lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 10 Jun 2012 19:58:05 -0400
From: Dan Cross <crossd@...il.com>
To: Benjamin Kreuter <ben.kreuter@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Obama Order Sped Up Wave of Cyberattacks
 Against Iran

On Sun, Jun 10, 2012 at 7:22 PM, Benjamin Kreuter <ben.kreuter@...il.com> wrote:
>> I am a bit surprised by the direction of this conversation and I have
>> been waiting for someone to say the obvious in regards to protecting
>> yourself from .gov malware, it really is quite simple if you think
>> about it. Stuxnet, duqu, flame, ect.. all only run on windows
>> platforms. If the people you are protecting are concerned about that
>> kind of malware (and they should be) it would be a great time to tell
>> them about GNU/Linux, BSD, ect..
>
> Which would do little to protect anyone.  Do you really think that
> GNU/Linux would be a more difficult target for the NSA (or whichever
> agencies were responsible -- I would guess the NSA, but there may be
> others)?  GNU/Linux machines are compromised by criminals all the time,
> and the majority of people would not be willing to put in the effort
> needed to keep their system secure.
>
> There are probably a bunch of remote exploits in the Linux kernel, in
> Firefox and Chrome, in OpenSSL and NSS, in Ghostscript, and in any of
> the thousands of other packages that will be installed on a typical
> GNU/Linux system.
>
> There is no magic bullet here.  Security is not about running the right
> OS, it is about running your OS the right way (and more).  Telling
> people that using GNU/Linux will make them safe is silly.

Fundamentally I agree with you, security isn't about running the right
OS, etc, we should acknowledge that not all operating systems are the
same.  Windows is fabulously complex, with a really large number of
system calls, many of which take a large number of arguments that in
turn change the semantics of the call greatly.  Together, these
represent a very large surface area for potential attacks.  In turn,
many of the Unix variants are simpler; they may not be any more
secure, but at a minimum, they have less attack surface area.  Of
course, it's been my impression over the last couple of decades that
they're trying as hard as they can to fill the gap.  To put it in
military terms, the Unix variants have traditionally had more surfaces
and fewer gaps than Windows.

Anyway, this isn't to say that Unix or some variant is inherently more
secure, but all other things being equal, I'd rather put my money on
the simpler thing, since simpler is often easier to get right.
Whether that's really the case or not is another matter; I simply
wanted to point out that there are other arguments beside the flawed,
"security through obscurity" that may come into play when deciding
between operating systems with respect to security.

        - Dan C.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