wadada
OSNN Senior Addict
- Joined
- 5 Nov 2002
- Messages
- 707
If you're someone who enjoys a good debate, step right up. There's a discussion (well, more like a donnybrook, actually) revving up, pitting those who believe with religious fervor that Linux is intrinsically more secure that Windows against those who believe just as strongly that poor Microsoft has just gotten all the bad press and attention because of its near-monopoly on the desktop. Just wait, they say, until the hackers start going after Linux.
Given IBM's increasing emphasis on Linux — and its wider adoption and implementation on the iSeries — who's right? Inquiring minds want to know.
Standing fast as the defenders of Windows are many of the big industry analyst firms. Yankee Group's Laura DiDio argues in a recent comparison study of the total cost of ownership of Linux and Windows that, "hype not withstanding, Linux's technical merits, while first-rate, are equivalent but, for the most part, not superior to Unix and Windows Server 2003." DiDio reports that 72 percent of the respondents in her study "rated Windows reliability equal to Linux."
DiDio also predicts that as Linux's popularity grows, so will the hackers' efforts to penetrate it. Within a couple of years, she says, "companies will be spending as much time securing their Linux environments as they would have with Microsoft."
Forrester Research analyst Laura Koetzle reaches much the same conclusion. Her March 2004 report " Is Linux More Secure than Windows? " concludes that Windows and Linux (in a variety of distributions) can all be deployed securely.
Jim Hurley, security analyst for Aberdeen Group, says that despite the fundamental differences of the operating systems, both Linux and Windows are open to Internet threats.
The baseline argument for many is that expressed by Carol Woodbury, president of SkyView Partners . "Hackers tend to go for the most readily available target," she says. "The more Linux deployments, the more readily available it will be to them. It will also become a larger target as more business-critical applications and installations are available. Hackers like to get notoriety, so they will go after the targets that bring them that. Windows has been a very easy target. If hackers feel that Linux is an easier target that will give them more notoriety, you'll start to see more attacks."
It's already happening, says Chaya Bouganim of Bsafe Sofware Solution's marketing department. "Linux is already expanding fast," she says, "accompanied by an increasing number of attacks on Linux and other open-source systems."
Bouganim cites attacks reported last month against Linux servers at Stanford University. "Last year, we saw an attempt to propagate a malicious program called CAN-2003-0434," she says, "which allowed PDF files to run system commands. Fortunately, it failed in its aims, but the malicious desires of its author remain."
But not everyone agrees that a wider deployment of Linux will lead to more widespread attacks. "Windows suffers from 'ease of use' exploits," says Mark Boltz, product manager for Stonesoft . "Linux exploits are of a different nature. Windows machines tend to suffer from worms and malicious code like Sasser and Blaster that are created with a very low 'run-level knowledge requirement.' In other words, Windows has tools available for the script kiddies with little or no skills who simply click on the options they want their worm or virus to have and then release it to the world."
Boltz sees an inverse relationship between the security and the usability of a system. Since Microsoft gears its applications and operating system toward usability, it will be hit more often. Linux hackers, on the other hand, tend to exploit coding errors "such as buffer overflow attacks," Boltz says, "which require a great deal more skill to exploit."
Of course, one of the hallmarks of Linux is that the code is published openly for everyone to see. But that doesn't necessarily provide a blueprint for hackers to find a way in.
"Linux is more securable than a proprietary product because of its transparency," says Bruce Lowry, Novell's public relations director. "Creating good, secure software requires a quality engineering process. You can get this in both the open-source community and the proprietary world. The security benefit of open source lies in the value of transparency that facilitates quick identification and repair of security breaches."
Which leads to another philosophical argument: which is more secure — something that is totally open that everyone can see, or something that is closed and has to be "broken into" in order to modify. This debate is much like asking which store on Main Street is more secure at night: the one with big glass windows and all the lights on, allowing anyone from the outside to see what's going on inside, or the one with all the lights out that's locked up like a bank vault. It might be real tough to get in, but once in there, you can go about your business in peace, knowing that no passersby will easily observe you.
Mark Cox, manager of Red Hat's Security Response Team, clearly opts for the lights-on approach. "According to surveys, the Apache Web server already powers over three-quarters of all public Web sites," he says, "and we already have situations where Linux is more widely deployed than other operating systems. I don't see that this trend will cause more widespread attacks. It may cause more people to scrutinize the code looking for flaws — but in the long term, this is actually beneficial."
