Searching \ for '[OT:] Windows/Linux security' in subject line. ()
Make payments with PayPal - it's fast, free and secure! Help us get a faster server
FAQ page: www.piclist.com/techref/index.htm?key=windowslinux+security
Search entire site for: 'Windows/Linux security'.

Exact match. Not showing close matches.
PICList Thread
'[OT:] Windows/Linux security'
2004\04\30@195851 by Ken Pergola

flavicon
face
I was hoping someone could educate me on something that I see and hear a lot
of comments about. I hear a lot of claims that Linux is more secure than
Windows, but I don't usually see people elaborate on why this claim is made
after they make it.

Isn't C++ the underlying language that both operating systems are written
in?

And if so, wouldn't both operating systems be *equal* in their
susceptibility to buffer overrun attacks, for example, due to the pitfalls
of C-string functions like 'strcpy', 'strcat' in C++?

Perhaps this is narrowing things down to such a simplistic and specific
example, but I feel it is a fair question to ask. Thank you for sharing any
comments on this.

Best regards,

Ken Pergola

--
http://www.piclist.com hint: To leave the PICList
spam_OUTpiclist-unsubscribe-requestTakeThisOuTspammitvma.mit.edu

2004\04\30@200102 by Shawn Wilton

flavicon
face
For the most part, security is a matter of the programmer writing the
code.  If the programmer knows what they're doing, then all is well.  If
they don't know how to write secure code, then you get in to problem areas.

-Shawn

Ken Pergola wrote:

{Quote hidden}

--
http://www.piclist.com hint: To leave the PICList
piclist-unsubscribe-requestspamKILLspammitvma.mit.edu

2004\04\30@201138 by Ken Pergola

flavicon
face
Shawn Wilton wrote:

> For the most part, security is a matter of the programmer writing the
> code.  If the programmer knows what they're doing, then all is well.  If
> they don't know how to write secure code, then you get in to
> problem areas.

Hi Shawn,

Thanks for your comments. Do you think people who make this claim are
talking about the OS only, the applications that run on top of the OS, or
both? It's difficult to wade through all these claims. Does the Linux camp
know how to write more secure code than the Microsoft camp? Or is it that
programmers were less hacker-aware when these operating systems were
written?

Best regards,

Ken Pergola

--
http://www.piclist.com hint: To leave the PICList
.....piclist-unsubscribe-requestKILLspamspam.....mitvma.mit.edu

2004\04\30@203303 by William Chops Westfield

face picon face
On Friday, Apr 30, 2004, at 16:58 US/Pacific, Ken Pergola wrote:

>  I hear a lot of claims that Linux is more secure than Windows, but I
> don't usually see people elaborate on why this claim is made after
> they make it.

I think the main thing that makes unix more secure is the underlying
multi-user privilege and file system structures.  Windows is no less
secure than unix, if you always log into your unix system as root (the
maximum-priv user.)  MOST unix applications run under the privs of a
single "normal" user and can therefore not infect or delete system
files, access privileged resources, etc.  Excepting bugs.  And
excepting that there are an awful lot of things that DO run as root,
installed and "maintained" by people who don't really understand them.

Newer windows operating systems are headed in this direction, of course.

BillW

--
http://www.piclist.com hint: To leave the PICList
EraseMEpiclist-unsubscribe-requestspam_OUTspamTakeThisOuTmitvma.mit.edu

2004\04\30@204345 by John J. McDonough

flavicon
face
----- Original Message -----
From: "Jake Anderson" <grooveeespamspam_OUTOPTUSHOME.COM.AU>
Subject: Re: ] Windows/Linux security


> integrated. linux is also as a rule much quicker at resolving exploits and
> problems that have been found, 24 hours is a long time for a security flaw

The data would indicate otherwise.  I think there is a "feeling" that the
open source community responds more quickly, but a study recently found that
when you look at the actual data, Linux exploits get resolved MUCH more
slowly than Windows.

The Linux crowd claimed this wasn't "fair" in that they fix "serious" bugs
more quickly than M$, although some of the less critical ones do lay around
for a while. And I suspect there is probably some truth to this.  But it's
pretty subjective to try to categorize security problems as important or
unimportant.

One thing that I don't think has been mentioned, though.  Windows code is
astonishingly complex.  I think it is a lot harder to write secure code in a
Windows environment than in Linux.  This is pretty subjective, though.  The
other problem M$ has is a legacy of code that was written at a time when the
giant of Redmond didn't care about security.

In fact, I wonder why M$ cares even now.  Ever since Windows 3.1,
Microsoft's customers have sent Redmond a strong message that pretty colors
and bouncing paper clips are a lot more important than stability and
security.  And Microsoft listens to their customers.  That's why they are so
successful.  We geeks can sit around and whine about how awful that is, but
every day customers send millions of dollars to Microsoft to vote for the
status quo.

72/73 de WB8RCR    http://www.qsl.net/wb8rcr
didileydadidah     QRP-L #1446 Code Warriors #35

--
http://www.piclist.com hint: To leave the PICList
@spam@piclist-unsubscribe-requestKILLspamspammitvma.mit.edu

2004\04\30@211538 by Ken Pergola

flavicon
face
Thanks for taking the time to post your comments Jake Anderson, William
Westfield, and John McDonough. I appreciate everyone's insight.

