Code Comments
Just thought that some of you would find this to be of interest.

People can say what they want. Carnegie Mellon University studied operating systems for 4 years and arrived at the results as shown on this web site:

http://news.zdnet.com/2100-1009_22-5489804.html

This certainly confirms in my mind that Linux is probably one of the safest server-based operating systems available. Possibly one of the safest all-around operating systems available. Despite "conventional wisdom" Linux is not going to go away...particularly now that IBM has embraced it.

Bob Wolfe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When replying by e-mail, make sure that you correct the e-mail address.
Check out The Flexus COBOL Page at http://www.flexus.com

On 15-Dec-2004, "JerryMouse" <nospam@bisusa.com> wrote:

> Apples and oranges. Servers are a piddly percentage of boxes. Properly
> configured boxes, either Windows or that other one (can't think of its name)
> don't get compromised. Further:

Which is meaningless if boxes aren't properly configured. Or when this definition keeps changing as new security breaches are discovered.

On Tue, 14 Dec 2004 16:54:04 GMT, Bob Wolfe <rtwolfe@flexus.com> wrote:

>Just thought that some of you would find this to be of interest.
>
>People can say what they want. Carnegie Mellon University studied
>operating systems for 4 years and arrived at the results as shown on
>this web site:
>
>http://news.zdnet.com/2100-1009_22-5489804.html
>
>This certainly confirms in my mind that Linux is probably one of the
>safest server-based operating systems available. Possibly one of the
>safest all-around operating systems available. Despite "conventional
>wisdom" Linux is not going to go away...particularly now that IBM has
>embraced it.
>
>Bob Wolfe

Bob, does this mean Microsoft is lying? I'm shocked, _shocked_!!

--
tim boyer
tim@denmantire.com

> Properly configured boxes, either Windows or that other one (can't think of its name)
> don't get compromised. Further:

The vast majority of Windows boxes are not 'properly configured'. Most home users for example don't know what SP2 is or are still running Windows 98 or ME. Many still run Outlook and IE because it is there.

With Outlook you can get a security breach merely by selecting an EMail message unless the user has done something deliberate to stop that happening, such as getting an update.

With IE you can get a security breach merely by visiting a site and using the scroll bar.

> But, again, most car wrecks are caused by drunk drivers, not the cars themselves.

That comparison is entirely spurious. With Windows one can buy a machine at a retail store, connect it to the internet and, with no action at all from the user, it could be breached within a few minutes.

This is equivalent to buying a car and putting it in the driveway and having a tree fall on it. Actually, these days, it is _not_ like a tree falling on it, it is like someone attaches a trailer and gets a free ride.

A recent survey of several thousand machines found an average of 29 spyware and adware items per Windows machine.

Yes, with Linux a direct attack can cause the system to crash if it isn't configured properly, but it doesn't get silently 'pwn3d' (owned in text speak).

> You're free to do whatever you wish with the software you write.

Yes, I can. Writers using proprietary software may find that they are restricted in what they do with their software. The EULA is a contract not a licence and this may impose restrictions. For example it may say that I may not use this product to develop a product that competes with any product from the supplier.

When a market succeeds, MS announces a product and then prevents developers from 'competing' with theirs:

"""
---------------
First Microsoft encourages fleet tracking companies to grow the market.

Second they add confusing language to the EULA which seems to restrict use for Tracking. (But they don't seem to enforce it. Hmmm, I wonder why?)

Third, they come out with a product that is directed right at business users, which is the core business of the fleet tracking companies.

Finally the coup de grace, (this is my guess) Microsoft targets Fleet Tracking companies clients. (They even know who the MapPoint users are.) They start enforcing the EULA and within 1-2 yrs, they are the only company left providing fleet tracking with MapPoint.

Ever feel like you've been taken?
----------------------
"""

'Freedom' means not having to put up with that sort of crap.

Bob Wolfe wrote:

> Just thought that some of you would find this to be of interest.
>
> People can say what they want. Carnegie Mellon University studied
> operating systems for 4 years and arrived at the results as shown on
> this web site:
>
> http://news.zdnet.com/2100-1009_22-5489804.html
>
> This certainly confirms in my mind that Linux is probably one of the
> safest server-based operating systems available. Possibly one of the
> safest all-around operating systems available. Despite "conventional
> wisdom" Linux is not going to go away...particularly now that IBM has
> embraced it.
>
> Bob Wolfe
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> When replying by e-mail, make sure that you correct the e-mail address.
> Check out The Flexus COBOL Page at http://www.flexus.com
>

Fascinating that everyone here simply took it for granted that they were finding valid bugs. Read the description:

=========================================================================
The conclusion is the result of a four-year research project conducted by code-analysis company Coverity, which plans to release its report on Tuesday ...

Code-analysis tools typically use software-design principles to analyze a program's source code and flag any possible problems
=========================================================================

I've used a code analyzer tool. It's a "super lint" that flags such items as:

    while (c = 'a') { ... }

Which certainly looks like an error, but isn't necessarily so.

In any case, all the article says is they are assuming the output of their code analysis tool is a "bug" count. All it really means is it found fewer constructs it didn't like.

A "bug" is a verifiable software problem. There is no automated tool that can do this.

--
Samiam is Scott A. Moore

Personal web site: http:/www.moorecad.com/scott
My electronics engineering consulting site: http://www.moorecad.com
ISO 7185 Standard Pascal web site: http://www.moorecad.com/standardpascal
Classic Basic Games web site: http://www.moorecad.com/classicbasic
The IP Pascal web site, a high performance, highly portable ISO 7185 Pascal compiler system: http://www.moorecad.com/ippas

Good does not always win. But good is more patient.

Scott:

Valid point and observation.

One should find it very interesting that only M/S and Linux are being reported on / compared.

Meanwhile, have most people, beyond the techie types, found it very interesting that malicious code seems to be targeted toward the systems easiest to compromise?

The answer is no, because marketing of Windoze is so heavy, that most people have no idea that OS/2 used to be available. And most have no idea what Linux is.

So when I have discussed this with supposed technical types, the answer was that if the other systems were more prevalent (having more exposure) you would see malicious code targeted to them.

It is my conjecture that since most of the reported attacks are against M/S, it would seem that they have the most exposures that are the easiest to exploit.

If M/S actually starts doing regression testing and the like, and closes holes in designs and implementation, the crackers will move on to other systems looking for easy exploits. The end result should be much tighter code and system by all software companies.

Later,
Steve.T

steve.t wrote:

> It is my conjecture that since most of the reported attacks are against
> M/S, it would seem that they have the most exposures that are the
> easiest to exploit.

The problem with Windows is that most of the exploits are not of bugs (though buffer overruns have been exploited) but of _features_.

With Outlook, opening an email can cause the attachment to be executed allowing viruses to be loaded. The default for Windows is to _hide_ the file type because the typing is based on DOS, and thus an attachment that is innocent.jpg.exe is shown as innocent.jpg and appears to be an image but will execute when clicked.

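An added example, not part of the original thread: a mail-gateway style check for the attachment naming described in the post above, where the real extension is executable but the name shown to the user ends in a harmless-looking one. The extension sets, the simplified "hide known extensions" model and all function names are assumptions of this example.

```python
import os

# Illustrative extension sets, not exhaustive (assumption of this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
BENIGN_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc"}


def normalize(filename):
    """Reduce an attachment name to the form Windows would store it under."""
    base = os.path.basename(filename.replace("\\", "/"))
    return base.rstrip(". ")  # Windows drops trailing dots and spaces


def split_ext(name):
    """Split on the last dot; the extension comes back lower-cased."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name, ""
    return stem, "." + ext.lower()


def displayed_name(filename):
    """What the user sees when extensions of known types are hidden."""
    name = normalize(filename)
    stem, ext = split_ext(name)
    return stem if ext in EXECUTABLE_EXTS | BENIGN_EXTS else name


def classify(filename):
    """Return 'ok', 'executable' or 'deceptive' for one attachment name."""
    stem, real_ext = split_ext(normalize(filename))
    if real_ext not in EXECUTABLE_EXTS:
        return "ok"
    # Padding before the real extension pushes it further out of sight.
    _, shown_ext = split_ext(stem.rstrip(". "))
    return "deceptive" if shown_ext in BENIGN_EXTS else "executable"


def scan(filenames):
    """List (name, displayed name, verdict) for every name that is not 'ok'."""
    return [(f, displayed_name(f), classify(f))
            for f in filenames if classify(f) != "ok"]


# Constructed sample names; the first is the one from the post above.
SAMPLES = ["innocent.jpg.exe", "holiday.JPG", "setup.exe",
           "report.pdf      .SCR", "notes.txt.bat. "]

if __name__ == "__main__":
    for row in scan(SAMPLES):
        print(row)
```

A gateway would typically quarantine "deceptive" names outright and apply its ordinary executable-attachment policy to "executable" ones.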
A poorly designed and/or implemented feature is still a bug - logic based, but still a defect or bug.

Anytime you have incorrect output, you have a bug. And undesirable output that is because of a security exposure is the worst kind.

Let me give an example: In the MVS world, IDCAMS (utility) is in the books. However, because of what it can be used for, it detects if *you* are authorized to perform functions. If it did not, you could use it to delete/copy/modify files you are not authorized to use or see.

If you give that kind of power to common users (as M/S does), and bad things happen, you can't really say that this is a feature and not a bug. Yet it is precisely this kind of thing that people want to gloss over and call a feature -- and not a glaring security error (bug).

Let us look at another issue. It is my opinion from doing D/R work that the M/S Registry is a LARGE bug. Consider what happens if you have a drive crash. Upon doing a restore, does the registry get correctly restored? If it doesn't, software that has Windows API calls seem to crash because information needed isn't in the directory (well the registry data points to "D" but since the new drive was large enough to hold all the data...). Talk about a DoS!

This is a poorly thought out situation that has come to bite several entities when they have had to restore a system after a hard drive crash.

No other O/S that I know of and/or have used has such glaring problems. Yet we all take these as "features" from M/S and allow them to get away with it.

Later,
Steve.T

On 20-Dec-2004, "steve.t" <sthompson@ix.netcom.com> wrote:

> No other O/S that I know of and/or have used have such glaring
> problems. Yet we all take these as "features" from M/S and allow them
> to get away with it.

The philosophy was one of offering complete power to the user. This worked when there was one user per machine who owned and controlled everything on the machine. Everybody was a power user (and we do like being power users).

But the Internet changed that. We no longer can guarantee that only our decisions change our computers. That philosophy that was so seductive doesn't work anymore.