Post by thread:[OT:] Windows/Linux security

Exact match. Not showing close matches.
PICList Thread
'[OT:] Windows/Linux security'
2004\04\30@195851 by Ken Pergola

I was hoping someone could educate me on something that I see and hear a lot of comments about. I hear a lot of claims that Linux is more secure than Windows, but I don't usually see people elaborate on why this claim is made after they make it. Isn't C++ the underlying language that both operating systems are written in? And if so, wouldn't both operating systems be *equal* in their susceptibility to buffer overrun attacks, for example, due to the pitfalls of C-string functions like 'strcpy', 'strcat' in C++? Perhaps this is narrowing things down to such a simplistic and specific example, but I feel it is a fair question to ask. Thank you for sharing any comments on this. Best regards, Ken Pergola -- http://www.piclist.com hint: To leave the PICList spam_OUTpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

2004\04\30@200102 by Shawn Wilton

For the most part, security is a matter of the programmer writing the code. If the programmer knows what they're doing, then all is well. If they don't know how to write secure code, then you get in to problem areas. -Shawn Ken Pergola wrote: {Quote hidden}> I was hoping someone could educate me on something that I see and hear a lot > of comments about. I hear a lot of claims that Linux is more secure than > Windows, but I don't usually see people elaborate on why this claim is made > after they make it. > > Isn't C++ the underlying language that both operating systems are written > in? > > And if so, wouldn't both operating systems be *equal* in their > susceptibility to buffer overrun attacks, for example, due to the pitfalls > of C-string functions like 'strcpy', 'strcat' in C++? > > Perhaps this is narrowing things down to such a simplistic and specific > example, but I feel it is a fair question to ask. Thank you for sharing any > comments on this. > > Best regards, > > Ken Pergola > > -- > http://www.piclist.com hint: To leave the PICList > .....piclist-unsubscribe-requestKILLspam@spam@mitvma.mit.edu -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestKILLspammitvma.mit.edu

2004\04\30@201138 by Ken Pergola

Shawn Wilton wrote: > For the most part, security is a matter of the programmer writing the > code. If the programmer knows what they're doing, then all is well. If > they don't know how to write secure code, then you get in to > problem areas. Hi Shawn, Thanks for your comments. Do you think people who make this claim are talking about the OS only, the applications that run on top of the OS, or both? It's difficult to wade through all these claims. Does the Linux camp know how to write more secure code than the Microsoft camp? Or is it that programmers were less hacker-aware when these operating systems were written? Best regards, Ken Pergola -- http://www.piclist.com hint: To leave the PICList .....piclist-unsubscribe-requestKILLspam.....mitvma.mit.edu

2004\04\30@203303 by William Chops Westfield

On Friday, Apr 30, 2004, at 16:58 US/Pacific, Ken Pergola wrote: > I hear a lot of claims that Linux is more secure than Windows, but I > don't usually see people elaborate on why this claim is made after > they make it. I think the main thing that makes unix more secure is the underlying multi-user privilege and file system structures. Windows is no less secure than unix, if you always log into your unix system as root (the maximum-priv user.) MOST unix applications run under the privs of a single "normal" user and can therefore not infect or delete system files, access privileged resources, etc. Excepting bugs. And excepting that there are an awful lot of things that DO run as root, installed and "maintained" by people who don't really understand them. Newer windows operating systems are headed in this direction, of course. BillW -- http://www.piclist.com hint: To leave the PICList EraseMEpiclist-unsubscribe-requestspam_OUTTakeThisOuTmitvma.mit.edu

2004\04\30@204345 by John J. McDonough

----- Original Message ----- From: "Jake Anderson" <grooveeespam_OUTOPTUSHOME.COM.AU> Subject: Re: ] Windows/Linux security > integrated. linux is also as a rule much quicker at resolving exploits and > problems that have been found, 24 hours is a long time for a security flaw The data would indicate otherwise. I think there is a "feeling" that the open source community responds more quickly, but a study recently found that when you look at the actual data, Linux exploits get resolved MUCH more slowly than Windows. The Linux crowd claimed this wasn't "fair" in that they fix "serious" bugs more quickly than M$, although some of the less critical ones do lay around for a while. And I suspect there is probably some truth to this. But it's pretty subjective to try to categorize security problems as important or unimportant. One thing that I don't think has been mentioned, though. Windows code is astonishingly complex. I think it is a lot harder to write secure code in a Windows environment than in Linux. This is pretty subjective, though. The other problem M$ has is a legacy of code that was written at a time when the giant of Redmond didn't care about security. In fact, I wonder why M$ cares even now. Ever since Windows 3.1, Microsoft's customers have sent Redmond a strong message that pretty colors and bouncing paper clips are a lot more important than stability and security. And Microsoft listens to their customers. That's why they are so successful. We geeks can sit around and whine about how awful that is, but every day customers send millions of dollars to Microsoft to vote for the status quo. 72/73 de WB8RCR http://www.qsl.net/wb8rcr didileydadidah QRP-L #1446 Code Warriors #35 -- http://www.piclist.com hint: To leave the PICList @spam@piclist-unsubscribe-requestKILLspammitvma.mit.edu

