Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Is Linux as Secure as We'd Like to Think?

Cliff posted more than 11 years ago | from the is-the-emperor-wearing-clothes dept.

Security 1091

man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

Sorry! There are no comments related to the filter you selected.

Psychology plays a role (4, Insightful)

Brento (26177) | more than 11 years ago | (#6788366)

First, the user base for Linux is inherently more systems-savvy and internet-knowledgable than the Windows user base: it comes back to the old Linux-on-the-desktop argument. As long as you've got less systems-savvy users on a particular operating system, it will be more vulnerable to attack. As a result, people with more tech knowledge tend to also run a more secure system - just like my lawyer friends know not to let the cops search your car.

Anti-establishment psychology also comes into play: for example, you don't see anti-business graffiti on your local coffee shop, you see it at Starbucks. When people want to make a statement about animal cruelty and food, they often picket at McDonald's - not the local Mom & Pop restaurant. Why? Because it's perceived as cool to go after the big business. Writing a Linux virus isn't nearly as cool as taking down Microsoft. The recent viruses attacked Windows Update for a reason: to make a statement. Calling Linux secure because people love DDOS'ing Microsoft is faulty logic.

Re:Psychology plays a role (4, Interesting)

Anonymous Coward | more than 11 years ago | (#6788394)

Maybe skilled users make the difference, but not in and of itself. Otherwise we would expect to see heaps of security problems/viruses with Mac OSX boxes.

Re:Psychology plays a role (2)

javelinco (652113) | more than 11 years ago | (#6788395)

True, at this point. But isn't the point that Microsoft IS the biggie out there, and Linux isn't, but we all (well, there is an assumption here) would like to see that reversed? If that's true, then your arguement is effectively null and void.

Re:Psychology plays a role (5, Insightful)

Brento (26177) | more than 11 years ago | (#6788440)

But isn't the point that Microsoft IS the biggie out there, and Linux isn't, but we all (well, there is an assumption here) would like to see that reversed? If that's true, then your arguement is effectively null and void.

That's actually the point: there are a ton of anti-Microsoft people out there who would love to see Microsoft go down in flames, and Linux take its place. Those people are more technically inclined. While I would never go so far as to say that Linux people purposely write virii to take down Microsoft, I certainly wouldn't say that Microsoft users are the guys writing virii to take down Windows Update. You don't bite the hand that feeds you, and I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.

Re:Psychology plays a role (1, Redundant)

Hassman (320786) | more than 11 years ago | (#6788478)

How so? The roles would reverse there and Linux would be the target instead.

He's not null and void...he's dead on.

There are so many examples of people attacking one corperation and supporting another...then when the roles are reversed, the people's opinions reverse. No one likes to see someone as successful as Bill Gates or MS...

Re:Psychology plays a role (5, Insightful)

511pf (685691) | more than 11 years ago | (#6788492)

People don't go after big business because it's "cool." People go after big business because it's visible. It gets their message across to more people. Big business is also a target because any change in business practices has a wide effect. If McDonalds increases their food safety standards, the change has a real effect on national food safety because of McD's sheer mass. In addition, other fast food chains will follow suit to avoid bad publicity. Going after McDonalds isn't "cool." It's effective.

Re:Psychology plays a role (1)

imbaczek (690596) | more than 11 years ago | (#6788508)

Yeah, potential buffer overruns sit in places no one would think about (hence all those bind/sendmail/iss/rpc holes...) Except that a buffer overrun in a well-configured unix system won't allow your normal cracker to do rm -rf /.

Re:Psychology plays a role (0)

Anonymous Coward | more than 11 years ago | (#6788541)

Writing a Linux virus isn't nearly as cool as taking down Microsoft.

Writing a Linux virus isn't as easy to write, or more likely easy to distribute widely.
But if someone could, props to them. That would be very cool. Probably pretty funny too.

it's called MSBlaster, not Blaster. (0, Flamebait)

rokzy (687636) | more than 11 years ago | (#6788370)

understand the reason and you'll answer your question.

Hello, son (3, Funny)

Anonymous Coward | more than 11 years ago | (#6788555)

It has come to our attention that not only are you wasting your time posting to slashdot when you should be looking for a job, but you are also a moron. The W32.Blaster worm goes by many names, something you as a geek should know.

Please move out of our basement and take all your Hentai DVDs with you.

Love,

Mum and Dad.

Short answer No, Long answer Maybe (5, Funny)

Anonymous Coward | more than 11 years ago | (#6788371)

Personally I have all my end-users sign on as root. So far so good

I think its the apps (5, Insightful)

tlacicer (515153) | more than 11 years ago | (#6788372)

I think website defacement and Linux security are 2 different issues all together. From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of of the operating system or the web server for that matter. It was only a security hole in one php script. This security hole was identified and patched rather quickly but I failed to apply the patch in a timely matter. But the rest of my websites were fine along with the rest of the services running on that box.

My opinion is that there are a lot of free / cheap web hosts out there running OSS and a lot of people publishing web pages and message boards using scripts that someone else wrote and not updating them.

I would like to see a comparison on the types web pages that were defaced and what was actually done, I bet most of them had nothing to do with operating system the website was running on.

Re:I think its the apps (1)

sjwt (161428) | more than 11 years ago | (#6788423)

ok,
but by the same logic runs for
MS too.

IE and Outlook are not the OS,
no matter how much MS winges
about IE being intergrated into the
OS :)

Re:I think its the apps (2, Interesting)

Anonymous Coward | more than 11 years ago | (#6788505)

IE and Outlook are not the OS,
no matter how much MS winges
about IE being intergrated into the
OS :)


Care to enlighten us on how to remove IE from an XP system?

Re:I think its the apps (1)

tlacicer (515153) | more than 11 years ago | (#6788531)

Well not exactly, remember those are Desktop applications that were written by M$ and included in the desktop.

