Following Vnunet’s “Linux hacks hit all-time high” article a few days back, mi2g once again copped criticism from the wider IT security community. Nonetheless, the original data upon which their report was based illustrates that concerns about Open Source security complacency may have some merit.
If everyone’s moving to Linux based servers, then hacking them would become the focus, of course…
Interesting the numbers of defacements for BSD and Solaris…
this is pretty bad considering linux servers have less “unsafe” features
As less “unsafe” features. If there’s a way out, there’s a way in.
Whoever owns the market is the target, no two ways about it. Linux is getting bigger, so it will get hit harder. There’s always a price for success
I will agree with you. It seems Linux is becoming more and more popular in datacenters, and that is the reason for more attacks, due to its popularity. I believe Linux is getting the recognition it deserves and that is being a server oriented operating system. I am guessing that now is a good time for sys admins to learn IDS and in particular snort.
Let us strip down the basics of LINUX v. Windows and what is better or more “safe” in terms of features and security.
What it really comes down to is the systems administrator and what they do to be pro-active and not re-active.
I can build a Windows 2000 server with IIS 5.0 and not run any patches on it and there you go… We all know that the server has a lot of exploits and vulnerabilities. That is why there are Service Packs and hot-fixes to control some of these points-of-entry.
It is exactly the same with LINUX. You get some green admin (or just ignorant) and let him build a LINUX server and have telnet, ftp, http, smtp, pop3, imap, dns and all those other services running by default and then not run any patches on the server and expect it to be “secure”. I don’t think so.
Just as the Windows world requires diligence and knowledge to keep abreast of the exploits and issues, so too must a LINUX admin be conscious of his servers, services, and potential breaches.
It isn’t about the box – it is about the admin.
Peace,
Bill
if there is a redhat patch, it’s for software other than linux the virgin that’s being bundled in RH linux
windows got more exploits, then linux is more secure
windows got fewer exploits, then linux is getting more popular
well since most websites hosted on a linux server actually house somewhere in the hundreds of additional websites. you hack one then you hacked them all. this is not taken in account when doing these sort of statistics.
You know, in scientific works they usually spend about a half of pages describing how and when the measurements were taken. All these companies that sell reports for $100 don’t do that. Instead, they make up scary-sounding titles and hope that someone would buy their great piece of insight about whatever they “researched” now.
No methodology description == no credibility.
why don’t they mention Apache versus IIS software instead ??
An apache server can be more secure on Windows than on BSD and Linux. This is relative, subjective !
The only organization that has enough authority to solve the dilemma is Zone-H as today is holding the most complete database having access to direct statistics.
The news appeared during the last days in which London based MI2G.com stated that Linux OS is now more attacked than Windows has been reported by media and immediately criticized by the IT Security world.
MI2G is basing part of their research job relying on Zone-H.org databases therefore ??? they based their last press release using the data Zone-H is sending to all its mail subscribers regarding the daily attacks.
I doubt that.
If we also consider that the number of the worldwide Windows installations is presumably higher than the Linux installation it means. …
The results that came out is clear: Linux is in effect the most attacked Operative System, and this already since middle March 2003 as you can check by this graph:
The September 11th anniversary ? and the Iraq war ? have been the reason ?? why the overall number of attacks has increased 500%, hitting this year an amount of targets never seen before.
FUD.
Is it ?
How can they prove that ?
British & Americans are real lunatics !
Is Linux under such a big quantity of attacks ?
I doubt that, I would (as in fiction ! – I don’t do that !) attack a Windows first rather than a Linux system = tracks/logs , so would others.
This is “caca de vaca”, proofs ? (show then public the database) ?
I’ve been studying linux security for years, not cause I wanted to be cool but for some strange reason I found it fun. A majority of the people who ‘think’ they know security always say Linux, BSD [enter your OS here] is more secure. But that is just plain stupid, sorry. All software has bugs (human or not). If you asked me to set up active directory on win2003 I’d probably open up about 5 security holes just checking things like crazy to get them to work. There goes that $1000 my boss paid for the state of the art ‘secure os’. For every 2 bugs your OS has I can probably point out 5 bugs your admin has.
