But historically the most 'successful' atttacks have been on Unix systems - which had some serious security holers in the past.

__________________
PIC programmer software, and PIC Tutorials at:
http://www.winpicprog.co.uk

 

That's true to some degree but the reason why Windows has been so insecure is because earlier versions didn't have a security model and the NT line sets the user accounts with administrator privileges by default.

The non NT versions of Windows (3.1, 95, 98, ME etc.) didn't have any security model at all. Any one could turn the computer on, install software, delete important files and even reformat the system. Software frequently saved its settings in system areas of the registry and hard disk where only operating system settings should belong.

Then MS came along with the NT range, it was the first real operating system produced by MS, it included permissions and, real passworded user areas. Users could be allowed to log on but only have write access to their own directories, all system directories were write protected and other users' directories were both read and write protected from the other users. The only user that had write permission to the system directories was the system administrator. This is the same with all other modern operating systems such as UNIX and is primarily why they are more secure.

At first NT was reserved for only servers and business users since it was so resource hungry no consumer could afford the hard ware to run it and it lacked direct X which was required to run games. Eventually the cost of hardware fell and MS decided to release it to the consumer as Windows XP.

Unfortunately most home users had crapware that wrote its settings to system areas so it wouldn't work when run under a restricted account so MS decided to give the default logon administrator privileges. The problem with this is if the user has write access to the entire system then so does all the programs they are running; all that's required is a hole in Internet Explorer to allow some nasty code though and bang the whole system is gripped. By contrast it's a lot harder to become infected when running under a limited user account because the system areas are all write protected, the rogue program needs to gain administrator rights in order to infect the system. One way is a buffer overflow (which can be prevented by enabling data protection execution in control panel). Another is social engineering where by the program pretends to be a useful program that the user actually wants to install and this is what gripped me.

I had been doing things properly, only using an administrator account to install software and hardware and using a limited user account for everything else. I have avoided the old software that requires to be run as admin and worked round it where ever possible. Some programs I've installed in a separate director which the normal user can write to, to get round the problem of writes to the program's own directory been refused and I've written a script to allow other pieces of software to be run as admin and none of the software running as admin has Internet access which helps a lot.

Microsoft says Vista will has restricted accounts as the default setting and will run old software through an emulator that tricks it into thinking it has access to system areas but I've heard there are a few bugs in this. Either way even if MS made Windows 100% secure it would still be liable to attack because users can be so easily tricked into executing programs as administrator. The only way to protect yourself 100% is to only use open source software and read every line of source code before you install it.

Here's a good article that goes in to more detail about what I've been talking about.

__________________
I also post at the following sites:
http://www.stop-microsoft.org http://www.heated-debates.com
Screen name: Aloone_Jonez

 

really...
So what would you say if I told you 70% of the world servers run LAMP setups (Linux,Apache,MySQL,PHP) and that the 5 root-DNS run linux...

Sure the desktop is one thing, but out in the real money-making world it is a very different story.

Likewise to think for a moment that people are not trying to create a worm for linux-system's is very nieve! (and as nigel pointed there have been some very big breach's via worms on *NIX systems).

__________________
Nothing is impossible.
Once a problem is realised, the rest is just details

 

Styx, I'd say numbers matter. I know servers are mostly run on as you said LAMP setups, but as the people that have created botnets out there very well know, they can shut down entire domain names and disrupt company networked communications with a well executed attack from the sheer number of zombie clients under their control. Server admins are (hopefully) more likley to keep their systems patched. Users, yeah good luck with that =)
One of my favorite quotes (I'm not sure who the originator is) is "50% of the population is bellow average intelligence) and at the end of that day is the people that use the systems. Vista's atempts to limit user access to it's own system is kind of creepy in my opinion, but after all 90% of the time the user is the problem, so it's probably a good thing.