I am speaking about web applications written by third parties. I am pretty sure that if Linux started writting PHP message boards they would be pretty darn secure :)

Just a side note .. I know this is off topic .. but have you ever tried to open an M$ Access DB over a network share from a machine with a FQDN? You get a security error. You have to go into IE and change security settings there for M$ Access to be able to use that share :) ..

Re:I think its the apps (5, Insightful)

sphealey (2855) | more than 11 years ago | (#6788559)

First, arrogance preceeds a fall, and that is as true of system security as anything else. So Linux users/admins should not become complancent/arrogant

IE and Outlook are not the OS,
no matter how much MS winges
about IE being intergrated into the
OS :)
Still, I have to disagree with you a bit here. Internet Explorer is very deeply embedded into the core OS. And other technologies are quite deep as well (ever try fully removing Windows Media Player from a W2K Server build and keeping it removed across service packs? Not a trivial task - but what the heck is WMP doing in a server build to begin with?).

This intertwing of core functions with much less secure access and presentation functions does IMHO make Microsoft products less secure by design. There is also the issue of Bill Gates deliberately creating a corporate culture where everything has to be reinvented from scratch. Well, sometimes the work done by other people was good work, or done for a resaon. People inside Microsoft seem to miss that thought a lot.

sPh

Re:I think its the apps (1)

deranged unix nut (20524) | more than 11 years ago | (#6788494)

I disagree.

The point of security is to prevent people from doing things that they should not be able to do.
If they shouldn't be able to deface a website, and they do, then there is a security failure somewhere in the system.

Now, the security failure might be due to the Admin, the OS, the user, or the scripts...but it is still a security failure.

If it is due to the Admin, then maybe the OS is too complicated to properly secure.
If it is due to the OS, then it is definately an OS problem.
If it is due to the user, then maybe the OS is too complicated and/or time consuming to secure.
If it is due to the scripts, then perhaps the OS should include some security audited scripts.

Re:I think its the apps (1)

tlacicer (515153) | more than 11 years ago | (#6788580)

Dude .. if the OS is hacked due to admin failure then it is the admins fault not the OS, if its default install is weak then that is a different issue.

The operating system does place limits on what web applications can and can't due to the system, but it would be impossible for it to know when a peice of code was being mis used improperly, cause technically the code is doing exactly what it was supposed to do.

Re:I think its the apps (4, Informative)

BrynM (217883) | more than 11 years ago | (#6788584)

I think website defacement and Linux security are 2 different issues all together.
Exactly! People tend to trust website "packages", like PHP-Nuke [phpnuke.org] or site building applications a little too much. They tend to assume that someone has already fixed whatever security holes may be in it. When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing. Since these sites usually end up being run on Linux and Apache, Linux and Apache get blamed when the site is defaced, when the actual weakness that led to the defacement was in the PHP/HTML pages themselves.

I don't expect everyone to know how to clean up security for a PHP site, but if they decide to use what they don't understand bad things will happen. If you know a novice that wants a site, start them out with some static HTML rather than let them use whatever code strikes their whim as "neat", "shiny" or "cool". Explain to them that they are learning how to eventually do the "shiny" stuff, but they need to learn how to use it safely first.

weakest link (3, Insightful)

macragge (413964) | more than 11 years ago | (#6788376)

A system is only as secure as its most insecure user / service.

Re:weakest link (1, Funny)

Sir Haxalot (693401) | more than 11 years ago | (#6788497)

Not if the most insecure user doesn't have root.

Bollocks!!! (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#6788380)

Not first post!!!

Better safe than sorry (0)

Anonymous Coward | more than 11 years ago | (#6788385)

Better go ahead and migrate to OpenBSD.

Re:Better safe than sorry (0)

Anonymous Coward | more than 11 years ago | (#6788571)

For webservers that is an excellent idea.

But are we talking about the same thing?... (5, Insightful)

mrdlcastle (254009) | more than 11 years ago | (#6788387)

I think we are correct in saying that Linux is more secure than Windows. When we are talking about just the operating system, then we can safely say that it is more secure.
Of course as we add applications to any system that system becomes more vunerable.

It's just that Windows starts off vunerable and gets worse as we add more apps (ie, Web server, ftp server, etc.).

Re:But are we talking about the same thing?... (0)

Anonymous Coward | more than 11 years ago | (#6788517)

Why? Are you saying that protocols such as DNS, Telnet and FTP are inherently secure? What about Apache? Run that as root and watch the fun!

Linux is only secure when configured and patched properly as is Windows.

Second Post! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6788391)

Bugger.

more people run linux (-1, Troll)

DoctorCool (700514) | more than 11 years ago | (#6788398)

Of corse there will be more hacked linux server, thats because there are more linux servers then windows! skrew all of you, UNIX ROOLZ!

certainly not. (0)

Anonymous Coward | more than 11 years ago | (#6788402)

Linux is far from secure; just look at all the updates that are on bugtraq or redhat/debian's history. the fact is, all the script hiddies and l33t haxors run linux, and prefer to target microsoft.

linux is ONLY secure because it is free, and the bad guys attack the company that wants their money.

Re:certainly not. (0)

Anonymous Coward | more than 11 years ago | (#6788446)

script kiddies, that is.

points still apply.

Viurs != security (3, Troll)

rsborg (111459) | more than 11 years ago | (#6788404)

I think this article is way off base. Anyone can put an poorly secured box on the net. The big difference between Linux and Win32 is that Win32 is "broken as designed" and that won't change unless Microsoft changes it.

btw, if you want to secure your linux box against viruses, etc... you at least have the option to recompile the distro.

scewed results? (5, Insightful)

iamkrinkle (585605) | more than 11 years ago | (#6788405)

Does this take into account the # of linux servers vs. windows servers? If there are significantly less windows servers, then this isn't all that significant. If there are less windows servers, but just as many break ins as linux, then windows is still more insecure despite the fact that they have the same number. they have more per machine. i hope that made sense =)

The Only... (5, Insightful)

strateego (598207) | more than 11 years ago | (#6788407)

The only real way to secure a computer is to pull the power plug out of the wall. If you spent time mantaining your computer, keeping it up to date, and you know what you are doing their is little chance that you will have major problems. Anybody who puts a linux system on their network and doesn't update it is likly to have their system exploited.

