UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80% of the survey total. Windows-based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks. “Read more” for our take.
Without paying, there’s not a lot of information about the methodology used, so the numbers should be taken with a grain of salt. It’s not clear whether the low numbers for BSD and OSX breaches can simply be attributed to the fact that they’re not as common as Linux servers. And as has been noted in the comments, mi2g does not have a sterling reputation in the security industry.
This is going to provoke an ugly flame war in here.
Linux is the 2nd most secure there is. Faulty setting up is no argument. And besides, if you set it up correctly, you may be able to get in, but if you chowned something to a directory there’s no point in breaking in.
I would like to see how they set up the linux servers.
…considering how many linux servers are out there. Maybe all those updates are doing some good for windows machines. How many Macs are acting as server?
“The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers.”
…how convenient, dontcha think?
Looking at OSX you can see that most of the security holes due to configuration are sealed by default. For example, telnetd isn’t configured to run at all. In fact a user can’t get it to run without manually editing the shell scripts. That means they *really* want to get it running. Simple things like this should be the default configuration for any machine.
yeah, I’m sure these security SPECIALISTS didn’t think of this on their own. Or maybe Steve Jobs is behind this – remember Apple’s devious attempt at showing the G5’s superiority. Yeah, what devilish hucksters!
It doesn’t sound very thorough.
If there are very few Mac OSx servers out there and a whole lot of Linux servers, how do they determine that Linuxes are ‘more likely’ to be cracked? Apparently, they just looked at very raw numbers.
Also why do they discount worms, etc.? Especially, when recent worms give hackers enough control of a system to retrieve sensitive data and launch DOS attacks, and send truckloads of spam.
“Company executive chairman DK Matai said: “The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool’s gold without adequate training and understanding of the impact that third party applications have on overall safety and security.”
Two side notes:
1 – This does not have to start a flame war.
2 – Why does the narrowing down to overt attacks make this convenient? People should be aware of what they are doing and if you have a lot of former windows server guys setting up Linux servers improperly, well… what do you expect?
This says nothing about the overall stability of the system or its set up. Too bad you have to pay to read the actual report.
hi!
guys, take a look at http://uptime.netcraft.com/up/graph/?host=www.mi2g.net
it seems that even mi2g.net runs linux for their web servers (actually, Apache/1.3.28 and 1.3.27 and 1.3.26)
hmm… doesn’t that tell you something?
Glad I use BSD. Seriously. Glad.
That they secured it?
Sorry Fella…I like Linux, but I can honestly agree with this article. Linux is not as secure as it could be, in my experience at least. And no, I’m not a dipshit. I’ve been using UNIX longer than Linux, and most Linux users or admins…so…
Anywho, don’t you think properly administered Windows servers would be patched? That’s why worms and viruses aren’t counted in. Pretty simple.
Oh, and about Macs. I’m not too surprised. Anyone remember the old Mac OS was proven as being one of the most secure as well? LOL, funny no one uses them.
The article talks about number of successful attacks, not *relative* number of successful attacks. I imagine there aren’t a lot of OS X servers, so it comes as no surprise that there are very few successful hacks worldwide. I also think there are more Linux servers than Windows servers (though I could be wrong). Would the numbers be the same if the number of attacks was divided by the number of servers running said OS?
Perhaps Linux could do with better default security settings, though. Lots of distributions start all kinds of servers by default. Debian seems to want to add every darn thing I install to the boot process.
Think about it: mydoom turns your windows workstation into a zombie server! Therefore, the study must include the breaches of windows workstations since they become servers.
Think it’s unfair to suggest workstations be classified as servers? Then discount all those Linux workstations being run as servers by newbies in this study.
Level the playing field please.
The fact is that, as MyDoom has shown quite clearly, you don’t need to actively attack Windows servers: malware can gain access for you. Meanwhile, Linux servers – being virtually immune to malware – require the intervention of a real hacker to breach.
From the article:
The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers.
Also, I’m curious about the methodology of the study: the results show absolute numbers, but that is relatively meaningless. For example, 2005 breaches on 3000 total Windows servers would be roughly equivalent to 13,654 breaches on 20,000 total Linux servers. The same goes for OSX servers, which are not very widespread.
In the Macworld article it doesn’t actually state whether they compensated for less Mac OS X servers or not. Does anyone know if they did? Just so I can tout this to my Linux-using friend.
While I’m quite pleased as a freebsd and openbsd user, I’d personally like to see the ratio of cracked machines to installed machines. The linux windows thing is surprising considering both would be highly deployed.
mi2g keeps coming up with the exact same statistics. I think the head of the company has some sort of vendetta against Linux; I can remember 2 or 3 other stories involving mi2g that made the exact same claims. A little googling comes up with plenty of stuff casting doubt on mi2g’s credibility.
I’ll believe these statistics when they come from another company. Otherwise, nothing to see here, move along.
… which server is less dangerous in the hands of a newbie? Windows, Linux, BSD or Mac? After all, all these systems can be locked down completely secure in the hands of an expert.
>> That they secured it?
I was wondering why they, the people who ran the tests, are using linux from their web servers when they proved, at least that’s what they say, that the linux machines are the weakest (security-wise). And how DID they secure their servers, if they did, and so the linux machines they tested weren’t as secured as that???
And yes, every time an mi2g story has come up, an ugly flamewar has started. The funny thing is, it’s the security equivalent of an Adequacy troll.
Some links:
http://www.attrition.org/errata/charlatan/mi2g-history.html
http://www.theregister.co.uk/content/55/28233.html
http://www.nwfusion.com/news/2002/1107msfoul.html
This is a load of crap. It has nothing to do with the OS, but the people behind the keyboard. The reality is that all of the Linux zealots out there have done such a good job of converting people by using untruths and complete mis-information (much like religious zealots convert the stupid and weak-minded) that everyone and their mama is using Linux. Now the open source crowd is experiencing exactly the same scenario Windows 2000 and XP experienced, namely ubiquity + inexperience = disaster. Everyone is using it, no one really knows how to use it, but it’s really easy to set up by inexperienced people. Welcome to the wonderful world of grown-up operating system land, Linux. You talked the talk for such a long time, but when it finally came down to it, you were just as bad as Windows. Personally, I’m glad to see the Linux zealots have the opportunity to wipe egg from their collective faces. It’s about damn time. And now you all know why the BSD crowd is comprised of arrogant elite users, because we earned our right to use an operating system by learning about it from the inside-out, not from installing it and proclaiming ourselves capable. Here’s to Linux rolling over and dying already. Long Live FreeBSD.
Anyone running a Linux server without the SElinux patches and/or the grsecurity patches should be shoved inside a horse.
And if you are a paranoid desktop/workstation user, like me, you should get those patches and set up your system. The grsecurity patches, in particular contain a security feature called PAX which is considered to be even more secure than the security feature OpenBSD uses by default.
Most default Linux installations are by no means secure. You need to take extra arduous methods to install them. Yeah, like setting up ACLs, MACs in addition to patching GCC with the propolice features, recompiling every package on your system and also patching your Linux kernel with the patches I suggested above.
