
Re: [K12OSN] I got hacked.........



Your point is well taken - especially about a system only being as secure as
the admin controlling it.  However, it is much, much easier on *nix systems
(the open source ones anyway), when you find out about a security hole, to
patch it up.  I think the point that someone else made about the timing of the
security fixes is excellent - with any commercial O/S (be it Micro$oft, Sun,
Apple, etc.) you have to wait on the company to come out with the hotfix or
service pack, whatever, whereas with open source you can either fix it yourself
or find someone else who has a fix and not have to wait on that fix.  Also, you
made the point about compiling - if you do compile rather than using binary
packages you have that much more control over how open you are to attack.  I'm
not disagreeing with your point about anyone being a target, believe me, I
never thought my 56k dial-up modem at home would become a target until I found
some of my utilities replaced and found myself getting locked out of my own
system.  I would agree that everyone is a target, and that it is only a matter
of time before someone will succeed.  I guess I'm more agreeing with you than
not, but I do see advantages of open source O/S's (and software in general)
over commercial flavors.  I think one of the things that it really comes down
to is that the companies who produce commercial software (MS being my prime
example here) are in the business to make money.  Open source doesn't have that
concern most of the time.  The only reason a commercial software producer is
going to come back and provide a service pack, bug fix, etc., is because they
want people to buy their products again so they can make more money.  So they
push the software out in a semi-stable fashion and then release bug fixes as
fast as they can in order to keep business.  The open software community has
the goal of better software, or at least they aren't in it for the money (if
they are, they're in the wrong place).  Anyway, I've gone off onto a tangent that
should probably be saved for another time and/or place.

--Nick
--- James <james mail nbsd org> wrote:
> I honestly do not believe it is a matter of which is inherently more secure or not.
> 
> A Windows, Linux, BSD or EasyBakeOven based system will only be as secure as 
> the admin controlling it.
> 
> I think that because Windows is less intense in configuration (All GUI) than a *Nix based OS (untar, compile, do configs, test, wash, rinse, repeat), some admins tend to set up and forget and never apply patches.  An example of this is Code Red.  I think the patch came out June 18th or so and it wasn't a month later until CR hit big.
> 
> At the same time, Linux and *BSD can lull people into a false sense of security.  Linux is secure, MS is flawed etc.  This won't work either.  How many people here have heard of a default Linux install, who shall go nameless, being compromised within 20 minutes of putting it on the internet?
> 
> Other misconceptions are that "since we are x, we won't be hacked, no one would want to hack us."  The truth is, hackers love K12s and .edus.  Most have nice bandwidth (at least T1) and usually poorly admined servers.  What's better than a 24/7 operational vulnerable target?  While they might not be high profile defacement targets (unless they are a UC or MIT or similar), they are excellent at a multitude of other things, especially *nix based systems.
> 
> The final reality, all OS/ideological zealotry aside: a server is only as secure as the admin operating it.
> 
> If you have firm security minded rules, are up to date on patches, and have 
> sound firewall policy, nearly any platform should do you fine.
> 
> While an OS's default security policies, like OpenBSD and to a lesser extent, Debian and Slackware, can afford some level of security, you always need to maintain vigilance.
> 
> - James
> 
> Quoting Kirk Rheinlander <kirk kpj2 com>:
> 
> >  From NTBUGTRAQ, about a year ago.......does not include the approximately 
> > "1 major MS product security hole per day" data that IDC and others have 
> > been quoting....
> > 
> > How Many Vulnerabilities Per Operating System?
> > 
> > You may all be aware that much used commercial software can be like
> > Swiss cheese when you look at security vulnerabilities. Some OS-es
> > are worse than others, but what are the numbers, and which one
> > is best? Perhaps you have heard of NTBUGTRAQ. They have a database
> > that tracks holes and this gives a good indication. Here goes, and
> > you'll be surprised.
> > 
> > - Commercial Unix : 271 (AIX, IRIX, Solaris, HP-UX and BSD/OS)
> > - Linux : 147 (aggregate)
> > - Windows NT/2000 : 146 (This is NT and IE together)
> > - Windows 3.1/9x : 61
> > - FreeBSD, OpenBSD: 42
> > - MAC OS : 6
> > - Novell Netware : 5
> > 
> > However, the big deal with OpenSource is that you can find and apply 
> > patches to the source, or even fix it yourself, and a huge community is 
> > working to fix these things as soon as they are identified.
> > 
> > Micro$oft places you at the mercy of
> > 1)is it important to M$? and
> > 2) when M$ gets around to fixing it
> > 3) we own the code, we do it our way, and if you don't like it, use 
> > something else.
> > 4) it's not a problem, it's a feature....
> 
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>

