[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] I got hacked.........



I honestly do not believe it is a matter of which is inherently more secure or 
not.

A Windows, Linux, BSD or EasyBakeOven based system will only be as secure as 
the admin controlling it.

I think that because Windows is less intense in configuration (All GUI) than a 
*Nix based OS (untar, compile, do configs, test, wash, rinse, repeat), some 
admins tend to setup and forget and never apply patches.  An example of this is 
Code Red.  I think the patch came out June 18th or so and it wasn't a month 
later until CR hit big.

At the same time, Linux and *BSD can lull people into a false sense of 
security.  Linux is secure, MS is flawed etc.  This won't work either.  How 
many people hear have heard of a default Linux install, who shall go nameless  
being compromised within 20 minutes of putting it on the internet?

Other misconceptions are that "since we are x, we won't be hacked, noone would 
want to hack us."  The truth is, hackers love K12s and .edus.  Most have nice 
bandwidth (at least T1) and usually poorly admined servers.  Whats better than 
a 24/7 operational vulnerable target?  While they might not be high profile 
defacement targets (unless they are a UC or MIT or similar), they are excellent 
at a multitude of other things, especially *nix based systems.

The final reality, all OS/ideological zealotry aside: a server is only secure 
as the admin operating it.

If you have firm security minded rules, are up to date on patches, and have 
sound firewall policy, nearly any platform should do you fine.

While a OS' default security policies, like OpenBSD and to a lesser extent, 
Debian and Slackware, can afford some level of security, you always need to 
maintain vigilance.

- James

Quoting Kirk Rheinlander <kirk kpj2 com>:

>  From NTBUGTRAQ, about a year ago.......does not include the approximately 
> "1 major MS product security hole per day" data that IDC and others have 
> been quoting....
> 
> How Many Vulnerabilities Per Operating System?
> 
> You may all be aware that much used commercial software can be like
> Swiss cheese when you look at security vulnerabilities. Some OS-es
> are worse than others, but what are the numbers, and which one
> is best? Perhaps you have heard of NTBUGTRAQ. They have a database
> that tracks holes and this gives a good indication. Here goes, and
> you'll be surprised.
> 
> - Commercial Unix : 271 (AIX, IRIX, Solaris, HP-UX and BSD/OS)
> - Linux : 147 (aggregate)
> - Windows NT/2000 : 146 (This is NT and IE together)
> - Windows 3.1/9x : 61
> - FreeBSD, OpenBSD: 42
> - MAC OS : 6
> - Novell Netware : 5
> 
> However, the big deal with OpenSource is that you can find and apply 
> patches to the source, or even fix it yourself, and a huge community is 
> working to fix these things as soon as they are identified.
> 
> Micro$oft places you at the mercy of
> 1)is it important to M$? and
> 2) when M$ gets around to fixing it
> 3) we own the code, we do it our way, and if you don't like it, use 
> something else.
> 4) it's not a problem, it's a feature....







[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]