Oh, and one more thing. Never…ever…use binaries which you haven’t compiled yourself. It’s the first rule in securing Linux. Yes, that means don’t use binary distros.
If you think any system is secure by default, you need to wake up from whatever dream land you have been sleeping in. Security by obscurity doesn’t count either. Any box, that goes for *BSDs and Macs can be cracked.
So mi2g may be saying this to draw publicity? Considering you have to pay nearly 3 pounds for access to their actual publication, that may be right.
Just out of curiosity – how much credence do you put in the veracity of the claims of mi2g Intelligence Unit?
Perhaps – you might look at this background information:
http://www.attrition.org/errata/charlatan/mi2g-history.html
or:
http://www.landfield.com/isn/mail-archive/2002/Nov/0103.html
or:
http://cert.uni-stuttgart.de/archive/isn/2003/09/msg00051.html
or:
http://www.vmyths.com/rant.cfm?id=36&page=4
A simple Google search such as this:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mi2g&btnG=Go…
reveals 13,100 articles/postings/links to information concerning these people.
In some circles they are considered ‘net-kooks’, as their prognostications seem to be quite often off-the-deep-end.
It would be really interesting to see the test cases. Without them, it is very premature to determine the quality of the report and consider the results very seriously. In my opinion if BSD can be more secure so would be the Linux. I don’t want to even talk about security in window$.
Can’t people just face the fact.
Linux might be good and all that, but it’s very similar to Windows 95. Full of holes and need A LOT of time to mature, as in a couple of years.
If you wanna be secure and aim for stability, either you go for Unix which is secure by default or you have to be in that 1% of the Linux user group which REALLY know how to secure a server.
That means less than half of you here….
The majority of Windows worms are passed through e-mail. If you are receiving and opening e-mail (let alone executing attachments) then you deserve what you get.
It seems they counted the number of servers hacked.
But there are not an equal number of servers of each type deployed.
Perhaps more Linux servers hacked means Linux servers are gaining in prominence… while Mac servers are rare.
[I can give you statistics to prove anything in my interest]
Okay I’m really beginning to have second thoughts. I actually went to their website to analyse their reports. But they are telling me I have to purchase it. Now that’s shady.
I love Linux, but I’ll be the first to admit it is lacking in security. When compared to FreeBSD and Solaris, most Linux distros are completely lacking security features. Other OS offer Security Levels, chroots, a myriad of file system permissions, and stress design over features. Linux distros tend to be a jumbled mass of applications loosely glued together. The focus is on providing a service that works, not a service that is secure. However, now that Linux is pretty caught up compared to other OS, I see more and more distros start focusing on getting a well integrated, secure product out. Already, RedHat and Debian are integrating LinuxSE, and other distributions are going to follow shortly. So Linux is getting its act together, but people who say it already is secure are in denial.
> secure by default
(OpenBSD troll?)
There is nothing like “secure by default”. Security is not a one-shot magic you can apply to your server and RIP. Remember, a big deal of security issues lies behind the keyboard…
>> Linux might be good and all that, but it’s very similar
>> to Windows 95. Full of holes and need A LOT of time to
>> mature, as in a couple of years.
what? you obviously never ran linux.
>> If you wanna be secure and aim for stability, either you
>> go for Unix which is secure by default or you have to be
>> in that 1% of the Linux user group which REALLY know how
>> to secure a server.
>> That means less than half of you here….
a looooot of bull… you obviously don’t know what you’re talking about, you’re just posting to post. did YOU ever administer a linux server/machine? are you sure?
With some of the other posters here; there are a lot of sysadmins out there setting up Linux boxes without the knowledge to secure them. Not that this is unique to Linux, but since it is free anyone who cares to download it can install and set it up. It scares me how many distros leave unneeded services running, particularly the ones aimed at new users.
Oh and just in case anyone has the wrong impression; I am not a Linux basher; in fact I administrate Linux, HP-UX OSX and Windows boxen for a living. However that doesn’t stop the fact that no matter how secure the OS if the admin is too damn lazy to apply patches/learn about the OS/take time to secure the system then it is going to be hacked regardless of being Linux, windows or any other OS.
i’m no admin, the only proper admin experience i have is with my desktop which runs debian but when referring to “default setups” and such, isn’t this the distro’s department? since distros vary quite a bit in how they do things, i’d imagine that some distros are more secure than others.
… childish 🙂
amen.
-2501
I believe this is more the result of psychology than anything else.
Everybody knows that Windows is insecure. It is likely that a lot of users patch their systems on a regular basis because of it. Actually we have a policy here at my company which requires every employee to patch his Windows system once a month. It is also very easy to patch Windows using Windows Update. Every idiot can do it.
Linux on the other hand is known to be secure. It is less likely that users will patch their system. And it is usually much more difficult to patch since it involves installing a new kernel or updating a particular package.
Now, this does not say anything about how many holes there are in total. I am quite sure that technically Linux is more secure. But in the end what counts is how many will actually patch their system when a hole is found.
<< It doesn’t sound very thorough. >>
Actually it seems very thorough, just because you don’t like the results doesn’t mean these guys are complete idiots. These guys do a yearly audit of operating Systems and now that their report doesn’t show linux on top, they don’t seem very thorough
<< If there are very few Mac OSx servers out there and a whole lot of Linux servers, how do they determine that Linuxes are ‘more likely’ to be cracked? Apparently, they just looked at very raw numbers. >>
Yes and they do this because Linux is Linux, it doesn’t matter which one you run. If you wish to have a war over which distribution was least attacked email them, I did because like you I was curious about which Linux distribution was the most hacked, I have the answer, now it’s your turn.
<< Also why do they discount worms, etc.? Especially, when recent worms give hackers enough control of a system to retrieve sensitive data and launch DOS attacks, and send truckloads of spam. >>
Because believe it or not with MyDoom there were only 300,000 Windows computers compromised in the world, that is a small number compared to actual Windows deployments and it probably would have been less than that if some Linux zealots had not purposely infected their machines to “join in the fun”. I work as a consultant and none of my clients that deployed Windows were infected with MyDoom and I only had 20 that picked up the Blaster worm, 20 out of 400 Windows deployed customers is not a bad number. People are starting to take security seriously; it’s no longer a joke punchline anymore and it stopped being cute. As for why I think the Linux numbers went up is because Linux zealots and advocates tend to pass the message that Linux users are invulnerable and you can spread that message so much and people start to believe it. I’m sorry, Linux is not invulnerable and it can be hacked. I’m not saying Windows is the best and I’m not saying BSD and OS X Server are the best but it all comes down to Security Maintenance. Servers and PCs are like cars, they have to be maintained. If you let it go and not do regular maintenance then it’s going to come back and bite ya. After all, I have never seen someone who neglects their vehicles to be in top condition all the time, they always wind up on the side of the road or on the back of a Triple A truck eventually.
MacOSX still has less vulnerabilities and viruses. Also with so much hate towards Apple why has no one been able to hack or take down Apple or the iTunes sites? Not high profile enough?
There are also arguments that no one uses or buys Macs so of course they are not hacked. That’s bullshit too. If a hacker wanted to find a server running MacOSX they can find it. Apple did have security in mind when building MacOSX.
