
Cross-platform open source threat: Is open source really more secure?


Sophos has disclosed the existence of a proof-of-concept worm (StarOfficeBadbunny) that attacks through a vulnerability in OpenOffice and other programs using StarBasic macros. According to Sophos, this is a multi-platform threat affecting Windows, Mac OS, and Linux. It is written in several scripting languages, including Perl.

While this particular threat is minor, it does illustrate a growing problem. I am all in favor of open source code, but I have never bought into the idea that it was less vulnerable to attack.

Just to start out on the right foot with open source fans, I like OpenOffice, and I often recommend it to small business clients and individuals who need Microsoft Office-like applications but don't like Microsoft prices. I also like and use Firefox and Linux, and I recommend both as well as other open source software.

Sometimes the more security-savvy of my friends and customers say to me, "Oh, you recommend OpenOffice (Linux, etc.) because you think it is safer!" In a practical, everyday sense, yes -- if you run Linux, you are less likely to be hacked.

But I feel the need to explain that I have no idea whether it is inherently safer. I'm not convinced that Firefox or Linux is actually safer than Microsoft products in any absolute meaning of the term.

We seldom hear of big threats to open source platforms, but that isn't the same thing as saying they are inherently more secure. They may merely be attacked less often. Pointing out that they are "not being targeted as much as Microsoft" doesn't PROVE they are less vulnerable. They may be less vulnerable, but that only PROVES that they are "not being targeted as much as Microsoft."

Open source is certainly cheaper if you don't need much support -- although even that is highly debatable if you need to support a lot of users on open source operating systems or applications, especially if you (or they) are trying to do anything even slightly out of the ordinary. (Don't forget training costs: How many of your new workers learned Linux and OpenOffice in school? Most of the ones I see have been trained -- if badly -- on Microsoft.)

Open source vs. Microsoft security is an OLD argument, but two recent developments have brought a different focus to the question. First is this multi-platform malware I just described. Second is the fact that Dell just announced it would begin selling Linux-loaded computers at Wal-Mart.

An exacerbating circumstance is that home users MAY wake up to the incredible cost of converting to Vista (and the tiny advantage) and begin actively seeking an alternative. Put the Dell name and reputation behind inexpensive Linux-based PCs in a discount setting, and they are going to sell. Add the cost of Vista (including the need for much more powerful hardware), and Wal-Mart Linux Dells may sell A LOT!

Heck, I expect to buy at least one myself. And based on that, I may recommend them to clients, but that doesn't mean there is no potential downside. Currently, I would much rather try to secure a Linux environment mainly running mainstream open source applications, but that may change if Linux becomes more popular outside the controlled business setting.

For example, if Wal-Mart starts selling a lot of Linux boxes to home users who are then open to exploitation as zombies, we can expect a lot more directed attacks. As the target grows larger, it will become more tempting to take an occasional shot at it. And that's when we will begin to see whether open source really is inherently less vulnerable in the real world where Microsoft operates.

Although a lot of businesses and advanced users already have Linux and use non-Microsoft browsers and office applications, I still consider this to be a hothouse environment. That is, it is running (and running very well) in a restricted and relatively safe world.

If you are supporting a Linux office, I BET your network is sitting behind a well-maintained firewall! When Linux is on millions of home user machines connected to cable boxes, it will be out in the jungle where Microsoft users get slashed every day.

So should those of us who actually use and especially support Linux, Firefox, and open source applications really be pleased to see a flood of novice users? Pride aside, is it a good idea from a business standpoint? Am I being selfish to want Linux and great open source applications to remain the favorites of relatively few users and most of them (us) highly security-conscious?

It is far from certain that non-Microsoft platforms and applications will eventually become popular and vulnerable targets for malware producers. I am fairly certain that, unless a lot of them get into the hands of home users and clueless business users, there won't be much incentive for the bad guys to begin to explore potential vulnerabilities.

Today I'd much prefer to be in charge of securing a Linux-based office than a Microsoft office -- just as I prefer strolling around in a nice, safe neighborhood where lots of people aren't prowling the alleys out to mug me. (It's always so annoying having to explain all the muggers' injuries to any cops who don't know me. GRIN.)

Keeping a good thing to yourself can be considered selfish, but in business sometimes it's just a matter of common sense. So, while some will cheer to see Dell and Wal-Mart selling Linux boxes to the masses, I won't be among them. I already know how to load Linux on a bare box -- something that, even today, few home users are able to do for themselves.

219 comments
Fil0403

For me, it's been more than obvious for a long time that open-source or even Apple products are not necessarily safer than Microsoft products; they are just less targeted because they are also generally less used, and the increase in Mac OS X security vulnerabilities as it gets more popular only proves that.

TheTinker

Is open source more secure than Microsoft, by design? Yes, it is a little more secure by design. Will that gap narrow? Unfortunately, I think it will. I think as demand for features increases, security will have to be compromised for function. Not that features must compromise a system, but they push security more and more into the hands of the user. I think, as many have stated, open source at present is much, much more secure than Microsoft products. Not just because MS makes a larger target, but mainly because the people who use open source are much more likely to take time to secure their machines and practice safer internet and e-mail habits. As more typical users start using open source, the security issues will increase simply because they practice unsafe computing. You can be as healthy as a horse, but if you go playing around unprotected, the chances are you will eventually catch a social disease. Innately robust security design cannot overcome filthy habits.

apotheon

1. Open Source Security in General

As I pointed out (and explained at some length) in my article [url=http://articles.techrepublic.com.com/5100-10877-6064734.html][b]Security through visibility: The secrets of open source security[/b][/url], there is a security advantage to open source software as compared with closed source software. That advantage is that vulnerability discovery and fixing by the "good guys" is, all else being equal, faster and better with open source software than for closed source software. I could go into the details of why this is so, but I'd basically be repeating huge chunks of that article, so you may want to go read that since I don't like repeating myself.

