Full Disclosure mailing list archives
Re: RE: Linux (in)security
From: Ron DuFresne <dufresne () winternet com>
Date: Thu, 23 Oct 2003 10:11:24 -0500 (CDT)
On Wed, 22 Oct 2003, Peter Busser wrote:
> Hi!
>
> > I have never heard of a Linux vendor saying that Linux is "secure out of the box." Maybe Openwall or Engarde Linux, but most distros need to be made secure by the user.
>
> More than enough people assert that Linux is secure. Just enter "Linux is secure" in Google and you see what I mean:
>
> http://www.linuxunlimited.com/why-linux.htm
> ``Properly configured and maintained, Linux is one of the most secure operating systems available today.''
I see nothing wrong with this statement, as it's qualified properly: Properly configured and maintained...
> http://www.faqs.org/docs/linux_intro/sect_01_04.html
> ``The security model used in Linux is based on the UNIX idea of security, which is known to be robust and of proven quality. But Linux is not only fit for use as a fort against enemy attacks from the Internet: it will adapt equally to other situations, utilizing the same high standards for security. Your development machine or control station will be as secure as your firewall.''
>
> Note: The UNIX idea of security: You can trust users, especially the administrator (root).
>
> http://www.usermode.org/docs/whatslinux.html
>
> http://news.zdnet.co.uk/software/linuxunix/0,39020390,2075966,00.htm
> ``Linux is as secure as you can make a computer,''
> ``First of all, Unix [on which Linux is based] is the paradigm that the computer is the network, so Linux is secure from the ground up.''
>
> http://www.suse.co.uk/uk/company/schools/sheet.pdf
> ``As a desktop operating system Linux is secure, stable and easy to use.''
> (SuSE is a vendor BTW)
>
> http://www.bio-itworld.com/news/022503_report2077.html
> ``The certification is "additional validation" that Linux is secure, ...''
And yet, none of these seem to be direct statements from the dist maintainers, more appearing to be media related links. Do you have actual links that support your claim made by those that maintain or distribute various dists?
> The list goes on and on and on.
>
> > Linux in the hands of someone with no interest or regard for security is the same as Windows or any other OS in the hands of the same clueless individual. The main difference between the Linux and Unix variants (i.e. BSD, Solaris, HP-UX) is that they have already learned their lesson regarding buffer overflows and kernel hardening and allowed the user more control in securing their systems.
>
> This is repeated over and over again, but it is simply not entirely true. It may protect against script kiddies, but not against more sophisticated crackers. The following URL proves that:
>
> http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it
>
> Both persons in this conversation have a Linux box which: 1) Has the latest security patches installed and 2) Is only running the necessary services. In other words, boxes that have ``been made secure by their users''.
And if one reads the thread, they will see that one box, rolled out with a flat ole Debian package set was vulnerable, and the other box with the grsecurity module hooked and loaded varied on how they stood up to attack. A solid reading of the posting seems, again, to not support the claims you are making here, sir.
> > M$ has not, and that is unfortunate.
>
> Flaws in other products do not make Linux more secure.
But, they work to direct interest in the "other" products and away from other platforms. Not that this buys one much over sec => obscurity, but even that makes the work load of those admins running Linux systems easier.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html