  Questionable optimizations (Message 21 to 30 of 44)  
From: Warp
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 11:56:16
Message: <4a634220@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> >   (And before anyone says anything, no, Windows is not better. Windows is
> > year after year always at the top of the list of most security flaws found
> > during the year.)

> Is this still true?  I think there's more 3rd-party flakey code, but not 
> stuff that comes with Windows necessarily. Certainly not as much as it used 
> to be.

  I don't know. I haven't been reading such reports lately. One would think,
though, that new OS = new bugs (unless Vista isn't really "new").

  But I still think it's fair to say that Linux is safer than Windows. Why?
For the simple reason that Linux is not such a popular *target* for attacks
and malware as Windows is. For example, basically 100% of email virii and
http exploits have targeted Windows. I'd bet at least 99.99% of more
traditional virii out there work only on Windows (and the older ones in
DOS). Almost 100% of malware (spyware, adware, trojans, rootkits...) target
Windows. While I have no idea how popular Windows as a target is among
crackers, I bet it's well over half of them for the simple reason that
Windows is way more widespread than Linux. (The only place where other
systems might rival Windows as a target of crackers is in the web servers
and other such servers, because there other systems are more popular than
in desktop computers.)

  Of course, Linux is in no way safe from attacks either. In fact, the linux
box of a good friend of mine got hijacked by a hacker some years ago (and it
remained so for a good amount of time, I think it was several weeks or even
months, without my friend noticing). However, usually these cases are direct
attacks by individual hackers, rather than being a massive attack by a
self-spreading program. You are much less likely to get your computer hacked
by someone directly, than by a self-spreading program (assuming you are
running an OS supported by that program). While I don't assume that my
linux box has not been hijacked without me noticing, I'd say it's pretty
unlikely.

-- 
                                                          - Warp



From: Darren New
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 13:29:43
Message: <4a635807$1@news.povray.org>
Warp wrote:
>   I don't know. I haven't been reading such reports lately. 

Same here.

> One would think,
> though, that new OS = new bugs (unless Vista isn't really "new").

Well, it's not really new. It's built on NT, 2000, 2003, etc. And it has a 
whole bunch of new security stuff added (Defender, UAC, secure desktops (or 
whatever they call the thing that prevents the shatter attack), etc)

I'd have to start taking the SANS stuff out of the junk folder, but my 
memory is that most of the attacks are against web-based services, with very 
rare root-access on either OS, most of which are privilege escalation. Maybe 
one every week or two even attacks on either kernel from outside.

>   But I still think it's fair to say that Linux is safer than Windows. Why?

I agree. It used to be Windows had about 2x the code and 2x the attacks found.

> For the simple reason that Linux is not such a popular *target* for attacks
> and malware as Windows is.

Yeah. UNIX had way, way more exploits back before Windows was a popular 
internet presence. Every week there would be reports of credit card lists 
being stolen from ISPs, viruses attacking sendmail, etc. Then it was 
Netscape's servers. *Then* it was Windows, around the '98 timeframe.

And before that, floppy boot-sector viruses ran rampant amongst 
microcomputer OSes, but I never heard of any of those being done for money.

> email virii

I saw a great rant from someone who actually knows Latin about "virii". 
"Virii" is apparently the plural of some completely unrelated Latin word, 
like "voice" or "people" or something.  "Virus" is apparently already a mass 
noun not unlike "stuff".

> I bet it's well over half of them for the simple reason that
> Windows is way more widespread than Linux.

I think it's three things. 1 - There's more Windows desktops. 2 - People 
with Linux desktops tend to be more clued and/or have someone administering 
them that is clued. 3 - I suspect that most Linux machines are actually 
servers that are quite locked down and rarely doing anything not 
specifically planned.

I've run Windows servers whose only job was running the database, or answering 
calls from credit card terminals, or etc, and it was trivial to lock them 
down enough that you didn't have to worry much about exploits. It's when you 
actually put someone in front of the keyboard who will surf web pages, run 
stuff people email to them, and so on, that you get lots of infections.

