes! Neat! This linux stuff is easy." (I sure was that way when I got into Linux.) : \
Re:Overt vs Covert (Score:4, Funny)
Re:Overt vs Covert (Score:5, Informative)
(http://slashdot.org/)
That's one thing that really bugs me about information available to monitor Windows (from log files to dynamic data).
What I can find in depth, by default, and easily on Linux is a real chore to locate or (in the case of the standard log files) typically useless.
It must take an excessive amount of effort and forsight for serious monitoring of a Windows system and even then is it trustworthy? The defaults just don't record/show enough.
Re:Fun and games with statistics (Score:5, Informative)
(http://slashdot.org/)
Furthermore, given how quickly a potential problem can be fixed in Linux, as opposed to the "wait, and wait, and wait some more" approach to the MS Service Packs, I'd have to say that the methodology used to reach at least some of the conclusions in the article is seriously flawed.
Kierthos
Re:Fun and games with statistics (Score:5, Funny)
Re:Fun and games with statistics (Score:4, Informative)
I think nows a good place to post a link to eeye's upcoming advisories page [eeye.com]
Re:Ohmygawd, Root is a Security Flaw in Linux! (Score:4, Informative)
(Last Journal: Wednesday January 21 2004, @09:06PM)
Im not trying to dis your windows knowledge, but if you dont know about run as service, chances are you would never know if you got hacked either. If you really want to see how vulnerable you are, even after the windows updates, I suggest you download the Microsoft Baseline Security Analyzer [microsoft.com] and see just how vulnerable you have been running your machine. I just learned about this program, and it's a real shame they don't advertise it at least. Seems like a real useful one, even if it only has a few tests and probably has a lot of holes it doesn't check. There were at least 4 critical level downloads i needed to fix certain issues that DO NOT show up in windowsupdate for some stupid ass reason. Expect to have to read some technical information about problems and search/find it yourself at microsoft.com for the updates. Something about MDAC, which I'm not too familiar with.
Disclaimer: I am not a MS shill, I just like to play games. (And this is not a sig, this is reference to MS and this security post.)
Re:Ohmygawd, Root is a Security Flaw in Linux! (Score:4, Interesting)
(http://baby.boondock.org/ | Last Journal: Friday August 04 2006, @11:41AM)
Thanks for the reminder. I ran it on my mom's XP box last time I was there, but forgot to run it here until now.
It was kind of funny. First, it wouldn't work because the Server service wasn't started. Well, it's not running because I don't need it, and it's stupid to run it if you don't need it.
It found three security updates I needed (including the MDAC one, which did show up on Windows Update for me, for some reason). So I was a bit out of date. But the other stuff it found was all "Yeah, I know, I set it up that way on purpose." Stuff like:
- One of the accounts has a blank or short password. (That's the Guest account, which is disabled.)
- None of the passwords are set to auto expire.
- Auto-logon is configured for at least one account. (This is my home machine. If my hubby needs to get into my computer account, I don't want to have to give him one of my passwords. If someone breaks into our apartment, I have bigger worries than whether they can get into my Windows box.)
- Automatic Updates is not configured properly. (I'm philosophically opposed to having my computer download things without me telling it to, and I know that in some cases this makes me more vulnerable... it's a risk I chose to take.)
- Not all hard drives are using the NTFS file system. (No, my 8GB 5400 RPM drive that I keep around for backups when I reinstall the OS is still FAT32. I'm lazy. One of these days, I'll get a new SATA hard drive, and my current main drive will become backup. Everything will be all better then. For one thing, I'll probably switch to Linux at that point, unless another cool MMOG comes out.)
- Restrict Anonymous. This is the ONLY surprise that showed up on here. I'd never heard of this before, and have since changed the registry setting.
- Telnet service is installed. But it's disabled, so no worries there.
So, I feel fairly good about how secure my box is. The MBSA served to reassure me in this case. I'll still feel safer when I switch away from Windows, if only because I'll be less of a target.
Re:Fun and games with statistics (Score:5, Insightful)
So every one of those worms required a stupid user to execute it?
Bullshit.
http://securityresponse.symantec.com/avcenter/v
"W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135"
That is not anything near 'rely on TOTAL DIPSHITS'.
This particular worm actively broke into the machine remotely. Discounting it for a study like this is nothing but 'let's throw away data until we've proven what we want', as other posters have noted.
Slashdotters react predictably (Score:4, Insightful)
If it were shown to be Windows, nobody would be arguing, but because there is insane bias around here, we get lots of yimmer-yammer trying to run circles around the data.
How many studies have to come out before Slashdotters stop proclaiming Linux as the magic security solution? GNU was hacked twice last year, and GNOME, Debian, and Gentoo were all hacked. What gives?
Just my two cents. I'm compiling Gentoo right now...I love Linux. But I'm not so naive to pretend it's the end-all solution. I haven't read all the comments, but I fully expect to read the same, typical, anectdotal bullshit--"Well, where *I* worked..." or "Well, *I* spend more time on Windows patching..." or "Well, if *I* were conducting the study, I would..."
Re:Slashdotters react predictably (Score:4, Insightful)
How many large companies/organizations running Windows where hacked last year? The point is, most companies/organizations don't report IT security breaches, certainly not like GNU did. If you have a high-profile company, and someone with enough skill wants to, you WILL be hacked eventually, regardless of your choice of OS. Most blackhats don't have the skill level that the GNU attack took, and even that probably could have been prevented, but there is a tradeoff between high security and convenience, and a 0day exploit is hard to stop, unless you can stay awake 24/7 and process incoming ethernet frames in your head fast enough to determine their intent before forwarding them.
I personally would rather be attacked once a month and know of the attack instantly than be attacked once a year and not know. Security starts at the power outlet, once you plug a machine in, you're vulnerable. (And no, you can't have my netblock range)
One nit on this... (Score:5, Insightful)
(http://slashdot.org/)
Just one bit that I'd say this is not quite on the mark in this closing statement: Windows makes it easy to patch a machine for the consumer, one box at a time; they make it easy for corporate customers with tools that can push updates onto boxes (although the required reboots are an issue unto themselves). Please correct me if I'm wrong, but I'd venture a guess that the issue is that you don't have these tools because they cost money that isn't easy to justify for the number of Windows servers you have.
The major problem as I see is is exactly what another poster stated -- that vulnerabilities may exist for months before a patch becomes available from Microsoft, and we may not be informed of them in a timely manner. The sheer number of ways that a Windows machine may be vulnerable for variable periods of time seems to me to be orders of magnitude greater than any Open Source package or the Linux kernel itself.
The ease of patching vs. the costs of doing so is a very valid reason (among many, obviously) for choosing one operating system over another. But to me it's far more important to know when a vulnerability exists and when a patch will be available. Windows loses in this regard, hands down.
Disclaimer: IANASBIPTBOOS
- Leo
Re:One nit on this... (Score:5, Informative)
An honest concern -- we were all pretty shaken up with the rash of security patches to Linux software a couple months back. Howver, the good majority of these were local exploits, e.g. preventing one user from taking over the entire system. Windows hardly has a concept of local security; almost all of the problems you hear about for Windows are remote exploits, the really dangerous ones.
Secondly, taking a look at the exploits for Linux, most are much more involved than Windows. Often a Windows system can be cracked with an easy ordering of instructions or a basic buffer overflow. On the other hand, Linux security holes often involve very carefully crafted buffer overflows that go through more than one round of manipulation and usage before the crack happens.
