Forgot your password?
typodupeerror
Security

WinInformant Says Windows More Secure Than Linux 935

Posted by timothy
from the ho-hum dept.
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T : Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T :Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
This discussion has been archived. No new comments can be posted.

WinInformant Says Windows More Secure Than Linux

Comments Filter:
  • by Brandon T. (167891) on Monday February 04, 2002 @11:38AM (#2950566) Homepage
    Perhaps windows has had less overall security vulnerabilities, but the ones it has had have completely ruined systems and clogged up the internet (i.e. code red, nimda etc...).
  • Statistics.... (Score:2, Interesting)

    by Toby Truman (555615) on Monday February 04, 2002 @11:40AM (#2950586) Homepage
    How valid are these statistics?

    Let's keep in mind that Linux users who find bugs or issues are far more likely to report them, document them, publicize them, and share them.

    Microsoft users who finds bugs call Microsoft tech support, who informs them politely that it's a feature, and lets the issue be stored deep in their databases somewhere.

    This is not an issue of who has more issues, but whose issues get reported and publicized more.

  • Lousy research (Score:3, Interesting)

    by JanneM (7445) on Monday February 04, 2002 @11:41AM (#2950594) Homepage
    His mathematics is pretty bad. To get the security problems for Linux, he adds all security announcements from each of the major distributions - completely ignoring that most of those announcements are for the same bug. The Linux number is thus about a factor 4 too high.

    Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows.

    Badly researched piece.

    /Janne
  • by Gothmog (21222) <gothmog@ c o n f u s t i cate.com> on Monday February 04, 2002 @11:43AM (#2950621) Homepage
    Pure quantity of security holes really is not the most question. To me there are two factors:

    1. How severe is the hole if exploited.

    Are we talking a DOS, a root compromise, the ability to take over a domain controller. The effect of a compromise needs to be taken into account.

    2. How easy to exploit is the whole.

    Is it a theoretical exploit, or are there tools floating around? Can it be easily mitigated by a good firewall, or can viewing an email cause the problem.

    These questions seem to me more important than pure quantity and should be taken into account when building a threat assesment of a system.
  • Break it down.. (Score:3, Interesting)

    by iamsure (66666) on Monday February 04, 2002 @11:49AM (#2950677) Homepage
    1. Severity - The issues that exist on Windows platforms are demonstratably larger. There is no administrator/root containment of priveldge (generally), and most of the security issues reported are indeed system-level, remote, and widespread.

    2. Activeness - The common issues reported for Windows deployments are almost universally in use and actively being exploited BEFORE the report. Most *ix vulnerabilities are not being actively exploited (and definitely at a lower level of activity), and are generally patched to resolve the issue FAR quicker.

    3. Openness - "Linux" has no control over the release of bug reports. Microsoft on the other hand, does, to a degree. They can actively "persue" the matter and encourage the bug reporter to remain quiet about it until they can respond. In some cases for MONTHS even for well established bug hunters like eEye, on very large vulnerabilities like UPNP.

    In closing, there are lies, damned lies, and statistics. Sure, you can put whatever spin you want on it, and I think I have in this posting.

    ONE thing needs to be clear, there are alot of bugs, and having many eyes isnt preventing them from happening on Linux.

    No matter where you sit, its justification to yet again work diligently to reduce the number of potential bugs by secure programming techniques.

  • by demon-cw (162676) on Monday February 04, 2002 @11:52AM (#2950710) Homepage
    i wonder when was the last time someone found a hole in your firewall by exploiting a hole in your apache to get your sendmail sending the contents of your harddrive to everyone and his hamster?
  • Some explanations??? (Score:5, Interesting)

    by Zwack (27039) on Monday February 04, 2002 @11:53AM (#2950720) Homepage Journal
    Greetings,
    I wonder how they decided what is "more secure", but my guess is that it's based on the number of reported exploits/bugs.
    Does anyone know if they used any weighting on the types of exploits/bugs. I would consider a remotely exploitable bug to be much worse than a locally exploitable bug as you can't control people that aren't on your box as well as the people that are. I would consider a root/administrator access bug to be worse than a denial of service type bug.

