Is Your OS Tough Enough? 597
LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
Of course (Score:5, Funny)
Re:Of course (Score:5, Funny)
Re:Of course (Score:3, Funny)
You must be refering to OpenBSD! If only those dogs could understand human language, we could tell them that those gates will never be opened. ; )
Re:Of course (Score:3, Informative)
Re:Of course (Score:5, Insightful)
that anyone selling a box online without putting the most recent patches on the operating system provided should be shot. At a bare minimum making certain that reasonable measures are taken like some sort of firewall and an OS updater running OR a caveat to the buyer should be required.
Putting a box with almost 4 year old unpatched OS is stupid and should not have been included in the test. To include the original XP and not lets say RedHat 7 for example shows a bit of a skewed results.
Windows is already more prone to attacks. There really is no need to offer the original XP in the story EXCEPT to show users how imnportant it is to patch after a format or system recovery.
Re:Of course (Score:5, Interesting)
Re:Of course (Score:3, Insightful)
After all the last one was sold at Xmas.
How in the world can Microsoft say something they were selling two months ago is "out of date"?
Of course the purchaser could turn the firewall on or get a hardware firewall. But they are helpless guppies who don't know any better. If they knew any better they wouldn't have been buying SP1 then.
Re:Of course (Score:4, Insightful)
Yeah, I would say that the comments from MS themselves are pretty damning there - that they would expect an OS they were selling 2 months ago to be completely riddled with holes to the point that it's cracked within 18 minutes of being connected.
Re:Of course (Score:3, Interesting)
Yeah, doesn't help when you get cracked whilest pulling down the updates though does it? (Yes, yes, I know you can ask MS for a SP2 CD but really, shouldn't that be bundled with the OS, even if it's just a CD taped to the outside of the box?)
I thought XP tried to durring install anyways?
Doesn't help if you're on a pay-per-minute dialup connection.
Re:Of course (Score:4, Interesting)
(actually, now that I think about it, I can name several. Methinks I need to go have a talk with some friends and family.)
I do it (Score:4, Interesting)
By conventional logic, my box should be dead by now. Especially since I keep it on nearly 24/7, connected up to teh intarweb. Go ahead and say I'm just lucky, but I think that if you just have a computer reasonably configured, the over-the-top security that most people think is necessary . . . well, it isn't. I do update with security patches often, and that's about as far along as I go with conventional means of protection.
So what's the secret, then? I don't entirely know, I think it must be alot of little things combining. Partially, I think things aren't quite as horribly insecure as people think; just that when they are, and they often are by default, things go so horribly wrong that it colours one's perspective on the issue. The other thing is, I don't use any Microsoft products other than Windows itself, really. Third-party chat, Eudora for e-mail, Firefox and Opera for browsing, WordPerfect and OpenOffice for all the office-style needs, etc etc. True, that isn't at all what the original article is talking about, but I'm hardly the first to deviate from topic here.
Re:I do it (Score:3, Insightful)
The other thing is, I don't use any Microsoft products other than Windows itself, really. Thir
Re:I do it (Score:3, Interesting)
I am going to assume that: 1. your modem has a firewall built into it (I know some models do). 2. Your internet provider is fire-walling you (I know some that do).
I have several logs on various firewalls that tell me how many intrusions were attempted on different boxes and the numbers are amazingly HIGH. Yo
Re:Of course (Score:4, Insightful)
Only tech savvy people know that there is a reason to spend double (but still as low as 40EUR AFAIR) to buy an ethernet modem/router. The other 95% will simply buy the cheapest (and crappiest) USB modem on the market. Or worse, they'll take the leased one from the telco: they specifically seem to choose the worst models
Sometimes you have no choice (Score:5, Insightful)
The catch-22 is that time-to-infection is much shorter than time-to-patch for Windows XP, even with a contemporary internet connection. If you don't have SP2 media, and don't have some other means of (manually) acquiring the latest patches, you're dead in the water. Yes, there are workarounds; you can install some ice of your own before you connect, for that matter, but that obviates all the really neat security features of SP2 with a 3rd-party solution. "Not the solution he had in mind..."