2004\04\30@211538 by Ken Pergola

Thanks for taking the time to post your comments Jake Anderson, William Westfield, and John McDonough. I appreciate everyone's insight. It's definitely an intriguing topic. My angle of security was from an outside hacker perspective. Best regards and thanks again, Ken Pergola -- http://www.piclist.com hint: To leave the PICList KILLspampiclist-unsubscribe-requestKILLspammitvma.mit.edu

2004\04\30@213027 by David Koski

On Fri, 30 Apr 2004 20:10:51 -0400 Ken Pergola <RemoveMEno_spamTakeThisOuTLOCALNET.COM> wrote: > Shawn Wilton wrote: > > > For the most part, security is a matter of the programmer writing the > > code. If the programmer knows what they're doing, then all is well. If > > they don't know how to write secure code, then you get in to > > problem areas. > > Hi Shawn, > > Thanks for your comments. Do you think people who make this claim are > talking about the OS only, the applications that run on top of the OS, or > both? I don't know what the "people who make this claim are talking about" but it is in fact both. Consider for example the typical virus or worm. It easily infects Windows computers partly because the email cients (applications) make it easy to execute code (programs) that are received by email. And when a virus or worm is executed, a lax security model (the OS) often allows it to take over. > It's difficult to wade through all these claims. Does the Linux camp > know how to write more secure code than the Microsoft camp? Microsoft is driven by their bottom line and people tend to buy what they are used to, has a pretty look, is cool, etc. So why should M$ spend the time (money) to improve Windows security unless the consumer demands it? And I think that may be happening now. > Or is it that programmers were less hacker-aware when these operating systems > were written? I'm not sure what you mean but FYI, Linux is modeled after Unix which has been arround a lot longer than Windows. David -- http://www.piclist.com hint: To leave the PICList spamBeGonepiclist-unsubscribe-requestspamBeGonemitvma.mit.edu

2004\04\30@220128 by Ken Pergola

David Koski wrote: > I'm not sure what you mean but FYI, Linux is modeled after Unix > which has been around a lot longer than Windows. Hi David, Thanks for your comments. Yes, definitely, I'm aware of this fact. What I meant to convey was a mindset: How can one write defensive code or secure code if one does not know what they are defending against? Besides the money factor, there's the possibility that people just didn't anticipate some of these security problems. It appears to be an evolutionary process, and there has been a lot of emphasis on improvement in security recently for obvious reasons. Thanks again, Ken Pergola -- http://www.piclist.com hint: To leave the PICList TakeThisOuTpiclist-unsubscribe-requestEraseMEspam_OUTmitvma.mit.edu

2004\04\30@220338 by Ken Pergola

Hi Carey, Thanks for your comments and for the link -- I'll check that out. Best regards, Ken Pergola -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

2004\04\30@220544 by Carey Fisher - NCS

<Resend with correct [OT:] tag; sorry, MS Outlook don't ya know...> A major aspect of the "better security" claim is that Linux is "open source" meaning the source code is available for anyone to look at. The theory is that since it's open source, security flaws will be found by the many people looking at the code. Proprietary operating systems are not open to such wide scrutiny. There is a good front page article in EETIMES (Mon, Apr 19,2004) that pretty much discredits the idea that "...Linux's development process, which involves thousands of individuals, makes it almost impossible for 'adversarial code' to sneak through." (EETIMES). Carey Fisher, K8VZ Chief Technical Officer New Communications Solutions, LLC website: http://www.ncsradio.com > {Original Message removed}

2004\04\30@220753 by James Caska

I think it has more to do with the fact that people are attacking windows not linux just 'because' I would have thought having access to the source-code would be the perfect thing to use to find security flaws that can be exploited. It's like trying to crack an encryption algorithm while holding the key and the source in your hand. At least hiding the flaws makes them harder to find.. But then windows seems to have a lot of flaws to find! JC {Original Message removed}

2004\04\30@220958 by Jake Anderson

<snip> >Windows computers partly because the email cients (applications) make it easy to >execute code (programs) that are received by email. And when a virus or worm is >executed, a lax security model (the OS) often allows it to take over. uhh no microsoft has made it basically impossible to open any form of attachment in outlook and outlook express. prior to this you still had to manually execute the program you recieved. there was a bug or 2 that allowed malformed mails to cause attached programs to run but this has been fixed for years. all current worms for windows clients opperate in user space. all they do is read the current users mailbox and send mails to all they find, some also scan the hard drive for mail addressess too. There is no possible mechanism of stopping software from doing that as it is perfictally valid operations that some user may want. the reason windows propigates so many worms and virii is a) its the largest single target. b) the users. your average linux user will not randomly execute programs. if your average windows user gets something in their inbox saying hahaha.exe they will click on it. microsoft has been forced to basically remove functionality from their programs to protect the users from their own naievity I write software, I currently have to send that software out to our offices in 3 different formats due to the combinations of virus scanners and outlook restrictions they have. dont blame microsoft for the idjit users -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestEraseME.....mitvma.mit.edu

2004\04\30@223507 by Ken Pergola

Thanks for the comments James -- definitely a polarized topic. Best regards, Ken Pergola -- http://www.piclist.com hint: To leave the PICList EraseMEpiclist-unsubscribe-requestmitvma.mit.edu