It's definitely an intriguing topic. My angle of security was from an
outside hacker perspective.

Best regards and thanks again,

Ken Pergola

--
http://www.piclist.com hint: To leave the PICList
KILLspampiclist-unsubscribe-requestKILLspamspammitvma.mit.edu

2004\04\30@213027 by David Koski

flavicon
face
On Fri, 30 Apr 2004 20:10:51 -0400
Ken Pergola <RemoveMEno_spamTakeThisOuTspamLOCALNET.COM> wrote:

> Shawn Wilton wrote:
>
> > For the most part, security is a matter of the programmer writing the
> > code.  If the programmer knows what they're doing, then all is well.  If
> > they don't know how to write secure code, then you get in to
> > problem areas.
>
> Hi Shawn,
>
> Thanks for your comments. Do you think people who make this claim are
> talking about the OS only, the applications that run on top of the OS, or
> both?

I don't know what the "people who make this claim are talking about" but it is
in fact both. Consider for example the typical virus or worm. It easily infects
Windows computers partly because the email cients (applications) make it easy to
execute code (programs) that are received by email. And when a virus or worm is
executed, a lax security model (the OS) often allows it to take over.

> It's difficult to wade through all these claims. Does the Linux camp
> know how to write more secure code than the Microsoft camp?

Microsoft is driven by their bottom line and people tend to buy what they are
used to, has a pretty look, is cool, etc.  So why should M$ spend the time
(money) to improve Windows security unless the consumer demands it? And I think
that may be happening now.

> Or is it that programmers were less hacker-aware when these operating systems
> were written?

I'm not sure what you mean but FYI, Linux is modeled after Unix which has been
arround a lot longer than Windows.

David

--
http://www.piclist.com hint: To leave the PICList
spamBeGonepiclist-unsubscribe-requestspamBeGonespammitvma.mit.edu

2004\04\30@220128 by Ken Pergola

flavicon
face
David Koski wrote:

> I'm not sure what you mean but FYI, Linux is modeled after Unix
> which has been around a lot longer than Windows.

Hi David,

Thanks for your comments. Yes, definitely, I'm aware of this fact. What I
meant to convey was a mindset: How can one write defensive code or secure
code if one does not know what they are defending against? Besides the money
factor, there's the possibility that people just didn't anticipate some of
these security problems. It appears to be an evolutionary process, and there
has been a lot of emphasis on improvement in security recently for obvious
reasons.

Thanks again,

Ken Pergola

--
http://www.piclist.com hint: To leave the PICList
TakeThisOuTpiclist-unsubscribe-requestEraseMEspamspam_OUTmitvma.mit.edu

2004\04\30@220338 by Ken Pergola

flavicon
face
Hi Carey,

Thanks for your comments and for the link -- I'll check that out.

Best regards,

Ken Pergola

--
http://www.piclist.com hint: To leave the PICList
RemoveMEpiclist-unsubscribe-requestspamTakeThisOuTmitvma.mit.edu

2004\04\30@220544 by Carey Fisher - NCS

face picon face
<Resend with correct [OT:] tag; sorry, MS Outlook don't ya know...>

A major aspect of the "better security" claim is that Linux is "open source"
meaning the source code is
available for anyone to look at.  The theory is that since it's open source,
security flaws will be found by the many people looking at the code.
Proprietary operating systems are not open to such wide scrutiny.  There is
a good front page article in EETIMES (Mon, Apr 19,2004) that pretty much
discredits the idea that "...Linux's development process, which involves
thousands of individuals, makes it almost impossible for 'adversarial code'
to sneak through." (EETIMES).

Carey Fisher, K8VZ
Chief Technical Officer
New Communications Solutions, LLC
website: http://www.ncsradio.com

  > {Original Message removed}

2004\04\30@220753 by James Caska

flavicon
face
I think it has more to do with the fact that people are attacking
windows not linux just 'because'

I would have thought having access to the source-code would be the
perfect thing to use to find security flaws that can be exploited. It's
like trying to crack an encryption algorithm while holding the key and
the source in your hand.

At least hiding the flaws makes them harder to find.. But then windows
seems to have a lot of flaws to find!

JC


{Original Message removed}

2004\04\30@220958 by Jake Anderson

flavicon
face
<snip>

>Windows computers partly because the email cients (applications) make it
easy to
>execute code (programs) that are received by email. And when a virus or
worm is
>executed, a lax security model (the OS) often allows it to take over.

uhh no
microsoft has made it basically impossible to open any form of attachment in
outlook and outlook express.
prior to this you still had to manually execute the program you recieved.
there was a bug or 2 that allowed malformed mails to cause attached programs
to run but this has been fixed for years.

all current worms for windows clients opperate in user space. all they do is
read the current users mailbox and send mails to all they find, some also
scan the hard drive for mail addressess too.
There is no possible mechanism of stopping software from doing that as it is
perfictally valid operations that some user may want.

the reason windows propigates so many worms and virii is a) its the largest
single target. b) the users.
your average linux user will not randomly execute programs.
if your average windows user gets something in their inbox saying hahaha.exe
they will click on it.
microsoft has been forced to basically remove functionality from their
programs to protect the users from their own naievity
I write software, I currently have to send that software out to our offices
in 3 different formats due to the combinations of virus scanners and outlook
restrictions they have.

dont blame microsoft for the idjit users

--
http://www.piclist.com hint: To leave the PICList
piclist-unsubscribe-requestEraseMEspam.....mitvma.mit.edu

2004\04\30@223507 by Ken Pergola

flavicon
face
Thanks for the comments James -- definitely a polarized topic.