Thirdly, when Linux folks know of a Linux bug, everyone tends to hear about it immediately. Microsoft has been known to sit on issues for months (or years!).
There are exceptions to every rule, and generally security depends on the Admin -- but with Windows, there is a limit to how secure you can make your box.
Cheers
The point the article makes, however, is... (Score:5, Insightful)
(http://www.rpgdl.com/ | Last Journal: Sunday December 19 2004, @11:35PM)
Re:Results of *my* survey... (Score:5, Interesting)
(Last Journal: Monday December 22 2003, @01:52PM)
I disagree with that from personal experience. On Windows - Control Panel, automatic updates - enable. That's it.
Fedora from GUI:
Run up2date
Be told you are not registered. Click ok.
Choose what updates you want. Select all, start the process.
Process freezes either before it starts, during, or near the end, OR you are told a package has been tampered with (when really it's just corrupt). Solution: patch one package at a time (which is a $@ing PAIN in the arse). I have Fedora boxen unpatched simply because the patch system is fsck'd.
Fedora from command line:
[root@dredd root]# up2date
Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.
Your Update Agent options specify that you want to use GPG.
To install the key, run the following as root:
rpm --import
[root@dredd root]# rpm --import
[root@dredd root]#
[root@dredd root]# up2date
Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.
Your Update Agent options specify that you want to use GPG.
To install the key, run the following as root:
rpm --import
[root@dredd root]#
Yeah - MUCH easier than Windows. Not.
Re:Results of *my* survey... (Score:4, Insightful)
(Last Journal: Monday December 22 2003, @01:52PM)
With any supported redhat, clicking on up2date does the trick - without the paid rhn though, you will not be able to get the same service - but guess what, you use apt or yum and get all the same updates. once apt is installed, just say "apt-get install synaptic", and from then on, you can point and click you way through package installs from the various software repositories available.
Firstly the original poster claimed that all major distros had an easier patch system than Windows. I disagreed and posted my personal experience. This is reinforced by you tellimg me that I now have to PAY to get a reliable easy to use patch system (Windows updates always have been free). Secondly are you now suggesting that the fact people have to work out how to patch the box is easier than Windows Update and automatic updates?
I disagree. Ease of use is the point of this discussion, not that it can be made to work with a lot of pissing around.
Re:Fun and games with statistics (Score:5, Interesting)
Re:Fun and games with statistics (Score:4, Funny)
(http://mooserve.myftp.org:89/)
I don't believe that the majority of the linux hacks were due to flaws in the operating system as much as they were probably caused by misconfigurations by the people setting up those systems. Windows, on the other hand, comes with lots of holes built right in for you; no user intervention required!
Re:Fun and games with statistics (Score:4, Interesting)
"Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."
As others have said, poor configurations caused the most problems for the linux machines.
Re:Fun and games with statistics (Score:5, Insightful)
Re:Fun and games with statistics (Score:5, Interesting)
the same report in 2002.
http://archive.infoworld.com/articles/hn/xml/02
DK Matai is simply trying to spin the same propaganda that he did in 2002 with the pretense that it contains pertinant information. On the whole it doesn't - looking at the bottom line -- the dollar -- it's the MS exploits alone which are having any real effect in the real world.
Sure, to pretend that Linux systems are magically impenetrable is equally not in the real world, but I think things need to be put in perspective.
Also - do sysadmin misconfigurations (e.g. setting anonymous ftp with access to all areas) count as an exploit? It's not the OS's fault if a human has selected a brain-dead configuration.
YAW.
Re:Fun and games with statistics (Score:5, Insightful)
Please. Black and white it most certainly is not. While the information should make us Linux zealots sit up and pay attention, this article doesn't really say anything at all. They didn't tell us the proportions of systems tested, and they threw away automated breaches (and they might have thrown away targeted attacks accomplished through automated/worm means--they didn't give enough information to tell). Without knowing how many systems of each type were present, it's pretty meaningless to give figures based on numbers of systems breached.
For example, the results in the article could be describing a scenario where all machines on their network were breached, and each of those attacks corresponds to a different machine. So they have 13k Linux machines and 2k Windows machines. Would that tell you that Linux is less secure? Not really. It would have been slightly more meaningful to tell us what percentage of attacks on any given system succeeded and failed. It could also be the case that they keep all their important data on the Linux servers, so not many people are trying to break into the Windows boxes. We just don't know, because the article doesn't tell us anything.
Yes, Linux folks should work harder on security. No, this article doesn't really say anything in particular definitively.
P.S. I just looked at the article again, and it says they, "discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide" [emphasis mine]. So yes, from that statement, they actually just discarded all the data on Windows. I kind of doubt that they actually did that, but that's what the article tells us. I guess from that you could say that Linux hackers rely on holes that aren't widely known, whereas Windows hackers just use the same holes that everyone else is using.
Re:Fun and games with statistics (Score:5, Informative)
Re:Fun and games with statistics (Score:5, Informative)
If there was a server on a Linux machine that was started in some obscure shellscript instead of the usual init.d (or whatever your system uses) scripts or inetd, I'd describe it as hidden too.
Re:Exactly what I was thinking (Score:4, Informative)
Re:Fun and games with statistics (Score:5, Insightful)
(http://www.frambooz.com/)
We all know the average Linux user is more likely to tamper with his setup and run non-model-user applications, like their very own webserver. They are likely to know few things about proper server security, and therefore their servers are more vulnerable.
Windows users are less likely to run a webserver, simply because they're not as eager to play with their system as Linux users. Therefore there will be less insecure Windows servers. The same goes for Mac-OS users.
What I want to know is the percentage of professionally installed and maintained servers that was actually vulnerable.
Re:Fun and games with statistics (Score:5, Insightful)
Re:Fun and games with statistics (Score:4, Informative)
(http://www.frambooz.com/)
Re:Fun and games with statistics (Score:5, Insightful)
(http://www.cgore.com/)
First off, as a FreeBSD user, I must quote the venerable Nelson: "Ha, haaa!"
What I want to know is the percentage of professionally installed and maintained servers that was actually vulnerable.
Now, on a more serious note, my belief as to why Linux fared worse than your average BSD is this: Linux is often the first foray into the world of Unix for people these days, including a lot of people not particularly qualified to run a server. BSD is generally viewed as less friendly to new users (a not entirely incorrect view) and therefore sees a lot less MCSE's looking to pad their resume. Given a good administrator, there should be no real difference between a Linux and a BSD server, since most of the stuff past the kernel level is exactly the same anyway.
Re:Fun and games with statistics (Score:4, Funny)
(http://www.usermode.org/ | Last Journal: Tuesday April 17 2007, @09:13PM)
Re:Fun and games with statistics (Score:4, Insightful)
(http://www.earthcomber.com/)
While true, the parent poster's comment is also still true: It is the same software. So, if you're running a server using the Mandrake Desktop, you've either gotta remove 95% of the packages installed or unplug the network cable.
So, my point is this: We're all correct here. Now, let's go out, get a beer, and discuss important things like how we're going to get Mr. Bush out of office.
Re:Fun and games with statistics (Score:4, Insightful)
Not really.
Most Linux systems conceal the configuration behind layers of python scripts and shiney-gooey-croft.
