Quote:
What is linux? Linux is an operating system built back in 1990 by Linus Torvalds as another operating system to Minix (not unix, catch), of which Albert Tanenbaum was a staunch follower of.
This is plain not true. Initially Linux used the Minix filesystem, but Linus threw out the Minix kernel for his own creation. Considering Linux is just what you find at kernel.org and considering that Minix uses a microkernel and Linux a monolithic one (as traditional UNIX does), it cannot be said that Linux is related to Minix really at all.
Quote:
services such as Apache (which, btw catch, the standard startup for apache includes 5 subservers, 10 being the maximum, but that's not really a problem considering it's fully multi-threaded)
Apache 1.x is not multi threaded (on anything other than Windows, but I wasn't counting that since it isn't standard), that is the primary change from 1.3.x to 2.x ( http://httpd.apache.org/docs-2.0/new_features_2_0.html ) or you can read here as well:
http://www.apacheweek.com/issues/97-06-20
This now incorporates multithreading which is necessary for Apache to work on Windows (since Windows does not support the standard Unix methods for creating multiple processes and shared file and socket descriptors). In the 1.3 release Apache will only be multithreaded on Windows systems, with full multithreading for all systems becoming available in the next release (probably 2.0).
Have fun wiggling out of that. :)
Quote:
(there's your secure login, catch, including secure ftp such as vsftp), and others.
Those applications neither provide a secure logon sequence (which is a local issue) nor do they provide a trusted path as the user is connected to the service and not the kernel (/kernel device).
Quote:
Linux, due to its more complex nature, is inherently more secure than Windows.
Well the good people at the National Computer Security Center disagree with you and I quote:
The class (B3) TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity.
MINIMIZING ITS COMPLEXITY. This is the single most important aspect of computer security. The simpler a system is the easier it is to verify, hence the microkernel design is required by trusted systems.
Quote:
Because of its open source nature, fixes are a lot faster than anything MS can ever attempt to achieve.
You add no point that I didn't already cover with this.
Quote:
It all comes down to who runs the box.
Then why do DOD-STD-5200.28 and ISO 15408 exist?
Quote:
MS has a long ways to go. A VERY long ways to go and would benefit greatly even if they made a limited open-source attempt.
Why are air traffic control systems not open source? Why is NORAD software not open source? Why is SMG or LOCK software not open source? Do you even know what the CMM is?
http://www.sei.cmu.edu/cmm/
Open source is level 1.
Quote:
IMHO, catch, I would harbor some of those biased opinions you've stated. You blatantly call people out because of their incorrect information when you yourself have done the same thing.
What single piece of bad information have I given? You seem to have put forth a few as well as several silly opinions with no backup whatsoever.
Quote:
And before providing a "list" of things that are wrong with linux, I'd look at windows in a very same light because that list I could provide is a lot longer.
I have, and as far as security is concerned NT is superior. Don't believe me? Let's see what the good people at RedHat have to say. :)
http://www.redhat.com/partners/press...r_oracle5.html
http://www.commoncriteria.org/ccc/ep...ail.jsp?id=140
Hmm, imagine that... Windows got the highest evaluation and Linux, with much help from Oracle engineers to write up documentation, got the same evaluation as the Tumbleweed Message Manager. ( http://www.commoncriteria.org/ccc/ep...tail.jsp?id=73 ) True, the ISO 15408 is not the end all be all to computer security, but it is a good yardstick and no matter how incomplete it is, Linux still scored lower... the fact that they couldn't even max at such an incomplete assurance system...
Quote:
In comparison to your example of a superuser account, let's go back to the Code Red exploit where my linux box (apache driven, of course) got hammered over 86,000 times by 718 individual infected IIS NT-driven boxes. And it's illegal for me to "strike back", but it's legal for them to provide services where their box is infected and trying to infect others on the same subnet. I can't add their ip to the deny list in ipchains because then all traffic on eth0 halts while ipchains (netfilter now) searches through a huge list to see if the originating IP is in there. Ah well.
How is that a comparison? It sounds like your network setup sucks, but this is just from the limited information made available to me. I am not sure how this relates to one system using an inferior and obsolete super user and the other not. I will say this, I followed MS security guidelines and have not patched any of my systems since SP1 and I had no problems with Code Red or anything else in that time. The systems in question all run a large number of services. (But not to a large audience, just my personal home network.)
catch