So is nix really safe?

Malak

Lifer
Dec 4, 2004
14,696
2
0
For a very long time we've had that one argument going everywhere. Windows is a security pothole and any nix-based system is safe.

I want the truth, because I don't believe either point. My research on the subject has shown very little in the way of threats to Windows users and it has shown me the same level of vulnerability in MacOS, Unix, Linux, and FreeBSD. It seems to me most attacks on Windows systems are post-patch, which means anyone who keeps windows updated and follows common sense can't be hurt, you don't even need anti-virus running. For example, I don't run anti-virus except maybe once every few months for a quick scan. Of course, I'd know if I had a virus before the scan, but I check anyway.

Personally I think it's all paranoia brought on in 1999 by Melissa and 2000 by the I Love You virus. I think AV companies are making a fortune on ignorance. I also think if people who used nix systems were as ignorant as many who use Windows, then nix people would be seeing the same deal. 99% of the worms affecting windows systems require the user to download and run them, which is also possible on nix systems.

So really, is the OS more secure, or is the user more secure?
 

CycloWizard

Lifer
Sep 10, 2001
12,348
1
81
I'm no expert by any means, but it seems to me that Windows is probably targeted more because of its broader user base. That, and the people using nix are typically more knowledgeable about computers in general, which means they'll be safer in their practices and get fewer viruses naturally. That said, the only thing I've heard that might concretely make Windows more vulnerable is that it leaves the RPC port open.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: Malak
For a very long time we've had that one argument going everywhere. Windows is a security pothole and any nix-based system is safe.

I want the truth, because I don't believe either point. My research on the subject has shown very little in the way of threats to Windows users and it has shown me the same level of vulnerability in MacOS, Unix, Linux, and FreeBSD. It seems to me most attacks on Windows systems are post-patch, which means anyone who keeps windows updated and follows common sense can't be hurt, you don't even need anti-virus running. For example, I don't run anti-virus except maybe once every few months for a quick scan. Of course, I'd know if I had a virus before the scan, but I check anyway.

Personally I think it's all paranoia brought on in 1999 by Melissa and 2000 by the I Love You virus. I think AV companies are making a fortune on ignorance. I also think if people who used nix systems were as ignorant as many who use Windows, then nix people would be seeing the same deal. 99% of the worms affecting windows systems require the user to download and run them, which is also possible on nix systems.

So really, is the OS more secure, or is the user more secure?

You aren't going to get a clear answer here.

On Unix most every person using the computer has their own account with limited rights to make changes to the system.

This is possible with Windows but it is not part of the mindset of most windows users. You should not be running everything as root or administrator regardless if you are using Unix or Windows.

It is a culture thing. The other issue is security patches. When vulnerabilities are found in Windows, Microsoft is typically not very quick to release the patch. Linux especially is quick to fix it.

As for your virus scanning, I think that it is silly not to run one. Considering that trojans can be written in java, you can get infected just by visiting a website. Yes, if your firewall is configured correctly, you should have personal information getting out via a trojan. However, why not run a simple app that can detect simple things like a virus/trojan?
 

klocwerk

Senior member
Oct 23, 2003
680
0
76
As for your statement about users, I agree completely. The perception of *nix being more secure is based on the fact that most windows users are either idiots, uneducated about how to secure their machines, or simply don't care about it. *nix users on the other hand tend to be more savvy, proactive in security matters, and just generally less apt to "punch the monkey", or click ok to every message that pops up without reading it.
A large chunk of *nix's superiority is based on user awareness.

However.
Read this: http://it.slashdot.org/article.pl?sid=05/12/01/1259253&tid=113&tid=172
That illustrates the other major difference between *nix and windows. *nix gets patched quicker when something's broken.
*nix folks and the open source community tend to take security more seriously than microsoft does. MS leaves security holes unpatched for long periods of time, while *nix patches are usually available within 24-48 hours of the vulnerability being found. The recent 0-day exploit of IE that made the mainstream news was due to a security hole in IE that MS had known about for months and hadn't gotten around to fixing. Compare that to the last time a security hole was found in OpenSSH, and a patch was available for all the major *nix distros within 4 hours.
No exaggeration.

But it all really comes down to the users.
- Most paranoid security freaks that I know run some variant of BSD, usually NetBSD. It's not bleeding edge, and as a result the code is far more picked-over.
- For a smart and savvy desktop user, *nix will be more secure, due to fewer exploits, quicker patching, and less chance of a PEBKAC issue.
- For a stupid user who has windows set to auto-update, *nix may be LESS secure, although you're splitting hairs. A stupid user is the greatest security risk, period.

*edit* wrong slashdot link. fixed.
 

pm

Elite Member Mobile Devices
Jan 25, 2000
7,419
22
81
I work as a lead engineer on a project that, among other things, has a larger pool of engineers who log in sporadically into a smaller pool of workstations. In the past, we used Unix-based workstations for this, but we are trying it now with Windows-based workstations. For administrative and security (but mostly administrative - we wanted to keep the machines similar) reasons, initially we had two people who were designated administrators on all the Windows machines and the larger group of engineers had restricted access - similar to how we set up our Unix workstations. But we discovered that it is very hard to set up Windows workstations as tester hosts with the users not having admin. We've run into a handful of issues that we haven't found a good workaround for aside from granting all users administrator privileges. Most of these are due to poor drivers - a lot of drivers for high-end test equipment require that the user be admin. In Unix land, I can't remember a single situation in which, in order to capture data through a data-acquisition card, I need to grant the users "root" privileges, but it's come up on 3 of the 5 data capture cards that we use. In addition, there have been a handful of other problematic things that we haven't found a good workaround for involving remote access. There's also a general lack of traceability in Windows - either that or we aren't skilled enough in Windows security to know where to look - but it seems hard to find out what user did what action.

So far, I'd say that using Windows-based workstations has been an interesting experiment but I'm not sure that I'll recommend to other teams within my company that they replicate our setup. Surprisingly, the machines have had a remarkable level of "uptime" - our problem has not been stability - but I don't know if it's a mindset thing with driver authors or if there really is a fundamental limitation to Windows that if you want to do large-scale real-time data acquisition of large amounts of data, you need to be "admin" to get around some driver limitation. But whatever the cause, at least in our case, we had to grant admin to all users to allow the use of most of our equipment and this opened the door to individual users doing a variety of things on these high-end test systems that we would rather that they hadn't.

This reply dances around the issue of security - the original poster is asking if Windows is inherently less secure to viruses and such compared to Unix. I don't know the answer to that question, and I would imagine that any reply is going to have a lot of supposition to it (eg. "If Linux market share were the same as..." or "If Apple sold as many systems as Dell..."). But to me, the heart of security is to lock down access to a machine - to prevent users (malicious or otherwise) from doing things that break, compromise or generally mess up, a machine. And the start of that is to limit what users can do, and what they can't do... and we haven't been able to do that with Windows to anywhere near the level that we could under Unix.
 

Malak

Lifer
Dec 4, 2004
14,696
2
0
So then in all honesty, the most secure way to work in any OS is to limit the user, and you limit the user because it's the user that can get you in trouble, not necessarily the OS.

I completely understand the point that it's more difficult to restrict a user in Windows but still allow him to do many things, compared to Unix. I have heard some talk of features in Vista that will make this more flexible, but it seems this is years too late.

How bad do you think it would be if we didn't have windows? Say 90% of the current windows users were actually using Mac OSX? I would think that if Windows wasn't around, people would be using Macs, so this would be the most likely possibility. Do you suppose that we would see just as many worms being written? There have been a few for Mac OS in the past, but it's pretty rare. I don't necessarily find Mac OS users much brighter than Windows users, but I follow the line of thinking that virus writers target the bigger pool of users to really see how effective they are.
 

Hyperblaze

Lifer
May 31, 2001
10,027
1
81
It is both a case of limiting the user in what they can do, and the speed that patches are to be applied.

Windows was designed for ease of use first, and then security later (after they got bitched at by their clients and several of them threatening to leave Microsoft space)

Unix/Linux was designed for security first, and then ease of use. The ease of use is still being worked on.

Each operating system (Windows vs Unix/Linux) follows completely different philosophies in the way they evolve.

The real question is, which one caters more to your needs.
 

Hyperblaze

Lifer
May 31, 2001
10,027
1
81
Originally posted by: the splat in the hat
sounds to me like you answered your own question , the most used , the most hacked.....

with all due respect, that reasoning doesn't always apply. if that was true, then apache would be getting "hacked" a lot more frequently than IIS.

http://news.netcraft.com/archives/web_server_survey.html

Apache is at 70.98 percent. Microsoft is at 20.24 percent.

You can't really tell for sure until both sides of the equation are used.

Ie, scenario where there are 80 percent unix based machines vs 20 percent windows based machines

And the scenario we face on a daily basis, 80 percent windows based machines vs 20 percent unix based machines.



 

Malak

Lifer
Dec 4, 2004
14,696
2
0
Originally posted by: Hyperblaze
Originally posted by: the splat in the hat
sounds to me like you answered your own question , the most used , the most hacked.....

with all due respect, that reasoning doesn't always apply. if that was true, then apache would be getting "hacked" a lot more frequently than IIS.

http://news.netcraft.com/archives/web_server_survey.html

Apache is at 70.98 percent. Microsoft is at 20.24 percent.

You can't really tell for sure until both sides of the equation are used.

Ie, scenario where there are 80 percent unix based machines vs 20 percent windows based machines

And the scenario we face on a daily basis, 80 percent windows based machines vs 20 percent unix based machines.

Apache has had many vulnerabilities that have been exploited to affect any and all systems running it, even *nix systems.
 

Peter

Elite Member
Oct 15, 1999
9,640
1
0
pm's got the problem in keeping Windows secure spot on. Yes Windows lets you have rights restrictions, but there is way too much crap software out there that can't keep the data it's producing in the user's private directories.
This mostly is inherited from earlier Windows legacy, where it was perfectly fine e.g. for Netscape to store user profiles inside its program (!) directory. WHAT DO YOU THINK USER HOME DIRECTORIES ARE FOR, FFS?!? I mean, the same Netscape for Linux got it perfectly right.

In *nix and *nux, you don't see that problem because the file system architecture has ever been like that - normal users can't write anywhere but their home directory, and things they've explicitly been granted access to. This applies to devices just as well as files.
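
The permission model described in the post above, and relied on in pm's earlier post about data-acquisition cards, worked through as an added example that is not part of any post in this thread. It assumes classic Unix mode bits only (no ACLs or capabilities); the paths, uids, the `daq` group (gid 50) and the `/dev/daq0` device are constructed for illustration.

```python
import stat


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix write check: exactly one permission class applies.

    The owner class wins over the group class, which wins over "other";
    a match in an earlier class is final even if a later class grants more.
    """
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


# Constructed inventory: (path, mode, owner uid, owner gid).
INVENTORY = [
    ("/home/alice",       0o755,  1000, 1000),  # alice's home
    ("/home/bob",         0o750,  1001, 1001),  # bob's home
    ("/usr/lib/netscape", 0o755,  0,    0),     # program directory, root-owned
    ("/tmp",              0o1777, 0,    0),     # shared scratch space (sticky)
    ("/dev/daq0",         0o660,  0,    50),    # hypothetical capture card, group daq
]

# Constructed users: name -> (uid, set of group ids).
USERS = {
    "alice": (1000, {1000, 50}),  # member of the daq group
    "bob":   (1001, {1001}),      # not a member
}


def writable_paths(user):
    """Return the inventory paths this user may write to, in inventory order."""
    uid, gids = USERS[user]
    return [
        path
        for path, mode, owner_uid, owner_gid in INVENTORY
        if can_write(mode, owner_uid, owner_gid, uid, gids)
    ]


if __name__ == "__main__":
    for name in USERS:
        print(name, writable_paths(name))
```

Group membership alone gives alice write access to the device node without root, and neither user can write into the program directory; `/tmp` shows up for both because it is deliberately world-writable.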
 

Hyperblaze

Lifer
May 31, 2001
10,027
1
81
Originally posted by: Malak
Originally posted by: Hyperblaze
Originally posted by: the splat in the hat
sounds to me like you answered your own question , the most used , the most hacked.....

with all due respect, that reasoning doesn't always apply. if that was true, then apache would be getting "hacked" a lot more frequently than IIS.

http://news.netcraft.com/archives/web_server_survey.html

Apache is at 70.98 percent. Microsoft is at 20.24 percent.

You can't really tell for sure until both sides of the equation are used.

Ie, scenario where there are 80 percent unix based machines vs 20 percent windows based machines

And the scenario we face on a daily basis, 80 percent windows based machines vs 20 percent unix based machines.

Apache has had many vulnerabilities that have been exploited to affect any and all systems running it, even *nix systems.

of that I have no doubt. No software is 100 percent secure. But like a user said above, any vulnerability found in an open source product tends to have a fix ready within days.

and it is also up to the administrator to patch the software as soon as possible too. (ie, you also need a competent admin to make things work).

if you are really curious about apache. You can check how many IIS exploits there have been announced/how long did it take for a fix to be released/ vs how many exploits there have been announced in apache/how long did it take for a fix to be released.

You might also find that there have been many exploits found in apache. But something else to realize is that the code is open to all correct? Which means there are many many more folks in the QA department, looking at the code, searching for whatever problems might occur in the apache community. Can we say the same about IIS? (with regards to the amount of folks working with IIS).
 

Hyperblaze

Lifer
May 31, 2001
10,027
1
81
Originally posted by: Peter
pm's got the problem in keeping Windows secure spot on. Yes Windows lets you have rights restrictions, but there is way too much crap software out there that can't keep the data it's producing in the user's private directories.
This mostly is inherited from earlier Windows legacy, where it was perfectly fine e.g. for Netscape to store user profiles inside its program (!) directory. WHAT DO YOU THINK USER HOME DIRECTORIES ARE FOR, FFS?!? I mean, the same Netscape for Linux got it perfectly right.

In *nix and *nux, you don't see that problem because the file system architecture has ever been like that - normal users can't write anywhere but their home directory, and things they've explicitly been granted access to. This applies to devices just as well as files.

the ironic part in many of those who are new to the unix based os coming from windows find the unix file system structure all disorganized and scary (myself and others). Once I caught on to how the file system worked, I found the windows file system rather disorganized lol.
 

dwcal

Senior member
Jul 21, 2004
765
0
0
Secrets and Lies, by Bruce Schneier, is a good book to read about this. Chapter 8 is about Computer Security, and it has a diagram showing the relationship between the different subsystems of Windows vs. *nix OS. A lot more boxes and arrows on the Windows side. The sheer complexity of it means more potential bugs and more paths to exploit vulnerabilities. I have the book at home, so I can fill in more details if anyone cares.
 

Malak

Lifer
Dec 4, 2004
14,696
2
0
Originally posted by: dwcal
Secrets and Lies, by Bruce Schneier, is a good book to read about this. Chapter 8 is about Computer Security, and it has a diagram showing the relationship between the different subsystems of Windows vs. *nix OS. A lot more boxes and arrows on the Windows side. The sheer complexity of it means more potential bugs and more paths to exploit vulnerabilities. I have the book at home, so I can fill in more details if anyone cares.

Do you think it's more complex because it is designed as a jack of all OSes, able to do everything but not great at anything in particular?
 

dwcal

Senior member
Jul 21, 2004
765
0
0
Originally posted by: Malak
Originally posted by: dwcal
Secrets and Lies, by Bruce Schneier, is a good book to read about this. Chapter 8 is about Computer Security, and it has a diagram showing the relationship between the different subsystems of Windows vs. *nix OS. A lot more boxes and arrows on the Windows side. The sheer complexity of it means more potential bugs and more paths to exploit vulnerabilities. I have the book at home, so I can fill in more details if anyone cares.

Do you think it's more complex because it is designed as a jack of all OSes, able to do everything but not great at anything in particular?

I think it was a conscious design decision to favor features over security, but to be fair, Linux + X11 + KDE is probably just as complex. The difference is that you can run Linux without X11 and KDE if you want a stripped-down server.

BTW I just looked in the book. It's figure 10.3 in Chapter 10. This page has a similar diagram. Look at Figure 2.27. Link
 

mattspierce

Junior Member
Nov 18, 2003
10
0
0
Security is a mind set more than a feature. Unix societies ingrain the mind set into their administrators, and you typically will learn Unix from another Unix admin. That gives a lot of exposure from generation to generation. Unix admins tend to be more conservative about what should run, and how resources are utilized because they were typically more expensive. If someone dorked up your box it cost a lot of time and money to fix so do it right. Linux becoming more prevalent may dissipate that trend as it is easier for uninformed solo folks to install and run it poorly. Windows puts the user in the admin seat from day one. I always viewed it as letting the patients run the asylum. But with a competent administrator, and a well planned out installation Windows can be just as secure.
 

Malak

Lifer
Dec 4, 2004
14,696
2
0
Another question: How much of a threat are hackers? It seems like viruses don't pose much of a threat these days, with most being mass-mailing worms that do very little if any real damage to the machine. I would think hackers are not much of a concern for home users except those infected to the point they can be used as zombies.

Are hackers a big threat to corporate users, or is it only specific corporations that would ever really be threatened? Papa Johns getting hacked kind of threw me for a loop, why would you bother unless you were a disgruntled employee?
 

Xyo II

Platinum Member
Oct 12, 2005
2,177
1
0
Originally posted by: Malak
Another question: How much of a threat are hackers? It seems like viruses don't pose much of a threat these days, with most being mass-mailing worms that do very little if any real damage to the machine. I would think hackers are not much of a concern for home users except those infected to the point they can be used as zombies.

Are hackers a big threat to corporate users, or is it only specific corporations that would ever really be threatened? Papa Johns getting hacked kind of threw me for a loop, why would you bother unless you were a disgruntled employee?

You would really be surprised at how much online companies have lost to crackers. I believe that 60% of online companies report information being compromised at least once a month, according to some surveys. The majority of "hackers" are just script kiddies, and that is where most viruses come from- either bad code, an unintentional thing, or stupid kids that think they're hackers if they try and get by a password-protected site with a bruteforcer. Every company out there has a real threat from crackers. (read: black-hat hackers) We ask and google provides
 

Xyo II

Platinum Member
Oct 12, 2005
2,177
1
0
Originally posted by: Malak
How do you lose money to hackers?

Ever heard of credit card fraud? DOS attacks? Phishing? I've heard that plenty are going after stocks now, too, but that's mostly in Europe, I think.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
I'd lean toward the user being more secure. It is also a smaller target, and many hackers themselves probably love it too much to want to break into it, lol.