Message-ID: <Pine.LNX.4.58.0401162129220.5606@shishi.roaringpenguin.com>
From: dfs at roaringpenguin.com (David F. Skoll)
Subject: Re: January 15 is Personal Firewall Day, help the cause

On Fri, 16 Jan 2004 jan.muenther@...ns.com wrote:

> It can actually drive me mad to see how many Linux users entirely trust in
> their assumption that they're more secure by default simply because they
> don't run a Windows system.

A Linux user running a default installation of a modern Linux distribution
*IS* more secure by default than someone running a default installation
of Windows XP.

Modern Linux distros don't run many (or even any) services by default,
and they usually implement packet-filtering firewall rules.  WinXP does not.

> However, there are *plenty* incredibly vulnerable Linux boxes exposed to the
> Internet and I know for a fact that quite a few people simply download and
> install binary packages from any given source without a second thought.

With Windows, you have no choice but to do that, because there's very
little open-source software available for Windows.

> Even more ironically, a lot of people just compile and install
> anything with the usual ./configure / make /make install stupor.

This is a problem, I agree.

> ELF infectors do exist, and just because it's not quite so common, doesn't
> mean it doesn't happen.

But unless you run as root, it's not possible to infect system binaries
(without also exploiting a local root hole.)  The barrier to entry is
simply higher in *NIX than Windows.

> Also - wild theory - I'd say that people are less
> likely to notice a malware infected Linux box than a Win32 one, simply
> because of blind trust.

I strongly disagree.  People expect Windows boxes to be slow, cantankerous
and crash-prone.  When a Linux box starts acting wonky, people notice
immediately.  One of my servers started going nuts the other day,
and I noticed very quickly.  (It was a bad hard drive, not an attack,
but still...)

> I also disagree on the note that a single system exposed to the Internet
> doesn't form any type of threat at all. You can always beautifully serve as
> a hop or become a friendly member of a botnet or whatever.

I didn't say that.  I said that if our colocation server got compromised,
it wouldn't compromise our work machines (which are on another network.)

> I'm not saying Linux sucks security-wise,

OK.

> I'm not saying Win32 sucks security-wise.

But it does.

> It's what you do with it, how you handle it, and how much you assume.

Look, I'm sorry, there are fundamental flaws with Windows that make
it practically un-securable.  Linux has its bugs, but they are *bugs*, not
*design flaws*.  So-called "security experts" who don't admit that are
doing a disservice to everyone.

Regards,

David.