Most BSD systems can be properly configured using any 'UNIX system administration' book published in the last decade, and the vi editor.
Uhhh. eerrr.. what? (Score:4, Insightful)
(http://youtube.com/watch?v=FCDJ0jhWKno | Last Journal: Tuesday November 14 2006, @01:31PM)
Also, some of the scripts are damn useful. For example, the redhat-printer-conf. And I've looked at that baby, and it is some _hardcore_ python. It can handle like seven different printing systems, and detects which ones you have installed. It even comes with "Print Test Page".
Mint!
Actually, the worst offender is SuSE. YaST will completely take over all your configuration files. And YaST is written in C. OTH, YaST is pretty friggin complete, and it has a well documented plugin system so it's not as bad as it seems. Still, you just don't install it (or install it but don't use it). Problem solved.
Wake up call (Score:5, Interesting)
(http://www.esperance-linux.co.uk/)
> Windows users are less likely to run a webserver,
> simply because they're not as eager to play with
> their system as Linux users. Therefore there
> will be less insecure Windows servers. The same
> goes for Mac-OS users.
The study was talking about servers. So your comment about Windows users being less likely to run a webserver makes no sense whatsoever. In terms of the study, they are every bit as likely to be running a webserver.
Linux users have to face the facts when addressing this matter and not bury their heads in the sand. There are any number of Linux users who don't even know what inetd and tcpwrappers are let alone bugtraq and cert [cert.org] or how to upgrade their systems and keep them secure or how to write PHP scripts with bounds checking.
Until that changes Linux boxes are going to continue to be broken into wholesale.
The reaction to this story on here reminds me of when Apache and IIS were put head to head in some study and there was wholesale denial that IIS could outperform Apache. The Apache team recognised there was a problem though and set about improving their software. This is what Linux users have to do now.
Whilst the study may be flawed and the company that did it may have an agenda, 13000+ Linux break-ins in a year should be serious cause for concern.
Folks, please face the facts even if they are unpleasant and improve the software and more importantly improve the education of the user base.
Re:Fun and games with statistics (Score:5, Insightful)
Then again, what this also means is that linux machines are the most likely to be overtly hacked into.
Re:Fun and games with statistics (Score:5, Insightful)
That actually sounds like a fair attack vector to ignore in compiling these, otherwise you couldn't derive any meaningful stats - eg. if I posted my password on to my monitor, and someone hacked my workstation (by using that password), would you be able to say 'that workstation OS is inherently insecure'? If you couldn't, then you can't allow similar user stupidity to feature in these statistics.
I don't think that runnign updates fall into this 'stupid user' catageory, especially as Windows boxes are more likely not to be admin-ed by clued up admins.
Re:Fun and games with statistics (Score:4, Insightful)
Re:Fun and games with statistics (Score:5, Insightful)
You, know, those hundreds of default.ida and scripts/..%252f.. requests you get every day? According to these guys the cracked machines behind those requests don't exist, or at least don't count.
Nevertheless I'm going to take a closer look and see how I can secure my linux boxes better. I'm surprised linux fared so badly, because many of the services running on linux (apache, sshd, ntp) are the very same ones running on the bsd boxes which did better.
Re:Fun and games with statistics (Score:4, Informative)
(http://www.astradyne.co.uk/tet | Last Journal: Friday November 09, @08:34PM)
Not really true. AFAIK, lots offer C1 or C2, but few go up to the B ratings. I know DG/UX did, but that's sadly now discontinued. Trusted Solaris 2.5.1 was rated to B1, but Trusted Solaris 8 isn't. Bull did a secure version of AIX, and HP will sell you SEVMS, but if you're looking for a modern B2 Unix, then your options ar elimited (no Solaris, HP-UX, Tru64, IRIX or Linux, AFAIK).
Incidentally, that's not to say that those OSes couldn't be made to meet those requirements, just that they haven't been certified as such to date.
Re:Fun and games with statistics (Score:5, Insightful)
(http://www.magnetbox.com/riaa/ | Last Journal: Saturday July 10 2004, @03:34AM)
Linux is over-represented as a target of hacking because there is so much low hanging fruit out there, same reason that Windows is over-represented in the malware depart.
The study chose to not consider malware because that is really a UI and social engineering problem, this study was about attacking servers without an inside patsy and Linux came up short. It is dishonest and dangerous to ignore these sorts of results.
Re:Fun and games with statistics (Score:5, Insightful)
In addition the study only covered successful attacks. How many unsuccessful ones were there? The measure of vulnerability should surely be the ratio of successful/failed attacks, not just a raw number.
Finally how were these attack figures reached? Where these based on government/company IT figures? (in which case factor in maturity of systems/staff and how much easier breaches can be discovered in Linux using free tools like Tripwire [tripwire.org]) Or packet sniffing of certain domains? (Linux is used by more domains, some of which are set up deliberately to be hacked [honeynet.org]).
The only conclusion that can be safely drawn is that Linux appears to be a more popular target for manual attack - whether by necessity (automated attacks being far harder), desire (more of a challenge) or familiarity (easier to learn the internals of a free system, especially if you lack the money/connections needed for commercial counterparts). And security is hardly ignored on Linux either - with tools like ipfilters, tcpwrappers and Bastille [bastille-linux.org], admins have little excuse for running a non-secure system.
Re:Fun and games with statistics (Score:5, Insightful)
(http://support.microsoft.com/ | Last Journal: Sunday June 27 2004, @06:34PM)
What were the majority of attacks? How many were exploits that took advantage of underruns? How many were due to running apache? Did they do any analysis of UML based systems which are built around the eventual breach of security?
I'm at a loss. Whether or not the Linux servers or hell even the Windows servers followed a good security model (rings, single ring, regular auditing etc.) You can secure an operating system only so far, which is why you only portfw certain ports through the firewall.. Did they attack things like NFS and portmapper which shouldn't be on the outside world anyways?
A step by step analysis of THEIR analysis is needed to understand what they did to come to these results.
IMO FUD.
Why there's more overt... (Score:5, Insightful)
(http://www.bigbrother.net/)
You know why there's far more Linux boxes that are being overtly hacked than windows? Because if you are a hacker, what the hell are you going to do with a Windows box? It's just not as interesting or powerful to remotely control a windows box.
I'm not a hacker, but if I was one, I would not waste my time on trying to 0wn windows boxes. I'd go after Linux boxes. Not because they are easier to breach, but because they are more fun to play with when you do.
Re:What if Windows were found most vulnerable? (Score:5, Insightful)
Sure...we've got evidence. You can even (hopefully) find it in your own memory of the day when the whole Internet had major slowdowns and large service outages when SQL-slammer came out.
Or perhaps you just want to take a look at any number of statistics that compare breaches and don't ignore all worms. I'm not going to go link-hunting for you this second, but if you seriously look for any real studies on this subject and make sure they are taking all attacks into consideration, the numbers are tremendously different.
Seriously...just think about it for a second. Have you ever seen someone perform an attack on a Windows box that would be considered for this study? I've seen several hundred Windows breaches now (I've worked in computer repair shops, and now an ISP, for some time) and so far I think every last one of them involved some sort of worm, virus, scripted exploit or trojan. If you leave all this out, what do your numbers mean?
What a dumbass way to conduct a study.
Re:What if Windows were found most vulnerable? (Score:4, Funny)
(http://go.away/)
cabal of liars that masquerade as "researchers" does not alter the facts.
