Welcome, Guest. Please Login
 
  HomeHelpSearchLogin FAQ Radified Ghost.Classic Ghost.New Bootable CD Blog  
 
Pages: 1 ... 3 4 5 
Send Topic Print
Windows as Secure as Linux (Read 64230 times)
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Windows as Secure as Linux
Reply #60 - Aug 28th, 2007 at 8:53am
 
Food for thought . . .

Quote:
The latest figures from consulting firms indicate that although Linux sales are growing by number of servers shipped with the operating system, the software is losing ground to Microsoft's Windows.

Microsoft picked up 2 percentage points, bringing its market share to 67.1% of servers shipped during the second quarter, according to data from Gartner.  Of 2.06 million servers shipped overall, nearly 1.4 million came preloaded with proprietary OS.  That works out to an extra 77,650 Microsoft-based servers sold during the quarter, year over year.

Linux accounted for 22.8% of server shipments, down from 23.1% the year before.  In spite of the lost ground in market share, strong sales of servers created a bigger pie for the slight growth of commercial Linux.
Source:  Microsoft Still Cleaning Up With Windows

Consider:  If Windows is less secure than Linux, and if the marketplace (increasingly) prefers the former over the latter, then the conclusion is that the marketplace does not value security highly when choosing an operating system.  Since this conclusion is patently ‘absurd,’ the premise must be questionable - right?

Wink
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 

nbree
Ex Member




Back to top
Re: Windows as Secure as Linux
Reply #61 - Aug 28th, 2007 at 4:22pm
 
Pleonasm wrote on Aug 28th, 2007 at 8:53am:
then the conclusion is that the marketplace does not value security highly when choosing an operating system.

An entirely reasonable hypothesis, and one I conjecture would survive any test you care to imagine.

An alternative intermediate hypothesis is that these people are in fact emploring a correctly balanced, risk-weighted assessment of the economic and reputational cost of breaches, and are making rational decisions about it (which would not change the outcome much).

Discriminating the above hypotheses is hard, because most discussion of security avoids looking at the actual harm and the actual losses incurred, i.e. taking an actuarial approach. That's with good reason, of course - that means gathering some difficult-to-obtain numbers.

[ However, financial institutitions almost certainly have/are refining precisely such actuarial models, since offering what is effectively insurance makes it important for them to develop such things. A fully developed loss insurance industry would be the next step. ]
 
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Windows as Secure as Linux
Reply #62 - Sep 27th, 2007 at 12:03pm
 
According to the most recent six month period examined by Symantec, the patch development time (“period between the disclosure date of a vulnerability and the release date of an associated patch”) was lower for Windows than for Apple Mac OS X, Hewlett-Packard HP-UX, Red Hat Linux (including enterprise versions and Red Hat Fedora), and Sun Microsystems Solaris.

Details may be found in Symantec Internet Security Threat Report:  Trends for January–June 07 (page 54+).
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Windows as Secure as Linux
Reply #63 - Oct 10th, 2007 at 2:29pm
 
More questions about the security advantages of Linux . . .

Quote:
When it comes to launching online attacks, criminals are getting more organised and branching out from the Windows operating system, says eBay's security chief.

eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University. ...

Last week eBay said data on 1,200 eBay members had probably been stolen via an phishing scam.  The members' data was posted to the company's Trust & Safety discussion forum.

Cullinane's experience with phishing goes back to his previous employer, Washington Mutual, which has been one of the top phishing targets in the US.

While there, he noticed an unusual trend when taking down phishing sites.

"The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling.  We expected Microsoft boxes," he said.

Rootkit software covers the tracks of the attackers and can be extremely difficult to detect.  According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. ...

"We see a lot of Linux machines used in phishing," said Alfred Huger, vice president for Symantec Security Response.  "We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots.  Botnets are almost uniformly Windows-based."

Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks, said Iftach Amit, director of security research with Finjan's malicious code research centre.

Capabilities like this make Linux machines highly coveted by online attackers, and they fetch a premium in the underground marketplace for compromised machines, Amit said.
Source:  eBay:  Phishers getting better organised, using Linux
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Windows as Secure as Linux
Reply #64 - Nov 14th, 2007 at 12:50pm
 
Humorous insights into the psychological mind set of Red Hat Linux devotees . . .

