Re: Security through wide system use?
From: NeoSadist (neosad1st_at_charter.net)
Date: 12/25/03
- Next message: Gaetan Martineau: "Re: Backup media; comments would be appreciated."
- Previous message: NeoSadist: "Re: A Question On Ipchains Input Rules"
- In reply to: Andrew McCall: "Security through wide system use?"
Date: Thu, 25 Dec 2003 09:52:29 -0700
Andrew McCall wrote:
> Hi Folks,
>
> This isn't intended to be a troll, and I am not trying to start a
> flame... but...
>
> I received an email today from my manager pointing me to an article on
> news.com.com[1] that states Windows gets hacked more because it's
> popular, and Linux isn't as popular so it doesn't get targeted as
> much.
Statistically, maybe, but that's called "security through obscurity", which
isn't really security at all. These days with the worms running around and
such, no one is safe.
>
> Personally, I think this is a very simplistic view, from both Linux
> and Windows viewpoint, and would like to find references and articles
> discussing this so I can try and highlight this to the manager. One
> source of information I have already identified is the Netcraft[2] web
> server survey but if anyone else can help me gather more information
> please can you post the information for me.
Well, any Google for "security through obscurity" should lead you to lots of
websites showing that this is a false sense of security. However, there
are tons of variables in security. What if the admin doesn't know how to
use the OS or make it secure? That does no good. What if they aren't
using a firewall? That's not good. What if they're using Windows for a
server? Depends on how hardened it is, but I'd say that Linux is more
customizable. You can put the kernel to the OS on a separate partition
and mount it read-only to protect it. You can fine-tune IPv4 on it (more
than Windows can, see the various IPv4 hardening websites). It comes with
IPTables, which is a VERY good firewall. Its filesystem is much more
strict and less "free" and "open" in terms of permissions, which can help
it resist viruses more. Also, only root can install things, unlike
Windows, which at times will either allow a program to install itself
without permission (during a non-admin user's session), or allow the
non-admin user themselves to install things without being admin.
Windows isn't bad, and it can be customized. I was impressed and still am
impressed with Windows 2000. However, I like Linux due to the things I do
with my machine, and I'd say that Linux can be customized more than
Windows. However, in the end, it's the admin of the system who is to blame
for security incidents usually, because any admin can learn the OS they're
administering and keep it safe (within reason). But then again, no one is
perfect, and once in a while things will happen that are out of the admin's
control.
>
> I am not trying to prove one system is more secure than the other, and
> I appreciate that there are many factors in system security.
That's good, because like I said, it's very possible to know your OS well
enough to protect it. Bottom line: Windows and Linux are different, but
their strengths will never materialize if the admin doesn't know what they
are doing. I recommend that if you don't know Linux, get a spare computer
and learn Linux, but don't migrate your server until you know how to admin
that system. Stay with what you know, but start learning other things.
That is my opinion.
>
> Thanks,
>
> Andrew McCall
>
> [1] - http://news.com.com/2100-7344-5117271.html?tag=nefd_hed
> [2] - http://news.netcraft.com/archives/web_server_survey.html
--
Mollison's Bureaucracy Hypothesis:
If an idea can survive a bureaucratic review and be implemented
it wasn't worth doing.