This does not mean that any given piece of open source software is [b]inherently[/b] more secure than a closed source counterpart, however. The piece of software itself is still its own individuated entity, and is a victim of the design decisions behind its development, just as is any closed source software. Each should be evaluated on its own merits for purposes of determining security characteristics.

It's worth noting that, based on social forces such as personal investment in the software and the reason the software is created, developed, and maintained by its developers, open source software will on average tend to benefit from greater security improvements over time (or at least a lesser increase in security problems over time) than equivalent closed source software. Remember that the major motivation for developing open source software is to have high-quality software available and/or to nurture a reputation as a high quality developer, while the major motivation for developing closed source software is for a paycheck dependent upon the marketing department's successes and how much the developer's boss likes him or her.

2. Proprietary Closed Source Security in General

As I hinted in the previous section, there are some distinct conflicts of interest inherent in proprietary software development circumstances between business success and actual software quality. Additionally, proprietary software vendors and distributors often operate under a more direct conflict of interest with their customers, as proven by the (hopefully still memorable) Sony music CD rootkit fiasco of last year. Not only will proprietary software vendors often sacrifice software quality improvements on the altar of public perception (it's difficult to claim your software has no vulnerabilities and, simultaneously, fix its vulnerabilities), but they will also at times distribute software that [b]intentionally contravenes system security[/b] in some manner deemed beneficial to [b]them[/b], rather than to you (the customer). This is not much of a problem in the open source world, of course, where the source code can be reviewed publicly (and, generally speaking, [b]is[/b] reviewed to varying extents quite often) for any such perfidies on the parts of the developers and distributors.

It's also worth noting specifically that the software "sold" by closed source software vendors is often judged by the vendor's name rather than by the quality of the software itself. Furthermore, the phenomenon of "vendor lock-in" comes into play all too often, where choosing to use a given piece of software can make it difficult to migrate away from that software's vendor's offerings in the future -- and this is an effect specifically pursued and executed with malice aforethought by vendors that attempt to guarantee that a source of revenue today will continue to be a source of revenue tomorrow.

Because open source software developers tend to want their various pieces of software to play nicely with each other, they develop software specifically with the opposite of lock-in as a goal: they want to make it all as cross-application compatible as possible. As a result of the difference here, proprietary software can often lead customers by the nose from more-secure versions to less-secure versions of software, and because they are choosing software based on vendor (for compatibility purposes) rather than on other criteria (such as security) they can often find themselves using software that has significantly degraded in quality and security over time, whereas (one would hope) they might be less inclined to cling to a sinking ship so tenaciously if they used open source software that was widely compatible with other open source software.

3. Specific Software Security Examples

Where the notion arises that open source software is somehow inherently more secure -- rather than simply tending toward far greater security on average, thanks to the social factors involved in software development, as is actually the case -- is in the specific examples of certain "flagships" of the open source and closed source software worlds. I speak, of course, of such examples of the two camps as Linux and MS Windows. Linux is, at present, more inherently secure than MS Windows simply because of the significant differences in underlying software architecture. Matters such as privilege separation, automatic execution, modularity of kernel architecture, greater admin control over the environment, modularity and customizability of the operating environment, and so on, all play a role in the greater [b]inherent[/b] security of the unixlike architecture of an OS like Linux as compared with that of MS Windows.

There are other examples of greater inherent security in several high-profile open source applications than in Microsoft applications. Firefox, while no longer subject to as high development quality as we came to expect from the early days of its development, still enjoys a few architectural benefits -- such as the absence of a browser-standardized remote code execution path like ActiveX, the lack of close integration with the OS on which it is running as in the case of IE's rendering engine's pervasive use in Microsoft applications and MS Windows' GUI functionality, and (there's that word again) Firefox's [b]modularity[/b] (though the benefits of that are waning fast as more and more functionality is incorporated into the core application). These intrinsic security benefits as compared with IE combine with the extrinsic benefits of an open source development model to provide a far less exploited application.

More open source software examples exist that are used as examples when people try to say that, simply by nature of being open source software, a given piece of software [b]must[/b] be more secure than a closed source counterpart. These examples do provide a significant numerical weight of evidence in the attempt to draw such a conclusion, but the argument is invalid. Open source software is not necessarily [b]inherently[/b] more secure than closed source software, even if certain popular examples of open source software [b]are[/b] inherently more secure than their comparable closed source counterparts. Given time, Microsoft may finally abandon enough of its poor choices in software architecture for IE that IE will cease to be inherently less secure than Firefox, and with the way Firefox is inscrutably destroying its own security as its development chases after ill-advised goals we may then find that the only benefit Firefox enjoys over IE is a tendency toward more effective vulnerability discovery and fixing because it's open source. That's a tendency -- not an inherent quality.

4. Conclusion

As a result of all the above, the ultimate answer is something like this: Open source software is not, by nature of being open source, inherently more secure. On the other hand, all else being equal, a betting man should bet on the open source "horse" for greater security every time.

