[Hidden-tech] Windows security (sic)

Ben Liyanage ben at smartankgroup.com
Mon May 30 13:50:07 EDT 2005


I do not use my administrative account on my windows system.  I have created
a dummy account for myself.  Also, I believe one can run services with
non-system level permissions... though you might have to log in with the
separate account for the service to start.

I'm not completely sure how we got off the topic of desktop with virus
scanners.  I imagine many people would agree that *nix systems are more
stable and reliable than their windows counterparts.  Whether they are as
user friendly is a different issue, but not relevant when you are talking
about servers.  However, when using *nix machines as a desktop it is an
issue... making *nix machines more user friendly I imagine would add
additional security vulnerabilities.

Any system that is properly set up and used will be less vulnerable to
security breaches.  More or less this was my point from the beginning--it's
coincidental that my desktop runs windows.

Ben Liyanage
ben at smartankgroup.com
410.336.2464

-----Original Message-----
From: Dan Fried [mailto:dan at creativeconstructs.com]
Sent: Sunday, May 29, 2005 8:34 PM
To: Ben Liyanage
Cc: Mailing List
Subject: Re: [Hidden-tech] Windows security (sic)


Ben,

This isn't quite right because "root" on Windows is fundamentally unlike
root on *nix based systems like Linux and Mac OS X.  Some of these are
rather fine points, but can be important nonetheless.

The most prominent difference is usage based.  When you get a new
Windows machine and create a new account, you do so with "admin"
privileges by default.  Without these admin privileges you cannot do
things like install software, which makes a non-admin based account
pretty useless for many people.  Unfortunately, because you are always
logged in as admin, any software that runs while you are logged in does
so with full admin privileges and can install and modify system files.
*nix systems, on the other hand, generally default to a user based
system and root access is only used when installing something that
requires it.  Mac OS X is kind of a hybrid system, but it still requires
an explicit re-entering of admin privileged password when installing a
modification to a system file.

Services are another, technical, way the approaches differ.  In Windows,
services have to run as system processes.  This means that if your
system service (say IIS, the web server) is compromised through a flaw
in the software, that process has full system access and the ability to
modify system files.  On a *nix system, it is not required that running
services (or daemons) run as root processes (equivalent to system
processes in Windows).  A default installation of Apache (the open
source web server) on a *nix system, will create a separate process
account for Apache that will not have privileges to access anything
else, so even if an exploit for Apache is used, it will not have full
root privileges (unless the default settings were ignored by whoever
installed Apache).  This is part of the reason many of us laugh when
Microsoft tries to point out the number of known exploits for Apache as
being a sign that IIS is just as secure.

This is not to say that *nix is perfect and unbreachable, but a properly
set up system will require two exploits to get root privileges in a
*nix system, one for the user process and one to get root access once
the process has been compromised.  This brings us to the final security
advantage of *nix systems; Diversity.  An attack that compromises a
particular version of Apache will then have to deal with one of about a
dozen major distributions, running any one of about a dozen kernel
versions (just counting recent releases), many of which will have been
recompiled with different optimizations and patches by their
administrators.  A single exploit could only affect a relative handful
of machines making automated attacks (like viruses) very difficult.

I'm not claiming that Windows is evil and everyone should switch to *nix
systems, but there is a fundamental difference in the level of security
available.

If there were 100 operating systems in the world, all with about the
same level of security as Windows, but each with equal market share, we
would be much less vulnerable to viruses and spyware.  (Of course if all
those systems had the security level of *nix, we would be even better
off).  The biggest problem we have is that because there is such
ubiquity in the computing world, viruses can run rampant and spread like
wildfire... because virus writers know that a single new virus can
affect more than 90% of the systems out there.

-Dan

Ben Liyanage wrote:

>   ** Be a Good Dobee and help the group
>   ** Fill out the survey/skills inventory in the member's area.
>   ** Remember you must be counted to post .
>
>This is the way windows virii work as well.  You 'get root' by convincing
>the user to run your application, thus infecting their computer.  To say
>that linux machines do not get virus because they dominate the server market
>is a little excessive as well.  If the average person did not use his
>computer at all but instead left it running on his desk he would not get
>virii either.
>
>I'd also say that most people that use linux for their desktop systems are
>like me--people with a degree in computer science, and/or a divine
>fascination with computers.  We are less likely to infect our computers with
>virii.
>
>This brings to mind a blurb that was on one of my old professor's door that
>went something like this:
>
>If automobiles were built like a linux machine, the odometers, speedometers,
>or any other meter on the dash of the car would be replaced simply by a red
>exclamation mark that lit up when something went wrong--an experienced linux
>administrator would already know what the problem was.
>
>-----Original Message-----
>From: hidden-discuss-bounces at lists.hidden-tech.net
>[mailto:hidden-discuss-bounces at lists.hidden-tech.net]On Behalf Of David
>Mertz, Ph.D.
>Sent: Saturday, May 28, 2005 9:46 PM
>To: Mailing List
>Subject: Re: [Hidden-tech] Windows security (sic)
>
>
>On May 27, 2005, at 1:50 PM, Mark Bucciarelli wrote:
>
>
>>It also doesn't hold up when you look at the virus counts and compare
>>to desktop share:
>>- there are about 60,000 viruses known for Windows, 40 or so for the
>>Macintosh, and perhaps 40 for Linux.
>>
>>
>
>Good points overall Mark.  But you vastly overstate the number of
>"viruses" for Mac OSX and/or Linux.  It certainly comes nowhere close
>to 40 for either (Mac Classic had a couple minor ones, it is true).
>What gets called a virus on those unix-like systems is always a
>"theoretical attack that might work if you can already 'get root', or
>if the user cooperates to a high degree with the attack."
>
>The number of historical "live" viruses for either OSX or Linux is
>exactly zero.  And the worst attack that could ever conceivably be
>developed for either is far less serious than the sort of thing a
>Windows machine gets infected with on a daily basis.
>
>Remember, friends don't let friends run Windows!
>
>-----------------------------------------------------------------------
>mertz@ | The specter of free information is haunting the `Net!  All the
>gnosis | powers of IP- and crypto-tyranny have entered into an unholy
>.cx    | alliance...ideas have nothing to lose but their chains.  Unite
>       | against "intellectual property" and anti-privacy regimes!
>
>_______________________________________________
>Hidden-discuss mailing list - home page: http://www.hidden-tech.net
>Hidden-discuss at lists.hidden-tech.net
>
>You are receiving this because you are on the Hidden-Tech Discussion list.
>If you would like to change your list preferences, Go to the Members
>page on the Hidden Tech Web site.
>http://www.hidden-tech.net/members
>
>
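
The thread's point about daemons running under their own account rather than root can be checked on a live system. The following is an added example, not part of the original thread: it parses a constructed `ps -eo user,pid,ppid,comm` listing and flags daemons whose request-handling processes run as root; the daemon names and the sample listing are assumptions.

```python
from collections import defaultdict

# Constructed sample of `ps -eo user,pid,ppid,comm` output (not from the thread).
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root       812     1 httpd
apache     815   812 httpd
apache     816   812 httpd
root       901     1 ftpd
root       950   901 ftpd
mysql     1002     1 mysqld
root      1100     1 named
ben       1500     1 bash
"""

def parse_ps(text):
    """Return a list of (user, pid, ppid, comm) tuples, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            user, pid, ppid, comm = parts
            rows.append((user, int(pid), int(ppid), comm.strip()))
    return rows

def root_request_handlers(rows, daemons):
    """Flag daemon processes that serve requests while running as root.

    A root parent with unprivileged children of the same name is treated as
    the usual "bind the port, then drop privileges" layout and is not
    flagged; root children, or a lone root process, are.
    """
    comm_of = {pid: comm for _, pid, _, comm in rows}
    by_comm = defaultdict(list)
    for row in rows:
        if row[3] in daemons:
            by_comm[row[3]].append(row)
    findings = []
    for comm, procs in sorted(by_comm.items()):
        workers = [p for p in procs if comm_of.get(p[2]) == comm]
        handlers = workers or procs  # no children: the process serves itself
        findings += [(comm, pid, user) for user, pid, _, _ in handlers
                     if user == "root"]
    return findings

if __name__ == "__main__":
    watched = {"httpd", "ftpd", "mysqld", "named"}  # assumed daemon names
    for comm, pid, user in root_request_handlers(parse_ps(SAMPLE_PS), watched):
        print(f"{comm} pid {pid} handles requests as {user}")
```

On a real host, feed the function the output of `ps -eo user,pid,ppid,comm` and the names of the network daemons you actually run.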