2004\04\30@224747 by M. Adam Davis

There are many different factors, but the primary few issues are: They each use fundamentally different security models. Windows is geared towards both easy administration and many ease of use features. The complication arises that something that is 'easy' to administer is easy to misadminister since it doesn't require any special knowledge. By default a regular user is an administrator who has direct access to the computer. The complicating factor of many ease of use features means that something that is easy for the user to do is easy for a script to do. Since the script has full computer access, and many programs run scripts without bounds then it's an easy target. I would say the Linux has difficult administration (this is changing) and few ease of use features (this is changing). As these two change you'll find it targetted more frequently. However, the average linux user is instructed to use root access very infrequently. Hopefully this will not change (though it used to be that lindows ran in root, and so maybe this will eventually happen). They were built from different perspectives aiming at different users. Windows is aiming for a person who doesn't share their computer with other users simultaneously - in fact their business model depends on one person - one license. Windows XP has all the features needed for terminal service, minus some small amount of code and, of course, such functionality is blocked. Linux (and unix in general) was designed from the ground up as a general shared-use computer platform. As such the security model was designed from the ground up for multiple, non-root users. Furthermore applications are always run in very well defined user spaces that prevent them from gaining any more priviledges than the user has. This model even leads to being logged in as a user, and running some programs (say email) as a lesser-capable user, and some programs as a more capable user (administration). This, and other such security features, is possible in windows, but it's not simple or obvious to do because Microsoft doesn't want to make it hard for users. There are other issues, but the two systems are slowly converging to the same point since many people want linux to work in the space windows is so good at, and Microsoft has forever been really trying to crack into the space that linux works in so well. As they do so, they will also learn from their mistakes and I suspect that windows won't become any more susceptable, and Linux will become slightly more susceptable. One of the nice things about linux now is that it's release cycle allows patches to be used quickly, but only for those users who haven't become complacent. Windows patches don't seem to come as quickly, and if they aren't willing to fix something no one else is going to be able to without the code. -Adam Ken Pergola wrote: {Quote hidden}>I was hoping someone could educate me on something that I see and hear a lot >of comments about. I hear a lot of claims that Linux is more secure than >Windows, but I don't usually see people elaborate on why this claim is made >after they make it. > >Isn't C++ the underlying language that both operating systems are written >in? > >And if so, wouldn't both operating systems be *equal* in their >susceptibility to buffer overrun attacks, for example, due to the pitfalls >of C-string functions like 'strcpy', 'strcat' in C++? > >Perhaps this is narrowing things down to such a simplistic and specific >example, but I feel it is a fair question to ask. Thank you for sharing any >comments on this. > >Best regards, > >Ken Pergola > >-- >http://www.piclist.com hint: To leave the PICList >RemoveMEpiclist-unsubscribe-requestEraseMEEraseMEmitvma.mit.edu > > > > > -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestspam_OUTKILLspammitvma.mit.edu

2004\04\30@230042 by Ken Pergola

Thank you very much Adam for time and for your comments as well. Best regards, Ken Pergola -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestTakeThisOuTspammitvma.mit.edu

2004\04\30@230502 by David Koski

On Sat, 1 May 2004 12:09:32 +1000 Jake Anderson <EraseMEgrooveeespamspamBeGoneOPTUSHOME.COM.AU> wrote: > >Windows computers partly because the email cients (applications) make it > easy to > >execute code (programs) that are received by email. And when a virus or > worm is > >executed, a lax security model (the OS) often allows it to take over. > > uhh no > microsoft has made it basically impossible to open any form of attachment in I'm glad to hear M$ has made improvements in Outlook. To be fair, I hardly use Windows any more. I would like to hear from others how difficult it is to execute code received from Internet sources, be it email or not, especially compared to a Linux equivalent FYI, to execute code received in an email using Sylpheed, my email clinent for Linux, I have to deliberately select the attachments tab, right click on the attachemnt, select "save as", then go to the folder where it was saved and then set the execute bit before I can execute it. I would think the average "idjit" would have trouble getting that far. Actually, I have never done it so I have not tested it. <snip> David -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestKILLspammitvma.mit.edu

2004\04\30@234729 by Jake Anderson

in outlook you need to edit the registry in order to even have the ability to save a program out outlook express you need to find a buried security tab disable it before you are able to save it out once you have disabled the security you can run the program from outlook/e with a few clicks but if sombody is going to run it they will run it wether they have to save it or not. microsoft has had patches out for all the major worms that have gone around recently several months before the exploit. the problem is the users dont update windows can be made secure to the point you basically cant use it if your that way inclined. windows is roughly as secure as linux when they are both run by compitent people up to a level good enough for most of the population. personally i trade a little "security" for the ability to do just about anything i want with a nice menu, good help system, and widespread hardware support. {Original Message removed}

'[OT:] Windows/Linux security'
2004\05\01@001724 by Robert B.

