
Linux security is a "myth", claims Microsoft

Started by hismajesty, January 30, 2005, 09:52 AM


Grok

The voice of reason and experience -- tmp.  Good reply.

Linux advocates spend 90% of their arguments on supposed (or real) security differences between it and Windows, forgetting that it is only one aspect of a computer's function.  The people who buy computers spend 90% of their time doing a particular function, because they bought it as a tool.

Your TV is not secure.  Someone can sit across the street and looking at the light reflecting from your living room wall, they can reproduce exactly what you are watching, even that secret porno you and your wife recorded on your honeymoon.  But do people care about TV security?  Not usually.

Linux has very little comparative usability.  On Windows a relative idiot can walk up to it, insert a CD, install a program, and run it to accomplish a job.

iago

Of course, that same idiot will find their computer rebooting every couple minutes (with a 60 second warning) every time they get Sasser/Blaster.  Then you have to teach that idiot how to install a firewall.  Then he downloads and runs viruses, so you have to teach him how to use a virus scanner.  Then the idiot gets confused, and screws stuff up, and ends up as Yet Another DDoS Zombie.

Idiots shouldn't be using computers without supervision.

But back to Tmp's post, the administrator of a system totally matters.  If the admin is an idiot, then they will get exploited regardless of OS.  If the admin is clever, and keeps his software updated, and keeps vulnerable services not running, then there is much less of a chance of getting exploited.  The admin is one of the keys to good security.  I really don't see how you can argue against that.

This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Grok

Quote from: iago on February 01, 2005, 11:03 AM
Of course, that same idiot will find their computer rebooting every couple minutes (with a 60 second warning) every time they get Sasser/Blaster.  Then you have to teach that idiot how to install a firewall.  Then he downloads and runs viruses, so you have to teach him how to use a virus scanner.  Then the idiot gets confused, and screws stuff up, and ends up as Yet Another DDoS Zombie.

Idiots shouldn't be using computers without supervision.

But back to Tmp's post, the administrator of a system totally matters.  If the admin is an idiot, then they will get exploited regardless of OS.  If the admin is clever, and keeps his software updated, and keeps vulnerable services not running, then there is much less of a chance of getting exploited.  The admin is one of the keys to good security.  I really don't see how you can argue against that.



Did someone argue against that?  You seem to have the opinion that there are only two kinds of people in the world -- Linux security-conscious competent geniuses, .... and idiots who use Windows.   As wrong as your opinion would then be, you do not seem to explore any other segment of computing.  In post after post, your focus seems to be extremely narrow.  You're far smarter than to have this myopic view, and I hope you are able to grow into your potential.

Arta

I didn't get that impression at all. I think he was trying to say that good administration will keep a machine reasonably secure, independent of what OS it runs.

iago

Quote from: Grok on February 01, 2005, 12:31 PM
Did someone argue against that?

Quote from: mynameistmp on February 01, 2005, 03:01 AM
The theme here is that the OS doesn't matter, the admin doesn't matter, it's the people hacking the OS.

My argument is that the admin does indeed matter

No matter which OS you're on, the admin is probably the most important factor.  I'm pretty sure that's what I was arguing in my post.  When I say "idiots", I'm not only referring to Windows users (just mostly ;))


The part about the "idiot" infected with viruses within minutes, and having to learn a bunch more stuff to be secure, was intended as an argument against windows' ease of use stated here:
Quote: On Windows a relative idiot can walk up to it, insert a CD, install a program, and run it to accomplish a job.
With security the way it is now, Windows really isn't that simple, at least, not to administrate.


Grok

Well then again I disagree.  The level of knowledge necessary to make Linux as useful a production tool is far more than the level of knowledge necessary to "secure" Windows administratively, even by following a cookbook of instructions.

What tmp so eloquently pointed out is that regardless of the administrator, the hackability of the OS is inherent in the software.  I think maybe if you read it from a different context, you will see what he means, and you might even realize he has a good point.

mynameistmp

Quote: The theme here is that the OS doesn't matter, the admin doesn't matter, it's the people hacking the OS.

Haha, iago, my good man, I have mistakenly misled you. Perhaps a bad choice of words on my part. This statement was meant to be applied to a more broad context. I wouldn't care to elaborate for many people other than you ;P

Quote: "One myth we see is that Linux is more secure than Windows. Another is that there are no viruses for Linux," said McGrath.

Mr. McGrath is displaying Microsoft's frustration with the fact that the number of viruses targeting Microsoft lately is higher than the number targeting Linux, causing some users to believe that Microsoft software must be less secure than Linux software. My point (and I think Mr. McGrath's) is that the overall security of Microsoft software is not what's causing the overwhelming number of viruses, and it is not the improperly (or properly) trained admins of the OS. The viruses are being written by hackers taking the time and due diligence to target the OS. The number of viruses will not sway because Microsoft admins become better at what they do, or because Windows becomes more secure (http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm). This number will sway when the people designing the viruses become interested in another platform and turn focus.

Quote: But back to Tmp's post, the administrator of a system totally matters.

The competence of the administrators of the OS is not the topic that the Microsoft rep is speaking about. The topic he is discussing is which OS is more secure. A good admin can make a system more secure, but having a knowledgeable user base does not make a product itself secure. If a software product designed for home users to be used for convenience or leisure (how about Windows XP Home Ed., or Novell Linux Desktop 9) requires the admin (in this case, user) to be highly trained in order for it to be functional and safe, that would imply that the software is insecure or poorly designed.

To sum it up, by saying that the admin does not matter I meant that administrators are not an important factor in this discussion. I did not mean to imply that administrators don't make a difference on a system-to-system basis.