Of course, given the business needs and unknown Linux expertise of Dell, it may be that they'll start shipping computers with security-crippling modifications of the otherwise relatively secure Linux-based OS, effectively limiting its security capabilities to a level of near parity with MS Windows. This is especially possible considering the already security-crippling modifications of the usual unixlike security model of Linux that are imposed by the Ubuntu project. That doesn't prove anything about Linux inherently suffering security problems on a level with MS Windows, however -- it just proves that a malicious or idiotic person can, given the access needed to do so, make a shambles of the security of any OS. The fact that, with effort, one could conceivably reduce the level of security of a Linux system from the standard to the new low of parity with MS Windows' default is not the same as both having the same security characteristics. To claim it is would be to claim that posting your IP address and root password for a Linux system to the World Wide Web is equivalent to a default install of MS Windows, behind a firewall, while keeping all your passwords as safe and secret as possible.

(edit: rethought a couple phrases)

demintid

Ok, so Dell puts Ubuntu on some cheap systems and markets it right, and open source begins to grab a larger hold on the market share. Good for Dell. The reason that Linux is considered safer is because it is not mainstream. And it is difficult to write across distros. You're not going to have a virus written for Fedora Core run under Debian without running alien to reconfigure the package from source. I am by no means an expert, but things are not as simplified and square across the board of distributions. Alien packages are just that: alien. Not to mention the fact that the best place to write a Windows virus would be in a *nix environment. I say open source should come to the head of the line, just because of the free software involved. This community could use another couple million people. Got questions? Head to Linux, Unix, Solaris chat #2 on Yahoo chat. Look for Demintid.

Neon Samurai

Please, for all our sakes. Learn. Go forth, seek information and shed your ignorance. For all our sakes; it'll make for far more productive conversation. Not to be mistaken as a flagrant attack; I mean ignorance in the sense of one who has information available to them but chooses to ignore it. This is not to be mistaken with stupidity, which is the inability to understand information at all. To give you a few directions to start in: Linux is based off the Unix system development model, which has been evolving since before Bill first robbed someone for the booterless DOS code. Go read about the Unix/Linux security model, if not the entire OS architecture. OS X is based on BSD, which is a form of Unix. It runs BSD in the back end and presents the user with Apple's closed source X theme and GUI programs. When people refer to OS X as more secure, it's because of an understanding of the security model employed in that Unix back end. Anyone who knows their stuff will also be aware that Apple's icing on top has its own flaws, but these are usually limited to user areas and cannot touch the BSD kernel at the OS core. No one is saying you're an idiot for preferring Windows over other OSes. They are saying that, based on technical details, Windows architecture could have been designed far better.

Neon Samurai

http://news.netcraft.com/archives/web_server_survey.html I bet that high usage of Apache webserver software is not due to the majority of webservers running on MS server software. Seems that would show the majority of servers on the largest possible network are taking the greater beating. Somehow I gotta think that if Unix-like OSes supporting Apache are in the majority of the servers being beat on and it's standing up ok, then that hardening has to be flowing down to the general desktops. Of course, it will vary depending on the distribution; Ubuntu has intentionally reduced security considerations while other distributions retain security as a primary goal.

Tig2

You have been given a wealth of information that should, theoretically, stop asinine postings. It would appear that nothing that has been provided to you in terms of refutation has permeated your thinking whatsoever. Let's consider another look, shall we? Microsoft does not provide either the promised uptime (five nines) nor the ROI that it claims unless a couple of things are happening: the server (five nines) has a "maintenance window" during which the server is downed and restarted, and the Enterprise has a significant present investment in Windows (ROI). Both of these factors skew the statistic. FOSS software doesn't seem to see the need to market itself. If you want to use it, do so. If you don't, don't. Oddly, we don't see realistic projections on server software, much of which is *nix. To take your "security through obscurity" concept through its lifecycle, shouldn't we be considering server instances? As Apotheon has pointed out, *nix is a dominant force in the server environment. Servers are, by definition, choice targets. Why aren't they being hacked at an equal rate to Microsoft servers? Another interesting note: the OS X vulnerabilities lie outside of its Unix core. And by default, an OS X user is not root, regardless of permissions. One must sudo to root at the CLI in Terminal. The hacks out there still aren't touching the kernel. Not true on a Windows box. Still, the argument comes to a definitive point: what will best facilitate the user's needs? If Microsoft, patch and prepare to defend. If OS X, know what you are seeing and be prepared to patch. If FOSS, check the development page. All very simple, really.

Tony Hopkinson

Statistically, you are far less likely to have a crash. Based on your reasoning, Windows should be radically more secure than *nix, because of all those people finding the flaws to exploit.

apotheon

It's more than obvious to me, for some time now, that you've latched onto an overly simplistic view of software security based on the old "security through obscurity" fallacy because of a correlative, but not causative, relationship between Mac popularity and Mac security in a very brief time frame, and refuse to actually learn anything more about the subject.

TheTinker

Obscurity is far from the reason FOSS is more secure. It contributes to the low number of successful attacks, and I don't think anyone can reasonably argue otherwise. However, even if market share and number of attempts were equal, I truly believe FOSS is better designed. I was only making the point that security will suffer to some degree with widespread adoption. See my response to your Myth post for more. . .

TheTinker

I understated my faith in the community. Yes, FOSS is better designed and written, and will continue to be because of the dedication of the community. I simply think that as mainstream adoption occurs, the cattle will, unless some great awakening occurs, demand more features on a quicker development cycle, and expect to continue to practice unsafe computing. If this happens, it will result in more successful attacks on FOSS systems. Look at Ubuntu; they made decisions that adversely affected the security of the OS for "ease of use". Most of the people I know would still be connecting to the internet with MS, w/out anti-virus or firewall protection, if I hadn't mandated otherwise. FOSS will still produce the safest software, but the gap will narrow some because of these issues.