Best regards,

Ken Pergola

--
http://www.piclist.com hint: To leave the PICList
EraseMEpiclist-unsubscribe-requestspammitvma.mit.edu

2004\04\30@224747 by M. Adam Davis

flavicon
face
There are many different factors, but the primary few issues are:

They each use fundamentally different security models.  Windows is
geared towards  both easy administration and many ease of use features.
The complication arises that something that is 'easy' to administer is
easy to misadminister since it doesn't require any special knowledge.
By default a regular user is an administrator who has direct access to
the computer.  The complicating factor of many ease of use features
means that something that is easy for the user to do is easy for a
script to do.  Since the script has full computer access, and many
programs run scripts without bounds then it's an easy target.  I would
say the Linux has difficult administration (this is changing) and few
ease of use features (this is changing).  As these two change you'll
find it targetted more frequently.  However, the average linux user is
instructed to use root access very infrequently.  Hopefully this will
not change (though it used to be that lindows ran in root, and so maybe
this will eventually happen).

They were built from different perspectives aiming at different users.
Windows is aiming for a person who doesn't share their computer with
other users simultaneously - in fact their business model depends on one
person - one license.  Windows XP has all the features needed for
terminal service, minus some small amount of code and, of course, such
functionality is blocked.  Linux (and unix in general) was designed from
the ground up as a general shared-use computer platform.  As such the
security model was designed from the ground up for multiple, non-root
users.  Furthermore applications are always run in very well defined
user spaces that prevent them from gaining any more priviledges than the
user has.  This model even leads to being logged in as a user, and
running some programs (say email) as a lesser-capable user, and some
programs as a more capable user (administration).  This, and other such
security features, is possible in windows, but it's not simple or
obvious to do because Microsoft doesn't want to make it hard for users.

There are other issues, but the two systems are slowly converging to the
same point since many people want linux to work in the space windows is
so good at, and Microsoft has forever been really trying to crack into
the space that linux works in so well.  As they do so, they will also
learn from their mistakes and I suspect that windows won't become any
more susceptable, and Linux will become slightly more susceptable.  One
of the nice things about linux now is that it's release cycle allows
patches to be used quickly, but only for those users who haven't become
complacent.  Windows patches don't seem to come as quickly, and if they
aren't willing to fix something no one else is going to be able to
without the code.

-Adam

Ken Pergola wrote:

{Quote hidden}

--
http://www.piclist.com hint: To leave the PICList
RemoveMEpiclist-unsubscribe-requestspam_OUTspamKILLspammitvma.mit.edu

2004\04\30@230042 by Ken Pergola

flavicon
face
Thank you very much Adam for time and for your comments as well.

Best regards,

Ken Pergola

--
http://www.piclist.com hint: To leave the PICList
RemoveMEpiclist-unsubscribe-requestTakeThisOuTspamspammitvma.mit.edu

2004\04\30@230502 by David Koski

flavicon
face
On Sat, 1 May 2004 12:09:32 +1000
Jake Anderson <EraseMEgrooveeespamspamspamBeGoneOPTUSHOME.COM.AU> wrote:

> >Windows computers partly because the email cients (applications) make it
> easy to
> >execute code (programs) that are received by email. And when a virus or
> worm is
> >executed, a lax security model (the OS) often allows it to take over.
>
> uhh no
> microsoft has made it basically impossible to open any form of attachment in

I'm glad to hear M$ has made improvements in Outlook. To be fair, I hardly use
Windows any more. I would like to hear from others how difficult it is to
execute code received from Internet sources, be it email or not, especially
compared to a Linux equivalent

FYI, to execute code received in an email using Sylpheed, my email clinent for
Linux, I have to deliberately select the attachments tab, right click on the
attachemnt, select "save as", then go to the folder where it was saved and then
set the execute bit before I can execute it. I would think the average "idjit"
would have trouble getting that far. Actually, I have never done it so I have
not tested it.

<snip>

David

--
http://www.piclist.com hint: To leave the PICList
RemoveMEpiclist-unsubscribe-requestKILLspamspammitvma.mit.edu

2004\04\30@234729 by Jake Anderson

flavicon
face
in outlook you need to edit the registry in order to even have the ability
to save a program out
outlook express you need to find a buried security tab disable it before you
are able to save it out
once you have disabled the security you can run the program from outlook/e
with a few clicks but if sombody is going to run it they will run it wether
they have to save it or not.

microsoft has had patches out for all the major worms that have gone around
recently several months before the exploit.

the problem is the users dont update
windows can be made secure to the point you basically cant use it if your
that way inclined.
windows is roughly as secure as linux when they are both run by compitent
people up to a level good enough for most of the population.

personally i trade a little "security" for the ability to do just about
anything i want with a nice menu, good help system, and widespread hardware
support.

