MLUG: RE: [MLUG - DISCUSSION] RPC DCOM Worm

> Which is to say - if Linux was the main OS in use, you can imagine that
> most of the users would not have updated ssh, and a few weeks or months
> later there would have been a worm on Linux which would have been every
> bit as nasty as this current Windows worm that is going around.

There are a couple of issues there.

Clearly linux sysadmins tend to be better trained than Windows ones, but
if linux became the largest OS things would be different in that
respect.

However, linux distributions all tend to be much more secure than
Windows by design. Using the blaster worm as an example, have you seen
the rigmarole you must go through to try and disable DCOM - that's a
service listening on an open port and you can't even easily disable it. 

If you don't want a Windows service to listen on an open port you
generally have to stop the service or uninstall it. Often that's not
possible, because of the way everything in Windows is interlinked. With
linux you could leave it running, just stop it listening on your
internet connection.

Windows doesn't come with any sort of firewall, whereas every modern
linux distro comes with iptables. Even distros for home use come with
well chosen sets of default rules to protect your computer.

I think the linux flaw you mentioned was an SSL flaw rather than the SSH
one. It required gcc being installed and executable on the host - if
linux was being distributed, say on office desktops, sensible sysadmins
aren't going to leave gcc in the build. I think that at least one of the
big distros, either RedHat or SuSE, no longer installs gcc by default.

Updating linux tends to be a lot easier too, and can be done remotely.
In a small office environment, I went round some time ago applying the
MS patch that stops Blaster - that involved sitting at every desktop and
rebooting. That quickly adds up to a lot of time. Updating IE tends to
be worse: typically you have to do a download at each client machine,
and that can take an age. By making updates inconvenient, Microsoft almost
go out of their way to stop them being applied. On linux it'd be a case
of having an rpm or .deb on the local network. You could then use ssh to
log in to the client or use any one of a number of tools to deploy the
update automagically.

Nonetheless, the real problem with Blaster has been Windows techie staff
that simply haven't been doing their job. It's inexcusable in a business
environment that patches available since 26th March still haven't been
installed on the clients. If I employed any of those techies, they'd
have been shown the door - if this worm had carried a destructive
payload it could have been catastrophic for a business.

Russell.

_______________________________________________
discussion mailing list
http://mlug.missouri.edu/mailman/listinfo/discussion
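The point above about leaving a service running but stopping it listening on the internet connection, and about a distro shipping a sensible default rule set, can be shown concretely with iptables. The script below is an added example written for this archive page, not code from the original poster or from any distribution. It generates an iptables-restore style ruleset: default-deny on INPUT, the service ports accepted only when they arrive on the LAN interface from the LAN subnet, and the same ports logged and dropped on the internet-facing interface. The interface names (eth0/eth1), the 192.168.1.0/24 subnet and the port list are constructed assumptions; change them via the environment variables. Nothing is applied unless APPLY=1 is set, so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original thread): build an iptables ruleset that
# keeps a service running but reachable only from the LAN side.
# All interface names, subnets and ports below are constructed assumptions.

WAN_IF="${WAN_IF:-eth0}"                      # assumed internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                      # assumed office LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # constructed private subnet
SERVICE_PORTS="${SERVICE_PORTS:-135 139 445}" # example ports (RPC endpoint mapper, SMB)

# Emit the ruleset on stdout in iptables-restore format. Nothing is applied here.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'     # default-deny inbound
    printf '%s\n' ':FORWARD DROP [0:0]'   # this box is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # loopback and replies to our own connections are always allowed
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $SERVICE_PORTS; do
        # the service stays running, but is only reachable from the LAN
        printf '%s\n' "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $p -j ACCEPT"
        # anything arriving for that port on the internet side is logged, then dropped
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $p -j LOG --log-prefix \"wan-probe: \""
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $p -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Number of rules that would ACCEPT the given port on the WAN interface (should be 0).
wan_accepts_port() {
    build_rules | grep -c -- "-i $WAN_IF .*--dport $1 -j ACCEPT" || true
}

# Number of rules that ACCEPT the given port from the LAN subnet (should be 1).
lan_accepts_port() {
    build_rules | grep -c -- "-i $LAN_IF -s $LAN_NET -p tcp --dport $1 -j ACCEPT" || true
}

# Print the ruleset for review; apply it only when explicitly asked (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    build_rules | iptables-restore
else
    build_rules
fi
```

Running it without APPLY prints the rules so they can be checked before loading; `APPLY=1 ./rules.sh` loads them with iptables-restore. The LOG rule ahead of the DROP is what turns an internet-side probe of the service port into a visible kernel log line, which is the detection side of the same default-deny stance.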