Re:The Only... (1)

A Commentor (459578) | more than 11 years ago | (#6788522)

Cool, all I have to do is pull the power plug out and my system is secure...

I'll just sit with my laptop (unplugged from the wall) and use 802.11b and know that my system is secure ;-) Thanks...

email viruses (2, Insightful)

geeber (520231) | more than 11 years ago | (#6788408)

Email viruses like Sobig are aimed at desktop users. Since most of the desktop users run Windows, it makes sense that most of the viruses would be targeted at them and not Linux users.

Which one are you? (0, Offtopic)

airrage (514164) | more than 11 years ago | (#6788412)

SLASHDOT has various personalities, and I hope to be the first to document them all:

Project Manager - dude was an ex-coder (visual basic 3.0) and now is a low-level bottom-feeder working through slashdot so he has some vague ideo of the issues with technology.

Anonymous - dude is angry. Angry about something but not sure what. Against everything: hates all religions, colors, air.

Modder - points Nazi. God's irony incarnate. Why are those who have the least leadership skills always given a clipboard? Like getting a bathroom pass from the farting-kid.

Grandpa - dude is old. Waaaaayyy old. Like grandpa old. Runs a plain-text website. Talks about the early days of Usenet and punch cards. Senile.

The kid - 13 year old. Thinks coding full-time sounds like a wonderful career. Masturbates at Guiness Record Book pace.

The ranchero - Indian or Pakistani. Got his full-service corporate Internet access in Bombay or Kurachi and his call-center job. Has his PhD in math or science, feels he somehow part of the global village.

The survivalist - bro feels like if you dicuss something over and over somehow it will all be okay -- like Microsoft disappearing. Can't understand the cat is already out the bag and has humped everything in sight.

Her - d00d is a chick. A chick! Runs her blog, thinks she's a programmer.

The speller - d00d is seriously into grammer and spelling. On a site where the debate is around ideas, brother-man likes to make sure the semicolon is in the right place.

The Oz - australian d00d. "I come from the land down under, where women go and make thunder"

The napster - d00d is seriously into alternative-rock and the stealing thereof. Talks intelligently about music like one might discuss a Winslow Homer or the Illiad.

Lost in Translation - d00d cannot for the freaking life of anything find the home-row keys. o ,rsm jpe jstf od yjsy"

The scientist - d00d is seriously into fractals, 3-d Math, fluid dynamics, cutting-edge chaos theory -- allbeit from afar because basic physics and calculus escape him.

The microsoft - d00d is seriously against MS. Can't stand the cursor, the fonts, the windows, the design, the icons, the sounds. Uses it extensively to play games.

The thinker - writes long missives. Attempts at humor, sarcasim, wit, and pun are laudable; posts two-stories ago.

Ben Franklin - d00d loves chaos. Every judicial ruling is "another nail in the coffin of freedom". Has third-grade perspective of common law.

The formater - d00d loves to use *HTML* *TAGS* to *CREATE* posting that are *REALLY* *GHAY*

Heresy I tell you, heresy!! (1, Funny)

Anonymous Coward | more than 11 years ago | (#6788416)

How DARE you criticize Linux? Don't you know that Linux allows me to live a life of smug superiority? If I weighed more and had a wife or girlfriend cheering me on, I'd kick your ass for posting such drivel.

Something to think about: (5, Insightful)

Anonvmous Coward (589068) | more than 11 years ago | (#6788420)

Species of Windows Programmer: Human
Species of Linux Programmer : Human

Chances of human error making it into the code: Equal

Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?

Re:Something to think about: (0)

Anonymous Coward | more than 11 years ago | (#6788513)

Doesn't matter if you're using Linux or Windows, you must be vigilant. You cannot completely secure against a creative human. Instead of debating this shit, how about learning from Microsoft's mistakes and making sure Linux grows from it?

What? No more Karma-Whoring statements and groupthink? The entire slashdot economy will go down the drain!?! Someone silence this man!

Re:Something to think about: (1)

FedeTXF (456407) | more than 11 years ago | (#6788537)

Remember that millons on eyeballs catch more bugs than a few. Some parts of the linux code (not just the kernel) have been around for years and have been reviewed by huge amounts of different kinds people.
OTOH the windows code is only seen by the MS guys and they seem to rewrite big parts of it from time to time. Also they mix kernel stuff with windowsing stuff. I guess all that IIS and IE code inside win nt kernel hides some serious bugs.

Re:Something to think about: (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6788582)

have been reviewed by huge amounts of different kinds people.

Prove it.

Re:Something to think about: (0)

Sir Haxalot (693401) | more than 11 years ago | (#6788579)

Species of Windows Programmer: Human
Uhh? I think you made a mistake somewhere...

Re:Something to think about: (1)

sterno (16320) | more than 11 years ago | (#6788596)

There is a fundamental design difference though that amplifies the nature of windows problems. Linux is designed with hundreds of different components that are loosely connected. Windows, on the other hand, is all integrated. Every windows box has outlook and Internet Explorer, and windows file sharing, so you can use the integration of these things to make any small breach much bigger.

With Linux, it's a far more heterogenous environment. There are hundreds of different systems called "linux" made up of different applications. An attack that works against SuSE may not work against RedHat, or may only work when a certain other application is in use.

These loose connections are what make Linux slightly harder to use and more complex. As always, security is inversely proportional to convenience.

Just give it time... (1)

krymsin01 (700838) | more than 11 years ago | (#6788424)

Wait until more people are using linux on the desktop, then you'll find out exactly how secure your system is.

Also, since Linux is open source, I would imagine that a coder looking for an exploit will have an easier go at it that they would on the windows system, where you are pretty much relying on decompiled binaries and assembly analysis.