{Original Message removed}


'[OT:] Windows/Linux security'
2004\05\01@001724 by Robert B.
flavicon
face
If windows is roughly equivalent in security to linux, then why are there so
few viruses that break down *nix servers?  Is this merely a function of the
virus-writers targeting the unsusupecting windows non-technical users?  Or
is it because windows does in fact have more exploitable security holes.  I
tend to think it's the latter, because if I were a virus writer and wanted
to do serious damage it would make sense to target the servers which hold
the internet together (i.e. unix variety) as opposed to the end users
windows machines.  Speaking from personal experience, my windows machines
regularly get infected with nuisance viri and the occasional more serious
virus, but I have yet to experience any such nuisance in my freebsd machine.

As far as ouhouse express works, I have no problem running attachments from
the attachment menu.


----- Original Message -----
From: "Jake Anderson" <grooveeeSTOPspamspamspam_OUTOPTUSHOME.COM.AU>
To: <spamBeGonePICLISTSTOPspamspamEraseMEMITVMA.MIT.EDU>
Sent: Friday, April 30, 2004 10:48 PM
Subject: Re: [OT:] Windows/Linux security


> in outlook you need to edit the registry in order to even have the ability
> to save a program out
> outlook express you need to find a buried security tab disable it before
you
> are able to save it out
> once you have disabled the security you can run the program from outlook/e
> with a few clicks but if sombody is going to run it they will run it
wether
> they have to save it or not.
>
> microsoft has had patches out for all the major worms that have gone
around
> recently several months before the exploit.
>
> the problem is the users dont update
> windows can be made secure to the point you basically cant use it if your
> that way inclined.
> windows is roughly as secure as linux when they are both run by compitent
> people up to a level good enough for most of the population.
>
> personally i trade a little "security" for the ability to do just about
> anything i want with a nice menu, good help system, and widespread
hardware
> support.
>
> {Original Message removed}

2004\05\01@005006 by David Koski

flavicon
face
On Fri, 30 Apr 2004 23:08:03 -0500
"Robert B." <KILLspampiclistspamBeGonespamNERDULATOR.NET> wrote:

> > in outlook you need to edit the registry in order to even have the ability
> > to save a program out
> > outlook express you need to find a buried security tab disable it before
> > you are able to save it out
> > once you have disabled the security you can run the program from outlook/e
> > with a few clicks but if sombody is going to run it they will run it
> > wether they have to save it or not.

<snip>

> Speaking from personal experience, my windows machines
> regularly get infected with nuisance viri and the occasional more serious
> virus, but I have yet to experience any such nuisance in my freebsd machine.

Okay, I'm confused. Surely you are not jumping through the hoops indicated above
just to get "viri". How do you (and every other Windows user connected to
Internet) get them?

<snip>

David

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@013317 by Jake Anderson

flavicon
face
by not patching

i run windows 2k and 2k server on all the machines here.
i virus scan every once in a while.
i have never been infected with a virus.
i get sent on average 15 virus emails a day, same for dad.

If you have patched outlook express or outlook up to date you cannot run
programs without disabling the security.
if you can run programs or hell even save .pif .exe whatever files out of
the program you have either not patched or have disabled the "security".

About the worst that has happened is dads computer was infected with the
scumware "cool web search" looks like i forgot to patch his computer once
and it got in through a JVM vunerability.

by the way before anybody makes any snide remarks about patching linux is
just as bad, it wanted to install 400mb of patches for my mandrake install.

{Original Message removed}

2004\05\01@030151 by Russell McMahon

face
flavicon
face
> if you can ... save .pif .exe whatever files out of
> the program you have either not patched or have disabled the "security".

That would be the "brain dead security" wouldn't it ? :-)

I think it's fine to be able to disable pif/exe/com/... running AND to be
able to stop them being even saved BUT when you can have only both or
neither it's ludicrous. Of course I don't want to have my email program
running exe files  in the current environment - too much chance for a
mistake.  But I certainly want to be able to save exe files I am sent. I
can't imagine why it HAS to be both or neither. Maybe that's been changed
since I last looked at the options.



       RM

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@041744 by Jake Anderson

flavicon
face
you can set the behaviour if you want to
personally i like being able to run the odd program from there
however when you click it it pops up asking you what action you wish to take
and warning that files can have viruses etc if you uncheck "ask me every
time" and click save then from then on it will prompt to save whenever you
click on a file of that type. you must disable the "child lock" security
first.
thats what it is really a child lock.


{Original Message removed}

2004\05\01@093534 by John J. McDonough

flavicon
face
----- Original Message -----
From: "Jake Anderson" <EraseMEgrooveeespamEraseMEOPTUSHOME.COM.AU>
Subject: Re: [OT:] Windows/Linux security


> uhh no
> microsoft has made it basically impossible to open any form of attachment
in
> outlook and outlook express.

uhhhh ... no.

First of all, it has been possible to keep reasonably secure with Outlook
Express for a very long time now.  However, the default settings used to be
just plain bad, and even though they have improved, they are still not what
they need to be.  Interestingly, as best I can tell, Outlook still has some
problems that I don't know that you can work around.

As far as I know, there are three ways someone can nail you with an email.

