
Thread: M$ FUD against Linux security.

  1. #11
    Banned
    Join Date
    May 2003
    Posts
    1,004
    An interesting aside.

    The reason the OS security question goes around and around is because the wrong questions are asked. For example:

    Wanna talk abt the time taken by both the communities to patch critical bugs.
    This question is bad because it is too vague. Vague leads to inconclusive answers, which lead to a lack of conclusive evidence. Why is this question vague? It fails to address and in fact cannot address a number of issues. Which critical bugs? On average? What defines "critical"? What about bugs that were non-issues and became critical as the result of another bug? How do we measure time? From the bug going public? From the bug's discovery? From the bug's creation? All of this ambiguity results in a pointless discussion.

    Better questions need to be asked. Could the system be realistically configured in a manner to negate or minimalize the bug? Is this configuration information provided by the vendor?

    I know that people scoff at the DOD/MIL standards regarding computer security... however it should be kept in mind that these documents standardize a method of quantifying operating system security that is universal and sane. When spending potentially millions of dollars on what to use... arguments like

    Linux has its advantages
    windows has its advantages
    linux has its downfalls
    windows has its downfalls
    people....its 6 of one, half dozen of another....
    such placating dismissals indicate a clear lack of understanding of quantifiable security.

    Start asking the right questions and you'll find that you don't need to keep asking them.

    cheers,

    catch

  2. #12
    Senior Member
    Join Date
    May 2003
    Posts
    472
    WOW!!! The thread grew overnite...interesting.

    first things first, this thread is not supposed to be another M$ vs Linux thread.

    Okie i will take on you guyz one by one.

    dmorgan: "I think the guy is just angry because for years, 1,000s of programmers, sys admins, and linux enthusiasts have been bashing windows."

    Nopes man, you are under the wrong impression. I am not bashing M$ coz 1000 of people do and i should also draw some mileage outta it. I am angry coz it has been years since the inception of M$ attitude to downplay linux. It started out with comparison between windows NT and linux 2.2 kernel.
    (Response to M$ comes here: http://lwn.net/1999/features/MSResponse.php3), Samba comparison, windows 2003 comparison, Ballmer's low cost of ownership. All this makes me sick. Every time they speak they do some unjustified thing.


    A_Morning_Chill :"Linux's security model does have insecurities and flaws, just like the windows security model. But don't start pointing fingers and throwing mud if you aren't willing to step in and start making things right."

    Agreed that both the designs have flaws. But the bigger question is not the flaws but the anomalies arising out of those flaws. Along with this i would like to point out the recent study of linux kernel security issues (http://linuxbugs.coverity.com/linuxbugs.htm). This is a known fact that M$ has always sacrificed security for the user ease. This has led to widespread problems. The reason you don't see widespread viruses for linux is its inherited security design itself (only a very handful are known, with very limited effects).

    A_Morning_Chill: "Do you assist in improving the Linux kernel, by sending bug reports, adding code, and the likes?

    No? Then you can't complain about Linux security through the kernel.

    Do you assist in improving the Windows OS by sending error reports, offering workaround suggestions to their development boards, or beta-test products before they are publically released as to offer insight?

    No? Then you can't complain about Windows security."

    Even if i do not contribute, this does not mean i don't have any right to analyze and respond to the comments the OS'es i use in my daily life. Your comment in itself is flawed. The straight implication of this comment is like saying, You don't have a webserver of your own, why are you trying to assess the strength/weaknesses of Apache/IIS.

    Computernerd22 : "If Windows was ever to become "open source" A lot of computer geeks would study the "open source code" and find ways to subvert it. If Windows was to ever become open source it would be a national security issue."

    Well one of the reasons for less bugs in linux is becoz its open source many eyes poke around and find bugs and report them.

    Now here comes one more bashing. The guy said the number is in hundreds not thousands (in the original article). Well the no. hundreds might be the person 1. who work on linux kernel contributions.
    But the no. thousands arise from the unofficial figures who find bugs while poking around or tweaking linux kernel to their own use. NETFILTER version no flow was one such incident reported by one enthusiast who was working on tweaking the kernel for their own use.

    I know many companies whose products use tweaked linux kernel. So the no of people working on linux kernel is essentially thousands and not hundreds.

    A_Morning_Chill : "For the same reason linux zealots are gung-ho about Windows being insecure. Fanboi-ism combined with "OMFG WE'RE BETTA". This guy's (in the parent article, not poster) argument and attack is no different than how Linus bashes OpenBSD's model, or how he also bashes Window's security model. It's just another "fanboi" bashing an operating system method that he doesn't fully understand (this applies to both windows and linux bashers)"

    linux zealots go gung-ho coz they are forced to go by microsoft policies. one thing morning_chill
    M$ gets bashed for their policies, bad marketing tactic and not for technology. They get bashed coz they use unfair practices against linux. Someone uses unfair practices against you and you have the full right to go gung-ho. And raising FUD against linux seems to be getting their favourite of all times now.

    catch: "This question is bad because it is too vague."
    catch how many times e-eye and other vulnerability exploring firms have publicly bashed M$ for not fixing the issues in time. (alas, if you wud have been reading FD)
    see here: http://eeye.com/html/research/upcoming/index.html
    A bug reported on Aug 2, 2004 and still not fixed by M$, impact: remote code execution. This has happened many times.