"This idea is so odd, it is hard to know where to begin in challenging it." - Martin Barker, British scholar

iago

Grok - If I didn't know any better, I think you're trying to attack my view points in general, not in the context of this thread, while at the same time not giving any facts or arguments to back it up.  My posts here have been basically, "The OS is only as secure as its user (or administrator)" -- do you deny that?  If you want to have an argument, at least reply with some kind of arguments, or agree with me :P

And this:
Quote from: Grok on February 01, 2005, 02:49 PM
What tmp so eloquently pointed out is that regardless of the administrator, the hackability of the OS is inherent in the software.
I went back and I haven't got a clue where Tmp said that.  In any case, I agree -- but the software on a computer is what is installed by its users, which still fits with what I said -- the OS is as strong as its user (or administrator)


Grok

From Slashdot discussion.

Quote: Working on my own DS_Linux (Score:3, Interesting)
by Dancin_Santa (265275) <[email protected]> on Wednesday February 02, @06:55AM (#11549393)
(Last Journal: Friday December 24, @08:49PM) 
On occasion I like to call it Santix, but I don't want to step on anyone's toes, so I just prepend my initials in front of "Linux" (RMS be damned).

The main thing that I try to focus on is security, and being on the LCML security mailing list has greatly improved my ability to find and squash security issues. You wouldn't believe how many security issues Linux has, actually. Luckily, most of the easy things like buffer exploits are already taken care of. The remaining issues are primarily involved in the timing issues of thread and process context switching. Exploiting the system vulnerability when it is grabbing and releasing resources. That kind of thing.

Whether or not the security list is part of the main LCML list is not really a primary concern. I'd rather have those guys working on features and we on the Security side can get those features secure. If we spent all our time thinking about how to make the system secure, we'd still be stuck with an age-old kernel like OpenBSD!


TehUser

Just to kind of clarify, I think (and correct me if I'm wrong, tmp) the point that tmp was trying to make is that no matter who the admin is, regardless of how much security he has in place, if the hacker going after your network is dedicated and knowledgeable, it will eventually fall.  And in that sense, how competent the administrator is just does not matter.

iago

Quote from: Grok on February 02, 2005, 07:02 AM
From Slashdot discussion.

Quote: Working on my own DS_Linux (Score:3, Interesting)
by Dancin_Santa (265275) <[email protected]> on Wednesday February 02, @06:55AM (#11549393)
(Last Journal: Friday December 24, @08:49PM) 
On occasion I like to call it Santix, but I don't want to step on anyone's toes, so I just prepend my initials in front of "Linux" (RMS be damned).

The main thing that I try to focus on is security, and being on the LCML security mailing list has greatly improved my ability to find and squash security issues. You wouldn't believe how many security issues Linux has, actually. Luckily, most of the easy things like buffer exploits are already taken care of. The remaining issues are primarily involved in the timing issues of thread and process context switching. Exploiting the system vulnerability when it is grabbing and releasing resources. That kind of thing.

Whether or not the security list is part of the main LCML list is not really a primary concern. I'd rather have those guys working on features and we on the Security side can get those features secure. If we spent all our time thinking about how to make the system secure, we'd still be stuck with an age-old kernel like OpenBSD!


Ok, are you going to attack my position yet, or just post completely irrelevant stuff? 


Adron

Linux is actually more securable than Windows for the simple reason that with Windows you're in the hands of Microsoft. Until Microsoft decide to offer you the option to turn off a service, you cannot do it yourself. With linux, you have, and always have had all the options. If Microsoft decides to stop supporting a certain version of a product, you're out of luck.

EpicOfTimeWasted

Quote from: Adron on February 02, 2005, 09:45 AM
Linux is actually more securable than Windows for the simple reason that with Windows you're in the hands of Microsoft. Until Microsoft decide to offer you the option to turn off a service, you cannot do it yourself. With linux, you have, and always have had all the options. If Microsoft decides to stop supporting a certain version of a product, you're out of luck.

Nothing in the computer world pisses me off more than when I try to kill a process in Windows, while logged in as Administrator, and Windows flatly tells me "No!"  Instead of arguing with me, it should kill the process and let me, the Administrator, deal with any of the after effects.  My FreeBSD box will let me do whatever I damned well please when I'm logged in as root.

I suppose some could argue that that's part of the reason they consider linux to be insecure, but I'd argue that it gives the level of control required to ensure that your box is as secure as it can be.

dxoigmn

Quote from: EpicOfTimeWasted on February 02, 2005, 12:05 PM
Quote from: Adron on February 02, 2005, 09:45 AM
Linux is actually more securable than Windows for the simple reason that with Windows you're in the hands of Microsoft. Until Microsoft decide to offer you the option to turn off a service, you cannot do it yourself. With linux, you have, and always have had all the options. If Microsoft decides to stop supporting a certain version of a product, you're out of luck.

Nothing in the computer world pisses me off more than when I try to kill a process in Windows, while logged in as Administrator, and Windows flatly tells me "No!"  Instead of arguing with me, it should kill the process and let me, the Administrator, deal with any of the after effects.  My FreeBSD box will let me do whatever I damned well please when I'm logged in as root.

I suppose some could argue that that's part of the reason they consider linux to be insecure, but I'd argue that it gives the level of control required to ensure that your box is as secure as it can be.

Example of this happening?

Edit: Clarification, examples of not being able to kill a process in windows.

iago

Example of what?

If you mean of the full control creating less security, the only real problem is that if a service running with root privileges is exploited, the attacker gets full control.  Of course, services shouldn't be running with root privileges in the first place.

