why Linux servers were the most vulnerable compared t others...


http://www.macworld.co.uk/news/top_n...fm?NewsID=7980

any idea???

As I always say... statistics are the double-edged sword of the man who needs to win an arguement.

Obviously Linux servers are going to have more breaches, but that is because there are exponentially more Linux servers in use. That statistic also doesnt indicate the severity of a breach. Linux security systems recognize even the slightest breach or possibility for a breach whether it was infiltrated or not. May other OSes dont recognize a breach until it is too late.

It's like saying that boys are more likely to get injured in sports because little boys are always playing and scraping their knees as opposed to the fewer girls playing the same sports and commonly getting more serious injuries.

Well first of all, mi2g is not what most people would call the world's most credible source... They've been known to have, er, shall we say "interesting" interpretations of things in the past. That being said, in their narrow examination they're probably correct: Linux is the most frequently directly attacked OS, if you exclude automated worms and viruses. I would content that people don't directly exploit Windows because they don't have to, because they can either be trivially compromised by a ready-made worm, or they have already been compromised and have one or more trojan backdoors listening that can be used to gain access.

Still, there is a lot of truth to the following statement and it should serve as a wake-up call to Linux users everywhere. In a nutshell: Linux is not secure by magic, it's secure through hard work--work that the user/admin must do to lock down past the default settings. By the way, I personally have been saying this for months, but most of the readers here tried to argue with me or simply called me stupid.

Now this is pretty warped here:
But the actual tests done, well let's see...
Since they only considered "servers" in their test, and practically none of the Mac OSX users are serving anything from their boxes, and since *BSD has a much smaller install base than *Linux, that's not entirely surprising...

Then we have this gem:
Which is patentedly silly. For one, grouping Mac OSX with OpenBSD/NetBSD/FreeBSD is ludicrous. OSX is pretty much a Mach kernel with a NetBSD userland, more or less... The OS is much proprietary work by Apple that does not appear anywhere in *BSD.

Further (and more importantly) there have been a number of vulnerabilities specifically in Mac OSX that do not exist in the *BSDs (and most security experts I talk to believe there are many more, as yet undiscovered), some of which took weeks to have an upgrade fix available. The only reason serious OSX exploits haven't surfaced in significant numbers is because so few OSX boxes exist, and so many less are actually being used as a server of any type, that it would be like hunting fish in the desert... not a lot of targets.

This is a classic example of how "analysts" will say anything for money, or they really believe their own words, but are totally nuts (much like Gartner, who unfortunately has exponentially more influence than mi2g and thus badly influences many more companies).

The summary version is: Yes Linux has insecurity problems. Don't think you're secure just because you're not running Windows. Mac OSX is not the "most secure server", that was a blatant twisting of words and context in order to arrived at a contrieved result.

More than what, than Mac OSX? In that case you're correct. If you're trying to say there are more Linux servers than Windows, than *BZZZZZT* wrong, do not pass go, do not collect $200.

*BZZZZZT* wrong again. Most Windows servers run Anti-Virus software, most Linux servers do not. Most Linux systems do not come by default with an IDS even installed, let alone configured. Besides, it doesn't even matter at what point the attack was noticed, because they weren't trying to prevent anything, they were just doing after-the-fact "analysis". This is pure hyperbole on your part.

The article is wrong in many ways, but unfortunately you didn't get any of them.

Hey Chort, i think you need to check your little buzzer there. It is well known that what is noticed on Linux as a breech or security issue is commonly missed on windows until it is actually exploited.

As for the first buzzer, yes, I meant compared to OSX servers. Sorry, I should have specified that to avoid any confusion.

I wonder what the comparison would be of all OSes internet-wide. I tried finding one of those nifty maps, but couldnt find one of that data.

Regardless of the issues around this study, it's obviously true that Linux security can be improved.

We can attack the methodology of the study; but surely it is more useful to learn and benefit from it. I would like to know how the Linux attacks break down : where the weaknesses were. Then the community could concentrate those areas.

Because of the big differences in installed numbers of different servers, I doubt it's useful to say that Linux should be more like OS X, BSD or Windows. It is, however, useful to improve problems that exist.

For example, if administrator skill is a big problem (e.g. boxes being poorly configured), the community can look at ways to fix that : more, better and easier to find how-to guides for common tasks; scripts to help people set up servers securely, education courses and so on .