If windows is roughly equivalent in security to linux, then why are there so few viruses that break down *nix servers? Is this merely a function of the virus-writers targeting the unsusupecting windows non-technical users? Or is it because windows does in fact have more exploitable security holes. I tend to think it's the latter, because if I were a virus writer and wanted to do serious damage it would make sense to target the servers which hold the internet together (i.e. unix variety) as opposed to the end users windows machines. Speaking from personal experience, my windows machines regularly get infected with nuisance viri and the occasional more serious virus, but I have yet to experience any such nuisance in my freebsd machine. As far as ouhouse express works, I have no problem running attachments from the attachment menu. ----- Original Message ----- From: "Jake Anderson" <grooveeeSTOPspamspam_OUTOPTUSHOME.COM.AU> To: <spamBeGonePICLISTSTOPspamEraseMEMITVMA.MIT.EDU> Sent: Friday, April 30, 2004 10:48 PM Subject: Re: [OT:] Windows/Linux security > in outlook you need to edit the registry in order to even have the ability > to save a program out > outlook express you need to find a buried security tab disable it before you > are able to save it out > once you have disabled the security you can run the program from outlook/e > with a few clicks but if sombody is going to run it they will run it wether > they have to save it or not. > > microsoft has had patches out for all the major worms that have gone around > recently several months before the exploit. > > the problem is the users dont update > windows can be made secure to the point you basically cant use it if your > that way inclined. > windows is roughly as secure as linux when they are both run by compitent > people up to a level good enough for most of the population. > > personally i trade a little "security" for the ability to do just about > anything i want with a nice menu, good help system, and widespread hardware > support. > > {Original Message removed}

2004\05\01@005006 by David Koski

On Fri, 30 Apr 2004 23:08:03 -0500 "Robert B." <KILLspampiclistspamBeGoneNERDULATOR.NET> wrote: > > in outlook you need to edit the registry in order to even have the ability > > to save a program out > > outlook express you need to find a buried security tab disable it before > > you are able to save it out > > once you have disabled the security you can run the program from outlook/e > > with a few clicks but if sombody is going to run it they will run it > > wether they have to save it or not. <snip> > Speaking from personal experience, my windows machines > regularly get infected with nuisance viri and the occasional more serious > virus, but I have yet to experience any such nuisance in my freebsd machine. Okay, I'm confused. Surely you are not jumping through the hoops indicated above just to get "viri". How do you (and every other Windows user connected to Internet) get them? <snip> David -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@013317 by Jake Anderson

by not patching i run windows 2k and 2k server on all the machines here. i virus scan every once in a while. i have never been infected with a virus. i get sent on average 15 virus emails a day, same for dad. If you have patched outlook express or outlook up to date you cannot run programs without disabling the security. if you can run programs or hell even save .pif .exe whatever files out of the program you have either not patched or have disabled the "security". About the worst that has happened is dads computer was infected with the scumware "cool web search" looks like i forgot to patch his computer once and it got in through a JVM vunerability. by the way before anybody makes any snide remarks about patching linux is just as bad, it wanted to install 400mb of patches for my mandrake install. {Original Message removed}

2004\05\01@030151 by Russell McMahon

> if you can ... save .pif .exe whatever files out of > the program you have either not patched or have disabled the "security". That would be the "brain dead security" wouldn't it ? :-) I think it's fine to be able to disable pif/exe/com/... running AND to be able to stop them being even saved BUT when you can have only both or neither it's ludicrous. Of course I don't want to have my email program running exe files in the current environment - too much chance for a mistake. But I certainly want to be able to save exe files I am sent. I can't imagine why it HAS to be both or neither. Maybe that's been changed since I last looked at the options. RM -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@041744 by Jake Anderson

you can set the behaviour if you want to personally i like being able to run the odd program from there however when you click it it pops up asking you what action you wish to take and warning that files can have viruses etc if you uncheck "ask me every time" and click save then from then on it will prompt to save whenever you click on a file of that type. you must disable the "child lock" security first. thats what it is really a child lock. {Original Message removed}

2004\05\01@093534 by John J. McDonough

----- Original Message ----- From: "Jake Anderson" <EraseMEgrooveeeEraseMEOPTUSHOME.COM.AU> Subject: Re: [OT:] Windows/Linux security > uhh no > microsoft has made it basically impossible to open any form of attachment in > outlook and outlook express. uhhhh ... no. First of all, it has been possible to keep reasonably secure with Outlook Express for a very long time now. However, the default settings used to be just plain bad, and even though they have improved, they are still not what they need to be. Interestingly, as best I can tell, Outlook still has some problems that I don't know that you can work around. As far as I know, there are three ways someone can nail you with an email. The first is a buffer overflow vulnerability. Back when the only computers on the net were Unix machines, this was the favorite. The famous "Internet Worm" that got so much press a few years back worked this way. This isn't so popular with Windows. I don't think it's necessarily harder to do in Windows, it's just that Windows provides so many easier approaches. The second is getting a brain-dead user to open an executable attachment. Recent versions of OE have made this harder, but not impossible. What is really annoying is that M$ has provided a convenient way for a hacker to make an exe file look like a jpeg. This "feature" can be turned off, but it takes mucking around in the registry to do it. A big difference here is that many Windows users haven't found the clue bucket. Linux is such a pain to install and configure that the totally brain dead user isn't going to be running Linux in the first place, so it's a safe bet that almost all Linux users will have enough sense not to do this. The third avenue is through HTML email. HTML provides a rich set of tools for exploiting the target system, although all of them are fairly hard to use except for ActiveX controls. Some Linux clients will open email in HTML and so are susceptible to exploits via JavaScript or Java (don't give me that crap about the sandbox being secure - it ain't). But these exploits are more difficult than ActiveX. Controlling HTML email and ActiveX are quite possible in Outlook Express (less so in Outlook), but the settings are scattered all over, so the average user isn't likely to get them right. There have also been bugs in the HTML engines from time to time that are exploitable without active content, although these have been fairly infrequent. Other than ActiveX, all of these are available on both Linux and Windows, although some mail clients will not open HTML mail. These clients are more popular on Linux than on Windows. The HTML is an especially nasty one since, on clients with a preview pane, this sort of exploit can be activated without actually opening the email. Windows is a more popular attack target simply because there are so many more Windows machines out there. Over 95% of the machines are Windows, so Linux/Unix/Mac/VMS are much less appealing targets. --McD -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@093952 by John J. McDonough