It’s simply the truth. Just have a look at the number of vulnerabilities for different operating systems summarized over the last years (i.e. at the SecurityFocus web site).
BSDs and Mac OS X are very secure. It’s just a fact, no trolling.
Of course it’s possible to make any system insecure by misconfiguration – but that’s not the point here [btw. this would mean that Linux users admit they are too stupid to configure their systems – and any Linux user would flame against this conclusion, too]
I wonder how many of you who think your OS is secure have actually tried to “test” that assumption. Hmm? Try to learn some things from the other side of security. It really is too easy with most of the systems out there running Linux (I’m talking minutes easy). The last BSD I can think of as easy to get into as Joe Schmoe’s Linux was BSD/OS…Like 10 years ago. If you’re Joe Schmoe, learn something. And not about administration, but security. Windows has other ways of getting to which aren’t counted in this article, but who cares? It’s irrelevant.
Migration to Open Source can be fool’s gold without adequate training and understanding of the impact that third party applications have on overall safety and security
the only conclusion is that if you are running linux make sure you don’t have idiots behind the wheel. nothing to piss yourselves over
and not including worms makes sense because they are interested in how easy it is to breach a server if someone chooses to attack you and not just accidentally infect a bunch of dimwitted home users running an ftp or so.
Well the exploitability of systems is largely related to the software used. Most software used under Linux is the same as the BSD family. Especially the daemons.
Because many administrators don’t keep themselves too busy with constant maintenance and config-reviews it largely gets down to the default distribution used.
Especially under linux it doesn’t really help that there are so many different distributions. They all have their weaknesses and strongpoints, but not a single one has all good default configurations *and* well documented (from the admin’s standpoint).
I do believe BSD’s (with their main distributions and a few derived) have much better defaults (learned the hard way).
ps. Most people (conveniently?) forget that Linux is only a kernel. The other OSes are complete packaged systems. Not a fair comparison.
Not just BSD distros in and of themselves tho…I’d have to agree with the other poster: BSD’ers are elite =D
I’ve never had a linux box infected with anything just by connecting it to the net. That’s more than I can say for windows…
Well, going just by experience, I can say the Windows defaults are pretty bad. I have a design shop with three computers that used to run Windows (ME and then 2000), and I can tell you that they’ve been hacked 4-5 times *that I know of* by amateurs scanning TCP/IP addresses for insecure systems. By hacked, I mean hackers changing background images, having conversations with each other via text files in C:, and in one instance, renaming the Windows directory for fun.
I once had a friend with Windows 2000 laptop that had 30 worms and trojans on it (no kidding), when she asked me to “fix” it. It was broadcasting her IP address to various IRC channels, and people were hacking it at will each time she booted. You’ll never see *that* on a Linux machine!
Since I switched my own machines to Linux, by the way, it’s been bullet-proof. No matter what these selective statistics say, Windows out of the box is a sieve compared to Linux.
Paul
…and some people have mentioned this, is that the report shows raw numbers and not percentages. I am not only distrustful of these results – I am outright stunned at mi2g’s willingness to interpret and publish meaningless data. I can only think of two reasons why they would publish such numbers: 1) they really don’t know that raw numbers can’t be interpreted, and truly believe their implications correct. 2) They are willingly spreading FUD by using the statistics to lie for them. We have no evidence that mi2g is lying, so it isn’t fair to say it’s #2 for sure. But either #1 or #2 severely damages mi2g’s credibility as a “security firm”, and they may be doing a greater harm to themselves by publishing a report with such a simple statistical confound in it.
The real issue has very little to do with statistics, or an unavailable secret report from a suspicious supposed security firm. The real issue is with users who think their system is secure by default because they use Mac OS X or *BSD. The real issue is with users who take security for granted. The real issue is computer and security illiteracy prevalent among a significant percentage of computer users.
Most of the comments in this comment section frighten me. I have seen mainframes used by well established Corporations hijacked, talk little of *BSD. (Citibank today has the most sophisticated security system in the world today because their mainframe was hijacked by a group of hackers in Russia) I have seen hackers use social engineering to take over proprietary, supposedly secure Unix, talk little of Mac OS X. We are not talking about script kiddies here. We are talking about mafia-like organizations, who spend months/years planning and designing attacks on well established corporations. These guys crack web servers for practice.
They will take over your *BSD, Mac, or Linux box in minutes, forget windows– it is cursed. All they need is your IP address. Except you have taken extraordinary measures to secure your box, it can easily be cracked. And even when you have fortified your box it will only take longer to crack. How often do any of you read your logs? Yeah, I can see the responses coming.
I just want to second Justin’s comments. I’m not a security expert AND I didn’t read the original report but without knowing what daemons/services were running on these boxes it’s pretty damn hard to compare apples to apples. i.e. Were the Linux boxes running wu-ftpd?
For non-production workstations/servers simply using tools like nmap/Nessus and applying patches regularly should tighten your system enough without adversely affecting features and/or ease of use.
Cheers
Suse linux is running freebsd
http://uptime.netcraft.com/up/graph?site=www.suse.com
Or you *could* just use a *firewall*. Linux isn’t “bullet-proof” and a Linux machine used as a workstation should most certainly be operating behind a firewall – just like Windows. So should any UNIX machine used in that fashion, frankly. Ever seen the default vulnerability list for IRIX?
Your Linux boxes may very well have been hacked – you just haven’t noticed.
This is just pure FUD and that’s obvious. But it makes me pissed off because that’s a sort of thing that people usually trust.
The site http://www.suse.com is running Apache/1.3.26 (UnitedLinux) mod_ssl/2.8.10 OpenSSL/0.9.6g on Linux
What?
I wonder if those OSs are even included in this report.
The site http://www.suse.com is running Apache/1.3.26 (UnitedLinux) mod_ssl/2.8.10 OpenSSL/0.9.6g on Linux.
Isn’t that weird…clustered maybe? I also noticed them still using the “UnitedLinux” thing…Whatever happened to that initiative?
Anyway, that’s what netcraft spit back to me…
http://uptime.netcraft.com/up/graph?site=www.suse.com
I just checked the site with the White House and NSA. The first is running Linux, while the latter is running Windows 2000.
http://uptime.netcraft.com/up/graph?site=www.whitehouse.gov
http://uptime.netcraft.com/up/graph?site=www.nsa.gov
No surprise to see BSD up there, these guys have always kept their heads down & quietly got things done, worthy winners!
Amazing how many ways people can find to fuel their denial isn’t it.
Maybe now some of these guys will stop screaming about an OS they apparently don’t use and get their own house in order.
Paul,
You did not get hacked by “hackers”, you got hacked by script kiddies. If you would have gotten hacked by “hackers”, you would still not know it. :->
root,
You’re scary-right on man.
The most intelligent post I’ve seen in years.
… .edu – no wonder.
Still they won’t wake up.
For the alarmed: a knowledge site. Dig?
http://www.searchlores.org/
Righteo folks. I’ve been in the information technology security business since 1972. (Well ok that’s when I was born but it’s convenient to say so). Our site is at me2.com
Actually it isn’t but it will be but it’s ok. It’ll be great and real professional. Very glitzy, you’ll be well impressed.
