Just in case you guys havent heard check this out
http://www.techworld.com/news/index....ews&NewsID=643
Not very unlike microsoft though i must add
Printable View
Just in case you guys havent heard check this out
http://www.techworld.com/news/index....ews&NewsID=643
Not very unlike microsoft though i must add
Windows secure (good joke)Quote:
Microsoft’s aim is to undermine critics and place a question mark over Linux’s security by revealing that, on average, Windows poses less of a security risk. By turning attention away from its own software bugs while at the same time launching several security initiatives,
Hmmm, Giving it a read:
Oh! That's nice! They are trying to compare big fixes! When you consider that "redhat had more than Microsoft"....Well, Redhat comes with literally thousands more software packeges than Windows 2000. And they icluded apache I'm sure. Howabout they unclude IIS into that test. IIS has enough holes to qualify as the Moon's surface area, or a form of swiss cheese.
Wait.....He compared Redhat 6 with Windows server 2003....Redhat six has been around longer than I have even owned a computer... This is nothing but social engineering style marketing to make Windows look like a window is something other than a hole in your house with clear glass covering it.
Nice name for an OS.
*Some where in redmond*
Bill: I have it! We will call our OS Windows! It will have the same amount of security too! People can look right inside your house and see all of your private things, and then break in with nothing but a rock!
Steve: Yes! Then after you are a billionair and some woman would actually want your geek ass and you get married, we can let your wife be the one behind two TERRIBLE peices of software know an BOB and Windows ME!
Bill: Let's do it! First things first though. Let's steal the Mac OS look and feel.
____________________________________________________________________________________________________
Now let's compare the REAL Windows vs. Linux:
Windows, when defaulted to install comes with:
The kernel,
An email reader,
A command prompt,
Wordpad,
Notepad,
Internet Explorer...Which has more bugs than any *NIX kernel,
Windows explorer,
Paint,
...Running low, someone help me here.
Now, Linux comes with, on average, enough to fill 3 GBs of HD space.
Now, let's strip Linux down to just what Windows comes with:
The Kernel
Mutt
Bash Shell
Emacs
Vi
Links
Konq
Kpaint
Hmm...Yea, can't you just imagine how secure a system would be this way? Just because I'm atill waking up and slightly cranky, I'm going to be a bastard and throw an IRC client into that too.
Irssi....My absolute favorite client.
Point being, if Linux came with the same amount as Windows 2000 did, I doubt there would be as many fixes as that article states. And as for cost..... I can download and use Linux or BSD easily. And throw it on as many boxes as I want. How exactly is this less money?
I know what TCO is, but WIndows costs more just to buy the OS, not including hardware. LLinux is free.
So far:
Linux: $0.00
Windows: About $3,000.00
Now, hardware:
Windows server 2003 recommended requirements:
550 MHz or higher processor speed
256 MBs RAM
1.25 -2 GBs space on HD
Looking at the MINIMUM requirements is like looking at running Windows 98 on a 386.
Linux:
I'll be fair here and use SuSe as an example because it is a more GUI intence distro:
At least Pentium speed processor
128 MBs RAM
HD space: Honestly it depends. You can use as little as 500 MBs or so. And since 2003 is a SERVER OS, it would not need X.
The MINIMUM for SuSE is less than the RAM I stated. It may run a bit slower if you use X but ****, it isn't 256 MBs RAM and a 550 processor either.
I should have been an ******* and said Slackware. You could damn near run that on a talking wiz kid.
I think I will stick with Tux while they figure out how to reglass the Windows again.
on a side note that this made me think of; has anyone seen the linux commercials trying to entice people into linux use? they were pretty decent... this is prolly why microsoft is feeling threatened.
Now now. Windows CAN be made secure as hell. It's the exploits and buggy code that are hurting them. Windows NT remains as an OS that's old as hell, yet can be locked down like a virgin on a date with her Father as a driver.Quote:
yes, im going to haveto agree with gore on that one. Windows by default is about as secure as my parents whiskey cabinet, but when run by someone who knows Windows and how to secure a computer, it can become a miniature fort knox. i would definently haveto say that achieving that kind of security on windows will probably require at least $200 in software and/or hardware, some real good knowledge of how to work windows, and a lot of time. Meanwhile by default Linux is pretty secure, it doesnt cost hundreds of dollars, doesnt require an absolute Linux guru to be able to make it more secure and it doesnt take tons of time. yes i think it might be because of the recent commercials, but only Windows knows for sure.
