Is Linux just as vulnerable as Windows?
Posted 15 January 2005 - 06:04 AM
Please post your opinions.
Posted 15 January 2005 - 08:00 AM
Now, this provides for a really interesting point of view. When we went to Windows Server 2003 out of the box, it broke almost everything for Linux and Mac systems connecting to them. This was because of a few select security settings that were enabled (SMB Service Signing being the primary one). When we actually started cranking up the security settings, we found that SAMBA could no longer be used for the Apples (I recommended ADmitMac, it's pretty cool) or the Linux systems. In addition, most of the patches for Windows Server 2003 (which are much fewer than the previous generations of Windows) don't require reboots, and when using our stronger templates and default (limited) services being installed the box was indeed rather secure. So, I would say that Windows is moving along nicely, especially with the firewall introduction to XP and coming up in SP1 for Windows Server 2003.
Now for Linux. I am a big fan of Linux, and have used it for almost 6 years. In the first couple of years, I didn't find that many patches when compared to Windows at that time. Of course, there weren't that many applications or use for it as a desktop either. As time has passed, and more things are added to it, there have been many more updates needed. All you need to do is keep an eye on this site's homepage to see all of the security updates being released. Many of these updates, however, are for applications and services that have been around for a while. With the increase in popularity of Linux, it has attracted much more attention; the attention of the wrong people. Couple this with bad design decisions (like that of Lindows to have users running around as root, I don't know if that has been remedied) and you can paint a big target on your back.
In my environment, it's easier to see patterns in exploits for applications and services. In my world, the more popular something is, the more likely it is to be exploited. If this wasn't the case, then Novell would have to be considered virtually perfect since I can't recall the last security advisory released for it. Is that the case? Probably not. Why attack something that nobody uses?
As for security of an application when it's open source, it is fundamentally more secure, but isn't in reality. It *should* be more secure since any user could completely evaluate the code and change it as needed to correct imperfections. After this, the change could be submitted back to the project maintainers and updated for everyone. Having said that, how many people (including yourself) do you know that scour through the source such as this? You will wind up with the same team of people working on the application as usual, along with some others. This is much like what a large software company team would do.
So, we have a software team in the closed source company, and a software team for the open source project. It is conceivable that an attacker could either:
1. Read all the code and look for exploits, then mount a large-scale attack to take everyone by surprise or select a specific target for any reason.
2. Alter the source code and then pass of the source and/or compiled binary as legitimate code and "infect" unknowing users (I believe this happened with OpenSSH a long time ago). MD5 usage could possibly negate this (unless the presented MD5 sum was altered as well) but most people don't mess with it.
In summary, both have their faults, and neither is perfect. But don't doubt for a minute that popularity among users equates to popularity among hackers. People don't invest that kind of time into something without expecting a result.
More targets = more incentive.
Posted 15 January 2005 - 11:05 PM
I'm a big fan of Linux just as you guys are and for some reason somehow I think that Linux has so much more potential. Time will tell I guess and I think what's stopping Linux from taking over is the defragmentation of the different distros, the concept that it is not so user friendly or Pnp as someone metioned here, and simply that it is just a different beast for the regular windows-psychologically-conditioned users. Personally I like the different flavors that Linux has to offer. Hopefully as time goes by Linux users will get more noticed and the big gaming, software, hardware, and etc. corporations will also include Linux as one of their main elements needed to develop their own products.
Posted 18 January 2005 - 07:34 PM
personal and corporate.
No one has mentioned SELinux technology in this thread.
No one has mentioned data collected from a honeyfarm.
Have a look at this:
IT: Linux Getting Harder To Crack
Posted by timothy on Monday January 17, @09:55PM
from the pride-goeth-before-a-fall dept.
AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before a unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study default installations are now more secure with less services enabled by default, added to this is newer versions of software such as OpenSSH being more secure. Interestingly Solaris 8 and 9 did not fare so well."
Posted 18 January 2005 - 11:49 PM
No one has mentioned SELinux technology in this thread.
Probably because one could configure just about any OS in one way or another to be secure. This could be done by stripping services, blocking ports, traffic encryption, proper service account usage, etc. I do like how the NSA illustrates in their FAQ the inherent insecurity of the permissions architecture. The ACL-based architecture (along with roles-based permissions) is something that Novell and Windows have had for quite a while now. It's good to see that various distros are providing this as an option. However, until the majority of distros provide this as a default configuration, it should still be considered a specialized item. Most people bash Windows security because of its defaults and not because of how secure it could be (through the use of templates via local or Group Policy, for instance).
No one has mentioned data collected from a honeyfarm.