Re:Just give it time... (1, Informative)

Anonymous Coward | more than 11 years ago | (#6788548)

you have to take into account that most hacks/web page defacements aren't performed by someone looking through source code but rather someone who's downloaded the lastest exploit from their favorite "hacker" site.

Patches! (1)

silicongodcom (241132) | more than 11 years ago | (#6788425)

Most of these Windows problems are from people not patching their systems. Same thing would happen just as easily on any OS. More Linux users know how to patch, sure, but imagine if it had the desktops that MS had.

Ha - Ha! (Nelson voice) (4, Informative)

Outland Traveller (12138) | more than 11 years ago | (#6788429)

Looks like some of that "defacement" is happening close to home.

view-source:http://www.zone-h.org/

DB connection failed ().

567th post!!!! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6788435)

So I don't have to come back later.

Re:567th post!!!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6788570)

Troll? You bastards with your mod points!!!

Social-engineering != Virus (5, Insightful)

RealityProphet (625675) | more than 11 years ago | (#6788438)

Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would [be] lower for Linux than Windows?

Absolutely not! These are not viruses that exploit bugs in code. These are socially engineered programs designed to get the user to run them.

You can't make the argument that the "average intelligence of the linux user" is higher than joe-sixpack's because if we are talking about linux-in-the-mainstream, then the "average linux user" will be joe-sixpack! Also, you probably can't talk about the fact that it isn't as mind-numbingly easy to run a scipt in linux as it is in windows, since those arguments contribute to why linux isn't mainstream in the first place!

Re:Social-engineering != Virus (1)

brokencomputer (695672) | more than 11 years ago | (#6788578)

its easy to run a script in linux. just not easy to run a script that will do damage to the whole system. Linux doesnt usually run in root and all programs are fine with that. They dont complain about permisisions like windows "limited user" does. That default root is a problem with windows and the people who make the programs available for it.

It's only as secure as you make it. (5, Insightful)

bartyboy (99076) | more than 11 years ago | (#6788441)

Or your admin makes it.

I used to run an old distro (RH 5.1) for the longest time (it had everything I needed) and it was full of security holes after doing the install. But disable some services, update some packages and presto - you're ok to go.

It's the same thing with Windows - check out the services turned on by default after installing Win 2k. Half of them will never be used by a home user.

So patch your box, remove unnecessary services and you should be alright. If you know what you're doing, you'll be ok.

my penis (0)

Anonymous Coward | more than 11 years ago | (#6788448)

is SoBig

Updates on Linux (5, Funny)

rantenki (66616) | more than 11 years ago | (#6788450)

I just install a vanilla Redhat on all my boxes. They get rooted within a few days, and the hax0rs take care of the security updates for me. Course, I can't log in as root anymore, but hey... that's a feature.

How I see it... (3, Insightful)

rosewood (99925) | more than 11 years ago | (#6788453)

When I say that Linux is more secure then windows, I see it on many levels.

For an end user its obvious since in windows you are always the admin (even in winxp where you can finally really change the power of the user, a lot of shit doesnt work right unless you are the admin). This basic security difference is HUGE.

Then there is the whole open source vs closed source security. I Truely beleive in that. It only makes sense that it is going to be more secure in the long term. This doesn't mean exploits don't exist - its just Im prone to beleive that there is someone using an unknown windows exploit as we speak to do something bad and it might be YEARS before that one is ever found (history backs me up on this one) but yet if there is something as blatent as the RPC exploit in OSS, we tend to see fixes for rather quickly (again history backs me up here).

Don't confuse the idea of inherint security with stupid users and sysadmins or even part time sys admins that aren't paid enough / don't work enough hours to keep a handful of servers updated across town.

Security through obscurity (4, Interesting)

defile (1059) | more than 11 years ago | (#6788454)

Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would lower for Linux than Windows?

Anyone can write a worm that leverages a security hole in a default service of a default Red Hat Linux install. Or Windows XP Home Edition.

However, it takes considerably more skill to be able to write a worm that can target vulnerable services across multiple distributions of Linux, multiple versions of each distribution, etc.

As long as Linux evilware continues to exploit C program unchecked boundaries, a single universal worm that can effective exploit every potentially vulnerable Linux system remains highly unlikely.

Well... (1)

RancidBeef (412397) | more than 11 years ago | (#6788455)

60 something percent is running Linux (and I assume Apache). Who the hell is still going to be running Windows with IIS???

No... (0)

Anonymous Coward | more than 11 years ago | (#6788456)

Somehow I'm willing to bet the poster is Carl McBride, trying to throw more Linux FUD around.

man_of_mr_e - Carl McBride.

Coincidence? I think not...

Lots of room to grow; OpenBSD is 1 good example (1, Informative)

Anonymous Coward | more than 11 years ago | (#6788458)

If you want a free, open source Unix like operating system that focuses on security, you can't get much better than OpenBSD (http://www.openbsd.org).

If you really want to stick with Linux, distros such as OWL (www.openwall.com) and Trusteddebian (which uses GRSEC and PaX) are OK too.

Popular distros have only very recently turned their attentions to security - just like M$; and as such they have a long ways to go. Projects like OpenBSD really serve as a model of what can be accomplished over a longer period of time with such a focus, yielding a thoroughly audited code base, many default security settings, and they're still usable from the get go (e.g. not all services are turned off, making it a completely useless piece, though perhaps still more constrained than some are used to).

Outside of some of OpenBSD & security conscious linux distros and OSS security minded projects - I think that the open source community as a whole has a lot of room to grow wrt to security, and really isn't all that different from everyone else be they MS or Oracle.

at the end of the day... (1)

zeruch (547271) | more than 11 years ago | (#6788459)

...one can rely on two truisms: 1. *nix was inherently designed better from a security model perspective 2. most users heads are not

How about this? (5, Insightful)

wadeb (147504) | more than 11 years ago | (#6788462)

Linux is less vulnerable because there are fewer identically configured machines on the internet.

One of the things about Windows is that there are so many copies out there that are all configured the exact same way, if a flaw is found in anything you have an instant worm possibility.

