OT: Nix less secure than Windows. - Page 2

Fyron · #11 January 7th, 2006, 02:34 AM

Quote:

NullAshton said:
Linux just isn't hacked because Windows is a bigger target. If you hack linux, so what? Windows holds the market share.

If you hack *nix, you get crucial information on lots of huge corporate web sites. Nowhere near as many with Windows.

And yeah, the list does seem to include a lot of beta fixes and the same fix for the same problem in multiple distributions needlessly... Not that useful of a list for basing any claims, other than software is insecure.

And I'd like to know who Thermodyne is talking to that says Linux is secure because it is Linux. Any competent user of Linux is aware of vulnerabilities cropping up. Its insecurities are rarely as severe as Windows ones, but it of course it still has them...

Thermodyne · #12 January 7th, 2006, 11:33 AM

Quote:

Jack Simth said:

Are they? Or is it just a matter of the first fix not really addressing the issue? If so, you'd expect an open source project to have a lot more of them - simply due to the nature of open source; someone thinks they have it down, and publish for testing; a security expert republishes the fix, then testing comes back and says it doesn't work; so an update is needed. Meanwhile, MS tests in-house before publishing, and only rarely does the fix not stop that attack on the first published try.

Likewise, I'd also expect more originals on *nix than on MS; partially because *nix is open for people hunting for exploits (more eyes see more holes), partially because an exploit must be reported fairly publicly to be resolved (it's commonly other people looking for a plug to fit), and partially because it seems like it'd be a tad embarrassing to MS when they admit a mistake, so they might consolidate solutions and thereby sweep a few under the rug... or not tell anyone about some of the ones with the "Currently we are not aware of any exploits for this vulnerability" tag.

Without going into great detail, it�s a management issue, or lack there of.

Windows is the target of choice for botting and datamining for cc numbers and bank accounts. And while the people who do this are good, their resources are usually limited.

Nix is more of a two fold target. The Apache side of it draws a lot of industrial attention and UNIX FreeBSD side is methodically under attack by foreign governments as well as the industrial regulars. Of late, one government in particular has been spending lots of time inside US computer systems.

The main point of this post is not which is better, the point is that none of the Nix exploits ever get brought to the attention of the general public.

Thermodyne · #13 January 7th, 2006, 12:01 PM

Quote:

Imperator Fyron said:

And yeah, the list does seem to include a lot of beta fixes and the same fix for the same problem in multiple distributions needlessly... Not that useful of a list for basing any claims, other than software is insecure.

Anytime a patch is released, it gets an entry. If you release 10 patches, you get 10 events. Only the final patch will be listed, this is because the purpose of the list is to index exploits against patches. Nix gets more multiple entries because of the structure of the Nix industry. Lots of very small shops and single people, all working on the same problem. It should also be noted that the bad guys patch their work too. So you get some back and forth sometimes.

Quote:

And I'd like to know who Thermodyne is talking to that says Linux is secure because it is Linux. Any competent user of Linux is aware of vulnerabilities cropping up. Its insecurities are rarely as severe as Windows ones, but it of course it still has them...

The myth is that Nix is not attacked because the installed base is too small to be of interest. That statement is often made on this very board.

I also noticed some posts about the data being tainted to make Nix look bad. Perhaps you should do some research and then make an informed statement. CERT could care less about who had how many hacks. They just report them. Nix looks worse because of the way the community is organized.

Fyron · #14 January 7th, 2006, 02:47 PM

Quote:

I also noticed some posts about the data being tainted to make Nix look bad.

I don't know that Cert was trying to intentionally taint the data to make *nix look bad, but if you are just trying to use numbers to draw the conclusions you are drawing, the data on the site is indeed not valid for that purpose due to the duplications.

Quote:

The myth is that Nix is not attacked because the installed base is too small to be of interest. That statement is often made on this very board.

I rarely see anyone post a never or a "*nix is not attacked" as an absolute, and I can't recall a single recent instance on this board; it usually is more akin to being attacked far less frequently, as concerning home desktop use.

Baron Munchausen · #15 January 7th, 2006, 04:25 PM

Quote:

Thermodyne said:
Do your home work, if it gets past one version, it gets past most of them. Take out the Unix and osX and you still have a lot of flaws. The thing that needs to be known here is that Nix is not in and of itself safe. You need to take the same steps as windows users.

No one has claimed that *IX is inherently 'safe'. Many have claimed that it is more secure than Windows. Which is not very difficult to achieve.

But I think it's the authors of this study who need to 'do their homework'...

http://news.zdnet.com/2100-1009_22-6021867.html

"The study is confusing and misleading. When you look at the list, the vulnerabilities are miscategorized," Mark Cox, a consulting software engineer at Red Hat, said. "For example, Firefox is categorized as a Unix/Linux operating-system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms. There are methodological flaws in the statistics."

In addition, Steven Christey, an editor for Common Vulnerabilities and Exposures, an organization that maintains a common vulnerability database, said that the statistics were no basis for comparison of the relative security of Windows and Linux/Unix, because they had been collected from different sources with different criteria for the collection of flaws.

...

Secunia thought that the nature of the reported vulnerabilities also made it difficult to compare security on the platforms, as Linux/Unix researchers concentrate on vulnerabilities in local privilege separation, while Windows researchers look at possible remote vulnerabilities.