Paul Thurrott says Linux is most INSECURE

[Prosidius]

Friend pointed me to an article:

According to a study the British security firm mi2g, Linux is the world's "most breached" OS and is exploited more frequently than Windows. The company recently analyzed more than 235,000 successful attacks against computers that were permanently connected to the Internet during the past year and concluded that Linux was responsible for most of the successful exploits.

 

"For how long can the truth remain hidden, that the great emperors of the software industry are wearing no clothes fit for the fluid environment in which computing takes place, where new threats manifest every hour of every day?" DK Matai, mi2g's executive chairman, said in a statement. "Busy professionals ... don't have the time to cope with umpteen flavors of Linux or to wait for Microsoft's Longhorn when Windows XP has proved to be a stumbling block in some well-chronicled instances."

 

According to mi2g, Linux-based computers accounted for more than 65 percent of all successful electronic attacks during the past year, whereas Windows-based systems were responsible for only 25 percent. Attacks against Berkeley Software Distribution (BSD)-based systems were successful less than 5 percent of the time. However, it's worth noting--although mi2g didn't--that BSD-based machines make up a small percentage of the installed base of permanently connected machines. In all probability, those machines weren't attacked simply because there was little incentive to do so, not because of any inherent superiority over Linux- or Windows-based systems.

 

The mi2g study also analyzed the impact of malware during the same time period and found that most malware attacks--about 60 percent--successfully targeted small businesses, whereas about 33 percent successfully targeted home users. Only 6 percent of malware attacks successfully targeted midsized businesses, whereas 2.5 percent successfully targeted enterprises, government agencies, and similar firms. According to the company, 459 successful malware attacks occurred during the past year, most of which targeted Windows-based systems. Malware rarely targeted BSD-based and Linux systems.

 

These electronic attacks are taking an economic toll. The firm says that electronic attacks such as Distributed Denial of Service (DDoS) attacks caused as much as $123 billion in damages during the past year. Malware attacks were responsible for $202 billion in damages during the same time period.

http://www.windowsitpro.com/windowspaulthu...rott_44398.html

[Shadrack]

It isn't a question, to me anyway, on if Linux is more secure then Windows. Both are only secure if the user is secure minded enough to secure them, most users aren't in either OS. The real question is: what is more at risk, a hetrogenous network, or a homogenous network. The homogenous network is, as it has been proven again and again.

[n3wt]

The reason for that would be that Linux users rarely bother to install a firewall, the OS isn't inherently insecure, being that UNIX was designed as a multi-user system from the get go, it is in fact inherently MORE secure, the problem is users thinking they are safe because they run an OS with a small market share.

[El_Cu_Guy]

mi2g is not really in good standings. They have on occassion spread news of reports on this and that yet the news outlets that report on it rarely ever read it. Oddly enough mi2g makes its money by selling the reports.

Purchase the report and read it. The simple truth is that mi2g is trying to make headlines. They released a shocking identical report earlier this year (as noted by media coverage as far back as Feb 2004).

The Register has a very interesting article entitled why is mi2g so unpopular and I think you should read it.

He also questions mi2g's credentials and experience in the security industry, arguing that most of its staff appear to be without "significant operational IT security experience". mi2g denies this and states that it employs experienced risk managers.

mi2g started off in the mid-1990s as an e-business enabler focused on operating portal sites (such as Carlounge.Com and Lawlounge.Com) before repositioning itself as a security integrator/consultant specialising in providing "be-spoke security architectures" and security intelligence.

It burst into the IT security scene with a highly controversial, and colourful prediction, in late 1999 that a Y2K virus would cause widespread loses by moving corporate clocks forward. Anti-virus firms dismissed the alert and the subsequent non-appearance of any significant Y2K-related problems cast further doubts on mi2g's initial warnings, which are often the main exhibit in the case against the company.

the problem is users thinking they are safe because they run an OS with a small market share.

I read a REALLY GOOD report on this subject too. Will try to find the link.

