
Security of Linux vs. Windows



Well, security is difficult to compare. It depends on what version you use, and if you compare the default installation or a hardened system, etc.

Sometimes security limits what the user can do, and interferes with ease-of-use and productivity. It depends what you want to be able to do with the operating system.

A minimalist operating system without a network stack is probably very secure. :cake:

It can vary greatly depending on which Linux distribution you use. Actually there is a Linux distribution named "**** Vulnerable Linux"; it's actually intended to be as insecure as possible, in order for the user to learn how to secure it. It's not meant to be used though, it's meant to be for learning.

Some of the most secure operating systems probably include the XTS-400 developed by defense contractor BAE Systems; it is the only general-purpose operating system with a Common Criteria assurance level rating of EAL5 or above.

OpenBSD which is a BSD Unix system with a strong focus on security. Only two remote holes in the default install, in more than 10 years.

And some Linux distribution with the SE-Linux kernel-patch by the NSA.

Edited by Synapse
Split 14 posts from "Most Secure OS" for getting Offtopic. http://www.lunarsoft.net/forum/index.php?showtopic=2041
Link to comment

Of those, I like OpenBSD the best for general and server use. I agree with your comments about balancing security with usability, and feel that OpenBSD does a great job of finding that balance while remaining open source, standing on principle, and including strong crypto.

Link to comment

sometimes i really wonder how "secure" Linux and Macs are.

Tarun is indeed right though, with Windows being pretty much 95% of the world's desktop computers, why would you bother "hacking" anything besides Windows.

Linux people hack windows to show how "vulnerable" Windows is.... (or to inflate their ego..., sorry but if i'm gonna steal "sensitive data" from ya, you'll know when ya wake up and don't have a hard drive or computer anymore.)

Mac people don't care, and just live off in their little bubble of 2% of the world that uses Macs for more than just an iPod. who also enjoy the propaganda..... err...... "Mac" ads..

Windows people, don't give a crap to hack Linux or Macs but sit back and enjoy their gaming, pr0n browsing, or reading email.

I've been using Windows since 3.1, putting me around 14 years of Windows Experience.... I've been "hacked"..... 0 times. I've had my share of Viruses, and Malware, sure... but why? 3 words.... 1. Norton 2. Internet Explorer 3. Dial-up (no software firewall or router).

so to base a secure OS off of a default installation is retarded, why?

1. Internet Explorer... Linux Comes with Firefox, and Mac comes with what Safari?..

2. Remote or Local?

Remote - hope ya love my Firewall, and Router.

Local - If you're local and want my data bad enough just take the comp, or i'll lock it up tighter than a nun's bum by not running any internet/lan based services, not letting you touch my computer, and disabling stupid services that "could" pose problems such as UPnP, NetMeeting Remote Desktop Sharing, Remote Registry Service, etc..... along with passwording my bios, putting a padlock around it, putting it into a steel plated vault... but unlike Linux users, i like to be able to use my computer freely.

check exploit videos, read past exploits... what's the main thing in common? "Internet Explorer".. if Microsoft scrapped IE and put Firefox on as Default, there would be a lot of lonely hackers out there.

but what am i saying, it's the user behind the comp that determines how secure an OS is..

Link to comment

On Windows systems, it is very very common to run with full privileges on a superuser account like Administrator.

In other operating systems such as Linux and Mac OS X, this is very uncommon.

that's pretty stupid "protection".., put the right person at the back of a limited account linux/Mac box and they'll type in the password as many times as needed. it's the same with if you've ever put a Software Firewall on a Family or Friends comp.... we would know that "subsevenserver.exe" or "fndosifnsdofn.exe" shouldn't have access to the internet... what would people without knowledge do? "always accept this application".

Windows can be Secure, Linux/Mac just comes like that normally. and it doesn't help when 90% of the desktop systems are Windows, cause a good 80% of the world are morons anyways.

Link to comment

That's just about put it in a nutshell.....

Windows can be Secure, Linux/Mac just comes like that normally. and it doesn't help when 90% of the desktop systems are Windows, cause a good 80% of the world are morons anyways

It partially is a system/OS fault but the main problem with any, and that means any, security system is the people using that system. There will always be someone who gets past the system, because they either want to (hackers) or just plain lazy (80% of PC users, of any OS).

Folks keep blaming the system/OS, however...... how many of these systems/OS write themselves? It's the people making them that can be blamed to a degree, especially if it's sloppy work, but you have to keep in mind that even though you think you've covered everything, someone else will come up with something (and it's usually simple) that you'd not considered.

As Eldmannen pointed out, there are some very secure systems out there, but I guarantee you, that someone with the right inclination, time and money could get in. About the only system (in this case code) that no-one was able to beat was by using the 'Windtalkers' in WWII (native Navajo language), but putting this into perspective, it was only a short term solution, eventually someone would have 'broken' it.

JMTs

Cheers :cake:

Link to comment

put the right person at the back of a limited account linux/Mac box and they'll type in the password as many times as needed.

Brute force cracking a password by hand?

Good luck, with a decent password, it will take them a million years...

Link to comment

put the right person at the back of a limited account linux/Mac box and they'll type in the password as many times as needed.

Brute force cracking a password by hand?

Good luck, with a decent password, it will take them a million years...

no not brute forcing... that would take as you said, a million years.

i'll give ya an example of what i mean though.

tell a linux person that doesn't know better to enter: "rm -rf /" (DO NOT enter that if anyone here is wondering what it does, it'll delete everything on /)

now.... even if it asks for a password, or i make an app/script that calls that command on linux, someone that doesn't know what that command is WILL type the password..

sure, a locked down linux box in a corporate environment would say that "User873" doesn't have access to that.... but a little social hacking can change that.

the biggest security hole in a network is the users on it.

95% of common users use passwords like "password", a pet name, a last name, or something similar.

Funny, but probably true! :cake:

yeap.

http://www.everything2.com/index.pl?node_i...stnode_id=18557

9th grade keyboarding teacher's password..... "teacher" (retrieved using a keylogger from subseven or bo2k.. can't remember which)

10th grade computer lab password "rose" (cracked using a dictionary attack on the PWL file in ~5 seconds)

11th grade computer applications password... "password" (retrieved by a friend of mine that watched the teacher type it.)

12th grade networking class password.... "monkey" (cracked by watching him** type the password after using some social hacking.)

(**who was also a linux fan boy that almost cost me my graduation as i told him to stick the linux penguin up his a** after i failed a linux test... and almost failed half a year of that class because i refused to learn linux. and was never mentioned in the class description of "Windows TCP/IP networking fundamentals"..)

Link to comment

Well, dumb users are always a problem, and I guess they need to be taught, else there are people who pick dumb passwords such as "password", or write on big yellow post-it notes "My password: hellokitty" and stick it to their computer monitor. :cake:

As far as I know, the Windows TCP/IP network stack is derived from BSD. Learning networking and TCP/IP on a Unix-like system makes sense, since networking and the Internet were born on Unix; that's where they originated. In the past, Windows didn't have such good network functionality, it didn't support things such as raw sockets, however this changed with Windows XP, which included raw socket functionality. You can learn TCP/IP by programming, using a packet sniffer, setting up a firewall (such as iptables), configuring a router, studying common protocols such as TCP, UDP, ICMP, IGMP, and the classic OSI model, reading Wikipedia articles, etc.

Link to comment

Well, dumb users are always a problem, and I guess they need to be taught, else there are people who pick dumb passwords such as "password", or write on big yellow post-it notes "My password: hellokitty" and stick it to their computer monitor. :cake:

As far as I know, the Windows TCP/IP network stack is derived from BSD. Learning networking and TCP/IP on a Unix-like system makes sense, since networking and the Internet were born on Unix; that's where they originated. In the past, Windows didn't have such good network functionality, it didn't support things such as raw sockets, however this changed with Windows XP, which included raw socket functionality. You can learn TCP/IP by programming, using a packet sniffer, setting up a firewall (such as iptables), configuring a router, studying common protocols such as TCP, UDP, ICMP, IGMP, and the classic OSI model, reading Wikipedia articles, etc.

that's what i was trying to point out the entire thread, ANY OS is only as secure as the people using them. Social Hacking can get "root" access or administrative rights. A good read on this would be Kevin Mitnick's "Art of Deception".

Derived from BSD? please find me factual proof of this. I don't want some moron's blog, or some forum topic, or wikipedia, or some Linux Fanboy website like "linuxisgodeverythingintheworldcomesfromlinux.com"... i mean factual proof.

Born on Unix or Born on a napkin in some coffee shop makes no difference, I chose to learn Windows networking on.... *gasp* a WINDOWS box...

oh, and i do understand TCP/IP, I've done internet/network based programming, used a packet sniffer many many times (even made my own), set up my own firewall (don't give a crap about your iptables, probably have to manually configure it in a texteditor.. have fun with that.), configured a dozen routers, studied TCP and UDP and ICMP, and i know the OSI model. so yes, i know TCP/IP.

Link to comment

If you studied networking, then you know it's pretty similar across systems since the protocols follow RFC and standards. Though, implementations, APIs and some applications can vary a bit.

If you've done network programming, then you know you call stuff like connect() the same way you do WSAConnect(), and then it compiles on Windows, Linux, Mac, BSD, Solaris, etc. I've done network programming in several different languages on several different operating systems, and used advanced functions such as raw sockets, ioctlsocket(), promiscuous mode, etc.

Yes, iptables (and ipf, ipfw, ipfilter) allows you to write the rules by hand, which gives enormous flexibility and control, and allows you to learn much more than using a toy firewall with an "on" and "off" button.

Link to comment

If you studied networking, then you know it's pretty similar across systems since the protocols follow RFC and standards. Though, implementations, APIs and some applications can vary a bit.

If you've done network programming, then you know you call stuff like connect() the same way you do WSAConnect(), and then it compiles on Windows, Linux, Mac, BSD, Solaris, etc. I've done network programming in several different languages on several different operating systems, and used advanced functions such as raw sockets, ioctlsocket(), promiscuous mode, etc.

Yes, iptables (and ipf, ipfw, ipfilter) allows you to write the rules by hand, which gives enormous flexibility and control, and allows you to learn much more than using a toy firewall with an "on" and "off" button.

yea, protocols have to follow RFC and IEEE standards to maintain cross platform communication, without that I probably wouldn't even be able to connect to a linux based router such as the Linksys WRT54G. Since i wasn't sure if you meant how the packet structure or the actual Windows API i stopped early in my last post.

but as for APIs, even though they follow the same layout doesn't mean that the windows API for the network stack is derived from unix/linux, it could be just to make it easier on programmers, which i think it's meant to be.

==Linux==

int connect(int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen);

==Windows==

int connect(SOCKET s, const struct sockaddr* name, int namelen);

int WSAConnect(SOCKET s, const struct sockaddr* name, int namelen, LPWSABUF lpCallerData, LPWSABUF lpCalleeData, LPQOS lpSQOS, LPQOS lpGQOS);

some differences, main note is the number of parameters in WSAConnect, plus if i remember right, also would need to enter some WSAData entries as well, though i'm quite foggy on C++ or actual WindowsAPI programming as i haven't done so in about a year now, and even then i was pretty nubbish in the language..

Instead, i write more in delphi using OOP controls such as the Indy Controls that come with Delphi... but only because i like languages that are made in english and easier to understand.

Hmm, maybe it's the non linux guy inside of me that's saying this, but pressing "always block this program" and hitting Ok is a lot easier than.. typing up rules in whatever text editor linux uses, and accidentally screwing up the rule by mistyping one area, that may go undetected for days, if not months.

oh... also not a good sign when you do a search for the name of it, and the whole first page of google is nothing but tutorials and how to's...

http://www.google.com/search?hl=en&q=iptables

then again in the windows world, if you search for a firewall you either get one of 2 things....

where to buy: http://www.google.com/search?hl=en&q=outpost

or

reviews: http://www.google.com/search?hl=en&q=comodo+firewall

guess its the whole having to read 15 sites on how to even use the firewall is a bit much..

Link to comment

Yeah, you need to call WSAData once, to get it all initialized.

I like programs in English too, even though English is not my native language.

You can use whatever text editor you want, to write the rules. Or you could just use a program or script, that sets it up all for you, just like an average Windows firewall, if you don't like the complexity of messing with rules.

Yes, you probably have to read some, if you want to write your own rules, or you could look at a set of example rules, and adapt it to your liking. Iptables checks the file for errors, but sure, of course it's possible if you write it wrong, that there is a broken rule. But after you write the rules, you can test them on some site such as GRC ShieldsUp! or something.

By writing your own rules, you can get an insight into how firewalls work, and learn some stuff about filtering and networking, it allows you to tweak the firewall as you want it, and make it as secure as you want.

It comes with a manual that covers much stuff, so you don't really have to read 15 sites. Setting up a firewall is fairly simple, but iptables does much more than that, and setting up NAT is a bit trickier.

I wrote a post about iptables on the forum, you should check it out.

Link to comment
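The API comparison in the last few posts, as an added example that is not code from the thread: the Berkeley-style connect() call compiles unchanged against Winsock and POSIX sockets, and only the handle type, the close call and the one-time Winsock start-up (WSAStartup) differ. The helper names net_init, listen_loopback and connect_loopback, and the loopback listener used as a peer, are constructed for illustration.

```c
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
typedef SOCKET sock_t;
#define CLOSESOCK closesocket
/* Winsock must be initialised once per process before any socket call. */
static int net_init(void) { WSADATA w; return WSAStartup(MAKEWORD(2, 2), &w) == 0 ? 0 : -1; }
#else /* POSIX: no equivalent of the WSAStartup() start-up call is needed */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <unistd.h>
typedef int sock_t;
#define INVALID_SOCKET (-1)
#define CLOSESOCK close
static int net_init(void) { return 0; }
#endif

/* 127.0.0.1:port; port 0 asks the OS to pick a free one at bind() time. */
static struct sockaddr_in loopback(unsigned short port) {
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    return a;
}

/* Constructed test peer: listen on loopback and report the chosen port. */
sock_t listen_loopback(unsigned short *port) {
    struct sockaddr_in a = loopback(0);
    socklen_t len = sizeof a;
    sock_t s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) return INVALID_SOCKET;
    if (bind(s, (struct sockaddr *)&a, sizeof a) != 0 || listen(s, 1) != 0 ||
        getsockname(s, (struct sockaddr *)&a, &len) != 0) { CLOSESOCK(s); return INVALID_SOCKET; }
    *port = ntohs(a.sin_port);
    return s;
}

/* The connect() call is identical on every platform; 0 = connected, -1 = failed. */
int connect_loopback(unsigned short port) {
    struct sockaddr_in a = loopback(port);
    sock_t c = socket(AF_INET, SOCK_STREAM, 0);
    int rc = c == INVALID_SOCKET ? -1 : connect(c, (struct sockaddr *)&a, sizeof a);
    if (c != INVALID_SOCKET) CLOSESOCK(c);
    return rc == 0 ? 0 : -1;
}

int main(void) { /* exit status 0 when the loopback connection succeeds */
    unsigned short port;
    return net_init() != 0 || listen_loopback(&port) == INVALID_SOCKET || connect_loopback(port) != 0;
}
```

On Windows the same file builds when linked against ws2_32; everything below the `#endif` is shared between the two platforms.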