Admittedly, part of this is due to the fact that Windows is "productized", i.e. you have a box containing Windows and you can add patches. With Linux operating systems I think there's a lot more sensitivity to versioning and awareness of granularity; you aren't working on this monolithic thing in need of repair but on a collection of components which can be individually upgraded. Partly psychological, yes, but you also have the advantage of simply leaving out "risky" components until you can get everything up to date. You can run a Linux OS with no services, nothing particularly visible except the interface you're downloading updates through. That's not an option with Windows.
Re:Sometimes you have no choice (Score:4, Informative)
It is more then enough to keep you safe and secure until you get your windows updates. The time to infection is a heck of a long time with that turned on. That it isn't turned on by default was a mistake but to say that XP out of the box will be infected before you have the ability to update is outright incorrect.
Re:PLEASE MOD PARENT UP! (Score:5, Insightful)
The problem with the security is not that the machine can never be made secure, but that it starts out as a terribly insecure product. This is a problem. Most users are out of the box users. They have no understanding, so they don't know about the firewal etc.. They're told by MS that for security they need to patch using windows update. The point above is that this isn't actually that secure, and while this is happening a compromise can take place.
The main issue here is the slack standards Microsoft use to get their products out the door, and their trade off of complexity to security. They are scared of treating their customers with intelligence, and educating them correctly about the actual process of securing and methods of attack (not necessarily at too technical a level) so good practices are used. For fear of confusing the users the XP SP1 firewall is off, and it's not the only software that has all the security off by default.
If normal users understood that direct connections to the net were bad, they'd all buy routers, they'd consider firewalls, probably ones configured to block all but MSN, E-mail and web access, and we'd live in a considerably more worm free world.
The OS may be securable, but it is not secure by default!. That is the problem, because most users don't do anything but the default (hence Explorer's 90% market share)
Re:PLEASE MOD PARENT UP! (Score:5, Interesting)
I think you are giving many users far too much credit. 90% of the cases where I have to deal with customers who have misconfigured their mail server as a spam relay, I get a response similar to "Yeah, I know that's really insecure and lets spammers use it, but it was [easier to set up]/[only going to be like that for a few weeks]/[not as if I was telling the spammers the open relay was there]" (delete as appropriate).
The point is that these people *knew* that what they were doing was really stupid, but were doing it anyway because they couldn't be bothered to be secure. Of course it always comes back to bite them in the ass when their server falls over with several million spams in the mail relay queue and a completely saturated ADSL connection.
Re:Of course (Score:3, Insightful)
I don't think it's stupid to do this, but it should only be done if you're doing the same with other systems. I find a lot of these honeypot test reports do not test comparable operating systems. What they should be including in the test is:
1. Fully patched up Windows against fully patched up Linux
2. Windows against linux, both patched to the latest patches that were around 3 months ago.
3. Windows
Re:Of course (Score:3, Interesting)
Of course reading is very difficult and all.. but still..
The fact is that they were testing what people are using TODAY, not what shops should be selling and people might be using in the future.
With regards to SP1, the following quote from the article seems somewhat relevant:
Not News (Score:5, Funny)
This news isn't news. What's news is this news is in the news!
Re:Not News (Score:5, Funny)
So then it is news. Otherwise the news that it's in the news couldn't be news.
Re:Not News (Score:3, Insightful)
Re:Not News (Score:5, Insightful)
It is sad that the internet has become so hostile. At work I connected one of our servers to a connection on the outside of our firewall for some remote support (didn't have the VPN papers signed yet). The moment that I enabled the nic, the server informed me that the RPC Service has failed and the computer will shut down.
I was foolish for not checking the patch levels. I assumed that someone else was on top of that. A mistake I will not make again. But home users have problems of their own. They don't know they have to keep it up patched. If I had my grandma running Linux, I would be the one patching it. What about converting all my friends and family to Linux. I would be so overwhelmed keeping each one current.
As it stands, I format, install XP
At the same time, I have to explain why XP is better than the 98 or ME that came with the computer, what SP2 is and why it takes so long, what a firewall is, what firefox is, why I created a special admin account for them to install stuff with and why the should never surf the web while logged into admin with the red background.
And if you are a slashdot regular, I am not telling you anything new. I should release this as a news story, but as we all know, this is not news. Its just the way it is.
