LinuxQuestions.org


shazam75 03-17-2006 08:53 PM

Test shows unpatched Windows system's vulnerability
 
A test has revealed that a Linux server is far less likely to be compromised than a Windows one. In fact, unpatched Red Hat and SuSE servers were not breached at all during a six-week trial, while the equivalent Windows systems were compromised within hours.

http://www.computerworld.com.au/inde...pid;1968336438

Penguin of Wonder 04-09-2006 10:09 PM

Considering the volume of viruses out for Windows I'm not surprised. Linux is too painful to hack.

sundialsvcs 04-10-2006 10:39 AM

Wait a minute ... I'm no fan of Windows, certainly, but this kind of journalism simply isn't fair. It's the kind of sensationalist crap-writing that I have come to expect from Computerworld, where they are more interested in "impressions" than story. :mad:

The systems are un-patched: This means that the test systems are known to be vulnerable to any previously published exploit. They were sitting ducks.

Users on Windows machines are normally all-powerful Administrators, logging on systems with no passwords, no file protections, an open Registry and so-forth. Linux users normally are not. That can make all the difference in the world: a rogue program not only has to get into the machine and attempt to run, but also it has to succeed.

If Windows security is turned on, it is much more comparable to that of SELinux! Once you succeed in breaking through standard-Linux's defenses, it's rather like a chocolate truffle: crunchy on the outside, smooth in the center. It's "all or nothing." Windows, per contra, has a capability structure that .. if you understand it and use it .. allows the roles and capabilities of a program to be much more finely divided. Obviously, "hardened" Linuxes are the same way, but these are only very-slowly becoming mainstream. We must be very careful not to praise one knight and condemn another only because one prince has commanded his knight to hold his shield while the other prince has instructed his knight to leave his shield at home in his coat-closet...

If you stupidly leave the doors and windows unlocked, don't be surprised to find that someone is in there raiding the refrigerator. But is that realistic? It says much more about the stupid git who left the doors open than it does about the quality of the locks. In fact, it becomes totally meaningless.

Let's give the Devil his due: Windows has its problems, but many of those are simply the company that makes it, not the system itself nor the colleagues who make it. None of them really deserve the "cheap shots" that this article dishes out. Windows is no Linux, :rolleyes: but it is a worthy competitor none the less.

Penguin of Wonder 04-10-2006 12:27 PM

Quote:

Originally Posted by sundialsvcs
The systems are un-patched: This means that the test systems are known to be vulnerable to any previously published exploit. They were sitting ducks.

I almost feel stupid not realizing that when I read it.

J.W. 04-11-2006 03:53 AM

I disagree that the article is taking any cheap shots at Windows. As I see it, the article is simply comparing the "out of the box" security level for each OS, which I think is a valid topic. Granted, I agree 100% with your points that Windows users should keep their systems current, enable the security features, and create and use a non-Admin account, but sadly the fact is that the majority of users just plain don't -- not that they refuse to, but rather that they simply don't know they're supposed to, or don't know how to. As a result, their systems can easily get compromised and get used for malicious purposes such as spam, DDOS attacks, etc, and that is (or at least should be) a concern to all of us.

Thus, the article is calling attention to an important consideration for mainstream consumers, namely that a standard Windows installation by default is not as secure as a standard Linux installation. Giving Windows a free pass by saying "Well, *if* the user does this, and *if* the user does that, then Windows can be made just as secure" is IMHO missing the point. To use an analogy, suppose you were comparing the safety features of two different cars, and "A" came with anti-lock brakes, side impact airbags, stability controls, etc, as standard equipment while "B" only offered that same equipment as optional equipment at additional cost. Would it make sense to claim that both cars were equally safe, knowing that one required major upgrades in order to achieve the same level as the other? I would say No.

sundialsvcs 04-11-2006 09:10 AM

Yes, I've cooled-off now. :rolleyes:

What concerns me about articles like this is that, in a sense, "they cut both ways." They make one OS look worse than it should be ("worse" though it is ;) ...) and it could give the owners of the other OS a false sense of smugness. In that sense, the article seriously mis-represents the issue of security. It's not good journalism. (Although what can one expect from a CoW?)

"Is that door secure?" "Well, did you lock it, or not?"

robogymnast 04-16-2006 08:06 PM

Quote:

Originally Posted by sundialsvcs
Wait a minute ... I'm no fan of Windows, certainly, but this kind of journalism simply isn't fair. It's the kind of sensationalist crap-writing that I have come to expect from Computerworld, where they are more interested in "impressions" than story. :mad:

The systems are un-patched: This means that the test systems are known to be vulnerable to any previously published exploit. They were sitting ducks.

Users on Windows machines are normally all-powerful Administrators, logging on systems with no passwords, no file protections, an open Registry and so-forth. Linux users normally are not. That can make all the difference in the world: a rogue program not only has to get into the machine and attempt to run, but also it has to succeed.