    So, given a weighting scheme of :-
    Remote Root = 4
    Remote Denial of Service = 3
    Local Root = 2
    Local Denial of Service = 1
    How would the different OSes stack up?

    My guess is that without even taking number of installations into account you would find that Microsoft was at least as bad as the various Linux/Unix versions. I'm not going to say that they were worse.

    Anyone want to do some analysis on the same information given a weighting scheme and see what the differences are?

    Z.
  • Did this study look at just standard Linux distro? Like standard installs of RH, or did it look at hardened versions designed to be secure? It seems to me that there are certainly extremely secure hardened versions of Linux, while Windows is generally limited to relatively standard installations.
  • Wait a sec... (Score:5, Interesting)

    by saberworks (267163) on Monday February 04, 2002 @11:54AM (#2950724) Homepage
    1. How many of the Linux vulnerabilities are in services that aren't linux? IE: sendmail, apache, ftp servers, and whatnot? Just because something is packaged with linux doesn't make it linux. Do the windows bugs count IE bugs and every other MS software running on the system? What about other packaged software such as AOL and whatever other links they provide?

    2. Sheer number of vulnerabilities mean nothing - are they counting the severity of the vulnerabilities?

    3. Are they counting the time it took before A) someone discovered the vulnerability and B) a patch was issued?

    4. If there are comparable numbers of linux vs. win2k servers out there, which actually had more break-ins? (This question not valid if there is a wide gap in numbers since then the lower of the two probably benefits from that "security through obscurity").

    5. I think having full source code availability leads to people actually FINDING the bugs, whereas Windows could have way more, but we don't know about them unless people are actually TRYING to crack the system (as opposed to finding them working on source or whatever).
  • Bogus statistics (Score:3, Interesting)

    by coyote-san (38515) on Monday February 04, 2002 @11:55AM (#2950744)
    If this is the same article mentioned on LWN (can't be sure, since it's slashdotted), this article compared the number of bugs reported against Windows against the number of bugs reported against Red Hat. And Debian. And SuSE. And another distro - forgot which one.

    I'm sure it was an honest mistake that most Linux bugs were counted multiple times.

    But I don't buy into the "bug count" argument anyway. It's a lot like that controversy over the "most decorated US veteran" (Hacksworth?) - a lot of people think that you can have a warehouse full of bronze stars and distinguished service medals and it's all scrap metal next to a single Congressional Medal of Honor (post.).

    What was the last remote root exploit for a widely used Unix service? What about local exploit for a widely used Unix application?

    Now ask the same thing about Microsoft.

    Finally, "NTBugTraq" may be respected but that doesn't mean it never publishes crap -- sometimes for the purpose of shooting it down. I've seen this happen on comp.risks and elsewhere.
  • by Anonymous Coward on Monday February 04, 2002 @12:06PM (#2950842)
    ... and it should be ridiculed. The article compares Windows +bundled services with Linux +all possible services. Add in the security holes by all Windows ISVs, and the number will be astronomical. You can't compare Linux +8 MTAs and 5 HTTP servers with 12 embedded scripting languages with NT+IIS+ASP. Add holes for Cold Fusion and all the other "Server" role exploits under Windows and you'd have a far more valid comparison.
  • by Drestin (82768) on Monday February 04, 2002 @12:12PM (#2950868)
    Actually, IIS hasn't had a hole since last August and IIS 5.1 hasn't had one, period. XP has only had the UPnP hole (new technology, consider it a version 1.00 bug).

    There are FAR fewer holes in W2K than people would like to admit. IE may have some problems but not the base OS. Even IIS has been tighted up a great deal.

    People need to understand something, we know MS almost never get's it right the first time (see version 1.00 bug) and may not the second but eventually they do. OK, they sucked at security to begin but with all those resources and the pressure from the top and from outside - did you really think they'd sit still or get worse? Nope - ask Netscape what happens when you become their focus of attention. Tux comes out and smokes IIS 5 and everyone laughs... according to the results of my beta tests with IIS6, we'll see who's laughing when it's publically benched.

