assault on linux by windows

I would like very much to compare Internet Explorer, since it is part of the operating system, to linux as a whole. As far as I know there are still several unfixed security holes in IE dating back as far as 2 years. Anyone who says that it takes a long time to repair linux flaws should look at IE and think again. Hopefully these bugs will be fixed for you windows users when Microsoft officially releases Windows XP SP2. Unfortunately SP2 might go as badly for some as SP1.

http://www.pcworld.com/news/article/0,aid,105144,00.asp

Quote:

---

Originally posted here by catch
I am not an admin.
Am I to understand that you are saying a system with lower security potential is better because it comes in a slightly harder state and this creates a minimally higher chance that you'll be able to track back a stupid attacker?

---

If you explain what you mean by 'lower security potential', then I will answer this. I said what I said, if you wish to put words in my mouth over the issue, it is far from being important enough to continue this conversation.

Quote:

---

I honestly hope you have better arguments than that. This whole bit about most other systems being insecure is a good thing, not a bad thing as several of you have tried to spin it.

---

What kind of silliness are you believing that makes insecure systems on the wilds of the 'net a good thing? No offense intended, please leave the administration and such to people who know what they're doing. If you had ever been in a position to maintain a newtork with as little as TWO static IPs on the 'net for a business, you would have half a clue of the dangers that a netadmin has to cope with on a regular basis, both from inside and outside his or her network.

Quote:

---

There is currently no way to defend against all types of DDoS attacks, so why make this a top concern?

---

That is an incredibly ignorant statement -- there are a LOT of post-facto ways to defend against DDoS attacks. Chief among them is contacting your ISP and having them drop routes from the attackers. The most dangerous raw packetflood would be a spoofed DDoS, but even that there are ways of defending against.

Quote:

---

maybe something like access control granularity or perhaps seperation of power should be slightly bigger concerns, but no one ever wants to talk about such things and that should be the point. Not "How many systems of type X were compromised via vulnerabilities that should not exist in production servers and would have been removed if the basic security guidelines had been followed."

---

No competent admins I know ever discuss vulnerabilites that affected them that could have been prevented by basic security guidelines. They generally tend to discuss things like how frustrating it is to deal with people who can't be bothered to secure their machines. Keep in mind, as a netadmin, you look after more than just servers. That may not enter into your equation, but it is a fact. Desktop security is just as important as server security, especially when trying to defend your servers.

Quote:

---

Although I guess I am nearly alone in this viewpoint. I am tarting to remember why I'd been too busy to use this site for the last few months, which is shame.

---

Because experienced professionals vehemently disagree both based on past and present experiences? That is a rather childish reason to take your ball and go home, as it were.

ThePreacher, run MSIE as a less privileged user, all bugs fixed without patching. Gee that was tough.

Quote:

---

If you explain what you mean by 'lower security potential', then I will answer this.

---

So you don't even know what makes a system secure? You think it is just application bugs? No wonder no conversation can be had. Perhaps you should take a gander at some basics like ISO 15408 or DOD-5200.28-STD so you'll have an idea

Quote:

---

What kind of silliness are you believing that makes insecure systems on the wilds of the 'net a good thing?

---

I am sorry but this is a very weak argument if one at all... like organizations will have like security so this is not an issue of effecting insurance or the likes. The only kind of concern this gives you is that it makes DDoS attacks simpler, which you can't defend against anyhow. (some not at all and some not until "post-facto")

Quote:

---

No offense intended, please leave the administration and such to people who know what they're doing.

---

This is of course why at any company with mature IS policy you will not find admins making decisions. Because they "know what they're doing." Admins are very low on the food chain and for good reason. They tend to be less educated and less experienced than those who do make decisions, and admins that spend their career as such tend to just be not very bright. No offense.

Quote:

---

That is an incredibly ignorant statement -- there are a LOT of post-facto ways to defend against DDoS attacks. Chief among them is contacting your ISP and having them drop routes from the attackers. The most dangerous raw packetflood would be a spoofed DDoS, but even that there are ways of defending against.

---

Wow so you can defend against two popular simple types of DDoS, what about one that mimics legit traffic? How are you gonna filter that? Granted such attacks are less common, there is still no good way to defend against one. Secondly even with you post-facto response, the DDoS has still done damage per the cost of resources to fix the issue. Attacks can be damaging without destruction or compromise. You admin types, however don't tend to consider such things.

Quote:

---

No competent admins I know ever discuss vulnerabilites that affected them that could have been prevented by basic security guidelines.