Fil0403

"Is open source more secure than Microsoft, by design? Yes, it is a little more secure by design." Did you or anyone else ever give an actual proof of that? No, you didn't. "I think, as many have stated, open source at present is much, much more secure than Microsoft products." I think, as any unbiased person would notice, you and anyone who states that has never, ever actually given a proof of that. "Not just because MS makes a larger target, but mainly because the people who use open source are much more likely to take time to secure their machines and practice safer internet and e-mail habits." Users' habits have nothing to do with how secure a certain product is. "You can be as healthy as a horse, but if you go playing around unprotected, the chances are you will eventually catch a social disease. Innately robust security design cannot overcome filthy habits." How interesting that people understand that so well and easily when we're talking about open-source or Apple products, but not when we're talking about Microsoft products.

apotheon

I'm always disappointed when I see that people fail to read the other responses to see if there's something already in the discussion that might invalidate their premises when they post something, and fail to allow for the potential presence of such invalidating information when they post something. In your case, you stated the notion that open source software security is entirely based on A) the supposed lack of people attacking it and B) the supposed lack of people with poor computing habits using it, as if what you were saying were indisputable fact. You completely ignored other comments in the discussion that make a very strong case for other factors coming into play as well, either because you didn't bother to read them or because you didn't bother to understand them. Yeah . . . I find that disappointing.

GhostBrowser

Try variations of this:
Knowing how a lock works
Doesn't mean you know how to open it.

Sorry I was a bit hard on you.

You may already know this joke. It was a while back. NASA (I think it was them) were going to research crash-proof computers. Microsoft was one of the companies they were going to include in the project.

Don't know if rickk would get that one.

Neon Samurai

Each distribution being a different OS based on the same commodity parts (for the Windows-only educated out there), I can see some becoming flimsy with others remaining right proper hardened. In the case of Ubuntu, subtle security layers have been removed for the ease of the uneducated computer user. Now that's one example, but I think there is enough creativity and methodology in the FOSS community to provide those bell and whistle features that users demand without tearing wide holes in the Unix security model. My guess at the future is an even wider variety of OS distributions as some specialize more for the average user and others continue to specialize more for the Deb or Gentoo type user.

apotheon

"[i]Did you or anyone else ever give an actual proof of that? No, you didn't.[/i]" I guess you don't know much about things like modular kernels, privilege separation, universal vulnerability patching policy, peer review, and several additional happy side-effects of security models based on visibility rather than obscurity. From what I've seen, all of your statements about security up to this point, both in this discussion and elsewhere, have been based on the myth of [url=http://en.wikipedia.org/wiki/Security_through_obscurity]security through obscurity[/url]. "[i]Users' habits have nothing to do with how secure a certain product is.[/i]" Amazing! You can say something logically valid and true!

Fil0403

I'm always disappointed too when I see people ignoring and refusing to accept the fact that open-source security is based on the proven lack of people attacking it, a phenomenon we can see with Macs, which are getting more and more hacked as they get more popular.

apotheon

I [i]should[/i] be good at this stuff -- I do it for money (among other reasons), and need to be good enough to earn my keep.

~Omega~

I use both Linux and Windows. They get along well and play happily together. Now that I have set the stage (i.e. I am not a Linux or Windows guy), I really get sick of valid points being dismissed with "You are using the 'Security through obscurity' argument and it isn't valid." If everyone in the world used Linux, every hacker in the world would be focused on trying to turn Linux-based PCs into bots. The sheer number of attempts would produce results, and then Linux would be branded "The most insecure OS the world had ever seen." Now along comes MS, and a few people start using it. Sure, a few people are going to turn their attention here, but for the most part, those zombie nets are still going to be running on a primarily *nix infrastructure. My point? Security through better code? Maybe and even probably. However, "Security through obscurity" doesn't hurt the Linux cause.

TheTinker

You've hit on a possibility that I had not considered, but like very much. Suppose a large scale market shift took place. As Apotheon mentioned, overall computer security stats would get better, while overall Linux stats would take a bit of a hit. As you stated, ". . . I can see some becoming flimsy with others remaining right proper hardened." Uneducated users would start with an Ubuntu-like, soft OS. As their skill and confidence grow, the user may gradually adopt more hardened distros.

apotheon

"[i]I was thinking of your experience that you described where your screen loaded up blank. In the pc-bsd thread. You had to correct this if I remember correctly by modifying a config file.[/i]" The problem there is in the fact that FreeBSD has issues with certain ATI cards. For some reason, having X load DRI on FreeBSD causes a system with an X300 Mobility Radeon to fail to run the X Window System properly.

"[i]My nic has never been found, I have had to go out and buy a cheep card which was supported.[/i]" From the "GENERIC" kernel config:

    # PCI Ethernet NICs.
    device de      # DEC/Intel DC21x4x (``Tulip'')
    device em      # Intel PRO/1000 adapter Gigabit Ethernet Card
    device ixgb    # Intel PRO/10GbE Ethernet Card
    device txp     # 3Com 3cR990 (``Typhoon'')
    device vx      # 3Com 3c590, 3c595 (``Vortex'')

