[LinuxCrusader]

The battle continues where many people argue that Linux is just as vulnerable as windows. Some argue that open source software is more vulnerable to attacks than proprietary software and some argue just the opposite. Suppose linux was to be the main stream OS, would we be having the same kinds of issues that the Windows has? Here is a recent article that discusses the top ten vulnerabilties for both Windows and Linux:
http://www.sans.org/top20/

Please post your opinions.

[Dapper Dan]

[clutch]

I guess I have a different view on this. I am an engineer in a really, really large federal environment (approx 500K users in the US alone) and we have everything out there. One of my jobs is to handle configuration management of domain controllers, which includes patching and security policies. Another part of my job is cross-platform interoperability.

Now, this provides for a really interesting point of view. When we went to Windows Server 2003 out of the box, it broke almost everything for Linux and Mac systems connecting to them. This was because of a few select security settings that were enabled (SMB Service Signing being the primary one). When we actually started cranking up the security settings, we found that SAMBA could no longer be used for the Apples (I recommended ADmitMac, it's pretty cool) or the Linux systems. In addition, most of the patches for Windows Server 2003 (which are much fewer than the previous generations of Windows) don't require reboots, and when using our stronger templates and default (limited) services being installed the box was indeed rather secure. So, I would say that Windows is moving along nicely, especially with the firewall introduction to XP and coming up in SP1 for Windows Server 2003.

Now for Linux. I am a big fan of Linux, and have used it for almost 6 years. In the first couple of years, I didn't find that many patches when compared to Windows at that time. Of course, there weren't that many applications or use for it as a desktop either. As time has passed, and more things are added to it, there have been many more updates needed. All you need to do is keep an eye on this site's homepage to see all of the security updates being released. Many of these updates, however, are for applications and services that have been around for a while. With the increase in popularity of Linux, it has attracted much more attention; the attention of the wrong people. Couple this with bad design decisions (like that of Lindows to have users running around as root, I don't know if that has been remedied) and you can paint a big target on your back.

In my environment, it's easier to see patterns in exploits for applications and services. In my world, the more popular something is, the more likely it is to be exploited. If this wasn't the case, then Novell would have to be considered virtually perfect since I can't recall the last security advisory released for it. Is that the case? Probably not. Why attack something that nobody uses?

As for security of an application when it's open source, it is fundamentally more secure, but isn't in reality. It *should* be more secure since any user could completely evaluate the code and change it as needed to correct imperfections. After this, the change could be submitted back to the project maintainers and updated for everyone. Having said that, how many people (including yourself) do you know that scour through the source such as this? You will wind up with the same team of people working on the application as usual, along with some others. This is much like what a large software company team would do.

So, we have a software team in the closed source company, and a software team for the open source project. It is conceivable that an attacker could either:

1. Read all the code and look for exploits, then mount a large-scale attack to take everyone by surprise or select a specific target for any reason.

2. Alter the source code and then pass of the source and/or compiled binary as legitimate code and "infect" unknowing users (I believe this happened with OpenSSH a long time ago). MD5 usage could possibly negate this (unless the presented MD5 sum was altered as well) but most people don't mess with it.

In summary, both have their faults, and neither is perfect. But don't doubt for a minute that popularity among users equates to popularity among hackers. People don't invest that kind of time into something without expecting a result.

More targets = more incentive.

[LinuxCrusader]

I share the same experience with you Clutch. At my work, we also have windows 2003 server and during the first weeks when we upgraded and mess with Win2003 I had the same thought as you did that this OS seemed to be secured and windows seemed to have done their homework nicely. I was quite impressed I must say, but I also like what Dapper Dan said

Quote:

just because you have a map of the layout of the security of Fort Knox doesn't mean you will be able to easily breach its security

.

I'm a big fan of Linux just as you guys are and for some reason somehow I think that Linux has so much more potential. Time will tell I guess and I think what's stopping Linux from taking over is the defragmentation of the different distros, the concept that it is not so user friendly or Pnp as someone metioned here, and simply that it is just a different beast for the regular windows-psychologically-conditioned users. Personally I like the different flavors that Linux has to offer. Hopefully as time goes by Linux users will get more noticed and the big gaming, software, hardware, and etc. corporations will also include Linux as one of their main elements needed to develop their own products.

[clutch]

Yes, it would seem that the vast selection is also what's hurting it at times. It is already an awesome utility, appliance, and administration OS. Now, if we could get some real power behind the major desktop applications...

[martouf]

the issue of relative vulnerability is interesting for reasons both
personal and corporate.

No one has mentioned SELinux technology in this thread.