I can tell you without a doubt that FreeBSD is the most insecure OS out there because it has 2 ‘e’s in the name. In fact there have been forty nine billion attacks on FreeBSD boxes in the last 2 hours alone, each one of them breaking through and turning a small Chinese man’s hair purple.
C’mon people, because they have a website and say they are experts, does not them experts make.
They’ve pulled this rubbish before I believe: Linux is the most insecure because it has had more attacks on it than Windows not even attempting to pro rata the rate to amount of boxes and also conveniently leaving out the worms, trojans, viruses also.
Why do they even bother?
“Everyone is using it, no one really knows how to use it, but it’s really easy to set up by inexperienced people. ”
You know, I just wanted this clip for the irony factor. Remember all those arguments that linux is hard this, and hard that, and not kid tested, mom approved. And now we have the “easy to set up by inexperienced people”. We have arrived.
[Roberto]
<< It doesn’t sound very thorough. >>
Actually it seems very thorough, just because you don’t like the results doesn’t mean these guys are complete idiots. These guys do a yearly audit of operating Systems and now that their report doesn’t show linux on top, they don’t seem very thorough
Alright give, since you’re making the above from the strength of having seen the report (money well spent I hope). I’m all ears.
Maxamoto (IP: —.ph.ph.cox.net) insightfully noted:
“(much like religious zealots convert the stupid and weak-minded)”
How very true! It does remind of the atheistic zealots that mislead the stupid and weak-minded village idiots with their religious misinformation and untruths.
Macworld (UK) that ran one of the pieces covering the operating system security tests and the superiority of the BSD family OSes and Darwin OS (Mac OSX) hosts its site on Microsoft-IIS/5.0
Fascinating. Watch what they do, not what they say.
http://www.macworld.co.uk/
I’ve not ever had one desktop system of mine or server I’ve administrated cracked. Not once, not ever.
In spite of this, I know that linux isn’t the most secure thing out there. I’m always afraid there’s some little “feature” turned on I don’t know about that will lead to a compromised system. Not because it’s linux, I just tend to be paranoid. While Linux distributions in general overall aren’t the most secure out of the box, any competent admin can and should be able to rectify that.
And knowing that linux doesn’t automagically equate security, I still find it hard to believe that its track record is worse than windows. The information here is pretty sparse. I remember that Linux was #1 in security breaches before. Turns out the same holes were counted more than once as the total holes for each separate distribution were added together.
Not to mention all the worms..
Not a flame/troll, I just find this pretty questionable.
<< I’ve never had a linux box infected with anything just by connecting it to the net. That’s more than I can say for windows… >>
Neither have I and I run Windows. Before you go around spreading untruths maybe you should use the product.
Hey, I don’t like linux, but my HP runs on Suse.
Maybe you have enough money to run your own server, with your own fix IP, registered Domain, and have enough time to administrate it.
But there are enough people like me who just rent a little bit of Webspace from a company.
And what OS they use is up to them and not you.
What more is there to say, You don’t like the report results. One thing I will respond to anyway is the money comment you made. In this world nothing is free, you criticize Microsoft for funding studies, well guess what, no one is going to run a benchmark or do a research project for free and the ones that you do find that will do it for free are usually fans of a certain OS anyway so they are biased. People criticize Microsoft and SCO for paying expert witnesses well guess what, they need to get paid for their time. If you find free expert witnesses they usually have skeletons in their closet. It’s a no win scenario, even the “Free as in beer” analogy that a lot of Linux zealots preach is foolish because beer is not free, someone had to pay for and buy the beer to give it to you for free.
Well, I see no one has actually mentioned the linux security initiatives including
Hardened Gentoo http://hardened.gentoo.org
Adamantix http://www.adamantix.org
Immunix http://www.immunix.org
and more….
Russell Coker is also involved with selinux integration in Debian and Fedora/Redhat ES.
Both Coker and Gentoo have an SELinux demo machine with root password given, maybe they could try those 13000 successful linux attacks against those machines.
Numbers, operations, and reasoning can be tricky concepts and sometimes mishandled.
see: http://www.attrition.org/errata/charlatan/mi2g-history.html
I thought MacWorld was a trustable publication, even if intended for the e-artsy/e-fartsy.
Roberto, just by curiosity, have you checked out the links provided by bozo_the_clone? I don’t know about you, but mi2g seems to be somewhat controversial, and not only with regards to Linux.
these guys do a yearly audit of operating Systems and now that their report doesn’t show linux on top, they don’t seem very thorough
Actually, it’s at least the second year in a row that they make this claim.
In any case, you seem pretty quick to accept these facts as solid, despite the various questions that linger about the study’s methodology.
“If there are very few Mac OSx servers out there and a whole lot of Linux servers, how do they determine that Linuxes are ‘more likely’ to be cracked? Apparently, they just looked at very raw numbers.”
Yes and they do this because Linux is Linux, it doesn’t matter which one you run.
I don’t think that was the point. What they’re saying is that if there are twenty times more Linux servers than OS X servers, then it’s only natural that Linux servers should be attacked twenty times more.
Because believe it or not with MyDoom there were only 300,000 Windows computers compromised in the world, that is a small number compared to actual Windows deployments and it probably would have been less than that if some Linux zealots had not purposely infected their machines to “join in the fun”.
It’s unlikely that “Linux zealots” infecting their own machines contributed significantly to the number of MyDoom infections, and for two reasons:
a) If they’re “Linux zealots”, it’s unlikely that their machines run Windows, and therefore they can’t infect them with MyDoom.
b) No matter how zealotous a Linux users, he’s not going to be as dumb to leave a machine infected with a backdoor for Russian spammers connected to the Internet.
There might only have been 300,000 Windows computers infected (sources for this statistic would be nice), but ever since MyDoom hit my spam has about doubled – at home and at work.
As for why I think the Linux numbers went up is because Linux zealots and advocates tend to pass the message that Linux users are invulnerable and you can spread that message so much and people start to believe it.
Roberto, your personal war against so-called “Linux zealots” is becoming a bit old. It’s bordering on obsession and is affecting your credibility. I’ve never heard anyone claim that Linux is “invulnerable.” I have heard people say that Linux is immune to viruses, which is partially true: it is in fact immune to nearly all viruses in the wild. And since malware is the number one computer security issue, both in number of occurrences and damages incurred (far ahead of overt hacking attacks), then it is correct to say that Linux is indeed more secure than Windows.
I’m sorry Linux is not invulnerable and it can be hacked. I’m not saying Windows is the best and I’m not saying BSD and OS X Server are the best but it all comes down to Security Maintenance. Servers and PC’s are like cars, they have to be maintained. If you let it go and not do regular maintenance then it’s going to come back and bite ya.
Well, here I’m all with you. As far as intrusion goes, differences between OSes are less important than a good understanding of security policies. One can make a Windows or Linux or BSD server very hard to hack – or a sitting duck. Fortunately, most recent distros come with the possibility to select higher security settings during installation. Unfortunately, not everyone cares…
“I’ve never had a linux box infected with anything just by connecting it to the net. That’s more than I can say for windows…”
Neither have I and I run Windows. Before you go around spreading untruths maybe you should use the product.