    Your lesson is: MS learns. It's almost never right the first time but... it learns.
  • by Malc (1751) on Monday February 04, 2002 @12:18PM (#2950913)
    If you're going to look at hardened Linux installs, why not look at a hardened Windows install too? You know: one that has been locked properly to meet its C2 certification, e.g. via the resource kit tool c2config.exe or from this page [microsoft.com]. As it stands, the most common distros of Linux do not install with good security, and that is why things like Bastille Linux exists.
  • by blazerw11 (68928) <blazerw&bigfoot,com> on Monday February 04, 2002 @12:23PM (#2950961) Homepage
    Linux (aggr.) has more, but each individual distribution does not. Simply put, if you add up every security issue with every OEM release of Windows (Compaq, Dell, HP, etc.), Windows would aggregate to a much, much higher number. The worst Linux distribution, RedHat, had 95 compared to W2k/NT's 97 (in 2000). And while Redhat was worse in 2001, the Windows numbers don't include XP. (Before you bitch at me about the "single" RedHat vs. the "aggregate" W2k/NT, RedHat had multiple versions out these years.

    What is the Linux (aggr.) anyway? The individual distribution numbers don't add up to that aggregate total. Does bugtraq not even know the Linux distros?

  • by prisoner-of-enigma (535770) on Monday February 04, 2002 @12:25PM (#2950977) Homepage
    Microsoft certainly does little to help those of us trying to secure their systems. The knowledgebase is confusing when it comes to system hardening, and MS loves to ship their products with absolutely every feature and doo-dad turned on. It makes setting up a Win2k webserver such a pain in the ass, but over time we've compiled a checklist that makes things much easier. Much like Linux, we made the checklist with the input and experience of many others.

    Contrast this with a typical RedHat install. Sure, you can elect to not install a ton of stuff, but the dependencies can and will drive you nuts if you need widget-1.12-i386.rpm, which conflicts with Perl, glibc, and about ten thousand other things you don't want to fool with. Then couple that with the overwhelmingly nonexistent or conflicting/out-of-date documentation that is (isn't?) available for some Linux modules, and you're reduced to playing Sherlock Holmes again. And what do you do when the HOWTO doesn't answer your question? Posting in a newsgroup results in about 50% of the responses being "read the HOWTO you fucking l00ser", 40% being wrong/misinformed/don't-know-either responses, and only 10% being useful and helpful.

    What both Windows and Linux need is a "Secure" install option that by default has nearly everything turned OFF, and then a simple way to add/enable functionality as needed. Templates for webservers, DNS, FTP, mail servers, and such would be great, and they should keep pace with patches and updates for the OS and related applications. Why no one has bother to do this is beyond me, but I think this laziness has resulted in 90% of the exploits seen in ALL OS's on the web.
  • by thsths (31372) on Monday February 04, 2002 @12:25PM (#2950979)
    There are FAR fewer holes in W2K than people would like to admit. IE may have some problems but not the base OS.

    Ok, if you tell me how to install W2K without IE, I would even accept this argument.

    Even IIS has been tighted up a great deal.

    You mean it is a lot less insecure now than it used to be? :-)

    BTW, are "user gains access he shouldn't have" really considered on an W2K system? The majority of "linux" bugs seem to be of this type (symlink attack allowing to read some log file or something). Since W2K is still basically a single user system, I would imagine these are not taken to seriously.
  • by Phoenix Rising (28955) on Monday February 04, 2002 @12:28PM (#2950996) Homepage
    Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too;


    Linux DOES have this - there are various and sundry programs which will scan your code for you - even kernel code. And if you don't want to rely on the programmer, there are libraries available for Linux which prevent a number of these holes - automatically.


    My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP


    Of all the boxes I've had to monitor, only a disused Windows box has ever been compromised. I am constantly bombarded with virii and worm attacks from compromised Windows boxes; most of the Linux boxes "attacking" my network are owned by the hackers.


    I'd stand by my Linux install just as soon as I'd stand by any Windows box I've had a hand in hardening.

  • Re:Lousy research (Score:3, Interesting)

    by Asic Eng (193332) on Monday February 04, 2002 @12:29PM (#2951006)
    What I don't get is this: this exact same miscalculation was already in an article referred to by slashdot, about a year ago. Neither slashdot nor the writer of the article seem to have learned anything... I'm somewhat surprised that the slashdot editors didn't point out that mistake right away. It also seems strange that Security Focus would still publish these "aggregate" numbers - they seem to only confuse people, and I don't see what sense these numbers would make?

