28 Mar 05
1 edit
Originally posted by WheelyBack in the days, most people knew what they were doing and it's hard to spread viruses when there's only 100 people on the netπ But yes, Unix is build on solid foundation unlike the swamp Windows stands on.
I would like to counter this much quoted argument that the reason Linux doesn't get hacked so much is because it's not as popular.
Firstly, Unix was around when Windows didn't exist and nobody got a virus.
Secondly, Apache is by far ...[text shortened]... it would be replaced in a matter of minutes. Microsoft know this.
I agree that the automagical-execute-everything-features that comes with windows facilitates spread. If I'm not mistaken, the e-mail client bundled with my windoze-box back in the nineties automatically executed attached scripts when you opened an e-mail! -At least they're a little smarter now. I'm sure that the same features would be implemented in Linux mail-clients if it was used on 90% of all desktops though.
I use Pine and have yet to receive a single thing that could biteπ
28 Mar 05
Originally posted by steerpikeJournalism. Only what will sell will people write. We've heard enough cases of Windows being insecure, but seeing someone belittle Linux for a change catches the eye.
One more little trick to watch out for:
"mi2g said its study focused on "overt digital attacks" and did not include other methods of intrusion such as viruses and worms."
Surely a worm or a virus attack is also a digital attack and can cause equal or more damage? So why aren't all attacks recorded - is it because it would give a different headline?
28 Mar 05
Originally posted by WheelyI can't quite agree. The majority of Web Servers are run by amateur web admins running a basic site or web forum, RHP web forums being a good example. There is little/no financial reward in hacking such a site.
I would like to counter this much quoted argument that the reason Linux doesn't get hacked so much is because it's not as popular.
Firstly, Unix was around when Windows didn't exist and nobody got a virus.
Secondly, Apache is by far the most popular web server in use. It is not Linux but generally runs on Linux or some other flavour of unix. It has ...[text shortened]... ow how to use it any more and it would be replaced in a matter of minutes. Microsoft know this.
IIS on the other hand costs money, as such used primarily for commercial purposes. This provides financial remuneration upon successfull hack.
As for hacks during the unix days, fact is since then the popularity of programming and the internet and traffic has significantly added to attacks on servers worldwide. It is unfair to compare the two time periods.
Both IIS and Apache suffers from backdoors, we know that. Should Mr Gates not be one of the most hated man on the planet (by bearded men with pony tails) I bet Linux would suffer similar attentions.
29 Mar 05
Originally posted by pcaspianI can't quite agree there;
Both IIS and Apache suffers from backdoors, we know that. Should Mr Gates not be one of the most hated man on the planet (by bearded men with pony tails) I bet Linux would suffer similar attentions.
I would hazard a guess that IIS is probably far easier to bring down than Apache. IIS depends heavily on it's host, Windows, which is already flaky and full of backdoors. Apache running on a *nix however would require more knowledge and effort, even if it was used more than Windows. The Windows kernel is the same kernel no matter what PC it is on, the holes are common throughout; the Linux kernel only includes what is necessary, so it changes from PC to PC. Then come modules and drivers etc etc
29 Mar 05
Originally posted by pcaspianI would beg to differ on the point about apache being mostly run by amateur admins that have no benefit in being cracked. Practically any application that gets installed on a serious unix machine tends to bundle a copy of apache with it. Looking at one of our hp-ux servers right now shows four different Apache configurations running. Bring down our data warehouse web server and it starts to cost this company lots of money. Further more, most banks have unix servers at the back end, aren't they worth a quick crack?
I can't quite agree. The majority of Web Servers are run by amateur web admins running a basic site or web forum, RHP web forums being a good example. There is little/no financial reward in hacking such a site.
IIS on the other hand costs money, as such used primarily for commercial purposes. This provides financial remuneration upon successfull hack. ...[text shortened]... man on the planet (by bearded men with pony tails) I bet Linux would suffer similar attentions.
It is also worth noting that the virus came into being long before most people had even heard of the internet and were spread via floppy disks. Please further note that CP/M which was the predominant OS before MS/DOS never suffered from any virus that I can remember.
The internet was nearly exclusively unix whilst it was growing up and nobody got any viruses (virii??).
The virus and insecurity are a design decision by Microsoft. It could be argued that it was the correct decision to make too because they built the entire home PC industry nearly. I don't begrudge them this but the ease at which things happen automagically is the reason we have such insecure machines. I used to work on a B2 secure unix with B1 features and boy what a pain it was to work on. You want security you pay for admins.
Linux too has made a similar choice in some instances. For example, the kernel was offered patches to make a non executable stack to avoid stack smashing security breaches. Although you can install it if you want, it's not in the mainline kernel because it's too irritating. Probably a sensible decision.
In summary, the reason people like Windows is the reason it is insecure. Not a problem but factor it in to your costs and also don't think other operating systems are the same.
29 Mar 05
Originally posted by WheelyThe reason that Windows is insecure and Linux is more secure is the nature of the open-source community. The theory is that millions of people examining source code can find backdoors and other insecurities quicker and more efficiently than a hundred guys at MS headquarters. It is the same reason that fewer viruses are written for open-source applications.
