OT: Linux most breached OS

Bill Vermillion fp at wjv.com
Sun Nov 21 14:57:45 PST 2004


Shakespeare wrote plays and sonnets that will last an eternity, 
but on Sun, Nov 21 05:08, Fairlight wrote:

> You'll never BELIEVE what John Esak said here...:

> > Far be it from me to want this to instigate any firestorms... :-)

> *laugh*  Riiiiight.  :)  *poke*  :)

[much deleted - wjv]

...

> You want to talk damage potential? I don't think anything since
> the Morris Worm has really made it big on *nix anything to this
> degree--look at the single example of SQL Slammer that took
> down at least five of the root nameservers and a damned good
> percentage of the net in general last year. No attack on linux
> has ever generated something like that.

The Lion virus gave users root access on Linux systems.  That was
the last really major hole I recall.  On the BSD systems DNS just
stopped working.

The Morris worm worked only if you were running Sendmail and a Vax.

And a lot of the FUD about Sendmail security dates from then.

> > The safest systems were those based on BSD Unix, including
> > Apple's Mac OS X operating system. These systems accounted
> > for 4% of the breached systems.

> Mac OS/X has rarely been targeted. They did just release a
> security pack though, and had a close call with a threat a few
> weeks back.

You make it sound like there was one security patch.  There have
actually been quite a few.  But you do get notices when they come
out and a single click will install the fixes.  

>..

> I wouldn't try to deny that FBSD has more robust security than
> Linux. I'm pretty convinced it does. But I'd say Linux isn't
> much less secure than say...Solaris. Sun had a boatload of
> security patches in the last few years. Linux systems don't
> -have- to be insecure. If they're insecure, it's because a
> sloppy admin left or made them that way, usually.

....

That was the whole thrust of the original article - which seemed to
get lost as publications filtered it to meet their needs.  

The actual title of the article in Security Pipeline Newsletter
was "Sloppy Admins Leave Linux Security Lacking".

Here is the relevant paragraph from that article.  It was
the LEAD paragraph.

--------------------------
   Linux has gaping security holes caused by systems administrators who
   either can't or won't keep up with the latest patches, according to a
   report from British security firm mi2g.
--------------------------

If the PC mags wouldn't perform editorial commentaries by editing
the raw data to suit their needs this misunderstanding would not
have occurred.

> This just -reeks- of skewed and cooked data. As they say, you
> can make statistics say anything you like.

> It also wouldn't surprise me if this was an MS- or SCO-funded
> study. It needn't be, but it wouldn't surprise me.

Let's not start another conspiracy theory.  I think I sent you 
the Security Pipeline newsletter last week that covered this - and
in more detail than most trade mags did.

And I accidentally trimmed a bit too much as you said you had
lost the link on what servers are doing what.

That is www.netcraft.com.

Apache is up to almost 70%, MS is about 25%.  The latter 
keeps slipping.

What is really telling is the list of the top-50 sites based
on uptime.

Of the top-50 the only OSes are BSD/OS and FreeBSD.   [BSD/OS
is/was the commercial version sold by BSDI - the people who
fought AT&T [along with The Regents] to certify it was AT&T
code free.]

And all but three are running Apache.

But don't count MS.  Both the LinuxWorld and Mac Expos were 
running the servers on Windows 2003.  [I can't confirm the date -
but that was in a Netcraft article.  You could spend a lifetime
looking at everything on that site].

-- 
Bill Vermillion - bv @ wjv . com

