Author Topic: Linux security sucks too?  (Read 769 times)

Xeen

  • VIP
  • Member
  • ***
  • Posts: 1,065
  • Kudos: 55
Linux security sucks too?
« on: 22 September 2003, 23:16 »
Someone pointed me to this, claiming that Linux is even more unsecure than Windows:

http://lwn.net/Alerts/

Not exactly sure how to respond.

flap

  • Member
  • **
  • Posts: 1,268
  • Kudos: 137
Linux security sucks too?
« Reply #1 on: 23 September 2003, 00:50 »
I don't understand what your point is. That unix software has bugs? Of course it does. Just not as many as Microsoft software.
"While envisaging the destruction of imperialism, it is necessary to identify its head, which is none other than the United States of America." - Ernesto Che Guevara

http://counterpunch.org
http://globalresearch.ca


Calum

  • Global Moderator
  • Member
  • ***
  • Posts: 7,812
  • Kudos: 1000
    • Calum Carlyle's music
Linux security sucks too?
« Reply #2 on: 23 September 2003, 00:53 »
what is their point?

open source software enables people to see and fix bugs and holes quickly. this happens time and again and is free for those who wish to take advantage of the freely donated fixes.

closed source software (we are talking windows, solaris, and so on) does not have this. they still have the holes and bugs but because nobody but the vendors can see the code, those holes never get plugged. the practical evidence shows that *BSD and  linux are a shitload more secure than other big but closed OSs, and this is the reason.
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

jasonlane

  • Member
  • **
  • Posts: 743
  • Kudos: 0
    • http://www.root10.net
Linux security sucks too?
« Reply #3 on: 23 September 2003, 01:23 »
One of Open Sources strong points is that it can be judged (the product, code etc.) by your peers. Proprietary / closed source development does not have that advantage. This means that bugs ARE fewer in Open Source developments and bugs are usually fixed at a quicker pace. It makes sense to involve and engage the community at large, rather than to try and close as many people out as possible.
The MES Anti-Prude Force
*******
"I don

mushrooomprince

  • Member
  • **
  • Posts: 415
  • Kudos: 55
Linux security sucks too?
« Reply #4 on: 23 September 2003, 02:19 »
Heh ... Linux security sucks ... yeah  they would like that wouldn't they ?
All your base are belong to us.

Faust

  • Member
  • **
  • Posts: 1,223
  • Kudos: 0
Linux security sucks too?
« Reply #5 on: 23 September 2003, 20:58 »
woo old thread back to life scary...  like frankenstein!!!

a lot of those security alerts are "possible exploits."  Take these Debian bugs for example:

[21 Sep 2003] DSA-382 ssh - possible remote vulnerability (new revision)
[18 Sep 2003] DSA-386 libmailtools-perl - input validation bug
[17 Sep 2003] DSA-383 ssh-krb5 - possible remote vulnerability
[16 Sep 2003] DSA-382 ssh - possible remote vulnerability

Note the "possibles."  With open source or better possibles can be fixed *BEFORE* they are exploited.  With non free programs you dont know theres an exploit until some fucking bastard in a tiny country you've never heard of is using it to buy kiddy porn with your credit card, and that bug wont be fixed until the vendor sees a commercial benefit to doing so - think about it, Microsoft is a company, they are interested in money not software.  Software is only of use if it gets them money, which is nice to most people but not the be all and end all to those of us with ethics.  If an exploit is not popular enough to piss off enough customers why spend money on fixing it?  In fact why not just spend that money on a newer Office suite to make *MORE* money, because Windows users will not spend $$$ on a new upgrade cycle for "bug fixes."  (well not all of them are that stupid i guess...   although i guess windows 98 etc is a point. ;)  )  In fact, why not just ban users from even publishing those bugs (whice the new EULAs are covering...  you cannot publish benchmarks of .NET code without MS approval.) and have a nice empty exploit report list to give consumers the opinion that you have none?

Also look at the "perl" exploit...  ah perl?  Unless your running cgis with it that bug is only exploitable to local users - not remotely.  With the massive amount of software in say Debian, also note that those exploits arent just "linux" exploits.  They also cover MySQL, Apache, sendmail, wu-ftpd etc.  How much bigger do you think the MS bug report database would be if they like GNU/Linux vendors covered all the bugs in all the software that most commonly runs on their platform?  If Windows like Debian was distribed with 9000+ seperate software packages all "made to work with Windows" by Microsoft how much longer would those MS bug reports be?
Yesterday it worked
Today it is not working
Windows is like that
 -- http://www.gnu.org/fun/jokes/error-haiku.html

M51DPS

  • VIP
  • Member
  • ***
  • Posts: 608
  • Kudos: 30
Linux security sucks too?
« Reply #6 on: 24 September 2003, 00:29 »
Just a quick poll, how many people have OpenSSH active? How long did it take you to upgrade? Are you aware that the MSBlaster Worm affected people who didn't upgrade months after the patch was released? Or what about how many people don't want to apply patches because it causes more problems? I have this theory that every OS has some bugs, and that maybe some OS are put into the spotlight because a certain evil corporation wants them to look bad. Anyone had a glimpse of a list of Mac OS X security updates? As long as it is, I'm not afraid to apply them and I do it as soon as possible.

