On Aug 30, 2004, at 1:03 PM, Josh Coates wrote:
good thoughts grant. comments below.
Thanks, and a couple of rebuttals.
1) The study was for attacks in January 2004. Six months before that,
the numbers were radically different, with Windows accounting for 51%, and
Linux just 14% (this is from the MacWorld article, quoted from the
study)
yes, we have two data points now, with the second being second hand (though
probably true.) but given that a tech reporter paraphrased it, we have no
idea the context (eg. it could have been a single anomalous month) and the
reason this is important is that tech reports are notoriously inaccurate and
often purposely so (i promise you that i know this for sure.) in any case,
the historical implications are unclear.
On the contrary, I think they are quite clear, especially as the statistics are not from MacWorld but from mi2g. And, if the stats from that month are anomalous, it is quite possible/probable that the results from January 2004 are anomalous. The statement by mi2g is pretty clear as to why the numbers rose, so there should not be a lot of dispute there. That was _not_ a "notoriously inaccurate" quote, but one that clearly implies that the results of six months before were not anomalous, otherwise there would be no need to explain the rise in Linux compromises.
2) The reason for the number of hacked linux boxes is like this: Pointy-Haired-Boss says: "Hey, Windows Admins, windows sucks, we need to switch to Linux". Windows admins who know _nothing_ about linux download linux, install, don't configure or secure the box, and then wonder why the machine is cracked.
sure, go ahead and blame the windows admins for successful linux breaches.
;-)
sorry, but this is a lame excuse for linux. note that you offer a
counter-point with 'naive' users having no security problems because
everything is turned off by default. so if the "install, don't configure or
secure the box" then they should be just fine, right? ;-)
It is not a lame excuse for Linux, as the administrators conceivably know enough to turn on basic services such as Apache, Bind, LDAP, Samba, etc. (either during the install or post-install), but are perhaps not up on the nuances of iptables as opposed to the GUI firewall software used on windows. We are not talking about your grandma or other non-techie who would be using Firebird, Thunderbird, Gaim, and not much else. So, it's not an excuse, it's a statement of what most likely occurred, and notice that I just gave my own interpretation of what Matai said, who is from mi2g. That's why he said "the swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge of how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers." That is a direct quote, not second-hand info.
Matai added: "Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications can have on overall safety and security."
interesting implications to the "non-techy use of linux is a good thing"
discussion.
Again, he is talking about the server arena, not home use. Two different areas. But home users would need a small bit of rudimentary training: "The foot is like the start menu" or "the K with the gear is like the start menu", etc, and it would most likely come from the Linux savvy user who installed the OS for them in the first place. Obviously there is a trade-off, as the home user would be protected from adware/malware, etc. but they would lose some ease of use (or perhaps familiarity) by going with Linux.
That is why this study does not mean what you are trying to make it mean.
look, the study concluded that successful linux attacks are on the rise, and
as of the date published, linux was the most vulnerable operating system to
attacks. that's what the study says. anything else about
pointy-haired-bosses and bad windows admins is fun speculation.
yes, successful attacks of linux are on the rise but Linux by design is not more vulnerable than Windows (which is why they leave out the virus, etc. attacks, because that would skew the numbers. Many more Windows systems were compromised because of inherent design flaws in Windows itself, as stated by Michael Torrie and seconded by most any other computer scientist and security researcher who is able to look objectively or somewhat objectively at the situation. This does not mean that Linux is perfect, only that it does not suffer from the same inherent design flaws that Windows does. If inherent design flaws in Linux are found, they will be much easier to patch because Linux is more loosely coupled than Windows. A bug in the kernel would most likely )
<snip>
Did you read the previous emails? Most desktop linux distros don't
turn things on by default nowadays, so the "naive" linux desktop user
is not at risk, as they don't know how to turn things on. "You're just
trying to be a pot-stirrer man thingy." :)
yes, i read the previous emails. guess what, naive linux desktop users can
install and run 3rd party apps just as well as anyone, thus making them even
more vulnerable. granted i am stirring the pot, but i'm a dedicated
techno-agnostic and i have a problem with techno-bigotry. oh, i also run
debian. ;-)
Installing software in Linux is not quite as easy as it is in Windows, which makes it less likely that non-techie users will be installing things in Linux (as most users are deathly afraid of the command-line). Even if they do, I don't know of any adware/malware/viruses that are commonly found in the wild for linux and would have the effect that such things do in Windows. Browsing to a webpage in Firefox will not infect your linux machine with a virus, where going to that same page in IE in Windows can. That is the point we are trying to drive home here. Now, as for techno-agnostic, that is an interesting term. From the different definitions found on the web for agnostic, (google search for: define: agnostic), I see several possibilities for what that means:
1) You do not believe that we can prove technology exists
2) You believe that technology exists, but it does not care about you individually
3) You doubt the truth of all technology
Course if what you meant is you are technology-neutral (and running debian is proof of that), then I must say that I am as well. I run XP at work, Linux on my servers, and OS X at home. :)
just trying to help Josh keep it real and mildly entertaining while still disseminating the correct facts and information to the UUG
hey there pal - i hope you are not insinuating that i am not disseminating
correct facts. we're just having a friendly discussion. check yourself on
that. ;-)
Sorry, I should have said that you are not disseminating all the facts, and some of your conclusions are a bit shaky. :)
Grant Robinson