With Linux there are so many distributions, each with their own initial configurations and setup types that a worm would be hard pressed to find a common exploit.

Not that the internet hasn't been shut down by a UNIX worm in the past, that is... :)

It's easy (5, Funny)

brooks_talley (86840) | more than 11 years ago | (#6788465)

Windows web defacements are the fault of a crappy, inherently insecure operating system from a criminal monopoly.

Linux defacements are the fault of stupid admins who can't be bothered to install the latest patches, or who are too incompetent to install the OS and configure it for security.

I thought everyone knew that.

Cheers
-b

The real reason why... (0)

Programmer_In_Traini (566499) | more than 11 years ago | (#6788466)

The real reason why windows gets so many attacks is because most of them comes from

1. wanna-be script kiddies running in windows and practicing some new skills to show off

2. Hardcore hackers/programmers running linus that do it only for the heck of finding, yet, a new hole in windows.

Even if im running windows, I find it amusing to see just how much the linux "society" is determined to prove itself right againt the $oftware giant.

Was there ever a virus exclusively for linux ? Like the article says, I believe linux users just like to believe they're safe, when in reality, no matter its quality, linux is a product made by human, thus flawed, thus opened to attacks.

Re:The real reason why... (1)

mlk (18543) | more than 11 years ago | (#6788499)

> Was there ever a virus exclusively for linux ?

Yes, it went about patching Linux systems.

It had a story on /., but "linux virus patch" is returning way to many results.

Re:The real reason why... (1)

wirelessbuzzers (552513) | more than 11 years ago | (#6788512)

Was there ever a virus exclusively for linux?

Yeah, the Linux Slapper Worm. It used a remote root hole in Apache (IIRC) to cause havoc.

Just my 2c... (5, Interesting)

dark-br (473115) | more than 11 years ago | (#6788469)

I've seen people on Windows machines probed and hacked while they were online on IRC, in real time. Any passably competent cracker should be able to take control of a Windows box in short order. And Microsoft is well known for being slack on security matters. Always has been. And VB and the other tripe they've grafted on to their products multiplies the possibility for hacks by an order of magnitude.

Yes, there are Linux hacks, though far fewer than Windows hacks. And I see the buffer overflow vulnerabilities and such that come out weekly for Linux software. Many of those vulnerabilities are theoretical, found by a perusal of source code and never actually taken advantage of. And the Open Source community fixes these _far_ faster than Microsoft will ever fix theirs.

Oddly, some of the foremost security guys (Bruce Schneier, for example) state very explicitly that Open Source software is far better security-wise than any closed source software (read Windows). And they explain the reasons in great detail. And there are several people on this list who deal with both OSes on security matters on a day to day basis, and I'm pretty sure they'll attest that Linux security is much stronger than Windows.

If nothing else, a Linux user can determine and control open ports, running services, and create firewalling rules. Windows users think a port is something a ship pulls into, and a firewall is something in their cars.

Um... no, you're wrong. (0)

Anonymous Coward | more than 11 years ago | (#6788470)

"While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough."

With Windows, you can get your foot in the door and shut down the system by doing something stupid. You already see what MSBLASTER and SOBIG can do without Administrator access.

You can't do those things on Linux with "foot in the door" attacks. You can't fck up services like BLASTER did or restart the computer. (Remember that the MS kbase article said that BLASTER could cause system shutdown because a RPC failure is configured to automatically restart the system in an attempt to get the service back up again. I know this is true; it happened on my sister's machine.)

Getting your foot in the door is certainly NOT enough to take down services or even the system on Linux.

Well... (0)

Sir Haxalot (693401) | more than 11 years ago | (#6788471)

I'm almost certain that (evem as I'm loath to say it), Windows Server 2003 is more secure than most versions of Linux, but of course it isn't free :)

We *are* in the same boat as Windows, in a way... (0)

Anonymous Coward | more than 11 years ago | (#6788475)

Even if it turns out only old copies of Linux or Apache are being exploited, we still face the
exact same problem as Windows does: how do we
make sure that sysadmins update their systems
when security patches are released?

Social Engineering (4, Interesting)

Ieshan (409693) | more than 11 years ago | (#6788484)

Modern viruses work by two major routes:

A) Exploits
B) Social Engineering

Exploits are hard to stop without patches. Get enough unpatched systems, and your virus spreads. There are a lot of guilty linux users here, I'm sure: people download software all the time without checking it's security. People run software daily without bothering to check for updates. It happens.

Social engineering, however, is by far the most widely used virus tactic. It's easier to fool a user than to fool a well-secured computer, says this adage. The basic premise fails under linux: it's really, really hard to get someone to run malicious code that you want them to run. Most linux users are above-average on the computer-tech-savvy curve - I would say that the mean computing knowledge for an average linux-desktop user is above the 90% mark on a curve of all computer users.

This means linux users don't do stupid things as readily. The subject line RE: DOWNLOAD MY NEW SCREENSAVER with the attached .tar.gz isn't likely to fool many people. I have a hard time believing that most SoBig victims are those who know what Bayesian filtering is; actually, I have a hard time believing that most SoBig victims know what Inbox means.

Furthermore, it's tough to write code that will run without a hitch on everyone's system, as there's so few distro standards. Also, as email virii work, with linux being a small desktop percentage, it's tough to get emails into the boxes of most Linux users.

Last but not least: There are few people who want to see Linux die. The rivalry doesn't work in both directions. There are thousands of anti-MS'ers, but a sad few anti-Linux'ers (SCO not included. =P). What would the protests be? "Hey, assholes! Keep your free operating systems off of our clean hardware! You're ruining good pentium chips by corrupting them with something non-proprietary!" etc.

Just a few points. I'm sure there are better ones.

