Re: Short List of Security Questions
- From: "karl levinson, mvp" <levinson_k@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 15 Jul 2006 10:58:48 -0400
"BC" wrote:
>> Right. Linux gets hacked when people start enabling features, like trying
>> to use it as a web server. IIS 6 on Windows Server 2003 is hacked far less
>> frequently than Apache on Linux. A significant problem in Linux and Windows
>> security is the user not knowing how to safely configure and use their OS.
> No: http://www.dgl.com/itinfo/2001/it010723.html
That article is from 2001, before the release of IIS6 which I was
discussing. "Near weekly security patches" doesn't happen, and there are
automated methods to ease pushing patches, including to critical servers.
Instead of opinion, you need to check out the statistics at www.zone-h.org
in their defacements archive section. Oh, and the top story on the home
page is about the debian.org development server getting hacked, again.
Look, absolutely Windows has security problems, and I'm critical of them.
It just irks me when people criticize Windows security for the wrong
reasons, or try to suggest that Linux, its file system, etc. is perfect and
superior in every way, ignoring limitations like lack of granularity in role
based ACLs on files.
>> The defaults in Windows XP SP2 and 2003 are pretty secure.
> No: http://www.security.duke.edu/securepc-xp.html
> http://tech.msn.com/guides/itdecision/article.aspx?cp-documentid=103175&HTTP_HOST=tech.msn.com&url=/guides/955450.armx
Again, those articles predate XP SP2 and they don't address 2003, so you
haven't contradicted what I said. How is that short list of
recommendations any different from any other OS? Windows isn't going to
automatically pick a good password for you; that's your job. Even OpenBSD
has a recommended installation checklist, and there are a variety of them
for Linux as well.
>> Windows XP was released in 2001 and programmed in the years before that, so
>> for a true apples to apples comparison, you would have to compare its
>> default settings to a *nix distro from five years ago. A lot of the threats
>> we're seeing today weren't really around back then.
> You should go by what you can get *today* rather than 5 years ago.
Which is what I did by mentioning XP SP2. You're the one going back five
years for your articles.
>>> The most secure thing you can do in Windows is immediately download and
>>> install Firefox and/or Opera and avoid the blue "e" as much as possible,
>>> as well as other programs that use it, like Outlook and Outlook Express.
>> People are rarely hacked via web browsers.
> No:
> http://www.pcadvisor.co.uk/blogs/index.cfm?entryid=237&blogid=4
> http://www.ciol.com/EnterpriseConnect/content/article.asp?artId=86344&secId=1345
Once you get a number of infections, you let me know what that number is.
Your second article mentions the same download.ject Trojan I mentioned.
Trend Micro counted about 750 people infected worldwide by download.ject
ever, despite the fact there was no Microsoft patch for about a month. Wow,
750 whole people infected. That is a huge number.
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FJECT%2EA&VSect=S
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FPSYME%2EB&VSect=S
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FSCOB%2EA&VSect=S
> It doesn't matter -- the XP Home Administrator account is blank as the
> default; and I have had good luck fixing problem XP PCs with a
> password-resetting Linux boot floppy and stuff like Bart PE. Either it
> prevents you from accessing stuff or it doesn't. Some of those old
> Win3.11/95/98 did a far better job of locking out access from alternative
> boot devices.
If you have physical access to any computer running any OS and any partition
format, you can access the hard drive. Linux, Windows, it doesn't matter.
> Within just the past couple of days, I had to use Bart PE to fix a system
> that wouldn't boot up thanks to some bad spots on the hard drive. And twice
> recently before that I had to use a 3rd party NTFS data recovery app to
> recover hard drive files. You compare that to something like Novell's old
> server file system which could almost take a bullet. But compare NTFS to
> even poor old FAT32:
> http://cquirke.blogspot.com/2006/01/bad-file-system-or-incompetent-os.html
FAT [and various flavors of Linux and Solaris] had/have a much bigger
problem where being shut down in the middle of a write operation could make
the entire partition difficult to rescue. Both FAT and NTFS can become
unbootable if a physically bad sector makes a critical system file
inconsistent. But that is far easier to fix than an entirely bad partition.