No one has mentioned data collected from a honeyfarm.

Have a look at this:

Quote:

IT: Linux Getting Harder To Crack

Posted by timothy on Monday January 17, @09:55PM
from the pride-goeth-before-a-fall dept.

AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before a unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study default installations are now more secure with less services enabled by default, added to this is newer versions of software such as OpenSSH being more secure. Interestingly Solaris 8 and 9 did not fare so well."

Read More...

[clutch]

Originally posted by martouf:

Quote:

No one has mentioned SELinux technology in this thread.

Probably because one could configure just about any OS in one way or another to be secure. This could be done by stripping services, blocking ports, traffic encryption, proper service account usage, etc. I do like how the NSA illustrates in their FAQ the inherent insecurity of the permissions architecture. The ACL-based architecture (along with roles-based permissions) is something that Novell and Windows have had for quite a while now. It's good to see that various distros are providing this as an option. However, until the majority of distros provide this as a default configuration, it should still be considered a specialized item. Most people bash Windows security because of its defaults and not because of how secure it could be (through the use of templates via local or Group Policy, for instance).

Quote:

No one has mentioned data collected from a honeyfarm.

I know that I haven't had a need for one myself, but I don't know about others here. An interesting point of that article is the use of the default installation configuration. This is where Windows used to get nailed, primarily by IIS being installed and then getting pelted by CodeRed traffic that's still out there. Most Linux distributions try to install very little, but many new users go for the "kitchen sink" install, and then not understand why they have 5 text editors, none of which are easy to use. Apple is finding this to be a good learning experience, since they are merging ease of use with BSD and finding that it isn't as secure as they would like. Just because the kernel is famous for being secure, that doesn't mean that all the other stuff you install is inherently secure.

[danleff]

Just a practical note. Just a few months ago, an e-mail "virus" hijacked the web browsers of 3 family computers, my sister's my Dad's and my mom's system. All three were running Windows XP. After getting my sister's system back to normal, she asked me why my system was not hit. I replied "I'm using Linux."

Today, I received a message from Roadrunner that it's firewall detected a virus attached to an incoming e-mail message. The messaged asked me to contact the sender to inform them that their system was sending out an e-mail with a virus attached. The incoming message was labeled as coming from Roadrunner. You know it was a fake e-mail message, as it asked you to click on the attachment to clean your system of a virus that was detected. It was also signed, "cheers, the Rr team."

So, you have a valid warning of an e-mail with an infected attachment (that was deleted by the firewall/security of Roadrunner), with a fake message from Rr.com as the sender of the infected e-mail.

There are two variables here. Targeting windows users (a large company's OS and it's users) and users of Roadrunner, who are expected to have Windows systems.

Virus issues are likely to affect those who are not experienced users and are less likely to pick such things up, or assure that they have proper security software on their systems, or who are not able to repair their systems easily.

For this reason, security risks are less for Linux users, because the hackers are targeting large companies and users not likely to take many precautions.

Linux developers are making security updates before the attack happens, or as soon as a vulnerability is identified. Microsoft, unfortunately, is in a position where their users are being actively attacked and developing patches and updates once their OS vulnerabilities are exposed.

[OldSpiceAP]

There is another factor in security other than viruses, worms, etc. A larger problem in my opinon is spyware, and malware. These build up on windows based computeres, slowly slowing them to a crawl. A few good utilities to combat these exist, but there so many. And many of these are dataminers. These little programs get on computers, and send back information, user habits, files, etc.. And most if not every one of them is designed for windows. Thus, the myth "You have to do a reinstall of windows every 6 months to restore performance." The real problem is that the registry gets cluttered, and spyware and malware hijack system resources makeing people think their windows install is hosed. This is a security problem that is not often talked about - or considered a security problem. I find that using firefox on windows greatly eliminates the number of spyware programs that make their way into windows. This just goes to show that good programing can make a windows environment safe. The fact that this simply does not happen on linux shows it is inherently safer to use.

Also, unix and linux have more hacking attempts than windows. Consider this, most college campuses use linux or unix servers. What do the computer science and computer engineering students at the college do? Hmmm.... They are constantly trying out the new stuff they learn and teach themselves. Hehe. But the total number of successful hacks on unix and linux is far lower than the successful hacks on windows servers...

Some food for thought - chow down!

[Dapper Dan]

A friend of mine who uses Windows XP Pro recently told me of a very interesting problem he had. He said when he booted the day before his desktop image, icons and toolbar were gone. All he had was a single icon labled, "teeage sex photos!" Having no other way to do anything, he clicked on the icon to see what would happened. When he did, his modem network connection utility came up, dialed, got him on line and took him to a site with a warning that he had porography on his computer. The site featured several articles about people who had been prosecuted for child porn pictures on their machines, followed by an ad pitch that their software could rid his computer of the offending images asking for his credit card numbers!