    Anyway, what I found interesting is that Redhat faires so badly - about as bad as Win2k, and about twice as bad as any other Linux distribution. If SuSE has only 21 tracked bugs, and comes with a lot of software (7 CDs now, I think) is Redhat with 54 entries doing something wrong?

  • by Enahs (1606) on Monday February 04, 2002 @01:03PM (#2951214) Journal
    Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year."



    I'm still a little unclear on what you mean by "unique bugs." So if there's a glibc vulnerability in all distributions, it gets counted only once in the aggregate?



    If so, I'll consider the numbers a little less suspect.



    Thanks in advance.

  • by Lumpy (12016) on Monday February 04, 2002 @01:05PM (#2951220) Homepage
    There are FAR fewer holes in W2K than people would like to admit. IE may have some problems but not the base OS. Even IIS has been tighted up a great deal.

    EXACTLY!!!!!! Sorry you cant count any BIND holes on linux. Or any sendmail, ssh,telnet,ftp,etc...

    so after removing all holes that are for software that runs on the OS, linux has what 1 maybe 2?

    This is why I pitch a royal bitch about most certification and security analyses... they are testing things that are not a part of the CORE OS. and therefore are meking everything a mess.

    Let't take NT4.0 and a slackware linux with packages A and N installed. no software other than what the base os allows. (no ftp, not BIND, no sendmail, no servers of any kind.)

    then let's look at the holes... the number of problems on both sides will dwindle to almost nothing. with NT losing because of the silly run all services as the system account bungle.

    if you were to apply a daemon mindset to Nt, and able to run most of the services as a almost-no-access user, over 1/2 the trouble would evaporate.
  • by Locutus (9039) on Monday February 04, 2002 @01:33PM (#2951250)
    I wonder if these stats would look the same if a count of the bugs in the fix packages were counted and not just the BugTrax ones..... hummmm.

    >
    > This is not an issue of who has more issues, but whose issues get reported and publicized more.
    >

    Well said. The best defense to this FUD I've seen so far. Be sure that there are 100's of Microsoft employees who's only job is to figure out holes in the Linux model such that it makes Windows look better. There was the re-surgence of communism and the GPL cracks the foundation of our economy to name 2 off the top of my head.

    The Microsoft model is to hide the bugs because it makes the product "look" more flawed. Having flown the BSOD flag over Redmond for the last few years shows they NEED to hide the bugs because perception is that the product IS FLAWED. Now the flag is SECURITY and they need to hide the bugs again.... Linux and opensource on the other hand, project reliability and security through openness. So like always, Microsoft uses manipulated statistics to ATTEMPT to show Windows is better. Remember in 1995 when NT sould 100% explosive growth of NT?....

    Your one-liner blows the thousands of dollars spent on that report right out of the water. IMHO.

    LoB
  • by berzerke (319205) on Monday February 04, 2002 @01:51PM (#2951351) Homepage

    while Windows is generally limited to relatively standard installations



    I once got my hands on the oem installation kit and read through the licensing and instructions. Although I didn't understand everything, one thing I did understand is the OEMs, with a few very minor exceptions, must do a default install. They are prohibited, for instance, from removing or disabling IIS. I bet that'll make a big difference in the exploitablity of any bug and hence security.

  • by bwt (68845) on Monday February 04, 2002 @01:51PM (#2951352) Homepage
    As a former quality supervisor, I have to say that the conclusions drawn from this data are badly flawed. Interpreting the results of a measurement, even something as simple as a count, without giving due attention to the measurement process itself, is a classic way to reach wrong conclusions.

    For any measurement to be meaningful, a mechanism of calibration must exist. In the context of counting software defects of any type, some questions immediately arise:
    1. Severity: is there a threshold for including a bug in the count. Is it the same across systems? EG: do each count "privacy bugs"?
    2. Scope of measurement: are the measurements made for comparable functionality of code. EG: If "MS Backoffice" is tallied separately to WinNT is this an apples-to-apples comparison to a linux disto?
    3. Timing: does each measurement count vulnerabilities at the same point in the identification process? EG: Do "theoretical" bugs with no known exploit count? Do bugs in beta versions of particular applications count?
    4. Completeness: are all vulnerabilities reported? are separable vulnerabilities reported separately? EG: if MS internally ID's a bug and fixes it, does it remain secret or will it make its way into the tally? Can three separate bugs be counted as only 1 because the details are kept hidden?