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
Linux security sucks too?
« Reply #7 on: 24 September 2003, 01:58 »
quote:
Originally posted by M51DPS:
Just a quick poll, how many people have OpenSSH active? How long did it take you to upgrade?


I have openssh active, i didn't upgrade it. I probably won't. I dont have anything important that isn't backed up, and i'm on dialup so people will probably use me alone. it's not like i go handing out my ip address to everyone.

flap

  • Member
  • **
  • Posts: 1,268
  • Kudos: 137
Linux security sucks too?
« Reply #8 on: 24 September 2003, 02:16 »
why bother running sshd if you're on dial-up? Or if it's only for your internal network why not block it (and everything else) at the firewall?
"While envisaging the destruction of imperialism, it is necessary to identify its head, which is none other than the United States of America." - Ernesto Che Guevara

http://counterpunch.org
http://globalresearch.ca


mobrien_12

  • VIP
  • Member
  • ***
  • Posts: 2,138
  • Kudos: 711
    • http://www.geocities.com/mobrien_12
Linux security sucks too?
« Reply #9 on: 24 September 2003, 05:57 »
I patched openssh within the same day as the flaw was announced.  OpenSSH is one of the few services that I leave open to a relatively large number of IP addresses, and I learned long ago that if you choose to have an open service you must commit to patching it regularly.  

I might have waited longer (within a week), but

1) My Linux boxes are in a "war zone" (numerous probes every day, systems other than mine on the subnet are compromised on a regular basis, and the network admins refuse to firewall the network).

2) The OpenSSH hole was one of the few OSS flaws that was being exploited before the programmers found it.

I patched MSRPC within a couple of days.
In brightest day, in darkest night, no evil shall escape my sight....

solarismka

  • Member
  • **
  • Posts: 598
  • Kudos: 0
Linux security sucks too?
« Reply #10 on: 2 October 2003, 23:32 »
quote:
Originally posted by M51DPS:
Just a quick poll, how many people have OpenSSH active? How long did it take you to upgrade? Are you aware that the MSBlaster Worm affected people who didn't upgrade months after the patch was released? Or what about how many people don't want to apply patches because it causes more problems? I have this theory that every OS has some bugs, and that maybe some OS are put into the spotlight because a certain evil corporation wants them to look bad. Anyone had a glimpse of a list of Mac OS X security updates? As long as it is, I'm not afraid to apply them and I do it as soon as possible.


Yup I've got openssh active, running a server.  Updated after a few minutes after the patch was posted.  

No curruption, loss, and/or downtime  :D
"Regime Change" starts at home!<p>Islam IS NOT the enemy! Against American Terrorism since Sept/11/2001<p>Jihad:<p>http://www.islamanswers.net/jihad/meaning.htm <p>new SuSE Linux User!<p><p>If your gonna point a finger at someone then at least have the proof to back you up!<p>trolls are idiots that demand attention by posting whatever is opposite to the theme to ruffle feathers to make people upset!<p>Often these same trolls always mention grammar/spelling since they have no intelligence of their own.

Windows_SuX_@$$

  • Member
  • **
  • Posts: 233
  • Kudos: 0
Linux security sucks too?
« Reply #11 on: 2 October 2003, 23:42 »
M$ IS YEARS BEHIND LINUX, But it supports gaming

Linux is more stable
Signatures can appear at the bottom of your posts. This option may be disabled by the message board administrators at any time, however. You may use UBB Code in your signature, but not HTML. UBBCode Images are permitted.

SAJChurchey

  • Member
  • **
  • Posts: 246
  • Kudos: 0
    • http://sajchurchey.htmlplanet.com
Linux security sucks too?
« Reply #12 on: 3 October 2003, 02:00 »
Actually the first instance of the bug was found in OpenSSL on Sept. 29, and on Sept. 30 OpenSSL released the patch.  It was patched up fairly quickly.  It would have probably taken a week or two for M$ to patch a publicly announced security bug.
SAJChurchey                    

mushrooomprince

  • Member
  • **
  • Posts: 415
  • Kudos: 55
Linux security sucks too?
« Reply #13 on: 3 October 2003, 04:07 »
I don't see any articles on how million of dollars was lost due to a vulnerability in linux exploited by hackers.  Until i see one, I'm assuming linux security is good, and far better than windows.
All your base are belong to us.