Boltz, as well, believes that "code review over a much broader spectrum of programmers makes it much more likely that issues from coding, like buffer overflows, will be more likely to be found and corrected. This would only be true, however, for 'core Linux,' the kernel and related code and the most popular Linux applications like GNOME, KDE, and Mozilla, where there is a larger interest in the code."
Dave Boutcher, a senior technical staff member at IBM's Linux Technical Center, believes two additional factors make Linux more secure. "First of all, unlike Windows, if you are running a Linux server as a Web server, you only install the programs you need for that application," he says. "You wouldn't install the desktop applications, for example. By having less software installed, you reduce your exposure."
Secondly, Boutcher points out that "Linux installations are much less homogeneous. With any other operating system — such as OS/400 or Windows, for example — a large number of people have exactly the same code. With Linux you have a broader range of versions. Even with the SuSE and Red Had implementations, many people make modifications that make their installations slightly different than anyone else's. This makes it much harder for a single worm to affect a large number of people."
Scott Granneman, a senior consultant for Bryan Consulting, refers to this in his article, " Linux vs. Windows Viruses ". "Linux runs on many architectures, not just Intel, and there are many versions of Linux, many packaging systems, and many shells," he writes. He goes on to say that, "in the Windows world, a virus writer knows how the monoculture operates, so he can target his virus, secure in the knowledge that millions of systems have the same vulnerability."
Granneman also attacks the design of Windows, which he believes invites danger. He points out that, "running as root (or Administrator) is common in the Windows world," and that "Windows XP ... automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. The reasons for this decision boggle the mind."
Bouganim agrees that this is a problem in Windows. However, she says that, "while it's true that Linux users are administrated by the root superuser, it is well known that cracking the superuser's ID and password opens up the system to anyone. The possibility of daemon programs enjoying superuser rights add to the vulnerability. The concern for a more secure Linux can be seen in Red Hat's Fedora project involving enhanced security features."
The Fedora project, explains Cox, is deploying new technologies that are designed to make machines look diverse and to help protect against common security flaws.
It's not likely the debate will be resolved any time soon. Only time will tell whether hackers will soon enjoy easy access to Linux. Or whether Granneman's thesis will be borne out: "To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it."
http://www.iseriesnetwork.com/
Given IBM's increasing emphasis on Linux — and its wider adoption and implementation on the iSeries — who's right? Inquiring minds want to know.
Standing fast as the defenders of Windows are many of the big industry analyst firms. Yankee Group's Laura DiDio argues in a recent comparison study of the total cost of ownership of Linux and Windows that, "hype not withstanding, Linux's technical merits, while first-rate, are equivalent but, for the most part, not superior to Unix and Windows Server 2003." DiDio reports that 72 percent of the respondents in her study "rated Windows reliability equal to Linux."
DiDio also predicts that as Linux's popularity grows, so will the hackers' efforts to penetrate it. Within a couple of years, she says, "companies will be spending as much time securing their Linux environments as they would have with Microsoft."
Forrester Research analyst Laura Koetzle reaches much the same conclusion. Her March 2004 report " Is Linux More Secure than Windows? " concludes that Windows and Linux (in a variety of distributions) can all be deployed securely.
Jim Hurley, security analyst for Aberdeen Group, says that despite the fundamental differences of the operating systems, both Linux and Windows are open to Internet threats.
The baseline argument for many is that expressed by Carol Woodbury, president of SkyView Partners . "Hackers tend to go for the most readily available target," she says. "The more Linux deployments, the more readily available it will be to them. It will also become a larger target as more business-critical applications and installations are available. Hackers like to get notoriety, so they will go after the targets that bring them that. Windows has been a very easy target. If hackers feel that Linux is an easier target that will give them more notoriety, you'll start to see more attacks."
It's already happening, says Chaya Bouganim of Bsafe Sofware Solution's marketing department. "Linux is already expanding fast," she says, "accompanied by an increasing number of attacks on Linux and other open-source systems."
Bouganim cites attacks reported last month against Linux servers at Stanford University. "Last year, we saw an attempt to propagate a malicious program called CAN-2003-0434," she says, "which allowed PDF files to run system commands. Fortunately, it failed in its aims, but the malicious desires of its author remain."