When he exited his browser, he had his desktop back but in the background was a black screen followed by a big warning about pornography on his computer and a link back to the site. He asked if I could help him.

The first thing I did was download Firefox Web browser and Ad-Aware. Ad-Aware found 144 spyware, malware, miningware etc. and I deleted them all and got him set up with Firefox.

I went into the desktop manager and tried to re-establish his desktop background image, but the black screen and add would not go away. I traced the image to a file located in C:\Windows called "desktop.html" I commented out the image's name which made it go away but now, all he has is a white screen and you cannot put his desktop image of preference back.

What a pile of crap! How invasive can you get!

I didn't rub it in or anything, but the whole time I was working on his box I was saying silent "thank you's" that I don't have these problems anymore.

[clutch]

Strange, I have been a Windows user for the last 10 years, and haven't had these issues. Must be the user.

Remember, the average Linux admin is more knowledgeable of his/her OS than the average Windows admin.

Also, I used RH 7.3 in college, and the main reasons we did were because:

1. Cheap (read: free)
2. Supported Java, which is what we were learning

Also, having the source code freely available to modify, such as the kernel, makes learning development of kernels and compilers much easier. As for security, well let's say that the administrative procedures of the lab weren't that great...

[LinuxCrusader]

Quote:

Strange, I have been a Windows user for the last 10 years, and haven't had these issues. Must be the user.

This is what most security professionals will usually say also that it is usually a user mistake that will get your windows boxes infected by viruses, spyware, or malware. I have been a windows user for quite sometime also and never had a problem such as the ones described above but I think probably because we are most of the time very aware of the security risks involved. When I took my first hacking class back in college we experimented in trying to hack different OSs including RH as one of them, and it was always the case that the teams with windows boxes were always the ones who wouldn't take that long to break their boxes.

In any case, I think that the ordinary users just love to click left and right whenever they receive anything by email or go anywhere online and if I wasn't computer-educated I probably would just do the same thing. This has just been my experience, so I agree with Dapper Dan and OldSpiceAP that it seems as though M$ have usually been reactive instead of proactive to every case, well until recently, and that's a maybe.

[clutch]

IE for Server 2003 is quite a bit different, much like its installed configuration. By default, IE will not let you do anything, including download stuff, unless you manually list those sites as "trusted" or remove the IE enhanced security configuration.

When deploying Windows clients in a work environment, we use Group Policy to strictly control what the machines can do. You can completely remove ActiveX, along with various zones for IE and varying levels of IE security within each zone. MS is slowly limiting the default configuration out of the box, but it's hard to do when so many people want convenience in place of security.

Having said that, I prefer Firefox myself for most web browsing because it's faster and has tabbed navigation. I have been using it since it was Phoenix 0.4 in Linux, and went to it on both platforms with 0.5. I do keep IE around with ActiveX enabled mostly for Virtual Server, as the consoles and management interfaces use ActiveX controls (until I can go to ESX server all around, then this will no longer be an issue).

What has been interesting, is that with the introduction of a firewall in XP (actually, there was one already but nobody wanted to use it) many places are implementing Group Policy just to turn it OFF. Rather strange, since everybody complains about the seeming lack of security in XP only to go through more effort to completely disable security features ("my car isn't safe, but let's disable the airbags and ABS in the new one because I don't understand them and they are in my way").

[Dapper Dan]

Originally posted by clutch:

Quote:

Strange, I have been a Windows user for the last 10 years, and haven't had these issues. Must be the user.

Actually he's probably an above average user because he told me he was paying for McAaffe, and had his computer setup to download the latest virus definitions and do a scan once a week. He didn't know what spyware was though.

The average computer user out there is just not going to be aware of all the things thay need to do, (and pay for) to make their Windows boxes secure enough to be able to sleep at night. Unfortunately, the market takes advantage of these very people. "Got a virus or spyware? We can help for $$$."

This is the very reason I considered changing my radio station over to Linux to begin with. Even though I had what I believed were pretty dang good security measures under Windows 98 SE, I still couldn't sleep at night.

If we had gotten a virus that locked up our boxes we would be seriously out of commission for a while, even after having backed up everything important.

Now that all our boxes run Linux, I can get a good night's sleep again!

[clutch]

Um, I think it was a legal requirement that anybody who ran Win9x/ME was not allowed to sleep at night. Well, unless the machine was disconnected from the network, and off, and encased in cement. Even then, it's touch-and-go...