If distro bloat is a problem (i.e. Linux boxes tended to have a lot more software installed on them and security bugs were exploited in this software), that that could be tackled by distros giving clearer advice during installation to go for minimal install for a server. Tools could also be developed to look at installed systems and make suggestions where unnecessary software is needed. Or maybe a pre-hardened web-server or file-server distro (probably already exists somewhere) so anyone running a web server should use that .

If lack of patching is a problem, the community can tackle that (e.g. Mandrake 9.2 doesn't notify me when there are patches and doesn't even give me the option of installing them automatically (though I guess I could knock up a script that would do it) - I have to go through a semi-manual process of checking for security updates, selecting the ones I want and then downloading/installing them.

I agree with Chort. The study may or may not have value; but the knee-jerk reaction that Linux is intrinsically secure doesn't do anyone any favours.

That is "well known" only in the community of Linux home users, not in any community that deals with enterprise or carrier installations. The Linux community at large is doing itself a huge disservice by propagandizing so much that their users aren't allowed to believe anything that is not ravingly positive about Linux.. Besides, the mi2g survey was of already compromised machines, not a survey of watching machines be attacked, so your comments aren't even relevant to the discussion (if you don't see why, then you should probably do a lot more reading and significantly less posting of "facts").

In fact, without substantial modifications it's not any easier to notice things going wrong on Linux than on other OSs. I'll point you to this article on SecurityFocus where a Linux admin was trying to reverse engineer an exploit of his Linux server. The only reason he found the problem in the first place was because his bandwidth usage looked odd (all OSs have common bandwidth reporting tools, this isn't unique to Linux) and in fact, he only discovered the root cause because he was running a kernel with grsec extentions*. If he had been running a stock Linux kernel, he probably wouldn't have noticed the specific problem without a lot more work.

This administrator was clearly far more skilled than most Linux admins, as attested to by the fact that he knew how to use several reversing tools to observe the behavior of the exploit on his system. Your ordinary Linux user would not know how to do these things. In addition, the debuggers for GCC ELF binaries are so bad that it actually makes reversing significantly harder than on Win32 (see Security Warrior, by Peikari & Chuvakin, published by O'Reilly).

I've observed the Linux community for quite some time. I was an early Linux adopter myself (Red Hat 5.2 was my first distro) and I even used it on production systems for a giant e-mail carrier (Red Hat 6.x and 7.x). While the Linux crowd has done a great job of evangelizing and brining in new users, it's done a horrible job of alerting those users to potential dangers of their system and how to properly secure it. This is evident by the prevailing belief that you cannot get a worm or virus with Linux, which is not all all true from a technical perspective.

In fact, much of the Linux advice I've seen to new users has been down right scary. Telling users to log in as root, telling them to suid programs so they won't require root privileges, creating software that requires /var to be 0777 (it's true, I couldn't believe it either!), etc... There are a lot of UNIX neophytes using Linux now that just don't understand how security works in a UNIX-like environment and simply buy-in to the belief that it's impossible for Linux to have security problems like Windows.

In fairness, LQ is better than most places and the Security Forum in particular is rather useful, but that's largely due to the efforts of unSpawn and Capt_Caveman, and not the community as a whole. I've also seen my share of bad advice here, so even LQ isn't immune from the "Linux is bulletproof, do whatever you want" syndrom.

Even some of the commonly downloaded and implemented iptables firewall scripts that so many people are running have bad practices in them, like not logging spoofed packets at all. This is what I call "the Telephone Game applied to Linux Security". You probably remember the game from grade school where you all sit in a circle and the first person whispers something into the ear of the second person. The second person than whispers the same thing (at least, what they thought they heard) to the second person, etc until it goes all the way around the circle back to the first person. At that point the first person bursts into laughter because what they have just been told is nothing like what they whispered to start the chain.

Because Linux is such a community, it operates the same way as the Telephone Game. One person tells another person something. Since the first person "knows about Linux" the second person will just blindly accept it. The next time they hear a similar question, they will try to repeat what the first person told them, and it just grows exponentially from there. At no point are there sanity checks to make sure the first person was actually giving good advice, because novice Linux users do not have the knowledge and skill to be able to tell the difference between good and bad advice. Not only that, but the message gets so warped and distored after it's been handed down a few times, that it's not even what the first person said any more.

This is why I challenge people so often and why it may appear like I'm a jerk. I'm not trying to be a jerk, I'm trying to get people to see that they can't just blindly do what someone tells them without understanding why. Don't just accept an answer and do it--make sure you get a good answer, first! When someone posts garbage, I correct it so that the Telephone Game doesn't get out of control.