So you’d have no problems connecting an unpatched Windows machine directly to the Internet?
My father did, and he got infected with SoBig. I had to clean up the mess and then give him a basic security course. Now he uses a hardware firewall and updates his anti-Virus definition lists.
Note that I wouldn’t connect an unprotected Linux box directly to the Internet either, but at least I’d be pretty sure that it wouldn’t get infected by malware!
In this world nothing is free, you criticize Microsoft for funding studies, well guess what, no one is going to run a benchmark or do a research project for free and the ones that you do find that will do it for free are usually fans of a certain OS anyway so they are biased. People criticize Microsoft and SCO for paying expert witnesses well guess what, they need to get paid for their time.
It seems as if you are defending the concept of biased reports by researchers-for-hire. Doesn’t the concept of integrity count anymore? The way you describe it, it’s impossible to get an honest opinion.
Fine. It still doesn’t mean that we should take Microsoft’s studies seriously – because they’re never going to say anything MS doesn’t want them to say. If MS pays for a study, either it’s going to pick a friendly (i.e. easily-bought) researcher to get the figures it wants, or it’s only going to show the parts of the studies that support its interests, or else it’s just not going to publish the study at all. Knowing that this is how it works, can’t we just agree that, by definition, a study paid for a company on its competition will be worthless?
and it probably would have been less than that if some Linux zealots had not purposely infected their machines to “join in the fun”.
————
Dude. That claim is way into “tinfoil hat” territory.
And where the hell are these Linux zealots claiming “Linux is teh invulnerableness?” Robert, it is not good argumentative style to keep referring to the claims of people who aren’t actually involved in the current discussion.
Apparently the breaches are specifically webserver breaches. The article does not disclose that. The article also does not disclose how many of each system they surveyed. This skews the information terribly. When a majority of the web is run on Apache/*nix it is quite obvious that Windows would not rank very high in number of breaches. Linux by far outpaces any of the other operating systems surveyed in the webserver market. The results therefore show nothing. Put into perspective they can be of some value, but unfortunately they are not.
“What more is there to say, You don’t like the report results”
In a black and white world maybe. However if you’ve been reading both the article and the comments posted? I have serious doubts (skeptical). How you got from the fuzzy (questionable) to the hard (“don’t like”) is beyond me.
I think “A nun, he moos” nailed it pretty much. If you’re going to use words like “Actually it seems very thorough” in light of everything posted so far, then it’s quite fair to assume (dangerous that) that you have a source that we don’t have. Most likely the “unseen portion” of the study. I gave you an opportunity to enlighten the community and show why this study is “thorough”.
“I love Linux, but I’ll be the first to admit it is lacking in security. When compared to FreeBSD and Solaris, most Linux distro’s are completely lacking security features.”
Please define which security features.
Also is the Linux distribution I’m using counted as the same as a different one? What about Linux being just a kernel? Does the security of my Linux computer correlate with that of another Linux distribution whose developers decided to include a FTP server which I know is not well written? Compared with *BSD there’s not a hell of a lot installed on *BSD. Is the fact my Linux distribution DOES NOT enable all kinds of servers by default correlated with the security of a Linux distribution who chose to? Most FLOSS programs which run on Linux run on a BSD too. If one is insecure, the other one is so too.
When comparing kernels the last year there were 4 local vulnerabilities in the Linux kernel. There were _at least_ 4 in Free- and NetBSD too.
Oh, and yes, imo 4 is a damn lot…
“It’s simply the truth. Just have a look at the number of vulnerabilities for different operating systems summarized over the last years (i.e. at the SecurityFocus web site).”
If it’s so simple you can enlighten us easily with your sources, right?
I’m looking forward to smash all claims “mooftpd” [which is multiplatform] vulnerable to remote compromise to /dev/null. So what will it be. Kernel? Woah, I already investigated that and will happily link to my earlier analysis on OSnews (don’t have time now, gtg to Fosdem). Userland utilities? Well please point it out then with sources!
It is incredible how on this site discussions are being held with wild assertions which are highly doubtable and further COMPLETELY not backed up with any analysis, sources, url’s. Plain sickening.
Are one of the last people you should ever listen to about security. In fact this OSNEWS thread probably contains more security info than they have knowledge of.
>It’s unlikely that “Linux zealots” infecting their own machines contributed significantly to the number of MyDoom infections
Well, “Linux zealots” either can’t or don’t want to manage their Windows desktops forced on them by their boss, manager, teacher or parent.
>b) No matter how zealotous a Linux users, he’s not going to be as dumb to leave a machine infected with a backdoor
So, any given Linux user has intellectual superiority to any given Windows user. Wow! That is very objective.
Now, how could you explain Linux user rootkited, or default standard Linux installation connected to the Internet hacked in 45 seconds? Yes, the year was 1999, but we are only told about it today, so wait 4 years to learn the state of Linux in 2004.
>for Russian spammers connected to the Internet.
He-he. How many Russian friends do YOU have to make that statement? Overzealous a little, aren’t we?
>I’ve never heard anyone claim that Linux is “invulnerable.”
I did. Many times. It went to the point of a person writing an article “Linux has bugs. Get over it.” Search in Google for that title and you should be able to find it.
The title itself says it all.
>I have heard people say that Linux is immune to viruses, which is partially true: it is in fact immune to nearly all viruses in the wild.
It is immune to all Windows viruses, that’s true. MyDoom could be written for Linux: it does not use any Windows vulnerability. It tricks user to save email attachment on disk and execute it from disk- sure can be done in Linux.
>And since malware is the number one computer security issue, both in number of occurrences and damages incurred (far ahead of overt hacking attacks), then it is correct to say that Linux is indeed more secure than Windows.
That would be true if number of home users running Linux would be equal to Windows users, and if Linux users were all superior intellectuals for the simple fact they embraced Linux.
Right now most Linux-es are running as servers by people who know better than save email attachment on disk and run it from the disk. Wait until Linux makes significant gains on desktop.
Until then- comparisons like in that article are correct, because they compare hacked servers that are served by professionals and people who call themselves professionals.
By the way, Linux is mostly managed by former UNIX admins, not Windows admins.
>Well, here I’m all with you. As far as intrusion goes, differences between OSes are less important than a good understanding of security policies.
I am with all of you too on that. It is great to see Linux mature to the level where it is enough Linux servers to make meaningful research and come with numbers showing that OS does not matter that much: standard security policies do.
It is great improvement from “Linux- the solution for every problem” which was prevalent in 1999-2001.
“Well, “Linux zealots” either can’t or don’t want to manage their Windows desktops forced on them by their boss, manager, teacher or parent.”
Taking a guided tour in the “Tin-foil-land” or what? Obviously I can’t put a number on those individuals who take such measures to get rid of windows, but then on the other hand you can’t either. But I’d bet that, if they indeed exist, they are few. Sounds INCREDIBLY far fetched.
“So, any given Linux user has intellectual superiority to any given Windows user.”
Of course! The user has just showed him/herself a human being, not a sheep, by making a pre-meditated choice, rather than to “go with the flow”. 🙂
“Now, how could you explain Linux user rootkited, or default standard Linux installation connected to the Internet hacked in 45 seconds? Yes, the year was 1999, but we are only told about it today, so wait 4 years to learn the state of Linux in 2004.”