Of course there are some break-ins, but I understand that most of them are 
patched before they're actually exploited, and it's the people who didn't 
patch that are the problem.

> (The only place where other
> systems might rival Windows as a target of crackers is in the web servers
> and other such servers, because there other systems are more popular than
> in desktop computers.)

That, and web servers have value in and of themselves. You can either 
disrupt a rival, steal credit cards, etc.  Hacking an individual desktop 
machine only gives you what's on that machine (i.e., one person's financial 
data) or one node of a bot-net.

> However, usually these cases are direct
> attacks by individual hackers, rather than being a massive attack by a
> self-spreading program.

Now, yes. It used to be way more common for even proprietary UNIXes to get 
hit by viruses and worms than it is now for Windows, methinks.

-- 
   Darren New, San Diego CA, USA (PST)
   "We'd like you to back-port all the changes in 2.0
    back to version 1.0."
   "We've done that already. We call it 2.0."



From: clipka
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 13:40:01
Message: <web.4a6358d72c54829feecd81460@news.povray.org>
Warp <war### [at] tagpovrayorg> wrote:
>   (And before anyone says anything, no, Windows is not better. Windows is
> year after year always at the top of the list of most security flaws found
> during the year.)

True, but the superiority of Linux crumbles in my eyes, if the responsible
people brush aside security holes that easily. I always had expected the Linux
community to have a basic mentality of "oops, right, our mistake; we'll fix
that of course", or at least "oops, right, this is problematic; we'll work
around that of course". But now they show that they, too, are more like "well,
that's not our fault; we won't fix it".

And knowing (through obvious proof) that the Linux kernel code isn't checked
with professional tools (or rather, probably is, but the results seem to be
brushed off and not taken seriously unless proven to be exploitable) doesn't
convince me of Linux' alleged superior security either.

I'm not saying "they're worse than Microsoft" - all I'm saying is "they're no
better".

Which is to say, "they're worse than what they claim and are perceived to
be". And as we all know, overestimating a system's security is a bad thing. If
you run two systems which are equally secure from a technical point of view but
one is perceived as more secure, that one will actually pose the higher security
threat.

(And what I'm also saying is that I think the commercial approach is
*potentially* better suited to produce secure software.)



From: clipka
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 14:05:00
Message: <web.4a635ff52c54829feecd81460@news.povray.org>
Warp <war### [at] tagpovrayorg> wrote:
>   But I still think it's fair to say that Linux is safer than Windows. Why?
> For the simple reason that Linux is not such a popular *target* for attacks
> and malware as Windows is. For example, basically 100% of email virii and
> http exploits have targeted Windows. I'd bet at least 99.99% of more
> traditional virii out there work only on Windows (and the older ones in
> DOS). Almost 100% of malware (spyware, adware, trojans, rootkits...) target
> Windows. While I have no idea how popular Windows as a target is among
> crackers, I bet it's well over half of them for the simple reason that
> Windows is way more widespread than Linux. (The only place where other
> systems might rival Windows as a target of crackers is in the web servers
> and other such servers, because there other systems are more popular than
> in desktop computers.)

I dare to disagree - I'd even postulate that Linux poses a *higher* security
risk than Windows.

Why?

Because Windows has its highest popularity on Desktops. Yeah, that makes great
targets, and a great number of them to set up bot networks.

But Linux systems, being the more popular among Web servers and such, are
typically a good deal closer to the infrastructure.

If you can infiltrate the very infrastructure of the web, this makes
infiltrating the end-user computers much easier.

So if some infiltrated Windows systems would be an inflammation, I'd liken some
infiltrated Linux systems to a sepsis.

Note that Web servers have already been infiltrated as meta-targets in order to
infiltrate end-user computers; if these attacks become more common and
sophisticated (and I expect they will), I'd care more about a secure Linux
kernel than I'd do about a secure Windows kernel.



From: Darren New
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 14:13:51
Message: <4a63625f$1@news.povray.org>
clipka wrote:
> So if some infiltrated Windows systems would be an inflammation, I'd liken some
> infiltrated Linux systems to a sepsis.