I love that word. Cabal. You see it so rarely in everyday life. I'm going to start using it more.
Re:What if Windows were found most vulnerable? (Score:5, Insightful)
And this is a good example of discarding all the data, coming to any conclusion you wish, and then putting the onus on others to debunk your unsupported premise, which, as it happens, has no logical bearing on the argument you are attacking.
A very popular methodolgy, but not a valid one.
For purposes of bias I will point out my posting history will show that I use Windows 98, Mac System 7, Mac OS8 and various flavors of Linux at the moment, but have a very strong preference for Linux for explicitly stated reasons, some of which relate directly to the deleted data in this study, some of which do not. You'll find that my position is at least unbiased enough that I have been accused of being both an MS lackey and a Linux zealot, although I don't recall that I've ever been accused of being a Mac head. I have never so much as sat at a BSD terminal or an OSX box, although I would have no particular objection to doing so, it would be fun, and I am inclined to believe that BSD is more secure than the majority of Linux distros at the moment.
If you wish to debunk this you will have to do your own homework in finding evidence to the contrary.
Ad hominem strawman arguments will be promptly and cheerfully ignored.
KFG
Re:What if Windows were found most vulnerable? (Score:5, Insightful)
Uh...I haven't read all this other guy's posts. But they don't change the fact that his point here is incontrovertibly correct. Throwing out the most popular method for breaching security is a completely unacceptable way to conduct research that hopes to conclude relative security. That's pretty damn basic.
I mean, do you seriously disagree? You think this study actually shows that Linux is less secure than Windows? Even after you realize that they are ignoring SQL-slammer, Blaster, MyDoom, Nimda, Code Red...............and on and on?This is one of the most bone-headed studies I think I've ever seen. Anybody duped by this has absolutely no concept of either computer security or basic logic.
Overexaggerated (Score:5, Insightful)
(http://seventhcycle.net/)
For all the servers out there, I wonder how many people actually run up2date or apt from time to time. I imagine more people run windows run windows update than any linux equivalent.
Let's face it. Linux isn't for just the uber-geek anymore. So logically, more systems are going to be hacked into when people with no security sense are managing systems.
Don't blame the operating system. Blame everyone who thinks they're a competent sysadmin, but really aren't.
Not to mention that this article doesn't weigh in percentages. There are a *LOT* more linux servers out there than there are BSD, Windows and Mac OS X servers. When one factors in percentages, Linux really isn't *that* bad.
Re:Overexaggerated (Score:5, Insightful)
Seems all those old posts were just flamebait, either that or all the Windows security patches really have made a difference.
Re:Overexaggerated (Score:5, Insightful)
(http://www.howtobeinvisible.com/ | Last Journal: Thursday October 04, @07:42AM)
In short, with Linux, most vulns are due to misconfiguration of apps and NOT an inherent flaw in the system.
Windows has, so far, had a bad track record of SYSTEM LEVEL flaws and not necessarily inherent flaws.
-Charles
Re:Overexaggerated (Score:5, Interesting)
Re:Overexaggerated (Score:4, Insightful)
There are only three variables: how secure is the box
All of these studies miss the point (Score:5, Insightful)
Everytime I see an article like this, I wonder how many users and administrators will get the false impression that if they just switch to another platform they will have done their job.
Security is a process. It is not all about the technology, and it requires educating users and managers to be effective.
Re:Overexaggerated (Score:5, Insightful)
It's true, Linux is not just for geeks anymore. But because of that, we need pre-hardened distros (including ACLs, IDS, and stack protection) and automated security updates for systems run by idiots. The ultimate answer (educating people) is unfortunately not feasible. As much as possible, security needs to be idiot-friendly on every OS.
Re:Overexaggerated (Score:5, Insightful)
For all the desktops out there, I wonder how many people actually run Windows Update from time to time.
Let's face it. Windows has never been for the uber-geek. So logically, more systems are going to be hacked into when people with no security sense are managing systems.
Don't blame the operating system. Blame everyone who thinks they're a competent sysadmin, but really aren't.
You know your argument is invalid when you can make the exact same point for the other side.
Of course (Score:4, Funny)
What do they mean by "Linux" anyway? (Score:5, Insightful)
Consider the source (Score:4, Funny)
This is not news, it's a troll (Score:5, Insightful)
(http://davidmorgan.org/)
To be news, they need to say what proportion of computers use each OS, and what apps were hacked. It even says third party software accounts for a lot of the Linux hacks.
Nothing to see here except some meaningless statistics. Yawn.
Lies, damn lies, and statistics... (Score:5, Insightful)
When it comes to servers, selecting a bad choice of a password or forgetting to properly set file permissions is still the easiest way to get hacked, and that will always be operating system independent. And, that accounts for the majority of security weaknesses. Worms and viri are a client-side issue, servers don't often get hit with those.
So, good work OSX fans. You finally found a metric by which having the fewest number of servers in actual use makes you look good...
Re:Lies, damn lies, and statistics... (Score:5, Insightful)
So how come every time there's an article/rant about how insecure Windows is and someone says the exact same thing about Windows (i.e., "Windows has more viruses/attacks because it is the most widely used desktop operating system"), it's considered nonsense or a copout by so many Slashdotters?
Re:easy way to fix linux (Score:5, Insightful)
Stupidity runs on any OS...
it makes sense (Score:5, Insightful)
Linux is made up of _many_ distributions, who hack together systems out of many disparate apps. Each is slightly different. This diversity means none can Q.A. their systems as well as a unified project like FreeBSD does. I've seen some unbelievable bugs in a very well-known Linux distro, there for no reason there than their resources are stretched too thin.
Linux is also a Unix. People who put up *BSD servers are Unix hacks. People who put up Linux servers are oftentimes ordinary people who are trying to cut costs from not going with Windows. Unix is powerful, if you don't know how to handle that power, you put your systems at real risk.
From Greg over @ OS-News (Score:5, Informative)
(http://www.ti-news.com/)
"And yes, every time an mi2g story has come up, an ugly flamewar has started. The funny thing is, it's the security equivalent of an Adequacy troll.
Some links:
http://www.attrition.org/errata/charlatan/mi2g-
http://www.theregister.co.uk/content/55/28233.h
http://www.nwfusion.com/news/2002/1107msfoul.ht
Absolute numbers do not absolute truth make (Score:5, Insightful)
(Last Journal: Friday April 27 2007, @02:20PM)
In other words, it's the same story as Windows on the desktop - there are more attacks because there are more servers. Since they don't give us percentages of installed vs breached, the data is essentially useless. Rule #1: Normalise your data before comparison....
Simon.
Re:Absolute numbers do not absolute truth make (Score:5, Insightful)
(http://www.livejournal.com/users/sinistertim101 | Last Journal: Saturday March 24 2007, @12:32PM)
Thats what I love about open and FreeBSD.
All the file permissions are set to maximize security while most Linux distros are setup to maximize usability.
Remember guys we are talking about 2 different unixes. We can make Linux just as secure.
Its just that BSD is more minimalist by default and super secure before its given the go ahead to declare the distribution stable. Linux by default has more services running. The ports tend to install the most secure options when installing things like apache.
What this means is that Linux distro's and users need to make things more minimal and secure by default. Many admins are too lazy or incompetant to properly lock down a Linux box. Unix is hard and a pain to setup which is part of the problem.