----- Original Message ----- From: "Robert B." <@spam@piclist@spam@spam_OUTNERDULATOR.NET> Subject: Re: [OT:] Windows/Linux security > If windows is roughly equivalent in security to linux, then why are there so > few viruses that break down *nix servers? Server attacks are relatively rare anyway. There are a lot more desktops out there to atttack, so it's a much more appealing target. And virtually all of the desktops are Windows. However, one place where there is a significant difference is in web servers. Until about a year ago, the majority of the web servers were Apache, with most of the rest being IIS. (IIS has changed it's name a couple times in the past few years, but a rose by any other name....) About a year or two ago, IIS passed Apache in numbers, but they are still roughly equivalent. However, for quite a while almost every day brought a new IIS vulnerability, while Apache went literally YEARS between exploits. Recently the Apache exploits have picked up some, and the IIS exploits have slowed, but this is one area where the difference is still dramatic. --McD -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@104709 by Matt Pobursky

On Sat, 1 May 2004 09:40:14 -0400, John J. McDonough wrote: > However, one place where there is a significant difference is in web > servers. Until about a year ago, the majority of the web servers were > Apache, with most of the rest being IIS. (IIS has changed it's name a > couple times in the past few years, but a rose by any other name....) About > a year or two ago, IIS passed Apache in numbers, but they are still roughly > equivalent. I'm not sure where you might have gotten data on those numbers, but Netcraft (probably the most trusted OS neutral data source) says otherwise: http://www.serverwatch.com/stats/netcraft/article.php/3336931 These numbers are updated every month and the percentages have been fairly constant over the past few years. Microsoft likes to make it sound like they are making major increases in the web server market share, but the fact is they've hit a plateau and are more or less staying there. Matt Pobursky Maximum Performance Systems -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@110617 by John J. McDonough

Not hugely surprising. These things are based on surveys, and the numbers are going to look different depending on who you survey. Netcraft is a European outfit, and likely to end up with a different group of respondents than a US company. The data I was basing my comments on was a little stale, too, just about the time those Netcraft graphs show a drop in Apache corresponding to a jump in M$. And it was from PC Week, whose respondents are likely to be more heavily biased toward corporate types, where M$ is a little more successful. In a way it's comforting to see better Apache numbers <g> Please don't picture me as a cheerleader for IIS. As a former big corporate type, I do see a place for it inside the corporate LAN, but when I went looking for a provider for my own corporate site, Apache was a requirement. Personally, I think it's irresponsible to expose IIS directly to the Internet. --McD ----- Original Message ----- From: "Matt Pobursky" <spamBeGonepiclistKILLspamMPS-DESIGN.COM> Subject: Re: [OT:] Windows/Linux security > I'm not sure where you might have gotten data on those numbers, but > Netcraft (probably the most trusted OS neutral data source) says > otherwise: -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@121618 by Matt Pobursky

On Sat, 1 May 2004 11:06:21 -0400, John J. McDonough wrote: > Not hugely surprising. These things are based on surveys, and the numbers > are going to look different depending on who you survey. Netcraft is a > European outfit, and likely to end up with a different group of respondents > than a US company. The data I was basing my comments on was a little stale, > too, just about the time those Netcraft graphs show a drop in Apache > corresponding to a jump in M$. And it was from PC Week, whose respondents > are likely to be more heavily biased toward corporate types, where M$ is a > little more successful. True enough about Netcraft, but I've seen pretty similar numbers in the half dozen or so other web server statistic report/surveys I've seen so I tend to believe they are in the right ballpark. > In a way it's comforting to see better Apache numbers <g> > > Please don't picture me as a cheerleader for IIS. As a former big corporate > type, I do see a place for it inside the corporate LAN, but when I went > looking for a provider for my own corporate site, Apache was a requirement. > Personally, I think it's irresponsible to expose IIS directly to the > Internet. I actually agree with you on these points. I'm really neither a cheerleader or basher for either OS. I run Win2K for my workstations and Linux (and a few other OS's) on servers and other systems. I think they both have their place. I'm actually a (more or less) blatant capitalist and "freedom of choice" guy. My only real gripes with Microsoft are the manner in which they do business, not how much money they make or their market share. I vote with my pocketbook and Win2K is the last OS of theirs I'll buy willingly unless they change the way they do business, regardless of their product quality. I do have a copy of WinXP installed on my test bench, but only because a client required and paid for it. Matt Pobursky Maximum Performance Systems -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@144630 by Jason S

What makes you think it's based on a local region. It's not like the send surveys to website owners or hosts. Netcraft automatically polls the sites in its survey the same way google automatically crawls sites to search. I have web sites hosted in Hong Kong and the US (all running on Apache), and they're all included. Jason {Original Message removed}