The bottom line is that user education must be improved. Too many people feel secure behind their default Linux installations and that is only going to cause astonishment and pain in the long run.

*

You're quite right of course; but something tells me that this is not enough.

I've worked in mainstream UNIX administration for nearly ten years. I've worked with organisations including a big IT company, the military, a power utility,an oil company and a major bank. In that time I've worked with maybe a hundred UNIX administrators. Now these aren't the boss's son; these are full time professional administrators. Of all those, I can count the ones who had a good understand of security on the fingers of two hands. Quite a few had a very basic understanding but a shocking number saw security as something a security team sorted out with perimeter firewalls - nothing to do with them; or simply as a hindrance, making their jobs more difficult.

The problem with sites such as LinuxQuestions is that it self-selects people who have an active interest in computers and, for this forum, in security. The vast majority of admins who have no real interest in computers beyond picking up their pay at the end of the month, people who will follow the path of least resistance. People who will never get trained up in security unless management makes it happen.

It's no use saying that there's something wrong with these people. I don't expect the check-out girl at the supermarket to have a deep personal interest in the retail industry - why should I expect a computer admin guy to have a deep interest in computing? I shouldn't.

If Linux is to be secure, it needs to be secure despite these folks, not because of them. I don't think any OS is close to that stage (certainly AIX, Solaris and HP-UX are not) which is why nearly every organsation relies on a strong perimeter - breach that and it's game over.

That's the challenge. If Open Source could develop a server OS which is reasonably secure out of the box and remains reasonably secure despite lazy and ignorant admin. people; but still runs the software businesses need and performs well, that would be a big breakthrough.

Yep, all your points a quite accurate.

It will be interesting to see if Red Hat's endevours around SELinux go well. If Red Hat proves that you can add meaningful security to an OS without encumbering it too much, that could start a whole new trend... Hopefully other Linux distros are taking note.

Also, www.openbsd.org/papers/pacsec03/e/ has some very interesting information on hardening a UNIX system in the way that it handles binary executable files and dynamic libraries.

Quote:

Originally posted by chort Now this is pretty warped here: But the actual tests done, well let's see... Since they only considered "servers" in their test, and practically none of the Mac OSX users are serving anything from their boxes, and since *BSD has a much smaller install base than *Linux, that's not entirely surprising... Then we have this gem: Which is patentedly silly. For one, grouping Mac OSX with OpenBSD/NetBSD/FreeBSD is ludicrous. OSX is pretty much a Mach kernel with a NetBSD userland, more or less... The OS is much proprietary work by Apple that does not appear anywhere in *BSD. Further (and more importantly) there have been a number of vulnerabilities specifically in Mac OSX that do not exist in the *BSDs (and most security experts I talk to believe there are many more, as yet undiscovered), some of which took weeks to have an upgrade fix available. The only reason serious OSX exploits haven't surfaced in significant numbers is because so far OSX boxes exist, and so many less are actually being used as a server of any type, that it would be like hunting fish in the desert... not a lot of targets. This is a classic example of how "analysts" will say anything for money, or really believe what they're saying be are totally nuts (much like Gartner, who unfortunately has exponentially more influence than mi2g and thus badly influences many more companies). The summary version is: Yes Linux has insecurity problems. Don't think you're secure just because you're not running Windows. Mac OSX is not the "most secure server", that was a blatant twisting of words and context in order to arrived at a contrieved result.

This is all extremely well thought out. As a matter of fact, I would go as far as to say these are true statements. It's a very Apple slanted article, and I use a Mac myself! But I never assumed that I am totally secure because of it. I'm on line, so I'm not. But I'm reasonably safe... and in most OS's, common sense and care is enough.

Agreed, the biggest vulnerability is certainly ignorance. The items that the article mentions about vulnerabilities from 3rd party applications is certainly very accurate, and is probably the strongest point. Many users think that the inherent securities of their Linux operating system will keep them safe regardless of what they do or install.

In a way, yes, they are. The comments are relative to the discussion because they are relative to the interpretation of the article. The article is written in a "draw your own conclusion" fashion, which is what our friend Nazmin has done by referring to Linux servers as the "most vulnerable". Without more information on what exactly happened in the tests, the article is actually pretty much useless other than to serve as a reminder that ignorance is indeed the biggest threat.