If you need any good reads about securing Windows, message catch on here. He knows ALOT about securing Windows and so on. And as soon as he gets time we are planning on having a discussion on security with Windows and Open BSD. Should be a good talk ;)
Still talking default security and application level bugs?
*cries*
Why does no one ever talk about actual system security, always with the default installs or application level bugs. Who cares? I mean honestly.
There is no truth or deeper understanding to be had talking about how a product's default configuration or what buffer wasn't checked. For some reason there is never any discussion of the actual security mechanisms. The types of access controls, audit trails, etc, etc.
Default configurations are a dead horse that never had anything to offer in the first place, seriously, leave it alone and talk about something worth while. Does it really matter if a system by default has 0 full compromisable exploits or 1 or 3,000? All that matters is if the system can be configured in a manner offering sufficient assurances as justified by your threats and asset values.
All the rest of this is just comparing who reads bugtraq more closely.
catch
Considering that most users don't even know that anything other than theQuote:
Default configurations are a dead horse that never had anything to offer in the first place, seriously, leave it alone and talk about something worth while. Does it really matter if a system by default has 0 full compromisable exploits or 1 or 3,000? All that matters is if the system can be configured in a manner offering sufficient assurances as justified by your threats and asset values.
default configuration exists, yeah, we should take that into consideration.
If car manufacturer A has a track record of X fatal crashes per year, and Manufacturer B
has substantially less, it makes no sense to say that car A would be just
as safe if the stupid driver would just go out and obtain and install his own air bag.
:cool:
Linux unfortunatly forgot to include the fact that there are literally thousands more viruses written for Windows than the Linux operating system. So even though windows fixes holes faster, Linux has a sustancial less threat to attacks than windows.
I've been reading (forget where) that the best way to secure your OS, is NOT to install as default, but to go down the "Experienced Users" route, and install just what you need. As of yet, I wouldn't trust myself to do this, and am therefore stuck with the original package, bugs and all ? Must also confess that I have never seen a Linux box at work, and am a Windoze user 'by default'. My observations on this site, is that Linux has to be considered as a more 'complete' system, and it is a step I will probably take in the following 12 months. Ideally I would be able to build me a seperate box, and have me a room full of different boxes ? But the requirements of family will mean that a biger HDD, a quick read about partitioning, and my new system will await me ? which brings me to the next point. Where do you buy ANY OS apart from the M$ family ? as M$ is not just the only OS most people hear about, it appears to be the only OS, period.
Windows fixes holes faster? I'm still waiting for a damned IE patch. And that was how long ago? I'v seen a Linux patch in 4 hours. Now yes, I know Microsoft has alot more people to deal with when releasing a patch, but come on, months?Quote:
Originally posted here by lpaulgib
Linux unfortunatly forgot to include the fact that there are literally thousands more viruses written for Windows than the Linux operating system. So even though windows fixes holes faster, Linux has a sustancial less threat to attacks than windows.
Catch: When are we goign to have our OpenBSd discussion? ;)
Care to quantify that? AFAIK, there are only a few original pieces of malware written for windows. What there are could be possibly hundreds of variations... but at the core are a relative handful.Quote:
there are literally thousands more viruses written for Windows than the Linux
Where did you come up with that theory?Quote:
windows fixes holes faster
Found here: http://msnbc.msn.com/Default.aspx?id=3831715&p1=0Quote:
Microsoft seems to have taken the hint and is developing a promising update to Windows XP that will fix long-standing flaws in its firewall, network and browser settings, but don't expect to see it before next summer.
I'm not trying to bash windows...I'm quite happy with every version I've ever used, bugs and all. I took it upon myself, though, to learn how to secure my boxes...
