Is Your OS Tough Enough? 597

LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
  • Yet again... (Score:5, Insightful)

    by rpbailey1642 ( 766298 ) <<moc.liamg> <ta> <ttarp.b.trebor>> on Tuesday March 01, 2005 @12:47AM (#11809878)
    I'm not that surprised, but Windows was the least secure. It should be noted that XP SP2 was installed and then the updates were applied "automatically" while none of the UNIX-ish systems had updates installed, just what came on the CDs. I know, competent admins can make any machine secure, but I wonder how MS can sleep at night knowing that their users are at such a high risk, even if they don't DO anything.
  • by Ars-Fartsica ( 166957 ) on Tuesday March 01, 2005 @12:48AM (#11809880)
    Look at all of the software and services running on a modern linux distro - FC3 for example. I have spent a great deal of time shutting off everything I really don't need and erasing piles of useless rpms installed by the distro (it's 2005 - I don't need talk). Any software you don't use or services you do not need are just potential security holes.
  • Lame article. (Score:5, Insightful)

    by Seumas ( 6865 ) on Tuesday March 01, 2005 @12:48AM (#11809882)
    Just because people can knock on every door doesn't mean that every door is as insecure as the next. You can knock on every door in a neighborhood, but some will be better constructed and have more secure locks. Still, none prevent one from knocking.

    If they're only tracking ping/scan attempts, there is no reason to even include mac/linux in this.
  • Yeah (Score:5, Insightful)

    by elid ( 672471 ) <eli.ipod@[ ]il.com ['gma' in gap]> on Tuesday March 01, 2005 @12:49AM (#11809886)
    I don't think end users can be trusted to protect their computers. At a minimum, providers of Cable and DSL should make customers use modems with built-in NAT/firewall.
  • RTFA (Score:3, Insightful)

    by jleq ( 766550 ) <[jleq96] [at] [gmail.com]> on Tuesday March 01, 2005 @12:51AM (#11809899)
    And I quote:

    Windows XP Service Pack 2
    Attacks: 16
    Results: Survived all attacks

    Windows is *obviously* attacked more, simply because it is the most popular operating system. If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place? It's simply more logical for those evil people to write software that attacks Windows... secure or not secure, it's going to be the primary target until it loses its market dominance.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday March 01, 2005 @12:53AM (#11809910)
    Comment removed based on user account deletion
  • by chrisbtoo ( 41029 ) on Tuesday March 01, 2005 @12:58AM (#11809940) Journal
    "SP 1 is not a current operating system," said Sundwall. "It doesn't surprise me that it only took 18 minutes to get infected."

    Ah, but would it have surprised him when it was still current? ISTR that back then, the time was a far more robust 20 minutes.
  • by Anonymous Coward on Tuesday March 01, 2005 @01:00AM (#11809950)
    They claim that they used a computer right out-of-the-box, right? When did they do this little test? It says near the bottom they used Mac OS X Jaguar! Apple hasn't sold a Mac with Jaguar installed for over a year! Not saying that Jaguar was insecure, but doesn't it seem odd that they'd use SP2, (which came out only a couple of months ago) and use an older release of a Mac OS?

    Just seems a little unfair, that's all... (bahaha! Jaguar less secure than SP2!?! What am I thinking!)
  • SP1 Earns a pass? (Score:5, Insightful)

    by salemlb ( 857652 ) on Tuesday March 01, 2005 @01:04AM (#11809965)
    According to the article, no one was all that surprised Win XP SP 1 went down in 18 minutes. After all, it is not up to date... it is essentially an old OS, right? So this is expected, right? Old OSs should be broken into, right? And then we have OS X 10.2, aka, Jaguar. No successful attacks. Older OS, check. Not up to date with all the latest security features that are in Panther, check. And not one successful attack. One company makes an OS that still stands after two and a half years... one company makes an OS that only stands after a major major major patch and constant updates that sometimes break software. Now, which company's OS would I choose to build a secure network? Sure, it's a flawed argument, but still I think worth noting.
  • Ixna (Score:2, Insightful)

    by WindBourne ( 631190 ) on Tuesday March 01, 2005 @01:06AM (#11809977) Journal
    First, comcast (with qwest being the 2nd to last) is one of the last companies that I would trust. 2nd, I do not use a NAT/firewall from the outside. I have several exposed boxes that do great jobs year after year. The last thing that I need is for a bunch of screw-ups to tell me how to run a secured system. As to all the insecure boxes out there, they can switch to Apple, Linux, or BSD. They do not have to be running windows.
  • firewall.. (Score:5, Insightful)

    by Cryptnotic ( 154382 ) * on Tuesday March 01, 2005 @01:06AM (#11809980)
    First of all, you should be behind a firewall that disallows incoming connections to almost everything. Even if you're not, FC3 has a kernel firewall enabled that blocks just about everything.

    As for the packages, who cares if they're just sitting on your HD taking up space?

    For a server machine "outside the wall" it's important to keep things as lean as possible. But for your desktop machine, who cares?

  • Re:RTFA (Score:5, Insightful)

    by geminidomino ( 614729 ) * on Tuesday March 01, 2005 @01:19AM (#11810031) Journal
    If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place?

    IIS vs. Apache seems to deny this conclusion.
  • Re:RTFA (Score:2, Insightful)

    by pixelgeek ( 676892 ) on Tuesday March 01, 2005 @01:19AM (#11810032)
    -- If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place?

    Well if Windows was secure then you would.

    It doesn't matter how popular an OS is. If it is riddled with holes that scammers can exploit to create DDoS or spam zombies then they will.

    Regardless of the marketshare. 15 million Mac boxes would still be a tempting target for these people if there was a known security hole they could exploit. The same with Linux, Redhat or any other OS you care to mention.

    Windows gets hit with these worms and virii simply because of the inability (or lack of concern on the part) of Microsoft to patch their OS...not because of any market share numbers
  • Re:Yet again... (Score:3, Insightful)

    by megarich ( 773968 ) on Tuesday March 01, 2005 @01:21AM (#11810039)
    What bothers me with windows is home use. You know how many home users are out there WITHOUT the latest patches because they don't know any better.

    My friend had to reinstall his parents' computer because it was too infested with virus/spyware and I had to yell at him to put on sp2 which he still didn't do because it wasn't showing up on windows update or something like that.

    People with older dell systems pre sp2 just don't know and that scares me.

  • Re:RTFA (Score:3, Insightful)

    by azav ( 469988 ) on Tuesday March 01, 2005 @01:25AM (#11810051) Homepage Journal
    The article does mention how vulnerable the Mac was out of the box.

    3 attacks, no compromises, right out of the box.
  • by The Master Control P ( 655590 ) <ejkeeverNO@SPAMnerdshack.com> on Tuesday March 01, 2005 @01:25AM (#11810052)
    If you're gonna put your system on a direct connection to the internet, you should use a secure operating system. And implicitly, if you want that operating system to go more than 2 months between r007ings, you should lock it down.

    Nothing us geeks don't already know. Anyway, I can believe 6 systems got attacked 40 thousand times in one week. I check my own system logs often enough, and there's usually some inbound packet on a disallowed port dropped every 10 to 40 minutes. Usually two or more attempts or blocks of attempts to login via ssh every day. Probably 10+ malformed GETs a day in the Apache logs. And this is my little residential gateway that gets about 4 legitimate hits to its Apache server (which I'm not supposed to run) per day. That's about 250 attacks per week per server, or close to 1500 for 6. Take a website with non-trivial traffic, and it's easy to reach 40K/week. Since I'm pretty sure that DenverPost.com gets more than 25x my traffic, I'm surprised it was only 40K.

    Other than saying that a lot of shit flies around the internet, the article was very skimpy on details. Not surprising, since an article that explains what a 'worm' and a 'virus' is is obviously not aimed at 1337 geeks. But it would have been nice to know what's installed on them.

    For example, was it a full server install of Linux? (CUPS, httpd, ftpd, ntp, ssh, sendmail, etc?) Or just a minimal install with no server software installed a la home Windows? Quite a difference. How long would either of the Windows machines have lasted if they'd had Microsoft's server software installed too? Check secunia.com for Windows XP home, IIS 6 [secunia.com], or SQL Server [secunia.com] - It seems that ~1/4 of the known security holes in Microsoft's software are always unpatched. Contrast that with Apache, proftpd, Mysql 4, cups, OpenSSH, and Sendmail, which on Secunia currently share 10 vulnerabilities between them all (9 of them 1/ or 2/5 for severity, and one 3). Of the 3 tested Linux OSes, Red Hat 9 has one not-critical vulnerability listed.

    It is certainly possible to make a Windows server or desktop reasonably secure, but compared to comparably securing a Linux server or desktop, would seem to require a monumental effort. And it's not just that Linux is more configurable - The FOSS community (judging by open holes) has done a far better job patching their software than MS.

    Well, off to overdose on the Numa Numa Dance...
  • by Anonymous Coward on Tuesday March 01, 2005 @01:25AM (#11810054)
    NO ONE stops to think that there's just millions more Windows computers out there? Windows got the most attacks because there's MILLIONS more potential sources of attack. Those millions more units mean it's more worthwhile to hack Windows, because there's tons more systems at stake. So, a majority of hackers on the web are working on a base of computers whose OS absolutely dominates the marketplace.

    I wonder why it tends to be "less secure" in the end... GET A CLUE! This test barely reflects anything other than Microsoft's market share, no matter how hard you want to tilt it in your own direction.

    Not to mention the line "The good news is that none of the up-to-date, patched operating systems succumbed to a single attack." That. Includes. The up-to-date. Windows box. Too. Which suffered LOTS more attacks (again, more units, more at stake) and withstood them all- meaning it was technically MORE secure because it withstood harsher testing and came out unscathed.
  • Re:Lame article. (Score:3, Insightful)

    by Ridgelift ( 228977 ) on Tuesday March 01, 2005 @01:25AM (#11810056)
    Just because people can knock on every door doesn't mean that every door is as insecure as the next. You can knock on every door in a neighborhood, but some will be better constructed and have more secure locks. Still, none prevent one from knocking.

    You're right, but it's a fluffy piece targeted at your mom and her friends, not you and me. The fact that this sort of stuff is getting into the news is a good thing. I'd say more than 90% of all Windows users are not protected properly, and they don't really care. Keeping your computer up-to-date is about as high priority as is changing the filter on your furnace.

    It's a computer - it should be the job of the operating system to protect itself. It isn't, but it should be.
  • Re:Lame article. (Score:3, Insightful)

    by Jedi Alec ( 258881 ) on Tuesday March 01, 2005 @01:29AM (#11810072)
    Just because people can knock on every door doesn't mean that every door is as insecure as the next. You can knock on every door in a neighborhood, but some will be better constructed and have more secure locks. Still, none prevent one from knocking.

    Well, I could think of a *few* things...how about a gate to prevent access to the premises itself? (it's not like a little 4 port NAT/router/firewall is expensive these days). Especially for Joe User who doesn't need all sorts of ports open since he's only browsing and emailing anyway it should work fine, things get a little more complicated if you want to get into gaming, but then again, the kids will likely know which ports to reroute.
  • Life on the edge (Score:3, Insightful)

    by erwin ( 8773 ) on Tuesday March 01, 2005 @01:31AM (#11810084)
    first, I didn't RTFA, but I wanted to relate our experience at a recent technology conference my employer hosted. The names of the guilty/innocent have been scrubbed to keep this post from being moderated into Flamebait.

    Part of the conference was a series of hands-on labs that we were hosting using loaner equipment from major manufacturers. The network was provided by a major ISP through a national hotel (where this part of the conference was being held).

    The labs were assembled by volunteers, and were pretty much infected beyond use with spyware and viruses within about 10 minutes of coming online. It was the worst thing I'd ever seen. We had 20+ people scrubbing the machines off-line for literally HOURS, only to have them reinfected once they came back online (now behind a firewall).

    To compound the issue, we couldn't feasibly reimage the machines because the vendor donating them gave us at least 10 different models with 2-3 variations on each model.

    In the end we threw in the towel, refunded people's money, and let the Mac lab (which remained unaffected) continue their presentations.

    just my $.023233432322
  • Outdated Mac OS X (Score:1, Insightful)

    by HitByASquirrel ( 710289 ) on Tuesday March 01, 2005 @01:40AM (#11810129)
    If you notice, Jaguar (Mac OS X 10.2) was used in this test. This is an operating system that was phased out in late 2003.

    There's something to be said about that VS a windows PC with SP1 installed.
  • Re:Yet again... (Score:1, Insightful)

    by Anonymous Coward on Tuesday March 01, 2005 @01:51AM (#11810181)

    What bothers me with windows is home use. You know how many home users are out there WITHOUT the latest patches because they don't know any better.

    My friend had to reinstall his parents' computer because it was too infested with virus/spyware and I had to yell at him to put on sp2 which he still didn't do because it wasn't showing up on windows update or something like that.

    People with older dell systems pre sp2 just don't know and that scares me.

    While users not knowing is part of the problem there's another aspect: Those that know but refuse to do. Your friend is a prime example. It's not just ignorance that's the problem.
  • Re:Of course (Score:5, Insightful)

    by Mistlefoot ( 636417 ) on Tuesday March 01, 2005 @02:01AM (#11810224)
    The fact is.......

    that anyone selling a box online without putting the most recent patches on the operating system provided should be shot. At a bare minimum making certain that reasonable measures are taken like some sort of firewall and an OS updater running OR a caveat to the buyer should be required.

    Putting up a box with an almost 4 year old unpatched OS is stupid and it should not have been included in the test. To include the original XP and not, let's say, RedHat 7 for example shows a bit of a skewed result.

    Windows is already more prone to attacks. There really is no need to offer the original XP in the story EXCEPT to show users how important it is to patch after a format or system recovery.
  • by Spoing ( 152917 ) on Tuesday March 01, 2005 @02:03AM (#11810229) Homepage
    1. Look at all of the software and services running on a modern linux distro - FC3 for example. I have spent a great deal of time shutting off everything I really don't need and erasing piles of useless rpms installed by the distro (it's 2005 - I don't need talk). Any software you don't use or services you do not need are just potential security holes.

    While I agree, I was stunned looking at the results of a Nessus scan (default) after completing a default install of Solaris on Sparc (E450). Wow. 9 known security holes and a bunch of services on by default and listening on open ports.

    Sure, it's not Windows-bad, though it wasn't what I expected in the latest revision of Solaris (I've used a previous version of SunOS and have installed Solaris 8 & 9 on both x86 and Sparc hardware). Fedora Core does a much better job by default -- though I agree FC3 needs to be purged to make it clean and fully trustworthy.

  • um, it seems like gentoo has shielded you from the world of actually compiling software yourself... if a program can use alsa, but you don't have it, chances are, there is a --disable-alsa switch in the ./configure script. It's not all that difficult to throw commands... Sure, emerge something sounds nice and all, but what do you really learn? A lot of gentoo folk claim that they 'learn' a lot about linux during the install... I think that this is more along the lines of "they learn about gentoo" more than anything else.

    With fedora, it should take less than two minutes to disable the services that you don't need either through the System Services gui, or through the chkconfig command. Why the above poster even bothers removing packages (unless he has drive space constraints) is beyond me. And I have found that "You will spend a lot more time fixing a redhat system." is pure B.S. Care to elaborate on that a little bit, back it up with some real-world situations? up2date... with a good mirror, I have all the latest and greatest security patches in 1/50th the time it takes you to recompile all of your packages. Wanna upgrade my distro? Point yum to the new repository... 1/2 hour, done. Over the course of a year, it is obvious that gentoo requires a lot more work than a package based distro.
  • Riiiiiiiiiight.... (Score:4, Insightful)

    by theantix ( 466036 ) on Tuesday March 01, 2005 @02:08AM (#11810250) Journal
    Microsoft's leadership position means that more viruses are written for Windows, said Silver, who estimates that 96 percent of all desktops and laptops worldwide used Windows at the end of 2004.

    So Microsoft gets a pass on viruses because it is popular and has a lot of software written for it? And then those same people use the amount of software available for MS Windows as a reason why Windows is superior. You can't have it both ways: if you think Windows has an advantage because of a larger application base you have to include the malware applications like viruses and spyware as well.

    You could wrongly argue that when Linux has a larger installed base it will have the same problems as MS Windows. But even if that were true, its new popularity would mean that more commercial applications like Photoshop would be written for it also. The blade turns both ways for better and for worse, yet MS Windows apologists try to claim the best of both worlds.
  • Re:RTFA (Score:3, Insightful)

    by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Tuesday March 01, 2005 @02:10AM (#11810256) Homepage Journal
    I think that makes the numbers MORE meaningful, not less! If the big sites are all using Apache and not getting hacked (even though the incentive is high), then that means Apache is doing pretty well!

    Compare that to joe-average user who's unknowingly running IIS and getting hacked even when there's no incentive for a hacker to 0wn him.
  • by billatq ( 544019 ) on Tuesday March 01, 2005 @02:32AM (#11810339)

    There should always be a router between any personal system and the Internet. Not a kludgy firewall/filter, mind you, but a simple NAT-translation router that puts your machine in a private address space. Hackers can't hack what they can't get to.

    Actually, that's not quite correct; take a peek at rfc2663: http://www.faqs.org/rfcs/rfc2663.html [faqs.org]. In a somewhat roundabout way in the security section (Section 9), it says not to use it as a "Firewall", but rather in conjunction with a firewall.

    The reason for this is that if someone spoofs an address in your nat range, it passes through unfiltered. Bottom line is to not rely on NAT alone for a firewall; always use it in conjunction with real filtering. Thankfully most consumer boxes will do this already, so it's practically a moot point.
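    The point above about NAT not being a firewall, as an added illustration written for this thread (it is not billatq's code, nor anything from RFC 2663 or a real NAT implementation): a toy Python model of a home gateway that does bare port translation beside one that also keeps per-connection state. Every address, port and packet in it is a constructed sample value, and the gateway class is a deliberate simplification of my own.

```python
"""Why NAT alone is not a firewall (the RFC 2663 point made above).

Added illustration, not the commenter's code or any real NAT
implementation. Two inbound policies on a toy home gateway:
  * a bare NAT that forwards any inbound packet whose destination port
    has a translation entry, regardless of who sent it;
  * a stateful filter that also requires the packet to match a flow an
    inside host actually opened.
All addresses and ports are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for a new-connection attempt, False for a reply


class Gateway:
    """Translation table plus (optionally) a table of flows opened from inside."""

    def __init__(self, public_ip: str, stateful: bool):
        self.public_ip = public_ip
        self.stateful = stateful
        # external port -> (inside ip, inside port), created by outbound traffic
        self.nat_table: dict = {}
        # (remote ip, remote port, external port) for every flow opened from inside
        self.flows: set = set()
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet and remember the mapping and flow."""
        ext_port = self._next_port
        self._next_port += 1
        self.nat_table[ext_port] = (pkt.src_ip, pkt.src_port)
        self.flows.add((pkt.dst_ip, pkt.dst_port, ext_port))
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.syn)

    def inbound(self, pkt: Packet) -> str:
        """Decide an outside->inside packet: 'forward:<inside ip>' or 'drop'."""
        mapping = self.nat_table.get(pkt.dst_port)
        if mapping is None:
            return "drop"  # no translation entry: NAT has nowhere to deliver it
        if self.stateful and (pkt.src_ip, pkt.src_port, pkt.dst_port) not in self.flows:
            return "drop"  # mapped port, but not the peer the inside host spoke to
        return f"forward:{mapping[0]}"


def scenario(stateful: bool) -> dict:
    """Three inbound packets against a gateway with or without connection state."""
    gw = Gateway("203.0.113.10", stateful)
    # The inside host opens a connection to a web server.
    out = gw.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80, syn=True))
    # The server's reply, addressed to the gateway's external port.
    reply = Packet("198.51.100.5", 80, gw.public_ip, out.src_port)
    # A different outside host sends to that same external port.
    other = Packet("192.0.2.66", 80, gw.public_ip, out.src_port)
    # An outside host probes a port with no translation entry at all.
    probe = Packet("192.0.2.66", 4444, gw.public_ip, 445, syn=True)
    return {
        "reply_from_peer": gw.inbound(reply),
        "other_source_to_mapped_port": gw.inbound(other),
        "probe_to_unmapped_port": gw.inbound(probe),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "bare NAT", scenario(mode))
```

    Run as a script it prints the three cases under both policies. The only case that differs is the packet sent to a mapped port by a host other than the one the inside machine talked to: the bare NAT delivers it inside, the stateful filter does not, which is the difference the RFC's security section is pointing at.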

  • Re:RTFA (Score:3, Insightful)

    by geminidomino ( 614729 ) * on Tuesday March 01, 2005 @02:32AM (#11810340) Journal
    It doesn't matter if Apache runs on things "other than Linux" (Thanks for pointing that out, BTW. Here I thought my Apache server running on FreeBSD was some kind of mutation). The point is that Apache is deployed wider than IIS, and yet is exploited less often, short circuiting the myth that the only reason MSFT software is owned so widely is because of greater deployment.
  • Re:Not News (Score:5, Insightful)

    by KevMar ( 471257 ) on Tuesday March 01, 2005 @02:34AM (#11810348) Homepage Journal
    Exactly, This does not tell us anything we did not know before. How many honeypot papers have told us this already.

    It is sad that the internet has become so hostile. At work I connected one of our servers to a connection on the outside of our firewall for some remote support (didn't have the VPN papers signed yet). The moment that I enabled the nic, the server informed me that the RPC Service has failed and the computer will shut down.

    I was foolish for not checking the patch levels. I assumed that someone else was on top of that. A mistake I will not make again. But home users have problems of their own. They don't know they have to keep it patched. If I had my grandma running Linux, I would be the one patching it. What about converting all my friends and family to Linux? I would be so overwhelmed keeping each one current.

    As it stands, I format, install XP w/ SP2, change their user accounts to limited access, install spyware detection, antivirus, leave the firewall and automatic updates on, and finally put firefox on the desktop.

    At the same time, I have to explain why XP is better than the 98 or ME that came with the computer, what SP2 is and why it takes so long, what a firewall is, what firefox is, why I created a special admin account for them to install stuff with and why they should never surf the web while logged into admin with the red background.

    And if you are a slashdot regular, I am not telling you anything new. I should release this as a news story, but as we all know, this is not news. It's just the way it is.

    --
    Kevin Marquette [blogspot.com]
    antispyware [blogspot.com]
  • Re:Lame article. (Score:4, Insightful)

    by Meetch ( 756616 ) on Tuesday March 01, 2005 @02:35AM (#11810349)
    Still, none prevent one from knocking.

    Mmmm... sentry guns.

    But seriously (just a little OT), the response to a knock can be tuned easily enough:

    • Firewall. Your bouncer only lets in whoever he's been taught to trust. Or you can give it a guest list. Many broadband interfaces can also present a "false" front door thanks to IP Masquerading. Neither is 100% foolproof, but they do make life harder, especially for bulk tools used by script kiddies.
    • Silently DROP incoming SYN packets on unused ports. Like having a trapdoor under the doormat - what knock?
    • Something I liken to Neighbourhood Watch - at the first sign of a port scanner, broadcast to your friends and concerned neighbours of the attempt so they'll be wary of the stranger.
    • Use your own bot army to DoS the attempted intruder. Something like a Claymore on the doorstep?
    Then there's antivirus, groupware... the difference as I see it is the tools to do these are freely available with basically anything *n[iu]x*, while you tend to have to pay for a decent solution that runs on your favourite monopolistic vendor's OS. Not always, mind, but typically. Since I paid for XP (keeping it up to date), no software but games have cost me anything - AVG/OpenOffice/Mozilla + extensions/software that comes with purchased hardware... etc etc... it's pretty easy to meet license terms when you're not putting things to commercial use. This also means I'm not running any networked services publicly, so this box never accepts an incoming connection from the cloud.

    As for the stuff that does matter - web, database etc services... I leave that to my Linux box, running just what it needs to, and I take a little time semi-regularly to ensure it stays close enough to up-to-date. It hasn't let me down as yet (neither did FreeBSD while I was running that too), and this is year 13...

    Disclaimer: I don't know everything, but I know what ideas I like. And just because I like the idea, doesn't necessarily mean I implement it.

  • Re:RTFA (Score:4, Insightful)

    by innosent ( 618233 ) <jmdorityNO@SPAMgmail.com> on Tuesday March 01, 2005 @02:35AM (#11810350)
    You're almost right. XP SP2 may not have services available out of the box, but take the average user, and it will have services available. Most people with more than one computer will share a printer or files within their house. XP would recommend that they disable the protections for the SMB ports, which would open up virtually the entire system, since MS tends to use the services that listen on ports such as 135, 137-139, and 445 to do a lot of things, not just share files. Also, you're forgetting about what happens when people actually USE a system, like browsing the web or checking email. At that point, the security model of Windows simply cannot compete. Regardless of software issues (any software app can and will have security bugs), the OS should not allow a normal user to have system level access. IE is a system process, it has access to everything, so an IE bug exploit can do anything it wants. A bug in a UN*X app can only gain the privileges of the person running it.

    So yes, for useless systems, Windows XP SP2 is right at the top, but if you're going to just install an OS and let the computer just sit there, never to be used, why pay $100 to license the OS?
  • Re:Not News (Score:3, Insightful)

    by Dizzle ( 781717 ) on Tuesday March 01, 2005 @02:35AM (#11810353) Journal
    My head asplode.
  • by spacecowboy420 ( 450426 ) * <rcasteen@NOsPam.gmail.com> on Tuesday March 01, 2005 @02:41AM (#11810371)
    Reread the post.

    Only windows propagates the viruses, and only windows gets them.

    No propagating virus etc has been written for *nix. Yet.

    No matter your level of objectivity, the FACTS speak loudest.
  • by CrackerJack9 ( 819843 ) on Tuesday March 01, 2005 @03:07AM (#11810444) Journal
    I'd recommend Snort or an IDS of some type. Sorting through the logs (pretty easy with some knowledge of them and sql commands) you could easily generate a count of a specific alert (port scans). I have a catch-all rule that looks for SYN packets and specify some specific ports as well.
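    One way to do the counting described above, as an added example written for this thread (it is not CrackerJack9's setup, nor Snort's own tooling): it parses the kind of silently dropped inbound SYNs that The Master Control P sees every 10 to 40 minutes and that Meetch's "trapdoor under the doormat" rule produces, loads them into SQLite, and answers three questions with SQL: how many drops each source caused, which sources look like port scanners, and how many hits landed on the SMB/RPC ports innosent lists (135, 137-139, 445). The input format is iptables/netfilter LOG output rather than Snort alerts, which is my assumption; the log lines are constructed for the example and use documentation address ranges; the log year, the "DROP " log prefix, the scan threshold and the time window are all assumptions labelled in the code.

```python
"""Count firewall DROP events and pick out port scans with SQL.

Added example for this thread, not any commenter's code and not Snort's
tooling. Input is iptables/netfilter LOG output (an assumption; Snort
alerts would need a different parser), loaded into SQLite so the counting
is a couple of queries. The sample lines below are constructed and use
documentation address ranges (RFC 5737).
"""
import re
import sqlite3
from datetime import datetime
from typing import Optional

# Fields written by the netfilter LOG target that the queries use.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
_STAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
LOG_YEAR = 2005  # syslog omits the year; assumed for the constructed sample
LOG_PREFIX = " kernel: DROP "  # assumes the rule was given --log-prefix "DROP "
SMB_PORTS = (135, 137, 138, 139, 445)  # the ports called out in the thread

# Constructed sample: one fast scanner, one slow SMB prober, one stray SYN,
# and an unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Mar  1 01:25:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=4444 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 01:25:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=4445 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 01:25:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=4446 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 01:25:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=4447 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 01:25:02 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=4448 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 01:25:02 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=4449 DPT=135 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 01:25:03 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=4450 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 01:25:03 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=4451 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 01:31:12 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=48 TTL=112 PROTO=TCP SPT=1063 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  1 01:44:51 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=48 TTL=112 PROTO=TCP SPT=1091 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  1 01:58:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=48 TTL=112 PROTO=TCP SPT=1120 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  1 02:10:40 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 LEN=60 TTL=60 PROTO=TCP SPT=33412 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 02:11:02 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.99 port 33420 ssh2
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one DROP line, or None for any other log line."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(_FIELD.findall(line))
    stamp = _STAMP.match(line)
    if stamp is None or "SRC" not in fields or "DPT" not in fields:
        return None
    when = datetime.strptime(f"{LOG_YEAR} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
    return {
        "ts": when.isoformat(),
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields["DPT"]),
        "syn": int(" SYN " in line),  # TCP flag token as the LOG target prints it
    }


def load(lines) -> sqlite3.Connection:
    """Parse the lines and load the DROP events into an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE drops (ts TEXT, src TEXT, dst TEXT, proto TEXT, "
        "spt INTEGER, dpt INTEGER, syn INTEGER)"
    )
    rows = [r for r in map(parse_line, lines) if r is not None]
    conn.executemany(
        "INSERT INTO drops VALUES (:ts, :src, :dst, :proto, :spt, :dpt, :syn)", rows
    )
    conn.commit()
    return conn


def drops_per_source(conn):
    """How often each source address was dropped, busiest first."""
    return conn.execute(
        "SELECT src, COUNT(*) FROM drops GROUP BY src ORDER BY COUNT(*) DESC, src"
    ).fetchall()


def likely_scanners(conn, min_ports=5, window_seconds=60):
    """Sources whose dropped SYNs hit at least min_ports distinct ports, with the
    first and last of those SYNs no more than window_seconds apart (thresholds assumed)."""
    return conn.execute(
        "SELECT src, COUNT(DISTINCT dpt) FROM drops WHERE syn = 1 GROUP BY src "
        "HAVING COUNT(DISTINCT dpt) >= ? "
        "AND (julianday(MAX(ts)) - julianday(MIN(ts))) * 86400 <= ? "
        "ORDER BY COUNT(DISTINCT dpt) DESC",
        (min_ports, window_seconds),
    ).fetchall()


def smb_probes(conn):
    """Per-source count of drops aimed at the SMB/RPC ports."""
    marks = ",".join("?" * len(SMB_PORTS))
    return conn.execute(
        f"SELECT src, COUNT(*) FROM drops WHERE dpt IN ({marks}) "
        "GROUP BY src ORDER BY src",
        SMB_PORTS,
    ).fetchall()


if __name__ == "__main__":
    db = load(SAMPLE_LOG.splitlines())
    print("drops per source:", drops_per_source(db))
    print("likely scanners:", likely_scanners(db))
    print("SMB/RPC probes:", smb_probes(db))
```

    The scan heuristic is deliberately simple (distinct destination ports per source inside a short window), which is why the slow prober that hits only 445 and 135 over half an hour shows up in the SMB query but not in the scanner list; tuning the thresholds is the usual trade-off between catching slow scans and flagging ordinary background noise.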
  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Tuesday March 01, 2005 @03:11AM (#11810457) Homepage Journal
    This reminds me of the fuss over the Internet Auditing Project, six or seven years ago, in which it was revealed that something like 1 in 3 Unix systems were vulnerable to attack, across the entire visible realm of the Internet.

    The data collected was interesting, in that it did show that admins were way too lazy and complacent. However, the resolution of the information presented was too low to actually do anything useful.

    This is much the same. It is interesting, it does show the perils of negligence, but there are way too many variables and unknowns for this to be actually useful in preventing attacks.

    Did attacks vary with time? Did attackers fingerprint the OSes and then target Windows (explaining why there were fewer attacks on other systems) or did they target all machines equally but with attacks assuming a Windows OS?

    How were attacks counted? By what measure was something deemed an attack, as opposed to something accidental or incidental? (Broadcasts happen, guys, especially on something like cable where you've a shared line.)

    For that matter, was this using a shared line or something dedicated? What was the bandwidth used? Would the stats have differed, if there had been a greater capacity to handle the traffic?

    Although we're told this just dealt with machines "connected to the Internet" and not going to websites, that is not strictly the case. The Windows boxes did auto-updates, which means that they had transmitted data. If it was a shared line, or if there was a hacked machine en-route, the Windows boxes would have been visible and identifiable as Windows machines. The Linux boxes, transmitting nothing, would be much stealthier and therefore only prone to genuinely random scans.

    In consequence, what can we really conclude from this test? I would say nothing, unless it was re-run with Linux simulating calls to the Windows update system at Microsoft.

    If we saw an explosion of attacks, as a result, then we can argue that it is not Windows that attracts the assaults but the patching mechanism.

    There is a lot that COULD be learned, through rigorous controlled tests, but as this was neither rigorous nor controlled, I don't see that we learn anything other than the world isn't 100% safe. If the researchers didn't know that beforehand, I pity the researchers.

  • by Marran Gray ( 722447 ) on Tuesday March 01, 2005 @03:22AM (#11810504) Journal
    While I agree that it might have been instructive to include, say, RedHat 7 in the lineup, security of original XP is still an important consideration. First, to hear MS at the time, XP-SP1 should have been more solid then and should be more solid now. But far more importantly, we see how vital it is to fully patch your XP system before connecting it to the internet. And where do I get those patches from? Oops...

    The catch-22 is that time-to-infection is much shorter than time-to-patch for Windows XP, even with a contemporary internet connection. If you don't have SP2 media, and don't have some other means of (manually) acquiring the latest patches, you're dead in the water. Yes, there are workarounds; you can install some ice of your own before you connect, for that matter, but that obviates all the really neat security features of SP2 with a 3rd-party solution. "Not the solution he had in mind..."

    Admittedly, part of this is due to the fact that Windows is "productized", i.e. you have a box containing Windows and you can add patches. With Linux operating systems I think there's a lot more sensitivity to versioning and awareness of granularity; you aren't working on this monolithic thing in need of repair but on a collection of components which can be individually upgraded. Partly psychological, yes, but you also have the advantage of simply leaving out "risky" components until you can get everything up to date. You can run a Linux OS with no services, nothing particularly visible except the interface you're downloading updates through. That's not an option with Windows.
  • by martinoforum ( 841942 ) on Tuesday March 01, 2005 @03:37AM (#11810566)
    Oh, be quiet. I use Gentoo, but there's no sensible reason to think that Average Joe Gentoo is going to know more about linux security than Average Redhat Employee.

    Gentoo is not more secure, it just gives you the ability not to build stuff you don't want. That's entirely possible with other systems too, and the difference is that some of those (Fedora, for example) will set up a nice firewall etc before you get around to doing it yourself.
  • Re:Yeah (Score:3, Insightful)

    by vijayiyer ( 728590 ) on Tuesday March 01, 2005 @03:41AM (#11810577)
    Why should those of us who are responsible, don't use Windows, and don't want NAT or a firewall be forced to use one? Thankfully, I have a provider who doesn't handhold me, block ports, or tell me that I can't use my connection for business. They give me my IP, and I pay for my bandwidth, the way it should be. A better solution would be to cut off access to those who are perpetrating or supporting attacks. That includes people whose machines become zombies used in DDoS attacks, worms, etc. That would have the effect of only punishing hackers and people who are part of the problem (usually through stupidity).
  • Re:Of course (Score:4, Insightful)

    by RenatoRam ( 446720 ) on Tuesday March 01, 2005 @03:57AM (#11810646)
    What a silly question... most of the world is still on modem dial-up, and most of the people who have DSL (at least in Italy) have USB ADSL modems, and as such they are directly on the internet just as well.

    Only tech savvy people know that there is a reason to spend double (but still as low as 40EUR AFAIR) to buy an ethernet modem/router. The other 95% will simply buy the cheapest (and crappiest) USB modem on the market. Or worse, they'll take the leased one from the telco: they specifically seem to choose the worst models :-)
  • by MrEcho.net ( 632313 ) on Tuesday March 01, 2005 @04:42AM (#11810766)
    1: Most Windows users think it's some kind of toy or fancy game console. No joke. Security to them is locking the front door, if you know what I mean.
    Some of these people might from time to time see something on TV about viruses, but other than that, they have no idea about patches.
    The flip side to that is the people who see the AOL TV ads. I feel really sorry for them, and for us who have to fix their computers afterwards.

    2: Most of the "UNIX" community respects one another, and doesn't want to trash someone else's box "just for the fun of it".
    That and it's a lot harder to "hack" it because there is a lot more of a diverse range of programs and versions of those programs.
    The attack might only work for one version, but there is only a small percentage of computers out there that even run that version.
  • by Lisandro ( 799651 ) on Tuesday March 01, 2005 @06:07AM (#11811014)
    That's the sweetness of the notorious USE flags in Gentoo. If you want ALSA support in your programs, add it to the USE flags; if it's not there, packages that don't require ALSA functionality (i.e., have it as an option) will be compiled without it - it might be, just like you describe it, with a proper switch at compile time. It's simple, sleek design, and it works wonderfully. The guys who designed Portage deserve a lot of recognition; it's one of its many treats.

    Also, the very nature of Gentoo (building packages from source) implies that you'll end up installing pretty much what you need, and what you need alone. I've found a lot of other distributions end up installing a lot of unneeded services on a default install - which is what the article discussed. My first Linux experience (early RedHat) was awful because of this - the default install had everything running, including Apache IIRC. My PII crawled.

    So, before the flaming begins. Yes, I like Gentoo. No, I don't think it's the ultimate Linux distro, and I don't think it's for everyone - for example, I wouldn't really trust Gentoo on a server. But what it does, it does damn well. It's not a popular distro only because you compile packages from source - there are a couple of others that do the same.
    And yes, I've learned a lot from Gentoo. I learned a damn lot from Slackware as well - not because you compile, but because they force you to have at least a slight idea of what you're doing. OTOH, you can install a modern release of, say, Mandrake, and use it pretty much as a Windows machine, zero issues. Not better, not worse. Just different.
  • by geordie_loz ( 624942 ) on Tuesday March 01, 2005 @06:20AM (#11811055) Homepage
    I agree that this is a secure thing. The problem is, nowhere does it tell a novice user that you should enable the firewall, connect to the net, then download patches, and then you're secure.

    The problem with the security is not that the machine can never be made secure, but that it starts out as a terribly insecure product. This is a problem. Most users are out-of-the-box users. They have no understanding, so they don't know about the firewall etc. They're told by MS that for security they need to patch using Windows Update. The point above is that this isn't actually that secure, and while this is happening a compromise can take place.

    The main issue here is the slack standards Microsoft use to get their products out the door, and their trade off of complexity to security. They are scared of treating their customers with intelligence, and educating them correctly about the actual process of securing and methods of attack (not necessarily at too technical a level) so good practices are used. For fear of confusing the users the XP SP1 firewall is off, and it's not the only software that has all the security off by default.

    If normal users understood that direct connections to the net were bad, they'd all buy routers, they'd consider firewalls, probably ones configured to block all but MSN, E-mail and web access, and we'd live in a considerably more worm free world.

    The OS may be securable, but it is not secure by default! That is the problem, because most users don't do anything but the default (hence Explorer's 90% market share).
  • Re:Of course (Score:3, Insightful)

    by bdsesq ( 515351 ) on Tuesday March 01, 2005 @07:40AM (#11811228)
    And according to the Microsoft quote in the article SP1 is an out of date OS.
    After all the last one was sold at Xmas.

    How in the world can Microsoft say something they were selling two months ago is "out of date"?

    Of course the purchaser could turn the firewall on or get a hardware firewall. But they are helpless guppies who don't know any better. If they knew any better they wouldn't have been buying SP1 then.
  • by Anonymous Coward on Tuesday March 01, 2005 @07:59AM (#11811286)
    "One could make the case, in fact, that security holes are found in Windows more often because, as the bigger target, there are more people out looking for them"

    Perhaps it's not that Windows is a bigger target, just an easier one? Strange, that with full source code and documentation available, nobody has

    "...you stand to compromise a lot more Windows machines than Mac OS X machines, or Linux machines"

    Given the disproportionate number of Linux boxen hosting web sites & FTP servers (ref. netcraft) compared to market penetration, and the fact that most servers operate 24/7, wouldn't it actually be more efficient to use Linux machines to attack Windows?

    "Using Mac OS X (or any other OS) because it's attacked less often is another form of security by obscurity, and it's no security at all."

    Many of the attack vectors that exist in Windows simply do not exist in OS X or Linux. Those exploits are mostly due to poor decisions on MS's part (rushing to develop ActiveX rather than just sucking it up and using Java, for one example).

    "You are only (reasonably) secure if you run a patched box, regardless of OS."

    One of the major changes in SP2 is closing unused ports by default; in other words, mirroring the default state of the Unixes. If the Unix security model is so poor, why is MS using it as their reference?
  • Re:Of course (Score:3, Insightful)

    by FireFury03 ( 653718 ) <slashdot&nexusuk,org> on Tuesday March 01, 2005 @08:07AM (#11811323) Homepage
    Putting a box with an almost 4-year-old unpatched OS on the net is stupid and should not have been included in the test.

    I don't think it's stupid to do this, but it should only be done if you're doing the same with other systems. I find a lot of these honeypot test reports do not test comparable operating systems. What they should be including in the test is:

    1. Fully patched up Windows against fully patched up Linux
    2. Windows against linux, both patched to the latest patches that were around 3 months ago.
    3. Windows vs. Linux patched up to 6 month old patch level.
    4. 1 year old
    5. 2 years old
    6. 4 years old
    7. 8 years old

    By doing this you are comparing systems from identical eras (and yes, I think you do need to go to 8 years old, like it or not there are some morons who are using 8 year old unpatched systems... and also it'll be kinda interesting to see if they're actually still getting attacked).

    I do still think, however, that Linux will come out way less vulnerable than the Windows from the same era for 2 reasons: 1. the userbase (or maybe the number of clueless users) is larger on Windows, so it attracts more cracks, especially (semi)automated ones. 2. Open systems tend to get patches released reasonably soon after an exploit is found, whereas Microsoft have a habit of leaving it until it's actually being exploited in the wild before releasing a patch - again, not much point in writing a worm for Linux systems if 99% of them are already patched anyway.
  • Re:Of course (Score:4, Insightful)

    by FireFury03 ( 653718 ) <slashdot&nexusuk,org> on Tuesday March 01, 2005 @08:10AM (#11811335) Homepage
    How in the world can Microsoft say something they were selling two months ago is "out of date"?

    Yeah, I would say that the comments from MS themselves are pretty damning there - that they would expect an OS they were selling 2 months ago to be completely riddled with holes to the point that it's cracked within 18 minutes of being connected.
  • Re:I do it (Score:3, Insightful)

    by FireFury03 ( 653718 ) <slashdot&nexusuk,org> on Tuesday March 01, 2005 @08:18AM (#11811367) Homepage
    I can just tell you that having seen how many services are listening for connections from anywhere by default on a Win2k box, *I* would never want to plug one into the internet directly. And yeah, I know you can disable those services, but it would take a degree in rocket science to figure out which you need or don't need within a sane amount of time. (Turn off the wrong service and your box stops working right)

    The other thing is, I don't use any Microsoft products other than Windows itself, really. Third-party chat, Eudora for e-mail, Firefox and Opera for browsing, WordPerfect and OpenOffice for all the office-style needs, etc etc.

    I'm not seeing anything here that can't be done as well or better under Linux - why use Windows at all?
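Two posts above make the same practical point: before a freshly installed box touches an untrusted network, find out which services are listening on all interfaces (Marran Gray's "nothing particularly visible except the interface you're downloading updates through", and FireFury03's remark about how many services listen by default). This is an added example, not code from the article or from any poster, and it covers only the Linux side of that check. It parses `ss -tuln` output and reports every socket bound to a wildcard address (0.0.0.0, [::] or *), skipping loopback-only listeners. The sample `ss` output is constructed for illustration, not captured from a real machine; the `--live` switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report services a default install exposes to the network,
# i.e. listening sockets bound to a wildcard address. Run with --live to read
# the real `ss -tuln` output; otherwise the constructed sample below is used.

# Constructed sample of `ss -tuln` output (not from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631    0.0.0.0:*
tcp   LISTEN 0      50     *:111            *:*
tcp   LISTEN 0      128    [::]:80          [::]:*
udp   UNCONN 0      0      0.0.0.0:68       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323    0.0.0.0:*'

# exposed_listeners SS_OUTPUT
# Prints "proto port" for each socket whose local address is a wildcard.
# Loopback-bound sockets (127.0.0.1, ::1) are skipped: they are not reachable
# from the network without some other foothold on the box.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # skip the header line
        {
            n = split($5, a, ":")              # "Local Address:Port"; port is last
            port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                print $1, port
        }'
}

# count_exposed SS_OUTPUT
# Number of wildcard listeners; zero means nothing answers from the outside.
count_exposed() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    INPUT=$(ss -tuln)
else
    INPUT=$SAMPLE_SS
fi

exposed_listeners "$INPUT"
echo "exposed listeners: $(count_exposed "$INPUT")"
```

On the sample, only sshd (tcp/22), portmapper (tcp/111), the web server (tcp/80) and the DHCP client (udp/68) are reported; CUPS and the NTP control socket on 127.0.0.1 are not. Anything in that list that is not needed for fetching updates is a candidate to stop, or to block with a default-deny inbound firewall rule, before the box goes online.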
  • by gelfling ( 6534 ) on Tuesday March 01, 2005 @10:21AM (#11811988) Homepage Journal
    The article stated that MS will go on the offensive to 'get the facts out'.

    Hey Steve Ballmer - why don't you get a good fucking product out the door then you wouldn't have to spend a coupla hundred million bucks spinning shit into gold, now would you?

    Don't 'give me the facts' I know what the damn facts are. Just make Windows more secure. And here's a tip, Microsoft, just a thought....

    Instead of carrying on about the animated 3D Video crushing interface in Longhorn THAT IS ALREADY 2 YEARS LATE....Why don't you spend that effort on making Windows more secure?

    Or isn't that sexy enough for your PR guys. I swear you MS morons must go to sleep every night dreaming of new ways to be useless.