From considerable experience lately, (4, Insightful)

Sevn (12012) | more than 11 years ago | (#6788486)

I do contract work. A HUGE bulk of it lately has been doing security audits on companys running old redhat, old plesk, or both that have been hacked by shit brazilian hacker groups like "Hidden Wrestle" and "Securinos". They hang out on irc.brasnet.org all day looking for webhosts using old plesk and old redhat. It's an awesome excuse to migrate people to FreeBSD and webmin. I've done quite a lot of that lately. They freak when they see the cost of the latest plesk and enterprise redhat. It makes selling them on FreeBSD and webmin/horde/squirrelmail/usermin/virtualmin/etc. very easy. So as long as people insist on installing 2 year old redhat and plesk 2.5 and never updating it, I'll have plenty of work removing eggdrop and psybnc from machines, and migrating people to FreeBSD. I'm starting to look at BMW's again.

Zone-h now defaced (1)

teyu (170456) | more than 11 years ago | (#6788487)

Not sure if they're running linux, but it looks like their defacement archive just got defaced.

DB connection failed ().

Questions.Question->Answer

Missing the point entirely (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6788498)

A careless admin running Linux is just as insecure as a careless admin running windows. I've seen the practices put in place by many hosting companies running Linux, and if they could be doing one thing better, it's security. For a careless admin, the only real advantage of using Linux and other OSS is price, and the fact that the openness gives them an edge over closed source software in bug hunting/vuln finding. Also, the Linux defacement number could be inflated, as a higher percentage of hosting companies may be running Linux, and attackers may target Linux over windows.

Defacement != Hack (3, Interesting)

RT Alec (608475) | more than 11 years ago | (#6788501)

At least, not always

IMHO, the single greatest threat to having a site defaced is the use of insecure protocols for publishing. Let me be more specific: FTP. Most web development tools use FTP for their "publish" feature (e.g. Dreamweaver, just to pick on them). Securing FTP is a nightmare, with all the ports randomly popping up and so forth. You have to dumb down a firewall quite a bit, and having it tunnel over SSH only partialy secures it (and you still have to deal with the firewall woes).

So, an employee goes home at night, and updates his company's web site over her cable modem connection, and the 12 year old down the block running a sniffer captures the user ID and password. She then passes this information on in a chat room, and viola! The site is defaced shortly thereafter. It does not matter what OS the site is on.

Having said that, some systems are more prone to social engineering. If the server goes down due to numerous patches being applied (and the requisite reboots), a web developer might get used to the IS department resetting her password and thus more suceptable to that phone call asking for the login info. But my point is, web site defacements do not necessarily indicate the security of the OS. It is a combination of protocols used (how about only allowing SFTP?), policies, and implementation by knowledgeable admins. Unix (Linux, BSD, etc.) admins tend to be better at implementation and policy development then their Windows brethren, perhaps that is the causal connection.

Garbage in Garbage out (3, Insightful)

Brahmastra (685988) | more than 11 years ago | (#6788506)

The OS is only as secure as the user. If a lame Linux user does everything as root, he's going to be more vulnerable than someone using Windows 2000 with a firewall. If a lame Windows administrator doesn't have a decent firewall and keeps all kinds of ports open, he's going to get hit too. It's about users knowing what they are using. But I have to say that a default Windows installation does appear to be less secure than most default Linux installations.

It's more complicated than all that. (4, Insightful)

dwheeler (321049) | more than 11 years ago | (#6788509)

The arguments are all far more complicated.

An unmaintained system is almost always more vulnerable than a maintained system, no matter what they are. Also, I don't know how secure you'd like to think GNU/Linux distributions are - they're made by humans who make mistakes.

But the recent attacks certainly give evidence for th e Linux crowd. XP comes with multiple open ports by default, by default doesn't enable a firewall, and its mail reader by default runs arbitrary programs sent by attackers when clicked. Typical Linux distributions have no open ports by default, use a firewall, and don't stupidly trust attackers to send them "nice" programs when clicked.

The notion that Linux systems are immune is fundamentally wrong. Linux systems do make design choices that make them rather resistant. But it's all more complicated than "X is always more secure".

I recently had this discussion (1)

Lane.exe (672783) | more than 11 years ago | (#6788511)

With several friends of mine. One of them, despite his better knowledge, is a big Windows fan "because it does what I need it to do, it's secure if you patch it, and I can run my BF1492 server off of it."

The rest of us are OSS fans, and had a hard time convincing him that while he could use gobs of 3rd party software and his own knowledge to secure a Windows box as well as any of us could secure our machines, Windows was not "just as safe" because it has security holes you have to patch when you buy it. There are at least 5 processes that leave ports open in the background on any XP box when you install it. You don't get that with something like Linux.

He did make a good point that it's easy for typical users to secure Windows by buying a firewall, shutting off Messenger and running virus scans, but in order to make something really secure, you need a good, secure OS. It's hard to do anything that harmful in *nix without root access, and that requires things like password sniffers and keyloggers... things an educated computer user should be able to avoid.

It goes back to the fact that *nix is more secure for mainly two reasons -- design and the knowledge of its typical user.

Website defacements (1)

FrostedWheat (172733) | more than 11 years ago | (#6788519)

I'd say the majority of those defacements are because of mistakes or bad design by the websites developer. I've made a few of those mistakes myself, but caught them before anyone else did.

If it was a vulnerability caused by Apache or the Linux kernel, you'd soon hear about it!

2x Linux servers (0)

Anonymous Coward | more than 11 years ago | (#6788520)

That's because there are twice as many Linux (apache) servers as Microsoft. How long did it take you to come up with this anti-linux angle?

Numbers! (3, Insightful)

Quasar1999 (520073) | more than 11 years ago | (#6788523)

Hey, if I told you that one in every two Ferrari F-40's explode for no reason, but only 1 in every 1000 Honda Civics explode for no reason, which explosions are going to be more noticed?Obviously Honda, as there are more of them on the road... so...

Linux may or may not be as bad for security, but when Windows gets exploited, it's felt... and it's felt HUGE!

Re:Numbers! (5, Funny)

Brento (26177) | more than 11 years ago | (#6788575)

Hey, if I told you that one in every two Ferrari F-40's explode for no reason, but only 1 in every 1000 Honda Civics explode for no reason, which explosions are going to be more noticed?