PS. sorry for the spelling, i’ve had a sip or two this evening
Run Apache on Linux…hmm. I went to their website and I’d say 80% of it is Marketovision(tm)(R) that has nothing to do with reality. After all, isn’t SMART monitoring a hard drive integrity feature?
Also, a quick Googling shows this:
Internet Security News: Why is mi2g so unpopular?
According to the article, a security consultant for the US DoD is accusing mi2g of spreading FUD and lies about cyberterrorism. I dunno…. And this quote here:
According to mi2g, in November 2002 there have been 57,977 ‘overt digital attacks’ to date, and that such ‘overt’ attacks will cost $7.3 billion worldwide for 2002. Forno scoffs at these figures, pointing out the difficulty of estimating losses resulting from cyber-attacks.
“One wonders how much mathematical masturbation takes place when analysing and generating these numbers,” he writes.
“As less “unsafe” features. If there’s a way out, there’s a way in. ”
Not true…
I’m a little tired of hearing “everything can be hacked”.
Start with a box without a NIC.
Surely it’s safe. – add a NIC. Assuming the NIC is free of errors and the OS driver too so you can’t DoS the box by bombarding it with ethernet packages the box is still safe.
Add a TCP/IP stack but not listening on any ports. Assuming no bugs, the box is still safe.
Start listening on port 80 but discard requests. .. the box is still safe.
Start serving static content. Assuming no errors in the request handling of the web-server the box is still safe.
Start with small carefully tested CGI scripts… the box is still safe.
I could go on (don’t worry – I won’t), but point is that a box only becomes unsafe the moment you install buggy software or write it yourself in the form of a bad script. Don’t! Keep it simple.
A box doesn’t have to be unsafe.
Who the he-double-L are these people? I have never heard of them before this. They do not describe their methodology. Their statistics are suspect. They come to conclusions without fact – “we call this the slammerwhammer-do-dammer effect”. We have no proof, we have no valid statistics, we have nothing to back this up, we will just notice a trend on our data and claim we have an answer.
It is particularly amusing that they claim Windows has a larger marketshare. Um, yes, but not when it comes to public facing internet exposed servers.
Sigh. I am about to give up on what passes for “news” at OS News. I am starting to understand why so many other sites make fun of this one. 🙁
Can we up the standards a bit on what we cite/reference?
Any sufficiently complex program is pretty much statistically guaranteed to have bugs. Bugs can often lead to security problems, so a lot of your assumptions about no bugs are not valid assumptions. Not to mention the limited scope of application that you covered. How many webservers do NOTHING but run the webserver and serve static content and/or use “small carefully tested CGI scripts” (tested != secure)?
So yes “a box only becomes unsafe the moment you install buggy software”, but you simply CANNOT avoid this. Any decently large bit of software is pretty much statistically guaranteed to have bugs in it for its entire lifespan. Not to mention that the tools that BUILD this software can be buggy and introduce binary errors into perfectly bug-free code. The situation is VASTLY too complex to make simple-minded assumptions about building something “bug-free” from the ground up that is of any significant use. Resign yourself to the FACT that you WILL be running buggy software and take a proactive approach at preventing those bugs from being exploited, and you will be better off than you would be trying to invent this nonexistent, bug-free system.
I doubt…
I post a story to this site about the largest bus company in Europe moving to Linux and there is no response and it never posted, yet on the other hand we have some head line, flame throwing headline posted urgently as if to say, “look at all the fools who run Linux”.
“well since most websites hosted on a linux server actually house somewhere in the hundreds of additional websites. you hack one then you hacked them all. this is not taken in account when doing these sort of statistics.”
Nor is the size and importance of the sites (which can be measured somewhat by the size of the companies -if any – that are behind the sites and the bandwidth used by the server in some kind of index)!
What is more important? Have a server that hosts 200 domains that belong to individual users that don’t derive any profit from the site existence – neither directly or indirectly – or having a corporate web server (hosting its presence and public image, and sometimes also its customer relation and business to business interfaces) cracked, defaced or even turned off?