I know that I haven't had a need for one myself, but I don't know about others here. An interesting point of that article is the use of the default installation configuration. This is where Windows used to get nailed, primarily by IIS being installed and then getting pelted by CodeRed traffic that's still out there. Most Linux distributions try to install very little, but many new users go for the "kitchen sink" install, and then not understand why they have 5 text editors, none of which are easy to use. Apple is finding this to be a good learning experience, since they are merging ease of use with BSD and finding that it isn't as secure as they would like. Just because the kernel is famous for being secure, that doesn't mean that all the other stuff you install is inherently secure.
Posted 19 January 2005 - 03:33 AM
Today, I received a message from Roadrunner that it's firewall detected a virus attached to an incoming e-mail message. The messaged asked me to contact the sender to inform them that their system was sending out an e-mail with a virus attached. The incoming message was labeled as coming from Roadrunner. You know it was a fake e-mail message, as it asked you to click on the attachment to clean your system of a virus that was detected. It was also signed, "cheers, the Rr team."
So, you have a valid warning of an e-mail with an infected attachment (that was deleted by the firewall/security of Roadrunner), with a fake message from Rr.com as the sender of the infected e-mail.
There are two variables here. Targeting windows users (a large company's OS and it's users) and users of Roadrunner, who are expected to have Windows systems.
Virus issues are likely to affect those who are not experienced users and are less likely to pick such things up, or assure that they have proper security software on their systems, or who are not able to repair their systems easily.
For this reason, security risks are less for Linux users, because the hackers are targeting large companies and users not likely to take many precautions.
Linux developers are making security updates before the attack happens, or as soon as a vulnerability is identified. Microsoft, unfortunately, is in a position where their users are being actively attacked and developing patches and updates once their OS vulnerabilities are exposed.
Posted 19 January 2005 - 06:34 AM
Also, unix and linux have more hacking attempts than windows. Consider this, most college campuses use linux or unix servers. What do the computer science and computer engineering students at the college do? Hmmm.... They are constantly trying out the new stuff they learn and teach themselves. Hehe. But the total number of successful hacks on unix and linux is far lower than the successful hacks on windows servers...
Some food for thought - chow down!
Posted 19 January 2005 - 08:07 AM
When he exited his browser, he had his desktop back but in the background was a black screen followed by a big warning about pornography on his computer and a link back to the site. He asked if I could help him.
The first thing I did was download Firefox Web browser and Ad-Aware. Ad-Aware found 144 spyware, malware, miningware etc. and I deleted them all and got him set up with Firefox.
I went into the desktop manager and tried to re-establish his desktop background image, but the black screen and add would not go away. I traced the image to a file located in C:\Windows called "desktop.html" I commented out the image's name which made it go away but now, all he has is a white screen and you cannot put his desktop image of preference back.
What a pile of crap! How invasive can you get!
I didn't rub it in or anything, but the whole time I was working on his box I was saying silent "thank you's" that I don't have these problems anymore.
Posted 19 January 2005 - 09:05 AM
Remember, the average Linux admin is more knowledgeable of his/her OS than the average Windows admin.
Also, I used RH 7.3 in college, and the main reasons we did were because:
1. Cheap (read: free)
2. Supported Java, which is what we were learning
Also, having the source code freely available to modify, such as the kernel, makes learning development of kernels and compilers much easier. As for security, well let's say that the administrative procedures of the lab weren't that great...
Posted 19 January 2005 - 10:22 AM
This is what most security professionals will usually say also that it is usually a user mistake that will get your windows boxes infected by viruses, spyware, or malware. I have been a windows user for quite sometime also and never had a problem such as the ones described above but I think probably because we are most of the time very aware of the security risks involved. When I took my first hacking class back in college we experimented in trying to hack different OSs including RH as one of them, and it was always the case that the teams with windows boxes were always the ones who wouldn't take that long to break their boxes.
In any case, I think that the ordinary users just love to click left and right whenever they receive anything by email or go anywhere online and if I wasn't computer-educated I probably would just do the same thing. This has just been my experience, so I agree with Dapper Dan and OldSpiceAP that it seems as though M$ have usually been reactive instead of proactive to every case, well until recently, and that's a maybe.
Posted 19 January 2005 - 08:30 PM
When deploying Windows clients in a work environment, we use Group Policy to strictly control what the machines can do. You can completely remove ActiveX, along with various zones for IE and varying levels of IE security within each zone. MS is slowly limiting the default configuration out of the box, but it's hard to do when so many people want convenience in place of security.
Having said that, I prefer Firefox myself for most web browsing because it's faster and has tabbed navigation. I have been using it since it was Phoenix 0.4 in Linux, and went to it on both platforms with 0.5. I do keep IE around with ActiveX enabled mostly for Virtual Server, as the consoles and management interfaces use ActiveX controls (until I can go to ESX server all around, then this will no longer be an issue).
