[Hidden-tech] Windows security (sic)

Dan Fried dan at creativeconstructs.com
Sun May 29 20:33:30 EDT 2005


Ben,

This isn't quite right because "root" on Windows is fundamentally unlike 
root on *nix based systems like Linux and Mac OS X.  Some of these are 
rather fine points, but can be important nonetheless.

The most prominent difference is usage based.  When you get a new 
Windows machine and create a new account, you do so with "admin" 
privileges by default.  Without these admin privileges you cannot do 
things like install software, which makes a non-admin based account 
pretty useless for many people.  Unfortunately, because you are always 
logged in as admin, any software that runs while you are logged in does 
so with full admin privileges and can install and modify system files.  
*nix systems, on the other hand, generally default to a user based 
system and root access is only used when installing something that 
requires it.  Mac OS X is kind of a hybrid system, but it still requires 
an explicit re-entering of the admin privileged password when installing a 
modification to a system file.

Services are another, technical, way the approaches differ.  In Windows, 
services have to run as system processes.  This means that if your 
system service (say IIS, the web server) is compromised through a flaw 
in the software, that process has full system access and the ability to 
modify system files.  On a *nix system, it is not required that running 
services (or daemons) run as root processes (equivalent to system 
processes in Windows).  A default installation of Apache (the open 
source web server) on a *nix system, will create a separate process 
account for Apache that will not have privileges to access anything 
else, so even if an exploit for Apache is used, it will not have full 
root privileges (unless the default settings were ignored by whoever 
installed Apache).  This is part of the reason many of us laugh when 
Microsoft tries to point out the number of known exploits for Apache as 
being a sign that IIS is just as secure.

This is not to say that *nix is perfect and unbreachable, but a properly 
set up system will require two exploits to get root privileges in a 
*nix system, one for the user process and one to get root access once 
the process has been compromised.  This brings us to the final security 
advantage of *nix systems: diversity.  An attack that compromises a 
particular version of Apache will then have to deal with one of about a 
dozen major distributions, running any one of about a dozen kernel 
versions (just counting recent releases), many of which will have been 
recompiled with different optimizations and patches by their 
administrators.  A single exploit could only affect a relative handful 
of machines making automated attacks (like viruses) very difficult.

I'm not claiming that Windows is evil and everyone should switch to *nix 
systems, but there is a fundamental difference in the level of security 
available.

If there were 100 operating systems in the world, all with about the 
same level of security as Windows, but each with equal market share, we 
would be much less vulnerable to viruses and spyware.  (Of course if all 
those systems had the security level of *nix, we would be even better 
off).  The biggest problem we have is that because there is such 
ubiquity in the computing world, viruses can run rampant and spread like 
wildfire... because virus writers know that a single new virus can 
affect more than 90% of the systems out there.

-Dan
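The privilege-separation point Dan makes about Apache, shown as an added example that is not part of this thread: an audit over a constructed `ps` listing that flags network daemons still running as root, and the bind-then-drop pattern a Unix daemon uses to shed root after taking its privileged port. It goes a little beyond the message by showing the drop itself rather than only Apache's result; the service account name `www-data` and the list of daemons are assumptions.

```python
import os
import pwd
import socket

# Constructed sample of `ps -eo user,pid,comm` output; not from a real host.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
root       512 sshd
www-data   770 apache2
www-data   771 apache2
root       802 cupsd
postgres   900 postgres
"""
# Constructed list of daemons that parse untrusted network input.
NETWORK_DAEMONS = {"sshd", "apache2", "httpd", "nginx", "cupsd", "postgres"}

def root_network_daemons(ps_output, daemons=NETWORK_DAEMONS):
    """Names of network daemons still running as root in a ps listing.
    A flaw in one of these hands the attacker full system access; the same
    flaw in a daemon confined to its own account (Apache's www-data) does not."""
    found = set()
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "root" and parts[2] in daemons:
            found.add(parts[2])
    return sorted(found)

def drop_privileges(username):
    """Move this root process to an unprivileged account; returns the new euid.
    Groups change before the uid, since after setuid() they no longer can.
    A correct drop is irreversible: setuid(0) must now fail with EPERM."""
    pw = pwd.getpwnam(username)
    os.setgroups([])  # shed root's supplementary groups
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)
    except PermissionError:
        return os.geteuid()
    raise RuntimeError("privilege drop did not stick")

if __name__ == "__main__":
    print("network daemons running as root:", root_network_daemons(SAMPLE_PS))
    if os.geteuid() == 0:  # Apache's pattern: bind port 80 as root, then drop
        srv = socket.socket()
        srv.bind(("127.0.0.1", 80))
        srv.listen()
        print("serving requests as uid", drop_privileges("www-data"))
```

Run the audit part as any user; the bind-then-drop part only executes when started as root, which is the situation it is meant to get out of.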

Ben Liyanage wrote:

>   ** Be a Good Dobee and help the group
>   ** Fill out the survey/skills inventory in the member's area.
>   ** Remember you must be counted to post .
>
>This is the way windows virii work as well.  You 'get root' by convincing
>the user to run your application, thus infecting their computer.  To say
>that linux machines do not get virus because they dominate the server market
>is a little excessive as well.  If the average person did not use his
>computer at all but instead left it running on his desk he would not get
>virii either.
>
>I'd also say that most people that use linux for their desktop systems are
>like me--people with a degree in computer science, and/or a divine
>fascination with computers.  We are less likely to infect our computers with
>virii.
>
>This brings to mind a blurb that was on one of my old professors door that
>went something like this:
>
>If automobiles were built like a linux machine, the odometers, speedometers,
>or any other meter on the dash of the car would be replaced simply by a red
>exclamation mark that lit up when something went wrong--an experienced linux
>administrator would already know what the problem was.
>
>-----Original Message-----
>From: hidden-discuss-bounces at lists.hidden-tech.net
>[mailto:hidden-discuss-bounces at lists.hidden-tech.net]On Behalf Of David
>Mertz, Ph.D.
>Sent: Saturday, May 28, 2005 9:46 PM
>To: Mailing List
>Subject: Re: [Hidden-tech] Windows security (sic)
>
>
>
>On May 27, 2005, at 1:50 PM, Mark Bucciarelli wrote:
>  
>
>>It also doesn't hold up when you look at the virus counts and compare
>>to desktop share:
>>- there are about 60,000 viruses known for Windows, 40 or so for the
>>Macintosh, and perhaps 40 for Linux.
>>    
>>
>
>Good points overall Mark.  But you vastly overstate the number of
>"viruses" for Mac OSX and/or Linux.  It certainly comes nowhere close
>to 40 for either (Mac Classic had a couple minor ones, it is true).
>What gets called a virus on those unix-like systems is always a
>"theoretical attack that might work if you can already 'get root', or
>if the user cooperates to a high degree with the attack."
>
>The number of historical "live" viruses for either OSX or Linux is
>exactly zero.  And the worst attack that could ever conceivably be
>developed for either is far less serious than the sort of thing a
>Windows machine gets infected with on a daily basis.
>
>Remember, friends don't let friends run Windows!
>
>-----------------------------------------------------------------------
>mertz@ | The specter of free information is haunting the `Net!  All the
>gnosis | powers of IP- and crypto-tyranny have entered into an unholy
>.cx    | alliance...ideas have nothing to lose but their chains.  Unite
>       | against "intellectual property" and anti-privacy regimes!
>
>_______________________________________________
>Hidden-discuss mailing list - home page: http://www.hidden-tech.net
>Hidden-discuss at lists.hidden-tech.net
>
>You are receiving this because you are on the Hidden-Tech Discussion list.
>If you would like to change your list preferences, Go to the Members
>page on the Hidden Tech Web site.
>http://www.hidden-tech.net/members
>