The weight is only important to those that use the balance or to those that carry it…
that’s how newsworthy means to this site, IMHO
An interesting point that might be made here is that UNIX/Linux allows for the easy creation of random accounts, as opposed to the Windows Server model, for which it is more difficult. Thus it is likely that when a *n?x machine is attacked, nothing is harmed except a few shell accounts.
Also, what is the definition of “defacement”? Is it any security break or just when some 1337 scriptkiddie hax0rs a company web page to read “We are the Masters of Destruction, the most elite hackers on earth, blah blah blah”?
> How many webservers do NOTHING but run the webserver and serve static content and/or use
> “small carefully tested CGI scripts” (tested != secure)?
Not many, and that’s exactly the problem. People today
expect a web site to act like a remote shell to run
software on, using scripting languages like PHP. You
might as well say that people expect the site to give
the public shell access…but JUST A LITTLE shell access.
It’s rather naive. As soon as you start putting executable
content of any kind on your public site, you’re opening a
regular can of worms the likes of which no Unix system
will save you from. I would say that any site that does
not do exactly the type of minimalistic install of Linux
on their server that the previous poster described is
asking for whatever trouble they get. You can’t have it
both ways — either you run a secure platform like Linux
and serve non-executable content from it and stay secure,
or you start offering your “limited” shell access in the
form of PHP and CGI and wonder later what hit you.
Another thing about reports like this, which has been
mentioned before, is that they seldom compare *severity* of
security holes between platforms. Comparatively few
exploits on Linux (or any Unix) lead to total compromise of
the system. Many are simple denial of service attacks, or
other script kiddie hooliganisms. Exploits on Windows
tend to almost always allow remote execution of code, and
usually with total administrative privilege. Or infection
with trojans that replicate themselves through the mailer
system and infected browsers. It’d be nice if sites that
spread these types of statistics would compare apples to
apples once in awhile.
Linux security is a myth.
Opensource software security is a myth.
Closed source software security is a myth.
Commercial software security is a myth.
New holes are discovered every day. New exploits are written every day. Security is an ongoing struggle, not a state of things.
The real reason why Linux servers are getting hacked every day is because of the “Linux is secure” myth. No, it is not. You also need to keep your software up-to-date. You need to apply patches. Most newbish admins just get vanilla Redhat, install it and that’s it. Our school server runs RH 7.3 and it has never been updated. Just another day, I discovered /bin/bash1 on it, which was a planted suid rootshell (backdoor) and there are tons of exploits for such an old system. The latest 2.2 and 2.4 ptrace/kmod local root exploit is an excellent example of this.
Opensource security is a myth as well. Sure, fixes get out there faster and the chance of discovering bugs is greater. But there are also thousands of crackers looking for holes in it that don’t even plan on reporting them.
Closed source security is a myth. The latest “cumulative” patch by Microsoft is a good example. They released a number of fixes at the same time. It’s as stupid as releasing fixes for every bug found during a month at the end of the month. Any patches MUST get out to users as soon as humanly possible. Closed source software probably has more bugs than opensource software since there are less people looking at the sources. The problem is, however, that bugs will not be fixed until the company that wrote the software finds out. If you want an example of how “evil” closed source software can be, then just look at old Microsoft software. They are refusing to release patches for vulnerabilities in older apps forcing people to upgrade.
As for defacement, anyone with half a brain and some knowledge could probably find a server running passwordless Frontpage extensions and deface that in 30 minutes
The point of this rant was simple: if you are competent and you keep your software up to date, the chances of you getting hacked are pretty close to zero. And if you do, you’re prepared, right?
— Someone who recently moved his server to OpenBSD.
You’re right. Too many people today expect things like SERVERS to work out of the box. It’s a SERVER! If you install software on a server, you better at least know what you’re doing! With the ease of Linux installations nowadays, admins think that they’re getting magic crackerproofing with half an hour’s worth of installation–it’s Linux, right? so it has to be secure. Slashdot isn’t helping things either, reporting only on bugs in closed software.