2004\05\01@153704 by John J. McDonough

----- Original Message ----- From: "Jason S" <.....picspam_OUTCANADASPEAKS.COM> Subject: Re: [OT:] Windows/Linux security > What makes you think it's based on a local region. It's not like the send > surveys to website owners or hosts. Netcraft automatically polls the sites > in its survey the same way google automatically crawls sites to search. Well, their web site says they survey -their- clients, so that led me to suspect that they surveyed their clients. --McD -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@160445 by Jason S

Take a look at the definition of "survey" on the Merriam-Webster site: http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=survey It means to examine or appraise data. Literally asking questions of a real live person is just one possible way to collect data to appraise. Property surveyors survey land by collecting the data themselves, not asking people where they think the exact position of the land is. "I surveyed my computer" is a correct English statement that means I looked at it and probably checked to make sure everything is there and working properly. It's also likely I made a list of what hardware and software is present. In the case of the netcraft survey, they look at the internet themselves, they don't ask people what they're running. Jason {Original Message removed}

2004\05\02@120042 by Alexander Rice

On Fri, 30 Apr 2004 22:46:55 -0400, M. Adam Davis <TakeThisOuTadampic.....TakeThisOuTUBASICS.COM> wrote: Ken Wrote: > Windows XP has all the features needed for > terminal service, minus some small amount of code and, of course, such > functionality is blocked. Actually all the code is there and all you need is to twiddle a pair of bits to move between XP Home, Server and Terminal Server (yes, i know it was never released but it's all there!). I will not elaborate further else i fall foul of some or other DCMA type law. Regards Alex -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

2004\05\02@164910 by Peter L. Peres

> If windows is roughly equivalent in security to linux, then why are > there so few viruses that break down *nix servers? Is this merely a > function of the virus-writers targeting the unsusupecting windows > non-technical users? Or is it because windows does in fact have more > exploitable security holes. 1. Hacking Windows boxes gives more bang/buck because the goal of virus writers is to spread their ilk. A perfect Linux virus would span at most 20% of installed systems now. That does not look attractive ?! 2. Windows libraries have countless undocumented 'shortcuts' meant to speed up the system. The shortcuts circumvent many system security features (such as never running any processes that interpret network data with root privileges). This means that the first breach means a compromised machine, with immediate root access. This is not the case on *nix where compartmentation is very strict. A breach on a *nix machine usually exposes a very small set of features because of this. 3. When you say *nix you actually say one dozen (two dozen ?) different platforms, operating system versions, and setups. There is no way to write a virus that efficiently attacks all of these. It would have to be the size and complexity of Mozilla. 4. *nix users actually do have a clue as to what they are doing most of the time, as opposed to the competition which is limited to clicking on message boxes which usually say such tremendously helpful things as 'your system is on fire. [ok] [cancel]'. This is due to log messages, and access to tools that can pick the system's brains and tell what's wrong. This means a capability to react, even if not everyone knows how to use it. Peter -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

2004\05\02@171023 by Howard Winter

On Fri, 30 Apr 2004 20:44:18 -0400, John J. McDonough wrote: > We geeks can sit around and whine about how awful that is, but every day customers send millions of dollars to Microsoft to vote for the status quo. "Jump off cliffs - 10 million lemmings can't be wrong!" :-) Cheers, Howard Winter St.Albans, England -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

2004\05\03@084956 by cisco J. A. Ares

Well, just my 2 cents, after so much said. Security flaws means opened doors. Windows seems to have been developed for ease of use, so it seems that lots of programs and also the OS keeps several ports opened, listening for other programs to cooperate to each other and be able to, for example, open a program received by mail that will open the presentation program and show you a birthday message from your grandmother in the other side of the country, or even some ads, full of animations and colors :-) The *nix clones tend to close all those doors that do not need to be opened (specially some flavors of BSD they're all closed by default) and the opened doors (or gates, or ports) *HAVE* to have a secure program listening to it. *NO* one else should have the right to make things happen in your computer. So, I think it was a project choice. The BSD project approach (everything closed by default) is not new, so I guess there's no excuse to say that "we could not expect that someone would use those resources for evil things". Security is an issue. Software companies have a limited staff with a long line of projects to be built, and doing some maintenance in a system might have its delays, but the open source community is very large and they're both heavily affected by any security flaw that gets to be known, so I guess that the urge is different. Open source community members are quite often system administrators, AFAIK. Francisco -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2004\05\03@103406 by M. Adam Davis

Perhaps you could link to a website, then? Are the terminal server administrative tools also included in these base distributions? Of course, I'm really only interested accessing my own machines remotely. VNC works ok, but rdesktop is faster, even over slow connections. -Adam Alexander Rice wrote: {Quote hidden}> On Fri, 30 Apr 2004 22:46:55 -0400, M. Adam Davis <TakeThisOuTadampicKILLspamspamUBASICS.COM> > wrote: > > Ken Wrote: > >> Windows XP has all the features needed for >> terminal service, minus some small amount of code and, of course, such >> functionality is blocked. > > > Actually all the code is there and all you need is to twiddle a pair of > bits to move between XP Home, Server and Terminal Server (yes, i know it > was never released but it's all there!). I will not elaborate further > else > i fall foul of some or other DCMA type law. > > Regards > > Alex > > -- > http://www.piclist.com hint: The list server can filter out subtopics > (like ads or off topics) for you. See http://www.piclist.com/#topics > > > -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2004\05\03@105938 by Neil Cherry