Quote:
A few weeks after my July OS Vulnerability Scorecard posting, I was amused to see a posting about it on truthhhappens.redhatmagazine.com (click to see the post).  I can't even do it justice by paraphrasing, so here is the text:

    A Microsoft vulnerability report suggests that Microsoft wasn’t able to fix more Windows flaws than the number of open software flaws fixed by the major open source companies. Red Hat, having forty times less employees than Microsoft, did the best job, by fixing and closing the most security bugs, also closing even minor bugs - where Microsoft didn’t even fix one minor bug in the same period.
Seriously, I loved this post, it made me laugh out loud!  Fixing more security vulnerabilities is apparently a good thing in the world of Red Hat Truth.

Well, for those who actively support that theory, I have some fantastic news for them!  According to my calculations, in July 2007, the Red Hat Enterprise Linux 4 team fixed their 1000th unique security vulnerability.  Now, 164 of these were Low severity and 479 were Medium severity, but still, that is a ton of work accomplished by that team, especially given that the product only shipped in February of 2005.

To put that in context, (again by my calculations) Microsoft has fixed only 649 security vulnerabilities for all supported products across the company since the year 2000.
Source:  Red Hat Enterprise Linux 4 Passes 1000 Vulnerabilities
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Windows as Secure as Linux
Reply #65 - Jan 24th, 2008 at 2:22pm
 
The Windows Vista One Year Vulnerability Report confirms the findings previously observed in similar 90-day and 6-month investigations:  Windows (XP or Vista) had significantly fewer vulnerabilities than “other operating systems such as Red Hat Enterprise Linux, Ubuntu, and Apple Mac OS X 10.4. “

To his credit, the author acknowledges that “one factor can’t measure the absolute ‘security’” of an operating system, but nonetheless the fact that it is “easier to mediate risk on a system that has 10 vulnerabilities in a year or one that has 100 vulnerabilities in a year” is commonsensical.

The author also addresses one of the often repeated criticisms of these analyses:

Quote:
Past analyses have been criticized saying that you don’t count issues that Microsoft finds internally and “silently” fixes, so comparisons are invalid. This is an interesting line of thinking to me. It is true that I don’t know if any vendors’ product updates address more security issues than is documented. There’s no way to know things that haven’t been discussed publicly.

For example, I have no idea how many security vulnerabilities were found by the Apple Quality Assurance team during the release of Leopard and were simply fixed. Further, I don’t know how many “bugs” were found and fixed without anyone, even on their team, knowing their might have been security implications if it had not been found. This is equally true for Linux distributions. I don’t know how many “bugs” fixed during the development process for rhel4 Update 5 might have had a security implication.

In terms of enumerating vulnerabilities though, there are specific examples that I can point to that indicate that silent fixes sometimes happen. Take CVE-2007-5959, for example. It is a single vulnerability identifier, but the description says “multiple unspecified vulnerabilities”. I would count that only a single time in my analyses though, since there is only a single CVE identifier. Similarly, CVE-2004-1057, says that “multiple drivers in Linux kernel” do not properly mark memory and enable a denial of service. I would only count this as a single issue in any analysis, though technically there are an additional number of vulnerabilities silently fixed. These products are getting the “benefit” of the issues that are not detailed in any analysis.

On the other hand, I can say that in Microsoft security updates, the MSRC policy is to document any internally found vulnerabilities that change the risk assessment or severity of an externally found vulnerability, or ones where the mitigations and workarounds listed don’t apply. So, by counting the issues that get publicly disclosed for products I’m using an identifiable set of vulnerabilities that have an increased risk for customers.

More generally, if a theoretical “silent fix” (in any product) actually is easily rediscoverable and is proven to be so for any vendor’s product, then it will join the publicly disclosed set of vulnerabilities in due course and can be measured as well.

Ultimately, I see the so-called “silent fixes” criticism to be a bit of a Red Herring that distracts readers from the core results of the analysis of publicly disclosed vulnerabilities.
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 

Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Windows as Secure as Linux
Reply #66 - Feb 8th, 2008 at 5:21pm
 
By way of background, readers of this thead may be interested in reviewing Linus Benedict Torvalds’s original forum post (October, 1991) announcing the creation of Linux.

He describes Linux as “a program for hackers by a hacker.”  It is ironic that Linux—believed by some to be the most secure operating system—was created “by a hacker” for others of the same ilk.  History is curious, is it not?

Of course, in those days, "hacker" didn't necessarily have the same negative implications as it does today, but...

