"Considering Microsoft's track record and history of the Windows product line since its beginning I would NOT bank on Vista AKA Longhorn being secure in any sense of the word..."
And given that statistically, Linux is the most cracked into operating system in the world, I would NOT bank on Linux being secure in any sense of the word...
Please don't throw stones at Windows for problems that arguably, Linux suffers from even worse.
"Statistically Linux is not the most cracked into OS. It's still Windows."
Not at all. Windows is certainly subject to more annoying worms and such that launch DoS attacks and that kind of thing. But when it comes to downright hacking, i.e. gaining root / administrator privileges on a box, Linux is cracked more often than Windows.
Sorry to burst your bubble, but this is simply not true.
I know there was some report some time back by some shady self-appointed security specialist that made this claim without even disclosing what data their findings were based on.
But this certainly wasn't a report one could take seriously unless one is only interested in trolling...
Oh, wait...
I would like to see those statistics. Any links?
Could be interesting to see how they have defined the different categories.
Have they taken into consideration that worms have unrestricted access on most Windows boxes because most people are running with admin-privileges?
Cracking a Windows box to get administrator privileges is so easy people don't want to believe it.
Cracking a Linux box is a lot more difficult. But perhaps the statistics were created on the basis of Linspire?
"Cracking a Windows box to get administrator privileges is so easy people don't want to believe it."
I bet you can't do it.
And let's not forget that a lot of this is based on historical problems with Windows. And if you want to compare history, well, Linux has a rather embarrassing history itself. It wasn't that long ago that most Linux distros had tons of services enabled by default with no firewalls, and the average Linux out of the box install could be rooted in about 5 to 10 minutes by someone who knew what they were doing.
The first one: Depends on how well the system is protected. A standard XP is easy to get control over. But you really should update such a system.
The second one: I've never tried a Linux distro without firewall enabled. The only embarrassing Linux distros are the Linspire-like systems.
Again: Come forth with links to information about these embarrassing situations, and the names of all the many (non-existent) Linux distributions shipped with all kinds of services turned on and no firewall.
Come on. 6 years ago a firewall was standard in all major Linux distributions and many smaller ones as well.
I've never heard of a Linux system without a firewall. It would be insane (besides that a firewall isn't really needed on Linux in the same way as on Windows - unless you are running web services of course).
"I've never heard of a Linux system without a firewall. It would be insane (besides that a firewall isn't really needed on Linux in the same way as on Windows - unless you are running web services of course)."
They had firewall capability, sure. But out of the box, they were not turned on.
And 6 years ago, firewalls were *MUCH MORE* necessary on Linux than on Windows. Because out of the box, the typical Linux system 6 years ago had telnetd, sshd, sendmail, ftpd, rpc services, and any number of other exploitable services enabled by default.
I would like to see those statistics. Any links?
I suspect you'd find those links lead to their butt.
("pulling numbers out of your arse").
Making unbacked statements about one OS being easily compromised over another is no better than being a writer for Marie Claire or Cosmopolitan, with tips on "how to get your partner excited in bed".
Have they taken into consideration that worms have unrestricted access on most Windows boxes because most people are running with admin-privileges?
That's one thing Windows boxes have a problem with, once you compromise them, you get the whole box.
This isn't necessarily true for *nix/BSD/Solaris solutions. You may be able to break it, but there may be restrictions in place that limit the damage one can do.
It's not what Microsoft says with their PR machine or their trolls that hang out in forums and such... It's what it does. And so far, their security in an overall view, just plain sucks. Their solutions involve "band-aids" to problems. Not actual solutions.
Put it in this context, would you bet your life on a Microsoft solution? If MS developed a jet engine and a digital flight control system, would you sit in that plane?
If you think that way, then you can easily be immune to the PR coming out of Microsoft.
If you do some serious digging, you'd see even Microsoft uses Solaris and FreeBSD in some of their critical infrastructure. So what does that say of how trusting MS is of their own products?
(If Windows is really that great, wouldn't the company be using its products for its entire network? How come people just accept what they're given? How come they can't be sold a good SOLID product?)
Microsoft needs to make Vista sell. So they're pulling out all the stops. It's really unfortunate that in this day and age a company like Microsoft can now rely on so-called "tech journalists" to do their advertising for them. About 90% of people will believe them without questioning anything. The other 10% sit back, laugh, and point out the BS being advertised.
(This is no different from terrorists using Al-Jazeera news services to get their message across).
Not to mention the fact that the US Govt helps them...Think I'm kidding? I'm amazed that MS has connections so high up in the US, that they can request another country conducting an anti-trust case against them to "back off". (US Govt telling South Korea to lay off Microsoft...As if that doesn't raise curiosity!)
Anyway, the point I'm trying to make is...Don't believe anything Microsoft says, especially in the security department. You don't know what they've done under there, that could warrant such PR statements.
Use the "I believe it, when I can see it" approach.
They can say whatever they want, if they don't deliver, well, that becomes a story.
So at this time, just act like they're talking to a brick wall.
If MS developed a jet engine and a digital flight control system, would you sit in that plane?
Nooooo... I'm too young to die. I prefer my own gentoo-based plane. And the good part is: It can even read and write the MS plane systems, so it can communicate with them - without being compromised
[read: captive-ntfs :p ]
I never believe Microsoft just like that. One has to pick their sentences apart, read between the lines, and compare their statements with earlier statements and earlier behaviour.
Re: "And given that statistically, Linux is the most cracked into operating system in the world, I would NOT bank on Linux being secure in any sense of the word."
It's really not that difficult to find detailed reference material by doing a simple Google search which can help educate the misinformed, misguided and those that typically attempt to spread FUD. I've included a few such links.
http://www.theregister.co.uk/security/security_report_windows_vs_li...
http://os.newsforge.com/os/04/05/18/1715247.shtml
And given that statistically, Linux is the most cracked into operating system in the world, I would NOT bank on Linux being secure in any sense of the word...
Ok, so let me get this straight: You're comparing an O/S that needs 3rd party software so that it doesn't get cracked by automated scripts written by bored teenagers against an O/S routinely used in a highly secure fashion by the likes of Google and various Fortune 500 companies. (Including numerous stock exchanges!)
A virus is an automated "crack". Linux has its share of cracks, but
1) They are almost never automated, and
2) They are usually pretty easily defended against, without requiring stupid band-aids like antivirus/antispyware.
So, next time your Norton A/V complains about a virus, relax, and know that you've been cracked! Again...
Proof that, once again, idiocy knows no limits.
Maybe if they said they will put it forward for Common Criteria evaluation at EAL4 against protection profiles that are used for other systems (eg Solaris and Red Hat Linux) it would help make this more believable - since it is very hard to influence a CC evaluation (and it costs serious money). At least CAPP and RBACPP but maybe also something like LSPP for the domain isolation features.
They are touting the security of IPSec in the article and comparing it to Kerberos. So perhaps MS is going to deliberately break the IPSec protocol, adding fields so that the only computers that can use it to communicate with Windows computers are Windows computers. Like they did with Kerberos.
...they sang the same tune for Windows 98... and NT4 and so on.
And so far their OS has failed miserably in regard to their promises. Which is to be expected from a company trying to make money. Ads/Commercials are never true.
If people use their brain they won't get in trouble with Vista, perhaps apart from using existing software and hardware.
But there is still a while before Vista is released, and many things can happen in that long time.
If you check out the channel9 videos... I doubt Vista is going to be as bad as people are making it seem. There are quite a few nice innovations under the hood... most of them of course from lessons learned from the better OSes out there like the *nix flavors that come to mind. Stuff like not being an admin privilege holder and the restart manager are directly taken from the *nix flavor OSes. If MS can take the good of other OSes and package it with what people are familiar with in XP and add new features as they are with the XPS printing system, brand new color space for working with RAW for starters, I think they can pull this off. Either way it will be interesting to watch to say the least. The thing is MS has good ideas and they can develop good products like the 64 bit XP, Windows 2003 Server, MS Office... it's just some things that they do are rather appalling like.... SECURITY! Don't you guys think that all the bad rep that MS has stems from the fact that its products are riddled with security holes?
I am not talking about security. Something that is an ongoing battle with Microsoft. I know these security loopholes will never go off Microsoft because of the vast user base. My main concern is why Microsoft plays with specifications like HTML/XML and TCP/IP. They don't have the rights to modify and monopolize them. Specifications should be adopted, not monopolized illegally. These should be the concern for each and every industry that is not Microsoft.
Ah, here is a linguistic misunderstanding, it appears. Microsoft isn't changing the specifications, technically: it's interpreting them in a way to their liking, and is slanging them (this use of "slanging" may be my personal slang) and adding new meaning to them, much in the same way Ebonics is not a fully documented and approved "language" but more of a slang dialect that's quite unofficial, regardless of the insanity of the California school system... The English language is still English, but it has many different dialects that are still called "English" which have slightly different rules. This is what Microsoft is doing, like it or not: they aren't rewriting the specifications, but rather reinterpreting the specifications, and those that wish to play with them in their group may also need to learn the slang, just like any social group. Everyone else is free to go along and speak "proper English" (whatever that really means, based on discussion above) but if they refuse to acknowledge someone speaking a slanged version of it as being legitimate, they risk being isolated as language purist snobs, much like some actual countries/cultures resist the changing of their language from outside influences. For better and worse, languages change over time, and it comes down to changing interpretations causing the biggest changes that cause incompatibilities.
If you doubt this, look at most long-existing programming languages, such as C, C++, BASIC, and even some of the more modern ones, like Python, Java, Ruby, Perl, etc. and do some cyberarcheology to see how the languages have grown and mutated in syntax and semantics over time.
Jonathan Thompson
Yes I have to agree with you Anon... it is rather difficult for developers to build correct appearing software when MS is playing god with the standards. They are standards and hence by definition should be followed. I can understand the HTML stuff but when it comes to XML are you talking about XAML? If so that is entirely an internal usage of XML for applications based on Avalon. If that is not what you are talking about then please shed some light. Also I don't know what you are talking about when it comes to TCP/IP. Is it the all new stack in Vista?
No, I think it's more likely because their products have a reputation of being second-rate shit flogged at inflated prices to unassuming consumers and managers with the mental capacity of fleas, then shoved down the throats of the masses as "advanced, easy-to-use" and every other adjective that describes exactly what the software ISN'T.
> No, I think it's more likely because their
> products have a reputation of being second-rate
> shit.
Uh huh... Now let me tell you the reality. The reality is that some of the most brilliant computer scientists in the world are working at Microsoft. The reality is that only about the top 1% of computer science graduates will even get an interview as a developer at Microsoft, and probably 1% of those will actually be offered a job. The reality is that Microsoft's pre-employment skills tests are some of the toughest and most demanding in the industry. The reality is that I seriously doubt you are smart enough to get a job at Microsoft. Sorry, but I have a problem with people calling other people's work "shit" when the reality is that they almost certainly aren't nearly as skilled, or brilliant as the people who did that work, and probably couldn't even come close to doing as good of a job as they did.
I will have to disagree. If you go around and interview most people, you will see that they are angry at MS because of the security bugs that are so prevalent in their software. That is the problem. You surely cannot convince people that MS software does not work right out of the box or it does not make life easier for the user. I think one of the strongest selling points of MS is that they can make software very easy to use for the layman. They are very good at packaging and marketing. Now if only they were that good when it came to security.
I bet you don't use Windows 2003 Server for surfing.
But, it is comforting to know that if you offer Microsoft some several thousand dollars, they will offer you an operating system that probably cannot be cracked by one out of 10 random OSNews posters. That's *real* security.
By the way, some of us don't use Linux. Despite what you have been told, there are other operating system families than Linux, Windows and Mac.
> they will offer you an operating system that
> probably cannot be cracked by one out of 10
> random OSNews posters. That's *real* security.
That's not really my point. My point is that I find it amusing that of all the people who claim that it is "so easy to get admin access on a Windows box, that most people wouldn't believe it." that I bet not one of them could actually put their money where their mouth is if they were sat down and asked to gain admin privileges on a Windows 2003 box. I bet not a single one of them could do it. Well, why can't they if they claim it is so easy?
Well, why can't they if they claim it is so easy?
Put up some sort of bet and put up a box to be cracked if you're so confident. Until then you are speculating the opposite of what you find objectionable and expecting it to be taken as fact. That, as the Monty Python team said, is not argument but simple contradiction.
> Put up some sort of bet and put up a box to be
> cracked if you're so confident.
Microsoft actually did this as part of their Windows 2000 Server lead up. They put up a box and challenged all comers to try to crack it. Guess what? Not one person succeeded in cracking it. The only time it was brought down was by a DDoS attack using subserver7 or something along those lines. And that's not fair because any box, no matter how secure, is vulnerable to brute force DDoS attacks.
I think your statement is misleading - the server was locked down by a team of experts - this is not behaviour out of the box.
For example, are you trying to say that the infamous IIS and MS Access exploit did not exist in Windows 2000? One of my co-workers, way back then, found that one of the largest banks in Canada was easily broken into using this exploit.
> For example, are you trying to say that the
> infamous IIS and MS Access exploit did not exist
> in Windows 2000?
Do you want to look at how many exploits there have been in sendmail, routed, and bind? I suspect you do not. All three have been plagued by serious security problems in the past. OpenSSH has also had its share of serious vulnerabilities.
RE[7]: Repetition==truth (Was BTW...)
Btw, I'm not saying they are completely uncrackable. I'm saying that 99% of the people who spout off the rhetoric they have heard that they are so easy to crack, would not actually be capable of cracking one themselves. After all, usually the people who feel the need to make statements like that are the zealots who in reality, have marginal technical skills and are typically wannabe hackers.
> It is easy to get admin access to any Windows box
> you sit down in front of. All you need is a Windows
> CD and Passware on a floppy.
And as I already pointed out, it's even easier on Linux, where all I need is a bootable external device, which after booting, I can mount the root filesystem on the hard disk to a mount point on my bootable device. Instant root access.
As was pointed out, this is not an OS specific problem. And it is a problem that is solved by setting the BIOS password and not allowing booting from external devices or floppies. Even that is not 100% secure since someone could reset the BIOS. But that would require fairly noticeable activities, like taking the cover off and digging around inside.
This is coming in Dapper Drake. Along with the fancy liveCD gui installer, "ubuntu express", GST 0.10, and so on.
https://launchpad.net/distros/ubuntu/+spec/firewall
It could be rooted in 30 minutes, if a hacker took shots at it.
What that same study also showed was that the average WinXP box was infected before its installation was complete (7 minutes).
The difference being that the RH box was being specifically targeted and hacked upon. The WinXP machine was getting compromised by worms on the same network.
Not the same thing.
http://www.theregister.co.uk/security/security_report_windows_vs_li...
CERT considers any vulnerability with a score of 40 or higher to be serious enough to be a candidate for a special CERT Advisory and US-CERT technical alert.
We queried the CERT database using the search terms "Microsoft", "Red Hat", and "Linux". [9] The CERT web search capabilities do not produce perfectly desirable results in terms of granularity or longevity. This is especially true for the search results for "Red Hat" and "Linux". The "Linux" search results include a number of Oracle security vulnerabilities that are common to Linux, UNIX, and Windows. The details of the most severe "Red Hat" entry do not even list Red Hat as a vulnerable system. The results for the "Microsoft" search seem to be almost entirely accurate, inasmuch as both the details and entries refer to flaws in Microsoft-specific software. As a result, the results are somewhat unfairly skewed against Linux and Red Hat. Nevertheless, even if one takes the results at face value and ignores the skewed results for Linux and Red Hat, Microsoft still produces the most entries in the CERT database, and the list of entries contains the most severe flaws.
------------------------------------------------------
An interesting commentary on these pro-Windows studies
http://www.newsforge.com/article.pl?sid=04/07/06/1812203
Red Hat: After spending considerable time studying many of the alerts listed for Red Hat Enterprise AS3, I only found one vulnerability that, with any certainty, could allow an unprivileged remote user to seize control of a system with administrator privileges.
Windows: In sharp contrast, it was obvious that several of the security alerts for Windows 2003 Enterprise Edition showed unprivileged remote users can seize complete control of the Windows server with full administrator privileges. I quote from just three the Microsoft alerts themselves as examples (emphasis mine):
1. A vulnerability for anyone viewing images over the Internet: "This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges."
2. All programs that use SSL (Web servers, etc.): "A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
3. A vulnerability in NetMeeting and other programs using H.323 protocol: "A remote code execution vulnerability exists in the way the Microsoft H.323 protocol implementation handles malformed requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
-------------------------------------------------------
Let me close up by saying that most of the FOSS projects have no ulterior motive in hiding bugs or undermining their importance. Zeus knows how many critical bugs the Microsoft people have found internally that we don't know of.
And of course, if everything fails, you can always virtualize unsafe web services and whatnot. And in that area, FOSS wins hands-down, as far as the variety, amplitude and quality of its virtualization (vservers, VMware, etc.). At the very least you have choices which cost $0.
One of the things that bugs me about when non-Windows people complain about Windows is: they are usually talking about older versions of Windows and comparing them to new versions of *nix-based OSes, which is not fair.
Or: the people complaining the most know very little of Windows security, and are just spewing off at the mouth what they have heard other idiots say.
If you're going to compare an OS to an OS in security terms, you compare the 'raw' OS, not all the apps that are bundled with it...
So saying IE exploits are bad for server installs? How so? Who uses IE on servers?
So IE exploits on servers are very low risk; sure, they still get patched, but they are low risk because...
they are servers...
And Windows security is changing, and for the better; every version gets better. Sure there are still issues, but guess what, most have to deal with legacy stuff and compatibility.
I mean sheesh, Windows has to have a lot of compatibility, and the Linux camp really doesn't have this issue, as they don't have a lot of compatibility now.
-Nex6
-nex6.blogspot.com
Edited 2005-12-12 20:53
So if Vista turns out to be secure enough that the average user has much less spyware, adware, slowdowns, etc., then it could become an even better seller than XP.
Vista will be very popular if you can tell the average user that they don't have to worry about viruses and worms, but I don't think that's going to happen. It'll take Microsoft another OS to do that.
There are a lot of major improvements, like with IE7:
It basically runs in 2 modes, a 'protected mode' and an 'admin mode'.
Protected mode is basically read only, and runs in a sandbox, light years beyond IE6 in terms of security..
That alone is worth it. And that technology is built in and other apps can use it.
-nex6
Steps to exploit windows 2003...
1.) Go to www.secunia.com and search for windows 2003
2.) Start browsing through the exploits and copy the CAN numbers
3.) Go to www.packetstormsecurity.com and search for those CAN numbers
4.) Find working exploit code
5.) Compile it on your 'nix hacking workstation and attack the windows machine
6.) Profit!
Don't believe me? Take a look at this working exploit code I came up with in a few minutes.
http://packetstormsecurity.org/0504-exploits/MSHTA_POC.c
http://packetstormsecurity.org/0508-exploits/HOD-ms05039-pnp-expl.c
http://packetstormsecurity.org/0505-exploits/SSExploit.c
http://packetstormsecurity.org/0410-advisories/CORE-2004-0802.txt
http://packetstormsecurity.org/0410-exploits/HOD-ms04032-emf-expl2.... xp exploit that works on 2003
http://packetstormsecurity.org/0510-advisories/EEYEB-20050915.txt
Remember that today Linux PCs use some kind of graphical login manager, not just the plain login: password:
How could you write a login manager that really mimics gdm/kdm? And what would you get from that? Just other users and passwords, useless because you already have access to the system. But you couldn't trick a root admin!
> How could you write a login manager that really
> mimics gdm/kdm?
Basically, the same way. Only difference is that it would require you to load a program that presents a full screen fake login prompt that mimics the gdm / kdm screen. It would require more code, and knowledge of Gtk / Qt programming. But the general idea is the same.
What this all boils down to is the problem that Linux / Unix does not restart the login manager immediately before you login like Windows does when you do Ctrl-Alt-Del. If it did, none of this would be possible to do without having root privileges in advance.
> But you couldn't trick a root admin!
Sure you could. Why not? The prompt looks identical. In X, it should be possible to foil it by doing the Ctrl-Alt-Backspace combination to kill and restart X before the login. But most users won't do that. And none of the gui login managers for Linux enforce it.
"What this all boils down to is the problem that Linux / Unix does not restart the login manager immediately before you login like Windows does when you do Ctrl-Alt-Del. If it did, none of this would be possible to do without having root privileges in advance. "
It restarts after you log out. But I could Ctrl+alt+del and if there's a user logged in it will present the logout screen. So I can really say I know there's someone logged in. Also a unix admin won't ever use a public access PC as root, not even his own PC, unless he's plain stupid.
> It restarts after you log out. But I could
> Ctrl+alt+del and if there's a user logged in it
> will present the logout screen.
But it needs to be restarted before you login. Not before you log out. Because this is all based on the fact that a malicious user doesn't log out, and instead starts a program that spoofs the login and fools the next person who comes along into thinking it is the real login.
> Also a unix admin won't ever use a public access PC
> as root, not even his own PC, unless he's plain
> stupid.
He doesn't have to. If he is fooled by the fake login and logs in as a normal user, the program that spoofed the login manager can from that point on, log everything he does--including logging passwords if he uses sudo or su.
> Main difference is in Windows lot of programs
> don't work if you don't use an admin account.
> In unix/linux you certainly don't need
> advanced privileges.
Typically, the same kinds of programs that need admin rights on Windows, also need admin rights on Linux. And usually the "user land" programs on Windows that do need admin rights only need admin rights to install them. After that they can be run as normal users.
Perhaps you don't know how Unix security and mail protocols work, but you can't execute a mail attachment in Linux because attachments don't carry the execute bit permission. You need to save it to disk and manually set execute on. You are totally aware of this. But in Windows it's not like this, or is it? No. You can execute any program provided it has the right extension. Just stupid old-DOS behavior.
> Perhaps you don't know how unix security and
> mail protocols work, but you can't execute a
> mail attachment in linux because attachments
> don't carry the execute bit permission.
So I tar it, and tell the user to untar it and run the script inside of it, which will have maintained its executable bit if I set it before I tarred the file. Same deal. We are banking on the fact here that the user is gullible enough to run something they are told to run. Whether they have to do something additional besides just click on it is not really an issue.
Oh... and depending on how the system is configured (and by default) this will most likely issue a reboot command if you are not in KDE and are actually at the KDM prompt... That's obviously less than desirable behavior, and would require some customizing to stop it from happening. Most Linux distros trap Ctrl-Alt-Del by default and send a reboot command.
Same thing is possible in something like pine which most likely has over 1,000 as of yet undiscovered buffer overflow exploits that would allow someone to push arbitrary executable code onto the stack by just sending a bad email header. No attachment even required. If you are running Pine as root when that happens, the code will run as root as well.
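One way a mail gateway could act on the point above about execute bits surviving tar, as an added example that is not code from the original thread: it builds a constructed sample archive in memory (a script packed with mode 0755 next to a plain text file) and flags any member that carries an execute bit, starts with a shebang, or is not a regular file. The names `build_sample_tar` and `scan_tar_attachment` are assumptions for this example.

```python
import io
import stat
import tarfile


def build_sample_tar() -> bytes:
    """Constructed sample "attachment": a tar archive holding a shell script
    whose execute bit was set before packing, plus an ordinary text file.
    Built in memory so the example runs offline; not a real mail attachment."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        script = b"#!/bin/sh\necho 'hello from the archive'\n"
        info = tarfile.TarInfo(name="run.sh")
        info.size = len(script)
        info.mode = 0o755          # execute bits survive tar, as the thread notes
        tar.addfile(info, io.BytesIO(script))

        note = b"Please untar this and run the script inside.\n"
        info = tarfile.TarInfo(name="README.txt")
        info.size = len(note)
        info.mode = 0o644          # no execute bit
        tar.addfile(info, io.BytesIO(note))
    return buf.getvalue()


EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def scan_tar_attachment(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every archive member a gateway should
    flag: anything carrying an execute bit, anything starting with a shebang
    (it runs as soon as the recipient sets +x by hand), and anything that is
    not a regular file or directory (symlinks and devices can escape the
    extraction directory)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            if member.isdir():
                continue
            if not member.isfile():
                findings.append((member.name, f"non-regular entry type {member.type!r}"))
                continue
            if member.mode & EXEC_BITS:
                findings.append((member.name, f"execute bit set (mode {member.mode:04o})"))
            f = tar.extractfile(member)
            head = f.read(2) if f is not None else b""
            if head == b"#!":
                findings.append((member.name, "shebang script"))
    return findings


if __name__ == "__main__":
    for name, reason in scan_tar_attachment(build_sample_tar()):
        print(f"{name}: {reason}")
```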
Ctrl+Alt+Del on kdm does nothing. It works on the console, as configured in inittab, but you have to log in on the console. If we are talking about graphical login managers, kdm, at least (don't know about gdm or xdm, but it shouldn't matter because X doesn't trap Ctrl+Alt+Del by default), won't issue a reboot.
You have just changed the topic, now talking about buffer overflows. Windows and all Windows applications have plenty of them. So don't start a discussion here, because there are more known critical unpatched vulnerabilities in Windows, and you are certainly not in a good position.
Plus, running pine or mutt or put your favourite *x mail client here as root is stupid. I'm not even talking about running OE as admin or injecting malicious code into IIS or IE with its ActiveX wonderful spyware extensions.
Edited 2005-12-12 22:54
I haven't really changed the topic. Just made a point that you don't necessarily have to knowingly execute something on Linux to have arbitrary code executed.
The point I was making is basically this: If you have dumb users running with root privileges or admin privileges, the probability of bad shit happening is 100% no matter what OS they are running on. And we can safely assume that the Linux user running everything as root is at least as clueless as the average Windows user, if not more so, since the hazards of running as root are so well known.
Yeah, but I can assure you there are more Windows users (clueless) running as admin than the equivalent users running Linux as root (clueless too). That's because the system enforces security. With Windows, it just won't work. Not until Vista. Prove I'm wrong. If I am, Vista's sudo will be useless because it won't need it. But I know I'm right.
Oh I'm sure there are more clueless Windows users running as admin. I'm just suggesting that the typical Linux user running as root would likely be even more clueless than the typical Windows user running as admin. Because said Linux user would pretty much have to ignore the warnings that typical installers provide about how dangerous it is to run as root.
"Same thing is possible in something like pine which most likely has over 1,000 as of yet undiscovered buffer overflow exploits..."
Well, how can you say undiscovered? I can say the same about Windows, but I can say billions of buffer overflow exploits not yet discovered. You know, Windows has a good track record. Sorry.
> Well, how can you say undiscovered? I can say the
> same about windows, but I can say billions of
> buffer overflow exploits not yet discovered.
> You know, Windows has a good track record. Sorry.
These are problems in applications. Not the OS itself. They are problems inherent in languages like C and C++ that don't do things like array bounds checking, or check the size of string buffers to see if they are big enough to hold whatever you are trying to shove in there. They will happily just write past the end of an array or buffer if what you try to shove in them won't fit. In other words, these problems are the results of mistakes programmers make.
I chose the pine example because pine is an application that is regarded by security experts as being horribly programmed and being subject to tons of security exploits involving buffer overflows.
I don't want to speculate on whether Windows or Linux has more problems here since these are not OS problems, but application problems. Of course, the amount of damage they can potentially do is amplified when running as root or as admin.
> do you work for microsoft? thats the only reason
> why you should be attempting to defend
> the indefensible.
No, I don't work for Microsoft. I just don't like it when people make blanket statements in either direction. And what I originally responded to was the blanket statement that Windows is insecure. The original person who said that was only parroting back what they have heard. I also don't like it when people make blanket statements like "It's really easy to crack into", and yet if they were given the opportunity, wouldn't actually be able to crack into it. Again, all they are doing is parroting what they have heard. They don't even know why they are saying it is easy to crack into, other than "This is what I have heard, so it must be true."
That's the kind of thing I can't stand.
> 20+ years of unix show unix designers really knew
> how to do OS security. Couldn't say the same
> for Microsoft.
Well, not really. After all, let's not forget that early versions of Linux (and most versions of Unix) had no concept of shadow passwords. Passwords were stored using DES encryption (easily cracked) in a world readable file. Also, let's not forget that maximum password length in DES encrypted passwords was only 8 characters. And even after Linux / Unix did start supporting shadow passwords, it was quite some time before they could be used reliably because many programs that needed access to password information didn't support them.
Unix has had more than its share of "This is blatantly insecure" issues throughout its 20+ year history.
Ubuntu is the only distro I know of that has the root account totally disabled by default. Maybe I am wrong, but I don't think most other distros do that. At least none of the other ones I have installed do. They all enable the root account on install, but they also all do warn you about the dangers of using it for every day use and prompt you to create a normal user account.
"I chose the pine example because pine is an application that is regarded by security experts as being horribly programmed and being subject to tons of security exploits involving buffer overflows."
I can choose OE or IE, both vital applications in any Windows config. And that proves the same point, the main difference is you are probably executing your Windows application with an admin account. In Linux that's not really common.
> I can choose OE or IE, both vital applications in
> any Windows config. And that proves the same point,
> the main difference is you are probably executing
> your Windows application with an admin account.
True. It's an issue that is easily solved in Windows. The weakness is that Microsoft has never warned users about the dangers of running as the administrator, and has never prompted users during the setup to create an account for every day use that does not have admin privileges like most Linux installs do. That's something Microsoft should change.
True, but that was more a lack of common sense given that by that time, DES was enough for available computing power. What would happen when computers get so powerful that they are able to crack an MD5 password in a sec? Of course shadowing helps a lot and took time to make it default.
All OS had and still have design flaws. But the problem with Windows is that it's inherently flawed by design. And changing that is difficult because they have to protect their user base, a matter of business and backwards compatibility. I don't think they will ever be able to change the OS base. Just a couple of tweaks to UI. No more than that unless they want to break all applications.
> DES was enough for available computing power.
> What would happen when computers get so powerful
> that they are able to crack an MD5 password in a sec?
> Of course shadowing helps a lot and took time to
> make it default.
Well, the design flaw was not so much in using DES encryption as it was in requiring the passwords to be world readable. If they had used shadow passwords originally, how well they were encrypted would not have been an issue since you could only read them if you had root access. (And with shadow passwords, we can pretty much assume that encryption is largely irrelevant since if someone is able to read /etc/shadow, you've probably already been rooted).
Limiting passwords to only 8 characters was also somewhat of a design flaw. I realize back then saving every bit of memory you could was important. But still.
And they will with Vista. That's the problem with Microsoft: they made users stupid, clueless, uneducated about their PC. They don't need to know about permissions or the boot process. Just make them conscious about security. But there are a lot of problems left. File identification by using extensions is a stupid decision. File cookies as in mime types or used by 'file' are really better. They should change that, but that surely will break a lot of applications relying on file extensions. Another problem that expands to all Windows developers. Cluelessness.
Correct me if I'm wrong, but remote clients use another X instance, like :1
So killing the current X instance doesn't affect remote clients.
And just issuing a Ctrl+alt+del when you are going to login will do nothing if you are in the real login screen or show you the, e.g., KDE logout screen to let you logout from the current session or shutdown the machine if you can.
> Correct me if I'm wrong, but remote clients use
> another X instance, like :1
> So killing the current X instance doesn't affect
> remote clients.
Hmm.. I don't think so. I think the X server itself is shared. Maybe not though.
> And just issuing a Ctrl+alt+del when you are going
> to login will do nothing if you are in the real
> login screen or show you the, e.g., KDE logout
> screen to let you logout from the current session
> or shutdown the machine if you can.
True. There should be a way to enforce it on public terminals though, such as those in University computer science labs, where CSci seniors with too much time on their hands might decide to give incoming clueless freshmen a harsh lesson in "security by experience" for example.
Well, I remember Windows used to accept only 11 chars (I think) and forget the others. What's important is that an OS can evolve without too much hassle, without breaking all things out there.
About passwords, well, who knows if we are still going to use them in a couple of years instead of biometrics. So the systems will need to evolve. I can think the current MD5 scheme for storing string passwords will be used to store fingerprints of fingerprints 
> And where would the *BSD's be in that respect?
> Near the bottom of the list no doubt.
In what respect? Security? Typically the BSDs come in as some of the most secure operating systems available. That's not necessarily because they are inherently more secure. But most likely because they are not as popular, so they aren't nearly as often the target of root kits as Linux is. OS/2 also comes in as one of the most secure operating systems available. Since not many people use it, not many people are playing with it and trying to figure out how to crack it.
What key sequence should you use?
Well, CTRL-ALT-DEL is used to reboot the machine.
CTRL-ALT-BACKSPACE is magical to the X server.
We'll choose CTRL-ALT-PAUSE.
In your rc.sysinit (or rc.local) file, add the command
echo "control alt keycode 101 = SAK" | /bin/loadkeys
And that's it! Only the superuser may reprogram the SAK key.
On the PC keyboard, SAK kills all applications which have /dev/console opened.
Unfortunately this includes a number of things which you don't actually want killed. This is because these applications are incorrectly holding /dev/console open. Be sure to complain to your Linux distributor about this!
You can identify processes which will be killed by SAK with the command
# ls -l /proc/[0-9]*/fd/* | grep console
l-wx------ 1 root root 64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console
Then:
# ps aux|grep 579
root 579 0.0 0.1 1088 436 ? S 00:43 0:00 gpm -t ps/2
Taken from the Linux documentation: SAK.txt. Do it if you want to implement the Ctrl+Alt+Del behaviour seen on Windows.
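The same "who is holding /dev/console" check that SAK.txt does with ls and grep, as an added example (not code from SAK.txt or from the post above) in a form a script can act on: it lists the processes SAK would kill and offers a pre-flight test before enabling the key on a terminal. The proc_root argument is an assumption of this example (default /proc) so the functions can also be run against a constructed tree.

```shell
#!/bin/sh
# Added example: enumerate the processes SAK would kill, i.e. those holding
# /dev/console open, as the "ls -l /proc/[0-9]*/fd/* | grep console" check in
# SAK.txt does. The proc_root argument is an assumption of this example
# (default /proc) so the same logic can be pointed at a constructed tree.

# Print "PID FD" for every fd symlink under proc_root that points at /dev/console.
sak_victims() {
    proc_root="${1:-/proc}"
    for fd in "$proc_root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue          # also skips the literal glob when nothing matches
        target=$(readlink "$fd") || continue
        [ "$target" = "/dev/console" ] || continue
        pid=${fd#"$proc_root"/}           # strip the tree prefix ...
        pid=${pid%%/*}                    # ... and everything after the PID
        printf '%s %s\n' "$pid" "${fd##*/}"
    done
}

# One line per victim, "PID fd N: command line", read from proc_root/PID/cmdline
# (NUL-separated, as in the real /proc); "?" when the cmdline is unreadable.
sak_report() {
    proc_root="${1:-/proc}"
    sak_victims "$proc_root" | while read -r pid fdnum; do
        cmd=$(tr '\0' ' ' < "$proc_root/$pid/cmdline" 2>/dev/null | sed 's/ *$//')
        printf '%s fd %s: %s\n' "$pid" "$fdnum" "${cmd:-?}"
    done
}

# Exit status 0 when nothing holds /dev/console open, 1 otherwise: a pre-flight
# check before binding SAK, so a daemon like gpm is not silently killed later.
sak_clean() {
    [ -z "$(sak_victims "${1:-/proc}")" ]
}

# Stand-alone use: report against the live /proc.
sak_report
```

Run it as root on the machine where SAK is to be enabled; an empty report (and sak_clean returning 0) means only the login session itself will be killed.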
>True. It's an issue that is easily solved in Windows. The weakness is that Microsoft has never warned users about the dangers of running as the administrator, and has never prompted users during the setup to create an account for every day use that does not have admin privileges like most Linux installs do. That's something Microsoft should change.<
Microsoft doesn't warn its users because it believes it will be an inconvenience to users and thus make other alternatives not look so bad.
Many Windows users would trip out the first time they are prompted for an administrator password to install software. Perhaps they would find they are locked out from a certain directory or file; Joe Twentyfourpack would freak.
Point is, Microsoft doesn't care about what is best for their customers, they care about the bottom line. If Windows was made to run in a more secure manner, it may feel more nix like (passwords to install software, and access certain directories) which would make a switch easier to swallow for the average user, which is the last thing Microsoft wants (remember lock in).
The only reason Microsoft is advertising security for Vista is because it is a huge buzzword right now. If the buzzword was purple chimpanzee, Microsoft would be all over that ("get the facts, we have the chimp"), even if the chimp was really green, bald, and sterile.
Ya right, Microsoft security... The Microsoft PR machine tried to sell NT as orange book but it was really red book security. If you do more research, the only way Microsoft could be orange book certified was to turn off the nic, modem, cdrom, floppy. Go ahead, do some research. Seems that Microsoft is up to its old game and the younger generation is full of bullshit. The unix OS can be secure. Even though you would find it in the papers, the US Navy uses SGI machines to protect the coasts. Not going to tell you how, but they would not do it with Microsoft. I just don't think the education system is doing its job. But the Pac-Rim countries will. Long live the stupid engineer. Physics without math.
1.1 Orange book, red book and C2 security
The so called orange book is part of the DoD "rainbow" series of books. The official name is Department of Defense Trusted Computer System Evaluation Criteria. There is another book, a red one, which is a "interpretation" of the Orange Book. The NCSC has published a number of different interpretations of the TCSEC. These interpretations clarify Orange Book requirements with respect to specific system components. The formal name of the red book is the NCSC's Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria. It is an interpretation of Orange Book security requirements as they would be applied to the networking component of a secure system. The Red Book does not change the original requirements, it simply describes how a network system should operate in order to meet Orange Book requirements for a C2 secure system.
Microsoft had a certain version of Windows NT, with a specific configuration, on a specific hardware platform evaluated by NSA. The outcome was that that specific setup is considered C2 compliant and the NSA guys from the National Computer Security Center, NCSC, also wrote a report entitled the NSA's Final Evaluation Report on Microsoft, Inc.: Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3. National Computer Security Center, 23 June 1995.
The people at National Computer Security Center have an online description of the Microsoft NT evaluation (http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html) including information on what type of hardware was used during the test. They have a general page on evaluation, http://www.radium.ncsc.mil/tpep, and a frequently asked questions, FAQ, area (http://www.radium.ncsc.mil/tpep/process/faq.html).
The evaluation was just according to the orange book, not the red book. Microsoft has since then continued the evaluation process to also match the red book (i.e. networking parts) criteria, but this is not yet finalized.
To have a C2 compliant setup, you must amongst other things have
• Identification and Authentication mechanisms
• Discretionary Access Control mechanisms
• Auditing
• Object Reuse
In practice, it also means that you have to
• Turn off networking completely (since NT is just evaluated to the orange book, not the red)
• Disable floppy disk
• Change the standard file system permissions to be more restrictive
• Change a lot of permissions in the registry
That leaves you a not so usable client-server system. There is a tool that comes with the resource kit called c2config that you might use to harden your system to a C2 level. You might also want to see Microsoft's web page entitled What is C2 Evaluation? Microsoft Sets the Record Straight (http://www.microsoft.com/syspro/technet/boes/winnt/nt351/c2bltn.htm).
There is an on-line html version (http://www.pinsight.com:80/~royg/security/dod/rainbow.html) available of the rainbow series books that you might want to check out. Microsoft has a blurb that describes the characteristics of a secure system - C2 and beyond (http://www.microsoft.com/ntserver/c2char.htm).
There is a paper on a new information technology security standard called common criteria (http://csrc.ncsl.nist.gov/nistpubs/cc) that is available on-line. It is a proposed ISO-standard.
> it seems very strange that microsoft's servers
> run linux rather than microsofts own.
Stop pulling shit out of your ass! Find me one shred of evidence that Microsoft's servers are running Linux. Netcraft says they are running Windows 2003.
It never ceases to amaze me the kind of downright bullshit that Linux zealots will put out of their ass to attempt to boost their own platform and make Microsoft look bad.
Netcraft claim that Microsoft uses Windows, you say? Now who's pulling shit out of their ass?
"According to a post on the Netcraft Web site, Microsoft changed its DNS settings on Friday so that requests for www.microsoft.com no longer resolve to machines on Microsoft's own network, but instead are handled by the Akamai caching system, which runs Linux. "
"As of this writing, Netcraft reports that www.microsoft.com is still running on Linux, although microsoft.com is reported as running on Windows Server 2003. "
http://castlecops.com/article2811.html
And as of this writing, Netcraft's history report on www.microsoft.com shows it is currently running Windows Server 2003 on IIS, and has been going as far back as Netcraft keeps records. There is not one single Linux entry in there. Same story for microsoft.com, msdn.com, www.msdn.com
Thanks for playing. But you lose. Sorry.
> Hotmail ran on linux servers for a bit I think.
Hotmail ran on FreeBSD when Microsoft bought it. They did finally manage to convert it to Windows though. But they did have problems for a while getting Windows to handle the kinds of loads that FreeBSD handled with relative ease.
"no, i win. you only decided to scratch the surface. you forgot to look a bit deeper into it. you will then discover that MS does indeed use linux on many of its servers and network equipment."
Source please. And no, I don't mean a two year old article that you try to pass off as current information. And I don't mean trying to claim that Microsoft's servers are running on Linux, when even that article only claimed their servers were behind a content caching system running on Linux.
so you know the part about MS using linux for some of its servers. i will grant you your wish of providing the source that MS is even recommending linux above windows for some networks. here is one:
"The next time Bill Gates sends an e-mail through Microsoft's shiny new Wireless LAN it will be passed through a behind-the-scenes Linux-based network appliance.
Earlier this year Microsoft and Aruba Networks jointly announced the two companies will work to replace Microsoft's existing Cisco wireless network with Aruba's centrally-managed infrastructure, which eliminates the need for individual changes on the access points.
Aruba Networks was selected to provide the networking equipment for what is considered to be one of the world's largest next-generation wireless LANs, serving more than 25,000 simultaneous users a day in some 60 countries. According to an Aruba press statement, Microsoft's new WLAN will be deployed in 277 buildings covering more than 17 million square feet using Aruba mobility controllers, mobility software and some 5000 wireless access points.
What the press statement didn't mention is that Aruba mobility controllers run the Linux operating system which Microsoft has aggressively targeted as being inferior to Windows as part of its "Get the Facts" marketing campaign.
Mark Robards, Aruba Network's Asia-Pacific vice president, said the company's mobility controller switches provide integrated security, including a firewall, VPN, and hardware encryption, and they are "all Linux-based".
Robards said the network rollout with Microsoft is going well and is likely to take two years to complete and will contain as many as 7000 access points. Indeed, Aruba is recruiting Linux developers to work on its mobility controller software. In an advertisement on the company's Web site, Aruba is seeking a senior Linux software engineer with "expert knowledge of Linux and extensive Linux kernel experience".
Sunjeev Pandey, senior director of Microsoft IT, said the company is "pleased to be partnering with Aruba in the upgrade of Microsoft's next-generation wireless LAN".
"This partnership will allow Microsoft to leverage a cutting-edge wireless and mobility platform that provides us the scalability, performance and security that our environment demands," Pandey said.
Pandey's appraisal of Aruba's technology is in stark contrast to Microsoft's "Get the Facts" rhetoric which places Windows as a more secure, and higher-performing choice over Linux."
http://www.computerworld.com.au/index.php/id;754084996;fp;16;fpid;0
> i will grant you your wish of providing the source
> that MS is even recommending linux above windows
> for some networks. here is one.
Ah... Now the truth comes out. And also the truth that you were spinning it. You claimed that Microsoft was running Linux on their servers. But neither article you have pointed to claims that. So now let's look at your second one:
1: A router is not a server
2: Microsoft has never ever claimed that Windows Server 2003 was for building wireless routers.
3: You are talking about an embedded kernel here being used to power a network appliance. Which is VASTLY different than a full blown server.
"Wouldn't Any Other System be as Vulnerable?
That's Microsoft's official line, but it isn't true. While every system is vulnerable to attack, the ease with which Windows systems can be compromised, the number of vulnerabilities, and the speed with which attacks can propagate are unique to Windows.
For a concrete example showing the defect in Microsoft's argument, look at Internet Web servers. The open source Apache Web server running primarily on open source Linux and BSD operating systems has more than twice the market share of Windows and IIS (Internet Information Server), yet it's the Microsoft products that have earned a reputation for poor security.
A recent Linux worm was listed as infecting "1 to 5 computers". A really bad Linux worm (Slasher) infected less than 6000 (vs. hundreds of thousands within hours for a typical Windows worm) and was easily eradicated (A8). BSD Unix servers have an even better record. There are millions of Linux and BSD computers fully exposed to the Internet - the Internet runs on them.
Let me be clear that other system can be made insecure through intent or stupidity. A prime example is "lowest cost" systems from WalMart running the Lindows version of Linux. Lindows imitates Windows "ease of use" by encouraging regular users to run as root - the worst security mistake you can possibly make on a Unix/Linux system. Even so, they're not as bad as Windows because they lack the "tight integration" and automation tools Windows comes with.
Security problems with Windows are legion, and many experts consider it too broken to fix, ever. Windows was created as a single user system unconnected to any network, never mind one as dangerous as the Internet. It was designed to be "feature rich" and "user friendly", fully integrating all computing functions "seamlessly", with no barriers. All the tools a worm or virus writer needs are included in Windows by default. More and more network functions continue to be integrated deeply into Windows (to lock out competitors) with few if any safeguards.
Microsoft completely ignored security until recently by their own admission, because "people wouldn't pay for it". The only reason they're paying lip service to it now is because it's become a major public relations problem. A system with this heritage can't be fixed retroactively, and exposing Windows computers to the Internet is not prudent."
"Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. [2] None of the top 50 web sites runs Windows or Microsoft IIS. So if it is true that malicious hackers attack the most numerous software platforms, that raises the question as to why hackers are so successful at breaking into the most popular desktop software and operating system, infect 300,000 IIS servers, but are unable to do similar damage to the most popular web server and its operating systems?"
"The United States Computer Emergency Readiness Team (CERT) uses its own set of metrics to evaluate the severity of any given security flaw. A number between 0 and 180 expresses the final metric, where the number 180 represents the most serious vulnerability. The ranking is not linear. In other words, a vulnerability ranked 100 is not twice as serious as a vulnerability ranked at 50.
CERT considers any vulnerability with a score of 40 or higher to be serious enough to be a candidate for a special CERT Advisory and US-CERT technical alert.
We queried the CERT database using the search terms "Microsoft", "Red Hat", and "Linux". [9] While the CERT web search capabilities do not produce perfectly desirable results in terms of granularity or longevity. This is especially true for the search results for "Red Hat" and "Linux". The "Linux" search results include a number of Oracle security vulnerabilities that are common to Linux, UNIX, and Windows. The details of the most severe "Red Hat" entry does not even list Red Hat as a vulnerable system. The results for the "Microsoft" search seem to be almost entirely accurate, inasmuch as both the details and entries refer to flaws in Microsoft-specific software. As a result, the results are somewhat unfairly skewed against Linux and Red Hat. Nevertheless, even if one takes the results at face value and ignores the skewed results for Linux and Red Hat, Microsoft still produces the most entries in the CERT database, and the list of entries contain the most severe flaws.
The CERT results for "Microsoft" returned 250 entries, with the top two entries containing the severity metric of 94.5. Thirty-nine entries have a severity rating of 40 or greater. The average severity rating for the top 40 entries is 54.67. (We chose to average 40 entries instead of 50 or more because the Red Hat search only returned 49 results.)
The CERT results for "Red Hat" returned 46 entries. The top entry has a severity metric of 108.16. Only 3 (vs. 39 for Microsoft) entries have a metric of 40 or greater. The average severity for the top 40 entries is 17.96.
The CERT results for the "Linux" search returned 100 entries. The top entry has a severity metric of 87.72. Only 6 of the entries carry a severity metric of 40 or greater. The average severity for the top 40 entries is 28.48.
These results cannot be expected to mirror our own analysis of recent vulnerability patches. The CERT search criteria and date ordering is different, and the CERT search does not confine the products to Windows Server 2003 and Red Hat Enterprise Linux AS v.3. But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions."
http://www.theregister.co.uk/security/security_report_windows_vs_li...
I can spin numbers too. One of the most respected Security sites, Secunia, looks something like the following when it comes to security advisories:
Windows: 594
Linux: 4159
FreeBSD: 90
Solaris: 231
Oops.... So much for your idea that Linux is more secure than Windows. In fact, it is the worst by far.
You don't have to believe me. You can look it up yourself.
Oh, and just to better match the CERT study you quoted, I ran the searches again, but this time only reporting the number of vulnerabilities marked "highly critical" and "extremely critical":
Linux: 884
Windows: 141
FreeBSD: 18
Solaris: 37
Even when it comes to only highly critical and extremely critical vulnerabilities, Linux is still the worst by far.
Oh. And guess what? IIS is more secure than Apache too. Once again, only highly critical and extremely critical vulnerabilities:
IIS: 13
Apache: 53
But if you were really following this stuff, you would know that there hasn't been a single highly critical or extremely critical security vulnerability reported in IIS 6 for over a year. The last one was in November of 2004. The most recent one in Apache, however, was October 5th of this year.
> source please?
I told you the source. Secunia.
"But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions"
No, I did read that. Which is why I re-ran the searches and searched for only vulnerabilities classified as highly critical and extremely critical. Even after doing that, Windows came out with only 141 compared to Linux's 884. That pretty much rejects the findings of the article you quoted because I only recorded very critical vulnerabilities when I obtained those numbers.
> thats not good enough. link, please?
god you are lame.
Did it ever occur to you that it just might be www.secunia.com?
I love people who claim to know what they are talking about, but don't even know how to use a Web browser. Or did it ever occur to you that entering Secunia in google might turn up something?
dearest IP: 24.118.179
selective reading won't get you very far. you also forgot to read this:
"Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. [2] None of the top 50 web sites runs Windows or Microsoft IIS. So if it is true that malicious hackers attack the most numerous software platforms, that raises the question as to why hackers are so successful at breaking into the most popular desktop software and operating system, infect 300,000 IIS servers, but are unable to do similar damage to the most popular web server and its operating systems?"
dearest IP: 81.76.38
Please tell me how uptime and hacking have any relationship to each other whatsoever? To suggest they do is a complete logical fallacy. And anyone who would suggest that is either intentionally spinning the argument, or doesn't even understand logic 101.
And if you want to play that game, not one of the top 50 sites with the longest uptime is running your precious Linux either.
Point and click your way into most average 2000/XP computer: http://www.metasploit.com/
95/98/ME are so easy they don't even count.
ANY MORON can simply download metasploit, and with a friendly HTML page to walk them through it - walk right into all but the most hardened (and completely up to date) systems.
Try doing that with Linux. I've tried. It isn't nearly as easy, even using tools such as this.
Newsflash.
Windows is closed source
Linux is open source
Windows code isn't available and therefore, you cannot find security holes easily.
Linux applications for the most part are open source, and therefore, security holes are found way more rapidly, and fixed.
So saying IIS only has X# of security problems compared to Apache having X# of security problems is ridiculous and retarded.
I'm gonna get dizzy if you try to put anymore spin on that.
FreeBSD is open source too. And it has a mere fraction of the reported vulnerabilities that Linux does. Solaris recently went open source as well. And still only has a mere fraction.
Sorry, but your argument doesn't hold water. If what you suggest is true, FreeBSD and Solaris should have a much higher number of reported vulnerabilities than they do. But they don't.
Please, Linux is way more popular on the desktop front, and has way more hackers going at it than BSD or Solaris.
Also, look at what the hacks can do compared to windows. Such as the argument with FireFox VS IE.
The worst that can happen with FireFox in 99% of all cases is that FireFox goes down. With IE they ruin your system.
Same goes with probably a good 90% of all OSS apps compared to windows vulnerabilities.
"Please, Linux is way more popular on the desktop front, and has way more hackers going at it then BSD or Solaris."
Doesn't matter. It still doesn't make up for the vast discrepancy of 90 vs more than 4,000. Even when weighed proportionally with the number of users.
"The worst that can happen with FireFox in 99% of all cases is that FireFox goes down. With IE they ruin your system."
Not even remotely true. Firefox has been plagued recently with a string of exploitable vulnerabilities that allowed execution of arbitrary code.
And vulnerabilities on Secunia do not get classified as highly critical or extremely critical unless they are capable of doing serious damage to your system. So again, your argument doesn't hold up cause Linux has far more of them than any other operating system I compared it to.
He was talking about Apache. And it's true it's the most common web server in the whole internet. So why is it not the most hacked? You know the answer, don't try to disguise it covering the facts with other questions or responding indirectly. Your arguments are invalid, if I can say you are arguing, because you aren't, you just change the topic and try anything else. Those who know cannot be fooled.
"And it's true it's the most common web server in the whole internet. So why is it not the most hacked?"
Ah, but it *is* the most cracked.
The vast majority of Web site defacings occur on Web sites running Apache. Not Web sites running IIS.
"Your arguments are invalid, if I can even say you are arguing"
My arguments are not invalid. I have given you hard data. You have given me nothing and backed up nothing.
"Those who know cannot be fooled."
Except you can't provide a source for your knowledge. You don't know. You buy into FOSS rhetoric without doing any real research of your own. And then when I point out the real facts to you, you deny them and don't want to accept the truth.
"Ah, but it *is* the most cracked. "
That's what you think. Please provide some facts.
"The vast majority of Web site defacings occur on Web sites running Apache. Not Web sites running IIS."
I have seen IIS sites taken down by script kiddies. I had an Apache running on my port 80 and monitored it for a long time. All logs were filled with exploits for IIS (that didn't work, of course). It was never cracked. And you said uptime is irrelevant, but it IS relevant. In the event of a crack/compromise, what a system admin would do is reinstall the whole OS. So, there you have your uptime telling you for how long they were running without problems. Those sites you said were cracked were mostly PHP sites, but not cracked through Apache vulnerabilities, but through PHP ones. And that's not really a problem, because Apache doesn't run as root, so what you could get is a hacked page that says: DiZ Pa6e WaZ HaCKeD by Stupid!!!
"My arguments are not invalid. I have given you hard data. You have given me nothing and backed up nothing."
Hard data my ass!! I haven't seen a single significant link. Just accusations.
"Except you can't provide a source for your knowledge. You don't know. you buy into FOSS rhetoric without doing any real research of your own. And then when I point out the real facts to you, you deny them and don't want to accept the truth."
Public knowledge. Everyone knows. There isn't FOSS rhetoric, there is a lot of commercial software rhetoric; I don't need to point that out.
I have pointed out real facts. As you say. It is you who don't want to accept the truth. I don't buy your anti-FOSS propaganda.
I know every software is vulnerable and has been cracked before. That's not the point. The point is how much damage caused those vulnerabilities. Prove I'm wrong.
"And you said uptime is irrelevant, but it IS relevant. In the event of a crack/compromise, what a system admin would do is reinstall the whole OS. So, there you have your uptime telling you for how long they were running without problems."
Uptime is related to OS reinstalls? Oh, now you are really digging deep to try to support your position... Let's see... The last time I rebooted my Web server it had nothing to do with being cracked, or even with an OS problem... It was a drive replacement... So much for your uptime meaning shit when it comes to OS reliability / Web server reliability.
"Hard data my ass!! I haven't seen a single significant link. Just accusations."
Bullshit. I provided statistics taken from Secunia, and a link to the Secunia site so you can verify them yourself. The simple fact is that Linux has a much higher reported number of highly critical and extremely critical vulnerabilities than Windows or even other versions of Unix do, open source or not. And it has those vulnerabilities reported more often than Windows and other versions of Unix. I only brought that up to discredit the bullshit article quoting the CERT stuff that was mentioned here. (And this was originally about Linux vs. Windows btw, not Apache vs. IIS. So don't accuse me of trying to change the subject by bringing it back to Windows vs. Linux.)
You can spin this however you want. Doesn't change the numbers. Linux has a much higher number of reported highly critical and extremely critical vulnerabilities. And they are reported more often.
"Public knowledge. Everyone knows. There isn't FOSS rhetoric, there is a lot of Commercial Software rhetoric, I don't need to point that."
Ah yes... the "public knowledge" defense to back up claims you can't prove. Another typical defense of a FOSS zealot. And yes, there is FOSS rhetoric. About all people like RMS and ESR spew is rhetoric.
"I have pointed out real facts"
No, you haven't. You haven't provided a single piece of data to support your claims. Not one. You can't call them facts when you can't even support them with data. So I call your facts rhetoric. You haven't provided a single piece of data to back them up.
I have provided you with security vulnerability numbers from a highly prominent security site to back up my claims. Which is far more data than you have provided.
"The point is how much damage caused those vulnerabilities. Prove I'm wrong."
Prove you are right. So far you haven't provided any data to support your claims. Again, I have provided data that shows Linux has a much higher number of highly critical and extremely critical vulnerabilities than Windows does. That's raw, hard data. You have provided me with nothing except rhetoric that when I ask you to prove you say "It's public knowledge. I don't need to prove it."
"I don't buy your anti-foss propaganda."
No anti-FOSS propaganda. Just facts.
My data also showed that FreeBSD (a FOSS project) fared the best of all. I didn't try to dispute those numbers. All I did was refute the claim posted that Windows had a much higher rate of critical vulnerabilities than Linux did. The numbers show that simply isn't true. The truth is quite the opposite, in fact.
Oh, and if you don't want to take Secunia as a reliable source, check out the plugin database for the Nessus network security vulnerability scanner. I can tell you in advance what you will find though, because I have set up Nessus on networks before: The number of plugins scanning for vulnerabilities that affect Linux systems is much higher than the number of plugins scanning for vulnerabilities that affect Windows systems. Because quite simply, there are more vulnerabilities to scan for on Linux systems than on Windows systems.
Yes, of course it is, but who is still able to understand anything in the Linux kernel....
Are you?
It's a little bit stupid to believe that MS programmers are worse than others. And as a matter of fact Linux is highly vulnerable. There are no viruses against it, but one day there will be, and that day will be a disaster.
It is also impossible to compare *BSD and Linux: one is made as a professional OS, the other is still basically a hobby OS which became an incredible success.
I am not trolling. The people who claim that Windows is "so insecure you won't believe it" are the ones trolling. Because as I pointed out, the data tells a very different story. Sorry. That's the truth. I'm not trolling for pointing out the truth. I'm trolling in your mind because you don't like the truth.
"You can spin this however you want. Doesn't change the numbers. Linux has a much higher number of reported highly critical and extremely critical vulnerabilities. And they are reported more often."
you have already seen this part, yet you have deliberately forgotten about it:
"But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions"
No. I DID NOT forget about it, as I already pointed out.
This is specifically why I ran the search using only vulnerabilities classified as highly critical and extremely critical. Windows still came out looking way better than Linux.
But I pointed that out already a few posts back, which apparently you decided to ignore since you don't like what it implies.
Yet another example showing the unyielding failing of Microsoft technology. I will quote IP 24.118.179's beloved source too: Secunia.
"Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical "
http://secunia.com/product/4227/
"Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Extremely critical"
http://secunia.com/product/11/?period=2005#statistics
(IP 24.118.179: do you see what this is? It is what's commonly referred to as a link. Something that you're ill-acquainted with.)
> Yet another example showing the unyielding failing
> of Microsoft technology.
Ah yes... Linux zealot strategy number 36: "Keep trying to change the focus to one product that is particularly troubled. That way we can take the focus off the fact that Microsoft's overall security track record is way better than Linux's".
This was never about IE vs. Firefox. It was about Linux vs. Windows, and a bit of a side thread about IIS vs. Apache.
With Microsoft's dismal track record of security, I'll take this article with a huge lump of salt. I'm not closed-minded to the fact that Vista may be the change that we all seek from Microsoft, but until then I have a poor opinion of Windows after administering hundreds of Windows computers which have proven to be rather troublesome. The real proof of the pudding, as they say, is: will Windows TCO and security problems become lower than Unix, Mac OS X and Linux?
I'll wait to see if Vista passes for secure and then deploy it with IE reenabled after I'm convinced Microsoft made all the right steps.
Currently IE is disabled on most of our Windows computers due to security problems that have plagued us in the past.
NOW WHO IS DOING SELECTIVE READING? HOW MANY TIMES DO I HAVE TO POINT OUT THAT I HAVE ADDRESSED THAT ISSUE THREE TIMES ALREADY BEFORE IT SINKS INTO YOUR DENSE SKULL?
TO ADDRESS THAT CLAIM, I RAN THE SEARCH ONLY LOOKING FOR HIGHLY CRITICAL AND EXTREMELY CRITICAL VULNERABILITIES. EVEN WHEN HIGHLY AND EXTREMELY CRITICAL (READ, MORE SEVERE) LINUX FARES 10 TIMES WORSE THAN LINUX! DEAL WITH IT! AND STOP ACCUSING ME OF IGNORING THAT PART WHEN I HAVE ADDRESSED IT THREE TIMES ALREADY! YOU KEEP BRINGING IT BACK UP DESPITE THE FACT THAT I HAVE ADDRESSED IT THREE TIMES!
Linux fares 10 times worse than Windows that is of course. Even with ONLY extremely critical and highly critical vulnerabilities (read as more severe vulnerabilities). Now stop ignoring the fact that I have already addressed that 3 fscking times, and you keep bringing it back up!
Those figures from Secunia don't show anything at all. To reiterate, they only show the presence of malware, not whether they have had ANY EFFECT WHATSOEVER on the respective OSes. And that, my dear friend, is the bottom line.
now to further add to your misery, here are some more pieces of evidence for you to glower over concerning how, while there are far more systems running apache on linux and other *nix systems than there are running windows server, the number of SUCCESSFUL ATTACKS and vulnerabilities is significantly more on windows servers (much of the evidence has been gathered from netcraft):
"Perhaps the most oft-repeated myth regarding Windows vs. Linux security is the claim that Windows has more incidents of viruses, worms, Trojans and other problems because malicious hackers tend to confine their activities to breaking into the software with the largest installed base. This reasoning is applied to defend Windows and Windows applications. Windows dominates the desktop; therefore Windows and Windows applications are the focus of the most attacks, which is why you don't see viruses, worms and Trojans for Linux. While this may be true, at least in part, the intentional implication is not necessarily true: That Linux and Linux applications are no more secure than Windows and Windows applications, but Linux is simply too trifling a target to bother attacking.
This reasoning backfires when one considers that Apache is by far the most popular web server software on the Internet. According to the September 2004 Netcraft web site survey, [1] 68% of web sites run the Apache web server. Only 21% of web sites run Microsoft IIS. If security problems boil down to the simple fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS. Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.
Yet this is precisely the opposite of what we find, historically. IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful. The Code Red worm that exploited a buffer overrun in an IIS service to gain control of the web servers infected some 300,000 servers, and the number of infections only stopped because the worm was deliberately written to stop spreading. Code Red.A had an even faster rate of infection, although it too self-terminated after three weeks. Another worm, IISWorm, had a limited impact only because the worm was badly written, not because IIS successfully protected itself.
Yes, worms for Apache have been known to exist, such as the Slapper worm. (Slapper actually exploited a known vulnerability in OpenSSL, not Apache). But Apache worms rarely make headlines because they have such a limited range of effect, and are easily eradicated. Target sites were already plugging the known OpenSSL hole. It was also trivially easy to clean and restore infected sites with a few commands, and without so much as a reboot, thanks to the modular nature of Linux and UNIX.
Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. [2] None of the top 50 web sites runs Windows or Microsoft IIS. So if it is true that malicious hackers attack the most numerous software platforms, that raises the question as to why hackers are so successful at breaking into the most popular desktop software and operating system, infect 300,000 IIS servers, but are unable to do similar damage to the most popular web server and its operating systems?
Astute observers who examine the Netcraft web site URL will note that all 50 servers in the Netcraft uptime list are running a form of BSD, mostly BSD/OS. None of them are running Windows, and none of them are running Linux. The longest uptime in the top 50 is 1,768 consecutive days, or almost 5 years.
This appears to make BSD look superior to all operating systems in terms of reliability, but the Netcraft information is unintentionally misleading. Netcraft monitors the uptime of operating systems based on how those operating systems keep track of uptime. Linux, Solaris, HP-UX, and some versions of FreeBSD only record up to 497 days of uptime, after which their uptime counters are reset to zero and start again. So all web sites based on machines running Linux, Solaris, HP-UX and in some cases FreeBSD "appear" to reboot every 497 days even if they run for years. The Netcraft survey can never record a longer uptime than 497 days for any of these operating systems, even if they have been running for years without a reboot, which is why they never appear in the top 50.
That may explain why it is impossible for Linux, Solaris and HP-UX to show up with as impressive numbers of consecutive days of uptime as BSD -- even if these operating systems actually run for years without a reboot. But it does not explain why Windows is nowhere to be found in the top 50 list. Windows does not reset its uptime counter. Obviously, no Windows-based web site has been able to run long enough without rebooting to rank among the top 50 for uptime.
Given the 497-rollover quirk, it is difficult to compare Linux uptimes vs. Windows uptimes from publicly available Netcraft data. Two data points are statistically insignificant, but they are somewhat telling, given that one of them concerns the Microsoft website. As of September 2004, the average uptime of the Windows web servers that run Microsoft's own web site (www.microsoft.com) is roughly 59 days. The maximum uptime for Windows Server 2003 at the same site is 111 days, and the minimum is 5 days. Compare this to www.linux.com (a sample site that runs on Linux), which has had both an average and maximum uptime of 348 days. Since the average uptime is exactly equal to the maximum uptime, either these servers reached 497 days of uptime and reset to zero 348 days ago, or these servers were first put on-line or rebooted 348 days ago.
The bottom line is that quality, not quantity, is the determining factor when evaluating the number of successful attacks against software."
http://www.theregister.co.uk/security/security_report_windows_vs_li...
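The uptime-counter rollover the quoted article describes comes from a fixed-width tick counter wrapping to zero. The following is an added example, not code from the article or from anyone in this thread, that computes the rollover period for an assumed counter width and tick rate and lists every real uptime consistent with what an outside observer such as Netcraft would read; the tick rates used are assumptions for illustration, not figures from the page.

```python
# Added example (not from the quoted article or any commenter): why an
# externally observed uptime is ambiguous once a tick counter can wrap.
# Counter widths and tick rates below are assumptions for illustration.
SECONDS_PER_DAY = 86_400


def rollover_days(bits: int, ticks_per_second: int) -> float:
    """Days until a `bits`-wide counter incremented `ticks_per_second`
    times a second wraps back to zero (2**bits ticks in total)."""
    return (2 ** bits) / ticks_per_second / SECONDS_PER_DAY


def observed_uptime_days(true_uptime_days: float, bits: int,
                         ticks_per_second: int) -> float:
    """Uptime an observer reading only the raw counter would report:
    the true uptime reduced modulo the rollover period."""
    return true_uptime_days % rollover_days(bits, ticks_per_second)


def candidate_true_uptimes(observed_days: float, bits: int,
                           ticks_per_second: int,
                           max_days: float) -> list[float]:
    """Every real uptime up to `max_days` that would produce the same
    observed counter value: observed + k * period for k = 0, 1, 2, ...
    A single reading cannot tell these apart."""
    period = rollover_days(bits, ticks_per_second)
    candidates = []
    k = 0
    while observed_days + k * period <= max_days:
        candidates.append(observed_days + k * period)
        k += 1
    return candidates


if __name__ == "__main__":
    # Assumed configurations: a 32-bit counter at 100 ticks/s and one
    # at 1000 ticks/s (the latter matches a 32-bit millisecond counter).
    for label, bits, hz in (("32-bit @ 100 Hz", 32, 100),
                            ("32-bit @ 1000 Hz", 32, 1000)):
        print(f"{label}: wraps after {rollover_days(bits, hz):.1f} days")

    # A constructed host really up for 600 days under a 32-bit/100 Hz
    # counter is reported as only ~103 days by the raw counter.
    print("observed for 600 true days:",
          round(observed_uptime_days(600, 32, 100), 1))

    # A constructed observation of 348 days is consistent with a real
    # uptime of 348 days or of one full wrap more.
    print("real uptimes consistent with 348 observed days (<= 1000):",
          [round(d, 1) for d in candidate_true_uptimes(348, 32, 100, 1000)])
```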
> those figures from secuna don't show anything at
> all. to reiterate, they only show the presence
> of malware
Wrong. Viruses / worms are recorded separately from vulnerabilities. When it comes to highly critical / extremely critical vulnerabilities, Linux fares 10 times worse than its nearest competitor (Windows).
"Yet this is precisely the opposite of what we find, historically. IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful"
You are pulling that out of your ass. The data shows otherwise. Apache has more than 50 highly critical and extremely critical vulnerabilities reported, compared to IIS's 15. In addition, Apache averages two vulnerabilities reported every month. IIS has not had a vulnerability reported in over a year. Apache's last vulnerability was reported in October of this year.
All you are using to base your claims on is the fact that IIS vulnerabilities get more press because CNN, etc. follow what's happening with Microsoft a lot more than they follow what is happening with Linux. You are also basing it on the fact that the OSS-biased news sites like NewsForge, Slashdot, etc., all jump on the latest IIS vulnerabilities and make them big news, while quietly sweeping the vulnerabilities of Apache under the rug. Basically, Apache has vulnerabilities reported so often that it is not even considered news. IIS averages one every six months, so when it happens, it is news.
"Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. [2] None of the top 50 web sites runs Windows or Microsoft IIS"
Hah! you fell into the uptime trap! Again proof you don't have a clue about what you are talking about!
Clue factory: Windows uptime rolls over to 0 after approximately 49 days (according to MSDN). Linux kernel 2.4 uptime rolls over to 0 after approximately 200 days, and kernel 2.6 rolls over to 0 approximately every 50 days.
Which means that your uptime figures are 100% fscking worthless! There is absolutely no way to reliably track uptime!
Sorry. You lose. Thanks for playing. Try again when you have a clue about how the various operating systems reset their uptime.
> The bottom line is that quality, not quantity,
> is the determining factor when evaluating the
> number of successful attacks against software."
Again, my data shows otherwise. And The Register is widely regarded to be an unreliable source. You are going to have to find something else.
"your data doesn't show the number of successful attacks, whereas mine do. yours merely show the presence of the number of malware. please learn to interpret correctly."
Your data is junk data. Because most of the people didn't even know the Linux system was there. It was behind a stealth firewall. The Windows system was behind no firewall. That is a 100% garbage comparison.
And please learn the difference between malware and vulnerabilities. How many times do I have to tell you that what I was comparing was NOT NOT NOT malware?!?!
boy oh boy, IP: 81.76.38, you're going to love this. just to rub it in yet further, the honeypot project was mentioned and linked to many posts ago and is worth bringing up again.
"The average unpatched Linux system survives for months on the Internet before being hacked, a report recently issued by the Honeypot Project claims.
The life expectancy of Linux has lengthened dramatically since 2001 and 2002, the project said, from a mere 72 hours two and three years ago to an average of three months today.
Honeypot Project is a non-profit that, as its name suggests, connects vulnerable systems to the Internet in the hope of drawing attacks so that they can be studied. To figure out the lifespan of a Linux system, the group set up a dozen "honeynets" -- the project's term for a system that hosts numerous virtual honeypot machines -- in eight countries, then tracked the time it took for those machines to be compromised.
"What's surprising is that even though threats and activity are reported as increasing, we see the life expectancy of Linux increasing against random attacks," said the group's report.
In comparison, unpatched Windows systems often are hacked within minutes of connecting to the Internet. Late last month, similar "honeypot" research done by AvanteGarde tallied the average survival time of several versions of Windows at just four minutes."
Unfair comparison. The Linux system was behind a stealth firewall. The Windows system was not. In other words, most people didn't even try to attack the Linux system because they didn't know it was there.
Sorry. You can't slip obviously flawed studies past my scientific eye when the Windows system was at a major disadvantage because it had no firewall, while the Linux system did.
Expect DIMM sizes to suddenly increase.
2GB will probably become the new base size, with power users choosing 4GB, 8GB or more.
Vista will run much better in 2GB of RAM than it does in 1GB. This will be partly due to enhanced cache systems and partly due to the fact that this is a SERVER OS that has wobbled its way onto the desktop as probably the most bloated and leaky operating system ever created for the PC.