Ken Pergola wrote: > I was hoping someone could educate me on something that I see and hear a lot > of comments about. I hear a lot of claims that Linux is more secure than > Windows, but I don't usually see people elaborate on why this claim is made > after they make it. > > Isn't C++ the underlying language that both operating systems are written > in? > > And if so, wouldn't both operating systems be *equal* in their > susceptibility to buffer overrun attacks, for example, due to the pitfalls > of C-string functions like 'strcpy', 'strcat' in C++? Yipes Ken, I can't believe you asked this question! ;-) And I can't believe the responses, they have been well behaved! I find this whole security issue to be very confusing from a user, programmer and engineer prospective. I don't know what to believe. As a user: I find that I can get virus, trojan or zombie programs while using MS LookOut but I must use it because that's what my employer requires. I have switched to Firebird as my default browser and that works 98% of the time. The exception is internal web sites who place restrictions on the browser type, usually in the form of MS Java calls that only work with IE (grr, but I guess I can trust them). As a programmer: I need to avoid doing certain things such as buffer over runs. Good! Someone please who me examples of bad programming and ways to avoid them. And I don't mean the simple stuff like arrays (I know this) but how about the more complicated stuff. I want to write better programs. As an engineer/architect: This one drives me really nuts. I need to build a product, in a short time. I need to use standards such as SSH and SSL. But now where do I get the room to add these protocols in. I'm told here is what we want, here is the cost, make it fit. Guess what I have to get rid of first. BTW, before anyone get the wrong impression, the company I work for has shot down products that lack security. If the security isn't up to par with corporate standards then we won't go forward with it. Of course there is a certain 'level of trust'. Also I don't build hardware I build services, I'm in the networking industry. Even with my hobby projects (which I fund myself) I find I end up 'putting together something' simple and growing it out to the more complex. Security tends to be the more complex and the last thing added. One of my current projects is an HA controller. So far the hardware is looking good and the OS I've chosen even has the security components I'll need but how do I make it easy to use, install and maintain while still allowing it to be stand alone? So I now have concerns about the physical, the logical (IP), the OS, the apps and the end user. Hmm, did I miss anything? If I did I could end up with a zombie house. Heck, I wonder how long before my home is part of the computer? -- Linux Home Automation Neil Cherry .....ncherryRemoveMEcomcast.net http://home.comcast.net/~ncherry/ (Text only) http://linuxha.sourceforge.net/ (SourceForge) http://hcs.sourceforge.net/ (HCS II) -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2004\05\03@113255 by M. Adam Davis

The first step towards developing a secure system/program is to correctly and strictly define any and all input to the system, and any and all output from the system. Don't trust any input, from any source, including the program itself. This means taking a macro view from the standpooint of the whole system (user input, operatings system input - such as mouse and keyboard, etc) and then drilling down to the input of each module. Once the input is strictly defined then you must bound-check all input. Truncate it if it's too long, remove all invalid characters, reject it if it doesn't lie strictly within specifications. This will take care of the vast majority of security issues that you have control over. Of course if someone hacks into the underlying system and gains access to your program or data memory, or gets access to the jtag module in the microcontroller then all bets are off - you cannot change your program to prevent these types of exploits. A lot of security problems arrise more from bad/changing specifications than from bad programmer practises. And all too many programmers start programming to prove that a solutions is valid, and then plug that solution into the final product without reqriting it, or even validating its security. Since it was written as a test the specs were not well defined, and the project, even with well written specs, may have different input/output. Of course, many (if not most) programmers don't even bother to do input bounds checking. If you start off with this you'll be much closer to developing 'secure' applications. -Adam Neil Cherry wrote: {Quote hidden}> Ken Pergola wrote: > >> I was hoping someone could educate me on something that I see and >> hear a lot >> of comments about. I hear a lot of claims that Linux is more secure than >> Windows, but I don't usually see people elaborate on why this claim >> is made >> after they make it. >> >> Isn't C++ the underlying language that both operating systems are >> written >> in? >> >> And if so, wouldn't both operating systems be *equal* in their >> susceptibility to buffer overrun attacks, for example, due to the >> pitfalls >> of C-string functions like 'strcpy', 'strcat' in C++? > > > Yipes Ken, I can't believe you asked this question! ;-) > > And I can't believe the responses, they have been well behaved! > > I find this whole security issue to be very confusing from a user, > programmer and engineer prospective. I don't know what to believe. > > As a user: > > I find that I can get virus, trojan or zombie programs while using > MS LookOut but I must use it because that's what my employer > requires. I have switched to Firebird as my default browser and > that works 98% of the time. The exception is internal web sites who > place restrictions on the browser type, usually in the form of MS > Java calls that only work with IE (grr, but I guess I can trust > them). > > As a programmer: > > I need to avoid doing certain things such as buffer over runs. Good! > Someone please who me examples of bad programming and ways to avoid > them. And I don't mean the simple stuff like arrays (I know this) but > how about the more complicated stuff. I want to write better programs. > > As an engineer/architect: > > This one drives me really nuts. I need to build a product, in a short > time. I need to use standards such as SSH and SSL. But now where do > I get the room to add these protocols in. I'm told here is what we > want, here is the cost, make it fit. Guess what I have to get rid of > first. BTW, before anyone get the wrong impression, the company I > work for has shot down products that lack security. If the security > isn't up to par with corporate standards then we won't go forward > with it. Of course there is a certain 'level of trust'. Also I don't > build hardware I build services, I'm in the networking industry. > > Even with my hobby projects (which I fund myself) I find I end up > 'putting together something' simple and growing it out to the > more complex. Security tends to be the more complex and the last > thing added. One of my current projects is an HA controller. So > far the hardware is looking good and the OS I've chosen even has > the security components I'll need but how do I make it easy to > use, install and maintain while still allowing it to be stand > alone? > > So I now have concerns about the physical, the logical (IP), the > OS, the apps and the end user. Hmm, did I miss anything? If I did > I could end up with a zombie house. Heck, I wonder how long before > my home is part of the computer? > > -- > Linux Home Automation Neil Cherry RemoveMEncherryspamBeGonecomcast.net > http://home.comcast.net/~ncherry/ (Text only) > http://linuxha.sourceforge.net/ (SourceForge) > http://hcs.sourceforge.net/ (HCS II) > > -- > http://www.piclist.com hint: The PICList is archived three different > ways. See http://www.piclist.com/#archives for details. > > > -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2004\05\03@114126 by Ken Pergola