I hate the way so many people twist around information to attempt to make a point. I have noticed that many advocates for both sides seem to have a difficult time with realism. When you are talking about defacements you are talking about remote exploits. The ability of a Trojan to be installed on the computer with local access is not the same thing and I don’t care if you think it is. As for local security using restricted user accounts; If I can’t install something as a restricted user I just su to root and then install it anyway, as do most other users.
Pray tell, how are you going to su to root on a server? Do you know the root password? Why are you in the wheel group anyway?
It would help if popular distros like RedHat and Mandrake would stop including horribly insecure software like wuftpd and sendmail. These programs have terrible security records and far better alternatives exist. It’s nice to see that debian has taken a sane policy and used better alternatives for the default.
The Met Office, one of the largest weather organizations moved hundreds of systems to RedHat and Ximian RedCarpet Enterprise – that was never mentioned either, but maybe that’s because those kind of articles draw in the zealots praising and knocking Linux more than this kind.
I can’t say I’m impressed with mi2g’s way of going about things, but the statistics are still statistics. Why can’t some people just accept Linux is getting hacked, if it was revealed that MS was being hacked more, I’d bet there would be no end of smug little comments from Linux admins/users.
The blurb is misleading; mi2g is FUD and lies. The bottom of the second link is where the real statistics are. Linux is still top, but much closer to Win2k and more realistic.
Not as misleading as the security stats for Redhat 9. Yes, there are security updates, but there are also updates in general. For example, the latest kernel 2.4.20-18.9 includes an update + a whole upgrade which includes more support devices AND updates to existing device drivers.
When was the last time Microsoft did that? oh, that’s right, Windows XP SP1 for hyperthreading, yet, if you look through their knowledge base, their hyperthreads implementation is riddled with bugs causing random lock-ups for customers vs. the almost clean transition that FreeBSD and Linux went through to supporting hyperthreading.
Thanks for pointing that out. My post should be altered now to say something along the lines of “the statistics do show though Linux hackings are Almost level with Win2K”, but the main point of it still holds true that people still try to make Linux sound infallible.
Don’t get me wrong, I do like Linux, but I don’t particularly like the part of its community that are so cultish about their OS.
Maybe Windows servers are more secure because Windows admins know that they have to work at it and patch, or else get hit by Slammer? Linux admins don’t have that “problem.”
>> windows got more exploits, then linux is more secure
windows got fewer exploits, then linux is getting more popular
>>>
Hahaha, that’s a funny way to put it. But you are right, some people here are spinning it. Like somebody pointed out, the first thing I want to know is how these folks got their data. They just made a claim, that more linux servers are getting hacked, like it’s God’s truth, but we ain’t told how this conclusion was arrived. Why should I not regard it as fud designed to improve readership or paid for by someone?
If the claim is true, however, it would be stupid to spin and explain it away as evidence of Linux’s increasing popularity. The linux community would need to examine why this is happening, and what can be done to lock things up.
Maybe Windows servers are more secure because Windows admins know that they have to work at it and patch, or else get hit by Slammer? Linux admins don’t have that “problem.”
This “report” doesn’t say that Windows is more secure. It basically says that more high-profile sites are running Linux. To claim that X or Y is the most secure from this report would only work if there were 50% Windows servers and 50% Linux servers and all of the sites were equally popular targets (Of course, none of this is true).
As usual, most people don’t understand statistics…
> Maybe Windows servers are more secure because Windows
> admins know that they have to work at it and patch, or
> else get hit by Slammer? Linux admins don’t have
> that “problem.”
I think you have a point there. With all the media attention and Linux prophets, even non-technical people know that Windows has faults. You don’t get a secure server, just because it’s Linux (although it helps)
FUD seems to be the key to marketing things these days. Look at the war on terrorism which has become the basis/justification (excuse) for the activities of the U.S. president and his cronies.
In any case, this massive propaganda war that has been initiated against Linux has only really kicked into high gear with the release of Windows 2003 Server. All of a sudden SCO creeps out of the toilet bowl, Ballmer targets Linux as Microsoft’s enemy, and now these questionable reports start to pop up out of nowhere.
I’ve been testing 2003 server and comparing it to Windows 2000. Looking at the changes and projecting into the future I can tell you that if you want to see what Windows Server will look like 10 years from now, pick up a copy of Linux today.
