
Is Linux secure ?!

Started by May 13, 2004 02:36 PM
17 comments, last by zaidgs 20 years, 4 months ago
i've been wondering lately, if linux is considered secure or not.... if you see any hacking tutorial they just repeat the same thing: hackers use linux, and attack linux boxes. so linux boxes are the targets of most hackers, and most tutorials teach you how to hack it. so i reach the conclusion: linux is one of the least secure systems. on the other hand, it's largely said that windows are one of the most unsecure systems yet i don't hear much about hacking a windows system. so when am i more likely to be hacked ?!?! when using a linux system or a windows one ?! anyone can help clarify these misleading, contradicting stuff ?!
Can't answer your question,

first you have to define security.
Just like with Windows, Linux is only as secure as the person using it lets it be. If you don't secure it, it won't be secure.
Yes. Linux, IMHO, does provide a much better potential for 'higher security' than Windows does, but if you don't secure your system, then it won't do anything for you. Just because there are many tutorials on hacking Linux doesn't mean that it is less secure than Windows. Hackers may be more targeted towards Linuxes (because large corporations use them for servers), but most viruses, spyware, and all that is targeted towards Windows.
- fyhuang [ site ]
Security is not a product, though many manufacturers would like to convince you otherwise as a hook to keep selling you new products. Security is a set of behaviors. Exploits that could damage your system will often use perfectly legitimate means to get to you and count on your carelessness to deploy, such as opening suspicious email attachments.

The price of liberty - and security - is eternal vigilance.
Because of default windows security settings, it is quite easy for a lot of things to be done to your system without your knowledge. For instance scripts over-the-internet installing malware/viruses on your computer. There are usually ways to secure MOST of this (not always though), and it often requires outside software or advanced security methods.

On the other hand, linux by default doesn't have these autorunning scripts, and you CAN know what when and how processes are running on your computer at any time. Though the biggest argument for linux being secure is based on the fact that often times the users of linux are smarter.

As far as hacking into a computer, it doesn't really have to do with the operating system itself. this is only done when your computer exposes a server of some sort to the outside world. Since a lot of the free servers nowadays are done using linux and apache, most of the hacking is on these systems. IMHO the reasoning for this is, if they are spending the money to purchase expensive server software, chances are they are spending enough money to make it secure, so a lot of hackers ignore it. Another reason hackers attack linux boxes is some distros, or people, install some servers to run on their computer, this then exposes these servers to the public, which is a major security hole.
quote: Original post by C-Junkie
Can't answer your question,

first you have to define security.


i think i defined it as: having more chance of being
hacked while you are online.

and lets better take it from a computer literate
administrator, not a lame root.

quote: Original post by fyhuang
Linux, IMHO, does provide a much better potential for 'higher security' than Windows does.

guess this answer means something:
'better potential'.

i'd love to hear more answers if possible :D

quote: Original post by zaidgs
quote: Original post by C-Junkie
Can't answer your question,

first you have to define security.


i think i defined it as: having more chance of being
hacked while you are online.


Still not good enough. getting hacked? by a person? virus? roommate? mom, who just downloaded gator?

And WHO has more of a chance? web server? mail server? any server? on a PDA? just a desktop? desktop doing what? just getting mail and surfing web? programming? playing games?

I'll assume that you mean getting attacked by either a person or a virus. I'll also assume that you're talking about a desktop that you might do any of the last four things mentioned.

In that case Linux kicks ass. Without running any servers, since it's a desktop machine, Linux has nothing open to the net. Therefore, the only threat is the things YOU connect to and with what software.

And while Mozilla doesn't have a spotless record (though IE's is arguably worse), exploitation of client side applications is rare, except in the case of viruses. and linux viruses are almost nonexistent (i would say totally, but some would be quick to point out that there are one or two out there that might exploit vulnerabilities from years ago)
i see ur point C-Junkie !! :D
yes your assumptions were what i was talking
about, an ADSL (or some other type excluding dial-ups)
NOT running server services like ftp or remote logins.
although i was not talking about viruses,
but it seems nice to know that the linux life
is almost virus free... what are the things behind
the wide-spread of virus in windows, but not linux ?!
A poorly configured machine is vulnerable regardless of the OS it is running. Still, Windows users are at a disadvantage.

Most arguments about the security of Linux vs. Windows really miss the guts of the issue. Windows and Microsoft have in my opinion, and many others', a worse track record than Linux and many other operating systems with regard to the number of bugs in their code. The type of bug most pertinent to security is generally the buffer overflow. A buffer overflow, for those who do not know, occurs when more data is copied into memory than was intended and the data spills past the end of the allocated region and overwrites other critical data in memory. The classic overflow allows a user to supply data that will write past an array which allows the user to overwrite the return instruction pointer stored on the stack before the current function was called. The user can then force the program to do something nifty like supply them with a command prompt. This is generally only useful when a program is running with admin privileges (because the command prompt will also have those privileges) or when the program allows a remote attacker to reach a command prompt when they would not normally be able to.

I would argue that Linux has a better record with regard to buffer overflow conditions than Windows. However, other operating systems have much better records. Notably, OpenBSD has undergone continuous scrutiny and code review that has made such conditions many times more scarce in the core source code for OpenBSD than any other publicly available operating systems.

Also, Linux and OpenBSD both have clever protection mechanisms available to prevent buffer overflow attacks including variations that are far more advanced than the one I mentioned. PaX is available for Linux while OpenBSD always ships with W^X. There are also compiler-based protection mechanisms available on *BSD systems and Linux. Propolice is available for FreeBSD and Linux; it is included in OpenBSD. Stackguard (which is similar to Propolice) is available for Linux as well. Microsoft has implemented compiler protection similar to Stackguard in Visual C++ using the /GS switch. This new protection is (last I heard) used to build Windows 2003 Server. The Microsoft implementation is unfortunately flawed and much easier to defeat. PaX and W^X both offer more advanced memory protections and address randomization (this stuff is important). Except through third-party vendors at a hefty price, this is not available for Windows. (www.smashguard.org) has a lot of information available on their buffer overflow page. Also, read phrack (www.phrack.org).

In addition, password protection is terribly weak under Windows. The MD5 and Blowfish password encryption mechanisms are available for Linux, *BSD and Solaris. They provide password encryption that is far stronger than Windows and a unique salt is used to compute each user's password hash so a password cracker has to encrypt each possible password once for each user. So if you are trying to crack the passwords of 1000 users, every possible password has to be encrypted 1000 times whereas on Windows, you just need to encrypt it once. Also, sorting makes the comparison process far faster on Windows (you only have to compare to log n users).

The network authentication protocols used by Windows do not require that you actually know the password. They only require that you know the hash; if you break into the server and steal the hashes you don't really need to crack them. Find the paper "Common Insecurities Fail Scrutiny" by the Hobbit.

Linux and *BSD Unix systems ship with flexible built-in packet filters (firewalls). The firewall shipped with Windows sucks. Microsoft's ICF firewall only allows you to filter ICMP, TCP and UDP and does not allow you to filter based on many of the flags and options available in those protocols.

The thing that I like best about open-source systems (security-wise) is the ability for myself and other people to customize them. A lot of cutting-edge security mechanisms are not available for Windows because source-code access would be necessary to develop them. A number of automated source-code checking tools have been developed by researchers and not released to the public. These tools were tested against open-source products and prompted numerous previously undiscovered bugs to be fixed.

There is a lot more but I've probably rambled on long enough. For more security information read phrack, visit insecure.org, smashguard.org and packetfactory.net . If you'd like to understand network (and network security) better, go out and buy TCP/IP Illustrated vol I by W. Richard Stevens. Have fun.
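
The salting argument in the post above, as an added example that is not part of the original thread: a weak-password audit over constructed accounts that counts hash computations with and without per-user salts. SHA-256 from Python's `hashlib` stands in for the MD5/Blowfish crypt schemes the post names, and every function name and sample account here is made up for illustration.

```python
import hashlib
import os

def h(password, salt=b""):
    # Stand-in hash (assumption): real systems use a slow password hash.
    return hashlib.sha256(salt + password.encode()).digest()

def build_unsalted(users):
    # Same password always yields the same stored hash.
    return {name: h(pw) for name, pw in users.items()}

def build_salted(users):
    # A fresh random salt per account makes equal passwords hash differently.
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, h(pw, salt))
    return db

def audit_unsalted(db, candidates):
    """Return (accounts with a weak password, hash computations done)."""
    by_hash = {}
    for name, digest in db.items():
        by_hash.setdefault(digest, []).append(name)
    weak, work = set(), 0
    for cand in candidates:
        work += 1                      # one hash covers every account
        weak.update(by_hash.get(h(cand), []))
    return weak, work

def audit_salted(db, candidates):
    """Same audit; each candidate must be re-hashed under each salt."""
    weak, work = set(), 0
    for name, (salt, digest) in db.items():
        for cand in candidates:        # no early exit: worst-case count
            work += 1
            if h(cand, salt) == digest:
                weak.add(name)
    return weak, work

def demo():
    # Constructed sample: 1000 accounts, three with weak passwords.
    users = {f"user{i}": f"unique-passphrase-{i}" for i in range(1000)}
    users.update({"user7": "letmein", "user42": "letmein", "user99": "password"})
    candidates = ["123456", "password", "letmein", "qwerty", "dragon"]
    return (audit_unsalted(build_unsalted(users), candidates),
            audit_salted(build_salted(users), candidates))

if __name__ == "__main__":
    (u_weak, u_work), (s_weak, s_work) = demo()
    print("unsalted:", sorted(u_weak), u_work, "hashes")
    print("salted:  ", sorted(s_weak), s_work, "hashes")
```

Both audits flag the same three accounts, but the work grows from one hash per candidate to one hash per candidate per account, which is the 1000x factor the post describes.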


This topic is closed to new replies.