---

I see them all the time discussing things like IIS and people in this thread discussing MSIE. Yet never any talk about what systems happen to use access control systems that are flawed in design.

Quote:

---

Because experienced professionals vehemently disagree both based on past and present experiences?

---

No, because "experienced professionals" seem unable to discuss anything more advanced than what could be obtained after an hour of reading bugtraq and maybe one or two secondary level CS classes. Not only that be the same conversation all the time.

For example I received my copy of the ACM's "Symposium on Operating Systems Principles" which has several very interesting articles, including one on the secure highly available resource peering (SHARP) architecture, but I hesitate to bring it up in a thread because either A. I'll get no responses at all and it'll be a waste of my effort. B. I'll just get a slew of stupid responses from "experienced professionals" about god alone knows what.

So it's not a matter of disagreement, it's a matter of discussing things, I keep hoping to find more educated members than I do. No offense.

Gore wants me to write a FAQ type thing about why OpenBSD is actually one of the least secure mutil-user systems on the market. Although I know for a cold fact that this is true, I already know that I am gonna get idiots saying things like "well X system has had many exploits in OpenBSD has none in seven years!" or whatever nonsense they decide to regurgitate from the OpenBSD site, and it just gets old after a while.

catch

Quote:

---

Admins are very low on the food chain and for good reason

---

A meaningless truism. Guess what? Computer science engineers don't make policy either.
Neither do salesmen. Business decisions are made by business people, because
the choice of OS on the business's computers will be made based (presumably) on
whichever one makes more money for the business, with all other things considered.

This doesn't mean that the network admin is a fool, deserving to be ignored, only
that the executives have other concerns than purely technical.

If techs and engineers agreed unanimously thas one system was more secure,
the execs would give due consideration to that advice, but have to weigh security
against other valid concerns.

Sellers of software naturally want to convince buyers that their system is the
best over all choice. Since I'm not an engineer, I don't know which system
has technically higher or lower absolute potential for security.

Is this discussion strictly technical and theoretical, or are we discussing
our opinion on what is better business-wise and in general practice?
:cool:

Quote:

---

Originally posted here by catch
Gore wants me to write a FAQ type thing about why OpenBSD is actually one of the least secure mutil-user systems on the market. Although I know for a cold fact that this is true, I already know that I am gonna get idiots saying things like "well X system has had many exploits in OpenBSD has none in seven years!" or whatever nonsense they decide to regurgitate from the OpenBSD site, and it just gets old after a while.

catch

---

Yes I do. I believe that when you and me had our little discussion that you brought up very good valid points that actually made me think. I can be a stubborn bastard sometimes, but I changed my veiws on OpenBSD. Do I think Windows ships buggy and insecure? Yes.

But, Do I think it can be locked down well enough to use without much of a problem? Yes. OpenBSD ships locked down and I'm pretty sure Max OS X does to. Now this is good for someone who knows nothing about security because they don't have to do anything.

But what newbie really starts out with Open BSD? None. Well at least not usually. They start with Windows usually. With the release of XP Microsoft tried getting a new run on their bad track record by having a built in firewall. This was nice and everything, but the firewall only blocks incoming traffic, and goes right back to that false sence of security.

The average user with a bit of knowledge will start the firewall and believe they are secure. I tend to believe that no matter what, nothing is actually secure, their are only steps that can be taken to prevent something from happening.

If something ships that isn't actually locked down but is slightly, and comes with everything you need to lock it down tighter, I think that is good. Learning to secure an OS is a very good lesson in my opinion.

Take Linux for example: Alot of new distros now come with a firewall built in. They have services running usually by default, but you have to tell the service it can accept a connection before it will usually. Slaclware does not do this as I can log in without having to tell it my SuSE box is ok.

Redhat, supprisingly, has a way that you have to tell the firewall too allow these connections. This is a good idea in my opinion. If Windows came with as much software as Linux did, then I can almost asure you that it would have even MORE flaws, because the more software you have, the more code you have that can be exploited.

Just my opinion of coure.

Quote:

---

A meaningless truism.

---

Not meaningless at all. Would you trust your bank teller to give you financial advice? Of course not, but you would trust them to handle you individual transactions. An admin is the same thing, their job is to keep systems running in the manner in which they are supposed to run. Knowledge of why the system should run that way or details about the system's architecture in relation to other systems both fall beyond the scope of their job. I would trust on admin on how to configure a system to a specified configuration or on questions about day to day technical management. It's really a matter of exposure, I know that most admins lack any advanced study or training in security, so they will have a different viewpoint on such topics. issues like applications level exploits and configuration issues are really about the scope of what they see and consequently the most important aspects to them, while in actuality these fall under system use and not system design. When evaluating system design, proper use is assume otherwise you end up with far too many variables to make anything useful. This of course assumes that information regarding proper use is made availible. These are far more interesting points than "What IIS expoit that could have been prevented by following the most basic IIS security checklist is hitting thousands of machines." Which teaches nothing.