    I believe that linux distros include a lot more functionality, have a higher standard on what constitutes a bug, report bugs early and visibly, and fix bugs much earlier in the vulnerability lifecycle. Every one of these traits would penalize a linux distro on a defect count metric.

    Reported defect counts are generally a lousy measure of quality, because they drive bad behavior: they can be decreased by lowering the quality of identification process instead of improving the quality of the product. Moreover, to draw conclusions about overall system security, I would be more interested in the aggregate lifetime-until-patch of known working exploits.
  • by SilentChris (452960) on Monday February 04, 2002 @01:52PM (#2951354) Homepage
    "linux has always been very open about what is wrong with linux."

    Open, maybe. Willing to change, rarely. Just look at the recent code rift between pre-release forks and the slowly growing consensus that Linux isn't up to the task. Something as simple as a paging system has to be debated endlessly (in the meantime, having different systems with different potential vulnerabilities). We may not be able to look at the MS code, but we can be pretty sure what doesn't work on one machine shouldn't work on another.

  • In order to meet C2, the NT box can't be connected to a network, a serial connection, or a modem. Well, you can, but you can't allow anybody access to it, same thing. What the hell good is it? I remember this from when an employer bribed me to go to a NT class by letting me keep the FreeBSD 1.7 box as the webserver/dns. Heh. I'm not sure about Win2k and C2, though.
  • by uucpbrain (541924) on Monday February 04, 2002 @02:04PM (#2951452)
    The problem here is just that there is no "aggregate Microsoft" category. Heck, there's not even a W95/98/ME category! But if you lumped together all W95/98/ME/2K/NT/XP vulnerabilities, then made sure that you dealt with apps evenhandedly, "aggregate Linux" would start looking great all of a sudden.

    Now consider exploitability. Let's take Mandrake for example -- although their figures are already way lower than NT's (or, no doubt, 95/98/ME's), a default install includes 'libsafe', which means that none of the buffer overflows or format bug exploits will work. There go 3/4 of the theoretical vulnerabilities, including the ones which haven't been discovered yet. And a libsafe rpm could be installed on almost any Linux system in a matter of seconds without breaking anything, making the whole raw tally concept very questionable.

    The only way to secure an MS system that broadly and quickly is to cut the Ethernet cable.

    I leave my Linux box on the Internet without worry, and my investment in security has been maybe an hour and $0.00. I can and do take my time on patches because I know that almost none of the bugs have any chance of being exploited on my system. That is a realistic measure of Linux security, and I will delightedly compare it to Windows any day of the week. Securityfocus' figures, taken by themselves, don't mean anything.
  • Glass half full... (Score:5, Interesting)

    by gnovos (447128) <gnovos.chipped@net> on Monday February 04, 2002 @02:13PM (#2951516) Homepage Journal
    They are looking at this from the wrong perspective. Instead of saying "Linux had more bugs than Windows in 2001" it should say "Linux *fixed* more bugs than Windows in 2001". Simply becuase those Windows bugs haven't been found yet does *NOT* mean tha they are not there waiting to be exploited (or are already being exploited).
  • by C0vardeAn0nim0 (232451) on Monday February 04, 2002 @02:34PM (#2951638) Journal
    requires some methods, and since I'm too lazy today to look for the mothods they used to compile all that data, I'll create my own.

    1- let's stablish what's a windows OS and what's a Linux OS (and the nots too)

    1.1 Windows 3.1 is NOT an operational system. is a graphic user interface (GUI) for DOS. let's assume win 95/98/me and NT 3.5/4.0/2000/XP are OSes.

    1.2 Linux is NOT an OS. Is a KERNEL. the combination between Linux and GNU OS makes the operational system we know as GNU/Linux

    2 Let's determine the minimum instalation of each one that's capable of doing usefull work, including user tasks such as reading e-mail and browsing the web and server tasks such as serving web pages, sharing files, routing e-mail, et al.