--
Kevin Marquette [blogspot.com]
antispyware [blogspot.com]
Internet Auditing Project (Score:5, Insightful)
The data collected was interesting, in that it did show that admins were way too lazy and complacent. However, the resolution of the information presented was too low to actually do anything useful.
This is much the same. It is interesting, it does show the perils of negligence, but there are way too many variables and unknowns for this to be actually useful in preventing attacks.
Did attacks vary with time? Did attackers fingerprint the OS' and then target Windows (explaining why there were fewer attacks on other systems) or did they target all machines equally but with attacks assuming a Windows OS?
How were attacks counted? By what measure was something deemed an attack, as opposed to something accidental or incidental? (Broadcasts happen, guys, especially on something like cable where you've a shared line.)
For that matter, was this using a shared line or something dedicated? What was the bandwidth used? Would the stats have differed, if there had been a greater capacity to handle the traffic?
Although we're told this just dealt with machines "connected to the Internet" and not going to websites, that is not strictly the case. The Windows boxes did auto-updates, which means that they had transmitted data. If it was a shared line, or if there was a hacked machine en-route, the Windows boxes would have been visible and identifiable as Windows machines. The Linux boxes, transmitting nothing, would be much stealthier and therefore only prone to genuinely random scans.
In consequence, what can we really conclude from this test? I would say nothing, unless it was re-run with Linux simulating calls to the Windows update system at Microsoft.
If we saw an explosion of attacks, as a result, then we can argue that it is not Windows that attracts the assaults but the patching mechanism.
There is a lot that COULD be learned, through rigorous controlled tests, but as this was neither rigorous nor controlled, I don't see that we learn anything other than the world isn't 100% safe. If the researchers didn't know that beforehand, I pity the researchers.
Re:Internet Auditing Project (Score:3, Informative)
Yet again... (Score:5, Insightful)
Re:Yet again... (Score:5, Funny)
Obligatory: On piles and piles of money. :-)
Re:Yet again... (Score:3)
Re:Yet again... (Score:3, Insightful)
My friend had to reinstall his parents computer because it was too infested with virus/spyware and I had to yell at him to put on sp2 which he still didnt do because it wasn't showing up on windows update or something like that.
People with older dell systems pre sp2 just don't know and that scares me.
Yes, Yet again... (Score:3, Informative)
SP2 was such a large step forward in terms of user security that I'm sure they sleep quite well. This is yet more proof that these three OSs are now on even footing in terms of security.
Re:idiot... (Score:5, Interesting)
You are anonymous, and most likely you are attempting to troll. I probably should not have bitten but what can I say, it gave me the chance to rant a bit.
Re:idiot... (Score:3, Informative)
This isn't an entirely stupid thing to do - if someone is on a pay-per-minute dialup connection, they don't *want* to be automatically downloading hundreds of megabytes of updates. (Especially if a lot of those updates are to add stuff they don't need/want - i.e. DRM for Media Player, etc).
Re:idiot... (Score:5, Interesting)
Re:What I'm not surprised about (Score:5, Informative)
Which OS is propagating the viruses/trojans/malware?
Windows.
Which OS does it infect?
Windows.
Yes, other oses were attacked - [by windows zombies] - but not compromised, in fact there are very limited examples of exploits propagating through other oses aside from windows [I can find 7 linux viruses, all of which do not propagate nor are effective to any measurable extent].
It is likely in the future that one may find a way to compromise a linux/mac in the same way, but that day has yet to come.
And that is why we question findings that windows is more secure than linux. It is GLARINGLY obvious that this is untrue to anyone sane.
Re:What I'm not surprised about (Score:3, Insightful)
Only windows propagates the viruses, and only windows gets them.
No propagating virus etc has been written for *nix. Yet.
No matter your level of objectivity, the FACTS speak loudest.
Re:Yet again... (Score:3, Funny)
You must be new here.
Even modern linux distros need to be sanitized (Score:5, Insightful)
firewall.. (Score:5, Insightful)
As for the packages, who cares if they're just sitting on your HD taking up space?
For a server machine "outside the wall" it's important to keep things as lean as possible. But for your desktop machine, who cares?
Re:firewall.. (Score:3, Informative)
Everybody should for two reasons:
One: Minimizing your configuration to have only what you need is a basic security principle. Software that isn't installed doesn't have to be patched, configured, audited, and otherwise watched. This is more important considered in light of item two.