    # PCI Ethernet NICs that use the common MII bus controller code.
    # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
    device miibus  # MII bus support
    device bce     # Broadcom BCM5706/BCM5708 Gigabit Ethernet
    device bfe     # Broadcom BCM440x 10/100 Ethernet
    device bge     # Broadcom BCM570xx Gigabit Ethernet
    device dc      # DEC/Intel 21143 and various workalikes
    device fxp     # Intel EtherExpress PRO/100B (82557, 82558)
    device lge     # Level 1 LXT1001 gigabit Ethernet
    device nge     # NatSemi DP83820 gigabit Ethernet
    device nve     # nVidia nForce MCP on-board Ethernet Networking
    device pcn     # AMD Am79C97x PCI 10/100 (precedence over 'lnc')
    device re      # RealTek 8139C+/8169/8169S/8110S
    device rl      # RealTek 8129/8139
    device sf      # Adaptec AIC-6915 (``Starfire'')
    device sis     # Silicon Integrated Systems SiS 900/SiS 7016
    device sk      # SysKonnect SK-984x & SK-982x gigabit Ethernet
    device ste     # Sundance ST201 (D-Link DFE-550TX)
    device stge    # Sundance/Tamarack TC9021 gigabit Ethernet
    device ti      # Alteon Networks Tigon I/II gigabit Ethernet
    device tl      # Texas Instruments ThunderLAN
    device tx      # SMC EtherPower II (83c170 ``EPIC'')
    device vge     # VIA VT612x gigabit Ethernet
    device vr      # VIA Rhine, Rhine II
    device wb      # Winbond W89C840F
    device xl      # 3Com 3c90x (``Boomerang'', ``Cyclone'')

    # ISA Ethernet NICs. pccard NICs included.
    device cs      # Crystal Semiconductor CS89x0 NIC
    # 'device ed' requires 'device miibus'
    device ed      # NE[12]000, SMC Ultra, 3c503, DS8390 cards
    device ex      # Intel EtherExpress Pro/10 and Pro/10+
    device ep      # Etherlink III based cards
    device fe      # Fujitsu MB8696x based cards
    device ie      # EtherExpress 8/16, 3C507, StarLAN 10 etc.
    device lnc     # NE2100, NE32-VL Lance Ethernet cards
    device sn      # SMC's 9000 series of Ethernet chips
    device xe      # Xircom pccard Ethernet

Any of those NIC chipsets should be supported quite well.

"[i]But, because pc-bsd as I understand it is built off the BSD kernal. I would foresee the same issues if I tried building a desktop box.[/i]" Hardware support should be pretty much the same between FreeBSD and PC-BSD -- you're right about that. It's likely, however, that PC-BSD would require less configuration to support stuff that it's capable of supporting.

Neon Samurai

No worries though. I'm still working on configuring FreeBSD, installing Plan9 successfully and tracking down a copy of Haiku to see if there's a hope in hell of me getting that running under a VM.

DanLM

When I made that statement, I was thinking of your experience that you described where your screen loaded up blank, in the pc-bsd thread. You had to correct this, if I remember correctly, by modifying a config file. My experience which comes to mind is in servers, and that is specifically driver support. Every server I have built with a BSD has been built on systems where I have purchased lower to mid range boards. These boards always came with NIC/video/audio hardware on them. Almost always, the NIC was an nVidia. My NIC has never been found; I have had to go out and buy a cheap card which was supported. I have never worried about either the video or audio on these machines because in my mind a server is just that: a non-desktop machine, running daemons which support server functions, i.e. apache, samba, backup daemons, ftp, ssh. This is only assumption on my part (I know, never assume). But, because pc-bsd as I understand it is built off the BSD kernel, I would foresee the same issues if I tried building a desktop box. I have not gone much further with this with hardware like DVDs or other external media. But, reading various forums, I have seen where others have had some issues. Now.......... If pc-bsd was marketed on a machine that had all supporting hardware, then ok, but at any time a person tried to upgrade a piece of hardware, I think there would be issues. Ok, finer touch is probably not the correct term here. And I do not know what is shown during the build when non-supported hardware is found, i.e. the interface that says, no driver found for such and such hardware. But, again, I was thinking of my experience when something was not supported. I only found out when I just didn't see that hardware during the selection process. Dan

apotheon

"[i]I thought I heard of another distro that did this, but I can't find a reference anyplace for it.[/i]" You probably mean PC-BSD's slightly older cousin, DesktopBSD. How exactly does it need "finer touches"?

DanLM

That's what I was talking about. Something built off the BSD kernel, but they took the time to make it easier for people to load. I thought I heard of another distro that did this, but I can't find a reference anyplace for it. That's all I meant, sorry. Dan

Neon Samurai

"I know there are a couple already out there like this, but they need some finer touches for the public to bite." I'll bite. Like what? If it's something freely available it may be a new addition to my collection.

DanLM

[i]The time might be ripe at that point for a takeover by a more secure and more free OS, like FreeBSD. Muahahahahahah![/i] Sorry, I couldn't get past that part before I had to reply. Or, how about another spawn off the BSD kernel like Mac did? But, unlike Mac, don't modify the kernel; build on top of it. I know there are a couple already out there like this, but they need some finer touches for the public to bite. Dan

apotheon

If Linux distributions end up taking over large percentages of the desktop PC market, with distros like Ubuntu taking the lead, I could see overall computer security statistics getting better while overall Linux statistics get a bit worse. That would potentially put Linux in the position of looking like the weak link in the security chain -- which in some respects, it would be. The time might be ripe at that point for a takeover by a more secure and more free OS, like FreeBSD. Muahahahahahah! Oh, damn, my villain's exposition escaped. Sorry about that. Actually, it might just serve to more effectively separate the various Linux distributions as distinct OSes in the minds of the general public, finally -- as certain distributions are less susceptible to attack than others. At least the window of vulnerability will tend to be much more brief with even the least secure Linux distributions than with MS Windows. Note: All of the above completely ignores the existence of MacOS X or the potential of additional, "dark horse" OSes coming into the picture in some significant fashion. Et cetera.