    I hope i have cleared a lot many things. The one point which i would love to insist again is this thread is not supposed to be a Windows vs Linux thread, and i never hoped it wud turn out like this. What arouses me is not 1000 people who have bashed M$ in past but what i have seen myself, M$ starting FUD to downplay linux.
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  3. #13
    AO Curmudgeon rcgreen
    Join Date
    Nov 2001
    Posts
    2,716
    Microsoft is at a disadvantage because their entire existence depends
    on obfuscation. If they really tell you anything about how their OS works,
    and how to secure it, you will no longer be dependent on them, and their
    income dries up.

    They have a vested interest in keeping users ignorant, so they can dazzle
    them with GUI candy at the expense of value and functionality.

    Their OS is a series of kludges and backward compatibility features and incompatible
    protocols that have no other purpose than to muddy the waters and stay ahead
    of the grim reaper.

    They're obviously running scared, because linux is not just more secure
    against all of the irritants that most users care about (viruses, spam, browser popups)
    but it is more functional (you can get more work done), easier to install and maintain,
    more compatible with the real world (internet and networking protocols; like what
    the hell is this netbios bullshit still doing in a so-called modern OS?)

    I don't have to go, hat in hand, to linus to get "validation" in order to get
    the privilege to install and use linux.

    Bah! Humbug!
    I came in to the world with nothing. I still have most of it.

  4. #14
    Even if i do not contribute, this does not mean i don't have any right to analyze and respond to the comments the OS'es i use in my daily life. Your comment in itself is flawed. The straight implication of this comment is like saying, You don't have a webserver of your own, why are you trying to assess the strength/weaknesses of Apache/IIS.
    Assessing is one thing, complaining is another. Your original post and this post isn't about assessing the facts and figures of insecurity. It's about typical MS bashing that everyone has heard before. If you don't help improve the operating system, don't complain about the sections of security that you refuse to help with.

    linux zealots go gung-ho coz they are forced to go by microsoft policies.
    That is the most uninformed thing I've heard today. Fanboi bashers are not forced to do anything. Fanboi bashers insult Linux/Windows because they do not understand the other side of the technology veil. Did you know some of the top MS employees use Linux regularly, and assist in Linux development? Did you know Linus actively sends bug reports and insight to the developer boards to quickly improve upon possible security bugs? People who are mature enough to want to learn and assist in the security of an operating system are not "forced" to bash OS differences. They instead spend their time helping. In their eyes, be it an OS they enjoy or not, it still has a bug that needs to be addressed because a lot of people are going to become vulnerable because of it. And THAT is the reason.

    M$ gets bashed for their policies, bad marketing tactic and not for technology. They get bashed coz they use unfair practices against linux. Someone uses unfair practices against you and you have the full right to go gung-ho. And raising FUD against linux seems to be getting their favourite of all times now.
    Odd, I see as much MS bashing as I do Linux bashing. So is this MSes cue to start going gung-ho against all the whiney Linux kids? Should MS start openly attacking all the whiners on IRC or Antionline? Microsoft's marketing defence against Linux is no different than Linux fanboi's defence against Windows. One bashes the other, the other bashes in return, and only the smarter of both sides actually try and help one another.

    http://bugzilla.kernel.org/

    Ever been there? It's the buglist for the Linux kernel. Notice how they have their own plethora of bugs that are never ending, just like Windows. Notice how some of the bugs, security and non security, are a few months old.. even 7 - 8 months. Notice how some of the names there are very well known Windows users on the net but are assisting in bug reporting and resolution. Don't try and kid yourself, because all you've done is say "patch time bug time how many bugs tons of bugs insecure bad patching policy" when in fact Linux has the same thing. They have slow patch times with certain areas. They have numerous bugs reported each and every day. They can't fix everything in one night.

    Stop throwing useless ammo around. Lick your wounds and hold in your pride. Bashing an MS employee because he bashed Linux isn't going to solve it. Start helping us improve the linux kernel so we can directly influence the capability of linux and shut down any possible aspects that man didn't enjoy. You want Linux to shine? Help us code the kernel, fix the kernel, and test the kernel. Want Windows secure? Help us beta-test new products, send off those error reports in Windows.

    Help us out, and stop spending your time complaining when you could be changing someone's opinion of Linux with facts and capability than just a rant.

  5. #15
    Senior Member
    Join Date
    Jul 2002
    Posts
    386
    a morning chill wrote: "Tell that same thing to the millions of users that want to switch to Linux, but when attempting to convert they are met with README and COMPILE_INSTR files that require them to learn far more than they should. Why should an accountant lawyer want to spend a few months worrying about the proper methods for .configure so that it won't conflict with kernel modules? He shouldn't, but that's how it would work for the crossover."

    I'm one of those people. I'm concerned about MS security. My livelihood depends on it and, if I were 30 or 40 yrs younger, I'd probably be running a Linux box.