Stop Microsoft from holding you back and hijacking your IT budget.
First, people often say that closed source software probably has more bugs because there are fewer people to look at the code…. this statement makes a huge assumption, that there are always going to be more people looking at open source code… this is simply an invalid assumption. Not to mention the fact that just because more people are looking at the code does not mean that more bugs will be found.
Now, you could say that closed source software can potentially have more bugs because, potentially, more developers are scanning the open source code for bugs.
To be honest though, I’d say it’s MUCH easier to find a bug from actually using the software, not just looking at the code.
Anon:
So are you saying that Saddam was not a threat to his surrounding countries, and possibly the rest of the world (through funding, and such)?
Are you saying that Bush was wrong in ordering an attack on Saddam’s regime, a regime who has repressed his people, and controlled them through sheer terror the entirety of his political career (before, when Saddam’s cousin was in power, Saddam was still in control, working as the puppet master in the position of head of security)… terrorized his people so much that they can not even resist the government that oppresses them?
Offer from mi2g’s Chairman – DK Matai (16:18pm GMT Sat Jun 07 2003)
If you have issues with mi2g’s research or methodology please make a list of your legitimate concerns, get them OK’d on your forum and submit a copy to us on the hyperlink below and we will respond:
<http://www.mi2g.net/cgi/mi2g/moreinfo.php>
Please note that our methodology can be best understood if you read the following document:
<http://www.mi2g.net/cgi/mi2g/press/faq.pdf>
Thank you
DK Matai, mi2g
>> Looking at the changes and projecting into the future I can tell you that if you want to see what Windows Server will look like 10 years from now, pick up a copy of Linux today.
>>
You have a good point here. Actually, it isn’t so much microsoft wanting to look like Linux. It’s more like MS trying to also get the advantages and features that has made the unix platform so robust. Think of it as Microsoft getting better at the server thing. It’s one huge reason why Unix Vendors should also be looking to implement the advantages that Microsoft Servers currently enjoy over unix systems. Otherwise, the server platform will be another piece in MS’s monopoly.
Re CPU Guy:
>> So are you saying that Saddam was not a threat to his surrounding countries, and possibly the rest of the world (through funding, and such)?
>>
“Funding”, and “such” eh?? Drop the remote control
I suppose they will start saying Linux crashes more than MS Windows too!
Okay, let’s assume that we have two situations.
Team of 10 people developing a commercial server daemon. Any daemon. Doesn’t really matter what it does. There are 10 people who have access to the source code. If they are not security conscious, they are going to use something stupid. Like fixed length arrays for strings. I’ve seen tons of “tutorial” code that does this. These 10 people are concerned about deadlines and number of features. They have clients who want this software on time. They are under A LOT of pressure usually. They just want the damn thing done and that’s all.
Now, a team of 5 people working on a piece of opensource software. For the sake of comparison, make it a server daemon as well. Opensource developers usually work of their own free will. Nearly every piece of opensource software starts by scratching the developer’s own itch. Basically, opensource guys are making the software for themselves and thus want it to do exactly what they need it for. And they will make sure, it’s bugfree and secure. Simply because they do not have deadlines, pressure from clients or managers, etc. If their software finds its way onto some servers, people will find bugs in it. They’ll report the bugs. Pretty often, the hacker(ish) crowd will also look at the source code to find the bug, maybe even fix it. If they find something, they don’t like, they’ll report that as well. Or fix it. And submit the bug report / fix. Once this piece of opensource software is more widely adopted, the user base will grow. The number of people working on it will grow. The number of people that are concerned about bugs will grow. And most importantly, the number of people that will actually FIND and FIX things will grow.
To be honest though, I’d say it’s MUCH easier to find a bug from actually using the software, not just looking at the code.
Not always so. You don’t usually “push” the software by simply using it. You need to push it and see where it breaks.
