Message-ID: <Pine.LNX.4.58.0401162129220.5606@shishi.roaringpenguin.com>
From: dfs at roaringpenguin.com (David F. Skoll)
Subject: Re: January 15 is Personal Firewall Day, help the cause
On Fri, 16 Jan 2004 jan.muenther@...ns.com wrote:
> It can actually drive me mad to see how many Linux users entirely trust in
> their assumption that they're more secure by default simply because they
> don't run a Windows system.
A Linux user running a default installation of a modern Linux distribution
*IS* more secure by default than someone running a default installation
of Windows XP.
Modern Linux distros don't run many (or even any) services by default,
and they usually implement packet-filtering firewall rules. WinXP does not.
> However, there are *plenty* incredibly vulnerable Linux boxes exposed to the
> Internet and I know for a fact that quite a few people simply download and
> install binary packages from any given source without a second thought.
With Windows, you have no choice but to do that, because there's very
little open-source software available for Windows.
> Even more ironically, a lot of people just compile and install
> anything with the usual ./configure / make / make install stupor.
This is a problem, I agree.
> ELF infectors do exist, and just because it's not quite so common, doesn't
> mean it doesn't happen.
But unless you run as root, it's not possible to infect system binaries
(without also exploiting a local root hole.) The barrier to entry is
simply higher in *NIX than Windows.
> Also - wild theory - I'd say that people are less
> likely to notice a malware infected Linux box than a Win32 one, simply
> because of blind trust.
I strongly disagree. People expect Windows boxes to be slow, cantankerous
and crash-prone. When a Linux box starts acting wonky, people notice
immediately. One of my servers started going nuts the other day,
and I noticed very quickly. (It was a bad hard drive, not an attack,
but still...)
> I also disagree on the note that a single system exposed to the Internet
> doesn't form any type of threat at all. You can always beautifully serve as
> a hop or become a friendly member of a botnet or whatever.
I didn't say that. I said that if our colocation server got compromised,
it wouldn't compromise our work machines (which are on another network.)
> I'm not saying Linux sucks security-wise,
OK.
> I'm not saying Win32 sucks security-wise.
But it does.
> It's what you do with it, how you handle it, and how much you assume.
Look, I'm sorry, there are fundamental flaws with Windows that make
it practically un-securable. Linux has its bugs, but they are *bugs*, not
*design flaws*. So-called "security experts" who don't admit that are
doing a disservice to everyone.
Regards,
David.