Subject: Re: seti runs better on win or linux
From: AthlonRob
Date: 10/10/2003, 21:05
Newsgroups: alt.sci.seti


On Fri, 10 Oct 2003 07:06:53 -0700, Rich <someone@someplace.com> wrote:
A big point about Linux and open-source is that problems and exploits 
are widely published and quickly fixed VERY QUICKLY.

Perhaps, but this does not mean that most users know about, or update
their systems. Even unix sys admins don't do a reliable job, as the
last worm demonstrated.

I think things have changed in that regard.  I don't remember a worm 
hitting unix/linux servers in the last year.  These days, when a possible 
exploit is found, patches are usually available within hours and within 
a day everybody is aware of the problem and has their systems patched.  
Sure, there are exceptions to this rule, but they're becoming far less 
common these days.

There's many eyes to scrutinize for problems and there's no big 
marketing department to get in the way of _real_ progress.

And no central planning or control, which makes what gets done
somewhat hit or miss.

Central planning or control?  You mean one big company making all the 
software?

Naw, doesn't sound like a good idea, and definitely makes me think 
things would be more hit-or-miss.

It's very easy to follow different servers you're running.  There are 
centralized security mailing lists available.  When a bug is found in, 
say, OpenSSL (just had one found a week or two back)... it gets patched 
ASAP and people running servers with OpenSSL on them find out through 
their distro's security mailing list.

In a sense, the distributions themselves help act as a central 
repository for things like security holes.  The people running the 
projects that make the servers themselves patch bugs after they're 
found.  If they don't, you switch to a different server, as Linux is all 
about choice.

You also have a security model that has survived 30+ years of very 
thorough testing!

I believe that by default, most linux's come with the ftpd running,
etc..., and as a result they are mostly open to attack, especially for
uninformed users. Unix was designed more for an open environment than
security, although of course it's still much better than Windows.

While some do still ship with ftpd running, that isn't opening them up 
for attack.  The ftp server that runs isn't an anonymous FTP server.  It 
isn't one that comes with known security exploits.  It's one the 
distribution maker deemed safe.

Most distros these days seem to ship with a default firewall to close 
off services to the outside world.  Those that don't tend to be targeted 
at people who have a Clue and can set up a firewall themselves... and 
already know what servers they have listening on what ports.

But I've seen many security problems on unix systems over the years,
usually of the buffer overflow variety that allows a root shell to
be obtained. Unix is no more secure than its system admin. Now for
home systems this is rarely a big problem. But how many companies have
had credit card numbers stolen by a hacker, from unix based systems?
How many govt agencies have had sensitive information stolen, from
unix systems, by hackers? Check out "The Cuckoo's Egg".

http://www.amazon.com/exec/obidos/tg/detail/-/0743411463/102-9899101-0828923?v=glance

These cases aren't really near as common as you make them out to be.  
And you might be surprised at how many of those credit card numbers are 
stored on Windoze servers.  A recent 'hacking' incident left Valve 
software reeling from the theft of the HalfLife2 source code.  It was 
all Windows involved there.

I think for every Unix/Linux hacking story, you can come up with three 
for Windows.  And Unix/Linux servers are still more common than Windows 
servers.

I'd strongly suggest that you don't just assume that linux is safe.
Hackers could discover a bug tomorrow and everything could change.
I'd still bet that Linux is better than windows, but I also bet that
few Linux owners keep their systems up to date or apply security patches.

Naw, I think most Linux users (I don't think there's such a thing as a 
Linux owner, really) do keep more up to date with security patches than 
that.

And sure, a hacker tomorrow could find a security hole in Linux that 
changes everything, but it would be changed back within a few hours, as 
past examples have shown.

-- 
Rob                       | If not safe,
Email and Jabber:         | one can never be free.
athlonrob at axpr dot net |