I think having more linux servers is part but NOT THE WHOLE reason for this.
Longest uptimes, too (Score:3, Interesting)
(http://www.houseofwebb.com/)
And I run linux. You'd think I would learn...
Re:Longest uptimes, too (Score:4, Informative)
Re:Longest uptimes, too (Score:5, Informative)
As seen in the netcraft FAQ : Since the last server of the top 50 have an uptime of 1073 days, there's no way a Linux box could be in the list.
Not to surprising (Score:5, Interesting)
(Last Journal: Friday January 23 2004, @04:49AM)
"For the first time, the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004," the analyst said.
I'm in the army in Europe and we're not allowed to run BSD or OS X. Only non-windows I'm authorized is AIX or um... (I'm really sorry to admit this) SCO. So I'm sure alot of other government agencies (besides DoD), don't allow BSD and OSX.
Linux is the most widely cracked because... (Score:4, Insightful)
(http://dcemulation.com/)
let me just be the first to say (Score:5, Insightful)
(http://www.freshraisins.com/)
armed with this statistic and the age old mathematical operation of *division* one could make these results meaningful.
in other news, a new study finds that red heads are much less likely to commit violent crimes. Data for left-handed people is also encouraging.
Do you google? (Score:5, Informative)
Second link leads to this page [attrition.org] which shows what a crock this (company/report) is.
Terribly, blatantly flawed study (Score:5, Insightful)
"When we ignore most of the break-ins that windows had, it had less than linux!"
followed by BSD and Mac OS X with 555 breaches
This completely ignores the proportion of these OS's that got hacked. If there are only 556 of them deployed, then this is a terrible break-in rate. Obviously there are more than 556, but there are fewer BSD servers than linux servers.
Can you say "liars"... (Score:5, Interesting)
Thats not how it works. There are also many [attrition.org] other [theregister.co.uk] reasons [nwfusion.com] not to believe them. Boy, it must be nice to be able to make a living just making up statistics.
And in unrelated news (Score:4, Funny)
Why is MI2G given air to breathe? (Score:5, Informative)
(http://robotterror.com/slashdot | Last Journal: Thursday November 04 2004, @05:48PM)
Read Why is mi2g so unpopular? [theregister.co.uk]
Then read this complete debunking [vmyths.com] of the scam^Wfirm.
Slashdot is trolling us -- did I wake up in Soviet Russia??
mi2g love to FUD (Score:5, Informative)
(http://eridanus.net/ | Last Journal: Monday September 15 2003, @07:39AM)
Automatic Update (Score:4, Insightful)
While I'll admit that I find these behaviors pretty annoying, you can bet that Linux would enjoy a somewhat better security record if it were that hard to forget updates. It's a shame more Linuxes don't ship with at least the option of turning this on for desktop and small server folks.
At SCO, we offer increased security by running our website with Linux and only connecting the SCO machines to McDonald's cash registers and machines too old and slow to run root toolkits.
Re:Automatic Update (Score:5, Interesting)
Doesn't do that on mine. Turn off automatic updating.
"
There's no "cancel" option because it's unnecessary. Just keep working. You can "re" boot tomorrow, like I do. (most updates dont' require a reboot at all, by the way. But if they do, fuggetaboutit. Get some work done).
I suppose you could sit there and watch the update progress. I don't; I launch all my apps first thing; one of them is software update. If one is available, I click to install, enter my password, and then do something else (there's one installing right now. Or maybe it's done. Who knows? Who cares? Use the damn computer, SW Update doesn't need any attention from you).
A check for security-relevant update should probably be part of a Linux admin's daily routine. Kernel updates can be ignored; there's no need to update a perfectly good Linux install just because you can. Rookie error.
As for Windows update, I did a clean install of Win98SE about 2 weeks ago. 61 updates required, though mercifully only about 24 were "critical". And yes, you do need to stop everything and reboot every time with that OS.
I use Linux, Windows 98 & XP and OSX every day. It gives you a little perspective.
What's Wrong With This Picture? (Score:3, Interesting)
What about normalized numbers? (Score:5, Insightful)
(http://www.axiom-developer.org/)
Also, a useful study would look at how machines are maintained, password policies, etc.
Now before I come off sounding like a Linux apologist, it is quite possible there are some serious weaknesses that need to be addressed. If so, I hope they give us full info on the attacks so we can fix the problems. But these numbers as they stand don't tell us a darn thing.
If a dedicated admin configures Selinux and heavy duty firewalls, and puts Klingon password policies in place, I'd personally still be confident to match that system against anything out there. Default Redhat installs, on the other hand, are something else again. So again we need more info. It's all in how things are set up and maintained. The question actually being asked here - which OS is strongest, all other things being equal - is a really really tough one to answer. There are many other issues that must be addressed first.
So, as far as any useful information is concerned, this article doesn't appear to have any. What if the Linux machines simply had the best intrusion detection in place? (I'm not saying they did, but it's a fair question.) Need More Information!
Before people start ranting and raving (Score:3, Insightful)
I think this paragraph says it all - it comes down to poor admins. If you have a bajillion-dollar lock made out of unobtainuim, but leave the key under the doormat, you're less secure than if you have a 2-dollar master lock but aren't dumb about the key.
Wrong conclusion (Score:5, Insightful)
They say how many attacks they analyzed, but they didn't mention the pool of hosts that these attacks were taken from.
Were there 1000000 linux hosts, 200 Windows hosts, and 6 Mac OS hosts? If so, that would radically change the conclusion that is implied.
Also, it's interesting to note that they did NOT count automated attacks by viruses, etc.
I'm sure there are interesting conclusions in their study of attacks, but given the lack of data, this study doesn't provide enough data to conclude that one OS is safer than other.
Oh, not again (Score:5, Interesting)
(http://www.vanitydomainsarelikeso20thcentury.org/)
Did they figure in the "stupid factor" ? (Score:3, Flamebait)
Well, let's see here.
1. Government. Stupid is as stupid does.
2. Inadequate training.
3. Inadequate knowledge.
Three strikes and you're out. The VAST majority of government workers are NOT highly educated people, and as a matter of fact, most of them are former welfare workers placed into government jobs to get them off the welfare log books.
When you factor in all these things you should expect the results they came up with.
But I say this, you put a GOOD, trained, educated, and skilled sys admin behind those same Linux systems and those numbers will flip.
Missing (Score:4, Interesting)
What percentage of servers over all use what operating system? If only.1% use Mac then actually it would show that Macs are MORE vulnerable because they account for more than
How did they get these statistics? For them to record a breach two things have to happen. You have to notice the breach and you have to report it. Is there a higher percentage of Windows users who don't notice the breach? Is there a higher percentage that don't report a breach? Linux users would tend to be more open to sharing the information imho since they are already users of open source which by nature is a choice to share information.
Although there are other things too the most relevant seems to be their sampling. What portion of their sample was running Linux? They definately did not use an equal sample size of each OS. Taking result numbers alone is not good enough to make a conclusion.
mig2 security company = charlatans (Score:5, Informative)
Gift-horse halitosis (Score:3, Informative)
(http://www.tagish.co.uk)
But it is instructive to read some prior comment on mi2g, such as "Iraq will destroy us by computer" the experts screamed [vmyths.com], or a more general index of mi2g myths [vmyths.com], or a search for mi2g at NTK [ntk.net] or even their own reasonably barking mad press releases [mi2g.com].