    I come from the age of the manual typewriter, and simply want a system I can start and do work on. There are certainly people my age who enjoy experimenting with operating systems. I want and need one that works for me immediately on startup, with as few keystrokes as possible. Windows and Apple do that.

    If Linux ever reaches point and click simplicity such as Windows and Apple, I might reconsider. I, and I think tens or maybe hundreds of millions like me, have no desire to learn the intricacies of an OS. We just want it to work for us. The Linux experts could still go in and play with it, and those of us who just want to use it for our work could have the simplicity that Windows and Apple computers offer. To me, it would be the best of both worlds.

    For now, I rely on a good firewall, antivirus, and other tools to, hopefully, keep me and my work safe.

  6. #16
    Socialist Utopia Donkey Punch
    Join Date
    Sep 2004
    Location
    In the basement
    Posts
    319
    There is something to make all of this easier.

    1. Any OS advocate will tout that his/her OS is superior over the other OS. That's advertising, no matter how annoying it is.

    2. Your OS is not better than the other OS. It is just different. (Oh, edit... your OS is only better if the person running it knows how to use it. Any OS can be worse than the other OS when not properly patched, administrated or whatever. Sure, you can run BSD, Novell, Windows or whatever other OS and still be wide open.)

    3. The OS wars are as old as the sun, and will never go away.

    4. Just because you use Windows or America Online does not make you stupid.

    In loving memory of my step daughter 1987-2006

    Liberty In North Korea

  7. #17
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Catch, I would add that what we need is almost to rebuild the OS from the ground up, as has been mentioned Operating systems need to afford a high level of security out of the box. The accountant that has already been mentioned does not need to know how to secure his computer, merely that when he sends off an email or surfs the web that it is safe and he is not about to be infected, hacked etc...... Security tends to be a process of applying band aid to broken things (windows, Linux, Solaris et al...) maybe if we had user friendly, reliable, secure OS's then we could all save ourselves some of the vast expense required to secure our infrastructures.

    As for the rest...yawn city once more on the OS front. I guess to make one statement, Windows is more user friendly than Linux, at a cost of security (it can be secured, but you sacrifice functionality, any questions? if so please apply C2 settings to a desktop and play away...) and Linux is less user friendly (any questions? ask your mum to use Linux and log on to AOL etc...with no help from you) but more secure. That's it. I don't think I am a Windows or a Linux zealot, like them both, and I think a realization of the good and bad of each one is what helps you to do a good job in the security world. The less security functionality in Windows does not necessarily preclude it from use in production systems, you just protect it with firewalls, IDS/IPS, ACL and so on (the bandaids), and Linux tends to suffer from being implemented by folks who don't know what they are doing so leave their servers wide open (they just heard that it's secure so think they should roll it out).

    It all comes down to what you know, but technically Windows has a less secure architecture, all that good stuff thrown into the kernel does not make for a safe world.

    I do think we all get caught up in this which is better stuff to no avail, figure out how to secure the stuff and get it to do what you want and make it so.

    Oh and my OS of choice is whatever I need to get the job done, so I am an "OS of choice" zealot then, oh no!!!
    Quis custodiet ipsos custodes

  8. #18
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Shipping an OS secure out of the box is very risky... the system would not be configurable by the simple users the no configuration required OS would be targeting.

    It is a far simpler task (also more verifiable and thus affords greater assurance for correctness) to provide a system configuration guide that indicates how to lock down specific things rather than how to loosen up the system to add functionality.

    Perhaps the reason for this lies in current auditing principles, in that they check things are done, not undone. An illustration of this would be, Application 1 requires A,B,C to operate and X,Y,Z to be secure.

    Open out of the box: Set and audit X,Y,Z

    Secure out of the box: Set A,B,C and then audit for X,Y,Z

    As you can see the first option requires a repetition of information, resulting in a lower skill set required by the system custodian (and we're supposed to be targeting the unskilled user?) and fewer checks on the same item, aka less assurance.

    Now as to addressing ease of use and security... these things need to be defined. Ease of use is very vague... of course someone who has been using windows for 10 years will find Windows easier to use than switching to Linux.

    Security is even harder to compare in this case, hell what constitutes Linux security? The Linux security model is nebulous at best. All you can do is select a specific vendor and an agreed upon configuration, as some will argue that altering the kernel or loading different kernel mods falls under mere configuration. Once you've done all that, then you need to find a yardstick with which to compare the two. ISO-15408 is the current one, but most people that get involved in such conversations don't understand or don't agree with this standard.

    My point, start asking new questions and then start making new statements, because the statements found in this thread (original author's point aside) are unoriginal, unproductive, regurgitated "maybes".

    cheers,

    catch

  9. #19
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Catch, I guess my point was that rather than figure out a way to secure the system, or unsecure it I have this dream that we will have Operating systems that are usable and secure out of the box, as the average home user does not need to spend time applying settings to his/her computer so he can surf the web and send email, but I fear this may be something of an unobtainable utopia.
    Quis custodiet ipsos custodes

  10. #20
    Junior Member
    Join Date
    Jan 2005
    Posts
    1
    OS'es are secure enough, it is time to make sure people using 'em are secure...