That’s just FUD. No facts, no specifics, just a dire forecast.. Useless. AND as I have pointed out before but a lot of windows users refuse to grasp, there is no operating system called “Linux”. It’s the bloody kernel. I’m sure you know but the point is that it’s a big difference between different distributions. If you could hack a redhat in 1999 in 45 sec, I’d guess a correctly configured SELinux of today would give you food for thought some more time. Note: I do NOT claim that it’s impossible, but I believe it’s a harder nut than windows, unless it’s operated by someone gullible.
“He-he. How many Russian friends do YOU have to make that statement? Overzealous a little, aren’t we?”
Well, make it just spammers, and I opt in on the description.
“I did. Many times.”
Then my friend, it’s your mistake. Don’t put your words in other peoples mouths. (That’s gross!)
“MyDoom could be written for Linux: it does not use any Windows vulnerability. It tricks user to save email attachment on disk and execute it from disk- sure can be done in Linux.”
But success is not as guaranteed as in windows. I could run the “wrong” version of the kernel, or the program you are relying on may not be running, or even on the computer!
“I am with all of you too on that. It is great to see Linux mature to the level where it is enough Linux servers to make meaningful research and come with numbers showing that OS does not matter that much: standard security policies do.”
Right on spot, old chap. That, however, does not change the fact that a lot of distros are more secure than you are implying, and that you have to be ignorant/careless to descend into the abyss of windows.
To sum it up, as I have stated earlier, nothing has ever happened to any linux box I’ve connected unshielded to the net for any reason. When I accidentally did the same to a freshly installed windows (didn’t know it was fresh..), I got blasted during boot-up!
Another slightly amusing anecdote is a friend of mine who had to deactivate his firewall. He figured he’d be safe if he pulled the plug on the net before he did so. So he pulls the plug, and deactivates ZA. Guess what? Why, Blaster of course!
So from my point of view there isn’t any debate. I’ve personally got hit once in 10 years, and that was on windows, in a way that would have been hard to pull off in another os.
So, forgive me if I’m hard to convince.
I wouldn’t believe anything from mi2g but.. they have a point.
>With some of the other posters here; there are a lot of sysadmins out there setting up Linux boxes without the knowledge to secure them. Not that this is unique to Linux, but since it is free anyone who cares to download it can install and set it up. It scares me how many distros leave unneeded services running, particularly the ones aimed at new users.
Yep, you hit the nail on the head. I’ve been trying to get distros to keep services disabled upon install for a long time. So far Gentoo is the only one that does this that I know of.
The Linux community REALLY doesn’t want the Windows 2003 “it works by default” stigma.
If you want to know more about the company that published the review, check this link: http://www.attrition.org/errata/charlatan/mi2g-history.html
Well, “Linux zealots” either can’t or don’t want to manage their Windows desktops forced on them by their boss, manager, teacher or parent.
Huh? What does this have to do with anything? I’m a Linux enthusiast – enough for anti-Linux advocates to call me a zealot – and I wouldn’t dream of putting a virus on my Windows station at work! What you’re suggesting is so far-fetched as to not in any statistically meaningful way.
BTW, I do have a Windows computer on my LAN at home. And yes, it is up-to-date. I can’t see any reasons why I’d infect it with MyDoom.
As I have said even though I primarily use Linux, MyDoom has affected me through the amount of spam I receive, which has doubled. No matter what even the most die-hard Linux fans think, no one likes spam, or the Internet slowing down. There is no real motivation for Linux users to spread MyDoom and variants, therefore I agree with others here that it’s just unjustified paranoia.
So, any given Linux user has intellectual superiority to any given Windows user. Wow! That is very objective.
That’s not what I said. A little intellectual honesty, please! I said that no Linux user is going to knowingly keep a backdoor-infected computer connected to the Internet. From there you assumed that I also meant that Windows users would, but that’s not the case. Let me rephrase it: no reasonable user, whatever OS they use, is going to keep a backdoor-infected machine connected to the Internet.
Don’t jump so quickly to conclusions: it only makes you appear as if you’re looking for a flamewar.
Now, how could you explain Linux user rootkited, or default standard Linux installation connected to the Internet hacked in 45 seconds?
Sources, please?
He-he. How many Russian friends do YOU have to make that statement? Overzealous a little, aren’t we?
Most security experts now agree that MyDoom was probably the product of spammers related to criminal Russian gangs. The numbers of Russian friends I may or may not have is completely irrelevant.
I did. Many times. It went to the point of a person writing an article “Linux has bugs. Get over it.” Search in Google for that title and you should be able to find it.
Well, to my recollection I haven’t heard anyone say that Linux is invulnerable – and certainly not in OSNews comments sections. This is not a prevalent view among Linux users – although it is virtually invulnerable to malware (I’m talking about viruses, worms and trojans that actually exist, not “malware that could exist” – let’s not cloud this issue about what could be, and rather stay focused on what is).
That would be true if number of home users running Linux would be equal to Windows users, and if Linux users were all superior intellectuals for the simple fact they embraced Linux.
Again, bad argument. The fact is that malware is a serious security problem, more serious than overt attacks in number of occurrences and damages. Linux is not affected by malware. Ergo, Linux is more secure. It has nothing to do with Linux users’ intellectual superiority. Stop flogging this dead horse.
Right now most Linux-es are running as servers by people who know better than save email attachment on disk and run it from the disk.
It’s not only that. In Windows, I can infect my system even though I am not opening attachments with Administrator privileges. This is a really bad thing from a security point of view.
Until then- comparisons like in that article are correct, because they compare hacked servers that are served by professionals and people who call themselves professionals.
Okay, same question as for Roberto: have you read the study? How do you know what type of servers they surveyed? What do you know about the study’s methodology. Like many others, you automatically take the study’s result at face value, because you agree with them in the first place! Personally, I feel that there are too many questions left unanswered for these statistics to be useful. I’m sorry, but I smell MS-sponsored FUD.
In any case, at least we agree that the most important element of computer security is the administrator setting it up, not the actual OS used. Which is another reason why such a study is useless.
“To sum it up, as I have stated earlier, nothing has ever happened to any linux box I’ve connected unshielded to the net for any reason. When I accidentally did the same to a freshly installed windows (didn’t know it was fresh..), I got blasted during boot-up! ”
I’m sure you get blasted the moment you select windows in your bootmanager
The next time you try such a stupid thing, at least erase everything except TCP/IP from your net-preferences.
<quote>Fine. It still doesn’t mean that we should take Microsoft’s studies seriously – because they’re never going to say anything MS doesn’t want them to say. If MS pays for a study, either it’s going to pick a friendly (i.e. easily-bought) researcher to get the figures it wants, or it’s only going to show the parts of the studies that support its interests, or else it’s just not going to publish the study at all. Knowing that this is how it works, can’t we just agree that, by definition, a study paid for a company on its competition will be worthless?</quote>
Very enlightened statement, Though I do hope we can still agree next time IBM does a Win V Linux comparison.
We all do stupid things all the time.