This makes FAT a vulnerable and entirely inappropriate file system for
mission critical servers, and pretty much no one uses FAT for servers
nowadays when NTFS is an option.
File systems, including NTFS and ext2, can protect you when there's a write
operation to a file. I really don't know how you could expect a file system
to keep a system bootable when a system file, just sitting there, without
any write operations, suddenly experiences a physical bad sector. The only
way you could avoid that is to use some form of RAID, which NTFS can do.
> "DropMyRights" is no more than another privilege control:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
> It's better than nothing, but doesn't at all compare with the fine grain
> control that Linux offers
Such as?
> And if that wasn't enough, Novell has a nice little freebie app:
> http://www.novell.com/linux/security/apparmor
> If you go by what system allows for easy security without a lot of hard
> work and gotchas, Windows loses every time.
So you can mention free add-ons like using Novell / SUSE's apparmor, but
you're not allowing consideration of free add-ons for Windows? By that same
token, you probably consider third-party plugins for Firefox part of
Firefox, but Microsoft's add-ons for IE like the one that enables tabbed
browsing aren't part of IE.
>>> People who can't take basic measures to secure their Windows systems
>>> would also have problems securing their Linux systems.
>> That's an excellent point. No matter how you secure your OS, and whatever
>> OS you choose, it's still generally reliant on and vulnerable to the
>> shortcomings of the aging TCP/IP suite, such as threats like DNS spoofing,
>> ARP spoofing, man in the middle session hijacking, SSL, SSH, etc.
> True, but Linux has a huge amount of TCP/IP security built in, which is why
> Linux boxes make such dandy firewalls (just ask Microsoft:
> http://www.newsfactor.com/perl/story/22171.html)
Microsoft using Akamai's services is hardly Microsoft using Linux for a
firewall. I don't believe Microsoft uses firewalls in front of their public
web servers. Why do those Akamai Linux web servers need firewalls? Are
they that insecure?
> If Microsoft was truly serious about security, they would have long ago
> rewritten IE to be a standard, standalone application with no artificially
> elevated privileges
>> What artificially elevated privileges does IE have?
> !!!!
>> Unless you use DropMyRights, IE by default runs in the context of the
>> logged in user, only with a variety of restrictions, so that IE can't do a
>> lot of things the user can do.
> See: http://www.eweek.com/article2/0,1895,1826269,00.asp
That article doesn't prove your point over mine. You haven't proven that IE
has any greater privileges than the user that's running it. Furthermore,
depending on the security zone the page is coming from, IE is unable to do
certain things the user can do. A prime example is Outlook and Outlook
Express, which use the exact same "IE" code for HTML rendering, but use the
Restricted Sites zone for doing so. This has prevented a lot of IE vulns
from also being Outlook vulns. Also, it's not true that users cannot run IE
with reduced privileges, as your article states. Users can use DropMyRights
if they wish, for example. I never do, though, and I've never been infected
via IE.
If you meant to say that IE has way more privileges than it should have, I
agree totally with that. Those privileges are not exactly "escalated,"
though, because IE under normal conditions has fewer privileges than the
locally logged in user, and under exploit / security bypass conditions has
the same privileges as the locally logged in user. If you were going to say
that Windows and software programmed for Windows could make it easier for
users to run Windows and surf with non-administrator privileges, I might
agree there too.
> Microsoft's wholly artificial bundling of IE to Windows essentially gives
> IE the keys to the system -- exploit IE and you exploit Windows.
No, when you exploit IE via an unpatched vuln, you get the privileges of the
locally logged in user, not access to the entire system. If a user is
browsing the Internet while logged in as administrator or root, that's only
partially the fault of the OS, and partly user error.
>> Vulns in Winzip, MS Office, etc. are just as dangerous as IE vulns, because
>> those apps can do just about anything IE can do, without being integrated
>> into Windows.
> No. Microsoft apps have always been in a special category when it comes to
> risk since they too have excessive privileges, often via their use of IE.
> http://secunia.com/product/23
> http://secunia.com/product/2276
Actually, the Trend Micro statistics for download.ject, which was huge news
in the media, show that the risk of IE vulns is highly overrated compared
to actual risk.