Two: You should use good security practices on all systems / devices to establish a defense in depth. You are begging for trouble if your entire security plan is: use a firewall. Al
Re:Even modern linux distros need to be sanitized (Score:5, Informative)
FC3's firewall is also set up very well and has been noted to have one of the best default setups out of many of the linux distros. Some of the other protections included in FC3 are SElinux which has policies for all major services and exec-shield is also extensively used. All major services connecting out are compiled with switches that randomize the memory allocation, which may have the negative side affect of taking a little longer to start because it can't prelink, but it really helps against many attacks because every machine has its memory mapped in different locations. The amount of security that Red Hat puts into FC3 while still leaving it so functional is pretty amazing. Most of the vulnerabilities found usually can't do much harm after you consider the layers of security and the other standard security measures, i.e. users and setting up perms correctly. Its nice to know though that the latest outbreak of [insert worm here] *probably* won't affect you.
Regards,
Steve
Re:Even modern linux distros need to be sanitized (Score:5, Insightful)
While I agree, I was stunned looking at the results of a Nessus scan (default) after completing a default install of Solaris on Sparc (E450). Wow. 9 known security holes and a bunch of services on by default and listening on open ports.
Sure, it's not Windows-bad, though it wasn't what I expected in the latest revision of Solaris (I've used a previous version of SunOS and have installed Solaris 8 & 9 on both x86 and Sparc hardware). Fedora Core does a much better job by default -- though I agree FC3 needs to be purged to make it clean and fully trustworthy.
Re:Even modern linux distros need to be sanitized (Score:4, Insightful)
With fedora, it should take less than two minutes to disable the services that you don't need either through the System Services gui, or through the chkconfig command. Why the above poster even bothers removing packages (unless he has drive space constraints) is beyond me. And I have found that You will spend alot more time fixing a redhat system. is pure B.S. Care to elaborate on that a little bit, back it up with some real-world situations? up2date... with a good mirror, I have all the latest and greatest security patches in 1/50th the time it takes you to recompile all of your packages. Wanna upgrade my distro? Point yum to the new repository... 1/2 hour, done. Over the course of a year, it is obvious that gentoo requires a lot more work than a package based distro.
Re:Even modern linux distros need to be sanitized (Score:4, Insightful)
Also, the very nature of Gentoo (building packages from source) implies that you'll end up installing pretty much what you need, and what you need alone. I've found a lot of other distributions end up installing a lot of unneeded services on a default install - which is what the article discussed. My first Linux experience (early RedHat) was awful because of this - the default install had everything running, including Apache IIRC. My PII crawled.
So, before the flaming begins. Yes, i like Gentoo. No, i don't think it's the ultimate Linux distro, and i don't think it's for everyone - for example, i wouldn't really trust Gentoo on a server. But what it does, it does damn well. It's not a popular distro only because you compile packages from source - there's a couple others that do the same.
And yes, i've learned a lot from Gentoo. I learned a damn lot from Slackware as well - not because you compile, but because they force you to have atleast a slight idea of what you're doing. OTOH, you can install a modern release of, say, Mandrake, and use it pretty much as a Windows machine, zero issues. Not better, not worst. Just different.
Lame article. (Score:5, Insightful)
If they're only tracking ping/scan attempts, there is no reason to even include mac/linux in this.
Re:Lame article. (Score:5, Informative)
The attacks are more than just pinging/scanning, which was separately tracked.
Re:Lame article. (Score:3, Insightful)
You're right, but it's a fluffy piece targeted at your mom and her friends, not you and me. The fact that this sort of stuff is getting into the news is a good thing. I'd say more than 90% of all Windows users are not protected properly, and they don't reall
Re:Lame article. (Score:3, Insightful)
Well, I could think of a *few* things...how about a gate to prevent access to the premises itself? (it's not like a little 4 port NAT/router/firewall is expensive these days). Especially for Joe User who doesn't need all sorts of ports open since he's only bro
Re:Lame article. (Score:4, Insightful)
Mmmm... sentry guns.
But seriously (just a little OT), the response to a knock can be tuned easily enough:
- Firewall. Your bouncer only lets in whoever he's been taught to trust. Or you can give it a guest list. Many broadband interfaces can also present a "false" front door thanks to IP Masquerading. Neither is 100% foolproof, but they do make life harder, especially for bulk tools used by script kiddies.
