A friend of mine pointed this out to me (something a subscriber of his wrote in a long, gee-aren’t-I-a-cool-little-coder post) and requested that I dispense with some enlightening tidbits, and I ask you, my friends, to reply with your thoughts as well, as I am far less computer savvy, particularly computer security savvy, than some of you. I knew this would be long, which is another part of why it’s here.
The other half of that equation is that I wanted something that was actually secure. I read an interesting article about recent security concerns and I was appalled at the responses of so many so-called “professionals” who insisted that Unix and Linux were more secure operating systems. It doesn’t take much of a brain to figure out that if you hang the source code out there like a surrender flag – it would be easy for anyone to hack the security of these systems. So why aren’t they targeted with more viruses? Virus writers seek to disable the broadest range of systems where they attract the most attention, and that is simply the Windows platform. I won’t disagree with the response that if you find a security hole in Unix or Linux that you can fix it yourself, which is certainly a plus (but can’t you usually do that in Windows too?). However, since there is no such thing as absolute security (meaning that even when holes are identified and patched, there is always another way to exploit the same flaw), making the source code available increases the risk for security breaches. In the end, no one choice in an OS platform is more secure than any other, so they are at least on level ground.
Okay, let’s get a few things straight here. Unix and Linux are not, in fact, one and the same. Not all Unix (and unixoid) operating systems are open source. Windows didn’t even develop the concept of ‘users’ with authentication until the mid-to-late 90’s, with Windows NT, copied lock, stock and barrel from Unix, which I’m pretty sure started on this plan, the most fundamental part of security, in the 70’s. And, idiot, if an operating system isn’t open source, how am I going to figure out the vulnerabilities and fix them when dork-boy down the hall blue screens my system with the hack he picked up from his 1334 friend at a different school, let alone submit them to Microsoft? The central idea of an open-source operating system is that it is reviewed by the community of users who then fix the broken bits. The central idea of a vendor-provided operating system, sans source, is that you don’t have to know what’s happening under the hood. Indeed the hood is welded shut. You need special tools and a lot of know-how to get under it. And if it breaks, whether because of the instability of the engine or someone threw something in the exhaust pipe? Well, you’re screwed, reinstall.
There are security exploits for probably every operating system out there. People do hack Linux boxes. But the exploits vary in frequency, ease of exploitation, publication of warnings, mean time to fix, etc. I’d be willing to bet that the open-source OSes come out on top in those evaluations. On the other hand, your absurd statements at the end, which I’ll paraphrase, “you can never really fix a problem, you just have to live with it” and “all operating systems are the same as far as security goes” (which contradicts your thesis, btw) are examples of some of the laziest thinking I’ve seen. Where is your backing for any of this? I’ll just let you know they’re false, and leave it up to the professionals you denigrate to explain the details 😉
circle gets a square.
hm. stephen, you know a bit of what i’ve done in the past and i suppose the future, i believe. i’ll be perfectly clear.
vulnerability is platform independent.
the only reason these things matter (platform wars, linux people, windows people, mac people, aix people, misc.*nix.people) is that people have a native desire to hype what they know. they say “my way or the highway” because they understand the space that they play in and since they’re the center of their own universe (we all are), naturally their way is the best.
the sort of person that rabidly advocates their platform o’ choice over another’s platform o’ choice is no different than someone that drives a dodge truck with a picture of calvin peeing on a chevy symbol. it’s a preference, it’s a lifestyle choice — it’s subjective.
i don’t care to debate the finer points of who codes what better, and why it would matter one way or the other that company a lets misc.geeks see the code while company b does not. right, fine, there will always be code-level mistakes made by programmers or some incredibly arcane way to cause a machine to do something it wasn’t intended to do. that’s not specifically the sort of vulnerability class that most dangerous people exploit.
security is a lot broader than most security people put forward. however, since most security people come from law enforcement backgrounds, they think in tedious, predictable patterns.