Edited November 5, 2004 by El_Cu_Guy

[tuckeratlarge]

Surely if Linux is open source and everyone can examine and alter the source code of most Distro's and apps, it makes the job of writing a virus/trojan/worm for it that much easier. I suspect that when Linux gets a greater market share, those people who find it fun to disrupt and or damage other poeples systems, will find it worth while bringing down whole swathes of Linux based PC's. The media is concentrating on Windows at the moment because of 90 odd percent of computers run it so it's relating to a good many users - making a good story. Reporting a virus for Mr Torvalds finest won't cause enough fuss to for them to bother. Until that is it becomes mainstream with at least 50% of the home/corperate market. The media love a scare story.

No OS is secure. They all, with time and energy, can and will be compromised. The only way you can be completely safe is not connecting to the internet and not installing anything on your PC - where is the fun in that. As long as you prepare you will be fine (almost!) regardless of which OS you use.

[x-byte]

Hmm.. it seems when Linux is attacked about security it's ok, but when Windows is the subject it's the end of the world. And most people say they prefer Linux because it's more secure.

[markwolfe Veteran]

Surely if Linux is open source and everyone can examine and alter the source code of most Distro's and apps, it makes the job of writing a virus/trojan/worm for it that much easier. I suspect that when Linux gets a greater market share, those people who find it fun to disrupt and or damage other poeples systems, will find it worth while bringing down whole swathes of Linux based PC's.

584871073[/snapback]

That is just the other side of "Security through Obscurity" (insecurity through openness?). If Open Source is so simple to crack because of the code being available, then it should be VERY easy to crack the login process and always log into Linux as 'root', right? Every Linux PC uses the login, and it has been out there a long time.

Not true. Having code available doesn't mean that it is more crackable. GPG encryption is another example. The whole encryption algorithm is out there, yet GPG encryption is extremely strong and secure.

Hmm.. it seems when Linux is attacked about security it's ok, but when Windows is the subject it's the end of the world. And most people say they prefer Linux because  it's more secure.

584871127[/snapback]

Security problems should never be "ok". However, sensationalist reports (there are plenty of ridiculous reports on Windows/IE issues, too, that have no reasonable base) are not a valid foundation to make a statement on security. They specifically exclude all sorts of automatic and self-propogating worms and viruses and claim a 'fair comparison'. :no:

The world of Unix has had security (and multi-user systems) at the front for a long time. Windows has started security with NT (not before), and isn't quite yet a true multi-user OS.

It is correct, however, that as Linux becomes more popular, it will be the target more. Any successful attacks on Linux will be for many of the same primary reasons as for exploits on Windows: users not up to date with patches, and users who log in with root/Administrator accounts (which allows damage commensurate with priveleges).

[El_Cu_Guy]

Surely if Linux is open source and everyone can examine and alter the source code of most Distro's and apps, it makes the job of writing a virus/trojan/worm for it that much easier. I suspect that when Linux gets a greater market share, those people who find it fun to disrupt and or damage other poeples systems, will find it worth while bringing down whole swathes of Linux based PC's. blah blah blah.....

Again I point to you an article at The Register

It's called Windows v Linux security: the real facts

Here are the following Myths

Myth Windows only gets attacked most because it's such a big target, and if Linux use (or indeed OS X use) grew then so would the number of attacks.

BUSTED

Myth Open Source Software is inherently dangerous because its source code is widely available, whereas Windows 'blueprints' are carefully guarded by Microsoft.

BUSTED

Myth Statistics 'prove' that Windows has fewer, less serious security issues than Linux, that Windows issues are always fixed, and that they are fixed faster.

BUSTED wide open

As an example due to copyright blah blah here is only a snippet from the article printed per the terms of The Register. Lets examine the widely debunked but for some reason still used by Windows lusers who unwittingly defend their pitifully insecure POS, I mean OS.

Myth Windows only gets attacked most because it's such a big target, and if Linux use (or indeed OS X use) grew then so would the number of attacks.

Fact When it comes to web servers, the biggest target is Apache, the Internet's server of choice. Attacks on Apache are nevertheless far fewer in number, and cause less damage. And in some case Apache-related attacks have the most serious effect on Windows machines. Attacks are of course aimed at Windows because of the numbers of users, but its design makes it a much easier target, and much easier for an attack to wreak havoc. Windows' widespread (and often unnecessary) use of features such as RPC meanwhile adds vulnerabilities that really need not be there. Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.

Edited November 6, 2004 by El_Cu_Guy

[neowin_hipster]

In other news ballmer said windows was the best, bush said kerry flip-flops, and martha stewart bakes cookies to avoid prison rape.

