Re: [SLUG] Vulnerabilities - linux v. windows
begin Silcock, Stephen quotation:

> - Default installations. I think you'd find more of these vulnerabilities are exploitable in a default install of Windows than a default install of say RedHat or Debian.

I'd say there's really no such thing as a default install in Debian. One can consider that a bug or a feature, per inclination. But I will say that you'll never get pushed towards sendmail, wu-ftpd, or BIND v. 8.x -- so you're already slightly ahead, right there.

In any event, once you add an alert system administrator into the picture, any *ix can be made security-tolerable with a bit of work. (I'll ignore the suggestion that one might do likewise for MS-Windows, else I'd risk hurting myself from laughter.)

In case they're useful, here are some of the classic texts, helpful in adding that one essential ingredient -- an alert sysadmin:

DNS and BIND, Cricket Liu, O'Reilly
TCP/IP Network Administration, Craig Hunt, O'Reilly
Unix System Administration Handbook, Evi Nemeth et al., Prentice Hall
Essential System Administration, Aeleen Frisch, O'Reilly
Linux System Administration; M Carling, Stephen Degler, Jim Dennis; New Riders (a different sort of book, but needed)
Building Internet Firewalls, Brent Chapman et al., O'Reilly
Firewalls and Internet Security, Wm. Cheswick Steven Bellovin, Addison-Wesley

And some more of my recommendations are quoted here (along with those of lots of other people, so I can't be responsible for the latter):
http://www.mezzaninereader.com/macosxbooks.html

(It refers to something I try to hammer into people: Many of the really bad technical books are bad mainly because they're attempting to be both a tutorial and a reference at the same time -- which is not possible, and just makes the book useless as either one.)

And some may find helpful an article of mine:
http://www.itworld.com/Sec/2199/LWD000829hacking/

--
Is it not the beauty of an asynchronous form of discussion that one can go and make cups of tea, floss the cat, fluff the geraniums, open the kitchen window and scream out it with operatic force, volume, and decorum, and then return to the vexed glowing letters calmer of mind and soul?
-- The Cube, forum3000.org

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
Re: [SLUG] Vulnerabilities - linux v. windows
<quote who="Rick Moen">

> > - Default installations. I think you'd find more of these vulnerabilities are exploitable in a default install of Windows than a default install of say RedHat or Debian.
>
> I'd say there's really no such thing as a default install in Debian. One can consider that a bug or a feature, per inclination.

There's the default setup of the packages though - inetd and snmpd are two good examples of non-good defaults in Debian packages.

Every distro has this issue, it's a tough one to get right.

[ I only think of inetd/snmp because they've come up in the past few days - more often than not the default setups you get with Debian packages are very good (see the apache package). ]

Everyone should go lodge bugs on their favourite distros, it makes them kick more arse. :)

- Jeff

--
One World, one Web, one Browser. - Microsoft promotion
Ein Volk, ein Reich, ein Fuhrer. - Adolf Hitler
Re: [SLUG] Vulnerabilities - linux v. windows
begin Jeff Waugh quotation:

> There's the default setup of the packages though - inetd and snmpd are two good examples of non-good defaults in Debian packages.

Hmm. My Debian server's installation-default /etc/inetd.conf went in like this:

    #:INTERNAL: Internal services
    #echo       stream  tcp  nowait  root  internal
    #echo       dgram   udp  wait    root  internal
    #chargen    stream  tcp  nowait  root  internal
    #chargen    dgram   udp  wait    root  internal
    discard     stream  tcp  nowait  root  internal
    discard     dgram   udp  wait    root  internal
    daytime     stream  tcp  nowait  root  internal
    #daytime    dgram   udp  wait    root  internal
    time        stream  tcp  nowait  root  internal
    #time       dgram   udp  wait    root  internal

    #:STANDARD: These are standard services.

    #:BSD: Shell, login, exec and talk are BSD protocols.

    #:MAIL: Mail, news and uucp services.

    smtp        stream  tcp  nowait  mail  /usr/sbin/exim exim -bs

    #:INFO: Info services

    #:BOOT: Tftp service is provided primarily for booting. Most sites
    # run this only on machines acting as boot servers.

    #:RPC: RPC based services

    #:HAM-RADIO: amateur-radio services

    #:OTHER: Other services

That's not bad. Of course, the default only lasted about five seconds. <grin> That's the result of that essential ingredient I mentioned.

> Every distro has this issue, it's a tough one to get right.

I leave this debate for those who're obliged to worry about systems lacking the essential ingredient. Any alert sysadmin will only run the services he's decided on running, have installed only CGI scripts he's checked and decided he needs, etc.

If you want a system that installs with all possible services firmly disabled by default, use OpenBSD. But I personally found that approach to be ludicrous and a pain in the neck.

I haven't used SNMP lately, so can't check to see what you mean.

The other matter, which I alluded to briefly, strikes me as more of a real issue: Why should a distribution offer for installation as default selections BIND v. 8, sendmail, and wu-ftpd, in this day and age? Those all have hideously bad security histories, can be expected to have ongoing problems, and I'd not use any of them. (Again, the alert sysadmin _can and will_ fix that, by yanking them out and replacing them with better-designed alternatives. But it's a nuisance.)
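The check described in the message above (knowing exactly which inetd services are switched on), as an added example that is not part of the original thread: a POSIX shell function that lists the enabled entries of an inetd.conf and marks external daemons started as root. The sample input reuses entries from the posted file plus one constructed `ftp` line; the function names and the REVIEW rule are assumptions of this example, not something the posters specified.

```shell
#!/bin/sh
# Added example (not from the thread): list what an inetd.conf really enables.
# inetd.conf fields:
#   service  socket-type  protocol  wait|nowait  user[.group]  server  [args]

inetd_enabled() {
    # $1: path to an inetd.conf-style file; reads stdin when omitted
    awk '
        /^[ \t]*#/ || NF == 0 { next }     # commented out (disabled) or blank
        NF < 6 { printf "line %d: malformed entry\n", NR; next }
        {
            note = ""
            # Assumption of this example: an external program (anything but
            # the inetd built-in "internal") started as root deserves review.
            if ($6 != "internal" && $5 ~ /^root([.:]|$)/)
                note = " REVIEW: external daemon as root"
            printf "%s/%s user=%s server=%s%s\n", $1, $3, $5, $6, note
        }
    ' "${1:--}"
}

sample_conf() {
    # Entries as posted in the message above, plus one constructed line.
    cat <<'EOF'
#:INTERNAL: Internal services
#echo     stream  tcp  nowait  root  internal
discard   stream  tcp  nowait  root  internal
discard   dgram   udp  wait    root  internal
daytime   stream  tcp  nowait  root  internal
time      stream  tcp  nowait  root  internal
#:MAIL: Mail, news and uucp services.
smtp      stream  tcp  nowait  mail  /usr/sbin/exim exim -bs
# constructed line, not from the message:
ftp       stream  tcp  nowait  root  /usr/sbin/in.ftpd in.ftpd
EOF
}

sample_conf | inetd_enabled
```

On a real host, `inetd_enabled /etc/inetd.conf` gives the same one-line-per-service view, which can be diffed against the list of services the administrator has decided to run.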
Re: [SLUG] Vulnerabilities - linux v. windows
On Wed, 3 Oct 2001 15:00:03 +1100 [EMAIL PROTECTED] wrote:

> Statistics can be taken to mean whatever you like. This doesn't seem to take account of the severity of particular vulnerabilities but I still thought other Sluggers may find it interesting.
>
> http://www.zdnet.com.au/newstech/os/story/0,224997,20260847,00.htm

I think there was a followup to this on http:://www.thregister.co.uk .

Turns out many of the Linux bugs were found during code reviews but do not or did not have an exploit at the time the bug became known. Every single M$ bug became known due to an exploit.

The other point raised is that the Linux bugs were patched in a matter of days while the M$ ones weren't fixed for weeks or months.

Erik

--
+---+
Erik de Castro Lopo [EMAIL PROTECTED] (Yes it's valid)
+---+
Hundreds of thousands of people couldn't care less about Kylix and what it runs on. It's there for the dying breed of die-hard Pascal fanatics who missed their 20 year window to migrate to C and C++.
-- Kaz Kylheku in comp.os.linux.development.apps
Re: [SLUG] Vulnerabilities - linux v. windows
[EMAIL PROTECTED] wrote:

> Statistics can be taken to mean whatever you like. This doesn't seem to take account of the severity of particular vulnerabilities but I still thought other Sluggers may find it interesting.
>
> http://www.zdnet.com.au/newstech/os/story/0,224997,20260847,00.htm

Yes. Unfortunately the article just uses the number of bugs reported to Bugtraq. This tells us little about the security of either OS. Some of those bugs would have been found before exploitation and some may not even have an exploit for them yet. That goes for both OS's.

You also need to take into account the severity of the bug, does it give user level access or root access or does it just crash a program?

The numbers of bugs on Bugtraq is just that - numbers. Little can be drawn from it except that it has managed to fill a page on zdnet on a quiet day :-)

Mike

Will go back to reading www.kuro5hin.org :-)

--
Michael Lake
University of Technology, Sydney
Email: mailto:[EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628
Linux enthusiast, active caver and interested in anything technical.
RE: [SLUG] Vulnerabilities - linux v. windows
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 03, 2001 2:00 PM
To: [EMAIL PROTECTED]
Subject: [SLUG] Vulnerabilities - linux v. windows

> Statistics can be taken to mean whatever you like. This doesn't seem to take account of the severity of particular vulnerabilities but I still thought other Sluggers may find it interesting.
>
> http://www.zdnet.com.au/newstech/os/story/0,224997,20260847,00.htm
>
> regards
> Steven

It also doesn't take into account a couple of other things...

- Default installations. I think you'd find more of these vulnerabilities are exploitable in a default install of Windows than a default install of say RedHat or Debian. Windows has too much running by default. Though personally I'd say RedHat does too - even a Debian box has stuff I remove straight after install and it's pretty minimal. Microsoft could improve their security and image *considerably* by shipping the OS with everything off instead of everything on.

- Source code availability. If you want to find a new hole in a Linux or BSD OS you can Use the Source Luke which can provide a wealth of information. For proprietary OS's you just have to hammer at it black box fashion until you get it to crack then try and work out exactly what happened and how to leverage it. Eeye have done some nice work in this area.

That's just a coupla things I came up with off the top of my head too... there's plenty more to this argument.

S. :)