lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031022195540.GC4733@adamantix.org>
From: peter at adamantix.org (Peter Busser)
Subject: RE: Linux (in)security

Hi!

> I have never heard of a Linux vendor saying that Linux is "secure out of the
> box."  Maybe Openwall or Engarde Linux, but most distos need to be made
> secure by the user.

More than enough people assert that Linux is secure. Just enter "Linux is
secure" in Google and you see what I mean:

http://www.linuxunlimited.com/why-linux.htm
``Properly configured and maintained, Linux is one of the most secure operating
  systems available today.''

http://www.faqs.org/docs/linux_intro/sect_01_04.html
``The security model used in Linux is based on the UNIX idea of security, which
  is known to be robust and of proven quality. But Linux is not only fit for
  use as a fort against enemy attacks from the Internet: it will adapt equally
  to other situations, utilizing the same high standards for security. Your
  development machine or control station will be as secure as your firewall.''

Note: The UNIX idea of security: You can trust users, especially the
administrator (root).

http://www.usermode.org/docs/whatslinux.html
 
http://news.zdnet.co.uk/software/linuxunix/0,39020390,2075966,00.htm
``Linux is as secure as you can make a computer,''
``First of all, Unix [on which Linux is based] is the paradigm that the
  computer is the network, so Linux is secure from the ground up.''

http://www.suse.co.uk/uk/company/schools/sheet.pdf
``As a desktop operating system Linux is secure, stable and easy to use.''
(SuSE is a vendor BTW)

http://www.bio-itworld.com/news/022503_report2077.html
``The certification is "additional validation" that Linux is secure, ...''

The list goes on and on and on.

> Linux is the hands of someone with no interest or regard for security is the
> same as Windows or any other OS in the hands of the same clueless
> individual.  The main difference between the Linux and Unix variants (i.e.
> BSD, Solaris, HP-UX) is that they have already learned their lesson regarded
> buffer overflows and kernel hardening and allowed the user more control in
> securing their systems.

This is repeated over and over again, but it is simply not entirely true. It
may protect against script kiddies, but not against more sophisticated
crackers. The following URL proves that:
http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it

Both persons in this conversation have a Linux box which:

1) Has the latest security patches installed and
2) Is only running the necessary services.

In other words, boxes that have ``been made secure by their users''.

> M$ has not, and that is unfortunate.

Flaws in other products do not make Linux more secure.

Groetjes,
Peter Busser
-- 
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