I bought a copy of RedHat 9publisher's edition) at a nearby Barnes and Noble, along with a 900 page manual for about $40. Once I got it installed and learned my way around a bit, I downloaded RedHat 9 and installed the "full version"Quote:
Where do you buy ANY OS apart from the M$ family ? as M$ is not just the only OS most people hear about, it appears to be the only OS, period.
There are many places on the internet where one can buy linux distros, if you are so inclined.. or you can download them for free..... Knoppix (there are others) offer a bootable Linux that you can play with..no need to install or partition anything.
User error can be fatalQuote:
BY Wolv
Windows secure (good joke)
Yeah, Ive done the XP install so many times its not even funnyQuote:
Originally posted here by gore
Now now. Windows CAN be made secure as hell. It's the exploits and buggy code that are hurting them. Windows NT remains as an OS that's old as hell, yet can be locked down like a virgin on a date with her Father as a driver.
I can lock a XP box down pretty damn quick with this custom .reg file that I made at www.BLKViper.com
If anyone wants it, here its.
Linux having a larger number of bug fixes is a good thing. It means that the developers are actively trying to make Linux more secure everyday, unlike MS and their patches that are too little, too late.
Linux is bound to have a large number of security holes, due in part to the server/network oriented nature of *NIX itself. But, unlike MS, the Linux holes will be properly fixed quickly.
Quote:
Originally posted here by catch
Default configurations are a dead horse that never had anything to offer in the first place, seriously, leave it alone and talk about something worth while. Does it really matter if a system by default has 0 full compromisable exploits or 1 or 3,000?
Yes, for two reasons:
1. It speaks volumes about the quality of the code underlying the out-of-the-box install.
2. Joe Shmoe who sets up his home webserver is relying on the software to be secure. I'm still logging Code Red I & II hits on my firewall from other machines on the cable network I'm on.
Perhaps that is all that matters to you, however, there are more people out there than just those who think similarly to you. To liken it to flogging a dead horse is rather silly, the horse is clearly not dead, look at even some of the latest Redhat releases or WinXP for that.Quote:
All that matters is if the system can be configured in a manner offering sufficient assurances as justified by your threats and asset values. All the rest of this is just comparing who reads bugtraq more closely.
And still the discussion continues about installs and patches. Seriously, pick up a book an OS security theory, the lot of you... it'll make for more interesting conversations.
"If car manufacturer A has a track record of X fatal crashes per year, and Manufacturer B has substantially less, it makes no sense to say that car A would be just as safe if the stupid driver would just go out and obtain and install his own air bag."
This is deeply flawed in this context, especially since no one ever talks about the functionality! Just default crap and application level issues, which a good OS will defend against.
A Ferrari is far more likely to put your average drive in the ditch than a kia will, does this mean that the Kia is the better handling car? With this data alone, it looks that way... so we need to discuss other things like the types of suspensions used, wheel base, lateral G's, tire width, etc, etc.
If you want to talk about which system is more secure in the hands of an idiot (untrained driver), than yes. OpenBSD is king and NT is the worst OS ever. My parting question is, why do a bunch of security enthusists care what is best for idiots?
catch
Unfortunately, functionality is a two_edged sword. The same feature thatQuote:
no one ever talks about the functionality!
is designed to give you a wonderful "experience" on the web will allow websites to write
new values to your registry, change your home page, install a porn dialer...
If you have to disable half of these wonderful features, what good were they to begin with?
What good is a ferrari that can go 200 mph, when the roads aren't safe at 55?
There is a trade-off between functionality and security, but Microsoft doesn't like
to dull the enthusiasm of newbie users, so they don't tell you that half the features
they sold you are useless because they're insecure. Then it's your fault
for not becoming an expert and locking down your system.
Yes, we are security enthusiasts, but not everyone can live, eat, and breathe security.
Security is a collective endeavor. If other people's machines are insecure, it affects
all of us. The default configuration should be the tighter one. let users loosen
it up if they want to incur more risk in their quest for more functionality.
No, there's no money in that.