TheTinker

When the mass perception is based on reported successful attacks, reported flaws, and number of patches, user habits do inflate the numbers. Yes, Fil. This can also be said of MS products, that poor user habits artificially inflate the reports of successful attacks. The difference is that because direct access to FOSS OS kernels is protected and tightly regulated, the damage a user's stupid decision can do to their security is limited.

jmgarvin

Chad wrote a great paper on this. Not only are you 100% wrong, but also ignoring the server market... I also point you to Apache vs IIS if security through obscurity worked.

Neon Samurai

I'd actually like to see FOSS distributions take the same beating that the marketing monoliths take; call it masochistic curiosity. I think the thousands of self-motivated FOSS developers would continue to respond to found bugs as quickly as they do now. It's just the way the FOSS development methodology works; anyone who spots a software flaw or has a comment submits it (Bugzilla or the project website) and the developers iron out the wrinkle if applicable or consider the suggestion. The difference of motivation is that both Apple and Microsoft benefit from the public perception of invulnerability. "Our products are not weak and flawed; look at the shiny new paint on them after all. Spend your hard-earned money on our bulletproof product rather than that Swiss cheese from the other guy." They both are motivated to and regularly do withhold software flaw information while a small under-budgeted team eventually gets to making a patch or critical fix. Both choose to protect their customers through obscurity rather than notify the customer base and provide a fix ASAP. The more recent and public example being Apple's network stack that wasn't critically vulnerable until a network stack patch suddenly appeared, and that was after running the two researchers who found the flaw into the ground. The motivation is to "fix it in-house" rather than lose perceived "face" in front of the public customer base. The motivation is primarily monetary, with quality being a sub-motivation because it affects the monetary motivator. The motivation of FOSS is the open production of better software. Bug reports are welcomed, as is any other suggestion or issue with a project. The motivation is primarily quality, not monetary. Quality and functionality are the monetary currency that keeps a project alive in a Darwinist evolutionary process.
FOSS is continually motivated to evolve the current version of the program, where proprietary development of the current version is only good until sales profits drop or the next new version due date is announced and the motivation shifts to readying that as the new profit driver. It's a different mindset with a different importance of goals and outcome. This is all to be considered in the desktop market, where Windows does get the bigger beating. On the server side, *nix is the bigger slice of the pie and already enjoying the bigger beating, as I understand it.

apotheon

[url=http://techrepublic.com.com/5100-10877-6064734.html][b]Security through visibility: The secrets of open source security[/b][/url] [url=http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=223951&messageID=2249435][b]success rate vs. success rate[/b][/url] (re: possible effects of market dominance by free unices) Finally . . . I recommend you learn something about software architecture before you go running your mouth about things obviously beyond your understanding again.

apotheon

I both do computer stuff and write for money -- and when I write for money, it's generally computer stuff that I write. I really appreciate the kind words, in any case. Thank you.

Dumphrey

"I should be good at this stuff -- I do it for money" Should I assume that you mean computers by this statement? If I work from that assumption, then your post is still good, because familiarity with computers does not translate into an ability to communicate. If I take your statement to mean that you write for a living, then your post is also still good, because you presented real content in a clear manner. I could make assumptions all day, but I have stuff that needs doing.

Dumphrey

I see what you mean about the accuracy of "free unices" vs. "Linux/BSD". I'll have to think about this more. Not that there is any great need to abbreviate.

Dumphrey

thought about this, "The key here is that, yes, if free unices "ruled the world", most security crackers would target free unices -- but that doesn't take into account the fact that there would surely be fewer security crackers, too." But it makes a lot of sense. You're right, script kiddies would basically be done for, as Unix attacks do require more skill and personal attention on the part of the cracker. If anything, it would lead to a weeding out of the hacker/cracker community, so there would be fewer, but better, hackers. The mere thought of no more botnets sending out their spam makes me feel a little warm and fuzzy... I think I need to be alone now.

apotheon

"[i]On a random note, is there a good way to shorten linux/bsd?[/i]" I know of people who use *nix or 'nix to refer to all unixlike OSes, but that includes proprietary Unix implementations, and some consider it to include MacOS X as well. I tend to use "free unices" to refer to free/libre/open source unixlike OSes, especially since what I'm usually talking about is free unices. Linux distributions, open source *BSDs, and Darwin each qualify as a free unix OS. While it's not shorter than "Linux/BSD", it's certainly more precise in defining the intended scope of a statement. It also helps to ensure that I'm not forgetting something. (edit: fixed italics)

