Is Windows really less secure?

Really? How many people have ACTUALLY looked at the deep, nitty-gritty bits of the Linux kernel? I know quite a few computer-savvy people who do regular Linux development work and have even peeked into the more popular bits of the kernel once in a while. But none of them are looking at any of the bits of the kernel not directly related to their app dev work, and certainly none of them are looking at the kernel with a security perspective in mind. I would wager that the actual code coverage of the kernel is a lot sparser than most people think.

Casual scanning of source is not enough to pick out subtle security flaws.

If you were in a position to say when Microsoft started “giving serious thought to security”, I would think you’d also be in a position to know that there’s no such thing as SP2 for Windows Server 2003.

Another problem with MS and security is that they basically ignored it for a long time. They would put out patches when holes were found and exploited but security was not a major focus. IIRC MS started the Trustworthy Computing initiative a couple years ago with the focus on making their stuff more secure. I seem to recall that they even stopped development for a while and did a security review of their code.

MS is getting better. Historically it seems to me that it always takes MS about three times to get things right. Once they get it right their products are pretty good, not great but not horrid either. If MS keeps focused on security they will get it right sooner or later. But they still need to get better (#1).

You can lock a Windows box down pretty tight but you have to know what you are doing.

Slee

#1. If I have physical access to a MS box I can break into it in about 5 minutes. This particular problem might have been fixed with SP2 but I am not sure about that. If it is on a network it’ll take a lot longer but I will get in.

Oops, I meant SP1

I’m sure it’s a small percentage of the number of Linux users; less than 1%. Even so, that could easily be 20,000 people. I seriously doubt Microsoft has even 1/4 that many employees working on the Windows kernel alone.

http://counter.li.org/estimates.php - estimated number of Linux users

It’s difficult to say just how secure the various unices are, since (as has been pointed out), they’re not as big a target for attacks. But it’s certain that Microsoft security is bad. I’ve seen an awful lot of Microsoft security holes, including many of the “Arbitrary user can run arbitrary code without any authorization” type. A system with even one such vulnerability cannot by any stretch of definitions be considered remotely close to secure.

Now, maybe Unix (or some flavor of Unix) has such a vulnerability, too, but if so, it’s never been found.

Now that’s a bold statement. The whole concept of a “rootkit” (which provides a way for an arbitrary user to run arbitrary code without authorization) was invented on unix, otherwise it would be called an “adminkit” or something.

Heck, there was a version of OpenSSH released a year or so ago that had a flaw that authorized root access if you simply left the password blank.

You may argue that those exploits are not in the kernel itself, but the same distinction goes for windows.

Unix systems do tend to be more secure, but it’s also a function of how they’re set up. People setting up a unix box tend to know that “disable all network services you’re not using, just in case one has a security hole” is a good practice, so the boxes end up locked down much better.

Don’t lose track of a point made earlier. Under Windows, you almost have to be an admin. I’m pretty good with computers, but I never figured out how to get Outlook to let my kids and wife see mail from their account, while I could see theirs and mine - without making them admin. They can’t play most games without being admin. (Setting up Runas should be possible, but weird things happen.) Under Linux, it is a piece of cake, no one is admin, except for root, and I never go online as root.

The other issue is the kind of security patches. My Suse Linux requires patches, but invariably the security warning is something like “blah blah blah and print something”. Whereas with Windows it is “blah blah blah and take over the computer.”

Linux is a very modular design, even if it isn’t technically a microkernel. You can, for example, load and unload device drivers without rebooting the system: there is an API they hook into, and they aren’t really a part of the kernel proper, they just get closer to it than applications do. Even within the kernel there are various components that are largely separable from each other. This is a big deal when it comes to security. (Look for lsmod, insmod, and modprobe, which should exist on all modern Linux systems.)

Security is about minimizing complexity. The way computer people minimize complexity is to put an interface on top: They develop a mental model of how it should interact with the world and how the world should interact with it, and they implement that with code. No code outside the module touches anything beyond the interface. This is easier to understand and easier to fix when something goes wrong, either inside or outside the module.

Plus, interfaces can limit what damage you can do. If the interface doesn’t allow you to format the hard drive, no code written to talk to that interface can format the hard drive. This is perhaps less relevant if the code is running in kernelspace, but it’s still an important part in managing complexity and, therefore, boosting security.

Perhaps the most important evidence of how modular the kernel is is how many different architectures it runs on now, and how common it is for Linux to be ported to new systems. Porting doesn’t require a rewrite for most hardware systems, especially if gcc already supports that platform. You need only rewrite a handful of files and headers.

Here is a visual map of a version of the Linux kernel.
An interesting article on porting Linux to a MIPS-based embedded system. It isn’t long.
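The lsmod/insmod/modprobe point above has a defensive corollary: every module that is loaded but unused is kernel code exposed for no benefit. The script below is an added example, not code from the thread or from any Linux distribution. It parses lsmod-style output (the sample text is constructed, standing in for a real `lsmod` run), works out which modules can be removed and in what order (a module is only removable once the modules that hold a reference to it are gone), and emits the matching `modprobe -r` commands plus a `blacklist` fragment for `/etc/modprobe.d/` so they stay unloaded across reboots. The names `Module`, `parse_lsmod`, `removal_plan`, `modprobe_commands` and `blacklist_conf` are this example's own.

```python
"""List loaded kernel modules that nothing is using, and how to drop them.

Added example, not part of the original thread. The `Used by` column of
lsmod names the modules that depend on this one; a use count larger than
that list means something outside the module table (a mount, a socket)
holds the module and it must stay.
"""
from dataclasses import dataclass, field

# Constructed lsmod output in its real three-column layout:
# name, size in bytes, use count, optional comma-separated dependents.
SAMPLE_LSMOD = """\
Module                  Size  Used by
uas                    28672  0
usb_storage            77824  1 uas
ext4                  778240  1
mbcache                16384  1 ext4
jbd2                  131072  1 ext4
btusb                  65536  0
bluetooth             667648  1 btusb
"""


@dataclass
class Module:
    name: str
    size: int
    used: int
    used_by: list = field(default_factory=list)  # modules depending on this one


def parse_lsmod(text: str) -> dict:
    """Return {name: Module} from lsmod-style text, skipping the header line."""
    modules = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        name, size, used = parts[0], int(parts[1]), int(parts[2])
        deps = parts[3].split(",") if len(parts) > 3 else []
        modules[name] = Module(name, size, used, [d for d in deps if d])
    return modules


def removal_plan(modules: dict) -> list:
    """Ordered list of modules whose every reference comes from other
    removable modules. Iterates until no further module becomes free,
    so a leaf (uas) is listed before the module it holds (usb_storage)."""
    plan, removed = [], set()
    changed = True
    while changed:
        changed = False
        for m in modules.values():
            if m.name in removed:
                continue
            # references still outstanding once planned removals are gone
            remaining = m.used - sum(1 for d in m.used_by if d in removed)
            if remaining == 0:
                plan.append(m.name)
                removed.add(m.name)
                changed = True
    return plan


def modprobe_commands(plan: list) -> list:
    """`modprobe -r` lines in the order they must be run."""
    return [f"modprobe -r {name}" for name in plan]


def blacklist_conf(plan: list) -> str:
    """Contents for a file under /etc/modprobe.d/ keeping the modules unloaded."""
    return "".join(f"blacklist {name}\n" for name in plan)


if __name__ == "__main__":
    mods = parse_lsmod(SAMPLE_LSMOD)
    plan = removal_plan(mods)
    print("\n".join(modprobe_commands(plan)))
    print(blacklist_conf(plan), end="")
```

On the constructed sample, ext4, mbcache and jbd2 are left alone: ext4's single reference comes from a mounted filesystem rather than from another module, and the two helpers are held by ext4. Whether a storage or Bluetooth module is genuinely unneeded on a given box is a judgement the script cannot make; it only shows what the kernel would let you unload.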

The core OS in MacOS X is an open-source variation of UNIX, called BSD UNIX. As with Linux, thousands of eyeballs have looked at it and nitpicked the vulnerabilities to pieces.

Then throw in UNIX’s Primus-knows-how-many-years of development and use, and you’ve got yourself a very secure system.

Then throw in the fact that MacOS X ships by default with most vulnerabilities turned off (no root account enabled, no servers activated), and you’ve got one tight-ass mo’fo. The only security goof with MacOS X right now is that it doesn’t ship with the firewall turned on by default, but since all services are turned off by default, it’s not much of a concern.

Much better than Microsoft Windows. :slight_smile: Note that the current number of active MacOS X viruses/trojans/exploits is still zero after all these years.

As others have noted, Windows is more vulnerable not because it ships with things that make things friendly for the user, but because it ships with things that make things easier for Microsoft – backwards compatibility with legacy software, remote access for customer support, mining of customer information, etc.

There is no reason why a system can’t be both secure and user-friendly; it’s simply a matter of careful design and planning.

Yes, if you had access to the machine, you could use a *nix boot disk and change the administrator password. I’ve done it many times myself for old clients.

Likewise, I could use a similar method to boot into linux, add a user root2, and change the root password.

The first step in any OS security is physical. You don’t let unauthorized users gain physical access to your box. A low-level password (ie: BIOS) wouldn’t hurt either, and would protect any OS equally. It might, however, make it difficult to remotely reboot the system, depending on your method of remote connectivity.

My impression (as a fairly experienced and competent Windows user/administrator and a relative, but not entirely uninformed, newbie to Linux) is that the security/access models in Windows and Linux seem to attack the problem from opposite directions:

By default, Windows seems to be fairly open for file and system access - the security protocols are like extra layers of protection around the system and its files - if one or more of these layers fails, the tendency is for the machine to be more vulnerable.

In contrast, *nix seems by default to be highly suspicious of all activity - everyone is guilty (and therefore shut out) unless they can prove their innocence and good intentions; instead of layers of protection, there are channels of enablement that create specific modes of access to specific resources - if one of these fails, the tendency is for the system to become more secure (that is, less accessible) - perhaps to the extent of not working at all.

…that’s my general impression, anyway, and of course none of this might apply to vulnerabilities that are part and parcel of cock-ups in the kernel etc.
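The "layers of protection around an open core" versus "channels of enablement around a closed core" contrast in the post above is the fail-open/fail-closed distinction, and it can be shown in a few lines. The code below is an added example, not from the thread; the users, the file ACL and the `CheckFailed` error (standing in for a check whose backend is down) are all constructed. `default_allow` wraps denial layers around an open core, `default_deny` requires an explicit grant from a channel, and each is run with a healthy check and with a broken one so the opposite failure directions are visible. The `skip_broken` flag on `default_allow` shows the usual repair: treat a layer that cannot run as a denial.

```python
"""Fail-open versus fail-closed access decisions (added example).

A check takes (user, resource) and returns True/False, or raises
CheckFailed when it cannot run at all. Everything here is constructed.
"""
from typing import Callable, Iterable

Check = Callable[[str, str], bool]


class CheckFailed(Exception):
    """The check's backend is unavailable; no verdict could be produced."""


# Constructed ACL: which users may read which file.
ACL = {"payroll.xls": {"alice"}, "notes.txt": {"alice", "bob"}}


def acl_layer(user: str, resource: str) -> bool:
    """Denial layer: objects only when the file is listed and the user is not.
    An unlisted file is open, which is what makes this a layer around an open core."""
    return resource not in ACL or user in ACL[resource]


def not_guest_layer(user: str, resource: str) -> bool:
    """A second layer: the guest account is never let through."""
    return user != "guest"


def acl_channel(user: str, resource: str) -> bool:
    """Enabling channel: grants only when the user is explicitly listed."""
    return user in ACL.get(resource, set())


def broken_check(user: str, resource: str) -> bool:
    """A layer or channel whose directory service is down."""
    raise CheckFailed("directory service unreachable")


def default_allow(user: str, resource: str, layers: Iterable[Check],
                  skip_broken: bool = True) -> bool:
    """Open core: allowed unless some layer says no.
    With skip_broken=True a layer that cannot run is ignored, so a broken
    layer widens access (fail open). With skip_broken=False it counts as a
    denial (fail closed)."""
    for layer in layers:
        try:
            if not layer(user, resource):
                return False
        except CheckFailed:
            if skip_broken:
                continue
            return False
    return True


def default_deny(user: str, resource: str, channels: Iterable[Check]) -> bool:
    """Closed core: denied unless some channel explicitly grants.
    A channel that cannot run grants nothing, so breakage only narrows access."""
    for channel in channels:
        try:
            if channel(user, resource):
                return True
        except CheckFailed:
            continue
    return False


if __name__ == "__main__":
    for healthy in (True, False):
        layer = acl_layer if healthy else broken_check
        channel = acl_channel if healthy else broken_check
        print(f"ACL backend {'healthy' if healthy else 'broken'}:")
        print("  layers, bob -> payroll.xls:", default_allow("bob", "payroll.xls", [layer]))
        print("  channels, alice -> payroll.xls:", default_deny("alice", "payroll.xls", [channel]))
```

With the ACL healthy both designs give the same answers. When the ACL check breaks, the layered design lets bob read payroll.xls while the channel design locks even alice out, which is the "less accessible, perhaps not working at all" outcome the post describes. Passing `skip_broken=False` makes the layered design fail closed as well; the cost, as the post notes, is availability.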

Unpatched systems are not always caused by apathy or laziness. In many cases, the admins have the patch and are eager to install it, but they will not do so until it has been properly vetted. There have been cases where the service packs and patches caused problems in other software and brought down a system. If you’re administering production webservers, it is “safer” from an uptime standpoint to leave the server unpatched and risk an attack rather than install an untested patch and leave the system completely unusable (and unrepairable since many patches can’t be rolled back). It takes time to test patches on development systems and guarantee that they won’t cause problems on production servers.

No, this doesn’t explain all the unpatched systems. Yes, laziness, apathy and stupidity account for most of them. But at the other extreme, you have the very best administrators running unpatched systems because the patch can’t be trusted (yet). Better to let all those admins in between the two extremes install the patches by reflex and see if they go down.

Apparently, it doesn’t matter what MS does to make Windows more secure. Nobody installs the patches: