OT: Linux most breached OS
Fairlight
fairlite at fairlite.com
Sun Nov 21 02:08:24 PST 2004
You'll never BELIEVE what John Esak said here...:
>
> Far be it from me to want this to instigate any firestorms... :-)
*laugh* Riiiiight. :) *poke* :)
> Seriously, I'm only posting this so all can experience the same impact it
> had on me when I read it... I am always the apologist and defense mouthpiece
> for MS around here... usually just listening to all the bashes and bashings
> about the Redmond giant and just well, listening. I think to be "fair and
> balanced" a report such as this certainly has as much right to be viewed
> here as those same bashes and bashings. Enjoy. :-) Those of you who can...
It doesn't bother me, as it's almost certainly based on skewed data.
> (Please note the _extreme_ number of adorning smileys...) :-) :-)
Oh, so noted. :) :) :) :)
> According to London security analysis and consulting firm mi2g, Linux is the
> most commonly breached operating system on computers connected to the
> Internet 24/7.
And therein may lie the tremendous skew right there. Linux is not a
desktop OS, by and large. Not having that market, that qualification may
be a -very- key part of making this resemble anything near an accurate
statement. In server roles, Linux and FBSD have a huge following (there
was a site somewhere that tracked web site platforms--the OS underneath
based on key bits of how their TCP stack responded...I've since lost the
URL, and several years back Linux was over 53% alone).
So if they're discounting all those MILLIONS (if not a few billion) of
desktops out there, sure, they can skew this data any way they like, as
most people tend to turn off their home systems (why, I don't know, as it
just adds wear to the hardware and it doesn't really save much on the power
bill) at night and when they're not in use for even moderate amounts of
time.
That single qualification could be the basis for the entire claim.
> The findings come from a recent report by the research firm, which analyzed
> almost 240,000 incidents of what it calls "digital breaches" of systems
> connected to the Internet. The firm analyzed these breaches, which included
> manual hacking attacks as well as virus, worm and other malware propagation,
> over a 12-month period from November 2003 to October 2004.
Bah. Sure, there are script kiddies out there, cracking bots, rootkits,
etc. Any system that's decently hardened doesn't generally have a problem.
Let's look at a few factors though...
There are far more viruses for Windows than there are for Linux. That's
just a plain fact. Hundreds, if not thousands more.
There are probably more actual vectors for Linux systems, depending on the
role. There's email, web servers, access via ssh or telnet (or rsh for the
very brave or stupid), ftp, etc. Those are all fairly standard, and then
you might have samba, custom server software, etc.
Windows has main vectors: Outlook on most systems (arguably the #1 cause
of infections), and IE on most systems (arguably the #2 vector). Oh,
and file shares are another vector. Then there's that vector known as
The User, who may install God knows what on the system--generally with
administrator privileges. There are goodies like DCOM, etc., that are part
of the newer versions, but by and large, you're looking more or less at
three major vectors for most systems. But those are HUGE vectors--gaping
chasms. They've released SP2 for XP and already one security firm is up to
20 security flaws in IE alone since then that have not yet been rectified
(a claim MS disputes, which is no big surprise).
You want to talk damage potential? I don't think anything since the Morris
Worm has really made it big on *nix anything to this degree--look at the
single example of SQL Slammer that took down at least five of the root
nameservers and a damned good percentage of the net in general last year.
No attack on Linux has ever generated something like that.
> According to the research firm's report, Linux accounted for 65% of the
> 154,846 systems that were found to be hacked. Windows-based operating
> systems were second, accounting for 25% of the breached systems examined in
> the study.
-IF- we're talking 24/7 systems, I could buy those numbers perhaps. I'd
also chalk it up to lots of people that get Linux because it's free, don't
know their arse from a hole in the ground given two hands and a flashlight,
and who should never EVER be let near anything more complex than a simple
4-function pocket calculator. Actually, I know people that -could- be
better admins that just aren't, and don't bother patching and staying
current. It's sloppy administration, and it's pandemic. And while there
are many more viruses for Windows, they mostly all use the same vectors.
There are more places to actively screw up in *nix of any sort, and Linux
happens to be the (more or less) most popular one. Hence, it also attracts
the biggest percentage of sloppy administrators just by having a larger
slice of the pie in the 24/7 server market.
> The safest systems were those based on BSD Unix, including Apple's Mac OS X
> operating system. These systems accounted for 4% of the breached systems.
Mac OS/X has rarely been targeted. They did just release a security pack
though, and had a close call with a threat a few weeks back. Overall, the
installed base being what it is, most of them being desktops, I'm surprised
the number even hit 4%. In fact, I think it's that high because they
lumped all the *BSD in together.
I wouldn't try to deny that FBSD has more robust security than Linux. I'm
pretty convinced it does. But I'd say Linux isn't much less secure than
say...Solaris. Sun had a boatload of security patches in the last few
years. Linux systems don't -have- to be insecure. If they're insecure,
it's because a sloppy admin left or made them that way, usually. You can
keep things reasonably up to date and never have a problem over years of
24/7 on whole clusters--been there, done that. You can keep Windows fully
patched and never be secure.
> The research firm says those who maintain security code for Linux are
> challenged by the splintering of the operating system into "umpteen"
> different flavors [mi2g said "flavours," actually, being a British outfit].
> The firm also said the widespread use of Windows, weaknesses in Windows XP,
> and delays in the Longhorn operating system were responsible for the
> security faults in Windows systems.
Microsoft is responsible for the security faults in Windows, period.
Flavours of Linux don't really enter into the equation. At the base of
it, most distributions run damned near the same things anyway--which
originate from the same authors of the same packages. The only point at
which this really enters into it is when half-arsed back-ports of security
patches are done by places like Red Hat, and they foul the patches.
They've gotten to be a little like MS in having patches for patches in the
last two years.
> Most of the "digital breaches" mi2g examined came from what it calls
> "micro," and "small" entities. These include individuals with home PCs
> connected to the Internet, and small businesses, respectively. These
> accounted for over 80% of the incidents mi2g looked at. Mid and large-sized
> organizations made up only 8.5% of the incidents.
When they say "came from" are they referring to "originated from"? Yeah,
no kidding. Individual wastes of space with nothing better to do than
crack systems, or rogue Windows boxes turned into DDoS/cracking slaves
without anyone's knowledge. The latter accounts for a -lot- of what goes
on.
> Mi2g says it gets its data from "personal relationships" with C-level
> executives in the banking and insurance industries in North America, Europe
> and Asia. Other data sources come from monitoring hacker bulletin boards, as
> well as infiltration by mi2g employees into online hacker groups.
*laugh* This is just sad. Really, really sad. If they've managed to
infiltrate the cracking groups, why the hell haven't they turned state's
evidence and gotten the bastards shut -down- by the authorities? They're
bloody accomplices then, for not having done so. Yeah, I'm trusting these
people more and more by the second...how about you guys? :) You can't
even trust their ethics--what makes you think you can trust their data?
> While it all sounds very cloak-and-dagger, and a bit damning to Linux, it
> seems the "take-away" from mi2g's report may just be common sense: home
> Linux users and small businesses - download your operating system patches
> and update your firewall software.
I don't think it sounds damning to Linux. I think it sheds light on some
poor administration by many. I also think it's skewed. Put together TOTAL
SYSTEMS--total installations of Linux vs Windows vs whatever, and -THEN-
run the numbers. I'm betting you'd find 75%+ of compromised systems are
suddenly Windows, not Linux. I think it goes back to that 24/7 clause.
This just -reeks- of skewed and cooked data. As they say, you can make
statistics say anything you like.
It also wouldn't surprise me if this was an MS- or SCO-funded study. It
needn't be, but it wouldn't surprise me.
People taking it at face value...*shrug* Let them. Those of us that
actually know what we're doing with the platforms in question know the
solidity of their respective components. IOW, we know the truth. I don't
need a bunch of people that appear to have less ethics than your ordinary
garden slug telling me how lousily other people run the systems they
carefully hand-picked to select for comparison. If one sits down and
thinks about what they're saying, and upon what they're basing it, it
starts to fall apart quite rapidly, IMHO.
FWIW, I've run some high-profile/high-traffic sites--clusters of Linux
servers for multiple firms. Any system I've had -sole- discretion over has
never been breached. Even the ones that I've only had partial jurisdiction
over weren't breached, excepting the one employee that was the "other
admin" at one site that changed all subsystem and root passwords on both
Linux and Windows and then left. I regained full control of the Linux
systems inside 10 minutes, once I was told what transpired and asked to get
control and lock him out. It pays to have more (authorised) back doors
into the system than a rogue employee. He went up against me, he lost. :)
The record for ones I've administrated entirely myself also includes
an ISP that I ran for 1.5+ years that was a pretty large target. Three
-unfirewalled- Linux servers that were up 24/7 and were never breached.
Couldn't say the same for their NT boxes though--but those weren't my
responsibility, they were another contractor's.
And it's not bragging...it's -not- just me that has had no real problems.
Not by a long shot. It's any admin that cares enough to actually do their
work. I'd be -very- surprised if Bill Campbell's ever had a system that he
had sole control over that was breached. I'm guessing he's got a flawless
security record on his systems, regardless of what vendor he's using at
any given point in time. Just a guess, but an educated one. Really, so
much depends on the knowledge and experience of the person in charge of
the system. And there are a lot of people out there that went for a few
days/weeks/months to get a Linux certification from somewhere and think
they can handle it, and they overlook the most obvious things. This is
something that takes years to get experience with, and you're -never- done
learning it. When they think they know everything, it's time to worry.
It's a constant learning curve, and constant vigilance. Those that put
their mind to it tend to succeed, just as in any other endeavor.
It's all in the wrist, man. :) :) :) :) :)
I'm off to knock on some wood. :) ^ 128
mark->
--
Bring the web-enabling power of OneGate to -your- filePro applications today!
Try the live filePro-based, OneGate-enabled demo at the following URL:
http://www2.onnik.com/~fairlite/flfssindex.html
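The post lists the "vectors" a Linux box tends to expose depending on its role (ssh, telnet, rsh, ftp, web, mail, samba) and argues that a decently hardened, patched system rarely has a problem. The check an admin would want at that point is an inventory of what is actually listening and which of it is reachable from the network in the clear. The following Python script is an added example, not code from the original post or the mailing list; it parses the layout of `ss -ltnp` (Linux, iproute2) and classifies listeners with a port-to-service table that is an assumption of the example and should be extended for your own environment. The sample listing is constructed for the example.

```python
"""Inventory listening TCP services and flag cleartext ones exposed to the network.

Added example, not from the original post. Parses `ss -ltnp`-style output and
classifies each listener by service and exposure. SAMPLE_SS below is a
constructed listing; call classify(parse_ss(run_ss())) for live data on Linux.
"""
import re
import subprocess

# Port -> (service, risk class). Constructed for the example; extend per environment.
PORT_PROFILE = {
    21:  ("ftp",    "cleartext"),
    22:  ("ssh",    "encrypted"),
    23:  ("telnet", "cleartext"),
    25:  ("smtp",   "plaintext-protocol"),
    80:  ("http",   "plaintext-protocol"),
    139: ("smb",    "legacy"),
    443: ("https",  "encrypted"),
    445: ("smb",    "legacy"),
    513: ("rlogin", "cleartext"),
    514: ("rsh",    "cleartext"),
}

# Local addresses that are only reachable from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in `ss -ltnp` layout: header line followed by one row per listener.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       127.0.0.1:25         0.0.0.0:*          users:(("master",pid=900,fd=13))
LISTEN  0       50      0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=700,fd=5))
LISTEN  0       50      0.0.0.0:514          0.0.0.0:*          users:(("inetd",pid=700,fd=6))
LISTEN  0       511     *:80                 *:*                users:(("httpd",pid=1000,fd=4))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1100,fd=30))
LISTEN  0       128     [::1]:6010           [::]:*             users:(("sshd",pid=2000,fd=9))
"""


def parse_ss(text):
    """Return a list of (local_address, port, process_name) from ss output."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition handles "0.0.0.0:22", "*:80" and "[::1]:6010" alike.
        addr, _, port = fields[3].rpartition(":")
        proc = re.search(r'"([^"]+)"', line)    # first quoted name in users:(...)
        listeners.append((addr, int(port), proc.group(1) if proc else "?"))
    return listeners


def classify(listeners):
    """Attach service name, risk class and scope (loopback/external) to each listener."""
    findings = []
    for addr, port, proc in listeners:
        service, risk = PORT_PROFILE.get(port, (proc, "unknown"))
        scope = "loopback" if addr in LOOPBACK else "external"
        findings.append({"port": port, "service": service, "process": proc,
                         "risk": risk, "scope": scope})
    return findings


def externally_exposed_cleartext(findings):
    """Ports reachable from the network that carry credentials in the clear."""
    return sorted(f["port"] for f in findings
                  if f["scope"] == "external" and f["risk"] == "cleartext")


def run_ss():
    """Collect live data on a Linux host (requires iproute2's `ss`)."""
    return subprocess.run(["ss", "-ltnp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    report = classify(parse_ss(SAMPLE_SS))
    for f in report:
        print(f"{f['port']:>5}  {f['service']:<8} {f['scope']:<9} "
              f"{f['risk']:<18} {f['process']}")
    print("cleartext services on external interfaces:",
          externally_exposed_cleartext(report))
```

On the constructed sample the script reports telnet (23) and rsh (514) as cleartext listeners on all interfaces, treats the SMTP listener bound to 127.0.0.1 as loopback-only, and leaves the unknown port 6010 tagged by its process name rather than guessing a service.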
More information about the Filepro-list mailing list