apotheon

There are two different ways that immediately spring to mind for measuring the rate of success on attacks on free unices. 1. Measure the successful attacks for the number of free unix systems out there. 2. Measure the successful attacks for the number of attempts. Trying to measure number 2 is almost impossible, because many unsuccessful attacks don't just go unreported -- they go unnoticed. Some successful attacks also go unnoticed, but that doesn't have nearly the same detrimental effect on accuracy for measuring the number of attempts (and, thus, the success rate in terms of attempts). The successful attack rate for the number of systems is the one that makes the most difference to those of us trying to choose a secure system, of course. How would that change if the desktop market share of free unices and MS Windows were reversed? It's an interesting question, and one that people tend to debate over a lot. Unfortunately, most people are pretty dense when it comes to such speculations, and leap to overly simplistic conclusions -- such as the conclusion that obscurity is the only security benefit of Linux (or any other OS) over MS Windows. Anyone that knows something about system architecture as it applies to security, and about vulnerability discovery and patch issues as they relate to practical security, knows that's a load of hogwash. Of course, with a much greater market share on the desktop, free unix systems would suffer more attention by those looking to crack security on free unix systems. Assuming reasonable security practices (meaning something like FreeBSD's defaults, and not so much like Ubuntu's defaults), I think the attack rate per number of systems in use (regardless of success or failure) would actually drop significantly. With a vast majority of desktops running a more architecturally secure OS, it would be less rewarding to attack desktop systems because the ease of compromise would be greatly reduced. 
Sure, we might assume there were still low-security OSes out there (maybe MS Windows still hangs on to a small percentage of the desktop in this hypothetical world), but when the majority of systems out there do not share the same ease of compromise you lose a lot of ease of choosing targets, and ease of distributing attack effort. Think about this: most of the attacks that occur are actually automated from systems that have already been compromised. Those already compromised systems are MS Windows systems, because they were easily compromised in the first place. Free unices tend to require more personal attention, and an actual human being only has so much time to spend in trying to compromise individual systems. More viruses and other security cracking mechanisms that are automatically propagated would "die on the vine" because they could not achieve widespread distribution, which means that, in turn, fewer systems would be turned into automated attackers to compromise yet more systems. Furthermore, patches for discovered vulnerabilities would be much faster on average because the majority of systems would be served by the open source developer community, which develops, tests, and issues patches much faster than proprietary vendors like Microsoft. This means that windows of opportunity for widespread vulnerability are closed very quickly. Even worse for the malicious security cracker, script kiddies would be far less successful because greater knowledge of security cracking theory would be necessary to succeed non-trivially as a security cracker. Servers would become a much more enticing target, as compared with desktops. They're already much more valuable targets, but with the drop in number of security crackers who can even survive in a desktop security market, and the last hopes of easy creation of DDOS botnets evaporating, servers would be all the value that's left. 
There might be a slight increase in the number of security crackers targeting server systems, but overall I think the major difference in comparative targeting percentages would be simply due to the number of people targeting desktops dropping off, while the number of people targeting servers remained nearly the same. The key here is that, yes, if free unices "ruled the world", most security crackers would target free unices -- but that doesn't take into account the fact that there would surely be fewer security crackers, too. After all, the fact that free unices are the only real targets doesn't change the fact that many security crackers haven't developed the skills necessary to be successful in a world that revolves around free unices. Many, in fact, wouldn't care to, or even simply don't have the talent (or whatever) necessary to do so.

Dumphrey

on this "I'm very curious though. Part of me would love to see Linux take enough market share to get pounded just to test if the FOSS development model is that much better than the proprietary closed development model." It would do me good to have Linux/BSD get a much larger adoption ratio. On a random note, is there a good way to shorten Linux/BSD?

Dumphrey

We will have to agree to disagree on the success vs. attack rate on Linux for now, simply because there is no evidence one way or the other. It could be that Linux really is more secure than I think it is (which is several large notches above Windows (TM)), and it could also be that better rootkits/exploits will come along to circumvent this, or to make significant damage possible under normal user space (and no, I have no examples of this, it's just a passing thought). In all honesty, I hope you are right =)

Neon Samurai

My theory is that the developer community would act faster on those found exploits and, like BSD, the system would harden quite nicely. It always comes back to the severity of the software flaw and the time between discovery and fix. With FOSS, anybody can check the code and submit an updated bit. ;) I'm very curious though. Part of me would love to see Linux take enough market share to get pounded just to test if the FOSS development model is that much better than the proprietary closed development model.

Absolutely

[i]with his post Abso is not the "security through obscurity" implication, but the fact that the argument is irrelevant.[/i] I agree. [i]"and then Linux would be branded "The most insecure OS the world had ever seen" But what would be the point of branding it such, if everyone was using it? For every computer user to choose a single OS would imply it was perfect, or as close as humanly possible. Not even MS can claim it has that type of following, no OS can or (most likely) ever will.[/i] I agree, chuckling. [i]But his post does point out that if Linux had more of a market share, there would be more attacks against it, and probably more success than at present.[/i] I disagree. I do not believe that there are only few attempts to crack Linux, just because there are fewer successful attempts. I think we don't hear about failed exploits, but that crackers give up on Linux (servers!) and move on to the weak link in the chain. Simply put, I think lack of exploits means only that, and that we cannot deduce lack of attempts based on this "market share" data, which does not account for the greater value, per Linux system on average, in comparison to the average home user's desktop Internet appliance, which effectively is what most Windows machines end up being.

Dumphrey

title my post "I think I missed something." though apparently the fact that we were talking about what a previous person had said was not so obvious to you. Sheesh, relax, heart attacks are not fun. You must still be worked up from ghost.

Dumphrey

with his post Abso is not the "security through obscurity" implication, but the fact that the argument is irrelevant. "If everyone in the world used Linux, every hacker in the world would be focused on trying to turn Linux-based PCs into Bots." Well, umm, duhhh? If everyone was using Linux, there would be no other target. "The sheer number of attempts would produce results," Once again, given the nature of people and perfection, this is a no-brainer. "and then Linux would be branded "The most insecure OS the world had ever seen" But what would be the point of branding it such, if everyone was using it? For every computer user to choose a single OS would imply it was perfect, or as close as humanly possible. Not even MS can claim it has that type of following, no OS can or (most likely) ever will. But his post does point out that if Linux had more of a market share, there would be more attacks against it, and probably more success than at present.

jmgarvin

Windows is insecure to the very core. It has too many holes and too many legacy issues that go from version to version for it ever to be secure as it currently stands. I suggest you re-read that "one liner" article and see what Chad is really saying.

Dumphrey

it at any point... My words were "Why assume the two are mutually exclusive". Notice the usage of the word "assume"... I do not feel that in any argument on obscurity vs. coding a bystander could not easily assume the two points to be mutually exclusive; actually, I would be willing to bet a bystander would assume just such a point. "Since nobody said it here, he's just refuting a straw man." So, this means intelligence cannot be found in a wrong statement? (i.e. we cannot learn from mistakes, errors, history) That if the target is false, the result does not count? (Oops, I just bombed your village, sorry, thought you were members of foo; now that I see that you are not, it doesn't count. Pretend no one died.) Unless the object is a concrete fact, no knowledge can be found? This is just the type of thinking that ghost used to get you all wound up.

Dumphrey

he said this on the Yahoo post I haven't bothered to read? I read his post "Feisty Fawn" and while I can see how you could extrapolate "only through obscurity", that is not how I read the post.

Absolutely

"Why assume the two are mutually exclusive. If you have better code, AND are more obscure, you win 2xs." Let's recap: somebody called 'demented' claimed that Linux is more secure [u]only[/u] because it is "not main stream". Apotheon refuted that, supplying a link to a carefully written article showing he had done substantial research on the subject, and which describes how peer review, not obscurity, is the principle used to keep Linux secure. ~Omega~ replied with an argument that Linux is obscure, which, although true within some audiences (including "main stream" audiences outside the IT profession), doesn't [u]really[/u] apply to actual security risks, because, I guarantee you, [u]dedicated[/u] malware writers not only "know about" Linux, they know that it is running on a lot of servers that transact some potentially very lucrative heists. Breaching [u]one[/u] of those is worth [u]hundreds or thousands[/u] of home users' Windows machines. Gaining access to Joe Shmoe's one bank account on a Windows workstation is just not in the same league as breaking into a Linux server hosting, for example, secure transactions of banks and governments. Therefore, the "security through obscurity" argument should be dismissed. If I were a better prose writer, perhaps I could even do that in a one-liner!

Absolutely

Did you read it? http://articles.techrepublic.com.com/5100-10877-6064734.html Now, to part of your post that I can counter without waiting for you to do your homework: [i]If everyone in the world used Linux, every hacker in the world would be focused on trying to turn Linux-based PCs into Bots. The sheer number of attempts would produce results, and then Linux would be branded "The most insecure OS the world had ever seen"[/i] That argument is fallacious, because it compares only the numbers of computers using Linux and Windows, ignoring the fact that not all computers are equally desirable targets. Linux is already a popular choice for the most lucrative types of targets, "server" computers, which are computers that connect to many "client" machines, and many of those are running Windows. Consider that every website is "hosted" on such a "server", and that Linux is running on a substantial number of those. The market share of Linux on servers, as a percentage? Google it, and calculate how many Windows machines would be accessible for each Linux server infiltrated. "Security through obscurity" is a myth, perpetrated to distract from the fact that certain operating systems are more secure inherently, because they were better written.

apotheon

Who ever said the two were mutually exclusive? It was only well-said, the way he said it, if he actually refuted something someone said. Since nobody said it here, he's just refuting a straw man.

apotheon

"[i]I do remember him saying something along the lines of; Better code? Probably, but obscurity doesn't hurt.[/i]" Yes -- which indicates that he was referring to something I said [b]to someone else[/b]. By referring to what I said [b]to someone else[/b], I was staying [b]on-topic[/b], and thus addressing his [b]actual point[/b], which was an attempt to say that my statement [b]to someone else[/b] wasn't accurate. Please, read the comments that came before that one, and understand the context of the discussion. The previous person to whom I responded basically said that the greater security of Linux was based solely on obscurity. I was pointing out that this wasn't the case. Let me break it down for you: 1. Person foo said that obscurity was the reason for Linux security. 2. I said that wasn't the case -- that there were other, more important, reasons for Linux security. 3. Person bar said that obscurity doesn't hurt, as if that somehow refuted what I said. 4. I said that it's true obscurity doesn't hurt, but that obscurity is not the whole story. 5. You said that person bar never said obscurity was the whole story -- which is obvious to everyone, including me, though apparently the fact that we were talking about what a previous person had said was not so obvious to you.

Dumphrey

where he says anything like "Any time someone suggests that obscurity is the only reason that a Linux system is "more secure", I feel it incumbent upon me to correct that misconception." I do remember him saying something along the lines of; Better code? Probably, but obscurity doesn't hurt.

Dumphrey

Why assume the two are mutually exclusive? If you have better code, AND are more obscure, you win 2xs.

apotheon

"[i]However, 'Security through obscurity' doesn't hurt the Linux cause.[/i]" No, it doesn't. The idea that Linux is more secure because of its relative obscurity is not 100% without merit. While its intrinsic security characteristics as contrasted with MS Windows are not directly affected by its relative obscurity, that obscurity would suggest that fewer people attack it. On the other hand, I never said "security through obscurity" [b]does[/b] hurt the Linux cause. I pointed out that the statement that obscurity is the only reason for Linux security is nonsense. Perhaps you should have a look at the link I referenced, while you're at it, so you'll understand more of what's relevant to the discussion of statements based on principles of security through obscurity. Keep in mind that, in fact, Linux is [b]not[/b] that obscure. It's popular as a server platform, for instance. Also keep in mind that obscurity only has an effect [b]to a point[/b], and Linux has become well-known enough that such an effect is being rapidly eroded -- so that the "security through obscurity" argument is beginning to look even less relevant. If someone pointed out that there were fewer attacks on Linux desktops because of its relative rarity, but acknowledged that obscurity was not the only factor, I'd agree. Any time someone suggests that obscurity is the [b]only reason[/b] that a Linux system is "more secure", I feel it incumbent upon me to correct that misconception. (edit: added more information)