Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the system that was released to corporate customers late last month. On Dec. 15, a Russian programmer posted a description of a flaw that makes it possible to increase a user's privileges on all of the company's recent operating systems, including Vista. Update by Thom: Ars thinks the situation is hot air, mostly, something I agree with (a cracker already has to have login credentials for the flaws to be of any use).
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2005-11-11
//Hmmmm, I don't know, is GNU/Linux really that much more secure than properly locked-down and patched Windows >=2000? //
Why do you feel it necesary to compare un unspecified GNU/Linux with a "properly locked-down and patched Windows >=2000". Why not compare with a "properly locked-down and patched GNU/Linux" ... say with SE Linux extensions installed.
No comparison. Linux is immeasurably more secure than Windows by any measure.
//Or is it just that hackers and big security firms with thousands of engineers focus on Windows because it had more users in many fields?//
Why not just assume the obvious ... hackers attack Windows for two reasons, not one ... the first is that there is a large installed base of Windows machines, but the second is that Windows is immeasurably easier to hack.
//What if 95% of the world ran Linux? Remember when Debian got hacked? //
The Debian hacks to which you refer were weak passwords. Someone managed to log on as a Debian developer by guessing a password. Any OS can be breached in this fundamental way. The hacker did no damage, and did not achieve privelege escallation before he was kicked off the system.
//Like default enabling guest accounts (Windows 2000, I think) and making users Administrators by default.//
Those are bad choices, but not the worst. The worst security decision in Windows is that the execute pemission of files is determined only by the three letters of the file's extension. Files with no pedigree at all on a Windows system (could have come from anywhere) are nevertheless happily executed by Windows. This design choice was made with DOS, and has been maintained ever since for reasons of backwards compatibility. While this remains (and it still does with Vista), Windows security is fundamentally borked. By design.
Member since:2006-07-13
"Those are bad choices, but not the worst. The worst security decision in Windows is that the execute pemission of files is determined only by the three letters of the file's extension. Files with no pedigree at all on a Windows system (could have come from anywhere) are nevertheless happily executed by Windows. This design choice was made with DOS, and has been maintained ever since for reasons of backwards compatibility."
and to protect the innocent customers, MS also decided not to show th extensions because they are not needed by customers. so click... huh ? this was a screensaver that actually was something else ? or that jpeg was an executable ?
Indeed borked by design.
Member since:2005-07-06
Hmmmm, I don't know, is GNU/Linux really that much more secure than properly locked-down and patched Windows >=2000?
There are a few things to factor in to answer that:
1) Theoretical security
2) Practical security
3) Real world users.
If we look at it from the theoretical point of view, Linux is far more secure than any version of windows. The reason for this is that it supports mandatory access control. In such systems anything that is not explicitly allowed is forbidden. E.g. it is totally possible to prevent firefox or something that have been downloaded with or started from firefox, to alter, reed or even see files or folders that have been created with other applications, and that even if firefox run as root (the Unix/Linux equivalent of Administrator in windows).
Then there is also traditional Unix security, such as chrooting, and intlligent use of posix ACLs. As the SELinux mandatory accesscontrol system and traditional
work more or less independently of each other the chance of penetration is lessended significantly
E.g. if you can break SELinux with probability p, and break normal Linux security with probablility q, the probability of getting a penetration will be p*q if you have that extra layer as they are independent events.
If we look at it from a practial point of view, the high level of security available in Linux is quite hard to configure. To get it right you need knowledge that most Linux admins don't have. So chances are, that they resort to traditional Unix security measures.
Some Linux distros like Fedora tries to provide good default SELinux policies, but as they are more or less one size fits all, they have to be more lax than they should, if you were to make full use of the SELinux protection potential, but even so they will offer quite good protection, provided they are turned on.
The last we have the factor of real world users. Real world users will try to make their work as easy as possible. This means that they are going to turn things that asks them for passwords or deny them doing certain things they feel they should be able to do, even if it is an insecure behavior. This will happen regardless if you run some version of Windows or if you run Linux.
The problem with earlier Windows versions was that the easiest way to get things to work was to run as Administrator.
So, in the end, the security of your Linux system will be much more dependent of your sysadmins level of paranoia and level of education than the fact that you are running Linux.
One thing is clear with the right skills you can get very high level of security with Linux. However secure systems usually are a hazzle to use (regardless of what OS that provides the security). So in the end you will need to ask yourself, is the things you want to protect worth all the trouble that the level of security creates.
Member since:
2006-05-11
Hmmmm, I don't know, is GNU/Linux really that much more secure than properly locked-down and patched Windows >=2000? Or is it just that hackers and big security firms with thousands of engineers focus on Windows because it had more users in many fields? What if 95% of the world ran Linux? Remember when Debian got hacked?
One thing is for sure, Microsoft has made some really stupid decisions that aversely affect security, and they should have been obvious. Like default enabling guest accounts (Windows 2000, I think) and making users Administrators by default.