Paul Thurrott is a douche bag.

[DrunkenMaster]

Isn't he also comparing Oranges and Bananas anyways?

Windows or Linux servers are completely different from desktops.

How about a report on wether the Linux desktop is more secure. Eg one w/o Apache, Bind, FTP, or a whole bunch of other services running. I'll bet Linux desktop is a lot more secure than Windows. IE, Trojan, Worm or Active X anyone?

[kyro]

mi2g report is bs.

[markwolfe Veteran]

I'll bet Linux desktop is a lot more secure than Windows.

584871769[/snapback]

I believe that Linux has a slight edge over Windows in security. However, I still firmly believe that it is the user's practices that make the biggest difference.

Linux users running with root priveleges? Hardly ever!

Windows? Quite common.

Linux users not keeping up to date with the latest updates? :o Sacrilege!

Windows? Less common than it was, but still TONS of mom & pops out there that are oblivious.

[El_Cu_Guy]

However, I still firmly believe that it is the user's practices that make the biggest difference.

It's somewhat unfortuante that certain companies, such as Microsoft, have made convenience and features the selling point of computing. The average luser does not have the expertise to secure their systems. Laying blame beyond a small extent squarely on the user's soldier just isn't right. If you insist on producing a dumbed down insecure version of your product (ie XP Home) you should make it a point to educate and warn the user.

Linux users running with root priveleges? Hardly ever!

Windows? Quite common.

Even Linspire makes it a point to suggest that users create at least one additional account. Windows on the other hand almost encourages users to run the OS with admin priveledges.

Linux users not keeping up to date with the latest updates? Sacrilege!

If the posts in this forum are any indication there's a definite need for better education. Perhaps a definitive thread on good security practices? Not saying that it's NeoWin's responsibility but it's worth considering.

Windows? Less common than it was, but still TONS of mom & pops out there that are oblivious.

Unfotuantely Trustworthy Computing is nothing more than a short term PR campaign. Microsoft big wigs including Ballmer have been quoted as saying that right now security is among the top 3 concerns at Microsoft. They hope that one day it won't need to be. Microsoft apparently doesn't realize that secuirty should always be a primary concern.

[sandman45654]

and isn't quite yet a true multi-user OS.

Can you please explain that?

[El_Cu_Guy]

NT is not a true multiuser operating system. :woot: :woot: :woot: :woot: :woot:

At first glance, this statement may seem confusing. Windows NT can multitask, can't it? And it can serve multiple network connections, as well as an interactive console user, can't it? Well, yes, it can. However, NT is not designed to provide more than one interactive session at a time. UNIX machines are often used to allow multiple users to connect using terminal emulators (such as Telnet) and run interactive sessions on the system, to perform their computing tasks. NT is simply not designed to do this; NT machines are designed to allow one user to sit at the console and manage and use the machine for personal computing tasks, and/or to serve files, print queues, and applications to multiple remote users over client/server connections.

[DR_K13]

blah, the person who wrote that article was payed off by Bill Gates :rofl:

[sandman45654]

NT is not a true multiuser operating system.?:woot::?:woot:t::woot:ot::woot:ot::woot:ot:

? ? At first glance, this statement may seem confusing. Windows NT can multitask, can't it? And it can serve multiple network connections, as well as an interactive console user, can't it? Well, yes, it can. However, NT is not designed to provide more than one interactive session at a time. UNIX machines are often used to allow multiple users to connect using terminal emulators (such as Telnet) and run interactive sessions on the system, to perform their computing tasks. NT is simply not designed to do this; NT machines are designed to allow one user to sit at the console and manage and use the machine for personal computing tasks, and/or to serve files, print queues, and applications to multiple remote users over client/server connections.

584872121[/snapback]

Is this any different from a Ms Terminal server? This is what the help and support center says about a terminal server

"Using a terminal server, users in remote locations can run programs, save files, and use network resources as though those resources were installed on the users' own computers. By installing programs on a terminal server, you can ensure that all users are using the same version of a program. If you plan to use this computer to allow multiple users to access a program at the same time from a single point of installation, configure this computer as a terminal server."