What has been interesting, is that with the introduction of a firewall in XP (actually, there was one already but nobody wanted to use it) many places are implementing Group Policy just to turn it OFF. Rather strange, since everybody complains about the seeming lack of security in XP only to go through more effort to completely disable security features ("my car isn't safe, but let's disable the airbags and ABS in the new one because I don't understand them and they are in my way").
Posted 19 January 2005 - 09:04 PM
Actually he's probably an above average user because he told me he was paying for McAaffe, and had his computer setup to download the latest virus definitions and do a scan once a week. He didn't know what spyware was though.
The average computer user out there is just not going to be aware of all the things thay need to do, (and pay for) to make their Windows boxes secure enough to be able to sleep at night. Unfortunately, the market takes advantage of these very people. "Got a virus or spyware? We can help for $$$."
This is the very reason I considered changing my radio station over to Linux to begin with. Even though I had what I believed were pretty dang good security measures under Windows 98 SE, I still couldn't sleep at night.
If we had gotten a virus that locked up our boxes we would be seriously out of commission for a while, even after having backed up everything important.
Now that all our boxes run Linux, I can get a good night's sleep again!
Posted 19 January 2005 - 10:57 PM
Posted 20 January 2005 - 02:34 AM
Posted 22 January 2005 - 04:38 AM
Business - BusinessWeek Online
By Steve Hamm
full text of the article...
..and the paragraph which caught my eye:
Posted 22 January 2005 - 08:01 AM
Posted 22 January 2005 - 09:18 PM
and engineering agency (not a research agency), too much faith is sometimes put
in outside consultants.
the food for thought is supposed to generate discussion and analysis,
not a simple dismissal.
assuming for the moment the person quoted is a competent professional working
for a competent government agency (in this case: not the Department of Interior),
then upon what basis might this person say what is quoted?
Departmental configuration guidelines?
Required use of SELinux policies?
The number of configuration elements and the number of methods needed to adjust
Posted 23 January 2005 - 07:03 AM
For example, when reviewing the DISA guidance set forth for the Windows OS, it is possible to completely break communication between it and practically every other OS out there, including Windows. We have to file waivers to correct various settings just to get them to work. This is not isolated to Windows, as there are waivers for just about every OS out there.
As for the dismissal, it seemed more like the quote was put there to show that a government agency feels that Linux is more secure than Windows, therefore it must be. I see things like this all the time at work with comparisons between Windows and Linux, Windows and Apple, Apple and Linux, the usage of Samba vs. ADmitMac, and so on. When you see what happens to all of these things in a day-to-day basis, it almost doesn't matter what the opinion is any more since they can all be secured and they can all be broken. Many groups that are supposed to represent the paramount of security (governments, banks, major online retailers, etc) around the world have had all the various operating systems and applications compromised at one time or another.
The question of the thread was "which is more secure?", and the answer is "neither". As I am the only one here that is either willing or able to put forth what Windows can do, that has been my role. I was hoping to see more balanced discussion regarding both operating systems, but the only "food for thought" postings held Linux in high regard, and no so much for Windows. Yes, this is a Linux newsgroup and yes opinions are freely available. But, try not to be put off when one dismisses a quote that:
1. Has no qualifiers asking for discussion, but rather listed as "another vote for Linux"
2. Is from an agency known for security vulnerabilities
3. Is not being presented with alternate perspectives, such as a "pro Windows" quote or article
However, to further the discussion along the points asked in your reponse:
Departmental configuration guidelines?
I didn't see anything listed in the article, but I did mention the use of DISA STIGs (here is one public site for them: http://csrc.nist.gov/pcig/cig.html if you are in a .gov or .mil domain then try http://iase.disa.mil...guid/index.html)
Required use of SELinux policies?
I checked the STIG for UNIX with Linux additions, and I didn't see any mention of SELinux, so I doubt there is any requirement for it. Not entirely shocking that one government agency isn't aware of the work of another.
The number of configuration elements and the number of methods needed to adjust the configuration?
Without a STIG to work with, or any information to be gleened from the article, it would be hard to tell. To me, it just looks like another one of those "it's got to be more secure because it isn't Windows" statements rather than anything of quantitative merit.
So there you have it, I believe that both OSs are awesome, but have their drawbacks. What I would like to see are opinions of Windows Server 2003 and/or Windows XP SP2 vs. modern Linux distributions, rather than comparisons of older Windows distributions (such as 9x) in this thread. I'll post this in the www.ntcompatible.com forum and see if that can be arranged.