Windows vs Linux Security

Starting a new thread here, because "M$ Attack on Common Sense" is
getting long and wandering off topic. I'm no expert on computer
security, but I've been reading avidly this last week, after going
through hell the previous week. Here is what I've been able to learn.
Comments are welcome.

I see four lines of defense:
1) Hardware Defenses. Is the hardware designed so that there is no
way it can be damaged by anything that happens at the software level?
2) System Isolation. Is the core system designed so that there is no
way it can be damaged by anything that happens at the user level?
This would include viruses, hung programs, or any random code that
happens to accidentally fall into the instruction registers while in
"user mode".
3) User Isolation. Is the system and all of its users protected
against anything that can happen in another user's account? Viruses,
random code, etc.
4) Applications. Are all of the applications designed so that there
is no way malicious code can be run without tricking the user to run
it? Do these applications recognize a request to run code (even if it
is disguised as something else) and provide the user an easy way to
run it in isolation.

Seems to me that the Level 1 and 2 problems have been solved, Level 3
problems are still with us, but will be eventually solved, and Level 4
problems will be with us always. At level 4, the best we can do is
educate users to be wary about running any un-trusted code, push
application developers to provide warnings when such code is about to
be run, and push security companies for ever-better anti-virus
programs.

As a fairly competent user, I would be happy with a robust solution to
the Level 3 problems. That will at least isolate me from whatever
happens in the kid's accounts, or my own "junk" account. Better
programs at Level 4 would be nice (and probably essential for naive
users) but I personally can live with occasionally having to switch to
my "junk" account to open a strange email attachment.

Here is my current understanding of the Linux vs Windows security
situation.
Levels 1 and 2) No problem with either system.
Level 3) It looks like Linux has a very robust isolation of user
files and processes, and Windows does not. In the previous thread, I
got not a single response to my challenge for anyone to show me code
that could destroy anything or access "read-only" information outside
my "junk" account on Red Hat 8.

Microsoft is talking about building a new OS "from scratch".
http://www.pcmag.com/article2/0,4149,991132,00.asp This gives me a
feeling that Microsoft realizes the enormity of the security problem
and the impossibility of fixing it by adding a multi-user layer on top
of what is essentially a single user system. On the other hand,
Microsoft has demonstrated that it can make an enormous unstable
system stable. Maybe they can fix the security problems by "brute
force" and lots of money.

Level 4) I see no fundamental advantage of one system over another,
but a current advantage for Linux, because it is a less attractive
target than Windows. This is a result, not of anything inherent in
the OS, but simply that virus writers will attack the most popular
applications, and to some extent, a company they perceive as an "evil
empire".

I do see an advantage in open-source development, and to the extent
that Linux encourages such development, I believe Linux applications
will be more secure. But again, this is not inherent in the OS
itself. Open-source programs can be run on either platform.

As a user of both Windows and Linux, I am *not* alarmed by the long
list of bugs reported in Linux.
http://www.linuxsecurity.com/advisories/index.html In fact, I find it
re-assuring to get occasional alerts from Red Hat when one of these is
a security patch which affects my system. Almost always, these are
obscure problems that *could* be exploited, but haven't been. The
people who discover these problems get credit for their work, and that
may be one reason they use their talents for good, not evil.

Are there many more undiscovered holes at the application level? No
doubt there are. At the user-isolation layer? I don't think so, but
I am listening carefully for any evidence to the contrary.

- Dave

Dave

In comp.os.linux.misc Dave <> wrote:
: Here is my current understanding of the Linux vs Windows security
: situation.
: Levels 1 and 2) No problem with either system.
: Level 3) It looks like Linux has a very robust isolation of user
: files and processes, and Windows does not. In the previous thread, I
: got not a single response to my challenge for anyone to show me code
: that could destroy anything or access "read-only" information outside
: my "junk" account on Red Hat 8.

Am feeling contrary today, so:

I would challenge you or anyone else to show me any Windows code
that can do anything obnoxious outside of the user space for any
normal user in Windows. Like mess with system settings or another
user's files or kill another user's running processes or the like.

Level 3 above is well taken care of in Windows exactly the same
as in Linux but in both cases ONLY if the sys admin is setting
things up correctly. Logging in as "root" or as "administrator"
is equally powerful and dangerous on both systems.

As you note level 4 is the really challenging level.

Stan


--
Stan Bischof ("stan" at the below domain)
www.worldbadminton.com

nobody@nowhere.com

Dave wrote:

> Are there many more undiscovered holes at the application level? No
> doubt there are. At the user-isolation layer? I don't think so, but
> I am listening carefully for any evidence to the contrary.

.... keep this stuff to one or two newsgroups, please (not six).
this is mostly for advocacy, to be specific.
..
--
/// Michael J. Tobler: motorcyclist, surfer, skydiver, \\\
\\\ and author: "Inside Linux", "C++ HowTo", "C++ Unleashed" ///
\\\ http://pages.sbcglobal.net/mtobler/mjt_linux_page.html ///
Beneath this stone a virgin lies,
For her life held no terrors.
A virgin born, a virgin died:
No hits, no runs, no errors.

mjt

"mjt" <mjtobler@removethis_consultant.com> wrote in message
news:7Ao9b.747$.. .
> ... keep this stuff to one or two newsgroups, please (not six).
> this is mostly for advocacy, to be specific.

Good suggestion. Let's post only to:
comp.os.ms-windows.misc and
comp.os.linux.misc
Looks like the ideal group "comp.security" from the original thread does not
exist. Anyone interested from the other three groups, please join us in one
of the two above.

- Dave

macquigg

["Followup-To:" header set to comp.os.linux.misc.]
On 2003-09-15, <> wrote:

> In comp.os.linux.misc Dave <> wrote:
>:
>: Level 3) It looks like Linux has a very robust isolation of user
>: files and processes, and Windows does not. In the previous thread, I
>: got not a single response to my challenge for anyone to show me code
>: that could destroy anything or access "read-only" information outside
>: my "junk" account on Red Hat 8.

[...]

> Level 3 above is well taken care of in Windows exactly the same
> as in Linux but in both cases ONLY if the sys admin is setting
> things up correctly. Logging in as "root" or as "administrator"
> is equally powerful and dangerous on both systems.

Unfortunately, it is often very difficult to function as a mortal user in
Windows, so most people outside of corporate desktops end up running as
"administrator" most of the time anyway.

--

-John ()

John Thompson