The first is a buffer overflow vulnerability.  Back when the only computers
on the net were Unix machines, this was the favorite.  The famous "Internet
Worm" that got so much press a few years back worked this way.  This isn't
so popular with Windows.  I don't think it's necessarily harder to do in
Windows, it's just that Windows provides so many easier approaches.

The second is getting a brain-dead user to open an executable attachment.
Recent versions of OE have made this harder, but not impossible.  What is
really annoying is that M$ has provided a convenient way for a hacker to
make an exe file look like a jpeg.  This "feature" can be turned off, but it
takes mucking around in the registry to do it.  A big difference here is
that many Windows users haven't found the clue bucket.  Linux is such a pain
to install and configure that the totally brain dead user isn't going to be
running Linux in the first place, so it's a safe bet that almost all Linux
users will have enough sense not to do this.

The third avenue is through HTML email.  HTML provides a rich set of tools
for exploiting the target system, although all of them are fairly hard to
use except for ActiveX controls.  Some Linux clients will open email in HTML
and so are susceptible to exploits via JavaScript or Java (don't give me
that crap about the sandbox being secure - it ain't).  But these exploits
are more difficult than ActiveX.  Controlling HTML email and ActiveX are
quite possible in Outlook Express (less so in Outlook), but the settings are
scattered all over, so the average user isn't likely to get them right.
There have also been bugs in the HTML engines from time to time that are
exploitable without active content, although these have been fairly
infrequent.

Other than ActiveX, all of these are available on both Linux and Windows,
although some mail clients will not open HTML mail.  These clients are more
popular on Linux than on Windows.  The HTML is an especially nasty one
since, on clients with a preview pane, this sort of exploit can be activated
without actually opening the email.

Windows is a more popular attack target simply because there are so many
more Windows machines out there.  Over 95% of the machines are Windows, so
Linux/Unix/Mac/VMS are much less appealing targets.

--McD

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@093952 by John J. McDonough

flavicon
face
----- Original Message -----
From: "Robert B." <@spam@piclist@spam@spamspam_OUTNERDULATOR.NET>
Subject: Re: [OT:] Windows/Linux security


> If windows is roughly equivalent in security to linux, then why are there
so
> few viruses that break down *nix servers?

Server attacks are relatively rare anyway.  There are a lot more desktops
out there to atttack, so it's a much more appealing target.  And virtually
all of the desktops are Windows.

However, one place where there is a significant difference is in web
servers.  Until about a year ago, the majority of the web servers were
Apache, with most of the rest being IIS.  (IIS has changed it's name a
couple times in the past few years, but a rose by any other name....)  About
a year or two ago, IIS passed Apache in numbers, but they are still roughly
equivalent.

However, for quite a while almost every day brought a new IIS vulnerability,
while Apache went literally YEARS between exploits.  Recently the Apache
exploits have picked up some, and the IIS exploits have slowed, but this is
one area where the difference is still dramatic.

--McD

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@104709 by Matt Pobursky

flavicon
face
On Sat, 1 May 2004 09:40:14 -0400, John J. McDonough wrote:
> However, one place where there is a significant difference is in web
> servers.  Until about a year ago, the majority of the web servers were
> Apache, with most of the rest being IIS.  (IIS has changed it's name a
> couple times in the past few years, but a rose by any other name....)  About
> a year or two ago, IIS passed Apache in numbers, but they are still roughly
> equivalent.

I'm not sure where you might have gotten data on those numbers, but
Netcraft (probably the most trusted OS neutral data source) says
otherwise:

http://www.serverwatch.com/stats/netcraft/article.php/3336931

These numbers are updated every month and the percentages have been
fairly constant over the past few years. Microsoft likes to make it
sound like they are making major increases in the web server market
share, but the fact is they've hit a plateau and are more or less
staying there.

Matt Pobursky
Maximum Performance Systems

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@110617 by John J. McDonough

flavicon
face
Not hugely surprising.  These things are based on surveys, and the numbers
are going to look different depending on who you survey.  Netcraft is a
European outfit, and likely to end up with a different group of respondents
than a US company.  The data I was basing my comments on was a little stale,
too, just about the time those Netcraft graphs show a drop in Apache
corresponding to a jump in M$.  And it was from PC Week, whose respondents
are likely to be more heavily biased toward corporate types, where M$ is a
little more successful.

In a way it's comforting to see better Apache numbers <g>

Please don't picture me as a cheerleader for IIS.  As a former big corporate
type, I do see a place for it inside the corporate LAN, but when I went
looking for a provider for my own corporate site, Apache was a requirement.
Personally, I think it's irresponsible to expose IIS directly to the
Internet.

--McD

----- Original Message -----
From: "Matt Pobursky" <spamBeGonepiclistspamKILLspamMPS-DESIGN.COM>
Subject: Re: [OT:] Windows/Linux security


> I'm not sure where you might have gotten data on those numbers, but
> Netcraft (probably the most trusted OS neutral data source) says
> otherwise:

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@121618 by Matt Pobursky

flavicon
face
On Sat, 1 May 2004 11:06:21 -0400, John J. McDonough wrote:
> Not hugely surprising.  These things are based on surveys, and the numbers
> are going to look different depending on who you survey.  Netcraft is a
> European outfit, and likely to end up with a different group of respondents
> than a US company.  The data I was basing my comments on was a little stale,
> too, just about the time those Netcraft graphs show a drop in Apache
> corresponding to a jump in M$.  And it was from PC Week, whose respondents
> are likely to be more heavily biased toward corporate types, where M$ is a
> little more successful.

