Windows Vs Linux


deathadder
10-23-2004, 07:27 AM
At least you don't have to pay for this report.

http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/

Uranus
10-23-2004, 08:41 AM
Heh...
I would really love it when Windows starts saying that it is more secure than OpenBSD :) Those guys think way too highly of themselves...
Sam

infiniphunk
10-23-2004, 09:01 AM
Yes, the report is definitely a good read; very informative.

mmills
10-23-2004, 09:09 AM
I'm not knocking Linux by any means, but MS is not that bad. Yes, they may want too much for an OS, and yes, they don't give you enough applications, so then you have to buy FTP apps and so forth, but my system is not so open to the world. A buddy of mine in the IT department is a CEH and hacks on a personal basis; I gave him a run on my XP partition and he couldn't even budge me. The average user doesn't know what services to leave open and what to close. Microsoft costs way too much and has too many flaws, but if you know what you are doing, you can have a secure system. Even Linux has a virus....... and eventually they will have spyware.


just my thoughts

bwkaz
10-23-2004, 10:47 AM
Originally posted by mmills
"Even linux has a virus..."

Precious few of them. And none of them have ever been able to spread outside the laboratory...

"and eventually they will have spyware."

I doubt it, personally. From Rick Moen:

There remains one other option: viruses (and similar things) that don't attempt to affect system binaries or take over entire machines, but instead dwell in a particular user's account and attempt to spread to other user accounts, on that or other machines, via inter-user communication mechanisms such as e-mail. One might imagine, for example, a virus written in "elisp", the macro language of GNU emacs and xemacs, and propagating as attachments to e-mail sent to other emacs users.

Such an invention would be at worst a nuisance among a few users, as it could affect only users running the same combinations of user software. Further, the Unix community long ago became wary of auto-executing programs/macros, so ultimately this technique would rely on convincing each additional user to execute (run) the program/macro, to "infect" his files. Also, in the Linux/Unix world, macros tend to be stored as readable plain text (unlike the case with, say, MS-Word), so that untrustworthy code is difficult to conceal from user scrutiny.

Bold is mine, italics are his.

Spyware exists on Windows because programs can install themselves without the user knowing about it (or with the user knowing about it, but not knowing enough to see the difference between a spyware's ActiveX dialog and Windows Update's ActiveX dialog -- did I ever mention how much I HATE ActiveX? ;) -- so they click Yes on everything).

Linux does not support ActiveX. No Linux browser that I know of will allow you to automatically execute anything that you download from a web page, save Javascript (and it's very difficult to make spyware out of JS code, because of the other security restrictions inherent in the sandbox that it runs in). Therefore, nothing that anyone can put on a webpage can possibly install software onto a user's machine. That's one of the avenues of infection for spyware.

The other avenue is that the spyware is included in other programs that the user installs (KaZaA was one of these, and I think it still is, but I'm not sure on that). In Linux, this is also not a problem unless you install binary-only packages from sources outside your distro. For example, 4 years ago or so, I installed AIM's binary only Linux package on my first Mandrake system (basically because I didn't know there were native Linux packages that worked on the AIM network -- and I don't care anymore, because I don't use AIM anymore ;)).

It could have been possible for this binary to include spyware code that overwrote the Mozilla (v0.5 or 0.6 IIRC) homepage to be some other homepage, like the IE BHO spywares do every time IE comes up or closes. But how many Linux users used Mozilla v0.5 at the time? Not nearly enough to make this work enough. And Mozilla itself wasn't infected with it, so it would only get overwritten when I ran (or while I was running) AIM. That kind of correlation isn't that hard to see (after I start AIM, my browser's homepage is reset -- every time), and therefore it's not hard to eradicate the culprit.

But even stuff like this is likely to fail in more than half of cases -- the only times where it might succeed are where the systems the spyware writer was writing for are sufficiently close to the system the user's running.

And you'd have to distribute them as binaries, outside the distro channels. Because if you distribute them as source, it's easy for the developers whose reputations are on the line to see that the spyware bit of code needs to be removed. If you try to get a distro to accept your spyware-ridden program into their channels, they'll rightly refuse you, because they see it doing evil things during their testing. And they know that because there's distro competition, if they do something that their users don't like, their users will leave.

In short, it may exist eventually, but it will do roughly nothing and infect almost nobody.

And I'm not sure, but if your "it will eventually have spyware" comment is because you think more users make it a better target, then why aren't Apache websites defaced nearly as much as IIS websites, when Apache serves up at least 60% of the Web?

--

I'm not saying that securing Windows is impossible, either, I'm saying that because the Linux programmers are a lot more sensitive to security issues (and there are orders of magnitude more of them), it's a lot easier to secure a Linux installation. Open source development changes the practices of developers, to the point where security is a lot more prevalent in their thinking.