Linux vs Windows a real life comparison

[piratePenguin]

Hell, why would you instruct H_TeXMeX_H to stay away from IE after instructing him to use only a limited account if IE/ActiveX/Javascript is okay in a user account?

Having to tweak one little thing isn't so bad, but user accounts aren't little things (Okay that sentence and the start of the next is bad. It's not hard to make a user account, I don't mean to say that. I mean to say that they're important. I'm too lazy to restructure it right now.). They're huge motherfuckers and everybody really should make good use of them. Apple and most GNU/Linux distributors took it on themselves to create a user account at installation time, because they knew it was important. Not only is it important for the individual user, it's important for the world of users because once one machine is cracked, the rest are in danger, especially if the rest are using superuser accounts to browse the web. For this reason, I believe that if Mac OS X or GNU/Linux dominated the market, they wouldn't have so much malware as Windows does now. There are other things to consider, ofcourse, and in the end I might be wrong, but I don't see how any non-retard could predict otherwise. IMO, Windows brought it's malware situation on itself more than anything else (the fact that it's a product of an evil corportion that many people have no/little respect for doesn't help much either).

Knowing how important using user accounts is is one thing, I still wouldn't declare anyone insane for releasing an operating system that doesn't setup a user account at installation time because there are other factors to be taken into account. One is the target market. I don't think Patrick Volkerding is insane because the Slackware installer doesn't setup a user account for the user, and probably most people don't. That's because Slackware is targetted towards people with a clue. Windows isn't.

I do think that Microsoft are insane for not having a user account setup at installation time. Did they expect most users to setup user accounts themselves or what? Microsoft were begging for disaster. Windows is/always has been begging for disaster.

[toadlife]

EDIT: Why does muzzy and Aloone_Jonez disable ActiveX if it's not a security issue with their limited accounts?

That's a damn good question, because it's rather pointless. Are you sure alone and muzzy actually use limited accounts?

[piratePenguin]

That's a damn good question, because it's rather pointless.

Then why don't you answer this one?:

why would you instruct H_TeXMeX_H to stay away from IE after instructing him to use only a limited account if IE/ActiveX/Javascript is okay in a user account?

Are you sure alone and muzzy actually use limited accounts?

/me searches for a bit
Nope, got nothing for muzzy and only this for Aloone_Jonez:

I set up all of the user accounts with restricted privileges and to show all file extentions to help gaurd against any infection by fire wall breaches or suspicious downloads.

Those could be accounts for other people though, so he might be browsing the web as root. There is one way to find out...

[toadlife]

Hell, why would you instruct H_TeXMeX_H to stay away from IE after instructing him to use only a limited account if IE/ActiveX/Javascript is okay in a user account?

Good question. The reason is because, even though running as a limited user protects the operating system, remote code execution exploits, if coded properly, can still infect the users space and run. There are more than just ActiveX exploits for IE. There are image rendering buffer overflows, javasripts overflows, etc. Due to it's marktshare, IE is highly targeted and whenever some buffer overflow is detected tons of sites carry the exploit code. I've personally seen adware that is coded to run in the users space. Because it was restricted to the users space, it was very easy to clean up, but it was still malware. The most valuable files on a system are the user's files, so a malware infection restricted the users space can still do really bad things, like steal personal info. Thebig difference is malware stuck in the users space is easier to detect (no rootkits!) and easier to remove (just  log in as a different account and nuke it!).

I got the clue on IE a loooong time ago and have been using mozilla since before version 1.0 and then firefox before version 1.0.

I do think that Microsoft are insane for not having a user account setup at installation time. Did they expect most users to setup user accounts themselves or what? Microsoft were begging for disaster. Windows is/always has been begging for disaster.

A agree. The default admin user account thing is dumb. It was amde to facilitate backward compatibility with programs coded for older versons of Windows that had no security model at all. Their other choice would have been some wierd sandbox/virtual machine type of workaround incompatible programs, which would probably severely degraded performance. It all comes down to what the customer wants. "Average Joe" computers users want, above all, their computers to work and not be slow. That's what Microsoft gave them.