Quote:

---

Is this discussion strictly technical and theoretical, or are we discussing our opinion on what is better business-wise and in general practice?

---

Absolutely perfect.

Sadly discussions about published exploits against default configurations is really neother of these. It is just one little tiny subsection of the latter with general disregard for many other important points. That is why the conversation has topic has so little value. It's scope is too small to be useful and its topic too simplistic and frequently regurgitated to be educational.

Plus what is the point in discussing opinions? I've yet to see anyone even defend why they think what they think and no one here has any assurances as an expert, so they cannot be trusted on credentials alone.

catch

Quote:

---

Originally posted here by catch
Plus what is the point in discussing opinions? I've yet to see anyone even defend why they think what they think and no one here has any assurances as an expert, so they cannot be trusted on credentials alone.

catch

---

To be quite honest, this is the best thing I'v seen on the front page in quite some time. Wheil you were gone man, there was basically nothing but tech support questions on the main page. I knew dragging your ass back would spark an actual good discussion. So far it's going well I think. Opinions and facts are being stated, AND NO ONES FLAMING.

Now catch, I like you, and I like Chris, I think you're both intelligent people. If you're not then you sure know how to bullshit better than me lol. ;)

Now we need to get that OpenBSD thread going :)

Quote:

---

Originally posted here by catch
So you don't even know what makes a system secure? You think it is just application bugs? No wonder no conversation can be had. Perhaps you should take a gander at some basics like ISO 15408 or DOD-5200.28-STD so you'll have an idea

---

Yep, I'm definitely over with this conversation. It's too bad that your ego has turned to insulting someone else in a discussion rather than attempting to have a discourse on it. Insulting someone because they have a different opinion or knowledge than you is very childish. Indeed, you could probably use a vacation from the boards.

Quote:

---

Yep, I'm definitely over with this conversation. It's too bad that your ego has turned to insulting someone else in a discussion rather than attempting to have a discourse on it. Insulting someone because they have a different opinion or knowledge than you is very childish. Indeed, you could probably use a vacation from the boards.

---

No insult intended, you will just need a different knowledge set to talk about actual system security. If you have this knowledge and are just hold back, then the question is "why?" if you don't have it, you add no value to the conversation in your current state and I've kindly provided reading material for you. I'll be available for any questions you may have on the subject.

It really bugs me when people try to spin someone making an objective statement about their level of knowledge as an insult, but whatever makes you feel better about the situation I guess. I merely ask that you try and take what I say at face value.

*benefit of the doubt*
How do you feel that Linux's access control system compares to NT's? Do you have any thoughts on how these differences may vary as systems get more and more distributed with concepts like ASP and whatnot?
It is my belief that Linux's lack of both modular and centralized granularity of not only access controls but privileges as well will continually force security controls further and further away from the security kernel itself leading to a lower level of assurance across the enterprise resulting in a greater chance of inside compromise and a greater reliance on secure applications. All though this may make specific aspects of development and administration simpler, such that different admins can be responsible for different applications and development is simpler as fewer centralized security restrictions are in place.
The only correction I can see to this situation is the removal of the concept of "root" in Linux and the addition of more Harrison, Ruzzo, Ullman influenced access controls allowing greater control of specific resources while ensuring those rights are not propagated beyond their original design.
Now obviously if the Linux security model is followed application bugs will be even more critical than the currently are. I for one feel this is a bad situation as explained above. Naturally the migration to centralized trusted operating systems as access control servers would be ideal, but this would tend to be an impractical and unjustified expense for most organizations.

As an experienced professional, nore in the trenches as I were than myself, I'd love to hear your thoughts on the subject.

catch

edited to add:
Woohoo my 300th post and already maxed out on greens, why go on living? hahah ;)

This is slighly off topic, but how (in general terms) does the Harrison, Ruzzo, Ullman security model (which, if I understand correctly, is discretionary access control) differ from Role Based Access Control?

I can find tons of documentation for both, but nothing that is explaining it in a"general" sense. (other than in mathematical terms)

I already have this one:http://csrc.nist.gov/rbac/ , its info on the HRU model I'm having difficulty finding.