Windows vs. Linux Security, Once More
TAGmclaren writes "The Register is running a very interesting article about Microsoft and Linux security. From the article: 'until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.' The full report is available here in HTML form, and here in PDF. Although the article does make mention of OS X, it would have been nice if the 'other' OS had been included in the detailed analysis for comparison."
HTML and PDF? (Score:5, Funny)
Re:HTML and PDF? (Score:5, Funny)
> What, no macro virus-infected Word file?
Yeah, I don't know why the Register is using that dangerous HTML stuff!!
From the article (MS description of Windows Server 2003):
"Security level for the Internet zone is set to High. This setting
disables scripts, ActiveX controls, Microsoft Java Virtual Machine
(MSJVM), HTML content, and file downloads."
There are a lot of cynics and sneerers on Slashdot who say that
Microsoft and their "Trustworthy Computing Initiative"®
is a lot of hot air and BS. But how many of you with your Linux boxes are
running a browser that renders that dangerous HTML stuff, eh?!
Hats off to MS for shipping a system that can't render HTML is what I say!
If they carry on in the same vein, we can extrapolate that Longhorn
will in fact ship without a TCP/IP stack. Watch the script
kiddies try and break into that!
Microsoft is showing the world how to innovate and move forward as
ever...by....going backwards......errr, wait a minute....
Anyway, I just hope that the "Microsoft Crippled Software and
Environment"® (MCSE) initiative makes more headway and shows you
filthy hippies/commies how things are done in the Real World!
Re:Message to the moderators... (Score:5, Funny)
In
Misleading article (Score:5, Insightful)
Re:Misleading article (Score:2, Insightful)
Re:Misleading article (Score:4, Funny)
*evil grin*
No (Score:5, Insightful)
Now you are right if you want to remind readers to keep that in mind, but dismissing an article not on the base of its merits, but because the author is supposedly biased (mind, you didn't show or prove in any way that he was actually biased, you just wanted us to take it for granted) is a logical fallacy.
If you don't like the findings of the article, please tell us why, simply accusing the author of bias won't change the facts, sorry.
Argumentum ad Hominem
"Circumstantial: A Circumstantial Ad Hominem is one in which some irrelevant personal circumstance surrounding the opponent is offered as evidence against the opponent's position. This fallacy is often introduced by phrases such as: "Of course, that's what you'd expect him to say." The fallacy claims that the only reason why he argues as he does is because of personal circumstances, such as standing to gain from the argument's acceptance."
http://www.fallacyfiles.org/adhomin
Re:Why the article is FUD (Score:3, Interesting)
Re:No (Score:5, Insightful)
His point is that Apache is the "most popular" (which it is), and is less likely to be attacked. This argument was in response to the idea that Windows is not more vulnerable, simply the most prevalent. His counter example of Apache was used to point out that popularity does not directly lead to more attacks.
Thus it does not follow that as Linux grows in popularity that the number of successful attacks will increase disproportionally.
Re:Ah, but the lack of factual data is the problem (Score:3, Informative)
The problem is everything else added on top of the kernel, and the fact that graphics drivers have been integrated with the kernel instead of separated out. Though XP has made progress by moving sound drivers out of the kernel -- in contrast to Linux which has sound drivers in the kernel, and graphics drivers in userland (with two notable exceptions -- Nvidia and Ati's 3d drivers).
Eve
Re:Misleading article (Score:3, Interesting)
Secondly, if you read the article at all you would see that Petreley bends over backwards to state that his methodology is one way of doing things and others may be used.
Thirdly, since the point of the comparison was to determine the truth of a broad statement such as "X is more/less vulnerable than Y" it is reasonable to look at the data the way he described.
Lastly, an unstated goal of the paper was to determine if Microsoft's statements regarding Wind
I'd rather see (Score:5, Insightful)
Re:I'd rather see (Score:4, Insightful)
I know of no one brave enough to put a Windows server DIRECTLY on the internet; Microsoft even strongly suggests that a firewall exist between the server and the net.
Yet with the right configuration a Linux or BSD box is as safe as that admin can make it.
Re:I'd rather see (Score:5, Insightful)
It's the amount of work needed to keep it updated that means I'd never want to do it.
Re:I'd rather see (Score:5, Informative)
I think (correct me if I'm wrong) they fixed this in Windows XP SP2. The software firewall comes up first, then the network interfaces. If the firewall tries to start and fails, the network interfaces won't start either.
Re:I'd rather see (Score:5, Funny)
Article Summary: (Score:2, Troll)
What I Would Like to See (Score:4, Interesting)
FOSS advocates often whine about MS insecurity, whereas MS advocates often claim MS only gets more break-ins because it's used more. The MS folks are probably not right in the Apache vs IIS case, but what about other cases? Is FOSS really more secure?
Unfortunately, I cannot think of any good way to measure this. Perhaps a little brainstorm on
Re:What I Would Like to See (Score:2)
The only way to really measure relative security is by the number and severi
Re:What I Would Like to See (Score:5, Informative)
He did use the Apache case as a counter-example, because that's one of the few cases where MS and Libre software compete, and Libre is the larger target. In that case, the smaller target comes out looking more vulnerable. Is there something special about Apache which makes you think that it wouldn't work that way for other Libre projects? If you know something we don't, by all means share it.
Oddly enough, Petreley covered that question, too [theregister.co.uk].
What you would need: (Score:5, Interesting)
Now, take a recent Linux box (the distro doesn't matter) and apply all official patches and upgrades, as released by the distro and the various package maintainers.
Each machine must have directly comparable software installed. Where possible, this should actually be the same software. You don't want to have too many variables in this. You're going to have some, but by keeping things uniform, you should be able to keep things sane. The other thing is that you want SOME closed-source software on Linux and SOME open-source software on Windows.
Before we do the tests, we need some diagnostics software on the machines. Memory bounds checkers, system load monitors, host intrusion detection software, etc. This will tell us what impacts we are having, beyond simply seeing if the servers and/or OS fall over or not.
At this point, we get to the tests themselves. Throw absolutely everything you can at the computers. Use every vulnerability scanner on the planet, every worm or trojan you can locate, use stress-testers, etc. Find DoS and DDoS packages, if any have been openly released.
Now we have some actual data, based on comparable usage and comparable attacks. The data will show that the different OS' respond differently to different attacks. (Surprise there, Sherlock!) We now need to determine which of the remaining variables are important.
The remaining variables are "underlying flaws within the OS", "inherent flaws, due to errors in the design methodology itself" and "unequal reporting of equal errors".
What you want to do then is a four-way analysis of variance. The first of the three components is the different vulnerabilities found within the different applications. The second way is looking at the variation between the different vulnerabilities within the OS' themselves. The third way is the variation of bugs reported for any given application, OS or combination, vs. what actually gets reported by groups such as CERT. The fourth way would be the difference in licensing policy.
The NULL Hypothesis for the applications is that all applications will have roughly the same number of vulnerabilities, regardless of what they do, what they're written for, the philosophy of the programmer, and the company producing the software.
It's doubtful you'd find enough applications, and enough vulnerabilities in each, to split the study in sufficient ways to cover all these points. However, it should be possible to collect enough to do a statistically meaningful study on a few of them.
The problem with AOVs is that you've got to have a lot of data, and that the amount of data you need increases very rapidly. You do get plenty of idiots out there who ignore the confidence level and even the methods of the study, looking for any slight comment that proves whatever they're wanting to say. Other times, even nominally sane people will do this, because they want/need the results too fast or too cheaply to do the work properly.
Let's say, for example, that the number of vulnerabilities found within the applications, when studying the variance between them, is pretty random. There's no discernible pattern. Let's also say that there's no significant variance found between FOSS and Closed Source. Then, let's say that we're in the 1% confidence level for both of these, which means that this will likely hold true 99% of the time.
We could then conclude that Closed Source vs. Open Source is purely a matter of personal choice. The net difference simply isn't significant to warrant going for one and ignoring the other.
Continuing with this fictional scenario, let's say that Linux and Windows show a VERY significant level of variance. We know, at this point, that it's not the Closed vs. Open nature,
biased? (Score:2, Interesting)
Windows has only recently evolved from a single-user design to a multi-user model
Windows is Monolithic by Design, not Modular
Windows Depends Too Heavily on the RPC model
Windows focuses on its familiar graphical desktop interface
Linux Design
Linux is based on a long history of well fleshed-out multi-user design
Linux is Modular by Design, not Monolithic
Linux is Not Constrained by an RPC Model
Linux servers are ideal for headless non-local administration
Oh yeah, that's unbiased.
Re:biased? (Score:5, Interesting)
1) Windows is not monolithic. If you or the authors of this report knew anything about OS design, you'd know this to be true.
2) They completely forget (or choose to ignore) that Windows was multiuser starting with NT. 2000 was multiuser as well. To say that XP is the first real multiuser Windows is completely false. And they use fast user switching to imply that Windows still isn't a true multi-user OS, which is complete nonsense.
3) From a design perspective, it makes more sense to use the same functionality to communicate with a remote or local machine (i.e. it doesn't matter where the other program is).
And Windows is not "constrained" by an RPC model (as they seem to imply by saying that Linux is not).. application programmers can CHOOSE to use RPC, or they can use other methods.
4) This point makes no sense whatsoever:
"By advocating this type of usage, Microsoft invites administrators to work with Windows Server 2003 at
the server itself, logged in with Administrator privileges. This makes the Windows administrator most vulnerable to
security flaws, because using vulnerable programs such as Internet Explorer expose the server to security risks."
That is a complete load of bull $hit.
Re:biased? (Score:4, Interesting)
Re:biased? (Score:4, Insightful)
OK. Remove IE. Boot without a GUI. Change libraries that are currently in use while the system is running.
So, given any hardware you wish, how many different and unique users can use 1 NT 3.x or 4.x system at the same time? What restrictions do you encounter, if any? Are there differences between desktop and 'server' versions of NT in this respect?
[rpc] -- I'll let someone else address that.
This has been addressed by NoOneInParticular [slashdot.org], so I won't rehash it.
Re:biased? (Score:3, Insightful)
There is a qualitative difference between Unix-like systems and Windows on the issues I mentioned. Details are below...
That's too easy. Ever heard of the Recovery Console?
Not counting GUI intensive applications, Windows does not work completely when the Recovery Console is enabled. Except for limited functions, Windows is crippled without a GUI and most programs (utility,
Re:biased? (Score:3, Informative)
Yet another Pro-Linux, Anti-Windows 'report' (Score:4, Insightful)
Sorry, but as long as something like 90% of all the 'reports' about Linux being more secure and 'mythbusting' reports are written by Linux supporters or have some business in seeing Linux succeed, I'm going to take this with a grain of salt. I'm not trying to say Windows is safe, but you can't expect me to believe this when a 'report' like this comes out every other week. If this guy was an ex-Windows programmer I'd be more understanding, but "former lives include editorial director of LinuxWorld"? Somehow I doubt they ran Windows on their machines.
Argumentum ad Hominem (Score:5, Insightful)
http://www.fallacyfiles.org/adhomin
PHB Mode - (*)On ( )Off (Score:5, Funny)
And besides, last night while I was watching $stupid_cable_news_show I saw an ad for Microsoft. It said they were secure. Then I saw that same ad in $idiot_management_magazine. They can't advertise it if it's not true, so we should go with Windows Server 2003 for our new application.
And, besides, I just got Microsoft to sell Windows Server 2003 for $50 per copy by saying we'd switch to Linux. Here's the box, now go install it.
Re:PHB Mode - (*)On ( )Off (Score:3, Insightful)
I work in the advertising division of a large communications company as their IT manager.
These people know that advertising is lies, lies, a huge stretch of the truth and then a tad more lies.
Yet they are suckered in hard by advertising as much as the dolt that believes everything they see in an ad.
If the people that make the ads are suckered by them then the common manager and CEO has absolutely no hope but to believe every advertisement completely as truth.
And yes,
SELinux (Score:5, Interesting)
A good way to think of MAC or SELinux is as a firewall between processes on your machine and the files and devices etc. on your machine. At the kernel level there is a set of rules, at pretty much as fine a grained level as you care to write, as to what can access what. It's well worth reading the FAQ [nsa.gov] to get a fuller idea of what we're talking about here.
Jedidiah.
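The "firewall between processes and files" view above, and the later point that a process running as root is still held inside its sandbox, as an added example (not code from the post, the NSA FAQ or the SELinux project). It models type enforcement with a toy rule parser and a constructed policy, file table and process list; the rule syntax follows the shape of SELinux TE allow rules, and the denial text is only modelled on an AVC line.

```python
import re

# TE-style allow rule: 'allow <domain> <type>:<class> { perms };' or a single perm.
RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;")

# Constructed policy fragment for this example (not a real policy module).
POLICY_TEXT = """
# the web server may read its content and its own config, nothing else
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_config_t:file { read getattr open };
# an unconfined admin shell may edit the shadow file
allow unconfined_t shadow_t:file { read write open getattr };
"""

# Constructed file table: DAC owner/mode plus the SELinux type label.
FILES = {
    "/var/www/html/index.html":   {"owner": 48, "mode": 0o644, "type": "httpd_sys_content_t"},
    "/etc/httpd/conf/httpd.conf": {"owner": 0,  "mode": 0o644, "type": "httpd_config_t"},
    "/etc/shadow":                {"owner": 0,  "mode": 0o600, "type": "shadow_t"},
}

def parse_policy(text):
    """Return {(domain, type, class): set(perms)}; '#' lines are comments."""
    rules = {}
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for dom, typ, cls, many, one in RULE_RE.findall(body):
        rules.setdefault((dom, typ, cls), set()).update(many.split() if many else [one])
    return rules

def dac_permits(f, uid, perm):
    """Classic owner/other mode-bit check (group class omitted for brevity)."""
    bit = {"read": 4, "write": 2}[perm]
    bits = (f["mode"] >> 6) & 7 if uid == f["owner"] else f["mode"] & 7
    return bool(bits & bit)

def mac_permits(rules, scontext, tcontext, tclass, perm):
    """Default deny: only an explicit allow rule grants the permission."""
    return perm in rules.get((scontext, tcontext, tclass), set())

def access(rules, proc, path, perm):
    """Both checks must pass: DAC first (root bypasses it), then the MAC rules.
    Returns (allowed, reason); the denial text is a simplified AVC-like line."""
    f = FILES[path]
    if proc["uid"] != 0 and not dac_permits(f, proc["uid"], perm):
        return False, "dac: permission denied"
    if not mac_permits(rules, proc["domain"], f["type"], "file", perm):
        return False, (f"avc: denied {{ {perm} }} comm={proc['comm']} path={path} "
                       f"scontext={proc['domain']} tcontext={f['type']} tclass=file")
    return True, "granted"

RULES = parse_policy(POLICY_TEXT)
HTTPD = {"comm": "httpd", "uid": 48, "domain": "httpd_t"}
ROOT_HTTPD = {"comm": "httpd", "uid": 0, "domain": "httpd_t"}   # root, still confined
ADMIN = {"comm": "bash", "uid": 0, "domain": "unconfined_t"}

if __name__ == "__main__":
    for proc, path, perm in [(HTTPD, "/var/www/html/index.html", "read"),
                             (HTTPD, "/var/www/html/index.html", "write"),
                             (ROOT_HTTPD, "/etc/shadow", "read"),
                             (ADMIN, "/etc/shadow", "write")]:
        print(proc["comm"], proc["domain"], perm, path, "->", access(RULES, proc, path, perm)[1])
```

The second and third cases are the ones that matter: DAC would let httpd write a file it owns, and would let a root httpd read the shadow file, but the rule set grants neither.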
Or a better alternative (Score:5, Informative)
Re:Or a better alternative (Score:3, Interesting)
Looking at the list of stuff implemented, I don't really see a vast amount that's different. Both have a great deal on their wish-list, but have stuck almost exclusively to file access. Files are important, but they're not everything.
I'll be impressed by the first
Re:SELinux (Score:3, Informative)
Re:SELinux (Score:3, Insightful)
The tricky part is that there are a lot of affected user applications. These are not part of the standard Linux kernel (well, duh! :) and I'm unaware of any of the application writers including the SELinux code into their standard projects. For the most part, you need to go to the SELinux website for the user-space stuff.
Articles like this... (Score:2, Insightful)
meh... (Score:5, Insightful)
Basically anyone who knows what a terminal window is isn't likely to run suspect attachments or not configure a firewall
enterprise 03 (Score:3, Insightful)
What people forget to mention is that MS security patches seem to like reboots, due to the way file locking works on Windows. Thus, whenever a "critical" flaw is released, they have to either patch it with a workaround (firewall rules, etc.) or they need to reboot the server.
When I was running an internal-only Enterprise 2003 server (behind several firewalls, no public IP) the only reboots I ever experienced were those related to environmental factors: the power went out for longer than the UPS could keep the server online for; etc.
After I started maintaining an externally-accessible 2003 server, I configured autopatching on it from Windows Update, and it reboots itself about once a month.
According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide, on enterprise-grade hardware (and what I am running on is decidedly not enterprise-grade, unless eMachines has recently broken into the enterprise market and I forgot to read the press release.) Reboots take about 4 minutes to shut down, restart, wait for the services to resolve themselves, and try again. If I was so inclined, I could tweak this to be lower (1 whole minute is because the web server loads before the network module does, can't find an IP to bind to because IP isn't enabled yet, and fails to load, then waits to retry.)
It's a different design philosophy. My systems don't get "crufty" and crash, but they do have to be rebooted to apply security fixes. However, 4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant, fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.
Re:enterprise 03 (Score:4, Insightful)
According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide
Better revisit those calculations. Six 9s of reliability means that you're down for no more than 30 seconds a year. Unless your reboots take less than 3 seconds, you're already not meeting that metric.
Besides which, five 9s (5 minutes a year) is considered carrier-grade. There isn't as firm a standard for enterprise-grade, but it usually permits occasional scheduled downtime outside business hours, and is usually in the two to four 9s range.
BTW, I couldn't find anywhere that MS claims six nines of reliability; do you have a source?
Re:enterprise 03 (Score:3, Informative)
I'm citing your comment as a "reasonable standard" for enterprise grade equipment in another comment I'm writing, walking through the author's paper and clarifying important points.
Re:enterprise 03 (Score:5, Interesting)
That's sort of the point. You have to reboot a Windows server more often. If rebooting once a month or so is acceptable (see Murphy's Law for schedule), then that's fine.
If you want it to stay up, doing its job, then don't run Windows on it.
This isn't about "hardship". It's about numbers. (Score:5, Informative)
Nope.
Reboots take about 4 minutes to shut down, restart, wait for the services to resolve themselves, and try again.
4 minutes/month == 48 minutes/year.
99.999 availability means 5.26 minutes of downtime per year.
At best, you've got around 99.99% availability.
However, 4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant, fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.
It isn't about "hardship". It's about reliability. Getting that last
But for those that require it, it is available. And because it is available to those, it is available to everyone. Even those who do not need it.
Sure, my print server probably doesn't need 99.999% reliability. But because it has it, I don't have to worry about it.
In my experience, it's the reboot that causes the hardware failures. The fewer reboots, the fewer chances for hardware failure.
Trite Political Joke (Score:5, Funny)
Microsoft, official platform of the 2004 presidential campaign.
Re:Trite Political Joke (Score:3, Interesting)
Indeed you are correct [netcraft.com].
Window vs OS X (Score:5, Insightful)
Though this was interesting, it would be nice to see something comparing OS X security to Windows security. When you think about it, they're both relatively proprietary OSes. Sure, Microsoft has their "Shared Source" stuff, and OS X is based on Open Darwin, but really the two would be a better match because of their commercial status.
Sure, there are enterprise Linux distros from companies like Red Hat, but you can still get a lot of use out of a non-commercial distro. There are so many ways that you can change Linux to make it more secure that comparing it to a rigid commercial OS is a bit inappropriate. I'm not saying that I think the article was pointless, just that we should give equal attention to systems like OS X or even some of the other commercial UNIX distros for that matter.
Not designed for security (Score:5, Interesting)
http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.html [infoworld.com]
Nothing to do with linux (Score:2)
The Reg is experiencing a DDOS attack... (Score:2)
I haven't been able to connect to The Register for three days now, BTW. I'm glad that others have been able to.
Windows just might be ahead of *NIX here... (Score:2, Interesting)
I've read about the fact that while XP/SP2 contains numerous changes that present real improvements, it is largely a recompile of XP with a new compiler that enforces buffer size.
While that doesn't fix buffer overrun bugs, it certainly limits their potential negative security implications. When will this buffer enforcement be available for gcc!?!? I know, there are 3rd party apps, but as long as it's a 3rd party app, I won't get these benefits with a t
Re:Windows just might be ahead of *NIX here... (Score:3, Interesting)
Re:Windows just might be ahead of *NIX here... (Score:3, Interesting)
As soon as you do a search for StackGuard http://www.cse.ogi.edu/DISC/projects/immunix/Stac
Re:Windows just might be ahead of *NIX here... (Score:3, Interesting)
Nope. What Windows recently added, OpenBSD had been doing for quite a while. OpenBSD uses GCC, so, yes, there is a way to get GCC to provide the stack protection. Also, both OpenBSD and Solaris can provide execute protections for RAM, at least on SPARC. I'm sure other systems have this too, but I just don't know at the moment.
Again, look to OpenBSD for the cutting edge (OpenSSH, stack protection, good firewall, audited code, clean install, etc.) and see it g
Re:Windows just might be ahead of *NIX here... (Score:3, Interesting)
And, you can go more paranoid from there...
Ratboy.
The MS take on it (Score:5, Interesting)
I used to wonder at the blinders-on group think of the hidden source folks. The elaborate unreality of their arguments was a puzzle, until I figured it out [healconsulting.com]. Now I understand; it's all about the dream.
While some might dismiss the article because he is a Linux advocate, that's missing the point. His piece is geared toward Linux advocacy, but avoids the usual rhetoric. I kept looking for the usual Gates bashing, but didn't find any.
What I found instead were hard facts, distilled from public data. He didn't say, "I performed some tests which prove Linux is better." He took the publicly available information, analyzed it, and reported the results.
The response by the Microsoft marketing droids and vassal fudmeisters will be instructive to anyone who really thinks about it. Don't take away their dreams of a gold mine, at least not until they've got a Ferrari just like the guy in the next cube.
Microsoft - Standard Oil (Score:5, Insightful)
"Open Source Software is inherently dangerous"
Weasel words like "inherent" are convincing to dumbed-down folks. ./ ain't buying it though. God bless individualism.
"Statistics 'prove'..."
Ahhhh, the old "who can argue with scientific fact" line.
Provide us with "science" to back up this claim. Properly vetted, peer-reviewed science from an unbiased source, unfunded by those with a vested interest in the outcome please.
The psychological use of fear and "scientific" studies to convince the average American is not new. Read carefully the language of Microsoft and you'll hear JD Rockefeller, Andrew Carnegie, JP Morgan, etc. What you have to read carefully to find is their own fear that they are losing monopoly control. Big Oil was able to buy corrupt officials and maintain their decidedly un-capitalist ways. Will Microsoft?
Re:Microsoft - Standard Oil (Score:3, Insightful)
Big Oil was able to buy corrupt officials and maintain their decidedly un-capitalist ways. Will Microsoft?
Was that a rhetorical question, or did you miss the DoJ's dance with Microsoft?
Windows Uses Spheres (Score:5, Funny)
Same old arguments.. (Score:3, Interesting)
For one, they speak at length about the uptime of web servers. While some downtime is related to security flaws, there is not a direct correspondence between security flaws and uptime. I find this metric completely unreliable as a method of assessing web server security.
This is essentially their only argument for the first two myths.
For the third, they mention that flaws Microsoft will NEVER fix. They don't bother to mention that these flaws only occur in older, "obsolete" operating systems. Does Red Hat issue patches for version 1.0 anymore? The rest of their argument makes much more sense, however.
(Haven't read the rest yet.. but this thus far makes me skeptical that this is an unbiased report.. )
A few clarifications... (Score:5, Insightful)
Note that the purpose of this post is not to say "omg windows >>>> linux all you penguin lovers rot in hell" like a lot of this story will be. I am merely trying to clarify some of the author's points.
"Myth: Safety in Small Numbers"
"Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.
Yet this is precisely the opposite of what we find, historically."
Running through 3GB of archived log files, from Apache running on 2003 Enterprise Server, I have concluded the following:
54% of attacks against IIS (Unicode traversal, buffer overflow, cgi, alternate data streams, etc.)
46% of attacks against Apache (htpasswd.exe, httpd.conf, .htaccess, some odd batchfile script attacks with args to copy httpd.conf into htdocs, etc.)
"Precisely the opposite" is hardly the right phrase to use in this situation. Sampling error among different web sites (due to different audiences, traffic rates, etc.) could easily account for the fact that IIS out-edged Apache here.
As for the *successful* part of the author's claim, there was a 0% success rate across all queries directed at servers I either have access to logs on, or directly control. I have also experienced Apache servers being compromised (more often due to user-induced security holes than design flaws), but in the end, the user leaving a filedrop which allows php scripts to execute, and such, is as dangerous as a buffer overflow. They are each different but functionally equivalent ways to circumvent the security of the system it is running on.
"But it does not explain why Windows is nowhere to be found in the top 50 list. Windows does not reset its uptime counter. Obviously, no Windows-based web site has been able to run long enough without rebooting to rank among the top 50 for uptime."
Part of the Windows operating system's underlying design involves its file locking semantics. Files in-use by the operating system, providing needed functionality, can't be easily replaced while the system is running. Windows solution? The in-use-file replacement tool is able to change the bits on disk, but not the memory addresses they map to. So, the copy in memory doesn't match the copy on disk -- and the copy in memory is the old (flawed) copy. This is rectified by...you guessed it...refreshing the copy in memory. And what's the easiest way to do this? Reboot the server and reload it from the disk, if the module you're talking about happens to be, say, the Local Security Authority or the Windows Kernel.
I mentioned (with some flawed math) (http://slashdot.org/comments.pl?sid=126724&cid=10600161) in more detail the reasons Windows servers are often down there on the patches. I did miscalculate availability. My servers average in the 99.9952% range. Which means they're down for a few hours a year. Sure, not carrier grade, but not too shabby either. Well within the reasonable expectations of most businesses. (Source: http://slashdot.org/comments.pl?sid=126724&cid=10600658 by hehman) Note that the situations where Windows is likely to be used probably aren't nuclear power plants, airplane control software, etc. Thus, the additional powers of 9 aren't really a factor.
"Myth: Open Source is Inherently Dangerous"
I agree with the author here. Having the source code doesn't really have an impact as to whether or not a hacker can find an exploit -- there are enough tools to automate exploit finding in streamed data, especially web connections.
"Myth: Conclusions Based on Single Metrics"
Another valid point. One can spin statistics any way you want to, and have the math be perfectly valid, to reach a meaningless conclusion. Anyone who's taken statis
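The log triage described in this post (sorting probes by which web server they were written for), together with the reply's objection that a logged attempt says nothing about success, as an added example; this is not the poster's script or any scanner's signature set. The log lines are constructed in Apache combined format, and the signature regexes are this example's own, covering only the families the post names.

```python
import re
from collections import Counter

# Apache combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Probe families grouped by the platform they target (checked in this order).
SIGNATURES = {
    "iis": [
        re.compile(r"%c[01]%[0-9a-f]{2}|%25(5c|2f)|%%35c", re.I),   # Unicode / double-encoded traversal
        re.compile(r"cmd\.exe|root\.exe", re.I),                     # shell via traversal
        re.compile(r"\.ida\b|\.idq\b|\.printer\b", re.I),            # ISAPI buffer-overflow probes
        re.compile(r"::\$DATA", re.I),                                # alternate data stream trick
        re.compile(r"/_vti_bin/|/msadc/|/scripts/", re.I),           # IIS-only paths
    ],
    "apache": [
        re.compile(r"htpasswd|httpd\.conf|\.htaccess", re.I),        # Apache config/credential files
        re.compile(r"/cgi-bin/.*\.(bat|sh)\b", re.I),                # batch/shell script probes
    ],
}

# Constructed sample; addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Oct/2004:03:14:01 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
198.51.100.7 - - [22/Oct/2004:03:14:02 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 293
203.0.113.9 - - [22/Oct/2004:03:20:11 -0400] "GET /.htaccess HTTP/1.1" 403 209
203.0.113.9 - - [22/Oct/2004:03:20:12 -0400] "GET /cgi-bin/test.bat?copy+..\\conf\\httpd.conf+..\\htdocs HTTP/1.1" 404 281
192.0.2.44 - - [22/Oct/2004:03:25:30 -0400] "GET /index.html::$DATA HTTP/1.0" 404 288
192.0.2.44 - - [22/Oct/2004:03:25:31 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [22/Oct/2004:03:28:40 -0400] "GET /msadc/msadcs.dll HTTP/1.0" 404 289
203.0.113.9 - - [22/Oct/2004:03:31:00 -0400] "GET /conf/httpd.conf HTTP/1.1" 200 4120
"""

def classify(path):
    """Return 'iis', 'apache' or None for a request path."""
    for platform, patterns in SIGNATURES.items():
        if any(p.search(path) for p in patterns):
            return platform
    return None

def summarize(lines):
    """Count probes per target platform and their share of all probes, plus
    how many were answered 2xx.  A 2xx is only a triage flag for manual
    follow-up: a hit on a file that exists is not proof of a compromise, and
    the attempt counts alone say nothing about success."""
    attempts, answered_2xx = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not guess
        platform = classify(m["path"])
        if platform is None:
            continue                      # ordinary traffic
        attempts[platform] += 1
        if m["status"].startswith("2"):
            answered_2xx[platform] += 1
    total = sum(attempts.values())
    return {p: {"attempts": attempts[p],
                "share": round(100 * attempts[p] / total, 1) if total else 0.0,
                "2xx": answered_2xx[p]} for p in SIGNATURES}

if __name__ == "__main__":
    for platform, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{platform:7s} attempts={stats['attempts']} share={stats['share']}% 2xx={stats['2xx']}")
```

On the sample the split is 57.1% IIS-style probes to 42.9% Apache-style, and the only 2xx is the request for httpd.conf, which is the line an admin would go and verify rather than count as a statistic.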
Re:A few clarifications... (Score:5, Insightful)
Yet this is precisely the opposite of what we find, historically."
Running through 3GB of archived log files, from Apache running on 2003 Enterprise Server, I have concluded the following:
54% of attacks against IIS (Unicode traversal, buffer overflow, cgi, alternate data streams, etc.)
46% of attacks against Apache (htpasswd.exe, httpd.conf, .htaccess, some odd batchfile script attacks with args to copy httpd.conf into htdocs, etc.)
"Precisely the opposite" is hardly the right phrase to use in this situation. Sampling error among different web sites (due to different audiences, traffic rates, etc.) could easily account for the fact that IIS out-edged Apache here.
As for the *successful* part of the author's claim, there was a 0% success rate across all queries directed at servers I either have access to logs on, or directly control.
Sorry, your statistical sample is not comparable. You quote Petreley discussing successful attacks, then you provide some figures about attacks on your machines, and then point out that none of them were successful. So, you aren't actually telling us anything about successful attacks, since you haven't seen any.
Don't expect your tools to do your job... (Score:5, Insightful)
What this report does is focus on the default potential for abuse by looking at recent publicly known issues.
That's handy, though if you only go with that and expect that your systems are secure you'd be better off doing what my friend did.
General rules:
If it's visible over a network, it's potentially abusable. (http://www.nessus.org, http://www.insecure.org/nmap)
If it's running locally, it's also abusable. If you don't absolutely positively require it, remove it -- even if it runs by some proxy process (inetd/xinetd or a similar daemon under Windows).
Wrappers, permissions, isolation at the router level...all should be configured.
Monitor log files and check systems. Automate what you can.
RPC is good for security (Score:3, Interesting)
Not that Linux is any better. The RPC systems for Linux/UNIX are clunky afterthoughts built on top of sockets.
Up times.... (Score:3, Insightful)
But Bill Gates says it's safe (Score:3, Funny)
Damn, who do I have to buy off to make you people believe that Windows is safer?
Great another one of these. (Score:3, Insightful)
Re:Great another one of these. (Score:3, Interesting)
OK, I'll have to agree that there's a bias there. The language could be better, and there's a few areas that could be broadened: for one example... there are features of the Windows domain model that are neglected in this analysis... but the problem is they're not really given proper credit in pro-Windows white papers either, and the security problems of the single-sign-o
Unpached Windows Vs Linux (Score:3, Informative)
Do the same with XP or W2k and within 20 minutes or less it would become infected and begin zombie operations.
Let's go to a patched server: in both cases they're still vulnerable. However, there is a clear difference in vulnerabilities, with the majority of Linux ones being in the realm of local hacks, whereas in Windows you're still dealing with remote hacks and buffer overflows.
Yes in many cases both problems can be blamed on 3rd party apps but even in kernel to kernel comparisons Windows still is high on the list of being vulnerable.
Firewalls (Score:3, Funny)
Check back here for the answer at 3am...
Does security really matter? (Score:3, Insightful)
The real question should not be which system is more secure, since neither is; the question should focus more on which system is easier to maintain and makes upgrades and patches easy to install. If a system fails at that, no matter how few exploits it has, one unpatched one is enough to get you into a hell of a lot of trouble.
Another question would be, what are the real alternatives and what will the future bring? I mean, just patching C buffer overflows into all eternity is really not something on which I would build 'security'; neither is the OpenBSD way of 'no features, no bugs' a real solution, since people will end up using 'features' and thus get bugs.
Re:Does security really matter? (Score:5, Informative)
YES
> I mean neither Windows nor Linux are secure, we see new ways to exploit them every few weeks or even days
Um, no, there is a huge difference. UNIX applications are usually designed in an inherently secure manner, UNIX file permissions really do make a difference, and UNIX contains mechanisms that can be used to lock the system down to the point where you can give a user "root" access and they still can't modify anything outside the sandbox you set them up in.
Windows does not, in practice, provide some of these kinds of security at all... and others are purely nominal protections at the same level of asking people "are you going to rob the bank" and letting them into the vault if they say "no".
So where on Linux an error that lets someone break out of a CHROOT environment is listed as an "exploit", Windows doesn't even provide that kind of environment so you don't need an exploit to compromise it. When a Windows exploit is listed, it far more often means there's a way of completely compromising your computer and taking it over, rather than just letting the attacker from one locked room to another.
That is, if I was running an "anonymous FTP server", and the server application has a buffer overflow in it, on Windows that exploit would let them inject a backdoor and take over my machine at will, and modify the boot sequence to restart the backdoor if the computer is rebooted. On Linux, they would be able to run the backdoor as an unprivileged user, they wouldn't be able to even see any executable files that could be used to restart the backdoor, and in some configurations they wouldn't even have network access. They would need to find and run two more exploits... one to break out of the CHROOT environment and one to get root privileges... before they could do anything.
This is called "defense in depth". UNIX systems and applications, developed in an environment where you had to give mutually untrusting users access to the same computer at the same time in a timesharing environment, don't break down and give up with one attack.
SO...
Linux, like all UNIX systems, is built around inherent security and defense in depth, which means that it's MUCH harder to get in and MUCH harder to do anything once you are in.
AND...
It's not just a matter of relative popularity... for one example: back when 2/3 of the domains out there were running Apache on Linux, the less than 1/3 remaining IIS servers still represented 2/3 of the domains on the "defaced sites" list.
Then again, Lindows / Linspire (Score:3, Insightful)
Perhaps Unices haven't had as much security capability, but we've had the culture to at least understand separation between root and users. We've also had the open exchange that gets bugs reported and fixed, another cultural aspect.
But then again, now we have run-as-root Lindows / Linspire. This distribution REALLY SCARES ME, especially when they sell it into the novice market - the ones least likely to do proper maintenance and most likely to click on silly attachments. (as root, no less)
I understand Lindows / Linspire is trying to make something simple for the novice. But IMHO, they've done it in entirely the wrong way. Far better than running the user as root would be to have a standard setup of "user" and make the new user that. Then make a comprehensive set of sudo scripts, with extensive error checking, to administer the system.
BTW, the Linux security model isn't standing still, either.
Re:Then again, Lindows / Linspire (Score:3, Informative)
Re:Geez.. (Score:3, Informative)
I think the "mysterious future" feature available to subscribers allowing them to see upcoming stories ahead of the rest of us is meant to be an ironic joke: you've got to read the stories whilst they are still there, because whether or not the links will be accessible in the future is a mystery...
Re:Geez.. (Score:2)
Re:Geez.. (Score:3, Informative)
Re:Make Sure That You Only Present... (Score:5, Funny)
Re:Make Sure That You Only Present... (Score:3, Informative)
They work well.
Re:Make Sure That You Only Present... (Score:5, Funny)
Slashdot doesn't serve XHTML.
Technically, Slashdot doesn't serve HTML, either. Slashdot serves some markup language that is sufficiently similar to HTML that most browsers can find a reasonable way to render it if they squint at it hard enough.
Of course, the same is true of 99% of the web. Still, you'd think this bastion of geekdom would dare to be different.
Re:Make Sure That You Only Present... (Score:5, Interesting)
Why don't we look instead at security vulnerabilities in a Server OS that are relative to functions a server should be performing. How many vulnerabilities has IIS 6.0 had versus Apache in the year and a half Server 2003 has been out?
Hmmm one of those has had zero, and it sure the hell ain't Apache.
Re:Make Sure That You Only Present... (Score:5, Interesting)
The Apache group [apache.org] is much more forthcoming about security problems and I don't trust Windows as a server platform.
Re:Make Sure That You Only Present... (Score:4, Interesting)
There are so many things wrong with that statement in the real world. Perhaps the most important one conceptually, and one that none of the other replies have touched on, is that you don't actually have to intentionally run IE in order for it to get invoked! I hear all the time how if people run Mozilla instead, all the worries with IE are gone, but that's not entirely true. It's a security risk just sitting on the disk, never intentionally used by anyone.
Second, as has already been mentioned, patches and updates? Sure, on a server you probably shouldn't be running a web browser, but you shouldn't have a videocard and monitor on a server either. In the windows world, however, both are required. There is no apt-get, there is no console-only mode.
Re:Make Sure That You Only Present... (Score:5, Insightful)
Certainly not by downloading them directly to the server via IE, that's for sure.
In small shops, you would download the patches with your workstation, and then copy them to the server over the network or using a CD-R, and install them manually.
In larger shops, you would set up a Software Update Services (SUS) server or SMS server to deploy the patches to the servers exactly when you're ready to do so (after testing in your lab first, of course).
You should never be using IE on a critical production server. End of story.
Re:Make Sure That You Only Present... (Score:3, Interesting)
Internet Explorer has never been, isn't now and never will be integrated into the kernel. It does not run in kernel mode. The only thing that IE is integrated in is the shell environment and what Microsoft calls the "Windows Experience". This integration with the 'experience' is the excuse they used to say that it had to be a part of Windows; it's a marketing reason, not a technical one.
The Windows shell environment is like what KD
Re:Make Sure That You Only Present... (Score:5, Insightful)
Fair enough - I'll modify my question then. If IE should never be used on production servers, why is IE so heavily integrated into the shell environment in which the server runs?
BTW, to say that the integration of IE in Windows is somehow equivalent to the integration of Konqueror in KDE is rather ridiculous. It is trivial to entirely replace one browser with another on a GNU/Linux system. Eradicating all traces of IE on MS Windows machines is nowhere near as simple.
Re:Make Sure That You Only Present... (Score:3, Interesting)
There really isn't a good reason, but there is an explanation. It goes back to the very first version of NT: 3.1. Since then and up to Win2k, the server and workstation versions of Windows use exactly the same binaries, with a few extras for server and a flag in the registry. This meant that the same exact patches could be applied to both. It was convenient because the server
Re:Make Sure That You Only Present... (Score:5, Insightful)
I don't use KDE so I can't answer that for certain, but I would be very surprised if you couldn't. It is certainly possible to remove all traces of a web browser from the alternative desktop environment: GNOME.
Then again, why would you even want to run KDE or GNOME on a server? You can have a fully functional, graphical GNU/Linux machine without running those extra desktop applications.
Of course, for a server, there is probably no need to run any graphical stuff at all. It is perfectly possible (and common) to have a GNU/Linux server without installing X11 - all configuration can be performed via the command line, or remotely if you prefer a graphical configuration interface.
Re:Make Sure That You Only Present... (Score:3, Insightful)
> 20 server boxes, 20 monitors, 20 keyboards, 20 mice. Or using expensive and error-prone KVM setups which may only reduce the clutter by a third or so practically.
> More cable clutter, more power requirements, reduced efficiency.
Geez. How long has it been since you've touched a windows server? Every one of the benefits you listed for Linux is not only possible on windows, it's common practice. It's very easy to run a windows server totally headless. The GUI will be there i
Re:Make Sure That You Only Present... (Score:3, Informative)
D:\ResKit>su.exe
UserName required!
above available from nt4.
or "run as" available from win2k?
Look, you'd better educate yourself before posting.
Re:Make Sure That You Only Present... (Score:4, Insightful)
Re:Make Sure That You Only Present... (Score:3, Informative)
Yup.....and it makes it a pain in the ass if you have to do any Oracle DBA work on a win.box. We used to have at least the oracle acct. that had local admin..or enough special privs. when we needed it. Now, they've got new rules...and we have to bug the SA to come fucking sit with us, to log us in to ru
Re:Make Sure That You Only Present... (Score:3, Informative)
While the Reg likely won't be
Much ado has been made about whether or not Linux is truly more secure than Windows. We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3:
1. The severity of security vulnerabilities, derived from the following me
Re:Linux is more secure. Once more. (Score:2, Informative)
Re:Linux is more secure. Once more. (Score:3, Insightful)
Holes are holes, no doubt about that. Linux just has fewer of them because of good design principles.
Re:Linux is more secure. Once more. (Score:5, Informative)
Will be exploited? Download the metasploit framework [metasploit.com] sometime; there are more exploits for Linux than for Solaris or Windows. But this is where the guy's point becomes important: because of how Windows deals with security tokens (here [wiley.com] is a good place to start if you're curious), any exploit that gains access can probably execute code in the SYSTEM context.
So, of the Linux exploits that are trivially available to exploit, none can reliably execute arbitrary system code, while all of the Windows exploits can. That's not this one guy's opinion, that's just how the operating systems work.
Re:Linux is more secure. Once more. (Score:4, Insightful)
But the problem is (if you read the article...) that there are far more processes in Windows that run with privilege than those that are restricted.
To quote TFA:
THAT is what makes Windows different from any other OS and thus more vulnerable.
Re:So... (Score:5, Funny)
We already knew this. This report is for them.
Re:So... (Score:5, Interesting)
Re:So... (Score:5, Insightful)
Then your Linux admins don't know what they're doing.
Re:So... (Score:4, Insightful)