If Windows security is turned on, it is much more comparable to that of SELinux! Once you succeed in breaking through standard-Linux's defenses, it's rather like a chocolate truffle: crunchy on the outside, smooth in the center. It's "all or nothing." Windows, per contra, has a capability structure that .. if you understand it and use it .. allows the roles and capabilities of a program to be much more finely divided. Obviously, "hardened" Linuxes are the same way, but these are only very-slowly becoming mainstream. We must be very careful not to praise one knight and condemn another only because one prince has commanded his knight to hold his shield while the other prince has instructed his knight to leave his shield at home in his coat-closet...

If you stupidly leave the doors and windows unlocked, don't be surprised to find that someone is in there raiding the refrigerator. But is that realistic? It says much more about the stupid git who left the doors open than it does about the quality of the locks. In fact, it becomes totally meaningless.

Let's give the Devil his due: Windows has its problems, but many of those are simply the company that makes it, not the system itself nor the colleagues who make it. None of them really deserve the "cheap shots" that this article dishes out. Windows is no Linux, :rolleyes: but it is a worthy competitor none the less.

I don't think this is all that unfair. If my father/uncle/random joe who knows nothing about computers gets a default install, not even knowing that such a thing as a patch exists, then all of their security settings would be left at the default. The fact that normal rights are limited in Linux is by design, and not some unfair advantage that the test set up. Windows has no problem with letting everyone have administrator rights for some reason, which in my opinion is quite a security hole. I agree that in the hands of a knowledgeable user like most of the people on this site that the systems will be comparable in terms of security, but Windows is marketed towards people who have no idea what they are doing, so having it tested straight out of the box is not really all that unfair IMHO

the_darkside_986 04-19-2006 02:21 PM

That is a good point. Since Windows is supposed to be all user-friendly, then Windows should somehow try to help avg joe keep his system secure, even if it is just a simple warning that he should not do daily tasks in Administrator mode. But Windows has a lot of programs in it so there will always be someone finding a security hole.

tormented_one 04-19-2006 03:41 PM

Did anyone notice the date? 10/03/06??

Penguin of Wonder 04-19-2006 06:10 PM

I don't see that date anywhere?

rkelsen 04-19-2006 06:38 PM

Quote:

Originally Posted by tormented_one
Did anyone notice the date? 10/03/06??

That's Australian notation for 10th March 2006.

Quote:

Originally Posted by Penguin of Wonder
I don't see that date anywhere?

It's right under the author's name (under the headline).

Penguin of Wonder 04-19-2006 09:11 PM

Quote:

Originally Posted by rkelsen
It's right under the author's name (under the headline).

:laughs: I know where the date's at, I just didn't see the date he listed

sgoen1986 04-20-2006 02:15 AM

Quote:

Originally Posted by robogymnast
I don't think this is all that unfair. If my father/uncle/random joe who knows nothing about computers gets a default install, not even knowing that such a thing as a patch exists, then all of their security settings would be left at the default. The fact that normal rights are limited in Linux is by design, and not some unfair advantage that the test set up. Windows has no problem with letting everyone have administrator rights for some reason, which in my opinion is quite a security hole. I agree that in the hands of a knowledgeable user like most of the people on this site that the systems will be comparable in terms of security, but Windows is marketed towards people who have no idea what they are doing, so having it tested straight out of the box is not really all that unfair IMHO

And you suspect someone who doesn't know what a patch is, does know how to set up and run an entire server..? :confused:

You can't really judge an out-of-the-box OS, certainly not a server edition, because bugs are discovered every day and patching is just necessary. And like I said before, someone who installs and controls a server DOES know how to patch.

But, maybe that's just my opinion. :)

robogymnast 04-21-2006 12:09 PM

Quote:

Originally Posted by sgoen1986
And you suspect someone who doesn't know what a patch is, does know how to set up and run an entire server..? :confused:

You can't really judge an out-of-the-box OS, certainly not a server edition, because bugs are discovered every day and patching is just necessary. And like I said before, someone who installs and controls a server DOES know how to patch.

But, maybe that's just my opinion. :)

Lol good point, it didn't click that they were talking about servers. :p

jiml8 04-23-2006 10:47 AM

Quote:

Windows has no problem with letting everyone have administrator rights for some reason, which in my opinion is quite a security hole.

It is actually worse than that. Many commercial products for Windows won't run out of the box unless the user has administrative rights.

This particularly includes Electronic Arts games. My daughter had me install a Harry Potter game on our one and only XP Pro system and she couldn't run it because she was a user and it wouldn't start.

Now, in Linux, I would have merely set some file permissions to let her in. In Windows XP, I had to create a service that would, when started, run the Harry Potter game. I then had to establish a security policy that allowed her as a user to start or stop that service, and I had to set up a batch file on her desktop so that she could start it by double-clicking.

This, after contacting EA to ask them why the game wouldn't run except for an administrator. Their response was that you had to be an admin to play the game.