Announcement

Collapse
No announcement yet.

Linux... too many security vulnerabilities for comfort?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • astcell
    replied
    Wow skroo, those words, that attitude. Gunnin' for Priest's job? :D

    Leave a comment:


  • skroo
    replied
    Originally posted by Clp727
    Oops! Sorry Scroo, and Noid as well. I shoulda known this would've already been covered. I did perform a search in this forum. I swear! I hope the forum logs can verify.
    Sorry guys.
    No big. In fact, if you hadn't performed a search, this thread would still be worm food, so we know you did that ;) As a memo to anyone else who may stumble across this, though, for God's sake check to see if the thread has had any recent activity. If not, it's probably best to just let it lie.

    I have always been a windows user, and have recently been playing with BSD and linux within MS Virtual PC '04. I am hoping to make the change. From what I have seen from performing the installations, Linux seems to be more secure from the start.
    I'm going to disagree with you here. Linux (or *BSD, or other OSes) are equally as vulnerable as Windows - it all depends on configuration. I worked as a systems engineer at a colo company for a while, and we had Linux boxes in the same rack that were owned bigtime next to untouched Windows servers. Why? Because the Windows servers had been cranked down properly, whereas the Linux boxes hadn't.

    Neither one is inherently more secure than the other. Neither one is inherently better than the other (though my personal preference is for a non-Windows platform), either. It all boils down to what you intend to do with the machine.

    I have Win 2003 server running on another system at home. I feel that it has some improved security features when compared to 2000 server. But these are features that I see in all of the linux disros that I've played with so far, even RedHat 7.3. I have alot to learn, but my perseption of linux has been that it is at least equal to MS, just not as well known.
    Windows server platforms are very good at doing one thing: backing Windows networks. Samba's a nice alternative, but I'd hate to deploy it (as I've been forced to do) as a domain controller in a heavy Active Directory environment - the integration just is not up to par at this time. My attitude is that you use the Windows servers to build the LAN, but put *nix boxes facing the outside world.

    I'm sure others will disagree (and I admit that I'm somewhat contradicting my earlier statements re: Windows security), but that's okay. One thing that's important to remember is Windows' evolution as a server platform: from day one, it was meant to be a rival to Novell, then the dominant force in LAN networking. It was never intended to be a platform for the Internet - but it later adopted that role as TCP/IP networking became commonplace in both the office and WAN environment.

    What this has left us saddled with is an OS that has (up to 2003) largely assumed that by default it's being run in a 'safe' sandbox - no hostile users, everyone seeking to legitmately share the resources it offers. Now, having said that, *nix has also historically suffered from the same trust model, just not so much in recent years. But the naivete is still there, only it cuts both ways. To sum up: same shit, different interface.

    I know that TCO is something that the corp. execs will look at. But I had always figured that if a network admin and his staff were planning to migrate to a unix/linux platform (or the network had always been a unix/linux network) then TCO would be equal or less expensive.
    Not necessarily. If you have a legion of IT staff who are Windows-capable that suddenly need to learn how to interact with *nix, you're screwed. Not that they can't do it, but that they will need to be trained to handle it. And part of that problem is teaching them how to escape the Windows paradigm and become competent *nix users, if not admins. Linux may be free, but the cost of supporting it may not be.

    Naturally, I would expect that experienced admins would be administering the linux systems. But then again, I have never been in the possition to actually compare the cost.
    There are plenty of Windows admins out there that could be considered to have more experience than *nix admins. Again, it cuts both ways. I've seen brilliant administrative techniques on both halves; I've seen downright shitty administrative techniques on both halves. It basically comes down to whether or not the admin in question knows what they're doing or not.

    Sorry again scroo. Thanks for goin' easy on me.
    No worries. I actually thought it was a valid point, just disagreed with the execution. This is my kinder, gentler machine-gun hand.

    Leave a comment:


  • astcell
    replied
    I knew enough to do a memcheck and see the gfree ram, if the number is not what it ought to be I knew something bad was loaded. With no hard drive to infect only the dual floppies were vulnerable, but it still held dBaseII and other important data. Maybe in those days we did not have crackers?

    Leave a comment:


  • Voltage Spike
    replied
    Talk about digging up old threads... I'm pretty sure you're joking (DOS 3.2?!?!), but just to poke the fire:

    You are asking about vulnerabilities in a (mostly) non-networked, single-threaded operating system. I'm not sure what the goal would be (ruin data/system?), but I'm sure some fun was cooked up using TSRs. I couldn't say for sure, but I was very active in my local BBS community and any "viruses" I encountered were programs that simply misbehaved when executed. Without any sort of memory protection, cracking a DOS box would be simple ... if, that is, you could just get the end-user to do something stupid.