I'm not uncomfortable with a finding that Linus boxes leak like sieves whilst windows boxes immitate Fort Knox; I'm by no means in security denial here. But I simply don't believe a word mi2g say.
No, VMS, Multics, and VIC-20 are more secure (Score:5, Funny)
(http://www.microsoft.com/)
The problem (Score:3, Interesting)
(Last Journal: Tuesday March 09 2004, @06:38PM)
Most of these people don't know how or why they should lock down their boxes and keep their packages up to date.
Part of the problem is that many distros enable a lot of services by default, and over time, they become vulnerable to the latest buffer overflows and get rooted eventually by people who don't know about them.
The blame really doesn't go to Linux for its design. It just happens to be popular amongst people who don't know squat about security, though it would help if more distros would lock things down by default.
One unconsidered factor (Score:4, Insightful)
(Last Journal: Sunday October 03 2004, @04:03AM)
It's generally not too bad to secure a workstation against remove attacks-- you can just rip out anything listening. On a server, you *have* to be running some sort of server software, and if that has holes, you are open to attack.
They are wrong... (Score:5, Funny)
(Last Journal: Wednesday November 10 2004, @06:46PM)
What's in an OS? (Score:5, Interesting)
(http://www.cordula.ws/)
A lot of software is shared between BSD and Linux installations. Stuff like sendmail (qmail, postfix, ...), apache, bind, etc... is exactly the same on both OSes. Most security breaches involve a buffer overrun in one of these server programs. So obviously, Linux and BSD systems should be equally vulnerable (or safe) w.r.t. remote exploits...
As many have pointed out in other threads, the ratio of competent/incompetent Linux admins is higher than the competent/incompetent BSD admins ratio. This is sad, but true. It is not because Linux is bad or hard to manage, it's simply because Linux is much more popular than BSD. Newbie admins will seldom start with BSD, so they make their mistakes on Linux boxes first. Some of them may grow up tried of all the different idiosyncraties of Linux distros, and try BSD. A few may even like it and stick to it. But the point here is that your average BSD admin is already experienced with Linux systems, whereas the bulk of Linux admins won't.
Linux or BSD are both great systems, but they can be really dangerous in the hands of the inexperienced.
DISCLAIMER: I'm a senior FreeBSD sysadmin since 2.0, but I'm also managing a farm of misc. Linux variants since kernel 0.99 in high risk secure environments. I like both systems very much, so I tend to dislike stupid over-generalizations a la BSD is more secure than Linux (even if it is true, for the reasons explained above).
I say this (Score:5, Informative)
(http://czyanglican.blogspot.com/)
We are 100% Macintosh on the desktop because I can then spend time on billable hour projects, not internal stuff. But generally speaking, I really just like how BSD, especially the ports system, is organized and managed. Linux has always been scattered brained with more distros that you can count, where as I like the core development teams in both Free & Open BSD.
When I used to run an online browser-based game system, we often had more people trying to beat the system than the game. Led to problems under Linux and since it was a hobby site that I maintianed on my spare time, I didn't have time to mess with keeping everything 100% uptodate. So I reset up the game on an OpenBSD platform. Sure it didn't scale as well, but had no sucessful breaches from the script kiddies.
Now that I work as a consultant with small and medium sized companies in this area, security has become a staple of my business. Most of my work is in Policy advising because we still see a lot of network breachs, a vast majority, having some kind of internal proceedure issue. Aka, someone calls saying they are from branch y and forgot a password and someone gives it to them or a disgruntled employee sells information to a competitor. Or worse yet, employee fired/let go and no one removes accesss to the system until after they're gone if at all. I have seen some companies that still have user accounts for people that haven't worked there in over 3 years.
Still these are mainly small businesses with less than 10 people that are in real estate or some service business where they might have a website, POS, Email, MS Office, and Quickbooks more than larger companies that have an actual IT guy or department (even then...I am amazed at the total lack of intelligence of some of the people with MSCE at the end of their business cards)
Still, the biggest threats are comming not on the server side, but client side with viruses and trojans galore. Its the average joe blow that opens every attachment they are sent that causes the bulk of problems from my perpective.
Re:I say this (Score:4, Interesting)
So it comes down to NON-UNIX people have made Linux popular because that was their FIRST exposure to UNIX.
Is there ANYONE here that was HEAVILY into BSD and switched to a Redhat or any other Linux distro? I would imagine those numbers be few to none. I've known Solaris admins switching to Linux on x86 based servers for cost savings, but none of them really ever played with BSD before choosing Linux ... I would imagine had they been exposed to BSD first, they would have chosen BSD over Linux.
Security is a Process. (Score:3, Insightful)
(http://www.watters.ws/)
While it's the the multi-user nature of unix makes locking things down a bit easier, it's also up to the admin of the machine to make things are set up securely, and stay that way.
Linux != single OS (Score:5, Insightful)
Conclusion (Score:5, Insightful)
(http://slashdot.org/)
Numbers, Numbers, Numbers... (Score:5, Interesting)
(http://penopticon.com/)
* that most of these 17,074 were web servers
* that all or most of these servers were production boxes (worthy of being investigated after a break-in)
* that at least 20% of these were running Winodws/IIS (Netcraft
then all things being equal, there SHOULD have been at least 3400 Windows break-ins. Since there were about 2005 successful Windows attacks, MS and Windows admins must be doing something right. Many Windows admin ensure their boxes are patched. They follow NTBugTraq. They run lockdown tools or subscribe to security monitoring services. They are aware of potential breaches and most importantly THEY ARE NOT AS AROGANT AND SMUG as some of their Linux counterparts.
Mmmm -- nothing like the sweet smell of Karma burning on a cold February afternoon!
How the tables have turned (Score:3, Insightful)
Re:How the tables have turned (Score:4, Insightful)
(Last Journal: Tuesday November 29 2005, @05:15PM)
Linux was never more or less secure than Microsoft. It's "security" was based on it's obscurity.
While that may be the typical joe sixpack understanding of the matter, it's completely wrong. The fact is, unix was a multiuser, networked OS decades ago, and many of the baby steps that microsoft is now beginning to take represent steps towards the type of sophistication unix has enjoyed since the early 80s. Linux, as a modern unixlike OS, inherited a rather sophisticated security model which is in stark contrast to the microsoft culture of "personal computer", where things like networking, security, multiple users etc were afterthoughts.
As to the so-called surver, do yourself a favor and see if you can actually find out the data behind this mileading headline - and I must caution you that you are most likley in for a rude awakening if you expect to have your beliefs bolstered.
Mi2g (Score:5, Interesting)
(Last Journal: Friday December 01 2006, @10:51AM)
I suspect that shortly they will be reporting that Linux is more loaded with Viruses that Windows, to be followed with their new anti-viral software.
Something doesn't sit right with this "study"... (Score:3, Insightful)
Mac OS X 'most secure servers' (Score:3, Insightful)
Lies, Damned Lies and Mi2g's "Report" (Score:5, Interesting)
2. They did not normalize against the sample population for each OS, but simply reported raw numbers. Statistical crap.
3. No categorization of breach types. (root, user, etc.)
4. From what sources were their data derived?
In short, this "report" is bullshit and tells nothing of interest.
