Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled “Is Linux more Secure than Windows?”. Despite the report’s claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users.
As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.
Linux is typically used by people who have a clue about security. Windows is used by the uneducated masses, who simply use their computers for ‘the internet’. These users don’t understand (or care) about keeping their systems secure.
Virus writers target Windows because of its popularity, not because it is any less secure than Linux.
I believe that Linux would be many times more insecure in the hands of the clueless masses that currently have a Windows box.
And before anyone flames me for the above comment: my OS of choice is Linux.
I can’t say I agree with that based on how Linux and Windows are released. If you opened everything up on Linux then it would be just as vulnerable as anything else, but most, if not all, distros are very secure right out of the box (or off the download server). Windows, on the other hand, is not secure out of the box. The really bad thing about that is, like you said, it’s used mostly by people who don’t know or care about security. Microsoft could easily be doing a lot more to make Windows secure from the get-go, but they don’t, so it’s half their fault for not keeping up with competitors.
>>Linux is typically used by people who have a clue about security. Windows is used by the uneducated masses, who simply use their computers for ‘the internet’. These users don’t understand (or care) about keeping their systems secure.
So choosing Windows over Linux is a matter of education & nothing to do with hardware/software availability/compatibility.
Linux users are created from the same mould as vegetarians who also can’t deal with the harsh realities of life.
Of course that is a pathetic generalised statement isn’t it?
*cough apache vs IIS
nuff said
It’s a complicated issue, you can’t narrow it to one variable. Windows does come with a lot of usually unused services running for home users, this hurts its security. A good linux distro will come with them off.
I get viruses on Windows and I am a security aware user. To this day I have no clue where most of the little viruses I find come from, but they seem to get there somehow. I don’t read e-mail on it, I rarely browse the web, I just play games. But I have viruses!!!
But really, Windows sounds like it is improving some security issues with SP2, it’s about time. Better late than never though guys. I think if Windows users spent their time cleaning up their security instead of flaming us linux geeks they’d have a lot fewer security issues. And if we would spend our time working on projects instead of flaming Windows users we’d probably have a cooperative gtk/qt theming engine that ran through the GPU.
If it had all the Windows users running it, which means you could get those users to do anything you wanted with social engineering, including giving up the root password at whatever prompt you threw at them?
I’m not saying that it still wouldn’t be more secure than Windows, just saying that looking at it from the prospect of millions of clueless users kind of balances things out more. Hell, I’ve seen Windows users get nailed by the same virus more than once, even when they *knew* better. You’d be surprised at how many people still don’t install any kind of anti-virus software, even when their computer has been hit at least once already.
>Virus writers target Windows because of its popularity, not because it is any less secure than Linux.
You obviously don’t have a clue.
>I believe that Linux would be many times more insecure in the hands of the clueless masses that currently have a Windows box.
The reason why Linux/UNIX are a lot more secure is how they treat a user. In the Linux/UNIX world, there is a concept of super user and ordinary user. In Windows (esp. personal/home use), everyone is an administrator. So if you’re a virus writer, which one will you pick? Regardless of how good you are (virus writing) you need some form of access to execute your program with less intervention (like a service on boot up) on Linux/UNIX. In Windows, this is easy to do.
And before anyone flames me for the above comment: my OS of choice is Linux.
Mine is Linux too….
The reason why Linux/UNIX are a lot more secure is how they treat a user. In the Linux/UNIX world, there is a concept of super user and ordinary user. In Windows (esp. personal/home use), everyone is an administrator.
You couldn’t be more wrong concerning NT based OSes, including 2000 and XP. Windows has more granular security than UNIX but the problem is Microsoft doesn’t force developers to use it. A lot of Windows 3.11/9x developers jumped over to NT without changing the way they think when writing apps. Even Microsoft is guilty of this to a certain degree but it’s a per app basis. Theoretically I could run my system as a normal user, not even a power user, but some developers have it in their head to force me to run as admin just to get the app to work. I put my system behind a firewall and run as admin to avoid these hassles but I’d rather not have to run as admin (I’ll still keep the system behind the firewall).
To claim, however, that Windows doesn’t do this is wrong and part of the problem in general. Windows NT based OSes do a whole lot more than Linux geeks know simply because they refuse to try it and base their observations and comments on second or third hand knowledge or on older 9x based Windows OSes. Isn’t this the same thing you hypocritical weenies cry about when people say Linux sucks, basing this off older versions of distributions such as RedHat?
Something that MS is doing (in my opinion, because of Linux) is securing Windows nicely. Windows 2003 has nearly all the services off by default, and with SP2 of XP there is a nice list of security features. And I share the opinion from the first post: the day normal users start to use Linux, it will be different, very different. But I hope Linux and Windows keep getting more secure every day.
Fact: the average Windows user (please notice the average part) is a short sighted wimp who knows next to nothing about computers and simply uses what was placed in front of him because he is unaware of anything else.
Overall it is true to say that people who have bothered to try other OS than Windows proved to be more inquisitive, broad minded and – eventually – demanding.
If «education» is about teaching one to think critically it is then correct to say that Linux users are more likely to be better «educated» than the plain «never saw & do not know nothing else & in fact I think Windows and computing are the same» Windows user.
>So choosing Windows over Linux is a matter of education & nothing to do with hardware/software availability/compatibility.
>
>Linux users are created from the same mould as vegetarians who also can’t deal with the harsh realities of life.
>
>Of course that is a pathetic generalised statement isn’t it?
So they do not deny the Linux patches on average took longer…just want us to know they did actually prioritize them. Well duh, I hope they prioritized them, and the better way to respond to this is to say that “we will work to reduce the response times for the lower priority patches” being the only way to lower their average in line with Microsoft. It’s what they should have said, instead of making half-way excuses like they did.
How do viruses spread? What exploits do they attack?
As long as Windows is a single-user environment grafted onto a multi-user OS, it will be really difficult to secure Windows without confusing the novices. That being said, OE’s “preview pane” and auto-execution of binary attachments alone are half of Windows users’ heartaches as it is.
UNIX itself is pretty much immune to most viruses. You have to get the user to run untrusted code and have that code either ask for the root password or exploit a buffer overrun.
The way Linux gets packaged makes it possible to automatically administer security updates. Windows could for the OS itself, but not those third party applications.
I meant ‘most types of viruses.’ Sorry.
I have had enough of reading: “if more people used linux it would become as vulnerable as Windows”, especially when it is proclaimed by Linux users: do you understand the OS you are using?
I challenge everybody: send me a virus as an email attachment.
I’ll make your life very easy: I’ll open your email as root. I’ll click on the virus: let’s see how much damage it can cause.
“You couldn’t be more wrong concerning NT based OSes, including 2000 and XP. Windows has more granular security than UNIX but the problem is…”
Everyone knows that Microsoft’s great advantage in the market comes from its OS being pre-installed with every computer.
Now. Go to your local hardware store. Buy a Dell machine
and take it home.
Now, power it up.
Voila, no login screen. It boots straight into Administrator’s Desktop, doesn’t it?
This is the way most computers are running right now.
Bad default setup + Joe Sixpack = Insecure computer, no matter how secure the Windows is claimed to be.
—
and about the “Windows has more granular security than UNIX” part… I’m not quite sure what you mean by granular, but Windows’ main weakness (the Registry) is also in the way in this respect. Users that shouldn’t have permission to install programs but need a certain application that must write to the registry are the main headache for any sysadmin. I’ve seen several cases myself and (granted, this is more a “badly developed application” problem than an OS problem) in many cases you have no choice but to add it to the Administrators group, which means they end up having a lot of permissions they shouldn’t.
I’m not any security nut myself, obviously, but how I see it, it’s primarily the user’s fault more so than the OS of choice. But even more than the users, security is an almost impossible task to perfect. Look at the Gnome servers recently, they had a break in, and I’m sure that they took many steps to secure themselves, but it really goes to show how nobody can secure themselves flawlessly, there is always somebody who can think a step ahead, or figure out the next level after it being applied. So can anyone really argue that one is more or less better, when in reality nobody can build foolproof code?
Also, this is a question, but shouldn’t a “Linux” virus have to be written for some type of Linux app? I don’t understand (or am misunderstanding what I read before) how Windows code could do anything to a Linux system… I must have misunderstood something, but I’m just curious to know is all.
I challenge everybody: send me a virus as an email attachment.
I’ll make your life very easy: I’ll open your email as root. I’ll click on the virus: let’s see how much damage it can cause.
This is where the short-sightedness comes in. Why do people assume that the only way (or even the best way) to infect a Linux box is through an email attachment? If you’re running Debian and/or apt, how about if I send the file as a .deb package and have you install/run that? Yeah, we’d find out really quickly just how secure your box is, assuming I knew how to write a virus
Look, I ain’t saying Linux is less secure than Windows … I’m saying that until it has been field tested by Joe Sixpack and about 5-10 million of his ilk, it ain’t as secure as you think it is. And I predict that people who have this feeling that Linux is somehow invulnerable to this crap are going to be in for a very nasty surprise …
“You couldn’t be more wrong concerning NT based OSes, including 2000 and XP. Windows has more granular security than UNIX but the problem is Microsoft doesn’t force developers to use it. A lot of Windows 3.11/9x developers jumped over to NT without changing the way they think when writing apps. Even Microsoft is guilty of this to a certain degree but it’s a per app basis. Theoretically I could run my system as a normal user, not even a power user, but some developers have it in their head to force me to run as admin just to get the app to work. I put my system behind a firewall and run as admin to avoid these hassles but I’d rather not have to run as admin (I’ll still keep the system behind the firewall).”
RPC, nuff said.
RE: “Each vulnerability gets individually investigated and evaluated; the severity of the vulnerability is then determined by each of the individual teams based on the risk and impact as well as other, mostly technical, properties of the weakness and the software affected. This severity is then used to determine the priority at which a fix for a vulnerability is being worked on weighed against other vulnerabilities in our current queue. Our users will know that for critical flaws we can respond within hours. This prioritisation means that lower severity issues will often be delayed to let the more important issues get resolved first.”
I’m sure Microsoft also prioritizes their security issues but their idea of prompt security response is a joke. They rarely, if ever, release patches within weeks, let alone within hours, even after realizing there is a security risk. Either they choose to ignore security flaws or they are the last to know about them.
Linux Security Response Teams offer prompt solutions to security issues by releasing patches for the kernel first and 3rd party programs second. This is done within a matter of a few hours, not like Microsoft where you wait a week or more to fix major holes. This is because the security risks in Linux are found mainly by in-house testing to verify if there are any holes and how to quickly fix them. Does someone know the exact number of bugs found in WinXP when it was released to the market? I can’t remember the exact number but recall it was in the thousands, some of which are still waiting to be fixed. How many security holes were found when SuSE was first released? Zero is the answer.
Another issue with the way Microsoft deals with security updates is the majority require reboot of the system to complete the installation. In Linux this is not required. I run SuSE 24/7 and when an update occurs the system doesn’t require a reboot. The patch is installed fully without doing it the Microsoft way.
The other difference is that Linux developers such as SuSE AG work closely with other developers to provide quick security patches to not only the OS but as well the programs installed. SuSE for example comes with an auto-update feature as part of YOU (Yast Online Update) and has SuSE Watcher (notifies when program updates are available). Sure when I had WinXP the OS would update the OS and Windows apps but it chooses to ignore the 3rd party programs installed on the Windows system. Also, most times updates for 3rd party applications require the consumer to purchase the update instead of having it freely available as a security update.
Real-Time security is just one of the reasons I switched to Linux. This article just clarified what Forrester obviously didn’t take into account and because of this Microsoft twisted the info to market their flawed OS.
There are a couple of flaws in your reasoning.
Firstly I wonder how you would manage to get a deb approved that easily, evidently you haven’t got a clue of how Debian works.
Secondly not everybody would download your virus masked as an app: did you know that Debian Sid has around 14,000 of them (apps)?
And finally even if I downloaded and installed your “virus”, I still wonder how much damage you could cause or, even more difficult, how it could be spread.
With Suse, for instance, virtually any damage, including to the kernel, can be repaired very easily with the “repair” feature if you boot from CD1 or DVD1.
Windows has more granular security than UNIX
Well, when using ACLs with Linux this is not really true anymore.
Meanwhile, about viruses: even if Windows is an easier (and bigger) target, that doesn’t explain why there are 50 times more viruses for Windows than Linux proportionately to market share! You’d figure that there must be at least one virus writer who hates Linux, and who releases it in the wild. Yet there have never been any serious Linux virus infections in the wild.
The popularity of Windows doesn’t explain everything. There have been bad design vs. security decisions at Microsoft in the past, and backward compatibility (a must to preserve its 90% market share) makes completely cleaning up the code a gargantuan task, even for a company with such resources.
Top Speed
You missed the point. They’re saying that the study was flawed because it made no difference between high and low priority vulnerabilities. It’s therefore not possible to conclude whether Windows or Linux is safer, because there is no way to tell who solved high-risk bugs faster.
This is where the short-sightedness comes in. Why do people assume that the only way (or even the best way) to infect a Linux box is through an email attachment? If you’re running Debian and/or apt, how about if I send the file as a .deb package and have you install/run that? Yeah, we’d find out really quickly just how secure your box is, assuming I knew how to write a virus
Look, I ain’t saying Linux is less secure than Windows … I’m saying that until it has been field tested by Joe Sixpack and about 5-10 million of his ilk, it ain’t as secure as you think it is. And I predict that people who have this feeling that Linux is somehow invulnerable to this crap are going to be in for a very nasty surprise …
BRING IT ON!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
http://selinux.dev.gentoo.org/
# ssh [email protected]
password is “gentoo”
>BRING IT ON!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Hehhehee! Now, where did I hear that before?
BTW, can’t ssh into your machine
Tried with putty from work, can’t go in. Used the link, is OK. Now, what must I do? Delete files?
You’re asking how many bugs were discovered in Win XP. I’m asking how old Windows XP is (3 years), and how old Suse is. Better to ask how many bugs were discovered in Redhat 6.2.
You’re talking about viruses. What a virus author really relies on is popularity. That’s why there are so many viruses on Windows. The Linux community is much (much) smaller than the Windows one. You must consider that. Another thing: if I gave you a Linux virus I wouldn’t send it to you by email. I’d rather use some exploit and set up something like a server on your machine, and do it on the system from your local network or from a nameserver cache. It would work automatically. The exploit would be for, for example, ssh.
“And finally even if I downloaded and installed your “virus”, I still wonder how much damage you could cause or, even more difficult, how it could be spread. ”
If you installed malicious software and ran it as root, you’re doomed, whatever Linux you are using.
For the spreading, that’s where the real advantage of Linux comes: there are no “network services” widely used on every Linux box. But there are worms, trojans on Linux, using ssh, bind, etc… Far less than on Windows, clearly.
Once again, nothing to do with “design”, much more with good code quality.
Could any one name if they know, any current examples of linux-based viruses at all?? In the wild? Illustrate the rest of us.
How about the argument that most people that try and write ‘virii’ are usually script kiddies and immature Windows users that google on over to astalavista.com and download the ‘create your own virus kit’. You don’t have that many Linux virii because the writers are too stupid and don’t know anything about unix or linux programming languages.
Unless a virus is targeted at a specific business to be used as industrial espionage for the financial gain of the instigator, a virus is nothing more than a passing annoyance, much like little boy racers pulling donuts at 2am outside your house.
A great way to halt a lot of virii, exploits, trojans and the like would be for Microsoft to actually release a new operating system, rather than rehashing the old ones. Let’s face it: Windows XP is just Windows 2000, which was slightly better than Windows 98, which was much more unstable than Windows 95, which had just a better GUI than Windows 3.1, which is based on DOS. Windows Me was just a mistake or an April Fools joke, I can’t decide which.
…’cause for windows the list is pretty long.
> BRING IT ON!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Hello,
Nice box you got there, after login as root, quite a lot of stuff still cannot be executed by root. Can you explain how you did it? Why is it I am unable to do “chmod 777 /root”? Did you change the kernel or shell? Or did you basically change most/all of the commands?
I have just completed a security review for the place where I work. I found that IN PRACTICE Windows (2K AS, 2003 Server) had many more vulnerabilities than Linux (Redhat, Debian).
I think that is due to the fact that there are two ways of being lazy: the windows way (rest now) and the linux way (rest later).
Windows is made to sell to people who are lazy in the “rest now” kind of way, it is really a pleasure to set up, and takes no time or effort. That is using the defaults, which are usually not very secure. Nobody bothers restricting them, or even learning about security on windows before there is a problem. That’s why our state of the art windows data center has a short uptime, we fix problems as we find them.
Linux is made by people who want to work now to save their efforts later (maybe to work on something else). It is a bit of a pain to set it up, as the defaults are restrictive (e.g. no SMTP relaying from any other host, no weak passwords allowed etc.) and you have to learn about security in order to set it up, at least from the man pages, or the documentation in the config files. On Linux you also can’t install applications as easily as on Windows, you must set up your apt repositories, import your rpm keys etc, this also helps making things more secure.
On the windows desktop, people always want to download and install an app that requires them to have administrator privileges, or that is more difficult to run without those (say, NERO). You must therefore either sort out all their problems, or let them run as administrator, what do I do as a lazy admin?
Linux on the desktop comes with pretty much all the stuff people need, and is configured to let them run as a lower privileged user. (also because there is not that much of an availability of weird apps that people want for linux).
Once you did make the effort with Linux, then you have life easy: you can save your config files with comments in them detailing what you were thinking, copy them across to other machines, modify them, include them in your reports to the boss, in your technical docs etc. On Windows, you need to take screenshots, use some weird import/export setting systems, and produce your documentation in the knowledge that you will never use it again, because the new version of the software will do everything differently.
The single concept of antivirus illustrates my idea: it’s a “try to fix it later” attitude that usually does not work. (we run the enterprise versions of both Norton and NOD). I am too lazy to read through my comment to fix the spelling
I spent a while working in admin at a large company (part of a multinational). Patching Windows was always a bit of a pain because
a) You either had to jump through the whole Windows update rigamarole, individually downloading and installing patches
b) Download and install a load of pre-packaged patches individually to apply to several servers
c) Subscribe to Technet (not free like the above) and install a load of patches individually
AND THEN
d) stay in till about half six or seven because you knew you’d be rebooting your server. This usually meant getting home around nine (if you were lucky and all the patches worked, I remember NT4 SP3 being a bit of a pain)
Comparatively, I’m running SuSE Linux at home. Once every week, I fire up the Update program (everything here is graphic), hit next twice, and it brings up a load of patches rated “Security”, “Bugfix” and so on. This means first of all that if I don’t want to, I can avoid non-critical non-security patches (IT admins are fearful creatures ;-)). The next step is to tick all the boxes, hit next, and walk away. Unless I’m downloading a new kernel, the system won’t be rebooted. Individual services may be restarted, but if the user notices it, they will only see a temporary glitch and won’t come running!
One of the main reasons Windows Admins don’t do updates regularly is because it’s time-consuming and fraught with peril (I’ve seen critical services just stop working after an update). All the Linux distributions have easy to use update mechanisms that have no major risks associated and what’s more, have fewer security holes to patch! A person of MCSE level, administering a Linux system, would be far more likely to keep it up to date. And Linux vendors are damn fast at getting out High-Priority fixes, which are usually the ones you need fixed in a hurry anyway. It’s easier to maintain a secure Linux system.
the balance between functionality and security exists. this is not new.
the difference between windows systems and most unix systems is that the unix systems allow you to alter the security to your requirements. you CAN by and large say “i want to be this secure” and you can go ahead and do it. you don’t have that choice with windows. that also includes transparency … ie… seeing what events are happening on your systems. windows is very opaque.
This machine is Hardened Gentoo’s SELinux demo machine. The primary use of it is to test and audit SELinux integration, and policy.
more info:
http://selinux.dev.gentoo.org/
Distributions Incorporating SELinux
This section of the website is devoted to those who simply want to use SELinux, as opposed to develop SELinux or applications for SELinux.
As distributed by NSA, SELinux is designed to work with Fedora Core 2 test1. Various people have worked on integrating SELinux into other distributions. The work on the Debian distribution and Gentoo distribution are perhaps the most complete. Separate pages are available here for the distributions which are known to work with SELinux or for which work is being done to make SELinux work. There is also a page for “other” distributions which provides general information on what has to be done to incorporate SELinux into a distribution.
more info:
http://selinux.sourceforge.net/
>>Fact: the average Windows user (please notice the average part) is a short sighted wimp who knows next to nothing about computers and simply uses what was placed in front of him because he is unaware of anything else.
Of course written this way this is a perfectly reasonable statement to make, which btw I would agree with.
Firstly I wonder how you would manage to get a deb approved that easily, evidently you haven’t got a clue of how Debian works.
Maybe I don’t .. I was assuming you could get a .deb package from anywhere and install it?
Secondly not everybody would download your virus masked as an app: did you know that Debian Sid has around 14,000 of them (apps)?
They’ll download it if you promise them nude pics …
And finally even if I downloaded and installed your “virus”, I still wonder how much damage you could cause or, even more difficult, how it could be spread.
Who knows? I suppose you could just keep a process running and use it as a zombie, such as with Windows. Hell, you don’t even need root access to send out spam from a Linux box, so long as you have outbound access to the SMTP port (else how would you send any email?). I don’t know if you could install a process to run at start up, but considering most Linux pundits will tell you that you only have to reboot a Linux box once every 30 years, that wouldn’t really matter.
“BRING IT ON!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!”
Hello,
Nice box you got there, after login as root, quite a lot of stuff still cannot be executed by root. Can you explain how you did it? Why is it I am unable to do “chmod 777 /root”? Did you change the kernel or shell? Or did you basically change most/all of the commands?
It is called SELinux which patches the kernel and a few other bits ‘n pieces, it provides a much finer grain of security, and best of all, there is no über administrator meaning, there is no one account where people can get full access to the whole system.
IIRC, it was developed by the NSA: http://www.nsa.gov/selinux/
Reality?
How in the heck do you relate vegetarianism with linux. Sort of the same cyclical logic of relating politics with linux.
Good lord. Grow up. Move forward.
Republican Linux v. Democratic Linux. Meat-eating v. Vegetarian Linux. Educated Linux v. Non-educated Linux.
The “black-box” operating system doesn’t count.
Troy
http://banther-trx.homeunix.com
I’ve been searching the net and having a difficult time finding any Linux viruses that weren’t created in-house for testing purposes. The databases I searched, such as Symantec, McAfee and the Virus Library, list thousands of viruses for Windows but only a handful for Linux dating back to 2002. See links below.
McAfee Virus Calendar:
http://ca.mcafee.com/root/genericURL_genericLeftNav.asp?genericURL=…
Symantec Virus Database:
http://www.symantec.com/avcenter/
Virus Library:
http://www.viruslibrary.com/
Security Focus Bug Track:
http://www.securityfocus.com/archive/1
Files aren’t designed as executables by their extensions in Linux, and e-mail attachments never have the execute bit set on IIRC. You can change a file’s permissions from the file manager in both KDE and Gnome, but in each case (again, if I’m not mistaken) it’s at least a tab away.
Malware can exploit flaws in services, which can make flaws in software that run Linux susceptible to worms when a new exploit is discovered, but on a typical workstation there usually aren’t many services running in the first place.
The fact is that e-mail remains one of the most efficient ways of spreading viruses, through a combination of bad design and good old human engineering. Linux isn’t immune to malware, but its design makes it harder for viruses to spread. In this sense alone, it is much more secure than Windows.
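Added example, not part of the original thread: a shell sketch of the execute-bit point made in the last comment above. It saves a file the way a plain file create does, shows that the kernel refuses to run it directly until someone sets the execute bit, and lists which saved files have had that bit set. The function names, file names and file contents are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; function names, file names and contents are constructed.

# Save a file the way a mail client saves an attachment: a plain create,
# which requests mode 0666 and lets the umask strip bits from it. No execute
# bit is requested, whatever the file name or extension says.
save_attachment() {
    ( umask 022 && printf '#!/bin/sh\necho payload-ran\n' > "$1" )
}

# List regular files under $1 that have any execute bit (user, group, other).
# Written with POSIX find tests only, so it does not depend on GNU -perm /111.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# True if the single file $1 has any execute bit set.
has_exec_bit() {
    [ -n "$(list_executables "$1")" ]
}

# Try to run the file directly and print the shell's exit status.
# 126 means "found but not executable" (execve returned EACCES).
try_exec() {
    if "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    save_attachment "$dir/invoice.exe"
    save_attachment "$dir/photo.jpg.sh"

    if has_exec_bit "$dir/invoice.exe"; then
        echo "exec bit after save: yes"
    else
        echo "exec bit after save: no"
    fi
    echo "direct exec status: $(try_exec "$dir/invoice.exe")"

    # The deliberate extra step a user has to take before a double-click
    # or ./file can start the program.
    chmod u+x "$dir/photo.jpg.sh"
    echo "files an audit of the save directory would flag:"
    list_executables "$dir"

    rm -rf "$dir"
}

demo
```

Running `list_executables` over a mail or download directory is a cheap periodic check: anything it prints was made executable after it was saved.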