|
-
October 14th, 2003, 12:50 AM
#41
Let's take a very mitigated look at windows and linux, since the original subject spiraled into yet another "which is a better OS" debate.
Before I do anything like that, I'll state up front that I'm a unix systems administrator of 8 years with a total of 15 years of computer experience. This is neither a pro or a con, just a statement of where I'm going to pull my "knowledge" from. Knowledge, like anything else, can/will be biased, is based on opinions of individuals, and is subject to be wrong, misled, correct, zealous, and any number of other adjective-oriented designs.
Where does windows come from? It comes from Xerox, Apple, IBM, and a myriad of other collections of "what could've been" if the companies that made those products actually pursued and/or better protected them. This is neither here nor there. What is important is that it runs the desktop, pure and simple, and pretty much nothing will ever change that modus operandus. It's in every business, school, and corporate design regardless of the 'tactics' used (extended contracts, no usage of other OS', etc).
What does windows provide? A very user-friendly environment of which any number of applications can and will be used, varying in type from word processing to html markup to spreadsheets, you name it. It attempts to provide major server level applications on a desktop, such as Access (that's very unreliable as a "database"), web serving (IIS), and others. Some of these are bonafide server applications (IIS, Exchange), yet due to the inherent incorporation with these apps to the OS, more holes and bugs and "virii" and exploits have been able to be made and used than on any other operating system known to man. This is a proven fact and it's why I don't use anything windows-related for mail, web browsing, and other things (in my dealings with windows). It still is the KOTH when it comes to desktop usage and hence, has provided the world with idiot users (not necessarily a bad thing since they don't know anything at all) yet that's a whole slew of problems in and of itself. Proven fact is seeing CLI students in Intro to Unix are "smarter" when it comes to figuring out encountered problems than those taking Intro to Windows or whatnot. This is not a cut on windows users, simply a noticed event. I also see unix users who can't use windows at all. That's another noticed event.
What is linux? Linux is an operating system built back in 1990 by Linus Torvalds as another operating system to Minix (not unix, catch), of which Albert Tanenbaum was a staunch follower of. In fact, "writing another operating system for the i286 earns you your second F for this semester" is what Tanenbaum told Torvalds upon completing the base kernel (he had to write his own floppy disk drivers and a ton of other things). Since then, it quickly became part of the "Open Source" movement which stemmed out of the Open Source Foundation (HP, et al) and people started investing time and effort into making a better product. Now, it provides businesses a much cheaper and more stable operating environment for services such as Apache (which, btw catch, the standard startup for apache includes 5 subservers, 10 being the maximum, but that's not really a problem considering it's fully multi-threaded), sendmail (which has undergone many many security exploits...it used to be 'what's the sendmail exploit of the week?'), qmail, perl for text manipulation, cgi/php, ssh (there's your secure login, catch, including secure ftp such as vsftp), and others.
Linux, due to its more complex nature, is inherently more secure than Windows. Because of its open source nature, fixes are a lot more faster than anything MS can ever attempt to achieve. However, it's just as vulnerable to some things, regardless, because security is one divided by convenience (Unix System Administrators Handbook). I've seen linux boxes open to a number of vulnerabilities and I've seen windows boxes that were some of the best secured boxes by any number of standards. It all comes down to who runs the box. MS has a long ways to go. A VERY long ways to go and would benefit greatly even if they made a limited open-source attempt. It can't hurt at all. Linux has breached that gap a long time ago and yet it still has a long ways to go. They all do. AIX has tons to go through, HP has tons, Solaris has tons, Windows is last in line because when you have that many customers, you will have that many exponential problems, especially considering holes are found faster than they can be fixed.
IMHO, catch, I would harbor some of those biased opinions you've stated. You blatantly call people out because of their incorrect information when you yourself have done the same thing. And before providing a "list" of things that are wrong with linux, I'd look at windows in a very same light because that list I could provide is a lot longer. In comparison to your example of a superuser account, let's go back to the Code Red exploit where my linux box (apache driven, of course) got hammered over 86,000 times by 718 individual infected IIS NT-driven boxes. And it's illegal for me to "strike back", but it's legal for them to provide services where their box is infected and trying to infect others on the same subnet. I can't add their ip to the deny list in ipchains because then all traffic on eth0 halts while ipchains (netfilter now) searches through a huge list to see if the originating IP is in there. Ah well.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
October 14th, 2003, 01:34 AM
#42
Vorlin:
It all comes down to who runs the box.
I think I've said this a million times here..... Is _anyone_ listening.... at all??????
let's go back to the Code Red exploit where my linux box (apache driven, of course) got hammered over 86,000 times by 718 individual infected IIS NT-driven boxes
Going back to the above point, and aimed at both you and Catch, you won't see any address from my netblock in that list of machines Vorlin..... My "talented admin" comments earlier in this thread still stand even though it might sound like "horn-blowing"....