And what server do THEY use? (Score:3, Funny)
Apache/1.3.28 (Unix) FrontPage/5.0.2.2510 on Linux
Time for honesty and modesty from all camps (Score:5, Insightful)
We all know Windows has bugs, becuase people revel in revealing Microsoft's weaknesses. Hackers love to attack Windows because it is ubiquitous and so it is also the most attacked.
What this report points out, with all its flaws, is the the Linux system has problems too. Linux supporters have turned a blind eye to this and have loudly trumpted Linux as secure, while Windows is not. This simply wasn't true, but made Linux supporters feel goos about themselves. And even if it is a bit better, that isn't the point.
There will be bugs in Linux and Windows and other OS'es as long as new development continues. Further, as long as humans adminster the boxes, admins will do silly things and create vulnerabilities.
The real question is... (Score:3, Insightful)
(http://michael.bacarella.com/ | Last Journal: Friday November 01 2002, @06:19PM)
What does this study actually prove?
Nothing we didn't already know. Regardless of its conclusions, it's useless for anything but an excuse to argue and troll about the same points as always.
Before we start mi2g bashing... (Score:3, Insightful)
(http://www.topdoggps.com/ | Last Journal: Friday November 02, @03:38AM)
1. mi2g notes that hackers they anonymously interviewed preferred attacking Linux systems, NOT because they're inherently less secure - but because of configuration errors that run rampant from poor sysadmining.
1b. Unfortunately, this immediately invalidates any analysis of the security of the actual operating systems. Not to be redundant, but the system is only as good as the administrator.
2. I don't know where I saw someone ask this, but if you look at section two: "Multiple website attacks resulting from a single system breach" do actually count as many. For instance: if foo.com and bar.com are being hosted off the same server, and that server is breached, they count it as two attacks. Their reasoning is that from an insurance perspective, the industry is shelling out twice as many bucks they would've if it had only been a single page.
====
Okay. This article tells us one thing: Linux systems breached are simply victims of poor sysadmining. This should spur us on to do one thing. LEARN.
Shoot, if you're doing this informally, then get a good friend and learn to hack linux systems together; spend spare time hacking each other's systems. If you're doing this professionally, then *learn*. Readreadread. Patch. Patch. Read some more. Patch again. Retouch the basics; shut down unneeded services; configure permissions correctly. Go drop a hundred bucks at Barnes and Noble and buy a 12 pound book on Linux sysadmining. Or security. Above all, no matter how you do it, or even on what platform you do it...
Learn.
Research design = worthless results (Score:5, Interesting)
(http://www.abbamouse.com/)
Not surprising (Score:5, Interesting)
(http://www.icarusindie.com/)
So what do people do? They install it, throw it directly on the line and assume it's secure "out of the box." So they don't worry about it.
I know Windows isn't secure. There's no way in hell I'm putting ANY OS directly on the line. I run a hardware firewall between every computer and the outside. Very few ports are open and I know exactly what's running on each of those ports.
For my IcarusIndie.com server it's logged in as an Administrator 24/7 365 days a year. Guess how many times it's been hacked?
Once someone erased all the usernames and passwords out of MySQL. They did it through a PHP page that uses MySQL. Nothing was actually damaged because they couldn't get anywhere. There is no way to remotely connect to MySQL. It's pretty lame that a semicolon can allow arbitrary commands to be issued to MySQL. And yes I'm running the latest version.
Another time someone I know decided to demonstrate a nearly server crashing bug GuildFTPd has. I updated to the latest version that claimed to have fixed the problem (ignoring your settings for not allowing more than X connections from a single IP) and it wasn't actually fixed. I now run BulletProof FTP server and it isn't affected by that DoS bug and has no known remote exploits.
I also run WinVNC. Except it's modified to use a whitelist. Only when you connect with given IPs do you even get the password prompt. And there's no way to remotely change the IP list unless you already have a whitelisted IP. So when my Cox IP changes I have to go down to the ISP to get physical access to update the whitelist.
No one has ever managed to hack Windows. Even though I'm running as "root." Only some very flaky software handling the above mentioned hacked services. But they've never managed to cause any real damage.
My web-site has been running logged in as Admin for going on 4 years. That's a very stellar record. And not hard to achieve if you're not blinded by propoganda. I even ran my server on WinME to start with and never got hacked.
It's an attitude problem. Not a hardware or software problem if your systems are being hacked into.
Ben
Divergent usage patterns (Score:5, Insightful)
The usage patterns and target market/audience for these operating systems are very different.
There are huge variations in security between
- a Linux box set up by a novice student
- a Solaris system participating in a cluster serving a major consumer website
- a Mac OS X Server machine running stock network services for a graphic design firm
I'd like to hear more about how they accounted for these differences before I make up my mind.Study is a joke, results are not normalised (Score:5, Interesting)
(http://dvd-hq.info/)
It sounds very impressive that "the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004", but then you look at the number of government servers actually running OS X, and it becomes pretty clear why they weren't attacked. There are simply very few government servers running OS X (less than 3%).
So this "study" is a joke. I only wonder who comissioned it, Apple or Microsoft...?
OS X not worth hacking (Score:3, Funny)
(http://www.verspeelt.com/)
Now why would a real hacker want to steal from those losers... where's the money, where's the challenge.
In the same vein it really surprised me that FreeBSD - an effort to make an extremely secure environment - is so secure.
Re:Why is this a surprise? (Score:5, Funny)
(http://www.joestoner.com/ | Last Journal: Thursday July 24 2003, @10:47AM)
Take with 30mG salt (Score:3, Interesting)
(http://cuba.calyx.nl/ | Last Journal: Wednesday August 13 2003, @11:12PM)
Who doesn't know an unpublished exploit of Windows? Perhaps because it is so easy, script kiddies have turned their noses up to Windows? More likely Micro$oft just paid someone off and this is just another example of FUD? I've used all flavours of BSD for years and certainly won't switch. I've used (and still do) use Linux and certainly it can be more trusted than anything from M$.
Others have described the mayhem Microsoft does to the Internet, the worms and all that stuff. Perhaps Linux should review security a bit, but Linux is actually just the kernel and that has been top line for years. Just watch the added and unknown software you add. Same for Windows, but the fundemental basis of that kernel is flawed and without any true 'division of priviliges' its a piece of cake to exploit.
Linux = Good, Difficult (Score:5, Insightful)
(Last Journal: Tuesday September 14 2004, @03:59PM)
I like how the very first post discounts the point of this article right off by saying, sure, maybe linux got attacked successfully a lot, but what about all the other attacks that would've succeeded on Windows?
Come on, people. The fact is, the linux boxes got attacked successfully. That's a Bad Thing, regardless of what happened to Windows. It's an embarrassing thing for us linux people. Here's the real rub...
I've read studies over several years saying that linux boxes are nearly as secure as FreeBSD installations if the administrator sets up the environment properly . The results of the slashdotted study here is the result of the RTFM culture...hard to operate and administer, very little respect for the user in the design of the OS as a whole. I mean "respect" in the sense of "let's make this trivially easy to use because it's possible and respect the user's time" rather than "let's respect the user's intellect by reasoning they'll figure out how to work this thing no matter how ridiculously complicated we make it."