Plus, it's generally a lot easier to infiltrate a web server using code 
injection or something than it is to infiltrate a kernel. :-)

-- 
   Darren New, San Diego CA, USA (PST)
   "We'd like you to back-port all the changes in 2.0
    back to version 1.0."
   "We've done that already. We call it 2.0."



From: clipka
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 14:15:00
Message: <web.4a63624f2c54829feecd81460@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> This happened to be some mips-specific assembly. Not exactly exotic, but
> then why are you changing that file if you don't have a mips chip to test it
> on in the first place?

In a commercial project, I'd say maybe because the developing company doesn't
have a mips system to test it on, and has made an agreement with one of its
customers who needs this fix. But still the change should not be included in
the main branch before the customer has confirmed that it does compile and fix
the issue.



From: Warp
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 14:30:01
Message: <4a636629@news.povray.org>
clipka <nomail@nomail> wrote:
> I dare to disagree - I'd even postulate that Linux poses a *higher* security
> risk than Windows.

> Why?

> Because Windows has its highest popularity on Desktops. Yeah, that makes great
> targets, and a great number of them to set up bot networks.

  You are twisting the whole thing in a really strange way.

  It doesn't change the fact that Linux is more secure for the average
user than Windows is, for the simple reason that Linux is not targeted
as much as Windows is.

-- 
                                                          - Warp



From: Warp
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 14:34:27
Message: <4a636733@news.povray.org>
clipka <nomail@nomail> wrote:
> Warp <war### [at] tagpovrayorg> wrote:
> >   (And before anyone says anything, no, Windows is not better. Windows is
> > year after year always at the top of the list of most security flaws found
> > during the year.)

> True, but the superiority of Linux crumbles in my eyes, if the responsible
> people brush aside security holes that easily.

  Then the answer is rather simple, isn't it: Don't use Linux.

> And knowing (through obvious proof) that the Linux kernel code isn't checked
> with professional tools

  Define "professional tool".

> I'm not saying "they're worse than Microsoft" - all I'm saying is "they're no
> better".

  That's BS. Basically every time a security hole is found in the linux kernel,
a patch appears in a matter of *hours*.

  How soon do you get security patches for Windows when security flaws are
found? Certainly not within hours. At best within days, at worst within
months (yes, it has happened).

  So yes, the linux community *is* better in security than MS is.

-- 
                                                          - Warp



From: Darren New
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 15:17:03
Message: <4a63712f$1@news.povray.org>
Warp wrote:
>   It doesn't change the fact that Linux is more secure for the average
> user than Windows is, for the simple reason that Linux is not targeted
> as much as Windows is.

I think he's saying the average Linux user isn't the same as the average 
Windows user, and the average Linux user's machine is more valuable to 
attack. You're just measuring two different ways.

-- 
   Darren New, San Diego CA, USA (PST)
   "We'd like you to back-port all the changes in 2.0
    back to version 1.0."
   "We've done that already. We call it 2.0."



From: Darren New
Subject: Re: Questionable optimizations
Date: 19 Jul 2009 15:24:10
Message: <4a6372da$1@news.povray.org>
clipka wrote:
> Darren New <dne### [at] sanrrcom> wrote:
>> This happened to be some mips-specific assembly. Not exactly exotic, but
>> then why are you changing that file if you don't have a mips chip to test it
>> on in the first place?
> 
> In a commercial project, 

Sure. This isn't a commercial project, tho.


Actually, in my experience, it's really hard to find help with getting 
consulting on Linux open source projects. There's just nobody willing to 
rent you their experience with some piece of software, when they could 
instead sell you some other software they wrote that's proprietary. The 
whole idea that you'll make money with FOSS by selling consulting services 
seems to not be very common at all.

-- 
   Darren New, San Diego CA, USA (PST)
   "We'd like you to back-port all the changes in 2.0
    back to version 1.0."
   "We've done that already. We call it 2.0."