In summary, the reason people like Windows is the reason it is insecure. Not a problem but factor it in to your costs and also don't think other operating systems are the same.
29 Mar 05
Originally posted by CliffLandinI respectfully disagree. Four million people looking at Ritchie's hacked gcc conundrum would not find the security flaw. That is perhaps a simple example and I generally would agree that a hoard of marauding developers are more likely to find security holes than the quality assurance executives at Microsoft.
The reason that Windows is insecure and Linux is more secure is the nature of the open-source community. The theory is that millions of people examining source code can find backdoors and other insecurities quicker and more efficiently than a hundred guys at MS headquarters. It is the same reason that fewer viruses are written for open-source applications.
However, the most secure operating systems are not open source. The most secure operating systems are designed, generally by corporations, for use in sensitive areas like the military. I have worked on the development of a B2 secure unix with B1 features. I was on a team where one of our jobs was to try and break it. I can assure you that it will not get hacked. However, it will hardly ever get used too because it is an absolute nightmare to administer and use.
My point being that any group of people can design and build for security, even Microsoft if that is their aim. However, security is not Microsofts aim nor is it Linus Torvalds aim (we don't even have mandatory access lists in the mainstream kernel yet). Linux is built on Unix which has some good though somewhat ancient security features built into its design. Linux has all those eyeballs as well and together, I think this helps Linux become relatively secure as commodity operating systems go. Both Linux and Windows MUST trade security for useability. Microsoft have taken this to the extreme and have unleashed the virus upon the earth. I don't believe this caught them by surprise and it is probably too late to do anything about it except get the marketing boys on the job.
So, yes, the open source community helps but I don't think we should be fooled into thinking it is the major reason why Linux appears secure. It is a question of choice as I can assure you, you probably don't want to run a secure operating system.
- Joined
- 03 Sep 03
- Moves
- 87628
29 Mar 05
Originally posted by CliffLandin
The reason that Windows is insecure and Linux is more secure is the nature of the open-source community. The theory is that millions of people examining source code can find backdoors and other insecurities quicker and more efficiently than a hundred guys at MS headquarters. It is the same reason that fewer viruses are written for open-source applications.
First you say the "reason", then you say that is due to a "Theory". Well by definition a Theory is not completely proven.
There are two "reasonable" thoughts to that argument.
Due to the nature of open-source code, millions of people CAN examine the source code, find backdoors and other insecurities that they can then USE to "hack" into open-sores software.
Whereas with closed-source code, it is more like shooting into the dark. In order to find those backdoors and other insecurities the "Hacker" must randomly or educatedly "guess" or "test" for backdoors and other insecurities.
Secondly, how many people are actually familiar enough with the code (or capable enough) to where they can actually FIND such insecurities?
You run linux, could YOU review the code and understand it enough to search for holes? Probably not (as well as the MAJORITY of linux-users), and where is the incentive to do so? MS and any other such software companies will PAY employees to do just that.
These arguments have been hashed out all over the NET, there is no right or wrong. Both are valid arguments.
Linux has had PLENTY of insecurities. The only "Real" argument in the favor of Linux in this regard is the speed of which "fixes" have been released to repair these "holes". The open-source community has generally been quicker in this regard (in the past).
However, MS has improved and gotten quite speedy in the security fix releases. Not too slow when you consider all the levels of testing and such that goes into ANY release by MS.
--tmetzler
29 Mar 05
Originally posted by tmetzlerActually, the "speed" at which Microsoft releases patches is not quite as fast as they would have you believe. The "time to patch" figure is universally taken from the time of the announcement to the time of the patch release. Microsoft tend to "announce" the problem very late.
Linux has had PLENTY of insecurities. The only "Real" argument in the favor of Linux in this regard is the speed of which "fixes" have been released to repair these "holes". The open-source community has generally been quicker in this regard (in the past).
However, MS has improved and gotten quite speedy in the security fix releases. Not too slo ...[text shortened]... ou consider all the levels of testing and such that goes into ANY release by MS.
--tmetzler
Furthermore, many security holes are difficult to find in source code but some are very simple and some projects have automated scripts checking for code looking for things like reads with no bounds checking. Some functions you just shouldn't use. Some people have found hard coded passwords. These things are just as likely, some would argue more likely, to appear in closed source code but nobody will admit to them because they make programming easier (i.e cheaper).
People use brute force attacks, again automated, against closed source software, it's not just pure guess work. In any case, if a bunch of long haired hippy types can decrypt the DVD encryption routines in about ten minutes, don't you think analyzing closed source software is quite easy. We won't even get into the realm of decompilers.
It zseems to me that neither camp should get too smug. Do what you can but the more bells and whistles you want, the less secure you are going to be. It is the way of things π
- Joined
- 03 Sep 03
- Moves
- 87628
29 Mar 05
Originally posted by WheelyLike I said, "Not too slow when you consider all the levels of testing and such that goes into ANY release by MS."