True enough about Netcraft, but I've seen pretty similar numbers in the
half dozen or so other web server statistic report/surveys I've seen so
I tend to believe they are in the right ballpark.

> In a way it's comforting to see better Apache numbers <g>
>
> Please don't picture me as a cheerleader for IIS.  As a former big corporate
> type, I do see a place for it inside the corporate LAN, but when I went
> looking for a provider for my own corporate site, Apache was a requirement.
> Personally, I think it's irresponsible to expose IIS directly to the
> Internet.

I actually agree with you on these points. I'm really neither a
cheerleader or basher for either OS. I run Win2K for my workstations
and Linux (and a few other OS's) on servers and other systems. I think
they both have their place. I'm actually a (more or less) blatant
capitalist and "freedom of choice" guy.

My only real gripes with Microsoft are the manner in which they do
business, not how much money they make or their market share. I vote
with my pocketbook and Win2K is the last OS of theirs I'll buy
willingly unless they change the way they do business, regardless of
their product quality. I do have a copy of WinXP installed on my test
bench, but only because a client required and paid for it.

Matt Pobursky
Maximum Performance Systems

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@144630 by Jason S

flavicon
face
What makes you think it's based on a local region.  It's not like the send
surveys to website owners or hosts.  Netcraft automatically polls the sites
in its survey the same way google automatically crawls sites to search.

I have web sites hosted in Hong Kong and the US (all running on Apache), and
they're all included.

Jason

{Original Message removed}

2004\05\01@153704 by John J. McDonough

flavicon
face
----- Original Message -----
From: "Jason S" <.....picspam_OUTspamCANADASPEAKS.COM>
Subject: Re: [OT:] Windows/Linux security


> What makes you think it's based on a local region.  It's not like the send
> surveys to website owners or hosts.  Netcraft automatically polls the
sites
> in its survey the same way google automatically crawls sites to search.

Well, their web site says they survey -their- clients, so that led me to
suspect that they surveyed their clients.

--McD

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\05\01@160445 by Jason S

flavicon
face
Take a look at the definition of "survey" on the Merriam-Webster site:
http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=survey

It means to examine or appraise data.  Literally asking questions of a real
live person is just one possible way to collect data to appraise.

Property surveyors survey land by collecting the data themselves, not asking
people where they think the exact position of the land is.

"I surveyed my computer" is a correct English statement that means I looked
at it and probably checked to make sure everything is there and working
properly.  It's also likely I made a list of what hardware and software is
present.

In the case of the netcraft survey, they look at the internet themselves,
they don't ask people what they're running.

Jason

{Original Message removed}

2004\05\02@120042 by Alexander Rice

picon face
On Fri, 30 Apr 2004 22:46:55 -0400, M. Adam Davis <TakeThisOuTadampic.....spamTakeThisOuTUBASICS.COM>
wrote:

Ken Wrote:

>  Windows XP has all the features needed for
> terminal service, minus some small amount of code and, of course, such
> functionality is blocked.

Actually all the code is there and all you need is to twiddle a pair of
bits to move between XP Home, Server and Terminal Server (yes, i know it
was never released but it's all there!). I will not elaborate further else
i fall foul of some or other DCMA type law.

Regards

Alex

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\05\02@164910 by Peter L. Peres

picon face
> If windows is roughly equivalent in security to linux, then why are
> there so few viruses that break down *nix servers?  Is this merely a
> function of the virus-writers targeting the unsusupecting windows
> non-technical users?  Or is it because windows does in fact have more
> exploitable security holes.

1. Hacking Windows boxes gives more bang/buck because the goal of virus
writers is to spread their ilk. A perfect Linux virus would span at most
20% of installed systems now. That does not look attractive ?!

2. Windows libraries have countless undocumented 'shortcuts' meant to
speed up the system. The shortcuts circumvent many system security
features (such as never running any processes that interpret network data
with root privileges). This means that the first breach means a
compromised machine, with immediate root access. This is not the case on
*nix where compartmentation is very strict. A breach on a *nix machine
usually exposes a very small set of features because of this.

3. When you say *nix you actually say one dozen (two dozen ?) different
platforms, operating system versions, and setups. There is no way to write
a virus that efficiently attacks all of these. It would have to be the
size and complexity of Mozilla.

4. *nix users actually do have a clue as to what they are doing most of
the time, as opposed to the competition which is limited to clicking on
message boxes which usually say such tremendously helpful things as 'your
system is on fire. [ok] [cancel]'. This is due to log messages, and access
to tools that can pick the system's brains and tell what's wrong. This
means a capability to react, even if not everyone knows how to use it.

Peter

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\05\02@171023 by Howard Winter
face
flavicon
picon face
On Fri, 30 Apr 2004 20:44:18 -0400, John J. McDonough wrote:

> We geeks can sit around and whine about how awful that is, but every day customers send millions of dollars
to Microsoft to vote for the status quo.