    2.1 Both in Windows and GNU/Linux you'll have to select all the packages neccessary to the proposed tasks using the minimum ofered by the standard install CD. If the CD doesn't ofer some of the functionalities they must be downloaded from the manufacturer's site.

    2.2.1 for windows you'll keep only:
    - networking drivers;
    - the standard MS file sharing;
    - Internet Explorer;
    - Outlook express/MS mail;
    - IIS/personal web server
    - Exchange server;

    2.2.1 For GNU/Linux:
    - Network modules and associated tools;
    - NFS or Samba;
    - Mutt os pine (remember, in GNU/Linux you can read e-mail/browse from command line, so XFree is not installed);
    - Lynx or Links
    - Apache;
    - Sendmail;

    3 count the number of security holes in the test systems, including:
    - vulnerabilities to e-mail virii;
    - vulnerabilities to malicious web-pages;
    - remote exploits that grant root/administrator access;
    - local exploits that grant root/administrator access;
    - holes that allows an atacker to succesfully launch a DoS atack, freezing the machine;
    - unauthorized read and/or write access to files;
    - any other vulnerability you can think of;

    In a test like this who do you think'll win ? please post your comments.
  • by peripatetic_bum (211859) on Monday February 04, 2002 @03:56PM (#2952135) Homepage Journal
    Hmmmm,

    I guess I can take you up on two points

    1. Paging debates: Yes, I agree it seems that there has been a lot of talk about it, but it has been out in the open AND the potential vulnerabilities are well known AND if you need security you cant Beat the stable debian kernel 2.2, which I geuss is another way of saying that you Know Very Well that you can have can have problems as you are told up front

    2, We are talking about Pre-Release forks here (which i geuss is part of point 1) and we are talking about MS releaseing Release canidates, but know about Huge Security Holes like the plug and play

    No?

    Thanks
  • Thurrott (Score:2, Interesting)

    by IsoRashi (556454) on Monday February 04, 2002 @04:15PM (#2952223)
    www.WinInformant.com came back up a little while ago, the text of the "article" is basically what was quoted for the topic subject. I tried to do a little digging to find out if the author or the company he works for is affiliated/owned by MS, but wasn't able to really turn up a lot. However, I did find this little rant [radsoft.net] at one site talking about how the credibility of the author is pretty much nil. Can anyone else turn up other info?
  • Oh yeah. (Score:3, Interesting)

    by ikekrull (59661) on Monday February 04, 2002 @04:33PM (#2952309) Homepage
    All the servers infected with a virus hitting my web server requesting http://www/root.exe are UNIX machines, uh huh.

    Why not try this.
    With any of the following IPs, type 'smbclient -L 207.88.220.61'

    If you're more of a cracker than I am, you might then try smbclient //WORKGROUP/C\$ -I 207.88.220.61

    and just hit return when prompted for a password.

    this also works with:

    203.228.232.188
    203.231.119.70
    203.231.166.49
    203.233.20.86
    203.231.216.208
    203.199.54.26
    203.231.217.5
    203.231.122.227
    203.244.13.72

    and countless others.

    These machines (all Win2K) have their entire filesystems exposed over the internet, and are promiscuously advertising their presence because they are infected by a virus that leaves a clear trail in the logs of any web server they attempt to infect.

    These machines are engaged in abuse of my web services, and I hold Microsoft at least partly responsible for this situation.

    Presumably the virus itself is responsible for opening their shares with guest access, but maybe it's M$'s lame out-of-the-box security.

    If your machine's IP is on this (small fragment of my) list of machines banned from accessing my web server due to virus infection, then i suggest you replace your hopelessly insecure OS with a decent one.

    I was incredulous when i analysed my web-servers logfiles and found the sheer number of virus-infected hosts, all Windows NT and 2000, and most of which were sharing the entire contents of their hard-drives over the public internet.

    I know Windows can be secure as the admin is competent, but the ease with which it's security is breached through Outlook/IE is breathtaking.