Actually, the "speed" at which Microsoft releases patches is not quite as fast as they would have you believe. The "time to patch" figure is universally taken from the time of the announcement to the time of the patch release. Microsoft tend to "announce" the problem very late.
Furthermore, many security holes are difficult to find in source code b ...[text shortened]... ore bells and whistles you want, the less secure you are going to be. It is the way of things π
Once a open-source insecurity is discovered, Anybody can "Make a Fix" and release it on the internet. (The extent of the "release" is a different matter)
MS can't just "make a fix" and release it that day (usually). They must go through a whole lot of QA testing, backwards compatibility, etc before it can be "approved" and released to the public. The reasons they MUST do that are obvious and you seem like a "knowledgable" enough person to understand that.
As far as the other insecurities caused by "Bad Coding" well yes they exist. [Not that I WOULD EVER hardcode a password. π ; but I'm sure some have... ] That is why most GOOD Software companies will do "Code Reviews" and most importantly have "Coding Standards" of which employees MUST follow...but once again you seem like somebody who understands this...and we don't disagree.
--tmetzler
29 Mar 05
Originally posted by tmetzlerYes, I think we agree here but I don't think Microsoft are doing anybody any favours by announcing security issues three months after someone found them, releasing the patch two days later and saying "look at us!! aint we great" I believe Microsoft should just come clean and tell people that if you want a high level of security don't use us, if you want exciting flashy functionality and ease of use, we are the people you want to talk to. Maybe they could produce a secure version of Windows for those that want it (ripping the GUI out of kernel space might be a start).
Like I said, "Not too slow when you consider all the levels of testing and such that goes into ANY release by MS."
Once a open-source insecurity is discovered, Anybody can "Make a Fix" and release it on the internet. (The extent of the "release" is a different matter)
MS can't just "make a fix" and release it that day (usually). They must ...[text shortened]... once again you seem like somebody who understands this...and we don't disagree.
--tmetzler
The virus doesn't bother me as I don't get them. If you want them, it's your lookout but it's a choice you make. I make the choice to worry about Script kiddies attacking the latest buffer overflow in an internet service I haven't updated instead π
29 Mar 05
Originally posted by WheelyYeah, Windows does rely too heavily on a GUI. The kernel is bloated. And the fact that Microsoft release security updates multiple times a week certainly doesn't bring about a reputation for good security.
Yes, I think we agree here but I don't think Microsoft are doing anybody any favours by announcing security issues three months after someone found them, releasing the patch two days later and saying "look at us!! aint we great" I believe Microsoft should just come clean and tell people that if you want a high level of security don't use us, if you want e ...[text shortened]... ies attacking the latest buffer overflow in an internet service I haven't updated instead π
01 Apr 05
1 edit
Originally posted by John GYou assume I don't use those tools? Why?
Why have a dog and bark yourself?
The whole point of a database (ie a database managment system or DBMS) is to mangage data integrity and security. If you don't need that you might as well store your data in text files - performance ca ...[text shortened]... ient ever tries to integrate the database with other systems.
I simply said that I treat the database with respect as a programmer.
It ain't my fault that I wear all the hats when it comes to my customers.
I have really good design AND use all the tools. That is why every night at 2 am I get no errors in my maintainance plans event logs. As I said, I have a twenty gig database that has not reported a single correction or repair in seven years. That is pretty good by any standard. But it is me as the db owner,manager,master that makes it happen. I dare anyone to do that same thing when "20" people program and manage a database. It won't happen.
03 Apr 05
Originally posted by tmetzlerMillions of people do examine the code, and report holes they find, and they are fixed quickly in the next release of the kernel. Security goers can upgrade their kernel as need be, or use an older kernel if they choose.
First you say the "reason", then you say that is due to a "Theory". Well by definition a Theory is not completely proven.
There are two "reasonable" thoughts to that argument.
Due to the nature of open-source code, millions of people CAN examine the source code, find backdoors and other insecurities that they can then USE to "hack" into open- ...[text shortened]... ou consider all the levels of testing and such that goes into ANY release by MS.
--tmetzler
Microsoft on the other hand, must wait until the security hole is exploited before something can be done about it. Then, a group of programmers must find a way to fix the hole, and release the patch, and rely on users to regularly upgrade their system with new patches.
Your idea is completely wrong. Any one programmer of Windows will not know or understand the entire source code of Windows (or Office or whereever the hole is). Windows, like Linux, is programmed by a number of people. People who understand parts of Linux review the code of just those parts, not the whole lot. You don't read all the books in the library; you read only those that interest you. You don't have to know everything in the world, in everyday life, you rely on other people to know things you don't. The incentive for people to search for holes is the same sort of incentive that made Linux in the first place; and just about all software available under the GPL.
09 Apr 05
This entire thread is the best example of a "chimp fight" that I could ever invent or discover.
I say for the thousandth time. "There is no absolute best... there is only what we know and can do and can afford.'
That is just "SO" powerful. snark ... in a very agnostic sort of way.
Who can know the "best" of anything? Who has time? I can name ten OP sys just off the cuff. I Don't have time to play with them. I'm too old and too interested in retiring with MONEY.
Silly me.