__________________

 

I can see what you are saying and it is just proof of the switch of tactics.
HomePC's are taken over to setup botnets for either span OR to create a grid
HomePC's are not the real target (the real target is DDoS attacks again hte big servers all running LAMP)

before hand ppl would hack those main servers but their security is such that attackers have had to move the the weakest common-denominator and that is Windows.


Linux isn't experiencing attacks due to "security by obscurity", it is experiencing attacks which are unsuccessful. Do you really want my to post my sshd logs from the last month (running openssh - a *NIX-only server) to show that not only are their script-kiddies attempting to guess usernam & passwd but more sofisitcated attacks on my home server?

Firefox has actually quite a few sever vuln and those vuln appear on all platforms it runs on, there is proven contruction of remote code execution on a *NIX machine due to firefox, the difference however is *NIX forces the user to run as a restricted user and thus code-execution fails, on windows XP forces the user to run as Admin

Likewise Linux follows the UNIX philosophuy of one program to do one job very well, thus if a flaw exists in that one program it does not propogate (and hence why OpenSSL is one of the most peer-reviewed and patched libs there is due to its critical nature in SSH servers and its single point of failure possibility).Windows tries to go for super-processes, svchost is a prime example

multiple copies of this a spawned depending on the arguements, if a flaw exists on one part of the code the whole application is vuln. Likewise the integration of some key things right into the system (eg ie) exposes the system such if an exploit is found it becomes a root-exploit (the number of these are EXTREAMLY high for windows, not really for linux)


Yes Vista has done alot to try to sort out the idiocity of the end-user (where part of the problem lies) by forcing the user to run as restricted user but they went and screwed it up by not only implementing the UAC such that it can be disabled and thus allowing users to run applications with admin-priv!

All code is going to be vuln, thats a given (a recent study caused MS PR machine to say that windows is more secure because it had less patchs in a given time, I am more interested in those un-known flaws - linux is peer-reviewd [and I do some code-checking btw ] and thus more eyes to spot bugs) the point is what explioits result in root-access. THOSE process's that have to run as root get such a looking over by some top hackers (as well as Apple,IBM,Novell...) that potential points are spotted and fixed

shite there was a flaw in thttpd recently and when it got announced in the GLSA by the time I actually re-synced my repo (and I do every day) a patch already in-place, how long does it take MS to fix? Shite there is still 2 known zero-day exploits (in hte wild!!!) for word!!!


if you want to use windows thats fine, just please don't spread FUD that linux is more secure becuase if its limited use cause that just isn't right

__________________
Nothing is impossible.
Once a problem is realised, the rest is just details

 

try antivir I think it has not much ahsle and you should be able to disable the auto update

__________________
I AM the exeption that disproves the rule in many ways but the rules still apply (unfortunately)

my site:www.simons-photography.com
http://rushdenrotaract.org.uk

 

It isn't that i dont want the auto update, as i think automatic updating is great! The problem is, i don't want the program to make such a big freaking deal about it!
Sure, i would like to know if something went wrong during the update, but when it tells the user that the update was successful, that is crossing the line!

__________________
There is no "I" in "team", unless Apple makes it... Then it would be iTeam.

 

Marks... it's free, you're lucky it works at all. Complaining about free software is like punching a guy for giving you a 20 dollar bill because it has a stain on it.

__________________

 

Just because it is free doesn't mean that it has to be anoying! Take linux for example... Free, but NO POPUPS!!!!!

__________________
There is no "I" in "team", unless Apple makes it... Then it would be iTeam.

 

Another one of my favourite statistics is that UNIX has more venerabilities than Windows. Well of course it doesm, 100s of operating systems are UNIX based while only a handful are NT based.

__________________
I also post at the following sites:
http://www.stop-microsoft.org http://www.heated-debates.com
Screen name: Aloone_Jonez

 

Let's keep it that way...

__________________
There is no "I" in "team", unless Apple makes it... Then it would be iTeam.

 

Now there's a great example of the power of positive thinking! Either that, or he's a risk taker since it's not a matter of IF, but WHEN!

__________________
Don't make me reach through this monitor to slap you a good one!