These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Myths Of Unix Security


One of the most common misconceptions about Unix systems is that they are inherently more secure than non-Unix systems. In particular, you will often hear that Linux is inherently more secure than Windows. This is not precisely true.

In a recent [article], Newsfactor pointed out that, according to official bugfixes released by their respective companies, Red Hat Linux 7.2 has had more bugfixes than Microsoft's XP Pro (158 to 27). Does this mean that Linux is more insecure than Windows? Let's examine the facts:

  • Linux (and many Unixes, but not all) is Open Source, meaning that the source code is freely available to whoever wants it and that people can modify and redistribute the code. This means that instead of a small subset of people auditing the code for bugs and holes, you get a very large number of eyes scanning for problems.

  • Known problems in Linux (and most Unix) environments typically get solved within hours of their general discovery, whereas known problems in Windows often take months or even years before a fix is released. (Take for example the "Netscape engineers are weenies" backdoor in Microsoft IIS that was exposed in 1997 and wasn't fixed until 2002!)

  • Let's not forget that Red Hat 7.2 is a) not necessarily representative of all Linux distributions and b) over two generations old.

Another article, at the Globe and Mail ([here]), claims that:

During August [2003], 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent.

Myths of Linux Security

The biggest problem with base installs of most Linux distributions is that they come with entirely too many features and services turned on. In this day when it is extremely easy to sniff packets, it is simply unacceptable from a security standpoint to have any semi-critical service that uses plain-text authentication. And yet, many such services come enabled by default on most Linux (and other Unix) systems.
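As an added example (not part of the original notes), the shell function below audits an inetd.conf-style file for enabled services that authenticate in plain text. The inetd.conf format, the service list and the sample file are assumptions made for illustration; systems that use xinetd or another service manager need a different check.

```shell
#!/bin/sh
# Added example: flag enabled inetd services that authenticate in plain text.
# The service list is an assumption for illustration; adjust it for your site.
PLAINTEXT_SERVICES="telnet ftp shell login exec pop3 imap imap2"

# audit_inetd FILE
# Prints "service (line N)" for each enabled (uncommented) entry whose
# service name is in PLAINTEXT_SERVICES. Returns 1 if any were found.
audit_inetd() {
    awk -v list="$PLAINTEXT_SERVICES" '
        BEGIN { n = split(list, names, " ")
                for (i = 1; i <= n; i++) risky[names[i]] = 1 }
        /^[ \t]*#/    { next }   # commented out, so inetd ignores it
        NF < 6        { next }   # blank or incomplete entry
        ($1 in risky) { printf "%s (line %d)\n", $1, NR; found = 1 }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample resembling a permissive default inetd.conf.
write_sample() {
    cat > "$1" <<'EOF'
# <service> <socktype> <proto> <wait> <user> <server> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
pop3    stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
time    stream  tcp  nowait  root  internal
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Enabled plain-text services:"
audit_inetd "$sample" || echo "-> comment these out and reload inetd"
rm -f "$sample"
```

Point the function at the real configuration file (commonly /etc/inetd.conf) to use it; the non-zero return status makes it usable from a cron job or install checklist.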

The truth of Linux security is that it can be much more secure than many of its contemporaries (such as MS Windows), but only if the system administrator is careful and critical of their systems.

The strength of Linux security is that you have total control over your system and you are the one making the security decisions.

Don your Tinfoil Hats

With respect to Unix and Linux security, it is best to be as paranoid as possible. To quote the X Files, "Trust no one!" Quite literally everyone is a potential threat. That little old lady in the grocery store, she could be an uber-pirate trying to get some insight into you to deduce your password! The clueless secretary working for your boss, they could be faking their ignorance and waiting for the day you will slip up! And most definitely, the anonymous IP that has been sending strange packets to your web-server all day is most likely someone looking to gain root access to your machine to store ripped DVDs on your drive or use your system as a jumping-off point to Pentagon mainframes.

Suspect every oddity in your logs!



Last edited September 12, 2003 5:21 pm
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.