[Dapper Dan]

Originally posted by clutch:

Quote:

Um, I think it was a legal requirement that anybody who ran Win9x/ME was not allowed to sleep at night. Well, unless the machine was disconnected from the network, and off, and encased in cement. Even then, it's touch-and-go...

LOL!

[martouf]

more food for thought?

Business - BusinessWeek Online
BusinessWeek Online
"Linux Inc."
By Steve Hamm

full text of the article...

..and the paragraph which caught my eye:

Quote:

These collaborations are turning Linux into an all-purpose operating system. It's secure enough that Lawrence Livermore National Laboratory loads it not only on desktop and server computers but also on supercomputers it uses to simulate the aging of nuclear materials. "Linux is definitely more secure than Windows," says Mark Seager, the lab's assistant department head for advanced technology. "There aren't as many ways to break the system." With the latest improvements, Linux now works on servers with more than 128 processors and can run the largest databases. The newest versions also have features, such as power management, that make them more suitable for laptop PCs.

[clutch]

Well, considering the problems that they have had with security in the past (and currently), you'll have to forgive me for not having faith in their opinion on anything. Google it. I work with government agencies, and too much faith gets put into their opinion on what's safe.

[martouf]

having been a civil servant responsible for NT, VMS, and Unix systems for a science
and engineering agency (not a research agency), too much faith is sometimes put
in outside consultants.

the food for thought is supposed to generate discussion and analysis,
not a simple dismissal.

assuming for the moment the person quoted is a competent professional working
for a competent government agency (in this case: not the Department of Interior),
then upon what basis might this person say what is quoted?

Departmental configuration guidelines?
Required use of SELinux policies?
The number of configuration elements and the number of methods needed to adjust
the configuration?

[clutch]

Typically, most security configration items fall under DISA STIGs. These are essentially the "rules of the road" when deploying an OS, service, application, etc into a government environment. However, the GS personnel (configuration items are under final review by government civillians, not contractors and especially not vendors or outside consultants) that came up with some of them have not necessarily implemented them to their fullest extent.

For example, when reviewing the DISA guidance set forth for the Windows OS, it is possible to completely break communication between it and practically every other OS out there, including Windows. We have to file waivers to correct various settings just to get them to work. This is not isolated to Windows, as there are waivers for just about every OS out there.

As for the dismissal, it seemed more like the quote was put there to show that a government agency feels that Linux is more secure than Windows, therefore it must be. I see things like this all the time at work with comparisons between Windows and Linux, Windows and Apple, Apple and Linux, the usage of Samba vs. ADmitMac, and so on. When you see what happens to all of these things in a day-to-day basis, it almost doesn't matter what the opinion is any more since they can all be secured and they can all be broken. Many groups that are supposed to represent the paramount of security (governments, banks, major online retailers, etc) around the world have had all the various operating systems and applications compromised at one time or another.

The question of the thread was "which is more secure?", and the answer is "neither". As I am the only one here that is either willing or able to put forth what Windows can do, that has been my role. I was hoping to see more balanced discussion regarding both operating systems, but the only "food for thought" postings held Linux in high regard, and no so much for Windows. Yes, this is a Linux newsgroup and yes opinions are freely available. But, try not to be put off when one dismisses a quote that:

1. Has no qualifiers asking for discussion, but rather listed as "another vote for Linux"
2. Is from an agency known for security vulnerabilities
3. Is not being presented with alternate perspectives, such as a "pro Windows" quote or article

However, to further the discussion along the points asked in your reponse:

Departmental configuration guidelines?
I didn't see anything listed in the article, but I did mention the use of DISA STIGs (here is one public site for them: http://csrc.nist.gov/pcig/cig.html if you are in a .gov or .mil domain then try http://iase.disa.mil...guid/index.html)

Required use of SELinux policies?
I checked the STIG for UNIX with Linux additions, and I didn't see any mention of SELinux, so I doubt there is any requirement for it. Not entirely shocking that one government agency isn't aware of the work of another.

The number of configuration elements and the number of methods needed to adjust the configuration?
Without a STIG to work with, or any information to be gleened from the article, it would be hard to tell. To me, it just looks like another one of those "it's got to be more secure because it isn't Windows" statements rather than anything of quantitative merit.

So there you have it, I believe that both OSs are awesome, but have their drawbacks. What I would like to see are opinions of Windows Server 2003 and/or Windows XP SP2 vs. modern Linux distributions, rather than comparisons of older Windows distributions (such as 9x) in this thread. I'll post this in the www.ntcompatible.com forum and see if that can be arranged.