    Leave a comment:


  • astcell
    replied
    Speaking of security vulnerabilities (it is the topic), I wonder about the good old days of DOS 3.2. Sure there were viruses, but no Internet as we have today to assist in the spread. Were there any real vulnerabilities with DOS back in the day? Seems everyone is searching out or creating 32-bit Windows vulnerabilities.

    Leave a comment:


  • Clp727
    replied
    Oops! Sorry Scroo, and Noid as well. I shoulda known this would've already been covered. I did perform a search in this forum. I swear! I hope the forum logs can verify.
    Sorry guys.

    I had just read that article and it left me feeling a bit angry. I have always been a windows user, and have recently been playing with BSD and linux within MS Virtual PC '04. I am hoping to make the change. From what I have seen from performing the installations, Linux seems to be more secure from the start. I have Win 2003 server running on another system at home. I feel that it has some improved security features when compared to 2000 server. But these are features that I see in all of the linux disros that I've played with so far, even RedHat 7.3. I have alot to learn, but my perseption of linux has been that it is at least equal to MS, just not as well known.

    I know that TCO is something that the corp. execs will look at. But I had always figured that if a network admin and his staff were planning to migrate to a unix/linux platform (or the network had always been a unix/linux network) then TCO would be equal or less expensive. Naturally, I would expect that experienced admins would be administering the linux systems. But then again, I have never been in the possition to actually compare the cost.

    Sorry again scroo. Thanks for goin' easy on me.

    Leave a comment:


  • skroo
    replied
    Originally posted by Clp727
    I think this article is a bit slanted myself....
    Check out the comment from Noid four up from your post.

    Leave a comment:


  • Chris
    replied
    Originally posted by Clp727
    Microsoft seems to be claiming victory against Linux.

    http://www.microsoft.com/windowsserv...s/default.mspx


    I think this article is a bit slanted myself....

    Well...it is true that Windows has a lower Total Cost of 0wnership:
    http://www.immunitysec.com/downloads/tc0.pdf

    Leave a comment:


  • Clp727
    replied
    Microsoft seems to be claiming victory against Linux.

    http://www.microsoft.com/windowsserv...s/default.mspx


    I think this article is a bit slanted myself....

    Leave a comment:


  • kree
    replied
    Originally posted by astcell
    Maybe it took him 5 months to come up with an intelligent reply. :p
    Ok, now that was funny.

    Leave a comment:


  • astcell
    replied
    Maybe it took him 5 months to come up with an intelligent reply. :p

    Leave a comment:


  • noid
    replied
    Rather than resurecting old threads, how bout you lurk a bit and get up to speed.

    Leave a comment:


  • mr_g
    replied
    "the vulnerabilities are just as likely. what may differ is how likely people are to find them. the problem is that either way, the people most likely to find vulnerabilities are the people looking for them.."

    Anybody here doubt that all OS's, open-source or proprietary, will eventually
    suffer vulnerabilties and exploitations of same as long as there is someone
    willing to take the time necessary?
    Skipping the 'security = process' and kernel bigotry, I agree with simple3 above:

    give me the armor with holes in it that I can patch, not the stuff I have to wait
    for someone else to 'fix' when they see fit.

    Leave a comment:


  • bascule
    replied
    Originally posted by 0versight
    i dont mind applying security patches.......I can apply these things all day, its kind of fun. Thing is, in Windows.....when I apply a patch, reboot. That shit gets fuckin annoying after awhile.
    As opposed to Linux kernel vulnerabilities, where you download the kernel source, reconfigure, recompile, reinstall, and reboot...

    Leave a comment:


  • skroo
    replied
    Originally posted by bascule
    Yes, and this has a known attack vector for 2.6 series kernels.
    Not to mention as far back as the 2.2-series kernels as well. Granted, this could be happening to any OS, but the rash of not-entirely-unrelated vulnerabilities spanning several major kernel revisions has me rather less than happy with the (lack of) extensive code review of kernel source submissions.

    ...which is, of course, vulnerable to the three system level compromises I linked in my original post.
    To be fair: that's depending on the patchlevel and architecture.

    Leave a comment:

Working...
X