Anyone seen this?

  • Thread starter Thread starter Guest
  • Start date Start date
WRONG !

While Linux is targeted less that Win32, it still has *many* vulnerabilities and has its own
set of viruses, worms and Trojans. As more and more people choose Linux, more and more
VX'ers will target Linux as well.

--
Dave




| http://www.theregister.co.uk/security/security_report_windows_vs_linux/#myth2
| Looks fairly reliable and fair, at least it wasn't sponsored by one the
| products being looked at. Ever try Linux? No more worms, no more virus, no
| more $190 upgrades. : )
| --
| Use Linux and WinXp
 
FALSE, FALSE, FALSE, see the myth number one. Read the thing before you
answer. If a virus or trojan does not have administrator privileges, it
cannot set up house keeping on the computer. If you login as a restricted
user on WinXP, you will be as safe, but how many people actually do that?
That is the default linux setup. Try it and you will see, you have two
accounts from the get-go.
 
FALSE, FALSE, FALSE, see the myth number one. Read the thing before you
answer. If a virus or trojan does not have administrator privileges, it
cannot set up house keeping on the computer. If you login as a restricted
user on WinXP, you will be as safe, but how many people actually do that?
That is the default linux setup. Try it and you will see, you have two
accounts from the get-go.
Click to expand...

Have you read about root kits? How about the users that operate a Linux
install the same way they do a Windows install - always root, install
everything, put it directly on the net.... Seems to me, while Linux has
a very good means to restrict compromises when you follow the normal
security measures, ignorant users will always do their own thing and end
up with compromised systems on ANY OS.
 
Yes, I have heard about root kits, and I have heard about people cruising the
net as root. But that is not the default as it is in WinXP. Like I said, you
can secure WinXP if you work at it and accept the SP2 defaults.
And getting back to Myth number one, how about the point of Apache which is
2/3 of the servers being run, being far less vulnerable than Windows Server
2003?
Also, the fact that IE6 is so integrated into the windows kernel and user
space leads to some scary possibilities as to the potential trojans and
viruses have to exploit Windows Outlook and SQL. I can get a bad java script
in Mozilla or Firefox in Linux and that is where it stays, it doesn't affect
Thunderbird or Evolution.
If you are curious, a live cd of Ubuntu Linux can be downloaded or ordered
free, they even pay shipping charges. It will boot up and run your computer
without even installing anything or affecting any other OS already installed.
And you can use it as to do pretty much anything until the computer is shut
down. Does not write to the hard disk unless you specifically ask it to do
so. Also, installation cd's are free as well (including shipping)
http://www.ubuntulinux.org/
 
Forgot to show this:
"The Ubuntu community is built on the ideas enshrined in the Ubuntu
Manifesto: that software should be available free of charge, that software
tools should be usable by people in their local language and despite any
disabilities, and that people should have the freedom to customise and alter
their software in whatever way they see fit." Free as in "free beer" and
also free as in "free speech". : )
 
And getting back to Myth number one, how about the point of Apache which is
2/3 of the servers being run, being far less vulnerable than Windows Server
2003?
Click to expand...

I read the entire article and found that the one seriously flawed part
of their argument. The rest of it was mostly spot on (mostly).

Since IIS is included with Windows 2000, 2000 server, 2003, and XP
Professional, and since many HOME users install it without knowing,
there is a LARGE base of ignorant people running IIS.

I've seen many companies running IIS as their web server and have never
even patches the server, never run the BSA, never looked at permissions,
and the root cause is ignorant people managing the servers.

There are very large companies running IIS as their production web
servers for Plant control, for Public web sites, etc... When I worked
for a design company we did work for a LARGE company that based 40+
sites out of 150+ sites on IIS 5, and then moved to IIS 6 - not one of
their sites had ever been compromised and all were the publics interface
to the company and it's products (thousands of doctors, patients,
mothers, counselors, etc... per week used the sites).

If you remove the installs of IIS by ignorant users, and setup IIS with
someone on the same technical level as those installing Apache, you end
us with both being stable and secure and as prone to being hacked as the
other.

SQL Slammer was another issue of ignorant users installing SQL server
again - once the idiots exposed the SQL data or management ports the
game was over. I have never seen a valid reason to expose the SQL data
or management ports to the PUBLIC. Sure, through a VPN or IP:IP
restriction at he very least, but not just open ports to it. If the
servers had been secured the worm would have not done anything.

What it really comes down to is that ignorant users and wanna-be's
should not be installing services until AFTER they learn about security
of ANY OS / Service. All systems, even Apache, should be behind a
firewall and not just one of those cheap routers that provides NAT only.
 
True, and hopefully SP2 is a step in the right direction as far a "making"
users secure (even if they are kicking and screaming : ) ). And hopefully
Microsoft dropped the idea of integrating the SQL server in Longhorn, maybe
that's why the new file system was "delayed".
 
That is a real good idea.
Some unknown person or entity determining someone else should not get paid
for their work.
A great way to quickly dry up the vast quantity of available software.

Do you believe and support the "Ubuntu Manifesto"?
What do you do for a living?
Perhaps it should be decreed that the product or service you provide should
be free and thus you not be paid for whatever you do?

Free as in "free beer"
It seems you also believe beer should be free.

Good of you to choose the essentials of life such as beer and software for
free instead of the luxuries such as food, clothing and shelter.
 
