Just read an article from Computerworld.com that saying Linux performs the worst in network security. Full text is here http://www.computerworld.com/securit...,97157,00.html

I thought Linux is an Unix-base system which should have the best security feature, at least better than windows. Anyone has comment??

I automatically ignore any "research" that comes from Mi2g. They're the laughing stock of the analyst industry. I do happen to favor OS X very highly--I personally like OS X much better than any Linux distro that I've seen so far--but I don't put any stock in conclusions drawn by Mi2g; they just don't have any credibility.

Oh well, I read the article just for grins. It's actually a recycle of the very same "test" they did last year. They analyze manually compromised systems (i.e. systems that were broken into by hand, not by worms) and give the results based on based on raw numbers.

Now, given that the data is based on raw numbers, it pretty much stands to reason that the OS with the largest install base is probably the most compromised. In this case Windows wasn't manually compromised as often as Linux, which is slightly surprising. If you think about it for a second though, it's very difficult to write automatic compromises for Linux because there are hundreds of distros (dozens in common use) and some of them have significant differences. This means a lot more compromises must be done by hand rather than by worm.

So the numbers are a little bit skewed, but still for such a small install base Linux has a disturbing security trend. I would attribute this to two things:
1.) Gross lack of QA
2.) User arrogrance/ignorance

The reason why all the commercial OSs, and the BSDs tend to have less problems is that they do a lot of QA. NetBSD and OpenBSD do a lot of code auditing and regression testing, and FreeBSD has a large team dedicated to working on the complete system, as well as rigorous security tests for the imported software packages. This same theme was highlighted recently by Michael Zalewski in his malformed HTML tests (showing that IE handled malformed HTML far, far better than all the Open Source browsers).

A fundamental problem with programs developed by hobbiests is that lots of people love the "fun" aspect of writing the program, but no one likes the grunt work of painstakingly testing every possible branch and input value.

The second problem is that many people who use Linux OSs just automatically assume it's completely secure. You're going to need to pay attention to the security any any OS, and Linux is no exception.

Oh...Mi2g is on my blacklist.

Look @ this survey

http://www.mi2g.com/cgi/mi2g/press/021104.php


Here is a part
"
The study also reveals that Linux has become the most breached 24/7 online computing environment in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded, with 154,846 successfully compromised Linux 24/7 online computers of all flavours. The number of successful manual hacker attacks against Microsoft Windows based online computers has remained steady and accounts for 25.19% of all breaches recorded, with 59,419 successfully compromised Windows targets of all versions. In sharp contrast, the number of successful hacker attacks against Mac OS X or BSD based online computers has demonstrated a declining trend and accounts for just 4.82% of all breaches recorded, with 11,370 successfully compromised BSD targets of all flavours including Apple.
"

Is this entirely true?

Statistics can be misleading of course. Here's what I'll consider. What defines attacks? Were the attacks recorded because they knew it was happening? Maybe the Linux attacks are recorded because they knew it was happening while the Windows and BSD,Mac attacks are going on oblivious. It could also be that the Linux attacks are more common but less threatening? Personally, I dunno how much I can trust mi2g since I have no experience with it. But those are my thoughts.

Follow the dollar..find out who paied to do the study. That, lots of time, slants the results favorably toward Microsoft, especially when funded by them.

i think those statics just might be true....

in a good linux setup, the only way in would be manual hacking ... vs windows were its easier to just download a stupid script that will do everything for you .......... ask yourself this, would you manually hack windows, or use a script that took 5 minutes to find and download if you wanted to get into a windows based computer ?

Actually, I think it's a combination of things,

1. M$ funded studies don't consider it an attack on the OS if they attack Apache running on a Windoze server. They DO consider an attack on Apache to be an attack on Linux.

2. M$ is funding the studies, they are scewed towards an absurd result.

3. The studies use systems configured on older versions of Linux, generally,... like old 2.2 and 2.4 kernel systems, with known exploits...

4. The prefered attack method on a Windoze machine is automatic, where the prefered attack on a Linux box is a manual crack. Linux defenses are just so much better that a simple script or trojan won't do the trick. The attacker has to actually KNOW something...

5. The studies probably count an attack on Linux successful if any user's account is compromised. Unlike Windoze, a compromised attack on a user's account is not fatal to a Linux system... just a prelude to a more pressing problem.

Well they had me going right up to the point I read the CONCLUSION.
I'm sorry but whomever wrote that conclusion is not "neutral" period.

OS X is nice, it offers the power and stability of FreeBSD with a really nice tuned front end... which is probably responsible for making it so easy to set up.

Linux, on the other hand, suffers from the problem of having an interface for certain services that is just harder for newer sys-admins to work with. Therefore there is a higher probability that a (the average) Linux box is not set up to be as secure. A Linux box in the hands of an experienced sys-admin is as secure as anything proprietary Unix, FreeBSD or OS X has to offer...

As far as M$ being better??? Crap. As V.P. Chenney said in Nazareth, PA recently, "you can put lipstick on a pig, but at the end of the day, it's still a pig." These studies are funded by M$ to use in their FUD campaign. They are utter crap.

I just started using my SUSE Linux 10 operating system so I do not know how vulnerable it is.

What I do know is that Microsft builds multitudes of " holes " in its operating systems so as to enable Microsoft and the computer manufacturers to know what has/is being done on those computers all the time.

With all of the ways built in to get in; it is no wonder why just about any computer programmer can come up with spyware, adware, viruses, trojans, and hijacking software to penetrate the Microsoft operating systems.

I am through having my hard drive reformated because of those many Microsoft " holes ".

I agree completely. I just happen to be a network security engineer with DoD and I can tell you that there is a big push towards linux right now. Solaris is still the most prevalent os for mission critical servers but linux is starting to gain ground. We currently have quite a few linux servers performing basic functions like web serving, dns, nfs, ect. Whenever it is time to purchase new hardware, the decision always comes down to solaris or linux. Hell BSD isn't even an approved os(atleast on the federal/state level) so I would really love to find out what agencies are supposedly switching to a nonapproved os for their servers. Its obvious this person has no idea what he is talking about, atleast when it comes to what the govt is doing and linux.

LOL lets all run to the other end of the row boat since its sinking slower. Oops look what happened. Oh well.