Vorlin.... You're default install of Apache ain't nothing to write home about from everything I read about it either so your little jibe about "apache driven, of course" may be intended as bait but pointing you back to the statement of yours I quoted first it is meaningless.
Can we please get back to the task at hand here, which, for those of you that are now confused, is computer security.... Can we please get over the fact that good admins make good systems and bad admins make bad systems regardless of the OS in use and help each other help ourselves..... I'm too old to be bickering with the all too many children we have here and fighting with those who clearly actually have a clue but want to play "na na na na na na" with their OS...... There's a whole bunch of kiddie places you can exercise that little muscle.....
Let's try to elevate AO..... not slowly drag it to it's knees with a tonnage of bullshit that exceeds the entire Congress throughout history.......
Don\'t SYN us.... We\'ll SYN you..... 
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
October 14th, 2003, 01:44 AM
#43
What is linux? Linux is an operating system built back in 1990 by Linus Torvalds as another operating system to Minix (not unix, catch), of which Albert Tanenbaum was a staunch follower of.
This is plain not true. Initially Linux used the Minix filesystem, but Linus throw out the Minix kernel for his own creation. Considering Linux us just what you find at kernel.org and considering that Minix uses a microkernel and Linux a monolithic one (as traditional UNIX does) it cannot be said that Linux is related to Minix really at all.
services such as Apache (which, btw catch, the standard startup for apache includes 5 subservers, 10 being the maximum, but that's not really a problem considering it's fully multi-threaded)
Apache 1.x is not multi threaded (on anything other than Windows, but I wasn't counting that since it isn't standard), that is the primary change from 1.3.x to 2.x ( http://httpd.apache.org/docs-2.0/new_features_2_0.html ) or you can read here as well:
http://www.apacheweek.com/issues/97-06-20
This now incorporates multithreading which is necessary for Apache to work on Windows (since Windows does not support the standard Unix methods for creating multiple processes and shared file and socket descriptors). In the 1.3 release Apache will only be multithreaded on Windows systems, with full multithreading for all systems becoming available in the next release (probably 2.0).
Have fun wiggling out of that. 
(there's your secure login, catch, including secure ftp such as vsftp), and others.
Those applications neither provide a secure logon seqence (which is a local issue) nor do they provide a trusted path as the user is connected to the service and not the the kernel (/kernel device).
Linux, due to its more complex nature, is inherently more secure than Windows.
Well the good people at the National Computer Security Center disagree with you and I quote:
The class (B3) TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity.
MINIMIZING ITS COMPLEXITY. This is the single most important aspect of computer security. The simpler a system is the easier it is to verify, hence the microkernel design is required by trusted systems.
Because of its open source nature, fixes are a lot more faster than anything MS can ever attempt to achieve.
You add no point that I didn't already cover with this.
It all comes down to who runs the box.
Then why do DOD-STD-5200.28 and ISO 15408 exist?
MS has a long ways to go. A VERY long ways to go and would benefit greatly even if they made a limited open-source attempt.
Why are air traffic control systems not open source? Why is NORAD software not open source? Why is SMG or LOCK software not open source? Do you even know what the CMM is?
http://www.sei.cmu.edu/cmm/
Open source is level 1.
IMHO, catch, I would harbor some of those biased opinions you've stated. You blatantly call people out because of their incorrect information when you yourself have done the same thing.
What single piece of bad information have I given? You seem to have put forth a few as well as serveral silly opinions with no back up whatsoever.
And before providing a "list" of things that are wrong with linux, I'd look at windows in a very same light because that list I could provide is a lot longer.
I have, and as far as security is concerned NT is superior. Don't believe me? Lets see what the good people at RedHat have to say.
http://www.redhat.com/partners/press...r_oracle5.html
http://www.commoncriteria.org/ccc/ep...ail.jsp?id=140
Hmm Imagine that... WIndows got the highest evaluation and Linux with much help from Oracle engineers to write up documentation got the same evaluation as the Tumbleweed Message Manager. ( http://www.commoncriteria.org/ccc/ep...tail.jsp?id=73 ) True the ISO 15408 is not the end all be all to computer security, but it is a good yardstick and no matter how incomplete it is, Linux still socred lower... they fact that they couldn't even max at such an incomplete assurance system...
In comparison to your example of a superuser account, let's go back to the Code Red exploit where my linux box (apache driven, of course) got hammered over 86,000 times by 718 individual infected IIS NT-driven boxes. And it's illegal for me to "strike back", but it's legal for them to provide services where their box is infected and trying to infect others on the same subnet. I can't add their ip to the deny list in ipchains because then all traffic on eth0 halts while ipchains (netfilter now) searches through a huge list to see if the originating IP is in there. Ah well.
How is that a comparison? It sounds like you network setup sucks, but this is just from the limited information made availible to me. I am not sure how this relates to one system using an inferior and obsolete super user and the other not. I will say this, I followed MS security guidelines and have not patched any of my systems since SP1 and I had no problems with code red or anything else in that time. The systems in question all run a large number of services. (but not to a large audience, just my personal home network.)
catch
-
October 14th, 2003, 01:52 AM
#44
I think it's bedtime girls and boys...... We can fight in the sandbox and throw our toys outta the pram again tomorrow......
