Comments on: Debian locks out developers after server hack

Linux project pulls access for programmers with weak passwords after discovering an intruder.

[catch23]

The silence is deafening

If an old WinNT4 server in the back room of some collage computer center is hacked, these forms are full of people pointing out how insecure Windows is and that no one should use it.

Where is everyone? Are the double standards to be that obvious?

[dahkness]

Agreed!

There are so many different version of Linux with no standardized patching/updating system service, there are literally millions of exploitable *nix servers on the net. At least you get steady security updates from Microsoft. God forbid you had to pay 99 bucks for that luxury.

[unigamer69]

Admittedly true.

I use Linux - but I'm not going to sit here and say Windows is crud, or 'nix is perfect.

Computer programs are written by humans, and humans make mistakes. The more lines of code, the higher the probability of bugs. Add to that the piecing together of parts of a program by different members of a team - whether around the world over the Net, or behind closed doors in a corporation - and the trouble grows further.

Throw on top of this application software (server or otherwise), and your problems go through the roof. In Windows, one would not know the internal workings of these things.. but in practice (NOT arguing theory here!), there's a good chance that someone who writes a program for 'nix wouldn't look closely at other source code, either.

The bugs crawl among us. Live with it. Keep up to date.

[Thrudheim]

Bad example

Actually, nobody would be surprised about a Windows box like
the one you described being hacked. It would be completely
unnewsworthy. Debian's servers being hacked, however, is
newsworthy.

Of course, all operating systems have flaws. News coverage of
these flaws is appropriate. The problem is placing these stories
in context. It seems clear, however, that there are some
Windows fans who want to jump on every story of holes in Linux
or the Mac OS as justification that other systems are no more
secure than Windows.

Meanwhile, Microsoft is busy working on User Account
Protection in Vista and telling us what a big security
improvement it will bring. User of *nix-based systems know all
about this, and benefit from it, already.

[bigpicture1]

Silence, what silence?

"There can be no learning without the associated emotional experience" Obviously you have not had the emotional experience so you have not learned.

I have had several emotional experiences with Windows all of the bad kind. You know the "blue screens" the "failure to boot", all of that wonderful drive you crazy stuff. I have had several infestations of the various famous virus and worm varieties, and that was even when I has Norton installed. I have had very few problems since I installed NOD and Zone Alarm, and turn off the computer when not in use.

BUT I have a PC with SUSE Linux installed that I never turn off, and is always connected to the internet, has no AV or Firewall software of any kind, and it NEVER has had any problems. NO irritation, NO need to vent, = SILENCE.

[rstinnett]

Gee, I thought Linux was all-secure?

Come on, where are all the Windows bashers at? Could it be that Linux has its flaws as well? Surely not!

[Johnny Mnemonic]

See the Clarification ...

Later in the forum...

[FutureGuy]

A hole in linux!!!

that too at kernel level, how on earth could that happen !!! isn't this OS low on features and usability high in Security or is that a myth?

[Johnny Mnemonic]

Except

They are exploitable at a local level vs global.

[justwally]

Passwords are OS's Weakest Link

Yeah, a hole in the form of a valid logon because of a weak password.

No OS is invulnerable to the local user.

[Stupendoussteve]

Not quite the same...

Being that Linux is just a kernel, and most of those "versions" are distributions, and most of those distributions have standard ways of updating and patching... your argument isn't quite up to par. Why is there less outcry? Because it happens a lot less.

[catch23]

No, it is talked about a lot less

Not exactly the same thing.
When MS released 18 patches, it was a "mega patch". Over 30 for Apple? They 'updated'.
Same here. Why do they call it a root kit, not an admin kit? Guess who just got hosed. No, actually, we will keep that hushed up.
A Windows laptop with sensitive information goes missing, and its MS's fault. Same thing would have happened if it was Linux, but why allow facts to get in the way of some good FUD.
Its the double standard I mind. All OS's have problems, and most are the folks in charge of them. I'm simply asking for even treatment.

[Johnny Mnemonic]

Some clarification

When we get security alerts for Linux it is a
completely different animal. I understand that this
is a consumer-based forum that is not as techincally
sophisticated as apposed to the kernel mailing
lists, but, I will try to explain the differences.

There are two primary levels of exploits. External
and local exploits. Local exploits are when an idiot
makes an easily guess-able login name and password
or an application can elevate it's priviledges
from a local account. Global or external exploits
are the majority of Windows flaws. These are the
kind that allow an external user access to the
system with "root level priviledges" or
"administation level priviledges" in the Windows
world.

There is an extremely important differnce. Most
if not all Linux and Unix exploits are at the
local level. We still consider this important
since Unix has always been a mulit-user operating
system and there may be a malixious local user.
This in essence brings us to the major difference
between Unix and Windows. Windows started it's life
as a single user MS only isolated system. When
MS was dragged into the modern Unix world of
highly inter-networked computers they had to
quickly retrofit their systems with a tcp/ip stack.
This stack (BSD) worked, but, all the other
priviledges (file, user, etc.) where missing.
Hence all exploits were immediatelty global or
local which could easily be elevated to global.

Ehat this all means is, Linux exploits are not
nearly as critical unless you have local malicious
users on your system. A potential problem that
might be exploited by a local user group versus
a global problem that could be exploited by the
world. Apples and Oranges.

I hope this was a helpful summary.

[Johnny Mnemonic]

Also...

It should be known that Debian has not included the
more advanced security mechanisms built into the
latest commercial distrivutions like RedHat or Suse.
Rehat includes the SELINUX kernel module that
essentially prevents priviledge escallation for
applications. Essentially the process that allowed
a local user to escalate priveledges in Debian
would be prevented in other major Linux distributions.
Debian has a reputation a being much slower in
accepting new code.

[Johnny Mnemonic]

If anyone is interested...

You can get all the Linux and Open Source news
and alerts at:

http://lwn.net

It's not the Linux kernel mailing list, but, it is
more approachable and you can use more critical
thinking to filter out the non-sense. Many kernel
folks actually subscribe to it and may answer your
questions. I recommend it to the CNET editors as
well. It will help you to filter out the sensational
reports of Linux flaws. Please refer to this site
before you write any more of these stories.
Thank you.

[Mendz]

I wonder why...

... Linux lovers are so protective about Linux flaws as if requiring everyone to seek more accurate information. On the otherhand, a news about Windows flaws is enough for these Linux lovers to react in even the most unintelligent manner possible as if there is no need to seek a more accurate information. Geeezzz...

[NoMoreMS]

And Thank you

Very much for the link!