he’s intelligent but inexperienced. his pattern indicates . . . two-dimensional thinking.
security is many things:
– it is an architecture issue (where does my machine touch the world, where can someone access it remotely or locally)
– it is a service issue (what can my machine do, how does it access the resources (not the code, the resources) it needs to do it, and who has access control to make it happen)
– it is a necessity issue (why can my machine do these things, what business or personal need does that function serve).
every exploit that i’ve been a part of hasn’t involved using the weakness of a platform. it’s involved using weakness of services and weaknesses of people.
we are the weakest link. goodbye.
next time you’re surrounded by geeks, stephen, think to yourself “how many of these geeks are lazy? are any of these geeks lazy enough to have not turned off all the services they don’t use? are all of these geeks the kind of people that want to make it inconvenient for themselves to log onto their local machines? did some of these geeks cut corners on the last project that i worked on with them?”
it has nothing to do with linux. it has nothing to do with open source, with encryption, with having a tough to guess password that isn’t vulnerable to a dictionary attack. anyone that touts their platform as the most secure because of reason x is likely more vulnerable than someone that just keeps quiet about it. their time would be better spent trying to understand how their network is connected to everyone else, how authentication works in general, and considering who else has access to information on their configurations.
i could go on about this for a month, but i’m done now. if this doesn’t make sense to someone .. try leveling up back in town before wandering out into the wild to fight goblins.
Security foo
So, I partially do and partially don’t agree with you.
First, background: I’m not a rabidly pro-open-source guy.
I choose my operating systems based primarily on what they let me do. Under *nix, I’ve found it relatively easy to swap caps lock and control. Under macos/windows, I can play my favorite games. (Though I must admit, it’s been a long time since I played spellcast, or ADOM, my favorite angband/rogue knockoff). Under *nix, I find it easier to do without a mouse. At my two temp jobs thus far, they seem to blanch at the sight of the windows control panel, and have no notion of unix. I love the concepts of command line shells, pipes, process control, and the apparent relative stability of *nix. If I could play my pretty computer games (master of orion2, blizzard games, etc) under linux or freebsd, I probably wouldn’t have windows installed at home. I use emacs as my default windows text editor.
Ideologically, I prefer open source, and I will tout its virtues while playing warcraft3 on a windows2k box.
It saddens me that my resumes are in word format, rather than latex (or thus dvi or ps) because that’s what I’ve heard employers want. (not that I couldn’t adapt them fairly quickly, but still…) Anyway, I’m digressing.
Second, agreement: The most important security decisions you make are not ‘which platform’, but ‘what am I going to do with this box?’. This could also determine which platform. I suspect it’s easier to run an Exchange server on a win box than a *nix box.
How can it be reached, physically or electronically? What sort of access restrictions are in place? How on top of security is the sysadmin (ie, have they patched the security holes, is the root password something other than “hackmeplz”?)
Most of the boxes my mail and sensitive data are on, are in locked, guarded rooms, and have regular backups. (Thank you, cmu =). The sysadmins are paranoid, responsible, and proactive about network security, so I feel fairly confident about their security. I connect with ssh, and scp, and have different cr4ck3rApPr0V3D!!! passwords, (more secure than that string, duh). Not a 100% guarantee of system security, but good enough for me.
Though, based on my limited knowledge, having seen tons of windows boxes get infected with this or that virus, it makes me wary. I’ve heard of unixoid systems being compromised, but orders of magnitude less frequently and fewer than the win boxes. (at a university with a major unixoid presence).
People like the chick who wasn’t getting her email from her friends, and gave her password out to her jealous boyfriend, well, that’s just stupidity. Probably the biggest source of compromised security, but truly operating system independent.
Redarius makes some good points, but just so it’s been said: it’s not about how secure the OS is, granted, anybody can screw that up and it tends to come pre-screwed up. It’s about how securable the OS is.