Also, there are many non-obvious holes that do not reveal themselves unless you check the sources. A great example of this would be backdoors in commercial software
How can you know that closed source software does not have backdoors? Although, it would be stupid to suggest that you download the sources and scan them for backdoors before compiling everything. That is not humanly possible. You could run various source code checkers on it, but it’s an awful lot of work. But if you ever have doubts, you CAN.
If you ever have doubts about which is more secure: closed source or open source, then just look at the track record of pre-security-policy-change Microsoft and any major opensource product out there. There are still tons of Win9x machines out there with their entire drives shared to the outside world
To sum things up:
99% of the time, closed source software is engineered for the marketing department, who can make a huge list of features, a nice logo and a large marketing campaign. Emphasis is usually not put on security.
Opensource software is engineered for the community by the community. People who write it are the people who use it. They can’t afford to take risks.
The REAL reason behind Linux getting hacked more is the growing adoption by people who don’t know jack shit about it. Spend some money on competent admins, folks! It’ll pay off! (P.S: I’m looking for a job right now
Are you saying that Bush was wrong in ordering an attack on Saddam’s regime, a regime who has repressed his people, and controlled them through sheer terror the entirety of his political career (before, when Saddam’s cousin was in power, Saddam was still in control, working as the puppet master in the position of head of security)… terrorized his people so much that they can not even resist the government that oppresses them?
Are you saying Bush was right in funding and helping Al Qaida to attack his own citizens, and that killing 3000 innocent Americans is okay if it persuades the people to bomb a known terrorist for economic interests?
Where are the WMD?
This zone-h.org maintains a database of notifications and public announcements. I would venture a guess that more than half of the web site owners in the world have never heard of zone-h.org. Their database appears to expose no information to validate how many site admins would notify them. Plus how many defacements go totally unreported to the public? Since most Windows web hosts are commercial they are more likely to keep up with a notification database, but the vast majority of the public web is on BSD and Linux and probably not notifying anyone. This zone-h.org information is completely useless.
RE: Offer from mi2g’s Chairman –
The links don’t even work. Maybe you’ve been hacked yourself. I wonder if it is a Windows box? I’ll have to buy the report to find out.
just ask Eugenia 😎
sure, Linux wouldn’t show a blue screen, however a KDE or GNOME session wouldn’t hesitate to dump you to a command prompt or a stressed system will lockup.
As one example, the other day I was running synaptics on a lowly 64 MB system with 96 MB swap space. It ran out of memory and linux couldn’t kill the synaptic process without a reboot – here is the stupid log
May 27 01:40:32 bash kernel: Out of Memory: Killed process 5388 (synaptic).
May 27 01:41:05 bash kernel: Out of Memory: Killed process 5388 (synaptic).
May 27 01:42:17 bash last message repeated 4 times
May 27 01:42:55 bash last message repeated 3 times
May 27 01:43:55 bash shutdown: shutting down for system reboot
If the process had been killed, the messages that followed should not need to be repeated
Take out the closing > from his links as it hyperlinked.
Inspires confidence, doesn’t it?
Well at least, my dear linux trolls seem to stay rock stable. Old mantra repetition again and again. Clearly, they don’t need rehearsal ;-)))
The basic stuff here is, one more time, an old mantra shown as false propaganda : open-source systems, including Linux, are _more_ secure than the other one.
Obviously the linux trolls are surprised. Eventually, the linux trolls are no more secured than Linux ;-)))
This doesn’t matter.
The main point is : open-source systems are at the same security level ( some times a little bit over, some times under ) than the other one.
An outstanding result for $0 priced systems.