You might be suprised that I think this, but when Vista comes out and it creates limited accounts by default, nothing will change as far as malware on Windows. Micreants will start to code their malware so that it runs in the users space, and people will continue to have their Windows machines infected just like they are today. Most viruses today propogate today by getting naive users to open up zip attachments and execute the files inside, so there is no reason to think that with Vista, malware will simply ask for the admin password - and naive users will type it in.

[piratePenguin]

Good question. The reason is because, even though running as a limited user protects the operating system, remote code execution exploits, if coded properly, can still infect the users space and run. There are more than just ActiveX exploits for IE. There are image rendering buffer overflows, javasripts overflows, etc. Due to it's marktshare, IE is highly targeted and whenever some buffer overflow is detected tons of sites carry the exploit code. I've personally seen adware that is coded to run in the users space. Because it was restricted to the users space, it was very easy to clean up, but it was still malware. The most valuable files on a system are the user's files, so a malware infection restricted the users space can still do really bad things, like steal personal info. Thebig difference is malware stuck in the users space is easier to detect (no rootkits!) and easier to remove (just  log in as a different account and nuke it!).

Okay but just one thing:

Due to it's marktshare, IE is highly targeted

There's more to it than market share. Just to make sure you're aware of that.

A agree. The default admin user account thing is dumb. It was amde to facilitate backward compatibility with programs coded for older versons of Windows that had no security model at all. Their other choice would have been some wierd sandbox/virtual machine type of workaround incompatible programs, which would probably severely degraded performance. It all comes down to what the customer wants. "Average Joe" computers users want, above all, their computers to work and not be slow. That's what Microsoft gave them.

They also got seriously messed up security. Microsoft (or should I say Windows) got themselves into their own mess anyhow.

You might be suprised that I think this, but when Vista comes out and it creates limited accounts by default, nothing will change as far as malware on Windows. Micreants will start to code their malware so that it runs in the users space, and people will continue to have their Windows machines infected just like they are today. Most viruses today propogate today by getting naive users to open up zip attachments and execute the files inside, so there is no reason to think that with Vista, malware will simply ask for the admin password - and naive users will type it in.

Good think Linux has working MAC (SELinux). Is there work going on to get MAC on Windows (A quick google search doesn't seem to think so... MS really should do be getting MAC on Windows I think...)?

# What does Security-enhanced Linux give me that standard Linux can't?

The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.

Kinda cool if you ask me.

[toadlife]

Dude....

Almost all of the features in SELinux have been a part of Windows since WindowsNT 4.0.

See what Im saying when I say you Widnows bashers dont know much about Windows?

[piratePenguin]

Dude....

Almost all of the features in SELinux have been a part of Windows since WindowsNT 4.0.

Really? How well do they work? Why isn't it being used (or is it/where is it being used?)?

See what Im saying when I say you Widnows bashers dont know much about Windows?

Yea, maybe I should go to university and study Windows.

[toadlife]

Well SELinux is more flexible than Windows, and very well might be a bit more advanced, but the concepts are the same. SELinux has ACL's for file permissions instead of the stadard rwx permissions. Windows has had since NT 3.5. SElinux uses policies which determind what actions what users can perform and I also think they can set ACL's. Again, Widnows has had system polcies forever.

There is a good discussion in Slashdot I had while back about the SELinux and it's comparison to Windows security model.

You can check it out it here.

The big problem with these advanaced security models, us that they can get really complicated really fast. Most Windows users who have grown accustomed to Windows security features are shocked when they move over to UNIX, as the stadard UNIX seecuirty model is MUCH simpler, and therefore much less flexible. On the other hand, seasoned UNIX dudes who move into the windows world are known to curse the Windows security model because of the are accustomed to the simplicity of standard UNIX security and the complexity of ACL's and polcies are annoying to them, as they view the complexity it brings as a weakness - because the more complex something is, the easier it is the screw up.

[piratePenguin]

Well SELinux is more flexible than Windows, and very well might be a bit more advanced, but the concepts are the same. SELinux has ACL's for file permissions instead of the stadard rwx permissions. Windows has had since NT 3.5. SElinux uses policies which determind what actions what users can perform and I also think they can set ACL's. Again, Widnows has had system polcies forever.

There is a good discussion in Slashdot I had while back about the SELinux and it's comparison to Windows security model.

You can check it out it here.