- Silently DROP incoming SYN packets on unused ports. Like having a trapdoor under the doormat - what knock?
- Something I liken to Neighbourhood Watch - at the first sign of a port scanner, broadcast to your friends and concerned neighbours of the attempt so they'll be wary of the stranger.
- Use your own bot army to DoS the attempted intruder. Something like a Claymore on the doorstep?
Then there's antivirus, groupware... the difference as I see it is the tools to do these are freely available with basically anything *n[iu]x*, while you tend to have to pay for a decent solution that runs on your favourite monopolistic vendor's OS. Not always, mind, but typically. Since I payed for XP (keeping it up to date), no software but games have cost me anything - AVG/OpenOffice/Mozilla + extensions/software that comes with purchased hardware... etc etc... it's pretty easy to meet license terms when you're not putting things to commercial use. This also means I'm not running any networked services publicly, so this box never accepts an incoming connection from the cloud.As for the stuff that does matter - web, database etc services... I leave that to my Linux box, running just what it needs to, and I take a little time semi-regularly to ensure it stays close enough to up-to-date. It hasn't let me down as yet (neither did FreeBSD while I was running that too), and this is year 13...
Disclaimer: I don't know everything, but I know what ideas I like. And just because I like the idea, doesn't necessarily mean I implement it.
Re:Lame article. (Score:4, Interesting)
The blaster and sasser worms, for example, make no attempt at reconnaissance. They simply blast TCP connections to IP addresses chosen at random. In theory, they have exactly as many chances of attacking the XP/SP1 box as the XP/SP2 box, or for that matter any the Mac or any of the Linux boxes. The attack is much more likely to be successful of tne SP1 box, but that does not mean the other computers were not attacked.
So, what did they actually count? What do those numbers mean?
Security (Score:5, Informative)
The truth is that if somebody really does want to get into your system, it can happen. In addition to using a secure OS and keeping the security updates current, securing physical access is your next line of defense.
Re:Security (Score:3, Informative)
Not to be picky, but securing physical access is the first line of defense.
I don't care what OS you use or how up to date it is, if someone can physically touch the computer they can break into it.
Re:Security (Score:4, Interesting)
They won't succeed as long as I patch, because root logins through SSH are disallowed, and I don't have any of the usernames they guess.
Keep trying, d00dz!
Now open sendmail (Score:2, Funny)
Re:Now open sendmail (Score:2, Informative)
Re:Now open sendmail and config it. (Score:5, Interesting)
Yeah (Score:5, Insightful)
Re:Yeah (Score:3, Insightful)
-1 Off topic (Score:5, Funny)
I got stuck in the self-checkout line at Walmart once, behind a lady who had this same problem.
Jaguar? (Score:2, Interesting)
Don't bother reading the article (Score:5, Funny)
Very thought provoking and innovative information indeed.
RTFA (Score:3, Insightful)
Windows XP Service Pack 2
Attacks: 16
Results: Survived all attacks
Windows is *obviously* attacked more, simply because it is the most popular operating system. If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place? It's simply more logical for those evil people to write software that attacks Windows... secure or not secure, it's going to be the primary target until it loses it's market dominance.
Re:RTFA (Score:5, Insightful)
IIS vs. Apache seems to deny this conclusion.
Re:RTFA (Score:3, Insightful)
Compare that to joe-average user who's unknowingly running IIS and getting hacked even there's no incentive for a hacker to 0wn him.
Re:RTFA (Score:3, Interesting)
Re:RTFA (Score:3, Interesting)
Re:RTFA (Score:3, Insightful)
Re:RTFA (Score:4, Interesting)
To get a bigger slice of a smaller pie. Worm authors aren't just writing the things as a form of random vandalism; they're writing them to set up botnets that they can use for other nefarious purposes. The huge volume of Windows malware means that there's serious competetion for infectable hosts. A successful Linux or OSX worm would have the whole field to itself, which would make up for the smaller number of infectable hosts.
Re:RTFA (Score:3, Insightful)
3 attacks, no compromises, right out of the box.