I neither said I *left* those computers unprotected, nor that I wasn’t aware of the risks. Sometimes safety is just more hassle than it’s worth, in my opinion. Stupid? I guess anyone is entitled to an opinion, but calling someone stupid with so little information is, I think, jumping the gun.
Perhaps I was unclear. It wasn’t me who rigged the box, it came from somewhere more protected (behind firewall). I was just the person who pressed “POWER ON”. Yeah. Really dumb move. I knew there was windows on it. :-
Or did your sore ego just ache with happiness to find someone to call names?
If I got you all wrong, my apologies, and for the record, I fully agree that booting up an unpatched, unprotected windows box, connected to anything even remotely dangerous, is a highly dubious practice.
>BTW, I do have a Windows computer on my LAN at home. And yes, it is up-to-date. I can’t see any reasons why I’d infect it with MyDoom.
Thank you for proving my point that it is not Windows inherent fault gets it to virus infection- users who don’t know how to manage *any* OS get infected. Users who do- stay not infected.
>Let me rephrase it: no reasonable user, whatever OS they use, is going to keep a backdoor-infected machine connected to the Internet.
Excellent. Next time be specific at the beginning, because when you compare Linux to Windows and then say “no Linux user is going to” it is hard to be sure if you meant “no Linux AND Windows user is going to” or not.:)
>Well, to my recollection I haven’t heard anyone say that Linux is invulnerable – and certainly not in OSNews comments sections.
Well, you can hear it from people saying that “Every Linux user intellectually superior because the user has just showed him/herself a human being, not a sheep, by making a pre-meditated choice, rather than to “go with the flow””
Once again, if everyone were sober and not high on Linux, what would be the point of very controversial article named “Linux has bugs. Get over it.”- which resulted in a heated discussion if it is the truth and valid statement.
How about “BeOS has bugs. Get over it”- sounds silly, is not it?
>The fact is that malware is a serious security problem, more serious than overt attacks in number of occurrences and damages. Linux is not affected by malware. Ergo, Linux is more secure.
The fact is that malware targets home users who are not very computer advanced. Linux is not (yet) very popular among home users. Ergo, Linux is more secure.
It is your logic, after all! See the flaw in it now?
>Okay, same question as for Roberto: have you read the study?
How about you?
>Like many others, you automatically take the study’s result at face value, because you agree with them in the first place!
Like many other Linux supporters, you automatically discount the study’s result, because you do not agree with them in the first place!
How do you like that assessment?
Yes, you like Linux and you can manage to stay malware-free on Windows without any outstanding efforts, just like me. Surprisingly, we both draw different conclusions from our experience. Quite opposite conclusions, I must say.
This is stupid. Why is this becoming a Linux vs Windows thread? Another good subject turned into an OS war.. Some of you obviously don’t care about Linux security in its own right, or have the slightest clue about hacking since these kind of arguments are going on.
I keep reading malware this, virus that — But that isn’t what the article is about. This is not about malicious programs (most of which require assistance), it’s about hackers gaining entrance into a system. And since there are Linux vulnerabilities, what is the point in whether it’s better than _______? That doesn’t take away from the fact that you can be f*cked! Sheesh
When talking about security, what is the point if it’s worse or better than Windows?
Excellent. Next time be specific at the beginning, because when you compare Linux to Windows and then say “no Linux user is going to” it is hard to be sure if you meant “no Linux AND Windows user is going to” or not.:)
Actually you quote him as saying “No matter how zealotous a Linux users, he’s not going to be as dumb to leave a machine infected with a backdoor”. It is obvious to ANYONE reading that quote that he is saying despite the zeal of some Linux users they are not going to leave a machine infected with a backdoor on the internet. YOU assumed and YOU were wrong.
Well, you can hear it from people saying that “Every Linux user intellectually superior because the user has just showed him/herself a human being, not a sheep, by making a pre-meditated choice, rather than to “go with the flow””
It’s rather telling that you left out the “:-)” at the end of that statement.
Like many other Linux supporters, you automatically discount the study’s result, because you do not agree with them in the first place!
How do you like that assessment?
That’s a terrible assessment. He did not discount the study because he is a Linux supporter but because they do not provide adequate information. I thought that was quite clear. There are no statistics at all, only raw numbers. You tell me how that is useful?
“If it’s so simple you can enlighten us easily with your sources, right? ”
It would take at least a whole article to prove this thoroughly. At http://www.securityfocus.com/bid/title/ it’s possible to get a quick impression by counting and comparing vulnerabilities for “kernel”, “FreeBSD”, “OpenBSD” …
i.e. you can easily count the last 50 Linux kernel vulnerabilities since May 2001. In the same timespan there were about 63 vulnerabilities for the whole OpenBSD OS and 76 for the whole FreeBSD. If you add the common vulnerabilities for sendmail, apache,… (this is already included in the OpenBSD summary!) there are far more vulnerabilities for all common Linux distros than for FreeBSD/OpenBSD…
Furthermore the proactive security approach from OpenBSD (W^X, ProPolice…) makes stack overflows less dangerous than on other operating systems and many daemons run in a chroot environment, too…
Like I said before – it’s always possible to make a system insecure by misconfiguration or by using the wrong apps. And I know my numbers aren’t 100% water proof (different kernel versions, remote/local vulnerabilities, severity of a vulnerability…) – anyway – I think the tendency is clear.
@Gonzo: thanks for the link
And now the interesting part:
How do 50 vulnerabilities for linux, or ~70 for the *BSDs compare to 3 for OpenVMS (since 1999-06-01, none of the 3 is remotely)?
@Never Mind:
I hope you didn’t get too upset because of my bad English.
At least we agree that booting an unchecked system, with a connection to the net, is (2nd try ) not the wisest thing you can do.
Very enlightened statement, Though I do hope we can still agree next time IBM does a Win V Linux comparison.
Sure. I don’t expect IBM to be totally objective either. The difference is that IBM has no monopoly to lose, and doesn’t own Linux. The stakes aren’t as high for IBM; yes, Linux can make them a lot of money, but they can survive without it. MS, on the other hand, cannot survive without Windows, and losing monopoly status would mean big trouble for its business model.
You’ll also notice that IBM doesn’t sponsor a lot of Windows vs. Linux studies. Rather than indulge in negative publicity, it prefers to concentrate on the strengths of Linux.
Thank you for proving my point that it is not Windows inherent fault gets it to virus infection- users who don’t know how to manage *any* OS get infected.
Uh, that wasn’t the point. In fact, there are some inherent security flaws in some MS setup. IE and MS Outlook are security liabilities in a lot of computers.
Also, one should not underestimate the impact of piracy here: a lot of people have bootleg versions of Windows. Unless I’m mistaken, these people can’t just upgrade to the latest service pack, can they? (I wouldn’t know, my copies of Windows are all paid for, but I doubt you can use Windows Update with a pirated copy).
Excellent. Next time be specific at the beginning, because when you compare Linux to Windows and then say “no Linux user is going to” it is hard to be sure if you meant “no Linux AND Windows user is going to” or not.
I suggest that you simply avoid jumping to conclusions instead. My initial statement is still valid – if you felt attacked, that’s your problem.
