[nfbcs] security, linux vs Windows

Littlefield, Tyler via nfbcs nfbcs at nfbnet.org
Thu May 22 19:37:27 UTC 2014


I'm going to reply to your points inline because it makes them easier to 
address.
On 5/22/2014 3:03 PM, John Heim via nfbcs wrote:
> Tyler, you can't just dismiss the point about most viruses being 
> written for Windows. You say you don't believe that matters? Why the 
> heck not? As a practical point, it would make sense for someone to 
> switch to linux just to avoid the vast majority of viruses.
>
It certainly would make sense to switch if your only issue is not 
getting viruses. For what it's worth, running on Windows, if you keep 
some common sense about you, you're not going to get a ton of viruses 
anyway. If the only requirement is that you are running on a system with 
a lower market share and thus fewer viruses, then more power to you. 
People used to say that about OSX too, until there were a few viruses 
out and about. The fact that there are more viruses for Windows isn't a 
testament to the ease of writing for either platform, just the higher 
market share. While still far behind, Ubuntu and OSX are closing the 
gap, so this may not be the point for much longer.


> Your point about Windows coming with a firewall is a fairly minor point. 
> First of all, "easier to make secure" and "more secure" aren't the 
> same thing. Secondly, just having a firewall at installation isn't 
> enough to make Windows easier to secure than linux. Installing a 
> firewall isn't the hard part, configuring it is. It takes about 2 
> seconds to install a firewall and that alone isn't a significant 
> difference. It's like saying a Ford is a better car than a Rolls Royce 
> because it's easier to change the tires. Well, that may be a point in 
> favor of Ford but not a significant one.
>
Fair enough. My point was if a system built for the typical end-user is 
already protected, whether or not the protection is more open than you 
or I would like, it still says a lot for the deployment of that system 
and its security out of the box. Most distros (Debian and Ubuntu for 
example, as I've already pointed out) come with services running that 
don't need to be by default and no default block input policy. Obviously 
this doesn't make one more secure than another, but a user needs to know 
to disable those, or bind them to loopback or even just protect them 
with iptables.

> Open source software has, over all, been far less vulnerable to 
> exploits than proprietary. Apache is far more secure than IIS, for 
> example. In fact, unlike some of the exploits that were discovered 
> in Windows systems, including all the third party software for 
> Windows, the damage done by that openssl exploit was trivial. It was a 
> pain for all of us to have to change our passwords but very little 
> actual damage was done. Equivalent exploits in Windows programs have 
> caused far more damage. In a way, this is the flip side of the point 
> about viruses. The reason the openssl bug was so important was that 
> openssl is used everywhere. If so many servers weren't running linux, 
> it wouldn't have mattered so much. It's amazing how little damage was 
> done and that's because the good guys discovered it before the bad 
> guys. And the only reason they were able to do that is because it's 
> open source.
>
Where exactly are you getting your metrics about what damage was done 
with the OpenSSL bug and the fact that open source software has been 
less vulnerable than proprietary software? The Heartbleed bug allowed an 
attacker to read ~64K data; it was already shown that passwords could be 
retrieved. Given that this existed for 2 years, nothing says that the 
bad guys didn't get it or even make use of it. There are a lot of 
problems with this specific bug: all certificates needed to be revoked 
and reissued, after which point all passwords had to be reset so that 
any compromised passwords would not work anymore. This led to another 
issue in that a lot of end-users tend to use a select few passwords; one 
user's email password (which could've been compromised via this bug) 
would probably work for social networking sites, etc etc. Finally, there 
are currently a lot of revocation issues that are being drawn into the 
light [1]. The key point here is that a lot of browsers are still 
vulnerable to MITM attacks as a result of faulty handling of certificate 
revocations. You also mentioned that Apache is "far more secure than 
IIS." I'm particularly curious where you get these metrics, because [2] 
suggests that there are still a lot of problems with Apache, as with any 
software.

Finally, you mentioned that the OpenSSL exploits were in some sense a 
testament to the wide use of Linux. It is not just Linux that uses this 
library; many applications on Windows make use of it; for example, the 
heartbleed bug had a lot of far-reaching implications for TOR, both 
server and client, as well as messenger clients, IRC etc etc.

[1]: http://news.netcraft.com/archives/2014/04/11/heartbleed-certificate-revocation-tsunami-yet-to-arrive.html
[2]: http://httpd.apache.org/security/vulnerabilities_22.html
> On 05/22/14 11:49, Littlefield, Tyler via nfbcs wrote:
>> Hello:
>> My experiences come from watching the Vinux list a while back, though 
>> this may just be the point of view of some of the more radical vinux 
>> folks. I know a lot of people switch for various reasons, but for a 
>> long time, at least in the Vinux world a lot of people were switching 
>> over for some vague hope of higher security. This actually brings up 
>> a fun topic though, so I'm going to run with it, because I'm really 
>> curious what other people's thoughts are.
>>
>> I do not believe it really depends on how many viruses are written 
>> for what OS when you talk about security in general. My view of 
>> security is a system that is provided to the end-user with a very 
>> minimal attack surface. Obviously the only way to truly avoid that 
>> attack surface is to just unplug the system in question. So, let's 
>> look at this scenario. Many unix systems come with nothing at all 
>> enabled, which is great. Others come with stuff like Portmap for RPC, 
>> NFS, etc. already enabled. Windows also comes with services enabled.
>>
>> The bonus points I'll give to Windows is they have a firewall, with a 
>> default slightly restrictive policy enabled that helps with some of 
>> these issues, whereas any installation of Ubuntu or even Debian does 
>> not have a default iptables ruleset to prevent access to these attack 
>> vectors.
>>
>> Finally, Windows has pretty much kept up in terms of technologies 
>> like ASLR, etc. It might be easier to say that one system is by 
>> default more secure than another, but in this case I think it is 
>> -really- important to specify which Linux or even Unix derivative we 
>> are speaking of here. I also believe that with work, any system can 
>> be secured; out of the box security is hardly a viable option for 
>> end-user systems.
>>
>> Finally, I want to touch on the open source comment you gave, because 
>> I find that really interesting. I understand the ideas of open source 
>> vs closed source to a point, but I would argue that having millions 
>> of people staring at the code for a long time doesn't necessarily 
>> mean more secure code. Case in point: the most recent OpenSSL 
>> Heartbleed bug, which had apparently existed since late 2011. While I 
>> believe there is a greater chance of finding these vulnerabilities, 
>> the issue is going to be hampered by the vast amount of code that 
>> libraries like OpenSSL contain. I would also argue that having 
>> people stare at the code doesn't even mean that those people are 
>> going to be competent in terms of security. Really truly detecting 
>> security problems through a huge codebase requires people who know 
>> about security to fully audit the code, as is the current case with 
>> the OpenBSD fork of OpenSSL, as well as projects like Truecrypt, etc.
>>
>> On 5/22/2014 11:51 AM, John Heim via nfbcs wrote:
>>> I doubt the vinux or sonar developers ever put any thought into why 
>>> people might want to try linux. Why would they care if people are 
>>> trying it because they think it will help them get a job in IT or 
>>> because they think it's more secure?
>>>
>>> Your experience with people trying linux is certainly far different 
>>> from mine. I don't know anybody who has tried it because they think 
>>> it's more secure. Everybody I know who has tried it has done so 
>>> because they are already in systems admin and want to find out 
>>> about linux.
>>>
>>> PS: I kind of object to your saying linux is not a more secure 
>>> operating system as if that's an established fact. That's a huge 
>>> matter of debate. There is no denying that the vast majority of 
>>> viruses are written for Windows. I know the usual response is that 
>>> that is only because Windows is so much more popular than linux. But 
>>> then you have to get into theoretical issues about open source 
>>> versus proprietary software. I side with the open source people on 
>>> that issue too.
>>>
>>>
>>> On 05/22/14 10:21, Littlefield, Tyler via nfbcs wrote:
>>>> I don't think the goal was to aid in getting Linux-based 
>>>> employment; I think the overall goal was to provide an accessible 
>>>> distro. Generally you'll hear lots of rantings and ravings, but 
>>>> most people seemed to switch because they think linux is more 
>>>> "secure" by default with no basis for that assumption. At least 
>>>> it's generally what I hear and see advertised by all the blindness 
>>>> companies that are selling "custom" computers with Vinux installed.
>>>> On 5/22/2014 11:15 AM, Jim Barbour via nfbcs wrote:
>>>>> I will point out that this is why I'm not a fan of either distro. The
>>>>> blindness world isn't big enough to command a lot of attention. The
>>>>> attention we get should be focused on making the distros themselves
>>>>> easier for us to use. Efforts that try to fork distros, like Ubuntu
>>>>> and arch, into blindness focused ones, like vinux and sonar, do not
>>>>> really help the situation.
>>>>>
>>>>> Further, a blind person isn't going to be able to require that all
>>>>> unix machines they manage run a blindness friendly distro; so this
>>>>> definitely doesn't help blind folks get Linux related employment.
>>>>>
>>>>> Jim
>>>>>
>>>>> On Thu, May 22, 2014 at 11:02:19AM -0400, Littlefield, Tyler via 
>>>>> nfbcs wrote:
>>>>>> That's pretty much how it happened. Bill was basically project 
>>>>>> lead and took over everything with some guy from Ubuntu who was 
>>>>>> back and forth, think his name was Tony. Or maybe that was the 
>>>>>> main guy, it's been a while. Eventually he just gave it up. My 
>>>>>> biggest issue is a lot of people call it a "secure OS," including 
>>>>>> commtechusa if you care to look at that site. I was just curious 
>>>>>> what they offered. Last I looked, Vinux recommended not updating 
>>>>>> and they were on an older version of Ubuntu--both not really 
>>>>>> paths to security. The updates issue was because things would 
>>>>>> break, but that still means you're not all that secure if you 
>>>>>> ever leave your house and your personal router.
>>>>>> On 5/22/2014 9:44 AM, John Heim via nfbcs wrote:
>>>>>>> My experience as of about 1 year ago was that sonar was a way more 
>>>>>>> polished product than vinux. I've seen a lot of questions about 
>>>>>>> vinux like when is the new version coming out, why is it still 
>>>>>>> based on some old version of ubuntu. Like so many open source 
>>>>>>> projects, there was probably one person, maybe two, driving the 
>>>>>>> project and when they ran out of steam, the project slowed to a 
>>>>>>> crawl.
>>>>>>>
>>>>>>> I was so impressed with sonar that I put it on my machine at 
>>>>>>> home. And I put it on what I call my drop dead emergency machine 
>>>>>>> here at work. Sonar is that solid.
>>>>>>>
>>>>>>> The one problem I have with sonar is that they are switching 
>>>>>>> from basing their distro on ubuntu to basing it on arch linux. I 
>>>>>>> will probably drop sonar once that conversion is complete. I have 
>>>>>>> to stay with a debian fork because my job is to support debian. 
>>>>>>> What I'd really like is to have debian be so accessible that we 
>>>>>>> wouldn't need either sonar or vinux. Well, one can dream.
>>>>>>>
>>>>>>> On 05/21/14 20:05, David Andrews via nfbcs wrote:
>>>>>>>> Hi Jim et al:
>>>>>>>>
>>>>>>>> I have a Windows XP laptop that I am thinking of installing a 
>>>>>>>> Linux system on, to play and learn a little. What are 
>>>>>>>> advantages/disadvantages to Sonar versus Vinux?
>>>>>>>>
>>>>>>>> Dave
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> nfbcs mailing list
>>>>>>>> nfbcs at nfbnet.org
>>>>>>>> http://nfbnet.org/mailman/listinfo/nfbcs_nfbnet.org
>>>>>>>> To unsubscribe, change your list options or get your account 
>>>>>>>> info for
>>>>>>>> nfbcs:
>>>>>>>> http://nfbnet.org/mailman/options/nfbcs_nfbnet.org/jheim%40math.wisc.edu 
>>>>>>>>
>>>>>>>>
>>>>>> -- 
>>>>>> Take care,
>>>>>> Ty
>>>>>> http://tds-solutions.net
>>>>>> He that will not reason is a bigot; he that cannot reason is a 
>>>>>> fool; he that dares not reason is a slave.
>>>>>>
>>>>>>


-- 
Take care,
Ty
http://tds-solutions.net
He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.
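The hardening step Tyler describes above for a default Debian/Ubuntu install (find the services listening on the network, then disable them, bind them to loopback, or filter them with iptables), written out as an added script that is not part of this thread or of any distro's own tooling. The ss(8) sample output is constructed so the script runs offline, and `exposed_listeners` and `iptables_default_deny` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Debian/Ubuntu host for services
# listening beyond loopback, then print (not apply) an iptables INPUT policy
# that allows loopback and established traffic and drops everything else.
# SAMPLE_SS is constructed so the script runs offline; on a real host use:
#   ss -tulnH        (TCP+UDP, listening, numeric, no header)
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:25    0.0.0.0:*
tcp   LISTEN 0 128 [::]:22         [::]:*
udp   UNCONN 0 0   0.0.0.0:2049    0.0.0.0:*
udp   UNCONN 0 0   [::1]:323       [::]:*'

# Print "proto port address" for each socket bound to a non-loopback
# address; those are the ones reachable from the network (portmap on 111
# and NFS on 2049 in the sample are the kind of default services at issue).
exposed_listeners() {
    printf '%s\n' "$1" | awk '{
        sock = $5
        n = split(sock, f, ":")               # port is after the last ":"
        port = f[n]
        addr = substr(sock, 1, length(sock) - length(port) - 1)
        if (addr == "[::1]" || index(addr, "127.") == 1) next
        print $1, port, addr
    }'
}

# Emit a default-deny ruleset; $1 is a space-separated list of "proto:port"
# entries to keep reachable. Rules are printed for review and the DROP
# policy comes last so a remote admin session is not cut off mid-way.
iptables_default_deny() {
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for svc in $1; do
        echo "iptables -A INPUT -p ${svc%%:*} --dport ${svc#*:} -j ACCEPT"
    done
    echo 'iptables -P INPUT DROP'
}

exposed_listeners "$SAMPLE_SS"
iptables_default_deny "tcp:22"
```

Anything `exposed_listeners` reports that the host does not need to serve to the network is a candidate for stopping, binding to 127.0.0.1, or leaving out of the allow list passed to `iptables_default_deny`.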