But not everyone agrees that a wider deployment of Linux will lead to more widespread attacks. "Windows suffers from 'ease of use' exploits," says Mark Boltz, product manager for Stonesoft . "Linux exploits are of a different nature. Windows machines tend to suffer from worms and malicious code like Sasser and Blaster that are created with a very low 'run-level knowledge requirement.' In other words, Windows has tools available for the script kiddies with little or no skills who simply click on the options they want their worm or virus to have and then release it to the world."
Boltz sees an inverse relationship between the security and the usability of a system. Since Microsoft gears its applications and operating system toward usability, it will be hit more often. Linux hackers, on the other hand, tend to exploit coding errors "such as buffer overflow attacks," Boltz says, "which require a great deal more skill to exploit."
Of course, one of the hallmarks of Linux is that the code is published openly for everyone to see. But that doesn't necessarily provide a blueprint for hackers to find a way in.
"Linux is more securable than a proprietary product because of its transparency," says Bruce Lowry, Novell's public relations director. "Creating good, secure software requires a quality engineering process. You can get this in both the open-source community and the proprietary world. The security benefit of open source lies in the value of transparency that facilitates quick identification and repair of security breaches."
Which leads to another philosophical argument: which is more secure — something that is totally open that everyone can see, or something that is closed and has to be "broken into" in order to modify. This debate is much like asking which store on Main Street is more secure at night: the one with big glass windows and all the lights on, allowing anyone from the outside to see what's going on inside, or the one with all the lights out that's locked up like a bank vault. It might be real tough to get in, but once in there, you can go about your business in peace, knowing that no passersby will easily observe you.
Mark Cox, manager of Red Hat's Security Response Team, clearly opts for the lights-on approach. "According to surveys, the Apache Web server already powers over three-quarters of all public Web sites," he says, "and we already have situations where Linux is more widely deployed than other operating systems. I don't see that this trend will cause more widespread attacks. It may cause more people to scrutinize the code looking for flaws — but in the long term, this is actually beneficial."
Boltz, as well, believes that "code review over a much broader spectrum of programmers makes it much more likely that issues from coding, like buffer overflows, will be more likely to be found and corrected. This would only be true, however, for 'core Linux,' the kernel and related code and the most popular Linux applications like GNOME, KDE, and Mozilla, where there is a larger interest in the code."
Dave Boutcher, a senior technical staff member at IBM's Linux Technical Center, believes two additional factors make Linux more secure. "First of all, unlike Windows, if you are running a Linux server as a Web server, you only install the programs you need for that application," he says. "You wouldn't install the desktop applications, for example. By having less software installed, you reduce your exposure."
Secondly, Boutcher points out that "Linux installations are much less homogeneous. With any other operating system — such as OS/400 or Windows, for example — a large number of people have exactly the same code. With Linux you have a broader range of versions. Even with the SuSE and Red Had implementations, many people make modifications that make their installations slightly different than anyone else's. This makes it much harder for a single worm to affect a large number of people."
Scott Granneman, a senior consultant for Bryan Consulting, refers to this in his article, " Linux vs. Windows Viruses ". "Linux runs on many architectures, not just Intel, and there are many versions of Linux, many packaging systems, and many shells," he writes. He goes on to say that, "in the Windows world, a virus writer knows how the monoculture operates, so he can target his virus, secure in the knowledge that millions of systems have the same vulnerability."
Granneman also attacks the design of Windows, which he believes invites danger. He points out that, "running as root (or Administrator) is common in the Windows world," and that "Windows XP ... automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. The reasons for this decision boggle the mind."
Bouganim agrees that this is a problem in Windows. However, she says that, "while it's true that Linux users are administrated by the root superuser, it is well known that cracking the superuser's ID and password opens up the system to anyone. The possibility of daemon programs enjoying superuser rights add to the vulnerability. The concern for a more secure Linux can be seen in Red Hat's Fedora project involving enhanced security features."
The Fedora project, explains Cox, is deploying new technologies that are designed to make machines look diverse and to help protect against common security flaws.
It's not likely the debate will be resolved any time soon. Only time will tell whether hackers will soon enjoy easy access to Linux. Or whether Granneman's thesis will be borne out: "To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it."
http://www.iseriesnetwork.com/
