On Wed, 2002-07-17 at 09:14, SCRIMSHER,JOHN (HP-Corvallis,ex1) wrote:
> Very good reading. However, while I would agree with his basic conclusions,
> that a linux virus would be harder to propagate than a Windows virus, his
> arguments are flawed. Mr. Skoll tries to claim that because more attacks
> occur against MS Based systems, then MS systems have more security flaws.
> While it may or may not be true, the number of attacks does not indicate the
> number of flaws. A system could have only 1 major flaw that is easily
> exploitable and 10 minor flaws, while a competitor has 200 minor flaws and 5
> major flaws that require expert knowledge to exploit. The one that will
> most likely be attacked is the one with the single flaw that is easiest to
> exploit. This flaw will be exploited again and again until it no longer
> exists.
>
> Fortunately for Mr. Skoll, he is correct in stating that MS does have more
> vulnerabilities. In looking at the vulnerability database maintained by
> SecurityFocus (http://online.securityfocus.com/cgi-bin/sfonline/vulns.pl)
> you can plainly see that since Jan 1, 2001 MS has had 290 published
> vulnerabilities while most linux vendors are at 40 and below, a large
> difference. However, this fact has no bearing on his conclusions. MS
> systems are defaced more because their flaws are more easily exploited.
> Script Kiddies are lazy and go for the easy targets.

You are confusing viruses and script kiddies. Different things. Different methods of attack.

The reason that viruses are difficult to spread under Linux/Unix/BSD is that the user does not normally have superuser privileges on the machine. Windows 9x is by nature a single user machine. Every user is a superuser and can infect system binaries. Even under NT this can be a problem. (Under NT Terminal Server 4.x, to get Microsoft Office to work correctly, you have to give users write access to the system directory!) Microsoft has been trying (slowly) to correct this.
There are problems though. You have to get users to think of "root" vs. "user" modes of operation. Very hard to do for home users. (Home users tend to be lazy.) They also have a bunch of legacy applications that do not do well with any sort of separation of privileges. (Microsoft apps especially. Microsoft has a habit of making rules for developers that they will not follow themselves. Ask any NT Terminal Server admin about running Frontpage on servers for more opinions on that.)

As for attacks against Linux vs. attacks against Windows... Attacks against Linux tend to get fixed MUCH faster. A big reason for this is that security issues are seen as bugs, not as a public relations problem. Microsoft (and many other large closed source companies) see any security issue as a PR problem that must be handled with spin and marketing, not with actual coding.

Another problem is one of responsibility for code. Most Open Source projects have a single point of contact. You know who is responsible for a project. The name is right there on the package. Microsoft is a large entity where it is very rare to see a name associated with the project. One of the problems with any large coding shop is that of "over the wall coding". You finish your part, hand it over the wall to someone else and never see or hear from it again.

Usually the problems with Linux boxes being attacked are the same as with Microsoft boxes: the laziness of administrators and the demands of continuous uptime. If the patches do not get installed, they are of no help. This is especially difficult for Windows users however. Most patches that get performed on a Unix box can be performed without restarting the box. (The only exception is a kernel patch or testing if all services get started correctly after a reboot.) Windows boxes tend to need to be rebooted after each and every patch. (I know that was true of Windows NT. I am not certain if they have fixed this with Win2k.) This causes a great deal of downtime.
Also, Microsoft service packs tend to muck with registry settings, so you have to go back and verify that everything is correct after the service pack. You also tend to have to reinstall the service pack after any hardware modifications. (If you remember.) This causes additional complications and reboots.

In these days of long uptimes and "five nines" demands from management, admins no longer seem to have periods of scheduled maintenance. There needs to be a scheduled time each week for the admin to find any patches that need to be applied and make sure they get installed. Nowadays, getting that time is next to impossible. With users demanding help with their systems, projects that need to be completed, and all of the work piled on since they laid off most of the rest of the IS staff, there is less and less time to pay attention to security and system maintenance. And it is going to only get worse...

It is not just a Windows problem though. Certain Linux distributions still ship with everything turned on. (They are getting better about it, but it is taking time.) Some "secure versions" have a problem getting patches out for their distributions. Even worse, some "secure distributions" have security features they are not using to the fullest. (I am not going to name any names here. You know who you are.) Part of that is time, staff and money. Instead of building better operating systems in this country, the emphasis seems to be on protecting the unprotectable and snooping on everything in sight. (Having a secure OS means that it is secure from *everyone*, not just those on the official enemies list.) Not that that is going to get fixed anytime soon...
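The message above rests on one concrete condition: a virus can only infect system binaries if the account it runs under can write to them. The script below is an added example (not code from the original message or its author) that checks exactly that condition on a Unix box: which directories on PATH, and which executables in them, a given non-root user could overwrite. It judges access from the classic owner/group/other rwx bits for an explicit uid and group set rather than calling os.access(), so the answer describes that user even when the scan itself is run as root; ACLs, capabilities and read-only mounts are outside what it models, and the file names in the constructed fixture are hypothetical.

```python
#!/usr/bin/env python3
"""Find PATH directories and executables that a given non-root user could
overwrite, i.e. the write access a Unix virus would need to infect a
system binary.  Added example; not code from the original message.

Access is judged from the classic rwx bits for an explicit uid/gid set.
Root's "write anything" override is deliberately not modelled, so the
result describes the named ordinary user even when the scan runs as
root.  ACLs, capabilities and read-only mounts are ignored (assumption).
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def mode_allows_write(st: os.stat_result, uid: int, gids: set) -> bool:
    """Classic Unix rule: owner bits if uid owns the object, otherwise group
    bits if its group is one of ours, otherwise the 'other' bits."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def scan_directories(directories, uid: int, gids: set) -> list:
    """Return a Finding for every directory the user could write (anything
    in it can be replaced) and every regular executable file the user
    could modify in place."""
    findings = []
    for d in directories:
        try:
            dst = os.stat(d)
        except OSError:
            continue  # dangling PATH entry
        if mode_allows_write(dst, uid, gids):
            findings.append(Finding(d, "directory writable: any binary here can be replaced"))
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            try:
                st = os.stat(p)
            except OSError:
                continue
            is_exec = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if not stat.S_ISREG(st.st_mode) or not is_exec:
                continue
            if mode_allows_write(st, uid, gids):
                findings.append(Finding(p, "executable writable in place"))
    return findings


def scan_path(uid=None, gids=None) -> list:
    """Scan the caller's PATH as the given user (default: the current one)."""
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else set(gids)
    return scan_directories(os.environ.get("PATH", "").split(os.pathsep), uid, gids)


def build_fixture() -> dict:
    """Constructed sample tree (hypothetical names) so the scan can be run
    offline: one properly locked-down binary (0555), one writable only by
    its owner (0755), one world-writable (0777).  mkdtemp() gives 0700."""
    d = tempfile.mkdtemp(prefix="pathscan-")
    layout = {"safe": 0o555, "owner_only": 0o755, "world_writable": 0o777}
    paths = {}
    for name, mode in layout.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(p, mode)
        paths[name] = p
    dst = os.stat(d)
    return {"dir": d, "owner_uid": dst.st_uid, "owner_gid": dst.st_gid,
            "stranger_uid": dst.st_uid + 65000, **paths}


if __name__ == "__main__":
    for f in scan_path():
        print(f"{f.path}: {f.reason}")
```

Run as-is it reports the current account's view of its own PATH; an empty result is the Unix situation the message describes, while a hit on a directory like a user-writable bin directory that precedes the system ones is the Windows 9x situation in miniature. Passing a different uid and group set to scan_path() lets an administrator answer the question for a service account without switching to it.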
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 13:59:15 PDT