"Jump off cliffs - 10 million lemmings can't be wrong!"  :-)

Cheers,

Howard Winter
St.Albans, England

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\05\03@084956 by cisco J. A. Ares

flavicon
face
Well,  just my 2 cents, after so much said.


Security flaws means opened doors.

Windows seems to have been developed for ease of use, so it seems that
lots of programs and also the OS keeps several ports opened, listening
for other programs to cooperate to each other and be able to, for
example, open a program received by mail that will open the presentation
program and show you a birthday message from your grandmother in the
other side of the country, or even some ads, full of animations and
colors :-)

The *nix clones tend to close all those doors that do not need to be
opened (specially some flavors of BSD they're all closed by default) and
the opened doors (or gates, or ports) *HAVE* to have a secure program
listening to it. *NO* one else should have the right to make things
happen in your computer.

So, I think it was a project choice. The BSD project approach
(everything closed by default) is not new, so I guess there's no excuse
to say that "we could not expect that someone would use those resources
for evil things".

Security is an issue. Software companies have a limited staff with a
long line of projects to be built, and doing some maintenance in a
system might have its delays, but the open source community is very
large and they're both heavily affected by any security flaw that gets
to be known, so I guess that the urge is different. Open source
community members are quite often system administrators, AFAIK.

Francisco

--
http://www.piclist.com hint: The PICList is archived three different
ways.  See http://www.piclist.com/#archives for details.

2004\05\03@103406 by M. Adam Davis

flavicon
face
Perhaps you could link to a website, then?  Are the terminal server
administrative tools also included in these base distributions?  Of
course, I'm really only interested accessing my own machines remotely.
VNC works ok, but rdesktop is faster, even over slow connections.

-Adam

Alexander Rice wrote:

{Quote hidden}

--
http://www.piclist.com hint: The PICList is archived three different
ways.  See http://www.piclist.com/#archives for details.

2004\05\03@105938 by Neil Cherry

picon face
Ken Pergola wrote:
> I was hoping someone could educate me on something that I see and hear a lot
> of comments about. I hear a lot of claims that Linux is more secure than
> Windows, but I don't usually see people elaborate on why this claim is made
> after they make it.
>
> Isn't C++ the underlying language that both operating systems are written
> in?
>
> And if so, wouldn't both operating systems be *equal* in their
> susceptibility to buffer overrun attacks, for example, due to the pitfalls
> of C-string functions like 'strcpy', 'strcat' in C++?

Yipes Ken, I can't believe you asked this question! ;-)

And I can't believe the responses, they have been well behaved!

I find this whole security issue to be very confusing from a user,
programmer and engineer prospective. I don't know what to believe.

As a user:

I find that I can get virus, trojan or zombie programs while using
MS LookOut but I must use it because that's what my employer
requires. I have switched to Firebird as my default browser and
that works 98% of the time. The exception is internal web sites who
place restrictions on the browser type, usually in the form of MS
Java calls that only work with IE (grr, but I guess I can trust
them).

As a programmer:

I need to avoid doing certain things such as buffer over runs. Good!
Someone please who me examples of bad programming and ways to avoid
them. And I don't mean the simple stuff like arrays (I know this) but
how about the more complicated stuff. I want to write better programs.

As an engineer/architect:

This one drives me really nuts. I need to build a product, in a short
time. I need to use standards such as SSH and SSL. But now where do
I get the room to add these protocols in. I'm told here is what we
want, here is the cost, make it fit. Guess what I have to get rid of
first. BTW, before anyone get the wrong impression, the company I
work for has shot down products that lack security. If the security
isn't up to par with corporate standards then we won't go forward
with it. Of course there is a certain 'level of trust'. Also I don't
build hardware I build services, I'm in the networking industry.

Even with my hobby projects (which I fund myself) I find I end up
'putting together something' simple and growing it out to the
more complex. Security tends to be the more complex and the last
thing added. One of my current projects is an HA controller. So
far the hardware is looking good and the OS I've chosen even has
the security components I'll need but how do I make it easy to
use, install and maintain while still allowing it to be stand
alone?

So I now have concerns about the physical, the logical (IP), the
OS, the apps and the end user. Hmm, did I miss anything? If I did
I could end up with a zombie house. Heck, I wonder how long before
my home is part of the computer?

--
Linux Home Automation         Neil Cherry        .....ncherryspamRemoveMEcomcast.net
http://home.comcast.net/~ncherry/               (Text only)
http://linuxha.sourceforge.net/                 (SourceForge)
http://hcs.sourceforge.net/                     (HCS II)

--
http://www.piclist.com hint: The PICList is archived three different
ways.  See http://www.piclist.com/#archives for details.

2004\05\03@113255 by M. Adam Davis

flavicon
face
The first step towards developing a secure system/program is to
correctly and strictly define any and all input to the system, and any
and all output from the system.  Don't trust any input, from any source,
including the program itself.

This means taking a macro view from the standpooint of the whole system
(user input, operatings system input - such as mouse and keyboard, etc)
and then drilling down to the input of each module.  Once the input is
strictly defined then you must bound-check all input.  Truncate it if
it's too long, remove all invalid characters, reject it if it doesn't
lie strictly within specifications.