Well, you can hear it from people saying that “Every Linux user intellectually superior because the user has just showed him/herself a human being, not a sheep, by making a pre-meditated choice, rather than to “go with the flow””
Ahem. This is not the equivalent of saying that “Linux is invulnerable”. Again, you seem to read too much into what other people say.
We’re being quite specific here – try not to lose focus. The point was whether Linux advocates claim that Linux is invulnerable. Not more secure, but invulnerable, i.e. immune to all attacks. Again, I’ve never heard anyone claim this.
Once again, if everyone were sober and not high on Linux, what would be the point of very controversial article named “Linux has bugs. Get over it.”
Of course Linux has bugs. All software has bugs. Believe me, working for a game developer, I know this! And since we can’t issue patches for PS2/Xbox/Gamecube games, we can’t have any bugs in our software. And yet it still happens (though rarely major ones).
The point here is that a lot of people (MS above all) will try to use any problems with Linux as arguments against its adoption – willfully ignoring the similar (and sometimes worse) flaws in its own product. So it’s important to put these kind of biased studies in their proper context.
The fact is that malware targets home users who are not very computer advanced. Linux is not (yet) very popular among home users. Ergo, Linux is more secure.
It is your logic, after all! See the flaw in it now?
Malware targets systems that are not properly protected. A new worm or virus, exploiting a previously-unknown bug, can cause a lot of damage, even with experienced computer users. SoBig and Slammer are good examples. These caused a lot of damage, and among servers as well, not only home users.
Linux is quite popular as a server, with about one-third to one-half of MS’s market share. And yet Linux servers are unaffected by malware. Again, this shows that Linux is indeed more secure with regards to malware. There is no flaw in this argument!
Another thing to consider: if the “proportional use” argument held true, then Linux viruses would be about 1/40th of the number of Windows viruses (90% vs. 2.5%). As it is, the ratio is a lot closer to 2000:1. As it is, the “proportional use” argument doesn’t work here.
How about you? […] Like many other Linux supporters, you automatically discount the study’s result, because you do not agree with them in the first place!
How do you like that assessment?
I haven’t read the study, but I don’t need to read it to figure out that the methodology seems deficient, nor do I need to read it to know that mi2g is a controversial study group who has greatly exaggerated their credentials. That’s enough for me to doubt the validity of the study.
We have a bunch of absolute numbers, but we don’t know what these numbers represent in comparison with total numbers of overt attacks, with total numbers of servers, with the type of server surveyed (Web servers being more likely to be attacked than, say print servers and so on).
Finally, the fact that they don’t include malware in their study yet claim that Linux is less “secure” indicates that there is a not-so-hidden agenda here.
Yes, you like Linux and you can manage to stay malware-free on Windows without any outstanding efforts, just like me. Surprisingly, we both draw different conclusions from our experience. Quite opposite conclusions, I must say.
Well, it’s not clear what your conclusions are. Here’s mine: there is not sufficient data to show that mi2g’s study is accurate or not (and the burden of proof is on them, since they are making the assertion). Furthermore, one cannot gauge computer security on overt attacks alone, when in fact security problems caused by malware are much more important. With this in mind, it seems highly dubious to claim that Windows is more secure than Linux, and in fact the whole thing smells as if it’s part of the current MS-sponsored FUD offensive against Linux and OSS in general.
“If you wanna be secure and aim for stability, either you go for Unix which is secure by default or you have to be in that 1% of the Linux user group which REALLY know how to secure a server.”
Unfortunately, you have to be in that group if you go for Unix as well. Most commercial Unixes are just as full of holes as Linux. If you belong to that group, an open source system would probably be better, as it will give you more options to fix things.
In fact most currently available OSes are insecure in their default state. Somehow OS developers don’t seem to live in the internet age.
So far only Microsoft seems to have a clue. They address security on a theoretical level by adopting TCPA. But unfortunately TCPA has serious flaws. Firstly, what’s the use of a secure computer if it doesn’t let even the owner in? Secondly, if we rely on some cryptography key not being compromised, according to Murphy, we can be sure it will.
But one thing is clear, so far Linux and other Unixlike systems have relied on the fact that it is much easier to find bugs in small programs with a well defined purpose than in large chunks of code that you often find in Microsoft land.
To be really secure we need some kind of theory on how to maintain security. The fact that Linux/Unix have been much more secure than Windows in the past is more a result of bad programming at Microsoft than a valid security model in the Unix world.
Now Microsoft will use TCPA to cover up all their programming flaws in the hope that users will accept not having access to their hardware if they just could get rid of all those viruses and worms Windows users have been plagued with for a long time.
So what’s needed is a theoretical framework for security in the Unix world. We need OSes that can detect and prevent buffer overflows, and if they occur anyway, we need to limit the effects of attack. The inclusion of the NSA SELinux patches in Linux 2.6 kernel is a step in the right direction, but it needs a wider application support.
This is the SECOND study to come out showing Linux as the top insecure operating system on the Internet. GNU was hacked twice, and Debian, GNOME, and Gentoo were all hacked–all within the span of six months.
Read it and weep, boys. It’s all up to the admin. Linux is not the magic security solution…though it’s hilarious to read close to a 100 comments of people in denial, dancing circles around the data with anecdotal justifications, essentially putting their fingers in their ears and chanting, “Lalalalalalala…”
AFAIK, the Savannah, Gentoo, and Debian servers all got compromised because of the _same_ unknown local root exploit in the Linux kernel, after logging in using a sniffed password.
see http://www.debian.org/News/2003/20031202 for more details and references.
I don’t know the details of the GNOME story.
Nobody said Linux is the magic security solution, and no, it’s not all up to the admin. A properly secured OS, while being _very_ far from sufficient, is better than one with no security policy. You need both: OS, and man.
As to the article, I’m afraid that absolute numbers have no meaning.
As to the rest of the thread, I would like to thank A nun, he moos for his calm & clear headed answers amidst this fairly ridiculous little war.
I agree, A nun, he moos is calm and clear headed. So are you, lordofthemoose.
//I said that no Linux user is going to knowingly keep a backdoor-infected computer connected to the Internet//
Really? Even all those grandmas out there, whose Penguinsta grandsons installed Linux on their machines? Yah, I’m sure they’re all about keeping things patched. I’d say MANY Linux desktop users are just as clueless as Windows desktop users
Talk about blanket statements.
This will probably be modded down by the OSNazis
And just check my previous post! You will see what is the background of these “security experts”. http://www.osnews.com/comment.php?news_id=6098&offset=75&rows=90#20…
//I said that no Linux user is going to knowingly keep a backdoor-infected computer connected to the Internet//
Really? Even all those grandmas out there, whose Penguinsta grandsons installed Linux on their machines? Yah, I’m sure they’re all about keeping things patched. I’d say MANY Linux desktop users are just as clueless as Windows desktop users
What part of “knowingly” did you not understand? 🙂
Also: Linux machines cannot get infected with MyDoom, so they cannot have the MyDoom backdoor (this was the original point). So even if the “penguinistas” (I love that name!) would install Linux on their grandmas’ computer, they’d still be fine.
Talk about blanket statements.
Please read before you criticize. Thank you.