Linux vs MS - Security Debate

wollensak

New member
Jul 7, 2002
448
0
0
ardbeg
I deliberately left MAC off this post. Since it's a BSD Linux based operating system, I will accept that from a security perspective it's a wash between Linux and MAC.

I am not interested in the cost issue either. This is about security, period. If you can afford a MAC, do it. Windows is no bargain if your security is compromised.

I still believe Windows is an unsafe product, even with Anti-Virus software installed. I have seen XP Police and other bogus Russian hacks defeat McAfee. It's nice that MalwareBytes is out there fighting the good fight, but that's not the issue.

Fact is, Windows cannot be run safely without Anti Virus loaded and up-to-date. The responsibility for this is offloaded onto the computer user who may not even be aware of this limitation.

The potential for theft of the users money, or worse, identity, is too serious to be left to the caveat emptor solution.

Additionally, MS allows rogue programs to load themselves into the start menu and degrade the performance of the user's machine. Result: user believes the machine is "worn out", and buys a new machine, with a new Windows OS every couple of years. Nice con-job!

Giant oligopolies like Microsoft, which owns 90% of the market, are not responsive to consumer needs, especially when they have an ownership position in Apple and can play both sides of the street.

Even if you are using secured websites like PayPal to do your e-commerce, there is little to stop keylogger scripts from running and compromising your passwords, if you are running under Windows.

People frequently tell me that if Linux were as popular as Microsoft, the same problems would apply. Their view is that a determined hacker can hack anything. To which I respond, maybe, but why leave the door wide open?

Microsoft's "free" antivirus offer is pathetic. At the very least, an AV solution should be packaged with the OS. Better still, why not redesign the OS to be safer, like Kernel-based OSs?

Tell me I'm wrong, that there is no security issue with Windows. I'm listening.
 

enyaw

Member
May 8, 2005
816
1
18
earth
Good post, I eagerly await the responses. For online purchase and banking I use a third party App, which I believe is secure as long as your mach is patched, av and all.

http://www.roboform.com/

And you have the latest version, there is a free/paid version. I would love to hear any other suggestions. I think Windows server software is more secure but the options/fun factor for using the system is limited.
 

realthing69

Active member
Aug 24, 2008
625
39
28
Canada
There will always be security issues with Windows with its current code base (I'm sure it's large and bloated). Windows has a huge install base, rewriting the OS will break a lot of applications and hardware as we saw with Vista.

I think Vista/Windows 7 is a step in the right direction as I believe the kernel from Windows Server 2008 is the same.

I don't think MS would be allowed to package a FULL AV solution into the OS as that would cause an uproar with other AV solution providers such as Symantec and McAfee (anti-competitive).
 

Goomer

New member
Nov 22, 2006
203
0
0
Giant oligopolies like Microsoft, which owns 90% of the market, are not responsive to consumer needs, especially when they have an ownership position in Apple and can play both sides of the street.
I'm not going to start discussing Macs in this forum, but I do want to make you aware that Microsoft's ownership in Apple was divested a long long time ago (I'm sure they wish they still had shares whenever they see AAPL's performance in the stock market! lol). Microsoft no longer has any ownership in Apple.

"It is well known that in August 1997, Microsoft bought $150 million of Apple stock as part of a lawsuit settlement. Microsoft sold it sometime in 2001 at about a 7% profit, earning about $10 million on the investment, but losing so much more as Apple became a serious and healthy competitor."

http://microsoft.blognewschannel.com/archives/2007/08/22/how-much-did-microsoft-lose-by-selling-apple-stock/

Cheers :)

Goomer
 

Goomer

New member
Nov 22, 2006
203
0
0
One of many reports

http://news.techworld.com/security/11184/linux-attack-worse-than-feared/

*off topic*, I'm starting to see a lot of Bank Phishing, the last round was from a Scotia ruse ... be careful people.
Yes, unfortunately, no computer in the world will save you from phishing expeditions. If you give them your personal data, they'll take you to the cleaners, no matter which OS you're running.

Never log in to secure banking/financial sites directly from a link in an email. Always open a new browser page to do this! And for god sakes, never reply to one of these "account information required" emails with your personal data!

I get these kinds of emails from time to time, and it is scary how many people might fall for these kinds of scams. The internet can be a dangerous playground, so make sure you protect yourself from scammers.
 

The Options Menu

Slightly Swollen Member
Sep 13, 2005
4,541
275
83
GTA
1. Mac is based on the BSD kernel, with bits of the GNU / BSD / Open Source userland. Linux is just a kernel, and has nothing to do with Mac OS X. You'd do better to credit BSD, GNU, and the maintainers of the other software they've borrowed.

Windows Security Issues:

First of all, Windows has gone a long way to address all of these, mind you all those who ignore POSIX / UNIX are doomed to re-implement it badly :p

1. A large install base of network facing systems, that often aren't administered well, with a large user base of users that are promiscuous with removable media and email attachments... Let's face it, they are the low hanging fruit for technical and social engineering attacks.
2. Difficult for the average user to actually know what's running and what's listening on what port. If they even know what a port is. The solution is a firewall, the solution to get around the firewall is to disable the firewall, or have an evil bug do it for you.
3. Windows doesn't have a strong history of user / system separation, and they're still coping with that legacy.
4. To get around the DOJ in the 90s Microsoft buried the internals of IE deep into the system space. They've been trying to move away from that ever since...
5. Software updates, including security updates, often come from a myriad of sources, and you can't count on automatic installation, the promptness of vendors, or the promptness of users / administrators.
6. To compensate for the above the defences that have been used tend to be passive and ex post facto. Virus scanners and malware scanners.
7. "You never get fired for buying Microsoft." So you combine Windows with Windows Server, use IE and IIS, use Outlook, and let's not forget Office. You've basically just given yourself a highly uniform integrated stack with a dodgy security record, a good chance of a half arsed administrator, and a stack that pretty much guarantees maximum mileage for bad things... Break that stack up for the love of god, even if you go mostly Windows.
8. It's always all x86 for the most part. (Minus the Xbox and some windows CE devices.) This is great for propagating things.

Linux security issues:
1. You have a small desktop install base, and many many servers, appliances, and devices. The appliances and devices tend to be well locked down, same goes for the servers... Just not as attractive a target.
2. You have a very strict user / system separation since the dawn of time.
3. Running as root (admin) will result in a sack beating and mocking from friends. If your software must run as root, other developers will do this to you. If you're running as a user (particularly on a virtualized system or a hardened system) you can't really do too much harm.
4. Pretty much all Linux distributions turn off network facing services, these services tend to be configured for safety when they get turned on. It's very easy to figure out what's listening on a Port.
5. Updates are centralized, though you are dependent on the promptness of your distribution getting them to you. Most studies see a rather quick turnaround for security issues getting from project -> distribution (then to users).
6. In addition to the basic UNIX security framework, there is a large list of sandboxing techniques, virtualisation, and extended security frameworks. There are also firewalls (just in case you don't know everything listening on ports), and there is even a good virus scanner in ClamAV (That's mostly for viral mail on servers and making sure you don't pass viruses that can't hurt you on to your Windows friends).
7. If you're really paranoid you can encrypt your file system.
8. The most common type of malware in Linux is probably the rootkit-- This is a bit of software that has exploited a bug on a machine to gain 'root' permissions to do something. These are exceedingly rare on a well maintained system, and chkrootkit and rkhunter will hunt most of the known ones down.
9. If you're still worried about your users causing trouble, you can set disk quotas (and other resource quotas software pending), lock down hardware and software via groups and / or permissions, and explore other solutions like SELinux and / or policykit and / or whatever. (Plus fun things like port knocking, etc...)

The NIXes were built as multi-user networked OSes designed for massive uptime, and this isn't 1995. Linux thrives in the ubiquitous networking and massively pluggable environment of today...
 

WoodPeckr

Protuberant Member
May 29, 2002
47,044
6,058
113
North America
thewoodpecker.net
Windows is a sieve for security purposes.
This is one of the main reasons I left M$ for Linux which is by far better in protecting you from all the nasty stuff on the web today that only seems to be getting worse.
 

The Options Menu

Slightly Swollen Member
Sep 13, 2005
4,541
275
83
GTA
Windows started as a collection of stripped-down concepts implemented in serious OS-es, like Unix. For example, Unix implemented security within the kernel, but Windows didn't and that is the main problem with Windows security from the dawn of viruses. At that time, the implementation of Unix on the PC platform was challenging because of lack of sheer processing power. The other serious problem was Unix licensing. Myriad of different incompatible UNIX versions ultimately brought that OS down. Windows was simply something that was technically achievable on the PC platform and financially affordable.

Linux is a Unix-like OS and is very secure, but not completely immune to attacks. However, Linux is much more difficult to penetrate than Windows just because of security that's implemented within the kernel.

In my opinion, for any serious server or networking application, there is no comparison - Linux all the way. Windows will never reach that technical level, but no matter how shitty and bloated it is, Microsoft's financial power and influence shouldn't be underestimated. 20 years ago, there was a fantastic OS that lost the battle against primitive Windows. That OS was called UNIX.
Well to be fair the commercial UNIXes spent a great deal of time shooting themselves in the foot, gut, and face. In some ways Linux was the great uniter in that every UNIX sought to be 'Linux Compatible' as a lowest common denominator.
 

Anynym

Just a bit to the right
Dec 28, 2005
2,961
6
38
It has been mentioned before that the *nix community learned early on from their mistakes and from the mistakes of others to control what you allow other systems to do to your own system.

There was a time, for example, when the "Unix-to-Unix Copy" program (uucp), an early forerunner to networked computing as we see it today, was used to rapidly spread malware among unix hosts. Systems administrators and developers quickly learned to restrict the permissions on their uucp client and to apply the lesson of "minimal permissions" across their system.

Windows developers continue to encourage the installation of software into the "C:\Windows" directory without a user's knowledge or consent, including on-the-fly, providing wide open permissions for rogue software to take over a system at will.
 

WoodPeckr

Protuberant Member
May 29, 2002
47,044
6,058
113
North America
thewoodpecker.net
Windows developers continue to encourage the installation of software into the "C:\Windows" directory without a user's knowledge or consent, including on-the-fly, providing wide open permissions for rogue software to take over a system at will.
It's hard to understand why M$ still does this.
 

NiceShoes

man with nice shoes
Mar 29, 2003
374
2
18
If you are behind a firewall or router where your true local IP is not advertised to the public, then for someone trying to hack into your computer it is not a trivial task to do. I am using both Snow Leopard and Windows 7 64bit on my PC and I noticed that Win7 warns you if an application is trying to make a connection to the internet. I think those things make Win7 more secure to use than before.
 

Anynym

Just a bit to the right
Dec 28, 2005
2,961
6
38
It's hard to understand why M$ still does this.
The file system which Microsoft has chosen doesn't have the best permissions-control, and I'm sure the advocates for improvement have a difficult time convincing the powers that be of the need for a new file system (after having taken so long to move from FAT to FAT32 to NTFS).

Then, there's the legacy problem: all sorts of decent applications have grown accustomed to the poor practice of placing or updating executables in the C:\Windows\System32 directory, and placing temp files in C:\Windows\Temp.

Any change has a high likelihood of breaking such programs and damaging the reputation of Microsoft as a general, easy-to-use platform for a broad range of development.

But we can hope that one day they'll create a simple enhancement to their file system to "register" and "lock" directories: a Locked directory could maintain a SHA sum of each file in the directory for easy comparison against a certified version, and could maintain certain controls over writing to such a Locked directory. It wouldn't solve the problem, but it might help provide tools in the fight.
 

Cassini

Active member
Jan 17, 2004
1,162
0
36
Then, there's the legacy problem: all sorts of decent applications have grown accustomed to the poor practice of placing or updating executables in the C:\Windows\System32 directory, and placing temp files in C:\Windows\Temp.
Microsoft recommended this practice, and threatened to pull your "Designed for Windows" certifications if you didn't follow Microsoft's recommendations.

Incidentally, placing temp files in a hidden subdirectory in the user's home directory isn't a good idea either:
1. It prevents saving temporary files on fast local disk devices.
2. Hiding the temporary directory creates a handy hideout for malevolent programs like malware, viruses, key-loggers, and trojans.
3. You still need a temp directory, because the system processes need a place to store temporary files.
Having a central temporary directory isn't a security flaw, and having temporary files in a user-based hidden subdirectory isn't a security solution. Fundamentally, on a single user operating system, the issue is that Windows does not support a good secure method for storing temporary files. Temporary files are a hole in Microsoft's security infrastructure.

But we can hope that one day they'll create a simple enhancement to their file system to "register" and "lock" directories: a Locked directory could maintain a SHA sum of each file in the directory for easy comparison against a certified version, and could maintain certain controls over writing to such a Locked directory. It wouldn't solve the problem, but it might help provide tools in the fight.
Microsoft has done this. Sort of. This is another example of a not-quite fully thought out security solution. Specifically, to be effective:
1. The security solution must cover all sources of executable code on the system, and not only code compiled with the latest Microsoft developer tools.
2. The Microsoft solution is vulnerable to someone tampering with the manifest files.
3. It creates a new hidden directory, that does not get backed up, and still causes DLL conflicts.
Again, Microsoft's solution does not quite work as well as a properly thought out solution.

If you want a secure O/S, follow the NSA's advice and run Linux, ideally with SELinux extensions. It might not be perfect, but at least the authors have thought about many of these problems.
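
Added example, not part of any post in this thread and not Microsoft's mechanism: a sketch of the "Locked directory" idea proposed above (a SHA sum per file compared against a certified record), extended with a keyed tag over the manifest to address the manifest-tampering weakness raised in the reply. The function names, file names and the HMAC key are hypothetical; the key is assumed to be kept where programs that can write to the directory cannot read it.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def hash_dir(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def seal(root, key):
    """Return (manifest_bytes, tag): the certified record of the directory."""
    manifest = json.dumps(hash_dir(root), sort_keys=True).encode()
    return manifest, hmac.new(key, manifest, hashlib.sha256).hexdigest()

def verify(root, manifest, tag, key):
    """Return a list of findings; an empty list means the directory matches."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["manifest: authentication tag mismatch"]
    certified, current = json.loads(manifest), hash_dir(root)
    findings = []
    for path in sorted(set(certified) | set(current)):
        if path not in current:
            findings.append(f"{path}: missing")
        elif path not in certified:
            findings.append(f"{path}: not in manifest")
        elif certified[path] != current[path]:
            findings.append(f"{path}: modified")
    return findings

def demo():
    """Constructed sample: seal a directory, then tamper with files and manifest."""
    key = b"constructed-demo-key"  # assumption: unreadable by directory writers
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.dll", b"v1"), ("b.exe", b"v1")):
            Path(root, name).write_bytes(data)
        manifest, tag = seal(root, key)
        clean = verify(root, manifest, tag, key)
        Path(root, "a.dll").write_bytes(b"patched")   # existing file replaced
        Path(root, "c.dll").write_bytes(b"dropped")   # new file planted
        changed = verify(root, manifest, tag, key)
        forged = json.dumps(hash_dir(root), sort_keys=True).encode()  # rewritten manifest
        return clean, changed, verify(root, forged, tag, key)

if __name__ == "__main__":
    print(demo())
```

A bare list of hashes stored next to the files can be rewritten along with them; the keyed tag is what makes the rewritten manifest fail verification.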
 