Edited November 6, 2004 by sandman45654

[Ryan V]

NT is not a true multiuser operating system.  :woot:  :woot:  :woot:  :woot:  :woot:

    At first glance, this statement may seem confusing. Windows NT can multitask, can't it? And it can serve multiple network connections, as well as an interactive console user, can't it? Well, yes, it can. However, NT is not designed to provide more than one interactive session at a time. UNIX machines are often used to allow multiple users to connect using terminal emulators (such as Telnet) and run interactive sessions on the system, to perform their computing tasks. NT is simply not designed to do this; NT machines are designed to allow one user to sit at the console and manage and use the machine for personal computing tasks, and/or to serve files, print queues, and applications to multiple remote users over client/server connections.

584872121[/snapback]

Well, if we go by what you call multi-tasking [Which may or may not be right] NT is a true multi-user operating system. Look @ Windows Server 2003. It's built off of the NT Code. ;) It does everything you have defined that a multi-user operating system should do.

[markwolfe Veteran]

Well, if we go by what you call multi-tasking [Which may or may not be right] NT is a true multi-user operating system. Look @ Windows Server 2003. It's built off of the NT Code. ;) It does everything you have defined that a multi-user operating system should do.

584872147[/snapback]

Except that serving users webpages, mail, etc. isn't the same. Those are all SYSTEM tasks, handled by user SYSTEM (I believe that is the Windows way).

Multi-tasking and serving are different than multi-user.

[markwolfe Veteran]

Is this any different from a Ms Terminal server? This is what the help and support center says about a terminal server

"Using a terminal server, users in remote locations can run programs, save files, and use network resources as though those resources were installed on the users' own computers. By installing programs on a terminal server, you can ensure that all users are using the same version of a program. If you plan to use this computer to allow multiple users to access a program at the same time from a single point of installation, configure this computer as a terminal server."

584872143[/snapback]

I am not familiar with MS Terminal Server. It sounds like it might be true multi-user, though.

When did that come out? If it is multi-user, like it sounds, I will just have to modify my original statements to say that the Windows that 99.9% of users have installed is not mulit-user. :p :shifty:

EDIT: According to the Microsoft page on this

Terminal Services delivers the Windows desktop and applications through terminal emulation.

it may be a hack to emulate multi-user on a system that is still handling all the processes as one user (and internally trying to track sub-tasks). I really don't know about this product, though.

[sandman45654]

Terminal services are included in Windows Server 2003. I don't know if Xp has TS but I am pretty sure Win2000 does. I haven't used either Win200 or Xp in a long time so I cannot say for sure.

EDIT: Xp can connect to a TS but cannot be one itself.

Edited November 6, 2004 by sandman45654

[Ryan V]

Except that serving users webpages, mail, etc. isn't the same.  Those are all SYSTEM tasks, handled by user SYSTEM (I believe that is the Windows way).

Multi-tasking and serving are different than multi-user.

584872195[/snapback]

Ahw my bad...lolz...So what does a Operatong System have to have to be consider a truly multi-user system :huh: ?

[pikachu010101]

BECAUSE....it is opensource. any hacker can get the source code and hack it. this thread it stupid. dont we all know about that ?

[El_Cu_Guy]

Well, if we go by what you call multi-tasking [Which may or may not be right]NT is a true multi-user operating system.

If we go by what I call multitasking that defines what multi-user means? Huh? Multi-tasking and multi-user are not inheratly one and the same and the ability to do one does not define the ability to do the other. Various versions of Windows have used various types of multi-tasking (cooperative and pre-emptive, and so forth). Is Windows 95 a multi-user operating system? Most definitely not. The point was not to define multi-tasking but to define what is a multi-user system.

When did that come out?

Windows NT 4.0 Terminal Server Edition. Terminal Server or terminal service is required to allow multiple users to connect concurrently to Windows in their own sessions. Terminal service client is now called Remote Desktop Connection.

Edited November 6, 2004 by El_Cu_Guy

[noyb]

BECAUSE....it is opensource. any hacker can get the source code and hack it. this thread it stupid. dont we all know about that ?

584872371[/snapback]

That the sort of nonsense you would expect to be uttered from the lips of Ballmer or some 12 year old MS fanboy.

Of course the code is there to be seen, but it comes with the advantage of honest people (the majority) being able to find holes and patch them quicker.