Les Mikesell wrote:
On Sat, 2006-04-01 at 10:28, Craig White wrote:
I hear people talk about the lack of security in Windows but it seems to
me, exposing a Linux system to the Internet with shell accounts and weak
passwords is far more insecure than a typical Windows system.
There's about 50,000 reasons you are wrong, mostly in the form
I don't know how many systems there are with the root password
being "root", but I have personal knowlege of several hundred. And they
are open, with a modem set to "autoanswer".
of windows viruses that attack the rpc and similar services.
His point is, I believe, that *no* system is inherently secure,
unless the security is physical access. And, no computer is
inherently insecure.
I have an MSDOS machine which is absolutely secure. More secure than
any Linux machine with external access ever could hope to be. It has
no cable connected to anything outside my house, except for the power
cable. (And that goes through an UPS :-)
And, no system which has an external connection is absolutely secure,
no matter what OS it runs (or even if it doesn't run an OS).
[snip]
Not that your point about bad passwords is any less valid... The
missing piece on linux is an option to rate-limit password guessing
in ssh and automatically blacklist addresses that fail more than
a few times. There are some add-on wrappers, but sshd should
do it by itself with some sane defaults.
There is no such thing as a system which only has "one missing piece".
All systems without physical access level security have missing
the one key piece of security, physical access. Any system with
a point of ingress like a modem, regardless of how many layers
of software "guard" the machine, are insecure, full stop. Once
one has accepted that, then it is a matter of *degree* of security,
not a matter of security. Some systems are easier to achieve a
given level of security than others. MSDOS, for example, is easier
to secure than Linux, since unless one has done something foolish
like a CTTY COM1, no one can issue commands via a modem. And if
no software is listening to the modem, as it is not in MSDOS
unless one installs such software, it remains relatively secure.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!