Reality Check: How Safe Is Linux?

[Zombie9920]

By Vincent Ryan
NewsFactor Network
June 11, 2003

Many of the programs included in Linux distros have programming errors that lead to things like privilege escalation, whereby a common user tricks a program into thinking it has more privileges than it does, says Guardian Digital CEO Dave Wreski.  

--------------------------------------------------------------------------------

You want to think outside the box. Your budget calls for out of the box. Don't you wish you could have both? With Remedy, you can. Remedy's Service Management solutions, including Help Desk and Customer Support, deliver results quickly, easily, within your budget. Remedy. Your Business, Your Way.(tm)
--------------------------------------------------------------------------------
 


It is not enough for an operating system to be low cost, reliable and capable of handling mission-critical applications. At some point in every OS's cycle of life, the question comes down to security and safety.

Ever since the entry of Linux into mainstream business computing, security gurus have been trying to measure its vulnerability to security breaches  and attacks. They have even gone so far as to count the number of security alerts issued by Linux distributors to see how the numbers compare with those issued by Microsoft (Nasdaq: MSFT)  for Windows servers.

A definitive answered has eluded the experts, but that has not prevented them from taking sides in what usually devolves into a religious war over open-source versus closed-source operating systems.

Still, the crucial question plagues companies considering whether to go the open-source route: Is Linux a safe, secure operating system that you can bet your business on? And if it does have flaws, where are they?


View the entire article

[Bazoukas]

Here is the thing.
 Security issues are in all programs no matter the OS. Period.
  You can select what applications you want to install in Linux. If a distro comes with 100 additional programs, that does not mean that you need to install all of them.  Why would you wanna do that?
  Of course that would increase your risks, running programs that you dont need.
  Beyond that, the Linux community issues its warnings and fixes the problems in a way much faster pace than MS does. MS doesnt do that.
  Example? Apache fixed its wurm security issue in 24 hours. It took MS a month or so.

  Its not that Linux is bulletproof. What is different with Linux is that when problems come up, its brought to everyones attention really fast and its fixed right away.

  The backend of the industry runs on Unix and Linux. Microsoft has the frontend but the way they are going they will lose that too and its too bad and am saying that as a 101% windows free user. The more OS there are out there, the better for the consumer.
  And its not because their programers are not good. For me its the policies of MS that criples the OS and their programmers.

[KernelPanic]

Well at least problems get recongnised more in the open-source world that's how I see it anyway. Maybe Bill Gates is like Hoover hoping for some 'rugged individualism' on the sysadmins part? Although with Microsoft there is little room to customise.

I think for a lot of business physical security and social engineering are probably greater risks to them than OS security.
Some people in the Linux world need to understand that Linux is not impregnable and Windows people should start to appreciate that most corporate level Linux users know that.

A lot is down to sys/netadmins but at the end of the day I'd feel happier with a well set up Linux server than an equivalent Windows one.
 It doesn't matter too much what figures say anyway, as Win and Lin start to have less of a popularity difference  small businesses will start to be able to see achievements of the respective OSs in working environment. That, as opposed to hearing some Microsoft FUD or some half-story they have heard about this 'Lynux' from a friend of a friend of some Solaris admin.

Zombie, how come you only post articles nowadays, lost an opinion?

[Faust]

quote:
"The number of exploits [is] lower with open-source software, as is the response time until the exploits get fixed," Hichert agreed.

Speaks for itself really.

 

quote:
Distributors constantly are working on ways to improve the security of out-of-box Linux distributions, Shankar pointed out. Niche distributions focused on security include EnGarde Secure Linux from Guardian Digital, which provides multi-layered access control, a ready-to-build intrusion detection device, and a network gateway firewall. The distro also prevents Trojan Horse attacks and limits exposure to buffer overflows.

Some distros are designed for simple non server use.  You would be a fool to use them in a server role.  OTOH, distros like Debian are superb for server usage - and quite a lot more secure than Windows.  Do people use Windows for firewall boxes by the way or do they use BSD / specialized Linux distros like Smoothwall?

[Faust]

quote:
By and large, however, primary Linux distributions are roughly equal, Shankar said, because they all work off the same code base. There is always a trade-off in security, Wreski said. "Off-the-shelf Linux distros try to appeal to the largest mass audience possible." These distributors cannot add tighter security measures because they may adversely impact some part of their audience, he explained.

At the end of the day I'm sure we agree that security is largely dependent on the admin - and an admin with power will be able to secure a system better than a neutered one.  So which OS gives the admin more power?  Plus most security breaches come from within your network (employees), so you need to be able to comprehensively secure what they can and can't access - with Debian I can deny a user access to any part of my OS.  In fact the default behaviour in Debian is to deny a user access to the sound - following such sound advice as "if they don't need it they don't get it" can provide maximum security.

[Faust]

quote:
Additionally, many of the programs included in Linux distros have programming errors that lead to things like privilege escalation, whereby a common user tricks a program into thinking it has more privileges than it does, Wreski said.

SUID programs really.  A good admin will keep SUID access to a minimum.  And if it's not installed, you cant exploit it, so which OS enables you more choice over what you do and dont install?  *cough* Internet Explorer *cough*  At the end of a day a good admin is the crucial point, which brings us to:

[ June 13, 2003: Message edited by: Faust ]

[Faust]

quote:
Linux networks can be more insecure than Windows or Macintosh networks for the simple reason that the management and configuration of Linux is more complex. "A firewall is only as good as its administrators," Hichert said. "This is why people are running into security issues." Programs such as Astaro Security Linux make it easier to configure Linux networks by providing a GUI interface in place of a command line.

Well there we go.    Administrating a secure server should *not* be left to the incompetent.  This is obvious - and if an incompetent admin feels they can secure a server of *any* OS then they are fooling themselves.

[Faust]

[offtopic]
now that that's all done why cant i post over a certain word limit?  :confused:  
[/offtopic]

Oh and being more easily modifiable wouldnt Linux systems be better able to be changed in order to face new threats?

[Faust]

quote:
is to deny a user access to the sound - following such sound advice as

Hey wow I made a pun!  I feel so special.  

[Calum]

any system administrated by an idiot (or even someone ignorant in a lot of cases) can be incredibly insecure, and of course the system relies on the security of all the applications as well as the firewall stuff and all that, however the *IX setup has a lot of good failsafes and limiters built in like permissions etc, that systems such as windows do not have, or do have as an arbitrary afterthought. also the open source nature of the linux system and many of its applications and utilities (by comparison with the closed nature of mswindows and most of its software) means potential exploits (holes) get spotted and fixed very quickly, while a simple, easy and dangerous exploit in a closed source piece of software often can and does go unnoticed for years, and is not fixed for weeks after knowledge of it is made public.

However i agree the best computer security by far comes from sense, knowledge and intelligence.

[ June 13, 2003: Message edited by: Calum ]

[preacher]

quote:Originally posted by Faust:

Well there we go.     Administrating a secure server should *not* be left to the incompetent.  This is obvious - and if an incompetent admin feels they can secure a server of *any* OS then they are fooling themselves.

Security is extremely difficult in linux.

[Fett101]

More to security then just blocking net access.