:cool:
Because whether you like it or not, idiots have machines that can potentially damage yours. It may not bother you if people are still sending out CRI&II attempts and so forth, but the fact of the matter is, anyone can hijack a CRII machine rather easily and create a DDoS net. When someone DDoSes you, tell me it isn't your problem or care. On the internet, you do not have only your systems to worry about, but also the systems of your neighbours, countrymen, and foreigners.Quote:
Originally posted here by catch
And still the discussion continues about installs and patches. Seriously, pick up a book an OS security theory, the lot of you... it'll make for more interesting conversations.
[.. snippage of irrelevant useless examples..]
If you want to talk about which system is more secure in the hands of an idiot (untrained driver), than yes. OpenBSD is king and NT is the worst OS ever. My parting question is, why do a bunch of security enthusists care what is best for idiots?
The system we have in place is a far cry from mediocre, let alone perfect. Wherever you practice systems/network administration, I applaud your convictions, however in the real world internet-connected boxes are vulnerable to attack not only from a hacker, but also any boxes a hacker is able to root, making tracking back and so forth a LOT more difficult, if not impossible. You may not consider default installs an important thing, but any vendor who makes an effort is in my books better. Microsoft is making strides (Windows 2003 Server seems relateively secure, compared to Windows 2000 Pro/Server/etc), and there are several nix distributions doing similar things.
The long and the short of it is, you asked a question and I don't care if you don't like the answer I gave you -- it is at least an honest one based on observation.
rcgreen, _SECURITY_ functionality, the subject here is security, not fancy web browsing stuff.
I am not an admin.Quote:
Wherever you practice systems/network administration
Am I to understand that you are saying a system with lower security potential is better because it comes in a slightly harder state and this creates a minimally higher chance that you'll be able to track back a stupid attacker?
I honestly hope you have better arguments than that. This whole bit about most other systems being insecure is a good thing, not a bad thing as several of you have tried to spin it. There is currently no way to defend against all types of DDoS attacks, so why make this a top concern? maybe something like access control granularity or perhaps seperation of power should be slightly bigger concerns, but no one ever wants to talk about such things and that should be the point. Not "How many systems of type X were compromised via vulnerabilities that should not exist in production servers and would have been removed if the basic security guidelines had been followed."
Although I guess I am nearly alone in this viewpoint. I am tarting to remember why I'd been too busy to use this site for the last few months, which is shame.
catch
I would like very much to compare Internet Explorer, since it is part of the operating system, to linux as a whole. As far as I know there are still several unfixed security holes in IE dating back as far as 2 years. Anyone who says that it takes a long time to repair linux flaws should look at IE and think again. Hopefully these bugs will be fixed for you windows users when Microsoft officially releases Windows XP SP2. Unfortunately SP2 might go as badly for some as SP1.
http://www.pcworld.com/news/article/0,aid,105144,00.asp
If you explain what you mean by 'lower security potential', then I will answer this. I said what I said, if you wish to put words in my mouth over the issue, it is far from being important enough to continue this conversation.Quote:
Originally posted here by catch
I am not an admin.
Am I to understand that you are saying a system with lower security potential is better because it comes in a slightly harder state and this creates a minimally higher chance that you'll be able to track back a stupid attacker?
What kind of silliness are you believing that makes insecure systems on the wilds of the 'net a good thing? No offense intended, please leave the administration and such to people who know what they're doing. If you had ever been in a position to maintain a newtork with as little as TWO static IPs on the 'net for a business, you would have half a clue of the dangers that a netadmin has to cope with on a regular basis, both from inside and outside his or her network.Quote:
I honestly hope you have better arguments than that. This whole bit about most other systems being insecure is a good thing, not a bad thing as several of you have tried to spin it.
That is an incredibly ignorant statement -- there are a LOT of post-facto ways to defend against DDoS attacks. Chief among them is contacting your ISP and having them drop routes from the attackers. The most dangerous raw packetflood would be a spoofed DDoS, but even that there are ways of defending against.Quote:
There is currently no way to defend against all types of DDoS attacks, so why make this a top concern?