The big problem with these advanaced security models, us that they can get really complicated really fast. Most Windows users who have grown accustomed to Windows security features are shocked when they move over to UNIX, as the stadard UNIX seecuirty model is MUCH simpler, and therefore much less flexible. On the other hand, seasoned UNIX dudes who move into the windows world are known to curse the Windows security model because of the are accustomed to the simplicity of standard UNIX security and the complexity of ACL's and polcies are annoying to them, as they view the complexity it brings as a weakness - because the more complex something is, the easier it is the screw up.

I was talking about MAC, which at least in SELinux, if I understand correctly, I can setup so that when the user "piratepenguin" runs gaim, the gaim process can only write to ~/.gaim. AFAIK SELinux can do that through MAC (I've never looked much into SELinux), can Windows do the same thing through these "policies"?

While we're talking about security, while I was googling for "windows "mandatory access control" selinux", I came accross this article comparing the security capabilities of GNU/Linux and Windows. Damn there's alot of security stuff out there I never knew much about... Anyhow, it concludes that GNU/Linux is best in almost all areas (seven tested). It mentioned MAC for Linux through SELinux, and nothing about a Windows equivilent to it. Is this "policy" stuff I hear the same idea as MAC? It's well over a year old, but I don't know if much has changed since, maybe you do.

[cymon]

If the only reason Windows is attacked more is it's higher marketshare, then why is IIS attacked more than Apache httpd?

Also, consider this. While the Macintosh has a low market share, one common use for them is pro film editing. Since they dominate that market, someone with an axe to grind against the MPAA could put together a virus for OSX, and kill the movie studios. So if the Mac doesn't have better security, then why hasn't this happened?

Could it be that Unix systems are more secure? This so called Windows Firewall is a joke. Does it have HIPS, or any of the other things that you pay for in a real firewall? One thing I would like to see is a firewall that automatically gets a list of MAC addresses used by crackers, and automatically blocks them, sort of like PeerGuardian. Now, since Unix systems are open-source, at least the kernels, one could easily add this to Slackware or Debian or FreeBSD. But since Windows is closed source, you can't add it to the system.

Another issue is not just IE, but Outlook. They both use the same rendering engine, so a VB script will execute automatically in both IE or OE. And since there's no way to remove either, and IE is the file browser, that's a big hole. Now I know you can get the patches, but isn't a secure system supposed to hold it's own against crackers WITHOUT relying on a patching mechanism?

Now will Windows' stellar security features encrypt my entire disk drive, or my home folder, like MacOSX. You won't get code sharing, you'll just get a shoddy DLL, which can be replaced with one with malicious code. The only thing stopping this from happening is File Protection Services, which just checks the name. The fix for the .WMF hole was a DLL of the same name.

Now you could have a secure Windows box as long as you don't use IE, don't run as root, have a virus scanner, don't use Outlook, etc....
But the fact that all that is required to run Windows safely is proof that Windows is NOT secure, that it is a breaking dam, and that all those virus scanners are just delaying it's inevitable collapse.

[WMD]

If the only reason Windows is attacked more is it's higher marketshare, then why is IIS attacked more than Apache httpd?

It's not.  Arguably, IIS has has the more famous attacks, but not as many.

[toadlife]

If the only reason Windows is attacked more is it's higher marketshare, then why is IIS attacked more than Apache httpd?

It's not. Website defancements nowadays pretty much reflect marketshare numbers, with 65% hitting linux and 25% hitting windows. Check out Zone-H.org's 2003-2004 report on website defacements.

Also, consider this. While the Macintosh has a low market share, one common use for them is pro film editing. Since they dominate that market, someone with an axe to grind against the MPAA could put together a virus for OSX, and kill the movie studios.
So if the Mac doesn't have better security, then why hasn't this happened?

Herd Immunity. There are simply not enough Macs out there.

Could it be that Unix systems are more secure?

No, they are more obscrure - though this type of obscurity can lead to higher 'security'

This so called Windows Firewall is a joke.

Actually it does exactly what it was designed to do - protect computers from network worms. Microsoft wanted to protect customers computers, not enter the firewall market.

Does it have HIPS, or any of the other things that you pay for in a real firewall?

Again....It's not meant to be an advanced firewall.