For instance, I’m sorry, but an older version of Linux running Apache with old, known security flaws is less secure than a newer version with more patches, assuming the current version of Apache hasn’t done anything too braindead. OpenBSD comes more secure than just about anything, at least right out of the box, and all the stuff you don’t use is turned off by default, so you have to explicitly turn it on. Saying there’s no security difference there is silly.
I’m intentionally not mentioning Windows on the above argument, just to keep the religious warring slightly more contained.
Similarly, the idea that you can’t see the code so it’s more secure is like saying “if the hood is welded shut, less goes wrong with the car.” Sure, you can’t see it, and sure, there are problems you don’t mess with because they haven’t been pointed out (“What funny noise? Besides, I couldn’t fix it even if it were a problem, and FordChevrolet-AOL claims it’s not a problem!”). The hackers, like mechanical problems, don’t restrict themselves to the published specs or code so they’ll happen to any OS regardless. The fact that you can’t *fix* the problem doesn’t mean there *isn’t* a problem.
Okay, back on the “securable” front for a sec, then I’m done: way back when it was, say, Win3.1 versus Linux, there was a serious difference in vulnerability to viruses: memory protection, file protection, and the other things that kept J Random Virus from overwriting your resources without a serious fight. Sure there are vulnerabilities in most any OS, but they take some exploiting, especially if you want to run on most versions. It’s as hard as building any other robust software. Win3.1, because it didn’t require building additional robust hacks, had simpler, smaller, more potent viruses. The fact that it was also the predominant OS also helped explain why Linux had literally no known viruses from that period, but nonetheless, if it were easy then some smartass would have written and released one. Linux made writing viruses a real pain, so no viruses got written. It made writing apps much less of a pain, so some apps got written.
The differences in modern OSes are a lot less dramatic, but still certainly exist. Sure, Win2k has memory protection, and (mostly) protects files from unauthorized users, but it’s not as vigorous about protecting stuff from non-root users as most Unix-alikes, mainly because having lots of stuff protected from non-root users is a pain. The Unixoid OSes usually err more on the side of “more securable but a pain in the ass”, which is fine. But it’s also a difference. Sorry, but it is.
(small topics, less authoritative)
I’m going to stick to points i’m sure are accurate and that you can find supported in endless well-dissected real-world examples.
1) Most tactics of finding breakages in software do not require source; object code is enough. Flaws have a much smaller scope than their associated fixes. Thus open source does not (significantly) help attackers, but it does significantly help defenders.
2) There is mention of unfixable holes. Sometimes the API, protocol, or entire approach taken by a program shows up to be insecure, but of course, the lion’s share of the time, an insecurity comes from sloppy errors, small-scale logic flaws, and other relatively local problems. Your associate’s suggestion that these can be exploited once fixed is simply fatuous. If they can still be exploited, they clearly were not fixed.
Comments that it’s the types of services you deploy, the procedures you use, the thoroughness of your preparedness, and so on are of course more on-target than any of the above.
At SuSE we had some ridiculous setup where only certain IPs were allowed to try to talk to the SSH bastion host followed by a second login into the main branch office network. This was simply more of a barrier than made sense for the people who had to use it. One famous player ended up with an icon on the desktop labelled ‘root on‘ on their laptop sitting out at a trade show. Oops.
The only serious security beef I have with big ‘ole windows is the restriction of information about security problems after they have been identified and patched. “You don’t need to know,” doesn’t help motivated, thorough, and trained staff to make good security decisions.
-josh
“you say tomato, i say potato…”
Personally I find that just about any system can be pushed to the edge of destruction regardless of its code source by placing it on an open flat surface and driving an SUV right over it…. Mac, PC, Linux, Unix…. they all seem to kind of fall apart after that. ;p
Re: “you say tomato, i say potato…”
Mmmmm, steel-reinforced concrete computer cases. Slight overheating problems. =) Or, otoh, the eniac 😉 The eniac probably wouldn’t retain much more functionality than a computer of today, but it would probably cause an SUV to think twice. =)