This study ought to convince all the people out there that don't worry about linux being too hard to use...it's affecting everyone, not just newbies. Not just dummies. Even admins can't set up a secure box. We have to keep working on usability folks. Fact is linux is more potentially secure than Windows--but not in practice because no one can figure out how to lock it down.
sev
OSX most secure? No, most *obscure* (Score:5, Interesting)
But even if those potentially dangerous services are enabled (DNS, sendmail), they're less likely to be cracked because most cracks use buffer overruns that are intel specific code injections.
Intel has been around for 20 years, which means 20 years of people learning assembly, and mature, asswiping documentation on every detail of the processor. And also, long evolved cracking documents/tools.
Where as OSX has only been around a few years. And at the time it came out, many tools (DNS, sendmail) had already become security aware. Viruses had already been running rampant, so Apple was able to start at a point where security issues could be worked into the design. Also, when OSX came out, few people cared about assembly anymore. In the 80's it was necessary, but now, it is less so.
At this particular point in time, if an OSX box and linux box are each running the same buggy version of DNS (the one that had the buffer overrun loophole), surely only the linux box will get rooted, because the rootkits are mostly intel specific. The initial rooting of a machine usually involves an assembly level attack with a buffer overrun.
So it's not even an open source issue; DNS is open source. It's the same code on both platforms. But because Mac's OSX platform hasn't been around for long, is one reason there aren't popular rootkits for it. But if there is one, then it's just a matter of time and desire on the part of crackers.
One thing Mac also has going for it is OSX (workstation) the day it was released, by default had all services disabled. So it's a pretty tough box to crack from day one; even if grandma turns on her new OSX box for the first time, it will likely be more secure than a linux box configured by a seasoned admin setting up linux for the first time. (weeks later: "What, sendmail and portmapper are running? I didn't turn those on!")
So there is less desire to even try to crack a platform that has no services to crack to begin with.
However, with OSX *server* being a bit more recent, eventually cracks may become more desirable because that will have attackable services. But someone will have to learn assembly for the Mac to implement the buffer overrun attacks. And it may take a few years before that becomes as popular as linux rootkits.
It would be good if the Linux distros made it harder for first time users setting up webservers to accidentally leave on useless services like NFS, portmapper, and all those daemons internet servers don't need (lpd, yp, linuxconf, auto-updaters).
Hmm, I wonder what services were enabled on the article's test machines. I guess it wouldn't matter, because an intel buffer overrun injection on a Mac just won't fly.
Failed Paradigm? (Score:5, Interesting)
Then when information proves otherwise, they say things like, I'm going to say this just be cause no one else will. Suppose Linux simply is less secure than windows. I have been hearing the opposite from the slashdot crowd with no information to back themselves up. They simply state that because it's open source, it must be more secure.
Then when information proves otherwise, they say things like, they may have been the most targeted or Linux is over-represented as a target of hacking because there is so much low hanging fruit out there
Modding this as Flamebait only proves how Linux-centric Slashdot is.
Windows insecurity (Score:3, Insightful)
OS X is secure right now, but for how long? (Score:3, Insightful)
Re:OS X is secure right now, but for how long? (Score:4, Informative)
>>The automatic software updates feature is the perfect distribution system for some buggy code, it seems.
Apple addressed a security vulnerability with Software Update back in 2002. It now connects on an encrypted channel and confirms encrypted signatures before accepting a download. This makes the application very difficult to crack. Let's just put it this way--if it were cracked then Apple wouldn't be the only company in trouble since most of the internet commerce and secure connections these days depend on the same technology.
Linux Security (Score:5, Insightful)
(http://inglorion.net/ | Last Journal: Thursday October 06 2005, @07:17AM)
A lot of vulnerabilities are found in programs that are part of typical GNU/Linux installations. Although patches are typically made available swiftly, it's still the admins' responsibility to apply them. A system is only as secure as you keep it, and with all the wannabees running Linux c0z 1tz 1337, I don't have very high expectations. Also, keep in mind that Linux has been a small target, which makes it less popular with crackers, and that attacks against it don't affect J. Windows Luser's system, so the chances that you'll here about them are significantly reduced.
I run Debian GNU/Linux [debian.org] myself and I am completely in love with it, because it provides a system that Just Works and that I can understand the workings of. Debian puts a lot of effort in quality and security, however, I won't make any claims about how secure it is until I have trustworthy data about it.
shocking (Score:4, Funny)
Quite frankly I was shocked to see that OpenBSD was so secure. I was certain Linux was the most secure OS.
probably all been said already (Score:4, Insightful)
(http://www.thecatflap.co.uk/)
ii) BSD is not a buzzword like linux. No clueless middle manager ever asked his clueless admin to set up an OpenBSD server because he saw an item on TV about it. Again, if BSD is there, it's probably there for a reason.
iii) the average
iv) the herd's reaction is "it says something negative about linux, which is perfect, ergo it's FUD"
v) why do linux vendors (and also Sun) feel bundling as much freely downloadable crap as possible adds value to the product, rather than just making more of a PITA to manage properly?
The old "obscurity".. (Score:3, Insightful)
(http://www.frognet.net/~chris)
As Linux comes to be more and more ubiquitous I predict that we will see viruses and worms written for linux that will actually spread. This is not to say that linux is any more or less secure than windows, but all operating systems have weaknesses that can be exploited. Windows main weakness is clueless users in my opinion. Linux doesn't have that problem, but it may have the problem of having over confident users.
I have the most secure system in the world sitting in my den. It is a windows 95 box with no modem and no network card. I will give anyone $1000 if they can even do a port scan on it. Oh and the power supply is bad. Ultimate security! Almost as obscure er..secure as OSX!
Linux is not inherently insecure (Score:4, Insightful)
(http://ghazan.hazara.org/)
But I dont think Linux is at fault. I did not use iptables to block unneeded ports on the outside and I did not patch sendmail ( I shouldve used qmail). I shouldve taken close care of suid files, used ssh instead of telnet, jailed most servers, never used root and generally kept checksums of the important binaries. Thats what real security takes, thats whats easily possible on Linux, thats what Windows lacks and THATS what I didnt do.
Altho our firewall now is a single openbsd (which does most of the above by default), I still recommend Linux, but with patches applied, services disabled, ports blocked and servers run in jails. If they compare default installs, Windows isnt running much, older redhats are running too much with no patching of daemons whose sources are available online, and the results are biased. Just give me a server to secure, give the same to a Microsoft representative, some time for us and then attack the two servers all you want.
Just as tomshardware maxes out their test PC's specs to compare video cards properly(radeon and geforcefx will both be about the same on a pentium2 with 64mb ram, 4gb hdd), OS security tests should rule out technician incompetency.
Stop your whining (Score:4, Insightful)
This "study" is bullshit. (Score:3, Interesting)
What about statistics on unreported or covert attacks?
The SIPS database and EVEDA do not contain any specific information on attacks that are covert, not reported, validated or witnessed by any reliable source. We do, however, often receive notification on individual security breaches from our partners and clients across the globe, which are included.
In other words, the sample they are using is self-selecting: only the attacks that have been systematically reported and verified are included. The problems associated with a self-selecting sample are obvious.
What if Linux attacks far outweigh Windows attacks, because Linux administrators tend to report the attacks more often, whereas Windows and other OS administrators do not report attacks so often because it makes them look bad? I'm not trying to troll, I'm merely pointing out why the results of this study are absolutely meaningless.
DETECTED ATTACKS... (Score:4, Insightful)
(http://www.layt.net/john/)