The Ferraris, because nobody important drives a Civic.

Knock off balding middle-aged, filthy rich tycoon, and that'll get more press than offing a bunch of morons who put rear spoilers on front-wheel-drive cars.

But I digress...

... Suitability and purpose ...? (1)

plasmaroo (687475) | more than 11 years ago | (#6788525)

I think that the important thing here is the suitability of the application: If you set up a web server and want it to be secure [and are a savvy user] people would often go for secure/stable distros [e.g. Debian] because they are usually stabler to start with and the level of exploits from nothingness-level is very low. However, most people use the standard distro which is quicker for them: remember, [most] ISPs care about making $$$ first, and their security second unless they need security to keep the first [$$$].

However, the OS is often not the case: If you have the most stable OS ever , and you are running something as setuid or a stray *inetd service is running loose with root access, you have every right to be screwed: a stable system with stable software but a big gaping hole is going nowhere other than getting penetrated unless it is patched in time before somebody comes along and kills it.

So why does this happen with the M-company more? Well, this is because of the design [the code is just layered and layered and layered from old buggy versions: it gets less stable unless you add more code to stabilize it and of course, gets less secure and more prone to buffer overflows and the likes]. However, the user is also to blame: Users often install innocent software [which is designed by developers who write for an 'innocent' operating system...]... And the loop goes on. And when one thing falls out, the rest do. Like that stacking and pull a thing out game, whatever it's called.

Its in the code.... (1)

ItaliaMatt (581886) | more than 11 years ago | (#6788528)

I would like to think that linux is as secure.... the difference between Microsoft and Linux is the peer review of code in Linux. Microsoft can continually ship beta code and wait for their customers to test it for them. Linux has a more robust peer review of code that has many programmers with different takes on coding look at the code to see if it can be cleaned up/more secure. Microsoft is unwilling to stand up to such a review. Simple as that.

Kernel security is key (0)

Anonymous Coward | more than 11 years ago | (#6788529)

Most service vulnerabilities can be worked around... if anything, by replacing the software that provides the service. Not so with kernel holes. I for one run a couple of firewalls that I'd love to 'freeze' and switch over to CD booting and RAM disks. Unfortunately, I'm not confident enough in the invulnerability of the stable kernel. So I just upgraded both to 2.4.22 this morning, and will have to keep doing so until someone convinces me otherwise, even though I don't need any new features.

Server vs OS? (1)

dj961 (660026) | more than 11 years ago | (#6788534)

Comparing Linux server defacements and Window's viruses is like comparing apples and oranges. In one case we are talking about exploiting applications that run on top of Linux ie. a web server, in the other faults within the actual operating system that can potentially be devastating to the end user. Either way no piece of software is secure as long as someone decides to use it.

popularity (1)

bongholio (609944) | more than 11 years ago | (#6788536)

I think that the most popular OS, whatever it may be, will always have the most visible and damaging virii, worms, cracks... Not only will the media be more interested in problems that affect many people, but those who cause the problems are also more interested in affecting the most systems/people as possible. That doesn't mean that the other OSes are better or more secure, just less interesting to the troublemakers.

You have the right to choose (1)

Smartcowboy (679871) | more than 11 years ago | (#6788538)

Any OS maybe secure but are often not secure by default (ala OpenBSD). The most popular distro (RedHat, Suse, Mandrake, ect) want to be user friendly but there is always a tradeoff between security and usability.

It's up to the sysadmin to make sure his server is secure. If his Windows or Linux or BSD server is defaced he can't blame anyone but himself because he is the one who made the choice to use Windows or Linux or BSD and he is the one who made the configuration.

Some links to learn how to increase the security on your linux box:

Linux Security HOWTO [linux.org]

Security Quick-Start HOWTO for Linux [linux.org]

Security Quick-Start HOWTO for Red Hat Linux [linux.org]

Computers > Software > Operating Systems > Linux > Security [google.com]

Website defacement is not a good measure (1)

sterno (16320) | more than 11 years ago | (#6788542)

Linux is a kernel, upon which you can run a number of applications. To say that Linux is insecure because somebody runs a buggy web application is ridiculous. If the defacement happens because of a exploit against the OS itself, fine, but that number doesn't reflect that.

A better measure would be to calculate the approximate economic damage created by a given security breach, and then adjust the figure to acommodate for the installed base. That is, if a Linux hack costs $1,000,000 and there are 20 times as many Windows boxes, then it's equivalent to a $20,000,000 hit in Windows terms.

Isn't it obvious... (1)

pyrrhonist (701154) | more than 11 years ago | (#6788546)

...BSD^H^H^HLinux is dying!

Windows comparisons are silly.. (0)

Anonymous Coward | more than 11 years ago | (#6788547)

No good will come from comparing Linux security to Windows. We should be comparing it to OpenBSD. That gives us something to strive for, and will lead to improved Linux security. We will always be able to just sit smugly on our laurels if we make comparisions to Windows -- it just isn't much of a standard.

Number of deployed systems (1)

motha_chucker (592192) | more than 11 years ago | (#6788549)

I think the answer lies in the number of installed systems running linux at home. Most viruses/worms today seem to recruit zombie machines to carry out larger attacks. The easiest machines to compromise are those installed at the home without firewalls. Nearly all of those machines are Windows based. That being the case, those who are taking advantage of security holes to carry out attacks focus on creating windows based worms/viruses since machines running windows are more numerous and accessible.

I also believe that if the majority of unfirewalled machines were Linux based, we would see more linux security holes exploited via worm/virus. I believe there is evidence to backup this claim in that there is a higher percentage of viruses/worms per security hole on average, written to exploit windows.

Linux worms (3, Interesting)

ZorbaTHut (126196) | more than 11 years ago | (#6788560)

I've actually gotten irritated enough with "Linux is more secure than anything!" zealots that I've considered writing a Linux worm. I seriously doubt it would be hard. Go find some old security advisories for Apache, SSL, and anything else you want. Hook together a Linux-killer worm that tries all of the exploits, installs a rootkit on the compromised system, and sets that one up to probe. If you wanted to be really evil, you could code it to start doing subtle damage after a week - wiping random passwords, deleting random files in user's directories, and so forth. After a few months it could start causing kernel panics if you wanted.