Neil Cherry wrote: > Yipes Ken, I can't believe you asked this question! ;-) > > And I can't believe the responses, they have been well behaved! Hi Neil, I'm not sure if you can't believe I asked this because I should know better (dumb question) or because it might incite a riot? :) If it was the former, perhaps it was a dumb question, but not to me. I asked this question since I have never used Linux so I do not have any first-hand experience with it. I also asked it here because I like the people on the PICLIST and respect their opinions. I hear a lot of Microsoft bashing and that Linux is more secure, but as I had said, I rarely hear the person making that claim back up their statement. Thanks to everyone's responses, I'm definitely more educated about this topic. On another note, I recently attended a Microsoft security seminar to better educate myself as well. The upcoming release of Windows XP Service Pack 2 sounds like it will address some security issues, but from what I gathered, it also sounds like it might break some existing applications because of this. I was thinking to myself, oh no, does this mean that Microchip's MPLAB IDE might no longer work? I got the impression from the presenter that I should approach Windows XP Service Pack 2 with caution. I guess I'll soon find out. :) Thanks for your comments Neil. Best regards, Ken Pergola -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2004\05\03@120239 by Denny Esterline

> IDE might no longer work? I got the impression from the presenter that I > should approach Windows XP Service Pack 2 with caution. I guess I'll soon > find out. :) > > > Ken Pergola I spent some time administrating a network a few years back, if I learned anything it's to approach *every* M$ service pack with caution. I don't think I ever installed one that lived up to the promise. -Denny -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2004\05\04@015557 by Nate Duehr

Jake Anderson wrote: b) the users. > your average linux user will not randomly execute programs. > if your average windows user gets something in their inbox saying hahaha.exe > they will click on it. > microsoft has been forced to basically remove functionality from their > programs to protect the users from their own naievity > I write software, I currently have to send that software out to our offices > in 3 different formats due to the combinations of virus scanners and outlook > restrictions they have. > > dont blame microsoft for the idjit users I can't think of a single Linux MUA that ever executes ANYTHING that arrives in mail. In 99% of Linux MUA's you have to save the file, start up a shell and forcibly tell the machine to execute the program. The user-interface design flaw of having programs launch directly from an icon in the GUI when they arrived as a mail attachment was flawed from the beginning. Furthermore, Outlook and ilk were plagued for a long time with the ability to execute various things that could arrive in e-mail's without the user's knowledge. That was even worse. Netscape, Eudora, and others never did this on Windows machines. It was considered a "feature" of Outlook and OE. That "feature" was known by thousands of people to be a bad design choice as soon as it hit the streets. So yes, today maybe SOME of the problems are caused by stupid users, but the problems themselves were perpetuated first by poor design. There are still too many hooks (MAPI for example) in the average user's desktop that they're completely unaware of that allow malicious code to do things with your mail program even if it's "not running". (Try turning MAPI completely off sometime... completely off. In all versions of Windows, and in a way that sticks so hundreds of corporate users can't turn it back on... but they still want Outlook to work properly. Ha... Good luck.) The latest versions of Office XP now pop up annoying warning boxes everytime some legitimate application (Palm Desktop, for example) accesses your Outlook Address Book. Band-aids on top of band-aids. Unix philosophy is: Write small programs that do one thing well and integrate them via the shell... meaning that one monster integrated Office Suite doesn't make all sorts of assumptions about how you want to use your computer. Thus... you have to LAUNCH the file attachment after saving it first. Oh, the horrors... two more mouse clicks! Nate Duehr, spamBeGonenate@spam@spam_OUTnatetech.com -- http://www.piclist.com#nomail Going offline? Don't AutoReply us! email TakeThisOuTlistservspammitvma.mit.edu with SET PICList DIGEST in the body

More... (looser matching)
- Last day of these posts
- In 2004 , 2005 only
- Today
- New search...