One thing I would like to see is a firewall that automatically gets a list of MAC addresses used by crackers, and automatically blocks them, sort of like PeerGuardian. Now, since Unix systems are open-source, at least the kernels, one could easily add this to Slackware or Debian or FreeBSD. But since Windows is closed source, you can't add it to the system.

Your ignorance of networking is showing here. It impossible to get the MAC address of a computer which is not on your local network. This feature is not in PeerGuardian or any other firewall products because it's impossible to do.

Another issue is not just IE, but Outlook. They both use the same rendering engine, so a VB script will execute automatically in both IE or OE. And since there's no way to remove either, and IE is the file browser, that's a big hole. Now I know you can get the patches, but isn't a secure system supposed to hold it's own against crackers WITHOUT relying on a patching mechanism?

Holy shit, the ingorance train keeps rolling! First of all, firefox and thunderbird both use the same engine. IN KDE Koneror is also the filebrowser - and contrary to what you think, IE is not Widnows filebrowser. Explorer jsut has the ability to call IE's html engine to display web pages. Konqeror does this too.

Now will Windows' stellar security features encrypt my entire disk drive, or my home folder, like MacOSX.

Yes, windows can encrypt data, and the encrpytion cannot be cracked any easier than any other OS's file encryption. Full drive encryption is not available yet, but that is overratted IMO. The users file are  what is important.

You won't get code sharing, you'll just get a shoddy DLL, which can be replaced with one with malicious code. The only thing stopping this from happening is File Protection Services, which just checks the name. The fix for the .WMF hole was a DLL of the same name./quote]

Not sure sure WTF you are talking about here. Windows file encryption is jsut as secure as other OS's file encryption.

Now you could have a secure Windows box as long as you don't use IE, don't run as root, have a virus scanner, don't use Outlook, etc....
But the fact that all that is required to run Windows safely is proof that Windows is NOT secure, that it is a breaking dam, and that all those virus scanners are just delaying it's inevitable collapse.

I'm still waiting for that collaspe. I'll let you know when it happens.

[cymon]

Again....It's not meant to be an advanced firewall.

But if Windows computers are the most attacked, perhaps an advanced firewall is necessary. Since after all, Microsoft want's to secure their PC's, right?

Holy shit, the ingorance train keeps rolling! First of all, firefox and thunderbird both use the same engine. IN KDE Koneror is also the filebrowser - and contrary to what you think, IE is not Widnows filebrowser. Explorer jsut has the ability to call IE's html engine to display web pages. Konqeror does this too.

My point wasn't to slam MS for using the same engine, it was to point out that Outlook is as insecure as IE.

[piratePenguin]

It's not. Website defancements nowadays pretty much reflect marketshare numbers, with 65% hitting linux and 25% hitting windows. Check out Zone-H.org's 2003-2004 report on website defacements.



Herd Immunity. There are simply not enough Macs out there.

 No, they are more obscrure - though this type of obscurity can lead to higher 'security'

There are other important factors to take into account other than market share. Apache has proved this (whether it still holds true, I don't care). Whether the application was designed to be secure is one of them. NEVER FORGET than Windows doesn't setup a user account. As a result of that, there are HUNDREDS OF MILLIONS more super-Windows-users on the internet. Who do you THINK the crackers will target? Windows was asking for it, Mac OS X/many GNU/Linux distributions aren't.

Actually it does exactly what it was designed to do - protect computers from network worms. Microsoft wanted to protect customers computers, not enter the firewall market.




Again....It's not meant to be an advanced firewall.

Still, Linux has an excellent firewall, so does the BSDs and Mac OS X. Why doesn't Windows? It's the most used OS, it MUST be secure and it MUST have a REALLY good firewall to stop attackers.

Your ignorance of networking is showing here. It impossible to get the MAC address of a computer which is not on your local network. This feature is not in PeerGuardian or any other firewall products because it's impossible to do.

Can't iptables do it? Or does it only work for the local network?
http://www.cyberciti.biz/nixcraft/vivek/blogger/2005/12/iptables-mac-address-filtering.php

[cymon]

Besides, with MS Anti-Spyware, it looks like they're going into security. Why not go for an advanced firewall?

One thing that would be nice is something like OSX, when you go to do something that needs admin permissions, you supply an admin username and pass, just like sudo. That would be great. Even better, use bundles, then you don't have to install anything besides the bundle, just put that into a folder with rwx all around.