No competent admins I know ever discuss vulnerabilites that affected them that could have been prevented by basic security guidelines. They generally tend to discuss things like how frustrating it is to deal with people who can't be bothered to secure their machines. Keep in mind, as a netadmin, you look after more than just servers. That may not enter into your equation, but it is a fact. Desktop security is just as important as server security, especially when trying to defend your servers.Quote:
maybe something like access control granularity or perhaps seperation of power should be slightly bigger concerns, but no one ever wants to talk about such things and that should be the point. Not "How many systems of type X were compromised via vulnerabilities that should not exist in production servers and would have been removed if the basic security guidelines had been followed."
Because experienced professionals vehemently disagree both based on past and present experiences? That is a rather childish reason to take your ball and go home, as it were.Quote:
Although I guess I am nearly alone in this viewpoint. I am tarting to remember why I'd been too busy to use this site for the last few months, which is shame.
ThePreacher, run MSIE as a less privileged user, all bugs fixed without patching. Gee that was tough.
So you don't even know what makes a system secure? You think it is just application bugs? No wonder no conversation can be had. Perhaps you should take a gander at some basics like ISO 15408 or DOD-5200.28-STD so you'll have an ideaQuote:
If you explain what you mean by 'lower security potential', then I will answer this.
I am sorry but this is a very weak argument if one at all... like organizations will have like security so this is not an issue of effecting insurance or the likes. The only kind of concern this gives you is that it makes DDoS attacks simpler, which you can't defend against anyhow. (some not at all and some not until "post-facto")Quote:
What kind of silliness are you believing that makes insecure systems on the wilds of the 'net a good thing?
This is of course why at any company with mature IS policy you will not find admins making decisions. Because they "know what they're doing." Admins are very low on the food chain and for good reason. They tend to be less educated and less experienced than those who do make decisions, and admins that spend their career as such tend to just be not very bright. No offense.Quote:
No offense intended, please leave the administration and such to people who know what they're doing.
Wow so you can defend against two popular simple types of DDoS, what about one that mimics legit traffic? How are you gonna filter that? Granted such attacks are less common, there is still no good way to defend against one. Secondly even with you post-facto response, the DDoS has still done damage per the cost of resources to fix the issue. Attacks can be damaging without destruction or compromise. You admin types, however don't tend to consider such things.Quote:
That is an incredibly ignorant statement -- there are a LOT of post-facto ways to defend against DDoS attacks. Chief among them is contacting your ISP and having them drop routes from the attackers. The most dangerous raw packetflood would be a spoofed DDoS, but even that there are ways of defending against.
I see them all the time discussing things like IIS and people in this thread discussing MSIE. Yet never any talk about what systems happen to use access control systems that are flawed in design.Quote:
No competent admins I know ever discuss vulnerabilites that affected them that could have been prevented by basic security guidelines.
No, because "experienced professionals" seem unable to discuss anything more advanced than what could be obtained after an hour of reading bugtraq and maybe one or two secondary level CS classes. Not only that be the same conversation all the time.Quote:
Because experienced professionals vehemently disagree both based on past and present experiences?
For example I received my copy of the ACM's "Symposium on Operating Systems Principles" which has several very interesting articles, including one on the secure highly available resource peering (SHARP) architecture, but I hesitate to bring it up in a thread because either A. I'll get no responses at all and it'll be a waste of my effort. B. I'll just get a slew of stupid responses from "experienced professionals" about god alone knows what.
So it's not a matter of disagreement, it's a matter of discussing things, I keep hoping to find more educated members than I do. No offense.
Gore wants me to write a FAQ type thing about why OpenBSD is actually one of the least secure mutil-user systems on the market. Although I know for a cold fact that this is true, I already know that I am gonna get idiots saying things like "well X system has had many exploits in OpenBSD has none in seven years!" or whatever nonsense they decide to regurgitate from the OpenBSD site, and it just gets old after a while.
catch
A meaningless truism. Guess what? Computer science engineers don't make policy either.Quote:
Admins are very low on the food chain and for good reason
Neither do salesmen. Business decisions are made by business people, because
the choice of OS on the business's computers will be made based (presumably) on
whichever one makes more money for the business, with all other things considered.
This doesn't mean that the network admin is a fool, deserving to be ignored, only
that the executives have other concerns than purely technical.