Linux is composed entirely of donated code. Their are some binaries that are
released to work work with linux that are privatly owned. Linux does not mean
people do not get paid for their work unless they decide to doante their
code/work/etc to the community. These folks do this for fun, pride, sense of
duty, etc. They seem to have paying jobs so they do not believe everything
should be free. Ubuntu itself is free but if a company wants to purchase a
service contract they may do so. Same as RedHat, they make their money off
the service contracts not the software.
"A great way to quickly dry up the vast quantity of available software."
there are more programs available for free than for sale. Look at linux, BSD,
and http://www.techsupportalert.com/best_46_free_utilities.htm has windows
programs for free that work as well as or better than the commercial
versions.
I work in a field, health care, that has free and for-profit versions. It
makes plenty of money and there have been no layoffs for the last 15 years
where I llive. Look at all the software programmers laid off from the
commercial world not due to free software but due to companies moving to
cheaper climates and locales. Where was the protection of for-a-profit
products for them?
And I do believe in the Ubuntu Manifesto, and I am not planning on losing
my job because of it. It creates new opportunities. And you know what? The
fastest growing computere certification program in the computer world right
now is Linux Certified Engineer, from free software comes new jobs, new
careers. Who would have thought that could happen?
 
Also, http://www.lpi.org/ take a look at this site. And I am impressed by
your background as shown on your website. You do have a lot of experience.
Boot up some linux and see what it's like, what's the harm? And looking back
Linux is composed entirely of donated code. Their are some binaries that are
released to work work with linux that are privatly owned. Linux does not mean
people do not get paid for their work unless they decide to doante their
code/work/etc to the community. These folks do this for fun, pride, sense of
duty, etc. They seem to have paying jobs so they do not believe everything
should be free. Ubuntu itself is free but if a company wants to purchase a
service contract they may do so. Same as RedHat, they make their money off
the service contracts not the software.
"A great way to quickly dry up the vast quantity of available software."
there are more programs available for free than for sale. Look at linux, BSD,
and http://www.techsupportalert.com/best_46_free_utilities.htm has windows
programs for free that work as well as or better than the commercial
versions.
I work in a field, health care, that has free and for-profit versions. It
makes plenty of money and there have been no layoffs for the last 15 years
where I llive. Look at all the software programmers laid off from the
commercial world not due to free software but due to companies moving to
cheaper climates and locales. Where was the protection of for-a-profit
products for them?
And I do believe in the Ubuntu Manifesto, and I am not planning on losing
my job because of it. It creates new opportunities. And you know what? The
fastest growing computere certification program in the computer world right
now is Linux Certified Engineer, from free software comes new jobs, new
careers. Who would have thought that could happen?
Click to expand...
 
hardcandy said:
http://www.theregister.co.uk/security/security_report_windows_vs_linux/#myth2
Looks fairly reliable and fair, at least it wasn't sponsored by one the
products being looked at. Ever try Linux? No more worms, no more virus, no
more $190 upgrades. : )
Click to expand...


If any article in The Register, particularly any article about
computers, contains a single fact, you can be sure that it was either
unintentional, or the writer got canned the next day.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Leythos said:
SQL Slammer was another issue of ignorant users installing SQL server
Click to expand...
again - once the idiots exposed the SQL data or management ports the
game was over. I have never seen a valid reason to expose the SQL data
or management ports to the PUBLIC. Sure, through a VPN or IP:IP
restriction at he very least, but not just open ports to it. If the
servers had been secured the worm would have not done anything.

What it really comes down to is that ignorant users and wanna-be's
should not be installing services until AFTER they learn about security
of ANY OS / Service. All systems, even Apache, should be behind a
firewall and not just one of those cheap routers that provides NAT only.
Click to expand...

SQL Slammer had as much impact as fast as it did because of
applications people had installed that used the MSDE engine without
them even knowing it.

MSDE's default installation was to keep everything open to the world.
Microsoft has a nasty habit of that. Otherwise the "cool" demos they
use to lure pointy hair types don't work very well.
Let's place blame where it belongs.
 
SQL Slammer had as much impact as fast as it did because of
applications people had installed that used the MSDE engine without
them even knowing it.

MSDE's default installation was to keep everything open to the world.
Microsoft has a nasty habit of that. Otherwise the "cool" demos they
use to lure pointy hair types don't work very well.
Let's place blame where it belongs.
Click to expand...

Ok, lets, think about this - if you own a computer/server and have
anything installed on it, and it's exposed to the live internet without
any form of protection, no matter what OS, then you've made a big
mistake - the OS vendor has nothing to do with it.

Now, lets talk about points of blame, in order of precedence:

1) ISP's - they have the ability to setup their residential service
devices with NAT enabled by default, this would prevent much of the
problem with any Worm. They can allow users to request a Non-NAT address
without any question, but NAT would be the default at the ISP's device.

2) Users - Ignorant ones especially. I can't tell you how many 1433/1434
probes we get per day. At one time I would open enterprise manager and
see if I could connect and then do a shell to NET SEND * YOUR SQL SERVER
IS EXPOSED TO THE INTERNET, PLEASE SECURE IT if it was unprotected -
but, after consideration, I stopped doing that. Most users do not update
their systems and few know anything about security - that's where #1
would help.

3) OS Vendors - Instead of maintaining the backwards compatible crap,
just start pushing out secured OS's that don't allow users to run as
root/administrator without warnings each time. Change the security
structure entirely (for MS) and give us something that's secure first,
easy to connect with other systems second.

4) Service vendors - ones that design applications that run as a
service. They should be self securing or mandate a password at the very
least.

5) Application vendors - making software that won't install and won't
run unless the users are Administrator level users. QuickBooks, MS
Office 2003, etc.....

6) Stupid users - this covers the rest. See #1 for these users.
 
Back
Top