Re:RTFA (Score:4, Insightful)
So yes, for useless systems, Windows XP SP2 is right at the top, but if you're going to just install an OS and let the computer just sit there, never to be used, why pay $100 to license the OS?
Warez (Score:2, Funny)
New reality show (Score:3, Funny)
"Coming up, we'll have Windows eat a big bowl of fried portscans!!!"
*circus music*
"And after the break, Linux will jump off of the gigantic Mount Exploit!"
*dark piano music*
(Reality check): It would probably fall off the air for requiring someone to think, though...
Comment removed (Score:5, Insightful)
Re:The Article in one sentence (Score:3, Informative)
Attacks: 4,857
Results: Attacked successfully within 18 minutes by the Blaster and Sasser worms. Within an hour, the computer was taken over and began attacking other Windows machines."
Conclusion summary: (Score:5, Interesting)
Patched Windows, Mac, Linux: Good.
Point? We already hear how much worse security Windows has multiple times a day. This doesn't even say it outright...
The real thing I gained from the article is the fact that there are still an immense number of infected computers out there, and this brings me to the question: where? How many people could there possibly be out there whose computers are being run by various exploits? We already know that they're all thanks to people that suck at patching their machines, and I find that to be a much larger problem than the security of a fully patched OS.
Scan with Impunity (Score:3, Interesting)
So any resolution of this issue has to must be implemented on the OS side.
On that note, Windows is largely responsible for attacks on other operating systems--easily hacked Windows machines are what provides the cover for most blackhats, including those who are attacking Linux/BSD servers.
4 simple words: (Score:5, Informative)
The most hilarious thing to me when someone gets hacked is looking at their box and a simple nmap shows every port under gods lcd monitor open.
Virus Scan (Score:5, Funny)
From what I remember in Tron, this visually looks very cool. Digital warriors fighting on a neon grid, etc.
I'm pretty stumped, though. I tried to get my box pwned eight times, just to see the digital battle. I thought at the least Norton Antivirus would sent a digital probe destroyer bot out to eradicate the trojans. But all that happened was my computer got really slow, and pop-ups kept showing up, advertising herbal virility pills for men.
Come to think of it, Hollywood movies never seem to match up with what my computer does. That's it, I'm going to stop believing them movies and start reading Wikipedia instead.
"SP 1 is not a current operating system" (Score:5, Insightful)
Ah, but would it have surprised him when it was still current? ISTR that back then, the time was a far more robust 20 minutes.
SP1 Earns a pass? (Score:5, Insightful)
Geeks hate them, but... (Score:5, Informative)
OK, running P2P software is a slight hassle, but it isn't that hard to expose ports on a case-by-case basis. Certainly a lot simpler than fucking around with firewall softare.
Since a good firmware-based router costs less than a full suite of security software, this is a no-brainer.
Of course, it doesn't work with the "Spirit of the Internet" that says that every system on the net can provide services to or use services from any other system. But you know what? That "spirit" is long gone -- it only worked when the Internet was an academic toy.
Re:Geeks hate them, but... (Score:4, Insightful)
There should always be a router between any personal system and the Internet. Not a kludgy firewall/filter, mind you, but a simple NAT-translation router that puts your machine in a private address space. Hackers can't hack what they can't get to.
Actually, that's not quite correct; take a peek at rfc2663: http://www.faqs.org/rfcs/rfc2663.html [faqs.org]. In a somewhat roundabout way in the security section (Section 9), it says not to use it as a "Firewall", but rather in conjunction with a firewall.
The reason for this is that if someone spoofs an address in your nat range, it pass through unfiltered. Bottom line is to not rely on NAT alone for a firewall; always use it in conjunction with real filtering. Thankfully most consumer boxes will do this already, so it's practically a moot point.
Re:Geeks hate them, but... (Score:5, Informative)
Assuming your router doesn't have an undocumented backdoor password like the NetGear WG602. Or a no-password remote administration interface on port 1900 like SMC used to have (fixed in June 2004 firmware). Or remote administration on port 5678 even when you disable remote administration (Linksys, 2002). Or a Telnet interface with a password of "private" (DLink ADSL routers as of 2002). Or a remote backdoor on port 254 (any DSL router with the Conexant CX82310-14 chipset with firmware 3.21). Or remote web administration with a factory default password (X-Micro WLAN).