    The idea that Windows is somehow more secure than Linux/UNIX is laughable to me.
  • by Nailer (69468) on Monday February 04, 2002 @04:41PM (#2952352)
    I'm not really surprised by this. Following the recent long Microsoft DNS outage when it was revealed that quite a few of Micrposoft's own DNS servers were running Linux (not to mention they use akamai for their downloads), Paul Thurrot came out with the classic report that although this might be true `its proves Open Source zealots wrong as Linux wasn't being used for anything mission critical'

    What the fuck? According to WHAT kind of logic is DNS not mission critical? If it its not critical, let's take those DNS servers offline (both Microsoft's and WinInfo's) and see how long either MS or Thurrot last.

  • by Oliver Defacszio (550941) on Monday February 04, 2002 @05:25PM (#2952562)
    Because, in the Win2000 30k bugs article, there were immediately 100,000 zealots slobbering to jump in and agree with the "Slashdot opinion".

    It happens all the time around here so, yes, accusing Slashdot of hypocrisy is most often also correct on an individual user basis.

  • by marktwain (523893) on Monday February 04, 2002 @08:06PM (#2953169)
    I happened to be using a Mac running OS X and Classic (OS9).

    I wanted to comment on the article (I still think it's some sort of joke) and use of I.E. (X), Mozilla (X), iCab (X), WannaBe (9), Mozilla (9), and iCab (9) all crashed on the "add comment link."

    Well, at least it was a good exercise in net-non-compatibility and the non-coder who wrote the html for that pop up window you get clearly knows what he's doing.....coding html exclusively for a Windoze world.
  • by billstewart (78916) on Tuesday February 05, 2002 @01:02AM (#2953933) Journal
    I had a DSL line in my lab, and several machines on it, including out-of-the-box Redhat 6.2 and somewhat-modified Win95 or Win98 (running an out-of-date virus scanner, but not running a MS mail client). Nobody appears to have bothered the Windoze machine, probably because there's not much useful you can do with it. Meanwhile, I named the Linux box "Kenny" because every week it was killed brutally and senselessly :-) Some weeks it was just installing DDOS clients, but at one point they wiped the machine after I'd thrown them off a couple of times in a row.


    Later I upgraded Kenny to a recent Redhat release, either 7.1 or maybe 7.2, running in a medium-security configuration. I didn't notice any problems after that - whatever the popular security holes were had been patched or they were in services I hadn't turned on. I had some other serious problems with those distributions - basically they're not made to be installed on small machines unless you do one big partition or a lot of hand-tuning, and you can't netinstall from a single CDROM drive any more, so you'd better have at least one machine with a lot of disk space. But the security was much improved.


    By the way, a couple of the intrusion detection techniques I used were:

    • Keep a machine on the lan running tcpdump and look at it occasionally. That's how I noticed all the ping-responses to a university in Sweden during the first DDOS round.
    • Don't trust ls or ps to tell you about all of your files or processes. Crackers with rootkits will install friendly replacements - but somehow they didn't think to change /proc, so there were processes that /proc showed that weren't in ps, and there were files that "find" found that ls didn't list. I don't remember if they replaced "top", but the hidden processes were using some hidden files as well as CPU time.
    • If a given network or tcp/udp port keeps bothering you, it's easy to set a router to filter it out.
  • by Anonymous Coward on Tuesday February 05, 2002 @07:29AM (#2954629)

    According to the beginning Bugtrack statements, the WinInfo article is completely backwards. I quote:

    There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.

    This means that all of the Outlook and Internet Explorer vunerabilities are not included in the Win 2000 numbers, but appearently, any Sendmail, Apache, or Modzilla numbers are included with Linux.

    Unless I am reading this wrong, the article is not comparing apples to apples, and shows that there are about as many bugs in the Win 2000 kernel as there are in all of Linuxdom!

  • Re:Waste of time? (Score:1, Interesting)

    by LinSux (554676) on Tuesday February 05, 2002 @09:10AM (#2955031) Homepage Journal
    Why would I want to do that? If I read it at +5 then it will almost completely be pro-linux.

    This is a good article. It's controversial, only because it goes against the grain of the normal /. mentality. And that's a good thing!

    What you're asking me to do is against my viewpoint. I'd prefer to read every discussion raw and uncut, and make my decision based on what I see. Not what the /. editors want me to see.

    But, that's just me.

    (Trying to stay outta trouble. Hand slaps hurt, folks.)

New crypt. See /usr/news/crypt.

Working...