Smiley
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
MrMagoo
Übermensch
*****
Offline


Resident Linux Guru

Posts: 1026
Phoenix, AZ (USA)


Back to top
Re: Windows as Secure as Linux
Reply #67 - Feb 8th, 2008 at 8:24pm
 
In the technical community, hacker does NOT mean someone who breaks into systems without authorization.  That is a cracker.  A hacker is someone who knows how a system works and can "hack" together a solution to nearly any problem.  It is a compliment, and that is how Linus meant it.

The media got a hold of the term and misused it, leading to its popular definition.  Technical people still use it to mean someone who can invent creative solutions to problems.  It has nothing to do with security, and trying to imply such shows the extent of your misunderstanding about Linux.

http://catb.org/~esr/faqs/hacker-howto.html#what_is
http://www.schneier.com/blog/archives/2006/09/what_is_a_hacke.html

hacker /n./
[originally, someone who makes furniture with an axe] 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
http://www.ccil.org/jargon/jargon_23.html#SEC30
 
WWW  
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Windows as Secure as Linux
Reply #68 - Feb 9th, 2008 at 2:17pm
 
MrMagoo, as I noted in Reply #66, the interpretation of the term “hacker” has certainly evolved over time.  Nonetheless, as the cited Wikipedia article documents, “By 1983, hacking in the sense of breaking computer security had already been in use as computer jargon.”  Thus, the negative connotation of the term was already part of the public lexicon eight years before Linux was announced.

Am I suggesting that Linus Torvalds is involved in, supports, or condones “breaking computer security”?  Of course not.  His description of the Linux audience as “hackers” is just an interesting (and somewhat humerous) historical tidbit, in light of the emphasis that some attribute to Linxus security.  It's nothing more than that, my friend.

Wink
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
MrMagoo
Übermensch
*****
Offline


Resident Linux Guru

Posts: 1026
Phoenix, AZ (USA)


Back to top
Re: Windows as Secure as Linux
Reply #69 - Feb 9th, 2008 at 4:20pm
 
Well, Linus meant 'hacker' to mean someone who enjoys solving problems using computers, and still often uses the term in that way, so I don't see any connection to our discussion on security.
 
WWW  
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Windows as Secure as Linux
Reply #70 - Feb 9th, 2008 at 5:18pm
 
MrMagoo, I accept your interpretation of Torvalds’ use of the word “hacker.”  It actually does make sense to me, especially if he is still using the term in its original connotation.

Perhaps it is just a reflection of my own wry sense of humor, but I found the historical connection of “Linux” to “hacker” surprising.  Surely, Torvalds must have been aware of the evolving commonplace and negative understanding of the term at the time, even though it may not have corresponded to his own interpretation.  If I were creating a new software product—even today—and hoped for it to be widely adopted among consumers and businesses, I certainly wouldn’t “advertise” it as a tool “by a hacker for hackers.”  Very bad marketing, at a minimum (!).

Best wishes,
Pleonasm
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 

Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Windows as Secure as Linux
Reply #71 - Feb 9th, 2008 at 7:14pm
 
Great thread, gentlemen.

You might consider continuing your debate in a NEW thread .. (include a link to it at the end of this one,and vice-versa).

From my recent forum upgrade fiasco, it seems all text from each thread goes into a *single* text file (*.txt), despite each thread appearing to be separated into numerous pages (5, in the case of this thread).

For whatever reason, I noticed the server seems to have problems with text files which approach 100-KB.

I just don't want you to lose another.

Memorable quote:  

Quote:
Any thread Pleo joins is likely to see 5 pages


How true. Smiley
 
WWW  
IP Logged
 
MrMagoo
Übermensch
*****
Offline


Resident Linux Guru

Posts: 1026
Phoenix, AZ (USA)


Back to top
Re: Windows as Secure as Linux
Reply #72 - Feb 9th, 2008 at 8:47pm
 
Good point.  It seems this thread may go on for a while...  I'll split it into a new thread.
 
WWW  
IP Logged
 
MrMagoo
Übermensch
*****
Offline


Resident Linux Guru

Posts: 1026
Phoenix, AZ (USA)


Back to top
Re: Windows as Secure as Linux
Reply #73 - Feb 9th, 2008 at 9:17pm
 
This thread is continued at this link:

http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1202611835
 
WWW  
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Windows as Secure as Linux
Reply #74 - Feb 10th, 2008 at 9:42am
 
Test.
 
WWW  
IP Logged
 
Pages: 1 ... 3 4 5 
Send Topic Print