Full Disclosure mailing list archives

Re: Re: January 15 is Personal Firewall Day, help the cause


From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Fri, 16 Jan 2004 21:34:10 -0500 (EST)

On Fri, 16 Jan 2004 jan.muenther () nruns com wrote:

> It can actually drive me mad to see how many Linux users entirely trust in
> their assumption that they're more secure by default simply because they
> don't run a Windows system.

A Linux user running a default installation of a modern Linux distribution
*IS* more secure by default than someone running a default installation
of Windows XP.

Modern Linux distros don't run many (or even any) services by default,
and they usually implement packet-filtering firewall rules.  WinXP does not.

> However, there are *plenty* of incredibly vulnerable Linux boxes exposed to the
> Internet and I know for a fact that quite a few people simply download and
> install binary packages from any given source without a second thought.

With Windows, you have no choice but to do that, because there's very
little open-source software available for Windows.

> Even more ironically, a lot of people just compile and install
> anything with the usual ./configure / make / make install stupor.

This is a problem, I agree.

> ELF infectors do exist, and just because it's not quite so common, doesn't
> mean it doesn't happen.

But unless you run as root, it's not possible to infect system binaries
(without also exploiting a local root hole.)  The barrier to entry is
simply higher in *NIX than Windows.

> Also - wild theory - I'd say that people are less
> likely to notice a malware-infected Linux box than a Win32 one, simply
> because of blind trust.

I strongly disagree.  People expect Windows boxes to be slow, cantankerous
and crash-prone.  When a Linux box starts acting wonky, people notice
immediately.  One of my servers started going nuts the other day,
and I noticed very quickly.  (It was a bad hard drive, not an attack,
but still...)

> I also disagree on the note that a single system exposed to the Internet
> doesn't form any type of threat at all. You can always beautifully serve as
> a hop or become a friendly member of a botnet or whatever.

I didn't say that.  I said that if our colocation server got compromised,
it wouldn't compromise our work machines (which are on another network.)

> I'm not saying Linux sucks security-wise,

OK.

> I'm not saying Win32 sucks security-wise.

But it does.

> It's what you do with it, how you handle it, and how much you assume.

Look, I'm sorry, there are fundamental flaws with Windows that make
it practically un-securable.  Linux has its bugs, but they are *bugs*, not
*design flaws*.  So-called "security experts" who don't admit that are
doing a disservice to everyone.

Regards,

David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