And assuming the firmware doesn't have any subtler bugs than that.
And assuming you don't open a "DMZ" which in reality doesn't segment your LAN.
Of course, your point was that routers are a necessity, which is generally correct. But there have been too many scandals for comfort. A Soekris box or some other small box running pf offers code you can trust and the flexibility to offer services to the world.
99% of incoming attacks... (Score:3, Informative)
I've seen Linksys BEFW's go for $10 on E-Bay.
Or go whole hog and get the Motorola SURFboard SBG900, combination DOCSIS 2.0 cable modem/wireless-G AP/firewall.
-Charles
*nix will be a major target of worms in the future (Score:5, Funny)
Microsoft might have something with Windows Longhorn, since the entire API outside of the kernel will be written in C# completely sandboxed in a CLR, much like Java.
Combined with a monolithic auto-update system, Microsoft has no intentions of repeating the problems of Windows 2000/XP when they release Longhorn, much like they had no intention of repeating the problems of stability they had with Windows 95/98/ME when they designed Windows 2000/XP. For as much as they do, they mostly won with stability in 2000/XP, and they could win again, despite their market share, by sacrificing RAM (480MB commit charge, 1GB recommended) and processing power by implementing the .NET framework for their entire API.
I honestly hope open source has something to compete for their future desktop environments, or else desktop Linux could be relegated to processors too slow to deal with the overhead.
Gotta love your spyware programs for Windows (Score:5, Funny)
Of course Claria/Gator [claria.com] is also offering a free version of their spyware program, and it's not beta - it's an official, stable release, available to users from all over the world, and with no date limits!!
There are also other known spyware providers out there, all you have to do is to search the web for some pr0n and warez, and there you go.
So what they're saying is... (Score:5, Insightful)
Nothing us geeks don't already know. Anyway, I can belive 6 systems got attacked 40 thousand times in one week. I check my own system logs often enough, and there's usually some inbound packet on a disallowed port dropped every 10 to 40 minutes. Usually two or more attempts or blocks of attempts to login via ssh every day. Probably 10+ malformed GETs a day in the Apache logs. And this is my little residential gateway that gets about 4 legitimate hits to it's Apache server (which I'm not supposed to run) per day. That's about 250 attacks per week per server, or close to 1500 for 6. Take a website with non-trivial traffic, and it's easy to reach 40K/week. Since I'm pretty sure that DenverPost.com gets more than 25x my traffic, I'm suprised it was only 40K.
Other than saying that a lot of shit flies around the internet, the article was very skimpy on details. Not suprising, since an article that explains what a 'worm' and a 'virus' is is obviously not aimed at 1337 geeks. But it would have been nice to know what's installed on them.
For example, was it a full server install of Linux? (CUPS, httpd, ftpd, ntp, ssh, sendmail, etc?) Or just a minimal install with no server software installed a la home Windows? Quite a difference. How long would either of the Windows machines have lasted if they'd had Microsoft's server software installed too? Check secunia.com for Windows XP home, IIS 6 [secunia.com], or SQL Server [secunia.com] - It seems that ~1/4 of the known security holes in Microsoft's software are always unpatched. Contrast that with Apache, proftpd, Mysql 4, cups, OpenSSH, and Sendmail, which on Secunia currently share 10 vunerabilities between them all (9 of them 1/ or 2/5 for severity, and one 3). Of the 3 tested Linux OSes, Red Hat 9 has one not-critical vunerability listed.
It is certainly possible to make a Windows server or desktop reasonably secure, but compared to comparably securing a Linux server or desktop, would seem to require a monumental effort. And it's not just that Linux is more configurable - The FOSS community (judging by open holes) has done a far better job patching their software than MS.
Well, off to overdose on the Numa Numa Dance...
Paying for patches (Score:3, Informative)
My golden rule:
apt-get update
apt-get upgrade
Once a week. For free.
Life on the edge (Score:3, Insightful)
Part of the conference was a series of hands-on labs that we were hosting using loaner equipment from major manufactures. The network was provided my a major ISP through a national hotel (where this part of the conference was being held).
The labs were assembled by volunteers, and were pretty much infected beyond use with spyware and viruses within about 10 minutes of coming online. It was the worst thing I'd ever seen. We had 20+ people scrubbing the machines off-line for literally HOURS, only to have them reinfected once they came back online (now behind a firewall).
