OT: Linux most breached OS

[Bill Vermillion]

John Esak said:L

> Far be it from me to want this to instigate any firestorms... :-)

> Seriously, I'm only posting this so all can experience the same impact it
> had on me when I read it... I am always the apologist and defense mouthpiece
> for MS around here... usually just listening to all the bashes and bashings
> about the Redmond giant and just well, listening. I think to be "fair and
> balanced" a report such as this certainly has as much right to be viewed
> hear as those same bashes and bashings. Enjoy. :-)  Those of you who can...
> :-)  :-)  :-)
> (Please note the _extreme_ number of adorning smileys...)  :-)  :-)

> Linux is 'most breached' OS on the Net, security research firm
> says Phil Hochmuth, Network World
>
> 11/11/2004 11:56:31
>
> According to London security analysis and consulting firm
> mi2g, Linux is the most commonly breached operating system on
> computers connected to the Internet 24/7.

[rest of the orignal deleted - wjv] 

There were followps on that, or perhaps that report skimmed
somet things that were not in the original.  I saved the original
that I had on that and here is a followup on the orignal 
that explains why Linux is insecure.   One of the major causes
is Admins who don't understand security and fail to keep their
systems patched and multiple distributions.

Note the comment on 'the average' system from the Chairman
of Mi2g, the company who put out the report - which evidentally was
not covered fully by the the PC-Press.

There is a comment on users don't know if they are patched to the
current level, and Mark has noted to me in emails that some 
distributions will patch holes but don't always updte the RPM
so you can know if it was patched. [Please feel free to fill
in the details Mark].

Note also they said the most secure were OS/X and FreeBSD.  The
latter is often used in HUGE installations - so the admins are
going to be a bit more alter.   Verio in Germany is converting
all their servers to FreeBSD to join the 250,000 servers
already in use by other Verio sites.  Yahoo has 300,000.

Last week there were a security hole in fetch.  The regular
security notice sent out - if you subscribe to it - listed
the problem - and several methods on how to correct it.
Since I just automatically runs a cvsup on the source tree
nightly - and on the stable servers the ONLY things that will
change are security fixes, it was as simple as moving
to the directory noted in the security message and typing
'make' followed by 'make install'  [I always make it a two-step
process to check things - many just perform 'make install'.

That process took 1 minute. If you don't run from sources in Linux
you have to wait for the distribution source to patch the RPM and then
download it and install it. 

So it's not the OS that is insecure - but the insecurity is based
upon the administrators who install it.  Linux [in many
distributions] is very easy to install - and that ease make it
easy for anyone to get a system up and running.

The original of the article below on this is on a CMP site, but I
do not have the link, but it is from the Security Pipeline
newsletter.

============================================
   
   November 11, 2004
   Sloppy Admins Leave Linux Security Lacking
   By Tom Dunlap

   Linux has gaping security holes caused by systems administrators who
   either can't or won't keep up with the latest patches, according to a
   report from British security firm mi2g.

   Mi2g last week attracted a firestorm of criticism when it declared
   that Linux trailed Windows in overall security. The most secure
   operating systems are Apple OS X and the open source BSD, according to
   the study, which mi2g said was not funded by any outside party.

   Many of Linux's security flaws are caused by multiple distributions of
   the operating system, and lack of standardized security regimes and
   procedures for applying patches, said mi2g chairman DK Matai.

   Matai said mi2g is not hostile to Linux. He noted that the company
   runs Linux and other open source products, including Apache, MySQL,
   and PHP.

   "We're just simply saying that the average system out there is not
   sufficiently patched up," Matai said. "Users have no clue as to
   whether their system is at the latest level of distribution or not.
   And they don't have adequate administration skills."

   He added, "One of the biggest complaints we hear from our customers
   and contacts is it's very difficult to find a qualified Linux
   administrator."

   John Weathersby, executive director of the Open Source Software
   Institute, said the security problems are just a natural evolution in
   a maturing Linux market.

   "Now that Linux is growing on the desktop, it's becoming a larger
   target," Weathersby said. "You will surely see more attacks on Linux.
   As the market matures you'll have products that come to market that
   make it easier and more convenient to protect against hackers in a
   Linux environment."

   Mi2g found Linux security problems often go unsolved because many
   users of the free operating system refuse to pay for upgrades and
   support, Matai said. Vendors like Red Hat are, increasingly often,
   charging for upgrades and support.

   The most controversial--and confusing--section of the mi2g study was
   the decision to exclude viruses, worms and other malware from the
   comparative ratings of security in operating systems.

   While Windows is more susceptible to viruses and other automatically
   operating malware, Linux is more susceptible to targeted hacker
   attacks--and the hacker attacks are a more serious threat, Matai said.

   Successful manual attacks do much more damage to their targets, even
   if they are far more rare than automated attacks, Matai said.

   If mi2g had included viruses and another automatically operated
   malware in the ratings, Linux would have been rated more secure than
   Windows, Matai said. But BSD and Mac OS X would still be more secure
   than both.

   Matai said BSD and Apple are not protected from attacks just because
   they're relatively rare compared with Windows and Linux, Matai said.
   BSD and Apple are used in many mission-critical applications and
   high-security government and military installations. "There are many
   genuine reasons to attack BSD and Apple," he said.
   
   Copyright © 2004 CMP Media LLC. | SECURITY PIPELINE All rights
   reserved . 


-- 
Bill Vermillion - bv @ wjv . com