Well, ok, you need 6 months and good IT knowledge to reasonably secure a Linux box ;-)))
This is the main reason for the current internet hacking centered on linux box. Hackers target the so called “linux geek” ( in fact the autoexec.bat+ level … ), which are the same than the linux trolls. If you want to fully realize the phenomena, just give a look to the gentoo forum ( only a sample, if you prefer another “geek” distro, change for its forum ), a good place to collect “linux geek” speech, and just try to imagine those clowns “securing” anything ;-)))
Please, have some mercy, those guys can’t spend their time shouting “linux, it’s rock”, and at the same time study IT. They had to make a choice… and they have chosen ;-))))))))))
Anyway, only vicious want to hack this poor kernel without even a decent threading capabilities. That doesn’t make any sense, what could they expect to do once the system is hacked ? a ICQ party ? ;-))))))))))))))))))
Two solutions:
http://www.forescout.com/products.html
http://i.nl02.net/fscout/Data/15_Minutes.pdf
http://www.thirdpig.com/brickserver.htm
Meanwhile:
http://www.csm.ornl.gov/~dunigan/security.html
http://all.net/
http://www.honeypots.net/
Yes, please try without < and >; these should work:
http://www.mi2g.net/cgi/mi2g/press/faq.pdf
http://www.mi2g.net/cgi/mi2g/moreinfo.php
If not, please post on this forum, we will get back to you.
Regards
mi2g Intelligence Unit
London, UK
It would be entirely wrong if it were true…. do you have ANY sort of proof for such a heinous accusation?
That, my friend, is slander, and quite evil at that.
Quick question. How do you evaluate what OS and software the server is running? Very often, people have things behind a firewall that runs Linux and forwards port 80. And very often, people fake their server version info in http headers.
There have been lots of such OS mixups in the past.
By the way, have you ever counted how many times microsoft.com or one of their other pages have been defaced and then compared that to the number of Linux vendor site defacements?
No operating system can be more secure than the admin makes it. The graphs basically say that Linux admins are getting more stupid. It means that more non-technical users are using Linux. When done correctly, I guarantee no Linux box could be hacked. Just go into a Linux IRC help channel, look at some of the questions asked, then tell me many of those people are intelligent.
These surveys are moronic. What distro are they using for the test? What firewall rules are being used on these boxes? What services are being used? Linux is only a kernel. It’s the distro that makes it secure, the kernel supports features that allow you to make it secure, but it’s only a kernel. This is simply a joke to me.
Why do OSNews readers waste time arguing the merits of a report from mi2g when they offer only buzzwords (in ridiculously clumsy phrases) and hyperbole to back up their claims? I wonder why this article wasn’t researched a little more carefully before it was posted.
http://216.239.39.100/search?q=cache:18ReBq8YPdsJ:www.infowarrior.o…
http://vmyths.com/resource.cfm?id=64&page=1
From the first link:
Scouring the web, we find that in the mid-1990s, mi2g started off as an e-business enabler focused on operating portal sites (such as Carlounge.Com and Lawlounge.Com) under the corporate motto “Bringing The Web To The World.” Suddenly, in 1999 with the digital apocalypse of Y2K looming ahead, the firm morphed into an internet security company that “by integrating state-of-the-art software engineering technology with super computing capability is revolutionising the world of eCommerce and for the first time maximising the return from the internet whilst minimising the risk.” This was the same time when internet security companies were sprouting up faster than the kudzu in my backyard, bringing them to where they are today, as a provider of ‘security intelligence’ and other security-related products. One wonders what new market mi2g will be exploiting three years from now.
The firm’s current website reveals little about the background of its staff; most appear to be folks without significant operational IT security experience. It’s interesting that only DK Matai, mi2g’s founder and CEO, seems to speak or write publicly on security topics (few if any mi2g folks are active in the security discussion community, it seems) and although a seemingly talented academic, apparently has never been involved in the trenches of day-to-day IT security in the real corporate world.
Gems like “information is verified to +/- 10%” and that they “screen the attack” to verify the hacker’s identity and country of origin. What kind of scriptkiddie lets that stuff be known by a simple “screening”? Pshaw.
The reasons they give for attacks seem to be all of the format “damn hippies and anarchists.” Their reason for counting each attack on a virtual hosting site (i.e. one IP) seems to be that money is lost more. Money is not the issue here, the ACTUAL security is.
Also according to this June03 document, Linux leads Windows by only 7% and the news article says something like 19,342:3343. Someone is lying here. The percentages (Linux, Windows, BSD, Solaris), amusingly, add up to 95%–maybe the other commercial Unices are a better choice.
“Poorly configured or updated third party applications and server running on a Linux system are often a bigger threat to server security than up-to-date Microsoft applications and server running on a Microsoft Windows platform.” Wait, someone in their right mind still runs IIS?