G'nite John Boy.......
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
October 14th, 2003, 01:56 AM
#45
Can we please get back to the task at hand here, which, for those of you that are now confused, is computer security.... Can we please get over the fact that good admins make good systems and bad admins make bad systems regardless of the OS in use
Ok... I'll setup AITOS6 server and you setup a Win98 server.
I will run every service under the sun that you want of any version and configuration of your choice. I'll give you the SA, SO, and ISSO passwords (System Administrator, System Operator, Information Systems Security Operator what root gets broken up into) in fact I'll give you all the passwords for every account on the system. I'll install any trojans you want. I will run no firewall or any third party protection software.
Could I be a worse admin than this?
You can lock the system down as much as you like but you must run at least one standard service. (ftp, rpc, http, ssh, https, sql, smtp, etc) in as locked down but functional state as you wish.
How do you think will win a capture the flag tourny? I'll even give you a 6 month head start. Even not Win98, you can run Linux or Solaris or AIX... it won't change the results. You can have as many people help you as you want.
Administrators are important, but know their place... and know that they can be (and should be) obsoleted as far as security is concerned. Yes most of us lack this ability due to limited resources and ill organizational structures already in place. That doesn't change the fact.
catch
-
October 14th, 2003, 03:01 AM
#46
Member
Grow up
It seems this is beggining to get out of hand. Do we really need to start challenging one another? Let's just settle the difference of opinions here. People like Windows. People like Linux. That's ok. People can have whatever ideas they want here. This seems like it's just getting to vendettas here. Let's act our age now.
--Kristoph
-
October 14th, 2003, 03:23 AM
#47
Let's just settle the difference of opinions here. People like Windows. People like Linux.
I am not involved in a conversation about my opinions. I don't really care for either system. I am merely attempting to correct misinformation so that people can be better informed. For me to agree would be to say "Yes, all of those things you said that are wrong, well they are actually right, making me just as ill informed as you."
This seems like it's just getting to vendettas here.
Again, I have no vendetta. People can use whatever they want and it matters not to me.
People come to this site for information, what kind of information do you think they want?
Peoples' opinions and tastes about which operating system they like with no objective, quantifiable reasons?
Or...
Perhaps something a little more useful? The correction of misinformation (with links to the product's own site to verify it as misinformation), objective arguments backed up by leading standards organizations and security evaluation criteria?
Let me know what you want and I'll act accordingly.
catch
PS. Both NT and UN*X/Linux are utter garbage as far as security is concerned, just linux more so. :-P
-
October 14th, 2003, 04:21 AM
#48
Originally posted here by Vorlin
What does windows provide? A very user-friendly environment of which any number of applications can and will be used, varying in type from word processing to html markup to spreadsheets, you name it. It attempts to provide major server level applications on a desktop, such as Access (that's very unreliable as a "database"), web serving (IIS), and others. Some of these are bonafide server applications (IIS, Exchange), yet due to the inherent incorporation with these apps to the OS, more holes and bugs and "virii" and exploits have been able to be made and used than on any other operating system known to man. This is a proven fact and it's why I don't use anything windows-related for mail, web browsing, and other things (in my dealings with windows).
Exchange is not at all ridden with exploits. In fact, there are very few exploits specifically for exchange. There are a lot for IIS and a lot of stupid user things in outlook. But the exchange server itself is an incredibly good email server when configured correctly. It isn't even in the top ten with that latest cert report.
If linux was the desktop OS of choice, we would be plagued by linux virii.
If you want to talk about trusted OS'es neither linux or windows stand a chance. Nobody is trying to argue that, and if they do, they are just ignorant. It is just that those type of OS'es are not at all applicable in a business environment that requires flexibility and adaptability.
-
October 14th, 2003, 04:41 AM
#49
If you want to talk about trusted OS'es neither linux or windows stand a chance. Nobody is trying to argue that, and if they do, they are just ignorant. It is just that those type of OS'es are not at all applicable in a business environment that requires flexibility and adaptability.
Actually trusted systems are quite frequently used by large corporation, though on limited servers. Rarely will you see an entire multi level subnet.
I know for a fact that nearly ever major bank uses them as well as many technology companies, (IBM, HP, HDS, Intel, SUN, and SGI to name a few) and of course all secure US government/DoD systems.
My point is that TOS ideals should be applied to lower level systems as far as evalautions and security mechanism understanding is concerned. In the real world however most people don't even know what trusted systems are. I think that users need to understand high security before then can understand low security. Otherwise how do they know what is closer to high security and thus more secure?
And I am not talking about default configurations or application exploits, but things like the virtues of the microkernel architecture, the importance of assurances, which access control models are fundementally flawed, and so forth.
catch
-
October 14th, 2003, 11:32 AM
#50
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