Would it work? Of course it would work. For all the "Linux is secure!" talk going on, what they really mean is "Linux is secure if it's patched up to the most recent versions" (curiously enough, this is the same as Windows). I'll bet you cold hard cash that there are plenty of old unmodified Redhat 5.0 systems out there. How many root exploits have been found in the last few years? How many holes have there been in Apache, SSL, Samba, any other program that's installed by default?

Nobody's done it yet - but that doesn't mean it's not possible.

The only reason I haven't written the worm is because, in the end, I'd cause a whole lot of financial problems and headaches for a lot of people who didn't deserve it. I'd love to prove Linux doesn't have intrinsic perfect security, but I don't want to actually do damage to prove it.

But just wait - someone's going to do this someday. In fact, for all you know, somebody already *has* - they've just programmed it to be unbelievably stealthy and only target systems that the admin hasn't logged onto in months.

Go on - prove it's impossible. I dare you.

Linux Security (4, Insightful)

FsG (648587) | more than 11 years ago | (#6788566)

Linux isn't secure; it's securable, and if you simply throw a default RedHat install onto the web, then you're missing the whole point and effectively negating all of the security potential that Linux has to offer.

Both Linux and Windows must first be properly patched and locked down; the differences between the two are:
1. Linux's security model, when properly used, makes it harder for an intruder to go from "foot in the door" to "root access."
2. In the case of Linux, you won't have a whole new set of remote root exploits that need patching 6 hours later.

Webmasters are not security geeks. (1)

symbolset (646467) | more than 11 years ago | (#6788574)

Most of the people who run websites think html formatting is "programming". It should surprise noone that given a pistol they make holes in their feet.

OTOH, IIS servers are insecure by design, as a quick glance at your logs will tell you. Where else would all those requests for /c/windows/cmd.exe? come from?

Let's face it. The web is always going to be the Wild Wild West.

Email Virii are different.. (1)

mrmud (219198) | more than 11 years ago | (#6788583)

Email virii usually rely on stupid, sleepy, or _____ people to click on the attachment. Since most of these people are usually on desktops, which means windows, they get propigated out quickly.

Of course, security wise, there will always be buffer overflows as long as coders are allowed to decide what kind of data to put in their own buckets. Right now, windows is the OS that people love to hate and has most of the desktop share, and a good chunk of server, so naturally there is more attention paid to it then with Linux. I imagine as Linux becomes ever more popular, there will be more exploits out for it and it's applications. (See: current Sendmail exploit.)

Just because you don't see many exploits out for CP/M doesn't mean it's the most securely coded OS.

The answer is simple. (1)

miffo.swe (547642) | more than 11 years ago | (#6788587)

The linux distributors is the ones that should adress security in linux. Developers also have a big part but for the user it more important that the dist he is using is secure out of the box. No unwarranted ports or services should run from scratch. If nothing vulnarable is running not much can be broken into right?

Developers need to make it easier to secure the systems. Often people tend to open up every port and setting things too loose when they try to get things working. Better documentation and better configuration systems should help a great deal in those cases. Many times its not linux that is insecure but the admins dont know how to secure their systems. With more and more MCSE's using linux it need to be simpler to secure.

User level privilages (3, Interesting)

miketang16 (585602) | more than 11 years ago | (#6788589)

Personally, I think Linux will always be more secure as long as Windows doesn't implement users and groups correctly. In XP, the default login is Administrator, which allows for access to EVERY single file on the system. The installation doesn't tell you this either, it just uses it if you setup only one account. With Linux, even if someone were to break your user password, or exploit their way into a user account, they can't do nearly as much damage as in Windows. Of course if they get the root password, you're just as screwed, but at least there's a barrier of protection between levels.

Linux/Windows Security (1, Interesting)

Anonymous Coward | more than 11 years ago | (#6788591)

I always find this a laughable subject.

1. NT and it's descendants are SUPPOSED to have granular security model. However, it does no good at all to have a granular security model if you don't use it. Most every application I see either runs as Administrator OR must be installed as Administrator.

2. Linux may not have a granular security model, but in many ways this has been not as big an exposure since most admins have finally wised up and stopped running applications as root. As soon as a granular security model is globally available, I imagine pushback will quickly occur on application vendors to vanquish root access requirements (or at least they SHOULD stop requiring ROOT access).

Frankly, if end users and administrators had been demanding this early on, the exposures today would have been reduced many times. The easy road is not neccesarily the best road.

There are coming POSIX standards and other security measures that will make Linux a very ROBUST solution and the easy equal of NT's security model. If vendors will just support those models, then we will all be better off.

One example would be MAC (Mandatory Access Controls).

I would just be happy once the ability to assign privilaged operations to specific users/groups is widely available. I should never require a "root" account with all access abilities. More so, I should be able to have an account called "root" that by default has all access, and remove or re-assign them as needed.

Only As Secure As The Person Running It (4, Insightful)

nuintari (47926) | more than 11 years ago | (#6788595)

Linux itself, and any OS can be very secure, in the hands of a competant admin. Its when you get a moron in command that the integrity of the system goes down the pooper. Even OpenBSD can get owned if a moron is running the show.

And remember: Website defacements are often a level above owning the actual server, PHP Nuke has an awful track record, with new holes found all the time, and other site management software is vulnerable as well. Crois site scriptingm, cgi exploits may allow a level fo access to a site, or even compromise a user level account, but in the hands of a skilled admin, this is nothing compared to a fully suvccessful root exploit, and can eb dealt with.

And fo course, no matter how good you arem, if you allow remote root ssh conenctions, and your password is "demiguru" for every account you have anywhere, well then, your just a dumbass. Yeah Nick, I am talking about you.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?