If techs and engineers agreed unanimously thas one system was more secure,
the execs would give due consideration to that advice, but have to weigh security
against other valid concerns.
Sellers of software naturally want to convince buyers that their system is the
best over all choice. Since I'm not an engineer, I don't know which system
has technically higher or lower absolute potential for security.
Is this discussion strictly technical and theoretical, or are we discussing
our opinion on what is better business-wise and in general practice?
:cool:
Yes I do. I believe that when you and me had our little discussion that you brought up very good valid points that actually made me think. I can be a stubborn bastard sometimes, but I changed my veiws on OpenBSD. Do I think Windows ships buggy and insecure? Yes.Quote:
Originally posted here by catch
Gore wants me to write a FAQ type thing about why OpenBSD is actually one of the least secure mutil-user systems on the market. Although I know for a cold fact that this is true, I already know that I am gonna get idiots saying things like "well X system has had many exploits in OpenBSD has none in seven years!" or whatever nonsense they decide to regurgitate from the OpenBSD site, and it just gets old after a while.
catch
But, Do I think it can be locked down well enough to use without much of a problem? Yes. OpenBSD ships locked down and I'm pretty sure Max OS X does to. Now this is good for someone who knows nothing about security because they don't have to do anything.
But what newbie really starts out with Open BSD? None. Well at least not usually. They start with Windows usually. With the release of XP Microsoft tried getting a new run on their bad track record by having a built in firewall. This was nice and everything, but the firewall only blocks incoming traffic, and goes right back to that false sence of security.
The average user with a bit of knowledge will start the firewall and believe they are secure. I tend to believe that no matter what, nothing is actually secure, their are only steps that can be taken to prevent something from happening.
If something ships that isn't actually locked down but is slightly, and comes with everything you need to lock it down tighter, I think that is good. Learning to secure an OS is a very good lesson in my opinion.
Take Linux for example: Alot of new distros now come with a firewall built in. They have services running usually by default, but you have to tell the service it can accept a connection before it will usually. Slaclware does not do this as I can log in without having to tell it my SuSE box is ok.
Redhat, supprisingly, has a way that you have to tell the firewall too allow these connections. This is a good idea in my opinion. If Windows came with as much software as Linux did, then I can almost asure you that it would have even MORE flaws, because the more software you have, the more code you have that can be exploited.
Just my opinion of coure.
Not meaningless at all. Would you trust your bank teller to give you financial advice? Of course not, but you would trust them to handle you individual transactions. An admin is the same thing, their job is to keep systems running in the manner in which they are supposed to run. Knowledge of why the system should run that way or details about the system's architecture in relation to other systems both fall beyond the scope of their job. I would trust on admin on how to configure a system to a specified configuration or on questions about day to day technical management. It's really a matter of exposure, I know that most admins lack any advanced study or training in security, so they will have a different viewpoint on such topics. issues like applications level exploits and configuration issues are really about the scope of what they see and consequently the most important aspects to them, while in actuality these fall under system use and not system design. When evaluating system design, proper use is assume otherwise you end up with far too many variables to make anything useful. This of course assumes that information regarding proper use is made availible. These are far more interesting points than "What IIS expoit that could have been prevented by following the most basic IIS security checklist is hitting thousands of machines." Which teaches nothing.Quote:
A meaningless truism.
Absolutely perfect.Quote:
Is this discussion strictly technical and theoretical, or are we discussing our opinion on what is better business-wise and in general practice?
Sadly discussions about published exploits against default configurations is really neother of these. It is just one little tiny subsection of the latter with general disregard for many other important points. That is why the conversation has topic has so little value. It's scope is too small to be useful and its topic too simplistic and frequently regurgitated to be educational.
