Security of Linux versus Windows
July 11th, 2011 - 11:21 am ET by Kari Laine
This is a post from Kelsey Bjarnason from the year 2003.
We could probably discuss along the lines of it. I think everything he says
in it still holds.
**************************
On Wed, 03 Dec 2003 16:26:17 -0500, cola_moderator wrote:
> forget your stupid conspiracy theory - once hackers decide to switch from
> windows to linux, they will beat the crap out your crappy linux os, which
> has more bugs than a tropical island.
Not a very good troll, but it does raise an interesting point.
Specifically, open source tools such as sendmail, apache, postfix, bind
and the like are, if anything, far more prevalent out there than MS
based tools. Hence, one would assume they'd get their fair share of
attacks; even more so precisely because such tools are supposedly harder
to hack - it's a lot more impressive to crack the NSA's systems than,
say, Circuit City's.
Such apps have, indeed, had their share of attacks, some even
successful. What I find interesting, though, is that despite their
supposed bug-ridden status, despite their prevalence, it isn't _them_
that result in the multi-billion dollar losses, the outages of entire
segments of the internet and the creation of entire industries intended
to do nothing but fix the holes in them.
Further, for anyone interested in serious security, there are things
such as SELinux, for which no equivalent seems to exist in the Windows
world.
So how, exactly, do you figure that increasing the popularity even
further is going to make an iota of difference?
Ah, yes - the desktop user. Well, let's consider that for a moment. In
Windows, using the bundled tools, doing something as simple as reading
e-mails can involve executing scripts, loading remote images and even
firing up active x controls. Until recently, it took what, two mouse
clicks to "launch" an attachment, which could well be an executable?
And let's not forget Windows' helpful habit of hiding file extensions by
default, so that file.jpg.exe shows as file.jpg - hence lulling the
unwary user into a false sense of security.
Let's contrast that to Linux tools, such as, say, KMail. Does it
execute scripts when you view mails? No; by default, it doesn't even
render HTML, and warns you that doing so is potentially dangerous.
Unless you intentionally enable such rendering and ignore the warning,
such things simply cannot affect you.
How about attachments? Yup, you can launch associated items such as
images, but you get a security warning. How about executables, though -
the really troublesome items?
I just e-mailed myself an executable. Opening the attachment did,
indeed, open the executable... in a text editor. No running things
here. Not unless I decide it's safe, save it somewhere, mark it
executable and then run it.
So, already, a virus is in trouble - its methods of propagation are
considerably limited compared to Windows. Of course, let's assume one
does manage to execute... what happens? To be "a virus", it really needs
to replicate... which generally means infecting other files. Executables,
to be specific.
Hmm... odd, as a regular user, I don't have permissions to modify
executables. Attempting to do so just results in errors. So the virus
will have to "crack" the system, gain superuser privileges, _then_ infect
things. Without being noticed, say by tripwire or the host of other tools
available in Linux to deal with just such things.
Okay, well, so much for viruses. What about other things, such as hacking
into the system via the web server, ssh server, that sort of thing?
Remote logons, followed by superuser hacks?
Sure, these can happen; they have happened. However, a worm - or a hacker
- attempting such things faces a couple of problems.
First, issues in, say, openssh which allow him to break in generally
apply to one specific version, or to a small range of versions. There's
little guarantee that a given machine even _has_ ssh running, or, if it
does, that it is running a vulnerable version. For that matter, tools
such as this can be further protected by port knocking setups, by only
responding to requests from specific IPs, and so on.
However, let's assume the wily hacker _has_ managed to find a vulnerable
ssh box. He hacks in and he's logged on... but unlikely with superuser
privileges. Now he has to hack the system further, to achieve root
access, in order to do much damage.
This, too, has been done on occasion. However, the attacks for one system
are not likely to be the same as the attacks for another; different kernel
versions, different services, different apps, different versions and patch
levels even of the same apps, and so on.
That's the problem with the notion of "If Linux gets popular, it'll get
hacked, too"; Linux is too divergent. With Windows, you have a static set
of tools, such as OE and IE and MS Office, which are almost certain to be
on and used on a given Windows box. Further, there's a limited range of
versions of these - most IE users, for example, won't be using IE 4 or 5
anymore, but IE6. Most MS Office users won't be using Office 97, but
Office 2000 or Office XP.
This gives the attacker a very small number of things to focus on. In
Linux, however, there's no real expectation that the user is going to use
a given application. I use KMail, someone else uses Evolution, another
uses Mutt, someone else uses Sylpheed and on and on and on. I use
Konqueror, someone else uses Moz, someone else uses Opera, and on and on
and on. There's abiword and OpenOffice Word and KWord and probably more.
In Windows, if you can target, say, OE6 under WinXP, Win2K and Win98, you
can very likely hit about half the entire Windows user base. What's your
target mail client in Linux? KMail? That *may* account for an eighth of
Linux users *if* you're lucky, and even there, you only get the ones who
enable things they shouldn't and ignore warnings they shouldn't.
Long and short: it's not an issue of popularity, but of mechanics; it is
simply more difficult to attack or infect a given Linux box than a given
Windows box, if for no reason other than the sheer variety of options
available in Linux. The additional factors of not using active scripting,
not executing things unless the user goes considerably out of their way to
execute them, simply make an already difficult task that much more
difficult.
Yeah, sure, you can hack _a_ Linux box. That doesn't mean much. To have
the scope of problems Windows experiences, you'll need to automate the
hacking of many Linux boxes, facing the challenges noted above,
and avoiding tools such as tripwire and the various IDS tools.
In principle it could be done; I suspect, however, the resultant "attack
package" would be so large as to stand out like a sore thumb.
**************************
Kari Laine
PICs, Displays, Relays - USB-SPI-I2C http://www.byvac.com
USB and FPGA boards http://www.ztex.de
I am just a happy customer
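
As an added illustration (not part of the original post), a mail filter can check the two attachment properties the quoted post discusses: a name such as file.jpg.exe that displays as file.jpg when extensions are hidden, and content that is an executable whatever it is named. The extension set, magic-byte table and sample message below are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists for the example; a real filter would maintain longer ones.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable",
         b"#!": "script with shebang"}

def inspect_attachments(raw: bytes):
    """Return {filename: [findings]} for every attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        data = part.get_payload(decode=True) or b""
        findings = []
        if suffixes and suffixes[-1] in EXEC_EXTS:
            findings.append("executable extension " + suffixes[-1])
            if len(suffixes) > 1:
                # With extensions hidden, only the part before the last suffix shows.
                shown = name[: -len(suffixes[-1])]
                findings.append("double extension, displays as " + shown)
        # Check the leading bytes so a clean-looking name cannot hide a binary.
        for magic, kind in MAGIC.items():
            if data.startswith(magic):
                findings.append("content is " + kind)
        report[name] = findings
    return report

def build_sample() -> bytes:
    """Constructed message: a disguised executable, a JPEG stub, a misnamed ELF."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "photos"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="octet-stream", filename="file.jpg.exe")
    m.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                     subtype="jpeg", filename="real.jpg")
    m.add_attachment(b"\x7fELF" + b"\x00" * 60, maintype="image",
                     subtype="jpeg", filename="photo.jpg")
    return m.as_bytes()

if __name__ == "__main__":
    for fname, notes in inspect_attachments(build_sample()).items():
        print(fname, "->", notes or "no findings")
```

The third sample attachment shows why the name check alone is not enough: photo.jpg has a harmless name and declared type, and only the content check flags it.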