OT: Linux most breached OS
Bill Vermillion
fp at wjv.com
Sun Nov 21 07:52:14 PST 2004
John Esak said:
> Far be it from me to want this to instigate any firestorms... :-)
> Seriously, I'm only posting this so all can experience the same impact it
> had on me when I read it... I am always the apologist and defense mouthpiece
> for MS around here... usually just listening to all the bashes and bashings
> about the Redmond giant and just well, listening. I think to be "fair and
> balanced" a report such as this certainly has as much right to be viewed
> here as those same bashes and bashings. Enjoy. :-) Those of you who can...
> :-) :-) :-)
> (Please note the _extreme_ number of adorning smileys...) :-) :-)
> Linux is 'most breached' OS on the Net, security research firm
> says Phil Hochmuth, Network World
>
> 11/11/2004 11:56:31
>
> According to London security analysis and consulting firm
> mi2g, Linux is the most commonly breached operating system on
> computers connected to the Internet 24/7.
[rest of the original deleted - wjv]
There were followups on that, or perhaps that report skimmed
some things that were not in the original. I saved the original
that I had on that and here is a followup on the original
that explains why Linux is insecure. One of the major causes
is Admins who don't understand security and fail to keep their
systems patched and multiple distributions.
Note the comment on 'the average' system from the Chairman
of Mi2g, the company who put out the report - which evidently was
not covered fully by the PC-Press.
There is a comment on users don't know if they are patched to the
current level, and Mark has noted to me in emails that some
distributions will patch holes but don't always update the RPM
so you can know if it was patched. [Please feel free to fill
in the details Mark].
Note also they said the most secure were OS/X and FreeBSD. The
latter is often used in HUGE installations - so the admins are
going to be a bit more alert. Verio in Germany is converting
all their servers to FreeBSD to join the 250,000 servers
already in use by other Verio sites. Yahoo has 300,000.
Last week there was a security hole in fetch. The regular
security notice sent out - if you subscribe to it - listed
the problem - and several methods on how to correct it.
Since I just automatically run a cvsup on the source tree
nightly - and on the stable servers the ONLY things that will
change are security fixes, it was as simple as moving
to the directory noted in the security message and typing
'make' followed by 'make install' [I always make it a two-step
process to check things - many just perform 'make install'].
That process took 1 minute. If you don't run from sources in Linux
you have to wait for the distribution source to patch the RPM and then
download it and install it.
So it's not the OS that is insecure - but the insecurity is based
upon the administrators who install it. Linux [in many
distributions] is very easy to install - and that ease makes it
easy for anyone to get a system up and running.
The original of the article below on this is on a CMP site, but I
do not have the link, but it is from the Security Pipeline
newsletter.
============================================
November 11, 2004
Sloppy Admins Leave Linux Security Lacking
By Tom Dunlap
Linux has gaping security holes caused by systems administrators who
either can't or won't keep up with the latest patches, according to a
report from British security firm mi2g.
Mi2g last week attracted a firestorm of criticism when it declared
that Linux trailed Windows in overall security. The most secure
operating systems are Apple OS X and the open source BSD, according to
the study, which mi2g said was not funded by any outside party.
Many of Linux's security flaws are caused by multiple distributions of
the operating system, and lack of standardized security regimes and
procedures for applying patches, said mi2g chairman DK Matai.
Matai said mi2g is not hostile to Linux. He noted that the company
runs Linux and other open source products, including Apache, MySQL,
and PHP.
"We're just simply saying that the average system out there is not
sufficiently patched up," Matai said. "Users have no clue as to
whether their system is at the latest level of distribution or not.
And they don't have adequate administration skills."
He added, "One of the biggest complaints we hear from our customers
and contacts is it's very difficult to find a qualified Linux
administrator."
John Weathersby, executive director of the Open Source Software
Institute, said the security problems are just a natural evolution in
a maturing Linux market.
"Now that Linux is growing on the desktop, it's becoming a larger
target," Weathersby said. "You will surely see more attacks on Linux.
As the market matures you'll have products that come to market that
make it easier and more convenient to protect against hackers in a
Linux environment."
Mi2g found Linux security problems often go unsolved because many
users of the free operating system refuse to pay for upgrades and
support, Matai said. Vendors like Red Hat are, increasingly often,
charging for upgrades and support.
The most controversial--and confusing--section of the mi2g study was
the decision to exclude viruses, worms and other malware from the
comparative ratings of security in operating systems.
While Windows is more susceptible to viruses and other automatically
operating malware, Linux is more susceptible to targeted hacker
attacks--and the hacker attacks are a more serious threat, Matai said.
Successful manual attacks do much more damage to their targets, even
if they are far more rare than automated attacks, Matai said.
If mi2g had included viruses and other automatically operated
malware in the ratings, Linux would have been rated more secure than
Windows, Matai said. But BSD and Mac OS X would still be more secure
than both.
Matai said BSD and Apple are not protected from attacks just because
they're relatively rare compared with Windows and Linux.
BSD and Apple are used in many mission-critical applications and
high-security government and military installations. "There are many
genuine reasons to attack BSD and Apple," he said.
Copyright © 2004 CMP Media LLC. | SECURITY PIPELINE All rights
reserved.
--
Bill Vermillion - bv @ wjv . com