On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote: > It can actually drive me mad to see how many Linux users entirely trust in > their assumption that they're more secure by default simply because they > don't run a Windows system.
A Linux user running a default installation of a modern Linux distribution *IS* more secure by default than someone running a default installation of Windows XP. Modern Linux distros don't run many (or even any) services by default, and they usually implement packet-filtering firewall rules. WinXP does not. > However, there are *plenty* incredibly vulnerable Linux boxes exposed to the > Internet and I know for a fact that quite a few people simply download and > install binary packages from any given source without a second thought. With Windows, you have no choice but to do that, because there's very little open-source software available for Windows. > Even more ironically, a lot of people just compile and install > anything with the usual ./configure / make /make install stupor. This is a problem, I agree. > ELF infectors do exist, and just because it's not quite so common, doesn't > mean it doesn't happen. But unless you run as root, it's not possible to infect system binaries (without also exploiting a local root hole.) The barrier to entry is simply higher in *NIX than Windows. > Also - wild theory - I'd say that people are less > likely to notice a malware infected Linux box than a Win32 one, simply > because of blind trust. I strongly disagree. People expect Windows boxes to be slow, cantankerous and crash-prone. When a Linux box starts acting wonky, people notice immediately. One of my servers started going nuts the other day, and I noticed very quickly. (It was a bad hard drive, not an attack, but still...) > I also disagree on the note that a single system exposed to the Internet > doesn't form any type of threat at all. You can always beautifully serve as > a hop or become a friendly member of a botnet or whatever. I didn't say that. I said that if our colocation server got compromised, it wouldn't compromise our work machines (which are on another network.) > I'm not saying Linux sucks security-wise, OK. > I'm not saying Win32 sucks security-wise. But it does. > It's what you do with it, how you handle it, and how much you assume. Look, I'm sorry, there are fundamental flaws with Windows that make it practically un-securable. Linux has its bugs, but they are *bugs*, not *design flaws*. So-called "security experts" who don't admit that are doing a disservice to everyone. Regards, David. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