To compound the issue, we couldn't feasibly reimage the machines because the vendor donating them gave us at least 10 different models with 2-3 variations on each model.
In the end we threw in the towel, refunded people's money, and let the Mac lab (which remained unaffected) continue their presentations.
just my $.023233432322
Shields Up! (Score:3, Interesting)
Riiiiiiiiiight.... (Score:4, Insightful)
So Microsoft get's a pass on viruses because it is popular and has a lot of software written for it? And then those same people use the amount of software available for MS Windows as a reason why Windows is superior. You can't have it both ways: if you think Windows has an advantage because of a larger application base you have to include the malware applications like viruses and spyware as well.
You could wrongly argue that when Linux has a larger installed base it will have the same problems as MS Windows. But even if that were true, it's new popularity would mean that more commercial applications like Photoshop would be written for it also. The blade turns both ways for better and for worse, yet MS Windows apologists try to claim the best of both worlds.
Whats an attack? (Score:5, Interesting)
For example: they say Windows XP SP2 got attacked 16 times.
Does that mean it got port scanned 16 times? It can't as i'm sure it got port scanned many more times than that.
or
Does that mean it got infected 16 times? It can't because they said it survived all attacks.
So what on earth were these attacks?
Useful link (Score:3, Informative)
truer words were never spoken.... (Score:4, Funny)
How about older distros? (Score:3, Interesting)
The behavior of a not exactly up-to-date system would give much more insight in the overall security of an operating system. The authors tested Windows XP SP1. But what about outdated Linux distributions?
My personal experience is that it is virtually impossible to install Windows XP today on a system that is connected to the internet. You don't even have the chance to install SP2 fast enough. The article confirms this with its SP1 experiment (it survived 18 minutes).
In contrast, I'd expect any of the Linux distributions to survive way longer unpatched than Windows does. The distros I've seen (SuSE, Gentoo) have turned any useless service off on a default install since years (I wonder about
A few, say, one or two year old Linux distros would have been a very interesting contrast to the authors SP1 experience.
FUD? (Score:3, Informative)
"Microsoft responded that the tests prove that any operating system is vulnerable when not patched."
No. They KINDA show that only Microsoft products are vulnerable when not patched.
For what it's worth, IMHO, I think that SOME of the home users that don't patch their installs of MSXP are afraid that MS is trying to slip in some software that would automagically inventory thier MP3 collection, hacked software, etc and somehow "break" thier computer. I think many people think of MS operating systems as a "deal with the devil". They really DON'T want to use Windows, but isn't that Linux thing for computer gurus and really hard to use? It's really hard to combat that kind of FUD. If it wasn't, a HUGE number of corporate users would be using a *nix based solution, if only to shrink desktop support staff.
As a networking professional, I can tell you that the constant rolling out of virus and OS patching to our user base DOES impact network traffic and "regular job" throughput, but the top brass sees this as a necessary evil. But of course my corporation has MS stock in it's portfolio....
PR before performance, I always say (Score:3, Insightful)
Hey Steve Ballmer - why don't you get a good fucking product out the door then you wouldn't have to spend a coupla hundred million bucks spinning shit into gold, now would you?
Don't 'give me the facts' I know what the damn facts are. Just make Windows more secure. And here's a tip, Microsoft, just a thought....
Instead of carrying on about the animated 3D Video crushing interface in Longhorn THAT IS ALREADY 2 YEARS LATE....Why don't you spend that effort on making Windows more secure?
Or isn't that sexy enough for your PR guys. I swear you MS morons must go to sleep every night dreaming of new ways to be useless.
Re:redhat 9 super secure? (Score:5, Informative)
Or it means that RH9 wasn't logging portscans and pings... which, AFIK, it didn't do with any of the default firewalls. It is only newer distros that log potentially malicious traffic.
Re:Are you all retarded? (Score:3, Interesting)
Re:Are you all retarded? (Score:3)
Because the majority of Windows boxes are run with Admin level privileges full time, by people who have a difficult time setting their microwave to the 'popcorn' setting. Does SP2 come slipstreamed in the box that I can buy at Walmart? Will the old 10.0 OS X be a