Plus what is the point in discussing opinions? I've yet to see anyone even defend why they think what they think and no one here has any assurances as an expert, so they cannot be trusted on credentials alone.
catch
To be quite honest, this is the best thing I'v seen on the front page in quite some time. Wheil you were gone man, there was basically nothing but tech support questions on the main page. I knew dragging your ass back would spark an actual good discussion. So far it's going well I think. Opinions and facts are being stated, AND NO ONES FLAMING.Quote:
Originally posted here by catch
Plus what is the point in discussing opinions? I've yet to see anyone even defend why they think what they think and no one here has any assurances as an expert, so they cannot be trusted on credentials alone.
catch
Now catch, I like you, and I like Chris, I think you're both intelligent people. If you're not then you sure know how to bullshit better than me lol. ;)
Now we need to get that OpenBSD thread going :)
Yep, I'm definitely over with this conversation. It's too bad that your ego has turned to insulting someone else in a discussion rather than attempting to have a discourse on it. Insulting someone because they have a different opinion or knowledge than you is very childish. Indeed, you could probably use a vacation from the boards.Quote:
Originally posted here by catch
So you don't even know what makes a system secure? You think it is just application bugs? No wonder no conversation can be had. Perhaps you should take a gander at some basics like ISO 15408 or DOD-5200.28-STD so you'll have an idea
No insult intended, you will just need a different knowledge set to talk about actual system security. If you have this knowledge and are just hold back, then the question is "why?" if you don't have it, you add no value to the conversation in your current state and I've kindly provided reading material for you. I'll be available for any questions you may have on the subject.Quote:
Yep, I'm definitely over with this conversation. It's too bad that your ego has turned to insulting someone else in a discussion rather than attempting to have a discourse on it. Insulting someone because they have a different opinion or knowledge than you is very childish. Indeed, you could probably use a vacation from the boards.
It really bugs me when people try to spin someone making an objective statement about their level of knowledge as an insult, but whatever makes you feel better about the situation I guess. I merely ask that you try and take what I say at face value.
*benefit of the doubt*
How do you feel that Linux's access control system compares to NT's? Do you have any thoughts on how these differences may vary as systems get more and more distributed with concepts like ASP and whatnot?
It is my belief that Linux's lack of both modular and centralized granularity of not only access controls but privileges as well will continually force security controls further and further away from the security kernel itself leading to a lower level of assurance across the enterprise resulting in a greater chance of inside compromise and a greater reliance on secure applications. All though this may make specific aspects of development and administration simpler, such that different admins can be responsible for different applications and development is simpler as fewer centralized security restrictions are in place.
The only correction I can see to this situation is the removal of the concept of "root" in Linux and the addition of more Harrison, Ruzzo, Ullman influenced access controls allowing greater control of specific resources while ensuring those rights are not propagated beyond their original design.
Now obviously if the Linux security model is followed application bugs will be even more critical than the currently are. I for one feel this is a bad situation as explained above. Naturally the migration to centralized trusted operating systems as access control servers would be ideal, but this would tend to be an impractical and unjustified expense for most organizations.
As an experienced professional, nore in the trenches as I were than myself, I'd love to hear your thoughts on the subject.
catch
edited to add:
Woohoo my 300th post and already maxed out on greens, why go on living? hahah ;)
This is slighly off topic, but how (in general terms) does the Harrison, Ruzzo, Ullman security model (which, if I understand correctly, is discretionary access control) differ from Role Based Access Control?
I can find tons of documentation for both, but nothing that is explaining it in a"general" sense. (other than in mathematical terms)
I already have this one:http://csrc.nist.gov/rbac/ , its info on the HRU model I'm having difficulty finding.
Different models are used for different aspects... you have access control models governing policy (DAC, DBAC, MAC, RBAC, etc), models (Bell-LaPadula, Biba, etc), and mechanisms. (*-property, least privilege, etc)
Rather than reinventing the wheel, here is a document that covers pretty much everything with access controls that starts at a non-expert level but will give you a greater knowledge of access controls that damn near anyone you will come across. ;)
In short RBAC is used to define access controls by required tasks, typically utilizing least privilege and need to know concepts. harrison, Ruzzo, Ullman model deals with access control modification, and propigation as well as subject and object creation and deletion.
catch
Cool, some light reading to go along with my Sunday morning coffee.. :D
Because apparently it is wasting my time and effort to bother to try and discuss the topic. I prefer to speak with people who have open minds, you do not appear at first to be one such person. I may be mistaken, but I am not the one combating an idea of something I have no experience of.Quote:
Originally posted here by catch
No insult intended, you will just need a different knowledge set to talk about actual system security. If you have this knowledge and are just hold back, then the question is "why?"
