Sorry about my prior message that was sent by accident.

There was a thread on OS News about this mi2g research too:
http://www.osnews.com/story.php?news_id=6098

My contribution to the thread was:

-begin-
I just want to second Justin's comments. I'm not a security expert AND I didn't read the original report but without knowing what daemons/services were running on these boxes it's pretty damn hard to compare apples to apples. i.e. Were the Linux boxes running wu-ftpd?

For non-production workstations/servers simply using tools like nmap/Nessus and applying patches regularly should tighten your system enough without adversely affecting features and/or ease of use.

Cheers
-end-

I agree with Aaron... the report is rubbish.

Cheers

Message: 6
Date: Mon, 23 Feb 2004 09:17:54 -0700
From: "Aaron J. Seigo" <[EMAIL PROTECTED]>
Subject: Re: [clug-talk] Most vulnerable OS's
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: Text/Plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On February 23, 2004 08:44, Jason Van Dellen wrote:


The results were surprising to me, what do you think?

http://slashdot.org/article.pl?sid=04/02/21/142239&mode=thread



surprising unless you think about it for about 2 seconds.


first off, the mi2g's "research" is flawed, as has been pointed out how many times in the past in various places? here's the cheat sheet:

o they don't discuss methodology, including what their sample set was. this makes accurately interpreting their numbers impossible.

o they dismiss automated attacks, as if those don't count. trust me, they do.

o they don't define the type of "breaches" counted, what software was affected, where the systems existed (profile is often important, especially in non-automated attacks), etc... look at the recent wave of phpNuke attacks. would those count as breaches? are they really Linux breaches? or is that an OS agnostic attack that just happens to land most often on a Linux box due to deployment? is this an indictment of PHP and/or PHPNuke, which runs on Windows just as handily?

basically, this report is, IMHO, rubbish. i don't know what mi2g's angle is, but then if their website were actually working perhaps i'd be able to find out. =P

but they are correct about one thing: Linux adoption is rising fast. the number of users with security knowledge is being diluted. help newbies install software securely (regardless of the OS) and encourage automated software updates. help ensure a secure network in your area for everyone. the Linux distros are doing their part by not installing and starting every daemon under the sun ala 1999, but there's still a part to be played by us the users.


- -- Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
while (!horse()); cart();
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)


iD8DBQFAOiez1rcusafx20MRAvk6AJ0YVd6coAkjLGaRxZuDP+vWAI/5ZwCbB2B/
mfORN4LPJozHqUPn5N/EIJY=
=nNhb
-----END PGP SIGNATURE-----