In short, a piece of marketurbation of the purest sort.
They claim that their research does not reflect market share because it “fluctuates” too much. Has anyone else been following the Netcraft surveys? Things change by maybe a couple percent max.
There has been a shift in the emphasis of OSNews articles in the last six months to be more “pro” MS, by publishing FUD-generating articles such as this. Check out this analysis of mi2g:
http://www.theregister.co.uk/content/55/28233.html
We would appreciate it if OSNews would disclose any commercial bias that may now exist. Much of the editorial comment associated with posted news items now reads more like “advertorials” than anything else. To suggest that the MS NOS net stacks are regarded with anything other than disdain in the professional networking/IT community is to risk a loss of credibility.
The actual facts that are hidden in this marketing exercise of a report are too vague to draw any conclusions in the Windows vs Linux debate. Security starts with the admin. Interesting comments though, keep it up =) One of the better articles/threads I’ve read here in a little while.
elver:
Microsoft.com has never, at least never that I’ve heard of, been defaced… now the UK division, and other foreign divisions have been.
I remember one time someone hacked into an internal server a couple years ago… if this is what you are talking about?
CPUGuy:
Didn’t the Windows Update servers get hit by Nimda?
“windows got more exploits, then linux is more secure
windows got fewer exploits, then linux is getting more popular”
Exactly. When windows has more exploits then it is a buggy piece of insecure shit. When linux has more exploits or attacks it is just getting more popular so it is “natural” for it to be exploited more. Yeah, OSNews is just full of a bunch of Linux nazis. Props to the person that brought up the admin issue.
>Exactly. When windows has more exploits then it is a buggy piece of insecure shit. When linux has more exploits or attacks it is just getting more popular so it is “natural” for it to be exploited more.
And also, when Windows doesn’t get bad press, Linux nazis will just bitch and whinge that Microsoft bought all of their products and never write much of their own software anyway.
Bugs -> Microsoft wrote it, their fault
No Bugs -> Microsoft bought it, their evilness
>Yeah, OSNews is just full of a bunch of Linux nazis.
Most OS related sites are though – MS people don’t care about their OS so much, I think.
>Props to the person that brought up the admin issue.
That is exactly what the figures from zone-h.org show, I think.
There is a lot of hype out there about how great Open Source security is, and the hype isn’t actually going to help Linux or Open Source in the long run, IMO.
There is essentially no guarantee that properly trained security experts will actually review Open Source software. The chances of this go up greatly if you have a really big popular project (like the Linux kernel for example), but if you don’t have the same interest in a lesser project, then there is not much to be gained from showing everyone the code.
If you have financial resources you can pay people to do this work of course, rather than cross your fingers and pray.
It’s certainly not like every open source project in the world has trained security pros looking for bugs out of the goodness of their hearts. The Linux hypesters ought to be shot down by the rest of the community whenever they start spouting off about how secure Linux is.
css:
Props to the person that brought up the admin issue.
Thanks! Don’t be in such a hurry to prop me though — I am of the firm belief that OSS has the potential to be much more secure. However, it’s up to the user to exploit this potential.
David:
It’s certainly not like every open source project in the world has trained security pros looking for bugs out of the goodness of their hearts.
Perhaps not — but recent studies have shown very VERY strong circumstantial evidence that OSS can produce markedly better code than CSS. Refs available upon request, but I won’t bother looking here because I’m lazy and this discussion will probably fall off the OSNews front page sometime tomorrow. The one that most sticks out in my mind was a comparison of the Windows and Linux network stacks, comparing bugs per 10 000 lines of code, IIRC.
The Linux hypesters ought to be shot down by the rest of the community whenever they start spouting off about how secure Linux is.
Agreed — provided they are indeed ‘spouting’
Cheers,
GG
I’ve seen those reports as well, and understand what they show, but the impression I have at the moment is that the results are only really likely in the case of high profile software. I’m just skeptical of the lower profile software which doesn’t have so many eyes on it.
Also my university education has probably biased me somewhat into believing in more rigid development processes than appear to be present in a lot of OSS projects.