This will take care of the vast majority of security issues that you
have control over.  Of course if someone hacks into the underlying
system and gains access to your program or data memory, or gets access
to the jtag module in the microcontroller then all bets are off - you
cannot change your program to prevent these types of exploits.

A lot of security problems arrise more from bad/changing specifications
than from bad programmer practises.  And all too many programmers start
programming to prove that a solutions is valid, and then plug that
solution into the final product without reqriting it, or even validating
its security.  Since it was written as a test the specs were not well
defined, and the project, even with well written specs, may have
different input/output.

Of course, many (if not most) programmers don't even bother to do input
bounds checking.

If you start off with this you'll be much closer to developing 'secure'
applications.

-Adam

Neil Cherry wrote:

{Quote hidden}

--
http://www.piclist.com hint: The PICList is archived three different
ways.  See http://www.piclist.com/#archives for details.

2004\05\03@114126 by Ken Pergola

flavicon
face
Neil Cherry wrote:

> Yipes Ken, I can't believe you asked this question! ;-)
>
> And I can't believe the responses, they have been well behaved!


Hi Neil,

I'm not sure if you can't believe I asked this because I should know better
(dumb question) or because it might incite a riot? :)

If it was the former, perhaps it was a dumb question, but not to me. I asked
this question since I have never used Linux so I do not have any first-hand
experience with it. I also asked it here because I like the people on the
PICLIST and respect their opinions. I hear a lot of Microsoft bashing and
that Linux is more secure, but as I had said, I rarely hear the person
making that claim back up their statement.

Thanks to everyone's responses, I'm definitely more educated about this
topic.

On another note, I recently attended a Microsoft security seminar to better
educate myself as well. The upcoming release of Windows XP Service Pack 2
sounds like it will address some security issues, but from what I gathered,
it also sounds like it might break some existing applications because of
this. I was thinking to myself, oh no, does this mean that Microchip's MPLAB
IDE might no longer work? I got the impression from the presenter that I
should approach Windows XP Service Pack 2 with caution. I guess I'll soon
find out. :)

Thanks for your comments Neil.

Best regards,

Ken Pergola

--
http://www.piclist.com hint: The PICList is archived three different
ways.  See http://www.piclist.com/#archives for details.

2004\05\03@120239 by Denny Esterline

picon face
> IDE might no longer work? I got the impression from the presenter that I
> should approach Windows XP Service Pack 2 with caution. I guess I'll soon
> find out. :)
>
>
> Ken Pergola

I spent some time administrating a network a few years back, if I learned
anything it's to approach *every* M$ service pack with caution. I don't
think I ever installed one that lived up to the promise.

-Denny

--
http://www.piclist.com hint: The PICList is archived three different
ways.  See http://www.piclist.com/#archives for details.

2004\05\04@015557 by Nate Duehr

face
flavicon
face
Jake Anderson wrote:

b) the users.
> your average linux user will not randomly execute programs.
> if your average windows user gets something in their inbox saying hahaha.exe
> they will click on it.
> microsoft has been forced to basically remove functionality from their
> programs to protect the users from their own naievity
> I write software, I currently have to send that software out to our offices
> in 3 different formats due to the combinations of virus scanners and outlook
> restrictions they have.
>
> dont blame microsoft for the idjit users

I can't think of a single Linux MUA that ever executes ANYTHING that
arrives in mail.  In 99% of Linux MUA's you have to save the file, start
up a shell and forcibly tell the machine to execute the program.

The user-interface design flaw of having programs launch directly from
an icon in the GUI when they arrived as a mail attachment was flawed
from the beginning.

Furthermore, Outlook and ilk were plagued for a long time with the
ability to execute various things that could arrive in e-mail's without
the user's knowledge.  That was even worse.

Netscape, Eudora, and others never did this on Windows machines.  It was
considered a "feature" of Outlook and OE.

That "feature" was known by thousands of people to be a bad design
choice as soon as it hit the streets.

So yes, today maybe SOME of the problems are caused by stupid users, but
the problems themselves were perpetuated first by poor design.

There are still too many hooks (MAPI for example) in the average user's
desktop that they're completely unaware of that allow malicious code to
do things with your mail program even if it's "not running".  (Try
turning MAPI completely off sometime... completely off.  In all versions
of Windows, and in a way that sticks so hundreds of corporate users
can't turn it back on... but they still want Outlook to work properly.
Ha...  Good luck.)  The latest versions of Office XP now pop up annoying
warning boxes everytime some legitimate application (Palm Desktop, for
example) accesses your Outlook Address Book.

Band-aids on top of band-aids.  Unix philosophy is: Write small programs
that do one thing well and integrate them via the shell... meaning that
one monster integrated Office Suite doesn't make all sorts of
assumptions about how you want to use your computer.  Thus... you have
to LAUNCH the file attachment after saving it first.

Oh, the horrors... two more mouse clicks!

Nate Duehr, spamBeGonenate@spam@spamspam_OUTnatetech.com

--
http://www.piclist.com#nomail Going offline? Don't AutoReply us!
email TakeThisOuTlistservspamspammitvma.mit.edu with SET PICList DIGEST in the body

More... (looser matching)
- Last day of these posts
- In 2004 , 2005 only
- Today
- New search...