Yes, I have. You made the assumptive remarks about my level of knowledge. It is not 'spin' to believe it to be intended as an insult, nor was it presented in any way as objective.Quote:
It really bugs me when people try to spin someone making an objective statement about their level of knowledge as an insult, but whatever makes you feel better about the situation I guess. I merely ask that you try and take what I say at face value.
For any sized network, the relative simplicity of Linux's access control system makes maintenance of such a network much much simpler. On a single host basis, this is infinitely more evident. On a multi-host basis, it requires a few additional steps (setting up an NIS server and creating your user lists), but essentially remains the simplistic matter. NT (or Rather, Windows 2000 Server) has an interesting idea of an AC system, and it does have some benefits such as being able to more finely control what a user is capable of doing (in an easier fashion). I believe that Linux's access control lists scale well, and that Win2K's tends to get difficult to manage. In essence, they can both be broken down to the same functionality, with Win2K having more direct control over operating-system level privileges (such as preventing them from installing any software, making registry entries, and etc), however that is a byproduct of the very nature of the operating system, and as such isn't necessarily good for comparison purposes.Quote:
How do you feel that Linux's access control system compares to NT's?
It really depends on how you view an operating system. If you feel that the operating system should be utterly in control of every single layer, then I suppose you are at a disadvantage using any unix, or indeed, even older versions of Windows to an extent. If however, you believe an operating system should focus merely on servicing the tasks it is required to do, and have simpler permissions systems in place to handle access control. From a straight security standpoint, the latter is better IMO. It is more flexible, while permitting restrictions as needed, and can more readily start from a "deny everything, then allow what you need" perspective. The former requires much more administrative time to merely setup, let alone maintain, and your ROI on that will be rather low.Quote:
Do you have any thoughts on how these differences may vary as systems get more and more distributed with concepts like ASP and whatnot?
Nice belief but you are mistaken. Unix has long dominated the massive multi-user network, and if you are foolish enough to compare a standard linux machine lacking NIS hooks to a full Windows 2000 domain then you are not performing a proper comparison. I assume you are well aware of NIS' capabilities, which leads me to wonder where the asusmption that Linux lacks 'modular and centralized' privileges.Quote:
It is my belief that Linux's lack of both modular and centralized granularity of not only access controls but privileges as well will continually force security controls further and further away from the security kernel itself leading to a lower level of assurance across the enterprise resulting in a greater chance of inside compromise and a greater reliance on secure applications.
The removal of the superuser account is irrelevant to maintaining proper access controls on a linux (or indeed most unixes) box. If default security measures are irrelevant (as you say) this issue disappears, simply because no system anywhere in a corporation should have any setuid binaries. The superuser access still becomes a valuable tool to admins. Indeed, on such a large network of linux boxes, you would only have a superuser account and any service accounts needed on a machine, you would not bother with user accounts existing on the machine at all, and rely instead of NIS and so forth to provide those services.Quote:
[...]
The only correction I can see to this situation is the removal of the concept of "root" in Linux and the addition of more Harrison, Ruzzo, Ullman influenced access controls allowing greater control of specific resources while ensuring those rights are not propagated beyond their original design.
Then perhaps a piece of advice: next time don't leap to insulting someone's experiences and/or intelligence because you disagree with them or they you. The key to learning is to keep an open mind and be willing to listen to everyone -- especially people in a position to have half a clue.Quote:
[...]
As an experienced professional, nore in the trenches as I were than myself, I'd love to hear your thoughts on the subject.
Actually it is tough Catch. Many normal users run everything in windows as root, or admin. They don't even have a less privileged user. In a comparison of how Microsoft fixes its bugs, this is 100% relevant. Many normal users are vulnerable because of these problems never being fixed.Quote:
Originally posted here by catch
ThePreacher, run MSIE as a less privileged user, all bugs fixed without patching. Gee that was tough.